]> git.ipfire.org Git - thirdparty/openvpn.git/blob - src/openvpn/options.c
projects / thirdparty / openvpn.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Reduce default restart pause to 1 second
[thirdparty/openvpn.git] / src / openvpn / options.c
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2022 David Sommerseth <dazo@eurephia.org>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 */
24
25 /*
26 * 2004-01-28: Added Socks5 proxy support
27 * (Christof Meerwald, http://cmeerw.org)
28 */
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35 #ifdef HAVE_CONFIG_VERSION_H
36 #include "config-version.h"
37 #endif
38
39 #include "syshead.h"
40
41 #include "buffer.h"
42 #include "error.h"
43 #include "common.h"
44 #include "run_command.h"
45 #include "shaper.h"
46 #include "crypto.h"
47 #include "ssl.h"
48 #include "ssl_ncp.h"
49 #include "options.h"
50 #include "misc.h"
51 #include "socket.h"
52 #include "packet_id.h"
53 #include "pkcs11.h"
54 #include "win32.h"
55 #include "push.h"
56 #include "pool.h"
57 #include "proto.h"
58 #include "helper.h"
59 #include "manage.h"
60 #include "forward.h"
61 #include "ssl_verify.h"
62 #include "platform.h"
63 #include "xkey_common.h"
64 #include "dco.h"
65 #include <ctype.h>
66
67 #include "memdbg.h"
68
69 const char title_string[] =
70 PACKAGE_STRING
71 #ifdef CONFIGURE_GIT_REVISION
72 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
73 #endif
74 " " TARGET_ALIAS
75 #if defined(ENABLE_CRYPTO_MBEDTLS)
76 " [SSL (mbed TLS)]"
77 #elif defined(ENABLE_CRYPTO_OPENSSL)
78 " [SSL (OpenSSL)]"
79 #else
80 " [SSL]"
81 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
82 #ifdef USE_COMP
83 #ifdef ENABLE_LZO
84 " [LZO]"
85 #endif
86 #ifdef ENABLE_LZ4
87 " [LZ4]"
88 #endif
89 #ifdef ENABLE_COMP_STUB
90 " [COMP_STUB]"
91 #endif
92 #endif /* USE_COMP */
93 #if EPOLL
94 " [EPOLL]"
95 #endif
96 #ifdef PRODUCT_TAP_DEBUG
97 " [TAPDBG]"
98 #endif
99 #ifdef ENABLE_PKCS11
100 " [PKCS11]"
101 #endif
102 #if ENABLE_IP_PKTINFO
103 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
104 " [MH/PKTINFO]"
105 #elif defined(IP_RECVDSTADDR)
106 " [MH/RECVDA]"
107 #endif
108 #endif
109 " [AEAD]"
110 #ifdef ENABLE_DCO
111 " [DCO]"
112 #endif
113 #ifdef CONFIGURE_GIT_REVISION
114 " built on " __DATE__
115 #endif
116 ;
117
118 #ifndef ENABLE_SMALL
119
120 static const char usage_message[] =
121 "%s\n"
122 "\n"
123 "General Options:\n"
124 "--config file : Read configuration options from file.\n"
125 "--help : Show options.\n"
126 "--version : Show copyright and version information.\n"
127 "\n"
128 "Tunnel Options:\n"
129 "--local host : Local host name or ip address. Implies --bind.\n"
130 "--remote host [port] : Remote host name or ip address.\n"
131 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
132 "--remote-random-hostname : Add a random string to remote DNS name.\n"
133 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
134 "--proto p : Use protocol p for communicating with peer.\n"
135 " p = udp (default), tcp-server, tcp-client\n"
136 " udp4, tcp4-server, tcp4-client\n"
137 " udp6, tcp6-server, tcp6-client\n"
138 "--proto-force p : only consider protocol p in list of connection profiles.\n"
139 " p = udp or tcp\n"
140 "--connect-retry n [m] : For client, number of seconds to wait between\n"
141 " connection retries (default=%d). On repeated retries\n"
142 " the wait time is exponentially increased to a maximum of m\n"
143 " (default=%d).\n"
144 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
145 "--http-proxy s p [up] [auth] : Connect to remote host\n"
146 " through an HTTP proxy at address s and port p.\n"
147 " If proxy authentication is required,\n"
148 " up is a file containing username/password on 2 lines, or\n"
149 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
150 " the proxy requires NTLM authentication.\n"
151 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
152 " determine auth method and query for username/password\n"
153 " if needed. auto-nct disables weak proxy auth methods.\n"
154 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
155 " Repeat to set multiple options.\n"
156 " VERSION version (default=1.0)\n"
157 " AGENT user-agent\n"
158 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
159 " address s and port p (default port = 1080).\n"
160 " If proxy authentication is required,\n"
161 " up is a file containing username/password on 2 lines, or\n"
162 " 'stdin' to prompt for console.\n"
163 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
164 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
165 " resolve for n seconds before failing (disabled by default).\n"
166 " Set n=\"infinite\" to retry indefinitely.\n"
167 "--float : Allow remote to change its IP address/port, such as through\n"
168 " DHCP (this is the default if --remote is not used).\n"
169 "--ipchange cmd : Run command cmd on remote ip address initial\n"
170 " setting or change -- execute as: cmd ip-address port#\n"
171 "--port port : TCP/UDP port # for both local and remote.\n"
172 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
173 "--rport port : TCP/UDP port # for remote (default=%s).\n"
174 "--bind : Bind to local address and port. (This is the default unless\n"
175 " --proto tcp-client"
176 " or --http-proxy"
177 " or --socks-proxy"
178 " is used).\n"
179 "--nobind : Do not bind to local address and port.\n"
180 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
181 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
182 " this option only if the tun/tap device used with --dev\n"
183 " does not begin with \"tun\" or \"tap\".\n"
184 "--dev-node node : Explicitly set the device node rather than using\n"
185 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
186 #if defined(ENABLE_DCO)
187 "--disable-dco : Do not attempt using Data Channel Offload.\n"
188 #endif
189 "--lladdr hw : Set the link layer address of the tap device.\n"
190 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
191 #ifdef ENABLE_IPROUTE
192 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
193 #endif
194 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
195 " endpoint and rn as a remote endpoint. l & rn should be\n"
196 " swapped on the other peer. l & rn must be private\n"
197 " addresses outside of the subnets used by either peer.\n"
198 " TAP: configure device to use IP address l as a local\n"
199 " endpoint and rn as a subnet mask.\n"
200 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
201 " endpoint (as a /64) and r as remote endpoint\n"
202 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
203 " pass --ifconfig parms by environment to scripts.\n"
204 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
205 " connection doesn't match the remote side.\n"
206 "--route network [netmask] [gateway] [metric] :\n"
207 " Add route to routing table after connection\n"
208 " is established. Multiple routes can be specified.\n"
209 " netmask default: 255.255.255.255\n"
210 " gateway default: taken from --route-gateway or --ifconfig\n"
211 " Specify default by leaving blank or setting to \"default\".\n"
212 "--route-ipv6 network/bits [gateway] [metric] :\n"
213 " Add IPv6 route to routing table after connection\n"
214 " is established. Multiple routes can be specified.\n"
215 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
216 " in --ifconfig-ipv6\n"
217 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
218 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
219 "--route-metric m : Specify a default metric for use with --route.\n"
220 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
221 " adding routes (may be 0). If not specified, routes will\n"
222 " be added immediately after tun/tap open. On Windows, wait\n"
223 " up to w seconds for TUN/TAP adapter to come up.\n"
224 "--route-up cmd : Run command cmd after routes are added.\n"
225 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
226 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
227 " --route-up script using environmental variables.\n"
228 "--route-nopull : When used with --client or --pull, accept options pushed\n"
229 " by server EXCEPT for routes, dns, and dhcp options.\n"
230 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
231 " --ifconfig, --route, and --route-gateway.\n"
232 "--redirect-gateway [flags]: Automatically execute routing\n"
233 " commands to redirect all outgoing IP traffic through the\n"
234 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
235 " connected via a common subnet, such as with WiFi.\n"
236 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
237 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
238 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
239 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
240 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
241 " the default gateway. Useful when pushing private subnets.\n"
242 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
243 " ICMPv6 host unreachable messages on the client.\n"
244 " (Server) Instead of forwarding IPv6 packets send\n"
245 " ICMPv6 host unreachable packets to the client.\n"
246 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
247 "--push-peer-info : (client only) push client info to server.\n"
248 "--setenv name value : Set a custom environmental variable to pass to script.\n"
249 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
250 " directives for future OpenVPN versions to be ignored.\n"
251 "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
252 " these options to be ignored when unknown\n"
253 "--script-security level: Where level can be:\n"
254 " 0 -- strictly no calling of external programs\n"
255 " 1 -- (default) only call built-ins such as ifconfig\n"
256 " 2 -- allow calling of built-ins and scripts\n"
257 " 3 -- allow password to be passed to scripts via env\n"
258 "--shaper n : Restrict output to peer to n bytes per second.\n"
259 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
260 " ping once every n seconds, restart if ping not received\n"
261 " for m seconds.\n"
262 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
263 " produces a combined in/out byte count < bytes.\n"
264 "--session-timeout n: Limit connection time to n seconds.\n"
265 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
266 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
267 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
268 " remote address.\n"
269 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
270 #if ENABLE_IP_PKTINFO
271 "--multihome : Configure a multi-homed UDP server.\n"
272 #endif
273 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
274 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
275 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
276 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
277 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
278 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
279 #if PASSTOS_CAPABILITY
280 "--passtos : TOS passthrough (applies to IPv4 only).\n"
281 #endif
282 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
283 " TCP/UDP MTU from it (default=%d).\n"
284 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
285 " as n bytes more than the tun-mtu size on read\n"
286 " (default TUN=0 TAP=%d).\n"
287 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
288 " from it.\n"
289 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
290 " 'no' -- Never send DF (Don't Fragment) frames\n"
291 " 'maybe' -- Use per-route hints\n"
292 " 'yes' -- Always DF (Don't Fragment)\n"
293 "--mtu-test : Empirically measure and report MTU.\n"
294 #ifdef ENABLE_FRAGMENT
295 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
296 " datagrams are sent which are larger than max bytes.\n"
297 " Adds 4 bytes of overhead per datagram.\n"
298 #endif
299 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
300 " or --fragment max value, whichever is lower.\n"
301 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
302 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
303 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
304 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
305 " can be matched in policy routing and packetfilter rules.\n"
306 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
307 " listening for connections. This allows sending encrypted packets\n"
308 " via a VRF present on the system.\n"
309 #endif
310 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
311 #ifdef ENABLE_MEMSTATS
312 "--memstats file : Write live usage stats to memory mapped binary file.\n"
313 #endif
314 "--mlock : Disable Paging -- ensures key material and tunnel\n"
315 " data will never be written to disk.\n"
316 "--up cmd : Run command cmd after successful tun device open.\n"
317 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
318 " ifconfig-local-ip ifconfig-remote-ip\n"
319 " (pre --user or --group UID/GID change)\n"
320 "--up-delay : Delay tun/tap open and possible --up script execution\n"
321 " until after TCP/UDP connection establishment with peer.\n"
322 "--down cmd : Run command cmd after tun device close.\n"
323 " (post --user/--group UID/GID change and/or --chroot)\n"
324 " (command parameters are same as --up option)\n"
325 "--down-pre : Run --down command before TUN/TAP close.\n"
326 "--up-restart : Run up/down commands for all restarts including those\n"
327 " caused by --ping-restart or SIGUSR1\n"
328 "--user user : Set UID to user after initialization.\n"
329 "--group group : Set GID to group after initialization.\n"
330 "--chroot dir : Chroot to this directory after initialization.\n"
331 #ifdef ENABLE_SELINUX
332 "--setcon context: Apply this SELinux context after initialization.\n"
333 #endif
334 "--cd dir : Change to this directory before initialization.\n"
335 "--daemon [name] : Become a daemon after initialization.\n"
336 " The optional 'name' parameter will be passed\n"
337 " as the program name to the system logger.\n"
338 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
339 " See --daemon above for a description of the 'name' parm.\n"
340 "--log file : Output log to file which is created/truncated on open.\n"
341 "--log-append file : Append log to file, or create file if nonexistent.\n"
342 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
343 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
344 "--writepid file : Write main process ID to file.\n"
345 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
346 "--echo [parms ...] : Echo parameters to log output.\n"
347 "--verb n : Set output verbosity to n (default=%d):\n"
348 " (Level 3 is recommended if you want a good summary\n"
349 " of what's happening without being swamped by output).\n"
350 " : 0 -- no output except fatal errors\n"
351 " : 1 -- startup info + connection initiated messages +\n"
352 " non-fatal encryption & net errors\n"
353 " : 2,3 -- show TLS negotiations & route info\n"
354 " : 4 -- show parameters\n"
355 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
356 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
357 " : 6 to 11 -- debug messages of increasing verbosity\n"
358 "--mute n : Log at most n consecutive messages in the same category.\n"
359 "--status file [n] : Write operational status to file every n seconds.\n"
360 "--status-version [n] : Choose the status file format version number.\n"
361 " Currently, n can be 1, 2, or 3 (default=1).\n"
362 "--disable-occ : Disable options consistency check between peers.\n"
363 #ifdef ENABLE_DEBUG
364 "--gremlin mask : Special stress testing mode (for debugging only).\n"
365 #endif
366 #if defined(USE_COMP)
367 "--compress alg : Use compression algorithm alg\n"
368 "--allow-compression: Specify whether compression should be allowed\n"
369 #if defined(ENABLE_LZO)
370 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
371 " packet for incompressible data.\n"
372 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
373 " is specified.\n"
374 #endif
375 #endif
376 #ifdef ENABLE_MANAGEMENT
377 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
378 " management functions. pass is a password file\n"
379 " or 'stdin' to prompt from console.\n"
380 #if UNIX_SOCK_SUPPORT
381 " To listen on a unix domain socket, specific the pathname\n"
382 " in place of ip and use 'unix' as the port number.\n"
383 #endif
384 "--management-client : Management interface will connect as a TCP client to\n"
385 " ip/port rather than listen as a TCP server.\n"
386 "--management-query-passwords : Query management channel for private key\n"
387 " and auth-user-pass passwords.\n"
388 "--management-query-proxy : Query management channel for proxy information.\n"
389 "--management-query-remote : Query management channel for --remote directive.\n"
390 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
391 " of the management interface explicitly starts it.\n"
392 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
393 "--management-forget-disconnect : Forget passwords when management disconnect\n"
394 " event occurs.\n"
395 "--management-up-down : Report tunnel up/down events to management interface.\n"
396 "--management-log-cache n : Cache n lines of log file history for usage\n"
397 " by the management channel.\n"
398 #if UNIX_SOCK_SUPPORT
399 "--management-client-user u : When management interface is a unix socket, only\n"
400 " allow connections from user u.\n"
401 "--management-client-group g : When management interface is a unix socket, only\n"
402 " allow connections from group g.\n"
403 #endif
404 "--management-client-auth : gives management interface client the responsibility\n"
405 " to authenticate clients after their client certificate\n"
406 " has been verified.\n"
407 #endif /* ifdef ENABLE_MANAGEMENT */
408 #ifdef ENABLE_PLUGIN
409 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
410 " to its initialization function.\n"
411 #endif
412 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
413 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
414 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
415 "\n"
416 "Multi-Client Server options (when --mode server is used):\n"
417 "--server network netmask : Helper option to easily configure server mode.\n"
418 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
419 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
420 " easily configure ethernet bridging server mode.\n"
421 "--push \"option\" : Push a config file option back to the peer for remote\n"
422 " execution. Peer must specify --pull in its config file.\n"
423 "--push-reset : Don't inherit global push list for specific\n"
424 " client instance.\n"
425 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
426 " a specific client instance.\n"
427 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
428 " to be dynamically allocated to connecting clients.\n"
429 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
430 " data to file, at seconds intervals (default=600).\n"
431 " If seconds=0, file will be treated as read-only.\n"
432 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
433 " to be dynamically allocated to connecting clients.\n"
434 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
435 " overrides --ifconfig-pool dynamic allocation.\n"
436 " Only valid in a client-specific config file.\n"
437 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
438 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
439 " Only valid in a client-specific config file.\n"
440 "--iroute network [netmask] : Route subnet to client.\n"
441 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
442 " Sets up internal routes only.\n"
443 " Only valid in a client-specific config file.\n"
444 "--disable : Client is disabled.\n"
445 " Only valid in a client-specific config file.\n"
446 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
447 " mandatory client certificate verification.\n"
448 " Default is to require the client to supply a certificate.\n"
449 "--username-as-common-name : For auth-user-pass authentication, use\n"
450 " the authenticated username as the common name,\n"
451 " rather than the common name from the client cert.\n"
452 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
453 " run command cmd to verify. If method='via-env', pass\n"
454 " user/pass via environment, if method='via-file', pass\n"
455 " user/pass via temporary file.\n"
456 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
457 " to each client, replacing the password. Useful when\n"
458 " OTP based two-factor auth mechanisms are in use and\n"
459 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
460 " for generated tokens can be set.\n"
461 "--opt-verify : Clients that connect with options that are incompatible\n"
462 " with those of the server will be disconnected.\n"
463 "--auth-user-pass-optional : Allow connections by clients that don't\n"
464 " specify a username/password.\n"
465 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
466 " any printable character.\n"
467 "--client-to-client : Internally route client-to-client traffic.\n"
468 "--duplicate-cn : Allow multiple clients with the same common name to\n"
469 " concurrently connect.\n"
470 "--client-connect cmd : Run command cmd on client connection.\n"
471 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
472 "--client-config-dir dir : Directory for custom client config files.\n"
473 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
474 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
475 "--hash-size r v : Set the size of the real address hash table to r and the\n"
476 " virtual address table to v.\n"
477 "--bcast-buffers n : Allocate n broadcast buffers.\n"
478 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
479 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
480 " as well as pushes it to connecting clients.\n"
481 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
482 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
483 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
484 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
485 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
486 " older than n seconds. Run this check every t\n"
487 " seconds (defaults to n).\n"
488 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
489 " clients. n = 1 - reconnect to same server,\n"
490 " 2 - advance to next server, default=1.\n"
491 #if PORT_SHARE
492 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
493 " sessions to a web server at host:port. dir specifies an\n"
494 " optional directory to write origin IP:port data.\n"
495 #endif
496 "\n"
497 "Client options (when connecting to a multi-client server):\n"
498 "--client : Helper option to easily configure client mode.\n"
499 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
500 " up is a file containing the username on the first line,\n"
501 " and a password on the second. If either the password or both\n"
502 " the username and the password are omitted OpenVPN will prompt\n"
503 " for them from console.\n"
504 "--pull : Accept certain config file options from the peer as if they\n"
505 " were part of the local config file. Must be specified\n"
506 " when connecting to a '--mode server' remote host.\n"
507 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
508 " server if it starts with the text t. The action flag accept,\n"
509 " ignore or reject causes the option to be allowed, removed or\n"
510 " rejected with error. May be specified multiple times, and\n"
511 " each filter is applied in the order of appearance.\n"
512 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
513 " Valid options are :\n"
514 " address <addr[:port]> [addr[:port]] : server address 4/6\n"
515 " resolve-domains <domain> [domain ...] : split domains\n"
516 " exclude-domains <domain> [domain ...] : domains not to resolve\n"
517 " dnssec <yes|no|optional> : option to use DNSSEC\n"
518 " type <DoH|DoT> : query server over HTTPS / TLS\n"
519 " sni <domain> : DNS server name indication\n"
520 "--dns search-domains <domain> [domain ...]:\n"
521 " Add domains to DNS domain search list\n"
522 "--auth-retry t : How to handle auth failures. Set t to\n"
523 " none (default), interact, or nointeract.\n"
524 "--static-challenge t e : Enable static challenge/response protocol using\n"
525 " challenge text t, with e indicating echo flag (0|1)\n"
526 "--connect-timeout n : when polling possible remote servers to connect to\n"
527 " in a round-robin fashion, spend no more than n seconds\n"
528 " waiting for a response before trying the next server.\n"
529 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
530 " incoming tun packets with same destination as host.\n"
531 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
532 " server/remote. n = # of retries, default=1.\n"
533 "\n"
534 "Data Channel Encryption Options (must be compatible between peers):\n"
535 "(These options are meaningful for both Static Key & TLS-mode)\n"
536 "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
537 " Use shared secret file f, generate with --genkey.\n"
538 " The optional d parameter controls key directionality.\n"
539 " If d is specified, use separate keys for each\n"
540 " direction, set d=0 on one side of the connection,\n"
541 " and d=1 on the other side.\n"
542 "--auth alg : Authenticate packets with HMAC using message\n"
543 " digest algorithm alg (default=%s).\n"
544 " (usually adds 16 or 20 bytes per packet)\n"
545 " Set alg=none to disable authentication.\n"
546 "--cipher alg : Encrypt packets with cipher algorithm alg\n"
547 " (default=%s).\n"
548 " Set alg=none to disable encryption.\n"
549 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
550 #ifndef ENABLE_CRYPTO_MBEDTLS
551 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
552 #endif
553 "--no-replay : (DEPRECATED) Disable replay protection.\n"
554 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
555 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
556 " and a time window of t seconds.\n"
557 " Default n=%d t=%d\n"
558 "--replay-persist file : Persist replay-protection state across sessions\n"
559 " using file.\n"
560 "--test-crypto : Run a self-test of crypto features enabled.\n"
561 " For debugging only.\n"
562 #ifdef ENABLE_PREDICTION_RESISTANCE
563 "--use-prediction-resistance: Enable prediction resistance on the random\n"
564 " number generator.\n"
565 #endif
566 "\n"
567 "TLS Key Negotiation Options:\n"
568 "(These options are meaningful only for TLS-mode)\n"
569 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
570 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
571 "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
572 " number, such as 1 (default), 2, etc.\n"
573 "--ca file : Certificate authority file in .pem format containing\n"
574 " root certificate.\n"
575 #ifndef ENABLE_CRYPTO_MBEDTLS
576 "--capath dir : A directory of trusted certificates (CAs"
577 " and CRLs).\n"
578 #endif /* ENABLE_CRYPTO_MBEDTLS */
579 "--dh file : File containing Diffie Hellman parameters\n"
580 " in .pem format (for --tls-server only).\n"
581 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
582 "--cert file : Local certificate in .pem format -- must be signed\n"
583 " by a Certificate Authority in --ca file.\n"
584 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
585 "--key file : Local private key in .pem format.\n"
586 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
587 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
588 " is specified, require max TLS version supported by SSL implementation.\n"
589 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
590 #ifndef ENABLE_CRYPTO_MBEDTLS
591 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
592 " and optionally the root CA certificate.\n"
593 #endif
594 #ifdef ENABLE_X509ALTUSERNAME
595 "--x509-username-field : Field in x509 certificate containing the username.\n"
596 " Default is CN in the Subject field.\n"
597 #endif
598 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
599 " Valid algo flags are SHA1 and SHA256. \n"
600 #ifdef _WIN32
601 "--cryptoapicert select-string : Load the certificate and private key from the\n"
602 " Windows Certificate System Store.\n"
603 #endif
604 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
605 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
606 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
607 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
608 " (default=legacy).\n"
609 "--providers l : A list l of OpenSSL providers to load.\n"
610 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
611 " if no ACK from remote within n seconds (default=%d).\n"
612 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
613 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
614 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
615 " and at least min (defaults to 90%% of max on servers and equal\n"
616 " to max on clients).\n"
617 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
618 " of handshake initiation by any peer (default=%d).\n"
619 "--tran-window n : Transition window -- old key can live this many seconds\n"
620 " after new key renegotiation begins (default=%d).\n"
621 "--single-session: Allow only one session (reset state on restart).\n"
622 "--tls-exit : Exit on TLS negotiation failure.\n"
623 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
624 " control channel to protect against attacks on the TLS stack\n"
625 " and DoS attacks.\n"
626 " f (required) is a shared-secret key file.\n"
627 " The optional d parameter controls key directionality,\n"
628 " see --secret option for more info.\n"
629 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
630 " of the TLS control channel to hide the TLS certificate,\n"
631 " provide basic post-quantum security and protect against\n"
632 " attacks on the TLS stack and DoS attacks.\n"
633 " key (required) provides the pre-shared key file.\n"
634 " see --secret option for more info.\n"
635 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
636 " For servers: use key to decrypt client-specific keys. For\n"
637 " key generation (--genkey tls-crypt-v2-client): use key to\n"
638 " encrypt generated client-specific key. (See --tls-crypt.)\n"
639 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
640 " fresh tls-crypt-v2 client key, and store to\n"
641 " keyfile. If supplied, include metadata in wrapped key.\n"
642 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
643 " fresh tls-crypt-v2 server key, and store to keyfile\n"
644 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
645 " client-supplied tls-crypt-v2 client key\n"
646 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
647 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
648 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
649 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
650 " pending TLS connection that has otherwise passed all other\n"
651 " tests of certification. cmd should return 0 to allow\n"
652 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
653 " executed as 'cmd certificate_depth subject')\n"
654 "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
655 " in an openvpn temporary file in [directory]. Peer cert is \n"
656 " stored before tls-verify script execution and deleted after.\n"
657 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
658 " DN name. The remote host must also pass all other tests\n"
659 " of verification.\n"
660 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
661 " an explicit nsCertType designation t = 'client' | 'server'.\n"
662 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
663 " plugins and management interface.\n"
664 #ifdef HAVE_EXPORT_KEYING_MATERIAL
665 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
666 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
667 #endif
668 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
669 " explicit key usage, you can specify more than one value.\n"
670 " value should be given in hex format.\n"
671 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
672 " explicit extended key usage. Extended key usage can be encoded\n"
673 " as an object identifier or OpenSSL string representation.\n"
674 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
675 " key usage and extended key usage based on RFC3280 TLS rules.\n"
676 " t = 'client' | 'server'.\n"
677 #ifdef ENABLE_PKCS11
678 "\n"
679 "PKCS#11 Options:\n"
680 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
681 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
682 " path. Set for each provider.\n"
683 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
684 " 0 : Try to determine automatically (default).\n"
685 " 1 : Use Sign.\n"
686 " 2 : Use SignRecover.\n"
687 " 4 : Use Decrypt.\n"
688 " 8 : Use Unwrap.\n"
689 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
690 " certificate can be accessed. Set for each provider.\n"
691 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
692 " cache until token is removed.\n"
693 "--pkcs11-id-management : Acquire identity from management interface.\n"
694 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
695 #endif /* ENABLE_PKCS11 */
696 "\n"
697 "SSL Library information:\n"
698 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
699 "--show-digests : Show message digest algorithms to use with --auth option.\n"
700 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
701 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
702 #ifdef _WIN32
703 "\n"
704 "Windows Specific:\n"
705 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
706 " from SystemRoot environment variable.\n"
707 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
708 " IP address using method = manual, netsh, ipapi,\n"
709 " dynamic, or adaptive (default = adaptive).\n"
710 " Dynamic method allows two optional parameters:\n"
711 " offset: DHCP server address offset (> -256 and < 256).\n"
712 " If 0, use network address, if >0, take nth\n"
713 " address forward from network address, if <0,\n"
714 " take nth address backward from broadcast\n"
715 " address.\n"
716 " Default is 0.\n"
717 " lease-time: Lease time in seconds.\n"
718 " Default is one year.\n"
719 "--route-method : Which method to use for adding routes on Windows?\n"
720 " adaptive (default) -- Try ipapi then fall back to exe.\n"
721 " ipapi -- Use IP helper API.\n"
722 " exe -- Call the route.exe shell command.\n"
723 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
724 " be used with --ip-win32 dynamic. For options\n"
725 " which allow multiple addresses,\n"
726 " --dhcp-option must be repeated.\n"
727 " DOMAIN name : Set DNS suffix\n"
728 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
729 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
730 " NTP : Set NTP server address(es)\n"
731 " NBDD : Set NBDD server address(es)\n"
732 " WINS addr : Set WINS server address(es)\n"
733 " NBT type : Set NetBIOS over TCP/IP Node type\n"
734 " 1: B, 2: P, 4: M, 8: H\n"
735 " NBS id : Set NetBIOS scope ID\n"
736 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
737 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
738 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
739 " startup.\n"
740 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
741 " on connection initiation.\n"
742 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
743 " attempting to set adapter properties.\n"
744 "--pause-exit : When run from a console window, pause before exiting.\n"
745 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
746 " service, and should not be used directly by end-users.\n"
747 " ex is the name of an event object which, when\n"
748 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
749 " optional parameter controls the initial state of ex.\n"
750 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
751 " after TAP adapter is up and routes have been added.\n"
752 "--windows-driver : Which tun driver to use?\n"
753 " ovpn-dco (default)\n"
754 " tap-windows6\n"
755 " wintun\n"
756 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
757 "Windows Standalone Options:\n"
758 "\n"
759 "--show-adapters : Show all TAP-Windows adapters.\n"
760 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
761 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
762 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
763 " to access TAP adapter.\n"
764 #endif /* ifdef _WIN32 */
765 "\n"
766 "Generate a new key :\n"
767 "--genkey secret file : Generate a new random key of type and write to file\n"
768 " (for use with --secret, --tls-auth or --tls-crypt)."
769 #ifdef ENABLE_FEATURE_TUN_PERSIST
770 "\n"
771 "Tun/tap config mode (available with linux 2.4+):\n"
772 "--mktun : Create a persistent tunnel.\n"
773 "--rmtun : Remove a persistent tunnel.\n"
774 "--dev tunX|tapX : tun/tap device\n"
775 "--dev-type dt : Device type. See tunnel options above for details.\n"
776 "--user user : User to set privilege to.\n"
777 "--group group : Group to set privilege to.\n"
778 #endif
779 #ifdef ENABLE_PKCS11
780 "\n"
781 "PKCS#11 standalone options:\n"
782 #ifdef DEFAULT_PKCS11_MODULE
783 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
784 #else
785 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
786 #endif
787 " --verb option can be added *BEFORE* this.\n"
788 #endif /* ENABLE_PKCS11 */
789 "\n"
790 "General Standalone Options:\n"
791 #ifdef ENABLE_DEBUG
792 "--show-gateway : Show info about default gateway.\n"
793 #endif
794 ;
795
796 #endif /* !ENABLE_SMALL */
797
798 /*
799 * This is where the options defaults go.
800 * Any option not explicitly set here
801 * will be set to 0.
802 */
803 void
804 init_options(struct options *o, const bool init_gc)
805 {
806 CLEAR(*o);
807 if (init_gc)
808 {
809 gc_init(&o->gc);
810 gc_init(&o->dns_options.gc);
811 o->gc_owned = true;
812 }
813 o->mode = MODE_POINT_TO_POINT;
814 o->topology = TOP_NET30;
815 o->ce.proto = PROTO_UDP;
816 o->ce.af = AF_UNSPEC;
817 o->ce.bind_ipv6_only = false;
818 o->ce.connect_retry_seconds = 1;
819 o->ce.connect_retry_seconds_max = 300;
820 o->ce.connect_timeout = 120;
821 o->connect_retry_max = 0;
822 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
823 o->verbosity = 1;
824 o->status_file_update_freq = 60;
825 o->status_file_version = 1;
826 o->ce.bind_local = true;
827 o->ce.tun_mtu = TUN_MTU_DEFAULT;
828 o->ce.occ_mtu = 0;
829 o->ce.link_mtu = LINK_MTU_DEFAULT;
830 o->ce.tls_mtu = TLS_MTU_DEFAULT;
831 o->ce.mtu_discover_type = -1;
832 o->ce.mssfix = 0;
833 o->ce.mssfix_default = true;
834 o->ce.mssfix_encap = true;
835 o->route_delay_window = 30;
836 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
837 o->resolve_in_advance = false;
838 o->proto_force = -1;
839 o->occ = true;
840 #ifdef ENABLE_MANAGEMENT
841 o->management_log_history_cache = 250;
842 o->management_echo_buffer_size = 100;
843 o->management_state_buffer_size = 100;
844 #endif
845 #ifdef ENABLE_FEATURE_TUN_PERSIST
846 o->persist_mode = 1;
847 #endif
848 #ifdef _WIN32
849 #if 0
850 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
851 #else
852 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
853 #endif
854 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
855 o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
856 o->route_method = ROUTE_METHOD_ADAPTIVE;
857 o->block_outside_dns = false;
858 o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
859 #endif
860 o->vlan_accept = VLAN_ALL;
861 o->vlan_pvid = 1;
862 o->real_hash_size = 256;
863 o->virtual_hash_size = 256;
864 o->n_bcast_buf = 256;
865 o->tcp_queue_limit = 64;
866 o->max_clients = 1024;
867 o->max_routes_per_client = 256;
868 o->stale_routes_check_interval = 0;
869 o->ifconfig_pool_persist_refresh_freq = 600;
870 o->scheduled_exit_interval = 5;
871 o->authname = "SHA1";
872 o->replay = true;
873 o->replay_window = DEFAULT_SEQ_BACKTRACK;
874 o->replay_time = DEFAULT_TIME_BACKTRACK;
875 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
876 #ifdef ENABLE_PREDICTION_RESISTANCE
877 o->use_prediction_resistance = false;
878 #endif
879 o->tls_timeout = 2;
880 o->renegotiate_bytes = -1;
881 o->renegotiate_seconds = 3600;
882 o->renegotiate_seconds_min = -1;
883 o->handshake_window = 60;
884 o->transition_window = 3600;
885 o->tls_cert_profile = NULL;
886 o->ecdh_curve = NULL;
887 #ifdef ENABLE_X509ALTUSERNAME
888 o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
889 #endif
890 #ifdef ENABLE_PKCS11
891 o->pkcs11_pin_cache_period = -1;
892 #endif /* ENABLE_PKCS11 */
893
894 /* P2MP server context features */
895 o->auth_token_generate = false;
896
897 /* Set default --tmp-dir */
898 #ifdef _WIN32
899 /* On Windows, find temp dir via environment variables */
900 o->tmp_dir = win_get_tempdir();
901 #else
902 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
903 o->tmp_dir = getenv("TMPDIR");
904 if (!o->tmp_dir)
905 {
906 o->tmp_dir = "/tmp";
907 }
908 #endif /* _WIN32 */
909 o->allow_recursive_routing = false;
910
911 #ifndef ENABLE_DCO
912 o->tuntap_options.disable_dco = true;
913 #endif /* ENABLE_DCO */
914 }
915
916 void
917 uninit_options(struct options *o)
918 {
919 if (o->gc_owned)
920 {
921 gc_free(&o->gc);
922 gc_free(&o->dns_options.gc);
923 }
924 }
925
926 struct pull_filter
927 {
928 #define PUF_TYPE_UNDEF 0 /** undefined filter type */
929 #define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */
930 #define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */
931 #define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */
932 int type;
933 int size;
934 char *pattern;
935 struct pull_filter *next;
936 };
937
938 struct pull_filter_list
939 {
940 struct pull_filter *head;
941 struct pull_filter *tail;
942 };
943
944 #ifndef ENABLE_SMALL
945
946 static const char *
947 pull_filter_type_name(int type)
948 {
949 if (type == PUF_TYPE_ACCEPT)
950 {
951 return "accept";
952 }
953 if (type == PUF_TYPE_IGNORE)
954 {
955 return "ignore";
956 }
957 if (type == PUF_TYPE_REJECT)
958 {
959 return "reject";
960 }
961 else
962 {
963 return "???";
964 }
965 }
966
967 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
968 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
969 #define SHOW_STR_INLINE(var) SHOW_PARM(var, \
970 o->var ## _inline ? "[INLINE]" : \
971 (o->var ? o->var : "[UNDEF]"), \
972 "'%s'")
973 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
974 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
975 #define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
976 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
977 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
978
979 #endif /* ifndef ENABLE_SMALL */
980
981 static void
982 setenv_connection_entry(struct env_set *es,
983 const struct connection_entry *e,
984 const int i)
985 {
986 setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
987 setenv_str_i(es, "local", e->local, i);
988 setenv_str_i(es, "local_port", e->local_port, i);
989 setenv_str_i(es, "remote", e->remote, i);
990 setenv_str_i(es, "remote_port", e->remote_port, i);
991
992 if (e->http_proxy_options)
993 {
994 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
995 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
996 }
997 if (e->socks_proxy_server)
998 {
999 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
1000 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
1001 }
1002 }
1003
1004 void
1005 setenv_settings(struct env_set *es, const struct options *o)
1006 {
1007 setenv_str(es, "config", o->config);
1008 setenv_int(es, "verb", o->verbosity);
1009 setenv_int(es, "daemon", o->daemon);
1010 setenv_int(es, "daemon_log_redirect", o->log);
1011 setenv_long_long(es, "daemon_start_time", time(NULL));
1012 setenv_int(es, "daemon_pid", platform_getpid());
1013
1014 if (o->connection_list)
1015 {
1016 int i;
1017 for (i = 0; i < o->connection_list->len; ++i)
1018 {
1019 setenv_connection_entry(es, o->connection_list->array[i], i+1);
1020 }
1021 }
1022 else
1023 {
1024 setenv_connection_entry(es, &o->ce, 1);
1025 }
1026
1027 if (!o->pull)
1028 {
1029 setenv_dns_options(&o->dns_options, es);
1030 }
1031 }
1032
1033 static void
1034 setenv_foreign_option(struct options *o, const char *argv[], int len, struct env_set *es)
1035 {
1036 if (len > 0)
1037 {
1038 struct gc_arena gc = gc_new();
1039 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1040 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1041 int i;
1042 bool first = true;
1043 bool good = true;
1044
1045 good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
1046 ++o->foreign_option_index;
1047 for (i = 0; i < len; ++i)
1048 {
1049 if (argv[i])
1050 {
1051 if (!first)
1052 {
1053 good &= buf_printf(&value, " ");
1054 }
1055 good &= buf_printf(&value, "%s", argv[i]);
1056 first = false;
1057 }
1058 }
1059 if (good)
1060 {
1061 setenv_str(es, BSTR(&name), BSTR(&value));
1062 }
1063 else
1064 {
1065 msg(M_WARN, "foreign_option: name/value overflow");
1066 }
1067 gc_free(&gc);
1068 }
1069 }
1070
1071 static in_addr_t
1072 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1073 {
1074 unsigned int flags = GETADDR_HOST_ORDER;
1075 bool succeeded = false;
1076 in_addr_t ret;
1077
1078 if (msglevel & M_FATAL)
1079 {
1080 flags |= GETADDR_FATAL;
1081 }
1082
1083 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1084 if (!succeeded && error)
1085 {
1086 *error = true;
1087 }
1088 return ret;
1089 }
1090
1091 /**
1092 * Returns newly allocated string containing address part without "/nn".
1093 *
1094 * If gc != NULL, the allocated memory is registered in the supplied gc.
1095 */
1096 static char *
1097 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1098 {
1099 const char *end = strchr(addr, '/');
1100 char *ret = NULL;
1101 if (NULL == end)
1102 {
1103 ret = string_alloc(addr, gc);
1104 }
1105 else
1106 {
1107 size_t len = end - addr;
1108 ret = gc_malloc(len + 1, true, gc);
1109 memcpy(ret, addr, len);
1110 }
1111 return ret;
1112 }
1113
1114 static bool
1115 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1116 {
1117 struct in6_addr t_addr;
1118 unsigned int t_bits;
1119
1120 return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1121 }
1122
1123 static char *
1124 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1125 {
1126 char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1127 char *dest = ret;
1128 char c;
1129
1130 do
1131 {
1132 c = *src++;
1133 if (c == from)
1134 {
1135 c = to;
1136 }
1137 *dest++ = c;
1138 }
1139 while (c);
1140 return ret;
1141 }
1142
1143 /**
1144 * Parses a hexstring and checks if the string has the correct length. Return
1145 * a verify_hash_list containing the parsed hash string.
1146 *
1147 * @param str String to check/parse
1148 * @param nbytes Number of bytes expected in the hexstr (e.g. 20 for SHA1)
1149 * @param msglevel message level to use when printing warnings/errors
1150 * @param gc The returned object will be allocated in this gc
1151 */
1152 static struct verify_hash_list *
1153 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1154 {
1155 int i = 0;
1156 const char *cp = str;
1157
1158 struct verify_hash_list *ret;
1159 ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1160
1161 char term = 0;
1162 unsigned int byte;
1163
1164 while (*cp && i < nbytes)
1165 {
1166 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1167 if (!isxdigit(cp[0])
1168 || !isxdigit(cp[1])
1169 || (cp[2] != ':' && cp[2] != '\0')
1170 || sscanf(cp, "%x", &byte) != 1)
1171 {
1172 msg(msglevel, "format error in hash fingerprint: %s", str);
1173 break;
1174 }
1175
1176 ret->hash[i++] = (uint8_t)byte;
1177
1178 term = cp[2];
1179 if (term == '\0')
1180 {
1181 break;
1182 }
1183 cp += 3;
1184 }
1185 if (i < nbytes)
1186 {
1187 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1188 }
1189 else if (term != '\0')
1190 {
1191 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1192 }
1193 return ret;
1194 }
1195
1196 /**
1197 * Parses a string consisting of multiple lines of hexstrings and checks if each
1198 * string has the correct length. Empty lines are ignored. Returns
1199 * a linked list of (possibly) multiple verify_hash_list objects.
1200 *
1201 * @param str String to check/parse
1202 * @param nbytes Number of bytes expected in the hexstring (e.g. 20 for SHA1)
1203 * @param msglevel message level to use when printing warnings/errors
1204 * @param gc The returned list items will be allocated in this gc
1205 */
1206 static struct verify_hash_list *
1207 parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1208 struct gc_arena *gc)
1209 {
1210 struct gc_arena gc_temp = gc_new();
1211 char *lines = string_alloc(str, &gc_temp);
1212
1213 struct verify_hash_list *ret = NULL;
1214
1215 const char *line;
1216 while ((line = strsep(&lines, "\n")))
1217 {
1218 /* ignore leading whitespace */
1219 while (isspace(*line))
1220 {
1221 line++;
1222 }
1223 /* skip empty lines and comment lines */
1224 if (strlen(line) == 0 || *line == '#' || *line == ';')
1225 {
1226 continue;
1227 }
1228
1229 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1230 msglevel, gc);
1231
1232 if (!hash)
1233 {
1234 gc_free(&gc_temp);
1235 return NULL;
1236 }
1237
1238 hash->next = ret;
1239 ret = hash;
1240 }
1241 gc_free(&gc_temp);
1242
1243 return ret;
1244 }
1245 #ifdef _WIN32
1246
1247 #ifndef ENABLE_SMALL
1248
1249 static void
1250 show_dhcp_option_list(const char *name, const char *const *array, int len)
1251 {
1252 int i;
1253 for (i = 0; i < len; ++i)
1254 {
1255 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1256 }
1257 }
1258
1259 static void
1260 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1261 {
1262 struct gc_arena gc = gc_new();
1263 int i;
1264 for (i = 0; i < len; ++i)
1265 {
1266 msg(D_SHOW_PARMS, " %s[%d] = %s",
1267 name,
1268 i,
1269 print_in_addr_t(array[i], 0, &gc));
1270 }
1271 gc_free(&gc);
1272 }
1273
1274 static void
1275 show_tuntap_options(const struct tuntap_options *o)
1276 {
1277 SHOW_BOOL(ip_win32_defined);
1278 SHOW_INT(ip_win32_type);
1279 SHOW_INT(dhcp_masq_offset);
1280 SHOW_INT(dhcp_lease_time);
1281 SHOW_INT(tap_sleep);
1282 SHOW_BOOL(dhcp_options);
1283 SHOW_BOOL(dhcp_renew);
1284 SHOW_BOOL(dhcp_pre_release);
1285 SHOW_STR(domain);
1286 SHOW_STR(netbios_scope);
1287 SHOW_INT(netbios_node_type);
1288 SHOW_BOOL(disable_nbt);
1289
1290 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1291 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1292 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1293 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1294 show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1295 }
1296
1297 #endif /* ifndef ENABLE_SMALL */
1298 #endif /* ifdef _WIN32 */
1299
1300 #if defined(_WIN32) || defined(TARGET_ANDROID)
1301 static void
1302 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1303 {
1304 struct in6_addr addr;
1305 if (*len >= N_DHCP_ADDR)
1306 {
1307 msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1308 N_DHCP_ADDR);
1309 }
1310 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1311 {
1312 dns6_list[(*len)++] = addr;
1313 }
1314 }
1315 static void
1316 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1317 {
1318 if (*len >= N_DHCP_ADDR)
1319 {
1320 msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1321 name,
1322 N_DHCP_ADDR,
1323 name);
1324 }
1325 else
1326 {
1327 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1328 {
1329 bool error = false;
1330 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1331 if (!error)
1332 {
1333 array[(*len)++] = addr;
1334 }
1335 }
1336 else
1337 {
1338 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1339 }
1340 }
1341 }
1342
1343 /*
1344 * If DNS options are set use these for TUN/TAP options as well.
1345 * Applies to DNS, DNS6 and DOMAIN-SEARCH.
1346 * Existing options will be discarded.
1347 */
1348 static void
1349 tuntap_options_copy_dns(struct options *o)
1350 {
1351 struct tuntap_options *tt = &o->tuntap_options;
1352 struct dns_options *dns = &o->dns_options;
1353
1354 if (dns->search_domains)
1355 {
1356 tt->domain_search_list_len = 0;
1357 const struct dns_domain *domain = dns->search_domains;
1358 while (domain && tt->domain_search_list_len < N_SEARCH_LIST_LEN)
1359 {
1360 tt->domain_search_list[tt->domain_search_list_len++] = domain->name;
1361 domain = domain->next;
1362 }
1363 if (domain)
1364 {
1365 msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to --dhcp-option");
1366 }
1367 }
1368
1369 if (dns->servers)
1370 {
1371 tt->dns_len = 0;
1372 tt->dns6_len = 0;
1373 bool overflow = false;
1374 const struct dns_server *server = dns->servers;
1375 while (server)
1376 {
1377 if (server->addr4_defined && tt->dns_len < N_DHCP_ADDR)
1378 {
1379 tt->dns[tt->dns_len++] = server->addr4.s_addr;
1380 }
1381 else
1382 {
1383 overflow = true;
1384 }
1385 if (server->addr6_defined && tt->dns6_len < N_DHCP_ADDR)
1386 {
1387 tt->dns6[tt->dns6_len++] = server->addr6;
1388 }
1389 else
1390 {
1391 overflow = true;
1392 }
1393 server = server->next;
1394 }
1395 if (overflow)
1396 {
1397 msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to --dhcp-option");
1398 }
1399 }
1400 }
1401 #else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1402 static void
1403 foreign_options_copy_dns(struct options *o, struct env_set *es)
1404 {
1405 const struct dns_domain *domain = o->dns_options.search_domains;
1406 const struct dns_server *server = o->dns_options.servers;
1407 if (!domain && !server)
1408 {
1409 return;
1410 }
1411
1412 /* reset the index since we're starting all over again */
1413 int opt_max = o->foreign_option_index;
1414 o->foreign_option_index = 0;
1415
1416 for (int i = 1; i <= opt_max; ++i)
1417 {
1418 char name[32];
1419 openvpn_snprintf(name, sizeof(name), "foreign_option_%d", i);
1420
1421 const char *env_str = env_set_get(es, name);
1422 const char *value = strchr(env_str, '=') + 1;
1423 if ((domain && strstr(value, "dhcp-option DOMAIN-SEARCH") == value)
1424 || (server && strstr(value, "dhcp-option DNS") == value))
1425 {
1426 setenv_del(es, name);
1427 }
1428 else
1429 {
1430 setenv_foreign_option(o, &value, 1, es);
1431 }
1432 }
1433
1434 struct gc_arena gc = gc_new();
1435
1436 while (server)
1437 {
1438 if (server->addr4_defined)
1439 {
1440 const char *argv[] = {
1441 "dhcp-option",
1442 "DNS",
1443 print_in_addr_t(server->addr4.s_addr, 0, &gc)
1444 };
1445 setenv_foreign_option(o, argv, 3, es);
1446 }
1447 if (server->addr6_defined)
1448 {
1449 const char *argv[] = {
1450 "dhcp-option",
1451 "DNS6",
1452 print_in6_addr(server->addr6, 0, &gc)
1453 };
1454 setenv_foreign_option(o, argv, 3, es);
1455 }
1456 server = server->next;
1457 }
1458 while (domain)
1459 {
1460 const char *argv[] = { "dhcp-option", "DOMAIN-SEARCH", domain->name };
1461 setenv_foreign_option(o, argv, 3, es);
1462 domain = domain->next;
1463 }
1464
1465 gc_free(&gc);
1466
1467 /* remove old leftover entries */
1468 while (o->foreign_option_index < opt_max)
1469 {
1470 char name[32];
1471 openvpn_snprintf(name, sizeof(name), "foreign_option_%d", opt_max--);
1472 setenv_del(es, name);
1473 }
1474 }
1475 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1476
1477 #ifndef ENABLE_SMALL
1478 static const char *
1479 print_vlan_accept(enum vlan_acceptable_frames mode)
1480 {
1481 switch (mode)
1482 {
1483 case VLAN_ONLY_TAGGED:
1484 return "tagged";
1485
1486 case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1487 return "untagged";
1488
1489 case VLAN_ALL:
1490 return "all";
1491 }
1492 return NULL;
1493 }
1494
1495 static void
1496 show_p2mp_parms(const struct options *o)
1497 {
1498 struct gc_arena gc = gc_new();
1499
1500 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1501 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1502 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1503 SHOW_INT(server_netbits_ipv6);
1504 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1505 msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1506 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1507 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1508 if (o->push_list.head)
1509 {
1510 const struct push_entry *e = o->push_list.head;
1511 while (e)
1512 {
1513 if (e->enable)
1514 {
1515 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1516 }
1517 e = e->next;
1518 }
1519 }
1520 SHOW_BOOL(ifconfig_pool_defined);
1521 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1522 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1523 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1524 SHOW_STR(ifconfig_pool_persist_filename);
1525 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1526 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1527 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1528 SHOW_INT(ifconfig_ipv6_pool_netbits);
1529 SHOW_INT(n_bcast_buf);
1530 SHOW_INT(tcp_queue_limit);
1531 SHOW_INT(real_hash_size);
1532 SHOW_INT(virtual_hash_size);
1533 SHOW_STR(client_connect_script);
1534 SHOW_STR(learn_address_script);
1535 SHOW_STR(client_disconnect_script);
1536 SHOW_STR(client_crresponse_script);
1537 SHOW_STR(client_config_dir);
1538 SHOW_BOOL(ccd_exclusive);
1539 SHOW_STR(tmp_dir);
1540 SHOW_BOOL(push_ifconfig_defined);
1541 msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1542 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1543 SHOW_BOOL(push_ifconfig_ipv6_defined);
1544 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1545 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1546 SHOW_BOOL(enable_c2c);
1547 SHOW_BOOL(duplicate_cn);
1548 SHOW_INT(cf_max);
1549 SHOW_INT(cf_per);
1550 SHOW_INT(max_clients);
1551 SHOW_INT(max_routes_per_client);
1552 SHOW_STR(auth_user_pass_verify_script);
1553 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1554 SHOW_BOOL(auth_token_generate);
1555 SHOW_INT(auth_token_lifetime);
1556 SHOW_STR_INLINE(auth_token_secret_file);
1557 #if PORT_SHARE
1558 SHOW_STR(port_share_host);
1559 SHOW_STR(port_share_port);
1560 #endif
1561 SHOW_BOOL(vlan_tagging);
1562 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1563 SHOW_INT(vlan_pvid);
1564
1565 SHOW_BOOL(client);
1566 SHOW_BOOL(pull);
1567 SHOW_STR_INLINE(auth_user_pass_file);
1568
1569 gc_free(&gc);
1570 }
1571
1572 #endif /* ! ENABLE_SMALL */
1573
1574 static void
1575 option_iroute(struct options *o,
1576 const char *network_str,
1577 const char *netmask_str,
1578 int msglevel)
1579 {
1580 struct iroute *ir;
1581
1582 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1583 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1584 ir->netbits = 32; /* host route if no netmask given */
1585
1586 if (netmask_str)
1587 {
1588 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1589 ir->netbits = netmask_to_netbits2(netmask);
1590
1591 if (ir->netbits < 0)
1592 {
1593 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1594 network_str,
1595 netmask_str);
1596 return;
1597 }
1598 }
1599
1600 ir->next = o->iroutes;
1601 o->iroutes = ir;
1602 }
1603
1604 static void
1605 option_iroute_ipv6(struct options *o,
1606 const char *prefix_str,
1607 int msglevel)
1608 {
1609 struct iroute_ipv6 *ir;
1610
1611 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1612
1613 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1614 {
1615 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1616 prefix_str);
1617 return;
1618 }
1619
1620 ir->next = o->iroutes_ipv6;
1621 o->iroutes_ipv6 = ir;
1622 }
1623
1624 #ifndef ENABLE_SMALL
1625 static void
1626 show_http_proxy_options(const struct http_proxy_options *o)
1627 {
1628 int i;
1629 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1630 SHOW_STR(server);
1631 SHOW_STR(port);
1632 SHOW_STR(auth_method_string);
1633 SHOW_STR(auth_file);
1634 SHOW_STR(http_version);
1635 SHOW_STR(user_agent);
1636 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1637 {
1638 if (o->custom_headers[i].content)
1639 {
1640 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1641 o->custom_headers[i].name, o->custom_headers[i].content);
1642 }
1643 else
1644 {
1645 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1646 o->custom_headers[i].name);
1647 }
1648 }
1649 msg(D_SHOW_PARMS, "END http_proxy");
1650 }
1651 #endif /* ifndef ENABLE_SMALL */
1652
1653 void
1654 options_detach(struct options *o)
1655 {
1656 gc_detach(&o->gc);
1657 o->routes = NULL;
1658 o->client_nat = NULL;
1659 clone_push_list(o);
1660 }
1661
1662 void
1663 rol_check_alloc(struct options *options)
1664 {
1665 if (!options->routes)
1666 {
1667 options->routes = new_route_option_list(&options->gc);
1668 }
1669 }
1670
1671 static void
1672 rol6_check_alloc(struct options *options)
1673 {
1674 if (!options->routes_ipv6)
1675 {
1676 options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1677 }
1678 }
1679
1680 static void
1681 cnol_check_alloc(struct options *options)
1682 {
1683 if (!options->client_nat)
1684 {
1685 options->client_nat = new_client_nat_list(&options->gc);
1686 }
1687 }
1688
1689 #ifndef ENABLE_SMALL
1690 static void
1691 show_connection_entry(const struct connection_entry *o)
1692 {
1693 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1694 SHOW_STR(local);
1695 SHOW_STR(local_port);
1696 SHOW_STR(remote);
1697 SHOW_STR(remote_port);
1698 SHOW_BOOL(remote_float);
1699 SHOW_BOOL(bind_defined);
1700 SHOW_BOOL(bind_local);
1701 SHOW_BOOL(bind_ipv6_only);
1702 SHOW_INT(connect_retry_seconds);
1703 SHOW_INT(connect_timeout);
1704
1705 if (o->http_proxy_options)
1706 {
1707 show_http_proxy_options(o->http_proxy_options);
1708 }
1709 SHOW_STR(socks_proxy_server);
1710 SHOW_STR(socks_proxy_port);
1711 SHOW_INT(tun_mtu);
1712 SHOW_BOOL(tun_mtu_defined);
1713 SHOW_INT(link_mtu);
1714 SHOW_BOOL(link_mtu_defined);
1715 SHOW_INT(tun_mtu_extra);
1716 SHOW_BOOL(tun_mtu_extra_defined);
1717 SHOW_INT(tls_mtu);
1718
1719 SHOW_INT(mtu_discover_type);
1720
1721 #ifdef ENABLE_FRAGMENT
1722 SHOW_INT(fragment);
1723 #endif
1724 SHOW_INT(mssfix);
1725 SHOW_BOOL(mssfix_encap);
1726 SHOW_BOOL(mssfix_fixed);
1727
1728 SHOW_INT(explicit_exit_notification);
1729
1730 SHOW_STR_INLINE(tls_auth_file);
1731 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1732 "%s");
1733 SHOW_STR_INLINE(tls_crypt_file);
1734 SHOW_STR_INLINE(tls_crypt_v2_file);
1735 }
1736
1737
1738 static void
1739 show_connection_entries(const struct options *o)
1740 {
1741 if (o->connection_list)
1742 {
1743 const struct connection_list *l = o->connection_list;
1744 int i;
1745 for (i = 0; i < l->len; ++i)
1746 {
1747 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1748 show_connection_entry(l->array[i]);
1749 }
1750 }
1751 else
1752 {
1753 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1754 show_connection_entry(&o->ce);
1755 }
1756 msg(D_SHOW_PARMS, "Connection profiles END");
1757 }
1758
1759 static void
1760 show_pull_filter_list(const struct pull_filter_list *l)
1761 {
1762 struct pull_filter *f;
1763 if (!l)
1764 {
1765 return;
1766 }
1767
1768 msg(D_SHOW_PARMS, " Pull filters:");
1769 for (f = l->head; f; f = f->next)
1770 {
1771 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1772 }
1773 }
1774
1775 #endif /* ifndef ENABLE_SMALL */
1776
1777 void
1778 show_settings(const struct options *o)
1779 {
1780 #ifndef ENABLE_SMALL
1781 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1782
1783 SHOW_STR(config);
1784
1785 SHOW_INT(mode);
1786
1787 #ifdef ENABLE_FEATURE_TUN_PERSIST
1788 SHOW_BOOL(persist_config);
1789 SHOW_INT(persist_mode);
1790 #endif
1791
1792 SHOW_BOOL(show_ciphers);
1793 SHOW_BOOL(show_digests);
1794 SHOW_BOOL(show_engines);
1795 SHOW_BOOL(genkey);
1796 SHOW_STR(genkey_filename);
1797 SHOW_STR(key_pass_file);
1798 SHOW_BOOL(show_tls_ciphers);
1799
1800 SHOW_INT(connect_retry_max);
1801 show_connection_entries(o);
1802
1803 SHOW_BOOL(remote_random);
1804
1805 SHOW_STR(ipchange);
1806 SHOW_STR(dev);
1807 SHOW_STR(dev_type);
1808 SHOW_STR(dev_node);
1809 #if defined(ENABLE_DCO)
1810 SHOW_BOOL(tuntap_options.disable_dco);
1811 #endif
1812 SHOW_STR(lladdr);
1813 SHOW_INT(topology);
1814 SHOW_STR(ifconfig_local);
1815 SHOW_STR(ifconfig_remote_netmask);
1816 SHOW_BOOL(ifconfig_noexec);
1817 SHOW_BOOL(ifconfig_nowarn);
1818 SHOW_STR(ifconfig_ipv6_local);
1819 SHOW_INT(ifconfig_ipv6_netbits);
1820 SHOW_STR(ifconfig_ipv6_remote);
1821
1822 SHOW_INT(shaper);
1823 SHOW_INT(mtu_test);
1824
1825 SHOW_BOOL(mlock);
1826
1827 SHOW_INT(keepalive_ping);
1828 SHOW_INT(keepalive_timeout);
1829 SHOW_INT(inactivity_timeout);
1830 SHOW_INT(session_timeout);
1831 SHOW_INT64(inactivity_minimum_bytes);
1832 SHOW_INT(ping_send_timeout);
1833 SHOW_INT(ping_rec_timeout);
1834 SHOW_INT(ping_rec_timeout_action);
1835 SHOW_BOOL(ping_timer_remote);
1836 SHOW_INT(remap_sigusr1);
1837 SHOW_BOOL(persist_tun);
1838 SHOW_BOOL(persist_local_ip);
1839 SHOW_BOOL(persist_remote_ip);
1840 SHOW_BOOL(persist_key);
1841
1842 #if PASSTOS_CAPABILITY
1843 SHOW_BOOL(passtos);
1844 #endif
1845
1846 SHOW_INT(resolve_retry_seconds);
1847 SHOW_BOOL(resolve_in_advance);
1848
1849 SHOW_STR(username);
1850 SHOW_STR(groupname);
1851 SHOW_STR(chroot_dir);
1852 SHOW_STR(cd_dir);
1853 #ifdef ENABLE_SELINUX
1854 SHOW_STR(selinux_context);
1855 #endif
1856 SHOW_STR(writepid);
1857 SHOW_STR(up_script);
1858 SHOW_STR(down_script);
1859 SHOW_BOOL(down_pre);
1860 SHOW_BOOL(up_restart);
1861 SHOW_BOOL(up_delay);
1862 SHOW_BOOL(daemon);
1863 SHOW_BOOL(log);
1864 SHOW_BOOL(suppress_timestamps);
1865 SHOW_BOOL(machine_readable_output);
1866 SHOW_INT(nice);
1867 SHOW_INT(verbosity);
1868 SHOW_INT(mute);
1869 #ifdef ENABLE_DEBUG
1870 SHOW_INT(gremlin);
1871 #endif
1872 SHOW_STR(status_file);
1873 SHOW_INT(status_file_version);
1874 SHOW_INT(status_file_update_freq);
1875
1876 SHOW_BOOL(occ);
1877 SHOW_INT(rcvbuf);
1878 SHOW_INT(sndbuf);
1879 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1880 SHOW_INT(mark);
1881 #endif
1882 SHOW_INT(sockflags);
1883
1884 SHOW_BOOL(fast_io);
1885
1886 #ifdef USE_COMP
1887 SHOW_INT(comp.alg);
1888 SHOW_INT(comp.flags);
1889 #endif
1890
1891 SHOW_STR(route_script);
1892 SHOW_STR(route_default_gateway);
1893 SHOW_INT(route_default_metric);
1894 SHOW_BOOL(route_noexec);
1895 SHOW_INT(route_delay);
1896 SHOW_INT(route_delay_window);
1897 SHOW_BOOL(route_delay_defined);
1898 SHOW_BOOL(route_nopull);
1899 SHOW_BOOL(route_gateway_via_dhcp);
1900 SHOW_BOOL(allow_pull_fqdn);
1901 show_pull_filter_list(o->pull_filter_list);
1902
1903 if (o->routes)
1904 {
1905 print_route_options(o->routes, D_SHOW_PARMS);
1906 }
1907
1908 if (o->client_nat)
1909 {
1910 print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1911 }
1912
1913 show_dns_options(&o->dns_options);
1914
1915 #ifdef ENABLE_MANAGEMENT
1916 SHOW_STR(management_addr);
1917 SHOW_STR(management_port);
1918 SHOW_STR(management_user_pass);
1919 SHOW_INT(management_log_history_cache);
1920 SHOW_INT(management_echo_buffer_size);
1921 SHOW_STR(management_client_user);
1922 SHOW_STR(management_client_group);
1923 SHOW_INT(management_flags);
1924 #endif
1925 #ifdef ENABLE_PLUGIN
1926 if (o->plugin_list)
1927 {
1928 plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1929 }
1930 #endif
1931
1932 SHOW_STR_INLINE(shared_secret_file);
1933 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1934 SHOW_STR(ciphername);
1935 SHOW_STR(ncp_ciphers);
1936 SHOW_STR(authname);
1937 #ifndef ENABLE_CRYPTO_MBEDTLS
1938 SHOW_BOOL(engine);
1939 #endif /* ENABLE_CRYPTO_MBEDTLS */
1940 SHOW_BOOL(replay);
1941 SHOW_BOOL(mute_replay_warnings);
1942 SHOW_INT(replay_window);
1943 SHOW_INT(replay_time);
1944 SHOW_STR(packet_id_file);
1945 SHOW_BOOL(test_crypto);
1946 #ifdef ENABLE_PREDICTION_RESISTANCE
1947 SHOW_BOOL(use_prediction_resistance);
1948 #endif
1949
1950 SHOW_BOOL(tls_server);
1951 SHOW_BOOL(tls_client);
1952 SHOW_STR_INLINE(ca_file);
1953 SHOW_STR(ca_path);
1954 SHOW_STR_INLINE(dh_file);
1955 #ifdef ENABLE_MANAGEMENT
1956 if ((o->management_flags & MF_EXTERNAL_CERT))
1957 {
1958 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1959 }
1960 else
1961 #endif
1962 SHOW_STR_INLINE(cert_file);
1963 SHOW_STR_INLINE(extra_certs_file);
1964
1965 #ifdef ENABLE_MANAGEMENT
1966 if ((o->management_flags & MF_EXTERNAL_KEY))
1967 {
1968 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1969 }
1970 else
1971 #endif
1972 SHOW_STR_INLINE(priv_key_file);
1973 #ifndef ENABLE_CRYPTO_MBEDTLS
1974 SHOW_STR_INLINE(pkcs12_file);
1975 #endif
1976 #ifdef ENABLE_CRYPTOAPI
1977 SHOW_STR(cryptoapi_cert);
1978 #endif
1979 SHOW_STR(cipher_list);
1980 SHOW_STR(cipher_list_tls13);
1981 SHOW_STR(tls_cert_profile);
1982 SHOW_STR(tls_verify);
1983 SHOW_STR(tls_export_cert);
1984 SHOW_INT(verify_x509_type);
1985 SHOW_STR(verify_x509_name);
1986 SHOW_STR_INLINE(crl_file);
1987 SHOW_INT(ns_cert_type);
1988 {
1989 int i;
1990 for (i = 0; i<MAX_PARMS; i++)
1991 {
1992 SHOW_INT(remote_cert_ku[i]);
1993 }
1994 }
1995 SHOW_STR(remote_cert_eku);
1996 if (o->verify_hash)
1997 {
1998 SHOW_INT(verify_hash_algo);
1999 SHOW_INT(verify_hash_depth);
2000 struct gc_arena gc = gc_new();
2001 struct verify_hash_list *hl = o->verify_hash;
2002 int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
2003 SHA256_DIGEST_LENGTH;
2004 while (hl)
2005 {
2006 char *s = format_hex_ex(hl->hash, digest_len, 0,
2007 1, ":", &gc);
2008 SHOW_PARM(verify_hash, s, "%s");
2009 hl = hl->next;
2010 }
2011 gc_free(&gc);
2012 }
2013 SHOW_INT(ssl_flags);
2014
2015 SHOW_INT(tls_timeout);
2016
2017 SHOW_INT(renegotiate_bytes);
2018 SHOW_INT(renegotiate_packets);
2019 SHOW_INT(renegotiate_seconds);
2020
2021 SHOW_INT(handshake_window);
2022 SHOW_INT(transition_window);
2023
2024 SHOW_BOOL(single_session);
2025 SHOW_BOOL(push_peer_info);
2026 SHOW_BOOL(tls_exit);
2027
2028 SHOW_STR(tls_crypt_v2_metadata);
2029
2030 #ifdef ENABLE_PKCS11
2031 {
2032 int i;
2033 for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
2034 {
2035 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
2036 }
2037 }
2038 {
2039 int i;
2040 for (i = 0; i<MAX_PARMS; i++)
2041 {
2042 SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
2043 }
2044 }
2045 {
2046 int i;
2047 for (i = 0; i<MAX_PARMS; i++)
2048 {
2049 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
2050 }
2051 }
2052 {
2053 int i;
2054 for (i = 0; i<MAX_PARMS; i++)
2055 {
2056 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
2057 }
2058 }
2059 SHOW_INT(pkcs11_pin_cache_period);
2060 SHOW_STR(pkcs11_id);
2061 SHOW_BOOL(pkcs11_id_management);
2062 #endif /* ENABLE_PKCS11 */
2063
2064 show_p2mp_parms(o);
2065
2066 #ifdef _WIN32
2067 SHOW_BOOL(show_net_up);
2068 SHOW_INT(route_method);
2069 SHOW_BOOL(block_outside_dns);
2070 show_tuntap_options(&o->tuntap_options);
2071 #endif
2072 #endif /* ifndef ENABLE_SMALL */
2073 }
2074
2075 #undef SHOW_PARM
2076 #undef SHOW_STR
2077 #undef SHOW_INT
2078 #undef SHOW_BOOL
2079
2080 #ifdef ENABLE_MANAGEMENT
2081
2082 static struct http_proxy_options *
2083 parse_http_proxy_override(const char *server,
2084 const char *port,
2085 const char *flags,
2086 const int msglevel,
2087 struct gc_arena *gc)
2088 {
2089 if (server && port)
2090 {
2091 struct http_proxy_options *ho;
2092 ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
2093 ho->server = string_alloc(server, gc);
2094 ho->port = port;
2095 if (flags && !strcmp(flags, "nct"))
2096 {
2097 ho->auth_retry = PAR_NCT;
2098 }
2099 else
2100 {
2101 ho->auth_retry = PAR_ALL;
2102 }
2103 ho->http_version = "1.0";
2104 ho->user_agent = "OpenVPN-Autoproxy/1.0";
2105 return ho;
2106 }
2107 else
2108 {
2109 return NULL;
2110 }
2111 }
2112
2113 static void
2114 options_postprocess_http_proxy_override(struct options *o)
2115 {
2116 const struct connection_list *l = o->connection_list;
2117 int i;
2118 bool succeed = false;
2119 for (i = 0; i < l->len; ++i)
2120 {
2121 struct connection_entry *ce = l->array[i];
2122 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2123 {
2124 ce->http_proxy_options = o->http_proxy_override;
2125 succeed = true;
2126 }
2127 }
2128 if (succeed)
2129 {
2130 for (i = 0; i < l->len; ++i)
2131 {
2132 struct connection_entry *ce = l->array[i];
2133 if (ce->proto == PROTO_UDP)
2134 {
2135 ce->flags |= CE_DISABLED;
2136 }
2137 }
2138 }
2139 else
2140 {
2141 msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2142 }
2143 }
2144
2145 #endif /* ifdef ENABLE_MANAGEMENT */
2146
2147 static struct connection_list *
2148 alloc_connection_list_if_undef(struct options *options)
2149 {
2150 if (!options->connection_list)
2151 {
2152 ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
2153 }
2154 return options->connection_list;
2155 }
2156
2157 static struct connection_entry *
2158 alloc_connection_entry(struct options *options, const int msglevel)
2159 {
2160 struct connection_list *l = alloc_connection_list_if_undef(options);
2161 struct connection_entry *e;
2162
2163 if (l->len >= CONNECTION_LIST_SIZE)
2164 {
2165 msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
2166 return NULL;
2167 }
2168 ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2169 l->array[l->len++] = e;
2170 return e;
2171 }
2172
2173 static struct remote_list *
2174 alloc_remote_list_if_undef(struct options *options)
2175 {
2176 if (!options->remote_list)
2177 {
2178 ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2179 }
2180 return options->remote_list;
2181 }
2182
2183 static struct remote_entry *
2184 alloc_remote_entry(struct options *options, const int msglevel)
2185 {
2186 struct remote_list *l = alloc_remote_list_if_undef(options);
2187 struct remote_entry *e;
2188
2189 if (l->len >= CONNECTION_LIST_SIZE)
2190 {
2191 msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
2192 return NULL;
2193 }
2194 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2195 l->array[l->len++] = e;
2196 return e;
2197 }
2198
2199 static struct pull_filter_list *
2200 alloc_pull_filter_list(struct options *o)
2201 {
2202 if (!o->pull_filter_list)
2203 {
2204 ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2205 }
2206 return o->pull_filter_list;
2207 }
2208
2209 static struct pull_filter *
2210 alloc_pull_filter(struct options *o, const int msglevel)
2211 {
2212 struct pull_filter_list *l = alloc_pull_filter_list(o);
2213 struct pull_filter *f;
2214
2215 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2216 if (l->head)
2217 {
2218 ASSERT(l->tail);
2219 l->tail->next = f;
2220 }
2221 else
2222 {
2223 ASSERT(!l->tail);
2224 l->head = f;
2225 }
2226 l->tail = f;
2227 return f;
2228 }
2229
2230 static void
2231 connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2232 {
2233 if (re->remote)
2234 {
2235 ce->remote = re->remote;
2236 }
2237 if (re->remote_port)
2238 {
2239 ce->remote_port = re->remote_port;
2240 }
2241 if (re->proto >= 0)
2242 {
2243 ce->proto = re->proto;
2244 }
2245 if (re->af > 0)
2246 {
2247 ce->af = re->af;
2248 }
2249 }
2250
2251 static void
2252 connection_entry_preload_key(const char **key_file, bool *key_inline,
2253 struct gc_arena *gc)
2254 {
2255 if (key_file && *key_file && !(*key_inline))
2256 {
2257 struct buffer in = buffer_read_from_file(*key_file, gc);
2258 if (!buf_valid(&in))
2259 {
2260 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2261 }
2262
2263 *key_file = (const char *) in.data;
2264 *key_inline = true;
2265 }
2266 }
2267
2268 static void
2269 check_ca_required(const struct options *options)
2270 {
2271 if (options->verify_hash_no_ca
2272 || options->pkcs12_file
2273 || options->ca_file
2274 #ifndef ENABLE_CRYPTO_MBEDTLS
2275 || options->ca_path
2276 #endif
2277 )
2278 {
2279 return;
2280 }
2281
2282 const char *const str = "You must define CA file (--ca)"
2283 #ifndef ENABLE_CRYPTO_MBEDTLS
2284 " or CA path (--capath)"
2285 #endif
2286 " and/or peer fingerprint verification (--peer-fingerprint)";
2287 msg(M_USAGE, str);
2288 }
2289
2290 static void
2291 options_postprocess_verify_ce(const struct options *options,
2292 const struct connection_entry *ce)
2293 {
2294 struct options defaults;
2295 int dev = DEV_TYPE_UNDEF;
2296 bool pull = false;
2297
2298 init_options(&defaults, true);
2299
2300 if (options->test_crypto)
2301 {
2302 notnull(options->shared_secret_file, "key file (--secret)");
2303 }
2304 else
2305 {
2306 notnull(options->dev, "TUN/TAP device (--dev)");
2307 }
2308
2309 /*
2310 * Get tun/tap/null device type
2311 */
2312 dev = dev_type_enum(options->dev, options->dev_type);
2313
2314 /*
2315 * If "proto tcp" is specified, make sure we know whether it is
2316 * tcp-client or tcp-server.
2317 */
2318 if (ce->proto == PROTO_TCP)
2319 {
2320 msg(M_USAGE,
2321 "--proto tcp is ambiguous in this context. Please specify "
2322 "--proto tcp-server or --proto tcp-client");
2323 }
2324
2325 if (options->lladdr && dev != DEV_TYPE_TAP)
2326 {
2327 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2328 }
2329
2330 /*
2331 * Sanity check on MTU parameters
2332 */
2333 if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2334 {
2335 msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2336 }
2337
2338 if (!proto_is_udp(ce->proto) && options->mtu_test)
2339 {
2340 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2341 }
2342
2343 /* will we be pulling options from server? */
2344 pull = options->pull;
2345
2346 /*
2347 * Sanity check on --local, --remote, and --ifconfig
2348 */
2349
2350 if (proto_is_net(ce->proto)
2351 && string_defined_equal(ce->local, ce->remote)
2352 && string_defined_equal(ce->local_port, ce->remote_port))
2353 {
2354 msg(M_USAGE, "--remote and --local addresses are the same");
2355 }
2356
2357 if (string_defined_equal(ce->remote, options->ifconfig_local)
2358 || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2359 {
2360 msg(M_USAGE,
2361 "--local and --remote addresses must be distinct from --ifconfig "
2362 "addresses");
2363 }
2364
2365 if (string_defined_equal(ce->local, options->ifconfig_local)
2366 || string_defined_equal(ce->local, options->ifconfig_remote_netmask))
2367 {
2368 msg(M_USAGE,
2369 "--local addresses must be distinct from --ifconfig addresses");
2370 }
2371
2372 if (string_defined_equal(options->ifconfig_local,
2373 options->ifconfig_remote_netmask))
2374 {
2375 msg(M_USAGE,
2376 "local and remote/netmask --ifconfig addresses must be different");
2377 }
2378
2379 if (ce->bind_defined && !ce->bind_local)
2380 {
2381 msg(M_USAGE, "--bind and --nobind can't be used together");
2382 }
2383
2384 if (ce->local && !ce->bind_local)
2385 {
2386 msg(M_USAGE,
2387 "--local and --nobind don't make sense when used together");
2388 }
2389
2390 if (ce->local_port_defined && !ce->bind_local)
2391 {
2392 msg(M_USAGE,
2393 "--lport and --nobind don't make sense when used together");
2394 }
2395
2396 if (!ce->remote && !ce->bind_local)
2397 {
2398 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2399 }
2400
2401 /*
2402 * Check for consistency of management options
2403 */
2404 #ifdef ENABLE_MANAGEMENT
2405 if (!options->management_addr
2406 && (options->management_flags
2407 || options->management_log_history_cache != defaults.management_log_history_cache))
2408 {
2409 msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2410 }
2411
2412 if ((options->management_client_user || options->management_client_group)
2413 && !(options->management_flags & MF_UNIX_SOCK))
2414 {
2415 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2416 }
2417
2418 if (options->management_addr
2419 && !(options->management_flags & MF_UNIX_SOCK)
2420 && (!options->management_user_pass))
2421 {
2422 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2423 "passwords is STRONGLY discouraged and considered insecure");
2424 }
2425
2426 #endif /* ifdef ENABLE_MANAGEMENT */
2427
2428 #if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER)
2429 if ((tls_version_max() >= TLS_VER_1_3)
2430 && (options->management_flags & MF_EXTERNAL_KEY)
2431 && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2432 )
2433 {
2434 msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2435 "nopadding argument/support");
2436 }
2437 #endif
2438 /*
2439 * Windows-specific options.
2440 */
2441
2442 #ifdef _WIN32
2443 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2444 {
2445 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2446 }
2447
2448 if ((options->tuntap_options.ip_win32_defined)
2449 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2450 {
2451 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2452 }
2453
2454 if (options->tuntap_options.dhcp_options
2455 && options->windows_driver != WINDOWS_DRIVER_WINTUN
2456 && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2457 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2458 {
2459 msg(M_USAGE, "--dhcp-option requires --ip-win32 dynamic or adaptive");
2460 }
2461
2462 if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
2463 {
2464 msg(M_USAGE, "--windows-driver wintun requires --dev tun");
2465 }
2466 #endif /* ifdef _WIN32 */
2467
2468 /*
2469 * Check that protocol options make sense.
2470 */
2471
2472 #ifdef ENABLE_FRAGMENT
2473 if (!proto_is_udp(ce->proto) && ce->fragment)
2474 {
2475 msg(M_USAGE, "--fragment can only be used with --proto udp");
2476 }
2477 #endif
2478
2479 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2480 {
2481 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2482 }
2483
2484 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2485 {
2486 msg(M_USAGE,
2487 "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2488 "tcp-client)");
2489 }
2490
2491 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2492 {
2493 msg(M_USAGE,
2494 "--http-proxy not specified but other http proxy options present");
2495 }
2496
2497 if (ce->http_proxy_options && ce->socks_proxy_server)
2498 {
2499 msg(M_USAGE,
2500 "--http-proxy can not be used together with --socks-proxy");
2501 }
2502
2503 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2504 {
2505 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2506 }
2507
2508 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2509 {
2510 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2511 }
2512
2513 /*
2514 * Check consistency of --mode server options.
2515 */
2516 if (options->mode == MODE_SERVER)
2517 {
2518 #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
2519 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2520 #ifdef TARGET_ANDROID
2521 msg(M_FATAL, "--mode server not supported on Android");
2522 #endif
2523 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2524 {
2525 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2526 }
2527 if (options->pull)
2528 {
2529 msg(M_USAGE, "--pull cannot be used with --mode server");
2530 }
2531 if (options->pull_filter_list)
2532 {
2533 msg(M_WARN, "--pull-filter ignored for --mode server");
2534 }
2535 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2536 {
2537 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2538 }
2539 #if PORT_SHARE
2540 if ((options->port_share_host || options->port_share_port)
2541 && (ce->proto != PROTO_TCP_SERVER))
2542 {
2543 msg(M_USAGE, "--port-share only works in TCP server mode "
2544 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2545 }
2546 #endif
2547 if (!options->tls_server)
2548 {
2549 msg(M_USAGE, "--mode server requires --tls-server");
2550 }
2551 if (ce->remote)
2552 {
2553 msg(M_USAGE, "--remote cannot be used with --mode server");
2554 }
2555 if (!ce->bind_local)
2556 {
2557 msg(M_USAGE, "--nobind cannot be used with --mode server");
2558 }
2559 if (ce->http_proxy_options)
2560 {
2561 msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2562 }
2563 if (ce->socks_proxy_server)
2564 {
2565 msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2566 }
2567 /* <connection> blocks force to have a remote embedded, so we check
2568 * for the --remote and bail out if it is present
2569 */
2570 if (options->connection_list->len >1
2571 || options->connection_list->array[0]->remote)
2572 {
2573 msg(M_USAGE, "<connection> cannot be used with --mode server");
2574 }
2575
2576 if (options->shaper)
2577 {
2578 msg(M_USAGE, "--shaper cannot be used with --mode server");
2579 }
2580 if (options->ipchange)
2581 {
2582 msg(M_USAGE,
2583 "--ipchange cannot be used with --mode server (use "
2584 "--client-connect instead)");
2585 }
2586 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2587 {
2588 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2589 }
2590 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2591 {
2592 msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2593 }
2594 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2595 {
2596 msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2597 }
2598 if (options->routes && (options->routes->flags & RG_ENABLE))
2599 {
2600 msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2601 }
2602 if (options->route_delay_defined)
2603 {
2604 msg(M_USAGE, "--route-delay cannot be used with --mode server");
2605 }
2606 if (options->up_delay)
2607 {
2608 msg(M_USAGE, "--up-delay cannot be used with --mode server");
2609 }
2610 if (!options->ifconfig_pool_defined
2611 && !options->ifconfig_ipv6_pool_defined
2612 && options->ifconfig_pool_persist_filename)
2613 {
2614 msg(M_USAGE,
2615 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2616 }
2617 if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2618 {
2619 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2620 }
2621 if (options->allow_recursive_routing)
2622 {
2623 msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2624 }
2625 if (options->auth_user_pass_file)
2626 {
2627 msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2628 }
2629 if (options->ccd_exclusive && !options->client_config_dir)
2630 {
2631 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2632 }
2633 if (options->auth_token_generate && !options->renegotiate_seconds)
2634 {
2635 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2636 "--renegotiate_seconds setting");
2637 }
2638 if (options->auth_token_generate && options->auth_token_renewal
2639 && options->auth_token_renewal < 2 * options->handshake_window)
2640 {
2641 msg(M_USAGE, "--auth-gen-token renewal time needs to be at least "
2642 " two times --hand-window (%d).",
2643 options->handshake_window);
2644
2645 }
2646 {
2647 const bool ccnr = (options->auth_user_pass_verify_script
2648 || PLUGIN_OPTION_LIST(options)
2649 || MAN_CLIENT_AUTH_ENABLED(options));
2650 const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2651 if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
2652 {
2653 msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2654 }
2655 if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2656 {
2657 msg(M_USAGE, "--username-as-common-name %s", postfix);
2658 }
2659 if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2660 {
2661 msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2662 }
2663 }
2664
2665 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2666 {
2667 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2668 }
2669 if (!options->vlan_tagging)
2670 {
2671 if (options->vlan_accept != defaults.vlan_accept)
2672 {
2673 msg(M_USAGE, "--vlan-accept requires --vlan-tagging");
2674 }
2675 if (options->vlan_pvid != defaults.vlan_pvid)
2676 {
2677 msg(M_USAGE, "--vlan-pvid requires --vlan-tagging");
2678 }
2679 }
2680 }
2681 else
2682 {
2683 /*
2684 * When not in server mode, err if parameters are
2685 * specified which require --mode server.
2686 */
2687 if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2688 {
2689 msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2690 }
2691 if (options->ifconfig_ipv6_pool_defined)
2692 {
2693 msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2694 }
2695 if (options->real_hash_size != defaults.real_hash_size
2696 || options->virtual_hash_size != defaults.virtual_hash_size)
2697 {
2698 msg(M_USAGE, "--hash-size requires --mode server");
2699 }
2700 if (options->learn_address_script)
2701 {
2702 msg(M_USAGE, "--learn-address requires --mode server");
2703 }
2704 if (options->client_connect_script)
2705 {
2706 msg(M_USAGE, "--client-connect requires --mode server");
2707 }
2708 if (options->client_crresponse_script)
2709 {
2710 msg(M_USAGE, "--client-crresponse requires --mode server");
2711 }
2712 if (options->client_disconnect_script)
2713 {
2714 msg(M_USAGE, "--client-disconnect requires --mode server");
2715 }
2716 if (options->client_config_dir || options->ccd_exclusive)
2717 {
2718 msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2719 }
2720 if (options->enable_c2c)
2721 {
2722 msg(M_USAGE, "--client-to-client requires --mode server");
2723 }
2724 if (options->duplicate_cn)
2725 {
2726 msg(M_USAGE, "--duplicate-cn requires --mode server");
2727 }
2728 if (options->cf_max || options->cf_per)
2729 {
2730 msg(M_USAGE, "--connect-freq requires --mode server");
2731 }
2732 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2733 {
2734 msg(M_USAGE, "--verify-client-cert requires --mode server");
2735 }
2736 if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2737 {
2738 msg(M_USAGE, "--username-as-common-name requires --mode server");
2739 }
2740 if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2741 {
2742 msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2743 }
2744 if (options->ssl_flags & SSLF_OPT_VERIFY)
2745 {
2746 msg(M_USAGE, "--opt-verify requires --mode server");
2747 }
2748 if (options->server_flags & SF_TCP_NODELAY_HELPER)
2749 {
2750 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2751 "affect the server. To have TCP_NODELAY in both direction use "
2752 "tcp-nodelay in the server configuration instead.");
2753 }
2754 if (options->auth_user_pass_verify_script)
2755 {
2756 msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2757 }
2758 if (options->auth_token_generate)
2759 {
2760 msg(M_USAGE, "--auth-gen-token requires --mode server");
2761 }
2762 #if PORT_SHARE
2763 if (options->port_share_host || options->port_share_port)
2764 {
2765 msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2766 }
2767 #endif
2768
2769 if (options->stale_routes_check_interval)
2770 {
2771 msg(M_USAGE, "--stale-routes-check requires --mode server");
2772 }
2773
2774 if (options->vlan_tagging)
2775 {
2776 msg(M_USAGE, "--vlan-tagging requires --mode server");
2777 }
2778 }
2779
2780 /*
2781 * Check consistency of replay options
2782 */
2783 if (!options->replay
2784 && (options->replay_window != defaults.replay_window
2785 || options->replay_time != defaults.replay_time))
2786 {
2787 msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2788 }
2789
2790 /*
2791 * SSL/TLS mode sanity checks.
2792 */
2793 if (options->tls_server + options->tls_client
2794 +(options->shared_secret_file != NULL) > 1)
2795 {
2796 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2797 }
2798
2799 if (!options->tls_server && !options->tls_client)
2800 {
2801 msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in "
2802 "configuration detected. OpenVPN 2.7 will remove the "
2803 "functionality to run a VPN without TLS. "
2804 "See the examples section in the manual page for "
2805 "examples of a similar quick setup with peer-fingerprint.");
2806 }
2807
2808 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2809 {
2810 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2811 "--verify-client-cert none|optional "
2812 "may accept clients which do not present a certificate");
2813 }
2814
2815 const int tls_version_max =
2816 (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
2817 & SSLF_TLS_VERSION_MAX_MASK;
2818 const int tls_version_min =
2819 (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
2820 & SSLF_TLS_VERSION_MIN_MASK;
2821
2822 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2823 {
2824 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2825 }
2826
2827 if (options->tls_server || options->tls_client)
2828 {
2829 check_ca_required(options);
2830 #ifdef ENABLE_PKCS11
2831 if (options->pkcs11_providers[0])
2832 {
2833 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2834 {
2835 msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2836 }
2837 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2838 {
2839 msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2840 }
2841 if (options->cert_file)
2842 {
2843 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2844 }
2845 if (options->priv_key_file)
2846 {
2847 msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2848 }
2849 #ifdef ENABLE_MANAGEMENT
2850 if (options->management_flags & MF_EXTERNAL_KEY)
2851 {
2852 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2853 }
2854 if (options->management_flags & MF_EXTERNAL_CERT)
2855 {
2856 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2857 }
2858 #endif
2859 if (options->pkcs12_file)
2860 {
2861 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2862 }
2863 #ifdef ENABLE_CRYPTOAPI
2864 if (options->cryptoapi_cert)
2865 {
2866 msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2867 }
2868 #endif
2869 }
2870 else
2871 #endif /* ifdef ENABLE_PKCS11 */
2872 #ifdef ENABLE_MANAGEMENT
2873 if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2874 {
2875 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2876 }
2877 else if ((options->management_flags & MF_EXTERNAL_CERT))
2878 {
2879 if (options->cert_file)
2880 {
2881 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2882 }
2883 else if (!(options->management_flags & MF_EXTERNAL_KEY))
2884 {
2885 msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2886 }
2887 }
2888 else
2889 #endif
2890 #ifdef ENABLE_CRYPTOAPI
2891 if (options->cryptoapi_cert)
2892 {
2893 if (options->cert_file)
2894 {
2895 msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2896 }
2897 if (options->priv_key_file)
2898 {
2899 msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2900 }
2901 if (options->pkcs12_file)
2902 {
2903 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2904 }
2905 #ifdef ENABLE_MANAGEMENT
2906 if (options->management_flags & MF_EXTERNAL_KEY)
2907 {
2908 msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2909 }
2910 if (options->management_flags & MF_EXTERNAL_CERT)
2911 {
2912 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2913 }
2914 #endif
2915 }
2916 else
2917 #endif /* ifdef ENABLE_CRYPTOAPI */
2918 if (options->pkcs12_file)
2919 {
2920 #ifdef ENABLE_CRYPTO_MBEDTLS
2921 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2922 #else
2923 if (options->ca_path)
2924 {
2925 msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2926 }
2927 if (options->cert_file)
2928 {
2929 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2930 }
2931 if (options->priv_key_file)
2932 {
2933 msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2934 }
2935 #ifdef ENABLE_MANAGEMENT
2936 if (options->management_flags & MF_EXTERNAL_KEY)
2937 {
2938 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2939 }
2940 if (options->management_flags & MF_EXTERNAL_CERT)
2941 {
2942 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2943 }
2944 #endif
2945 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2946 }
2947 else
2948 {
2949 #ifdef ENABLE_CRYPTO_MBEDTLS
2950 if (options->ca_path)
2951 {
2952 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2953 }
2954 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2955 if (pull)
2956 {
2957
2958 const int sum =
2959 #ifdef ENABLE_MANAGEMENT
2960 ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2961 +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2962 #else
2963 (options->cert_file != NULL) + (options->priv_key_file != NULL);
2964 #endif
2965
2966 if (sum == 0)
2967 {
2968 if (!options->auth_user_pass_file)
2969 {
2970 msg(M_USAGE, "No client-side authentication method is "
2971 "specified. You must use either "
2972 "--cert/--key, --pkcs12, or "
2973 "--auth-user-pass");
2974 }
2975 }
2976 else if (sum != 2)
2977 {
2978 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2979 }
2980 }
2981 else
2982 {
2983 #ifdef ENABLE_MANAGEMENT
2984 if (!(options->management_flags & MF_EXTERNAL_CERT))
2985 #endif
2986 notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2987 #ifdef ENABLE_MANAGEMENT
2988 if (!(options->management_flags & MF_EXTERNAL_KEY))
2989 #endif
2990 notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2991 }
2992 }
2993 if (ce->tls_auth_file && ce->tls_crypt_file)
2994 {
2995 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2996 }
2997 if (options->tls_client && ce->tls_crypt_v2_file
2998 && (ce->tls_auth_file || ce->tls_crypt_file))
2999 {
3000 msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
3001 }
3002 }
3003 else
3004 {
3005 /*
3006 * Make sure user doesn't specify any TLS options
3007 * when in non-TLS mode.
3008 */
3009
3010 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
3011 }
3012
3013 const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
3014
3015 MUST_BE_UNDEF(ca_file);
3016 MUST_BE_UNDEF(ca_path);
3017 MUST_BE_UNDEF(dh_file);
3018 MUST_BE_UNDEF(cert_file);
3019 MUST_BE_UNDEF(priv_key_file);
3020 #ifndef ENABLE_CRYPTO_MBEDTLS
3021 MUST_BE_UNDEF(pkcs12_file);
3022 #endif
3023 MUST_BE_UNDEF(cipher_list);
3024 MUST_BE_UNDEF(cipher_list_tls13);
3025 MUST_BE_UNDEF(tls_cert_profile);
3026 MUST_BE_UNDEF(tls_verify);
3027 MUST_BE_UNDEF(tls_export_cert);
3028 MUST_BE_UNDEF(verify_x509_name);
3029 MUST_BE_UNDEF(tls_timeout);
3030 MUST_BE_UNDEF(renegotiate_bytes);
3031 MUST_BE_UNDEF(renegotiate_packets);
3032 MUST_BE_UNDEF(renegotiate_seconds);
3033 MUST_BE_UNDEF(handshake_window);
3034 MUST_BE_UNDEF(transition_window);
3035 MUST_BE_UNDEF(tls_auth_file);
3036 MUST_BE_UNDEF(tls_crypt_file);
3037 MUST_BE_UNDEF(tls_crypt_v2_file);
3038 MUST_BE_UNDEF(single_session);
3039 MUST_BE_UNDEF(push_peer_info);
3040 MUST_BE_UNDEF(tls_exit);
3041 MUST_BE_UNDEF(crl_file);
3042 MUST_BE_UNDEF(ns_cert_type);
3043 MUST_BE_UNDEF(remote_cert_ku[0]);
3044 MUST_BE_UNDEF(remote_cert_eku);
3045 #ifdef ENABLE_PKCS11
3046 MUST_BE_UNDEF(pkcs11_providers[0]);
3047 MUST_BE_UNDEF(pkcs11_private_mode[0]);
3048 MUST_BE_UNDEF(pkcs11_id);
3049 MUST_BE_UNDEF(pkcs11_id_management);
3050 #endif
3051
3052 if (pull)
3053 {
3054 msg(M_USAGE, err, "--pull");
3055 }
3056 }
3057 #undef MUST_BE_UNDEF
3058
3059 if (options->auth_user_pass_file && !options->pull)
3060 {
3061 msg(M_USAGE, "--auth-user-pass requires --pull");
3062 }
3063
3064 uninit_options(&defaults);
3065 }
3066
3067 static void
3068 options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
3069 {
3070 const int dev = dev_type_enum(o->dev, o->dev_type);
3071
3072 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3073 {
3074 if (ce->proto == PROTO_TCP)
3075 {
3076 ce->proto = PROTO_TCP_SERVER;
3077 }
3078 }
3079
3080 if (o->client)
3081 {
3082 if (ce->proto == PROTO_TCP)
3083 {
3084 ce->proto = PROTO_TCP_CLIENT;
3085 }
3086 }
3087
3088 /* an option is present that requires local bind to enabled */
3089 bool need_bind = ce->local || ce->local_port_defined || ce->bind_defined;
3090
3091 /* socks proxy is enabled */
3092 bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
3093
3094 /* If binding is not forced by an explicit option and we have (at least)
3095 * one of --tcp-client, --pull (or --client), or socks we do not bind
3096 * locally to have "normal" IP client behaviour of a random source port */
3097 if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
3098 {
3099 ce->bind_local = false;
3100 }
3101
3102 if (!ce->bind_local)
3103 {
3104 ce->local_port = NULL;
3105 }
3106
3107 /* if protocol forcing is enabled, disable all protocols
3108 * except for the forced one
3109 */
3110 if (o->proto_force >= 0 && o->proto_force != ce->proto)
3111 {
3112 ce->flags |= CE_DISABLED;
3113 }
3114
3115 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
3116 * so fall back to IPv4-only (trac #1221)
3117 */
3118 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
3119 {
3120 if (ce->af == AF_INET6)
3121 {
3122 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
3123 "'--socks-proxy' today. Forcing IPv4 mode." );
3124 }
3125 else
3126 {
3127 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
3128 "work correctly with '--socks-proxy' today. Forcing IPv4." );
3129 }
3130 ce->af = AF_INET;
3131 }
3132
3133 /*
3134 * Set MTU defaults
3135 */
3136 {
3137 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
3138 {
3139 ce->tun_mtu_defined = true;
3140 }
3141 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3142 {
3143 ce->tun_mtu_extra_defined = true;
3144 ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
3145 }
3146 }
3147
3148 /*
3149 * If --mssfix is supplied without a parameter or not specified at all,
3150 * default it to --fragment value, if --fragment is specified and otherwise
3151 * to the default if tun-mtu is 1500
3152 */
3153 if (o->ce.mssfix_default)
3154 {
3155 #ifdef ENABLE_FRAGMENT
3156 if (ce->fragment)
3157 {
3158 ce->mssfix = ce->fragment;
3159 }
3160 else
3161 #endif
3162 if (ce->tun_mtu_defined)
3163 {
3164 if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3165 {
3166 /* We want to only set mssfix default value if we use a default
3167 * MTU Size, otherwise the different size of tun should either
3168 * already solve the problem or mssfix might artifically make the
3169 * payload packets smaller without mssfix 0 */
3170 ce->mssfix = MSSFIX_DEFAULT;
3171 ce->mssfix_encap = true;
3172 }
3173 else
3174 {
3175 /* We still apply the mssfix value but only adjust it to the
3176 * size of the tun interface. */
3177 ce->mssfix = ce->tun_mtu;
3178 ce->mssfix_fixed = true;
3179 }
3180 }
3181 }
3182
3183 /*
3184 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3185 *
3186 * At the end only one of these will be really set because the parser
3187 * logic prevents configurations where more are set.
3188 */
3189 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3190 {
3191 ce->tls_auth_file = o->tls_auth_file;
3192 ce->tls_auth_file_inline = o->tls_auth_file_inline;
3193 ce->key_direction = o->key_direction;
3194
3195 ce->tls_crypt_file = o->tls_crypt_file;
3196 ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3197
3198 ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3199 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3200 }
3201
3202 /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
3203 * keys were not already embedded in the config file.
3204 */
3205 if (o->persist_key)
3206 {
3207 connection_entry_preload_key(&ce->tls_auth_file,
3208 &ce->tls_auth_file_inline, &o->gc);
3209 connection_entry_preload_key(&ce->tls_crypt_file,
3210 &ce->tls_crypt_file_inline, &o->gc);
3211 connection_entry_preload_key(&ce->tls_crypt_v2_file,
3212 &ce->tls_crypt_v2_file_inline, &o->gc);
3213 }
3214
3215 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3216 {
3217 msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3218 ce->explicit_exit_notification = 0;
3219 }
3220 }
3221
3222 #ifdef _WIN32
3223 /* If iservice is in use, we need def1 method for redirect-gateway */
3224 static void
3225 remap_redirect_gateway_flags(struct options *opt)
3226 {
3227 if (opt->routes
3228 && opt->route_method == ROUTE_METHOD_SERVICE
3229 && opt->routes->flags & RG_REROUTE_GW
3230 && !(opt->routes->flags & RG_DEF1))
3231 {
3232 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3233 opt->routes->flags |= RG_DEF1;
3234 }
3235 }
3236 #endif
3237
3238 /*
3239 * Save/Restore certain option defaults before --pull is applied.
3240 */
3241
3242 static void
3243 pre_connect_save(struct options *o)
3244 {
3245 ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3246 o->pre_connect->tuntap_options = o->tuntap_options;
3247 o->pre_connect->tuntap_options_defined = true;
3248 o->pre_connect->foreign_option_index = o->foreign_option_index;
3249
3250 if (o->routes)
3251 {
3252 o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3253 o->pre_connect->routes_defined = true;
3254 }
3255 if (o->routes_ipv6)
3256 {
3257 o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3258 o->pre_connect->routes_ipv6_defined = true;
3259 }
3260 if (o->client_nat)
3261 {
3262 o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3263 o->pre_connect->client_nat_defined = true;
3264 }
3265
3266 o->pre_connect->route_default_gateway = o->route_default_gateway;
3267 o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3268
3269 o->pre_connect->dns_options = clone_dns_options(o->dns_options, &o->gc);
3270
3271 /* NCP related options that can be overwritten by a push */
3272 o->pre_connect->ciphername = o->ciphername;
3273 o->pre_connect->authname = o->authname;
3274
3275 /* Ping related options should be reset to the config values on reconnect */
3276 o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3277 o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3278 o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3279
3280 /* Miscellaneous Options */
3281 #ifdef USE_COMP
3282 o->pre_connect->comp = o->comp;
3283 #endif
3284 }
3285
3286 void
3287 pre_connect_restore(struct options *o, struct gc_arena *gc)
3288 {
3289 const struct options_pre_connect *pp = o->pre_connect;
3290 if (pp)
3291 {
3292 CLEAR(o->tuntap_options);
3293 if (pp->tuntap_options_defined)
3294 {
3295 o->tuntap_options = pp->tuntap_options;
3296 }
3297
3298 if (pp->routes_defined)
3299 {
3300 rol_check_alloc(o);
3301 copy_route_option_list(o->routes, pp->routes, gc);
3302 }
3303 else
3304 {
3305 o->routes = NULL;
3306 }
3307
3308 if (pp->routes_ipv6_defined)
3309 {
3310 rol6_check_alloc(o);
3311 copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3312 }
3313 else
3314 {
3315 o->routes_ipv6 = NULL;
3316 }
3317
3318 o->route_default_gateway = pp->route_default_gateway;
3319 o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3320
3321 /* Free DNS options and reset them to pre-pull state */
3322 gc_free(&o->dns_options.gc);
3323 struct gc_arena dns_gc = gc_new();
3324 o->dns_options = clone_dns_options(pp->dns_options, &dns_gc);
3325 o->dns_options.gc = dns_gc;
3326
3327 if (pp->client_nat_defined)
3328 {
3329 cnol_check_alloc(o);
3330 copy_client_nat_option_list(o->client_nat, pp->client_nat);
3331 }
3332 else
3333 {
3334 o->client_nat = NULL;
3335 }
3336
3337 o->foreign_option_index = pp->foreign_option_index;
3338
3339 o->ciphername = pp->ciphername;
3340 o->authname = pp->authname;
3341
3342 o->ping_rec_timeout = pp->ping_rec_timeout;
3343 o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3344 o->ping_send_timeout = pp->ping_send_timeout;
3345
3346 /* Miscellaneous Options */
3347 #ifdef USE_COMP
3348 o->comp = pp->comp;
3349 #endif
3350 }
3351
3352 o->push_continuation = 0;
3353 o->push_option_types_found = 0;
3354 o->imported_protocol_flags = 0;
3355 }
3356
3357 static void
3358 options_postprocess_mutate_invariant(struct options *options)
3359 {
3360 #ifdef _WIN32
3361 const int dev = dev_type_enum(options->dev, options->dev_type);
3362
3363 /* when using wintun/ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3364 if ((options->windows_driver == WINDOWS_DRIVER_WINTUN
3365 || options->windows_driver == WINDOWS_DRIVER_DCO)
3366 && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3367 || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3368 {
3369 options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3370 }
3371
3372 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3373 {
3374 /* delay may only be necessary when we perform DHCP handshake */
3375 const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3376 || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3377 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3378 {
3379 options->route_delay_defined = true;
3380 options->route_delay = 5; /* Vista sometimes has a race without this */
3381 }
3382 }
3383
3384 if (options->ifconfig_noexec)
3385 {
3386 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3387 options->ifconfig_noexec = false;
3388 }
3389
3390 remap_redirect_gateway_flags(options);
3391
3392 /*
3393 * Check consistency of --mode server options.
3394 */
3395 if (options->mode == MODE_SERVER)
3396 {
3397 /*
3398 * We need to explicitly set --tap-sleep because
3399 * we do not schedule event timers in the top-level context.
3400 */
3401 options->tuntap_options.tap_sleep = 10;
3402 if (options->route_delay_defined && options->route_delay)
3403 {
3404 options->tuntap_options.tap_sleep = options->route_delay;
3405 }
3406 options->route_delay_defined = false;
3407 }
3408 #endif /* ifdef _WIN32 */
3409
3410 #ifdef DEFAULT_PKCS11_MODULE
3411 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3412 * by default if the user asks for PKCS#11 without otherwise specifying
3413 * the module to use. */
3414 if (!options->pkcs11_providers[0]
3415 && (options->pkcs11_id || options->pkcs11_id_management))
3416 {
3417 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3418 }
3419 #endif
3420 }
3421
3422 static void
3423 options_postprocess_verify(const struct options *o)
3424 {
3425 if (o->connection_list)
3426 {
3427 int i;
3428 for (i = 0; i < o->connection_list->len; ++i)
3429 {
3430 options_postprocess_verify_ce(o, o->connection_list->array[i]);
3431 }
3432 }
3433 else
3434 {
3435 options_postprocess_verify_ce(o, &o->ce);
3436 }
3437
3438 dns_options_verify(M_FATAL, &o->dns_options);
3439
3440 if (dco_enabled(o) && o->enable_c2c)
3441 {
3442 msg(M_WARN, "Note: --client-to-client has no effect when using data "
3443 "channel offload: packets are always sent to the VPN "
3444 "interface and then routed based on the system routing table");
3445 }
3446 }
3447
3448 /**
3449 * Checks for availibility of Chacha20-Poly1305 and sets
3450 * the ncp_cipher to either AES-256-GCM:AES-128-GCM or
3451 * AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305.
3452 */
3453 static void
3454 options_postprocess_setdefault_ncpciphers(struct options *o)
3455 {
3456 if (o->ncp_ciphers)
3457 {
3458 /* custom --data-ciphers set, keep list */
3459 return;
3460 }
3461
3462 /* check if crypto library supports chacha */
3463 bool can_do_chacha = cipher_valid("CHACHA20-POLY1305");
3464
3465 if (can_do_chacha && dco_enabled(o))
3466 {
3467 /* also make sure that dco supports chacha */
3468 can_do_chacha = tls_item_in_cipher_list("CHACHA20-POLY1305", dco_get_supported_ciphers());
3469 }
3470
3471 if (can_do_chacha)
3472 {
3473 o->ncp_ciphers = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
3474 }
3475 else
3476 {
3477 o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
3478 }
3479 }
3480
3481 static void
3482 options_postprocess_cipher(struct options *o)
3483 {
3484 if (!o->pull && !(o->mode == MODE_SERVER))
3485 {
3486 /* If the cipher is not set, use the old default of BF-CBC. We will
3487 * warn that this is deprecated on cipher initialisation, no need
3488 * to warn here as well */
3489 if (!o->ciphername)
3490 {
3491 o->ciphername = "BF-CBC";
3492 }
3493 else
3494 {
3495 o->enable_ncp_fallback = true;
3496 }
3497 return;
3498 }
3499
3500 /* pull or P2MP mode */
3501 if (!o->ciphername)
3502 {
3503 /* We still need to set the ciphername to BF-CBC since various other
3504 * parts of OpenVPN assert that the ciphername is set */
3505 o->ciphername = "BF-CBC";
3506
3507 msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
3508 "defaulted to BF-CBC as fallback when cipher negotiation "
3509 "failed in this case. If you need this fallback please add "
3510 "'--data-ciphers-fallback BF-CBC' to your configuration "
3511 "and/or add BF-CBC to --data-ciphers.");
3512 }
3513 else if (!o->enable_ncp_fallback
3514 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3515 {
3516 msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3517 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3518 "negotiations. ",
3519 o->ciphername, o->ncp_ciphers);
3520 }
3521 }
3522
3523 /**
3524 * The option --compat-mode is used to set up default settings to values
3525 * used on the specified openvpn version and earlier.
3526 *
3527 * This function is used in various "default option" paths to test if the
3528 * user requested compatibility with a version before the one specified
3529 * as argument. This way some default settings can be automatically
3530 * altered to guarantee compatibility with the version specified by the
3531 * user via --compat-mode.
3532 *
3533 * @param version need compatibility with openvpn versions before the
3534 * one specified (20401 = before 2.4.1)
3535 * @return whether compatibility should be enabled
3536 */
3537 static bool
3538 need_compatibility_before(const struct options *o, unsigned int version)
3539 {
3540 return o->backwards_compatible != 0 && o->backwards_compatible < version;
3541 }
3542
3543 /**
3544 * Changes default values so that OpenVPN can be compatible with the user
3545 * specified version
3546 */
3547 static void
3548 options_set_backwards_compatible_options(struct options *o)
3549 {
3550 /* TLS min version is not set */
3551 int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
3552 & SSLF_TLS_VERSION_MIN_MASK;
3553 if (tls_ver_min == 0)
3554 {
3555 int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
3556 & SSLF_TLS_VERSION_MAX_MASK;
3557 if (need_compatibility_before(o, 20307))
3558 {
3559 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3560 o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3561 }
3562 else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3563 {
3564 /* Use TLS 1.2 as proper default */
3565 o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3566 }
3567 else
3568 {
3569 /* Maximize the minimum version */
3570 o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3571 }
3572 }
3573
3574 if (need_compatibility_before(o, 20400))
3575 {
3576 if (!o->ciphername)
3577 {
3578 /* If ciphername is not set default to BF-CBC when targeting these
3579 * old versions that do not have NCP */
3580 o->ciphername = "BF-CBC";
3581 }
3582 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3583 * not have OCC strings required for "poor man's NCP" */
3584 o->enable_ncp_fallback = true;
3585 }
3586
3587 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3588 * Version 2.4 probably does not need it but NCP was not so
3589 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3590 * Only do this iff --cipher is set (explicitly or by compat mode
3591 * < 2.4.0, see above). This is not 100% correct backwards compatible
3592 * behaviour but 2.5 already behaved like this */
3593 if (o->ciphername && need_compatibility_before(o, 20500)
3594 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3595 {
3596 append_cipher_to_ncp_list(o, o->ciphername);
3597 }
3598
3599 #ifdef USE_COMP
3600 /* Compression is deprecated and we do not want to announce support for it
3601 * by default anymore, additionally DCO breaks with compression.
3602 *
3603 * Disable compression by default starting with 2.6.0 if no other
3604 * compression related option has been explicitly set */
3605 if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600)
3606 && (o->comp.flags == 0))
3607 {
3608 o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
3609 }
3610 #endif
3611 }
3612
3613 static void
3614 options_postprocess_mutate(struct options *o, struct env_set *es)
3615 {
3616 int i;
3617 /*
3618 * Process helper-type options which map to other, more complex
3619 * sequences of options.
3620 */
3621 helper_client_server(o);
3622 helper_keepalive(o);
3623 helper_tcp_nodelay(o);
3624
3625 options_postprocess_setdefault_ncpciphers(o);
3626 options_set_backwards_compatible_options(o);
3627
3628 options_postprocess_cipher(o);
3629 o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3630 if (o->ncp_ciphers == NULL)
3631 {
3632 msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3633 }
3634
3635 if (o->remote_list && !o->connection_list)
3636 {
3637 /*
3638 * Convert remotes into connection list
3639 */
3640 const struct remote_list *rl = o->remote_list;
3641 for (i = 0; i < rl->len; ++i)
3642 {
3643 const struct remote_entry *re = rl->array[i];
3644 struct connection_entry ce = o->ce;
3645 struct connection_entry *ace;
3646
3647 ASSERT(re->remote);
3648 connection_entry_load_re(&ce, re);
3649 ace = alloc_connection_entry(o, M_USAGE);
3650 ASSERT(ace);
3651 *ace = ce;
3652 }
3653 }
3654 else if (!o->remote_list && !o->connection_list)
3655 {
3656 struct connection_entry *ace;
3657 ace = alloc_connection_entry(o, M_USAGE);
3658 ASSERT(ace);
3659 *ace = o->ce;
3660 }
3661
3662 ASSERT(o->connection_list);
3663 for (i = 0; i < o->connection_list->len; ++i)
3664 {
3665 options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3666 }
3667
3668 if (o->tls_server)
3669 {
3670 /* Check that DH file is specified, or explicitly disabled */
3671 notnull(o->dh_file, "DH file (--dh)");
3672 if (streq(o->dh_file, "none"))
3673 {
3674 o->dh_file = NULL;
3675 }
3676 }
3677 else if (o->dh_file)
3678 {
3679 /* DH file is only meaningful in a tls-server context. */
3680 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3681 "include this in your server configuration");
3682 o->dh_file = NULL;
3683 }
3684 #if ENABLE_MANAGEMENT
3685 if (o->http_proxy_override)
3686 {
3687 options_postprocess_http_proxy_override(o);
3688 }
3689 #endif
3690 if (!o->ca_file && !o->ca_path && o->verify_hash
3691 && o->verify_hash_depth == 0)
3692 {
3693 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3694 "option set). ");
3695 o->verify_hash_no_ca = true;
3696 }
3697
3698 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3699 {
3700 msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3701 "incompatible with each other.");
3702 }
3703
3704 if (dco_enabled(o))
3705 {
3706 /* check if any option should force disabling DCO */
3707 o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o)
3708 || !dco_check_startup_option(D_DCO, o);
3709 }
3710
3711 #ifdef _WIN32
3712 if (dco_enabled(o))
3713 {
3714 o->windows_driver = WINDOWS_DRIVER_DCO;
3715 }
3716 else
3717 {
3718 if (o->windows_driver == WINDOWS_DRIVER_DCO)
3719 {
3720 msg(M_WARN, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3721 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3722 }
3723 else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED)
3724 {
3725 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3726 }
3727 }
3728 #endif
3729
3730 if (dco_enabled(o) && o->dev_node)
3731 {
3732 msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3733 "data channel offload");
3734 o->dev_node = NULL;
3735 }
3736
3737 /* this depends on o->windows_driver, which is set above */
3738 options_postprocess_mutate_invariant(o);
3739
3740 /*
3741 * Save certain parms before modifying options during connect, especially
3742 * when using --pull
3743 */
3744 if (o->pull)
3745 {
3746 dns_options_preprocess_pull(&o->dns_options);
3747 }
3748 else
3749 {
3750 #if defined(_WIN32) || defined(TARGET_ANDROID)
3751 tuntap_options_copy_dns(o);
3752 #else
3753 foreign_options_copy_dns(o, es);
3754 #endif
3755 }
3756 if (o->auth_token_generate && !o->auth_token_renewal)
3757 {
3758 o->auth_token_renewal = o->renegotiate_seconds;
3759 }
3760 pre_connect_save(o);
3761 }
3762
3763 /*
3764 * Check file/directory sanity
3765 *
3766 */
3767 #ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */
3768
3769 #define CHKACC_FILE (1<<0) /** Check for a file/directory presence */
3770 #define CHKACC_DIRPATH (1<<1) /** Check for directory presence where a file should reside */
3771 #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */
3772 #define CHKACC_ACPTSTDIN (1<<3) /** If filename is stdin, it's allowed and "exists" */
3773 #define CHKACC_PRIVATE (1<<4) /** Warn if this (private) file is group/others accessible */
3774
3775 static bool
3776 check_file_access(const int type, const char *file, const int mode, const char *opt)
3777 {
3778 int errcode = 0;
3779
3780 /* If no file configured, no errors to look for */
3781 if (!file)
3782 {
3783 return false;
3784 }
3785
3786 /* If stdin is allowed and the file name is 'stdin', then do no
3787 * further checks as stdin is always available
3788 */
3789 if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3790 {
3791 return false;
3792 }
3793
3794 /* Is the directory path leading to the given file accessible? */
3795 if (type & CHKACC_DIRPATH)
3796 {
3797 char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3798 char *dirpath = dirname(fullpath);
3799
3800 if (platform_access(dirpath, mode|X_OK) != 0)
3801 {
3802 errcode = errno;
3803 }
3804 free(fullpath);
3805 }
3806
3807 /* Is the file itself accessible? */
3808 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3809 {
3810 errcode = errno;
3811 }
3812
3813 /* If the file exists and is accessible, is it writable? */
3814 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3815 {
3816 if (platform_access(file, W_OK) != 0)
3817 {
3818 errcode = errno;
3819 }
3820 }
3821
3822 /* Warn if a given private file is group/others accessible. */
3823 if (type & CHKACC_PRIVATE)
3824 {
3825 platform_stat_t st;
3826 if (platform_stat(file, &st))
3827 {
3828 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3829 }
3830 #ifndef _WIN32
3831 else
3832 {
3833 if (st.st_mode & (S_IRWXG|S_IRWXO))
3834 {
3835 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3836 }
3837 }
3838 #endif
3839 }
3840
3841 /* Scream if an error is found */
3842 if (errcode > 0)
3843 {
3844 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3845 }
3846
3847 /* Return true if an error occurred */
3848 return (errcode != 0 ? true : false);
3849 }
3850
3851 /* A wrapper for check_file_access() which also takes a chroot directory.
3852 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3853 * otherwise it will look for the file inside the given chroot directory instead.
3854 */
3855 static bool
3856 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3857 {
3858 bool ret = false;
3859
3860 /* If no file configured, no errors to look for */
3861 if (!file)
3862 {
3863 return false;
3864 }
3865
3866 /* If chroot is set, look for the file/directory inside the chroot */
3867 if (chroot)
3868 {
3869 struct gc_arena gc = gc_new();
3870 struct buffer chroot_file;
3871
3872 chroot_file = prepend_dir(chroot, file, &gc);
3873 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3874 gc_free(&gc);
3875 }
3876 else
3877 {
3878 /* No chroot in play, just call core file check function */
3879 ret = check_file_access(type, file, mode, opt);
3880 }
3881 return ret;
3882 }
3883
3884 /**
3885 * A wrapper for check_file_access_chroot() that returns false immediately if
3886 * the file is inline (and therefore there is no access to check)
3887 */
3888 static bool
3889 check_file_access_chroot_inline(bool is_inline, const char *chroot,
3890 const int type, const char *file,
3891 const int mode, const char *opt)
3892 {
3893 if (is_inline)
3894 {
3895 return false;
3896 }
3897
3898 return check_file_access_chroot(chroot, type, file, mode, opt);
3899 }
3900
3901 /**
3902 * A wrapper for check_file_access() that returns false immediately if the file
3903 * is inline (and therefore there is no access to check)
3904 */
3905 static bool
3906 check_file_access_inline(bool is_inline, const int type, const char *file,
3907 const int mode, const char *opt)
3908 {
3909 if (is_inline)
3910 {
3911 return false;
3912 }
3913
3914 return check_file_access(type, file, mode, opt);
3915 }
3916
3917 /*
3918 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3919 * valid file with appropriate permissions.
3920 *
3921 * "command" consists of a path, optionally followed by a space, which may be
3922 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3923 * performed.
3924 *
3925 * The path and arguments in "command" may be single- or double-quoted or escaped.
3926 *
3927 * The path is extracted from "command", then check_file_access() is called to check it. The
3928 * arguments, if any, are ignored.
3929 *
3930 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3931 * check_file_access() arguments.
3932 */
3933 static bool
3934 check_cmd_access(const char *command, const char *opt, const char *chroot)
3935 {
3936 struct argv argv;
3937 bool return_code;
3938
3939 /* If no command was set, there are no errors to look for */
3940 if (!command)
3941 {
3942 return false;
3943 }
3944
3945 /* Extract executable path and arguments */
3946 argv = argv_new();
3947 argv_parse_cmd(&argv, command);
3948
3949 /* if an executable is specified then check it; otherwise, complain */
3950 if (argv.argv[0])
3951 {
3952 /* Scripts requires R_OK as well, but that might fail on binaries which
3953 * only requires X_OK to function on Unix - a scenario not unlikely to
3954 * be seen on suid binaries.
3955 */
3956 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
3957 }
3958 else
3959 {
3960 msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
3961 opt, command);
3962 return_code = true;
3963 }
3964
3965 argv_free(&argv);
3966
3967 return return_code;
3968 }
3969
3970 /*
3971 * Sanity check of all file/dir options. Checks that file/dir
3972 * is accessible by OpenVPN
3973 */
3974 static void
3975 options_postprocess_filechecks(struct options *options)
3976 {
3977 bool errs = false;
3978
3979 /* ** SSL/TLS/crypto related files ** */
3980 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
3981 options->dh_file, R_OK, "--dh");
3982
3983 if (!options->verify_hash_no_ca)
3984 {
3985 errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
3986 options->ca_file, R_OK, "--ca");
3987 }
3988
3989 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
3990 options->ca_path, R_OK, "--capath");
3991
3992 errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE,
3993 options->cert_file, R_OK, "--cert");
3994
3995 errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
3996 options->extra_certs_file, R_OK,
3997 "--extra-certs");
3998
3999 #ifdef ENABLE_MANAGMENT
4000 if (!(options->management_flags & MF_EXTERNAL_KEY))
4001 #endif
4002 {
4003 errs |= check_file_access_inline(options->priv_key_file_inline,
4004 CHKACC_FILE|CHKACC_PRIVATE,
4005 options->priv_key_file, R_OK, "--key");
4006 }
4007
4008 errs |= check_file_access_inline(options->pkcs12_file_inline,
4009 CHKACC_FILE|CHKACC_PRIVATE,
4010 options->pkcs12_file, R_OK, "--pkcs12");
4011
4012 if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
4013 {
4014 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4015 options->crl_file, R_OK|X_OK,
4016 "--crl-verify directory");
4017 }
4018 else
4019 {
4020 errs |= check_file_access_chroot_inline(options->crl_file_inline,
4021 options->chroot_dir,
4022 CHKACC_FILE, options->crl_file,
4023 R_OK, "--crl-verify");
4024 }
4025
4026 ASSERT(options->connection_list);
4027 for (int i = 0; i < options->connection_list->len; ++i)
4028 {
4029 struct connection_entry *ce = options->connection_list->array[i];
4030
4031 errs |= check_file_access_inline(ce->tls_auth_file_inline,
4032 CHKACC_FILE|CHKACC_PRIVATE,
4033 ce->tls_auth_file, R_OK,
4034 "--tls-auth");
4035 errs |= check_file_access_inline(ce->tls_crypt_file_inline,
4036 CHKACC_FILE|CHKACC_PRIVATE,
4037 ce->tls_crypt_file, R_OK,
4038 "--tls-crypt");
4039 errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline,
4040 CHKACC_FILE|CHKACC_PRIVATE,
4041 ce->tls_crypt_v2_file, R_OK,
4042 "--tls-crypt-v2");
4043 }
4044
4045 errs |= check_file_access_inline(options->shared_secret_file_inline,
4046 CHKACC_FILE|CHKACC_PRIVATE,
4047 options->shared_secret_file, R_OK,
4048 "--secret");
4049
4050 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
4051 options->packet_id_file, R_OK|W_OK, "--replay-persist");
4052
4053 /* ** Password files ** */
4054 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4055 options->key_pass_file, R_OK, "--askpass");
4056 #ifdef ENABLE_MANAGEMENT
4057 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4058 options->management_user_pass, R_OK,
4059 "--management user/password file");
4060 #endif /* ENABLE_MANAGEMENT */
4061 errs |= check_file_access_inline(options->auth_user_pass_file_inline,
4062 CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4063 options->auth_user_pass_file, R_OK,
4064 "--auth-user-pass");
4065 /* ** System related ** */
4066 errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
4067 R_OK|X_OK, "--chroot directory");
4068 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
4069 R_OK|W_OK, "--writepid");
4070
4071 /* ** Log related ** */
4072 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
4073 R_OK|W_OK, "--status");
4074
4075 /* ** Config related ** */
4076 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
4077 R_OK|W_OK|X_OK, "--tls-export-cert");
4078 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4079 R_OK|X_OK, "--client-config-dir");
4080 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4081 R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
4082
4083 if (errs)
4084 {
4085 msg(M_USAGE, "Please correct these errors.");
4086 }
4087 }
4088 #endif /* !ENABLE_SMALL */
4089
4090 /*
4091 * Sanity check on options.
4092 * Also set some options based on other
4093 * options.
4094 */
4095 void
4096 options_postprocess(struct options *options, struct env_set *es)
4097 {
4098 options_postprocess_mutate(options, es);
4099 options_postprocess_verify(options);
4100 #ifndef ENABLE_SMALL
4101 options_postprocess_filechecks(options);
4102 #endif /* !ENABLE_SMALL */
4103 }
4104
4105 /*
4106 * Sanity check on options after more options were pulled from server.
4107 * Also time to modify some options based on other options.
4108 */
4109 bool
4110 options_postprocess_pull(struct options *o, struct env_set *es)
4111 {
4112 bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4113 if (success)
4114 {
4115 dns_options_postprocess_pull(&o->dns_options);
4116 setenv_dns_options(&o->dns_options, es);
4117 #if defined(_WIN32) || defined(TARGET_ANDROID)
4118 tuntap_options_copy_dns(o);
4119 #else
4120 foreign_options_copy_dns(o, es);
4121 #endif
4122 }
4123 return success;
4124 }
4125
4126 /*
4127 * Build an options string to represent data channel encryption options.
4128 * This string must match exactly between peers. The keysize is checked
4129 * separately by read_key().
4130 *
4131 * The following options must match on both peers:
4132 *
4133 * Tunnel options:
4134 *
4135 * --dev tun|tap [unit number need not match]
4136 * --dev-type tun|tap
4137 * --link-mtu
4138 * --udp-mtu
4139 * --tun-mtu
4140 * --proto udp
4141 * --proto tcp-client [matched with --proto tcp-server
4142 * on the other end of the connection]
4143 * --proto tcp-server [matched with --proto tcp-client on
4144 * the other end of the connection]
4145 * --tun-ipv6
4146 * --ifconfig x y [matched with --ifconfig y x on
4147 * the other end of the connection]
4148 *
4149 * --comp-lzo
4150 * --compress alg
4151 * --fragment
4152 *
4153 * Crypto Options:
4154 *
4155 * --cipher
4156 * --auth
4157 * --keysize
4158 * --secret
4159 * --no-replay
4160 *
4161 * SSL Options:
4162 *
4163 * --tls-auth
4164 * --tls-client [matched with --tls-server on
4165 * the other end of the connection]
4166 * --tls-server [matched with --tls-client on
4167 * the other end of the connection]
4168 */
4169 char *
4170 options_string(const struct options *o,
4171 const struct frame *frame,
4172 struct tuntap *tt,
4173 openvpn_net_ctx_t *ctx,
4174 bool remote,
4175 struct gc_arena *gc)
4176 {
4177 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4178 bool tt_local = false;
4179
4180 buf_printf(&out, "V4");
4181
4182 /*
4183 * Tunnel Options
4184 */
4185
4186 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4187 /* the link-mtu that we send has only a meaning if have a fixed
4188 * cipher (p2p) or have a fallback cipher configured for older non
4189 * ncp clients. But not sending it will make even 2.4 complain
4190 * about it being missing. So still send it. */
4191 buf_printf(&out, ",link-mtu %u",
4192 (unsigned int) calc_options_string_link_mtu(o, frame));
4193
4194 if (o->ce.occ_mtu != 0)
4195 {
4196 buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4197 }
4198 else
4199 {
4200 buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4201 }
4202
4203 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4204
4205 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4206 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4207 * is usually pushed by the server, triggering a non-helpful warning
4208 */
4209 if (o->ifconfig_ipv6_local && p2p_nopull)
4210 {
4211 buf_printf(&out, ",tun-ipv6");
4212 }
4213
4214 /*
4215 * Try to get ifconfig parameters into the options string.
4216 * If tt is undefined, make a temporary instantiation.
4217 */
4218 if (!tt)
4219 {
4220 tt = init_tun(o->dev,
4221 o->dev_type,
4222 o->topology,
4223 o->ifconfig_local,
4224 o->ifconfig_remote_netmask,
4225 o->ifconfig_ipv6_local,
4226 o->ifconfig_ipv6_netbits,
4227 o->ifconfig_ipv6_remote,
4228 NULL,
4229 NULL,
4230 false,
4231 NULL,
4232 ctx,
4233 NULL);
4234 if (tt)
4235 {
4236 tt_local = true;
4237 }
4238 }
4239
4240 if (tt && p2p_nopull)
4241 {
4242 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4243 if (ios && strlen(ios))
4244 {
4245 buf_printf(&out, ",ifconfig %s", ios);
4246 }
4247 }
4248 if (tt_local)
4249 {
4250 free(tt);
4251 tt = NULL;
4252 }
4253
4254 #ifdef USE_COMP
4255 if (o->comp.alg != COMP_ALG_UNDEF)
4256 {
4257 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
4258 }
4259 #endif
4260
4261 #ifdef ENABLE_FRAGMENT
4262 if (o->ce.fragment)
4263 {
4264 buf_printf(&out, ",mtu-dynamic");
4265 }
4266 #endif
4267
4268 #define TLS_CLIENT (o->tls_client)
4269 #define TLS_SERVER (o->tls_server)
4270
4271 /*
4272 * Key direction
4273 */
4274 {
4275 const char *kd = keydirection2ascii(o->key_direction, remote, false);
4276 if (kd)
4277 {
4278 buf_printf(&out, ",keydir %s", kd);
4279 }
4280 }
4281
4282 /*
4283 * Crypto Options
4284 */
4285 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4286 {
4287 struct key_type kt;
4288
4289 ASSERT((o->shared_secret_file != NULL)
4290 + (TLS_CLIENT == true)
4291 + (TLS_SERVER == true)
4292 <= 1);
4293
4294 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4295 * to work here in the default configuration */
4296 const char *ciphername = o->ciphername;
4297 int keysize = 0;
4298
4299 if (strcmp(o->ciphername, "BF-CBC") == 0)
4300 {
4301 init_key_type(&kt, "none", o->authname, true, false);
4302 keysize = 128;
4303 }
4304 else
4305 {
4306 init_key_type(&kt, o->ciphername, o->authname, true, false);
4307 ciphername = cipher_kt_name(kt.cipher);
4308 if (cipher_defined(o->ciphername))
4309 {
4310 keysize = cipher_kt_key_size(kt.cipher) * 8;
4311 }
4312 }
4313 /* Only announce the cipher to our peer if we are willing to
4314 * support it */
4315 if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4316 {
4317 buf_printf(&out, ",cipher %s", ciphername);
4318 }
4319 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4320 buf_printf(&out, ",keysize %d", keysize);
4321 if (o->shared_secret_file)
4322 {
4323 buf_printf(&out, ",secret");
4324 }
4325 if (!o->replay)
4326 {
4327 buf_printf(&out, ",no-replay");
4328 }
4329
4330 #ifdef ENABLE_PREDICTION_RESISTANCE
4331 if (o->use_prediction_resistance)
4332 {
4333 buf_printf(&out, ",use-prediction-resistance");
4334 }
4335 #endif
4336 }
4337
4338 /*
4339 * SSL Options
4340 */
4341 {
4342 if (TLS_CLIENT || TLS_SERVER)
4343 {
4344 if (o->ce.tls_auth_file)
4345 {
4346 buf_printf(&out, ",tls-auth");
4347 }
4348 /* Not adding tls-crypt here, because we won't reach this code if
4349 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4350 * break stuff, so leaving that in place. */
4351
4352 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4353 }
4354
4355 if (remote)
4356 {
4357 if (TLS_CLIENT)
4358 {
4359 buf_printf(&out, ",tls-server");
4360 }
4361 else if (TLS_SERVER)
4362 {
4363 buf_printf(&out, ",tls-client");
4364 }
4365 }
4366 else
4367 {
4368 if (TLS_CLIENT)
4369 {
4370 buf_printf(&out, ",tls-client");
4371 }
4372 else if (TLS_SERVER)
4373 {
4374 buf_printf(&out, ",tls-server");
4375 }
4376 }
4377 }
4378
4379 #undef TLS_CLIENT
4380 #undef TLS_SERVER
4381
4382 return BSTR(&out);
4383 }
4384
4385 /*
4386 * Compare option strings for equality.
4387 * If the first two chars of the strings differ, it means that
4388 * we are looking at different versions of the options string,
4389 * therefore don't compare them and return true.
4390 */
4391
4392 bool
4393 options_cmp_equal(char *actual, const char *expected)
4394 {
4395 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4396 }
4397
4398 void
4399 options_warning(char *actual, const char *expected)
4400 {
4401 options_warning_safe(actual, expected, strlen(actual) + 1);
4402 }
4403
4404 static const char *
4405 options_warning_extract_parm1(const char *option_string,
4406 struct gc_arena *gc_ret)
4407 {
4408 struct gc_arena gc = gc_new();
4409 struct buffer b = string_alloc_buf(option_string, &gc);
4410 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4411 const char *ret;
4412
4413 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4414 ret = string_alloc(p, gc_ret);
4415 gc_free(&gc);
4416 return ret;
4417 }
4418
4419 static void
4420 options_warning_safe_scan2(const int msglevel,
4421 const int delim,
4422 const bool report_inconsistent,
4423 const char *p1,
4424 const struct buffer *b2_src,
4425 const char *b1_name,
4426 const char *b2_name)
4427 {
4428 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4429 * OCC in a future version (because it's not useful). To reduce questions
4430 * when interoperating, we no longer printing a warning about it.
4431 */
4432 if (strprefix(p1, "key-method ")
4433 || strprefix(p1, "keydir ")
4434 || strprefix(p1, "proto ")
4435 || streq(p1, "tls-auth")
4436 || strprefix(p1, "tun-ipv6")
4437 || strprefix(p1, "cipher "))
4438 {
4439 return;
4440 }
4441
4442 if (strlen(p1) > 0)
4443 {
4444 struct gc_arena gc = gc_new();
4445 struct buffer b2 = *b2_src;
4446 const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4447 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4448
4449 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4450 {
4451 if (strlen(p2))
4452 {
4453 const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4454
4455 if (!strcmp(p1, p2))
4456 {
4457 goto done;
4458 }
4459 if (!strcmp(p1_prefix, p2_prefix))
4460 {
4461 if (report_inconsistent)
4462 {
4463 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4464 safe_print(p1_prefix, &gc),
4465 b1_name,
4466 safe_print(p1, &gc),
4467 b2_name,
4468 safe_print(p2, &gc));
4469 }
4470 goto done;
4471 }
4472 }
4473 }
4474
4475 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4476 safe_print(p1_prefix, &gc),
4477 b1_name,
4478 b2_name,
4479 b1_name,
4480 safe_print(p1, &gc));
4481
4482 done:
4483 gc_free(&gc);
4484 }
4485 }
4486
4487 static void
4488 options_warning_safe_scan1(const int msglevel,
4489 const int delim,
4490 const bool report_inconsistent,
4491 const struct buffer *b1_src,
4492 const struct buffer *b2_src,
4493 const char *b1_name,
4494 const char *b2_name)
4495 {
4496 struct gc_arena gc = gc_new();
4497 struct buffer b = *b1_src;
4498 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4499
4500 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4501 {
4502 options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4503 }
4504
4505 gc_free(&gc);
4506 }
4507
4508 static void
4509 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4510 {
4511 struct gc_arena gc = gc_new();
4512
4513 if (actual_n > 0)
4514 {
4515 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4516 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4517 actual[actual_n - 1] = 0;
4518
4519 buf_printf(&local, "version %s", expected);
4520 buf_printf(&remote, "version %s", actual);
4521
4522 options_warning_safe_scan1(msglevel, ',', true,
4523 &local, &remote,
4524 "local", "remote");
4525
4526 options_warning_safe_scan1(msglevel, ',', false,
4527 &remote, &local,
4528 "remote", "local");
4529 }
4530
4531 gc_free(&gc);
4532 }
4533
4534 bool
4535 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4536 {
4537 struct gc_arena gc = gc_new();
4538 bool ret = true;
4539
4540 if (actual_n > 0)
4541 {
4542 actual[actual_n - 1] = 0;
4543 #ifndef ENABLE_STRICT_OPTIONS_CHECK
4544 if (strncmp(actual, expected, 2))
4545 {
4546 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4547 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4548 }
4549 else
4550 #endif
4551 ret = !strcmp(actual, expected);
4552 }
4553 gc_free(&gc);
4554 return ret;
4555 }
4556
4557 void
4558 options_warning_safe(char *actual, const char *expected, size_t actual_n)
4559 {
4560 options_warning_safe_ml(M_WARN, actual, expected, actual_n);
4561 }
4562
4563 const char *
4564 options_string_version(const char *s, struct gc_arena *gc)
4565 {
4566 struct buffer out = alloc_buf_gc(4, gc);
4567 strncpynt((char *) BPTR(&out), s, 3);
4568 return BSTR(&out);
4569 }
4570
4571 char *
4572 options_string_extract_option(const char *options_string, const char *opt_name,
4573 struct gc_arena *gc)
4574 {
4575 char *ret = NULL;
4576 const size_t opt_name_len = strlen(opt_name);
4577
4578 const char *p = options_string;
4579 while (p)
4580 {
4581 if (0 == strncmp(p, opt_name, opt_name_len)
4582 && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4583 {
4584 /* option found, extract value */
4585 const char *start = &p[opt_name_len+1];
4586 const char *end = strchr(p, ',');
4587 size_t val_len = end ? end - start : strlen(start);
4588 ret = gc_malloc(val_len+1, true, gc);
4589 memcpy(ret, start, val_len);
4590 break;
4591 }
4592 p = strchr(p, ',');
4593 if (p)
4594 {
4595 p++; /* skip delimiter */
4596 }
4597 }
4598 return ret;
4599 }
4600
4601 #ifdef _WIN32
4602 /**
4603 * Parses --windows-driver config option
4604 *
4605 * @param str value of --windows-driver option
4606 * @param msglevel msglevel to report parsing error
4607 * @return enum windows_driver_type driver type, WINDOWS_DRIVER_UNSPECIFIED on unknown --windows-driver value
4608 */
4609 static enum windows_driver_type
4610 parse_windows_driver(const char *str, const int msglevel)
4611 {
4612 if (streq(str, "tap-windows6"))
4613 {
4614 return WINDOWS_DRIVER_TAP_WINDOWS6;
4615 }
4616 else if (streq(str, "wintun"))
4617 {
4618 return WINDOWS_DRIVER_WINTUN;
4619 }
4620
4621 else if (streq(str, "ovpn-dco"))
4622 {
4623 return WINDOWS_DRIVER_DCO;
4624 }
4625 else
4626 {
4627 msg(msglevel, "--windows-driver must be tap-windows6, wintun "
4628 "or ovpn-dco");
4629 return WINDOWS_DRIVER_UNSPECIFIED;
4630 }
4631 }
4632 #endif /* ifdef _WIN32 */
4633
4634 /*
4635 * parse/print topology coding
4636 */
4637
4638 int
4639 parse_topology(const char *str, const int msglevel)
4640 {
4641 if (streq(str, "net30"))
4642 {
4643 return TOP_NET30;
4644 }
4645 else if (streq(str, "p2p"))
4646 {
4647 return TOP_P2P;
4648 }
4649 else if (streq(str, "subnet"))
4650 {
4651 return TOP_SUBNET;
4652 }
4653 else
4654 {
4655 msg(msglevel, "--topology must be net30, p2p, or subnet");
4656 return TOP_UNDEF;
4657 }
4658 }
4659
4660 const char *
4661 print_topology(const int topology)
4662 {
4663 switch (topology)
4664 {
4665 case TOP_UNDEF:
4666 return "undef";
4667
4668 case TOP_NET30:
4669 return "net30";
4670
4671 case TOP_P2P:
4672 return "p2p";
4673
4674 case TOP_SUBNET:
4675 return "subnet";
4676
4677 default:
4678 return "unknown";
4679 }
4680 }
4681
4682 /*
4683 * Manage auth-retry variable
4684 */
4685
4686 static int global_auth_retry; /* GLOBAL */
4687
4688 int
4689 auth_retry_get(void)
4690 {
4691 return global_auth_retry;
4692 }
4693
4694 bool
4695 auth_retry_set(const int msglevel, const char *option)
4696 {
4697 if (streq(option, "interact"))
4698 {
4699 global_auth_retry = AR_INTERACT;
4700 }
4701 else if (streq(option, "nointeract"))
4702 {
4703 global_auth_retry = AR_NOINTERACT;
4704 }
4705 else if (streq(option, "none"))
4706 {
4707 global_auth_retry = AR_NONE;
4708 }
4709 else
4710 {
4711 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4712 return false;
4713 }
4714 return true;
4715 }
4716
4717 const char *
4718 auth_retry_print(void)
4719 {
4720 switch (global_auth_retry)
4721 {
4722 case AR_NONE:
4723 return "none";
4724
4725 case AR_NOINTERACT:
4726 return "nointeract";
4727
4728 case AR_INTERACT:
4729 return "interact";
4730
4731 default:
4732 return "???";
4733 }
4734 }
4735
4736 /*
4737 * Print the help message.
4738 */
4739 static void
4740 usage(void)
4741 {
4742 FILE *fp = msg_fp(0);
4743
4744 #ifdef ENABLE_SMALL
4745
4746 fprintf(fp, "Usage message not available\n");
4747
4748 #else
4749
4750 struct options o;
4751 init_options(&o, true);
4752
4753 fprintf(fp, usage_message,
4754 title_string,
4755 o.ce.connect_retry_seconds,
4756 o.ce.connect_retry_seconds_max,
4757 o.ce.local_port, o.ce.remote_port,
4758 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
4759 o.verbosity,
4760 o.authname, o.ciphername,
4761 o.replay_window, o.replay_time,
4762 o.tls_timeout, o.renegotiate_seconds,
4763 o.handshake_window, o.transition_window);
4764 fflush(fp);
4765
4766 #endif /* ENABLE_SMALL */
4767
4768 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4769 }
4770
4771 void
4772 usage_small(void)
4773 {
4774 msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4775 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4776 }
4777
4778 #ifdef _WIN32
4779 void
4780 show_windows_version(const unsigned int flags)
4781 {
4782 struct gc_arena gc = gc_new();
4783 msg(flags, "Windows version %s", win32_version_string(&gc, true));
4784 gc_free(&gc);
4785 }
4786 #endif
4787
4788 void
4789 show_library_versions(const unsigned int flags)
4790 {
4791 #ifdef ENABLE_LZO
4792 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4793 #else
4794 #define LZO_LIB_VER_STR "", ""
4795 #endif
4796
4797 msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4798 LZO_LIB_VER_STR);
4799
4800 #undef LZO_LIB_VER_STR
4801 }
4802
4803 static void
4804 usage_version(void)
4805 {
4806 msg(M_INFO|M_NOPREFIX, "%s", title_string);
4807 show_library_versions( M_INFO|M_NOPREFIX );
4808 #ifdef _WIN32
4809 show_windows_version( M_INFO|M_NOPREFIX );
4810 #endif
4811 msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4812 msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>");
4813 #ifndef ENABLE_SMALL
4814 #ifdef CONFIGURE_DEFINES
4815 msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4816 #endif
4817 #ifdef CONFIGURE_SPECIAL_BUILD
4818 msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4819 #endif
4820 #endif
4821 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4822 }
4823
4824 void
4825 notnull(const char *arg, const char *description)
4826 {
4827 if (!arg)
4828 {
4829 msg(M_USAGE, "You must define %s", description);
4830 }
4831 }
4832
4833 bool
4834 string_defined_equal(const char *s1, const char *s2)
4835 {
4836 if (s1 && s2)
4837 {
4838 return !strcmp(s1, s2);
4839 }
4840 else
4841 {
4842 return false;
4843 }
4844 }
4845
4846 #if 0
4847 static void
4848 ping_rec_err(int msglevel)
4849 {
4850 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4851 }
4852 #endif
4853
4854 static int
4855 positive_atoi(const char *str)
4856 {
4857 const int i = atoi(str);
4858 return i < 0 ? 0 : i;
4859 }
4860
4861 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4862 static unsigned int
4863 atou(const char *str)
4864 {
4865 unsigned int val = 0;
4866 sscanf(str, "%u", &val);
4867 return val;
4868 }
4869 #endif
4870
4871 static inline bool
4872 space(unsigned char c)
4873 {
4874 return c == '\0' || isspace(c);
4875 }
4876
4877 int
4878 parse_line(const char *line,
4879 char *p[],
4880 const int n,
4881 const char *file,
4882 const int line_num,
4883 int msglevel,
4884 struct gc_arena *gc)
4885 {
4886 const int STATE_INITIAL = 0;
4887 const int STATE_READING_QUOTED_PARM = 1;
4888 const int STATE_READING_UNQUOTED_PARM = 2;
4889 const int STATE_DONE = 3;
4890 const int STATE_READING_SQUOTED_PARM = 4;
4891
4892 const char *error_prefix = "";
4893
4894 int ret = 0;
4895 const char *c = line;
4896 int state = STATE_INITIAL;
4897 bool backslash = false;
4898 char in, out;
4899
4900 char parm[OPTION_PARM_SIZE];
4901 unsigned int parm_len = 0;
4902
4903 msglevel &= ~M_OPTERR;
4904
4905 if (msglevel & M_MSG_VIRT_OUT)
4906 {
4907 error_prefix = "ERROR: ";
4908 }
4909
4910 do
4911 {
4912 in = *c;
4913 out = 0;
4914
4915 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4916 {
4917 backslash = true;
4918 }
4919 else
4920 {
4921 if (state == STATE_INITIAL)
4922 {
4923 if (!space(in))
4924 {
4925 if (in == ';' || in == '#') /* comment */
4926 {
4927 break;
4928 }
4929 if (!backslash && in == '\"')
4930 {
4931 state = STATE_READING_QUOTED_PARM;
4932 }
4933 else if (!backslash && in == '\'')
4934 {
4935 state = STATE_READING_SQUOTED_PARM;
4936 }
4937 else
4938 {
4939 out = in;
4940 state = STATE_READING_UNQUOTED_PARM;
4941 }
4942 }
4943 }
4944 else if (state == STATE_READING_UNQUOTED_PARM)
4945 {
4946 if (!backslash && space(in))
4947 {
4948 state = STATE_DONE;
4949 }
4950 else
4951 {
4952 out = in;
4953 }
4954 }
4955 else if (state == STATE_READING_QUOTED_PARM)
4956 {
4957 if (!backslash && in == '\"')
4958 {
4959 state = STATE_DONE;
4960 }
4961 else
4962 {
4963 out = in;
4964 }
4965 }
4966 else if (state == STATE_READING_SQUOTED_PARM)
4967 {
4968 if (in == '\'')
4969 {
4970 state = STATE_DONE;
4971 }
4972 else
4973 {
4974 out = in;
4975 }
4976 }
4977 if (state == STATE_DONE)
4978 {
4979 /* ASSERT (parm_len > 0); */
4980 p[ret] = gc_malloc(parm_len + 1, true, gc);
4981 memcpy(p[ret], parm, parm_len);
4982 p[ret][parm_len] = '\0';
4983 state = STATE_INITIAL;
4984 parm_len = 0;
4985 ++ret;
4986 }
4987
4988 if (backslash && out)
4989 {
4990 if (!(out == '\\' || out == '\"' || space(out)))
4991 {
4992 #ifdef ENABLE_SMALL
4993 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
4994 #else
4995 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
4996 #endif
4997 return 0;
4998 }
4999 }
5000 backslash = false;
5001 }
5002
5003 /* store parameter character */
5004 if (out)
5005 {
5006 if (parm_len >= SIZE(parm))
5007 {
5008 parm[SIZE(parm) - 1] = 0;
5009 msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5010 error_prefix, file, line_num, (int) SIZE(parm), parm);
5011 return 0;
5012 }
5013 parm[parm_len++] = out;
5014 }
5015
5016 /* avoid overflow if too many parms in one config file line */
5017 if (ret >= n)
5018 {
5019 break;
5020 }
5021
5022 } while (*c++ != '\0');
5023
5024 if (state == STATE_READING_QUOTED_PARM)
5025 {
5026 msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
5027 return 0;
5028 }
5029 if (state == STATE_READING_SQUOTED_PARM)
5030 {
5031 msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
5032 return 0;
5033 }
5034 if (state != STATE_INITIAL)
5035 {
5036 msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
5037 return 0;
5038 }
5039 #if 0
5040 {
5041 int i;
5042 for (i = 0; i < ret; ++i)
5043 {
5044 msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
5045 }
5046 }
5047 #endif
5048 return ret;
5049 }
5050
5051 static void
5052 bypass_doubledash(char **p)
5053 {
5054 if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
5055 {
5056 *p += 2;
5057 }
5058 }
5059
5060 struct in_src {
5061 #define IS_TYPE_FP 1
5062 #define IS_TYPE_BUF 2
5063 int type;
5064 union {
5065 FILE *fp;
5066 struct buffer *multiline;
5067 } u;
5068 };
5069
5070 static bool
5071 in_src_get(const struct in_src *is, char *line, const int size)
5072 {
5073 if (is->type == IS_TYPE_FP)
5074 {
5075 return BOOL_CAST(fgets(line, size, is->u.fp));
5076 }
5077 else if (is->type == IS_TYPE_BUF)
5078 {
5079 bool status = buf_parse(is->u.multiline, '\n', line, size);
5080 if ((int) strlen(line) + 1 < size)
5081 {
5082 strcat(line, "\n");
5083 }
5084 return status;
5085 }
5086 else
5087 {
5088 ASSERT(0);
5089 return false;
5090 }
5091 }
5092
5093 static char *
5094 read_inline_file(struct in_src *is, const char *close_tag,
5095 int *num_lines, struct gc_arena *gc)
5096 {
5097 char line[OPTION_LINE_SIZE];
5098 struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
5099 char *ret;
5100 bool endtagfound = false;
5101
5102 while (in_src_get(is, line, sizeof(line)))
5103 {
5104 (*num_lines)++;
5105 char *line_ptr = line;
5106 /* Remove leading spaces */
5107 while (isspace(*line_ptr))
5108 {
5109 line_ptr++;
5110 }
5111 if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
5112 {
5113 endtagfound = true;
5114 break;
5115 }
5116 if (!buf_safe(&buf, strlen(line)+1))
5117 {
5118 /* Increase buffer size */
5119 struct buffer buf2 = alloc_buf(buf.capacity * 2);
5120 ASSERT(buf_copy(&buf2, &buf));
5121 buf_clear(&buf);
5122 free_buf(&buf);
5123 buf = buf2;
5124 }
5125 buf_printf(&buf, "%s", line);
5126 }
5127 if (!endtagfound)
5128 {
5129 msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
5130 }
5131 ret = string_alloc(BSTR(&buf), gc);
5132 buf_clear(&buf);
5133 free_buf(&buf);
5134 secure_memzero(line, sizeof(line));
5135 return ret;
5136 }
5137
5138 static int
5139 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
5140 {
5141 int num_inline_lines = 0;
5142
5143 if (p[0] && !p[1])
5144 {
5145 char *arg = p[0];
5146 if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
5147 {
5148 struct buffer close_tag;
5149
5150 arg[strlen(arg) - 1] = '\0';
5151 p[0] = string_alloc(arg + 1, gc);
5152 close_tag = alloc_buf(strlen(p[0]) + 4);
5153 buf_printf(&close_tag, "</%s>", p[0]);
5154 p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
5155 p[2] = NULL;
5156 free_buf(&close_tag);
5157 }
5158 }
5159 return num_inline_lines;
5160 }
5161
5162 static int
5163 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
5164 {
5165 struct in_src is;
5166 is.type = IS_TYPE_FP;
5167 is.u.fp = fp;
5168 return check_inline_file(&is, p, gc);
5169 }
5170
5171 static int
5172 check_inline_file_via_buf(struct buffer *multiline, char *p[],
5173 struct gc_arena *gc)
5174 {
5175 struct in_src is;
5176 is.type = IS_TYPE_BUF;
5177 is.u.multiline = multiline;
5178 return check_inline_file(&is, p, gc);
5179 }
5180
5181 static void
5182 add_option(struct options *options,
5183 char *p[],
5184 bool is_inline,
5185 const char *file,
5186 int line,
5187 const int level,
5188 const int msglevel,
5189 const unsigned int permission_mask,
5190 unsigned int *option_types_found,
5191 struct env_set *es);
5192
5193 static void
5194 read_config_file(struct options *options,
5195 const char *file,
5196 int level,
5197 const char *top_file,
5198 const int top_line,
5199 const int msglevel,
5200 const unsigned int permission_mask,
5201 unsigned int *option_types_found,
5202 struct env_set *es)
5203 {
5204 const int max_recursive_levels = 10;
5205 FILE *fp;
5206 int line_num;
5207 char line[OPTION_LINE_SIZE+1];
5208 char *p[MAX_PARMS+1];
5209
5210 ++level;
5211 if (level <= max_recursive_levels)
5212 {
5213 if (streq(file, "stdin"))
5214 {
5215 fp = stdin;
5216 }
5217 else
5218 {
5219 fp = platform_fopen(file, "r");
5220 }
5221 if (fp)
5222 {
5223 line_num = 0;
5224 while (fgets(line, sizeof(line), fp))
5225 {
5226 int offset = 0;
5227 CLEAR(p);
5228 ++line_num;
5229 if (strlen(line) == OPTION_LINE_SIZE)
5230 {
5231 msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5232 file, line_num, OPTION_LINE_SIZE, line);
5233 }
5234
5235 /* Ignore UTF-8 BOM at start of stream */
5236 if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
5237 {
5238 offset = 3;
5239 }
5240 if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5241 {
5242 bypass_doubledash(&p[0]);
5243 int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
5244 add_option(options, p, lines_inline, file, line_num, level,
5245 msglevel, permission_mask, option_types_found,
5246 es);
5247 line_num += lines_inline;
5248 }
5249 }
5250 if (fp != stdin)
5251 {
5252 fclose(fp);
5253 }
5254 }
5255 else
5256 {
5257 msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
5258 }
5259 }
5260 else
5261 {
5262 msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
5263 }
5264 secure_memzero(line, sizeof(line));
5265 CLEAR(p);
5266 }
5267
5268 static void
5269 read_config_string(const char *prefix,
5270 struct options *options,
5271 const char *config,
5272 const int msglevel,
5273 const unsigned int permission_mask,
5274 unsigned int *option_types_found,
5275 struct env_set *es)
5276 {
5277 char line[OPTION_LINE_SIZE];
5278 struct buffer multiline;
5279 int line_num = 0;
5280
5281 buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5282
5283 while (buf_parse(&multiline, '\n', line, sizeof(line)))
5284 {
5285 char *p[MAX_PARMS+1];
5286 CLEAR(p);
5287 ++line_num;
5288 if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
5289 {
5290 bypass_doubledash(&p[0]);
5291 int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
5292 add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
5293 permission_mask, option_types_found, es);
5294 line_num += lines_inline;
5295 }
5296 CLEAR(p);
5297 }
5298 secure_memzero(line, sizeof(line));
5299 }
5300
5301 void
5302 parse_argv(struct options *options,
5303 const int argc,
5304 char *argv[],
5305 const int msglevel,
5306 const unsigned int permission_mask,
5307 unsigned int *option_types_found,
5308 struct env_set *es)
5309 {
5310 /* usage message */
5311 if (argc <= 1)
5312 {
5313 usage();
5314 }
5315
5316 /* config filename specified only? */
5317 if (argc == 2 && strncmp(argv[1], "--", 2))
5318 {
5319 char *p[MAX_PARMS+1];
5320 CLEAR(p);
5321 p[0] = "config";
5322 p[1] = argv[1];
5323 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5324 option_types_found, es);
5325 }
5326 else
5327 {
5328 /* parse command line */
5329 for (int i = 1; i < argc; ++i)
5330 {
5331 char *p[MAX_PARMS+1];
5332 CLEAR(p);
5333 p[0] = argv[i];
5334 if (strncmp(p[0], "--", 2))
5335 {
5336 msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
5337 }
5338 else
5339 {
5340 p[0] += 2;
5341 }
5342
5343 int j;
5344 for (j = 1; j < MAX_PARMS; ++j)
5345 {
5346 if (i + j < argc)
5347 {
5348 char *arg = argv[i + j];
5349 if (strncmp(arg, "--", 2))
5350 {
5351 p[j] = arg;
5352 }
5353 else
5354 {
5355 break;
5356 }
5357 }
5358 }
5359 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5360 option_types_found, es);
5361 i += j - 1;
5362 }
5363 }
5364 }
5365
5366 /**
5367 * Filter an option line by all pull filters.
5368 *
5369 * If a match is found, the line is modified depending on
5370 * the filter type, and returns true. If the filter type is
5371 * reject, SIGUSR1 is triggered and the return value is false.
5372 * In that case the caller must end the push processing.
5373 */
5374 static bool
5375 apply_pull_filter(const struct options *o, char *line)
5376 {
5377 struct pull_filter *f;
5378
5379 if (!o->pull_filter_list)
5380 {
5381 return true;
5382 }
5383
5384 /* skip leading spaces matching the behaviour of parse_line */
5385 while (isspace(*line))
5386 {
5387 line++;
5388 }
5389
5390 for (f = o->pull_filter_list->head; f; f = f->next)
5391 {
5392 if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5393 {
5394 msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5395 return true;
5396 }
5397 else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5398 {
5399 msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5400 *line = '\0';
5401 return true;
5402 }
5403 else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5404 {
5405 msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5406 *line = '\0';
5407 throw_signal_soft(SIGUSR1, "Offending option received from server");
5408 return false;
5409 }
5410 }
5411 return true;
5412 }
5413
5414 bool
5415 apply_push_options(struct options *options,
5416 struct buffer *buf,
5417 unsigned int permission_mask,
5418 unsigned int *option_types_found,
5419 struct env_set *es)
5420 {
5421 char line[OPTION_PARM_SIZE];
5422 int line_num = 0;
5423 const char *file = "[PUSH-OPTIONS]";
5424 const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5425
5426 while (buf_parse(buf, ',', line, sizeof(line)))
5427 {
5428 char *p[MAX_PARMS+1];
5429 CLEAR(p);
5430 ++line_num;
5431 if (!apply_pull_filter(options, line))
5432 {
5433 return false; /* Cause push/pull error and stop push processing */
5434 }
5435 if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5436 {
5437 add_option(options, p, false, file, line_num, 0, msglevel,
5438 permission_mask, option_types_found, es);
5439 }
5440 }
5441 return true;
5442 }
5443
5444 void
5445 options_server_import(struct options *o,
5446 const char *filename,
5447 int msglevel,
5448 unsigned int permission_mask,
5449 unsigned int *option_types_found,
5450 struct env_set *es)
5451 {
5452 msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5453 read_config_file(o,
5454 filename,
5455 0,
5456 filename,
5457 0,
5458 msglevel,
5459 permission_mask,
5460 option_types_found,
5461 es);
5462 }
5463
5464 void
5465 options_string_import(struct options *options,
5466 const char *config,
5467 const int msglevel,
5468 const unsigned int permission_mask,
5469 unsigned int *option_types_found,
5470 struct env_set *es)
5471 {
5472 read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5473 }
5474
5475 #define VERIFY_PERMISSION(mask) { \
5476 if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5477 option_types_found, msglevel, options, is_inline)) \
5478 { \
5479 goto err; \
5480 } \
5481 }
5482
5483 static bool
5484 verify_permission(const char *name,
5485 const char *file,
5486 int line,
5487 const unsigned int type,
5488 const unsigned int allowed,
5489 unsigned int *found,
5490 const int msglevel,
5491 struct options *options,
5492 bool is_inline)
5493 {
5494 if (!(type & allowed))
5495 {
5496 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5497 return false;
5498 }
5499
5500 if (is_inline && !(type & OPT_P_INLINE))
5501 {
5502 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5503 file, line);
5504 return false;
5505 }
5506
5507 if (found)
5508 {
5509 *found |= type;
5510 }
5511
5512 #ifndef ENABLE_SMALL
5513 /* Check if this options is allowed in connection block,
5514 * but we are currently not in a connection block
5515 * unless this is a pushed option.
5516 * Parsing a connection block uses a temporary options struct without
5517 * connection_list
5518 */
5519
5520 if ((type & OPT_P_CONNECTION) && options->connection_list
5521 && !(allowed & OPT_P_PULL_MODE))
5522 {
5523 if (file)
5524 {
5525 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5526 }
5527 else
5528 {
5529 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5530 }
5531 }
5532 #endif
5533 return true;
5534 }
5535
5536 /*
5537 * Check that an option doesn't have too
5538 * many parameters.
5539 */
5540
5541 #define NM_QUOTE_HINT (1<<0)
5542
5543 static bool
5544 no_more_than_n_args(const int msglevel,
5545 char *p[],
5546 const int max,
5547 const unsigned int flags)
5548 {
5549 const int len = string_array_len((const char **)p);
5550
5551 if (!len)
5552 {
5553 return false;
5554 }
5555
5556 if (len > max)
5557 {
5558 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5559 p[0],
5560 max - 1,
5561 max >= 3 ? "s" : "",
5562 (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5563 return false;
5564 }
5565 else
5566 {
5567 return true;
5568 }
5569 }
5570
5571 static inline int
5572 msglevel_forward_compatible(struct options *options, const int msglevel)
5573 {
5574 return options->forward_compatible ? M_WARN : msglevel;
5575 }
5576
5577 static void
5578 set_user_script(struct options *options,
5579 const char **script,
5580 const char *new_script,
5581 const char *type,
5582 bool in_chroot)
5583 {
5584 if (*script)
5585 {
5586 msg(M_WARN, "Multiple --%s scripts defined. "
5587 "The previously configured script is overridden.", type);
5588 }
5589 *script = new_script;
5590 options->user_script_used = true;
5591
5592 #ifndef ENABLE_SMALL
5593 {
5594 char script_name[100];
5595 openvpn_snprintf(script_name, sizeof(script_name),
5596 "--%s script", type);
5597
5598 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5599 {
5600 msg(M_USAGE, "Please correct this error.");
5601 }
5602
5603 }
5604 #endif
5605 }
5606
5607 #ifdef USE_COMP
5608 static void
5609 show_compression_warning(struct compress_options *info)
5610 {
5611 if (comp_non_stub_enabled(info))
5612 {
5613 /*
5614 * Check if already displayed the strong warning and enabled full
5615 * compression
5616 */
5617 if (!(info->flags & COMP_F_ALLOW_COMPRESS))
5618 {
5619 msg(M_WARN, "WARNING: Compression for receiving enabled. "
5620 "Compression has been used in the past to break encryption. "
5621 "Sent packets are not compressed unless \"allow-compression yes\" "
5622 "is also set.");
5623 }
5624 }
5625 }
5626 #endif
5627
5628 bool
5629 key_is_external(const struct options *options)
5630 {
5631 bool ret = false;
5632 #ifdef ENABLE_MANAGEMENT
5633 ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5634 #endif
5635 #ifdef ENABLE_PKCS11
5636 ret = ret || (options->pkcs11_providers[0] != NULL);
5637 #endif
5638 #ifdef ENABLE_CRYPTOAPI
5639 ret = ret || options->cryptoapi_cert;
5640 #endif
5641
5642 return ret;
5643 }
5644
5645 static void
5646 add_option(struct options *options,
5647 char *p[],
5648 bool is_inline,
5649 const char *file,
5650 int line,
5651 const int level,
5652 const int msglevel,
5653 const unsigned int permission_mask,
5654 unsigned int *option_types_found,
5655 struct env_set *es)
5656 {
5657 struct gc_arena gc = gc_new();
5658 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5659 int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5660
5661 ASSERT(MAX_PARMS >= 7);
5662
5663 /*
5664 * If directive begins with "setenv opt" prefix, don't raise an error if
5665 * directive is unrecognized.
5666 */
5667 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5668 {
5669 if (!p[2])
5670 {
5671 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5672 }
5673 p += 2;
5674 msglevel_fc = M_WARN;
5675 }
5676
5677 if (!file)
5678 {
5679 file = "[CMD-LINE]";
5680 line = 1;
5681 }
5682 if (streq(p[0], "help"))
5683 {
5684 VERIFY_PERMISSION(OPT_P_GENERAL);
5685 usage();
5686 if (p[1])
5687 {
5688 msg(msglevel, "--help does not accept any parameters");
5689 goto err;
5690 }
5691 }
5692 if (streq(p[0], "version") && !p[1])
5693 {
5694 VERIFY_PERMISSION(OPT_P_GENERAL);
5695 usage_version();
5696 }
5697 else if (streq(p[0], "config") && p[1] && !p[2])
5698 {
5699 VERIFY_PERMISSION(OPT_P_CONFIG);
5700
5701 /* save first config file only in options */
5702 if (!options->config)
5703 {
5704 options->config = p[1];
5705 }
5706
5707 read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5708 }
5709 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5710 else if (streq(p[0], "show-gateway") && !p[2])
5711 {
5712 struct route_gateway_info rgi;
5713 struct route_ipv6_gateway_info rgi6;
5714 struct in6_addr remote = IN6ADDR_ANY_INIT;
5715 openvpn_net_ctx_t net_ctx;
5716 VERIFY_PERMISSION(OPT_P_GENERAL);
5717 if (p[1])
5718 {
5719 get_ipv6_addr(p[1], &remote, NULL, M_WARN);
5720 }
5721 net_ctx_init(NULL, &net_ctx);
5722 get_default_gateway(&rgi, &net_ctx);
5723 get_default_gateway_ipv6(&rgi6, &remote, &net_ctx);
5724 print_default_gateway(M_INFO, &rgi, &rgi6);
5725 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5726 }
5727 #endif
5728 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5729 {
5730 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5731 int j;
5732 bool good = true;
5733
5734 VERIFY_PERMISSION(OPT_P_ECHO);
5735
5736 for (j = 1; j < MAX_PARMS; ++j)
5737 {
5738 if (!p[j])
5739 {
5740 break;
5741 }
5742 if (j > 1)
5743 {
5744 good &= buf_printf(&string, " ");
5745 }
5746 good &= buf_printf(&string, "%s", p[j]);
5747 }
5748 if (good)
5749 {
5750 /* only message-related ECHO are logged, since other ECHOs
5751 * can potentially include security-sensitive strings */
5752 if (p[1] && strncmp(p[1], "msg", 3) == 0)
5753 {
5754 msg(M_INFO, "%s:%s",
5755 pull_mode ? "ECHO-PULL" : "ECHO",
5756 BSTR(&string));
5757 }
5758 #ifdef ENABLE_MANAGEMENT
5759 if (management)
5760 {
5761 management_echo(management, BSTR(&string), pull_mode);
5762 }
5763 #endif
5764 }
5765 else
5766 {
5767 msg(M_WARN, "echo/parameter option overflow");
5768 }
5769 }
5770 #ifdef ENABLE_MANAGEMENT
5771 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5772 {
5773 VERIFY_PERMISSION(OPT_P_GENERAL);
5774 if (streq(p[2], "unix"))
5775 {
5776 #if UNIX_SOCK_SUPPORT
5777 options->management_flags |= MF_UNIX_SOCK;
5778 #else
5779 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5780 goto err;
5781 #endif
5782 }
5783
5784 options->management_addr = p[1];
5785 options->management_port = p[2];
5786 if (p[3])
5787 {
5788 options->management_user_pass = p[3];
5789 }
5790 }
5791 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5792 {
5793 VERIFY_PERMISSION(OPT_P_GENERAL);
5794 options->management_client_user = p[1];
5795 }
5796 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5797 {
5798 VERIFY_PERMISSION(OPT_P_GENERAL);
5799 options->management_client_group = p[1];
5800 }
5801 else if (streq(p[0], "management-query-passwords") && !p[1])
5802 {
5803 VERIFY_PERMISSION(OPT_P_GENERAL);
5804 options->management_flags |= MF_QUERY_PASSWORDS;
5805 }
5806 else if (streq(p[0], "management-query-remote") && !p[1])
5807 {
5808 VERIFY_PERMISSION(OPT_P_GENERAL);
5809 options->management_flags |= MF_QUERY_REMOTE;
5810 }
5811 else if (streq(p[0], "management-query-proxy") && !p[1])
5812 {
5813 VERIFY_PERMISSION(OPT_P_GENERAL);
5814 options->management_flags |= MF_QUERY_PROXY;
5815 }
5816 else if (streq(p[0], "management-hold") && !p[1])
5817 {
5818 VERIFY_PERMISSION(OPT_P_GENERAL);
5819 options->management_flags |= MF_HOLD;
5820 }
5821 else if (streq(p[0], "management-signal") && !p[1])
5822 {
5823 VERIFY_PERMISSION(OPT_P_GENERAL);
5824 options->management_flags |= MF_SIGNAL;
5825 }
5826 else if (streq(p[0], "management-forget-disconnect") && !p[1])
5827 {
5828 VERIFY_PERMISSION(OPT_P_GENERAL);
5829 options->management_flags |= MF_FORGET_DISCONNECT;
5830 }
5831 else if (streq(p[0], "management-up-down") && !p[1])
5832 {
5833 VERIFY_PERMISSION(OPT_P_GENERAL);
5834 options->management_flags |= MF_UP_DOWN;
5835 }
5836 else if (streq(p[0], "management-client") && !p[1])
5837 {
5838 VERIFY_PERMISSION(OPT_P_GENERAL);
5839 options->management_flags |= MF_CONNECT_AS_CLIENT;
5840 }
5841 #ifdef ENABLE_MANAGEMENT
5842 else if (streq(p[0], "management-external-key"))
5843 {
5844 VERIFY_PERMISSION(OPT_P_GENERAL);
5845 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5846 {
5847 if (streq(p[j], "nopadding"))
5848 {
5849 options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
5850 }
5851 else if (streq(p[j], "pkcs1"))
5852 {
5853 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5854 }
5855 else if (streq(p[j], "pss"))
5856 {
5857 options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
5858 }
5859 else if (streq(p[j], "digest"))
5860 {
5861 options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
5862 }
5863 else
5864 {
5865 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5866 }
5867 }
5868 /*
5869 * When no option is present, assume that only PKCS1
5870 * padding is supported
5871 */
5872 if (!(options->management_flags
5873 &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
5874 {
5875 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5876 }
5877 options->management_flags |= MF_EXTERNAL_KEY;
5878 }
5879 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5880 {
5881 VERIFY_PERMISSION(OPT_P_GENERAL);
5882 options->management_flags |= MF_EXTERNAL_CERT;
5883 options->management_certificate = p[1];
5884 }
5885 else if (streq(p[0], "management-client-auth") && !p[1])
5886 {
5887 VERIFY_PERMISSION(OPT_P_GENERAL);
5888 options->management_flags |= MF_CLIENT_AUTH;
5889 }
5890 #endif /* ifdef ENABLE_MANAGEMENT */
5891 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5892 {
5893 int cache;
5894
5895 VERIFY_PERMISSION(OPT_P_GENERAL);
5896 cache = atoi(p[1]);
5897 if (cache < 1)
5898 {
5899 msg(msglevel, "--management-log-cache parameter is out of range");
5900 goto err;
5901 }
5902 options->management_log_history_cache = cache;
5903 }
5904 #endif /* ifdef ENABLE_MANAGEMENT */
5905 #ifdef ENABLE_PLUGIN
5906 else if (streq(p[0], "plugin") && p[1])
5907 {
5908 VERIFY_PERMISSION(OPT_P_PLUGIN);
5909 if (!options->plugin_list)
5910 {
5911 options->plugin_list = plugin_option_list_new(&options->gc);
5912 }
5913 if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5914 {
5915 msg(msglevel, "plugin add failed: %s", p[1]);
5916 goto err;
5917 }
5918 }
5919 #endif
5920 else if (streq(p[0], "mode") && p[1] && !p[2])
5921 {
5922 VERIFY_PERMISSION(OPT_P_GENERAL);
5923 if (streq(p[1], "p2p"))
5924 {
5925 options->mode = MODE_POINT_TO_POINT;
5926 }
5927 else if (streq(p[1], "server"))
5928 {
5929 options->mode = MODE_SERVER;
5930 }
5931 else
5932 {
5933 msg(msglevel, "Bad --mode parameter: %s", p[1]);
5934 goto err;
5935 }
5936 }
5937 else if (streq(p[0], "dev") && p[1] && !p[2])
5938 {
5939 VERIFY_PERMISSION(OPT_P_GENERAL);
5940 options->dev = p[1];
5941 }
5942 else if (streq(p[0], "dev-type") && p[1] && !p[2])
5943 {
5944 VERIFY_PERMISSION(OPT_P_GENERAL);
5945 options->dev_type = p[1];
5946 }
5947 #ifdef _WIN32
5948 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
5949 {
5950 VERIFY_PERMISSION(OPT_P_GENERAL);
5951 options->windows_driver = parse_windows_driver(p[1], M_FATAL);
5952 }
5953 #endif
5954 else if (streq(p[0], "disable-dco"))
5955 {
5956 options->tuntap_options.disable_dco = true;
5957 }
5958 else if (streq(p[0], "dev-node") && p[1] && !p[2])
5959 {
5960 VERIFY_PERMISSION(OPT_P_GENERAL);
5961 options->dev_node = p[1];
5962 }
5963 else if (streq(p[0], "lladdr") && p[1] && !p[2])
5964 {
5965 VERIFY_PERMISSION(OPT_P_UP);
5966 if (mac_addr_safe(p[1])) /* MAC address only */
5967 {
5968 options->lladdr = p[1];
5969 }
5970 else
5971 {
5972 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5973 goto err;
5974 }
5975 }
5976 else if (streq(p[0], "topology") && p[1] && !p[2])
5977 {
5978 VERIFY_PERMISSION(OPT_P_UP);
5979 options->topology = parse_topology(p[1], msglevel);
5980 }
5981 else if (streq(p[0], "tun-ipv6") && !p[1])
5982 {
5983 if (!pull_mode)
5984 {
5985 msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5986 }
5987 }
5988 #ifdef ENABLE_IPROUTE
5989 else if (streq(p[0], "iproute") && p[1] && !p[2])
5990 {
5991 VERIFY_PERMISSION(OPT_P_GENERAL);
5992 iproute_path = p[1];
5993 }
5994 #endif
5995 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5996 {
5997 VERIFY_PERMISSION(OPT_P_UP);
5998 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5999 {
6000 options->ifconfig_local = p[1];
6001 options->ifconfig_remote_netmask = p[2];
6002 }
6003 else
6004 {
6005 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6006 goto err;
6007 }
6008 }
6009 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
6010 {
6011 unsigned int netbits;
6012
6013 VERIFY_PERMISSION(OPT_P_UP);
6014 if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
6015 && ipv6_addr_safe( p[2] ) )
6016 {
6017 if (netbits < 64 || netbits > 124)
6018 {
6019 msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
6020 goto err;
6021 }
6022
6023 options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
6024 options->ifconfig_ipv6_netbits = netbits;
6025 options->ifconfig_ipv6_remote = p[2];
6026 }
6027 else
6028 {
6029 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6030 goto err;
6031 }
6032 }
6033 else if (streq(p[0], "ifconfig-noexec") && !p[1])
6034 {
6035 VERIFY_PERMISSION(OPT_P_UP);
6036 options->ifconfig_noexec = true;
6037 }
6038 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
6039 {
6040 VERIFY_PERMISSION(OPT_P_UP);
6041 options->ifconfig_nowarn = true;
6042 }
6043 else if (streq(p[0], "local") && p[1] && !p[2])
6044 {
6045 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6046 options->ce.local = p[1];
6047 }
6048 else if (streq(p[0], "remote-random") && !p[1])
6049 {
6050 VERIFY_PERMISSION(OPT_P_GENERAL);
6051 options->remote_random = true;
6052 }
6053 else if (streq(p[0], "connection") && p[1] && !p[3])
6054 {
6055 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6056 if (is_inline)
6057 {
6058 struct options sub;
6059 struct connection_entry *e;
6060
6061 init_options(&sub, true);
6062 sub.ce = options->ce;
6063 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
6064 OPT_P_CONNECTION, option_types_found, es);
6065 if (!sub.ce.remote)
6066 {
6067 msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
6068 uninit_options(&sub);
6069 goto err;
6070 }
6071
6072 e = alloc_connection_entry(options, msglevel);
6073 if (!e)
6074 {
6075 uninit_options(&sub);
6076 goto err;
6077 }
6078 *e = sub.ce;
6079 gc_transfer(&options->gc, &sub.gc);
6080 uninit_options(&sub);
6081 }
6082 }
6083 else if (streq(p[0], "ignore-unknown-option") && p[1])
6084 {
6085 int i;
6086 int j;
6087 int numignored = 0;
6088 const char **ignore;
6089
6090 VERIFY_PERMISSION(OPT_P_GENERAL);
6091 /* Find out how many options to be ignored */
6092 for (i = 1; p[i]; i++)
6093 {
6094 numignored++;
6095 }
6096
6097 /* add number of options already ignored */
6098 for (i = 0; options->ignore_unknown_option
6099 && options->ignore_unknown_option[i]; i++)
6100 {
6101 numignored++;
6102 }
6103
6104 /* Allocate array */
6105 ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
6106 for (i = 0; options->ignore_unknown_option
6107 && options->ignore_unknown_option[i]; i++)
6108 {
6109 ignore[i] = options->ignore_unknown_option[i];
6110 }
6111
6112 options->ignore_unknown_option = ignore;
6113
6114 for (j = 1; p[j]; j++)
6115 {
6116 /* Allow the user to specify ignore-unknown-option --opt too */
6117 if (p[j][0]=='-' && p[j][1]=='-')
6118 {
6119 options->ignore_unknown_option[i] = (p[j]+2);
6120 }
6121 else
6122 {
6123 options->ignore_unknown_option[i] = p[j];
6124 }
6125 i++;
6126 }
6127
6128 options->ignore_unknown_option[i] = NULL;
6129 }
6130 #if ENABLE_MANAGEMENT
6131 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6132 {
6133 VERIFY_PERMISSION(OPT_P_GENERAL);
6134 options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
6135 if (!options->http_proxy_override)
6136 {
6137 goto err;
6138 }
6139 }
6140 #endif
6141 else if (streq(p[0], "remote") && p[1] && !p[4])
6142 {
6143 struct remote_entry re;
6144 re.remote = re.remote_port = NULL;
6145 re.proto = -1;
6146 re.af = 0;
6147
6148 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6149 re.remote = p[1];
6150 if (p[2])
6151 {
6152 re.remote_port = p[2];
6153 if (p[3])
6154 {
6155 const int proto = ascii2proto(p[3]);
6156 const sa_family_t af = ascii2af(p[3]);
6157 if (proto < 0)
6158 {
6159 msg(msglevel,
6160 "remote: bad protocol associated with host %s: '%s'",
6161 p[1], p[3]);
6162 goto err;
6163 }
6164 re.proto = proto;
6165 re.af = af;
6166 }
6167 }
6168 if (permission_mask & OPT_P_GENERAL)
6169 {
6170 struct remote_entry *e = alloc_remote_entry(options, msglevel);
6171 if (!e)
6172 {
6173 goto err;
6174 }
6175 *e = re;
6176 }
6177 else if (permission_mask & OPT_P_CONNECTION)
6178 {
6179 connection_entry_load_re(&options->ce, &re);
6180 }
6181 }
6182 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6183 {
6184 VERIFY_PERMISSION(OPT_P_GENERAL);
6185 if (streq(p[1], "infinite"))
6186 {
6187 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6188 }
6189 else
6190 {
6191 options->resolve_retry_seconds = positive_atoi(p[1]);
6192 }
6193 }
6194 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6195 {
6196 VERIFY_PERMISSION(OPT_P_GENERAL);
6197 options->resolve_in_advance = true;
6198 /* Note the ip-remote-hint and the argument p[1] are for
6199 * backward compatibility */
6200 if (p[1])
6201 {
6202 options->ip_remote_hint = p[1];
6203 }
6204 }
6205 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6206 {
6207 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6208 options->ce.connect_retry_seconds = positive_atoi(p[1]);
6209 /*
6210 * Limit the base value of retry wait interval to 16 bits to avoid
6211 * overflow when scaled up for exponential backoff
6212 */
6213 if (options->ce.connect_retry_seconds > 0xFFFF)
6214 {
6215 options->ce.connect_retry_seconds = 0xFFFF;
6216 msg(M_WARN, "connect retry wait interval truncated to %d",
6217 options->ce.connect_retry_seconds);
6218 }
6219
6220 if (p[2])
6221 {
6222 options->ce.connect_retry_seconds_max =
6223 max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
6224 }
6225 }
6226 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
6227 && p[1] && !p[2])
6228 {
6229 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6230 options->ce.connect_timeout = positive_atoi(p[1]);
6231 }
6232 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6233 {
6234 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6235 options->connect_retry_max = positive_atoi(p[1]);
6236 }
6237 else if (streq(p[0], "ipchange") && p[1])
6238 {
6239 VERIFY_PERMISSION(OPT_P_SCRIPT);
6240 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6241 {
6242 goto err;
6243 }
6244 set_user_script(options,
6245 &options->ipchange,
6246 string_substitute(p[1], ',', ' ', &options->gc),
6247 "ipchange", true);
6248 }
6249 else if (streq(p[0], "float") && !p[1])
6250 {
6251 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6252 options->ce.remote_float = true;
6253 }
6254 #ifdef ENABLE_DEBUG
6255 else if (streq(p[0], "gremlin") && p[1] && !p[2])
6256 {
6257 VERIFY_PERMISSION(OPT_P_GENERAL);
6258 options->gremlin = positive_atoi(p[1]);
6259 }
6260 #endif
6261 else if (streq(p[0], "chroot") && p[1] && !p[2])
6262 {
6263 VERIFY_PERMISSION(OPT_P_GENERAL);
6264 options->chroot_dir = p[1];
6265 }
6266 else if (streq(p[0], "cd") && p[1] && !p[2])
6267 {
6268 VERIFY_PERMISSION(OPT_P_GENERAL);
6269 if (platform_chdir(p[1]))
6270 {
6271 msg(M_ERR, "cd to '%s' failed", p[1]);
6272 goto err;
6273 }
6274 options->cd_dir = p[1];
6275 }
6276 #ifdef ENABLE_SELINUX
6277 else if (streq(p[0], "setcon") && p[1] && !p[2])
6278 {
6279 VERIFY_PERMISSION(OPT_P_GENERAL);
6280 options->selinux_context = p[1];
6281 }
6282 #endif
6283 else if (streq(p[0], "writepid") && p[1] && !p[2])
6284 {
6285 VERIFY_PERMISSION(OPT_P_GENERAL);
6286 options->writepid = p[1];
6287 }
6288 else if (streq(p[0], "up") && p[1])
6289 {
6290 VERIFY_PERMISSION(OPT_P_SCRIPT);
6291 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6292 {
6293 goto err;
6294 }
6295 set_user_script(options, &options->up_script, p[1], "up", false);
6296 }
6297 else if (streq(p[0], "down") && p[1])
6298 {
6299 VERIFY_PERMISSION(OPT_P_SCRIPT);
6300 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6301 {
6302 goto err;
6303 }
6304 set_user_script(options, &options->down_script, p[1], "down", true);
6305 }
6306 else if (streq(p[0], "down-pre") && !p[1])
6307 {
6308 VERIFY_PERMISSION(OPT_P_GENERAL);
6309 options->down_pre = true;
6310 }
6311 else if (streq(p[0], "up-delay") && !p[1])
6312 {
6313 VERIFY_PERMISSION(OPT_P_GENERAL);
6314 options->up_delay = true;
6315 }
6316 else if (streq(p[0], "up-restart") && !p[1])
6317 {
6318 VERIFY_PERMISSION(OPT_P_GENERAL);
6319 options->up_restart = true;
6320 }
6321 else if (streq(p[0], "syslog") && !p[2])
6322 {
6323 VERIFY_PERMISSION(OPT_P_GENERAL);
6324 open_syslog(p[1], false);
6325 }
6326 else if (streq(p[0], "daemon") && !p[2])
6327 {
6328 bool didit = false;
6329 VERIFY_PERMISSION(OPT_P_GENERAL);
6330 if (!options->daemon)
6331 {
6332 options->daemon = didit = true;
6333 open_syslog(p[1], false);
6334 }
6335 if (p[1])
6336 {
6337 if (!didit)
6338 {
6339 msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
6340 goto err;
6341 }
6342 }
6343 }
6344 else if (streq(p[0], "log") && p[1] && !p[2])
6345 {
6346 VERIFY_PERMISSION(OPT_P_GENERAL);
6347 options->log = true;
6348 redirect_stdout_stderr(p[1], false);
6349 }
6350 else if (streq(p[0], "suppress-timestamps") && !p[1])
6351 {
6352 VERIFY_PERMISSION(OPT_P_GENERAL);
6353 options->suppress_timestamps = true;
6354 set_suppress_timestamps(true);
6355 }
6356 else if (streq(p[0], "machine-readable-output") && !p[1])
6357 {
6358 VERIFY_PERMISSION(OPT_P_GENERAL);
6359 options->machine_readable_output = true;
6360 set_machine_readable_output(true);
6361 }
6362 else if (streq(p[0], "log-append") && p[1] && !p[2])
6363 {
6364 VERIFY_PERMISSION(OPT_P_GENERAL);
6365 options->log = true;
6366 redirect_stdout_stderr(p[1], true);
6367 }
6368 #ifdef ENABLE_MEMSTATS
6369 else if (streq(p[0], "memstats") && p[1] && !p[2])
6370 {
6371 VERIFY_PERMISSION(OPT_P_GENERAL);
6372 options->memstats_fn = p[1];
6373 }
6374 #endif
6375 else if (streq(p[0], "mlock") && !p[1])
6376 {
6377 VERIFY_PERMISSION(OPT_P_GENERAL);
6378 options->mlock = true;
6379 }
6380 #if ENABLE_IP_PKTINFO
6381 else if (streq(p[0], "multihome") && !p[1])
6382 {
6383 VERIFY_PERMISSION(OPT_P_GENERAL);
6384 options->sockflags |= SF_USE_IP_PKTINFO;
6385 }
6386 #endif
6387 else if (streq(p[0], "verb") && p[1] && !p[2])
6388 {
6389 VERIFY_PERMISSION(OPT_P_MESSAGES);
6390 options->verbosity = positive_atoi(p[1]);
6391 if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6392 {
6393 /* We pass this flag to the SSL library to avoid
6394 * mbed TLS always generating debug level logging */
6395 options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6396 }
6397 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6398 /* Warn when a debug verbosity is supplied when built without debug support */
6399 if (options->verbosity >= 7)
6400 {
6401 msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6402 options->verbosity);
6403 }
6404 #endif
6405 }
6406 else if (streq(p[0], "mute") && p[1] && !p[2])
6407 {
6408 VERIFY_PERMISSION(OPT_P_MESSAGES);
6409 options->mute = positive_atoi(p[1]);
6410 }
6411 else if (streq(p[0], "errors-to-stderr") && !p[1])
6412 {
6413 VERIFY_PERMISSION(OPT_P_MESSAGES);
6414 errors_to_stderr();
6415 }
6416 else if (streq(p[0], "status") && p[1] && !p[3])
6417 {
6418 VERIFY_PERMISSION(OPT_P_GENERAL);
6419 options->status_file = p[1];
6420 if (p[2])
6421 {
6422 options->status_file_update_freq = positive_atoi(p[2]);
6423 }
6424 }
6425 else if (streq(p[0], "status-version") && p[1] && !p[2])
6426 {
6427 int version;
6428
6429 VERIFY_PERMISSION(OPT_P_GENERAL);
6430 version = atoi(p[1]);
6431 if (version < 1 || version > 3)
6432 {
6433 msg(msglevel, "--status-version must be 1 to 3");
6434 goto err;
6435 }
6436 options->status_file_version = version;
6437 }
6438 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6439 {
6440 VERIFY_PERMISSION(OPT_P_GENERAL);
6441 if (streq(p[1], "SIGHUP"))
6442 {
6443 options->remap_sigusr1 = SIGHUP;
6444 }
6445 else if (streq(p[1], "SIGTERM"))
6446 {
6447 options->remap_sigusr1 = SIGTERM;
6448 }
6449 else
6450 {
6451 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6452 goto err;
6453 }
6454 }
6455 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6456 {
6457 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6458 options->ce.link_mtu = positive_atoi(p[1]);
6459 options->ce.link_mtu_defined = true;
6460 }
6461 else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6462 {
6463 VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
6464 options->ce.tun_mtu = positive_atoi(p[1]);
6465 options->ce.tun_mtu_defined = true;
6466 if (p[2])
6467 {
6468 options->ce.occ_mtu = positive_atoi(p[2]);
6469 }
6470 else
6471 {
6472 options->ce.occ_mtu = 0;
6473 }
6474 }
6475 else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3])
6476 {
6477 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6478 int max_mtu = positive_atoi(p[1]);
6479 if (max_mtu < 68 || max_mtu > 65536)
6480 {
6481 msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
6482 }
6483 else
6484 {
6485 options->ce.tun_mtu_max = max_mtu;
6486 }
6487 }
6488 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6489 {
6490 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6491 options->ce.tun_mtu_extra = positive_atoi(p[1]);
6492 options->ce.tun_mtu_extra_defined = true;
6493 }
6494 else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
6495 {
6496 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6497 int maxmtu = positive_atoi(p[1]);
6498 options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
6499
6500 if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
6501 {
6502 msg(M_WARN, "Note: max-packet-size value outside of allowed "
6503 "control channel packet size (%d to %d), will use %d "
6504 "instead.", TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE,
6505 options->ce.tls_mtu);
6506 }
6507
6508 /* also set mssfix maxmtu mtu */
6509 options->ce.mssfix = maxmtu;
6510 options->ce.mssfix_default = false;
6511 options->ce.mssfix_encap = true;
6512 }
6513 #ifdef ENABLE_FRAGMENT
6514 else if (streq(p[0], "mtu-dynamic"))
6515 {
6516 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6517 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6518 goto err;
6519 }
6520 else if (streq(p[0], "fragment") && p[1] && !p[3])
6521 {
6522 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6523 options->ce.fragment = positive_atoi(p[1]);
6524
6525 if (p[2] && streq(p[2], "mtu"))
6526 {
6527 options->ce.fragment_encap = true;
6528 }
6529 else if (p[2])
6530 {
6531 msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6532 }
6533 }
6534 #endif /* ifdef ENABLE_FRAGMENT */
6535 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6536 {
6537 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6538 options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6539 }
6540 else if (streq(p[0], "mtu-test") && !p[1])
6541 {
6542 VERIFY_PERMISSION(OPT_P_GENERAL);
6543 options->mtu_test = true;
6544 }
6545 else if (streq(p[0], "nice") && p[1] && !p[2])
6546 {
6547 VERIFY_PERMISSION(OPT_P_NICE);
6548 options->nice = atoi(p[1]);
6549 }
6550 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6551 {
6552 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6553 options->rcvbuf = positive_atoi(p[1]);
6554 }
6555 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6556 {
6557 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6558 options->sndbuf = positive_atoi(p[1]);
6559 }
6560 else if (streq(p[0], "mark") && p[1] && !p[2])
6561 {
6562 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
6563 VERIFY_PERMISSION(OPT_P_GENERAL);
6564 options->mark = atoi(p[1]);
6565 #endif
6566 }
6567 else if (streq(p[0], "socket-flags"))
6568 {
6569 int j;
6570 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6571 for (j = 1; j < MAX_PARMS && p[j]; ++j)
6572 {
6573 if (streq(p[j], "TCP_NODELAY"))
6574 {
6575 options->sockflags |= SF_TCP_NODELAY;
6576 }
6577 else
6578 {
6579 msg(msglevel, "unknown socket flag: %s", p[j]);
6580 }
6581 }
6582 }
6583 #ifdef TARGET_LINUX
6584 else if (streq(p[0], "bind-dev") && p[1])
6585 {
6586 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6587 options->bind_dev = p[1];
6588 }
6589 #endif
6590 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6591 {
6592 VERIFY_PERMISSION(OPT_P_GENERAL);
6593 #ifdef TARGET_LINUX
6594 options->tuntap_options.txqueuelen = positive_atoi(p[1]);
6595 #else
6596 msg(msglevel, "--txqueuelen not supported on this OS");
6597 goto err;
6598 #endif
6599 }
6600 else if (streq(p[0], "shaper") && p[1] && !p[2])
6601 {
6602 int shaper;
6603
6604 VERIFY_PERMISSION(OPT_P_SHAPER);
6605 shaper = atoi(p[1]);
6606 if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
6607 {
6608 msg(msglevel, "Bad shaper value, must be between %d and %d",
6609 SHAPER_MIN, SHAPER_MAX);
6610 goto err;
6611 }
6612 options->shaper = shaper;
6613 }
6614 else if (streq(p[0], "port") && p[1] && !p[2])
6615 {
6616 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6617 options->ce.local_port = options->ce.remote_port = p[1];
6618 }
6619 else if (streq(p[0], "lport") && p[1] && !p[2])
6620 {
6621 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6622 options->ce.local_port_defined = true;
6623 options->ce.local_port = p[1];
6624 }
6625 else if (streq(p[0], "rport") && p[1] && !p[2])
6626 {
6627 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6628 options->ce.remote_port = p[1];
6629 }
6630 else if (streq(p[0], "bind") && !p[2])
6631 {
6632 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6633 options->ce.bind_defined = true;
6634 if (p[1] && streq(p[1], "ipv6only"))
6635 {
6636 options->ce.bind_ipv6_only = true;
6637 }
6638
6639 }
6640 else if (streq(p[0], "nobind") && !p[1])
6641 {
6642 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6643 options->ce.bind_local = false;
6644 }
6645 else if (streq(p[0], "fast-io") && !p[1])
6646 {
6647 VERIFY_PERMISSION(OPT_P_GENERAL);
6648 options->fast_io = true;
6649 }
6650 else if (streq(p[0], "inactive") && p[1] && !p[3])
6651 {
6652 VERIFY_PERMISSION(OPT_P_TIMER);
6653 options->inactivity_timeout = positive_atoi(p[1]);
6654 if (p[2])
6655 {
6656 int64_t val = atoll(p[2]);
6657 options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
6658 if (options->inactivity_minimum_bytes > INT_MAX)
6659 {
6660 msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
6661 " >2 Gbyte was silently ignored in older versions. If "
6662 " your VPN exits unexpectedly with 'Inactivity timeout'"
6663 " in %d seconds, revisit this value.",
6664 options->inactivity_timeout );
6665 }
6666 }
6667 }
6668 else if (streq(p[0], "session-timeout") && p[1] && !p[2])
6669 {
6670 VERIFY_PERMISSION(OPT_P_TIMER);
6671 options->session_timeout = positive_atoi(p[1]);
6672 }
6673 else if (streq(p[0], "proto") && p[1] && !p[2])
6674 {
6675 int proto;
6676 sa_family_t af;
6677 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6678 proto = ascii2proto(p[1]);
6679 af = ascii2af(p[1]);
6680 if (proto < 0)
6681 {
6682 msg(msglevel,
6683 "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
6684 p[1],
6685 proto2ascii_all(&gc));
6686 goto err;
6687 }
6688 options->ce.proto = proto;
6689 options->ce.af = af;
6690 }
6691 else if (streq(p[0], "proto-force") && p[1] && !p[2])
6692 {
6693 int proto_force;
6694 VERIFY_PERMISSION(OPT_P_GENERAL);
6695 proto_force = ascii2proto(p[1]);
6696 if (proto_force < 0)
6697 {
6698 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6699 goto err;
6700 }
6701 options->proto_force = proto_force;
6702 }
6703 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6704 {
6705 struct http_proxy_options *ho;
6706
6707 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6708
6709 {
6710 if (!p[2])
6711 {
6712 msg(msglevel, "http-proxy port number not defined");
6713 goto err;
6714 }
6715
6716 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6717
6718 ho->server = p[1];
6719 ho->port = p[2];
6720 }
6721
6722 if (p[3])
6723 {
6724 /* auto -- try to figure out proxy addr, port, and type automatically */
6725 /* semiauto -- given proxy addr:port, try to figure out type automatically */
6726 /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6727 if (streq(p[3], "auto"))
6728 {
6729 ho->auth_retry = PAR_ALL;
6730 }
6731 else if (streq(p[3], "auto-nct"))
6732 {
6733 ho->auth_retry = PAR_NCT;
6734 }
6735 else
6736 {
6737 ho->auth_method_string = "basic";
6738 ho->auth_file = p[3];
6739
6740 if (p[4])
6741 {
6742 ho->auth_method_string = p[4];
6743 }
6744 }
6745 }
6746 else
6747 {
6748 ho->auth_method_string = "none";
6749 }
6750 }
6751 else if (streq(p[0], "http-proxy-user-pass") && p[1])
6752 {
6753 struct http_proxy_options *ho;
6754 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6755 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6756 ho->auth_file = p[1];
6757 ho->inline_creds = is_inline;
6758 }
6759 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
6760 {
6761 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6762 msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6763 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6764 "Use connect-retry-max 1 to get a similar behavior as before.");
6765 }
6766 else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
6767 {
6768 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6769 msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6770 "server is established is managed with a single timeout set by connect-timeout");
6771 }
6772 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6773 {
6774 struct http_proxy_options *ho;
6775
6776 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6777 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6778
6779 if (streq(p[1], "VERSION") && p[2] && !p[3])
6780 {
6781 ho->http_version = p[2];
6782 }
6783 else if (streq(p[1], "AGENT") && p[2] && !p[3])
6784 {
6785 ho->user_agent = p[2];
6786 }
6787 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6788 && p[2])
6789 {
6790 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6791 * with either two argument or one */
6792
6793 struct http_custom_header *custom_header = NULL;
6794 int i;
6795 /* Find the first free header */
6796 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6797 {
6798 if (!ho->custom_headers[i].name)
6799 {
6800 custom_header = &ho->custom_headers[i];
6801 break;
6802 }
6803 }
6804 if (!custom_header)
6805 {
6806 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
6807 }
6808 else
6809 {
6810 /* We will save p[2] and p[3], the proxy code will detect if
6811 * p[3] is NULL */
6812 custom_header->name = p[2];
6813 custom_header->content = p[3];
6814 }
6815 }
6816 else
6817 {
6818 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6819 }
6820 }
6821 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6822 {
6823 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6824
6825 if (p[2])
6826 {
6827 options->ce.socks_proxy_port = p[2];
6828 }
6829 else
6830 {
6831 options->ce.socks_proxy_port = "1080";
6832 }
6833 options->ce.socks_proxy_server = p[1];
6834 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
6835 }
6836 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
6837 {
6838 VERIFY_PERMISSION(OPT_P_GENERAL);
6839 options->keepalive_ping = atoi(p[1]);
6840 options->keepalive_timeout = atoi(p[2]);
6841 }
6842 else if (streq(p[0], "ping") && p[1] && !p[2])
6843 {
6844 VERIFY_PERMISSION(OPT_P_TIMER);
6845 options->ping_send_timeout = positive_atoi(p[1]);
6846 }
6847 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
6848 {
6849 VERIFY_PERMISSION(OPT_P_TIMER);
6850 options->ping_rec_timeout = positive_atoi(p[1]);
6851 options->ping_rec_timeout_action = PING_EXIT;
6852 }
6853 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
6854 {
6855 VERIFY_PERMISSION(OPT_P_TIMER);
6856 options->ping_rec_timeout = positive_atoi(p[1]);
6857 options->ping_rec_timeout_action = PING_RESTART;
6858 }
6859 else if (streq(p[0], "ping-timer-rem") && !p[1])
6860 {
6861 VERIFY_PERMISSION(OPT_P_TIMER);
6862 options->ping_timer_remote = true;
6863 }
6864 else if (streq(p[0], "explicit-exit-notify") && !p[2])
6865 {
6866 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
6867 if (p[1])
6868 {
6869 options->ce.explicit_exit_notification = positive_atoi(p[1]);
6870 }
6871 else
6872 {
6873 options->ce.explicit_exit_notification = 1;
6874 }
6875 }
6876 else if (streq(p[0], "persist-tun") && !p[1])
6877 {
6878 VERIFY_PERMISSION(OPT_P_PERSIST);
6879 options->persist_tun = true;
6880 }
6881 else if (streq(p[0], "persist-key") && !p[1])
6882 {
6883 VERIFY_PERMISSION(OPT_P_PERSIST);
6884 options->persist_key = true;
6885 }
6886 else if (streq(p[0], "persist-local-ip") && !p[1])
6887 {
6888 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6889 options->persist_local_ip = true;
6890 }
6891 else if (streq(p[0], "persist-remote-ip") && !p[1])
6892 {
6893 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6894 options->persist_remote_ip = true;
6895 }
6896 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
6897 {
6898 VERIFY_PERMISSION(OPT_P_ROUTE);
6899 cnol_check_alloc(options);
6900 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
6901 }
6902 else if (streq(p[0], "route") && p[1] && !p[5])
6903 {
6904 VERIFY_PERMISSION(OPT_P_ROUTE);
6905 rol_check_alloc(options);
6906 if (pull_mode)
6907 {
6908 if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
6909 {
6910 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
6911 goto err;
6912 }
6913 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
6914 {
6915 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
6916 goto err;
6917 }
6918 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
6919 {
6920 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
6921 goto err;
6922 }
6923 }
6924 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
6925 }
6926 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
6927 {
6928 VERIFY_PERMISSION(OPT_P_ROUTE);
6929 rol6_check_alloc(options);
6930 if (pull_mode)
6931 {
6932 if (!ipv6_addr_safe_hexplusbits(p[1]))
6933 {
6934 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
6935 goto err;
6936 }
6937 if (p[2] && !ipv6_addr_safe(p[2]))
6938 {
6939 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
6940 goto err;
6941 }
6942 /* p[3] is metric, if present */
6943 }
6944 add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]);
6945 }
6946 else if (streq(p[0], "max-routes") && !p[2])
6947 {
6948 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
6949 "The number of routes is unlimited as of OpenVPN 2.4. "
6950 "This option will be removed in a future version, "
6951 "please remove it from your configuration.");
6952 }
6953 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
6954 {
6955 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6956 if (streq(p[1], "dhcp"))
6957 {
6958 options->route_gateway_via_dhcp = true;
6959 }
6960 else
6961 {
6962 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
6963 {
6964 options->route_default_gateway = p[1];
6965 }
6966 else
6967 {
6968 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
6969 goto err;
6970 }
6971 }
6972 }
6973 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
6974 {
6975 if (ipv6_addr_safe(p[1]))
6976 {
6977 options->route_ipv6_default_gateway = p[1];
6978 }
6979 else
6980 {
6981 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
6982 goto err;
6983 }
6984 }
6985 else if (streq(p[0], "route-metric") && p[1] && !p[2])
6986 {
6987 VERIFY_PERMISSION(OPT_P_ROUTE);
6988 options->route_default_metric = positive_atoi(p[1]);
6989 }
6990 else if (streq(p[0], "route-delay") && !p[3])
6991 {
6992 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6993 options->route_delay_defined = true;
6994 if (p[1])
6995 {
6996 options->route_delay = positive_atoi(p[1]);
6997 if (p[2])
6998 {
6999 options->route_delay_window = positive_atoi(p[2]);
7000 }
7001 }
7002 else
7003 {
7004 options->route_delay = 0;
7005 }
7006 }
7007 else if (streq(p[0], "route-up") && p[1])
7008 {
7009 VERIFY_PERMISSION(OPT_P_SCRIPT);
7010 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7011 {
7012 goto err;
7013 }
7014 set_user_script(options, &options->route_script, p[1], "route-up", false);
7015 }
7016 else if (streq(p[0], "route-pre-down") && p[1])
7017 {
7018 VERIFY_PERMISSION(OPT_P_SCRIPT);
7019 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7020 {
7021 goto err;
7022 }
7023 set_user_script(options,
7024 &options->route_predown_script,
7025 p[1],
7026 "route-pre-down", true);
7027 }
7028 else if (streq(p[0], "route-noexec") && !p[1])
7029 {
7030 VERIFY_PERMISSION(OPT_P_SCRIPT);
7031 options->route_noexec = true;
7032 }
7033 else if (streq(p[0], "route-nopull") && !p[1])
7034 {
7035 VERIFY_PERMISSION(OPT_P_GENERAL);
7036 options->route_nopull = true;
7037 }
7038 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
7039 {
7040 struct pull_filter *f;
7041 VERIFY_PERMISSION(OPT_P_GENERAL)
7042 f = alloc_pull_filter(options, msglevel);
7043
7044 if (strcmp("accept", p[1]) == 0)
7045 {
7046 f->type = PUF_TYPE_ACCEPT;
7047 }
7048 else if (strcmp("ignore", p[1]) == 0)
7049 {
7050 f->type = PUF_TYPE_IGNORE;
7051 }
7052 else if (strcmp("reject", p[1]) == 0)
7053 {
7054 f->type = PUF_TYPE_REJECT;
7055 }
7056 else
7057 {
7058 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
7059 goto err;
7060 }
7061 f->pattern = p[2];
7062 f->size = strlen(p[2]);
7063 }
7064 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
7065 {
7066 VERIFY_PERMISSION(OPT_P_GENERAL);
7067 options->allow_pull_fqdn = true;
7068 }
7069 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7070 {
7071 int j;
7072 VERIFY_PERMISSION(OPT_P_ROUTE);
7073 rol_check_alloc(options);
7074
7075 if (options->routes->flags & RG_ENABLE)
7076 {
7077 msg(M_WARN,
7078 "WARNING: You have specified redirect-gateway and "
7079 "redirect-private at the same time (or the same option "
7080 "multiple times). This is not well supported and may lead to "
7081 "unexpected results");
7082 }
7083
7084 options->routes->flags |= RG_ENABLE;
7085
7086 if (streq(p[0], "redirect-gateway"))
7087 {
7088 options->routes->flags |= RG_REROUTE_GW;
7089 }
7090 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7091 {
7092 if (streq(p[j], "local"))
7093 {
7094 options->routes->flags |= RG_LOCAL;
7095 }
7096 else if (streq(p[j], "autolocal"))
7097 {
7098 options->routes->flags |= RG_AUTO_LOCAL;
7099 }
7100 else if (streq(p[j], "def1"))
7101 {
7102 options->routes->flags |= RG_DEF1;
7103 }
7104 else if (streq(p[j], "bypass-dhcp"))
7105 {
7106 options->routes->flags |= RG_BYPASS_DHCP;
7107 }
7108 else if (streq(p[j], "bypass-dns"))
7109 {
7110 options->routes->flags |= RG_BYPASS_DNS;
7111 }
7112 else if (streq(p[j], "block-local"))
7113 {
7114 options->routes->flags |= RG_BLOCK_LOCAL;
7115 }
7116 else if (streq(p[j], "ipv6"))
7117 {
7118 rol6_check_alloc(options);
7119 options->routes_ipv6->flags |= RG_REROUTE_GW;
7120 }
7121 else if (streq(p[j], "!ipv4"))
7122 {
7123 options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7124 }
7125 else
7126 {
7127 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7128 goto err;
7129 }
7130 }
7131 #ifdef _WIN32
7132 /* we need this here to handle pushed --redirect-gateway */
7133 remap_redirect_gateway_flags(options);
7134 #endif
7135 }
7136 else if (streq(p[0], "block-ipv6") && !p[1])
7137 {
7138 VERIFY_PERMISSION(OPT_P_ROUTE);
7139 options->block_ipv6 = true;
7140 }
7141 else if (streq(p[0], "remote-random-hostname") && !p[1])
7142 {
7143 VERIFY_PERMISSION(OPT_P_GENERAL);
7144 options->sockflags |= SF_HOST_RANDOMIZE;
7145 }
7146 else if (streq(p[0], "setenv") && p[1] && !p[3])
7147 {
7148 VERIFY_PERMISSION(OPT_P_GENERAL);
7149 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7150 {
7151 options->sockflags |= SF_HOST_RANDOMIZE;
7152 }
7153 else if (streq(p[1], "GENERIC_CONFIG"))
7154 {
7155 msg(msglevel, "this is a generic configuration and cannot directly be used");
7156 goto err;
7157 }
7158 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7159 {
7160 options->push_peer_info = true;
7161 }
7162 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7163 {
7164 options->ce.connect_timeout = positive_atoi(p[2]);
7165 }
7166 else
7167 {
7168 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7169 {
7170 options->forward_compatible = true;
7171 msglevel_fc = msglevel_forward_compatible(options, msglevel);
7172 }
7173 setenv_str(es, p[1], p[2] ? p[2] : "");
7174 }
7175 }
7176 else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7177 {
7178 unsigned int major, minor, patch;
7179 if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7180 {
7181 msg(msglevel, "cannot parse version number for --compat-mode: %s",
7182 p[1]);
7183 goto err;
7184 }
7185
7186 options->backwards_compatible = major * 10000 + minor * 100 + patch;
7187 }
7188 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7189 {
7190 VERIFY_PERMISSION(OPT_P_SETENV);
7191 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7192 }
7193 else if (streq(p[0], "script-security") && p[1] && !p[2])
7194 {
7195 VERIFY_PERMISSION(OPT_P_GENERAL);
7196 script_security_set(atoi(p[1]));
7197 }
7198 else if (streq(p[0], "mssfix") && !p[3])
7199 {
7200 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
7201 if (p[1])
7202 {
7203 /* value specified, assume encapsulation is not
7204 * included unless "mtu" follows later */
7205 options->ce.mssfix = positive_atoi(p[1]);
7206 options->ce.mssfix_encap = false;
7207 options->ce.mssfix_default = false;
7208 }
7209 else
7210 {
7211 /* Set MTU to default values */
7212 options->ce.mssfix_default = true;
7213 options->ce.mssfix_encap = true;
7214 options->ce.mssfix_fixed = false;
7215 }
7216
7217 if (p[2] && streq(p[2], "mtu"))
7218 {
7219 options->ce.mssfix_encap = true;
7220 }
7221 else if (p[2] && streq(p[2], "fixed"))
7222 {
7223 options->ce.mssfix_fixed = true;
7224 }
7225 else if (p[2])
7226 {
7227 msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7228 }
7229 }
7230 else if (streq(p[0], "disable-occ") && !p[1])
7231 {
7232 VERIFY_PERMISSION(OPT_P_GENERAL);
7233 options->occ = false;
7234 }
7235 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7236 {
7237 const int lev = M_WARN;
7238 bool error = false;
7239 in_addr_t network, netmask;
7240
7241 VERIFY_PERMISSION(OPT_P_GENERAL);
7242 network = get_ip_addr(p[1], lev, &error);
7243 netmask = get_ip_addr(p[2], lev, &error);
7244 if (error || !network || !netmask)
7245 {
7246 msg(msglevel, "error parsing --server parameters");
7247 goto err;
7248 }
7249 options->server_defined = true;
7250 options->server_network = network;
7251 options->server_netmask = netmask;
7252
7253 if (p[3])
7254 {
7255 if (streq(p[3], "nopool"))
7256 {
7257 options->server_flags |= SF_NOPOOL;
7258 }
7259 else
7260 {
7261 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7262 goto err;
7263 }
7264 }
7265 }
7266 else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7267 {
7268 const int lev = M_WARN;
7269 struct in6_addr network;
7270 unsigned int netbits = 0;
7271
7272 VERIFY_PERMISSION(OPT_P_GENERAL);
7273 if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
7274 {
7275 msg(msglevel, "error parsing --server-ipv6 parameter");
7276 goto err;
7277 }
7278 if (netbits < 64 || netbits > 124)
7279 {
7280 msg(msglevel,
7281 "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7282 netbits);
7283
7284 goto err;
7285 }
7286 options->server_ipv6_defined = true;
7287 options->server_network_ipv6 = network;
7288 options->server_netbits_ipv6 = netbits;
7289 }
7290 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7291 {
7292 const int lev = M_WARN;
7293 bool error = false;
7294 in_addr_t ip, netmask, pool_start, pool_end;
7295
7296 VERIFY_PERMISSION(OPT_P_GENERAL);
7297 ip = get_ip_addr(p[1], lev, &error);
7298 netmask = get_ip_addr(p[2], lev, &error);
7299 pool_start = get_ip_addr(p[3], lev, &error);
7300 pool_end = get_ip_addr(p[4], lev, &error);
7301 if (error || !ip || !netmask || !pool_start || !pool_end)
7302 {
7303 msg(msglevel, "error parsing --server-bridge parameters");
7304 goto err;
7305 }
7306 options->server_bridge_defined = true;
7307 options->server_bridge_ip = ip;
7308 options->server_bridge_netmask = netmask;
7309 options->server_bridge_pool_start = pool_start;
7310 options->server_bridge_pool_end = pool_end;
7311 }
7312 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7313 {
7314 VERIFY_PERMISSION(OPT_P_GENERAL);
7315 options->server_bridge_proxy_dhcp = true;
7316 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7317 }
7318 else if (streq(p[0], "server-bridge") && !p[1])
7319 {
7320 VERIFY_PERMISSION(OPT_P_GENERAL);
7321 options->server_bridge_proxy_dhcp = true;
7322 }
7323 else if (streq(p[0], "push") && p[1] && !p[2])
7324 {
7325 VERIFY_PERMISSION(OPT_P_PUSH);
7326 push_options(options, &p[1], msglevel, &options->gc);
7327 }
7328 else if (streq(p[0], "push-reset") && !p[1])
7329 {
7330 VERIFY_PERMISSION(OPT_P_INSTANCE);
7331 push_reset(options);
7332 }
7333 else if (streq(p[0], "push-remove") && p[1] && !p[2])
7334 {
7335 VERIFY_PERMISSION(OPT_P_INSTANCE);
7336 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7337 push_remove_option(options, p[1]);
7338 }
7339 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7340 {
7341 const int lev = M_WARN;
7342 bool error = false;
7343 in_addr_t start, end, netmask = 0;
7344
7345 VERIFY_PERMISSION(OPT_P_GENERAL);
7346 start = get_ip_addr(p[1], lev, &error);
7347 end = get_ip_addr(p[2], lev, &error);
7348 if (p[3])
7349 {
7350 netmask = get_ip_addr(p[3], lev, &error);
7351 }
7352 if (error)
7353 {
7354 msg(msglevel, "error parsing --ifconfig-pool parameters");
7355 goto err;
7356 }
7357 if (!ifconfig_pool_verify_range(msglevel, start, end))
7358 {
7359 goto err;
7360 }
7361
7362 options->ifconfig_pool_defined = true;
7363 options->ifconfig_pool_start = start;
7364 options->ifconfig_pool_end = end;
7365 if (netmask)
7366 {
7367 options->ifconfig_pool_netmask = netmask;
7368 }
7369 }
7370 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7371 {
7372 VERIFY_PERMISSION(OPT_P_GENERAL);
7373 options->ifconfig_pool_persist_filename = p[1];
7374 if (p[2])
7375 {
7376 options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2]);
7377 }
7378 }
7379 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7380 {
7381 const int lev = M_WARN;
7382 struct in6_addr network;
7383 unsigned int netbits = 0;
7384
7385 VERIFY_PERMISSION(OPT_P_GENERAL);
7386 if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
7387 {
7388 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7389 goto err;
7390 }
7391 if (netbits < 64 || netbits > 124)
7392 {
7393 msg(msglevel,
7394 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7395 netbits);
7396 goto err;
7397 }
7398
7399 options->ifconfig_ipv6_pool_defined = true;
7400 options->ifconfig_ipv6_pool_base = network;
7401 options->ifconfig_ipv6_pool_netbits = netbits;
7402 }
7403 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7404 {
7405 int real, virtual;
7406
7407 VERIFY_PERMISSION(OPT_P_GENERAL);
7408 real = atoi(p[1]);
7409 virtual = atoi(p[2]);
7410 if (real < 1 || virtual < 1)
7411 {
7412 msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
7413 goto err;
7414 }
7415 options->real_hash_size = real;
7416 options->virtual_hash_size = real;
7417 }
7418 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7419 {
7420 int cf_max, cf_per;
7421
7422 VERIFY_PERMISSION(OPT_P_GENERAL);
7423 cf_max = atoi(p[1]);
7424 cf_per = atoi(p[2]);
7425 if (cf_max < 0 || cf_per < 0)
7426 {
7427 msg(msglevel, "--connect-freq parms must be > 0");
7428 goto err;
7429 }
7430 options->cf_max = cf_max;
7431 options->cf_per = cf_per;
7432 }
7433 else if (streq(p[0], "max-clients") && p[1] && !p[2])
7434 {
7435 int max_clients;
7436
7437 VERIFY_PERMISSION(OPT_P_GENERAL);
7438 max_clients = atoi(p[1]);
7439 if (max_clients < 0)
7440 {
7441 msg(msglevel, "--max-clients must be at least 1");
7442 goto err;
7443 }
7444 if (max_clients >= MAX_PEER_ID) /* max peer-id value */
7445 {
7446 msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
7447 goto err;
7448 }
7449 options->max_clients = max_clients;
7450 }
7451 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7452 {
7453 VERIFY_PERMISSION(OPT_P_INHERIT);
7454 options->max_routes_per_client = max_int(atoi(p[1]), 1);
7455 }
7456 else if (streq(p[0], "client-cert-not-required") && !p[1])
7457 {
7458 VERIFY_PERMISSION(OPT_P_GENERAL);
7459 msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7460 }
7461 else if (streq(p[0], "verify-client-cert") && !p[2])
7462 {
7463 VERIFY_PERMISSION(OPT_P_GENERAL);
7464
7465 /* Reset any existing flags */
7466 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7467 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7468 if (p[1])
7469 {
7470 if (streq(p[1], "none"))
7471 {
7472 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
7473 }
7474 else if (streq(p[1], "optional"))
7475 {
7476 options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7477 }
7478 else if (!streq(p[1], "require"))
7479 {
7480 msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7481 goto err;
7482 }
7483 }
7484 }
7485 else if (streq(p[0], "username-as-common-name") && !p[1])
7486 {
7487 VERIFY_PERMISSION(OPT_P_GENERAL);
7488 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7489 }
7490 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7491 {
7492 VERIFY_PERMISSION(OPT_P_GENERAL);
7493 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7494 }
7495 else if (streq(p[0], "opt-verify") && !p[1])
7496 {
7497 VERIFY_PERMISSION(OPT_P_GENERAL);
7498 options->ssl_flags |= SSLF_OPT_VERIFY;
7499 }
7500 else if (streq(p[0], "auth-user-pass-verify") && p[1])
7501 {
7502 VERIFY_PERMISSION(OPT_P_SCRIPT);
7503 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7504 {
7505 goto err;
7506 }
7507 if (p[2])
7508 {
7509 if (streq(p[2], "via-env"))
7510 {
7511 options->auth_user_pass_verify_script_via_file = false;
7512 }
7513 else if (streq(p[2], "via-file"))
7514 {
7515 options->auth_user_pass_verify_script_via_file = true;
7516 }
7517 else
7518 {
7519 msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7520 goto err;
7521 }
7522 }
7523 else
7524 {
7525 msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7526 goto err;
7527 }
7528 set_user_script(options,
7529 &options->auth_user_pass_verify_script,
7530 p[1], "auth-user-pass-verify", true);
7531 }
7532 else if (streq(p[0], "auth-gen-token"))
7533 {
7534 VERIFY_PERMISSION(OPT_P_GENERAL);
7535 options->auth_token_generate = true;
7536 options->auth_token_lifetime = p[1] ? positive_atoi(p[1]) : 0;
7537
7538 for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
7539 {
7540 /* the second parameter can be the renewal time */
7541 if (i == 2 && positive_atoi(p[i]))
7542 {
7543 options->auth_token_renewal = positive_atoi(p[i]);
7544 }
7545 else if (streq(p[i], "external-auth"))
7546 {
7547 options->auth_token_call_auth = true;
7548 }
7549 else
7550 {
7551 msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
7552 }
7553 }
7554
7555 }
7556 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7557 {
7558 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7559 options->auth_token_secret_file = p[1];
7560 options->auth_token_secret_file_inline = is_inline;
7561
7562 }
7563 else if (streq(p[0], "client-connect") && p[1])
7564 {
7565 VERIFY_PERMISSION(OPT_P_SCRIPT);
7566 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7567 {
7568 goto err;
7569 }
7570 set_user_script(options, &options->client_connect_script,
7571 p[1], "client-connect", true);
7572 }
7573 else if (streq(p[0], "client-crresponse") && p[1])
7574 {
7575 VERIFY_PERMISSION(OPT_P_SCRIPT);
7576 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7577 {
7578 goto err;
7579 }
7580 set_user_script(options, &options->client_crresponse_script,
7581 p[1], "client-crresponse", true);
7582 }
7583 else if (streq(p[0], "client-disconnect") && p[1])
7584 {
7585 VERIFY_PERMISSION(OPT_P_SCRIPT);
7586 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7587 {
7588 goto err;
7589 }
7590 set_user_script(options, &options->client_disconnect_script,
7591 p[1], "client-disconnect", true);
7592 }
7593 else if (streq(p[0], "learn-address") && p[1])
7594 {
7595 VERIFY_PERMISSION(OPT_P_SCRIPT);
7596 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7597 {
7598 goto err;
7599 }
7600 set_user_script(options, &options->learn_address_script,
7601 p[1], "learn-address", true);
7602 }
7603 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7604 {
7605 VERIFY_PERMISSION(OPT_P_GENERAL);
7606 options->tmp_dir = p[1];
7607 }
7608 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7609 {
7610 VERIFY_PERMISSION(OPT_P_GENERAL);
7611 options->client_config_dir = p[1];
7612 }
7613 else if (streq(p[0], "ccd-exclusive") && !p[1])
7614 {
7615 VERIFY_PERMISSION(OPT_P_GENERAL);
7616 options->ccd_exclusive = true;
7617 }
7618 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7619 {
7620 int n_bcast_buf;
7621
7622 VERIFY_PERMISSION(OPT_P_GENERAL);
7623 n_bcast_buf = atoi(p[1]);
7624 if (n_bcast_buf < 1)
7625 {
7626 msg(msglevel, "--bcast-buffers parameter must be > 0");
7627 }
7628 options->n_bcast_buf = n_bcast_buf;
7629 }
7630 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7631 {
7632 int tcp_queue_limit;
7633
7634 VERIFY_PERMISSION(OPT_P_GENERAL);
7635 tcp_queue_limit = atoi(p[1]);
7636 if (tcp_queue_limit < 1)
7637 {
7638 msg(msglevel, "--tcp-queue-limit parameter must be > 0");
7639 }
7640 options->tcp_queue_limit = tcp_queue_limit;
7641 }
7642 #if PORT_SHARE
7643 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7644 {
7645 VERIFY_PERMISSION(OPT_P_GENERAL);
7646 options->port_share_host = p[1];
7647 options->port_share_port = p[2];
7648 options->port_share_journal_dir = p[3];
7649 }
7650 #endif
7651 else if (streq(p[0], "client-to-client") && !p[1])
7652 {
7653 VERIFY_PERMISSION(OPT_P_GENERAL);
7654 options->enable_c2c = true;
7655 }
7656 else if (streq(p[0], "duplicate-cn") && !p[1])
7657 {
7658 VERIFY_PERMISSION(OPT_P_GENERAL);
7659 options->duplicate_cn = true;
7660 }
7661 else if (streq(p[0], "iroute") && p[1] && !p[3])
7662 {
7663 VERIFY_PERMISSION(OPT_P_INSTANCE);
7664 option_iroute(options, p[1], p[2], msglevel);
7665 }
7666 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7667 {
7668 VERIFY_PERMISSION(OPT_P_INSTANCE);
7669 option_iroute_ipv6(options, p[1], msglevel);
7670 }
7671 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7672 {
7673 in_addr_t local, remote_netmask;
7674
7675 VERIFY_PERMISSION(OPT_P_INSTANCE);
7676 local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7677 remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7678 if (local && remote_netmask)
7679 {
7680 options->push_ifconfig_defined = true;
7681 options->push_ifconfig_local = local;
7682 options->push_ifconfig_remote_netmask = remote_netmask;
7683 if (p[3])
7684 {
7685 options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7686 }
7687 }
7688 else
7689 {
7690 msg(msglevel, "cannot parse --ifconfig-push addresses");
7691 goto err;
7692 }
7693 }
7694 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7695 {
7696 in_addr_t network, netmask;
7697
7698 VERIFY_PERMISSION(OPT_P_GENERAL);
7699 network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7700 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7701 if (network && netmask)
7702 {
7703 options->push_ifconfig_constraint_defined = true;
7704 options->push_ifconfig_constraint_network = network;
7705 options->push_ifconfig_constraint_netmask = netmask;
7706 }
7707 else
7708 {
7709 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7710 goto err;
7711 }
7712 }
7713 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7714 {
7715 struct in6_addr local, remote;
7716 unsigned int netbits;
7717
7718 VERIFY_PERMISSION(OPT_P_INSTANCE);
7719
7720 if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
7721 {
7722 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7723 goto err;
7724 }
7725
7726 if (p[2])
7727 {
7728 if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
7729 {
7730 msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7731 goto err;
7732 }
7733 }
7734 else
7735 {
7736 if (!options->ifconfig_ipv6_local
7737 || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
7738 NULL, msglevel ) )
7739 {
7740 msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7741 goto err;
7742 }
7743 }
7744
7745 options->push_ifconfig_ipv6_defined = true;
7746 options->push_ifconfig_ipv6_local = local;
7747 options->push_ifconfig_ipv6_netbits = netbits;
7748 options->push_ifconfig_ipv6_remote = remote;
7749 options->push_ifconfig_ipv6_blocked = false;
7750 }
7751 else if (streq(p[0], "disable") && !p[1])
7752 {
7753 VERIFY_PERMISSION(OPT_P_INSTANCE);
7754 options->disable = true;
7755 }
7756 else if (streq(p[0], "tcp-nodelay") && !p[1])
7757 {
7758 VERIFY_PERMISSION(OPT_P_GENERAL);
7759 options->server_flags |= SF_TCP_NODELAY_HELPER;
7760 }
7761 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7762 {
7763 int ageing_time, check_interval;
7764
7765 VERIFY_PERMISSION(OPT_P_GENERAL);
7766 ageing_time = atoi(p[1]);
7767 if (p[2])
7768 {
7769 check_interval = atoi(p[2]);
7770 }
7771 else
7772 {
7773 check_interval = ageing_time;
7774 }
7775
7776 if (ageing_time < 1 || check_interval < 1)
7777 {
7778 msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
7779 goto err;
7780 }
7781 options->stale_routes_ageing_time = ageing_time;
7782 options->stale_routes_check_interval = check_interval;
7783 }
7784
7785 else if (streq(p[0], "client") && !p[1])
7786 {
7787 VERIFY_PERMISSION(OPT_P_GENERAL);
7788 options->client = true;
7789 }
7790 else if (streq(p[0], "pull") && !p[1])
7791 {
7792 VERIFY_PERMISSION(OPT_P_GENERAL);
7793 options->pull = true;
7794 }
7795 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
7796 {
7797 VERIFY_PERMISSION(OPT_P_PULL_MODE);
7798 options->push_continuation = atoi(p[1]);
7799 }
7800 else if (streq(p[0], "auth-user-pass") && !p[2])
7801 {
7802 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7803 if (p[1])
7804 {
7805 options->auth_user_pass_file = p[1];
7806 options->auth_user_pass_file_inline = is_inline;
7807 }
7808 else
7809 {
7810 options->auth_user_pass_file = "stdin";
7811 }
7812 }
7813 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
7814 {
7815 VERIFY_PERMISSION(OPT_P_GENERAL);
7816 auth_retry_set(msglevel, p[1]);
7817 }
7818 #ifdef ENABLE_MANAGEMENT
7819 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3])
7820 {
7821 VERIFY_PERMISSION(OPT_P_GENERAL);
7822 options->sc_info.challenge_text = p[1];
7823 if (atoi(p[2]))
7824 {
7825 options->sc_info.flags |= SC_ECHO;
7826 }
7827 }
7828 #endif
7829 else if (streq(p[0], "msg-channel") && p[1])
7830 {
7831 #ifdef _WIN32
7832 VERIFY_PERMISSION(OPT_P_GENERAL);
7833 HANDLE process = GetCurrentProcess();
7834 HANDLE handle = (HANDLE) atoll(p[1]);
7835 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
7836 FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
7837 {
7838 msg(msglevel, "could not duplicate service pipe handle");
7839 goto err;
7840 }
7841 options->route_method = ROUTE_METHOD_SERVICE;
7842 #else /* ifdef _WIN32 */
7843 msg(msglevel, "--msg-channel is only supported on Windows");
7844 goto err;
7845 #endif
7846 }
7847 #ifdef _WIN32
7848 else if (streq(p[0], "win-sys") && p[1] && !p[2])
7849 {
7850 VERIFY_PERMISSION(OPT_P_GENERAL);
7851 if (streq(p[1], "env"))
7852 {
7853 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
7854 "This entry will now be ignored. "
7855 "Please remove this entry from your configuration file.");
7856 }
7857 else
7858 {
7859 set_win_sys_path(p[1], es);
7860 }
7861 }
7862 else if (streq(p[0], "route-method") && p[1] && !p[2])
7863 {
7864 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7865 if (streq(p[1], "adaptive"))
7866 {
7867 options->route_method = ROUTE_METHOD_ADAPTIVE;
7868 }
7869 else if (streq(p[1], "ipapi"))
7870 {
7871 options->route_method = ROUTE_METHOD_IPAPI;
7872 }
7873 else if (streq(p[1], "exe"))
7874 {
7875 options->route_method = ROUTE_METHOD_EXE;
7876 }
7877 else
7878 {
7879 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
7880 goto err;
7881 }
7882 }
7883 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
7884 {
7885 const int index = ascii2ipset(p[1]);
7886 struct tuntap_options *to = &options->tuntap_options;
7887
7888 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7889
7890 if (index < 0)
7891 {
7892 msg(msglevel,
7893 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
7894 p[1],
7895 ipset2ascii_all(&gc));
7896 goto err;
7897 }
7898
7899 if (index == IPW32_SET_ADAPTIVE)
7900 {
7901 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
7902 }
7903
7904 if (index == IPW32_SET_DHCP_MASQ)
7905 {
7906 if (p[2])
7907 {
7908 if (!streq(p[2], "default"))
7909 {
7910 int offset = atoi(p[2]);
7911
7912 if (!(offset > -256 && offset < 256))
7913 {
7914 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
7915 goto err;
7916 }
7917
7918 to->dhcp_masq_custom_offset = true;
7919 to->dhcp_masq_offset = offset;
7920 }
7921
7922 if (p[3])
7923 {
7924 const int min_lease = 30;
7925 int lease_time;
7926 lease_time = atoi(p[3]);
7927 if (lease_time < min_lease)
7928 {
7929 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
7930 goto err;
7931 }
7932 to->dhcp_lease_time = lease_time;
7933 }
7934 }
7935 }
7936 to->ip_win32_type = index;
7937 to->ip_win32_defined = true;
7938 }
7939 #endif /* ifdef _WIN32 */
7940 else if (streq(p[0], "dns") && p[1])
7941 {
7942 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7943
7944 if (streq(p[1], "search-domains") && p[2])
7945 {
7946 dns_domain_list_append(&options->dns_options.search_domains, &p[2], &options->dns_options.gc);
7947 }
7948 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
7949 {
7950 long priority;
7951 if (!dns_server_priority_parse(&priority, p[2], pull_mode))
7952 {
7953 msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
7954 goto err;
7955 }
7956
7957 struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
7958
7959 if (streq(p[3], "address") && !p[6])
7960 {
7961 for (int i = 4; p[i]; i++)
7962 {
7963 if (!dns_server_addr_parse(server, p[i]))
7964 {
7965 msg(msglevel, "--dns server %ld: malformed or duplicate address '%s'", priority, p[i]);
7966 goto err;
7967 }
7968 }
7969 }
7970 else if (streq(p[3], "resolve-domains"))
7971 {
7972 if (server->domain_type == DNS_EXCLUDE_DOMAINS)
7973 {
7974 msg(msglevel, "--dns server %ld: cannot use resolve-domains and exclude-domains", priority);
7975 goto err;
7976 }
7977 server->domain_type = DNS_RESOLVE_DOMAINS;
7978 dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
7979 }
7980 else if (streq(p[3], "exclude-domains"))
7981 {
7982 if (server->domain_type == DNS_RESOLVE_DOMAINS)
7983 {
7984 msg(msglevel, "--dns server %ld: cannot use exclude-domains and resolve-domains", priority);
7985 goto err;
7986 }
7987 server->domain_type = DNS_EXCLUDE_DOMAINS;
7988 dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
7989 }
7990 else if (streq(p[3], "dnssec") && !p[5])
7991 {
7992 if (streq(p[4], "yes"))
7993 {
7994 server->dnssec = DNS_SECURITY_YES;
7995 }
7996 else if (streq(p[4], "no"))
7997 {
7998 server->dnssec = DNS_SECURITY_NO;
7999 }
8000 else if (streq(p[4], "optional"))
8001 {
8002 server->dnssec = DNS_SECURITY_OPTIONAL;
8003 }
8004 else
8005 {
8006 msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
8007 goto err;
8008 }
8009 }
8010 else if (streq(p[3], "transport") && !p[5])
8011 {
8012 if (streq(p[4], "plain"))
8013 {
8014 server->transport = DNS_TRANSPORT_PLAIN;
8015 }
8016 else if (streq(p[4], "DoH"))
8017 {
8018 server->transport = DNS_TRANSPORT_HTTPS;
8019 }
8020 else if (streq(p[4], "DoT"))
8021 {
8022 server->transport = DNS_TRANSPORT_TLS;
8023 }
8024 else
8025 {
8026 msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
8027 goto err;
8028 }
8029 }
8030 else if (streq(p[3], "sni") && !p[5])
8031 {
8032 server->sni = p[4];
8033 }
8034 else
8035 {
8036 msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]);
8037 goto err;
8038 }
8039 }
8040 else
8041 {
8042 msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
8043 goto err;
8044 }
8045 }
8046 #if defined(_WIN32) || defined(TARGET_ANDROID)
8047 else if (streq(p[0], "dhcp-option") && p[1])
8048 {
8049 struct tuntap_options *o = &options->tuntap_options;
8050 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8051 bool ipv6dns = false;
8052
8053 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX"))
8054 && p[2] && !p[3])
8055 {
8056 o->domain = p[2];
8057 }
8058 else if (streq(p[1], "NBS") && p[2] && !p[3])
8059 {
8060 o->netbios_scope = p[2];
8061 }
8062 else if (streq(p[1], "NBT") && p[2] && !p[3])
8063 {
8064 int t;
8065 t = atoi(p[2]);
8066 if (!(t == 1 || t == 2 || t == 4 || t == 8))
8067 {
8068 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8069 goto err;
8070 }
8071 o->netbios_node_type = t;
8072 }
8073 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
8074 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
8075 {
8076 if (strstr(p[2], ":"))
8077 {
8078 ipv6dns = true;
8079 dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
8080 }
8081 else
8082 {
8083 dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel);
8084 }
8085 }
8086 else if (streq(p[1], "WINS") && p[2] && !p[3])
8087 {
8088 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8089 }
8090 else if (streq(p[1], "NTP") && p[2] && !p[3])
8091 {
8092 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8093 }
8094 else if (streq(p[1], "NBDD") && p[2] && !p[3])
8095 {
8096 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8097 }
8098 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
8099 {
8100 if (o->domain_search_list_len < N_SEARCH_LIST_LEN)
8101 {
8102 o->domain_search_list[o->domain_search_list_len++] = p[2];
8103 }
8104 else
8105 {
8106 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
8107 p[1], N_SEARCH_LIST_LEN);
8108 }
8109 }
8110 else if (streq(p[1], "DISABLE-NBT") && !p[2])
8111 {
8112 o->disable_nbt = 1;
8113 }
8114 #if defined(TARGET_ANDROID)
8115 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8116 {
8117 o->http_proxy_port = atoi(p[3]);
8118 o->http_proxy = p[2];
8119 }
8120 #endif
8121 else
8122 {
8123 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
8124 goto err;
8125 }
8126
8127 /* flag that we have options to give to the TAP driver's DHCPv4 server
8128 * - skipped for "DNS6", as that's not a DHCPv4 option
8129 */
8130 if (!ipv6dns)
8131 {
8132 o->dhcp_options = true;
8133 }
8134 }
8135 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8136 #ifdef _WIN32
8137 else if (streq(p[0], "show-adapters") && !p[1])
8138 {
8139 VERIFY_PERMISSION(OPT_P_GENERAL);
8140 show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
8141 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8142 }
8143 else if (streq(p[0], "show-net") && !p[1])
8144 {
8145 VERIFY_PERMISSION(OPT_P_GENERAL);
8146 show_routes(M_INFO|M_NOPREFIX);
8147 show_adapters(M_INFO|M_NOPREFIX);
8148 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8149 }
8150 else if (streq(p[0], "show-net-up") && !p[1])
8151 {
8152 VERIFY_PERMISSION(OPT_P_UP);
8153 options->show_net_up = true;
8154 }
8155 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8156 {
8157 int s;
8158 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8159 s = atoi(p[1]);
8160 if (s < 0 || s >= 256)
8161 {
8162 msg(msglevel, "--tap-sleep parameter must be between 0 and 255");
8163 goto err;
8164 }
8165 options->tuntap_options.tap_sleep = s;
8166 }
8167 else if (streq(p[0], "dhcp-renew") && !p[1])
8168 {
8169 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8170 options->tuntap_options.dhcp_renew = true;
8171 }
8172 else if (streq(p[0], "dhcp-pre-release") && !p[1])
8173 {
8174 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8175 options->tuntap_options.dhcp_pre_release = true;
8176 options->tuntap_options.dhcp_renew = true;
8177 }
8178 else if (streq(p[0], "dhcp-release") && !p[1])
8179 {
8180 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8181 }
8182 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8183 {
8184 unsigned int adapter_index;
8185 VERIFY_PERMISSION(OPT_P_GENERAL);
8186 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8187 adapter_index = atou(p[1]);
8188 sleep(options->tuntap_options.tap_sleep);
8189 if (options->tuntap_options.dhcp_pre_release)
8190 {
8191 dhcp_release_by_adapter_index(adapter_index);
8192 }
8193 if (options->tuntap_options.dhcp_renew)
8194 {
8195 dhcp_renew_by_adapter_index(adapter_index);
8196 }
8197 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8198 }
8199 else if (streq(p[0], "register-dns") && !p[1])
8200 {
8201 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8202 options->tuntap_options.register_dns = true;
8203 }
8204 else if (streq(p[0], "block-outside-dns") && !p[1])
8205 {
8206 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8207 options->block_outside_dns = true;
8208 }
8209 else if (streq(p[0], "rdns-internal") && !p[1])
8210 /* standalone method for internal use
8211 *
8212 * (if --register-dns is set, openvpn needs to call itself in a
8213 * sub-process to execute the required functions in a non-blocking
8214 * way, and uses --rdns-internal to signal that to itself)
8215 */
8216 {
8217 VERIFY_PERMISSION(OPT_P_GENERAL);
8218 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8219 if (options->tuntap_options.register_dns)
8220 {
8221 ipconfig_register_dns(NULL);
8222 }
8223 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8224 }
8225 else if (streq(p[0], "show-valid-subnets") && !p[1])
8226 {
8227 VERIFY_PERMISSION(OPT_P_GENERAL);
8228 show_valid_win32_tun_subnets();
8229 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8230 }
8231 else if (streq(p[0], "pause-exit") && !p[1])
8232 {
8233 VERIFY_PERMISSION(OPT_P_GENERAL);
8234 set_pause_exit_win32();
8235 }
8236 else if (streq(p[0], "service") && p[1] && !p[3])
8237 {
8238 VERIFY_PERMISSION(OPT_P_GENERAL);
8239 options->exit_event_name = p[1];
8240 if (p[2])
8241 {
8242 options->exit_event_initial_state = (atoi(p[2]) != 0);
8243 }
8244 }
8245 else if (streq(p[0], "allow-nonadmin") && !p[2])
8246 {
8247 VERIFY_PERMISSION(OPT_P_GENERAL);
8248 tap_allow_nonadmin_access(p[1]);
8249 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8250 }
8251 else if (streq(p[0], "user") && p[1] && !p[2])
8252 {
8253 VERIFY_PERMISSION(OPT_P_GENERAL);
8254 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8255 }
8256 else if (streq(p[0], "group") && p[1] && !p[2])
8257 {
8258 VERIFY_PERMISSION(OPT_P_GENERAL);
8259 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8260 }
8261 #else /* ifdef _WIN32 */
8262 else if (streq(p[0], "user") && p[1] && !p[2])
8263 {
8264 VERIFY_PERMISSION(OPT_P_GENERAL);
8265 options->username = p[1];
8266 }
8267 else if (streq(p[0], "group") && p[1] && !p[2])
8268 {
8269 VERIFY_PERMISSION(OPT_P_GENERAL);
8270 options->groupname = p[1];
8271 }
8272 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8273 {
8274 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8275 setenv_foreign_option(options, (const char **)p, 3, es);
8276 }
8277 else if (streq(p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
8278 {
8279 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8280 }
8281 #endif /* ifdef _WIN32 */
8282 #if PASSTOS_CAPABILITY
8283 else if (streq(p[0], "passtos") && !p[1])
8284 {
8285 VERIFY_PERMISSION(OPT_P_GENERAL);
8286 options->passtos = true;
8287 }
8288 #endif
8289 #if defined(USE_COMP)
8290 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8291 {
8292 VERIFY_PERMISSION(OPT_P_GENERAL);
8293
8294 if (streq(p[1], "no"))
8295 {
8296 options->comp.flags =
8297 COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
8298 if (comp_non_stub_enabled(&options->comp))
8299 {
8300 msg(msglevel, "'--allow-compression no' conflicts with "
8301 " enabling compression");
8302 }
8303 }
8304 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8305 {
8306 /* Also printed on a push to hint at configuration problems */
8307 msg(msglevel, "Cannot set allow-compression to '%s' "
8308 "after set to 'no'", p[1]);
8309 goto err;
8310 }
8311 else if (streq(p[1], "asym"))
8312 {
8313 options->comp.flags &= ~COMP_F_ALLOW_COMPRESS;
8314 options->comp.flags |= COMP_F_ALLOW_ASYM;
8315 }
8316 else if (streq(p[1], "yes"))
8317 {
8318 msg(M_WARN, "WARNING: Compression for sending and receiving enabled. Compression has "
8319 "been used in the past to break encryption. Allowing compression allows "
8320 "attacks that break encryption. Using \"--allow-compression yes\" is "
8321 "strongly discouraged for common usage. See --compress in the manual "
8322 "page for more information ");
8323
8324 options->comp.flags |= COMP_F_ALLOW_COMPRESS;
8325 }
8326 else
8327 {
8328 msg(msglevel, "bad allow-compression option: %s -- "
8329 "must be 'yes', 'no', or 'asym'", p[1]);
8330 goto err;
8331 }
8332 }
8333 else if (streq(p[0], "comp-lzo") && !p[2])
8334 {
8335 VERIFY_PERMISSION(OPT_P_COMP);
8336
8337 /* All lzo variants do not use swap */
8338 options->comp.flags &= ~COMP_F_SWAP;
8339 #if defined(ENABLE_LZO)
8340 if (p[1] && streq(p[1], "no"))
8341 #endif
8342 {
8343 options->comp.alg = COMP_ALG_STUB;
8344 options->comp.flags &= ~COMP_F_ADAPTIVE;
8345 }
8346 #if defined(ENABLE_LZO)
8347 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8348 {
8349 /* Also printed on a push to hint at configuration problems */
8350 msg(msglevel, "Cannot set comp-lzo to '%s', "
8351 "allow-compression is set to 'no'", p[1]);
8352 goto err;
8353 }
8354 else if (p[1])
8355 {
8356 if (streq(p[1], "yes"))
8357 {
8358 options->comp.alg = COMP_ALG_LZO;
8359 options->comp.flags &= ~COMP_F_ADAPTIVE;
8360 }
8361 else if (streq(p[1], "adaptive"))
8362 {
8363 options->comp.alg = COMP_ALG_LZO;
8364 options->comp.flags |= COMP_F_ADAPTIVE;
8365 }
8366 else
8367 {
8368 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
8369 goto err;
8370 }
8371 }
8372 else
8373 {
8374 options->comp.alg = COMP_ALG_LZO;
8375 options->comp.flags |= COMP_F_ADAPTIVE;
8376 }
8377 show_compression_warning(&options->comp);
8378 #endif /* if defined(ENABLE_LZO) */
8379 }
8380 else if (streq(p[0], "comp-noadapt") && !p[1])
8381 {
8382 /*
8383 * We do not need to check here if we allow compression since
8384 * it only modifies a flag if compression is enabled
8385 */
8386 VERIFY_PERMISSION(OPT_P_COMP);
8387 options->comp.flags &= ~COMP_F_ADAPTIVE;
8388 }
8389 else if (streq(p[0], "compress") && !p[2])
8390 {
8391 VERIFY_PERMISSION(OPT_P_COMP);
8392 if (p[1])
8393 {
8394 if (streq(p[1], "stub"))
8395 {
8396 options->comp.alg = COMP_ALG_STUB;
8397 options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
8398 }
8399 else if (streq(p[1], "stub-v2"))
8400 {
8401 options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8402 options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8403 }
8404 else if (streq(p[1], "migrate"))
8405 {
8406 options->comp.alg = COMP_ALG_UNDEF;
8407 options->comp.flags = COMP_F_MIGRATE;
8408
8409 }
8410 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8411 {
8412 /* Also printed on a push to hint at configuration problems */
8413 msg(msglevel, "Cannot set compress to '%s', "
8414 "allow-compression is set to 'no'", p[1]);
8415 goto err;
8416 }
8417 #if defined(ENABLE_LZO)
8418 else if (streq(p[1], "lzo"))
8419 {
8420 options->comp.alg = COMP_ALG_LZO;
8421 options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP);
8422 }
8423 #endif
8424 #if defined(ENABLE_LZ4)
8425 else if (streq(p[1], "lz4"))
8426 {
8427 options->comp.alg = COMP_ALG_LZ4;
8428 options->comp.flags |= COMP_F_SWAP;
8429 }
8430 else if (streq(p[1], "lz4-v2"))
8431 {
8432 options->comp.alg = COMP_ALGV2_LZ4;
8433 }
8434 #endif
8435 else
8436 {
8437 msg(msglevel, "bad comp option: %s", p[1]);
8438 goto err;
8439 }
8440 }
8441 else
8442 {
8443 options->comp.alg = COMP_ALG_STUB;
8444 options->comp.flags |= COMP_F_SWAP;
8445 }
8446 show_compression_warning(&options->comp);
8447 }
8448 #endif /* USE_COMP */
8449 else if (streq(p[0], "show-ciphers") && !p[1])
8450 {
8451 VERIFY_PERMISSION(OPT_P_GENERAL);
8452 options->show_ciphers = true;
8453 }
8454 else if (streq(p[0], "show-digests") && !p[1])
8455 {
8456 VERIFY_PERMISSION(OPT_P_GENERAL);
8457 options->show_digests = true;
8458 }
8459 else if (streq(p[0], "show-engines") && !p[1])
8460 {
8461 VERIFY_PERMISSION(OPT_P_GENERAL);
8462 options->show_engines = true;
8463 }
8464 else if (streq(p[0], "key-direction") && p[1] && !p[2])
8465 {
8466 int key_direction;
8467
8468 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
8469
8470 key_direction = ascii2keydirection(msglevel, p[1]);
8471 if (key_direction >= 0)
8472 {
8473 if (permission_mask & OPT_P_GENERAL)
8474 {
8475 options->key_direction = key_direction;
8476 }
8477 else if (permission_mask & OPT_P_CONNECTION)
8478 {
8479 options->ce.key_direction = key_direction;
8480 }
8481 }
8482 else
8483 {
8484 goto err;
8485 }
8486 }
8487 else if (streq(p[0], "secret") && p[1] && !p[3])
8488 {
8489 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8490 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8491 options->shared_secret_file = p[1];
8492 options->shared_secret_file_inline = is_inline;
8493 if (!is_inline && p[2])
8494 {
8495 int key_direction;
8496
8497 key_direction = ascii2keydirection(msglevel, p[2]);
8498 if (key_direction >= 0)
8499 {
8500 options->key_direction = key_direction;
8501 }
8502 else
8503 {
8504 goto err;
8505 }
8506 }
8507 }
8508 else if (streq(p[0], "genkey") && !p[4])
8509 {
8510 VERIFY_PERMISSION(OPT_P_GENERAL);
8511 options->genkey = true;
8512 if (!p[1])
8513 {
8514 options->genkey_type = GENKEY_SECRET;
8515 }
8516 else
8517 {
8518 if (streq(p[1], "secret") || streq(p[1], "tls-auth")
8519 || streq(p[1], "tls-crypt"))
8520 {
8521 options->genkey_type = GENKEY_SECRET;
8522 }
8523 else if (streq(p[1], "tls-crypt-v2-server"))
8524 {
8525 options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
8526 }
8527 else if (streq(p[1], "tls-crypt-v2-client"))
8528 {
8529 options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
8530 if (p[3])
8531 {
8532 options->genkey_extra_data = p[3];
8533 }
8534 }
8535 else if (streq(p[1], "auth-token"))
8536 {
8537 options->genkey_type = GENKEY_AUTH_TOKEN;
8538 }
8539 else
8540 {
8541 msg(msglevel, "unknown --genkey type: %s", p[1]);
8542 }
8543
8544 }
8545 if (p[2])
8546 {
8547 options->genkey_filename = p[2];
8548 }
8549 }
8550 else if (streq(p[0], "auth") && p[1] && !p[2])
8551 {
8552 VERIFY_PERMISSION(OPT_P_GENERAL);
8553 options->authname = p[1];
8554 }
8555 else if (streq(p[0], "cipher") && p[1] && !p[2])
8556 {
8557 VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
8558 options->ciphername = p[1];
8559 }
8560 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8561 {
8562 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8563 options->ciphername = p[1];
8564 options->enable_ncp_fallback = true;
8565 }
8566 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
8567 && p[1] && !p[2])
8568 {
8569 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8570 if (streq(p[0], "ncp-ciphers"))
8571 {
8572 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8573 " '--data-ciphers' (renamed in OpenVPN 2.5).");
8574 }
8575 options->ncp_ciphers = p[1];
8576 }
8577 else if (streq(p[0], "key-derivation") && p[1])
8578 {
8579 /* NCP only option that is pushed by the server to enable EKM,
8580 * should not be used by normal users in config files*/
8581 VERIFY_PERMISSION(OPT_P_NCP)
8582 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8583 if (streq(p[1], "tls-ekm"))
8584 {
8585 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8586 }
8587 else
8588 #endif
8589 {
8590 msg(msglevel, "Unknown key-derivation method %s", p[1]);
8591 }
8592 }
8593 else if (streq(p[0], "protocol-flags") && p[1])
8594 {
8595 /* NCP only option that is pushed by the server to enable protocol
8596 * features that are negotiated, should not be used by normal users
8597 * in config files */
8598 VERIFY_PERMISSION(OPT_P_NCP)
8599 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8600 {
8601 if (streq(p[j], "cc-exit"))
8602 {
8603 options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
8604 }
8605 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8606 else if (streq(p[j], "tls-ekm"))
8607 {
8608 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8609 }
8610 #endif
8611 else
8612 {
8613 msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
8614 }
8615 }
8616 }
8617 else if (streq(p[0], "prng") && p[1] && !p[3])
8618 {
8619 msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8620 }
8621 else if (streq(p[0], "no-replay") && !p[1])
8622 {
8623 VERIFY_PERMISSION(OPT_P_GENERAL);
8624 options->replay = false;
8625 }
8626 else if (streq(p[0], "replay-window") && !p[3])
8627 {
8628 VERIFY_PERMISSION(OPT_P_GENERAL);
8629 if (p[1])
8630 {
8631 int replay_window;
8632
8633 replay_window = atoi(p[1]);
8634 if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
8635 {
8636 msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
8637 replay_window,
8638 MIN_SEQ_BACKTRACK,
8639 MAX_SEQ_BACKTRACK);
8640 goto err;
8641 }
8642 options->replay_window = replay_window;
8643
8644 if (p[2])
8645 {
8646 int replay_time;
8647
8648 replay_time = atoi(p[2]);
8649 if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
8650 {
8651 msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
8652 replay_time,
8653 MIN_TIME_BACKTRACK,
8654 MAX_TIME_BACKTRACK);
8655 goto err;
8656 }
8657 options->replay_time = replay_time;
8658 }
8659 }
8660 else
8661 {
8662 msg(msglevel, "replay-window option is missing window size parameter");
8663 goto err;
8664 }
8665 }
8666 else if (streq(p[0], "mute-replay-warnings") && !p[1])
8667 {
8668 VERIFY_PERMISSION(OPT_P_GENERAL);
8669 options->mute_replay_warnings = true;
8670 }
8671 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8672 {
8673 VERIFY_PERMISSION(OPT_P_GENERAL);
8674 options->packet_id_file = p[1];
8675 }
8676 else if (streq(p[0], "test-crypto") && !p[1])
8677 {
8678 VERIFY_PERMISSION(OPT_P_GENERAL);
8679 options->test_crypto = true;
8680 }
8681 #ifndef ENABLE_CRYPTO_MBEDTLS
8682 else if (streq(p[0], "engine") && !p[2])
8683 {
8684 VERIFY_PERMISSION(OPT_P_GENERAL);
8685 if (p[1])
8686 {
8687 options->engine = p[1];
8688 }
8689 else
8690 {
8691 options->engine = "auto";
8692 }
8693 }
8694 #endif /* ENABLE_CRYPTO_MBEDTLS */
8695 else if (streq(p[0], "providers") && p[1])
8696 {
8697 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8698 {
8699 options->providers.names[j] = p[j];
8700 }
8701 }
8702 #ifdef ENABLE_PREDICTION_RESISTANCE
8703 else if (streq(p[0], "use-prediction-resistance") && !p[1])
8704 {
8705 VERIFY_PERMISSION(OPT_P_GENERAL);
8706 options->use_prediction_resistance = true;
8707 }
8708 #endif
8709 else if (streq(p[0], "show-tls") && !p[1])
8710 {
8711 VERIFY_PERMISSION(OPT_P_GENERAL);
8712 options->show_tls_ciphers = true;
8713 }
8714 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8715 {
8716 VERIFY_PERMISSION(OPT_P_GENERAL);
8717 options->show_curves = true;
8718 }
8719 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8720 {
8721 VERIFY_PERMISSION(OPT_P_GENERAL);
8722 msg(M_WARN, "Consider setting groups/curves preference with "
8723 "tls-groups instead of forcing a specific curve with "
8724 "ecdh-curve.");
8725 options->ecdh_curve = p[1];
8726 }
8727 else if (streq(p[0], "tls-server") && !p[1])
8728 {
8729 VERIFY_PERMISSION(OPT_P_GENERAL);
8730 options->tls_server = true;
8731 }
8732 else if (streq(p[0], "tls-client") && !p[1])
8733 {
8734 VERIFY_PERMISSION(OPT_P_GENERAL);
8735 options->tls_client = true;
8736 }
8737 else if (streq(p[0], "ca") && p[1] && !p[2])
8738 {
8739 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8740 options->ca_file = p[1];
8741 options->ca_file_inline = is_inline;
8742 }
8743 #ifndef ENABLE_CRYPTO_MBEDTLS
8744 else if (streq(p[0], "capath") && p[1] && !p[2])
8745 {
8746 VERIFY_PERMISSION(OPT_P_GENERAL);
8747 options->ca_path = p[1];
8748 }
8749 #endif /* ENABLE_CRYPTO_MBEDTLS */
8750 else if (streq(p[0], "dh") && p[1] && !p[2])
8751 {
8752 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8753 options->dh_file = p[1];
8754 options->dh_file_inline = is_inline;
8755 }
8756 else if (streq(p[0], "cert") && p[1] && !p[2])
8757 {
8758 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8759 options->cert_file = p[1];
8760 options->cert_file_inline = is_inline;
8761 }
8762 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8763 {
8764 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8765 options->extra_certs_file = p[1];
8766 options->extra_certs_file_inline = is_inline;
8767 }
8768 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8769 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8770 {
8771 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8772
8773 int verify_hash_depth = 0;
8774 if (streq(p[0], "verify-hash"))
8775 {
8776 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8777 "You should switch to the either use the level 1 certificate as "
8778 "--ca option, use --tls-verify or use --peer-fingerprint");
8779 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8780 verify_hash_depth = 1;
8781 }
8782
8783 options->verify_hash_algo = MD_SHA256;
8784
8785 int digest_len = SHA256_DIGEST_LENGTH;
8786
8787 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
8788 {
8789 msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
8790 " --peer-fingerprint are mutually exclusive", p[0]);
8791 goto err;
8792 }
8793
8794 if (streq(p[0], "verify-hash"))
8795 {
8796 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
8797 {
8798 options->verify_hash_algo = MD_SHA1;
8799 digest_len = SHA_DIGEST_LENGTH;
8800 }
8801 else if (p[2] && !streq(p[2], "SHA256"))
8802 {
8803 msg(msglevel, "invalid or unsupported hashing algorithm: %s "
8804 "(only SHA1 and SHA256 are supported)", p[2]);
8805 goto err;
8806 }
8807 }
8808
8809 struct verify_hash_list *newlist;
8810 newlist = parse_hash_fingerprint_multiline(p[1], digest_len,
8811 msglevel, &options->gc);
8812
8813 /* Append the new list to the end of our current list */
8814 if (!options->verify_hash)
8815 {
8816 options->verify_hash = newlist;
8817 options->verify_hash_depth = verify_hash_depth;
8818 }
8819 else
8820 {
8821 /* since both the old and new list can have multiple entries
8822 * we need to go to the end of one of them to concatenate them */
8823 struct verify_hash_list *listend = options->verify_hash;
8824 while (listend->next)
8825 {
8826 listend = listend->next;
8827 }
8828 listend->next = newlist;
8829 }
8830 }
8831 #ifdef ENABLE_CRYPTOAPI
8832 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
8833 {
8834 VERIFY_PERMISSION(OPT_P_GENERAL);
8835 options->cryptoapi_cert = p[1];
8836 }
8837 #endif
8838 else if (streq(p[0], "key") && p[1] && !p[2])
8839 {
8840 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8841 options->priv_key_file = p[1];
8842 options->priv_key_file_inline = is_inline;
8843 }
8844 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
8845 {
8846 int ver;
8847 VERIFY_PERMISSION(OPT_P_GENERAL);
8848 ver = tls_version_parse(p[1], p[2]);
8849 if (ver == TLS_VER_BAD)
8850 {
8851 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
8852 goto err;
8853 }
8854 options->ssl_flags &=
8855 ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
8856 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
8857 }
8858 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
8859 {
8860 int ver;
8861 VERIFY_PERMISSION(OPT_P_GENERAL);
8862 ver = tls_version_parse(p[1], NULL);
8863 if (ver == TLS_VER_BAD)
8864 {
8865 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
8866 goto err;
8867 }
8868 options->ssl_flags &=
8869 ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
8870 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
8871 }
8872 #ifndef ENABLE_CRYPTO_MBEDTLS
8873 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
8874 {
8875 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8876 options->pkcs12_file = p[1];
8877 options->pkcs12_file_inline = is_inline;
8878 }
8879 #endif /* ENABLE_CRYPTO_MBEDTLS */
8880 else if (streq(p[0], "askpass") && !p[2])
8881 {
8882 VERIFY_PERMISSION(OPT_P_GENERAL);
8883 if (p[1])
8884 {
8885 options->key_pass_file = p[1];
8886 }
8887 else
8888 {
8889 options->key_pass_file = "stdin";
8890 }
8891 }
8892 else if (streq(p[0], "auth-nocache") && !p[1])
8893 {
8894 VERIFY_PERMISSION(OPT_P_GENERAL);
8895 ssl_set_auth_nocache();
8896 }
8897 else if (streq(p[0], "auth-token") && p[1] && !p[2])
8898 {
8899 VERIFY_PERMISSION(OPT_P_ECHO);
8900 ssl_set_auth_token(p[1]);
8901 #ifdef ENABLE_MANAGEMENT
8902 if (management)
8903 {
8904 management_auth_token(management, p[1]);
8905 }
8906 #endif
8907 }
8908 else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
8909 {
8910 VERIFY_PERMISSION(OPT_P_ECHO);
8911 ssl_set_auth_token_user(p[1]);
8912 }
8913 else if (streq(p[0], "single-session") && !p[1])
8914 {
8915 VERIFY_PERMISSION(OPT_P_GENERAL);
8916 options->single_session = true;
8917 }
8918 else if (streq(p[0], "push-peer-info") && !p[1])
8919 {
8920 VERIFY_PERMISSION(OPT_P_GENERAL);
8921 options->push_peer_info = true;
8922 }
8923 else if (streq(p[0], "tls-exit") && !p[1])
8924 {
8925 VERIFY_PERMISSION(OPT_P_GENERAL);
8926 options->tls_exit = true;
8927 }
8928 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
8929 {
8930 VERIFY_PERMISSION(OPT_P_GENERAL);
8931 options->cipher_list = p[1];
8932 }
8933 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
8934 {
8935 VERIFY_PERMISSION(OPT_P_GENERAL);
8936 options->tls_cert_profile = p[1];
8937 }
8938 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
8939 {
8940 VERIFY_PERMISSION(OPT_P_GENERAL);
8941 options->cipher_list_tls13 = p[1];
8942 }
8943 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
8944 {
8945 VERIFY_PERMISSION(OPT_P_GENERAL);
8946 options->tls_groups = p[1];
8947 }
8948 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
8949 || !p[2]))
8950 {
8951 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8952 if (p[2] && streq(p[2], "dir"))
8953 {
8954 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
8955 }
8956 options->crl_file = p[1];
8957 options->crl_file_inline = is_inline;
8958 }
8959 else if (streq(p[0], "tls-verify") && p[1])
8960 {
8961 VERIFY_PERMISSION(OPT_P_SCRIPT);
8962 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8963 {
8964 goto err;
8965 }
8966 set_user_script(options, &options->tls_verify,
8967 string_substitute(p[1], ',', ' ', &options->gc),
8968 "tls-verify", true);
8969 }
8970 #ifndef ENABLE_CRYPTO_MBEDTLS
8971 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
8972 {
8973 VERIFY_PERMISSION(OPT_P_GENERAL);
8974 options->tls_export_cert = p[1];
8975 }
8976 #endif
8977 else if (streq(p[0], "compat-names"))
8978 {
8979 VERIFY_PERMISSION(OPT_P_GENERAL);
8980 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
8981 "Update your configuration.");
8982 goto err;
8983 }
8984 else if (streq(p[0], "no-name-remapping") && !p[1])
8985 {
8986 VERIFY_PERMISSION(OPT_P_GENERAL);
8987 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
8988 "Update your configuration.");
8989 goto err;
8990 }
8991 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
8992 {
8993 int type = VERIFY_X509_SUBJECT_DN;
8994 VERIFY_PERMISSION(OPT_P_GENERAL);
8995 if (p[2])
8996 {
8997 if (streq(p[2], "subject"))
8998 {
8999 type = VERIFY_X509_SUBJECT_DN;
9000 }
9001 else if (streq(p[2], "name"))
9002 {
9003 type = VERIFY_X509_SUBJECT_RDN;
9004 }
9005 else if (streq(p[2], "name-prefix"))
9006 {
9007 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
9008 }
9009 else
9010 {
9011 msg(msglevel, "unknown X.509 name type: %s", p[2]);
9012 goto err;
9013 }
9014 }
9015 options->verify_x509_type = type;
9016 options->verify_x509_name = p[1];
9017 }
9018 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
9019 {
9020 VERIFY_PERMISSION(OPT_P_GENERAL);
9021 if (streq(p[1], "server"))
9022 {
9023 options->ns_cert_type = NS_CERT_CHECK_SERVER;
9024 }
9025 else if (streq(p[1], "client"))
9026 {
9027 options->ns_cert_type = NS_CERT_CHECK_CLIENT;
9028 }
9029 else
9030 {
9031 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
9032 goto err;
9033 }
9034 }
9035 else if (streq(p[0], "remote-cert-ku"))
9036 {
9037 VERIFY_PERMISSION(OPT_P_GENERAL);
9038
9039 size_t j;
9040 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9041 {
9042 sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
9043 }
9044 if (j == 1)
9045 {
9046 /* No specific KU required, but require KU to be present */
9047 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9048 }
9049 }
9050 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
9051 {
9052 VERIFY_PERMISSION(OPT_P_GENERAL);
9053 options->remote_cert_eku = p[1];
9054 }
9055 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
9056 {
9057 VERIFY_PERMISSION(OPT_P_GENERAL);
9058
9059 if (streq(p[1], "server"))
9060 {
9061 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9062 options->remote_cert_eku = "TLS Web Server Authentication";
9063 }
9064 else if (streq(p[1], "client"))
9065 {
9066 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9067 options->remote_cert_eku = "TLS Web Client Authentication";
9068 }
9069 else
9070 {
9071 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
9072 goto err;
9073 }
9074 }
9075 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
9076 {
9077 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9078 options->tls_timeout = positive_atoi(p[1]);
9079 }
9080 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
9081 {
9082 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9083 options->renegotiate_bytes = positive_atoi(p[1]);
9084 }
9085 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
9086 {
9087 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9088 options->renegotiate_packets = positive_atoi(p[1]);
9089 }
9090 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
9091 {
9092 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9093 options->renegotiate_seconds = positive_atoi(p[1]);
9094 if (p[2])
9095 {
9096 options->renegotiate_seconds_min = positive_atoi(p[2]);
9097 }
9098 }
9099 else if (streq(p[0], "hand-window") && p[1] && !p[2])
9100 {
9101 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9102 options->handshake_window = positive_atoi(p[1]);
9103 }
9104 else if (streq(p[0], "tran-window") && p[1] && !p[2])
9105 {
9106 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9107 options->transition_window = positive_atoi(p[1]);
9108 }
9109 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9110 {
9111 int key_direction = -1;
9112
9113 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9114
9115 if (permission_mask & OPT_P_GENERAL)
9116 {
9117 options->tls_auth_file = p[1];
9118 options->tls_auth_file_inline = is_inline;
9119
9120 if (!is_inline && p[2])
9121 {
9122 key_direction = ascii2keydirection(msglevel, p[2]);
9123 if (key_direction < 0)
9124 {
9125 goto err;
9126 }
9127 options->key_direction = key_direction;
9128 }
9129
9130 }
9131 else if (permission_mask & OPT_P_CONNECTION)
9132 {
9133 options->ce.tls_auth_file = p[1];
9134 options->ce.tls_auth_file_inline = is_inline;
9135 options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
9136
9137 if (!is_inline && p[2])
9138 {
9139 key_direction = ascii2keydirection(msglevel, p[2]);
9140 if (key_direction < 0)
9141 {
9142 goto err;
9143 }
9144 options->ce.key_direction = key_direction;
9145 }
9146 }
9147 }
9148 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9149 {
9150 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9151 if (permission_mask & OPT_P_GENERAL)
9152 {
9153 options->tls_crypt_file = p[1];
9154 options->tls_crypt_file_inline = is_inline;
9155 }
9156 else if (permission_mask & OPT_P_CONNECTION)
9157 {
9158 options->ce.tls_crypt_file = p[1];
9159 options->ce.tls_crypt_file_inline = is_inline;
9160 }
9161 }
9162 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9163 {
9164 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9165 if (permission_mask & OPT_P_GENERAL)
9166 {
9167 options->tls_crypt_v2_file = p[1];
9168 options->tls_crypt_v2_file_inline = is_inline;
9169 }
9170 else if (permission_mask & OPT_P_CONNECTION)
9171 {
9172 options->ce.tls_crypt_v2_file = p[1];
9173 options->ce.tls_crypt_v2_file_inline = is_inline;
9174 }
9175
9176 if (p[2] && streq(p[2], "force-cookie"))
9177 {
9178 options->ce.tls_crypt_v2_force_cookie = true;
9179 }
9180 else if (p[2] && streq(p[2], "allow-noncookie"))
9181 {
9182 options->ce.tls_crypt_v2_force_cookie = false;
9183 }
9184 else if (p[2])
9185 {
9186 msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9187 }
9188 }
9189 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9190 {
9191 VERIFY_PERMISSION(OPT_P_GENERAL);
9192 options->tls_crypt_v2_verify_script = p[1];
9193 }
9194 else if (streq(p[0], "x509-track") && p[1] && !p[2])
9195 {
9196 VERIFY_PERMISSION(OPT_P_GENERAL);
9197 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9198 }
9199 #ifdef ENABLE_X509ALTUSERNAME
9200 else if (streq(p[0], "x509-username-field") && p[1])
9201 {
9202 /* This option used to automatically upcase the fieldnames passed as the
9203 * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is
9204 * fine-tuned by only upcasing Subject field attribute names which consist
9205 * of all lower-case characters. Mixed-case attributes such as
9206 * "emailAddress" are left as-is. An option parameter having the "ext:"
9207 * prefix for matching X.509v3 extended fields will also remain unchanged.
9208 */
9209 VERIFY_PERMISSION(OPT_P_GENERAL);
9210 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9211 {
9212 char *s = p[j];
9213
9214 if (strncmp("ext:", s, 4) != 0)
9215 {
9216 size_t i = 0;
9217 while (s[i] && !isupper(s[i]))
9218 {
9219 i++;
9220 }
9221 if (strlen(s) == i)
9222 {
9223 while ((*s = toupper(*s)) != '\0')
9224 {
9225 s++;
9226 }
9227 msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
9228 "--x509-username-field parameter to '%s'; please update your"
9229 "configuration", p[j]);
9230 }
9231 }
9232 else if (!x509_username_field_ext_supported(s+4))
9233 {
9234 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9235 }
9236 options->x509_username_field[j-1] = p[j];
9237 }
9238 }
9239 #endif /* ENABLE_X509ALTUSERNAME */
9240 #ifdef ENABLE_PKCS11
9241 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9242 {
9243 char *provider = p[1];
9244 bool cert_private = (p[2] == NULL ? false : ( atoi(p[2]) != 0 ));
9245
9246 #ifdef DEFAULT_PKCS11_MODULE
9247 if (!provider)
9248 {
9249 provider = DEFAULT_PKCS11_MODULE;
9250 }
9251 else if (!p[2])
9252 {
9253 char *endp = NULL;
9254 int i = strtol(provider, &endp, 10);
9255
9256 if (*endp == 0)
9257 {
9258 /* There was one argument, and it was purely numeric.
9259 * Interpret it as the cert_private argument */
9260 provider = DEFAULT_PKCS11_MODULE;
9261 cert_private = i;
9262 }
9263 }
9264 #else /* ifdef DEFAULT_PKCS11_MODULE */
9265 if (!provider)
9266 {
9267 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9268 goto err;
9269 }
9270 #endif /* ifdef DEFAULT_PKCS11_MODULE */
9271 VERIFY_PERMISSION(OPT_P_GENERAL);
9272
9273 set_debug_level(options->verbosity, SDL_CONSTRAIN);
9274 show_pkcs11_ids(provider, cert_private);
9275 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9276 }
9277 else if (streq(p[0], "pkcs11-providers") && p[1])
9278 {
9279 int j;
9280
9281 VERIFY_PERMISSION(OPT_P_GENERAL);
9282
9283 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9284 {
9285 options->pkcs11_providers[j-1] = p[j];
9286 }
9287 }
9288 else if (streq(p[0], "pkcs11-protected-authentication"))
9289 {
9290 int j;
9291
9292 VERIFY_PERMISSION(OPT_P_GENERAL);
9293
9294 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9295 {
9296 options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9297 }
9298 }
9299 else if (streq(p[0], "pkcs11-private-mode") && p[1])
9300 {
9301 int j;
9302
9303 VERIFY_PERMISSION(OPT_P_GENERAL);
9304
9305 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9306 {
9307 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
9308 }
9309 }
9310 else if (streq(p[0], "pkcs11-cert-private"))
9311 {
9312 int j;
9313
9314 VERIFY_PERMISSION(OPT_P_GENERAL);
9315
9316 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9317 {
9318 options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9319 }
9320 }
9321 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9322 {
9323 VERIFY_PERMISSION(OPT_P_GENERAL);
9324 options->pkcs11_pin_cache_period = atoi(p[1]);
9325 }
9326 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9327 {
9328 VERIFY_PERMISSION(OPT_P_GENERAL);
9329 options->pkcs11_id = p[1];
9330 }
9331 else if (streq(p[0], "pkcs11-id-management") && !p[1])
9332 {
9333 VERIFY_PERMISSION(OPT_P_GENERAL);
9334 options->pkcs11_id_management = true;
9335 }
9336 #endif /* ifdef ENABLE_PKCS11 */
9337 else if (streq(p[0], "rmtun") && !p[1])
9338 {
9339 VERIFY_PERMISSION(OPT_P_GENERAL);
9340 options->persist_config = true;
9341 options->persist_mode = 0;
9342 }
9343 else if (streq(p[0], "mktun") && !p[1])
9344 {
9345 VERIFY_PERMISSION(OPT_P_GENERAL);
9346 options->persist_config = true;
9347 options->persist_mode = 1;
9348 }
9349 else if (streq(p[0], "peer-id") && p[1] && !p[2])
9350 {
9351 VERIFY_PERMISSION(OPT_P_PEER_ID);
9352 options->use_peer_id = true;
9353 options->peer_id = atoi(p[1]);
9354 }
9355 #ifdef HAVE_EXPORT_KEYING_MATERIAL
9356 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9357 {
9358 int ekm_length = positive_atoi(p[2]);
9359
9360 VERIFY_PERMISSION(OPT_P_GENERAL);
9361
9362 if (strncmp(p[1], "EXPORTER", 8))
9363 {
9364 msg(msglevel, "Keying material exporter label must begin with "
9365 "\"EXPORTER\"");
9366 goto err;
9367 }
9368 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9369 {
9370 msg(msglevel, "Keying material exporter label must not be '"
9371 EXPORT_KEY_DATA_LABEL "'.");
9372 }
9373 if (ekm_length < 16 || ekm_length > 4095)
9374 {
9375 msg(msglevel, "Invalid keying material exporter length");
9376 goto err;
9377 }
9378
9379 options->keying_material_exporter_label = p[1];
9380 options->keying_material_exporter_length = ekm_length;
9381 }
9382 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
9383 else if (streq(p[0], "allow-recursive-routing") && !p[1])
9384 {
9385 VERIFY_PERMISSION(OPT_P_GENERAL);
9386 options->allow_recursive_routing = true;
9387 }
9388 else if (streq(p[0], "vlan-tagging") && !p[1])
9389 {
9390 VERIFY_PERMISSION(OPT_P_GENERAL);
9391 options->vlan_tagging = true;
9392 }
9393 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9394 {
9395 VERIFY_PERMISSION(OPT_P_GENERAL);
9396 if (streq(p[1], "tagged"))
9397 {
9398 options->vlan_accept = VLAN_ONLY_TAGGED;
9399 }
9400 else if (streq(p[1], "untagged"))
9401 {
9402 options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9403 }
9404 else if (streq(p[1], "all"))
9405 {
9406 options->vlan_accept = VLAN_ALL;
9407 }
9408 else
9409 {
9410 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9411 goto err;
9412 }
9413 }
9414 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9415 {
9416 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
9417 options->vlan_pvid = positive_atoi(p[1]);
9418 if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
9419 || options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
9420 {
9421 msg(msglevel,
9422 "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9423 OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
9424 goto err;
9425 }
9426 }
9427 else
9428 {
9429 int i;
9430 int msglevel = msglevel_fc;
9431 /* Check if an option is in --ignore-unknown-option and
9432 * set warning level to non fatal */
9433 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9434 {
9435 if (streq(p[0], options->ignore_unknown_option[i]))
9436 {
9437 msglevel = M_WARN;
9438 break;
9439 }
9440 }
9441 if (file)
9442 {
9443 msg(msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
9444 }
9445 else
9446 {
9447 msg(msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
9448 }
9449 }
9450 err:
9451 gc_free(&gc);
9452 }
Mirror of https://github.com/OpenVPN/openvpn.git