* packet encryption, packet authentication, and
* packet compression.
*
- * Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
- * Copyright (C) 2008-2022 David Sommerseth <dazo@eurephia.org>
+ * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
+ * Copyright (C) 2008-2023 David Sommerseth <dazo@eurephia.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
#ifdef HAVE_CONFIG_H
#include "config.h"
-#elif defined(_MSC_VER)
-#include "config-msvc.h"
#endif
#ifdef HAVE_CONFIG_VERSION_H
#include "config-version.h"
"--setenv name value : Set a custom environmental variable to pass to script.\n"
"--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
" directives for future OpenVPN versions to be ignored.\n"
- "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
+ "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
" these options to be ignored when unknown\n"
"--script-security level: Where level can be:\n"
" 0 -- strictly no calling of external programs\n"
" for m seconds.\n"
"--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
" produces a combined in/out byte count < bytes.\n"
+ "--session-timeout n: Limit connection time to n seconds.\n"
"--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
"--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
"--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
"--status file [n] : Write operational status to file every n seconds.\n"
"--status-version [n] : Choose the status file format version number.\n"
" Currently, n can be 1, 2, or 3 (default=1).\n"
- "--disable-occ : Disable options consistency check between peers.\n"
+ "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
#ifdef ENABLE_DEBUG
"--gremlin mask : Special stress testing mode (for debugging only).\n"
#endif
" OTP based two-factor auth mechanisms are in use and\n"
" --reneg-* options are enabled. Optionally a lifetime in seconds\n"
" for generated tokens can be set.\n"
- "--opt-verify : Clients that connect with options that are incompatible\n"
+ "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
" with those of the server will be disconnected.\n"
"--auth-user-pass-optional : Allow connections by clients that don't\n"
" specify a username/password.\n"
" as well as pushes it to connecting clients.\n"
"--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
"--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
+ "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
"--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
"--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
"--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
" each filter is applied in the order of appearance.\n"
"--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
" Valid options are :\n"
- " address <addr[:port]> [addr[:port]] : server address 4/6\n"
+ " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
" resolve-domains <domain> [domain ...] : split domains\n"
- " exclude-domains <domain> [domain ...] : domains not to resolve\n"
" dnssec <yes|no|optional> : option to use DNSSEC\n"
" type <DoH|DoT> : query server over HTTPS / TLS\n"
" sni <domain> : DNS server name indication\n"
"\n"
"Data Channel Encryption Options (must be compatible between peers):\n"
"(These options are meaningful for both Static Key & TLS-mode)\n"
- "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
- " Use shared secret file f, generate with --genkey.\n"
- " The optional d parameter controls key directionality.\n"
- " If d is specified, use separate keys for each\n"
- " direction, set d=0 on one side of the connection,\n"
- " and d=1 on the other side.\n"
"--auth alg : Authenticate packets with HMAC using message\n"
" digest algorithm alg (default=%s).\n"
" (usually adds 16 or 20 bytes per packet)\n"
" Set alg=none to disable authentication.\n"
- "--cipher alg : Encrypt packets with cipher algorithm alg\n"
- " (default=%s).\n"
+ "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
+ " You should usually use --data-ciphers instead.\n"
" Set alg=none to disable encryption.\n"
"--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
#ifndef ENABLE_CRYPTO_MBEDTLS
"--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
#endif
- "--no-replay : (DEPRECATED) Disable replay protection.\n"
"--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
"--replay-window n [t] : Use a replay protection sliding window of size n\n"
" and a time window of t seconds.\n"
"(These options are meaningful only for TLS-mode)\n"
"--tls-server : Enable TLS and assume server role during TLS handshake.\n"
"--tls-client : Enable TLS and assume client role during TLS handshake.\n"
- "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
- " number, such as 1 (default), 2, etc.\n"
"--ca file : Certificate authority file in .pem format containing\n"
" root certificate.\n"
#ifndef ENABLE_CRYPTO_MBEDTLS
" Windows Certificate System Store.\n"
#endif
"--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
- "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
+ "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
" : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
"--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
" (default=legacy).\n"
" control channel to protect against attacks on the TLS stack\n"
" and DoS attacks.\n"
" f (required) is a shared-secret key file.\n"
- " The optional d parameter controls key directionality,\n"
- " see --secret option for more info.\n"
+ " The optional d parameter controls key directionality.\n"
"--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
" of the TLS control channel to hide the TLS certificate,\n"
" provide basic post-quantum security and protect against\n"
" attacks on the TLS stack and DoS attacks.\n"
" key (required) provides the pre-shared key file.\n"
- " see --secret option for more info.\n"
"--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
" For servers: use key to decrypt client-specific keys. For\n"
" key generation (--genkey tls-crypt-v2-client): use key to\n"
" tests of certification. cmd should return 0 to allow\n"
" TLS handshake to proceed, or 1 to fail. (cmd is\n"
" executed as 'cmd certificate_depth subject')\n"
- "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
- " in an openvpn temporary file in [directory]. Peer cert is \n"
- " stored before tls-verify script execution and deleted after.\n"
"--verify-x509-name name: Accept connections only from a host with X509 subject\n"
" DN name. The remote host must also pass all other tests\n"
" of verification.\n"
+#ifndef ENABLE_CRYPTO_MBEDTLS
"--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
" an explicit nsCertType designation t = 'client' | 'server'.\n"
+#endif
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n"
#ifdef HAVE_EXPORT_KEYING_MATERIAL
"--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
" after TAP adapter is up and routes have been added.\n"
"--windows-driver : Which tun driver to use?\n"
- " tap-windows6 (default)\n"
+ " ovpn-dco (default)\n"
+ " tap-windows6\n"
" wintun\n"
"--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
"Windows Standalone Options:\n"
#endif /* ifdef _WIN32 */
"\n"
"Generate a new key :\n"
- "--genkey secret file : Generate a new random key of type and write to file\n"
- " (for use with --secret, --tls-auth or --tls-crypt)."
+ "--genkey tls-auth file : Generate a new random key of type and write to file\n"
+ " (for use with --tls-auth or --tls-crypt)."
#ifdef ENABLE_FEATURE_TUN_PERSIST
"\n"
"Tun/tap config mode (available with linux 2.4+):\n"
o->ce.proto = PROTO_UDP;
o->ce.af = AF_UNSPEC;
o->ce.bind_ipv6_only = false;
- o->ce.connect_retry_seconds = 5;
+ o->ce.connect_retry_seconds = 1;
o->ce.connect_retry_seconds_max = 300;
o->ce.connect_timeout = 120;
o->connect_retry_max = 0;
o->status_file_version = 1;
o->ce.bind_local = true;
o->ce.tun_mtu = TUN_MTU_DEFAULT;
+ o->ce.occ_mtu = 0;
o->ce.link_mtu = LINK_MTU_DEFAULT;
+ o->ce.tls_mtu = TLS_MTU_DEFAULT;
o->ce.mtu_discover_type = -1;
o->ce.mssfix = 0;
o->ce.mssfix_default = true;
o->n_bcast_buf = 256;
o->tcp_queue_limit = 64;
o->max_clients = 1024;
+ o->cf_initial_per = 10;
+ o->cf_initial_max = 100;
o->max_routes_per_client = 256;
o->stale_routes_check_interval = 0;
o->ifconfig_pool_persist_refresh_freq = 600;
o->scheduled_exit_interval = 5;
o->authname = "SHA1";
- o->replay = true;
o->replay_window = DEFAULT_SEQ_BACKTRACK;
o->replay_time = DEFAULT_TIME_BACKTRACK;
o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
void
uninit_options(struct options *o)
{
+ if (o->connection_list)
+ {
+ CLEAR(*o->connection_list);
+ }
+ if (o->remote_list)
+ {
+ CLEAR(*o->remote_list);
+ }
if (o->gc_owned)
{
gc_free(&o->gc);
}
}
+#ifndef _WIN32
static void
setenv_foreign_option(struct options *o, const char *argv[], int len, struct env_set *es)
{
gc_free(&gc);
}
}
+#endif /* ifndef _WIN32 */
static in_addr_t
get_ip_addr(const char *ip_string, int msglevel, bool *error)
SHOW_INT(dhcp_masq_offset);
SHOW_INT(dhcp_lease_time);
SHOW_INT(tap_sleep);
- SHOW_BOOL(dhcp_options);
+ SHOW_UNSIGNED(dhcp_options);
SHOW_BOOL(dhcp_renew);
SHOW_BOOL(dhcp_pre_release);
SHOW_STR(domain);
{
msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to --dhcp-option");
}
+ tt->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
}
if (dns->servers)
const struct dns_server *server = dns->servers;
while (server)
{
- if (server->addr4_defined && tt->dns_len < N_DHCP_ADDR)
- {
- tt->dns[tt->dns_len++] = server->addr4.s_addr;
- }
- else
- {
- overflow = true;
- }
- if (server->addr6_defined && tt->dns6_len < N_DHCP_ADDR)
- {
- tt->dns6[tt->dns6_len++] = server->addr6;
- }
- else
+ for (int i = 0; i < server->addr_count; ++i)
{
- overflow = true;
+ if (server->addr[i].family == AF_INET)
+ {
+ if (tt->dns_len >= N_DHCP_ADDR)
+ {
+ overflow = true;
+ continue;
+ }
+ tt->dns[tt->dns_len++] = server->addr[i].in.a4.s_addr;
+ }
+ else
+ {
+ if (tt->dns6_len >= N_DHCP_ADDR)
+ {
+ overflow = true;
+ continue;
+ }
+ tt->dns6[tt->dns6_len++] = server->addr[i].in.a6;
+ }
}
server = server->next;
}
{
msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to --dhcp-option");
}
+ tt->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
}
}
#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
while (server)
{
- if (server->addr4_defined)
+ for (int i = 0; i < server->addr_count; ++i)
{
- const char *argv[] = {
- "dhcp-option",
- "DNS",
- print_in_addr_t(server->addr4.s_addr, 0, &gc)
- };
- setenv_foreign_option(o, argv, 3, es);
- }
- if (server->addr6_defined)
- {
- const char *argv[] = {
- "dhcp-option",
- "DNS6",
- print_in6_addr(server->addr6, 0, &gc)
- };
- setenv_foreign_option(o, argv, 3, es);
+ if (server->addr[i].family == AF_INET)
+ {
+ const char *argv[] = {
+ "dhcp-option",
+ "DNS",
+ print_in_addr_t(server->addr[i].in.a4.s_addr, 0, &gc)
+ };
+ setenv_foreign_option(o, argv, 3, es);
+ }
+ else
+ {
+ const char *argv[] = {
+ "dhcp-option",
+ "DNS6",
+ print_in6_addr(server->addr[i].in.a6, 0, &gc)
+ };
+ setenv_foreign_option(o, argv, 3, es);
+ }
}
server = server->next;
}
SHOW_BOOL(duplicate_cn);
SHOW_INT(cf_max);
SHOW_INT(cf_per);
+ SHOW_INT(cf_initial_max);
+ SHOW_INT(cf_initial_per);
SHOW_INT(max_clients);
SHOW_INT(max_routes_per_client);
SHOW_STR(auth_user_pass_verify_script);
SHOW_BOOL(client);
SHOW_BOOL(pull);
- SHOW_STR(auth_user_pass_file);
+ SHOW_STR_INLINE(auth_user_pass_file);
gc_free(&gc);
}
SHOW_BOOL(link_mtu_defined);
SHOW_INT(tun_mtu_extra);
SHOW_BOOL(tun_mtu_extra_defined);
+ SHOW_INT(tls_mtu);
SHOW_INT(mtu_discover_type);
SHOW_INT(keepalive_ping);
SHOW_INT(keepalive_timeout);
SHOW_INT(inactivity_timeout);
+ SHOW_INT(session_timeout);
SHOW_INT64(inactivity_minimum_bytes);
SHOW_INT(ping_send_timeout);
SHOW_INT(ping_rec_timeout);
SHOW_BOOL(fast_io);
-#ifdef USE_COMP
SHOW_INT(comp.alg);
SHOW_INT(comp.flags);
-#endif
SHOW_STR(route_script);
SHOW_STR(route_default_gateway);
#ifndef ENABLE_CRYPTO_MBEDTLS
SHOW_BOOL(engine);
#endif /* ENABLE_CRYPTO_MBEDTLS */
- SHOW_BOOL(replay);
SHOW_BOOL(mute_replay_warnings);
SHOW_INT(replay_window);
SHOW_INT(replay_time);
SHOW_STR_INLINE(ca_file);
SHOW_STR(ca_path);
SHOW_STR_INLINE(dh_file);
-#ifdef ENABLE_MANAGEMENT
if ((o->management_flags & MF_EXTERNAL_CERT))
{
SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
}
else
-#endif
- SHOW_STR_INLINE(cert_file);
+ {
+ SHOW_STR_INLINE(cert_file);
+ }
SHOW_STR_INLINE(extra_certs_file);
-#ifdef ENABLE_MANAGEMENT
if ((o->management_flags & MF_EXTERNAL_KEY))
{
SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
}
else
-#endif
- SHOW_STR_INLINE(priv_key_file);
+ {
+ SHOW_STR_INLINE(priv_key_file);
+ }
#ifndef ENABLE_CRYPTO_MBEDTLS
SHOW_STR_INLINE(pkcs12_file);
#endif
SHOW_STR(cipher_list_tls13);
SHOW_STR(tls_cert_profile);
SHOW_STR(tls_verify);
- SHOW_STR(tls_export_cert);
SHOW_INT(verify_x509_type);
SHOW_STR(verify_x509_name);
SHOW_STR_INLINE(crl_file);
struct connection_list *l = alloc_connection_list_if_undef(options);
struct connection_entry *e;
- if (l->len >= CONNECTION_LIST_SIZE)
+ if (l->len == l->capacity)
{
- msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
- return NULL;
+ int capacity = l->capacity + CONNECTION_LIST_SIZE;
+ struct connection_entry **ce = gc_realloc(l->array, capacity*sizeof(struct connection_entry *), &options->gc);
+ if (ce == NULL)
+ {
+ msg(msglevel, "Unable to process more connection options: out of memory. Number of entries = %d", l->len);
+ return NULL;
+ }
+ l->array = ce;
+ l->capacity = capacity;
}
ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
l->array[l->len++] = e;
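Review bot: The capacity-growth code added at L400–L408 is repeated almost verbatim for the remote list at L419–L427, differing only in the element type and the message text; a small static helper that grows an (array, len, capacity) triple by CONNECTION_LIST_SIZE entries would keep the two in step the next time the growth policy changes. The trigger `l->len == l->capacity` relies on len never exceeding capacity; `if (l->len >= l->capacity)` costs nothing and still grows if that invariant is ever broken elsewhere. What gc_realloc does with the superseded block is not visible here — if the arena keeps every old array until gc_free, a config with many `connection` blocks retains all intermediate arrays, which is worth a one-line comment at the call site. The enclosing function starts before this hunk.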
struct remote_list *l = alloc_remote_list_if_undef(options);
struct remote_entry *e;
- if (l->len >= CONNECTION_LIST_SIZE)
+ if (l->len == l->capacity)
{
- msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
- return NULL;
+ int capacity = l->capacity + CONNECTION_LIST_SIZE;
+ struct remote_entry **re = gc_realloc(l->array, capacity*sizeof(struct remote_entry *), &options->gc);
+ if (re == NULL)
+ {
+ msg(msglevel, "Unable to process more remote options: out of memory. Number of entries = %d", l->len);
+ return NULL;
+ }
+ l->array = re;
+ l->capacity = capacity;
}
ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
l->array[l->len++] = e;
" or CA path (--capath)"
#endif
" and/or peer fingerprint verification (--peer-fingerprint)";
- msg(M_USAGE, str);
+ msg(M_USAGE, "%s", str);
}
static void
#endif /* ifdef ENABLE_MANAGEMENT */
-#if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER)
+#if !defined(HAVE_XKEY_PROVIDER)
if ((tls_version_max() >= TLS_VER_1_3)
&& (options->management_flags & MF_EXTERNAL_KEY)
&& !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
}
- if (options->tuntap_options.dhcp_options
- && options->windows_driver != WINDOWS_DRIVER_WINTUN
- && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
- && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
+ if (options->tuntap_options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
{
- msg(M_USAGE, "--dhcp-option requires --ip-win32 dynamic or adaptive");
+ const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
+ if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
+ {
+ msg(M_USAGE, "%s, which is not supported by the selected %s driver",
+ prefix, print_windows_driver(options->windows_driver));
+ }
+ else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
+ && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
+ {
+ msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive",
+ prefix);
+ }
}
if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
msg(M_USAGE, "--auth-gen-token needs a non-infinite "
"--renegotiate_seconds setting");
}
+ if (options->auth_token_generate && options->auth_token_renewal
+ && options->auth_token_renewal < 2 * options->handshake_window)
+ {
+ msg(M_USAGE, "--auth-gen-token renewal time needs to be at least "
+ " two times --hand-window (%d).",
+ options->handshake_window);
+
+ }
{
const bool ccnr = (options->auth_user_pass_verify_script
|| PLUGIN_OPTION_LIST(options)
}
}
- /*
- * Check consistency of replay options
- */
- if (!options->replay
- && (options->replay_window != defaults.replay_window
- || options->replay_time != defaults.replay_time))
- {
- msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
- }
-
/*
* SSL/TLS mode sanity checks.
*/
if (!options->tls_server && !options->tls_client)
{
- msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in "
- "configuration detected. OpenVPN 2.7 will remove the "
+ int msglevel = M_USAGE;
+ if (options->allow_deprecated_insecure_static_crypto)
+ {
+ msglevel = M_INFO;
+ }
+
+ msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
+ "configuration detected. OpenVPN 2.8 will remove the "
"functionality to run a VPN without TLS. "
"See the examples section in the manual page for "
- "examples of a similar quick setup with peer-fingerprint.");
+ "examples of a similar quick setup with peer-fingerprint."
+ "OpenVPN 2.7 allows using this configuration when using "
+ "--allow-deprecated-insecure-static-crypto but you should move"
+ "to a proper configuration using TLS as soon as possible."
+ );
}
if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
{
check_ca_required(options);
#ifdef ENABLE_PKCS11
+ if (!options->pkcs11_providers[0] && options->pkcs11_id)
+ {
+ msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
+ }
+ else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
+ {
+ msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
+ }
+
if (options->pkcs11_providers[0])
{
if (options->pkcs11_id_management && options->pkcs11_id != NULL)
{
msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
}
-#ifdef ENABLE_MANAGEMENT
if (options->management_flags & MF_EXTERNAL_KEY)
{
msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
{
msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
}
-#endif
if (options->pkcs12_file)
{
msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
}
else
#endif /* ifdef ENABLE_PKCS11 */
-#ifdef ENABLE_MANAGEMENT
if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
{
msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
}
}
else
-#endif
#ifdef ENABLE_CRYPTOAPI
if (options->cryptoapi_cert)
{
{
msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
}
-#ifdef ENABLE_MANAGEMENT
if (options->management_flags & MF_EXTERNAL_KEY)
{
msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
{
msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
}
-#endif
}
else
#endif /* ifdef ENABLE_CRYPTOAPI */
{
msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
}
-#ifdef ENABLE_MANAGEMENT
if (options->management_flags & MF_EXTERNAL_KEY)
{
msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
{
msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
}
-#endif
#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
}
else
{
const int sum =
-#ifdef ENABLE_MANAGEMENT
((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
- +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
-#else
- (options->cert_file != NULL) + (options->priv_key_file != NULL);
-#endif
+ + ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
if (sum == 0)
{
"--auth-user-pass");
}
}
- else if (sum == 2)
- {
- }
- else
+ else if (sum != 2)
{
msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
}
}
else
{
-#ifdef ENABLE_MANAGEMENT
if (!(options->management_flags & MF_EXTERNAL_CERT))
-#endif
- notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
-#ifdef ENABLE_MANAGEMENT
+ {
+ notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
+ }
if (!(options->management_flags & MF_EXTERNAL_KEY))
-#endif
- notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
+ {
+ notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
+ }
}
}
if (ce->tls_auth_file && ce->tls_crypt_file)
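Review bot: The concatenated literals at L511–L514 produce a run-on message: `"...with peer-fingerprint."` is followed directly by `"OpenVPN 2.7 allows..."` with no separating space, and `"...but you should move"` followed by `"to a proper..."` prints "moveto". Add a trailing space to the literals on L511 and L513, e.g. `"examples of a similar quick setup with peer-fingerprint. "` and `"--allow-deprecated-insecure-static-crypto but you should move "`. The new message at L473–L474 has the opposite defect, `"at least "` followed by `" two times"` yields a double space, so drop the leading space on L474; the stray blank line at L476 can go as well. The enclosing verify function begins and ends outside this hunk.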
MUST_BE_UNDEF(cipher_list_tls13);
MUST_BE_UNDEF(tls_cert_profile);
MUST_BE_UNDEF(tls_verify);
- MUST_BE_UNDEF(tls_export_cert);
MUST_BE_UNDEF(verify_x509_name);
MUST_BE_UNDEF(tls_timeout);
MUST_BE_UNDEF(renegotiate_bytes);
o->pre_connect->ping_send_timeout = o->ping_send_timeout;
/* Miscellaneous Options */
-#ifdef USE_COMP
o->pre_connect->comp = o->comp;
-#endif
}
void
o->ping_send_timeout = pp->ping_send_timeout;
/* Miscellaneous Options */
-#ifdef USE_COMP
o->comp = pp->comp;
-#endif
}
o->push_continuation = 0;
o->push_option_types_found = 0;
- o->data_channel_crypto_flags = 0;
+ o->imported_protocol_flags = 0;
}
static void
*
* Disable compression by default starting with 2.6.0 if no other
* compression related option has been explicitly set */
- if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600)
- && (o->comp.flags == 0))
+ if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
{
- o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
+ if (!comp_non_stub_enabled(&o->comp))
+ {
+ o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
+ }
}
+#else /* ifdef USE_COMP */
+ o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;
#endif
}
o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o)
|| !dco_check_startup_option(D_DCO, o);
}
+#ifdef USE_COMP
+ if (dco_enabled(o))
+ {
+ o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY;
+ }
+#endif
#ifdef _WIN32
if (dco_enabled(o))
o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
}
}
-#endif
-
+#else /* _WIN32 */
if (dco_enabled(o) && o->dev_node)
{
msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
"data channel offload");
o->dev_node = NULL;
}
+#endif /* _WIN32 */
/* this depends on o->windows_driver, which is set above */
options_postprocess_mutate_invariant(o);
+ /* check that compression settings in the options are okay */
+ check_compression_settings_valid(&o->comp, M_USAGE);
+
/*
* Save certain parms before modifying options during connect, especially
* when using --pull
foreign_options_copy_dns(o, es);
#endif
}
+ if (o->auth_token_generate && !o->auth_token_renewal)
+ {
+ o->auth_token_renewal = o->renegotiate_seconds;
+ }
pre_connect_save(o);
}
options->extra_certs_file, R_OK,
"--extra-certs");
-#ifdef ENABLE_MANAGMENT
if (!(options->management_flags & MF_EXTERNAL_KEY))
-#endif
{
errs |= check_file_access_inline(options->priv_key_file_inline,
CHKACC_FILE|CHKACC_PRIVATE,
options->management_user_pass, R_OK,
"--management user/password file");
#endif /* ENABLE_MANAGEMENT */
- errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
- options->auth_user_pass_file, R_OK,
- "--auth-user-pass");
+ errs |= check_file_access_inline(options->auth_user_pass_file_inline,
+ CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
+ options->auth_user_pass_file, R_OK,
+ "--auth-user-pass");
/* ** System related ** */
errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
R_OK|X_OK, "--chroot directory");
R_OK|W_OK, "--status");
/* ** Config related ** */
- errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
- R_OK|W_OK|X_OK, "--tls-export-cert");
errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
R_OK|X_OK, "--client-config-dir");
errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
*
* --cipher
* --auth
- * --keysize
* --secret
- * --no-replay
*
* SSL Options:
*
buf_printf(&out, ",link-mtu %u",
(unsigned int) calc_options_string_link_mtu(o, frame));
- buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
+ if (o->ce.occ_mtu != 0)
+ {
+ buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
+ }
+ else
+ {
+ buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
+ }
+
buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
{
buf_printf(&out, ",secret");
}
- if (!o->replay)
- {
- buf_printf(&out, ",no-replay");
- }
#ifdef ENABLE_PREDICTION_RESISTANCE
if (o->use_prediction_resistance)
if (actual_n > 0)
{
actual[actual_n - 1] = 0;
-#ifndef ENABLE_STRICT_OPTIONS_CHECK
if (strncmp(actual, expected, 2))
{
msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
}
else
-#endif
- ret = !strcmp(actual, expected);
+ {
+ ret = !strcmp(actual, expected);
+ }
}
gc_free(&gc);
return ret;
void
options_warning_safe(char *actual, const char *expected, size_t actual_n)
{
- options_warning_safe_ml(M_WARN, actual, expected, actual_n);
+ options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
}
const char *
o.ce.local_port, o.ce.remote_port,
TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
o.verbosity,
- o.authname, o.ciphername,
+ o.authname,
o.replay_window, o.replay_time,
o.tls_timeout, o.renegotiate_seconds,
o.handshake_window, o.transition_window);
}
#endif
+void
+show_dco_version(const unsigned int flags)
+{
+#ifdef ENABLE_DCO
+ struct gc_arena gc = gc_new();
+ msg(flags, "DCO version: %s", dco_version_string(&gc));
+ gc_free(&gc);
+#endif
+}
+
void
show_library_versions(const unsigned int flags)
{
#ifdef _WIN32
show_windows_version( M_INFO|M_NOPREFIX );
#endif
+ show_dco_version(M_INFO | M_NOPREFIX);
msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
- msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>");
+ msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>");
#ifndef ENABLE_SMALL
#ifdef CONFIGURE_DEFINES
msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
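Review bot: In `show_dco_version` (L810–L818) the `flags` parameter is unused when ENABLE_DCO is not defined, which warns under -Wunused-parameter if the project builds with it; an `#else` branch with `(void)flags;` keeps the non-DCO build clean. The function is non-static and so presumably declared in a header outside this diff, but carries no comment; something like `/* Log the data channel offload (DCO) driver version with the given msg() flags; no-op when built without ENABLE_DCO. */` above it would document the contract. The call added at L826 is unconditional, which is why the stub must remain in the non-DCO build.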
unsigned int *option_types_found,
struct env_set *es)
{
- int i, j;
-
/* usage message */
if (argc <= 1)
{
/* config filename specified only? */
if (argc == 2 && strncmp(argv[1], "--", 2))
{
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
CLEAR(p);
p[0] = "config";
p[1] = argv[1];
else
{
/* parse command line */
- for (i = 1; i < argc; ++i)
+ for (int i = 1; i < argc; ++i)
{
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
CLEAR(p);
p[0] = argv[i];
if (strncmp(p[0], "--", 2))
p[0] += 2;
}
+ int j;
for (j = 1; j < MAX_PARMS; ++j)
{
if (i + j < argc)
return true;
}
+ /* skip leading spaces matching the behaviour of parse_line */
+ while (isspace(*line))
+ {
+ line++;
+ }
+
for (f = o->pull_filter_list->head; f; f = f->next)
{
if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
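Review bot: `isspace(*line)` at L869 passes a plain `char`; where `char` is signed, a byte of 0x80 or above becomes a negative int, and the <ctype.h> functions are only defined for EOF and values representable as `unsigned char`. Use `while (isspace((unsigned char)*line))`. The comment says this mirrors parse_line, which is outside this hunk, so it is worth confirming that parse_line applies the same cast. The enclosing function starts before this hunk.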
#endif
}
-#ifdef USE_COMP
static void
show_compression_warning(struct compress_options *info)
{
}
}
}
-#endif
bool
key_is_external(const struct options *options)
{
bool ret = false;
-#ifdef ENABLE_MANAGEMENT
ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
-#endif
#ifdef ENABLE_PKCS11
ret = ret || (options->pkcs11_providers[0] != NULL);
#endif
VERIFY_PERMISSION(OPT_P_GENERAL);
options->management_flags |= MF_CONNECT_AS_CLIENT;
}
-#ifdef ENABLE_MANAGEMENT
else if (streq(p[0], "management-external-key"))
{
VERIFY_PERMISSION(OPT_P_GENERAL);
VERIFY_PERMISSION(OPT_P_GENERAL);
options->management_flags |= MF_CLIENT_AUTH;
}
-#endif /* ifdef ENABLE_MANAGEMENT */
else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
{
int cache;
options->ce.link_mtu = positive_atoi(p[1]);
options->ce.link_mtu_defined = true;
}
- else if (streq(p[0], "tun-mtu") && p[1] && !p[2])
+ else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
{
- VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
options->ce.tun_mtu = positive_atoi(p[1]);
options->ce.tun_mtu_defined = true;
+ if (p[2])
+ {
+ options->ce.occ_mtu = positive_atoi(p[2]);
+ }
+ else
+ {
+ options->ce.occ_mtu = 0;
+ }
+ }
+ else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ int max_mtu = positive_atoi(p[1]);
+ if (max_mtu < 68 || max_mtu > 65536)
+ {
+ msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
+ }
+ else
+ {
+ options->ce.tun_mtu_max = max_mtu;
+ }
}
else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
{
options->ce.tun_mtu_extra = positive_atoi(p[1]);
options->ce.tun_mtu_extra_defined = true;
}
+ else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ int maxmtu = positive_atoi(p[1]);
+ options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
+
+ if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
+ {
+ msg(M_WARN, "Note: max-packet-size value outside of allowed "
+ "control channel packet size (%d to %d), will use %d "
+ "instead.", TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE,
+ options->ce.tls_mtu);
+ }
+
+ /* also set mssfix maxmtu mtu */
+ options->ce.mssfix = maxmtu;
+ options->ce.mssfix_default = false;
+ options->ce.mssfix_encap = true;
+ }
#ifdef ENABLE_FRAGMENT
else if (streq(p[0], "mtu-dynamic"))
{
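Review bot: The new `max-packet-size` handler stores the raw `maxmtu` into `options->ce.mssfix` at L963 with no range check, while `options->ce.tls_mtu` on L952 is clamped and the `--mssfix` handler in this same file (L1007–L1012) rejects values below TLS_CHANNEL_MTU_MIN or above UINT16_MAX with `goto err`. An out-of-range argument therefore only produces the "will use %d instead" note for the control channel and leaves an unconstrained mssfix in place. Apply the same validation before the assignment, e.g. `if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > UINT16_MAX) { msg(msglevel, "--max-packet-size value '%s' is invalid", p[1]); goto err; }`, or add a comment explaining why the data-channel value is intentionally left unconstrained. The `tun-mtu-max` branch at L934–L937 likewise logs at `msglevel` without `goto err`, so whether a bad value aborts parsing depends on the caller's msglevel; the `--fragment` check at L972–L976 shows the pattern the other two should follow. The enclosing add_option function starts before and ends after this hunk.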
VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
options->ce.fragment = positive_atoi(p[1]);
+ if (options->ce.fragment < 68)
+ {
+ msg(msglevel, "--fragment needs to be at least 68");
+ goto err;
+ }
+
if (p[2] && streq(p[2], "mtu"))
{
options->ce.fragment_encap = true;
}
}
}
+ else if (streq(p[0], "session-timeout") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_TIMER);
+ options->session_timeout = positive_atoi(p[1]);
+ }
else if (streq(p[0], "proto") && p[1] && !p[2])
{
int proto;
if (p[3])
{
/* auto -- try to figure out proxy addr, port, and type automatically */
- /* semiauto -- given proxy addr:port, try to figure out type automatically */
- /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
+ /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
if (streq(p[3], "auto"))
{
ho->auth_retry = PAR_ALL;
VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
if (p[1])
{
+ int mssfix = positive_atoi(p[1]);
+ /* can be 0, but otherwise it needs to be high enough so we can
+ * substract room for headers. */
+ if (mssfix != 0
+ && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
+ {
+ msg(msglevel, "--mssfix value '%s' is invalid", p[1]);
+ goto err;
+ }
+
/* value specified, assume encapsulation is not
* included unless "mtu" follows later */
- options->ce.mssfix = positive_atoi(p[1]);
+ options->ce.mssfix = mssfix;
options->ce.mssfix_encap = false;
options->ce.mssfix_default = false;
}
options->cf_max = cf_max;
options->cf_per = cf_per;
}
+ else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
+ {
+ long cf_max, cf_per;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ char *e1, *e2;
+ cf_max = strtol(p[1], &e1, 10);
+ cf_per = strtol(p[2], &e2, 10);
+ if (cf_max < 0 || cf_per < 0 || *e1 != '\0' || *e2 != '\0')
+ {
+ msg(msglevel, "--connect-freq-initial parameters must be integers and >= 0");
+ goto err;
+ }
+ options->cf_initial_max = cf_max;
+ options->cf_initial_per = cf_per;
+ }
else if (streq(p[0], "max-clients") && p[1] && !p[2])
{
int max_clients;
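Review bot: The strtol() calls for connect-freq-initial never reset errno or check for ERANGE, so an out-of-range value saturates at LONG_MAX and passes the `cf_max < 0` test instead of being rejected; an empty parameter also passes, because strtol() then leaves e1 == p[1] and *e1 is already '\0'. Adding `errno = 0;` before the first call and extending the condition with `|| errno == ERANGE || e1 == p[1] || e2 == p[2]` closes both gaps. If cf_initial_max and cf_initial_per are narrower than long (their declarations are not in this hunk), an explicit upper bound is needed too.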
else if (streq(p[0], "opt-verify") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
+ msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
+ "in OpenVPN 2.7");
options->ssl_flags |= SSLF_OPT_VERIFY;
}
else if (streq(p[0], "auth-user-pass-verify") && p[1])
&options->auth_user_pass_verify_script,
p[1], "auth-user-pass-verify", true);
}
- else if (streq(p[0], "auth-gen-token") && !p[3])
+ else if (streq(p[0], "auth-gen-token"))
{
VERIFY_PERMISSION(OPT_P_GENERAL);
options->auth_token_generate = true;
options->auth_token_lifetime = p[1] ? positive_atoi(p[1]) : 0;
- if (p[2])
+
+ for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
{
- if (streq(p[2], "external-auth"))
+ /* the second parameter can be the renewal time */
+ if (i == 2 && positive_atoi(p[i]))
+ {
+ options->auth_token_renewal = positive_atoi(p[i]);
+ }
+ else if (streq(p[i], "external-auth"))
{
options->auth_token_call_auth = true;
}
else
{
- msg(msglevel, "Invalid argument to auth-gen-token: %s", p[2]);
+ msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
}
}
}
else if (streq(p[0], "auth-user-pass") && !p[2])
{
- VERIFY_PERMISSION(OPT_P_GENERAL);
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
if (p[1])
{
options->auth_user_pass_file = p[1];
+ options->auth_user_pass_file_inline = is_inline;
}
else
{
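Review bot: positive_atoi(p[i]) is evaluated twice for the renewal argument in the auth-gen-token loop, once in the `i == 2 && positive_atoi(p[i])` test and again in the assignment; parsing once, `int v = positive_atoi(p[i]); if (i == 2 && v) { options->auth_token_renewal = v; }`, reads cleaner and keeps the two from drifting apart. Nothing in this hunk relates auth_token_renewal to auth_token_lifetime; if that ordering is not enforced during options post-processing, a renewal interval longer than the token lifetime is accepted here without comment. Since the `!p[3]` guard was dropped, an unrecognised trailing word is only logged at msglevel and parsing continues, which matches the previous handling of p[2].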
#ifdef _WIN32
VERIFY_PERMISSION(OPT_P_GENERAL);
HANDLE process = GetCurrentProcess();
- HANDLE handle = (HANDLE) atoll(p[1]);
+ HANDLE handle = (HANDLE) ((intptr_t) atoll(p[1]));
if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
{
struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
- if (streq(p[3], "address") && !p[6])
+ if (streq(p[3], "address") && p[4])
{
- for (int i = 4; p[i]; i++)
+ for (int i = 4; p[i]; ++i)
{
if (!dns_server_addr_parse(server, p[i]))
{
- msg(msglevel, "--dns server %ld: malformed or duplicate address '%s'", priority, p[i]);
+ msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]);
goto err;
}
}
}
else if (streq(p[3], "resolve-domains"))
{
- if (server->domain_type == DNS_EXCLUDE_DOMAINS)
- {
- msg(msglevel, "--dns server %ld: cannot use resolve-domains and exclude-domains", priority);
- goto err;
- }
- server->domain_type = DNS_RESOLVE_DOMAINS;
- dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
- }
- else if (streq(p[3], "exclude-domains"))
- {
- if (server->domain_type == DNS_RESOLVE_DOMAINS)
- {
- msg(msglevel, "--dns server %ld: cannot use exclude-domains and resolve-domains", priority);
- goto err;
- }
- server->domain_type = DNS_EXCLUDE_DOMAINS;
dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
}
else if (streq(p[3], "dnssec") && !p[5])
{
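Review bot: The address loop `for (int i = 4; p[i]; ++i)` has no upper bound, unlike the auth-gen-token and protocol-flags loops added in this same commit, which stop at MAX_PARMS; it relies on the p[] array always being NULL-terminated at its end, which holds only if the caller guarantees it. `for (int i = 4; i < MAX_PARMS && p[i]; ++i)` makes it consistent with the other new loops at no cost. The resolve-domains/exclude-domains conflict check is removed here; if exclude-domains no longer exists that is fine, otherwise the conflict is now undetected.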
struct tuntap_options *o = &options->tuntap_options;
VERIFY_PERMISSION(OPT_P_DHCPDNS);
- bool ipv6dns = false;
if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX"))
&& p[2] && !p[3])
{
o->domain = p[2];
+ o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
}
else if (streq(p[1], "NBS") && p[2] && !p[3])
{
o->netbios_scope = p[2];
+ o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
}
else if (streq(p[1], "NBT") && p[2] && !p[3])
{
goto err;
}
o->netbios_node_type = t;
+ o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
}
else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
&& (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
{
if (strstr(p[2], ":"))
{
- ipv6dns = true;
dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
}
else
{
dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel);
+ o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
}
}
else if (streq(p[1], "WINS") && p[2] && !p[3])
{
dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
+ o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
}
else if (streq(p[1], "NTP") && p[2] && !p[3])
{
dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
+ o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
}
else if (streq(p[1], "NBDD") && p[2] && !p[3])
{
dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
+ o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
}
else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
{
msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
p[1], N_SEARCH_LIST_LEN);
}
+ o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
}
else if (streq(p[1], "DISABLE-NBT") && !p[2])
{
o->disable_nbt = 1;
+ o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
}
#if defined(TARGET_ANDROID)
else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
goto err;
}
-
- /* flag that we have options to give to the TAP driver's DHCPv4 server
- * - skipped for "DNS6", as that's not a DHCPv4 option
- */
- if (!ipv6dns)
- {
- o->dhcp_options = true;
- }
}
#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
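Review bot: The DNS6 branch at the `dhcp_option_dns6_parse` call is now the only dhcp-option arm that sets no dhcp_options flag, and the removed comment that explained why ("not a DHCPv4 option") went away with the old ipv6dns flag. A one-line comment in that branch, `/* DNS6 is not a DHCPv4 option; nothing for the TAP DHCP server to serve */`, keeps the next reader from "fixing" it by adding a flag. The same applies to the Android PROXY_HTTP branch if it is meant to stay flagless. The enclosing dhcp-option block starts before this hunk.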
#ifdef _WIN32
options->passtos = true;
}
#endif
-#if defined(USE_COMP)
else if (streq(p[0], "allow-compression") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
/* All lzo variants do not use swap */
options->comp.flags &= ~COMP_F_SWAP;
-#if defined(ENABLE_LZO)
+
if (p[1] && streq(p[1], "no"))
-#endif
{
options->comp.alg = COMP_ALG_STUB;
options->comp.flags &= ~COMP_F_ADAPTIVE;
}
-#if defined(ENABLE_LZO)
- else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
- {
- /* Also printed on a push to hint at configuration problems */
- msg(msglevel, "Cannot set comp-lzo to '%s', "
- "allow-compression is set to 'no'", p[1]);
- goto err;
- }
else if (p[1])
{
if (streq(p[1], "yes"))
options->comp.flags |= COMP_F_ADAPTIVE;
}
show_compression_warning(&options->comp);
-#endif /* if defined(ENABLE_LZO) */
}
else if (streq(p[0], "comp-noadapt") && !p[1])
{
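Review bot: The parse-time rejection of `--comp-lzo` when allow-compression is "no" (the COMP_F_ALLOW_STUB_ONLY branch) is removed here, and the equivalent branch is removed from the compress hunk below, so a config that sets `allow-compression no` and later `comp-lzo yes` is no longer refused at this point. If that check moved into options post-processing, where it can also see pushed values, this is fine; if not, it should be restored, since `allow-compression no` is the setting operators rely on to keep compression off the data channel. A comment at the comp-lzo block, `/* interaction with allow-compression is checked in post-processing */`, would make the intended location explicit either way.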
else if (streq(p[0], "compress") && !p[2])
{
VERIFY_PERMISSION(OPT_P_COMP);
+ const char *alg = "stub";
if (p[1])
{
- if (streq(p[1], "stub"))
- {
- options->comp.alg = COMP_ALG_STUB;
- options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
- }
- else if (streq(p[1], "stub-v2"))
- {
- options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
- options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
- }
- else if (streq(p[1], "migrate"))
- {
- options->comp.alg = COMP_ALG_UNDEF;
- options->comp.flags = COMP_F_MIGRATE;
-
- }
- else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
- {
- /* Also printed on a push to hint at configuration problems */
- msg(msglevel, "Cannot set compress to '%s', "
- "allow-compression is set to 'no'", p[1]);
- goto err;
- }
-#if defined(ENABLE_LZO)
- else if (streq(p[1], "lzo"))
- {
- options->comp.alg = COMP_ALG_LZO;
- options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP);
- }
-#endif
-#if defined(ENABLE_LZ4)
- else if (streq(p[1], "lz4"))
- {
- options->comp.alg = COMP_ALG_LZ4;
- options->comp.flags |= COMP_F_SWAP;
- }
- else if (streq(p[1], "lz4-v2"))
- {
- options->comp.alg = COMP_ALGV2_LZ4;
- }
-#endif
- else
- {
- msg(msglevel, "bad comp option: %s", p[1]);
- goto err;
- }
+ alg = p[1];
}
- else
+
+ if (streq(alg, "stub"))
{
options->comp.alg = COMP_ALG_STUB;
+ options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
+ }
+ else if (streq(alg, "stub-v2"))
+ {
+ options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
+ options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
+ }
+ else if (streq(alg, "migrate"))
+ {
+ options->comp.alg = COMP_ALG_UNDEF;
+ options->comp.flags = COMP_F_MIGRATE;
+ }
+ else if (streq(alg, "lzo"))
+ {
+ options->comp.alg = COMP_ALG_LZO;
+ options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP);
+ }
+ else if (streq(alg, "lz4"))
+ {
+ options->comp.alg = COMP_ALG_LZ4;
options->comp.flags |= COMP_F_SWAP;
}
+ else if (streq(alg, "lz4-v2"))
+ {
+ options->comp.alg = COMP_ALGV2_LZ4;
+ }
+ else
+ {
+ msg(msglevel, "bad comp option: %s", alg);
+ goto err;
+ }
+
show_compression_warning(&options->comp);
}
-#endif /* USE_COMP */
else if (streq(p[0], "show-ciphers") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
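Review bot: With the ENABLE_LZO/ENABLE_LZ4 guards gone, `--compress lzo` and `--compress lz4` are accepted by the parser on every build, whereas before they hit `bad comp option` when the algorithm was not compiled in; unless the later compression setup rejects an unavailable algorithm, such a config now fails at connection time instead of at parse time. A comment on the lzo/lz4 arms, `/* availability of the algorithm is checked when compression is initialised */`, would record where that responsibility now lives, or the `bad comp option` error could be kept under the old guards. The restructuring around `alg` does preserve the previous flag handling for each algorithm.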
}
}
}
+ else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->allow_deprecated_insecure_static_crypto = true;
+
+ }
else if (streq(p[0], "genkey") && !p[4])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
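Review bot: `allow-deprecated-insecure-static-crypto` takes no argument but the new branch has no `!p[1]` guard, so `--allow-deprecated-insecure-static-crypto foo` is silently accepted, unlike sibling flag options such as opt-verify (`&& !p[1]`). Changing the condition to `else if (streq(p[0], "allow-deprecated-insecure-static-crypto") && !p[1])` turns a typo in the config into an error rather than a no-op, and the stray blank line before the closing brace should go.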
}
else if (streq(p[0], "key-derivation") && p[1])
{
+ /* NCP only option that is pushed by the server to enable EKM,
+ * should not be used by normal users in config files*/
VERIFY_PERMISSION(OPT_P_NCP)
#ifdef HAVE_EXPORT_KEYING_MATERIAL
if (streq(p[1], "tls-ekm"))
{
- options->data_channel_crypto_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
+ options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
}
else
#endif
msg(msglevel, "Unknown key-derivation method %s", p[1]);
}
}
+ else if (streq(p[0], "protocol-flags") && p[1])
+ {
+ /* NCP only option that is pushed by the server to enable protocol
+ * features that are negotiated, should not be used by normal users
+ * in config files */
+ VERIFY_PERMISSION(OPT_P_NCP)
+ for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
+ {
+ if (streq(p[j], "cc-exit"))
+ {
+ options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
+ }
+#ifdef HAVE_EXPORT_KEYING_MATERIAL
+ else if (streq(p[j], "tls-ekm"))
+ {
+ options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
+ }
+ else if (streq(p[j], "dyn-tls-crypt"))
+ {
+ options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
+ }
+#endif
+ else
+ {
+ msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
+ }
+ }
+ }
else if (streq(p[0], "prng") && p[1] && !p[3])
{
msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
else if (streq(p[0], "no-replay") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
- options->replay = false;
+ /* always error out, this breaks the connection */
+ msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
+ "Update your configuration.");
}
else if (streq(p[0], "replay-window") && !p[3])
{
listend->next = newlist;
}
}
-#ifdef ENABLE_CRYPTOAPI
+#if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
string_substitute(p[1], ',', ' ', &options->gc),
"tls-verify", true);
}
-#ifndef ENABLE_CRYPTO_MBEDTLS
- else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
- {
- VERIFY_PERMISSION(OPT_P_GENERAL);
- options->tls_export_cert = p[1];
- }
-#endif
else if (streq(p[0], "compat-names"))
{
VERIFY_PERMISSION(OPT_P_GENERAL);
}
else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
{
+#ifdef ENABLE_CRYPTO_MBEDTLS
+ msg(msglevel, "--ns-cert-type is not available with mbedtls.");
+ goto err;
+#else
VERIFY_PERMISSION(OPT_P_GENERAL);
if (streq(p[1], "server"))
{
msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
goto err;
}
+#endif /* ENABLE_CRYPTO_MBEDTLS */
}
else if (streq(p[0], "remote-cert-ku"))
{
else
{
int i;
- int msglevel = msglevel_fc;
+ int msglevel_unknown = msglevel_fc;
/* Check if an option is in --ignore-unknown-option and
* set warning level to non fatal */
for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
{
if (streq(p[0], options->ignore_unknown_option[i]))
{
- msglevel = M_WARN;
+ msglevel_unknown = M_WARN;
break;
}
}
if (file)
{
- msg(msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
+ msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
}
else
{
- msg(msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
+ msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
}
}
err: