]> git.ipfire.org Git - thirdparty/openvpn.git/blob - src/openvpn/options.c
projects / thirdparty / openvpn.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Allow certain DHCP options to be used without DHCP server
[thirdparty/openvpn.git] / src / openvpn / options.c
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2023 David Sommerseth <dazo@eurephia.org>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 */
24
25 /*
26 * 2004-01-28: Added Socks5 proxy support
27 * (Christof Meerwald, http://cmeerw.org)
28 */
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35 #ifdef HAVE_CONFIG_VERSION_H
36 #include "config-version.h"
37 #endif
38
39 #include "syshead.h"
40
41 #include "buffer.h"
42 #include "error.h"
43 #include "common.h"
44 #include "run_command.h"
45 #include "shaper.h"
46 #include "crypto.h"
47 #include "ssl.h"
48 #include "ssl_ncp.h"
49 #include "options.h"
50 #include "misc.h"
51 #include "socket.h"
52 #include "packet_id.h"
53 #include "pkcs11.h"
54 #include "win32.h"
55 #include "push.h"
56 #include "pool.h"
57 #include "proto.h"
58 #include "helper.h"
59 #include "manage.h"
60 #include "forward.h"
61 #include "ssl_verify.h"
62 #include "platform.h"
63 #include "xkey_common.h"
64 #include "dco.h"
65 #include <ctype.h>
66
67 #include "memdbg.h"
68
69 const char title_string[] =
70 PACKAGE_STRING
71 #ifdef CONFIGURE_GIT_REVISION
72 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
73 #endif
74 " " TARGET_ALIAS
75 #if defined(ENABLE_CRYPTO_MBEDTLS)
76 " [SSL (mbed TLS)]"
77 #elif defined(ENABLE_CRYPTO_OPENSSL)
78 " [SSL (OpenSSL)]"
79 #else
80 " [SSL]"
81 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
82 #ifdef USE_COMP
83 #ifdef ENABLE_LZO
84 " [LZO]"
85 #endif
86 #ifdef ENABLE_LZ4
87 " [LZ4]"
88 #endif
89 #ifdef ENABLE_COMP_STUB
90 " [COMP_STUB]"
91 #endif
92 #endif /* USE_COMP */
93 #if EPOLL
94 " [EPOLL]"
95 #endif
96 #ifdef PRODUCT_TAP_DEBUG
97 " [TAPDBG]"
98 #endif
99 #ifdef ENABLE_PKCS11
100 " [PKCS11]"
101 #endif
102 #if ENABLE_IP_PKTINFO
103 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
104 " [MH/PKTINFO]"
105 #elif defined(IP_RECVDSTADDR)
106 " [MH/RECVDA]"
107 #endif
108 #endif
109 " [AEAD]"
110 #ifdef ENABLE_DCO
111 " [DCO]"
112 #endif
113 #ifdef CONFIGURE_GIT_REVISION
114 " built on " __DATE__
115 #endif
116 ;
117
118 #ifndef ENABLE_SMALL
119
120 static const char usage_message[] =
121 "%s\n"
122 "\n"
123 "General Options:\n"
124 "--config file : Read configuration options from file.\n"
125 "--help : Show options.\n"
126 "--version : Show copyright and version information.\n"
127 "\n"
128 "Tunnel Options:\n"
129 "--local host : Local host name or ip address. Implies --bind.\n"
130 "--remote host [port] : Remote host name or ip address.\n"
131 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
132 "--remote-random-hostname : Add a random string to remote DNS name.\n"
133 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
134 "--proto p : Use protocol p for communicating with peer.\n"
135 " p = udp (default), tcp-server, tcp-client\n"
136 " udp4, tcp4-server, tcp4-client\n"
137 " udp6, tcp6-server, tcp6-client\n"
138 "--proto-force p : only consider protocol p in list of connection profiles.\n"
139 " p = udp or tcp\n"
140 "--connect-retry n [m] : For client, number of seconds to wait between\n"
141 " connection retries (default=%d). On repeated retries\n"
142 " the wait time is exponentially increased to a maximum of m\n"
143 " (default=%d).\n"
144 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
145 "--http-proxy s p [up] [auth] : Connect to remote host\n"
146 " through an HTTP proxy at address s and port p.\n"
147 " If proxy authentication is required,\n"
148 " up is a file containing username/password on 2 lines, or\n"
149 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
150 " the proxy requires NTLM authentication.\n"
151 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
152 " determine auth method and query for username/password\n"
153 " if needed. auto-nct disables weak proxy auth methods.\n"
154 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
155 " Repeat to set multiple options.\n"
156 " VERSION version (default=1.0)\n"
157 " AGENT user-agent\n"
158 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
159 " address s and port p (default port = 1080).\n"
160 " If proxy authentication is required,\n"
161 " up is a file containing username/password on 2 lines, or\n"
162 " 'stdin' to prompt for console.\n"
163 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
164 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
165 " resolve for n seconds before failing (disabled by default).\n"
166 " Set n=\"infinite\" to retry indefinitely.\n"
167 "--float : Allow remote to change its IP address/port, such as through\n"
168 " DHCP (this is the default if --remote is not used).\n"
169 "--ipchange cmd : Run command cmd on remote ip address initial\n"
170 " setting or change -- execute as: cmd ip-address port#\n"
171 "--port port : TCP/UDP port # for both local and remote.\n"
172 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
173 "--rport port : TCP/UDP port # for remote (default=%s).\n"
174 "--bind : Bind to local address and port. (This is the default unless\n"
175 " --proto tcp-client"
176 " or --http-proxy"
177 " or --socks-proxy"
178 " is used).\n"
179 "--nobind : Do not bind to local address and port.\n"
180 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
181 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
182 " this option only if the tun/tap device used with --dev\n"
183 " does not begin with \"tun\" or \"tap\".\n"
184 "--dev-node node : Explicitly set the device node rather than using\n"
185 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
186 #if defined(ENABLE_DCO)
187 "--disable-dco : Do not attempt using Data Channel Offload.\n"
188 #endif
189 "--lladdr hw : Set the link layer address of the tap device.\n"
190 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
191 #ifdef ENABLE_IPROUTE
192 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
193 #endif
194 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
195 " endpoint and rn as a remote endpoint. l & rn should be\n"
196 " swapped on the other peer. l & rn must be private\n"
197 " addresses outside of the subnets used by either peer.\n"
198 " TAP: configure device to use IP address l as a local\n"
199 " endpoint and rn as a subnet mask.\n"
200 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
201 " endpoint (as a /64) and r as remote endpoint\n"
202 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
203 " pass --ifconfig parms by environment to scripts.\n"
204 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
205 " connection doesn't match the remote side.\n"
206 "--route network [netmask] [gateway] [metric] :\n"
207 " Add route to routing table after connection\n"
208 " is established. Multiple routes can be specified.\n"
209 " netmask default: 255.255.255.255\n"
210 " gateway default: taken from --route-gateway or --ifconfig\n"
211 " Specify default by leaving blank or setting to \"default\".\n"
212 "--route-ipv6 network/bits [gateway] [metric] :\n"
213 " Add IPv6 route to routing table after connection\n"
214 " is established. Multiple routes can be specified.\n"
215 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
216 " in --ifconfig-ipv6\n"
217 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
218 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
219 "--route-metric m : Specify a default metric for use with --route.\n"
220 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
221 " adding routes (may be 0). If not specified, routes will\n"
222 " be added immediately after tun/tap open. On Windows, wait\n"
223 " up to w seconds for TUN/TAP adapter to come up.\n"
224 "--route-up cmd : Run command cmd after routes are added.\n"
225 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
226 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
227 " --route-up script using environmental variables.\n"
228 "--route-nopull : When used with --client or --pull, accept options pushed\n"
229 " by server EXCEPT for routes, dns, and dhcp options.\n"
230 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
231 " --ifconfig, --route, and --route-gateway.\n"
232 "--redirect-gateway [flags]: Automatically execute routing\n"
233 " commands to redirect all outgoing IP traffic through the\n"
234 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
235 " connected via a common subnet, such as with WiFi.\n"
236 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
237 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
238 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
239 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
240 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
241 " the default gateway. Useful when pushing private subnets.\n"
242 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
243 " ICMPv6 host unreachable messages on the client.\n"
244 " (Server) Instead of forwarding IPv6 packets send\n"
245 " ICMPv6 host unreachable packets to the client.\n"
246 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
247 "--push-peer-info : (client only) push client info to server.\n"
248 "--setenv name value : Set a custom environmental variable to pass to script.\n"
249 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
250 " directives for future OpenVPN versions to be ignored.\n"
251 "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
252 " these options to be ignored when unknown\n"
253 "--script-security level: Where level can be:\n"
254 " 0 -- strictly no calling of external programs\n"
255 " 1 -- (default) only call built-ins such as ifconfig\n"
256 " 2 -- allow calling of built-ins and scripts\n"
257 " 3 -- allow password to be passed to scripts via env\n"
258 "--shaper n : Restrict output to peer to n bytes per second.\n"
259 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
260 " ping once every n seconds, restart if ping not received\n"
261 " for m seconds.\n"
262 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
263 " produces a combined in/out byte count < bytes.\n"
264 "--session-timeout n: Limit connection time to n seconds.\n"
265 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
266 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
267 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
268 " remote address.\n"
269 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
270 #if ENABLE_IP_PKTINFO
271 "--multihome : Configure a multi-homed UDP server.\n"
272 #endif
273 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
274 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
275 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
276 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
277 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
278 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
279 #if PASSTOS_CAPABILITY
280 "--passtos : TOS passthrough (applies to IPv4 only).\n"
281 #endif
282 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
283 " TCP/UDP MTU from it (default=%d).\n"
284 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
285 " as n bytes more than the tun-mtu size on read\n"
286 " (default TUN=0 TAP=%d).\n"
287 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
288 " from it.\n"
289 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
290 " 'no' -- Never send DF (Don't Fragment) frames\n"
291 " 'maybe' -- Use per-route hints\n"
292 " 'yes' -- Always DF (Don't Fragment)\n"
293 "--mtu-test : Empirically measure and report MTU.\n"
294 #ifdef ENABLE_FRAGMENT
295 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
296 " datagrams are sent which are larger than max bytes.\n"
297 " Adds 4 bytes of overhead per datagram.\n"
298 #endif
299 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
300 " or --fragment max value, whichever is lower.\n"
301 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
302 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
303 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
304 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
305 " can be matched in policy routing and packetfilter rules.\n"
306 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
307 " listening for connections. This allows sending encrypted packets\n"
308 " via a VRF present on the system.\n"
309 #endif
310 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
311 #ifdef ENABLE_MEMSTATS
312 "--memstats file : Write live usage stats to memory mapped binary file.\n"
313 #endif
314 "--mlock : Disable Paging -- ensures key material and tunnel\n"
315 " data will never be written to disk.\n"
316 "--up cmd : Run command cmd after successful tun device open.\n"
317 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
318 " ifconfig-local-ip ifconfig-remote-ip\n"
319 " (pre --user or --group UID/GID change)\n"
320 "--up-delay : Delay tun/tap open and possible --up script execution\n"
321 " until after TCP/UDP connection establishment with peer.\n"
322 "--down cmd : Run command cmd after tun device close.\n"
323 " (post --user/--group UID/GID change and/or --chroot)\n"
324 " (command parameters are same as --up option)\n"
325 "--down-pre : Run --down command before TUN/TAP close.\n"
326 "--up-restart : Run up/down commands for all restarts including those\n"
327 " caused by --ping-restart or SIGUSR1\n"
328 "--user user : Set UID to user after initialization.\n"
329 "--group group : Set GID to group after initialization.\n"
330 "--chroot dir : Chroot to this directory after initialization.\n"
331 #ifdef ENABLE_SELINUX
332 "--setcon context: Apply this SELinux context after initialization.\n"
333 #endif
334 "--cd dir : Change to this directory before initialization.\n"
335 "--daemon [name] : Become a daemon after initialization.\n"
336 " The optional 'name' parameter will be passed\n"
337 " as the program name to the system logger.\n"
338 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
339 " See --daemon above for a description of the 'name' parm.\n"
340 "--log file : Output log to file which is created/truncated on open.\n"
341 "--log-append file : Append log to file, or create file if nonexistent.\n"
342 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
343 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
344 "--writepid file : Write main process ID to file.\n"
345 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
346 "--echo [parms ...] : Echo parameters to log output.\n"
347 "--verb n : Set output verbosity to n (default=%d):\n"
348 " (Level 3 is recommended if you want a good summary\n"
349 " of what's happening without being swamped by output).\n"
350 " : 0 -- no output except fatal errors\n"
351 " : 1 -- startup info + connection initiated messages +\n"
352 " non-fatal encryption & net errors\n"
353 " : 2,3 -- show TLS negotiations & route info\n"
354 " : 4 -- show parameters\n"
355 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
356 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
357 " : 6 to 11 -- debug messages of increasing verbosity\n"
358 "--mute n : Log at most n consecutive messages in the same category.\n"
359 "--status file [n] : Write operational status to file every n seconds.\n"
360 "--status-version [n] : Choose the status file format version number.\n"
361 " Currently, n can be 1, 2, or 3 (default=1).\n"
362 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
363 #ifdef ENABLE_DEBUG
364 "--gremlin mask : Special stress testing mode (for debugging only).\n"
365 #endif
366 #if defined(USE_COMP)
367 "--compress alg : Use compression algorithm alg\n"
368 "--allow-compression: Specify whether compression should be allowed\n"
369 #if defined(ENABLE_LZO)
370 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
371 " packet for incompressible data.\n"
372 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
373 " is specified.\n"
374 #endif
375 #endif
376 #ifdef ENABLE_MANAGEMENT
377 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
378 " management functions. pass is a password file\n"
379 " or 'stdin' to prompt from console.\n"
380 #if UNIX_SOCK_SUPPORT
381 " To listen on a unix domain socket, specific the pathname\n"
382 " in place of ip and use 'unix' as the port number.\n"
383 #endif
384 "--management-client : Management interface will connect as a TCP client to\n"
385 " ip/port rather than listen as a TCP server.\n"
386 "--management-query-passwords : Query management channel for private key\n"
387 " and auth-user-pass passwords.\n"
388 "--management-query-proxy : Query management channel for proxy information.\n"
389 "--management-query-remote : Query management channel for --remote directive.\n"
390 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
391 " of the management interface explicitly starts it.\n"
392 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
393 "--management-forget-disconnect : Forget passwords when management disconnect\n"
394 " event occurs.\n"
395 "--management-up-down : Report tunnel up/down events to management interface.\n"
396 "--management-log-cache n : Cache n lines of log file history for usage\n"
397 " by the management channel.\n"
398 #if UNIX_SOCK_SUPPORT
399 "--management-client-user u : When management interface is a unix socket, only\n"
400 " allow connections from user u.\n"
401 "--management-client-group g : When management interface is a unix socket, only\n"
402 " allow connections from group g.\n"
403 #endif
404 "--management-client-auth : gives management interface client the responsibility\n"
405 " to authenticate clients after their client certificate\n"
406 " has been verified.\n"
407 #endif /* ifdef ENABLE_MANAGEMENT */
408 #ifdef ENABLE_PLUGIN
409 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
410 " to its initialization function.\n"
411 #endif
412 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
413 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
414 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
415 "\n"
416 "Multi-Client Server options (when --mode server is used):\n"
417 "--server network netmask : Helper option to easily configure server mode.\n"
418 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
419 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
420 " easily configure ethernet bridging server mode.\n"
421 "--push \"option\" : Push a config file option back to the peer for remote\n"
422 " execution. Peer must specify --pull in its config file.\n"
423 "--push-reset : Don't inherit global push list for specific\n"
424 " client instance.\n"
425 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
426 " a specific client instance.\n"
427 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
428 " to be dynamically allocated to connecting clients.\n"
429 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
430 " data to file, at seconds intervals (default=600).\n"
431 " If seconds=0, file will be treated as read-only.\n"
432 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
433 " to be dynamically allocated to connecting clients.\n"
434 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
435 " overrides --ifconfig-pool dynamic allocation.\n"
436 " Only valid in a client-specific config file.\n"
437 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
438 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
439 " Only valid in a client-specific config file.\n"
440 "--iroute network [netmask] : Route subnet to client.\n"
441 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
442 " Sets up internal routes only.\n"
443 " Only valid in a client-specific config file.\n"
444 "--disable : Client is disabled.\n"
445 " Only valid in a client-specific config file.\n"
446 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
447 " mandatory client certificate verification.\n"
448 " Default is to require the client to supply a certificate.\n"
449 "--username-as-common-name : For auth-user-pass authentication, use\n"
450 " the authenticated username as the common name,\n"
451 " rather than the common name from the client cert.\n"
452 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
453 " run command cmd to verify. If method='via-env', pass\n"
454 " user/pass via environment, if method='via-file', pass\n"
455 " user/pass via temporary file.\n"
456 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
457 " to each client, replacing the password. Useful when\n"
458 " OTP based two-factor auth mechanisms are in use and\n"
459 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
460 " for generated tokens can be set.\n"
461 "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
462 " with those of the server will be disconnected.\n"
463 "--auth-user-pass-optional : Allow connections by clients that don't\n"
464 " specify a username/password.\n"
465 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
466 " any printable character.\n"
467 "--client-to-client : Internally route client-to-client traffic.\n"
468 "--duplicate-cn : Allow multiple clients with the same common name to\n"
469 " concurrently connect.\n"
470 "--client-connect cmd : Run command cmd on client connection.\n"
471 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
472 "--client-config-dir dir : Directory for custom client config files.\n"
473 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
474 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
475 "--hash-size r v : Set the size of the real address hash table to r and the\n"
476 " virtual address table to v.\n"
477 "--bcast-buffers n : Allocate n broadcast buffers.\n"
478 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
479 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
480 " as well as pushes it to connecting clients.\n"
481 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
482 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
483 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
484 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
485 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
486 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
487 " older than n seconds. Run this check every t\n"
488 " seconds (defaults to n).\n"
489 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
490 " clients. n = 1 - reconnect to same server,\n"
491 " 2 - advance to next server, default=1.\n"
492 #if PORT_SHARE
493 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
494 " sessions to a web server at host:port. dir specifies an\n"
495 " optional directory to write origin IP:port data.\n"
496 #endif
497 "\n"
498 "Client options (when connecting to a multi-client server):\n"
499 "--client : Helper option to easily configure client mode.\n"
500 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
501 " up is a file containing the username on the first line,\n"
502 " and a password on the second. If either the password or both\n"
503 " the username and the password are omitted OpenVPN will prompt\n"
504 " for them from console.\n"
505 "--pull : Accept certain config file options from the peer as if they\n"
506 " were part of the local config file. Must be specified\n"
507 " when connecting to a '--mode server' remote host.\n"
508 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
509 " server if it starts with the text t. The action flag accept,\n"
510 " ignore or reject causes the option to be allowed, removed or\n"
511 " rejected with error. May be specified multiple times, and\n"
512 " each filter is applied in the order of appearance.\n"
513 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
514 " Valid options are :\n"
515 " address <addr[:port]> [addr[:port]] : server address 4/6\n"
516 " resolve-domains <domain> [domain ...] : split domains\n"
517 " exclude-domains <domain> [domain ...] : domains not to resolve\n"
518 " dnssec <yes|no|optional> : option to use DNSSEC\n"
519 " type <DoH|DoT> : query server over HTTPS / TLS\n"
520 " sni <domain> : DNS server name indication\n"
521 "--dns search-domains <domain> [domain ...]:\n"
522 " Add domains to DNS domain search list\n"
523 "--auth-retry t : How to handle auth failures. Set t to\n"
524 " none (default), interact, or nointeract.\n"
525 "--static-challenge t e : Enable static challenge/response protocol using\n"
526 " challenge text t, with e indicating echo flag (0|1)\n"
527 "--connect-timeout n : when polling possible remote servers to connect to\n"
528 " in a round-robin fashion, spend no more than n seconds\n"
529 " waiting for a response before trying the next server.\n"
530 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
531 " incoming tun packets with same destination as host.\n"
532 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
533 " server/remote. n = # of retries, default=1.\n"
534 "\n"
535 "Data Channel Encryption Options (must be compatible between peers):\n"
536 "(These options are meaningful for both Static Key & TLS-mode)\n"
537 "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
538 " Use shared secret file f, generate with --genkey.\n"
539 " The optional d parameter controls key directionality.\n"
540 " If d is specified, use separate keys for each\n"
541 " direction, set d=0 on one side of the connection,\n"
542 " and d=1 on the other side.\n"
543 "--auth alg : Authenticate packets with HMAC using message\n"
544 " digest algorithm alg (default=%s).\n"
545 " (usually adds 16 or 20 bytes per packet)\n"
546 " Set alg=none to disable authentication.\n"
547 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
548 " You should usually use --data-ciphers instead.\n"
549 " Set alg=none to disable encryption.\n"
550 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
551 #ifndef ENABLE_CRYPTO_MBEDTLS
552 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
553 #endif
554 "--no-replay : (DEPRECATED) Disable replay protection.\n"
555 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
556 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
557 " and a time window of t seconds.\n"
558 " Default n=%d t=%d\n"
559 "--replay-persist file : Persist replay-protection state across sessions\n"
560 " using file.\n"
561 "--test-crypto : Run a self-test of crypto features enabled.\n"
562 " For debugging only.\n"
563 #ifdef ENABLE_PREDICTION_RESISTANCE
564 "--use-prediction-resistance: Enable prediction resistance on the random\n"
565 " number generator.\n"
566 #endif
567 "\n"
568 "TLS Key Negotiation Options:\n"
569 "(These options are meaningful only for TLS-mode)\n"
570 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
571 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
572 "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
573 " number, such as 1 (default), 2, etc.\n"
574 "--ca file : Certificate authority file in .pem format containing\n"
575 " root certificate.\n"
576 #ifndef ENABLE_CRYPTO_MBEDTLS
577 "--capath dir : A directory of trusted certificates (CAs"
578 " and CRLs).\n"
579 #endif /* ENABLE_CRYPTO_MBEDTLS */
580 "--dh file : File containing Diffie Hellman parameters\n"
581 " in .pem format (for --tls-server only).\n"
582 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
583 "--cert file : Local certificate in .pem format -- must be signed\n"
584 " by a Certificate Authority in --ca file.\n"
585 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
586 "--key file : Local private key in .pem format.\n"
587 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
588 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
589 " is specified, require max TLS version supported by SSL implementation.\n"
590 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
591 #ifndef ENABLE_CRYPTO_MBEDTLS
592 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
593 " and optionally the root CA certificate.\n"
594 #endif
595 #ifdef ENABLE_X509ALTUSERNAME
596 "--x509-username-field : Field in x509 certificate containing the username.\n"
597 " Default is CN in the Subject field.\n"
598 #endif
599 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
600 " Valid algo flags are SHA1 and SHA256. \n"
601 #ifdef _WIN32
602 "--cryptoapicert select-string : Load the certificate and private key from the\n"
603 " Windows Certificate System Store.\n"
604 #endif
605 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
606 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
607 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
608 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
609 " (default=legacy).\n"
610 "--providers l : A list l of OpenSSL providers to load.\n"
611 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
612 " if no ACK from remote within n seconds (default=%d).\n"
613 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
614 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
615 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
616 " and at least min (defaults to 90%% of max on servers and equal\n"
617 " to max on clients).\n"
618 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
619 " of handshake initiation by any peer (default=%d).\n"
620 "--tran-window n : Transition window -- old key can live this many seconds\n"
621 " after new key renegotiation begins (default=%d).\n"
622 "--single-session: Allow only one session (reset state on restart).\n"
623 "--tls-exit : Exit on TLS negotiation failure.\n"
624 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
625 " control channel to protect against attacks on the TLS stack\n"
626 " and DoS attacks.\n"
627 " f (required) is a shared-secret key file.\n"
628 " The optional d parameter controls key directionality,\n"
629 " see --secret option for more info.\n"
630 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
631 " of the TLS control channel to hide the TLS certificate,\n"
632 " provide basic post-quantum security and protect against\n"
633 " attacks on the TLS stack and DoS attacks.\n"
634 " key (required) provides the pre-shared key file.\n"
635 " see --secret option for more info.\n"
636 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
637 " For servers: use key to decrypt client-specific keys. For\n"
638 " key generation (--genkey tls-crypt-v2-client): use key to\n"
639 " encrypt generated client-specific key. (See --tls-crypt.)\n"
640 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
641 " fresh tls-crypt-v2 client key, and store to\n"
642 " keyfile. If supplied, include metadata in wrapped key.\n"
643 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
644 " fresh tls-crypt-v2 server key, and store to keyfile\n"
645 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
646 " client-supplied tls-crypt-v2 client key\n"
647 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
648 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
649 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
650 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
651 " pending TLS connection that has otherwise passed all other\n"
652 " tests of certification. cmd should return 0 to allow\n"
653 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
654 " executed as 'cmd certificate_depth subject')\n"
655 "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
656 " in an openvpn temporary file in [directory]. Peer cert is \n"
657 " stored before tls-verify script execution and deleted after.\n"
658 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
659 " DN name. The remote host must also pass all other tests\n"
660 " of verification.\n"
661 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
662 " an explicit nsCertType designation t = 'client' | 'server'.\n"
663 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
664 " plugins and management interface.\n"
665 #ifdef HAVE_EXPORT_KEYING_MATERIAL
666 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
667 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
668 #endif
669 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
670 " explicit key usage, you can specify more than one value.\n"
671 " value should be given in hex format.\n"
672 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
673 " explicit extended key usage. Extended key usage can be encoded\n"
674 " as an object identifier or OpenSSL string representation.\n"
675 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
676 " key usage and extended key usage based on RFC3280 TLS rules.\n"
677 " t = 'client' | 'server'.\n"
678 #ifdef ENABLE_PKCS11
679 "\n"
680 "PKCS#11 Options:\n"
681 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
682 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
683 " path. Set for each provider.\n"
684 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
685 " 0 : Try to determine automatically (default).\n"
686 " 1 : Use Sign.\n"
687 " 2 : Use SignRecover.\n"
688 " 4 : Use Decrypt.\n"
689 " 8 : Use Unwrap.\n"
690 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
691 " certificate can be accessed. Set for each provider.\n"
692 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
693 " cache until token is removed.\n"
694 "--pkcs11-id-management : Acquire identity from management interface.\n"
695 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
696 #endif /* ENABLE_PKCS11 */
697 "\n"
698 "SSL Library information:\n"
699 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
700 "--show-digests : Show message digest algorithms to use with --auth option.\n"
701 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
702 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
703 #ifdef _WIN32
704 "\n"
705 "Windows Specific:\n"
706 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
707 " from SystemRoot environment variable.\n"
708 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
709 " IP address using method = manual, netsh, ipapi,\n"
710 " dynamic, or adaptive (default = adaptive).\n"
711 " Dynamic method allows two optional parameters:\n"
712 " offset: DHCP server address offset (> -256 and < 256).\n"
713 " If 0, use network address, if >0, take nth\n"
714 " address forward from network address, if <0,\n"
715 " take nth address backward from broadcast\n"
716 " address.\n"
717 " Default is 0.\n"
718 " lease-time: Lease time in seconds.\n"
719 " Default is one year.\n"
720 "--route-method : Which method to use for adding routes on Windows?\n"
721 " adaptive (default) -- Try ipapi then fall back to exe.\n"
722 " ipapi -- Use IP helper API.\n"
723 " exe -- Call the route.exe shell command.\n"
724 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
725 " be used with --ip-win32 dynamic. For options\n"
726 " which allow multiple addresses,\n"
727 " --dhcp-option must be repeated.\n"
728 " DOMAIN name : Set DNS suffix\n"
729 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
730 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
731 " NTP : Set NTP server address(es)\n"
732 " NBDD : Set NBDD server address(es)\n"
733 " WINS addr : Set WINS server address(es)\n"
734 " NBT type : Set NetBIOS over TCP/IP Node type\n"
735 " 1: B, 2: P, 4: M, 8: H\n"
736 " NBS id : Set NetBIOS scope ID\n"
737 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
738 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
739 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
740 " startup.\n"
741 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
742 " on connection initiation.\n"
743 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
744 " attempting to set adapter properties.\n"
745 "--pause-exit : When run from a console window, pause before exiting.\n"
746 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
747 " service, and should not be used directly by end-users.\n"
748 " ex is the name of an event object which, when\n"
749 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
750 " optional parameter controls the initial state of ex.\n"
751 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
752 " after TAP adapter is up and routes have been added.\n"
753 "--windows-driver : Which tun driver to use?\n"
754 " ovpn-dco (default)\n"
755 " tap-windows6\n"
756 " wintun\n"
757 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
758 "Windows Standalone Options:\n"
759 "\n"
760 "--show-adapters : Show all TAP-Windows adapters.\n"
761 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
762 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
763 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
764 " to access TAP adapter.\n"
765 #endif /* ifdef _WIN32 */
766 "\n"
767 "Generate a new key :\n"
768 "--genkey secret file : Generate a new random key of type and write to file\n"
769 " (for use with --secret, --tls-auth or --tls-crypt)."
770 #ifdef ENABLE_FEATURE_TUN_PERSIST
771 "\n"
772 "Tun/tap config mode (available with linux 2.4+):\n"
773 "--mktun : Create a persistent tunnel.\n"
774 "--rmtun : Remove a persistent tunnel.\n"
775 "--dev tunX|tapX : tun/tap device\n"
776 "--dev-type dt : Device type. See tunnel options above for details.\n"
777 "--user user : User to set privilege to.\n"
778 "--group group : Group to set privilege to.\n"
779 #endif
780 #ifdef ENABLE_PKCS11
781 "\n"
782 "PKCS#11 standalone options:\n"
783 #ifdef DEFAULT_PKCS11_MODULE
784 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
785 #else
786 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
787 #endif
788 " --verb option can be added *BEFORE* this.\n"
789 #endif /* ENABLE_PKCS11 */
790 "\n"
791 "General Standalone Options:\n"
792 #ifdef ENABLE_DEBUG
793 "--show-gateway : Show info about default gateway.\n"
794 #endif
795 ;
796
797 #endif /* !ENABLE_SMALL */
798
799 /*
800 * This is where the options defaults go.
801 * Any option not explicitly set here
802 * will be set to 0.
803 */
804 void
805 init_options(struct options *o, const bool init_gc)
806 {
807 CLEAR(*o);
808 if (init_gc)
809 {
810 gc_init(&o->gc);
811 gc_init(&o->dns_options.gc);
812 o->gc_owned = true;
813 }
814 o->mode = MODE_POINT_TO_POINT;
815 o->topology = TOP_NET30;
816 o->ce.proto = PROTO_UDP;
817 o->ce.af = AF_UNSPEC;
818 o->ce.bind_ipv6_only = false;
819 o->ce.connect_retry_seconds = 1;
820 o->ce.connect_retry_seconds_max = 300;
821 o->ce.connect_timeout = 120;
822 o->connect_retry_max = 0;
823 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
824 o->verbosity = 1;
825 o->status_file_update_freq = 60;
826 o->status_file_version = 1;
827 o->ce.bind_local = true;
828 o->ce.tun_mtu = TUN_MTU_DEFAULT;
829 o->ce.occ_mtu = 0;
830 o->ce.link_mtu = LINK_MTU_DEFAULT;
831 o->ce.tls_mtu = TLS_MTU_DEFAULT;
832 o->ce.mtu_discover_type = -1;
833 o->ce.mssfix = 0;
834 o->ce.mssfix_default = true;
835 o->ce.mssfix_encap = true;
836 o->route_delay_window = 30;
837 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
838 o->resolve_in_advance = false;
839 o->proto_force = -1;
840 o->occ = true;
841 #ifdef ENABLE_MANAGEMENT
842 o->management_log_history_cache = 250;
843 o->management_echo_buffer_size = 100;
844 o->management_state_buffer_size = 100;
845 #endif
846 #ifdef ENABLE_FEATURE_TUN_PERSIST
847 o->persist_mode = 1;
848 #endif
849 #ifdef _WIN32
850 #if 0
851 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
852 #else
853 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
854 #endif
855 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
856 o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
857 o->route_method = ROUTE_METHOD_ADAPTIVE;
858 o->block_outside_dns = false;
859 o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
860 #endif
861 o->vlan_accept = VLAN_ALL;
862 o->vlan_pvid = 1;
863 o->real_hash_size = 256;
864 o->virtual_hash_size = 256;
865 o->n_bcast_buf = 256;
866 o->tcp_queue_limit = 64;
867 o->max_clients = 1024;
868 o->cf_initial_per = 10;
869 o->cf_initial_max = 100;
870 o->max_routes_per_client = 256;
871 o->stale_routes_check_interval = 0;
872 o->ifconfig_pool_persist_refresh_freq = 600;
873 o->scheduled_exit_interval = 5;
874 o->authname = "SHA1";
875 o->replay = true;
876 o->replay_window = DEFAULT_SEQ_BACKTRACK;
877 o->replay_time = DEFAULT_TIME_BACKTRACK;
878 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
879 #ifdef ENABLE_PREDICTION_RESISTANCE
880 o->use_prediction_resistance = false;
881 #endif
882 o->tls_timeout = 2;
883 o->renegotiate_bytes = -1;
884 o->renegotiate_seconds = 3600;
885 o->renegotiate_seconds_min = -1;
886 o->handshake_window = 60;
887 o->transition_window = 3600;
888 o->tls_cert_profile = NULL;
889 o->ecdh_curve = NULL;
890 #ifdef ENABLE_X509ALTUSERNAME
891 o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
892 #endif
893 #ifdef ENABLE_PKCS11
894 o->pkcs11_pin_cache_period = -1;
895 #endif /* ENABLE_PKCS11 */
896
897 /* P2MP server context features */
898 o->auth_token_generate = false;
899
900 /* Set default --tmp-dir */
901 #ifdef _WIN32
902 /* On Windows, find temp dir via environment variables */
903 o->tmp_dir = win_get_tempdir();
904 #else
905 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
906 o->tmp_dir = getenv("TMPDIR");
907 if (!o->tmp_dir)
908 {
909 o->tmp_dir = "/tmp";
910 }
911 #endif /* _WIN32 */
912 o->allow_recursive_routing = false;
913
914 #ifndef ENABLE_DCO
915 o->tuntap_options.disable_dco = true;
916 #endif /* ENABLE_DCO */
917 }
918
919 void
920 uninit_options(struct options *o)
921 {
922 if (o->connection_list)
923 {
924 CLEAR(*o->connection_list);
925 }
926 if (o->remote_list)
927 {
928 CLEAR(*o->remote_list);
929 }
930 if (o->gc_owned)
931 {
932 gc_free(&o->gc);
933 gc_free(&o->dns_options.gc);
934 }
935 }
936
937 struct pull_filter
938 {
939 #define PUF_TYPE_UNDEF 0 /** undefined filter type */
940 #define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */
941 #define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */
942 #define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */
943 int type;
944 int size;
945 char *pattern;
946 struct pull_filter *next;
947 };
948
949 struct pull_filter_list
950 {
951 struct pull_filter *head;
952 struct pull_filter *tail;
953 };
954
955 #ifndef ENABLE_SMALL
956
957 static const char *
958 pull_filter_type_name(int type)
959 {
960 if (type == PUF_TYPE_ACCEPT)
961 {
962 return "accept";
963 }
964 if (type == PUF_TYPE_IGNORE)
965 {
966 return "ignore";
967 }
968 if (type == PUF_TYPE_REJECT)
969 {
970 return "reject";
971 }
972 else
973 {
974 return "???";
975 }
976 }
977
978 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
979 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
980 #define SHOW_STR_INLINE(var) SHOW_PARM(var, \
981 o->var ## _inline ? "[INLINE]" : \
982 (o->var ? o->var : "[UNDEF]"), \
983 "'%s'")
984 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
985 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
986 #define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
987 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
988 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
989
990 #endif /* ifndef ENABLE_SMALL */
991
992 static void
993 setenv_connection_entry(struct env_set *es,
994 const struct connection_entry *e,
995 const int i)
996 {
997 setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
998 setenv_str_i(es, "local", e->local, i);
999 setenv_str_i(es, "local_port", e->local_port, i);
1000 setenv_str_i(es, "remote", e->remote, i);
1001 setenv_str_i(es, "remote_port", e->remote_port, i);
1002
1003 if (e->http_proxy_options)
1004 {
1005 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
1006 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
1007 }
1008 if (e->socks_proxy_server)
1009 {
1010 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
1011 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
1012 }
1013 }
1014
1015 void
1016 setenv_settings(struct env_set *es, const struct options *o)
1017 {
1018 setenv_str(es, "config", o->config);
1019 setenv_int(es, "verb", o->verbosity);
1020 setenv_int(es, "daemon", o->daemon);
1021 setenv_int(es, "daemon_log_redirect", o->log);
1022 setenv_long_long(es, "daemon_start_time", time(NULL));
1023 setenv_int(es, "daemon_pid", platform_getpid());
1024
1025 if (o->connection_list)
1026 {
1027 int i;
1028 for (i = 0; i < o->connection_list->len; ++i)
1029 {
1030 setenv_connection_entry(es, o->connection_list->array[i], i+1);
1031 }
1032 }
1033 else
1034 {
1035 setenv_connection_entry(es, &o->ce, 1);
1036 }
1037
1038 if (!o->pull)
1039 {
1040 setenv_dns_options(&o->dns_options, es);
1041 }
1042 }
1043
1044 #ifndef _WIN32
1045 static void
1046 setenv_foreign_option(struct options *o, const char *argv[], int len, struct env_set *es)
1047 {
1048 if (len > 0)
1049 {
1050 struct gc_arena gc = gc_new();
1051 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1052 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1053 int i;
1054 bool first = true;
1055 bool good = true;
1056
1057 good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
1058 ++o->foreign_option_index;
1059 for (i = 0; i < len; ++i)
1060 {
1061 if (argv[i])
1062 {
1063 if (!first)
1064 {
1065 good &= buf_printf(&value, " ");
1066 }
1067 good &= buf_printf(&value, "%s", argv[i]);
1068 first = false;
1069 }
1070 }
1071 if (good)
1072 {
1073 setenv_str(es, BSTR(&name), BSTR(&value));
1074 }
1075 else
1076 {
1077 msg(M_WARN, "foreign_option: name/value overflow");
1078 }
1079 gc_free(&gc);
1080 }
1081 }
1082 #endif /* ifndef _WIN32 */
1083
1084 static in_addr_t
1085 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1086 {
1087 unsigned int flags = GETADDR_HOST_ORDER;
1088 bool succeeded = false;
1089 in_addr_t ret;
1090
1091 if (msglevel & M_FATAL)
1092 {
1093 flags |= GETADDR_FATAL;
1094 }
1095
1096 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1097 if (!succeeded && error)
1098 {
1099 *error = true;
1100 }
1101 return ret;
1102 }
1103
1104 /**
1105 * Returns newly allocated string containing address part without "/nn".
1106 *
1107 * If gc != NULL, the allocated memory is registered in the supplied gc.
1108 */
1109 static char *
1110 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1111 {
1112 const char *end = strchr(addr, '/');
1113 char *ret = NULL;
1114 if (NULL == end)
1115 {
1116 ret = string_alloc(addr, gc);
1117 }
1118 else
1119 {
1120 size_t len = end - addr;
1121 ret = gc_malloc(len + 1, true, gc);
1122 memcpy(ret, addr, len);
1123 }
1124 return ret;
1125 }
1126
1127 static bool
1128 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1129 {
1130 struct in6_addr t_addr;
1131 unsigned int t_bits;
1132
1133 return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1134 }
1135
1136 static char *
1137 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1138 {
1139 char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1140 char *dest = ret;
1141 char c;
1142
1143 do
1144 {
1145 c = *src++;
1146 if (c == from)
1147 {
1148 c = to;
1149 }
1150 *dest++ = c;
1151 }
1152 while (c);
1153 return ret;
1154 }
1155
1156 /**
1157 * Parses a hexstring and checks if the string has the correct length. Return
1158 * a verify_hash_list containing the parsed hash string.
1159 *
1160 * @param str String to check/parse
1161 * @param nbytes Number of bytes expected in the hexstr (e.g. 20 for SHA1)
1162 * @param msglevel message level to use when printing warnings/errors
1163 * @param gc The returned object will be allocated in this gc
1164 */
1165 static struct verify_hash_list *
1166 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1167 {
1168 int i = 0;
1169 const char *cp = str;
1170
1171 struct verify_hash_list *ret;
1172 ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1173
1174 char term = 0;
1175 unsigned int byte;
1176
1177 while (*cp && i < nbytes)
1178 {
1179 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1180 if (!isxdigit(cp[0])
1181 || !isxdigit(cp[1])
1182 || (cp[2] != ':' && cp[2] != '\0')
1183 || sscanf(cp, "%x", &byte) != 1)
1184 {
1185 msg(msglevel, "format error in hash fingerprint: %s", str);
1186 break;
1187 }
1188
1189 ret->hash[i++] = (uint8_t)byte;
1190
1191 term = cp[2];
1192 if (term == '\0')
1193 {
1194 break;
1195 }
1196 cp += 3;
1197 }
1198 if (i < nbytes)
1199 {
1200 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1201 }
1202 else if (term != '\0')
1203 {
1204 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1205 }
1206 return ret;
1207 }
1208
1209 /**
1210 * Parses a string consisting of multiple lines of hexstrings and checks if each
1211 * string has the correct length. Empty lines are ignored. Returns
1212 * a linked list of (possibly) multiple verify_hash_list objects.
1213 *
1214 * @param str String to check/parse
1215 * @param nbytes Number of bytes expected in the hexstring (e.g. 20 for SHA1)
1216 * @param msglevel message level to use when printing warnings/errors
1217 * @param gc The returned list items will be allocated in this gc
1218 */
1219 static struct verify_hash_list *
1220 parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1221 struct gc_arena *gc)
1222 {
1223 struct gc_arena gc_temp = gc_new();
1224 char *lines = string_alloc(str, &gc_temp);
1225
1226 struct verify_hash_list *ret = NULL;
1227
1228 const char *line;
1229 while ((line = strsep(&lines, "\n")))
1230 {
1231 /* ignore leading whitespace */
1232 while (isspace(*line))
1233 {
1234 line++;
1235 }
1236 /* skip empty lines and comment lines */
1237 if (strlen(line) == 0 || *line == '#' || *line == ';')
1238 {
1239 continue;
1240 }
1241
1242 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1243 msglevel, gc);
1244
1245 if (!hash)
1246 {
1247 gc_free(&gc_temp);
1248 return NULL;
1249 }
1250
1251 hash->next = ret;
1252 ret = hash;
1253 }
1254 gc_free(&gc_temp);
1255
1256 return ret;
1257 }
1258 #ifdef _WIN32
1259
1260 #ifndef ENABLE_SMALL
1261
1262 static void
1263 show_dhcp_option_list(const char *name, const char *const *array, int len)
1264 {
1265 int i;
1266 for (i = 0; i < len; ++i)
1267 {
1268 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1269 }
1270 }
1271
1272 static void
1273 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1274 {
1275 struct gc_arena gc = gc_new();
1276 int i;
1277 for (i = 0; i < len; ++i)
1278 {
1279 msg(D_SHOW_PARMS, " %s[%d] = %s",
1280 name,
1281 i,
1282 print_in_addr_t(array[i], 0, &gc));
1283 }
1284 gc_free(&gc);
1285 }
1286
1287 static void
1288 show_tuntap_options(const struct tuntap_options *o)
1289 {
1290 SHOW_BOOL(ip_win32_defined);
1291 SHOW_INT(ip_win32_type);
1292 SHOW_INT(dhcp_masq_offset);
1293 SHOW_INT(dhcp_lease_time);
1294 SHOW_INT(tap_sleep);
1295 SHOW_UNSIGNED(dhcp_options);
1296 SHOW_BOOL(dhcp_renew);
1297 SHOW_BOOL(dhcp_pre_release);
1298 SHOW_STR(domain);
1299 SHOW_STR(netbios_scope);
1300 SHOW_INT(netbios_node_type);
1301 SHOW_BOOL(disable_nbt);
1302
1303 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1304 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1305 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1306 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1307 show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1308 }
1309
1310 #endif /* ifndef ENABLE_SMALL */
1311 #endif /* ifdef _WIN32 */
1312
1313 #if defined(_WIN32) || defined(TARGET_ANDROID)
1314 static void
1315 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1316 {
1317 struct in6_addr addr;
1318 if (*len >= N_DHCP_ADDR)
1319 {
1320 msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1321 N_DHCP_ADDR);
1322 }
1323 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1324 {
1325 dns6_list[(*len)++] = addr;
1326 }
1327 }
1328 static void
1329 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1330 {
1331 if (*len >= N_DHCP_ADDR)
1332 {
1333 msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1334 name,
1335 N_DHCP_ADDR,
1336 name);
1337 }
1338 else
1339 {
1340 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1341 {
1342 bool error = false;
1343 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1344 if (!error)
1345 {
1346 array[(*len)++] = addr;
1347 }
1348 }
1349 else
1350 {
1351 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1352 }
1353 }
1354 }
1355
1356 /*
1357 * If DNS options are set use these for TUN/TAP options as well.
1358 * Applies to DNS, DNS6 and DOMAIN-SEARCH.
1359 * Existing options will be discarded.
1360 */
1361 static void
1362 tuntap_options_copy_dns(struct options *o)
1363 {
1364 struct tuntap_options *tt = &o->tuntap_options;
1365 struct dns_options *dns = &o->dns_options;
1366
1367 if (dns->search_domains)
1368 {
1369 tt->domain_search_list_len = 0;
1370 const struct dns_domain *domain = dns->search_domains;
1371 while (domain && tt->domain_search_list_len < N_SEARCH_LIST_LEN)
1372 {
1373 tt->domain_search_list[tt->domain_search_list_len++] = domain->name;
1374 domain = domain->next;
1375 }
1376 if (domain)
1377 {
1378 msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to --dhcp-option");
1379 }
1380 }
1381
1382 if (dns->servers)
1383 {
1384 tt->dns_len = 0;
1385 tt->dns6_len = 0;
1386 bool overflow = false;
1387 const struct dns_server *server = dns->servers;
1388 while (server)
1389 {
1390 if (server->addr4_defined && tt->dns_len < N_DHCP_ADDR)
1391 {
1392 tt->dns[tt->dns_len++] = server->addr4.s_addr;
1393 }
1394 else
1395 {
1396 overflow = true;
1397 }
1398 if (server->addr6_defined && tt->dns6_len < N_DHCP_ADDR)
1399 {
1400 tt->dns6[tt->dns6_len++] = server->addr6;
1401 }
1402 else
1403 {
1404 overflow = true;
1405 }
1406 server = server->next;
1407 }
1408 if (overflow)
1409 {
1410 msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to --dhcp-option");
1411 }
1412 }
1413 }
1414 #else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1415 static void
1416 foreign_options_copy_dns(struct options *o, struct env_set *es)
1417 {
1418 const struct dns_domain *domain = o->dns_options.search_domains;
1419 const struct dns_server *server = o->dns_options.servers;
1420 if (!domain && !server)
1421 {
1422 return;
1423 }
1424
1425 /* reset the index since we're starting all over again */
1426 int opt_max = o->foreign_option_index;
1427 o->foreign_option_index = 0;
1428
1429 for (int i = 1; i <= opt_max; ++i)
1430 {
1431 char name[32];
1432 openvpn_snprintf(name, sizeof(name), "foreign_option_%d", i);
1433
1434 const char *env_str = env_set_get(es, name);
1435 const char *value = strchr(env_str, '=') + 1;
1436 if ((domain && strstr(value, "dhcp-option DOMAIN-SEARCH") == value)
1437 || (server && strstr(value, "dhcp-option DNS") == value))
1438 {
1439 setenv_del(es, name);
1440 }
1441 else
1442 {
1443 setenv_foreign_option(o, &value, 1, es);
1444 }
1445 }
1446
1447 struct gc_arena gc = gc_new();
1448
1449 while (server)
1450 {
1451 if (server->addr4_defined)
1452 {
1453 const char *argv[] = {
1454 "dhcp-option",
1455 "DNS",
1456 print_in_addr_t(server->addr4.s_addr, 0, &gc)
1457 };
1458 setenv_foreign_option(o, argv, 3, es);
1459 }
1460 if (server->addr6_defined)
1461 {
1462 const char *argv[] = {
1463 "dhcp-option",
1464 "DNS6",
1465 print_in6_addr(server->addr6, 0, &gc)
1466 };
1467 setenv_foreign_option(o, argv, 3, es);
1468 }
1469 server = server->next;
1470 }
1471 while (domain)
1472 {
1473 const char *argv[] = { "dhcp-option", "DOMAIN-SEARCH", domain->name };
1474 setenv_foreign_option(o, argv, 3, es);
1475 domain = domain->next;
1476 }
1477
1478 gc_free(&gc);
1479
1480 /* remove old leftover entries */
1481 while (o->foreign_option_index < opt_max)
1482 {
1483 char name[32];
1484 openvpn_snprintf(name, sizeof(name), "foreign_option_%d", opt_max--);
1485 setenv_del(es, name);
1486 }
1487 }
1488 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1489
1490 #ifndef ENABLE_SMALL
1491 static const char *
1492 print_vlan_accept(enum vlan_acceptable_frames mode)
1493 {
1494 switch (mode)
1495 {
1496 case VLAN_ONLY_TAGGED:
1497 return "tagged";
1498
1499 case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1500 return "untagged";
1501
1502 case VLAN_ALL:
1503 return "all";
1504 }
1505 return NULL;
1506 }
1507
1508 static void
1509 show_p2mp_parms(const struct options *o)
1510 {
1511 struct gc_arena gc = gc_new();
1512
1513 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1514 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1515 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1516 SHOW_INT(server_netbits_ipv6);
1517 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1518 msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1519 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1520 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1521 if (o->push_list.head)
1522 {
1523 const struct push_entry *e = o->push_list.head;
1524 while (e)
1525 {
1526 if (e->enable)
1527 {
1528 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1529 }
1530 e = e->next;
1531 }
1532 }
1533 SHOW_BOOL(ifconfig_pool_defined);
1534 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1535 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1536 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1537 SHOW_STR(ifconfig_pool_persist_filename);
1538 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1539 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1540 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1541 SHOW_INT(ifconfig_ipv6_pool_netbits);
1542 SHOW_INT(n_bcast_buf);
1543 SHOW_INT(tcp_queue_limit);
1544 SHOW_INT(real_hash_size);
1545 SHOW_INT(virtual_hash_size);
1546 SHOW_STR(client_connect_script);
1547 SHOW_STR(learn_address_script);
1548 SHOW_STR(client_disconnect_script);
1549 SHOW_STR(client_crresponse_script);
1550 SHOW_STR(client_config_dir);
1551 SHOW_BOOL(ccd_exclusive);
1552 SHOW_STR(tmp_dir);
1553 SHOW_BOOL(push_ifconfig_defined);
1554 msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1555 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1556 SHOW_BOOL(push_ifconfig_ipv6_defined);
1557 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1558 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1559 SHOW_BOOL(enable_c2c);
1560 SHOW_BOOL(duplicate_cn);
1561 SHOW_INT(cf_max);
1562 SHOW_INT(cf_per);
1563 SHOW_INT(cf_initial_max);
1564 SHOW_INT(cf_initial_per);
1565 SHOW_INT(max_clients);
1566 SHOW_INT(max_routes_per_client);
1567 SHOW_STR(auth_user_pass_verify_script);
1568 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1569 SHOW_BOOL(auth_token_generate);
1570 SHOW_INT(auth_token_lifetime);
1571 SHOW_STR_INLINE(auth_token_secret_file);
1572 #if PORT_SHARE
1573 SHOW_STR(port_share_host);
1574 SHOW_STR(port_share_port);
1575 #endif
1576 SHOW_BOOL(vlan_tagging);
1577 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1578 SHOW_INT(vlan_pvid);
1579
1580 SHOW_BOOL(client);
1581 SHOW_BOOL(pull);
1582 SHOW_STR_INLINE(auth_user_pass_file);
1583
1584 gc_free(&gc);
1585 }
1586
1587 #endif /* ! ENABLE_SMALL */
1588
1589 static void
1590 option_iroute(struct options *o,
1591 const char *network_str,
1592 const char *netmask_str,
1593 int msglevel)
1594 {
1595 struct iroute *ir;
1596
1597 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1598 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1599 ir->netbits = 32; /* host route if no netmask given */
1600
1601 if (netmask_str)
1602 {
1603 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1604 ir->netbits = netmask_to_netbits2(netmask);
1605
1606 if (ir->netbits < 0)
1607 {
1608 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1609 network_str,
1610 netmask_str);
1611 return;
1612 }
1613 }
1614
1615 ir->next = o->iroutes;
1616 o->iroutes = ir;
1617 }
1618
1619 static void
1620 option_iroute_ipv6(struct options *o,
1621 const char *prefix_str,
1622 int msglevel)
1623 {
1624 struct iroute_ipv6 *ir;
1625
1626 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1627
1628 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1629 {
1630 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1631 prefix_str);
1632 return;
1633 }
1634
1635 ir->next = o->iroutes_ipv6;
1636 o->iroutes_ipv6 = ir;
1637 }
1638
1639 #ifndef ENABLE_SMALL
1640 static void
1641 show_http_proxy_options(const struct http_proxy_options *o)
1642 {
1643 int i;
1644 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1645 SHOW_STR(server);
1646 SHOW_STR(port);
1647 SHOW_STR(auth_method_string);
1648 SHOW_STR(auth_file);
1649 SHOW_STR(http_version);
1650 SHOW_STR(user_agent);
1651 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1652 {
1653 if (o->custom_headers[i].content)
1654 {
1655 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1656 o->custom_headers[i].name, o->custom_headers[i].content);
1657 }
1658 else
1659 {
1660 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1661 o->custom_headers[i].name);
1662 }
1663 }
1664 msg(D_SHOW_PARMS, "END http_proxy");
1665 }
1666 #endif /* ifndef ENABLE_SMALL */
1667
1668 void
1669 options_detach(struct options *o)
1670 {
1671 gc_detach(&o->gc);
1672 o->routes = NULL;
1673 o->client_nat = NULL;
1674 clone_push_list(o);
1675 }
1676
1677 void
1678 rol_check_alloc(struct options *options)
1679 {
1680 if (!options->routes)
1681 {
1682 options->routes = new_route_option_list(&options->gc);
1683 }
1684 }
1685
1686 static void
1687 rol6_check_alloc(struct options *options)
1688 {
1689 if (!options->routes_ipv6)
1690 {
1691 options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1692 }
1693 }
1694
1695 static void
1696 cnol_check_alloc(struct options *options)
1697 {
1698 if (!options->client_nat)
1699 {
1700 options->client_nat = new_client_nat_list(&options->gc);
1701 }
1702 }
1703
1704 #ifndef ENABLE_SMALL
1705 static void
1706 show_connection_entry(const struct connection_entry *o)
1707 {
1708 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1709 SHOW_STR(local);
1710 SHOW_STR(local_port);
1711 SHOW_STR(remote);
1712 SHOW_STR(remote_port);
1713 SHOW_BOOL(remote_float);
1714 SHOW_BOOL(bind_defined);
1715 SHOW_BOOL(bind_local);
1716 SHOW_BOOL(bind_ipv6_only);
1717 SHOW_INT(connect_retry_seconds);
1718 SHOW_INT(connect_timeout);
1719
1720 if (o->http_proxy_options)
1721 {
1722 show_http_proxy_options(o->http_proxy_options);
1723 }
1724 SHOW_STR(socks_proxy_server);
1725 SHOW_STR(socks_proxy_port);
1726 SHOW_INT(tun_mtu);
1727 SHOW_BOOL(tun_mtu_defined);
1728 SHOW_INT(link_mtu);
1729 SHOW_BOOL(link_mtu_defined);
1730 SHOW_INT(tun_mtu_extra);
1731 SHOW_BOOL(tun_mtu_extra_defined);
1732 SHOW_INT(tls_mtu);
1733
1734 SHOW_INT(mtu_discover_type);
1735
1736 #ifdef ENABLE_FRAGMENT
1737 SHOW_INT(fragment);
1738 #endif
1739 SHOW_INT(mssfix);
1740 SHOW_BOOL(mssfix_encap);
1741 SHOW_BOOL(mssfix_fixed);
1742
1743 SHOW_INT(explicit_exit_notification);
1744
1745 SHOW_STR_INLINE(tls_auth_file);
1746 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1747 "%s");
1748 SHOW_STR_INLINE(tls_crypt_file);
1749 SHOW_STR_INLINE(tls_crypt_v2_file);
1750 }
1751
1752
1753 static void
1754 show_connection_entries(const struct options *o)
1755 {
1756 if (o->connection_list)
1757 {
1758 const struct connection_list *l = o->connection_list;
1759 int i;
1760 for (i = 0; i < l->len; ++i)
1761 {
1762 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1763 show_connection_entry(l->array[i]);
1764 }
1765 }
1766 else
1767 {
1768 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1769 show_connection_entry(&o->ce);
1770 }
1771 msg(D_SHOW_PARMS, "Connection profiles END");
1772 }
1773
1774 static void
1775 show_pull_filter_list(const struct pull_filter_list *l)
1776 {
1777 struct pull_filter *f;
1778 if (!l)
1779 {
1780 return;
1781 }
1782
1783 msg(D_SHOW_PARMS, " Pull filters:");
1784 for (f = l->head; f; f = f->next)
1785 {
1786 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1787 }
1788 }
1789
1790 #endif /* ifndef ENABLE_SMALL */
1791
1792 void
1793 show_settings(const struct options *o)
1794 {
1795 #ifndef ENABLE_SMALL
1796 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1797
1798 SHOW_STR(config);
1799
1800 SHOW_INT(mode);
1801
1802 #ifdef ENABLE_FEATURE_TUN_PERSIST
1803 SHOW_BOOL(persist_config);
1804 SHOW_INT(persist_mode);
1805 #endif
1806
1807 SHOW_BOOL(show_ciphers);
1808 SHOW_BOOL(show_digests);
1809 SHOW_BOOL(show_engines);
1810 SHOW_BOOL(genkey);
1811 SHOW_STR(genkey_filename);
1812 SHOW_STR(key_pass_file);
1813 SHOW_BOOL(show_tls_ciphers);
1814
1815 SHOW_INT(connect_retry_max);
1816 show_connection_entries(o);
1817
1818 SHOW_BOOL(remote_random);
1819
1820 SHOW_STR(ipchange);
1821 SHOW_STR(dev);
1822 SHOW_STR(dev_type);
1823 SHOW_STR(dev_node);
1824 #if defined(ENABLE_DCO)
1825 SHOW_BOOL(tuntap_options.disable_dco);
1826 #endif
1827 SHOW_STR(lladdr);
1828 SHOW_INT(topology);
1829 SHOW_STR(ifconfig_local);
1830 SHOW_STR(ifconfig_remote_netmask);
1831 SHOW_BOOL(ifconfig_noexec);
1832 SHOW_BOOL(ifconfig_nowarn);
1833 SHOW_STR(ifconfig_ipv6_local);
1834 SHOW_INT(ifconfig_ipv6_netbits);
1835 SHOW_STR(ifconfig_ipv6_remote);
1836
1837 SHOW_INT(shaper);
1838 SHOW_INT(mtu_test);
1839
1840 SHOW_BOOL(mlock);
1841
1842 SHOW_INT(keepalive_ping);
1843 SHOW_INT(keepalive_timeout);
1844 SHOW_INT(inactivity_timeout);
1845 SHOW_INT(session_timeout);
1846 SHOW_INT64(inactivity_minimum_bytes);
1847 SHOW_INT(ping_send_timeout);
1848 SHOW_INT(ping_rec_timeout);
1849 SHOW_INT(ping_rec_timeout_action);
1850 SHOW_BOOL(ping_timer_remote);
1851 SHOW_INT(remap_sigusr1);
1852 SHOW_BOOL(persist_tun);
1853 SHOW_BOOL(persist_local_ip);
1854 SHOW_BOOL(persist_remote_ip);
1855 SHOW_BOOL(persist_key);
1856
1857 #if PASSTOS_CAPABILITY
1858 SHOW_BOOL(passtos);
1859 #endif
1860
1861 SHOW_INT(resolve_retry_seconds);
1862 SHOW_BOOL(resolve_in_advance);
1863
1864 SHOW_STR(username);
1865 SHOW_STR(groupname);
1866 SHOW_STR(chroot_dir);
1867 SHOW_STR(cd_dir);
1868 #ifdef ENABLE_SELINUX
1869 SHOW_STR(selinux_context);
1870 #endif
1871 SHOW_STR(writepid);
1872 SHOW_STR(up_script);
1873 SHOW_STR(down_script);
1874 SHOW_BOOL(down_pre);
1875 SHOW_BOOL(up_restart);
1876 SHOW_BOOL(up_delay);
1877 SHOW_BOOL(daemon);
1878 SHOW_BOOL(log);
1879 SHOW_BOOL(suppress_timestamps);
1880 SHOW_BOOL(machine_readable_output);
1881 SHOW_INT(nice);
1882 SHOW_INT(verbosity);
1883 SHOW_INT(mute);
1884 #ifdef ENABLE_DEBUG
1885 SHOW_INT(gremlin);
1886 #endif
1887 SHOW_STR(status_file);
1888 SHOW_INT(status_file_version);
1889 SHOW_INT(status_file_update_freq);
1890
1891 SHOW_BOOL(occ);
1892 SHOW_INT(rcvbuf);
1893 SHOW_INT(sndbuf);
1894 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1895 SHOW_INT(mark);
1896 #endif
1897 SHOW_INT(sockflags);
1898
1899 SHOW_BOOL(fast_io);
1900
1901 #ifdef USE_COMP
1902 SHOW_INT(comp.alg);
1903 SHOW_INT(comp.flags);
1904 #endif
1905
1906 SHOW_STR(route_script);
1907 SHOW_STR(route_default_gateway);
1908 SHOW_INT(route_default_metric);
1909 SHOW_BOOL(route_noexec);
1910 SHOW_INT(route_delay);
1911 SHOW_INT(route_delay_window);
1912 SHOW_BOOL(route_delay_defined);
1913 SHOW_BOOL(route_nopull);
1914 SHOW_BOOL(route_gateway_via_dhcp);
1915 SHOW_BOOL(allow_pull_fqdn);
1916 show_pull_filter_list(o->pull_filter_list);
1917
1918 if (o->routes)
1919 {
1920 print_route_options(o->routes, D_SHOW_PARMS);
1921 }
1922
1923 if (o->client_nat)
1924 {
1925 print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1926 }
1927
1928 show_dns_options(&o->dns_options);
1929
1930 #ifdef ENABLE_MANAGEMENT
1931 SHOW_STR(management_addr);
1932 SHOW_STR(management_port);
1933 SHOW_STR(management_user_pass);
1934 SHOW_INT(management_log_history_cache);
1935 SHOW_INT(management_echo_buffer_size);
1936 SHOW_STR(management_client_user);
1937 SHOW_STR(management_client_group);
1938 SHOW_INT(management_flags);
1939 #endif
1940 #ifdef ENABLE_PLUGIN
1941 if (o->plugin_list)
1942 {
1943 plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1944 }
1945 #endif
1946
1947 SHOW_STR_INLINE(shared_secret_file);
1948 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1949 SHOW_STR(ciphername);
1950 SHOW_STR(ncp_ciphers);
1951 SHOW_STR(authname);
1952 #ifndef ENABLE_CRYPTO_MBEDTLS
1953 SHOW_BOOL(engine);
1954 #endif /* ENABLE_CRYPTO_MBEDTLS */
1955 SHOW_BOOL(replay);
1956 SHOW_BOOL(mute_replay_warnings);
1957 SHOW_INT(replay_window);
1958 SHOW_INT(replay_time);
1959 SHOW_STR(packet_id_file);
1960 SHOW_BOOL(test_crypto);
1961 #ifdef ENABLE_PREDICTION_RESISTANCE
1962 SHOW_BOOL(use_prediction_resistance);
1963 #endif
1964
1965 SHOW_BOOL(tls_server);
1966 SHOW_BOOL(tls_client);
1967 SHOW_STR_INLINE(ca_file);
1968 SHOW_STR(ca_path);
1969 SHOW_STR_INLINE(dh_file);
1970 if ((o->management_flags & MF_EXTERNAL_CERT))
1971 {
1972 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1973 }
1974 else
1975 {
1976 SHOW_STR_INLINE(cert_file);
1977 }
1978 SHOW_STR_INLINE(extra_certs_file);
1979
1980 if ((o->management_flags & MF_EXTERNAL_KEY))
1981 {
1982 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1983 }
1984 else
1985 {
1986 SHOW_STR_INLINE(priv_key_file);
1987 }
1988 #ifndef ENABLE_CRYPTO_MBEDTLS
1989 SHOW_STR_INLINE(pkcs12_file);
1990 #endif
1991 #ifdef ENABLE_CRYPTOAPI
1992 SHOW_STR(cryptoapi_cert);
1993 #endif
1994 SHOW_STR(cipher_list);
1995 SHOW_STR(cipher_list_tls13);
1996 SHOW_STR(tls_cert_profile);
1997 SHOW_STR(tls_verify);
1998 SHOW_STR(tls_export_cert);
1999 SHOW_INT(verify_x509_type);
2000 SHOW_STR(verify_x509_name);
2001 SHOW_STR_INLINE(crl_file);
2002 SHOW_INT(ns_cert_type);
2003 {
2004 int i;
2005 for (i = 0; i<MAX_PARMS; i++)
2006 {
2007 SHOW_INT(remote_cert_ku[i]);
2008 }
2009 }
2010 SHOW_STR(remote_cert_eku);
2011 if (o->verify_hash)
2012 {
2013 SHOW_INT(verify_hash_algo);
2014 SHOW_INT(verify_hash_depth);
2015 struct gc_arena gc = gc_new();
2016 struct verify_hash_list *hl = o->verify_hash;
2017 int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
2018 SHA256_DIGEST_LENGTH;
2019 while (hl)
2020 {
2021 char *s = format_hex_ex(hl->hash, digest_len, 0,
2022 1, ":", &gc);
2023 SHOW_PARM(verify_hash, s, "%s");
2024 hl = hl->next;
2025 }
2026 gc_free(&gc);
2027 }
2028 SHOW_INT(ssl_flags);
2029
2030 SHOW_INT(tls_timeout);
2031
2032 SHOW_INT(renegotiate_bytes);
2033 SHOW_INT(renegotiate_packets);
2034 SHOW_INT(renegotiate_seconds);
2035
2036 SHOW_INT(handshake_window);
2037 SHOW_INT(transition_window);
2038
2039 SHOW_BOOL(single_session);
2040 SHOW_BOOL(push_peer_info);
2041 SHOW_BOOL(tls_exit);
2042
2043 SHOW_STR(tls_crypt_v2_metadata);
2044
2045 #ifdef ENABLE_PKCS11
2046 {
2047 int i;
2048 for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
2049 {
2050 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
2051 }
2052 }
2053 {
2054 int i;
2055 for (i = 0; i<MAX_PARMS; i++)
2056 {
2057 SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
2058 }
2059 }
2060 {
2061 int i;
2062 for (i = 0; i<MAX_PARMS; i++)
2063 {
2064 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
2065 }
2066 }
2067 {
2068 int i;
2069 for (i = 0; i<MAX_PARMS; i++)
2070 {
2071 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
2072 }
2073 }
2074 SHOW_INT(pkcs11_pin_cache_period);
2075 SHOW_STR(pkcs11_id);
2076 SHOW_BOOL(pkcs11_id_management);
2077 #endif /* ENABLE_PKCS11 */
2078
2079 show_p2mp_parms(o);
2080
2081 #ifdef _WIN32
2082 SHOW_BOOL(show_net_up);
2083 SHOW_INT(route_method);
2084 SHOW_BOOL(block_outside_dns);
2085 show_tuntap_options(&o->tuntap_options);
2086 #endif
2087 #endif /* ifndef ENABLE_SMALL */
2088 }
2089
2090 #undef SHOW_PARM
2091 #undef SHOW_STR
2092 #undef SHOW_INT
2093 #undef SHOW_BOOL
2094
2095 #ifdef ENABLE_MANAGEMENT
2096
2097 static struct http_proxy_options *
2098 parse_http_proxy_override(const char *server,
2099 const char *port,
2100 const char *flags,
2101 const int msglevel,
2102 struct gc_arena *gc)
2103 {
2104 if (server && port)
2105 {
2106 struct http_proxy_options *ho;
2107 ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
2108 ho->server = string_alloc(server, gc);
2109 ho->port = port;
2110 if (flags && !strcmp(flags, "nct"))
2111 {
2112 ho->auth_retry = PAR_NCT;
2113 }
2114 else
2115 {
2116 ho->auth_retry = PAR_ALL;
2117 }
2118 ho->http_version = "1.0";
2119 ho->user_agent = "OpenVPN-Autoproxy/1.0";
2120 return ho;
2121 }
2122 else
2123 {
2124 return NULL;
2125 }
2126 }
2127
2128 static void
2129 options_postprocess_http_proxy_override(struct options *o)
2130 {
2131 const struct connection_list *l = o->connection_list;
2132 int i;
2133 bool succeed = false;
2134 for (i = 0; i < l->len; ++i)
2135 {
2136 struct connection_entry *ce = l->array[i];
2137 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2138 {
2139 ce->http_proxy_options = o->http_proxy_override;
2140 succeed = true;
2141 }
2142 }
2143 if (succeed)
2144 {
2145 for (i = 0; i < l->len; ++i)
2146 {
2147 struct connection_entry *ce = l->array[i];
2148 if (ce->proto == PROTO_UDP)
2149 {
2150 ce->flags |= CE_DISABLED;
2151 }
2152 }
2153 }
2154 else
2155 {
2156 msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2157 }
2158 }
2159
2160 #endif /* ifdef ENABLE_MANAGEMENT */
2161
2162 static struct connection_list *
2163 alloc_connection_list_if_undef(struct options *options)
2164 {
2165 if (!options->connection_list)
2166 {
2167 ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
2168 }
2169 return options->connection_list;
2170 }
2171
2172 static struct connection_entry *
2173 alloc_connection_entry(struct options *options, const int msglevel)
2174 {
2175 struct connection_list *l = alloc_connection_list_if_undef(options);
2176 struct connection_entry *e;
2177
2178 if (l->len == l->capacity)
2179 {
2180 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2181 struct connection_entry **ce = gc_realloc(l->array, capacity*sizeof(struct connection_entry *), &options->gc);
2182 if (ce == NULL)
2183 {
2184 msg(msglevel, "Unable to process more connection options: out of memory. Number of entries = %d", l->len);
2185 return NULL;
2186 }
2187 l->array = ce;
2188 l->capacity = capacity;
2189 }
2190 ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2191 l->array[l->len++] = e;
2192 return e;
2193 }
2194
2195 static struct remote_list *
2196 alloc_remote_list_if_undef(struct options *options)
2197 {
2198 if (!options->remote_list)
2199 {
2200 ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2201 }
2202 return options->remote_list;
2203 }
2204
2205 static struct remote_entry *
2206 alloc_remote_entry(struct options *options, const int msglevel)
2207 {
2208 struct remote_list *l = alloc_remote_list_if_undef(options);
2209 struct remote_entry *e;
2210
2211 if (l->len == l->capacity)
2212 {
2213 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2214 struct remote_entry **re = gc_realloc(l->array, capacity*sizeof(struct remote_entry *), &options->gc);
2215 if (re == NULL)
2216 {
2217 msg(msglevel, "Unable to process more remote options: out of memory. Number of entries = %d", l->len);
2218 return NULL;
2219 }
2220 l->array = re;
2221 l->capacity = capacity;
2222 }
2223 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2224 l->array[l->len++] = e;
2225 return e;
2226 }
2227
2228 static struct pull_filter_list *
2229 alloc_pull_filter_list(struct options *o)
2230 {
2231 if (!o->pull_filter_list)
2232 {
2233 ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2234 }
2235 return o->pull_filter_list;
2236 }
2237
2238 static struct pull_filter *
2239 alloc_pull_filter(struct options *o, const int msglevel)
2240 {
2241 struct pull_filter_list *l = alloc_pull_filter_list(o);
2242 struct pull_filter *f;
2243
2244 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2245 if (l->head)
2246 {
2247 ASSERT(l->tail);
2248 l->tail->next = f;
2249 }
2250 else
2251 {
2252 ASSERT(!l->tail);
2253 l->head = f;
2254 }
2255 l->tail = f;
2256 return f;
2257 }
2258
2259 static void
2260 connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2261 {
2262 if (re->remote)
2263 {
2264 ce->remote = re->remote;
2265 }
2266 if (re->remote_port)
2267 {
2268 ce->remote_port = re->remote_port;
2269 }
2270 if (re->proto >= 0)
2271 {
2272 ce->proto = re->proto;
2273 }
2274 if (re->af > 0)
2275 {
2276 ce->af = re->af;
2277 }
2278 }
2279
2280 static void
2281 connection_entry_preload_key(const char **key_file, bool *key_inline,
2282 struct gc_arena *gc)
2283 {
2284 if (key_file && *key_file && !(*key_inline))
2285 {
2286 struct buffer in = buffer_read_from_file(*key_file, gc);
2287 if (!buf_valid(&in))
2288 {
2289 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2290 }
2291
2292 *key_file = (const char *) in.data;
2293 *key_inline = true;
2294 }
2295 }
2296
2297 static void
2298 check_ca_required(const struct options *options)
2299 {
2300 if (options->verify_hash_no_ca
2301 || options->pkcs12_file
2302 || options->ca_file
2303 #ifndef ENABLE_CRYPTO_MBEDTLS
2304 || options->ca_path
2305 #endif
2306 )
2307 {
2308 return;
2309 }
2310
2311 const char *const str = "You must define CA file (--ca)"
2312 #ifndef ENABLE_CRYPTO_MBEDTLS
2313 " or CA path (--capath)"
2314 #endif
2315 " and/or peer fingerprint verification (--peer-fingerprint)";
2316 msg(M_USAGE, "%s", str);
2317 }
2318
2319 static void
2320 options_postprocess_verify_ce(const struct options *options,
2321 const struct connection_entry *ce)
2322 {
2323 struct options defaults;
2324 int dev = DEV_TYPE_UNDEF;
2325 bool pull = false;
2326
2327 init_options(&defaults, true);
2328
2329 if (options->test_crypto)
2330 {
2331 notnull(options->shared_secret_file, "key file (--secret)");
2332 }
2333 else
2334 {
2335 notnull(options->dev, "TUN/TAP device (--dev)");
2336 }
2337
2338 /*
2339 * Get tun/tap/null device type
2340 */
2341 dev = dev_type_enum(options->dev, options->dev_type);
2342
2343 /*
2344 * If "proto tcp" is specified, make sure we know whether it is
2345 * tcp-client or tcp-server.
2346 */
2347 if (ce->proto == PROTO_TCP)
2348 {
2349 msg(M_USAGE,
2350 "--proto tcp is ambiguous in this context. Please specify "
2351 "--proto tcp-server or --proto tcp-client");
2352 }
2353
2354 if (options->lladdr && dev != DEV_TYPE_TAP)
2355 {
2356 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2357 }
2358
2359 /*
2360 * Sanity check on MTU parameters
2361 */
2362 if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2363 {
2364 msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2365 }
2366
2367 if (!proto_is_udp(ce->proto) && options->mtu_test)
2368 {
2369 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2370 }
2371
2372 /* will we be pulling options from server? */
2373 pull = options->pull;
2374
2375 /*
2376 * Sanity check on --local, --remote, and --ifconfig
2377 */
2378
2379 if (proto_is_net(ce->proto)
2380 && string_defined_equal(ce->local, ce->remote)
2381 && string_defined_equal(ce->local_port, ce->remote_port))
2382 {
2383 msg(M_USAGE, "--remote and --local addresses are the same");
2384 }
2385
2386 if (string_defined_equal(ce->remote, options->ifconfig_local)
2387 || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2388 {
2389 msg(M_USAGE,
2390 "--local and --remote addresses must be distinct from --ifconfig "
2391 "addresses");
2392 }
2393
2394 if (string_defined_equal(ce->local, options->ifconfig_local)
2395 || string_defined_equal(ce->local, options->ifconfig_remote_netmask))
2396 {
2397 msg(M_USAGE,
2398 "--local addresses must be distinct from --ifconfig addresses");
2399 }
2400
2401 if (string_defined_equal(options->ifconfig_local,
2402 options->ifconfig_remote_netmask))
2403 {
2404 msg(M_USAGE,
2405 "local and remote/netmask --ifconfig addresses must be different");
2406 }
2407
2408 if (ce->bind_defined && !ce->bind_local)
2409 {
2410 msg(M_USAGE, "--bind and --nobind can't be used together");
2411 }
2412
2413 if (ce->local && !ce->bind_local)
2414 {
2415 msg(M_USAGE,
2416 "--local and --nobind don't make sense when used together");
2417 }
2418
2419 if (ce->local_port_defined && !ce->bind_local)
2420 {
2421 msg(M_USAGE,
2422 "--lport and --nobind don't make sense when used together");
2423 }
2424
2425 if (!ce->remote && !ce->bind_local)
2426 {
2427 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2428 }
2429
2430 /*
2431 * Check for consistency of management options
2432 */
2433 #ifdef ENABLE_MANAGEMENT
2434 if (!options->management_addr
2435 && (options->management_flags
2436 || options->management_log_history_cache != defaults.management_log_history_cache))
2437 {
2438 msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2439 }
2440
2441 if ((options->management_client_user || options->management_client_group)
2442 && !(options->management_flags & MF_UNIX_SOCK))
2443 {
2444 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2445 }
2446
2447 if (options->management_addr
2448 && !(options->management_flags & MF_UNIX_SOCK)
2449 && (!options->management_user_pass))
2450 {
2451 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2452 "passwords is STRONGLY discouraged and considered insecure");
2453 }
2454
2455 #endif /* ifdef ENABLE_MANAGEMENT */
2456
2457 #if !defined(HAVE_XKEY_PROVIDER)
2458 if ((tls_version_max() >= TLS_VER_1_3)
2459 && (options->management_flags & MF_EXTERNAL_KEY)
2460 && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2461 )
2462 {
2463 msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2464 "nopadding argument/support");
2465 }
2466 #endif
2467 /*
2468 * Windows-specific options.
2469 */
2470
2471 #ifdef _WIN32
2472 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2473 {
2474 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2475 }
2476
2477 if ((options->tuntap_options.ip_win32_defined)
2478 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2479 {
2480 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2481 }
2482
2483 if (options->tuntap_options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
2484 {
2485 const char *prefix = "Some dhcp-options require DHCP server";
2486 if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
2487 {
2488 msg(M_USAGE, "%s, which is not supported by selected %s driver",
2489 prefix, print_windows_driver(options->windows_driver));
2490 }
2491 else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2492 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2493 {
2494 msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive",
2495 prefix);
2496 }
2497 }
2498
2499 if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
2500 {
2501 msg(M_USAGE, "--windows-driver wintun requires --dev tun");
2502 }
2503 #endif /* ifdef _WIN32 */
2504
2505 /*
2506 * Check that protocol options make sense.
2507 */
2508
2509 #ifdef ENABLE_FRAGMENT
2510 if (!proto_is_udp(ce->proto) && ce->fragment)
2511 {
2512 msg(M_USAGE, "--fragment can only be used with --proto udp");
2513 }
2514 #endif
2515
2516 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2517 {
2518 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2519 }
2520
2521 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2522 {
2523 msg(M_USAGE,
2524 "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2525 "tcp-client)");
2526 }
2527
2528 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2529 {
2530 msg(M_USAGE,
2531 "--http-proxy not specified but other http proxy options present");
2532 }
2533
2534 if (ce->http_proxy_options && ce->socks_proxy_server)
2535 {
2536 msg(M_USAGE,
2537 "--http-proxy can not be used together with --socks-proxy");
2538 }
2539
2540 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2541 {
2542 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2543 }
2544
2545 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2546 {
2547 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2548 }
2549
2550 /*
2551 * Check consistency of --mode server options.
2552 */
2553 if (options->mode == MODE_SERVER)
2554 {
2555 #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
2556 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2557 #ifdef TARGET_ANDROID
2558 msg(M_FATAL, "--mode server not supported on Android");
2559 #endif
2560 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2561 {
2562 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2563 }
2564 if (options->pull)
2565 {
2566 msg(M_USAGE, "--pull cannot be used with --mode server");
2567 }
2568 if (options->pull_filter_list)
2569 {
2570 msg(M_WARN, "--pull-filter ignored for --mode server");
2571 }
2572 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2573 {
2574 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2575 }
2576 #if PORT_SHARE
2577 if ((options->port_share_host || options->port_share_port)
2578 && (ce->proto != PROTO_TCP_SERVER))
2579 {
2580 msg(M_USAGE, "--port-share only works in TCP server mode "
2581 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2582 }
2583 #endif
2584 if (!options->tls_server)
2585 {
2586 msg(M_USAGE, "--mode server requires --tls-server");
2587 }
2588 if (ce->remote)
2589 {
2590 msg(M_USAGE, "--remote cannot be used with --mode server");
2591 }
2592 if (!ce->bind_local)
2593 {
2594 msg(M_USAGE, "--nobind cannot be used with --mode server");
2595 }
2596 if (ce->http_proxy_options)
2597 {
2598 msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2599 }
2600 if (ce->socks_proxy_server)
2601 {
2602 msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2603 }
2604 /* <connection> blocks force to have a remote embedded, so we check
2605 * for the --remote and bail out if it is present
2606 */
2607 if (options->connection_list->len >1
2608 || options->connection_list->array[0]->remote)
2609 {
2610 msg(M_USAGE, "<connection> cannot be used with --mode server");
2611 }
2612
2613 if (options->shaper)
2614 {
2615 msg(M_USAGE, "--shaper cannot be used with --mode server");
2616 }
2617 if (options->ipchange)
2618 {
2619 msg(M_USAGE,
2620 "--ipchange cannot be used with --mode server (use "
2621 "--client-connect instead)");
2622 }
2623 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2624 {
2625 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2626 }
2627 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2628 {
2629 msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2630 }
2631 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2632 {
2633 msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2634 }
2635 if (options->routes && (options->routes->flags & RG_ENABLE))
2636 {
2637 msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2638 }
2639 if (options->route_delay_defined)
2640 {
2641 msg(M_USAGE, "--route-delay cannot be used with --mode server");
2642 }
2643 if (options->up_delay)
2644 {
2645 msg(M_USAGE, "--up-delay cannot be used with --mode server");
2646 }
2647 if (!options->ifconfig_pool_defined
2648 && !options->ifconfig_ipv6_pool_defined
2649 && options->ifconfig_pool_persist_filename)
2650 {
2651 msg(M_USAGE,
2652 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2653 }
2654 if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2655 {
2656 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2657 }
2658 if (options->allow_recursive_routing)
2659 {
2660 msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2661 }
2662 if (options->auth_user_pass_file)
2663 {
2664 msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2665 }
2666 if (options->ccd_exclusive && !options->client_config_dir)
2667 {
2668 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2669 }
2670 if (options->auth_token_generate && !options->renegotiate_seconds)
2671 {
2672 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2673 "--renegotiate_seconds setting");
2674 }
2675 if (options->auth_token_generate && options->auth_token_renewal
2676 && options->auth_token_renewal < 2 * options->handshake_window)
2677 {
2678 msg(M_USAGE, "--auth-gen-token renewal time needs to be at least "
2679 " two times --hand-window (%d).",
2680 options->handshake_window);
2681
2682 }
2683 {
2684 const bool ccnr = (options->auth_user_pass_verify_script
2685 || PLUGIN_OPTION_LIST(options)
2686 || MAN_CLIENT_AUTH_ENABLED(options));
2687 const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2688 if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
2689 {
2690 msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2691 }
2692 if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2693 {
2694 msg(M_USAGE, "--username-as-common-name %s", postfix);
2695 }
2696 if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2697 {
2698 msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2699 }
2700 }
2701
2702 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2703 {
2704 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2705 }
2706 if (!options->vlan_tagging)
2707 {
2708 if (options->vlan_accept != defaults.vlan_accept)
2709 {
2710 msg(M_USAGE, "--vlan-accept requires --vlan-tagging");
2711 }
2712 if (options->vlan_pvid != defaults.vlan_pvid)
2713 {
2714 msg(M_USAGE, "--vlan-pvid requires --vlan-tagging");
2715 }
2716 }
2717 }
2718 else
2719 {
2720 /*
2721 * When not in server mode, err if parameters are
2722 * specified which require --mode server.
2723 */
2724 if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2725 {
2726 msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2727 }
2728 if (options->ifconfig_ipv6_pool_defined)
2729 {
2730 msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2731 }
2732 if (options->real_hash_size != defaults.real_hash_size
2733 || options->virtual_hash_size != defaults.virtual_hash_size)
2734 {
2735 msg(M_USAGE, "--hash-size requires --mode server");
2736 }
2737 if (options->learn_address_script)
2738 {
2739 msg(M_USAGE, "--learn-address requires --mode server");
2740 }
2741 if (options->client_connect_script)
2742 {
2743 msg(M_USAGE, "--client-connect requires --mode server");
2744 }
2745 if (options->client_crresponse_script)
2746 {
2747 msg(M_USAGE, "--client-crresponse requires --mode server");
2748 }
2749 if (options->client_disconnect_script)
2750 {
2751 msg(M_USAGE, "--client-disconnect requires --mode server");
2752 }
2753 if (options->client_config_dir || options->ccd_exclusive)
2754 {
2755 msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2756 }
2757 if (options->enable_c2c)
2758 {
2759 msg(M_USAGE, "--client-to-client requires --mode server");
2760 }
2761 if (options->duplicate_cn)
2762 {
2763 msg(M_USAGE, "--duplicate-cn requires --mode server");
2764 }
2765 if (options->cf_max || options->cf_per)
2766 {
2767 msg(M_USAGE, "--connect-freq requires --mode server");
2768 }
2769 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2770 {
2771 msg(M_USAGE, "--verify-client-cert requires --mode server");
2772 }
2773 if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2774 {
2775 msg(M_USAGE, "--username-as-common-name requires --mode server");
2776 }
2777 if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2778 {
2779 msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2780 }
2781 if (options->ssl_flags & SSLF_OPT_VERIFY)
2782 {
2783 msg(M_USAGE, "--opt-verify requires --mode server");
2784 }
2785 if (options->server_flags & SF_TCP_NODELAY_HELPER)
2786 {
2787 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2788 "affect the server. To have TCP_NODELAY in both direction use "
2789 "tcp-nodelay in the server configuration instead.");
2790 }
2791 if (options->auth_user_pass_verify_script)
2792 {
2793 msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2794 }
2795 if (options->auth_token_generate)
2796 {
2797 msg(M_USAGE, "--auth-gen-token requires --mode server");
2798 }
2799 #if PORT_SHARE
2800 if (options->port_share_host || options->port_share_port)
2801 {
2802 msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2803 }
2804 #endif
2805
2806 if (options->stale_routes_check_interval)
2807 {
2808 msg(M_USAGE, "--stale-routes-check requires --mode server");
2809 }
2810
2811 if (options->vlan_tagging)
2812 {
2813 msg(M_USAGE, "--vlan-tagging requires --mode server");
2814 }
2815 }
2816
2817 /*
2818 * Check consistency of replay options
2819 */
2820 if (!options->replay
2821 && (options->replay_window != defaults.replay_window
2822 || options->replay_time != defaults.replay_time))
2823 {
2824 msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2825 }
2826
2827 /*
2828 * SSL/TLS mode sanity checks.
2829 */
2830 if (options->tls_server + options->tls_client
2831 +(options->shared_secret_file != NULL) > 1)
2832 {
2833 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2834 }
2835
2836 if (!options->tls_server && !options->tls_client)
2837 {
2838 msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in "
2839 "configuration detected. OpenVPN 2.7 will remove the "
2840 "functionality to run a VPN without TLS. "
2841 "See the examples section in the manual page for "
2842 "examples of a similar quick setup with peer-fingerprint.");
2843 }
2844
2845 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2846 {
2847 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2848 "--verify-client-cert none|optional "
2849 "may accept clients which do not present a certificate");
2850 }
2851
2852 const int tls_version_max =
2853 (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
2854 & SSLF_TLS_VERSION_MAX_MASK;
2855 const int tls_version_min =
2856 (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
2857 & SSLF_TLS_VERSION_MIN_MASK;
2858
2859 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2860 {
2861 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2862 }
2863
2864 if (options->tls_server || options->tls_client)
2865 {
2866 check_ca_required(options);
2867 #ifdef ENABLE_PKCS11
2868 if (!options->pkcs11_providers[0] && options->pkcs11_id)
2869 {
2870 msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2871 }
2872 else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2873 {
2874 msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2875 }
2876
2877 if (options->pkcs11_providers[0])
2878 {
2879 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2880 {
2881 msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2882 }
2883 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2884 {
2885 msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2886 }
2887 if (options->cert_file)
2888 {
2889 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2890 }
2891 if (options->priv_key_file)
2892 {
2893 msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2894 }
2895 if (options->management_flags & MF_EXTERNAL_KEY)
2896 {
2897 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2898 }
2899 if (options->management_flags & MF_EXTERNAL_CERT)
2900 {
2901 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2902 }
2903 if (options->pkcs12_file)
2904 {
2905 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2906 }
2907 #ifdef ENABLE_CRYPTOAPI
2908 if (options->cryptoapi_cert)
2909 {
2910 msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2911 }
2912 #endif
2913 }
2914 else
2915 #endif /* ifdef ENABLE_PKCS11 */
2916 if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2917 {
2918 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2919 }
2920 else if ((options->management_flags & MF_EXTERNAL_CERT))
2921 {
2922 if (options->cert_file)
2923 {
2924 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2925 }
2926 else if (!(options->management_flags & MF_EXTERNAL_KEY))
2927 {
2928 msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2929 }
2930 }
2931 else
2932 #ifdef ENABLE_CRYPTOAPI
2933 if (options->cryptoapi_cert)
2934 {
2935 if (options->cert_file)
2936 {
2937 msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2938 }
2939 if (options->priv_key_file)
2940 {
2941 msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2942 }
2943 if (options->pkcs12_file)
2944 {
2945 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2946 }
2947 if (options->management_flags & MF_EXTERNAL_KEY)
2948 {
2949 msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2950 }
2951 if (options->management_flags & MF_EXTERNAL_CERT)
2952 {
2953 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2954 }
2955 }
2956 else
2957 #endif /* ifdef ENABLE_CRYPTOAPI */
2958 if (options->pkcs12_file)
2959 {
2960 #ifdef ENABLE_CRYPTO_MBEDTLS
2961 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2962 #else
2963 if (options->ca_path)
2964 {
2965 msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2966 }
2967 if (options->cert_file)
2968 {
2969 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2970 }
2971 if (options->priv_key_file)
2972 {
2973 msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2974 }
2975 if (options->management_flags & MF_EXTERNAL_KEY)
2976 {
2977 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2978 }
2979 if (options->management_flags & MF_EXTERNAL_CERT)
2980 {
2981 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2982 }
2983 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2984 }
2985 else
2986 {
2987 #ifdef ENABLE_CRYPTO_MBEDTLS
2988 if (options->ca_path)
2989 {
2990 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2991 }
2992 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2993 if (pull)
2994 {
2995
2996 const int sum =
2997 ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2998 + ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2999
3000 if (sum == 0)
3001 {
3002 if (!options->auth_user_pass_file)
3003 {
3004 msg(M_USAGE, "No client-side authentication method is "
3005 "specified. You must use either "
3006 "--cert/--key, --pkcs12, or "
3007 "--auth-user-pass");
3008 }
3009 }
3010 else if (sum != 2)
3011 {
3012 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
3013 }
3014 }
3015 else
3016 {
3017 if (!(options->management_flags & MF_EXTERNAL_CERT))
3018 {
3019 notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
3020 }
3021 if (!(options->management_flags & MF_EXTERNAL_KEY))
3022 {
3023 notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
3024 }
3025 }
3026 }
3027 if (ce->tls_auth_file && ce->tls_crypt_file)
3028 {
3029 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
3030 }
3031 if (options->tls_client && ce->tls_crypt_v2_file
3032 && (ce->tls_auth_file || ce->tls_crypt_file))
3033 {
3034 msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
3035 }
3036 }
3037 else
3038 {
3039 /*
3040 * Make sure user doesn't specify any TLS options
3041 * when in non-TLS mode.
3042 */
3043
3044 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
3045 }
3046
3047 const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
3048
3049 MUST_BE_UNDEF(ca_file);
3050 MUST_BE_UNDEF(ca_path);
3051 MUST_BE_UNDEF(dh_file);
3052 MUST_BE_UNDEF(cert_file);
3053 MUST_BE_UNDEF(priv_key_file);
3054 #ifndef ENABLE_CRYPTO_MBEDTLS
3055 MUST_BE_UNDEF(pkcs12_file);
3056 #endif
3057 MUST_BE_UNDEF(cipher_list);
3058 MUST_BE_UNDEF(cipher_list_tls13);
3059 MUST_BE_UNDEF(tls_cert_profile);
3060 MUST_BE_UNDEF(tls_verify);
3061 MUST_BE_UNDEF(tls_export_cert);
3062 MUST_BE_UNDEF(verify_x509_name);
3063 MUST_BE_UNDEF(tls_timeout);
3064 MUST_BE_UNDEF(renegotiate_bytes);
3065 MUST_BE_UNDEF(renegotiate_packets);
3066 MUST_BE_UNDEF(renegotiate_seconds);
3067 MUST_BE_UNDEF(handshake_window);
3068 MUST_BE_UNDEF(transition_window);
3069 MUST_BE_UNDEF(tls_auth_file);
3070 MUST_BE_UNDEF(tls_crypt_file);
3071 MUST_BE_UNDEF(tls_crypt_v2_file);
3072 MUST_BE_UNDEF(single_session);
3073 MUST_BE_UNDEF(push_peer_info);
3074 MUST_BE_UNDEF(tls_exit);
3075 MUST_BE_UNDEF(crl_file);
3076 MUST_BE_UNDEF(ns_cert_type);
3077 MUST_BE_UNDEF(remote_cert_ku[0]);
3078 MUST_BE_UNDEF(remote_cert_eku);
3079 #ifdef ENABLE_PKCS11
3080 MUST_BE_UNDEF(pkcs11_providers[0]);
3081 MUST_BE_UNDEF(pkcs11_private_mode[0]);
3082 MUST_BE_UNDEF(pkcs11_id);
3083 MUST_BE_UNDEF(pkcs11_id_management);
3084 #endif
3085
3086 if (pull)
3087 {
3088 msg(M_USAGE, err, "--pull");
3089 }
3090 }
3091 #undef MUST_BE_UNDEF
3092
3093 if (options->auth_user_pass_file && !options->pull)
3094 {
3095 msg(M_USAGE, "--auth-user-pass requires --pull");
3096 }
3097
3098 uninit_options(&defaults);
3099 }
3100
3101 static void
3102 options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
3103 {
3104 const int dev = dev_type_enum(o->dev, o->dev_type);
3105
3106 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3107 {
3108 if (ce->proto == PROTO_TCP)
3109 {
3110 ce->proto = PROTO_TCP_SERVER;
3111 }
3112 }
3113
3114 if (o->client)
3115 {
3116 if (ce->proto == PROTO_TCP)
3117 {
3118 ce->proto = PROTO_TCP_CLIENT;
3119 }
3120 }
3121
3122 /* an option is present that requires local bind to enabled */
3123 bool need_bind = ce->local || ce->local_port_defined || ce->bind_defined;
3124
3125 /* socks proxy is enabled */
3126 bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
3127
3128 /* If binding is not forced by an explicit option and we have (at least)
3129 * one of --tcp-client, --pull (or --client), or socks we do not bind
3130 * locally to have "normal" IP client behaviour of a random source port */
3131 if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
3132 {
3133 ce->bind_local = false;
3134 }
3135
3136 if (!ce->bind_local)
3137 {
3138 ce->local_port = NULL;
3139 }
3140
3141 /* if protocol forcing is enabled, disable all protocols
3142 * except for the forced one
3143 */
3144 if (o->proto_force >= 0 && o->proto_force != ce->proto)
3145 {
3146 ce->flags |= CE_DISABLED;
3147 }
3148
3149 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
3150 * so fall back to IPv4-only (trac #1221)
3151 */
3152 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
3153 {
3154 if (ce->af == AF_INET6)
3155 {
3156 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
3157 "'--socks-proxy' today. Forcing IPv4 mode." );
3158 }
3159 else
3160 {
3161 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
3162 "work correctly with '--socks-proxy' today. Forcing IPv4." );
3163 }
3164 ce->af = AF_INET;
3165 }
3166
3167 /*
3168 * Set MTU defaults
3169 */
3170 {
3171 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
3172 {
3173 ce->tun_mtu_defined = true;
3174 }
3175 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3176 {
3177 ce->tun_mtu_extra_defined = true;
3178 ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
3179 }
3180 }
3181
3182 /*
3183 * If --mssfix is supplied without a parameter or not specified at all,
3184 * default it to --fragment value, if --fragment is specified and otherwise
3185 * to the default if tun-mtu is 1500
3186 */
3187 if (o->ce.mssfix_default)
3188 {
3189 #ifdef ENABLE_FRAGMENT
3190 if (ce->fragment)
3191 {
3192 ce->mssfix = ce->fragment;
3193 }
3194 else
3195 #endif
3196 if (ce->tun_mtu_defined)
3197 {
3198 if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3199 {
3200 /* We want to only set mssfix default value if we use a default
3201 * MTU Size, otherwise the different size of tun should either
3202 * already solve the problem or mssfix might artifically make the
3203 * payload packets smaller without mssfix 0 */
3204 ce->mssfix = MSSFIX_DEFAULT;
3205 ce->mssfix_encap = true;
3206 }
3207 else
3208 {
3209 /* We still apply the mssfix value but only adjust it to the
3210 * size of the tun interface. */
3211 ce->mssfix = ce->tun_mtu;
3212 ce->mssfix_fixed = true;
3213 }
3214 }
3215 }
3216
3217 /*
3218 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3219 *
3220 * At the end only one of these will be really set because the parser
3221 * logic prevents configurations where more are set.
3222 */
3223 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3224 {
3225 ce->tls_auth_file = o->tls_auth_file;
3226 ce->tls_auth_file_inline = o->tls_auth_file_inline;
3227 ce->key_direction = o->key_direction;
3228
3229 ce->tls_crypt_file = o->tls_crypt_file;
3230 ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3231
3232 ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3233 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3234 }
3235
3236 /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
3237 * keys were not already embedded in the config file.
3238 */
3239 if (o->persist_key)
3240 {
3241 connection_entry_preload_key(&ce->tls_auth_file,
3242 &ce->tls_auth_file_inline, &o->gc);
3243 connection_entry_preload_key(&ce->tls_crypt_file,
3244 &ce->tls_crypt_file_inline, &o->gc);
3245 connection_entry_preload_key(&ce->tls_crypt_v2_file,
3246 &ce->tls_crypt_v2_file_inline, &o->gc);
3247 }
3248
3249 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3250 {
3251 msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3252 ce->explicit_exit_notification = 0;
3253 }
3254 }
3255
3256 #ifdef _WIN32
3257 /* If iservice is in use, we need def1 method for redirect-gateway */
3258 static void
3259 remap_redirect_gateway_flags(struct options *opt)
3260 {
3261 if (opt->routes
3262 && opt->route_method == ROUTE_METHOD_SERVICE
3263 && opt->routes->flags & RG_REROUTE_GW
3264 && !(opt->routes->flags & RG_DEF1))
3265 {
3266 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3267 opt->routes->flags |= RG_DEF1;
3268 }
3269 }
3270 #endif
3271
3272 /*
3273 * Save/Restore certain option defaults before --pull is applied.
3274 */
3275
3276 static void
3277 pre_connect_save(struct options *o)
3278 {
3279 ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3280 o->pre_connect->tuntap_options = o->tuntap_options;
3281 o->pre_connect->tuntap_options_defined = true;
3282 o->pre_connect->foreign_option_index = o->foreign_option_index;
3283
3284 if (o->routes)
3285 {
3286 o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3287 o->pre_connect->routes_defined = true;
3288 }
3289 if (o->routes_ipv6)
3290 {
3291 o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3292 o->pre_connect->routes_ipv6_defined = true;
3293 }
3294 if (o->client_nat)
3295 {
3296 o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3297 o->pre_connect->client_nat_defined = true;
3298 }
3299
3300 o->pre_connect->route_default_gateway = o->route_default_gateway;
3301 o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3302
3303 o->pre_connect->dns_options = clone_dns_options(o->dns_options, &o->gc);
3304
3305 /* NCP related options that can be overwritten by a push */
3306 o->pre_connect->ciphername = o->ciphername;
3307 o->pre_connect->authname = o->authname;
3308
3309 /* Ping related options should be reset to the config values on reconnect */
3310 o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3311 o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3312 o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3313
3314 /* Miscellaneous Options */
3315 #ifdef USE_COMP
3316 o->pre_connect->comp = o->comp;
3317 #endif
3318 }
3319
3320 void
3321 pre_connect_restore(struct options *o, struct gc_arena *gc)
3322 {
3323 const struct options_pre_connect *pp = o->pre_connect;
3324 if (pp)
3325 {
3326 CLEAR(o->tuntap_options);
3327 if (pp->tuntap_options_defined)
3328 {
3329 o->tuntap_options = pp->tuntap_options;
3330 }
3331
3332 if (pp->routes_defined)
3333 {
3334 rol_check_alloc(o);
3335 copy_route_option_list(o->routes, pp->routes, gc);
3336 }
3337 else
3338 {
3339 o->routes = NULL;
3340 }
3341
3342 if (pp->routes_ipv6_defined)
3343 {
3344 rol6_check_alloc(o);
3345 copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3346 }
3347 else
3348 {
3349 o->routes_ipv6 = NULL;
3350 }
3351
3352 o->route_default_gateway = pp->route_default_gateway;
3353 o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3354
3355 /* Free DNS options and reset them to pre-pull state */
3356 gc_free(&o->dns_options.gc);
3357 struct gc_arena dns_gc = gc_new();
3358 o->dns_options = clone_dns_options(pp->dns_options, &dns_gc);
3359 o->dns_options.gc = dns_gc;
3360
3361 if (pp->client_nat_defined)
3362 {
3363 cnol_check_alloc(o);
3364 copy_client_nat_option_list(o->client_nat, pp->client_nat);
3365 }
3366 else
3367 {
3368 o->client_nat = NULL;
3369 }
3370
3371 o->foreign_option_index = pp->foreign_option_index;
3372
3373 o->ciphername = pp->ciphername;
3374 o->authname = pp->authname;
3375
3376 o->ping_rec_timeout = pp->ping_rec_timeout;
3377 o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3378 o->ping_send_timeout = pp->ping_send_timeout;
3379
3380 /* Miscellaneous Options */
3381 #ifdef USE_COMP
3382 o->comp = pp->comp;
3383 #endif
3384 }
3385
3386 o->push_continuation = 0;
3387 o->push_option_types_found = 0;
3388 o->imported_protocol_flags = 0;
3389 }
3390
3391 static void
3392 options_postprocess_mutate_invariant(struct options *options)
3393 {
3394 #ifdef _WIN32
3395 const int dev = dev_type_enum(options->dev, options->dev_type);
3396
3397 /* when using wintun/ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3398 if ((options->windows_driver == WINDOWS_DRIVER_WINTUN
3399 || options->windows_driver == WINDOWS_DRIVER_DCO)
3400 && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3401 || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3402 {
3403 options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3404 }
3405
3406 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3407 {
3408 /* delay may only be necessary when we perform DHCP handshake */
3409 const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3410 || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3411 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3412 {
3413 options->route_delay_defined = true;
3414 options->route_delay = 5; /* Vista sometimes has a race without this */
3415 }
3416 }
3417
3418 if (options->ifconfig_noexec)
3419 {
3420 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3421 options->ifconfig_noexec = false;
3422 }
3423
3424 remap_redirect_gateway_flags(options);
3425
3426 /*
3427 * Check consistency of --mode server options.
3428 */
3429 if (options->mode == MODE_SERVER)
3430 {
3431 /*
3432 * We need to explicitly set --tap-sleep because
3433 * we do not schedule event timers in the top-level context.
3434 */
3435 options->tuntap_options.tap_sleep = 10;
3436 if (options->route_delay_defined && options->route_delay)
3437 {
3438 options->tuntap_options.tap_sleep = options->route_delay;
3439 }
3440 options->route_delay_defined = false;
3441 }
3442 #endif /* ifdef _WIN32 */
3443
3444 #ifdef DEFAULT_PKCS11_MODULE
3445 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3446 * by default if the user asks for PKCS#11 without otherwise specifying
3447 * the module to use. */
3448 if (!options->pkcs11_providers[0]
3449 && (options->pkcs11_id || options->pkcs11_id_management))
3450 {
3451 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3452 }
3453 #endif
3454 }
3455
3456 static void
3457 options_postprocess_verify(const struct options *o)
3458 {
3459 if (o->connection_list)
3460 {
3461 int i;
3462 for (i = 0; i < o->connection_list->len; ++i)
3463 {
3464 options_postprocess_verify_ce(o, o->connection_list->array[i]);
3465 }
3466 }
3467 else
3468 {
3469 options_postprocess_verify_ce(o, &o->ce);
3470 }
3471
3472 dns_options_verify(M_FATAL, &o->dns_options);
3473
3474 if (dco_enabled(o) && o->enable_c2c)
3475 {
3476 msg(M_WARN, "Note: --client-to-client has no effect when using data "
3477 "channel offload: packets are always sent to the VPN "
3478 "interface and then routed based on the system routing table");
3479 }
3480 }
3481
3482 /**
3483 * Checks for availibility of Chacha20-Poly1305 and sets
3484 * the ncp_cipher to either AES-256-GCM:AES-128-GCM or
3485 * AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305.
3486 */
3487 static void
3488 options_postprocess_setdefault_ncpciphers(struct options *o)
3489 {
3490 if (o->ncp_ciphers)
3491 {
3492 /* custom --data-ciphers set, keep list */
3493 return;
3494 }
3495
3496 /* check if crypto library supports chacha */
3497 bool can_do_chacha = cipher_valid("CHACHA20-POLY1305");
3498
3499 if (can_do_chacha && dco_enabled(o))
3500 {
3501 /* also make sure that dco supports chacha */
3502 can_do_chacha = tls_item_in_cipher_list("CHACHA20-POLY1305", dco_get_supported_ciphers());
3503 }
3504
3505 if (can_do_chacha)
3506 {
3507 o->ncp_ciphers = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
3508 }
3509 else
3510 {
3511 o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
3512 }
3513 }
3514
3515 static void
3516 options_postprocess_cipher(struct options *o)
3517 {
3518 if (!o->pull && !(o->mode == MODE_SERVER))
3519 {
3520 /* If the cipher is not set, use the old default of BF-CBC. We will
3521 * warn that this is deprecated on cipher initialisation, no need
3522 * to warn here as well */
3523 if (!o->ciphername)
3524 {
3525 o->ciphername = "BF-CBC";
3526 }
3527 else
3528 {
3529 o->enable_ncp_fallback = true;
3530 }
3531 return;
3532 }
3533
3534 /* pull or P2MP mode */
3535 if (!o->ciphername)
3536 {
3537 /* We still need to set the ciphername to BF-CBC since various other
3538 * parts of OpenVPN assert that the ciphername is set */
3539 o->ciphername = "BF-CBC";
3540
3541 msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
3542 "defaulted to BF-CBC as fallback when cipher negotiation "
3543 "failed in this case. If you need this fallback please add "
3544 "'--data-ciphers-fallback BF-CBC' to your configuration "
3545 "and/or add BF-CBC to --data-ciphers.");
3546 }
3547 else if (!o->enable_ncp_fallback
3548 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3549 {
3550 msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3551 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3552 "negotiations. ",
3553 o->ciphername, o->ncp_ciphers);
3554 }
3555 }
3556
3557 /**
3558 * The option --compat-mode is used to set up default settings to values
3559 * used on the specified openvpn version and earlier.
3560 *
3561 * This function is used in various "default option" paths to test if the
3562 * user requested compatibility with a version before the one specified
3563 * as argument. This way some default settings can be automatically
3564 * altered to guarantee compatibility with the version specified by the
3565 * user via --compat-mode.
3566 *
3567 * @param version need compatibility with openvpn versions before the
3568 * one specified (20401 = before 2.4.1)
3569 * @return whether compatibility should be enabled
3570 */
3571 static bool
3572 need_compatibility_before(const struct options *o, unsigned int version)
3573 {
3574 return o->backwards_compatible != 0 && o->backwards_compatible < version;
3575 }
3576
3577 /**
3578 * Changes default values so that OpenVPN can be compatible with the user
3579 * specified version
3580 */
3581 static void
3582 options_set_backwards_compatible_options(struct options *o)
3583 {
3584 /* TLS min version is not set */
3585 int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
3586 & SSLF_TLS_VERSION_MIN_MASK;
3587 if (tls_ver_min == 0)
3588 {
3589 int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
3590 & SSLF_TLS_VERSION_MAX_MASK;
3591 if (need_compatibility_before(o, 20307))
3592 {
3593 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3594 o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3595 }
3596 else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3597 {
3598 /* Use TLS 1.2 as proper default */
3599 o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3600 }
3601 else
3602 {
3603 /* Maximize the minimum version */
3604 o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3605 }
3606 }
3607
3608 if (need_compatibility_before(o, 20400))
3609 {
3610 if (!o->ciphername)
3611 {
3612 /* If ciphername is not set default to BF-CBC when targeting these
3613 * old versions that do not have NCP */
3614 o->ciphername = "BF-CBC";
3615 }
3616 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3617 * not have OCC strings required for "poor man's NCP" */
3618 o->enable_ncp_fallback = true;
3619 }
3620
3621 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3622 * Version 2.4 probably does not need it but NCP was not so
3623 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3624 * Only do this iff --cipher is set (explicitly or by compat mode
3625 * < 2.4.0, see above). This is not 100% correct backwards compatible
3626 * behaviour but 2.5 already behaved like this */
3627 if (o->ciphername && need_compatibility_before(o, 20500)
3628 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3629 {
3630 append_cipher_to_ncp_list(o, o->ciphername);
3631 }
3632
3633 #ifdef USE_COMP
3634 /* Compression is deprecated and we do not want to announce support for it
3635 * by default anymore, additionally DCO breaks with compression.
3636 *
3637 * Disable compression by default starting with 2.6.0 if no other
3638 * compression related option has been explicitly set */
3639 if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600)
3640 && (o->comp.flags == 0))
3641 {
3642 o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
3643 }
3644 #endif
3645 }
3646
3647 static void
3648 options_postprocess_mutate(struct options *o, struct env_set *es)
3649 {
3650 int i;
3651 /*
3652 * Process helper-type options which map to other, more complex
3653 * sequences of options.
3654 */
3655 helper_client_server(o);
3656 helper_keepalive(o);
3657 helper_tcp_nodelay(o);
3658
3659 options_postprocess_setdefault_ncpciphers(o);
3660 options_set_backwards_compatible_options(o);
3661
3662 options_postprocess_cipher(o);
3663 o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3664 if (o->ncp_ciphers == NULL)
3665 {
3666 msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3667 }
3668
3669 if (o->remote_list && !o->connection_list)
3670 {
3671 /*
3672 * Convert remotes into connection list
3673 */
3674 const struct remote_list *rl = o->remote_list;
3675 for (i = 0; i < rl->len; ++i)
3676 {
3677 const struct remote_entry *re = rl->array[i];
3678 struct connection_entry ce = o->ce;
3679 struct connection_entry *ace;
3680
3681 ASSERT(re->remote);
3682 connection_entry_load_re(&ce, re);
3683 ace = alloc_connection_entry(o, M_USAGE);
3684 ASSERT(ace);
3685 *ace = ce;
3686 }
3687 }
3688 else if (!o->remote_list && !o->connection_list)
3689 {
3690 struct connection_entry *ace;
3691 ace = alloc_connection_entry(o, M_USAGE);
3692 ASSERT(ace);
3693 *ace = o->ce;
3694 }
3695
3696 ASSERT(o->connection_list);
3697 for (i = 0; i < o->connection_list->len; ++i)
3698 {
3699 options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3700 }
3701
3702 if (o->tls_server)
3703 {
3704 /* Check that DH file is specified, or explicitly disabled */
3705 notnull(o->dh_file, "DH file (--dh)");
3706 if (streq(o->dh_file, "none"))
3707 {
3708 o->dh_file = NULL;
3709 }
3710 }
3711 else if (o->dh_file)
3712 {
3713 /* DH file is only meaningful in a tls-server context. */
3714 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3715 "include this in your server configuration");
3716 o->dh_file = NULL;
3717 }
3718 #if ENABLE_MANAGEMENT
3719 if (o->http_proxy_override)
3720 {
3721 options_postprocess_http_proxy_override(o);
3722 }
3723 #endif
3724 if (!o->ca_file && !o->ca_path && o->verify_hash
3725 && o->verify_hash_depth == 0)
3726 {
3727 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3728 "option set). ");
3729 o->verify_hash_no_ca = true;
3730 }
3731
3732 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3733 {
3734 msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3735 "incompatible with each other.");
3736 }
3737
3738 if (dco_enabled(o))
3739 {
3740 /* check if any option should force disabling DCO */
3741 o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o)
3742 || !dco_check_startup_option(D_DCO, o);
3743 }
3744
3745 #ifdef _WIN32
3746 if (dco_enabled(o))
3747 {
3748 o->windows_driver = WINDOWS_DRIVER_DCO;
3749 }
3750 else
3751 {
3752 if (o->windows_driver == WINDOWS_DRIVER_DCO)
3753 {
3754 msg(M_WARN, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3755 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3756 }
3757 else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED)
3758 {
3759 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3760 }
3761 }
3762 #endif
3763
3764 if (dco_enabled(o) && o->dev_node)
3765 {
3766 msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3767 "data channel offload");
3768 o->dev_node = NULL;
3769 }
3770
3771 /* this depends on o->windows_driver, which is set above */
3772 options_postprocess_mutate_invariant(o);
3773
3774 /*
3775 * Save certain parms before modifying options during connect, especially
3776 * when using --pull
3777 */
3778 if (o->pull)
3779 {
3780 dns_options_preprocess_pull(&o->dns_options);
3781 }
3782 else
3783 {
3784 #if defined(_WIN32) || defined(TARGET_ANDROID)
3785 tuntap_options_copy_dns(o);
3786 #else
3787 foreign_options_copy_dns(o, es);
3788 #endif
3789 }
3790 if (o->auth_token_generate && !o->auth_token_renewal)
3791 {
3792 o->auth_token_renewal = o->renegotiate_seconds;
3793 }
3794 pre_connect_save(o);
3795 }
3796
3797 /*
3798 * Check file/directory sanity
3799 *
3800 */
3801 #ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */
3802
3803 #define CHKACC_FILE (1<<0) /** Check for a file/directory presence */
3804 #define CHKACC_DIRPATH (1<<1) /** Check for directory presence where a file should reside */
3805 #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */
3806 #define CHKACC_ACPTSTDIN (1<<3) /** If filename is stdin, it's allowed and "exists" */
3807 #define CHKACC_PRIVATE (1<<4) /** Warn if this (private) file is group/others accessible */
3808
3809 static bool
3810 check_file_access(const int type, const char *file, const int mode, const char *opt)
3811 {
3812 int errcode = 0;
3813
3814 /* If no file configured, no errors to look for */
3815 if (!file)
3816 {
3817 return false;
3818 }
3819
3820 /* If stdin is allowed and the file name is 'stdin', then do no
3821 * further checks as stdin is always available
3822 */
3823 if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3824 {
3825 return false;
3826 }
3827
3828 /* Is the directory path leading to the given file accessible? */
3829 if (type & CHKACC_DIRPATH)
3830 {
3831 char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3832 char *dirpath = dirname(fullpath);
3833
3834 if (platform_access(dirpath, mode|X_OK) != 0)
3835 {
3836 errcode = errno;
3837 }
3838 free(fullpath);
3839 }
3840
3841 /* Is the file itself accessible? */
3842 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3843 {
3844 errcode = errno;
3845 }
3846
3847 /* If the file exists and is accessible, is it writable? */
3848 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3849 {
3850 if (platform_access(file, W_OK) != 0)
3851 {
3852 errcode = errno;
3853 }
3854 }
3855
3856 /* Warn if a given private file is group/others accessible. */
3857 if (type & CHKACC_PRIVATE)
3858 {
3859 platform_stat_t st;
3860 if (platform_stat(file, &st))
3861 {
3862 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3863 }
3864 #ifndef _WIN32
3865 else
3866 {
3867 if (st.st_mode & (S_IRWXG|S_IRWXO))
3868 {
3869 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3870 }
3871 }
3872 #endif
3873 }
3874
3875 /* Scream if an error is found */
3876 if (errcode > 0)
3877 {
3878 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3879 }
3880
3881 /* Return true if an error occurred */
3882 return (errcode != 0 ? true : false);
3883 }
3884
3885 /* A wrapper for check_file_access() which also takes a chroot directory.
3886 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3887 * otherwise it will look for the file inside the given chroot directory instead.
3888 */
3889 static bool
3890 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3891 {
3892 bool ret = false;
3893
3894 /* If no file configured, no errors to look for */
3895 if (!file)
3896 {
3897 return false;
3898 }
3899
3900 /* If chroot is set, look for the file/directory inside the chroot */
3901 if (chroot)
3902 {
3903 struct gc_arena gc = gc_new();
3904 struct buffer chroot_file;
3905
3906 chroot_file = prepend_dir(chroot, file, &gc);
3907 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3908 gc_free(&gc);
3909 }
3910 else
3911 {
3912 /* No chroot in play, just call core file check function */
3913 ret = check_file_access(type, file, mode, opt);
3914 }
3915 return ret;
3916 }
3917
3918 /**
3919 * A wrapper for check_file_access_chroot() that returns false immediately if
3920 * the file is inline (and therefore there is no access to check)
3921 */
3922 static bool
3923 check_file_access_chroot_inline(bool is_inline, const char *chroot,
3924 const int type, const char *file,
3925 const int mode, const char *opt)
3926 {
3927 if (is_inline)
3928 {
3929 return false;
3930 }
3931
3932 return check_file_access_chroot(chroot, type, file, mode, opt);
3933 }
3934
3935 /**
3936 * A wrapper for check_file_access() that returns false immediately if the file
3937 * is inline (and therefore there is no access to check)
3938 */
3939 static bool
3940 check_file_access_inline(bool is_inline, const int type, const char *file,
3941 const int mode, const char *opt)
3942 {
3943 if (is_inline)
3944 {
3945 return false;
3946 }
3947
3948 return check_file_access(type, file, mode, opt);
3949 }
3950
3951 /*
3952 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3953 * valid file with appropriate permissions.
3954 *
3955 * "command" consists of a path, optionally followed by a space, which may be
3956 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3957 * performed.
3958 *
3959 * The path and arguments in "command" may be single- or double-quoted or escaped.
3960 *
3961 * The path is extracted from "command", then check_file_access() is called to check it. The
3962 * arguments, if any, are ignored.
3963 *
3964 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3965 * check_file_access() arguments.
3966 */
3967 static bool
3968 check_cmd_access(const char *command, const char *opt, const char *chroot)
3969 {
3970 struct argv argv;
3971 bool return_code;
3972
3973 /* If no command was set, there are no errors to look for */
3974 if (!command)
3975 {
3976 return false;
3977 }
3978
3979 /* Extract executable path and arguments */
3980 argv = argv_new();
3981 argv_parse_cmd(&argv, command);
3982
3983 /* if an executable is specified then check it; otherwise, complain */
3984 if (argv.argv[0])
3985 {
3986 /* Scripts requires R_OK as well, but that might fail on binaries which
3987 * only requires X_OK to function on Unix - a scenario not unlikely to
3988 * be seen on suid binaries.
3989 */
3990 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
3991 }
3992 else
3993 {
3994 msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
3995 opt, command);
3996 return_code = true;
3997 }
3998
3999 argv_free(&argv);
4000
4001 return return_code;
4002 }
4003
4004 /*
4005 * Sanity check of all file/dir options. Checks that file/dir
4006 * is accessible by OpenVPN
4007 */
4008 static void
4009 options_postprocess_filechecks(struct options *options)
4010 {
4011 bool errs = false;
4012
4013 /* ** SSL/TLS/crypto related files ** */
4014 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
4015 options->dh_file, R_OK, "--dh");
4016
4017 if (!options->verify_hash_no_ca)
4018 {
4019 errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
4020 options->ca_file, R_OK, "--ca");
4021 }
4022
4023 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4024 options->ca_path, R_OK, "--capath");
4025
4026 errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE,
4027 options->cert_file, R_OK, "--cert");
4028
4029 errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
4030 options->extra_certs_file, R_OK,
4031 "--extra-certs");
4032
4033 if (!(options->management_flags & MF_EXTERNAL_KEY))
4034 {
4035 errs |= check_file_access_inline(options->priv_key_file_inline,
4036 CHKACC_FILE|CHKACC_PRIVATE,
4037 options->priv_key_file, R_OK, "--key");
4038 }
4039
4040 errs |= check_file_access_inline(options->pkcs12_file_inline,
4041 CHKACC_FILE|CHKACC_PRIVATE,
4042 options->pkcs12_file, R_OK, "--pkcs12");
4043
4044 if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
4045 {
4046 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4047 options->crl_file, R_OK|X_OK,
4048 "--crl-verify directory");
4049 }
4050 else
4051 {
4052 errs |= check_file_access_chroot_inline(options->crl_file_inline,
4053 options->chroot_dir,
4054 CHKACC_FILE, options->crl_file,
4055 R_OK, "--crl-verify");
4056 }
4057
4058 ASSERT(options->connection_list);
4059 for (int i = 0; i < options->connection_list->len; ++i)
4060 {
4061 struct connection_entry *ce = options->connection_list->array[i];
4062
4063 errs |= check_file_access_inline(ce->tls_auth_file_inline,
4064 CHKACC_FILE|CHKACC_PRIVATE,
4065 ce->tls_auth_file, R_OK,
4066 "--tls-auth");
4067 errs |= check_file_access_inline(ce->tls_crypt_file_inline,
4068 CHKACC_FILE|CHKACC_PRIVATE,
4069 ce->tls_crypt_file, R_OK,
4070 "--tls-crypt");
4071 errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline,
4072 CHKACC_FILE|CHKACC_PRIVATE,
4073 ce->tls_crypt_v2_file, R_OK,
4074 "--tls-crypt-v2");
4075 }
4076
4077 errs |= check_file_access_inline(options->shared_secret_file_inline,
4078 CHKACC_FILE|CHKACC_PRIVATE,
4079 options->shared_secret_file, R_OK,
4080 "--secret");
4081
4082 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
4083 options->packet_id_file, R_OK|W_OK, "--replay-persist");
4084
4085 /* ** Password files ** */
4086 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4087 options->key_pass_file, R_OK, "--askpass");
4088 #ifdef ENABLE_MANAGEMENT
4089 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4090 options->management_user_pass, R_OK,
4091 "--management user/password file");
4092 #endif /* ENABLE_MANAGEMENT */
4093 errs |= check_file_access_inline(options->auth_user_pass_file_inline,
4094 CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4095 options->auth_user_pass_file, R_OK,
4096 "--auth-user-pass");
4097 /* ** System related ** */
4098 errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
4099 R_OK|X_OK, "--chroot directory");
4100 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
4101 R_OK|W_OK, "--writepid");
4102
4103 /* ** Log related ** */
4104 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
4105 R_OK|W_OK, "--status");
4106
4107 /* ** Config related ** */
4108 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
4109 R_OK|W_OK|X_OK, "--tls-export-cert");
4110 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4111 R_OK|X_OK, "--client-config-dir");
4112 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4113 R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
4114
4115 if (errs)
4116 {
4117 msg(M_USAGE, "Please correct these errors.");
4118 }
4119 }
4120 #endif /* !ENABLE_SMALL */
4121
4122 /*
4123 * Sanity check on options.
4124 * Also set some options based on other
4125 * options.
4126 */
4127 void
4128 options_postprocess(struct options *options, struct env_set *es)
4129 {
4130 options_postprocess_mutate(options, es);
4131 options_postprocess_verify(options);
4132 #ifndef ENABLE_SMALL
4133 options_postprocess_filechecks(options);
4134 #endif /* !ENABLE_SMALL */
4135 }
4136
4137 /*
4138 * Sanity check on options after more options were pulled from server.
4139 * Also time to modify some options based on other options.
4140 */
4141 bool
4142 options_postprocess_pull(struct options *o, struct env_set *es)
4143 {
4144 bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4145 if (success)
4146 {
4147 dns_options_postprocess_pull(&o->dns_options);
4148 setenv_dns_options(&o->dns_options, es);
4149 #if defined(_WIN32) || defined(TARGET_ANDROID)
4150 tuntap_options_copy_dns(o);
4151 #else
4152 foreign_options_copy_dns(o, es);
4153 #endif
4154 }
4155 return success;
4156 }
4157
4158 /*
4159 * Build an options string to represent data channel encryption options.
4160 * This string must match exactly between peers. The keysize is checked
4161 * separately by read_key().
4162 *
4163 * The following options must match on both peers:
4164 *
4165 * Tunnel options:
4166 *
4167 * --dev tun|tap [unit number need not match]
4168 * --dev-type tun|tap
4169 * --link-mtu
4170 * --udp-mtu
4171 * --tun-mtu
4172 * --proto udp
4173 * --proto tcp-client [matched with --proto tcp-server
4174 * on the other end of the connection]
4175 * --proto tcp-server [matched with --proto tcp-client on
4176 * the other end of the connection]
4177 * --tun-ipv6
4178 * --ifconfig x y [matched with --ifconfig y x on
4179 * the other end of the connection]
4180 *
4181 * --comp-lzo
4182 * --compress alg
4183 * --fragment
4184 *
4185 * Crypto Options:
4186 *
4187 * --cipher
4188 * --auth
4189 * --secret
4190 * --no-replay
4191 *
4192 * SSL Options:
4193 *
4194 * --tls-auth
4195 * --tls-client [matched with --tls-server on
4196 * the other end of the connection]
4197 * --tls-server [matched with --tls-client on
4198 * the other end of the connection]
4199 */
4200 char *
4201 options_string(const struct options *o,
4202 const struct frame *frame,
4203 struct tuntap *tt,
4204 openvpn_net_ctx_t *ctx,
4205 bool remote,
4206 struct gc_arena *gc)
4207 {
4208 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4209 bool tt_local = false;
4210
4211 buf_printf(&out, "V4");
4212
4213 /*
4214 * Tunnel Options
4215 */
4216
4217 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4218 /* the link-mtu that we send has only a meaning if have a fixed
4219 * cipher (p2p) or have a fallback cipher configured for older non
4220 * ncp clients. But not sending it will make even 2.4 complain
4221 * about it being missing. So still send it. */
4222 buf_printf(&out, ",link-mtu %u",
4223 (unsigned int) calc_options_string_link_mtu(o, frame));
4224
4225 if (o->ce.occ_mtu != 0)
4226 {
4227 buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4228 }
4229 else
4230 {
4231 buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4232 }
4233
4234 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4235
4236 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4237 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4238 * is usually pushed by the server, triggering a non-helpful warning
4239 */
4240 if (o->ifconfig_ipv6_local && p2p_nopull)
4241 {
4242 buf_printf(&out, ",tun-ipv6");
4243 }
4244
4245 /*
4246 * Try to get ifconfig parameters into the options string.
4247 * If tt is undefined, make a temporary instantiation.
4248 */
4249 if (!tt)
4250 {
4251 tt = init_tun(o->dev,
4252 o->dev_type,
4253 o->topology,
4254 o->ifconfig_local,
4255 o->ifconfig_remote_netmask,
4256 o->ifconfig_ipv6_local,
4257 o->ifconfig_ipv6_netbits,
4258 o->ifconfig_ipv6_remote,
4259 NULL,
4260 NULL,
4261 false,
4262 NULL,
4263 ctx,
4264 NULL);
4265 if (tt)
4266 {
4267 tt_local = true;
4268 }
4269 }
4270
4271 if (tt && p2p_nopull)
4272 {
4273 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4274 if (ios && strlen(ios))
4275 {
4276 buf_printf(&out, ",ifconfig %s", ios);
4277 }
4278 }
4279 if (tt_local)
4280 {
4281 free(tt);
4282 tt = NULL;
4283 }
4284
4285 #ifdef USE_COMP
4286 if (o->comp.alg != COMP_ALG_UNDEF)
4287 {
4288 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
4289 }
4290 #endif
4291
4292 #ifdef ENABLE_FRAGMENT
4293 if (o->ce.fragment)
4294 {
4295 buf_printf(&out, ",mtu-dynamic");
4296 }
4297 #endif
4298
4299 #define TLS_CLIENT (o->tls_client)
4300 #define TLS_SERVER (o->tls_server)
4301
4302 /*
4303 * Key direction
4304 */
4305 {
4306 const char *kd = keydirection2ascii(o->key_direction, remote, false);
4307 if (kd)
4308 {
4309 buf_printf(&out, ",keydir %s", kd);
4310 }
4311 }
4312
4313 /*
4314 * Crypto Options
4315 */
4316 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4317 {
4318 struct key_type kt;
4319
4320 ASSERT((o->shared_secret_file != NULL)
4321 + (TLS_CLIENT == true)
4322 + (TLS_SERVER == true)
4323 <= 1);
4324
4325 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4326 * to work here in the default configuration */
4327 const char *ciphername = o->ciphername;
4328 int keysize = 0;
4329
4330 if (strcmp(o->ciphername, "BF-CBC") == 0)
4331 {
4332 init_key_type(&kt, "none", o->authname, true, false);
4333 keysize = 128;
4334 }
4335 else
4336 {
4337 init_key_type(&kt, o->ciphername, o->authname, true, false);
4338 ciphername = cipher_kt_name(kt.cipher);
4339 if (cipher_defined(o->ciphername))
4340 {
4341 keysize = cipher_kt_key_size(kt.cipher) * 8;
4342 }
4343 }
4344 /* Only announce the cipher to our peer if we are willing to
4345 * support it */
4346 if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4347 {
4348 buf_printf(&out, ",cipher %s", ciphername);
4349 }
4350 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4351 buf_printf(&out, ",keysize %d", keysize);
4352 if (o->shared_secret_file)
4353 {
4354 buf_printf(&out, ",secret");
4355 }
4356 if (!o->replay)
4357 {
4358 buf_printf(&out, ",no-replay");
4359 }
4360
4361 #ifdef ENABLE_PREDICTION_RESISTANCE
4362 if (o->use_prediction_resistance)
4363 {
4364 buf_printf(&out, ",use-prediction-resistance");
4365 }
4366 #endif
4367 }
4368
4369 /*
4370 * SSL Options
4371 */
4372 {
4373 if (TLS_CLIENT || TLS_SERVER)
4374 {
4375 if (o->ce.tls_auth_file)
4376 {
4377 buf_printf(&out, ",tls-auth");
4378 }
4379 /* Not adding tls-crypt here, because we won't reach this code if
4380 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4381 * break stuff, so leaving that in place. */
4382
4383 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4384 }
4385
4386 if (remote)
4387 {
4388 if (TLS_CLIENT)
4389 {
4390 buf_printf(&out, ",tls-server");
4391 }
4392 else if (TLS_SERVER)
4393 {
4394 buf_printf(&out, ",tls-client");
4395 }
4396 }
4397 else
4398 {
4399 if (TLS_CLIENT)
4400 {
4401 buf_printf(&out, ",tls-client");
4402 }
4403 else if (TLS_SERVER)
4404 {
4405 buf_printf(&out, ",tls-server");
4406 }
4407 }
4408 }
4409
4410 #undef TLS_CLIENT
4411 #undef TLS_SERVER
4412
4413 return BSTR(&out);
4414 }
4415
4416 /*
4417 * Compare option strings for equality.
4418 * If the first two chars of the strings differ, it means that
4419 * we are looking at different versions of the options string,
4420 * therefore don't compare them and return true.
4421 */
4422
4423 bool
4424 options_cmp_equal(char *actual, const char *expected)
4425 {
4426 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4427 }
4428
4429 void
4430 options_warning(char *actual, const char *expected)
4431 {
4432 options_warning_safe(actual, expected, strlen(actual) + 1);
4433 }
4434
4435 static const char *
4436 options_warning_extract_parm1(const char *option_string,
4437 struct gc_arena *gc_ret)
4438 {
4439 struct gc_arena gc = gc_new();
4440 struct buffer b = string_alloc_buf(option_string, &gc);
4441 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4442 const char *ret;
4443
4444 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4445 ret = string_alloc(p, gc_ret);
4446 gc_free(&gc);
4447 return ret;
4448 }
4449
4450 static void
4451 options_warning_safe_scan2(const int msglevel,
4452 const int delim,
4453 const bool report_inconsistent,
4454 const char *p1,
4455 const struct buffer *b2_src,
4456 const char *b1_name,
4457 const char *b2_name)
4458 {
4459 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4460 * OCC in a future version (because it's not useful). To reduce questions
4461 * when interoperating, we no longer printing a warning about it.
4462 */
4463 if (strprefix(p1, "key-method ")
4464 || strprefix(p1, "keydir ")
4465 || strprefix(p1, "proto ")
4466 || streq(p1, "tls-auth")
4467 || strprefix(p1, "tun-ipv6")
4468 || strprefix(p1, "cipher "))
4469 {
4470 return;
4471 }
4472
4473 if (strlen(p1) > 0)
4474 {
4475 struct gc_arena gc = gc_new();
4476 struct buffer b2 = *b2_src;
4477 const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4478 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4479
4480 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4481 {
4482 if (strlen(p2))
4483 {
4484 const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4485
4486 if (!strcmp(p1, p2))
4487 {
4488 goto done;
4489 }
4490 if (!strcmp(p1_prefix, p2_prefix))
4491 {
4492 if (report_inconsistent)
4493 {
4494 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4495 safe_print(p1_prefix, &gc),
4496 b1_name,
4497 safe_print(p1, &gc),
4498 b2_name,
4499 safe_print(p2, &gc));
4500 }
4501 goto done;
4502 }
4503 }
4504 }
4505
4506 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4507 safe_print(p1_prefix, &gc),
4508 b1_name,
4509 b2_name,
4510 b1_name,
4511 safe_print(p1, &gc));
4512
4513 done:
4514 gc_free(&gc);
4515 }
4516 }
4517
4518 static void
4519 options_warning_safe_scan1(const int msglevel,
4520 const int delim,
4521 const bool report_inconsistent,
4522 const struct buffer *b1_src,
4523 const struct buffer *b2_src,
4524 const char *b1_name,
4525 const char *b2_name)
4526 {
4527 struct gc_arena gc = gc_new();
4528 struct buffer b = *b1_src;
4529 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4530
4531 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4532 {
4533 options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4534 }
4535
4536 gc_free(&gc);
4537 }
4538
4539 static void
4540 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4541 {
4542 struct gc_arena gc = gc_new();
4543
4544 if (actual_n > 0)
4545 {
4546 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4547 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4548 actual[actual_n - 1] = 0;
4549
4550 buf_printf(&local, "version %s", expected);
4551 buf_printf(&remote, "version %s", actual);
4552
4553 options_warning_safe_scan1(msglevel, ',', true,
4554 &local, &remote,
4555 "local", "remote");
4556
4557 options_warning_safe_scan1(msglevel, ',', false,
4558 &remote, &local,
4559 "remote", "local");
4560 }
4561
4562 gc_free(&gc);
4563 }
4564
4565 bool
4566 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4567 {
4568 struct gc_arena gc = gc_new();
4569 bool ret = true;
4570
4571 if (actual_n > 0)
4572 {
4573 actual[actual_n - 1] = 0;
4574 if (strncmp(actual, expected, 2))
4575 {
4576 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4577 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4578 }
4579 else
4580 {
4581 ret = !strcmp(actual, expected);
4582 }
4583 }
4584 gc_free(&gc);
4585 return ret;
4586 }
4587
4588 void
4589 options_warning_safe(char *actual, const char *expected, size_t actual_n)
4590 {
4591 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4592 }
4593
4594 const char *
4595 options_string_version(const char *s, struct gc_arena *gc)
4596 {
4597 struct buffer out = alloc_buf_gc(4, gc);
4598 strncpynt((char *) BPTR(&out), s, 3);
4599 return BSTR(&out);
4600 }
4601
4602 char *
4603 options_string_extract_option(const char *options_string, const char *opt_name,
4604 struct gc_arena *gc)
4605 {
4606 char *ret = NULL;
4607 const size_t opt_name_len = strlen(opt_name);
4608
4609 const char *p = options_string;
4610 while (p)
4611 {
4612 if (0 == strncmp(p, opt_name, opt_name_len)
4613 && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4614 {
4615 /* option found, extract value */
4616 const char *start = &p[opt_name_len+1];
4617 const char *end = strchr(p, ',');
4618 size_t val_len = end ? end - start : strlen(start);
4619 ret = gc_malloc(val_len+1, true, gc);
4620 memcpy(ret, start, val_len);
4621 break;
4622 }
4623 p = strchr(p, ',');
4624 if (p)
4625 {
4626 p++; /* skip delimiter */
4627 }
4628 }
4629 return ret;
4630 }
4631
4632 #ifdef _WIN32
4633 /**
4634 * Parses --windows-driver config option
4635 *
4636 * @param str value of --windows-driver option
4637 * @param msglevel msglevel to report parsing error
4638 * @return enum windows_driver_type driver type, WINDOWS_DRIVER_UNSPECIFIED on unknown --windows-driver value
4639 */
4640 static enum windows_driver_type
4641 parse_windows_driver(const char *str, const int msglevel)
4642 {
4643 if (streq(str, "tap-windows6"))
4644 {
4645 return WINDOWS_DRIVER_TAP_WINDOWS6;
4646 }
4647 else if (streq(str, "wintun"))
4648 {
4649 return WINDOWS_DRIVER_WINTUN;
4650 }
4651
4652 else if (streq(str, "ovpn-dco"))
4653 {
4654 return WINDOWS_DRIVER_DCO;
4655 }
4656 else
4657 {
4658 msg(msglevel, "--windows-driver must be tap-windows6, wintun "
4659 "or ovpn-dco");
4660 return WINDOWS_DRIVER_UNSPECIFIED;
4661 }
4662 }
4663 #endif /* ifdef _WIN32 */
4664
4665 /*
4666 * parse/print topology coding
4667 */
4668
4669 int
4670 parse_topology(const char *str, const int msglevel)
4671 {
4672 if (streq(str, "net30"))
4673 {
4674 return TOP_NET30;
4675 }
4676 else if (streq(str, "p2p"))
4677 {
4678 return TOP_P2P;
4679 }
4680 else if (streq(str, "subnet"))
4681 {
4682 return TOP_SUBNET;
4683 }
4684 else
4685 {
4686 msg(msglevel, "--topology must be net30, p2p, or subnet");
4687 return TOP_UNDEF;
4688 }
4689 }
4690
4691 const char *
4692 print_topology(const int topology)
4693 {
4694 switch (topology)
4695 {
4696 case TOP_UNDEF:
4697 return "undef";
4698
4699 case TOP_NET30:
4700 return "net30";
4701
4702 case TOP_P2P:
4703 return "p2p";
4704
4705 case TOP_SUBNET:
4706 return "subnet";
4707
4708 default:
4709 return "unknown";
4710 }
4711 }
4712
4713 /*
4714 * Manage auth-retry variable
4715 */
4716
4717 static int global_auth_retry; /* GLOBAL */
4718
4719 int
4720 auth_retry_get(void)
4721 {
4722 return global_auth_retry;
4723 }
4724
4725 bool
4726 auth_retry_set(const int msglevel, const char *option)
4727 {
4728 if (streq(option, "interact"))
4729 {
4730 global_auth_retry = AR_INTERACT;
4731 }
4732 else if (streq(option, "nointeract"))
4733 {
4734 global_auth_retry = AR_NOINTERACT;
4735 }
4736 else if (streq(option, "none"))
4737 {
4738 global_auth_retry = AR_NONE;
4739 }
4740 else
4741 {
4742 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4743 return false;
4744 }
4745 return true;
4746 }
4747
4748 const char *
4749 auth_retry_print(void)
4750 {
4751 switch (global_auth_retry)
4752 {
4753 case AR_NONE:
4754 return "none";
4755
4756 case AR_NOINTERACT:
4757 return "nointeract";
4758
4759 case AR_INTERACT:
4760 return "interact";
4761
4762 default:
4763 return "???";
4764 }
4765 }
4766
4767 /*
4768 * Print the help message.
4769 */
4770 static void
4771 usage(void)
4772 {
4773 FILE *fp = msg_fp(0);
4774
4775 #ifdef ENABLE_SMALL
4776
4777 fprintf(fp, "Usage message not available\n");
4778
4779 #else
4780
4781 struct options o;
4782 init_options(&o, true);
4783
4784 fprintf(fp, usage_message,
4785 title_string,
4786 o.ce.connect_retry_seconds,
4787 o.ce.connect_retry_seconds_max,
4788 o.ce.local_port, o.ce.remote_port,
4789 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
4790 o.verbosity,
4791 o.authname,
4792 o.replay_window, o.replay_time,
4793 o.tls_timeout, o.renegotiate_seconds,
4794 o.handshake_window, o.transition_window);
4795 fflush(fp);
4796
4797 #endif /* ENABLE_SMALL */
4798
4799 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4800 }
4801
4802 void
4803 usage_small(void)
4804 {
4805 msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4806 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4807 }
4808
4809 #ifdef _WIN32
4810 void
4811 show_windows_version(const unsigned int flags)
4812 {
4813 struct gc_arena gc = gc_new();
4814 msg(flags, "Windows version %s", win32_version_string(&gc, true));
4815 gc_free(&gc);
4816 }
4817 #endif
4818
4819 void
4820 show_library_versions(const unsigned int flags)
4821 {
4822 #ifdef ENABLE_LZO
4823 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4824 #else
4825 #define LZO_LIB_VER_STR "", ""
4826 #endif
4827
4828 msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4829 LZO_LIB_VER_STR);
4830
4831 #undef LZO_LIB_VER_STR
4832 }
4833
4834 static void
4835 usage_version(void)
4836 {
4837 msg(M_INFO|M_NOPREFIX, "%s", title_string);
4838 show_library_versions( M_INFO|M_NOPREFIX );
4839 #ifdef _WIN32
4840 show_windows_version( M_INFO|M_NOPREFIX );
4841 #endif
4842 msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4843 msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>");
4844 #ifndef ENABLE_SMALL
4845 #ifdef CONFIGURE_DEFINES
4846 msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4847 #endif
4848 #ifdef CONFIGURE_SPECIAL_BUILD
4849 msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4850 #endif
4851 #endif
4852 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4853 }
4854
4855 void
4856 notnull(const char *arg, const char *description)
4857 {
4858 if (!arg)
4859 {
4860 msg(M_USAGE, "You must define %s", description);
4861 }
4862 }
4863
4864 bool
4865 string_defined_equal(const char *s1, const char *s2)
4866 {
4867 if (s1 && s2)
4868 {
4869 return !strcmp(s1, s2);
4870 }
4871 else
4872 {
4873 return false;
4874 }
4875 }
4876
4877 #if 0
4878 static void
4879 ping_rec_err(int msglevel)
4880 {
4881 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4882 }
4883 #endif
4884
4885 static int
4886 positive_atoi(const char *str)
4887 {
4888 const int i = atoi(str);
4889 return i < 0 ? 0 : i;
4890 }
4891
4892 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4893 static unsigned int
4894 atou(const char *str)
4895 {
4896 unsigned int val = 0;
4897 sscanf(str, "%u", &val);
4898 return val;
4899 }
4900 #endif
4901
4902 static inline bool
4903 space(unsigned char c)
4904 {
4905 return c == '\0' || isspace(c);
4906 }
4907
4908 int
4909 parse_line(const char *line,
4910 char *p[],
4911 const int n,
4912 const char *file,
4913 const int line_num,
4914 int msglevel,
4915 struct gc_arena *gc)
4916 {
4917 const int STATE_INITIAL = 0;
4918 const int STATE_READING_QUOTED_PARM = 1;
4919 const int STATE_READING_UNQUOTED_PARM = 2;
4920 const int STATE_DONE = 3;
4921 const int STATE_READING_SQUOTED_PARM = 4;
4922
4923 const char *error_prefix = "";
4924
4925 int ret = 0;
4926 const char *c = line;
4927 int state = STATE_INITIAL;
4928 bool backslash = false;
4929 char in, out;
4930
4931 char parm[OPTION_PARM_SIZE];
4932 unsigned int parm_len = 0;
4933
4934 msglevel &= ~M_OPTERR;
4935
4936 if (msglevel & M_MSG_VIRT_OUT)
4937 {
4938 error_prefix = "ERROR: ";
4939 }
4940
4941 do
4942 {
4943 in = *c;
4944 out = 0;
4945
4946 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4947 {
4948 backslash = true;
4949 }
4950 else
4951 {
4952 if (state == STATE_INITIAL)
4953 {
4954 if (!space(in))
4955 {
4956 if (in == ';' || in == '#') /* comment */
4957 {
4958 break;
4959 }
4960 if (!backslash && in == '\"')
4961 {
4962 state = STATE_READING_QUOTED_PARM;
4963 }
4964 else if (!backslash && in == '\'')
4965 {
4966 state = STATE_READING_SQUOTED_PARM;
4967 }
4968 else
4969 {
4970 out = in;
4971 state = STATE_READING_UNQUOTED_PARM;
4972 }
4973 }
4974 }
4975 else if (state == STATE_READING_UNQUOTED_PARM)
4976 {
4977 if (!backslash && space(in))
4978 {
4979 state = STATE_DONE;
4980 }
4981 else
4982 {
4983 out = in;
4984 }
4985 }
4986 else if (state == STATE_READING_QUOTED_PARM)
4987 {
4988 if (!backslash && in == '\"')
4989 {
4990 state = STATE_DONE;
4991 }
4992 else
4993 {
4994 out = in;
4995 }
4996 }
4997 else if (state == STATE_READING_SQUOTED_PARM)
4998 {
4999 if (in == '\'')
5000 {
5001 state = STATE_DONE;
5002 }
5003 else
5004 {
5005 out = in;
5006 }
5007 }
5008 if (state == STATE_DONE)
5009 {
5010 /* ASSERT (parm_len > 0); */
5011 p[ret] = gc_malloc(parm_len + 1, true, gc);
5012 memcpy(p[ret], parm, parm_len);
5013 p[ret][parm_len] = '\0';
5014 state = STATE_INITIAL;
5015 parm_len = 0;
5016 ++ret;
5017 }
5018
5019 if (backslash && out)
5020 {
5021 if (!(out == '\\' || out == '\"' || space(out)))
5022 {
5023 #ifdef ENABLE_SMALL
5024 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
5025 #else
5026 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
5027 #endif
5028 return 0;
5029 }
5030 }
5031 backslash = false;
5032 }
5033
5034 /* store parameter character */
5035 if (out)
5036 {
5037 if (parm_len >= SIZE(parm))
5038 {
5039 parm[SIZE(parm) - 1] = 0;
5040 msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5041 error_prefix, file, line_num, (int) SIZE(parm), parm);
5042 return 0;
5043 }
5044 parm[parm_len++] = out;
5045 }
5046
5047 /* avoid overflow if too many parms in one config file line */
5048 if (ret >= n)
5049 {
5050 break;
5051 }
5052
5053 } while (*c++ != '\0');
5054
5055 if (state == STATE_READING_QUOTED_PARM)
5056 {
5057 msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
5058 return 0;
5059 }
5060 if (state == STATE_READING_SQUOTED_PARM)
5061 {
5062 msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
5063 return 0;
5064 }
5065 if (state != STATE_INITIAL)
5066 {
5067 msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
5068 return 0;
5069 }
5070 #if 0
5071 {
5072 int i;
5073 for (i = 0; i < ret; ++i)
5074 {
5075 msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
5076 }
5077 }
5078 #endif
5079 return ret;
5080 }
5081
5082 static void
5083 bypass_doubledash(char **p)
5084 {
5085 if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
5086 {
5087 *p += 2;
5088 }
5089 }
5090
5091 struct in_src {
5092 #define IS_TYPE_FP 1
5093 #define IS_TYPE_BUF 2
5094 int type;
5095 union {
5096 FILE *fp;
5097 struct buffer *multiline;
5098 } u;
5099 };
5100
5101 static bool
5102 in_src_get(const struct in_src *is, char *line, const int size)
5103 {
5104 if (is->type == IS_TYPE_FP)
5105 {
5106 return BOOL_CAST(fgets(line, size, is->u.fp));
5107 }
5108 else if (is->type == IS_TYPE_BUF)
5109 {
5110 bool status = buf_parse(is->u.multiline, '\n', line, size);
5111 if ((int) strlen(line) + 1 < size)
5112 {
5113 strcat(line, "\n");
5114 }
5115 return status;
5116 }
5117 else
5118 {
5119 ASSERT(0);
5120 return false;
5121 }
5122 }
5123
5124 static char *
5125 read_inline_file(struct in_src *is, const char *close_tag,
5126 int *num_lines, struct gc_arena *gc)
5127 {
5128 char line[OPTION_LINE_SIZE];
5129 struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
5130 char *ret;
5131 bool endtagfound = false;
5132
5133 while (in_src_get(is, line, sizeof(line)))
5134 {
5135 (*num_lines)++;
5136 char *line_ptr = line;
5137 /* Remove leading spaces */
5138 while (isspace(*line_ptr))
5139 {
5140 line_ptr++;
5141 }
5142 if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
5143 {
5144 endtagfound = true;
5145 break;
5146 }
5147 if (!buf_safe(&buf, strlen(line)+1))
5148 {
5149 /* Increase buffer size */
5150 struct buffer buf2 = alloc_buf(buf.capacity * 2);
5151 ASSERT(buf_copy(&buf2, &buf));
5152 buf_clear(&buf);
5153 free_buf(&buf);
5154 buf = buf2;
5155 }
5156 buf_printf(&buf, "%s", line);
5157 }
5158 if (!endtagfound)
5159 {
5160 msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
5161 }
5162 ret = string_alloc(BSTR(&buf), gc);
5163 buf_clear(&buf);
5164 free_buf(&buf);
5165 secure_memzero(line, sizeof(line));
5166 return ret;
5167 }
5168
5169 static int
5170 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
5171 {
5172 int num_inline_lines = 0;
5173
5174 if (p[0] && !p[1])
5175 {
5176 char *arg = p[0];
5177 if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
5178 {
5179 struct buffer close_tag;
5180
5181 arg[strlen(arg) - 1] = '\0';
5182 p[0] = string_alloc(arg + 1, gc);
5183 close_tag = alloc_buf(strlen(p[0]) + 4);
5184 buf_printf(&close_tag, "</%s>", p[0]);
5185 p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
5186 p[2] = NULL;
5187 free_buf(&close_tag);
5188 }
5189 }
5190 return num_inline_lines;
5191 }
5192
5193 static int
5194 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
5195 {
5196 struct in_src is;
5197 is.type = IS_TYPE_FP;
5198 is.u.fp = fp;
5199 return check_inline_file(&is, p, gc);
5200 }
5201
5202 static int
5203 check_inline_file_via_buf(struct buffer *multiline, char *p[],
5204 struct gc_arena *gc)
5205 {
5206 struct in_src is;
5207 is.type = IS_TYPE_BUF;
5208 is.u.multiline = multiline;
5209 return check_inline_file(&is, p, gc);
5210 }
5211
5212 static void
5213 add_option(struct options *options,
5214 char *p[],
5215 bool is_inline,
5216 const char *file,
5217 int line,
5218 const int level,
5219 const int msglevel,
5220 const unsigned int permission_mask,
5221 unsigned int *option_types_found,
5222 struct env_set *es);
5223
5224 static void
5225 read_config_file(struct options *options,
5226 const char *file,
5227 int level,
5228 const char *top_file,
5229 const int top_line,
5230 const int msglevel,
5231 const unsigned int permission_mask,
5232 unsigned int *option_types_found,
5233 struct env_set *es)
5234 {
5235 const int max_recursive_levels = 10;
5236 FILE *fp;
5237 int line_num;
5238 char line[OPTION_LINE_SIZE+1];
5239 char *p[MAX_PARMS+1];
5240
5241 ++level;
5242 if (level <= max_recursive_levels)
5243 {
5244 if (streq(file, "stdin"))
5245 {
5246 fp = stdin;
5247 }
5248 else
5249 {
5250 fp = platform_fopen(file, "r");
5251 }
5252 if (fp)
5253 {
5254 line_num = 0;
5255 while (fgets(line, sizeof(line), fp))
5256 {
5257 int offset = 0;
5258 CLEAR(p);
5259 ++line_num;
5260 if (strlen(line) == OPTION_LINE_SIZE)
5261 {
5262 msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5263 file, line_num, OPTION_LINE_SIZE, line);
5264 }
5265
5266 /* Ignore UTF-8 BOM at start of stream */
5267 if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
5268 {
5269 offset = 3;
5270 }
5271 if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5272 {
5273 bypass_doubledash(&p[0]);
5274 int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
5275 add_option(options, p, lines_inline, file, line_num, level,
5276 msglevel, permission_mask, option_types_found,
5277 es);
5278 line_num += lines_inline;
5279 }
5280 }
5281 if (fp != stdin)
5282 {
5283 fclose(fp);
5284 }
5285 }
5286 else
5287 {
5288 msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
5289 }
5290 }
5291 else
5292 {
5293 msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
5294 }
5295 secure_memzero(line, sizeof(line));
5296 CLEAR(p);
5297 }
5298
5299 static void
5300 read_config_string(const char *prefix,
5301 struct options *options,
5302 const char *config,
5303 const int msglevel,
5304 const unsigned int permission_mask,
5305 unsigned int *option_types_found,
5306 struct env_set *es)
5307 {
5308 char line[OPTION_LINE_SIZE];
5309 struct buffer multiline;
5310 int line_num = 0;
5311
5312 buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5313
5314 while (buf_parse(&multiline, '\n', line, sizeof(line)))
5315 {
5316 char *p[MAX_PARMS+1];
5317 CLEAR(p);
5318 ++line_num;
5319 if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
5320 {
5321 bypass_doubledash(&p[0]);
5322 int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
5323 add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
5324 permission_mask, option_types_found, es);
5325 line_num += lines_inline;
5326 }
5327 CLEAR(p);
5328 }
5329 secure_memzero(line, sizeof(line));
5330 }
5331
5332 void
5333 parse_argv(struct options *options,
5334 const int argc,
5335 char *argv[],
5336 const int msglevel,
5337 const unsigned int permission_mask,
5338 unsigned int *option_types_found,
5339 struct env_set *es)
5340 {
5341 /* usage message */
5342 if (argc <= 1)
5343 {
5344 usage();
5345 }
5346
5347 /* config filename specified only? */
5348 if (argc == 2 && strncmp(argv[1], "--", 2))
5349 {
5350 char *p[MAX_PARMS+1];
5351 CLEAR(p);
5352 p[0] = "config";
5353 p[1] = argv[1];
5354 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5355 option_types_found, es);
5356 }
5357 else
5358 {
5359 /* parse command line */
5360 for (int i = 1; i < argc; ++i)
5361 {
5362 char *p[MAX_PARMS+1];
5363 CLEAR(p);
5364 p[0] = argv[i];
5365 if (strncmp(p[0], "--", 2))
5366 {
5367 msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
5368 }
5369 else
5370 {
5371 p[0] += 2;
5372 }
5373
5374 int j;
5375 for (j = 1; j < MAX_PARMS; ++j)
5376 {
5377 if (i + j < argc)
5378 {
5379 char *arg = argv[i + j];
5380 if (strncmp(arg, "--", 2))
5381 {
5382 p[j] = arg;
5383 }
5384 else
5385 {
5386 break;
5387 }
5388 }
5389 }
5390 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5391 option_types_found, es);
5392 i += j - 1;
5393 }
5394 }
5395 }
5396
5397 /**
5398 * Filter an option line by all pull filters.
5399 *
5400 * If a match is found, the line is modified depending on
5401 * the filter type, and returns true. If the filter type is
5402 * reject, SIGUSR1 is triggered and the return value is false.
5403 * In that case the caller must end the push processing.
5404 */
5405 static bool
5406 apply_pull_filter(const struct options *o, char *line)
5407 {
5408 struct pull_filter *f;
5409
5410 if (!o->pull_filter_list)
5411 {
5412 return true;
5413 }
5414
5415 /* skip leading spaces matching the behaviour of parse_line */
5416 while (isspace(*line))
5417 {
5418 line++;
5419 }
5420
5421 for (f = o->pull_filter_list->head; f; f = f->next)
5422 {
5423 if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5424 {
5425 msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5426 return true;
5427 }
5428 else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5429 {
5430 msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5431 *line = '\0';
5432 return true;
5433 }
5434 else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5435 {
5436 msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5437 *line = '\0';
5438 throw_signal_soft(SIGUSR1, "Offending option received from server");
5439 return false;
5440 }
5441 }
5442 return true;
5443 }
5444
5445 bool
5446 apply_push_options(struct options *options,
5447 struct buffer *buf,
5448 unsigned int permission_mask,
5449 unsigned int *option_types_found,
5450 struct env_set *es)
5451 {
5452 char line[OPTION_PARM_SIZE];
5453 int line_num = 0;
5454 const char *file = "[PUSH-OPTIONS]";
5455 const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5456
5457 while (buf_parse(buf, ',', line, sizeof(line)))
5458 {
5459 char *p[MAX_PARMS+1];
5460 CLEAR(p);
5461 ++line_num;
5462 if (!apply_pull_filter(options, line))
5463 {
5464 return false; /* Cause push/pull error and stop push processing */
5465 }
5466 if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5467 {
5468 add_option(options, p, false, file, line_num, 0, msglevel,
5469 permission_mask, option_types_found, es);
5470 }
5471 }
5472 return true;
5473 }
5474
5475 void
5476 options_server_import(struct options *o,
5477 const char *filename,
5478 int msglevel,
5479 unsigned int permission_mask,
5480 unsigned int *option_types_found,
5481 struct env_set *es)
5482 {
5483 msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5484 read_config_file(o,
5485 filename,
5486 0,
5487 filename,
5488 0,
5489 msglevel,
5490 permission_mask,
5491 option_types_found,
5492 es);
5493 }
5494
5495 void
5496 options_string_import(struct options *options,
5497 const char *config,
5498 const int msglevel,
5499 const unsigned int permission_mask,
5500 unsigned int *option_types_found,
5501 struct env_set *es)
5502 {
5503 read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5504 }
5505
5506 #define VERIFY_PERMISSION(mask) { \
5507 if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5508 option_types_found, msglevel, options, is_inline)) \
5509 { \
5510 goto err; \
5511 } \
5512 }
5513
5514 static bool
5515 verify_permission(const char *name,
5516 const char *file,
5517 int line,
5518 const unsigned int type,
5519 const unsigned int allowed,
5520 unsigned int *found,
5521 const int msglevel,
5522 struct options *options,
5523 bool is_inline)
5524 {
5525 if (!(type & allowed))
5526 {
5527 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5528 return false;
5529 }
5530
5531 if (is_inline && !(type & OPT_P_INLINE))
5532 {
5533 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5534 file, line);
5535 return false;
5536 }
5537
5538 if (found)
5539 {
5540 *found |= type;
5541 }
5542
5543 #ifndef ENABLE_SMALL
5544 /* Check if this options is allowed in connection block,
5545 * but we are currently not in a connection block
5546 * unless this is a pushed option.
5547 * Parsing a connection block uses a temporary options struct without
5548 * connection_list
5549 */
5550
5551 if ((type & OPT_P_CONNECTION) && options->connection_list
5552 && !(allowed & OPT_P_PULL_MODE))
5553 {
5554 if (file)
5555 {
5556 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5557 }
5558 else
5559 {
5560 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5561 }
5562 }
5563 #endif
5564 return true;
5565 }
5566
5567 /*
5568 * Check that an option doesn't have too
5569 * many parameters.
5570 */
5571
5572 #define NM_QUOTE_HINT (1<<0)
5573
5574 static bool
5575 no_more_than_n_args(const int msglevel,
5576 char *p[],
5577 const int max,
5578 const unsigned int flags)
5579 {
5580 const int len = string_array_len((const char **)p);
5581
5582 if (!len)
5583 {
5584 return false;
5585 }
5586
5587 if (len > max)
5588 {
5589 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5590 p[0],
5591 max - 1,
5592 max >= 3 ? "s" : "",
5593 (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5594 return false;
5595 }
5596 else
5597 {
5598 return true;
5599 }
5600 }
5601
5602 static inline int
5603 msglevel_forward_compatible(struct options *options, const int msglevel)
5604 {
5605 return options->forward_compatible ? M_WARN : msglevel;
5606 }
5607
5608 static void
5609 set_user_script(struct options *options,
5610 const char **script,
5611 const char *new_script,
5612 const char *type,
5613 bool in_chroot)
5614 {
5615 if (*script)
5616 {
5617 msg(M_WARN, "Multiple --%s scripts defined. "
5618 "The previously configured script is overridden.", type);
5619 }
5620 *script = new_script;
5621 options->user_script_used = true;
5622
5623 #ifndef ENABLE_SMALL
5624 {
5625 char script_name[100];
5626 openvpn_snprintf(script_name, sizeof(script_name),
5627 "--%s script", type);
5628
5629 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5630 {
5631 msg(M_USAGE, "Please correct this error.");
5632 }
5633
5634 }
5635 #endif
5636 }
5637
5638 #ifdef USE_COMP
5639 static void
5640 show_compression_warning(struct compress_options *info)
5641 {
5642 if (comp_non_stub_enabled(info))
5643 {
5644 /*
5645 * Check if already displayed the strong warning and enabled full
5646 * compression
5647 */
5648 if (!(info->flags & COMP_F_ALLOW_COMPRESS))
5649 {
5650 msg(M_WARN, "WARNING: Compression for receiving enabled. "
5651 "Compression has been used in the past to break encryption. "
5652 "Sent packets are not compressed unless \"allow-compression yes\" "
5653 "is also set.");
5654 }
5655 }
5656 }
5657 #endif
5658
5659 bool
5660 key_is_external(const struct options *options)
5661 {
5662 bool ret = false;
5663 ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5664 #ifdef ENABLE_PKCS11
5665 ret = ret || (options->pkcs11_providers[0] != NULL);
5666 #endif
5667 #ifdef ENABLE_CRYPTOAPI
5668 ret = ret || options->cryptoapi_cert;
5669 #endif
5670
5671 return ret;
5672 }
5673
5674 static void
5675 add_option(struct options *options,
5676 char *p[],
5677 bool is_inline,
5678 const char *file,
5679 int line,
5680 const int level,
5681 const int msglevel,
5682 const unsigned int permission_mask,
5683 unsigned int *option_types_found,
5684 struct env_set *es)
5685 {
5686 struct gc_arena gc = gc_new();
5687 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5688 int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5689
5690 ASSERT(MAX_PARMS >= 7);
5691
5692 /*
5693 * If directive begins with "setenv opt" prefix, don't raise an error if
5694 * directive is unrecognized.
5695 */
5696 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5697 {
5698 if (!p[2])
5699 {
5700 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5701 }
5702 p += 2;
5703 msglevel_fc = M_WARN;
5704 }
5705
5706 if (!file)
5707 {
5708 file = "[CMD-LINE]";
5709 line = 1;
5710 }
5711 if (streq(p[0], "help"))
5712 {
5713 VERIFY_PERMISSION(OPT_P_GENERAL);
5714 usage();
5715 if (p[1])
5716 {
5717 msg(msglevel, "--help does not accept any parameters");
5718 goto err;
5719 }
5720 }
5721 if (streq(p[0], "version") && !p[1])
5722 {
5723 VERIFY_PERMISSION(OPT_P_GENERAL);
5724 usage_version();
5725 }
5726 else if (streq(p[0], "config") && p[1] && !p[2])
5727 {
5728 VERIFY_PERMISSION(OPT_P_CONFIG);
5729
5730 /* save first config file only in options */
5731 if (!options->config)
5732 {
5733 options->config = p[1];
5734 }
5735
5736 read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5737 }
5738 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5739 else if (streq(p[0], "show-gateway") && !p[2])
5740 {
5741 struct route_gateway_info rgi;
5742 struct route_ipv6_gateway_info rgi6;
5743 struct in6_addr remote = IN6ADDR_ANY_INIT;
5744 openvpn_net_ctx_t net_ctx;
5745 VERIFY_PERMISSION(OPT_P_GENERAL);
5746 if (p[1])
5747 {
5748 get_ipv6_addr(p[1], &remote, NULL, M_WARN);
5749 }
5750 net_ctx_init(NULL, &net_ctx);
5751 get_default_gateway(&rgi, &net_ctx);
5752 get_default_gateway_ipv6(&rgi6, &remote, &net_ctx);
5753 print_default_gateway(M_INFO, &rgi, &rgi6);
5754 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5755 }
5756 #endif
5757 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5758 {
5759 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5760 int j;
5761 bool good = true;
5762
5763 VERIFY_PERMISSION(OPT_P_ECHO);
5764
5765 for (j = 1; j < MAX_PARMS; ++j)
5766 {
5767 if (!p[j])
5768 {
5769 break;
5770 }
5771 if (j > 1)
5772 {
5773 good &= buf_printf(&string, " ");
5774 }
5775 good &= buf_printf(&string, "%s", p[j]);
5776 }
5777 if (good)
5778 {
5779 /* only message-related ECHO are logged, since other ECHOs
5780 * can potentially include security-sensitive strings */
5781 if (p[1] && strncmp(p[1], "msg", 3) == 0)
5782 {
5783 msg(M_INFO, "%s:%s",
5784 pull_mode ? "ECHO-PULL" : "ECHO",
5785 BSTR(&string));
5786 }
5787 #ifdef ENABLE_MANAGEMENT
5788 if (management)
5789 {
5790 management_echo(management, BSTR(&string), pull_mode);
5791 }
5792 #endif
5793 }
5794 else
5795 {
5796 msg(M_WARN, "echo/parameter option overflow");
5797 }
5798 }
5799 #ifdef ENABLE_MANAGEMENT
5800 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5801 {
5802 VERIFY_PERMISSION(OPT_P_GENERAL);
5803 if (streq(p[2], "unix"))
5804 {
5805 #if UNIX_SOCK_SUPPORT
5806 options->management_flags |= MF_UNIX_SOCK;
5807 #else
5808 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5809 goto err;
5810 #endif
5811 }
5812
5813 options->management_addr = p[1];
5814 options->management_port = p[2];
5815 if (p[3])
5816 {
5817 options->management_user_pass = p[3];
5818 }
5819 }
5820 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5821 {
5822 VERIFY_PERMISSION(OPT_P_GENERAL);
5823 options->management_client_user = p[1];
5824 }
5825 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5826 {
5827 VERIFY_PERMISSION(OPT_P_GENERAL);
5828 options->management_client_group = p[1];
5829 }
5830 else if (streq(p[0], "management-query-passwords") && !p[1])
5831 {
5832 VERIFY_PERMISSION(OPT_P_GENERAL);
5833 options->management_flags |= MF_QUERY_PASSWORDS;
5834 }
5835 else if (streq(p[0], "management-query-remote") && !p[1])
5836 {
5837 VERIFY_PERMISSION(OPT_P_GENERAL);
5838 options->management_flags |= MF_QUERY_REMOTE;
5839 }
5840 else if (streq(p[0], "management-query-proxy") && !p[1])
5841 {
5842 VERIFY_PERMISSION(OPT_P_GENERAL);
5843 options->management_flags |= MF_QUERY_PROXY;
5844 }
5845 else if (streq(p[0], "management-hold") && !p[1])
5846 {
5847 VERIFY_PERMISSION(OPT_P_GENERAL);
5848 options->management_flags |= MF_HOLD;
5849 }
5850 else if (streq(p[0], "management-signal") && !p[1])
5851 {
5852 VERIFY_PERMISSION(OPT_P_GENERAL);
5853 options->management_flags |= MF_SIGNAL;
5854 }
5855 else if (streq(p[0], "management-forget-disconnect") && !p[1])
5856 {
5857 VERIFY_PERMISSION(OPT_P_GENERAL);
5858 options->management_flags |= MF_FORGET_DISCONNECT;
5859 }
5860 else if (streq(p[0], "management-up-down") && !p[1])
5861 {
5862 VERIFY_PERMISSION(OPT_P_GENERAL);
5863 options->management_flags |= MF_UP_DOWN;
5864 }
5865 else if (streq(p[0], "management-client") && !p[1])
5866 {
5867 VERIFY_PERMISSION(OPT_P_GENERAL);
5868 options->management_flags |= MF_CONNECT_AS_CLIENT;
5869 }
5870 else if (streq(p[0], "management-external-key"))
5871 {
5872 VERIFY_PERMISSION(OPT_P_GENERAL);
5873 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5874 {
5875 if (streq(p[j], "nopadding"))
5876 {
5877 options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
5878 }
5879 else if (streq(p[j], "pkcs1"))
5880 {
5881 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5882 }
5883 else if (streq(p[j], "pss"))
5884 {
5885 options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
5886 }
5887 else if (streq(p[j], "digest"))
5888 {
5889 options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
5890 }
5891 else
5892 {
5893 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5894 }
5895 }
5896 /*
5897 * When no option is present, assume that only PKCS1
5898 * padding is supported
5899 */
5900 if (!(options->management_flags
5901 &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
5902 {
5903 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5904 }
5905 options->management_flags |= MF_EXTERNAL_KEY;
5906 }
5907 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5908 {
5909 VERIFY_PERMISSION(OPT_P_GENERAL);
5910 options->management_flags |= MF_EXTERNAL_CERT;
5911 options->management_certificate = p[1];
5912 }
5913 else if (streq(p[0], "management-client-auth") && !p[1])
5914 {
5915 VERIFY_PERMISSION(OPT_P_GENERAL);
5916 options->management_flags |= MF_CLIENT_AUTH;
5917 }
5918 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5919 {
5920 int cache;
5921
5922 VERIFY_PERMISSION(OPT_P_GENERAL);
5923 cache = atoi(p[1]);
5924 if (cache < 1)
5925 {
5926 msg(msglevel, "--management-log-cache parameter is out of range");
5927 goto err;
5928 }
5929 options->management_log_history_cache = cache;
5930 }
5931 #endif /* ifdef ENABLE_MANAGEMENT */
5932 #ifdef ENABLE_PLUGIN
5933 else if (streq(p[0], "plugin") && p[1])
5934 {
5935 VERIFY_PERMISSION(OPT_P_PLUGIN);
5936 if (!options->plugin_list)
5937 {
5938 options->plugin_list = plugin_option_list_new(&options->gc);
5939 }
5940 if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5941 {
5942 msg(msglevel, "plugin add failed: %s", p[1]);
5943 goto err;
5944 }
5945 }
5946 #endif
5947 else if (streq(p[0], "mode") && p[1] && !p[2])
5948 {
5949 VERIFY_PERMISSION(OPT_P_GENERAL);
5950 if (streq(p[1], "p2p"))
5951 {
5952 options->mode = MODE_POINT_TO_POINT;
5953 }
5954 else if (streq(p[1], "server"))
5955 {
5956 options->mode = MODE_SERVER;
5957 }
5958 else
5959 {
5960 msg(msglevel, "Bad --mode parameter: %s", p[1]);
5961 goto err;
5962 }
5963 }
5964 else if (streq(p[0], "dev") && p[1] && !p[2])
5965 {
5966 VERIFY_PERMISSION(OPT_P_GENERAL);
5967 options->dev = p[1];
5968 }
5969 else if (streq(p[0], "dev-type") && p[1] && !p[2])
5970 {
5971 VERIFY_PERMISSION(OPT_P_GENERAL);
5972 options->dev_type = p[1];
5973 }
5974 #ifdef _WIN32
5975 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
5976 {
5977 VERIFY_PERMISSION(OPT_P_GENERAL);
5978 options->windows_driver = parse_windows_driver(p[1], M_FATAL);
5979 }
5980 #endif
5981 else if (streq(p[0], "disable-dco"))
5982 {
5983 options->tuntap_options.disable_dco = true;
5984 }
5985 else if (streq(p[0], "dev-node") && p[1] && !p[2])
5986 {
5987 VERIFY_PERMISSION(OPT_P_GENERAL);
5988 options->dev_node = p[1];
5989 }
5990 else if (streq(p[0], "lladdr") && p[1] && !p[2])
5991 {
5992 VERIFY_PERMISSION(OPT_P_UP);
5993 if (mac_addr_safe(p[1])) /* MAC address only */
5994 {
5995 options->lladdr = p[1];
5996 }
5997 else
5998 {
5999 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
6000 goto err;
6001 }
6002 }
6003 else if (streq(p[0], "topology") && p[1] && !p[2])
6004 {
6005 VERIFY_PERMISSION(OPT_P_UP);
6006 options->topology = parse_topology(p[1], msglevel);
6007 }
6008 else if (streq(p[0], "tun-ipv6") && !p[1])
6009 {
6010 if (!pull_mode)
6011 {
6012 msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
6013 }
6014 }
6015 #ifdef ENABLE_IPROUTE
6016 else if (streq(p[0], "iproute") && p[1] && !p[2])
6017 {
6018 VERIFY_PERMISSION(OPT_P_GENERAL);
6019 iproute_path = p[1];
6020 }
6021 #endif
6022 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
6023 {
6024 VERIFY_PERMISSION(OPT_P_UP);
6025 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
6026 {
6027 options->ifconfig_local = p[1];
6028 options->ifconfig_remote_netmask = p[2];
6029 }
6030 else
6031 {
6032 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6033 goto err;
6034 }
6035 }
6036 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
6037 {
6038 unsigned int netbits;
6039
6040 VERIFY_PERMISSION(OPT_P_UP);
6041 if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
6042 && ipv6_addr_safe( p[2] ) )
6043 {
6044 if (netbits < 64 || netbits > 124)
6045 {
6046 msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
6047 goto err;
6048 }
6049
6050 options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
6051 options->ifconfig_ipv6_netbits = netbits;
6052 options->ifconfig_ipv6_remote = p[2];
6053 }
6054 else
6055 {
6056 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6057 goto err;
6058 }
6059 }
6060 else if (streq(p[0], "ifconfig-noexec") && !p[1])
6061 {
6062 VERIFY_PERMISSION(OPT_P_UP);
6063 options->ifconfig_noexec = true;
6064 }
6065 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
6066 {
6067 VERIFY_PERMISSION(OPT_P_UP);
6068 options->ifconfig_nowarn = true;
6069 }
6070 else if (streq(p[0], "local") && p[1] && !p[2])
6071 {
6072 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6073 options->ce.local = p[1];
6074 }
6075 else if (streq(p[0], "remote-random") && !p[1])
6076 {
6077 VERIFY_PERMISSION(OPT_P_GENERAL);
6078 options->remote_random = true;
6079 }
6080 else if (streq(p[0], "connection") && p[1] && !p[3])
6081 {
6082 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6083 if (is_inline)
6084 {
6085 struct options sub;
6086 struct connection_entry *e;
6087
6088 init_options(&sub, true);
6089 sub.ce = options->ce;
6090 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
6091 OPT_P_CONNECTION, option_types_found, es);
6092 if (!sub.ce.remote)
6093 {
6094 msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
6095 uninit_options(&sub);
6096 goto err;
6097 }
6098
6099 e = alloc_connection_entry(options, msglevel);
6100 if (!e)
6101 {
6102 uninit_options(&sub);
6103 goto err;
6104 }
6105 *e = sub.ce;
6106 gc_transfer(&options->gc, &sub.gc);
6107 uninit_options(&sub);
6108 }
6109 }
6110 else if (streq(p[0], "ignore-unknown-option") && p[1])
6111 {
6112 int i;
6113 int j;
6114 int numignored = 0;
6115 const char **ignore;
6116
6117 VERIFY_PERMISSION(OPT_P_GENERAL);
6118 /* Find out how many options to be ignored */
6119 for (i = 1; p[i]; i++)
6120 {
6121 numignored++;
6122 }
6123
6124 /* add number of options already ignored */
6125 for (i = 0; options->ignore_unknown_option
6126 && options->ignore_unknown_option[i]; i++)
6127 {
6128 numignored++;
6129 }
6130
6131 /* Allocate array */
6132 ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
6133 for (i = 0; options->ignore_unknown_option
6134 && options->ignore_unknown_option[i]; i++)
6135 {
6136 ignore[i] = options->ignore_unknown_option[i];
6137 }
6138
6139 options->ignore_unknown_option = ignore;
6140
6141 for (j = 1; p[j]; j++)
6142 {
6143 /* Allow the user to specify ignore-unknown-option --opt too */
6144 if (p[j][0]=='-' && p[j][1]=='-')
6145 {
6146 options->ignore_unknown_option[i] = (p[j]+2);
6147 }
6148 else
6149 {
6150 options->ignore_unknown_option[i] = p[j];
6151 }
6152 i++;
6153 }
6154
6155 options->ignore_unknown_option[i] = NULL;
6156 }
6157 #if ENABLE_MANAGEMENT
6158 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6159 {
6160 VERIFY_PERMISSION(OPT_P_GENERAL);
6161 options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
6162 if (!options->http_proxy_override)
6163 {
6164 goto err;
6165 }
6166 }
6167 #endif
6168 else if (streq(p[0], "remote") && p[1] && !p[4])
6169 {
6170 struct remote_entry re;
6171 re.remote = re.remote_port = NULL;
6172 re.proto = -1;
6173 re.af = 0;
6174
6175 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6176 re.remote = p[1];
6177 if (p[2])
6178 {
6179 re.remote_port = p[2];
6180 if (p[3])
6181 {
6182 const int proto = ascii2proto(p[3]);
6183 const sa_family_t af = ascii2af(p[3]);
6184 if (proto < 0)
6185 {
6186 msg(msglevel,
6187 "remote: bad protocol associated with host %s: '%s'",
6188 p[1], p[3]);
6189 goto err;
6190 }
6191 re.proto = proto;
6192 re.af = af;
6193 }
6194 }
6195 if (permission_mask & OPT_P_GENERAL)
6196 {
6197 struct remote_entry *e = alloc_remote_entry(options, msglevel);
6198 if (!e)
6199 {
6200 goto err;
6201 }
6202 *e = re;
6203 }
6204 else if (permission_mask & OPT_P_CONNECTION)
6205 {
6206 connection_entry_load_re(&options->ce, &re);
6207 }
6208 }
6209 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6210 {
6211 VERIFY_PERMISSION(OPT_P_GENERAL);
6212 if (streq(p[1], "infinite"))
6213 {
6214 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6215 }
6216 else
6217 {
6218 options->resolve_retry_seconds = positive_atoi(p[1]);
6219 }
6220 }
6221 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6222 {
6223 VERIFY_PERMISSION(OPT_P_GENERAL);
6224 options->resolve_in_advance = true;
6225 /* Note the ip-remote-hint and the argument p[1] are for
6226 * backward compatibility */
6227 if (p[1])
6228 {
6229 options->ip_remote_hint = p[1];
6230 }
6231 }
6232 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6233 {
6234 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6235 options->ce.connect_retry_seconds = positive_atoi(p[1]);
6236 /*
6237 * Limit the base value of retry wait interval to 16 bits to avoid
6238 * overflow when scaled up for exponential backoff
6239 */
6240 if (options->ce.connect_retry_seconds > 0xFFFF)
6241 {
6242 options->ce.connect_retry_seconds = 0xFFFF;
6243 msg(M_WARN, "connect retry wait interval truncated to %d",
6244 options->ce.connect_retry_seconds);
6245 }
6246
6247 if (p[2])
6248 {
6249 options->ce.connect_retry_seconds_max =
6250 max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
6251 }
6252 }
6253 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
6254 && p[1] && !p[2])
6255 {
6256 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6257 options->ce.connect_timeout = positive_atoi(p[1]);
6258 }
6259 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6260 {
6261 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6262 options->connect_retry_max = positive_atoi(p[1]);
6263 }
6264 else if (streq(p[0], "ipchange") && p[1])
6265 {
6266 VERIFY_PERMISSION(OPT_P_SCRIPT);
6267 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6268 {
6269 goto err;
6270 }
6271 set_user_script(options,
6272 &options->ipchange,
6273 string_substitute(p[1], ',', ' ', &options->gc),
6274 "ipchange", true);
6275 }
6276 else if (streq(p[0], "float") && !p[1])
6277 {
6278 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6279 options->ce.remote_float = true;
6280 }
6281 #ifdef ENABLE_DEBUG
6282 else if (streq(p[0], "gremlin") && p[1] && !p[2])
6283 {
6284 VERIFY_PERMISSION(OPT_P_GENERAL);
6285 options->gremlin = positive_atoi(p[1]);
6286 }
6287 #endif
6288 else if (streq(p[0], "chroot") && p[1] && !p[2])
6289 {
6290 VERIFY_PERMISSION(OPT_P_GENERAL);
6291 options->chroot_dir = p[1];
6292 }
6293 else if (streq(p[0], "cd") && p[1] && !p[2])
6294 {
6295 VERIFY_PERMISSION(OPT_P_GENERAL);
6296 if (platform_chdir(p[1]))
6297 {
6298 msg(M_ERR, "cd to '%s' failed", p[1]);
6299 goto err;
6300 }
6301 options->cd_dir = p[1];
6302 }
6303 #ifdef ENABLE_SELINUX
6304 else if (streq(p[0], "setcon") && p[1] && !p[2])
6305 {
6306 VERIFY_PERMISSION(OPT_P_GENERAL);
6307 options->selinux_context = p[1];
6308 }
6309 #endif
6310 else if (streq(p[0], "writepid") && p[1] && !p[2])
6311 {
6312 VERIFY_PERMISSION(OPT_P_GENERAL);
6313 options->writepid = p[1];
6314 }
6315 else if (streq(p[0], "up") && p[1])
6316 {
6317 VERIFY_PERMISSION(OPT_P_SCRIPT);
6318 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6319 {
6320 goto err;
6321 }
6322 set_user_script(options, &options->up_script, p[1], "up", false);
6323 }
6324 else if (streq(p[0], "down") && p[1])
6325 {
6326 VERIFY_PERMISSION(OPT_P_SCRIPT);
6327 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6328 {
6329 goto err;
6330 }
6331 set_user_script(options, &options->down_script, p[1], "down", true);
6332 }
6333 else if (streq(p[0], "down-pre") && !p[1])
6334 {
6335 VERIFY_PERMISSION(OPT_P_GENERAL);
6336 options->down_pre = true;
6337 }
6338 else if (streq(p[0], "up-delay") && !p[1])
6339 {
6340 VERIFY_PERMISSION(OPT_P_GENERAL);
6341 options->up_delay = true;
6342 }
6343 else if (streq(p[0], "up-restart") && !p[1])
6344 {
6345 VERIFY_PERMISSION(OPT_P_GENERAL);
6346 options->up_restart = true;
6347 }
6348 else if (streq(p[0], "syslog") && !p[2])
6349 {
6350 VERIFY_PERMISSION(OPT_P_GENERAL);
6351 open_syslog(p[1], false);
6352 }
6353 else if (streq(p[0], "daemon") && !p[2])
6354 {
6355 bool didit = false;
6356 VERIFY_PERMISSION(OPT_P_GENERAL);
6357 if (!options->daemon)
6358 {
6359 options->daemon = didit = true;
6360 open_syslog(p[1], false);
6361 }
6362 if (p[1])
6363 {
6364 if (!didit)
6365 {
6366 msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
6367 goto err;
6368 }
6369 }
6370 }
6371 else if (streq(p[0], "log") && p[1] && !p[2])
6372 {
6373 VERIFY_PERMISSION(OPT_P_GENERAL);
6374 options->log = true;
6375 redirect_stdout_stderr(p[1], false);
6376 }
6377 else if (streq(p[0], "suppress-timestamps") && !p[1])
6378 {
6379 VERIFY_PERMISSION(OPT_P_GENERAL);
6380 options->suppress_timestamps = true;
6381 set_suppress_timestamps(true);
6382 }
6383 else if (streq(p[0], "machine-readable-output") && !p[1])
6384 {
6385 VERIFY_PERMISSION(OPT_P_GENERAL);
6386 options->machine_readable_output = true;
6387 set_machine_readable_output(true);
6388 }
6389 else if (streq(p[0], "log-append") && p[1] && !p[2])
6390 {
6391 VERIFY_PERMISSION(OPT_P_GENERAL);
6392 options->log = true;
6393 redirect_stdout_stderr(p[1], true);
6394 }
6395 #ifdef ENABLE_MEMSTATS
6396 else if (streq(p[0], "memstats") && p[1] && !p[2])
6397 {
6398 VERIFY_PERMISSION(OPT_P_GENERAL);
6399 options->memstats_fn = p[1];
6400 }
6401 #endif
6402 else if (streq(p[0], "mlock") && !p[1])
6403 {
6404 VERIFY_PERMISSION(OPT_P_GENERAL);
6405 options->mlock = true;
6406 }
6407 #if ENABLE_IP_PKTINFO
6408 else if (streq(p[0], "multihome") && !p[1])
6409 {
6410 VERIFY_PERMISSION(OPT_P_GENERAL);
6411 options->sockflags |= SF_USE_IP_PKTINFO;
6412 }
6413 #endif
6414 else if (streq(p[0], "verb") && p[1] && !p[2])
6415 {
6416 VERIFY_PERMISSION(OPT_P_MESSAGES);
6417 options->verbosity = positive_atoi(p[1]);
6418 if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6419 {
6420 /* We pass this flag to the SSL library to avoid
6421 * mbed TLS always generating debug level logging */
6422 options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6423 }
6424 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6425 /* Warn when a debug verbosity is supplied when built without debug support */
6426 if (options->verbosity >= 7)
6427 {
6428 msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6429 options->verbosity);
6430 }
6431 #endif
6432 }
6433 else if (streq(p[0], "mute") && p[1] && !p[2])
6434 {
6435 VERIFY_PERMISSION(OPT_P_MESSAGES);
6436 options->mute = positive_atoi(p[1]);
6437 }
6438 else if (streq(p[0], "errors-to-stderr") && !p[1])
6439 {
6440 VERIFY_PERMISSION(OPT_P_MESSAGES);
6441 errors_to_stderr();
6442 }
6443 else if (streq(p[0], "status") && p[1] && !p[3])
6444 {
6445 VERIFY_PERMISSION(OPT_P_GENERAL);
6446 options->status_file = p[1];
6447 if (p[2])
6448 {
6449 options->status_file_update_freq = positive_atoi(p[2]);
6450 }
6451 }
6452 else if (streq(p[0], "status-version") && p[1] && !p[2])
6453 {
6454 int version;
6455
6456 VERIFY_PERMISSION(OPT_P_GENERAL);
6457 version = atoi(p[1]);
6458 if (version < 1 || version > 3)
6459 {
6460 msg(msglevel, "--status-version must be 1 to 3");
6461 goto err;
6462 }
6463 options->status_file_version = version;
6464 }
6465 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6466 {
6467 VERIFY_PERMISSION(OPT_P_GENERAL);
6468 if (streq(p[1], "SIGHUP"))
6469 {
6470 options->remap_sigusr1 = SIGHUP;
6471 }
6472 else if (streq(p[1], "SIGTERM"))
6473 {
6474 options->remap_sigusr1 = SIGTERM;
6475 }
6476 else
6477 {
6478 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6479 goto err;
6480 }
6481 }
6482 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6483 {
6484 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6485 options->ce.link_mtu = positive_atoi(p[1]);
6486 options->ce.link_mtu_defined = true;
6487 }
6488 else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6489 {
6490 VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
6491 options->ce.tun_mtu = positive_atoi(p[1]);
6492 options->ce.tun_mtu_defined = true;
6493 if (p[2])
6494 {
6495 options->ce.occ_mtu = positive_atoi(p[2]);
6496 }
6497 else
6498 {
6499 options->ce.occ_mtu = 0;
6500 }
6501 }
6502 else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3])
6503 {
6504 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6505 int max_mtu = positive_atoi(p[1]);
6506 if (max_mtu < 68 || max_mtu > 65536)
6507 {
6508 msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
6509 }
6510 else
6511 {
6512 options->ce.tun_mtu_max = max_mtu;
6513 }
6514 }
6515 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6516 {
6517 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6518 options->ce.tun_mtu_extra = positive_atoi(p[1]);
6519 options->ce.tun_mtu_extra_defined = true;
6520 }
6521 else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
6522 {
6523 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6524 int maxmtu = positive_atoi(p[1]);
6525 options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
6526
6527 if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
6528 {
6529 msg(M_WARN, "Note: max-packet-size value outside of allowed "
6530 "control channel packet size (%d to %d), will use %d "
6531 "instead.", TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE,
6532 options->ce.tls_mtu);
6533 }
6534
6535 /* also set mssfix maxmtu mtu */
6536 options->ce.mssfix = maxmtu;
6537 options->ce.mssfix_default = false;
6538 options->ce.mssfix_encap = true;
6539 }
6540 #ifdef ENABLE_FRAGMENT
6541 else if (streq(p[0], "mtu-dynamic"))
6542 {
6543 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6544 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6545 goto err;
6546 }
6547 else if (streq(p[0], "fragment") && p[1] && !p[3])
6548 {
6549 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6550 options->ce.fragment = positive_atoi(p[1]);
6551
6552 if (p[2] && streq(p[2], "mtu"))
6553 {
6554 options->ce.fragment_encap = true;
6555 }
6556 else if (p[2])
6557 {
6558 msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6559 }
6560 }
6561 #endif /* ifdef ENABLE_FRAGMENT */
6562 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6563 {
6564 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6565 options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6566 }
6567 else if (streq(p[0], "mtu-test") && !p[1])
6568 {
6569 VERIFY_PERMISSION(OPT_P_GENERAL);
6570 options->mtu_test = true;
6571 }
6572 else if (streq(p[0], "nice") && p[1] && !p[2])
6573 {
6574 VERIFY_PERMISSION(OPT_P_NICE);
6575 options->nice = atoi(p[1]);
6576 }
6577 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6578 {
6579 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6580 options->rcvbuf = positive_atoi(p[1]);
6581 }
6582 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6583 {
6584 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6585 options->sndbuf = positive_atoi(p[1]);
6586 }
6587 else if (streq(p[0], "mark") && p[1] && !p[2])
6588 {
6589 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
6590 VERIFY_PERMISSION(OPT_P_GENERAL);
6591 options->mark = atoi(p[1]);
6592 #endif
6593 }
6594 else if (streq(p[0], "socket-flags"))
6595 {
6596 int j;
6597 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6598 for (j = 1; j < MAX_PARMS && p[j]; ++j)
6599 {
6600 if (streq(p[j], "TCP_NODELAY"))
6601 {
6602 options->sockflags |= SF_TCP_NODELAY;
6603 }
6604 else
6605 {
6606 msg(msglevel, "unknown socket flag: %s", p[j]);
6607 }
6608 }
6609 }
6610 #ifdef TARGET_LINUX
6611 else if (streq(p[0], "bind-dev") && p[1])
6612 {
6613 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6614 options->bind_dev = p[1];
6615 }
6616 #endif
6617 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6618 {
6619 VERIFY_PERMISSION(OPT_P_GENERAL);
6620 #ifdef TARGET_LINUX
6621 options->tuntap_options.txqueuelen = positive_atoi(p[1]);
6622 #else
6623 msg(msglevel, "--txqueuelen not supported on this OS");
6624 goto err;
6625 #endif
6626 }
6627 else if (streq(p[0], "shaper") && p[1] && !p[2])
6628 {
6629 int shaper;
6630
6631 VERIFY_PERMISSION(OPT_P_SHAPER);
6632 shaper = atoi(p[1]);
6633 if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
6634 {
6635 msg(msglevel, "Bad shaper value, must be between %d and %d",
6636 SHAPER_MIN, SHAPER_MAX);
6637 goto err;
6638 }
6639 options->shaper = shaper;
6640 }
6641 else if (streq(p[0], "port") && p[1] && !p[2])
6642 {
6643 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6644 options->ce.local_port = options->ce.remote_port = p[1];
6645 }
6646 else if (streq(p[0], "lport") && p[1] && !p[2])
6647 {
6648 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6649 options->ce.local_port_defined = true;
6650 options->ce.local_port = p[1];
6651 }
6652 else if (streq(p[0], "rport") && p[1] && !p[2])
6653 {
6654 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6655 options->ce.remote_port = p[1];
6656 }
6657 else if (streq(p[0], "bind") && !p[2])
6658 {
6659 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6660 options->ce.bind_defined = true;
6661 if (p[1] && streq(p[1], "ipv6only"))
6662 {
6663 options->ce.bind_ipv6_only = true;
6664 }
6665
6666 }
6667 else if (streq(p[0], "nobind") && !p[1])
6668 {
6669 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6670 options->ce.bind_local = false;
6671 }
6672 else if (streq(p[0], "fast-io") && !p[1])
6673 {
6674 VERIFY_PERMISSION(OPT_P_GENERAL);
6675 options->fast_io = true;
6676 }
6677 else if (streq(p[0], "inactive") && p[1] && !p[3])
6678 {
6679 VERIFY_PERMISSION(OPT_P_TIMER);
6680 options->inactivity_timeout = positive_atoi(p[1]);
6681 if (p[2])
6682 {
6683 int64_t val = atoll(p[2]);
6684 options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
6685 if (options->inactivity_minimum_bytes > INT_MAX)
6686 {
6687 msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
6688 " >2 Gbyte was silently ignored in older versions. If "
6689 " your VPN exits unexpectedly with 'Inactivity timeout'"
6690 " in %d seconds, revisit this value.",
6691 options->inactivity_timeout );
6692 }
6693 }
6694 }
6695 else if (streq(p[0], "session-timeout") && p[1] && !p[2])
6696 {
6697 VERIFY_PERMISSION(OPT_P_TIMER);
6698 options->session_timeout = positive_atoi(p[1]);
6699 }
6700 else if (streq(p[0], "proto") && p[1] && !p[2])
6701 {
6702 int proto;
6703 sa_family_t af;
6704 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6705 proto = ascii2proto(p[1]);
6706 af = ascii2af(p[1]);
6707 if (proto < 0)
6708 {
6709 msg(msglevel,
6710 "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
6711 p[1],
6712 proto2ascii_all(&gc));
6713 goto err;
6714 }
6715 options->ce.proto = proto;
6716 options->ce.af = af;
6717 }
6718 else if (streq(p[0], "proto-force") && p[1] && !p[2])
6719 {
6720 int proto_force;
6721 VERIFY_PERMISSION(OPT_P_GENERAL);
6722 proto_force = ascii2proto(p[1]);
6723 if (proto_force < 0)
6724 {
6725 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6726 goto err;
6727 }
6728 options->proto_force = proto_force;
6729 }
6730 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6731 {
6732 struct http_proxy_options *ho;
6733
6734 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6735
6736 {
6737 if (!p[2])
6738 {
6739 msg(msglevel, "http-proxy port number not defined");
6740 goto err;
6741 }
6742
6743 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6744
6745 ho->server = p[1];
6746 ho->port = p[2];
6747 }
6748
6749 if (p[3])
6750 {
6751 /* auto -- try to figure out proxy addr, port, and type automatically */
6752 /* semiauto -- given proxy addr:port, try to figure out type automatically */
6753 /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6754 if (streq(p[3], "auto"))
6755 {
6756 ho->auth_retry = PAR_ALL;
6757 }
6758 else if (streq(p[3], "auto-nct"))
6759 {
6760 ho->auth_retry = PAR_NCT;
6761 }
6762 else
6763 {
6764 ho->auth_method_string = "basic";
6765 ho->auth_file = p[3];
6766
6767 if (p[4])
6768 {
6769 ho->auth_method_string = p[4];
6770 }
6771 }
6772 }
6773 else
6774 {
6775 ho->auth_method_string = "none";
6776 }
6777 }
6778 else if (streq(p[0], "http-proxy-user-pass") && p[1])
6779 {
6780 struct http_proxy_options *ho;
6781 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6782 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6783 ho->auth_file = p[1];
6784 ho->inline_creds = is_inline;
6785 }
6786 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
6787 {
6788 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6789 msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6790 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6791 "Use connect-retry-max 1 to get a similar behavior as before.");
6792 }
6793 else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
6794 {
6795 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6796 msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6797 "server is established is managed with a single timeout set by connect-timeout");
6798 }
6799 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6800 {
6801 struct http_proxy_options *ho;
6802
6803 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6804 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6805
6806 if (streq(p[1], "VERSION") && p[2] && !p[3])
6807 {
6808 ho->http_version = p[2];
6809 }
6810 else if (streq(p[1], "AGENT") && p[2] && !p[3])
6811 {
6812 ho->user_agent = p[2];
6813 }
6814 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6815 && p[2])
6816 {
6817 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6818 * with either two argument or one */
6819
6820 struct http_custom_header *custom_header = NULL;
6821 int i;
6822 /* Find the first free header */
6823 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6824 {
6825 if (!ho->custom_headers[i].name)
6826 {
6827 custom_header = &ho->custom_headers[i];
6828 break;
6829 }
6830 }
6831 if (!custom_header)
6832 {
6833 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
6834 }
6835 else
6836 {
6837 /* We will save p[2] and p[3], the proxy code will detect if
6838 * p[3] is NULL */
6839 custom_header->name = p[2];
6840 custom_header->content = p[3];
6841 }
6842 }
6843 else
6844 {
6845 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6846 }
6847 }
6848 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6849 {
6850 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6851
6852 if (p[2])
6853 {
6854 options->ce.socks_proxy_port = p[2];
6855 }
6856 else
6857 {
6858 options->ce.socks_proxy_port = "1080";
6859 }
6860 options->ce.socks_proxy_server = p[1];
6861 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
6862 }
6863 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
6864 {
6865 VERIFY_PERMISSION(OPT_P_GENERAL);
6866 options->keepalive_ping = atoi(p[1]);
6867 options->keepalive_timeout = atoi(p[2]);
6868 }
6869 else if (streq(p[0], "ping") && p[1] && !p[2])
6870 {
6871 VERIFY_PERMISSION(OPT_P_TIMER);
6872 options->ping_send_timeout = positive_atoi(p[1]);
6873 }
6874 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
6875 {
6876 VERIFY_PERMISSION(OPT_P_TIMER);
6877 options->ping_rec_timeout = positive_atoi(p[1]);
6878 options->ping_rec_timeout_action = PING_EXIT;
6879 }
6880 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
6881 {
6882 VERIFY_PERMISSION(OPT_P_TIMER);
6883 options->ping_rec_timeout = positive_atoi(p[1]);
6884 options->ping_rec_timeout_action = PING_RESTART;
6885 }
6886 else if (streq(p[0], "ping-timer-rem") && !p[1])
6887 {
6888 VERIFY_PERMISSION(OPT_P_TIMER);
6889 options->ping_timer_remote = true;
6890 }
6891 else if (streq(p[0], "explicit-exit-notify") && !p[2])
6892 {
6893 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
6894 if (p[1])
6895 {
6896 options->ce.explicit_exit_notification = positive_atoi(p[1]);
6897 }
6898 else
6899 {
6900 options->ce.explicit_exit_notification = 1;
6901 }
6902 }
6903 else if (streq(p[0], "persist-tun") && !p[1])
6904 {
6905 VERIFY_PERMISSION(OPT_P_PERSIST);
6906 options->persist_tun = true;
6907 }
6908 else if (streq(p[0], "persist-key") && !p[1])
6909 {
6910 VERIFY_PERMISSION(OPT_P_PERSIST);
6911 options->persist_key = true;
6912 }
6913 else if (streq(p[0], "persist-local-ip") && !p[1])
6914 {
6915 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6916 options->persist_local_ip = true;
6917 }
6918 else if (streq(p[0], "persist-remote-ip") && !p[1])
6919 {
6920 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6921 options->persist_remote_ip = true;
6922 }
6923 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
6924 {
6925 VERIFY_PERMISSION(OPT_P_ROUTE);
6926 cnol_check_alloc(options);
6927 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
6928 }
6929 else if (streq(p[0], "route") && p[1] && !p[5])
6930 {
6931 VERIFY_PERMISSION(OPT_P_ROUTE);
6932 rol_check_alloc(options);
6933 if (pull_mode)
6934 {
6935 if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
6936 {
6937 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
6938 goto err;
6939 }
6940 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
6941 {
6942 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
6943 goto err;
6944 }
6945 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
6946 {
6947 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
6948 goto err;
6949 }
6950 }
6951 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
6952 }
6953 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
6954 {
6955 VERIFY_PERMISSION(OPT_P_ROUTE);
6956 rol6_check_alloc(options);
6957 if (pull_mode)
6958 {
6959 if (!ipv6_addr_safe_hexplusbits(p[1]))
6960 {
6961 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
6962 goto err;
6963 }
6964 if (p[2] && !ipv6_addr_safe(p[2]))
6965 {
6966 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
6967 goto err;
6968 }
6969 /* p[3] is metric, if present */
6970 }
6971 add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]);
6972 }
6973 else if (streq(p[0], "max-routes") && !p[2])
6974 {
6975 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
6976 "The number of routes is unlimited as of OpenVPN 2.4. "
6977 "This option will be removed in a future version, "
6978 "please remove it from your configuration.");
6979 }
6980 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
6981 {
6982 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6983 if (streq(p[1], "dhcp"))
6984 {
6985 options->route_gateway_via_dhcp = true;
6986 }
6987 else
6988 {
6989 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
6990 {
6991 options->route_default_gateway = p[1];
6992 }
6993 else
6994 {
6995 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
6996 goto err;
6997 }
6998 }
6999 }
7000 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
7001 {
7002 if (ipv6_addr_safe(p[1]))
7003 {
7004 options->route_ipv6_default_gateway = p[1];
7005 }
7006 else
7007 {
7008 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
7009 goto err;
7010 }
7011 }
7012 else if (streq(p[0], "route-metric") && p[1] && !p[2])
7013 {
7014 VERIFY_PERMISSION(OPT_P_ROUTE);
7015 options->route_default_metric = positive_atoi(p[1]);
7016 }
7017 else if (streq(p[0], "route-delay") && !p[3])
7018 {
7019 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7020 options->route_delay_defined = true;
7021 if (p[1])
7022 {
7023 options->route_delay = positive_atoi(p[1]);
7024 if (p[2])
7025 {
7026 options->route_delay_window = positive_atoi(p[2]);
7027 }
7028 }
7029 else
7030 {
7031 options->route_delay = 0;
7032 }
7033 }
7034 else if (streq(p[0], "route-up") && p[1])
7035 {
7036 VERIFY_PERMISSION(OPT_P_SCRIPT);
7037 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7038 {
7039 goto err;
7040 }
7041 set_user_script(options, &options->route_script, p[1], "route-up", false);
7042 }
7043 else if (streq(p[0], "route-pre-down") && p[1])
7044 {
7045 VERIFY_PERMISSION(OPT_P_SCRIPT);
7046 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7047 {
7048 goto err;
7049 }
7050 set_user_script(options,
7051 &options->route_predown_script,
7052 p[1],
7053 "route-pre-down", true);
7054 }
7055 else if (streq(p[0], "route-noexec") && !p[1])
7056 {
7057 VERIFY_PERMISSION(OPT_P_SCRIPT);
7058 options->route_noexec = true;
7059 }
7060 else if (streq(p[0], "route-nopull") && !p[1])
7061 {
7062 VERIFY_PERMISSION(OPT_P_GENERAL);
7063 options->route_nopull = true;
7064 }
7065 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
7066 {
7067 struct pull_filter *f;
7068 VERIFY_PERMISSION(OPT_P_GENERAL)
7069 f = alloc_pull_filter(options, msglevel);
7070
7071 if (strcmp("accept", p[1]) == 0)
7072 {
7073 f->type = PUF_TYPE_ACCEPT;
7074 }
7075 else if (strcmp("ignore", p[1]) == 0)
7076 {
7077 f->type = PUF_TYPE_IGNORE;
7078 }
7079 else if (strcmp("reject", p[1]) == 0)
7080 {
7081 f->type = PUF_TYPE_REJECT;
7082 }
7083 else
7084 {
7085 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
7086 goto err;
7087 }
7088 f->pattern = p[2];
7089 f->size = strlen(p[2]);
7090 }
7091 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
7092 {
7093 VERIFY_PERMISSION(OPT_P_GENERAL);
7094 options->allow_pull_fqdn = true;
7095 }
7096 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7097 {
7098 int j;
7099 VERIFY_PERMISSION(OPT_P_ROUTE);
7100 rol_check_alloc(options);
7101
7102 if (options->routes->flags & RG_ENABLE)
7103 {
7104 msg(M_WARN,
7105 "WARNING: You have specified redirect-gateway and "
7106 "redirect-private at the same time (or the same option "
7107 "multiple times). This is not well supported and may lead to "
7108 "unexpected results");
7109 }
7110
7111 options->routes->flags |= RG_ENABLE;
7112
7113 if (streq(p[0], "redirect-gateway"))
7114 {
7115 options->routes->flags |= RG_REROUTE_GW;
7116 }
7117 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7118 {
7119 if (streq(p[j], "local"))
7120 {
7121 options->routes->flags |= RG_LOCAL;
7122 }
7123 else if (streq(p[j], "autolocal"))
7124 {
7125 options->routes->flags |= RG_AUTO_LOCAL;
7126 }
7127 else if (streq(p[j], "def1"))
7128 {
7129 options->routes->flags |= RG_DEF1;
7130 }
7131 else if (streq(p[j], "bypass-dhcp"))
7132 {
7133 options->routes->flags |= RG_BYPASS_DHCP;
7134 }
7135 else if (streq(p[j], "bypass-dns"))
7136 {
7137 options->routes->flags |= RG_BYPASS_DNS;
7138 }
7139 else if (streq(p[j], "block-local"))
7140 {
7141 options->routes->flags |= RG_BLOCK_LOCAL;
7142 }
7143 else if (streq(p[j], "ipv6"))
7144 {
7145 rol6_check_alloc(options);
7146 options->routes_ipv6->flags |= RG_REROUTE_GW;
7147 }
7148 else if (streq(p[j], "!ipv4"))
7149 {
7150 options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7151 }
7152 else
7153 {
7154 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7155 goto err;
7156 }
7157 }
7158 #ifdef _WIN32
7159 /* we need this here to handle pushed --redirect-gateway */
7160 remap_redirect_gateway_flags(options);
7161 #endif
7162 }
7163 else if (streq(p[0], "block-ipv6") && !p[1])
7164 {
7165 VERIFY_PERMISSION(OPT_P_ROUTE);
7166 options->block_ipv6 = true;
7167 }
7168 else if (streq(p[0], "remote-random-hostname") && !p[1])
7169 {
7170 VERIFY_PERMISSION(OPT_P_GENERAL);
7171 options->sockflags |= SF_HOST_RANDOMIZE;
7172 }
7173 else if (streq(p[0], "setenv") && p[1] && !p[3])
7174 {
7175 VERIFY_PERMISSION(OPT_P_GENERAL);
7176 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7177 {
7178 options->sockflags |= SF_HOST_RANDOMIZE;
7179 }
7180 else if (streq(p[1], "GENERIC_CONFIG"))
7181 {
7182 msg(msglevel, "this is a generic configuration and cannot directly be used");
7183 goto err;
7184 }
7185 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7186 {
7187 options->push_peer_info = true;
7188 }
7189 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7190 {
7191 options->ce.connect_timeout = positive_atoi(p[2]);
7192 }
7193 else
7194 {
7195 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7196 {
7197 options->forward_compatible = true;
7198 msglevel_fc = msglevel_forward_compatible(options, msglevel);
7199 }
7200 setenv_str(es, p[1], p[2] ? p[2] : "");
7201 }
7202 }
7203 else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7204 {
7205 unsigned int major, minor, patch;
7206 if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7207 {
7208 msg(msglevel, "cannot parse version number for --compat-mode: %s",
7209 p[1]);
7210 goto err;
7211 }
7212
7213 options->backwards_compatible = major * 10000 + minor * 100 + patch;
7214 }
7215 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7216 {
7217 VERIFY_PERMISSION(OPT_P_SETENV);
7218 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7219 }
7220 else if (streq(p[0], "script-security") && p[1] && !p[2])
7221 {
7222 VERIFY_PERMISSION(OPT_P_GENERAL);
7223 script_security_set(atoi(p[1]));
7224 }
7225 else if (streq(p[0], "mssfix") && !p[3])
7226 {
7227 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
7228 if (p[1])
7229 {
7230 /* value specified, assume encapsulation is not
7231 * included unless "mtu" follows later */
7232 options->ce.mssfix = positive_atoi(p[1]);
7233 options->ce.mssfix_encap = false;
7234 options->ce.mssfix_default = false;
7235 }
7236 else
7237 {
7238 /* Set MTU to default values */
7239 options->ce.mssfix_default = true;
7240 options->ce.mssfix_encap = true;
7241 options->ce.mssfix_fixed = false;
7242 }
7243
7244 if (p[2] && streq(p[2], "mtu"))
7245 {
7246 options->ce.mssfix_encap = true;
7247 }
7248 else if (p[2] && streq(p[2], "fixed"))
7249 {
7250 options->ce.mssfix_fixed = true;
7251 }
7252 else if (p[2])
7253 {
7254 msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7255 }
7256 }
7257 else if (streq(p[0], "disable-occ") && !p[1])
7258 {
7259 VERIFY_PERMISSION(OPT_P_GENERAL);
7260 options->occ = false;
7261 }
7262 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7263 {
7264 const int lev = M_WARN;
7265 bool error = false;
7266 in_addr_t network, netmask;
7267
7268 VERIFY_PERMISSION(OPT_P_GENERAL);
7269 network = get_ip_addr(p[1], lev, &error);
7270 netmask = get_ip_addr(p[2], lev, &error);
7271 if (error || !network || !netmask)
7272 {
7273 msg(msglevel, "error parsing --server parameters");
7274 goto err;
7275 }
7276 options->server_defined = true;
7277 options->server_network = network;
7278 options->server_netmask = netmask;
7279
7280 if (p[3])
7281 {
7282 if (streq(p[3], "nopool"))
7283 {
7284 options->server_flags |= SF_NOPOOL;
7285 }
7286 else
7287 {
7288 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7289 goto err;
7290 }
7291 }
7292 }
7293 else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7294 {
7295 const int lev = M_WARN;
7296 struct in6_addr network;
7297 unsigned int netbits = 0;
7298
7299 VERIFY_PERMISSION(OPT_P_GENERAL);
7300 if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
7301 {
7302 msg(msglevel, "error parsing --server-ipv6 parameter");
7303 goto err;
7304 }
7305 if (netbits < 64 || netbits > 124)
7306 {
7307 msg(msglevel,
7308 "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7309 netbits);
7310
7311 goto err;
7312 }
7313 options->server_ipv6_defined = true;
7314 options->server_network_ipv6 = network;
7315 options->server_netbits_ipv6 = netbits;
7316 }
7317 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7318 {
7319 const int lev = M_WARN;
7320 bool error = false;
7321 in_addr_t ip, netmask, pool_start, pool_end;
7322
7323 VERIFY_PERMISSION(OPT_P_GENERAL);
7324 ip = get_ip_addr(p[1], lev, &error);
7325 netmask = get_ip_addr(p[2], lev, &error);
7326 pool_start = get_ip_addr(p[3], lev, &error);
7327 pool_end = get_ip_addr(p[4], lev, &error);
7328 if (error || !ip || !netmask || !pool_start || !pool_end)
7329 {
7330 msg(msglevel, "error parsing --server-bridge parameters");
7331 goto err;
7332 }
7333 options->server_bridge_defined = true;
7334 options->server_bridge_ip = ip;
7335 options->server_bridge_netmask = netmask;
7336 options->server_bridge_pool_start = pool_start;
7337 options->server_bridge_pool_end = pool_end;
7338 }
7339 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7340 {
7341 VERIFY_PERMISSION(OPT_P_GENERAL);
7342 options->server_bridge_proxy_dhcp = true;
7343 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7344 }
7345 else if (streq(p[0], "server-bridge") && !p[1])
7346 {
7347 VERIFY_PERMISSION(OPT_P_GENERAL);
7348 options->server_bridge_proxy_dhcp = true;
7349 }
7350 else if (streq(p[0], "push") && p[1] && !p[2])
7351 {
7352 VERIFY_PERMISSION(OPT_P_PUSH);
7353 push_options(options, &p[1], msglevel, &options->gc);
7354 }
7355 else if (streq(p[0], "push-reset") && !p[1])
7356 {
7357 VERIFY_PERMISSION(OPT_P_INSTANCE);
7358 push_reset(options);
7359 }
7360 else if (streq(p[0], "push-remove") && p[1] && !p[2])
7361 {
7362 VERIFY_PERMISSION(OPT_P_INSTANCE);
7363 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7364 push_remove_option(options, p[1]);
7365 }
7366 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7367 {
7368 const int lev = M_WARN;
7369 bool error = false;
7370 in_addr_t start, end, netmask = 0;
7371
7372 VERIFY_PERMISSION(OPT_P_GENERAL);
7373 start = get_ip_addr(p[1], lev, &error);
7374 end = get_ip_addr(p[2], lev, &error);
7375 if (p[3])
7376 {
7377 netmask = get_ip_addr(p[3], lev, &error);
7378 }
7379 if (error)
7380 {
7381 msg(msglevel, "error parsing --ifconfig-pool parameters");
7382 goto err;
7383 }
7384 if (!ifconfig_pool_verify_range(msglevel, start, end))
7385 {
7386 goto err;
7387 }
7388
7389 options->ifconfig_pool_defined = true;
7390 options->ifconfig_pool_start = start;
7391 options->ifconfig_pool_end = end;
7392 if (netmask)
7393 {
7394 options->ifconfig_pool_netmask = netmask;
7395 }
7396 }
7397 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7398 {
7399 VERIFY_PERMISSION(OPT_P_GENERAL);
7400 options->ifconfig_pool_persist_filename = p[1];
7401 if (p[2])
7402 {
7403 options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2]);
7404 }
7405 }
7406 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7407 {
7408 const int lev = M_WARN;
7409 struct in6_addr network;
7410 unsigned int netbits = 0;
7411
7412 VERIFY_PERMISSION(OPT_P_GENERAL);
7413 if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
7414 {
7415 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7416 goto err;
7417 }
7418 if (netbits < 64 || netbits > 124)
7419 {
7420 msg(msglevel,
7421 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7422 netbits);
7423 goto err;
7424 }
7425
7426 options->ifconfig_ipv6_pool_defined = true;
7427 options->ifconfig_ipv6_pool_base = network;
7428 options->ifconfig_ipv6_pool_netbits = netbits;
7429 }
7430 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7431 {
7432 int real, virtual;
7433
7434 VERIFY_PERMISSION(OPT_P_GENERAL);
7435 real = atoi(p[1]);
7436 virtual = atoi(p[2]);
7437 if (real < 1 || virtual < 1)
7438 {
7439 msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
7440 goto err;
7441 }
7442 options->real_hash_size = real;
7443 options->virtual_hash_size = real;
7444 }
7445 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7446 {
7447 int cf_max, cf_per;
7448
7449 VERIFY_PERMISSION(OPT_P_GENERAL);
7450 cf_max = atoi(p[1]);
7451 cf_per = atoi(p[2]);
7452 if (cf_max < 0 || cf_per < 0)
7453 {
7454 msg(msglevel, "--connect-freq parms must be > 0");
7455 goto err;
7456 }
7457 options->cf_max = cf_max;
7458 options->cf_per = cf_per;
7459 }
7460 else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7461 {
7462 long cf_max, cf_per;
7463
7464 VERIFY_PERMISSION(OPT_P_GENERAL);
7465 char *e1, *e2;
7466 cf_max = strtol(p[1], &e1, 10);
7467 cf_per = strtol(p[2], &e2, 10);
7468 if (cf_max < 0 || cf_per < 0 || *e1 != '\0' || *e2 != '\0')
7469 {
7470 msg(msglevel, "--connect-freq-initial parameters must be integers and >= 0");
7471 goto err;
7472 }
7473 options->cf_initial_max = cf_max;
7474 options->cf_initial_per = cf_per;
7475 }
7476 else if (streq(p[0], "max-clients") && p[1] && !p[2])
7477 {
7478 int max_clients;
7479
7480 VERIFY_PERMISSION(OPT_P_GENERAL);
7481 max_clients = atoi(p[1]);
7482 if (max_clients < 0)
7483 {
7484 msg(msglevel, "--max-clients must be at least 1");
7485 goto err;
7486 }
7487 if (max_clients >= MAX_PEER_ID) /* max peer-id value */
7488 {
7489 msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
7490 goto err;
7491 }
7492 options->max_clients = max_clients;
7493 }
7494 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7495 {
7496 VERIFY_PERMISSION(OPT_P_INHERIT);
7497 options->max_routes_per_client = max_int(atoi(p[1]), 1);
7498 }
7499 else if (streq(p[0], "client-cert-not-required") && !p[1])
7500 {
7501 VERIFY_PERMISSION(OPT_P_GENERAL);
7502 msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7503 }
7504 else if (streq(p[0], "verify-client-cert") && !p[2])
7505 {
7506 VERIFY_PERMISSION(OPT_P_GENERAL);
7507
7508 /* Reset any existing flags */
7509 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7510 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7511 if (p[1])
7512 {
7513 if (streq(p[1], "none"))
7514 {
7515 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
7516 }
7517 else if (streq(p[1], "optional"))
7518 {
7519 options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7520 }
7521 else if (!streq(p[1], "require"))
7522 {
7523 msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7524 goto err;
7525 }
7526 }
7527 }
7528 else if (streq(p[0], "username-as-common-name") && !p[1])
7529 {
7530 VERIFY_PERMISSION(OPT_P_GENERAL);
7531 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7532 }
7533 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7534 {
7535 VERIFY_PERMISSION(OPT_P_GENERAL);
7536 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7537 }
7538 else if (streq(p[0], "opt-verify") && !p[1])
7539 {
7540 VERIFY_PERMISSION(OPT_P_GENERAL);
7541 msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
7542 "in OpenVPN 2.7");
7543 options->ssl_flags |= SSLF_OPT_VERIFY;
7544 }
7545 else if (streq(p[0], "auth-user-pass-verify") && p[1])
7546 {
7547 VERIFY_PERMISSION(OPT_P_SCRIPT);
7548 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7549 {
7550 goto err;
7551 }
7552 if (p[2])
7553 {
7554 if (streq(p[2], "via-env"))
7555 {
7556 options->auth_user_pass_verify_script_via_file = false;
7557 }
7558 else if (streq(p[2], "via-file"))
7559 {
7560 options->auth_user_pass_verify_script_via_file = true;
7561 }
7562 else
7563 {
7564 msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7565 goto err;
7566 }
7567 }
7568 else
7569 {
7570 msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7571 goto err;
7572 }
7573 set_user_script(options,
7574 &options->auth_user_pass_verify_script,
7575 p[1], "auth-user-pass-verify", true);
7576 }
7577 else if (streq(p[0], "auth-gen-token"))
7578 {
7579 VERIFY_PERMISSION(OPT_P_GENERAL);
7580 options->auth_token_generate = true;
7581 options->auth_token_lifetime = p[1] ? positive_atoi(p[1]) : 0;
7582
7583 for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
7584 {
7585 /* the second parameter can be the renewal time */
7586 if (i == 2 && positive_atoi(p[i]))
7587 {
7588 options->auth_token_renewal = positive_atoi(p[i]);
7589 }
7590 else if (streq(p[i], "external-auth"))
7591 {
7592 options->auth_token_call_auth = true;
7593 }
7594 else
7595 {
7596 msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
7597 }
7598 }
7599
7600 }
7601 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7602 {
7603 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7604 options->auth_token_secret_file = p[1];
7605 options->auth_token_secret_file_inline = is_inline;
7606
7607 }
7608 else if (streq(p[0], "client-connect") && p[1])
7609 {
7610 VERIFY_PERMISSION(OPT_P_SCRIPT);
7611 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7612 {
7613 goto err;
7614 }
7615 set_user_script(options, &options->client_connect_script,
7616 p[1], "client-connect", true);
7617 }
7618 else if (streq(p[0], "client-crresponse") && p[1])
7619 {
7620 VERIFY_PERMISSION(OPT_P_SCRIPT);
7621 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7622 {
7623 goto err;
7624 }
7625 set_user_script(options, &options->client_crresponse_script,
7626 p[1], "client-crresponse", true);
7627 }
7628 else if (streq(p[0], "client-disconnect") && p[1])
7629 {
7630 VERIFY_PERMISSION(OPT_P_SCRIPT);
7631 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7632 {
7633 goto err;
7634 }
7635 set_user_script(options, &options->client_disconnect_script,
7636 p[1], "client-disconnect", true);
7637 }
7638 else if (streq(p[0], "learn-address") && p[1])
7639 {
7640 VERIFY_PERMISSION(OPT_P_SCRIPT);
7641 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7642 {
7643 goto err;
7644 }
7645 set_user_script(options, &options->learn_address_script,
7646 p[1], "learn-address", true);
7647 }
7648 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7649 {
7650 VERIFY_PERMISSION(OPT_P_GENERAL);
7651 options->tmp_dir = p[1];
7652 }
7653 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7654 {
7655 VERIFY_PERMISSION(OPT_P_GENERAL);
7656 options->client_config_dir = p[1];
7657 }
7658 else if (streq(p[0], "ccd-exclusive") && !p[1])
7659 {
7660 VERIFY_PERMISSION(OPT_P_GENERAL);
7661 options->ccd_exclusive = true;
7662 }
7663 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7664 {
7665 int n_bcast_buf;
7666
7667 VERIFY_PERMISSION(OPT_P_GENERAL);
7668 n_bcast_buf = atoi(p[1]);
7669 if (n_bcast_buf < 1)
7670 {
7671 msg(msglevel, "--bcast-buffers parameter must be > 0");
7672 }
7673 options->n_bcast_buf = n_bcast_buf;
7674 }
7675 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7676 {
7677 int tcp_queue_limit;
7678
7679 VERIFY_PERMISSION(OPT_P_GENERAL);
7680 tcp_queue_limit = atoi(p[1]);
7681 if (tcp_queue_limit < 1)
7682 {
7683 msg(msglevel, "--tcp-queue-limit parameter must be > 0");
7684 }
7685 options->tcp_queue_limit = tcp_queue_limit;
7686 }
7687 #if PORT_SHARE
7688 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7689 {
7690 VERIFY_PERMISSION(OPT_P_GENERAL);
7691 options->port_share_host = p[1];
7692 options->port_share_port = p[2];
7693 options->port_share_journal_dir = p[3];
7694 }
7695 #endif
7696 else if (streq(p[0], "client-to-client") && !p[1])
7697 {
7698 VERIFY_PERMISSION(OPT_P_GENERAL);
7699 options->enable_c2c = true;
7700 }
7701 else if (streq(p[0], "duplicate-cn") && !p[1])
7702 {
7703 VERIFY_PERMISSION(OPT_P_GENERAL);
7704 options->duplicate_cn = true;
7705 }
7706 else if (streq(p[0], "iroute") && p[1] && !p[3])
7707 {
7708 VERIFY_PERMISSION(OPT_P_INSTANCE);
7709 option_iroute(options, p[1], p[2], msglevel);
7710 }
7711 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7712 {
7713 VERIFY_PERMISSION(OPT_P_INSTANCE);
7714 option_iroute_ipv6(options, p[1], msglevel);
7715 }
7716 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7717 {
7718 in_addr_t local, remote_netmask;
7719
7720 VERIFY_PERMISSION(OPT_P_INSTANCE);
7721 local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7722 remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7723 if (local && remote_netmask)
7724 {
7725 options->push_ifconfig_defined = true;
7726 options->push_ifconfig_local = local;
7727 options->push_ifconfig_remote_netmask = remote_netmask;
7728 if (p[3])
7729 {
7730 options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7731 }
7732 }
7733 else
7734 {
7735 msg(msglevel, "cannot parse --ifconfig-push addresses");
7736 goto err;
7737 }
7738 }
7739 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7740 {
7741 in_addr_t network, netmask;
7742
7743 VERIFY_PERMISSION(OPT_P_GENERAL);
7744 network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7745 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7746 if (network && netmask)
7747 {
7748 options->push_ifconfig_constraint_defined = true;
7749 options->push_ifconfig_constraint_network = network;
7750 options->push_ifconfig_constraint_netmask = netmask;
7751 }
7752 else
7753 {
7754 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7755 goto err;
7756 }
7757 }
7758 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7759 {
7760 struct in6_addr local, remote;
7761 unsigned int netbits;
7762
7763 VERIFY_PERMISSION(OPT_P_INSTANCE);
7764
7765 if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
7766 {
7767 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7768 goto err;
7769 }
7770
7771 if (p[2])
7772 {
7773 if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
7774 {
7775 msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7776 goto err;
7777 }
7778 }
7779 else
7780 {
7781 if (!options->ifconfig_ipv6_local
7782 || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
7783 NULL, msglevel ) )
7784 {
7785 msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7786 goto err;
7787 }
7788 }
7789
7790 options->push_ifconfig_ipv6_defined = true;
7791 options->push_ifconfig_ipv6_local = local;
7792 options->push_ifconfig_ipv6_netbits = netbits;
7793 options->push_ifconfig_ipv6_remote = remote;
7794 options->push_ifconfig_ipv6_blocked = false;
7795 }
7796 else if (streq(p[0], "disable") && !p[1])
7797 {
7798 VERIFY_PERMISSION(OPT_P_INSTANCE);
7799 options->disable = true;
7800 }
7801 else if (streq(p[0], "tcp-nodelay") && !p[1])
7802 {
7803 VERIFY_PERMISSION(OPT_P_GENERAL);
7804 options->server_flags |= SF_TCP_NODELAY_HELPER;
7805 }
7806 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7807 {
7808 int ageing_time, check_interval;
7809
7810 VERIFY_PERMISSION(OPT_P_GENERAL);
7811 ageing_time = atoi(p[1]);
7812 if (p[2])
7813 {
7814 check_interval = atoi(p[2]);
7815 }
7816 else
7817 {
7818 check_interval = ageing_time;
7819 }
7820
7821 if (ageing_time < 1 || check_interval < 1)
7822 {
7823 msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
7824 goto err;
7825 }
7826 options->stale_routes_ageing_time = ageing_time;
7827 options->stale_routes_check_interval = check_interval;
7828 }
7829
7830 else if (streq(p[0], "client") && !p[1])
7831 {
7832 VERIFY_PERMISSION(OPT_P_GENERAL);
7833 options->client = true;
7834 }
7835 else if (streq(p[0], "pull") && !p[1])
7836 {
7837 VERIFY_PERMISSION(OPT_P_GENERAL);
7838 options->pull = true;
7839 }
7840 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
7841 {
7842 VERIFY_PERMISSION(OPT_P_PULL_MODE);
7843 options->push_continuation = atoi(p[1]);
7844 }
7845 else if (streq(p[0], "auth-user-pass") && !p[2])
7846 {
7847 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7848 if (p[1])
7849 {
7850 options->auth_user_pass_file = p[1];
7851 options->auth_user_pass_file_inline = is_inline;
7852 }
7853 else
7854 {
7855 options->auth_user_pass_file = "stdin";
7856 }
7857 }
7858 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
7859 {
7860 VERIFY_PERMISSION(OPT_P_GENERAL);
7861 auth_retry_set(msglevel, p[1]);
7862 }
7863 #ifdef ENABLE_MANAGEMENT
7864 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3])
7865 {
7866 VERIFY_PERMISSION(OPT_P_GENERAL);
7867 options->sc_info.challenge_text = p[1];
7868 if (atoi(p[2]))
7869 {
7870 options->sc_info.flags |= SC_ECHO;
7871 }
7872 }
7873 #endif
7874 else if (streq(p[0], "msg-channel") && p[1])
7875 {
7876 #ifdef _WIN32
7877 VERIFY_PERMISSION(OPT_P_GENERAL);
7878 HANDLE process = GetCurrentProcess();
7879 HANDLE handle = (HANDLE) atoll(p[1]);
7880 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
7881 FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
7882 {
7883 msg(msglevel, "could not duplicate service pipe handle");
7884 goto err;
7885 }
7886 options->route_method = ROUTE_METHOD_SERVICE;
7887 #else /* ifdef _WIN32 */
7888 msg(msglevel, "--msg-channel is only supported on Windows");
7889 goto err;
7890 #endif
7891 }
7892 #ifdef _WIN32
7893 else if (streq(p[0], "win-sys") && p[1] && !p[2])
7894 {
7895 VERIFY_PERMISSION(OPT_P_GENERAL);
7896 if (streq(p[1], "env"))
7897 {
7898 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
7899 "This entry will now be ignored. "
7900 "Please remove this entry from your configuration file.");
7901 }
7902 else
7903 {
7904 set_win_sys_path(p[1], es);
7905 }
7906 }
7907 else if (streq(p[0], "route-method") && p[1] && !p[2])
7908 {
7909 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7910 if (streq(p[1], "adaptive"))
7911 {
7912 options->route_method = ROUTE_METHOD_ADAPTIVE;
7913 }
7914 else if (streq(p[1], "ipapi"))
7915 {
7916 options->route_method = ROUTE_METHOD_IPAPI;
7917 }
7918 else if (streq(p[1], "exe"))
7919 {
7920 options->route_method = ROUTE_METHOD_EXE;
7921 }
7922 else
7923 {
7924 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
7925 goto err;
7926 }
7927 }
7928 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
7929 {
7930 const int index = ascii2ipset(p[1]);
7931 struct tuntap_options *to = &options->tuntap_options;
7932
7933 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7934
7935 if (index < 0)
7936 {
7937 msg(msglevel,
7938 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
7939 p[1],
7940 ipset2ascii_all(&gc));
7941 goto err;
7942 }
7943
7944 if (index == IPW32_SET_ADAPTIVE)
7945 {
7946 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
7947 }
7948
7949 if (index == IPW32_SET_DHCP_MASQ)
7950 {
7951 if (p[2])
7952 {
7953 if (!streq(p[2], "default"))
7954 {
7955 int offset = atoi(p[2]);
7956
7957 if (!(offset > -256 && offset < 256))
7958 {
7959 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
7960 goto err;
7961 }
7962
7963 to->dhcp_masq_custom_offset = true;
7964 to->dhcp_masq_offset = offset;
7965 }
7966
7967 if (p[3])
7968 {
7969 const int min_lease = 30;
7970 int lease_time;
7971 lease_time = atoi(p[3]);
7972 if (lease_time < min_lease)
7973 {
7974 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
7975 goto err;
7976 }
7977 to->dhcp_lease_time = lease_time;
7978 }
7979 }
7980 }
7981 to->ip_win32_type = index;
7982 to->ip_win32_defined = true;
7983 }
7984 #endif /* ifdef _WIN32 */
7985 else if (streq(p[0], "dns") && p[1])
7986 {
7987 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7988
7989 if (streq(p[1], "search-domains") && p[2])
7990 {
7991 dns_domain_list_append(&options->dns_options.search_domains, &p[2], &options->dns_options.gc);
7992 }
7993 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
7994 {
7995 long priority;
7996 if (!dns_server_priority_parse(&priority, p[2], pull_mode))
7997 {
7998 msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
7999 goto err;
8000 }
8001
8002 struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
8003
8004 if (streq(p[3], "address") && !p[6])
8005 {
8006 for (int i = 4; p[i]; i++)
8007 {
8008 if (!dns_server_addr_parse(server, p[i]))
8009 {
8010 msg(msglevel, "--dns server %ld: malformed or duplicate address '%s'", priority, p[i]);
8011 goto err;
8012 }
8013 }
8014 }
8015 else if (streq(p[3], "resolve-domains"))
8016 {
8017 if (server->domain_type == DNS_EXCLUDE_DOMAINS)
8018 {
8019 msg(msglevel, "--dns server %ld: cannot use resolve-domains and exclude-domains", priority);
8020 goto err;
8021 }
8022 server->domain_type = DNS_RESOLVE_DOMAINS;
8023 dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
8024 }
8025 else if (streq(p[3], "exclude-domains"))
8026 {
8027 if (server->domain_type == DNS_RESOLVE_DOMAINS)
8028 {
8029 msg(msglevel, "--dns server %ld: cannot use exclude-domains and resolve-domains", priority);
8030 goto err;
8031 }
8032 server->domain_type = DNS_EXCLUDE_DOMAINS;
8033 dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
8034 }
8035 else if (streq(p[3], "dnssec") && !p[5])
8036 {
8037 if (streq(p[4], "yes"))
8038 {
8039 server->dnssec = DNS_SECURITY_YES;
8040 }
8041 else if (streq(p[4], "no"))
8042 {
8043 server->dnssec = DNS_SECURITY_NO;
8044 }
8045 else if (streq(p[4], "optional"))
8046 {
8047 server->dnssec = DNS_SECURITY_OPTIONAL;
8048 }
8049 else
8050 {
8051 msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
8052 goto err;
8053 }
8054 }
8055 else if (streq(p[3], "transport") && !p[5])
8056 {
8057 if (streq(p[4], "plain"))
8058 {
8059 server->transport = DNS_TRANSPORT_PLAIN;
8060 }
8061 else if (streq(p[4], "DoH"))
8062 {
8063 server->transport = DNS_TRANSPORT_HTTPS;
8064 }
8065 else if (streq(p[4], "DoT"))
8066 {
8067 server->transport = DNS_TRANSPORT_TLS;
8068 }
8069 else
8070 {
8071 msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
8072 goto err;
8073 }
8074 }
8075 else if (streq(p[3], "sni") && !p[5])
8076 {
8077 server->sni = p[4];
8078 }
8079 else
8080 {
8081 msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]);
8082 goto err;
8083 }
8084 }
8085 else
8086 {
8087 msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
8088 goto err;
8089 }
8090 }
8091 #if defined(_WIN32) || defined(TARGET_ANDROID)
8092 else if (streq(p[0], "dhcp-option") && p[1])
8093 {
8094 struct tuntap_options *o = &options->tuntap_options;
8095 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8096
8097 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX"))
8098 && p[2] && !p[3])
8099 {
8100 o->domain = p[2];
8101 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8102 }
8103 else if (streq(p[1], "NBS") && p[2] && !p[3])
8104 {
8105 o->netbios_scope = p[2];
8106 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8107 }
8108 else if (streq(p[1], "NBT") && p[2] && !p[3])
8109 {
8110 int t;
8111 t = atoi(p[2]);
8112 if (!(t == 1 || t == 2 || t == 4 || t == 8))
8113 {
8114 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8115 goto err;
8116 }
8117 o->netbios_node_type = t;
8118 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8119 }
8120 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
8121 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
8122 {
8123 if (strstr(p[2], ":"))
8124 {
8125 dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
8126 }
8127 else
8128 {
8129 dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel);
8130 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8131 }
8132 }
8133 else if (streq(p[1], "WINS") && p[2] && !p[3])
8134 {
8135 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8136 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8137 }
8138 else if (streq(p[1], "NTP") && p[2] && !p[3])
8139 {
8140 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8141 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8142 }
8143 else if (streq(p[1], "NBDD") && p[2] && !p[3])
8144 {
8145 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8146 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8147 }
8148 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
8149 {
8150 if (o->domain_search_list_len < N_SEARCH_LIST_LEN)
8151 {
8152 o->domain_search_list[o->domain_search_list_len++] = p[2];
8153 }
8154 else
8155 {
8156 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
8157 p[1], N_SEARCH_LIST_LEN);
8158 }
8159 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8160 }
8161 else if (streq(p[1], "DISABLE-NBT") && !p[2])
8162 {
8163 o->disable_nbt = 1;
8164 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8165 }
8166 #if defined(TARGET_ANDROID)
8167 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8168 {
8169 o->http_proxy_port = atoi(p[3]);
8170 o->http_proxy = p[2];
8171 }
8172 #endif
8173 else
8174 {
8175 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
8176 goto err;
8177 }
8178 }
8179 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8180 #ifdef _WIN32
8181 else if (streq(p[0], "show-adapters") && !p[1])
8182 {
8183 VERIFY_PERMISSION(OPT_P_GENERAL);
8184 show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
8185 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8186 }
8187 else if (streq(p[0], "show-net") && !p[1])
8188 {
8189 VERIFY_PERMISSION(OPT_P_GENERAL);
8190 show_routes(M_INFO|M_NOPREFIX);
8191 show_adapters(M_INFO|M_NOPREFIX);
8192 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8193 }
8194 else if (streq(p[0], "show-net-up") && !p[1])
8195 {
8196 VERIFY_PERMISSION(OPT_P_UP);
8197 options->show_net_up = true;
8198 }
8199 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8200 {
8201 int s;
8202 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8203 s = atoi(p[1]);
8204 if (s < 0 || s >= 256)
8205 {
8206 msg(msglevel, "--tap-sleep parameter must be between 0 and 255");
8207 goto err;
8208 }
8209 options->tuntap_options.tap_sleep = s;
8210 }
8211 else if (streq(p[0], "dhcp-renew") && !p[1])
8212 {
8213 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8214 options->tuntap_options.dhcp_renew = true;
8215 }
8216 else if (streq(p[0], "dhcp-pre-release") && !p[1])
8217 {
8218 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8219 options->tuntap_options.dhcp_pre_release = true;
8220 options->tuntap_options.dhcp_renew = true;
8221 }
8222 else if (streq(p[0], "dhcp-release") && !p[1])
8223 {
8224 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8225 }
8226 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8227 {
8228 unsigned int adapter_index;
8229 VERIFY_PERMISSION(OPT_P_GENERAL);
8230 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8231 adapter_index = atou(p[1]);
8232 sleep(options->tuntap_options.tap_sleep);
8233 if (options->tuntap_options.dhcp_pre_release)
8234 {
8235 dhcp_release_by_adapter_index(adapter_index);
8236 }
8237 if (options->tuntap_options.dhcp_renew)
8238 {
8239 dhcp_renew_by_adapter_index(adapter_index);
8240 }
8241 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8242 }
8243 else if (streq(p[0], "register-dns") && !p[1])
8244 {
8245 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8246 options->tuntap_options.register_dns = true;
8247 }
8248 else if (streq(p[0], "block-outside-dns") && !p[1])
8249 {
8250 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8251 options->block_outside_dns = true;
8252 }
8253 else if (streq(p[0], "rdns-internal") && !p[1])
8254 /* standalone method for internal use
8255 *
8256 * (if --register-dns is set, openvpn needs to call itself in a
8257 * sub-process to execute the required functions in a non-blocking
8258 * way, and uses --rdns-internal to signal that to itself)
8259 */
8260 {
8261 VERIFY_PERMISSION(OPT_P_GENERAL);
8262 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8263 if (options->tuntap_options.register_dns)
8264 {
8265 ipconfig_register_dns(NULL);
8266 }
8267 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8268 }
8269 else if (streq(p[0], "show-valid-subnets") && !p[1])
8270 {
8271 VERIFY_PERMISSION(OPT_P_GENERAL);
8272 show_valid_win32_tun_subnets();
8273 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8274 }
8275 else if (streq(p[0], "pause-exit") && !p[1])
8276 {
8277 VERIFY_PERMISSION(OPT_P_GENERAL);
8278 set_pause_exit_win32();
8279 }
8280 else if (streq(p[0], "service") && p[1] && !p[3])
8281 {
8282 VERIFY_PERMISSION(OPT_P_GENERAL);
8283 options->exit_event_name = p[1];
8284 if (p[2])
8285 {
8286 options->exit_event_initial_state = (atoi(p[2]) != 0);
8287 }
8288 }
8289 else if (streq(p[0], "allow-nonadmin") && !p[2])
8290 {
8291 VERIFY_PERMISSION(OPT_P_GENERAL);
8292 tap_allow_nonadmin_access(p[1]);
8293 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8294 }
8295 else if (streq(p[0], "user") && p[1] && !p[2])
8296 {
8297 VERIFY_PERMISSION(OPT_P_GENERAL);
8298 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8299 }
8300 else if (streq(p[0], "group") && p[1] && !p[2])
8301 {
8302 VERIFY_PERMISSION(OPT_P_GENERAL);
8303 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8304 }
8305 #else /* ifdef _WIN32 */
8306 else if (streq(p[0], "user") && p[1] && !p[2])
8307 {
8308 VERIFY_PERMISSION(OPT_P_GENERAL);
8309 options->username = p[1];
8310 }
8311 else if (streq(p[0], "group") && p[1] && !p[2])
8312 {
8313 VERIFY_PERMISSION(OPT_P_GENERAL);
8314 options->groupname = p[1];
8315 }
8316 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8317 {
8318 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8319 setenv_foreign_option(options, (const char **)p, 3, es);
8320 }
8321 else if (streq(p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
8322 {
8323 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8324 }
8325 #endif /* ifdef _WIN32 */
8326 #if PASSTOS_CAPABILITY
8327 else if (streq(p[0], "passtos") && !p[1])
8328 {
8329 VERIFY_PERMISSION(OPT_P_GENERAL);
8330 options->passtos = true;
8331 }
8332 #endif
8333 #if defined(USE_COMP)
8334 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8335 {
8336 VERIFY_PERMISSION(OPT_P_GENERAL);
8337
8338 if (streq(p[1], "no"))
8339 {
8340 options->comp.flags =
8341 COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
8342 if (comp_non_stub_enabled(&options->comp))
8343 {
8344 msg(msglevel, "'--allow-compression no' conflicts with "
8345 " enabling compression");
8346 }
8347 }
8348 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8349 {
8350 /* Also printed on a push to hint at configuration problems */
8351 msg(msglevel, "Cannot set allow-compression to '%s' "
8352 "after set to 'no'", p[1]);
8353 goto err;
8354 }
8355 else if (streq(p[1], "asym"))
8356 {
8357 options->comp.flags &= ~COMP_F_ALLOW_COMPRESS;
8358 options->comp.flags |= COMP_F_ALLOW_ASYM;
8359 }
8360 else if (streq(p[1], "yes"))
8361 {
8362 msg(M_WARN, "WARNING: Compression for sending and receiving enabled. Compression has "
8363 "been used in the past to break encryption. Allowing compression allows "
8364 "attacks that break encryption. Using \"--allow-compression yes\" is "
8365 "strongly discouraged for common usage. See --compress in the manual "
8366 "page for more information ");
8367
8368 options->comp.flags |= COMP_F_ALLOW_COMPRESS;
8369 }
8370 else
8371 {
8372 msg(msglevel, "bad allow-compression option: %s -- "
8373 "must be 'yes', 'no', or 'asym'", p[1]);
8374 goto err;
8375 }
8376 }
8377 else if (streq(p[0], "comp-lzo") && !p[2])
8378 {
8379 VERIFY_PERMISSION(OPT_P_COMP);
8380
8381 /* All lzo variants do not use swap */
8382 options->comp.flags &= ~COMP_F_SWAP;
8383 #if defined(ENABLE_LZO)
8384 if (p[1] && streq(p[1], "no"))
8385 #endif
8386 {
8387 options->comp.alg = COMP_ALG_STUB;
8388 options->comp.flags &= ~COMP_F_ADAPTIVE;
8389 }
8390 #if defined(ENABLE_LZO)
8391 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8392 {
8393 /* Also printed on a push to hint at configuration problems */
8394 msg(msglevel, "Cannot set comp-lzo to '%s', "
8395 "allow-compression is set to 'no'", p[1]);
8396 goto err;
8397 }
8398 else if (p[1])
8399 {
8400 if (streq(p[1], "yes"))
8401 {
8402 options->comp.alg = COMP_ALG_LZO;
8403 options->comp.flags &= ~COMP_F_ADAPTIVE;
8404 }
8405 else if (streq(p[1], "adaptive"))
8406 {
8407 options->comp.alg = COMP_ALG_LZO;
8408 options->comp.flags |= COMP_F_ADAPTIVE;
8409 }
8410 else
8411 {
8412 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
8413 goto err;
8414 }
8415 }
8416 else
8417 {
8418 options->comp.alg = COMP_ALG_LZO;
8419 options->comp.flags |= COMP_F_ADAPTIVE;
8420 }
8421 show_compression_warning(&options->comp);
8422 #endif /* if defined(ENABLE_LZO) */
8423 }
8424 else if (streq(p[0], "comp-noadapt") && !p[1])
8425 {
8426 /*
8427 * We do not need to check here if we allow compression since
8428 * it only modifies a flag if compression is enabled
8429 */
8430 VERIFY_PERMISSION(OPT_P_COMP);
8431 options->comp.flags &= ~COMP_F_ADAPTIVE;
8432 }
8433 else if (streq(p[0], "compress") && !p[2])
8434 {
8435 VERIFY_PERMISSION(OPT_P_COMP);
8436 if (p[1])
8437 {
8438 if (streq(p[1], "stub"))
8439 {
8440 options->comp.alg = COMP_ALG_STUB;
8441 options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
8442 }
8443 else if (streq(p[1], "stub-v2"))
8444 {
8445 options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8446 options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8447 }
8448 else if (streq(p[1], "migrate"))
8449 {
8450 options->comp.alg = COMP_ALG_UNDEF;
8451 options->comp.flags = COMP_F_MIGRATE;
8452
8453 }
8454 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8455 {
8456 /* Also printed on a push to hint at configuration problems */
8457 msg(msglevel, "Cannot set compress to '%s', "
8458 "allow-compression is set to 'no'", p[1]);
8459 goto err;
8460 }
8461 #if defined(ENABLE_LZO)
8462 else if (streq(p[1], "lzo"))
8463 {
8464 options->comp.alg = COMP_ALG_LZO;
8465 options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP);
8466 }
8467 #endif
8468 #if defined(ENABLE_LZ4)
8469 else if (streq(p[1], "lz4"))
8470 {
8471 options->comp.alg = COMP_ALG_LZ4;
8472 options->comp.flags |= COMP_F_SWAP;
8473 }
8474 else if (streq(p[1], "lz4-v2"))
8475 {
8476 options->comp.alg = COMP_ALGV2_LZ4;
8477 }
8478 #endif
8479 else
8480 {
8481 msg(msglevel, "bad comp option: %s", p[1]);
8482 goto err;
8483 }
8484 }
8485 else
8486 {
8487 options->comp.alg = COMP_ALG_STUB;
8488 options->comp.flags |= COMP_F_SWAP;
8489 }
8490 show_compression_warning(&options->comp);
8491 }
8492 #endif /* USE_COMP */
8493 else if (streq(p[0], "show-ciphers") && !p[1])
8494 {
8495 VERIFY_PERMISSION(OPT_P_GENERAL);
8496 options->show_ciphers = true;
8497 }
8498 else if (streq(p[0], "show-digests") && !p[1])
8499 {
8500 VERIFY_PERMISSION(OPT_P_GENERAL);
8501 options->show_digests = true;
8502 }
8503 else if (streq(p[0], "show-engines") && !p[1])
8504 {
8505 VERIFY_PERMISSION(OPT_P_GENERAL);
8506 options->show_engines = true;
8507 }
8508 else if (streq(p[0], "key-direction") && p[1] && !p[2])
8509 {
8510 int key_direction;
8511
8512 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
8513
8514 key_direction = ascii2keydirection(msglevel, p[1]);
8515 if (key_direction >= 0)
8516 {
8517 if (permission_mask & OPT_P_GENERAL)
8518 {
8519 options->key_direction = key_direction;
8520 }
8521 else if (permission_mask & OPT_P_CONNECTION)
8522 {
8523 options->ce.key_direction = key_direction;
8524 }
8525 }
8526 else
8527 {
8528 goto err;
8529 }
8530 }
8531 else if (streq(p[0], "secret") && p[1] && !p[3])
8532 {
8533 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8534 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8535 options->shared_secret_file = p[1];
8536 options->shared_secret_file_inline = is_inline;
8537 if (!is_inline && p[2])
8538 {
8539 int key_direction;
8540
8541 key_direction = ascii2keydirection(msglevel, p[2]);
8542 if (key_direction >= 0)
8543 {
8544 options->key_direction = key_direction;
8545 }
8546 else
8547 {
8548 goto err;
8549 }
8550 }
8551 }
8552 else if (streq(p[0], "genkey") && !p[4])
8553 {
8554 VERIFY_PERMISSION(OPT_P_GENERAL);
8555 options->genkey = true;
8556 if (!p[1])
8557 {
8558 options->genkey_type = GENKEY_SECRET;
8559 }
8560 else
8561 {
8562 if (streq(p[1], "secret") || streq(p[1], "tls-auth")
8563 || streq(p[1], "tls-crypt"))
8564 {
8565 options->genkey_type = GENKEY_SECRET;
8566 }
8567 else if (streq(p[1], "tls-crypt-v2-server"))
8568 {
8569 options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
8570 }
8571 else if (streq(p[1], "tls-crypt-v2-client"))
8572 {
8573 options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
8574 if (p[3])
8575 {
8576 options->genkey_extra_data = p[3];
8577 }
8578 }
8579 else if (streq(p[1], "auth-token"))
8580 {
8581 options->genkey_type = GENKEY_AUTH_TOKEN;
8582 }
8583 else
8584 {
8585 msg(msglevel, "unknown --genkey type: %s", p[1]);
8586 }
8587
8588 }
8589 if (p[2])
8590 {
8591 options->genkey_filename = p[2];
8592 }
8593 }
8594 else if (streq(p[0], "auth") && p[1] && !p[2])
8595 {
8596 VERIFY_PERMISSION(OPT_P_GENERAL);
8597 options->authname = p[1];
8598 }
8599 else if (streq(p[0], "cipher") && p[1] && !p[2])
8600 {
8601 VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
8602 options->ciphername = p[1];
8603 }
8604 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8605 {
8606 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8607 options->ciphername = p[1];
8608 options->enable_ncp_fallback = true;
8609 }
8610 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
8611 && p[1] && !p[2])
8612 {
8613 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8614 if (streq(p[0], "ncp-ciphers"))
8615 {
8616 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8617 " '--data-ciphers' (renamed in OpenVPN 2.5).");
8618 }
8619 options->ncp_ciphers = p[1];
8620 }
8621 else if (streq(p[0], "key-derivation") && p[1])
8622 {
8623 /* NCP only option that is pushed by the server to enable EKM,
8624 * should not be used by normal users in config files*/
8625 VERIFY_PERMISSION(OPT_P_NCP)
8626 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8627 if (streq(p[1], "tls-ekm"))
8628 {
8629 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8630 }
8631 else
8632 #endif
8633 {
8634 msg(msglevel, "Unknown key-derivation method %s", p[1]);
8635 }
8636 }
8637 else if (streq(p[0], "protocol-flags") && p[1])
8638 {
8639 /* NCP only option that is pushed by the server to enable protocol
8640 * features that are negotiated, should not be used by normal users
8641 * in config files */
8642 VERIFY_PERMISSION(OPT_P_NCP)
8643 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8644 {
8645 if (streq(p[j], "cc-exit"))
8646 {
8647 options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
8648 }
8649 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8650 else if (streq(p[j], "tls-ekm"))
8651 {
8652 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8653 }
8654 #endif
8655 else
8656 {
8657 msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
8658 }
8659 }
8660 }
8661 else if (streq(p[0], "prng") && p[1] && !p[3])
8662 {
8663 msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8664 }
8665 else if (streq(p[0], "no-replay") && !p[1])
8666 {
8667 VERIFY_PERMISSION(OPT_P_GENERAL);
8668 options->replay = false;
8669 }
8670 else if (streq(p[0], "replay-window") && !p[3])
8671 {
8672 VERIFY_PERMISSION(OPT_P_GENERAL);
8673 if (p[1])
8674 {
8675 int replay_window;
8676
8677 replay_window = atoi(p[1]);
8678 if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
8679 {
8680 msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
8681 replay_window,
8682 MIN_SEQ_BACKTRACK,
8683 MAX_SEQ_BACKTRACK);
8684 goto err;
8685 }
8686 options->replay_window = replay_window;
8687
8688 if (p[2])
8689 {
8690 int replay_time;
8691
8692 replay_time = atoi(p[2]);
8693 if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
8694 {
8695 msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
8696 replay_time,
8697 MIN_TIME_BACKTRACK,
8698 MAX_TIME_BACKTRACK);
8699 goto err;
8700 }
8701 options->replay_time = replay_time;
8702 }
8703 }
8704 else
8705 {
8706 msg(msglevel, "replay-window option is missing window size parameter");
8707 goto err;
8708 }
8709 }
8710 else if (streq(p[0], "mute-replay-warnings") && !p[1])
8711 {
8712 VERIFY_PERMISSION(OPT_P_GENERAL);
8713 options->mute_replay_warnings = true;
8714 }
8715 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8716 {
8717 VERIFY_PERMISSION(OPT_P_GENERAL);
8718 options->packet_id_file = p[1];
8719 }
8720 else if (streq(p[0], "test-crypto") && !p[1])
8721 {
8722 VERIFY_PERMISSION(OPT_P_GENERAL);
8723 options->test_crypto = true;
8724 }
8725 #ifndef ENABLE_CRYPTO_MBEDTLS
8726 else if (streq(p[0], "engine") && !p[2])
8727 {
8728 VERIFY_PERMISSION(OPT_P_GENERAL);
8729 if (p[1])
8730 {
8731 options->engine = p[1];
8732 }
8733 else
8734 {
8735 options->engine = "auto";
8736 }
8737 }
8738 #endif /* ENABLE_CRYPTO_MBEDTLS */
8739 else if (streq(p[0], "providers") && p[1])
8740 {
8741 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8742 {
8743 options->providers.names[j] = p[j];
8744 }
8745 }
8746 #ifdef ENABLE_PREDICTION_RESISTANCE
8747 else if (streq(p[0], "use-prediction-resistance") && !p[1])
8748 {
8749 VERIFY_PERMISSION(OPT_P_GENERAL);
8750 options->use_prediction_resistance = true;
8751 }
8752 #endif
8753 else if (streq(p[0], "show-tls") && !p[1])
8754 {
8755 VERIFY_PERMISSION(OPT_P_GENERAL);
8756 options->show_tls_ciphers = true;
8757 }
8758 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8759 {
8760 VERIFY_PERMISSION(OPT_P_GENERAL);
8761 options->show_curves = true;
8762 }
8763 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8764 {
8765 VERIFY_PERMISSION(OPT_P_GENERAL);
8766 msg(M_WARN, "Consider setting groups/curves preference with "
8767 "tls-groups instead of forcing a specific curve with "
8768 "ecdh-curve.");
8769 options->ecdh_curve = p[1];
8770 }
8771 else if (streq(p[0], "tls-server") && !p[1])
8772 {
8773 VERIFY_PERMISSION(OPT_P_GENERAL);
8774 options->tls_server = true;
8775 }
8776 else if (streq(p[0], "tls-client") && !p[1])
8777 {
8778 VERIFY_PERMISSION(OPT_P_GENERAL);
8779 options->tls_client = true;
8780 }
8781 else if (streq(p[0], "ca") && p[1] && !p[2])
8782 {
8783 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8784 options->ca_file = p[1];
8785 options->ca_file_inline = is_inline;
8786 }
8787 #ifndef ENABLE_CRYPTO_MBEDTLS
8788 else if (streq(p[0], "capath") && p[1] && !p[2])
8789 {
8790 VERIFY_PERMISSION(OPT_P_GENERAL);
8791 options->ca_path = p[1];
8792 }
8793 #endif /* ENABLE_CRYPTO_MBEDTLS */
8794 else if (streq(p[0], "dh") && p[1] && !p[2])
8795 {
8796 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8797 options->dh_file = p[1];
8798 options->dh_file_inline = is_inline;
8799 }
8800 else if (streq(p[0], "cert") && p[1] && !p[2])
8801 {
8802 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8803 options->cert_file = p[1];
8804 options->cert_file_inline = is_inline;
8805 }
8806 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8807 {
8808 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8809 options->extra_certs_file = p[1];
8810 options->extra_certs_file_inline = is_inline;
8811 }
8812 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8813 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8814 {
8815 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8816
8817 int verify_hash_depth = 0;
8818 if (streq(p[0], "verify-hash"))
8819 {
8820 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8821 "You should switch to the either use the level 1 certificate as "
8822 "--ca option, use --tls-verify or use --peer-fingerprint");
8823 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8824 verify_hash_depth = 1;
8825 }
8826
8827 options->verify_hash_algo = MD_SHA256;
8828
8829 int digest_len = SHA256_DIGEST_LENGTH;
8830
8831 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
8832 {
8833 msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
8834 " --peer-fingerprint are mutually exclusive", p[0]);
8835 goto err;
8836 }
8837
8838 if (streq(p[0], "verify-hash"))
8839 {
8840 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
8841 {
8842 options->verify_hash_algo = MD_SHA1;
8843 digest_len = SHA_DIGEST_LENGTH;
8844 }
8845 else if (p[2] && !streq(p[2], "SHA256"))
8846 {
8847 msg(msglevel, "invalid or unsupported hashing algorithm: %s "
8848 "(only SHA1 and SHA256 are supported)", p[2]);
8849 goto err;
8850 }
8851 }
8852
8853 struct verify_hash_list *newlist;
8854 newlist = parse_hash_fingerprint_multiline(p[1], digest_len,
8855 msglevel, &options->gc);
8856
8857 /* Append the new list to the end of our current list */
8858 if (!options->verify_hash)
8859 {
8860 options->verify_hash = newlist;
8861 options->verify_hash_depth = verify_hash_depth;
8862 }
8863 else
8864 {
8865 /* since both the old and new list can have multiple entries
8866 * we need to go to the end of one of them to concatenate them */
8867 struct verify_hash_list *listend = options->verify_hash;
8868 while (listend->next)
8869 {
8870 listend = listend->next;
8871 }
8872 listend->next = newlist;
8873 }
8874 }
8875 #ifdef ENABLE_CRYPTOAPI
8876 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
8877 {
8878 VERIFY_PERMISSION(OPT_P_GENERAL);
8879 options->cryptoapi_cert = p[1];
8880 }
8881 #endif
8882 else if (streq(p[0], "key") && p[1] && !p[2])
8883 {
8884 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8885 options->priv_key_file = p[1];
8886 options->priv_key_file_inline = is_inline;
8887 }
8888 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
8889 {
8890 int ver;
8891 VERIFY_PERMISSION(OPT_P_GENERAL);
8892 ver = tls_version_parse(p[1], p[2]);
8893 if (ver == TLS_VER_BAD)
8894 {
8895 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
8896 goto err;
8897 }
8898 options->ssl_flags &=
8899 ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
8900 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
8901 }
8902 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
8903 {
8904 int ver;
8905 VERIFY_PERMISSION(OPT_P_GENERAL);
8906 ver = tls_version_parse(p[1], NULL);
8907 if (ver == TLS_VER_BAD)
8908 {
8909 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
8910 goto err;
8911 }
8912 options->ssl_flags &=
8913 ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
8914 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
8915 }
8916 #ifndef ENABLE_CRYPTO_MBEDTLS
8917 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
8918 {
8919 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8920 options->pkcs12_file = p[1];
8921 options->pkcs12_file_inline = is_inline;
8922 }
8923 #endif /* ENABLE_CRYPTO_MBEDTLS */
8924 else if (streq(p[0], "askpass") && !p[2])
8925 {
8926 VERIFY_PERMISSION(OPT_P_GENERAL);
8927 if (p[1])
8928 {
8929 options->key_pass_file = p[1];
8930 }
8931 else
8932 {
8933 options->key_pass_file = "stdin";
8934 }
8935 }
8936 else if (streq(p[0], "auth-nocache") && !p[1])
8937 {
8938 VERIFY_PERMISSION(OPT_P_GENERAL);
8939 ssl_set_auth_nocache();
8940 }
8941 else if (streq(p[0], "auth-token") && p[1] && !p[2])
8942 {
8943 VERIFY_PERMISSION(OPT_P_ECHO);
8944 ssl_set_auth_token(p[1]);
8945 #ifdef ENABLE_MANAGEMENT
8946 if (management)
8947 {
8948 management_auth_token(management, p[1]);
8949 }
8950 #endif
8951 }
8952 else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
8953 {
8954 VERIFY_PERMISSION(OPT_P_ECHO);
8955 ssl_set_auth_token_user(p[1]);
8956 }
8957 else if (streq(p[0], "single-session") && !p[1])
8958 {
8959 VERIFY_PERMISSION(OPT_P_GENERAL);
8960 options->single_session = true;
8961 }
8962 else if (streq(p[0], "push-peer-info") && !p[1])
8963 {
8964 VERIFY_PERMISSION(OPT_P_GENERAL);
8965 options->push_peer_info = true;
8966 }
8967 else if (streq(p[0], "tls-exit") && !p[1])
8968 {
8969 VERIFY_PERMISSION(OPT_P_GENERAL);
8970 options->tls_exit = true;
8971 }
8972 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
8973 {
8974 VERIFY_PERMISSION(OPT_P_GENERAL);
8975 options->cipher_list = p[1];
8976 }
8977 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
8978 {
8979 VERIFY_PERMISSION(OPT_P_GENERAL);
8980 options->tls_cert_profile = p[1];
8981 }
8982 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
8983 {
8984 VERIFY_PERMISSION(OPT_P_GENERAL);
8985 options->cipher_list_tls13 = p[1];
8986 }
8987 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
8988 {
8989 VERIFY_PERMISSION(OPT_P_GENERAL);
8990 options->tls_groups = p[1];
8991 }
8992 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
8993 || !p[2]))
8994 {
8995 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8996 if (p[2] && streq(p[2], "dir"))
8997 {
8998 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
8999 }
9000 options->crl_file = p[1];
9001 options->crl_file_inline = is_inline;
9002 }
9003 else if (streq(p[0], "tls-verify") && p[1])
9004 {
9005 VERIFY_PERMISSION(OPT_P_SCRIPT);
9006 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
9007 {
9008 goto err;
9009 }
9010 set_user_script(options, &options->tls_verify,
9011 string_substitute(p[1], ',', ' ', &options->gc),
9012 "tls-verify", true);
9013 }
9014 #ifndef ENABLE_CRYPTO_MBEDTLS
9015 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
9016 {
9017 VERIFY_PERMISSION(OPT_P_GENERAL);
9018 options->tls_export_cert = p[1];
9019 }
9020 #endif
9021 else if (streq(p[0], "compat-names"))
9022 {
9023 VERIFY_PERMISSION(OPT_P_GENERAL);
9024 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
9025 "Update your configuration.");
9026 goto err;
9027 }
9028 else if (streq(p[0], "no-name-remapping") && !p[1])
9029 {
9030 VERIFY_PERMISSION(OPT_P_GENERAL);
9031 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
9032 "Update your configuration.");
9033 goto err;
9034 }
9035 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
9036 {
9037 int type = VERIFY_X509_SUBJECT_DN;
9038 VERIFY_PERMISSION(OPT_P_GENERAL);
9039 if (p[2])
9040 {
9041 if (streq(p[2], "subject"))
9042 {
9043 type = VERIFY_X509_SUBJECT_DN;
9044 }
9045 else if (streq(p[2], "name"))
9046 {
9047 type = VERIFY_X509_SUBJECT_RDN;
9048 }
9049 else if (streq(p[2], "name-prefix"))
9050 {
9051 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
9052 }
9053 else
9054 {
9055 msg(msglevel, "unknown X.509 name type: %s", p[2]);
9056 goto err;
9057 }
9058 }
9059 options->verify_x509_type = type;
9060 options->verify_x509_name = p[1];
9061 }
9062 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
9063 {
9064 VERIFY_PERMISSION(OPT_P_GENERAL);
9065 if (streq(p[1], "server"))
9066 {
9067 options->ns_cert_type = NS_CERT_CHECK_SERVER;
9068 }
9069 else if (streq(p[1], "client"))
9070 {
9071 options->ns_cert_type = NS_CERT_CHECK_CLIENT;
9072 }
9073 else
9074 {
9075 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
9076 goto err;
9077 }
9078 }
9079 else if (streq(p[0], "remote-cert-ku"))
9080 {
9081 VERIFY_PERMISSION(OPT_P_GENERAL);
9082
9083 size_t j;
9084 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9085 {
9086 sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
9087 }
9088 if (j == 1)
9089 {
9090 /* No specific KU required, but require KU to be present */
9091 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9092 }
9093 }
9094 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
9095 {
9096 VERIFY_PERMISSION(OPT_P_GENERAL);
9097 options->remote_cert_eku = p[1];
9098 }
9099 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
9100 {
9101 VERIFY_PERMISSION(OPT_P_GENERAL);
9102
9103 if (streq(p[1], "server"))
9104 {
9105 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9106 options->remote_cert_eku = "TLS Web Server Authentication";
9107 }
9108 else if (streq(p[1], "client"))
9109 {
9110 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9111 options->remote_cert_eku = "TLS Web Client Authentication";
9112 }
9113 else
9114 {
9115 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
9116 goto err;
9117 }
9118 }
9119 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
9120 {
9121 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9122 options->tls_timeout = positive_atoi(p[1]);
9123 }
9124 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
9125 {
9126 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9127 options->renegotiate_bytes = positive_atoi(p[1]);
9128 }
9129 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
9130 {
9131 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9132 options->renegotiate_packets = positive_atoi(p[1]);
9133 }
9134 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
9135 {
9136 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9137 options->renegotiate_seconds = positive_atoi(p[1]);
9138 if (p[2])
9139 {
9140 options->renegotiate_seconds_min = positive_atoi(p[2]);
9141 }
9142 }
9143 else if (streq(p[0], "hand-window") && p[1] && !p[2])
9144 {
9145 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9146 options->handshake_window = positive_atoi(p[1]);
9147 }
9148 else if (streq(p[0], "tran-window") && p[1] && !p[2])
9149 {
9150 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9151 options->transition_window = positive_atoi(p[1]);
9152 }
9153 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9154 {
9155 int key_direction = -1;
9156
9157 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9158
9159 if (permission_mask & OPT_P_GENERAL)
9160 {
9161 options->tls_auth_file = p[1];
9162 options->tls_auth_file_inline = is_inline;
9163
9164 if (!is_inline && p[2])
9165 {
9166 key_direction = ascii2keydirection(msglevel, p[2]);
9167 if (key_direction < 0)
9168 {
9169 goto err;
9170 }
9171 options->key_direction = key_direction;
9172 }
9173
9174 }
9175 else if (permission_mask & OPT_P_CONNECTION)
9176 {
9177 options->ce.tls_auth_file = p[1];
9178 options->ce.tls_auth_file_inline = is_inline;
9179 options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
9180
9181 if (!is_inline && p[2])
9182 {
9183 key_direction = ascii2keydirection(msglevel, p[2]);
9184 if (key_direction < 0)
9185 {
9186 goto err;
9187 }
9188 options->ce.key_direction = key_direction;
9189 }
9190 }
9191 }
9192 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9193 {
9194 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9195 if (permission_mask & OPT_P_GENERAL)
9196 {
9197 options->tls_crypt_file = p[1];
9198 options->tls_crypt_file_inline = is_inline;
9199 }
9200 else if (permission_mask & OPT_P_CONNECTION)
9201 {
9202 options->ce.tls_crypt_file = p[1];
9203 options->ce.tls_crypt_file_inline = is_inline;
9204 }
9205 }
9206 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9207 {
9208 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9209 if (permission_mask & OPT_P_GENERAL)
9210 {
9211 options->tls_crypt_v2_file = p[1];
9212 options->tls_crypt_v2_file_inline = is_inline;
9213 }
9214 else if (permission_mask & OPT_P_CONNECTION)
9215 {
9216 options->ce.tls_crypt_v2_file = p[1];
9217 options->ce.tls_crypt_v2_file_inline = is_inline;
9218 }
9219
9220 if (p[2] && streq(p[2], "force-cookie"))
9221 {
9222 options->ce.tls_crypt_v2_force_cookie = true;
9223 }
9224 else if (p[2] && streq(p[2], "allow-noncookie"))
9225 {
9226 options->ce.tls_crypt_v2_force_cookie = false;
9227 }
9228 else if (p[2])
9229 {
9230 msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9231 }
9232 }
9233 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9234 {
9235 VERIFY_PERMISSION(OPT_P_GENERAL);
9236 options->tls_crypt_v2_verify_script = p[1];
9237 }
9238 else if (streq(p[0], "x509-track") && p[1] && !p[2])
9239 {
9240 VERIFY_PERMISSION(OPT_P_GENERAL);
9241 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9242 }
9243 #ifdef ENABLE_X509ALTUSERNAME
9244 else if (streq(p[0], "x509-username-field") && p[1])
9245 {
9246 /* This option used to automatically upcase the fieldnames passed as the
9247 * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is
9248 * fine-tuned by only upcasing Subject field attribute names which consist
9249 * of all lower-case characters. Mixed-case attributes such as
9250 * "emailAddress" are left as-is. An option parameter having the "ext:"
9251 * prefix for matching X.509v3 extended fields will also remain unchanged.
9252 */
9253 VERIFY_PERMISSION(OPT_P_GENERAL);
9254 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9255 {
9256 char *s = p[j];
9257
9258 if (strncmp("ext:", s, 4) != 0)
9259 {
9260 size_t i = 0;
9261 while (s[i] && !isupper(s[i]))
9262 {
9263 i++;
9264 }
9265 if (strlen(s) == i)
9266 {
9267 while ((*s = toupper(*s)) != '\0')
9268 {
9269 s++;
9270 }
9271 msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
9272 "--x509-username-field parameter to '%s'; please update your"
9273 "configuration", p[j]);
9274 }
9275 }
9276 else if (!x509_username_field_ext_supported(s+4))
9277 {
9278 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9279 }
9280 options->x509_username_field[j-1] = p[j];
9281 }
9282 }
9283 #endif /* ENABLE_X509ALTUSERNAME */
9284 #ifdef ENABLE_PKCS11
9285 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9286 {
9287 char *provider = p[1];
9288 bool cert_private = (p[2] == NULL ? false : ( atoi(p[2]) != 0 ));
9289
9290 #ifdef DEFAULT_PKCS11_MODULE
9291 if (!provider)
9292 {
9293 provider = DEFAULT_PKCS11_MODULE;
9294 }
9295 else if (!p[2])
9296 {
9297 char *endp = NULL;
9298 int i = strtol(provider, &endp, 10);
9299
9300 if (*endp == 0)
9301 {
9302 /* There was one argument, and it was purely numeric.
9303 * Interpret it as the cert_private argument */
9304 provider = DEFAULT_PKCS11_MODULE;
9305 cert_private = i;
9306 }
9307 }
9308 #else /* ifdef DEFAULT_PKCS11_MODULE */
9309 if (!provider)
9310 {
9311 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9312 goto err;
9313 }
9314 #endif /* ifdef DEFAULT_PKCS11_MODULE */
9315 VERIFY_PERMISSION(OPT_P_GENERAL);
9316
9317 set_debug_level(options->verbosity, SDL_CONSTRAIN);
9318 show_pkcs11_ids(provider, cert_private);
9319 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9320 }
9321 else if (streq(p[0], "pkcs11-providers") && p[1])
9322 {
9323 int j;
9324
9325 VERIFY_PERMISSION(OPT_P_GENERAL);
9326
9327 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9328 {
9329 options->pkcs11_providers[j-1] = p[j];
9330 }
9331 }
9332 else if (streq(p[0], "pkcs11-protected-authentication"))
9333 {
9334 int j;
9335
9336 VERIFY_PERMISSION(OPT_P_GENERAL);
9337
9338 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9339 {
9340 options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9341 }
9342 }
9343 else if (streq(p[0], "pkcs11-private-mode") && p[1])
9344 {
9345 int j;
9346
9347 VERIFY_PERMISSION(OPT_P_GENERAL);
9348
9349 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9350 {
9351 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
9352 }
9353 }
9354 else if (streq(p[0], "pkcs11-cert-private"))
9355 {
9356 int j;
9357
9358 VERIFY_PERMISSION(OPT_P_GENERAL);
9359
9360 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9361 {
9362 options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9363 }
9364 }
9365 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9366 {
9367 VERIFY_PERMISSION(OPT_P_GENERAL);
9368 options->pkcs11_pin_cache_period = atoi(p[1]);
9369 }
9370 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9371 {
9372 VERIFY_PERMISSION(OPT_P_GENERAL);
9373 options->pkcs11_id = p[1];
9374 }
9375 else if (streq(p[0], "pkcs11-id-management") && !p[1])
9376 {
9377 VERIFY_PERMISSION(OPT_P_GENERAL);
9378 options->pkcs11_id_management = true;
9379 }
9380 #endif /* ifdef ENABLE_PKCS11 */
9381 else if (streq(p[0], "rmtun") && !p[1])
9382 {
9383 VERIFY_PERMISSION(OPT_P_GENERAL);
9384 options->persist_config = true;
9385 options->persist_mode = 0;
9386 }
9387 else if (streq(p[0], "mktun") && !p[1])
9388 {
9389 VERIFY_PERMISSION(OPT_P_GENERAL);
9390 options->persist_config = true;
9391 options->persist_mode = 1;
9392 }
9393 else if (streq(p[0], "peer-id") && p[1] && !p[2])
9394 {
9395 VERIFY_PERMISSION(OPT_P_PEER_ID);
9396 options->use_peer_id = true;
9397 options->peer_id = atoi(p[1]);
9398 }
9399 #ifdef HAVE_EXPORT_KEYING_MATERIAL
9400 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9401 {
9402 int ekm_length = positive_atoi(p[2]);
9403
9404 VERIFY_PERMISSION(OPT_P_GENERAL);
9405
9406 if (strncmp(p[1], "EXPORTER", 8))
9407 {
9408 msg(msglevel, "Keying material exporter label must begin with "
9409 "\"EXPORTER\"");
9410 goto err;
9411 }
9412 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9413 {
9414 msg(msglevel, "Keying material exporter label must not be '"
9415 EXPORT_KEY_DATA_LABEL "'.");
9416 }
9417 if (ekm_length < 16 || ekm_length > 4095)
9418 {
9419 msg(msglevel, "Invalid keying material exporter length");
9420 goto err;
9421 }
9422
9423 options->keying_material_exporter_label = p[1];
9424 options->keying_material_exporter_length = ekm_length;
9425 }
9426 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
9427 else if (streq(p[0], "allow-recursive-routing") && !p[1])
9428 {
9429 VERIFY_PERMISSION(OPT_P_GENERAL);
9430 options->allow_recursive_routing = true;
9431 }
9432 else if (streq(p[0], "vlan-tagging") && !p[1])
9433 {
9434 VERIFY_PERMISSION(OPT_P_GENERAL);
9435 options->vlan_tagging = true;
9436 }
9437 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9438 {
9439 VERIFY_PERMISSION(OPT_P_GENERAL);
9440 if (streq(p[1], "tagged"))
9441 {
9442 options->vlan_accept = VLAN_ONLY_TAGGED;
9443 }
9444 else if (streq(p[1], "untagged"))
9445 {
9446 options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9447 }
9448 else if (streq(p[1], "all"))
9449 {
9450 options->vlan_accept = VLAN_ALL;
9451 }
9452 else
9453 {
9454 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9455 goto err;
9456 }
9457 }
9458 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9459 {
9460 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
9461 options->vlan_pvid = positive_atoi(p[1]);
9462 if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
9463 || options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
9464 {
9465 msg(msglevel,
9466 "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9467 OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
9468 goto err;
9469 }
9470 }
9471 else
9472 {
9473 int i;
9474 int msglevel = msglevel_fc;
9475 /* Check if an option is in --ignore-unknown-option and
9476 * set warning level to non fatal */
9477 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9478 {
9479 if (streq(p[0], options->ignore_unknown_option[i]))
9480 {
9481 msglevel = M_WARN;
9482 break;
9483 }
9484 }
9485 if (file)
9486 {
9487 msg(msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
9488 }
9489 else
9490 {
9491 msg(msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
9492 }
9493 }
9494 err:
9495 gc_free(&gc);
9496 }
Mirror of https://github.com/OpenVPN/openvpn.git