OpenVPN
options.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2025 David Sommerseth <dazo@eurephia.org>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <https://www.gnu.org/licenses/>.
22 */
23
24/*
25 * 2004-01-28: Added Socks5 proxy support
26 * (Christof Meerwald, http://cmeerw.org)
27 */
28
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32#ifdef HAVE_CONFIG_VERSION_H
33#include "config-version.h"
34#endif
35
36#include "syshead.h"
37
38#include "buffer.h"
39#include "error.h"
40#include "common.h"
41#include "run_command.h"
42#include "shaper.h"
43#include "crypto.h"
44#include "ssl.h"
45#include "ssl_ncp.h"
46#include "options.h"
47#include "misc.h"
48#include "socket_util.h"
49#include "packet_id.h"
50#include "pkcs11.h"
51#include "win32.h"
52#include "push.h"
53#include "pool.h"
54#include "proto.h"
55#include "helper.h"
56#include "manage.h"
57#include "forward.h"
58#include "ssl_verify.h"
59#include "platform.h"
60#include "xkey_common.h"
61#include "dco.h"
62#include "options_util.h"
63#include "tun_afunix.h"
64
65#include <ctype.h>
66
67#include "memdbg.h"
68#include "options_util.h"
69
70const char title_string[] = PACKAGE_STRING
71#ifdef CONFIGURE_GIT_REVISION
72 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
73#endif
74 " " TARGET_ALIAS
75#if defined(ENABLE_CRYPTO_MBEDTLS)
76 " [SSL (mbed TLS)]"
77#elif defined(ENABLE_CRYPTO_OPENSSL)
78 " [SSL (OpenSSL)]"
79#else
80 " [SSL]"
81#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
82#ifdef USE_COMP
83#ifdef ENABLE_LZO
84 " [LZO]"
85#endif
86#ifdef ENABLE_LZ4
87 " [LZ4]"
88#endif
89#ifdef ENABLE_COMP_STUB
90 " [COMP_STUB]"
91#endif
92#endif /* USE_COMP */
93#if EPOLL
94 " [EPOLL]"
95#endif
96#ifdef PRODUCT_TAP_DEBUG
97 " [TAPDBG]"
98#endif
99#ifdef ENABLE_PKCS11
100 " [PKCS11]"
101#endif
102#if ENABLE_IP_PKTINFO
103#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
104 " [MH/PKTINFO]"
105#elif defined(IP_RECVDSTADDR)
106 " [MH/RECVDA]"
107#endif
108#endif
109 " [AEAD]"
110#ifdef ENABLE_DCO
111 " [DCO]"
112#endif
113#ifdef CONFIGURE_GIT_REVISION
114 " built on " __DATE__
115#endif
116 ;
117
118#ifndef ENABLE_SMALL
119
120static const char usage_message[] =
121 "%s\n"
122 "\n"
123 "General Options:\n"
124 "--config file : Read configuration options from file.\n"
125 "--help : Show options.\n"
126 "--version : Show copyright and version information.\n"
127 "\n"
128 "Tunnel Options:\n"
129 "--local host|* [port]: Local host name or IP address and port for bind.\n"
130 " If specified, OpenVPN will bindto this address. If unspecified,\n"
131 " OpenVPN will bind to all interfaces. '*' can be used as hostname\n"
132 " and means 'any host' (OpenVPN will listen on what is returned by the OS).\n"
133 " On a client, or in point-to-point mode, this can only be specified once (1 socket).\n"
134 " On an OpenVPN setup running as ``--server``, this can be specified multiple times\n"
135 " to open multiple listening sockets on different addresses and/or different ports.\n"
136 " In order to specify multiple listen ports without specifying an address, use '*'\n"
137 " to signal 'use what the operating system gives you as default', for\n"
138 " 'all IPv4 addresses' use '0.0.0.0', for 'all IPv6 addresses' use '::'.\n"
139 " ``--local`` implies ``--bind``.\n"
140 "--remote host [port] : Remote host name or ip address.\n"
141 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
142 "--remote-random-hostname : Add a random string to remote DNS name.\n"
143 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
144 "--proto p : Use protocol p for communicating with peer.\n"
145 " p = udp (default), tcp-server, tcp-client\n"
146 " udp4, tcp4-server, tcp4-client\n"
147 " udp6, tcp6-server, tcp6-client\n"
148 "--proto-force p : only consider protocol p in list of connection profiles.\n"
149 " p = udp or tcp\n"
150 "--connect-retry n [m] : For client, number of seconds to wait between\n"
151 " connection retries (default=%d). On repeated retries\n"
152 " the wait time is exponentially increased to a maximum of m\n"
153 " (default=%d).\n"
154 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
155 "--http-proxy s p [up] [auth] : Connect to remote host\n"
156 " through an HTTP proxy at address s and port p.\n"
157 " If proxy authentication is required,\n"
158 " up is a file containing username/password on 2 lines, or\n"
159 " 'stdin' to prompt from console. Add auth='ntlm2' if\n"
160 " the proxy requires NTLM authentication.\n"
161 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
162 " determine auth method and query for username/password\n"
163 " if needed. auto-nct disables weak proxy auth methods.\n"
164 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
165 " Repeat to set multiple options.\n"
166 " VERSION version (default=1.0)\n"
167 " AGENT user-agent\n"
168 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
169 " address s and port p (default port = 1080).\n"
170 " If proxy authentication is required,\n"
171 " up is a file containing username/password on 2 lines, or\n"
172 " 'stdin' to prompt for console.\n"
173 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
174 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
175 " resolve for n seconds before failing (disabled by default).\n"
176 " Set n=\"infinite\" to retry indefinitely.\n"
177 "--float : Allow remote to change its IP address/port, such as through\n"
178 " DHCP (this is the default if --remote is not used).\n"
179 "--ipchange cmd : Run command cmd on remote ip address initial\n"
180 " setting or change -- execute as: cmd ip-address port#\n"
181 "--port port : TCP/UDP port # for both local and remote.\n"
182 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
183 "--rport port : TCP/UDP port # for remote (default=%s).\n"
184 "--bind : Bind to local address and port. (This is the default unless\n"
185 " --proto tcp-client"
186 " or --http-proxy"
187 " or --socks-proxy"
188 " is used).\n"
189 "--nobind : Do not bind to local address and port.\n"
190 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
191 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
192 " this option only if the tun/tap device used with --dev\n"
193 " does not begin with \"tun\" or \"tap\".\n"
194 "--dev-node node : Explicitly set the device node rather than using\n"
195 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
196#if defined(ENABLE_DCO)
197 "--disable-dco : Do not attempt using Data Channel Offload.\n"
198#endif
199 "--lladdr hw : Set the link layer address of the tap device.\n"
200 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
201#ifdef ENABLE_IPROUTE
202 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
203#endif
204 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
205 " endpoint and rn as a remote endpoint. l & rn should be\n"
206 " swapped on the other peer. l & rn must be private\n"
207 " addresses outside of the subnets used by either peer.\n"
208 " TAP: configure device to use IP address l as a local\n"
209 " endpoint and rn as a subnet mask.\n"
210 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
211 " endpoint (as a /64) and r as remote endpoint\n"
212 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
213 " pass --ifconfig parms by environment to scripts.\n"
214 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
215 " connection doesn't match the remote side.\n"
216#ifdef TARGET_LINUX
217 "--route-table table_id : Specify a custom routing table for use with --route(-ipv6).\n"
218 " If not specified, the id of the default routing table will be used.\n"
219#endif
220 "--route network [netmask] [gateway] [metric] :\n"
221 " Add route to routing table after connection\n"
222 " is established. Multiple routes can be specified.\n"
223 " netmask default: 255.255.255.255\n"
224 " gateway default: taken from --route-gateway or --ifconfig\n"
225 " Specify default by leaving blank or setting to \"default\".\n"
226 "--route-ipv6 network/bits [gateway] [metric] :\n"
227 " Add IPv6 route to routing table after connection\n"
228 " is established. Multiple routes can be specified.\n"
229 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
230 " in --ifconfig-ipv6\n"
231 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
232 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
233 "--route-metric m : Specify a default metric for use with --route.\n"
234 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
235 " adding routes (may be 0). If not specified, routes will\n"
236 " be added immediately after tun/tap open. On Windows, wait\n"
237 " up to w seconds for TUN/TAP adapter to come up.\n"
238 "--route-up cmd : Run command cmd after routes are added.\n"
239 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
240 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
241 " --route-up script using environmental variables.\n"
242 "--route-nopull : When used with --client or --pull, accept options pushed\n"
243 " by server EXCEPT for routes, dns, and dhcp options.\n"
244 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
245 " --ifconfig, --route, and --route-gateway.\n"
246 "--redirect-gateway [flags]: Automatically execute routing\n"
247 " commands to redirect all outgoing IP traffic through the\n"
248 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
249 " connected via a common subnet, such as with WiFi.\n"
250 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
251 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
252 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
253 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
254 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
255 " the default gateway. Useful when pushing private subnets.\n"
256 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
257 " ICMPv6 host unreachable messages on the client.\n"
258 " (Server) Instead of forwarding IPv6 packets send\n"
259 " ICMPv6 host unreachable packets to the client.\n"
260 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
261 "--push-peer-info : (client only) push client info to server.\n"
262 "--setenv name value : Set a custom environmental variable to pass to script.\n"
263 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
264 " directives for future OpenVPN versions to be ignored.\n"
265 "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
266 " these options to be ignored when unknown\n"
267 "--script-security level: Where level can be:\n"
268 " 0 -- strictly no calling of external programs\n"
269 " 1 -- (default) only call built-ins such as ifconfig\n"
270 " 2 -- allow calling of built-ins and scripts\n"
271 " 3 -- allow password to be passed to scripts via env\n"
272 "--shaper n : Restrict output to peer to n bytes per second.\n"
273 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
274 " ping once every n seconds, restart if ping not received\n"
275 " for m seconds.\n"
276 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
277 " produces a combined in/out byte count < bytes.\n"
278 "--session-timeout n: Limit connection time to n seconds.\n"
279 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
280 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
281 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
282 " remote address.\n"
283 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
284#if ENABLE_IP_PKTINFO
285 "--multihome : Configure a multi-homed UDP server.\n"
286#endif
287 "--fast-io : Optimize TUN/TAP/UDP writes.\n"
288 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
289 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
290 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
291 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
292#if PASSTOS_CAPABILITY
293 "--passtos : TOS passthrough (applies to IPv4 only).\n"
294#endif
295 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
296 " TCP/UDP MTU from it (default=%d).\n"
297 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
298 " as n bytes more than the tun-mtu size on read\n"
299 " (default TUN=0 TAP=%d).\n"
300 "--tun-mtu-max n : Maximum pushable MTU (default and minimum=%d).\n"
301 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
302 " from it.\n"
303 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
304 " 'no' -- Never send DF (Don't Fragment) frames\n"
305 " 'maybe' -- Use per-route hints\n"
306 " 'yes' -- Always DF (Don't Fragment)\n"
307 "--mtu-test : Empirically measure and report MTU.\n"
308#ifdef ENABLE_FRAGMENT
309 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
310 " datagrams are sent which are larger than max bytes.\n"
311 " Adds 4 bytes of overhead per datagram.\n"
312#endif
313 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
314 " or --fragment max value, whichever is lower.\n"
315 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
316 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
317#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
318 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
319 " can be matched in policy routing and packetfilter rules.\n"
320 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
321 " listening for connections. This allows sending encrypted packets\n"
322 " via a VRF present on the system.\n"
323#endif
324 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
325#ifdef ENABLE_MEMSTATS
326 "--memstats file : Write live usage stats to memory mapped binary file.\n"
327#endif
328 "--mlock : Disable Paging -- ensures key material and tunnel\n"
329 " data will never be written to disk.\n"
330 "--up cmd : Run command cmd after successful tun device open.\n"
331 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
332 " ifconfig-local-ip ifconfig-remote-ip\n"
333 " (pre --user or --group UID/GID change)\n"
334 "--up-delay : Delay tun/tap open and possible --up script execution\n"
335 " until after TCP/UDP connection establishment with peer.\n"
336 "--down cmd : Run command cmd after tun device close.\n"
337 " (post --user/--group UID/GID change and/or --chroot)\n"
338 " (command parameters are same as --up option)\n"
339 "--down-pre : Run --down command before TUN/TAP close.\n"
340 "--up-restart : Run up/down commands for all restarts including those\n"
341 " caused by --ping-restart or SIGUSR1\n"
342 "--user user : Set UID to user after initialization.\n"
343 "--group group : Set GID to group after initialization.\n"
344 "--chroot dir : Chroot to this directory after initialization.\n"
345#ifdef ENABLE_SELINUX
346 "--setcon context: Apply this SELinux context after initialization.\n"
347#endif
348 "--cd dir : Change to this directory before initialization.\n"
349 "--daemon [name] : Become a daemon after initialization.\n"
350 " The optional 'name' parameter will be passed\n"
351 " as the program name to the system logger.\n"
352 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
353 " See --daemon above for a description of the 'name' parm.\n"
354 "--log file : Output log to file which is created/truncated on open.\n"
355 "--log-append file : Append log to file, or create file if nonexistent.\n"
356 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
357 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
358 "--writepid file : Write main process ID to file.\n"
359 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
360 "--echo [parms ...] : Echo parameters to log output.\n"
361 "--verb n : Set output verbosity to n (default=%d):\n"
362 " (Level 3 is recommended if you want a good summary\n"
363 " of what's happening without being swamped by output).\n"
364 " : 0 -- no output except fatal errors\n"
365 " : 1 -- startup info + connection initiated messages +\n"
366 " non-fatal encryption & net errors\n"
367 " : 2,3 -- show TLS negotiations & route info\n"
368 " : 4 -- show parameters\n"
369 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
370 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
371 " : 6 to 11 -- debug messages of increasing verbosity\n"
372 "--mute n : Log at most n consecutive messages in the same category.\n"
373 "--status file [n] : Write operational status to file every n seconds.\n"
374 "--status-version [n] : Choose the status file format version number.\n"
375 " Currently, n can be 1, 2, or 3 (default=1).\n"
376 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
377#ifdef ENABLE_DEBUG
378 "--gremlin mask : Special stress testing mode (for debugging only).\n"
379#endif
380#if defined(USE_COMP)
381 "--compress alg : Use compression algorithm alg\n"
382 "--allow-compression: Specify whether compression should be allowed\n"
383#if defined(ENABLE_LZO)
384 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
385 " packet for incompressible data.\n"
386 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
387 " is specified.\n"
388#endif
389#endif
390#ifdef ENABLE_MANAGEMENT
391 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
392 " management functions. pass is a password file\n"
393 " or 'stdin' to prompt from console.\n"
394#if UNIX_SOCK_SUPPORT
395 " To listen on a unix domain socket, specific the pathname\n"
396 " in place of ip and use 'unix' as the port number.\n"
397#endif
398 "--management-client : Management interface will connect as a TCP client to\n"
399 " ip/port rather than listen as a TCP server.\n"
400 "--management-query-passwords : Query management channel for private key\n"
401 " and auth-user-pass passwords.\n"
402 "--management-query-proxy : Query management channel for proxy information.\n"
403 "--management-query-remote : Query management channel for --remote directive.\n"
404 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
405 " of the management interface explicitly starts it.\n"
406 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
407 "--management-forget-disconnect : Forget passwords when management disconnect\n"
408 " event occurs.\n"
409 "--management-up-down : Report tunnel up/down events to management interface.\n"
410 "--management-log-cache n : Cache n lines of log file history for usage\n"
411 " by the management channel.\n"
412#if UNIX_SOCK_SUPPORT
413 "--management-client-user u : When management interface is a unix socket, only\n"
414 " allow connections from user u.\n"
415 "--management-client-group g : When management interface is a unix socket, only\n"
416 " allow connections from group g.\n"
417#endif
418 "--management-client-auth : gives management interface client the responsibility\n"
419 " to authenticate clients after their client certificate\n"
420 " has been verified.\n"
421#endif /* ifdef ENABLE_MANAGEMENT */
422#ifdef ENABLE_PLUGIN
423 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
424 " to its initialization function.\n"
425#endif
426 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
427 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
428 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
429 "\n"
430 "Multi-Client Server options (when --mode server is used):\n"
431 "--server network netmask : Helper option to easily configure server mode.\n"
432 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
433 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
434 " easily configure ethernet bridging server mode.\n"
435 "--push \"option\" : Push a config file option back to the peer for remote\n"
436 " execution. Peer must specify --pull in its config file.\n"
437 "--push-reset : Don't inherit global push list for specific\n"
438 " client instance.\n"
439 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
440 " a specific client instance.\n"
441 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
442 " to be dynamically allocated to connecting clients.\n"
443 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
444 " data to file, at seconds intervals (default=600).\n"
445 " If seconds=0, file will be treated as read-only.\n"
446 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
447 " to be dynamically allocated to connecting clients.\n"
448 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
449 " overrides --ifconfig-pool dynamic allocation.\n"
450 " Only valid in a client-specific config file.\n"
451 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
452 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
453 " Only valid in a client-specific config file.\n"
454 "--iroute network [netmask] : Route subnet to client.\n"
455 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
456 " Sets up internal routes only.\n"
457 " Only valid in a client-specific config file.\n"
458 "--disable : Client is disabled.\n"
459 " Only valid in a client-specific config file.\n"
460 "--override-username: Overrides the client-specific username to be used.\n"
461 " Only valid in a client-specific config file.\n"
462 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
463 " mandatory client certificate verification.\n"
464 " Default is to require the client to supply a certificate.\n"
465 "--username-as-common-name : For auth-user-pass authentication, use\n"
466 " the authenticated username as the common name,\n"
467 " rather than the common name from the client cert.\n"
468 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
469 " run command cmd to verify. If method='via-env', pass\n"
470 " user/pass via environment, if method='via-file', pass\n"
471 " user/pass via temporary file.\n"
472 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
473 " to each client, replacing the password. Useful when\n"
474 " OTP based two-factor auth mechanisms are in use and\n"
475 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
476 " for generated tokens can be set.\n"
477 "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
478 " with those of the server will be disconnected.\n"
479 "--auth-user-pass-optional : Allow connections by clients that don't\n"
480 " specify a username/password.\n"
481 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
482 " any printable character.\n"
483 "--client-to-client : Internally route client-to-client traffic.\n"
484 "--duplicate-cn : Allow multiple clients with the same common name to\n"
485 " concurrently connect.\n"
486 "--client-connect cmd : Run command cmd on client connection.\n"
487 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
488 "--client-config-dir dir : Directory for custom client config files.\n"
489 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
490 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
491 "--hash-size r v : Set the size of the real address hash table to r and the\n"
492 " virtual address table to v.\n"
493 "--bcast-buffers n : Allocate n broadcast buffers.\n"
494 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
495 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
496 " as well as pushes it to connecting clients.\n"
497 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
498 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
499 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
500 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
501 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
502 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
503 " older than n seconds. Run this check every t\n"
504 " seconds (defaults to n).\n"
505 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
506 " clients. n = 1 - reconnect to same server,\n"
507 " 2 - advance to next server, default=1.\n"
508#if PORT_SHARE
509 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
510 " sessions to a web server at host:port. dir specifies an\n"
511 " optional directory to write origin IP:port data.\n"
512#endif
513 "\n"
514 "Client options (when connecting to a multi-client server):\n"
515 "--client : Helper option to easily configure client mode.\n"
516 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
517 " up is a file containing the username on the first line,\n"
518 " and a password on the second. If either the password or both\n"
519 " the username and the password are omitted OpenVPN will prompt\n"
520 " for them from console.\n"
521 "--pull : Accept certain config file options from the peer as if they\n"
522 " were part of the local config file. Must be specified\n"
523 " when connecting to a '--mode server' remote host.\n"
524 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
525 " server if it starts with the text t. The action flag accept,\n"
526 " ignore or reject causes the option to be allowed, removed or\n"
527 " rejected with error. May be specified multiple times, and\n"
528 " each filter is applied in the order of appearance.\n"
529 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
530 " Valid options are :\n"
531 " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
532 " resolve-domains <domain> [domain ...] : split domains\n"
533 " dnssec <yes|no|optional> : option to use DNSSEC\n"
534 " transport <DoH|DoT> : query server over HTTPS / TLS\n"
535 " sni <domain> : DNS server name indication\n"
536 "--dns search-domains <domain> [domain ...]:\n"
537 " Add domains to DNS domain search list\n"
538 "--dns-updown cmd|force|disable : Run cmd as user defined dns config command,\n"
539 " force running the default script or disable running it.\n"
540 "--auth-retry t : How to handle auth failures. Set t to\n"
541 " none (default), interact, or nointeract.\n"
542 "--static-challenge t e [<scrv1|concat>]: Enable static challenge/response protocol using\n"
543 " challenge text t, with e indicating echo flag (0|1)\n"
544 " and optional argument scrv1 or concat to use SCRV1 protocol or"
545 " concatenate response with password. Default is scrv1.\n"
546 "--connect-timeout n : when polling possible remote servers to connect to\n"
547 " in a round-robin fashion, spend no more than n seconds\n"
548 " waiting for a response before trying the next server.\n"
549 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
550 " incoming tun packets with same destination as host.\n"
551 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
552 " server/remote. n = # of retries, default=1.\n"
553 "\n"
554 "Data Channel Encryption Options (must be compatible between peers):\n"
555 "(These options are meaningful for both Static Key & TLS-mode)\n"
556 "--auth alg : Authenticate packets with HMAC using message\n"
557 " digest algorithm alg (default=%s).\n"
558 " (usually adds 16 or 20 bytes per packet)\n"
559 " Set alg=none to disable authentication.\n"
560 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
561 " You should usually use --data-ciphers instead.\n"
562 " Set alg=none to disable encryption.\n"
563 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
564#ifndef ENABLE_CRYPTO_MBEDTLS
565 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
566#endif
567 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
568 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
569 " and a time window of t seconds.\n"
570 " Default n=%d t=%d\n"
571 "--replay-persist file : Persist replay-protection state across sessions\n"
572 " using file.\n"
573 "--test-crypto : Run a self-test of crypto features enabled.\n"
574 " For debugging only.\n"
575#ifdef ENABLE_PREDICTION_RESISTANCE
576 "--use-prediction-resistance: Enable prediction resistance on the random\n"
577 " number generator.\n"
578#endif
579 "\n"
580 "TLS Key Negotiation Options:\n"
581 "(These options are meaningful only for TLS-mode)\n"
582 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
583 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
584 "--ca file : Certificate authority file in .pem format containing\n"
585 " root certificate.\n"
586#ifndef ENABLE_CRYPTO_MBEDTLS
587 "--capath dir : A directory of trusted certificates (CAs"
588 " and CRLs).\n"
589#endif /* ENABLE_CRYPTO_MBEDTLS */
590 "--dh file : File containing Diffie Hellman parameters\n"
591 " in .pem format (for --tls-server only).\n"
592 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
593 "--cert file : Local certificate in .pem format or a URI -- must be signed\n"
594 " by a Certificate Authority in --ca file used by the peer.\n"
595 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
596 "--key file : Local private key in .pem format or a URI.\n"
597 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
598 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
599 " is specified, require max TLS version supported by SSL implementation.\n"
600 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
601#ifndef ENABLE_CRYPTO_MBEDTLS
602 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
603 " and optionally the root CA certificate.\n"
604#endif
605#ifdef ENABLE_X509ALTUSERNAME
606 "--x509-username-field : Field in x509 certificate containing the username.\n"
607 " Default is CN in the Subject field.\n"
608#endif
609 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
610 " Valid algo flags are SHA1 and SHA256. \n"
611#ifdef _WIN32
612 "--cryptoapicert select-string : Load the certificate and private key from the\n"
613 " Windows Certificate System Store.\n"
614#endif
615 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
616 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
617 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
618 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
619 " (default=legacy).\n"
620 "--providers l : A list l of OpenSSL providers to load.\n"
621 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
622 " if no ACK from remote within n seconds (default=%d).\n"
623 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
624 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
625 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
626 " and at least min (defaults to 90%% of max on servers and equal\n"
627 " to max on clients).\n"
628 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
629 " of handshake initiation by any peer (default=%d).\n"
630 "--tran-window n : Transition window -- old key can live this many seconds\n"
631 " after new key renegotiation begins (default=%d).\n"
632 "--single-session: Allow only one session (reset state on restart).\n"
633 "--tls-exit : Exit on TLS negotiation failure.\n"
634 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
635 " control channel to protect against attacks on the TLS stack\n"
636 " and DoS attacks.\n"
637 " f (required) is a shared-secret key file.\n"
638 " The optional d parameter controls key directionality.\n"
639 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
640 " of the TLS control channel to hide the TLS certificate,\n"
641 " provide basic post-quantum security and protect against\n"
642 " attacks on the TLS stack and DoS attacks.\n"
643 " key (required) provides the pre-shared key file.\n"
644 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
645 " For servers: use key to decrypt client-specific keys. For\n"
646 " key generation (--genkey tls-crypt-v2-client): use key to\n"
647 " encrypt generated client-specific key. (See --tls-crypt.)\n"
648 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
649 " fresh tls-crypt-v2 client key, and store to\n"
650 " keyfile. If supplied, include metadata in wrapped key.\n"
651 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
652 " fresh tls-crypt-v2 server key, and store to keyfile\n"
653 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
654 " client-supplied tls-crypt-v2 client key\n"
655 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
656 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
657 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
658 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
659 " pending TLS connection that has otherwise passed all other\n"
660 " tests of certification. cmd should return 0 to allow\n"
661 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
662 " executed as 'cmd certificate_depth subject')\n"
663 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
664 " DN name. The remote host must also pass all other tests\n"
665 " of verification.\n"
666#ifndef ENABLE_CRYPTO_MBEDTLS
667 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
668 " an explicit nsCertType designation t = 'client' | 'server'.\n"
669#endif
670 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
671 " plugins and management interface.\n"
672 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
673 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
674 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
675 " explicit key usage, you can specify more than one value.\n"
676 " value should be given in hex format.\n"
677 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
678 " explicit extended key usage. Extended key usage can be encoded\n"
679 " as an object identifier or OpenSSL string representation.\n"
680 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
681 " key usage and extended key usage based on RFC3280 TLS rules.\n"
682 " t = 'client' | 'server'.\n"
683#ifdef ENABLE_PKCS11
684 "\n"
685 "PKCS#11 Options:\n"
686 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
687 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
688 " path. Set for each provider.\n"
689 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
690 " 0 : Try to determine automatically (default).\n"
691 " 1 : Use Sign.\n"
692 " 2 : Use SignRecover.\n"
693 " 4 : Use Decrypt.\n"
694 " 8 : Use Unwrap.\n"
695 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
696 " certificate can be accessed. Set for each provider.\n"
697 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
698 " cache until token is removed.\n"
699 "--pkcs11-id-management : Acquire identity from management interface.\n"
700 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
701#endif /* ENABLE_PKCS11 */
702 "\n"
703 "SSL Library information:\n"
704 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
705 "--show-digests : Show message digest algorithms to use with --auth option.\n"
706 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
707 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
708#ifdef _WIN32
709 "\n"
710 "Windows Specific:\n"
711 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
712 " from SystemRoot environment variable.\n"
713 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
714 " IP address using method = manual, netsh, ipapi,\n"
715 " dynamic, or adaptive (default = adaptive).\n"
716 " Dynamic method allows two optional parameters:\n"
717 " offset: DHCP server address offset (> -256 and < 256).\n"
718 " If 0, use network address, if >0, take nth\n"
719 " address forward from network address, if <0,\n"
720 " take nth address backward from broadcast\n"
721 " address.\n"
722 " Default is 0.\n"
723 " lease-time: Lease time in seconds.\n"
724 " Default is one year.\n"
725 "--route-method : Which method to use for adding routes on Windows?\n"
726 " adaptive (default) -- Try ipapi then fall back to exe.\n"
727 " ipapi -- Use IP helper API.\n"
728 " exe -- Call the route.exe shell command.\n"
729 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
730 " be used with --ip-win32 dynamic. For options\n"
731 " which allow multiple addresses,\n"
732 " --dhcp-option must be repeated.\n"
733 " DOMAIN name : Set DNS suffix\n"
734 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
735 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
736 " NTP : Set NTP server address(es)\n"
737 " NBDD : Set NBDD server address(es)\n"
738 " WINS addr : Set WINS server address(es)\n"
739 " NBT type : Set NetBIOS over TCP/IP Node type\n"
740 " 1: B, 2: P, 4: M, 8: H\n"
741 " NBS id : Set NetBIOS scope ID\n"
742 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
743 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
744 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
745 " startup.\n"
746 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
747 " on connection initiation.\n"
748 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
749 " attempting to set adapter properties.\n"
750 "--pause-exit : When run from a console window, pause before exiting.\n"
751 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
752 " service, and should not be used directly by end-users.\n"
753 " ex is the name of an event object which, when\n"
754 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
755 " optional parameter controls the initial state of ex.\n"
756 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
757 " after TAP adapter is up and routes have been added.\n"
758 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
759 "Windows Standalone Options:\n"
760 "\n"
761 "--show-adapters : Show all TAP-Windows adapters.\n"
762 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
763 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
764 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
765 " to access TAP adapter.\n"
766#endif /* ifdef _WIN32 */
767 "\n"
768 "Generate a new key :\n"
769 "--genkey tls-auth file : Generate a new random key of type and write to file\n"
770 " (for use with --tls-auth or --tls-crypt)."
771#ifdef ENABLE_FEATURE_TUN_PERSIST
772 "\n"
773 "Tun/tap config mode (available with linux 2.4+):\n"
774 "--mktun : Create a persistent tunnel.\n"
775 "--rmtun : Remove a persistent tunnel.\n"
776 "--dev tunX|tapX : tun/tap device\n"
777 "--dev-type dt : Device type. See tunnel options above for details.\n"
778 "--user user : User to set privilege to.\n"
779 "--group group : Group to set privilege to.\n"
780#endif
781#ifdef ENABLE_PKCS11
782 "\n"
783 "PKCS#11 standalone options:\n"
784#ifdef DEFAULT_PKCS11_MODULE
785 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
786#else
787 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
788#endif
789 " --verb option can be added *BEFORE* this.\n"
790#endif /* ENABLE_PKCS11 */
791 "\n"
792 "General Standalone Options:\n"
793#ifdef ENABLE_DEBUG
794 "--show-gateway [address]: Show info about gateway [to v4/v6 address].\n"
795#endif
796 ;
797
798#endif /* !ENABLE_SMALL */
799
800/*
801 * This is where the options defaults go.
802 * Any option not explicitly set here
803 * will be set to 0.
804 */
805void
806init_options(struct options *o, const bool init_gc)
807{
808 CLEAR(*o);
809 if (init_gc)
810 {
811 gc_init(&o->gc);
813 o->gc_owned = true;
814 }
816 o->topology = TOP_UNDEF;
817 o->ce.proto = PROTO_UDP;
818 o->ce.af = AF_UNSPEC;
819 o->ce.bind_ipv6_only = false;
822 o->ce.connect_timeout = 120;
823 o->connect_retry_max = 0;
825 o->verbosity = 1;
827 o->status_file_version = 1;
828 o->ce.bind_local = true;
830 o->ce.occ_mtu = 0;
833 o->ce.mtu_discover_type = -1;
834 o->ce.mssfix = 0;
835 o->ce.mssfix_default = true;
836 o->ce.mssfix_encap = true;
838 o->route_delay_window = 30;
840 o->resolve_in_advance = false;
841 o->proto_force = -1;
842 o->occ = true;
843#ifdef ENABLE_MANAGEMENT
847#endif
848#ifdef ENABLE_FEATURE_TUN_PERSIST
849 o->persist_mode = 1;
850#endif
851#ifdef _WIN32
852#if 0
854#else
856#endif
857 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
858 /* use network address as internal DHCP server address */
861 o->block_outside_dns = false;
863#endif
865 o->vlan_pvid = 1;
866 o->real_hash_size = 256;
867 o->virtual_hash_size = 256;
868 o->n_bcast_buf = 256;
869 o->tcp_queue_limit = 64;
870 o->max_clients = 1024;
871 o->cf_initial_per = 10;
872 o->cf_initial_max = 100;
873 o->max_routes_per_client = 256;
877 o->authname = "SHA1";
881#ifdef ENABLE_PREDICTION_RESISTANCE
882 o->use_prediction_resistance = false;
883#endif
884 o->tls_timeout = 2;
885 o->renegotiate_bytes = -1;
886 o->renegotiate_seconds = 3600;
888 o->handshake_window = 60;
889 o->transition_window = 3600;
890 o->tls_cert_profile = NULL;
891 o->ecdh_curve = NULL;
892#ifdef ENABLE_X509ALTUSERNAME
893 o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
894#endif
895#ifdef ENABLE_PKCS11
896 o->pkcs11_pin_cache_period = -1;
897#endif /* ENABLE_PKCS11 */
898
899 /* P2MP server context features */
900 o->auth_token_generate = false;
901
902 /* Set default --tmp-dir */
903#ifdef _WIN32
904 /* On Windows, find temp dir via environment variables */
906
907 if (!o->tmp_dir)
908 {
909 /* Error out if we can't find a valid temporary directory, which should
910 * be very unlikely. */
911 msg(M_USAGE, "Could not find a suitable temporary directory."
912 " (GetTempPath() failed). Consider using --tmp-dir");
913 }
914#else /* ifdef _WIN32 */
915 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
916 o->tmp_dir = getenv("TMPDIR");
917 if (!o->tmp_dir)
918 {
919 o->tmp_dir = "/tmp";
920 }
921#endif /* _WIN32 */
922 o->allow_recursive_routing = false;
923
924#ifndef ENABLE_DCO
925 o->disable_dco = true;
926#endif /* ENABLE_DCO */
927
928#ifdef ENABLE_DNS_UPDOWN_BY_DEFAULT
929 o->dns_options.updown = DEFAULT_DNS_UPDOWN;
930#endif /* ENABLE_DNS_UPDOWN_BY_DEFAULT */
931}
932
933void
935{
936 if (o->connection_list)
937 {
939 }
940 if (o->remote_list)
941 {
942 CLEAR(*o->remote_list);
943 }
944 if (o->gc_owned)
945 {
946 gc_free(&o->gc);
948 }
949}
950
951#ifndef ENABLE_SMALL
952
953static const char *
955{
956 if (type == PUF_TYPE_ACCEPT)
957 {
958 return "accept";
959 }
960 if (type == PUF_TYPE_IGNORE)
961 {
962 return "ignore";
963 }
964 if (type == PUF_TYPE_REJECT)
965 {
966 return "reject";
967 }
968 else
969 {
970 return "???";
971 }
972}
973
974#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
975#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
976#define SHOW_STR_INLINE(var) \
977 SHOW_PARM(var, o->var##_inline ? "[INLINE]" : (o->var ? o->var : "[UNDEF]"), "'%s'")
978#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
979#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
980#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
981#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
982#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
983
984#endif /* ifndef ENABLE_SMALL */
985
986static void
987setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
988{
989 setenv_str_i(es, "remote", e->remote, i);
990 setenv_str_i(es, "remote_port", e->remote_port, i);
991
992 if (e->http_proxy_options)
993 {
994 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
995 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
996 }
997 if (e->socks_proxy_server)
998 {
999 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
1000 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
1001 }
1002}
1003
1004static void
1005setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
1006{
1007 setenv_str_i(es, "proto", proto2ascii(e->proto, AF_UNSPEC, false), i);
1008 setenv_str_i(es, "local", e->local, i);
1009 setenv_str_i(es, "local_port", e->port, i);
1010}
1011
1012void
1013setenv_settings(struct env_set *es, const struct options *o)
1014{
1015 setenv_str(es, "config", o->config);
1016 setenv_int(es, "verb", o->verbosity);
1017 setenv_int(es, "daemon", o->daemon);
1018 setenv_int(es, "daemon_log_redirect", o->log);
1019 setenv_long_long(es, "daemon_start_time", time(NULL));
1020 setenv_int(es, "daemon_pid", platform_getpid());
1021
1022 if (o->connection_list)
1023 {
1024 int i;
1025 for (i = 0; i < o->connection_list->len; ++i)
1026 {
1028 }
1029 }
1030 else
1031 {
1032 setenv_connection_entry(es, &o->ce, 1);
1033 }
1034
1035 if (o->ce.local_list)
1036 {
1037 for (int i = 0; i < o->ce.local_list->len; i++)
1038 {
1040 }
1041 }
1042}
1043
1044#ifndef _WIN32
1045static void
1046setenv_foreign_option(struct options *o, const char *option, const char *value, struct env_set *es)
1047{
1048 struct gc_arena gc = gc_new();
1051 bool good = true;
1052
1053 good &= buf_printf(&env_name, "foreign_option_%d", o->foreign_option_index + 1);
1054 if (value)
1055 {
1056 good &= buf_printf(&env_value, "dhcp-option %s %s", option, value);
1057 }
1058 else
1059 {
1060 good &= buf_printf(&env_value, "dhcp-option %s", option);
1061 }
1062 if (good)
1063 {
1065 ++o->foreign_option_index;
1066 }
1067 else
1068 {
1069 msg(M_WARN, "foreign_option: name/value overflow");
1070 }
1071 gc_free(&gc);
1072}
1073
1074static void
1075delete_all_dhcp_fo(struct options *o, struct env_item **list)
1076{
1077 struct env_item *current, *prev;
1078
1079 ASSERT(list);
1080
1081 for (current = *list, prev = NULL; current != NULL; current = current->next)
1082 {
1083 char *tmp_value = NULL;
1084 if (!strncmp(current->string, "foreign_option_", sizeof("foreign_option_") - 1))
1085 {
1086 tmp_value = strchr(current->string, '=');
1087 if (tmp_value && ++tmp_value)
1088 {
1089 if (!strncmp(tmp_value, "dhcp-option ", sizeof("dhcp-option ") - 1))
1090 {
1091 if (prev)
1092 {
1093 prev->next = current->next;
1094 }
1095 else
1096 {
1097 *list = current->next;
1098 }
1100 }
1101 }
1102 }
1103 prev = current;
1104 }
1105}
1106
1107#endif /* ifndef _WIN32 */
1108
1109static in_addr_t
1110get_ip_addr(const char *ip_string, int msglevel, bool *error)
1111{
1112 unsigned int flags = GETADDR_HOST_ORDER;
1113 bool succeeded = false;
1114 in_addr_t ret;
1115
1116 if (msglevel & M_FATAL)
1117 {
1118 flags |= GETADDR_FATAL;
1119 }
1120
1121 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1122 if (!succeeded && error)
1123 {
1124 *error = true;
1125 }
1126 return ret;
1127}
1128
1134static char *
1135get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1136{
1137 const char *end = strchr(addr, '/');
1138 char *ret = NULL;
1139 if (NULL == end)
1140 {
1141 ret = string_alloc(addr, gc);
1142 }
1143 else
1144 {
1145 size_t len = end - addr;
1146 ret = gc_malloc(len + 1, true, gc);
1147 memcpy(ret, addr, len);
1148 }
1149 return ret;
1150}
1151
1152static bool
1153ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
1154{
1155 struct in6_addr t_addr;
1156 unsigned int t_bits;
1157
1158 return get_ipv6_addr(ipv6_prefix_spec, &t_addr, &t_bits, M_WARN);
1159}
1160
1161static char *
1162string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1163{
1164 char *ret = (char *)gc_malloc(strlen(src) + 1, true, gc);
1165 char *dest = ret;
1166 char c;
1167
1168 do
1169 {
1170 c = *src++;
1171 if (c == from)
1172 {
1173 c = to;
1174 }
1175 *dest++ = c;
1176 } while (c);
1177 return ret;
1178}
1179
1189static struct verify_hash_list *
1190parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1191{
1192 int i = 0;
1193 const char *cp = str;
1194
1195 struct verify_hash_list *ret;
1197
1198 char term = 0;
1199 unsigned int byte;
1200
1201 while (*cp && i < nbytes)
1202 {
1203 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1204 if (!isxdigit(cp[0]) || !isxdigit(cp[1]) || (cp[2] != ':' && cp[2] != '\0')
1205 || sscanf(cp, "%x", &byte) != 1)
1206 {
1207 msg(msglevel, "format error in hash fingerprint: %s", str);
1208 break;
1209 }
1210
1211 ret->hash[i++] = (uint8_t)byte;
1212
1213 term = cp[2];
1214 if (term == '\0')
1215 {
1216 break;
1217 }
1218 cp += 3;
1219 }
1220 if (i < nbytes)
1221 {
1222 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i,
1223 str);
1224 }
1225 else if (term != '\0')
1226 {
1227 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1228 }
1229 return ret;
1230}
1231
1242static struct verify_hash_list *
1243parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1244{
1245 struct gc_arena gc_temp = gc_new();
1246 char *lines = string_alloc(str, &gc_temp);
1247
1248 struct verify_hash_list *ret = NULL;
1249
1250 const char *line;
1251 while ((line = strsep(&lines, "\n")))
1252 {
1253 /* ignore leading whitespace */
1254 while (isspace(*line))
1255 {
1256 line++;
1257 }
1258 /* skip empty lines and comment lines */
1259 if (strlen(line) == 0 || *line == '#' || *line == ';')
1260 {
1261 continue;
1262 }
1263
1264 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes, msglevel, gc);
1265
1266 if (!hash)
1267 {
1268 gc_free(&gc_temp);
1269 return NULL;
1270 }
1271
1272 hash->next = ret;
1273 ret = hash;
1274 }
1275 gc_free(&gc_temp);
1276
1277 return ret;
1278}
1279#ifdef _WIN32
1280
1281#ifndef ENABLE_SMALL
1282
1283static void
1284show_dhcp_option_list(const char *name, const char *const *array, int len)
1285{
1286 int i;
1287 for (i = 0; i < len; ++i)
1288 {
1289 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i]);
1290 }
1291}
1292
1293static void
1294show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1295{
1296 struct gc_arena gc = gc_new();
1297 int i;
1298 for (i = 0; i < len; ++i)
1299 {
1300 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, print_in_addr_t(array[i], 0, &gc));
1301 }
1302 gc_free(&gc);
1303}
1304
1305static void
1307{
1308 SHOW_BOOL(ip_win32_defined);
1309 SHOW_INT(ip_win32_type);
1310 SHOW_INT(dhcp_masq_offset);
1311 SHOW_INT(dhcp_lease_time);
1312 SHOW_INT(tap_sleep);
1315 SHOW_BOOL(dhcp_pre_release);
1316 SHOW_STR(domain);
1317 SHOW_STR(netbios_scope);
1318 SHOW_INT(netbios_node_type);
1319 SHOW_BOOL(disable_nbt);
1320
1321 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1322 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1323 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1324 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1326}
1327
1328#endif /* ifndef ENABLE_SMALL */
1329#endif /* ifdef _WIN32 */
1330
1331static void
1332dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1333{
1334 struct in6_addr addr;
1335 if (*len >= N_DHCP_ADDR)
1336 {
1337 msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1338 N_DHCP_ADDR);
1339 }
1340 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1341 {
1342 dns6_list[(*len)++] = addr;
1343 }
1344}
1345static void
1346dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len,
1347 int msglevel)
1348{
1349 if (*len >= N_DHCP_ADDR)
1350 {
1351 msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified", name,
1352 N_DHCP_ADDR, name);
1353 }
1354 else
1355 {
1356 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1357 {
1358 bool error = false;
1359 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1360 if (!error)
1361 {
1362 array[(*len)++] = addr;
1363 }
1364 }
1365 else
1366 {
1367 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1368 }
1369 }
1370}
1371
1372#ifndef ENABLE_SMALL
1373static const char *
1375{
1376 switch (mode)
1377 {
1378 case VLAN_ONLY_TAGGED:
1379 return "tagged";
1380
1382 return "untagged";
1383
1384 case VLAN_ALL:
1385 return "all";
1386 }
1387 return NULL;
1388}
1389
1390static void
1391show_p2mp_parms(const struct options *o)
1392{
1393 struct gc_arena gc = gc_new();
1394
1395 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1396 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1397 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc));
1398 SHOW_INT(server_netbits_ipv6);
1399 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1400 msg(D_SHOW_PARMS, " server_bridge_netmask = %s",
1402 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s",
1404 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s",
1406 if (o->push_list.head)
1407 {
1408 const struct push_entry *e = o->push_list.head;
1409 while (e)
1410 {
1411 if (e->enable)
1412 {
1413 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1414 }
1415 e = e->next;
1416 }
1417 }
1418 SHOW_BOOL(ifconfig_pool_defined);
1419 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s",
1421 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1422 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s",
1424 SHOW_STR(ifconfig_pool_persist_filename);
1425 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1426 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1427 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s",
1429 SHOW_INT(ifconfig_ipv6_pool_netbits);
1430 SHOW_INT(n_bcast_buf);
1431 SHOW_INT(tcp_queue_limit);
1432 SHOW_INT(real_hash_size);
1433 SHOW_INT(virtual_hash_size);
1434 SHOW_STR(client_connect_script);
1436 SHOW_STR(client_disconnect_script);
1437 SHOW_STR(client_crresponse_script);
1438 SHOW_STR(client_config_dir);
1439 SHOW_BOOL(ccd_exclusive);
1440 SHOW_STR(tmp_dir);
1441 SHOW_BOOL(push_ifconfig_defined);
1442 msg(D_SHOW_PARMS, " push_ifconfig_local = %s",
1444 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s",
1446 SHOW_BOOL(push_ifconfig_ipv6_defined);
1447 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d",
1449 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s",
1451 SHOW_BOOL(enable_c2c);
1452 SHOW_BOOL(duplicate_cn);
1453 SHOW_INT(cf_max);
1454 SHOW_INT(cf_per);
1455 SHOW_INT(cf_initial_max);
1456 SHOW_INT(cf_initial_per);
1457 SHOW_INT(max_clients);
1458 SHOW_INT(max_routes_per_client);
1459 SHOW_STR(auth_user_pass_verify_script);
1460 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1461 SHOW_BOOL(auth_token_generate);
1462 SHOW_BOOL(force_key_material_export);
1463 SHOW_INT(auth_token_lifetime);
1464 SHOW_STR_INLINE(auth_token_secret_file);
1465#if PORT_SHARE
1466 SHOW_STR(port_share_host);
1467 SHOW_STR(port_share_port);
1468#endif
1469 SHOW_BOOL(vlan_tagging);
1470 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1471 SHOW_INT(vlan_pvid);
1472
1473 SHOW_BOOL(client);
1474 SHOW_BOOL(pull);
1475 SHOW_STR_INLINE(auth_user_pass_file);
1476
1477 gc_free(&gc);
1478}
1479
1480#endif /* ! ENABLE_SMALL */
1481
1482static void
1483option_iroute(struct options *o, const char *network_str, const char *netmask_str, int msglevel)
1484{
1485 struct iroute *ir;
1486
1487 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1488 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1489 ir->netbits = 32; /* host route if no netmask given */
1490
1491 if (netmask_str)
1492 {
1493 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1494 ir->netbits = netmask_to_netbits2(netmask);
1495
1496 if (ir->netbits < 0)
1497 {
1498 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification", network_str,
1499 netmask_str);
1500 return;
1501 }
1502 }
1503
1504 ir->next = o->iroutes;
1505 o->iroutes = ir;
1506}
1507
1508static void
1509option_iroute_ipv6(struct options *o, const char *prefix_str, int msglevel)
1510{
1511 struct iroute_ipv6 *ir;
1512
1513 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1514
1515 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel))
1516 {
1517 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str);
1518 return;
1519 }
1520
1521 ir->next = o->iroutes_ipv6;
1522 o->iroutes_ipv6 = ir;
1523}
1524
1525#ifndef ENABLE_SMALL
1526static void
1528{
1529 int i;
1530 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1531 SHOW_STR(server);
1532 SHOW_STR(port);
1533 SHOW_STR(auth_method_string);
1534 SHOW_STR(auth_file);
1535 SHOW_STR(auth_file_up);
1536 SHOW_BOOL(inline_creds);
1537 SHOW_BOOL(nocache);
1538 SHOW_STR(http_version);
1539 SHOW_STR(user_agent);
1540 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1541 {
1542 if (o->custom_headers[i].content)
1543 {
1544 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i, o->custom_headers[i].name,
1546 }
1547 else
1548 {
1549 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i, o->custom_headers[i].name);
1550 }
1551 }
1552 msg(D_SHOW_PARMS, "END http_proxy");
1553}
1554#endif /* ifndef ENABLE_SMALL */
1555
1556void
1558{
1559 gc_detach(&o->gc);
1560 o->routes = NULL;
1561 o->client_nat = NULL;
1562 clone_push_list(o);
1563}
1564
1565void
1567{
1568 if (!options->routes)
1569 {
1571 }
1572}
1573
1574static void
1582
1583static void
1585{
1586 if (!options->client_nat)
1587 {
1589 }
1590}
1591
1592#ifndef ENABLE_SMALL
1593static void
1595{
1596 /* Display the global proto only in client mode or with no '--local'*/
1597 if (o->local_list->len == 1)
1598 {
1599 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1600 }
1601
1602 msg(D_SHOW_PARMS, " Local Sockets:");
1603 for (int i = 0; i < o->local_list->len; i++)
1604 {
1605 msg(D_SHOW_PARMS, " [%s]:%s-%s", o->local_list->array[i]->local,
1606 o->local_list->array[i]->port,
1607 proto2ascii(o->local_list->array[i]->proto, o->af, false));
1608 }
1609 SHOW_STR(remote);
1610 SHOW_STR(remote_port);
1611 SHOW_BOOL(remote_float);
1612 SHOW_BOOL(bind_defined);
1614 SHOW_BOOL(bind_ipv6_only);
1615 SHOW_INT(connect_retry_seconds);
1616 SHOW_INT(connect_timeout);
1617
1618 if (o->http_proxy_options)
1619 {
1621 }
1622 SHOW_STR(socks_proxy_server);
1623 SHOW_STR(socks_proxy_port);
1624 SHOW_INT(tun_mtu);
1625 SHOW_BOOL(tun_mtu_defined);
1626 SHOW_INT(link_mtu);
1627 SHOW_BOOL(link_mtu_defined);
1628 SHOW_INT(tun_mtu_extra);
1629 SHOW_BOOL(tun_mtu_extra_defined);
1630 SHOW_INT(tls_mtu);
1631
1632 SHOW_INT(mtu_discover_type);
1633
1634#ifdef ENABLE_FRAGMENT
1636#endif
1637 SHOW_INT(mssfix);
1638 SHOW_BOOL(mssfix_encap);
1639 SHOW_BOOL(mssfix_fixed);
1640
1641 SHOW_INT(explicit_exit_notification);
1642
1643 SHOW_STR_INLINE(tls_auth_file);
1644 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1645 SHOW_STR_INLINE(tls_crypt_file);
1646 SHOW_STR_INLINE(tls_crypt_v2_file);
1647}
1648
1649
1650static void
1652{
1653 if (o->connection_list)
1654 {
1655 const struct connection_list *l = o->connection_list;
1656 int i;
1657 for (i = 0; i < l->len; ++i)
1658 {
1659 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1660 show_connection_entry(l->array[i]);
1661 }
1662 }
1663 else
1664 {
1665 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1667 }
1668 msg(D_SHOW_PARMS, "Connection profiles END");
1669}
1670
1671static void
1673{
1674 struct pull_filter *f;
1675 if (!l)
1676 {
1677 return;
1678 }
1679
1680 msg(D_SHOW_PARMS, " Pull filters:");
1681 for (f = l->head; f; f = f->next)
1682 {
1683 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1684 }
1685}
1686
1687#endif /* ifndef ENABLE_SMALL */
1688
1689void
1690show_settings(const struct options *o)
1691{
1692#ifndef ENABLE_SMALL
1693 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1694
1695 SHOW_STR(config);
1696
1697 SHOW_INT(mode);
1698
1699#ifdef ENABLE_FEATURE_TUN_PERSIST
1700 SHOW_BOOL(persist_config);
1701 SHOW_INT(persist_mode);
1702#endif
1703
1704 SHOW_BOOL(show_ciphers);
1705 SHOW_BOOL(show_digests);
1706 SHOW_BOOL(show_engines);
1707 SHOW_BOOL(genkey);
1708 SHOW_STR(genkey_filename);
1709 SHOW_STR(key_pass_file);
1710 SHOW_BOOL(show_tls_ciphers);
1711
1712 SHOW_INT(connect_retry_max);
1714
1715 SHOW_BOOL(remote_random);
1716
1717 SHOW_STR(ipchange);
1718 SHOW_STR(dev);
1719 SHOW_STR(dev_type);
1720 SHOW_STR(dev_node);
1721#if defined(ENABLE_DCO)
1722 SHOW_BOOL(disable_dco);
1723#endif
1724 SHOW_STR(lladdr);
1725 SHOW_INT(topology);
1726 SHOW_STR(ifconfig_local);
1727 SHOW_STR(ifconfig_remote_netmask);
1728 SHOW_BOOL(ifconfig_noexec);
1729 SHOW_BOOL(ifconfig_nowarn);
1730 SHOW_STR(ifconfig_ipv6_local);
1731 SHOW_INT(ifconfig_ipv6_netbits);
1732 SHOW_STR(ifconfig_ipv6_remote);
1733
1735 SHOW_INT(mtu_test);
1736
1737 SHOW_BOOL(mlock);
1738
1739 SHOW_INT(keepalive_ping);
1740 SHOW_INT(keepalive_timeout);
1741 SHOW_INT(inactivity_timeout);
1742 SHOW_INT(session_timeout);
1743 SHOW_INT64(inactivity_minimum_bytes);
1744 SHOW_INT(ping_send_timeout);
1745 SHOW_INT(ping_rec_timeout);
1746 SHOW_INT(ping_rec_timeout_action);
1747 SHOW_BOOL(ping_timer_remote);
1748 SHOW_INT(remap_sigusr1);
1749 SHOW_BOOL(persist_tun);
1750 SHOW_BOOL(persist_local_ip);
1751 SHOW_BOOL(persist_remote_ip);
1752
1753#if PASSTOS_CAPABILITY
1754 SHOW_BOOL(passtos);
1755#endif
1756
1757 SHOW_INT(resolve_retry_seconds);
1758 SHOW_BOOL(resolve_in_advance);
1759
1760 SHOW_STR(username);
1761 SHOW_STR(groupname);
1762 SHOW_STR(chroot_dir);
1763 SHOW_STR(cd_dir);
1764#ifdef ENABLE_SELINUX
1765 SHOW_STR(selinux_context);
1766#endif
1767 SHOW_STR(writepid);
1768 SHOW_STR(up_script);
1769 SHOW_STR(down_script);
1770 SHOW_BOOL(down_pre);
1771 SHOW_BOOL(up_restart);
1772 SHOW_BOOL(up_delay);
1774 SHOW_BOOL(log);
1777 SHOW_INT(nice);
1778 SHOW_INT(verbosity);
1779 SHOW_INT(mute);
1780#ifdef ENABLE_DEBUG
1781 SHOW_INT(gremlin);
1782#endif
1783 SHOW_STR(status_file);
1784 SHOW_INT(status_file_version);
1785 SHOW_INT(status_file_update_freq);
1786
1787 SHOW_BOOL(occ);
1788 SHOW_INT(rcvbuf);
1789 SHOW_INT(sndbuf);
1790#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1791 SHOW_INT(mark);
1792#endif
1793 SHOW_INT(sockflags);
1794
1795 SHOW_BOOL(fast_io);
1796
1797 SHOW_INT(comp.alg);
1798 SHOW_INT(comp.flags);
1799
1800 SHOW_STR(route_script);
1801 SHOW_STR(route_default_gateway);
1802 SHOW_INT(route_default_metric);
1803 SHOW_INT(route_default_table_id);
1804 SHOW_BOOL(route_noexec);
1805 SHOW_INT(route_delay);
1806 SHOW_INT(route_delay_window);
1807 SHOW_BOOL(route_delay_defined);
1808 SHOW_BOOL(route_nopull);
1809 SHOW_BOOL(route_gateway_via_dhcp);
1810 SHOW_BOOL(allow_pull_fqdn);
1812
1813 if (o->routes)
1814 {
1816 }
1817
1818 if (o->client_nat)
1819 {
1821 }
1822
1824
1825#ifdef ENABLE_MANAGEMENT
1826 SHOW_STR(management_addr);
1827 SHOW_STR(management_port);
1828 SHOW_STR(management_user_pass);
1829 SHOW_INT(management_log_history_cache);
1830 SHOW_INT(management_echo_buffer_size);
1831 SHOW_STR(management_client_user);
1832 SHOW_STR(management_client_group);
1833 SHOW_INT(management_flags);
1834#endif
1835#ifdef ENABLE_PLUGIN
1836 if (o->plugin_list)
1837 {
1839 }
1840#endif
1841
1842 SHOW_STR_INLINE(shared_secret_file);
1843 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1844 SHOW_STR(ciphername);
1845 SHOW_STR(ncp_ciphers);
1846 SHOW_STR(authname);
1847#ifndef ENABLE_CRYPTO_MBEDTLS
1848 SHOW_BOOL(engine);
1849#endif /* ENABLE_CRYPTO_MBEDTLS */
1850 SHOW_BOOL(mute_replay_warnings);
1851 SHOW_INT(replay_window);
1852 SHOW_INT(replay_time);
1853 SHOW_STR(packet_id_file);
1855#ifdef ENABLE_PREDICTION_RESISTANCE
1856 SHOW_BOOL(use_prediction_resistance);
1857#endif
1858
1859 SHOW_BOOL(tls_server);
1860 SHOW_BOOL(tls_client);
1861 SHOW_STR_INLINE(ca_file);
1862 SHOW_STR(ca_path);
1863 SHOW_STR_INLINE(dh_file);
1865 {
1866 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1867 }
1868 else
1869 {
1870 SHOW_STR_INLINE(cert_file);
1871 }
1872 SHOW_STR_INLINE(extra_certs_file);
1873
1875 {
1876 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1877 }
1878 else
1879 {
1880 SHOW_STR_INLINE(priv_key_file);
1881 }
1882#ifndef ENABLE_CRYPTO_MBEDTLS
1883 SHOW_STR_INLINE(pkcs12_file);
1884#endif
1885#ifdef ENABLE_CRYPTOAPI
1886 SHOW_STR(cryptoapi_cert);
1887#endif
1888 SHOW_STR(cipher_list);
1889 SHOW_STR(cipher_list_tls13);
1890 SHOW_STR(tls_cert_profile);
1892 SHOW_STR(tls_export_peer_cert_dir);
1893 SHOW_INT(verify_x509_type);
1894 SHOW_STR(verify_x509_name);
1895 SHOW_STR_INLINE(crl_file);
1896 SHOW_INT(ns_cert_type);
1897 {
1898 int i;
1899 for (i = 0; i < MAX_PARMS; i++)
1900 {
1901 SHOW_INT(remote_cert_ku[i]);
1902 }
1903 }
1904 SHOW_STR(remote_cert_eku);
1905 if (o->verify_hash)
1906 {
1907 SHOW_INT(verify_hash_algo);
1908 SHOW_INT(verify_hash_depth);
1909 struct gc_arena gc = gc_new();
1910 struct verify_hash_list *hl = o->verify_hash;
1911 int digest_len =
1913 while (hl)
1914 {
1915 char *s = format_hex_ex(hl->hash, digest_len, 0, 1, ":", &gc);
1916 SHOW_PARM(verify_hash, s, "%s");
1917 hl = hl->next;
1918 }
1919 gc_free(&gc);
1920 }
1921 SHOW_INT(ssl_flags);
1922
1923 SHOW_INT(tls_timeout);
1924
1925 SHOW_INT64(renegotiate_bytes);
1926 SHOW_INT64(renegotiate_packets);
1927 SHOW_INT(renegotiate_seconds);
1928
1929 SHOW_INT(handshake_window);
1930 SHOW_INT(transition_window);
1931
1932 SHOW_BOOL(single_session);
1934 SHOW_BOOL(tls_exit);
1935
1936 SHOW_STR(tls_crypt_v2_metadata);
1937
1938#ifdef ENABLE_PKCS11
1939 {
1940 int i;
1941 for (i = 0; i < MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1942 {
1943 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1944 }
1945 }
1946 {
1947 int i;
1948 for (i = 0; i < MAX_PARMS; i++)
1949 {
1950 SHOW_PARM(pkcs11_protected_authentication,
1951 o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1952 }
1953 }
1954 {
1955 int i;
1956 for (i = 0; i < MAX_PARMS; i++)
1957 {
1958 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1959 }
1960 }
1961 {
1962 int i;
1963 for (i = 0; i < MAX_PARMS; i++)
1964 {
1965 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED",
1966 "%s");
1967 }
1968 }
1969 SHOW_INT(pkcs11_pin_cache_period);
1970 SHOW_STR(pkcs11_id);
1972#endif /* ENABLE_PKCS11 */
1973
1974 show_p2mp_parms(o);
1975
1976#ifdef _WIN32
1977 SHOW_BOOL(show_net_up);
1978 SHOW_INT(route_method);
1979 SHOW_BOOL(block_outside_dns);
1981#endif
1982#endif /* ifndef ENABLE_SMALL */
1983}
1984
1985#undef SHOW_PARM
1986#undef SHOW_STR
1987#undef SHOW_INT
1988#undef SHOW_BOOL
1989
1990#ifdef ENABLE_MANAGEMENT
1991
1992static struct http_proxy_options *
1993parse_http_proxy_override(const char *server, const char *port, const char *flags,
1994 struct gc_arena *gc)
1995{
1996 if (server && port)
1997 {
1998 struct http_proxy_options *ho;
2000 ho->server = string_alloc(server, gc);
2001 ho->port = port;
2002 if (flags && !strcmp(flags, "nct"))
2003 {
2004 ho->auth_retry = PAR_NCT;
2005 }
2006 else
2007 {
2008 ho->auth_retry = PAR_ALL;
2009 }
2010 ho->http_version = "1.0";
2011 ho->user_agent = "OpenVPN-Autoproxy/1.0";
2012 return ho;
2013 }
2014 else
2015 {
2016 return NULL;
2017 }
2018}
2019
2020static void
2022{
2023 const struct connection_list *l = o->connection_list;
2024 int i;
2025 bool succeed = false;
2026 for (i = 0; i < l->len; ++i)
2027 {
2028 struct connection_entry *ce = l->array[i];
2029 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2030 {
2032 succeed = true;
2033 }
2034 }
2035 if (succeed)
2036 {
2037 for (i = 0; i < l->len; ++i)
2038 {
2039 struct connection_entry *ce = l->array[i];
2040 if (ce->proto == PROTO_UDP)
2041 {
2042 ce->flags |= CE_DISABLED;
2043 }
2044 }
2045 }
2046 else
2047 {
2048 msg(M_WARN,
2049 "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2050 }
2051}
2052
2053#endif /* ifdef ENABLE_MANAGEMENT */
2054
2055static struct local_list *
2057{
2058 if (!ce->local_list)
2059 {
2061 }
2062 return ce->local_list;
2063}
2064
2065static struct local_entry *
2066alloc_local_entry(struct connection_entry *ce, const int msglevel, struct gc_arena *gc)
2067{
2069 struct local_entry *e;
2070
2071 if (l->len >= l->capacity)
2072 {
2073 const int new_cap = l->capacity + 1;
2074 const size_t elem_size = sizeof(*l->array);
2075
2076 struct local_entry **new_array = gc_realloc(l->array, new_cap * elem_size, gc);
2077 if (!new_array)
2078 {
2079 msg(msglevel,
2080 "Unable to process more local options: out of memory. Number of entries = %d",
2081 l->len);
2082 return NULL;
2083 }
2084
2085 l->array = new_array;
2086 l->capacity = new_cap;
2087 }
2088
2089 ALLOC_OBJ_CLEAR_GC(e, struct local_entry, gc);
2090 e->proto = PROTO_NONE;
2091 l->array[l->len++] = e;
2092
2093 return e;
2094}
2095
2096static struct connection_list *
2105
2106static struct connection_entry *
2107alloc_connection_entry(struct options *options, const int msglevel)
2108{
2110 struct connection_entry *e;
2111
2112 if (l->len == l->capacity)
2113 {
2114 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2115 struct connection_entry **ce =
2116 gc_realloc(l->array, capacity * sizeof(struct connection_entry *), &options->gc);
2117 if (ce == NULL)
2118 {
2119 msg(msglevel,
2120 "Unable to process more connection options: out of memory. Number of entries = %d",
2121 l->len);
2122 return NULL;
2123 }
2124 l->array = ce;
2125 l->capacity = capacity;
2126 }
2128 l->array[l->len++] = e;
2129 return e;
2130}
2131
2132static struct remote_list *
2134{
2135 if (!options->remote_list)
2136 {
2138 }
2139 return options->remote_list;
2140}
2141
2142static struct remote_entry *
2143alloc_remote_entry(struct options *options, const int msglevel)
2144{
2146 struct remote_entry *e;
2147
2148 if (l->len == l->capacity)
2149 {
2150 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2151 struct remote_entry **re =
2152 gc_realloc(l->array, capacity * sizeof(struct remote_entry *), &options->gc);
2153 if (re == NULL)
2154 {
2155 msg(msglevel,
2156 "Unable to process more remote options: out of memory. Number of entries = %d",
2157 l->len);
2158 return NULL;
2159 }
2160 l->array = re;
2161 l->capacity = capacity;
2162 }
2163 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2164 l->array[l->len++] = e;
2165 return e;
2166}
2167
2168static struct pull_filter_list *
2170{
2171 if (!o->pull_filter_list)
2172 {
2174 }
2175 return o->pull_filter_list;
2176}
2177
2178static struct pull_filter *
2180{
2182 struct pull_filter *f;
2183
2184 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2185 if (l->head)
2186 {
2187 ASSERT(l->tail);
2188 l->tail->next = f;
2189 }
2190 else
2191 {
2192 ASSERT(!l->tail);
2193 l->head = f;
2194 }
2195 l->tail = f;
2196 return f;
2197}
2198
2199static void
2201{
2202 if (re->remote)
2203 {
2204 ce->remote = re->remote;
2205 }
2206 if (re->remote_port)
2207 {
2208 ce->remote_port = re->remote_port;
2209 }
2210 if (re->proto >= 0)
2211 {
2212 ce->proto = re->proto;
2213 }
2214 if (re->af > 0)
2215 {
2216 ce->af = re->af;
2217 }
2218}
2219
2220static void
2221connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
2222{
2223 if (key_file && *key_file && !(*key_inline))
2224 {
2225 struct buffer in = buffer_read_from_file(*key_file, gc);
2226 if (!buf_valid(&in))
2227 {
2228 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2229 }
2230
2231 *key_file = (const char *)in.data;
2232 *key_inline = true;
2233 }
2234}
2235
2236static void
2238{
2239#ifdef ENABLE_CRYPTO_MBEDTLS
2240 if (options->ca_path)
2241 {
2242 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN.");
2243 }
2244#endif
2245
2248 || options->ca_path
2249#endif
2250 )
2251 {
2252 return;
2253 }
2254
2255 const char *const str = "You must define CA file (--ca)"
2256#ifndef ENABLE_CRYPTO_MBEDTLS
2257 " or CA path (--capath)"
2258#endif
2259 " and/or peer fingerprint verification (--peer-fingerprint)";
2260 msg(M_USAGE, "%s", str);
2261}
2262
2263#define MUST_BE_UNDEF(parm, parm_name) \
2264 if (options->parm != defaults.parm) \
2265 { \
2266 msg(M_USAGE, use_err, parm_name); \
2267 }
2268#define MUST_BE_FALSE(condition, parm_name) \
2269 if (condition) \
2270 { \
2271 msg(M_USAGE, use_err, parm_name); \
2272 }
2273
2274static void
2276{
2277 struct options defaults;
2278 int dev = DEV_TYPE_UNDEF;
2279 bool pull = false;
2280
2281 init_options(&defaults, true);
2282
2283 if (options->test_crypto)
2284 {
2285 notnull(options->shared_secret_file, "key file (--secret)");
2286 }
2287 else
2288 {
2289 notnull(options->dev, "TUN/TAP device (--dev)");
2290 }
2291
2292 /*
2293 * Get tun/tap/null device type
2294 */
2296
2297 /*
2298 * If "proto tcp" is specified, make sure we know whether it is
2299 * tcp-client or tcp-server.
2300 */
2301 if (ce->proto == PROTO_TCP)
2302 {
2303 msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify "
2304 "--proto tcp-server or --proto tcp-client");
2305 }
2306
2307 /*
2308 * Sanity check on Client mode
2309 */
2310
2311 if (options->mode != MODE_SERVER && ce->local_list->len > 1)
2312 {
2313 msg(M_USAGE, "multiple --local statements only allowed in --server mode");
2314 }
2315
2316 if (options->lladdr && dev != DEV_TYPE_TAP)
2317 {
2318 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2319 }
2320
2321 /*
2322 * Sanity check on MTU parameters
2323 */
2325 {
2326 msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2327 }
2328
2330 {
2331 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2332 }
2333
2334 /* will we be pulling options from server? */
2335 pull = options->pull;
2336
2337 /*
2338 * Sanity check on --local, --remote, and --ifconfig
2339 */
2340
2343 {
2344 msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig "
2345 "addresses");
2346 }
2347
2349 {
2350 msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
2351 }
2352
2353 if (ce->bind_defined && !ce->bind_local)
2354 {
2355 msg(M_USAGE, "--bind and --nobind can't be used together");
2356 }
2357
2359 {
2360 msg(M_USAGE, "--lport and --nobind don't make sense when used together");
2361 }
2362
2363 if (!ce->remote && !ce->bind_local)
2364 {
2365 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2366 }
2367
2368 for (int i = 0; i < ce->local_list->len; i++)
2369 {
2370 struct local_entry *le = ce->local_list->array[i];
2371
2372 if (proto_is_net(le->proto) && string_defined_equal(le->local, ce->remote)
2374 {
2375 msg(M_USAGE, "--remote and one of the --local addresses are the same");
2376 }
2377
2380 {
2381 msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2382 }
2383
2384 if (le->local && !ce->bind_local)
2385 {
2386 msg(M_USAGE, "--local and --nobind don't make sense when used together");
2387 }
2388 }
2389
2390 /*
2391 * Check for consistency of management options
2392 */
2393#ifdef ENABLE_MANAGEMENT
2397 {
2398 msg(M_USAGE,
2399 "--management is not specified, however one or more options which modify the behavior of --management were specified");
2400 }
2401
2404 {
2405 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2406 }
2407
2410 {
2411 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2412 "passwords is STRONGLY discouraged and considered insecure");
2413 }
2414
2415#endif /* ifdef ENABLE_MANAGEMENT */
2416
2417#if !defined(HAVE_XKEY_PROVIDER)
2420 {
2421 msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2422 "nopadding argument/support");
2423 }
2424#endif
2425 /*
2426 * Windows-specific options.
2427 */
2428
2429#ifdef _WIN32
2430 if (dev == DEV_TYPE_TUN
2432 {
2433 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2434 }
2435
2438 {
2439 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2440 }
2441
2443 {
2444 const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
2446 {
2447 msg(M_USAGE, "%s, which is not supported by the selected %s driver", prefix,
2449 }
2452 {
2453 msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive", prefix);
2454 }
2455 }
2456#endif /* ifdef _WIN32 */
2457
2458 /*
2459 * Check that protocol options make sense.
2460 */
2461
2462#ifdef ENABLE_FRAGMENT
2463 if (!proto_is_udp(ce->proto) && ce->fragment)
2464 {
2465 msg(M_USAGE, "--fragment can only be used with --proto udp");
2466 }
2467#endif
2468
2469 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2470 {
2471 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2472 }
2473
2474 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2475 {
2476 msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2477 "tcp-client)");
2478 }
2479
2480 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2481 {
2482 msg(M_USAGE, "--http-proxy not specified but other http proxy options present");
2483 }
2484
2486 {
2487 msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy");
2488 }
2489
2490 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2491 {
2492 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2493 }
2494
2495 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2496 {
2497 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2498 }
2499
2500 /*
2501 * Check consistency of --mode server options.
2502 */
2503 if (options->mode == MODE_SERVER)
2504 {
2505 const char use_err[] = "--%s cannot be used with --mode server.";
2506
2507#define USAGE_VALID_SERVER_PROTOS \
2508 "--mode server currently only supports " \
2509 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2510#ifdef TARGET_ANDROID
2511 msg(M_FATAL, "--mode server not supported on Android");
2512#endif
2513 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2514 {
2515 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2516 }
2517 MUST_BE_UNDEF(pull, "pull");
2519 {
2520 msg(M_WARN, "--pull-filter ignored for --mode server");
2521 }
2522 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2523 {
2525 }
2526#if PORT_SHARE
2527 if ((options->port_share_host || options->port_share_port)
2528 && (ce->proto != PROTO_TCP_SERVER))
2529 {
2530 msg(M_USAGE, "--port-share only works in TCP server mode "
2531 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2532 }
2533#endif
2534 if (!options->tls_server)
2535 {
2536 msg(M_USAGE, "--mode server requires --tls-server");
2537 }
2538 MUST_BE_FALSE(ce->remote, "remote");
2539 MUST_BE_FALSE(!ce->bind_local, "nobind");
2540 MUST_BE_FALSE(ce->http_proxy_options, "http-proxy");
2541 MUST_BE_FALSE(ce->socks_proxy_server, "socks-proxy");
2542 /* <connection> blocks force to have a remote embedded, so we check
2543 * for the --remote and bail out if it is present
2544 */
2546 {
2547 msg(M_USAGE, "<connection> cannot be used with --mode server");
2548 }
2549
2550 MUST_BE_UNDEF(shaper, "shaper");
2551 if (options->ipchange)
2552 {
2553 msg(M_USAGE, "--ipchange cannot be used with --mode server (use "
2554 "--client-connect instead)");
2555 }
2556 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2557 {
2559 }
2560 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2561 {
2562 msg(M_USAGE,
2563 "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2564 }
2565 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET))
2567 {
2568 msg(M_USAGE,
2569 "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2570 }
2572 {
2573 msg(M_USAGE,
2574 "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2575 }
2576 MUST_BE_UNDEF(route_delay_defined, "route-delay");
2577 MUST_BE_UNDEF(up_delay, "up-delay");
2580 {
2581 msg(M_USAGE,
2582 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2583 }
2585 {
2586 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2587 }
2588 MUST_BE_UNDEF(allow_recursive_routing, "allow-recursive-routing");
2590 {
2591 msg(M_USAGE,
2592 "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2593 }
2595 {
2596 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2597 }
2599 {
2600 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2601 "--renegotiate_seconds setting");
2602 }
2605 {
2606 msg(M_USAGE,
2607 "--auth-gen-token renewal time needs to be at least "
2608 " two times --hand-window (%d).",
2610 }
2613 {
2614 const char *use_err =
2615 "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2616
2619 "verify-client-cert none|optional");
2621 "username-as-common-name");
2623 "auth-user-pass-optional");
2624 }
2625
2626 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2627 {
2628 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2629 }
2630 if (!options->vlan_tagging)
2631 {
2632 const char use_err[] = "--%s requires --vlan-tagging";
2633 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2634 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2635 }
2636 }
2637 else
2638 {
2639 const char use_err[] = "--%s requires --mode server";
2640 /*
2641 * When not in server mode, err if parameters are
2642 * specified which require --mode server.
2643 */
2644 MUST_BE_UNDEF(ifconfig_pool_defined, "ifconfig-pool");
2645 MUST_BE_UNDEF(ifconfig_pool_persist_filename, "ifconfig-pool-persist");
2646 MUST_BE_UNDEF(ifconfig_ipv6_pool_defined, "ifconfig-ipv6-pool");
2647 MUST_BE_UNDEF(real_hash_size, "hash-size");
2648 MUST_BE_UNDEF(virtual_hash_size, "hash-size");
2649 MUST_BE_UNDEF(learn_address_script, "learn-address");
2650 MUST_BE_UNDEF(client_connect_script, "client-connect");
2651 MUST_BE_UNDEF(client_crresponse_script, "client-crresponse");
2652 MUST_BE_UNDEF(client_disconnect_script, "client-disconnect");
2653 MUST_BE_UNDEF(client_config_dir, "client-config-dir");
2654 MUST_BE_UNDEF(ccd_exclusive, "ccd-exclusive");
2655 MUST_BE_UNDEF(enable_c2c, "client-to-client");
2656 MUST_BE_UNDEF(duplicate_cn, "duplicate-cn");
2657 MUST_BE_UNDEF(cf_max, "connect-freq");
2658 MUST_BE_UNDEF(cf_per, "connect-freq");
2661 "verify-client-cert");
2662 MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name");
2663 MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional");
2666 {
2667 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2668 "affect the server. To have TCP_NODELAY in both direction use "
2669 "tcp-nodelay in the server configuration instead.");
2670 }
2671 MUST_BE_UNDEF(auth_user_pass_verify_script, "auth-user-pass-verify");
2672 MUST_BE_UNDEF(auth_token_generate, "auth-gen-token");
2673#if PORT_SHARE
2674 if (options->port_share_host || options->port_share_port)
2675 {
2676 msg(M_USAGE,
2677 "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2678 }
2679#endif
2680 MUST_BE_UNDEF(stale_routes_check_interval, "stale-routes-check");
2681 MUST_BE_UNDEF(vlan_tagging, "vlan-tagging");
2682 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2683 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2684 MUST_BE_UNDEF(force_key_material_export, "force-key-material-export");
2685 }
2686
2687 /*
2688 * SSL/TLS mode sanity checks.
2689 */
2691 {
2692 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2693 }
2694
2696 {
2697 int msglevel = M_USAGE;
2699 {
2700 msglevel = M_INFO;
2701 }
2702
2703 msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
2704 "configuration detected. OpenVPN 2.8 will remove the "
2705 "functionality to run a VPN without TLS. "
2706 "See the examples section in the manual page for "
2707 "examples of a similar quick setup with peer-fingerprint. "
2708 "OpenVPN 2.7 allows using this configuration when using "
2709 "--allow-deprecated-insecure-static-crypto but you should move "
2710 "to a proper configuration using TLS as soon as possible.");
2711 }
2712
2714 {
2715 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2716 "--verify-client-cert none|optional "
2717 "may accept clients which do not present a certificate");
2718 }
2719
2720 const int tls_version_max =
2722 const int tls_version_min =
2724
2725 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2726 {
2727 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2728 }
2729
2731 {
2733#ifdef ENABLE_PKCS11
2734 if (!options->pkcs11_providers[0] && options->pkcs11_id)
2735 {
2736 msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2737 }
2738 else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2739 {
2740 msg(M_WARN,
2741 "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2742 }
2743
2744 if (options->pkcs11_providers[0])
2745 {
2746 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2747 {
2748 msg(M_USAGE,
2749 "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2750 }
2751 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2752 {
2753 msg(M_USAGE,
2754 "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2755 }
2756 const char use_err[] =
2757 "Parameter --%s cannot be used when --pkcs11-provider is also specified.";
2758 MUST_BE_UNDEF(cert_file, "cert");
2759 MUST_BE_UNDEF(priv_key_file, "key");
2760 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2761 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2762 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2763#ifdef ENABLE_CRYPTOAPI
2764 MUST_BE_UNDEF(cryptoapi_cert, "cryptoapicert");
2765#endif
2766 }
2767 else
2768#endif /* ifdef ENABLE_PKCS11 */
2769#ifdef ENABLE_CRYPTOAPI
2771 {
2772 const char use_err[] =
2773 "Parameter --%s cannot be used when --cryptoapicert is also specified.";
2774 MUST_BE_UNDEF(cert_file, "cert");
2775 MUST_BE_UNDEF(priv_key_file, "key");
2776 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2777 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2778 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2779 }
2780 else
2781#endif
2782 if (options->pkcs12_file)
2783 {
2784#ifdef ENABLE_CRYPTO_MBEDTLS
2785 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN.");
2786#else
2787 const char use_err[] = "Parameter --%s cannot be used when --pkcs12 is also specified.";
2788 MUST_BE_UNDEF(ca_path, "capath");
2789 MUST_BE_UNDEF(cert_file, "cert");
2790 MUST_BE_UNDEF(priv_key_file, "key");
2791 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2792 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2793#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2794 }
2795 else /* cert/key from none of pkcs11, pkcs12, cryptoapi */
2796 {
2798 {
2799 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2800 }
2802 {
2803 if (options->cert_file)
2804 {
2805 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2806 }
2808 {
2809 msg(M_USAGE,
2810 "--management-external-cert must be used with --management-external-key");
2811 }
2812 }
2813 if (pull)
2814 {
2815 const int sum =
2817 + ((options->priv_key_file != NULL)
2819
2820 if (sum == 0)
2821 {
2823 {
2824 msg(M_USAGE, "No client-side authentication method is "
2825 "specified. You must use either "
2826 "--cert/--key, --pkcs12, or "
2827 "--auth-user-pass");
2828 }
2829 }
2830 else if (sum != 2)
2831 {
2832 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2833 }
2834 }
2835 else
2836 {
2838 {
2840 "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2841 }
2843 {
2845 "private key file (--key) or PKCS#12 file (--pkcs12)");
2846 }
2847 }
2848 }
2849 if (ce->tls_auth_file && ce->tls_crypt_file)
2850 {
2851 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2852 }
2854 && (ce->tls_auth_file || ce->tls_crypt_file))
2855 {
2856 msg(M_USAGE,
2857 "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2858 }
2859 }
2860 else
2861 {
2862 /*
2863 * Make sure user doesn't specify any TLS options
2864 * when in non-TLS mode.
2865 */
2866
2867 const char use_err[] = "Parameter %s can only be specified in TLS-mode, "
2868 "i.e. where --tls-server or --tls-client is also specified.";
2869
2870 MUST_BE_UNDEF(ca_file, "ca");
2871 MUST_BE_UNDEF(ca_path, "capath");
2872 MUST_BE_UNDEF(dh_file, "dh");
2873 MUST_BE_UNDEF(cert_file, "cert");
2874 MUST_BE_UNDEF(priv_key_file, "key");
2875#ifndef ENABLE_CRYPTO_MBEDTLS
2876 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2877#endif
2878 MUST_BE_UNDEF(cipher_list, "tls-cipher");
2879 MUST_BE_UNDEF(cipher_list_tls13, "tls-ciphersuites");
2880 MUST_BE_UNDEF(tls_cert_profile, "tls-cert-profile");
2881 MUST_BE_UNDEF(tls_verify, "tls-verify");
2882 MUST_BE_UNDEF(tls_export_peer_cert_dir, "tls-export-cert");
2883 MUST_BE_UNDEF(verify_x509_name, "verify-x509-name");
2884 MUST_BE_UNDEF(tls_timeout, "tls-timeout");
2885 MUST_BE_UNDEF(renegotiate_bytes, "reneg-bytes");
2886 MUST_BE_UNDEF(renegotiate_packets, "reneg-pkts");
2887 MUST_BE_UNDEF(renegotiate_seconds, "reneg-sec");
2888 MUST_BE_UNDEF(handshake_window, "hand-window");
2889 MUST_BE_UNDEF(transition_window, "tran-window");
2890 MUST_BE_UNDEF(tls_auth_file, "tls-auth");
2891 MUST_BE_UNDEF(tls_crypt_file, "tls-crypt");
2892 MUST_BE_UNDEF(tls_crypt_v2_file, "tls-crypt-v2");
2893 MUST_BE_UNDEF(single_session, "single-session");
2894 MUST_BE_UNDEF(push_peer_info, "push-peer-info");
2895 MUST_BE_UNDEF(tls_exit, "tls-exit");
2896 MUST_BE_UNDEF(crl_file, "crl-verify");
2897 MUST_BE_UNDEF(ns_cert_type, "ns-cert-type");
2898 MUST_BE_UNDEF(remote_cert_ku[0], "remote-cert-ku");
2899 MUST_BE_UNDEF(remote_cert_eku, "remote-cert-eku");
2900#ifdef ENABLE_PKCS11
2901 MUST_BE_UNDEF(pkcs11_providers[0], "pkcs11-providers");
2902 MUST_BE_UNDEF(pkcs11_private_mode[0], "pkcs11-private-mode");
2903 MUST_BE_UNDEF(pkcs11_id, "pkcs11-id");
2904 MUST_BE_UNDEF(pkcs11_id_management, "pkcs11-id-management");
2905#endif
2906
2907 if (pull)
2908 {
2909 msg(M_USAGE, use_err, "--pull");
2910 }
2911 }
2913 {
2914 msg(M_USAGE, "--auth-user-pass requires --pull");
2915 }
2916
2917 uninit_options(&defaults);
2918}
2919
2920#undef MUST_BE_UNDEF
2921#undef MUST_BE_FALSE
2922
2923static void
2925{
2926 const int dev = dev_type_enum(o->dev, o->dev_type);
2927
2929 {
2930 if (ce->proto == PROTO_TCP)
2931 {
2932 ce->proto = PROTO_TCP_SERVER;
2933 o->ce.proto = ce->proto;
2934 }
2935 }
2936
2937 if (o->mode != MODE_SERVER)
2938 {
2939 if (ce->proto == PROTO_TCP)
2940 {
2941 ce->proto = PROTO_TCP_CLIENT;
2942 o->ce.proto = ce->proto;
2943 }
2944 }
2945
2946 /* an option is present that requires local bind to enabled */
2947 bool need_bind = ce->local_port_defined || ce->bind_defined || ce->local_list;
2948
2949 /* socks proxy is enabled */
2950 bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
2951
2952 /* If binding is not forced by an explicit option and we have (at least)
2953 * one of --tcp-client, --pull (or --client), or socks we do not bind
2954 * locally to have "normal" IP client behaviour of a random source port */
2955 if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
2956 {
2957 ce->bind_local = false;
2958 }
2959
2960 if (!ce->bind_local)
2961 {
2962 ce->local_port = NULL;
2963 }
2964
2965 /* if protocol forcing is enabled, disable all protocols
2966 * except for the forced one
2967 */
2968 if (o->proto_force >= 0 && o->proto_force != ce->proto)
2969 {
2970 ce->flags |= CE_DISABLED;
2971 }
2972
2973 if (ce->http_proxy_options)
2974 {
2976 }
2977
2978 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
2979 * so fall back to IPv4-only (trac #1221)
2980 */
2981 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
2982 {
2983 if (ce->af == AF_INET6)
2984 {
2985 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
2986 "'--socks-proxy' today. Forcing IPv4 mode.");
2987 }
2988 else
2989 {
2990 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
2991 "work correctly with '--socks-proxy' today. Forcing IPv4.");
2992 }
2993 ce->af = AF_INET;
2994 }
2995
2996 /*
2997 * Set MTU defaults
2998 */
2999 {
3000 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
3001 {
3002 ce->tun_mtu_defined = true;
3003 }
3004 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3005 {
3006 ce->tun_mtu_extra_defined = true;
3008 }
3009 }
3010
3011 /*
3012 * If --mssfix is supplied without a parameter or not specified at all,
3013 * default it to --fragment value, if --fragment is specified and otherwise
3014 * to the default if tun-mtu is 1500
3015 */
3016 if (o->ce.mssfix_default)
3017 {
3018#ifdef ENABLE_FRAGMENT
3019 if (ce->fragment)
3020 {
3021 ce->mssfix = ce->fragment;
3022 }
3023 else
3024#endif
3025 if (ce->tun_mtu_defined)
3026 {
3027 if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3028 {
3029 /* We want to only set mssfix default value if we use a default
3030 * MTU Size, otherwise the different size of tun should either
3031 * already solve the problem or mssfix might artifically make the
3032 * payload packets smaller without mssfix 0 */
3033 ce->mssfix = MSSFIX_DEFAULT;
3034 ce->mssfix_encap = true;
3035 }
3036 else
3037 {
3038 /* We still apply the mssfix value but only adjust it to the
3039 * size of the tun interface. */
3040 ce->mssfix = ce->tun_mtu;
3041 ce->mssfix_fixed = true;
3042 }
3043 }
3044 }
3045
3046 /*
3047 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3048 *
3049 * At the end only one of these will be really set because the parser
3050 * logic prevents configurations where more are set.
3051 */
3052 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3053 {
3057
3060
3063 }
3064
3065 /* Pre-cache tls-auth/crypt(-v2) key file if
3066 * keys were not already embedded in the config file.
3067 */
3071
3072
3074 {
3075 msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3077 }
3078}
3079
3080static void
3082{
3083 /* use the global port if none is specified */
3084 if (!le->port)
3085 {
3086 le->port = ce->local_port;
3087 }
3088 /* use the global proto if none is specified and
3089 * allow proto bindings on server mode only */
3090 if (!le->proto || mode == MODE_POINT_TO_POINT)
3091 {
3092 le->proto = ce->proto;
3093 }
3094}
3095
3096#ifdef _WIN32
3097/* If iservice is in use, we need def1 method for redirect-gateway */
3098static void
3100{
3101 if (opt->routes && opt->route_method == ROUTE_METHOD_SERVICE
3102 && opt->routes->flags & RG_REROUTE_GW && !(opt->routes->flags & RG_DEF1))
3103 {
3104 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3105 opt->routes->flags |= RG_DEF1;
3106 }
3107}
3108#endif /* ifdef _WIN32 */
3109
3110/*
3111 * Save/Restore certain option defaults before --pull is applied.
3112 */
3113
3114static void
3116{
3121
3122 if (o->routes)
3123 {
3125 o->pre_connect->routes_defined = true;
3126 }
3127 if (o->routes_ipv6)
3128 {
3131 }
3132 if (o->client_nat)
3133 {
3136 }
3137
3140
3142
3143 /* NCP related options that can be overwritten by a push */
3145 o->pre_connect->authname = o->authname;
3146
3147 /* Ping related options should be reset to the config values on reconnect */
3151
3152 /* Miscellaneous Options */
3153 o->pre_connect->comp = o->comp;
3154}
3155
3156void
3158{
3159 const struct options_pre_connect *pp = o->pre_connect;
3160 if (pp)
3161 {
3163 if (pp->tuntap_options_defined)
3164 {
3166 }
3167
3168 if (pp->routes_defined)
3169 {
3170 rol_check_alloc(o);
3172 }
3173 else
3174 {
3175 o->routes = NULL;
3176 }
3177
3178 if (pp->routes_ipv6_defined)
3179 {
3182 }
3183 else
3184 {
3185 o->routes_ipv6 = NULL;
3186 }
3187
3190
3191 /* Free DNS options and reset them to pre-pull state */
3192 gc_free(&o->dns_options.gc);
3193 struct gc_arena dns_gc = gc_new();
3194 o->dns_options = clone_dns_options(&pp->dns_options, &dns_gc);
3195 o->dns_options.gc = dns_gc;
3196
3197 if (pp->client_nat_defined)
3198 {
3201 }
3202 else
3203 {
3204 o->client_nat = NULL;
3205 }
3206
3208
3209 o->ciphername = pp->ciphername;
3210 o->authname = pp->authname;
3211
3215
3216 /* Miscellaneous Options */
3217 o->comp = pp->comp;
3218 }
3219
3220 o->push_continuation = 0;
3223}
3224
3225static void
3227{
3228#ifdef _WIN32
3229 const int dev = dev_type_enum(options->dev, options->dev_type);
3230
3231 /* when using ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3235 {
3237 }
3238
3239 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3240 {
3241 /* delay may only be necessary when we perform DHCP handshake */
3244 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3245 {
3247 options->route_delay = 5; /* Vista sometimes has a race without this */
3248 }
3249 }
3250
3252 {
3254 options->ifconfig_noexec = false;
3255 }
3256
3258
3259 /*
3260 * Check consistency of --mode server options.
3261 */
3262 if (options->mode == MODE_SERVER)
3263 {
3264 /*
3265 * We need to explicitly set --tap-sleep because
3266 * we do not schedule event timers in the top-level context.
3267 */
3270 {
3272 }
3274 }
3275#endif /* ifdef _WIN32 */
3276
3277#ifdef DEFAULT_PKCS11_MODULE
3278 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3279 * by default if the user asks for PKCS#11 without otherwise specifying
3280 * the module to use. */
3281 if (!options->pkcs11_providers[0] && (options->pkcs11_id || options->pkcs11_id_management))
3282 {
3283 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3284 }
3285#endif
3286}
3287
3288static void
3290{
3291 if (o->connection_list)
3292 {
3293 int i;
3294 for (i = 0; i < o->connection_list->len; ++i)
3295 {
3297 }
3298 }
3299 else
3300 {
3302 }
3303
3305
3306 if (dco_enabled(o) && o->enable_c2c)
3307 {
3308 msg(M_WARN, "Note: --client-to-client has no effect when using data "
3309 "channel offload: packets are always sent to the VPN "
3310 "interface and then routed based on the system routing table");
3311 }
3312}
3313
3314static void
3316{
3317 if (!o->pull && !(o->mode == MODE_SERVER))
3318 {
3319 /* If the cipher is not set, use the old default of BF-CBC. We will
3320 * warn that this is deprecated on cipher initialisation, no need
3321 * to warn here as well */
3322 if (!o->ciphername)
3323 {
3324 o->ciphername = "BF-CBC";
3325 }
3326 else
3327 {
3328 o->enable_ncp_fallback = true;
3329 }
3330 return;
3331 }
3332
3333 /* pull or P2MP mode */
3334 if (!o->ciphername)
3335 {
3336 /* We still need to set the ciphername to BF-CBC since various other
3337 * parts of OpenVPN assert that the ciphername is set */
3338 o->ciphername = "BF-CBC";
3339
3340 msg(M_INFO,
3341 "Note: --cipher is not set. OpenVPN versions before 2.5 "
3342 "defaulted to BF-CBC as fallback when cipher negotiation "
3343 "failed in this case. If you need this fallback please add "
3344 "'--data-ciphers-fallback BF-CBC' to your configuration "
3345 "and/or add BF-CBC to --data-ciphers. E.g. "
3346 "--data-ciphers %s:BF-CBC",
3347 o->ncp_ciphers_conf);
3348 }
3350 {
3351 msg(M_WARN,
3352 "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3353 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3354 "negotiations. ",
3356 }
3357}
3358
3374static bool
3375need_compatibility_before(const struct options *o, unsigned int version)
3376{
3377 return o->backwards_compatible != 0 && o->backwards_compatible < version;
3378}
3379
3384static void
3386{
3387 /* TLS min version is not set */
3389 if (tls_ver_min == 0)
3390 {
3392 if (need_compatibility_before(o, 20307))
3393 {
3394 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3396 }
3397 else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3398 {
3399 /* Use TLS 1.2 as proper default */
3401 }
3402 else
3403 {
3404 /* Maximize the minimum version */
3405 o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3406 }
3407 }
3408
3409 if (need_compatibility_before(o, 20400))
3410 {
3411 if (!o->ciphername)
3412 {
3413 /* If ciphername is not set default to BF-CBC when targeting these
3414 * old versions that do not have NCP */
3415 o->ciphername = "BF-CBC";
3416 }
3417 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3418 * not have OCC strings required for "poor man's NCP" */
3419 o->enable_ncp_fallback = true;
3420 }
3421
3422 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3423 * Version 2.4 probably does not need it but NCP was not so
3424 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3425 * Only do this iff --cipher is set (explicitly or by compat mode
3426 * < 2.4.0, see above). This is not 100% correct backwards compatible
3427 * behaviour but 2.5 already behaved like this */
3428 if (o->ciphername && need_compatibility_before(o, 20500)
3430 {
3432 }
3433
3434#ifdef USE_COMP
3435 /* Compression is deprecated and we do not want to announce support for it
3436 * by default anymore, additionally DCO breaks with compression.
3437 *
3438 * Disable compression by default starting with 2.6.0 if no other
3439 * compression related option has been explicitly set */
3440 if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
3441 {
3442 if (!comp_non_stub_enabled(&o->comp))
3443 {
3445 }
3446 }
3447#else /* ifdef USE_COMP */
3449#endif
3450}
3451
3452static void
3454{
3455 if (!check_tls_prf_working())
3456 {
3457 msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
3458 "supported by the TLS library. Your system does not support this "
3459 "calculation anymore or your security policy (e.g. FIPS 140-2) "
3460 "forbids it. Connections will only work with peers running "
3461 "OpenVPN 2.6.0 or higher)");
3462 if (o->mode == MODE_SERVER)
3463 {
3464 msg(M_WARN, "Automatically enabling option "
3465 "--force-tls-key-material-export");
3466 o->force_key_material_export = true;
3467 }
3468 }
3469}
3470
3471#if defined(_WIN32) || defined(TARGET_ANDROID)
3480static void
3482{
3483 struct dns_options *dns = &o->dns_options;
3484 struct tuntap_options *tt = &o->tuntap_options;
3485 if (!dns->servers)
3486 {
3487 /* Copy --dhcp-options to tuntap_options */
3488 struct dhcp_options *dhcp = &dns->from_dhcp;
3489 ASSERT(sizeof(dhcp->dns) == sizeof(tt->dns));
3490 ASSERT(sizeof(dhcp->dns6) == sizeof(tt->dns6));
3491 ASSERT(sizeof(dhcp->domain_search_list) == sizeof(tt->domain_search_list));
3492
3493 tt->domain = dhcp->domain;
3494 tt->dns_len = dhcp->dns_len;
3495 tt->dns6_len = dhcp->dns6_len;
3496
3497 memcpy(tt->dns, dhcp->dns, sizeof(tt->dns));
3498 memcpy(tt->dns6, dhcp->dns6, sizeof(tt->dns6));
3499
3500 tt->domain_search_list_len = dhcp->domain_search_list_len;
3501 for (size_t i = 0; i < SIZE(tt->domain_search_list); ++i)
3502 {
3503 tt->domain_search_list[i] = dhcp->domain_search_list[i];
3504 }
3505
3506 return;
3507 }
3508
3509#if defined(_WIN32)
3511 {
3512 return; /* Not in DHCP mode */
3513 }
3514#endif /* if defined(_WIN32) */
3515
3516 /* Copy --dns options to tuntap_options */
3517
3518 const struct dns_domain *d = dns->search_domains;
3519 if (d)
3520 {
3521 tt->domain_search_list_len = 0;
3522 }
3523
3524 while (d && tt->domain_search_list_len + 1 < N_SEARCH_LIST_LEN)
3525 {
3527 d = d->next;
3528 }
3529 if (d)
3530 {
3531 msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to TUN/TAP");
3532 }
3533
3534 tt->dns_len = 0;
3535 tt->dns6_len = 0;
3536
3537 const struct dns_server *s = dns->servers;
3538 while (s)
3539 {
3540 bool non_standard_server_port = false;
3541 for (int i = 0; i < s->addr_count; ++i)
3542 {
3543 if (s->addr[i].port && s->addr[i].port != 53)
3544 {
3545 non_standard_server_port = true;
3546 break;
3547 }
3548 }
3549 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3550 || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
3551 {
3552 /* Skip servers requiring unsupported config to be set */
3553 s = s->next;
3554 }
3555 else
3556 {
3557 bool overflow = false;
3558 for (int i = 0; i < s->addr_count; ++i)
3559 {
3560 if (s->addr[i].family == AF_INET && tt->dns_len + 1 < N_DHCP_ADDR)
3561 {
3562 tt->dns[tt->dns_len++] = ntohl(s->addr[i].in.a4.s_addr);
3563 }
3564 else if (tt->dns6_len + 1 < N_DHCP_ADDR)
3565 {
3566 tt->dns6[tt->dns6_len++] = s->addr[i].in.a6;
3567 }
3568 else
3569 {
3570 overflow = true;
3571 }
3572 }
3573 if (overflow)
3574 {
3575 msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to TUN/TAP");
3576 }
3578 return;
3579 }
3580 }
3581}
3582
3583#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3584
3595static void
3596dhcp_options_postprocess_dns(struct options *o, struct env_set *es)
3597{
3598 struct gc_arena gc = gc_new();
3599 struct dns_options *dns = &o->dns_options;
3600
3601 if (is_tun_afunix(o->dev_node))
3602 {
3603 /* Disable running dns-updown script with lwipovpn */
3605 dns->updown = NULL;
3606 }
3607
3608 if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns))
3609 {
3610 /* Clean up env from --dhcp-option DNS config */
3611 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3612 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3613
3614 const int fo_count = o->foreign_option_index;
3615 o->foreign_option_index = 0;
3616
3617 for (int i = 1; i <= fo_count; ++i)
3618 {
3619 buf_clear(&name);
3620 buf_printf(&name, "foreign_option_%d", i);
3621 const char *env_str = env_set_get(es, BSTR(&name));
3622 const char *item_val = strchr(env_str, '=') + 1;
3623 buf_clear(&value);
3624 buf_printf(&value, "%s", item_val);
3625
3626 /* Remove foreign option item from env set */
3627 env_set_del(es, BSTR(&name));
3628
3629 item_val = BSTR(&value);
3630 if (strncmp(item_val, "dhcp-option ", 12) != 0
3631 || (strncmp(item_val + 12, "ADAPTER-DOMAIN-SUFFIX ", 22) != 0
3632 && strncmp(item_val + 12, "DOMAIN-SEARCH ", 14) != 0
3633 && strncmp(item_val + 12, "DOMAIN ", 7) != 0
3634 && strncmp(item_val + 12, "DNS6 ", 5) != 0
3635 && strncmp(item_val + 12, "DNS ", 4) != 0))
3636 {
3637 /* Re-set the item with potentially updated name */
3638 buf_clear(&name);
3639 buf_printf(&name, "foreign_option_%d", ++o->foreign_option_index);
3640 setenv_str(es, BSTR(&name), BSTR(&value));
3641 }
3642 }
3643 }
3644
3645 if (!dns->servers)
3646 {
3647 /* Copy --dhcp-options to dns_options */
3648 struct dhcp_options *dhcp = &dns->from_dhcp;
3649
3650 if (dhcp->dns_len || dhcp->dns6_len)
3651 {
3652 struct dns_domain **entry = &dns->search_domains;
3653 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3654 struct dns_domain *new = *entry;
3655 new->name = dhcp->domain;
3656 entry = &new->next;
3657
3658 for (size_t i = 0; i < dhcp->domain_search_list_len; ++i)
3659 {
3660 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3661 struct dns_domain *new = *entry;
3662 new->name = dhcp->domain_search_list[i];
3663 entry = &new->next;
3664 }
3665
3666 struct dns_server *server = dns_server_get(&dns->servers, 0, &dns->gc);
3667 const size_t max_addrs = SIZE(server->addr);
3668 for (size_t i = 0; i < dhcp->dns_len && server->addr_count < max_addrs; ++i)
3669 {
3670 server->addr[server->addr_count].in.a4.s_addr = htonl(dhcp->dns[i]);
3671 server->addr[server->addr_count].family = AF_INET;
3672 server->addr_count += 1;
3673 }
3674 for (size_t i = 0; i < dhcp->dns6_len && server->addr_count < max_addrs; ++i)
3675 {
3676 server->addr[server->addr_count].in.a6 = dhcp->dns6[i];
3677 server->addr[server->addr_count].family = AF_INET6;
3678 server->addr_count += 1;
3679 }
3680 }
3681 }
3682 else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))
3683 {
3684 /* Set foreign option env vars from --dns config */
3685 const struct dns_domain *d = dns->search_domains;
3686 while (d)
3687 {
3688 setenv_foreign_option(o, "DOMAIN", d->name, es);
3689 d = d->next;
3690 }
3691
3692 const struct dns_server *s = dns->servers;
3693 while (s)
3694 {
3695 bool non_standard_server_port = false;
3696 for (int i = 0; i < s->addr_count; ++i)
3697 {
3698 if (s->addr[i].port && s->addr[i].port != 53)
3699 {
3700 non_standard_server_port = true;
3701 break;
3702 }
3703 }
3704 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3705 || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
3706 {
3707 /* Skip servers requiring unsupported config to be set */
3708 s = s->next;
3709 }
3710 else
3711 {
3712 for (int i = 0; i < s->addr_count; ++i)
3713 {
3714 const char *option;
3715 const char *value;
3716 if (s->addr[i].family == AF_INET)
3717 {
3718 option = "DNS";
3719 value = print_in_addr_t(s->addr[i].in.a4.s_addr, IA_NET_ORDER, &gc);
3720 }
3721 else
3722 {
3723 option = "DNS6";
3724 value = print_in6_addr(s->addr[i].in.a6, 0, &gc);
3725 }
3726 setenv_foreign_option(o, option, value, es);
3727 }
3728 break;
3729 }
3730 }
3731 }
3732
3733 gc_free(&gc);
3734}
3735#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3736
3737static void
3739{
3740 int i;
3741 /*
3742 * Process helper-type options which map to other, more complex
3743 * sequences of options.
3744 */
3746 /* must be called after helpers that might set --mode */
3750
3754
3757 if (o->ncp_ciphers == NULL)
3758 {
3759 msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3760 }
3761
3762 if (o->remote_list && !o->connection_list)
3763 {
3764 /*
3765 * Convert remotes into connection list
3766 */
3767 const struct remote_list *rl = o->remote_list;
3768 for (i = 0; i < rl->len; ++i)
3769 {
3770 const struct remote_entry *re = rl->array[i];
3771 struct connection_entry ce = o->ce;
3772 struct connection_entry *ace;
3773
3774 ASSERT(re->remote);
3775 connection_entry_load_re(&ce, re);
3777 ASSERT(ace);
3778 *ace = ce;
3779 }
3780 }
3781 else if (!o->remote_list && !o->connection_list)
3782 {
3783 struct connection_entry *ace;
3785 ASSERT(ace);
3786 *ace = o->ce;
3787 }
3788
3790 for (i = 0; i < o->connection_list->len; ++i)
3791 {
3793 }
3794
3795 if (o->ce.local_list)
3796 {
3797 for (i = 0; i < o->ce.local_list->len; i++)
3798 {
3800 }
3801
3802 for (int i = 0; i < o->ce.local_list->len; i++)
3803 {
3804 if (o->ce.local_list->array[i]->proto == PROTO_TCP)
3805 {
3807 }
3808 else if (o->ce.local_list->array[i]->proto == PROTO_NONE)
3809 {
3810 o->ce.local_list->array[i]->proto = o->ce.proto;
3811 }
3812 }
3813 }
3814 else
3815 {
3816 /* if no 'local' directive was specified, convert the global port
3817 * setting to a listen entry */
3818 struct local_entry *e = alloc_local_entry(&o->ce, M_USAGE, &o->gc);
3819 ASSERT(e);
3820 e->port = o->ce.local_port;
3821 e->proto = o->ce.proto;
3822 }
3823
3824 /* use the same listen list for every outgoing connection */
3825 for (i = 0; i < o->connection_list->len; ++i)
3826 {
3828 }
3829
3830 if (o->tls_server)
3831 {
3832 if (o->dh_file && streq(o->dh_file, "none"))
3833 {
3834 o->dh_file = NULL;
3835 }
3836 }
3837 else if (o->dh_file)
3838 {
3839 /* DH file is only meaningful in a tls-server context. */
3840 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3841 "include this in your server configuration");
3842 o->dh_file = NULL;
3843 }
3844#if ENABLE_MANAGEMENT
3845 if (o->http_proxy_override)
3846 {
3848 }
3849#endif
3850 if (!o->ca_file && !o->ca_path && o->verify_hash && o->verify_hash_depth == 0)
3851 {
3852 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3853 "option set). ");
3854 o->verify_hash_no_ca = true;
3855 }
3856
3857 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3858 {
3859 msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3860 "incompatible with each other.");
3861 }
3862
3863 if (dco_enabled(o))
3864 {
3865 /* check if any option should force disabling DCO */
3867 }
3868#ifdef USE_COMP
3869 if (dco_enabled(o))
3870 {
3872 }
3873#endif
3874
3875#ifdef _WIN32
3876 if (dco_enabled(o))
3877 {
3879 }
3880 else
3881 {
3882 if (o->windows_driver == DRIVER_DCO)
3883 {
3884 msg(M_WARN,
3885 "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3887 }
3889 {
3891 }
3892 }
3893#else /* _WIN32 */
3894 if (dco_enabled(o) && o->dev_node)
3895 {
3896 msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3897 "data channel offload");
3898 o->dev_node = NULL;
3899 }
3900#endif /* _WIN32 */
3901
3902 /* this depends on o->windows_driver, which is set above */
3904
3905 /* check that compression settings in the options are okay */
3907
3908 /*
3909 * Save certain parms before modifying options during connect, especially
3910 * when using --pull
3911 */
3912 if (o->pull)
3913 {
3915 }
3916 else
3917 {
3918#if defined(_WIN32) || defined(TARGET_ANDROID)
3920#else
3921 dhcp_options_postprocess_dns(o, es);
3922#endif
3923 }
3925 {
3927 }
3929}
3930
3931/*
3932 * Check file/directory sanity
3933 *
3934 */
3935/* Expect people using the stripped down version to know what they do */
3936#ifndef ENABLE_SMALL
3937
3938#define CHKACC_FILE (1 << 0)
3939#define CHKACC_DIRPATH (1 << 1)
3940#define CHKACC_FILEXSTWR (1 << 2)
3941#define CHKACC_ACPTSTDIN (1 << 3)
3942#define CHKACC_PRIVATE (1 << 4)
3943#define CHKACC_ACCEPT_URI (1 << 5)
3945static bool
3946check_file_access(const int type, const char *file, const int mode, const char *opt)
3947{
3948 int errcode = 0;
3949
3950 /* If no file configured, no errors to look for */
3951 if (!file)
3952 {
3953 return false;
3954 }
3955
3956 /* If stdin is allowed and the file name is 'stdin', then do no
3957 * further checks as stdin is always available
3958 */
3959 if ((type & CHKACC_ACPTSTDIN) && streq(file, "stdin"))
3960 {
3961 return false;
3962 }
3963
3964 /* file name is a URI if its first segment has ":" (i.e., before any "/")
3965 * Then no checks done if CHKACC_ACCEPT_URI is set and the URI does not start with "file:"
3966 */
3967 if ((type & CHKACC_ACCEPT_URI) && strchr(file, ':'))
3968 {
3969 if (!strncmp(file, "file:", 5))
3970 {
3971 file += 5;
3972 }
3973 else if (!strchr(file, '/') || strchr(file, '/') > strchr(file, ':'))
3974 {
3975 return false;
3976 }
3977 }
3978
3979 /* Is the directory path leading to the given file accessible? */
3980 if (type & CHKACC_DIRPATH)
3981 {
3982 char *fullpath =
3983 string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3984 char *dirpath = dirname(fullpath);
3985
3986 if (platform_access(dirpath, mode | X_OK) != 0)
3987 {
3988 errcode = errno;
3989 }
3990 free(fullpath);
3991 }
3992
3993 /* Is the file itself accessible? */
3994 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0))
3995 {
3996 errcode = errno;
3997 }
3998
3999 /* If the file exists and is accessible, is it writable? */
4000 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0))
4001 {
4002 if (platform_access(file, W_OK) != 0)
4003 {
4004 errcode = errno;
4005 }
4006 }
4007
4008 /* Warn if a given private file is group/others accessible. */
4009 if (type & CHKACC_PRIVATE)
4010 {
4011 platform_stat_t st;
4012 if (platform_stat(file, &st))
4013 {
4014 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
4015 }
4016#ifndef _WIN32
4017 else
4018 {
4019 if (st.st_mode & (S_IRWXG | S_IRWXO))
4020 {
4021 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
4022 }
4023 }
4024#endif
4025 }
4026
4027 /* Scream if an error is found */
4028 if (errcode > 0)
4029 {
4030 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
4031 }
4032
4033 /* Return true if an error occurred */
4034 return (errcode != 0 ? true : false);
4035}
4036
4037/* A wrapper for check_file_access() which also takes a chroot directory.
4038 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
4039 * otherwise it will look for the file inside the given chroot directory instead.
4040 */
4041static bool
4042check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode,
4043 const char *opt)
4044{
4045 bool ret = false;
4046
4047 /* If no file configured, no errors to look for */
4048 if (!file)
4049 {
4050 return false;
4051 }
4052
4053 /* If chroot is set, look for the file/directory inside the chroot */
4054 if (chroot)
4055 {
4056 struct gc_arena gc = gc_new();
4057 struct buffer chroot_file;
4058
4059 chroot_file = prepend_dir(chroot, file, &gc);
4060 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
4061 gc_free(&gc);
4062 }
4063 else
4064 {
4065 /* No chroot in play, just call core file check function */
4066 ret = check_file_access(type, file, mode, opt);
4067 }
4068 return ret;
4069}
4070
4075static bool
4076check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type,
4077 const char *file, const int mode, const char *opt)
4078{
4079 if (is_inline)
4080 {
4081 return false;
4082 }
4083
4084 return check_file_access_chroot(chroot, type, file, mode, opt);
4085}
4086
4091static bool
4092check_file_access_inline(bool is_inline, const int type, const char *file, const int mode,
4093 const char *opt)
4094{
4095 if (is_inline)
4096 {
4097 return false;
4098 }
4099
4100 return check_file_access(type, file, mode, opt);
4101}
4102
4103/*
4104 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
4105 * valid file with appropriate permissions.
4106 *
4107 * "command" consists of a path, optionally followed by a space, which may be
4108 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
4109 * performed.
4110 *
4111 * The path and arguments in "command" may be single- or double-quoted or escaped.
4112 *
4113 * The path is extracted from "command", then check_file_access() is called to check it. The
4114 * arguments, if any, are ignored.
4115 *
4116 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
4117 * check_file_access() arguments.
4118 */
4119static bool
4120check_cmd_access(const char *command, const char *opt, const char *chroot)
4121{
4122 struct argv argv;
4123 bool return_code;
4124
4125 /* If no command was set, there are no errors to look for */
4126 if (!command)
4127 {
4128 return false;
4129 }
4130
4131 /* Extract executable path and arguments */
4132 argv = argv_new();
4133 argv_parse_cmd(&argv, command);
4134
4135 /* if an executable is specified then check it; otherwise, complain */
4136 if (argv.argv[0])
4137 {
4138 /* Scripts requires R_OK as well, but that might fail on binaries which
4139 * only requires X_OK to function on Unix - a scenario not unlikely to
4140 * be seen on suid binaries.
4141 */
4142 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
4143 }
4144 else
4145 {
4146 msg(M_NOPREFIX | M_OPTERR, "%s fails with '%s': No path to executable.", opt, command);
4147 return_code = true;
4148 }
4149
4150 argv_free(&argv);
4151
4152 return return_code;
4153}
4154
4155/*
4156 * Sanity check of all file/dir options. Checks that file/dir
4157 * is accessible by OpenVPN
4158 */
4159static void
4161{
4162 bool errs = false;
4163
4164 /* ** SSL/TLS/crypto related files ** */
4166 "--dh");
4167
4169 {
4171 R_OK, "--ca");
4172 }
4173
4175 "--capath");
4176
4178 options->cert_file, R_OK, "--cert");
4179
4181 options->extra_certs_file, R_OK, "--extra-certs");
4182
4184 {
4187 options->priv_key_file, R_OK, "--key");
4188 }
4189
4191 options->pkcs12_file, R_OK, "--pkcs12");
4192
4194 {
4196 R_OK | X_OK, "--crl-verify directory");
4197 }
4198 else
4199 {
4200 errs |=
4202 CHKACC_FILE, options->crl_file, R_OK, "--crl-verify");
4203 }
4204
4206 {
4207 errs |=
4209 options->tls_export_peer_cert_dir, W_OK, "--tls-export-cert");
4210 }
4211
4213 for (int i = 0; i < options->connection_list->len; ++i)
4214 {
4216
4218 ce->tls_auth_file, R_OK, "--tls-auth");
4220 ce->tls_crypt_file, R_OK, "--tls-crypt");
4222 ce->tls_crypt_v2_file, R_OK, "--tls-crypt-v2");
4223 }
4224
4225 errs |=
4227 options->shared_secret_file, R_OK, "--secret");
4228
4230 R_OK | W_OK, "--replay-persist");
4231
4232 /* ** Password files ** */
4234 options->key_pass_file, R_OK, "--askpass");
4235#ifdef ENABLE_MANAGEMENT
4236 errs |=
4238 options->management_user_pass, R_OK, "--management user/password file");
4239#endif /* ENABLE_MANAGEMENT */
4242 options->auth_user_pass_file, R_OK, "--auth-user-pass");
4243 /* ** System related ** */
4244 errs |= check_file_access(CHKACC_FILE, options->chroot_dir, R_OK | X_OK, "--chroot directory");
4246 "--writepid");
4247
4248 /* ** Log related ** */
4250 "--status");
4251
4252 /* ** Config related ** */
4254 R_OK | X_OK, "--client-config-dir");
4256 R_OK | W_OK | X_OK, "Temporary directory (--tmp-dir)");
4257
4258 if (errs)
4259 {
4260 msg(M_USAGE, "Please correct these errors.");
4261 }
4262}
4263#endif /* !ENABLE_SMALL */
4264
4265/*
4266 * Sanity check on options.
4267 * Also set some options based on other
4268 * options.
4269 */
4270void
4272{
4275#ifndef ENABLE_SMALL
4277#endif /* !ENABLE_SMALL */
4278}
4279
4280/*
4281 * Sanity check on options after more options were pulled from server.
4282 * Also time to modify some options based on other options.
4283 */
4284bool
4286{
4287 bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4288 if (success)
4289 {
4291#if defined(_WIN32) || defined(TARGET_ANDROID)
4293#else
4294 dhcp_options_postprocess_dns(o, es);
4295#endif
4296 }
4297 return success;
4298}
4299
4300/*
4301 * Build an options string to represent data channel encryption options.
4302 * This string must match exactly between peers. The keysize is checked
4303 * separately by read_key().
4304 *
4305 * The following options must match on both peers:
4306 *
4307 * Tunnel options:
4308 *
4309 * --dev tun|tap [unit number need not match]
4310 * --dev-type tun|tap
4311 * --link-mtu
4312 * --udp-mtu
4313 * --tun-mtu
4314 * --proto udp
4315 * --proto tcp-client [matched with --proto tcp-server
4316 * on the other end of the connection]
4317 * --proto tcp-server [matched with --proto tcp-client on
4318 * the other end of the connection]
4319 * --tun-ipv6
4320 * --ifconfig x y [matched with --ifconfig y x on
4321 * the other end of the connection]
4322 *
4323 * --comp-lzo
4324 * --compress alg
4325 * --fragment
4326 *
4327 * Crypto Options:
4328 *
4329 * --cipher
4330 * --auth
4331 * --secret
4332 *
4333 * SSL Options:
4334 *
4335 * --tls-auth
4336 * --tls-client [matched with --tls-server on
4337 * the other end of the connection]
4338 * --tls-server [matched with --tls-client on
4339 * the other end of the connection]
4340 */
4341char *
4342options_string(const struct options *o, const struct frame *frame, struct tuntap *tt,
4343 openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
4344{
4345 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4346 bool tt_local = false;
4347
4348 buf_printf(&out, "V4");
4349
4350 /*
4351 * Tunnel Options
4352 */
4353
4354 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4355 /* the link-mtu that we send has only a meaning if have a fixed
4356 * cipher (p2p) or have a fallback cipher configured for older non
4357 * ncp clients. But not sending it will make even 2.4 complain
4358 * about it being missing. So still send it. */
4359 buf_printf(&out, ",link-mtu %u", (unsigned int)calc_options_string_link_mtu(o, frame));
4360
4361 if (o->ce.occ_mtu != 0)
4362 {
4363 buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4364 }
4365 else
4366 {
4367 buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4368 }
4369
4370 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4371
4372 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4373 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4374 * is usually pushed by the server, triggering a non-helpful warning
4375 */
4376 if (o->ifconfig_ipv6_local && p2p_nopull)
4377 {
4378 buf_printf(&out, ",tun-ipv6");
4379 }
4380
4381 /*
4382 * Try to get ifconfig parameters into the options string.
4383 * If tt is undefined, make a temporary instantiation.
4384 */
4385 if (!tt)
4386 {
4387 tt = init_tun(o->dev, o->dev_type, o->topology, o->ifconfig_local,
4388 o->ifconfig_remote_netmask, o->ifconfig_ipv6_local, o->ifconfig_ipv6_netbits,
4389 o->ifconfig_ipv6_remote, NULL, NULL, false, NULL, ctx, NULL);
4390 if (tt)
4391 {
4392 tt_local = true;
4393 }
4394 }
4395
4396 if (tt && p2p_nopull)
4397 {
4398 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4399 if (ios && strlen(ios))
4400 {
4401 buf_printf(&out, ",ifconfig %s", ios);
4402 }
4403 }
4404 if (tt_local)
4405 {
4406 free(tt);
4407 tt = NULL;
4408 }
4409
4410#ifdef USE_COMP
4411 if (o->comp.alg != COMP_ALG_UNDEF)
4412 {
4413 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression
4414 context is active, not necessarily LZO per-se */
4415 }
4416#endif
4417
4418#ifdef ENABLE_FRAGMENT
4419 if (o->ce.fragment)
4420 {
4421 buf_printf(&out, ",mtu-dynamic");
4422 }
4423#endif
4424
4425#define TLS_CLIENT (o->tls_client)
4426#define TLS_SERVER (o->tls_server)
4427
4428 /*
4429 * Key direction
4430 */
4431 {
4432 const char *kd = keydirection2ascii(o->key_direction, remote, false);
4433 if (kd)
4434 {
4435 buf_printf(&out, ",keydir %s", kd);
4436 }
4437 }
4438
4439 /*
4440 * Crypto Options
4441 */
4442 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4443 {
4444 struct key_type kt;
4445
4446 ASSERT((o->shared_secret_file != NULL) + (TLS_CLIENT == true) + (TLS_SERVER == true) <= 1);
4447
4448 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4449 * to work here in the default configuration */
4450 const char *ciphername = o->ciphername;
4451 int keysize = 0;
4452
4453 if (strcmp(o->ciphername, "BF-CBC") == 0)
4454 {
4455 init_key_type(&kt, "none", o->authname, true, false);
4456 keysize = 128;
4457 }
4458 else
4459 {
4460 init_key_type(&kt, o->ciphername, o->authname, true, false);
4461 ciphername = cipher_kt_name(kt.cipher);
4462 if (cipher_defined(o->ciphername))
4463 {
4464 keysize = cipher_kt_key_size(kt.cipher) * 8;
4465 }
4466 }
4467 /* Only announce the cipher to our peer if we are willing to
4468 * support it */
4469 if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4470 {
4471 buf_printf(&out, ",cipher %s", ciphername);
4472 }
4473 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4474 buf_printf(&out, ",keysize %d", keysize);
4475 if (o->shared_secret_file)
4476 {
4477 buf_printf(&out, ",secret");
4478 }
4479
4480#ifdef ENABLE_PREDICTION_RESISTANCE
4481 if (o->use_prediction_resistance)
4482 {
4483 buf_printf(&out, ",use-prediction-resistance");
4484 }
4485#endif
4486 }
4487
4488 /*
4489 * SSL Options
4490 */
4491 {
4492 if (TLS_CLIENT || TLS_SERVER)
4493 {
4494 if (o->ce.tls_auth_file)
4495 {
4496 buf_printf(&out, ",tls-auth");
4497 }
4498 /* Not adding tls-crypt here, because we won't reach this code if
4499 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4500 * break stuff, so leaving that in place. */
4501
4502 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4503 }
4504
4505 if (remote)
4506 {
4507 if (TLS_CLIENT)
4508 {
4509 buf_printf(&out, ",tls-server");
4510 }
4511 else if (TLS_SERVER)
4512 {
4513 buf_printf(&out, ",tls-client");
4514 }
4515 }
4516 else
4517 {
4518 if (TLS_CLIENT)
4519 {
4520 buf_printf(&out, ",tls-client");
4521 }
4522 else if (TLS_SERVER)
4523 {
4524 buf_printf(&out, ",tls-server");
4525 }
4526 }
4527 }
4528
4529#undef TLS_CLIENT
4530#undef TLS_SERVER
4531
4532 return BSTR(&out);
4533}
4534
4535/*
4536 * Compare option strings for equality.
4537 * If the first two chars of the strings differ, it means that
4538 * we are looking at different versions of the options string,
4539 * therefore don't compare them and return true.
4540 */
4541
4542bool
4543options_cmp_equal(char *actual, const char *expected)
4544{
4545 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4546}
4547
4548void
4549options_warning(char *actual, const char *expected)
4550{
4551 options_warning_safe(actual, expected, strlen(actual) + 1);
4552}
4553
4554static const char *
4555options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
4556{
4557 struct gc_arena gc = gc_new();
4559 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4560 const char *ret;
4561
4562 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4563 ret = string_alloc(p, gc_ret);
4564 gc_free(&gc);
4565 return ret;
4566}
4567
4568static void
4569options_warning_safe_scan2(const int msglevel, const int delim, const bool report_inconsistent,
4570 const char *p1, const struct buffer *b2_src, const char *b1_name,
4571 const char *b2_name)
4572{
4573 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4574 * OCC in a future version (because it's not useful). To reduce questions
4575 * when interoperating, we no longer printing a warning about it.
4576 */
4577 if (strprefix(p1, "key-method ") || strprefix(p1, "keydir ") || strprefix(p1, "proto ")
4578 || streq(p1, "tls-auth") || strprefix(p1, "tun-ipv6") || strprefix(p1, "cipher "))
4579 {
4580 return;
4581 }
4582
4583 if (strlen(p1) > 0)
4584 {
4585 struct gc_arena gc = gc_new();
4586 struct buffer b2 = *b2_src;
4588 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4589
4590 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4591 {
4592 if (strlen(p2))
4593 {
4595
4596 if (!strcmp(p1, p2))
4597 {
4598 goto done;
4599 }
4600 if (!strcmp(p1_prefix, p2_prefix))
4601 {
4603 {
4604 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4606 safe_print(p2, &gc));
4607 }
4608 goto done;
4609 }
4610 }
4611 }
4612
4613 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4615
4616done:
4617 gc_free(&gc);
4618 }
4619}
4620
4621static void
4622options_warning_safe_scan1(const int msglevel, const int delim, const bool report_inconsistent,
4623 const struct buffer *b1_src, const struct buffer *b2_src,
4624 const char *b1_name, const char *b2_name)
4625{
4626 struct gc_arena gc = gc_new();
4627 struct buffer b = *b1_src;
4628 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4629
4630 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4631 {
4633 b2_name);
4634 }
4635
4636 gc_free(&gc);
4637}
4638
4639static void
4640options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4641{
4642 struct gc_arena gc = gc_new();
4643
4644 if (actual_n > 0)
4645 {
4646 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4647 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4648 actual[actual_n - 1] = 0;
4649
4650 buf_printf(&local, "version %s", expected);
4651 buf_printf(&remote, "version %s", actual);
4652
4653 options_warning_safe_scan1(msglevel, ',', true, &local, &remote, "local", "remote");
4654
4655 options_warning_safe_scan1(msglevel, ',', false, &remote, &local, "remote", "local");
4656 }
4657
4658 gc_free(&gc);
4659}
4660
4661bool
4662options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4663{
4664 struct gc_arena gc = gc_new();
4665 bool ret = true;
4666
4667 if (actual_n > 0)
4668 {
4669 actual[actual_n - 1] = 0;
4670 if (strncmp(actual, expected, 2))
4671 {
4672 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4673 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4674 }
4675 else
4676 {
4677 ret = !strcmp(actual, expected);
4678 }
4679 }
4680 gc_free(&gc);
4681 return ret;
4682}
4683
4684void
4685options_warning_safe(char *actual, const char *expected, size_t actual_n)
4686{
4687 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4688}
4689
4690const char *
4691options_string_version(const char *s, struct gc_arena *gc)
4692{
4693 struct buffer out = alloc_buf_gc(4, gc);
4694 strncpynt((char *)BPTR(&out), s, 3);
4695 return BSTR(&out);
4696}
4697
4698char *
4700{
4701 char *ret = NULL;
4702 const size_t opt_name_len = strlen(opt_name);
4703
4704 const char *p = options_string;
4705 while (p)
4706 {
4707 if (0 == strncmp(p, opt_name, opt_name_len) && strlen(p) > (opt_name_len + 1)
4708 && p[opt_name_len] == ' ')
4709 {
4710 /* option found, extract value */
4711 const char *start = &p[opt_name_len + 1];
4712 const char *end = strchr(p, ',');
4713 size_t val_len = end ? end - start : strlen(start);
4714 ret = gc_malloc(val_len + 1, true, gc);
4715 memcpy(ret, start, val_len);
4716 break;
4717 }
4718 p = strchr(p, ',');
4719 if (p)
4720 {
4721 p++; /* skip delimiter */
4722 }
4723 }
4724 return ret;
4725}
4726
4727/*
4728 * parse/print topology coding
4729 */
4730
4731int
4732parse_topology(const char *str, const int msglevel)
4733{
4734 if (streq(str, "net30"))
4735 {
4736 return TOP_NET30;
4737 }
4738 else if (streq(str, "p2p"))
4739 {
4740 return TOP_P2P;
4741 }
4742 else if (streq(str, "subnet"))
4743 {
4744 return TOP_SUBNET;
4745 }
4746 else
4747 {
4748 msg(msglevel, "--topology must be net30, p2p, or subnet");
4749 return TOP_UNDEF;
4750 }
4751}
4752
4753const char *
4754print_topology(const int topology)
4755{
4756 switch (topology)
4757 {
4758 case TOP_UNDEF:
4759 return "undef";
4760
4761 case TOP_NET30:
4762 return "net30";
4763
4764 case TOP_P2P:
4765 return "p2p";
4766
4767 case TOP_SUBNET:
4768 return "subnet";
4769
4770 default:
4771 return "unknown";
4772 }
4773}
4774
4775/*
4776 * Manage auth-retry variable
4777 */
4778
4779static int global_auth_retry; /* GLOBAL */
4780
4781int
4783{
4784 return global_auth_retry;
4785}
4786
4787bool
4788auth_retry_set(const int msglevel, const char *option)
4789{
4790 if (streq(option, "interact"))
4791 {
4793 }
4794 else if (streq(option, "nointeract"))
4795 {
4797 }
4798 else if (streq(option, "none"))
4799 {
4801 }
4802 else
4803 {
4804 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4805 return false;
4806 }
4807 return true;
4808}
4809
4810const char *
4812{
4813 switch (global_auth_retry)
4814 {
4815 case AR_NONE:
4816 return "none";
4817
4818 case AR_NOINTERACT:
4819 return "nointeract";
4820
4821 case AR_INTERACT:
4822 return "interact";
4823
4824 default:
4825 return "???";
4826 }
4827}
4828
4829/*
4830 * Print the help message.
4831 */
4832static void
4834{
4835 FILE *fp = msg_fp(0);
4836
4837#ifdef ENABLE_SMALL
4838
4839 fprintf(fp, "Usage message not available\n");
4840
4841#else
4842
4843 struct options o;
4844 init_options(&o, true);
4845
4851 fflush(fp);
4852
4853#endif /* ENABLE_SMALL */
4854
4855 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4856}
4857
4858void
4860{
4861 msg(M_WARN | M_NOPREFIX, "Use --help for more information.");
4862 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4863}
4864
4865#ifdef _WIN32
4866void
4867show_windows_version(const unsigned int flags)
4868{
4869 struct gc_arena gc = gc_new();
4870 msg(flags, "Windows version: %s", win32_version_string(&gc));
4871 gc_free(&gc);
4872}
4873#endif
4874
4875void
4876show_dco_version(const unsigned int flags)
4877{
4878#ifdef ENABLE_DCO
4879 struct gc_arena gc = gc_new();
4880 msg(flags, "DCO version: %s", dco_version_string(&gc));
4881 gc_free(&gc);
4882#endif
4883}
4884
4885void
4886show_library_versions(const unsigned int flags)
4887{
4888#ifdef ENABLE_LZO
4889#define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4890#else
4891#define LZO_LIB_VER_STR "", ""
4892#endif
4893
4894 msg(flags, "library versions: %s%s%s", get_ssl_library_version(), LZO_LIB_VER_STR);
4895
4896#undef LZO_LIB_VER_STR
4897}
4898
4899static void
4901{
4904#ifdef _WIN32
4906#endif
4908 msg(M_INFO | M_NOPREFIX, "Originally developed by James Yonan");
4909 msg(M_INFO | M_NOPREFIX, "Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>");
4910#ifndef ENABLE_SMALL
4911#ifdef CONFIGURE_DEFINES
4912 msg(M_INFO | M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4913#endif
4914#ifdef CONFIGURE_SPECIAL_BUILD
4915 msg(M_INFO | M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4916#endif
4917#endif
4919}
4920
4921void
4922notnull(const char *arg, const char *description)
4923{
4924 if (!arg)
4925 {
4926 msg(M_USAGE, "You must define %s", description);
4927 }
4928}
4929
4930bool
4931string_defined_equal(const char *s1, const char *s2)
4932{
4933 if (s1 && s2)
4934 {
4935 return !strcmp(s1, s2);
4936 }
4937 else
4938 {
4939 return false;
4940 }
4941}
4942
4943#if 0
4944static void
4945ping_rec_err(int msglevel)
4946{
4947 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4948}
4949#endif
4950
4951#ifdef _WIN32 /* This function is only used when compiling on Windows */
4952static unsigned int
4953atou(const char *str)
4954{
4955 unsigned int val = 0;
4956 sscanf(str, "%u", &val);
4957 return val;
4958}
4959#endif
4960
4961static inline bool
4962space(char c)
4963{
4964 return c == '\0' || isspace(c);
4965}
4966
4967int
4968parse_line(const char *line, char *p[], const int n, const char *file, const int line_num,
4969 int msglevel, struct gc_arena *gc)
4970{
4971 const int STATE_INITIAL = 0;
4972 const int STATE_READING_QUOTED_PARM = 1;
4973 const int STATE_READING_UNQUOTED_PARM = 2;
4974 const int STATE_DONE = 3;
4975 const int STATE_READING_SQUOTED_PARM = 4;
4976
4977 const char *error_prefix = "";
4978
4979 int ret = 0;
4980 const char *c = line;
4981 int state = STATE_INITIAL;
4982 bool backslash = false;
4983 char in, out;
4984
4985 char parm[OPTION_PARM_SIZE];
4986 unsigned int parm_len = 0;
4987
4988 msglevel &= ~M_OPTERR;
4989
4990 if (msglevel & M_MSG_VIRT_OUT)
4991 {
4992 error_prefix = "ERROR: ";
4993 }
4994
4995 do
4996 {
4997 in = *c;
4998 out = 0;
4999
5000 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
5001 {
5002 backslash = true;
5003 }
5004 else
5005 {
5006 if (state == STATE_INITIAL)
5007 {
5008 if (!space(in))
5009 {
5010 if (in == ';' || in == '#') /* comment */
5011 {
5012 break;
5013 }
5014 if (!backslash && in == '\"')
5015 {
5016 state = STATE_READING_QUOTED_PARM;
5017 }
5018 else if (!backslash && in == '\'')
5019 {
5020 state = STATE_READING_SQUOTED_PARM;
5021 }
5022 else
5023 {
5024 out = in;
5025 state = STATE_READING_UNQUOTED_PARM;
5026 }
5027 }
5028 }
5029 else if (state == STATE_READING_UNQUOTED_PARM)
5030 {
5031 if (!backslash && space(in))
5032 {
5033 state = STATE_DONE;
5034 }
5035 else
5036 {
5037 out = in;
5038 }
5039 }
5040 else if (state == STATE_READING_QUOTED_PARM)
5041 {
5042 if (!backslash && in == '\"')
5043 {
5044 state = STATE_DONE;
5045 }
5046 else
5047 {
5048 out = in;
5049 }
5050 }
5051 else if (state == STATE_READING_SQUOTED_PARM)
5052 {
5053 if (in == '\'')
5054 {
5055 state = STATE_DONE;
5056 }
5057 else
5058 {
5059 out = in;
5060 }
5061 }
5062 if (state == STATE_DONE)
5063 {
5064 /* ASSERT (parm_len > 0); */
5065 p[ret] = gc_malloc(parm_len + 1, true, gc);
5066 memcpy(p[ret], parm, parm_len);
5067 p[ret][parm_len] = '\0';
5068 state = STATE_INITIAL;
5069 parm_len = 0;
5070 ++ret;
5071 }
5072
5073 if (backslash && out)
5074 {
5075 if (!(out == '\\' || out == '\"' || space(out)))
5076 {
5077#ifdef ENABLE_SMALL
5078 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d",
5079 error_prefix, file, line_num);
5080#else
5081 msg(msglevel,
5082 "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE
5083 "\\\\static.key\"",
5084 error_prefix, file, line_num);
5085#endif
5086 return 0;
5087 }
5088 }
5089 backslash = false;
5090 }
5091
5092 /* store parameter character */
5093 if (out)
5094 {
5095 if (parm_len >= SIZE(parm))
5096 {
5097 parm[SIZE(parm) - 1] = 0;
5098 msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5099 error_prefix, file, line_num, (int)SIZE(parm), parm);
5100 return 0;
5101 }
5102 parm[parm_len++] = out;
5103 }
5104
5105 /* avoid overflow if too many parms in one config file line */
5106 if (ret >= n)
5107 {
5108 break;
5109 }
5110
5111 } while (*c++ != '\0');
5112
5113 if (state == STATE_READING_QUOTED_PARM)
5114 {
5115 msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file,
5116 line_num);
5117 return 0;
5118 }
5119 if (state == STATE_READING_SQUOTED_PARM)
5120 {
5121 msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix,
5122 file, line_num);
5123 return 0;
5124 }
5125 if (state != STATE_INITIAL)
5126 {
5127 msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state,
5128 file, line_num);
5129 return 0;
5130 }
5131#if 0
5132 {
5133 int i;
5134 for (i = 0; i < ret; ++i)
5135 {
5136 msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
5137 }
5138 }
5139#endif
5140 return ret;
5141}
5142
5143static void
5145{
5146 if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
5147 {
5148 *p += 2;
5149 }
5150}
5151
5153{
5154#define IS_TYPE_FP 1
5155#define IS_TYPE_BUF 2
5156 int type;
5157 union
5158 {
5159 FILE *fp;
5161 } u;
5162};
5163
5164static bool
5165in_src_get(const struct in_src *is, char *line, const int size)
5166{
5167 if (is->type == IS_TYPE_FP)
5168 {
5169 return BOOL_CAST(fgets(line, size, is->u.fp));
5170 }
5171 else if (is->type == IS_TYPE_BUF)
5172 {
5173 bool status = buf_parse(is->u.multiline, '\n', line, size);
5174 if ((int)strlen(line) + 1 < size)
5175 {
5176 strcat(line, "\n");
5177 }
5178 return status;
5179 }
5180 else
5181 {
5182 ASSERT(0);
5183 return false;
5184 }
5185}
5186
5187static char *
5188read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
5189{
5190 char line[OPTION_LINE_SIZE];
5191 struct buffer buf = alloc_buf(8 * OPTION_LINE_SIZE);
5192 char *ret;
5193 bool endtagfound = false;
5194
5195 while (in_src_get(is, line, sizeof(line)))
5196 {
5197 (*num_lines)++;
5198 char *line_ptr = line;
5199 /* Remove leading spaces */
5200 while (isspace(*line_ptr))
5201 {
5202 line_ptr++;
5203 }
5205 {
5206 endtagfound = true;
5207 break;
5208 }
5209 if (!buf_safe(&buf, strlen(line) + 1))
5210 {
5211 /* Increase buffer size */
5212 struct buffer buf2 = alloc_buf(buf.capacity * 2);
5213 ASSERT(buf_copy(&buf2, &buf));
5214 buf_clear(&buf);
5215 free_buf(&buf);
5216 buf = buf2;
5217 }
5218 buf_printf(&buf, "%s", line);
5219 }
5220 if (!endtagfound)
5221 {
5222 msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
5223 }
5224 ret = string_alloc(BSTR(&buf), gc);
5225 buf_clear(&buf);
5226 free_buf(&buf);
5227 secure_memzero(line, sizeof(line));
5228 return ret;
5229}
5230
5231static int
5232check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
5233{
5234 int num_inline_lines = 0;
5235
5236 if (p[0] && !p[1])
5237 {
5238 char *arg = p[0];
5239 if (arg[0] == '<' && arg[strlen(arg) - 1] == '>')
5240 {
5241 struct buffer close_tag;
5242
5243 arg[strlen(arg) - 1] = '\0';
5244 p[0] = string_alloc(arg + 1, gc);
5245 close_tag = alloc_buf(strlen(p[0]) + 4);
5246 buf_printf(&close_tag, "</%s>", p[0]);
5248 p[2] = NULL;
5250 }
5251 }
5252 return num_inline_lines;
5253}
5254
5255static int
5257{
5258 struct in_src is;
5259 is.type = IS_TYPE_FP;
5260 is.u.fp = fp;
5261 return check_inline_file(&is, p, gc);
5262}
5263
5264static int
5266{
5267 struct in_src is;
5268 is.type = IS_TYPE_BUF;
5269 is.u.multiline = multiline;
5270 return check_inline_file(&is, p, gc);
5271}
5272
5273static void add_option(struct options *options, char *p[], bool is_inline, const char *file,
5274 int line, const int level, const int msglevel,
5275 const unsigned int permission_mask, unsigned int *option_types_found,
5276 struct env_set *es);
5277
5278static void remove_option(struct context *c, struct options *options, char *p[], bool is_inline,
5279 const char *file, int line, const int msglevel,
5280 const unsigned int permission_mask, unsigned int *option_types_found,
5281 struct env_set *es);
5282
5283static void update_option(struct context *c, struct options *options, char *p[], bool is_inline,
5284 const char *file, int line, const int level, const int msglevel,
5285 const unsigned int permission_mask, unsigned int *option_types_found,
5286 struct env_set *es, unsigned int *update_options_found);
5287
5288static void
5289read_config_file(struct options *options, const char *file, int level, const char *top_file,
5290 const int top_line, const int msglevel, const unsigned int permission_mask,
5291 unsigned int *option_types_found, struct env_set *es)
5292{
5293 const int max_recursive_levels = 10;
5294 FILE *fp;
5295 int line_num;
5296 char line[OPTION_LINE_SIZE + 1];
5297 char *p[MAX_PARMS + 1];
5298
5299 ++level;
5300 if (level <= max_recursive_levels)
5301 {
5302 if (streq(file, "stdin"))
5303 {
5304 fp = stdin;
5305 }
5306 else
5307 {
5308 fp = platform_fopen(file, "r");
5309 }
5310 if (fp)
5311 {
5312 line_num = 0;
5313 while (fgets(line, sizeof(line), fp))
5314 {
5315 int offset = 0;
5316 CLEAR(p);
5317 ++line_num;
5318 if (strlen(line) == OPTION_LINE_SIZE)
5319 {
5320 msg(msglevel,
5321 "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5322 file, line_num, OPTION_LINE_SIZE, line);
5323 }
5324
5325 /* Ignore UTF-8 BOM at start of stream */
5326 if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
5327 {
5328 offset = 3;
5329 }
5330 if (parse_line(line + offset, p, SIZE(p) - 1, file, line_num, msglevel,
5331 &options->gc))
5332 {
5333 bypass_doubledash(&p[0]);
5334 int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
5335 add_option(options, p, lines_inline, file, line_num, level, msglevel,
5336 permission_mask, option_types_found, es);
5337 line_num += lines_inline;
5338 }
5339 }
5340 if (fp != stdin)
5341 {
5342 fclose(fp);
5343 }
5344 }
5345 else
5346 {
5347 msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line,
5348 file);
5349 }
5350 }
5351 else
5352 {
5353 msg(msglevel,
5354 "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.",
5355 top_file, top_line, file);
5356 }
5357 secure_memzero(line, sizeof(line));
5358 CLEAR(p);
5359}
5360
5361static void
5362read_config_string(const char *prefix, struct options *options, const char *config,
5363 const int msglevel, const unsigned int permission_mask,
5364 unsigned int *option_types_found, struct env_set *es)
5365{
5366 char line[OPTION_LINE_SIZE];
5367 struct buffer multiline;
5368 int line_num = 0;
5369
5370 buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5371
5372 while (buf_parse(&multiline, '\n', line, sizeof(line)))
5373 {
5374 char *p[MAX_PARMS + 1];
5375 CLEAR(p);
5376 ++line_num;
5377 if (parse_line(line, p, SIZE(p) - 1, prefix, line_num, msglevel, &options->gc))
5378 {
5379 bypass_doubledash(&p[0]);
5380 int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
5381 add_option(options, p, lines_inline, prefix, line_num, 0, msglevel, permission_mask,
5382 option_types_found, es);
5384 }
5385 CLEAR(p);
5386 }
5387 secure_memzero(line, sizeof(line));
5388}
5389
5390void
5391parse_argv(struct options *options, const int argc, char *argv[], const int msglevel,
5392 const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
5393{
5394 /* usage message */
5395 if (argc <= 1)
5396 {
5397 usage();
5398 }
5399
5400 /* config filename specified only? */
5401 if (argc == 2 && strncmp(argv[1], "--", 2))
5402 {
5403 char *p[MAX_PARMS + 1];
5404 CLEAR(p);
5405 p[0] = "config";
5406 p[1] = argv[1];
5407 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask, option_types_found,
5408 es);
5409 }
5410 else
5411 {
5412 /* parse command line */
5413 for (int i = 1; i < argc; ++i)
5414 {
5415 char *p[MAX_PARMS + 1];
5416 CLEAR(p);
5417 p[0] = argv[i];
5418 if (strncmp(p[0], "--", 2))
5419 {
5420 msg(msglevel,
5421 "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'",
5422 p[0]);
5423 }
5424 else
5425 {
5426 p[0] += 2;
5427 }
5428
5429 int j;
5430 for (j = 1; j < MAX_PARMS; ++j)
5431 {
5432 if (i + j < argc)
5433 {
5434 char *arg = argv[i + j];
5435 if (strncmp(arg, "--", 2))
5436 {
5437 p[j] = arg;
5438 }
5439 else
5440 {
5441 break;
5442 }
5443 }
5444 }
5445 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask, option_types_found,
5446 es);
5447 i += j - 1;
5448 }
5449 }
5450}
5451
5452bool
5453apply_push_options(struct context *c, struct options *options, struct buffer *buf,
5454 unsigned int permission_mask, unsigned int *option_types_found,
5455 struct env_set *es, bool is_update)
5456{
5457 char line[OPTION_PARM_SIZE];
5458 int line_num = 0;
5459 const char *file = "[PUSH-OPTIONS]";
5460 const int msglevel = D_PUSH_ERRORS | M_OPTERR;
5461 unsigned int update_options_found = 0;
5462
5463 while (buf_parse(buf, ',', line, sizeof(line)))
5464 {
5465 char *p[MAX_PARMS + 1];
5466 CLEAR(p);
5467 ++line_num;
5468 unsigned int push_update_option_flags = 0;
5469 int i = 0;
5470
5471 /* skip leading spaces matching the behaviour of parse_line */
5472 while (isspace(line[i]))
5473 {
5474 i++;
5475 }
5476
5477 /* If we are not in a 'PUSH_UPDATE' we just check `apply_pull_filter()`
5478 * otherwise we must call `check_push_update_option_flags()` first
5479 */
5482 {
5483 /* In case we are in a `PUSH_UPDATE` and `check_push_update_option_flags()`
5484 * or `apply_pull_filter()` fail but the option is flagged by `PUSH_OPT_OPTIONAL`,
5485 * instead of restarting, we just ignore the option and we process the next one
5486 */
5488 {
5489 continue; /* Ignoring this option */
5490 }
5491 return false; /* Cause push/pull error and stop push processing */
5492 }
5493
5494 if (parse_line(&line[i], p, SIZE(p) - 1, file, line_num, msglevel, &options->gc))
5495 {
5496 if (!is_update)
5497 {
5498 add_option(options, p, false, file, line_num, 0, msglevel, permission_mask,
5499 option_types_found, es);
5500 }
5502 {
5503 remove_option(c, options, p, false, file, line_num, msglevel, permission_mask,
5504 option_types_found, es);
5505 }
5506 else
5507 {
5508 update_option(c, options, p, false, file, line_num, 0, msglevel, permission_mask,
5509 option_types_found, es, &update_options_found);
5510 }
5511 }
5512 }
5513 return true;
5514}
5515
5516void
5517options_server_import(struct options *o, const char *filename, int msglevel,
5518 unsigned int permission_mask, unsigned int *option_types_found,
5519 struct env_set *es)
5520{
5521 msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5522 read_config_file(o, filename, 0, filename, 0, msglevel, permission_mask, option_types_found,
5523 es);
5524}
5525
5526void
5527options_string_import(struct options *options, const char *config, const int msglevel,
5528 const unsigned int permission_mask, unsigned int *option_types_found,
5529 struct env_set *es)
5530{
5531 read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask,
5532 option_types_found, es);
5533}
5534
5535#define VERIFY_PERMISSION(mask) \
5536 { \
5537 if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, \
5538 msglevel, options, is_inline)) \
5539 { \
5540 goto err; \
5541 } \
5542 }
5543
5544static bool
5545verify_permission(const char *name, const char *file, int line, const unsigned int type,
5546 const unsigned int allowed, unsigned int *found, const int msglevel,
5547 struct options *options, bool is_inline)
5548{
5549 if (!(type & allowed))
5550 {
5551 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5552 return false;
5553 }
5554
5555 if (is_inline && !(type & OPT_P_INLINE))
5556 {
5557 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name, file, line);
5558 return false;
5559 }
5560
5561 if (found)
5562 {
5563 *found |= type;
5564 }
5565
5566#ifndef ENABLE_SMALL
5567 /* Check if this options is allowed in connection block,
5568 * but we are currently not in a connection block
5569 * unless this is a pushed option.
5570 * Parsing a connection block uses a temporary options struct without
5571 * connection_list
5572 */
5573
5575 {
5576 if (file)
5577 {
5578 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name,
5579 file, line);
5580 }
5581 else
5582 {
5583 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5584 }
5585 }
5586#endif
5587 return true;
5588}
5589
5590/*
5591 * Check that an option doesn't have too
5592 * many parameters.
5593 */
5594
5595#define NM_QUOTE_HINT (1 << 0)
5596
5597static bool
5598no_more_than_n_args(const int msglevel, char *p[], const int max, const unsigned int flags)
5599{
5600 const int len = string_array_len((const char **)p);
5601
5602 if (!len)
5603 {
5604 return false;
5605 }
5606
5607 if (len > max)
5608 {
5609 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s", p[0], max - 1,
5610 max >= 3 ? "s" : "",
5611 (flags & NM_QUOTE_HINT)
5612 ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")."
5613 : "");
5614 return false;
5615 }
5616 else
5617 {
5618 return true;
5619 }
5620}
5621
5622static inline int
5623msglevel_forward_compatible(struct options *options, const int msglevel)
5624{
5625 return options->forward_compatible ? M_WARN : msglevel;
5626}
5627
5628#define RESET_OPTION_ROUTES(option_ptr, field) \
5629 if (option_ptr) \
5630 { \
5631 option_ptr->field = NULL; \
5632 option_ptr->flags = 0; \
5633 }
5634
5655static void
5656remove_option(struct context *c, struct options *options, char *p[], bool is_inline,
5657 const char *file, int line, const int msglevel, const unsigned int permission_mask,
5658 unsigned int *option_types_found, struct env_set *es)
5659{
5661
5662 if (streq(p[0], "ifconfig") && !p[1])
5663 {
5667 }
5668 else if (streq(p[0], "ifconfig-ipv6") && !p[1])
5669 {
5674 }
5675 else if (streq(p[0], "route") && !p[1])
5676 {
5678 if (c->c1.route_list)
5679 {
5680 delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), es,
5681 &c->net_ctx);
5683 }
5684 }
5685 else if (streq(p[0], "route-ipv6") && !p[1])
5686 {
5688 if (c->c1.route_ipv6_list)
5689 {
5690 delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
5691 es, &c->net_ctx);
5693 }
5694 }
5695 else if (streq(p[0], "route-gateway") && !p[1])
5696 {
5700 }
5701 else if (streq(p[0], "route-metric") && !p[1])
5702 {
5705 }
5706 else if (streq(p[0], "push-continuation") && !p[1])
5707 {
5710 }
5711 else if ((streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private")) && !p[1])
5712 {
5714 if (options->routes)
5715 {
5716 options->routes->flags = 0;
5717 }
5718 if (options->routes_ipv6)
5719 {
5721 }
5722 env_set_del(es, "route_redirect_gateway_ipv4");
5723 env_set_del(es, "route_redirect_gateway_ipv6");
5724 }
5725 else if (streq(p[0], "dns") && !p[1])
5726 {
5730 }
5731 else if (streq(p[0], "topology") && !p[1])
5732 {
5736 }
5737 else if (streq(p[0], "tun-mtu") && !p[1])
5738 {
5741 options->ce.tun_mtu_defined = false;
5742 options->ce.occ_mtu = 0;
5743 }
5744 else if (streq(p[0], "block-ipv6") && !p[1])
5745 {
5747 options->block_ipv6 = false;
5748 }
5749#if defined(_WIN32) || defined(TARGET_ANDROID)
5750 else if (streq(p[0], "dhcp-option") && !p[1])
5751 {
5754
5755 o->domain = NULL;
5756 o->netbios_scope = NULL;
5757 o->netbios_node_type = 0;
5758 o->dns6_len = 0;
5759 memset(o->dns6, 0, sizeof(o->dns6));
5760 o->dns_len = 0;
5761 memset(o->dns, 0, sizeof(o->dns));
5762 o->wins_len = 0;
5763 memset(o->wins, 0, sizeof(o->wins));
5764 o->ntp_len = 0;
5765 memset(o->ntp, 0, sizeof(o->ntp));
5766 o->nbdd_len = 0;
5767 memset(o->nbdd, 0, sizeof(o->nbdd));
5768 while (o->domain_search_list_len-- > 0)
5769 {
5771 }
5772 o->disable_nbt = 0;
5773 o->dhcp_options = 0;
5774#if defined(TARGET_ANDROID)
5775 o->http_proxy_port = 0;
5776 o->http_proxy = NULL;
5777#endif
5778 }
5779#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
5780#ifdef _WIN32
5781 else if (streq(p[0], "block-outside-dns") && !p[1])
5782 {
5784 options->block_outside_dns = false;
5785 }
5786#else /* ifdef _WIN32 */
5787 else if (streq(p[0], "dhcp-option") && !p[1])
5788 {
5790 delete_all_dhcp_fo(options, &es->list);
5791 }
5792#endif
5793 else
5794 {
5795 int i;
5796 int msglevel_unknown = msglevel_fc;
5797 /* Check if an option is in --ignore-unknown-option and
5798 * set warning level to non fatal */
5800 {
5801 if (streq(p[0], options->ignore_unknown_option[i]))
5802 {
5803 msglevel_unknown = M_WARN;
5804 break;
5805 }
5806 }
5807 msg(msglevel_unknown,
5808 "Unrecognized option or missing or extra parameter(s) in %s:%d: -%s (%s)", file, line,
5809 p[0], PACKAGE_VERSION);
5810 }
5811 return;
5812err:
5813 msg(msglevel, "Error occurred trying to remove %s option", p[0]);
5814}
5815
5816
5817static bool
5818check_route_option(struct options *options, char *p[], const int msglevel, bool pull_mode)
5819{
5821 if (pull_mode)
5822 {
5824 && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
5825 {
5826 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
5827 return false;
5828 }
5829 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
5830 {
5831 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
5832 return false;
5833 }
5834 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn)
5835 && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
5836 {
5837 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
5838 return false;
5839 }
5840 }
5841 return true;
5842}
5843
5844
5845static bool
5846check_route6_option(struct options *options, char *p[], const int msglevel, bool pull_mode)
5847{
5849 if (pull_mode)
5850 {
5851 if (!ipv6_addr_safe_hexplusbits(p[1]))
5852 {
5853 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
5854 return false;
5855 }
5856 if (p[2] && !ipv6_addr_safe(p[2]))
5857 {
5858 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
5859 return false;
5860 }
5861 /* p[3] is metric, if present */
5862 }
5863 return true;
5864}
5865
5866static bool
5867check_dns_option(struct options *options, char *p[], const int msglevel, bool pull_mode)
5868{
5869 if (streq(p[1], "search-domains") && p[2])
5870 {
5873 }
5874 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
5875 {
5876 long priority;
5877 if (!dns_server_priority_parse(&priority, p[2], pull_mode))
5878 {
5879 msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
5880 return false;
5881 }
5882
5883 struct dns_server *server =
5885
5886 if (streq(p[3], "address") && p[4])
5887 {
5888 for (int i = 4; p[i]; ++i)
5889 {
5890 if (!dns_server_addr_parse(server, p[i]))
5891 {
5892 msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'",
5893 priority, p[i]);
5894 return false;
5895 }
5896 }
5897 }
5898 else if (streq(p[3], "resolve-domains"))
5899 {
5901 }
5902 else if (streq(p[3], "dnssec") && !p[5])
5903 {
5904 if (streq(p[4], "yes"))
5905 {
5906 server->dnssec = DNS_SECURITY_YES;
5907 }
5908 else if (streq(p[4], "no"))
5909 {
5910 server->dnssec = DNS_SECURITY_NO;
5911 }
5912 else if (streq(p[4], "optional"))
5913 {
5914 server->dnssec = DNS_SECURITY_OPTIONAL;
5915 }
5916 else
5917 {
5918 msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
5919 return false;
5920 }
5921 }
5922 else if (streq(p[3], "transport") && !p[5])
5923 {
5924 if (streq(p[4], "plain"))
5925 {
5927 }
5928 else if (streq(p[4], "DoH"))
5929 {
5931 }
5932 else if (streq(p[4], "DoT"))
5933 {
5934 server->transport = DNS_TRANSPORT_TLS;
5935 }
5936 else
5937 {
5938 msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
5939 return false;
5940 }
5941 }
5942 else if (streq(p[3], "sni") && !p[5])
5943 {
5944 server->sni = p[4];
5945 }
5946 else
5947 {
5948 msg(msglevel,
5949 "--dns server %ld: unknown option type '%s' or missing or unknown parameter",
5950 priority, p[3]);
5951 return false;
5952 }
5953 }
5954 else
5955 {
5956 msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
5957 return false;
5958 }
5959 return true;
5960}
5961
5985static void
5986update_option(struct context *c, struct options *options, char *p[], bool is_inline,
5987 const char *file, int line, const int level, const int msglevel,
5988 const unsigned int permission_mask, unsigned int *option_types_found,
5989 struct env_set *es, unsigned int *update_options_found)
5990{
5991 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5992 ASSERT(MAX_PARMS >= 7);
5993
5994 if (streq(p[0], "route") && p[1] && !p[5])
5995 {
5996 if (!(*update_options_found & OPT_P_U_ROUTE))
5997 {
5999 if (!check_route_option(options, p, msglevel, pull_mode))
6000 {
6001 goto err;
6002 }
6003 if (c->c1.route_list)
6004 {
6006 es, &c->net_ctx);
6008 }
6009 *update_options_found |= OPT_P_U_ROUTE;
6010 }
6011 }
6012 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
6013 {
6014 if (!(*update_options_found & OPT_P_U_ROUTE6))
6015 {
6017 if (!check_route6_option(options, p, msglevel, pull_mode))
6018 {
6019 goto err;
6020 }
6021 if (c->c1.route_ipv6_list)
6022 {
6026 }
6027 *update_options_found |= OPT_P_U_ROUTE6;
6028 }
6029 }
6030 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
6031 {
6032 if (!(*update_options_found & OPT_P_U_REDIR_GATEWAY))
6033 {
6035 if (options->routes)
6036 {
6037 options->routes->flags = 0;
6038 }
6039 if (options->routes_ipv6)
6040 {
6042 }
6043 env_set_del(es, "route_redirect_gateway_ipv4");
6044 env_set_del(es, "route_redirect_gateway_ipv6");
6045 *update_options_found |= OPT_P_U_REDIR_GATEWAY;
6046 }
6047 }
6048 else if (streq(p[0], "dns") && p[1])
6049 {
6050 if (!(*update_options_found & OPT_P_U_DNS))
6051 {
6053 if (!check_dns_option(options, p, msglevel, pull_mode))
6054 {
6055 goto err;
6056 }
6059 *update_options_found |= OPT_P_U_DNS;
6060 }
6061 }
6062#if defined(_WIN32) || defined(TARGET_ANDROID)
6063 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
6064 {
6065 if (!(*update_options_found & OPT_P_U_DHCP))
6066 {
6069
6070 o->domain = NULL;
6071 o->netbios_scope = NULL;
6072 o->netbios_node_type = 0;
6073 o->dns6_len = 0;
6074 CLEAR(o->dns6);
6075 o->dns_len = 0;
6076 CLEAR(o->dns);
6077 o->wins_len = 0;
6078 CLEAR(o->wins);
6079 o->ntp_len = 0;
6080 CLEAR(o->ntp);
6081 o->nbdd_len = 0;
6082 CLEAR(o->nbdd);
6083 while (o->domain_search_list_len-- > 0)
6084 {
6086 }
6087 o->disable_nbt = 0;
6088 o->dhcp_options = 0;
6089
6091#if defined(TARGET_ANDROID)
6092 o->http_proxy_port = 0;
6093 o->http_proxy = NULL;
6094#endif
6095 *update_options_found |= OPT_P_U_DHCP;
6096 }
6097 }
6098#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
6099 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
6100 {
6101 if (!(*update_options_found & OPT_P_U_DHCP))
6102 {
6104 delete_all_dhcp_fo(options, &es->list);
6105 *update_options_found |= OPT_P_U_DHCP;
6106 }
6107 }
6108#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
6109 add_option(options, p, is_inline, file, line, level, msglevel, permission_mask,
6110 option_types_found, es);
6111 return;
6112err:
6113 msg(msglevel, "Error occurred trying to update %s option", p[0]);
6114}
6115
6116static void
6117set_user_script(struct options *options, const char **script, const char *new_script,
6118 const char *type, bool in_chroot)
6119{
6120 if (*script)
6121 {
6122 msg(M_WARN,
6123 "Multiple --%s scripts defined. "
6124 "The previously configured script is overridden.",
6125 type);
6126 }
6127 *script = new_script;
6128 options->user_script_used = true;
6129
6130#ifndef ENABLE_SMALL
6131 {
6132 char script_name[100];
6133 snprintf(script_name, sizeof(script_name), "--%s script", type);
6134
6135 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
6136 {
6137 msg(M_USAGE, "Please correct this error.");
6138 }
6139 }
6140#endif
6141}
6142
6143static void
6145{
6146 if (comp_non_stub_enabled(info))
6147 {
6148 msg(M_WARN, "WARNING: Compression for receiving enabled. "
6149 "Compression has been used in the past to break encryption. "
6150 "Compression support is deprecated and we recommend to disable "
6151 "it completely.");
6152 }
6153}
6154
6155bool
6157{
6158 bool ret = false;
6159 ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
6160#ifdef ENABLE_PKCS11
6161 ret = ret || (options->pkcs11_providers[0] != NULL);
6162#endif
6163#ifdef ENABLE_CRYPTOAPI
6164 ret = ret || options->cryptoapi_cert;
6165#endif
6166
6167 return ret;
6168}
6169
6170static void
6171add_option(struct options *options, char *p[], bool is_inline, const char *file, int line,
6172 const int level, const int msglevel, const unsigned int permission_mask,
6173 unsigned int *option_types_found, struct env_set *es)
6174{
6175 struct gc_arena gc = gc_new();
6176 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
6177 int msglevel_fc = msglevel_forward_compatible(options, msglevel);
6178
6179 ASSERT(MAX_PARMS >= 7);
6180
6181 /*
6182 * If directive begins with "setenv opt" prefix, don't raise an error if
6183 * directive is unrecognized.
6184 */
6185 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
6186 {
6187 if (!p[2])
6188 {
6189 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
6190 }
6191 p += 2;
6192 msglevel_fc = M_WARN;
6193 }
6194
6195 if (!file)
6196 {
6197 file = "[CMD-LINE]";
6198 line = 1;
6199 }
6200 if (streq(p[0], "help"))
6201 {
6203 usage();
6204 if (p[1])
6205 {
6206 msg(msglevel, "--help does not accept any parameters");
6207 goto err;
6208 }
6209 }
6210 if (streq(p[0], "version") && !p[1])
6211 {
6213 usage_version();
6214 }
6215 else if (streq(p[0], "config") && p[1] && !p[2])
6216 {
6218
6219 /* save first config file only in options */
6220 if (!options->config)
6221 {
6222 options->config = p[1];
6223 }
6224
6225 read_config_file(options, p[1], level, file, line, msglevel, permission_mask,
6226 option_types_found, es);
6227 }
6228#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6229 else if (streq(p[0], "show-gateway") && !p[2])
6230 {
6231 struct route_gateway_info rgi;
6232 struct route_ipv6_gateway_info rgi6;
6233 in_addr_t remote_ipv4 = 0;
6234 struct in6_addr remote_ipv6 = IN6ADDR_ANY_INIT;
6235 openvpn_net_ctx_t net_ctx;
6237 if (p[1])
6238 {
6239 /* try parsing the argument as a v4 or v6 address - if
6240 * possible, the output will show the exact route there, and
6241 * "the default route" for the other protocol
6242 */
6243 remote_ipv4 = get_ip_addr(p[1], M_WARN, NULL);
6244 get_ipv6_addr(p[1], &remote_ipv6, NULL, M_WARN);
6245 }
6246 net_ctx_init(NULL, &net_ctx);
6247 get_default_gateway(&rgi, remote_ipv4, &net_ctx);
6248 get_default_gateway_ipv6(&rgi6, &remote_ipv6, &net_ctx);
6249 print_default_gateway(M_INFO, &rgi, &rgi6);
6250 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
6251 }
6252#endif
6253 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
6254 {
6255 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
6256 int j;
6257 bool good = true;
6258
6260
6261 for (j = 1; j < MAX_PARMS; ++j)
6262 {
6263 if (!p[j])
6264 {
6265 break;
6266 }
6267 if (j > 1)
6268 {
6269 good &= buf_printf(&string, " ");
6270 }
6271 good &= buf_printf(&string, "%s", p[j]);
6272 }
6273 if (good)
6274 {
6275 /* only message-related ECHO are logged, since other ECHOs
6276 * can potentially include security-sensitive strings */
6277 if (p[1] && strncmp(p[1], "msg", 3) == 0)
6278 {
6279 msg(M_INFO, "%s:%s", pull_mode ? "ECHO-PULL" : "ECHO", BSTR(&string));
6280 }
6281#ifdef ENABLE_MANAGEMENT
6282 if (management)
6283 {
6285 }
6286#endif
6287 }
6288 else
6289 {
6290 msg(M_WARN, "echo/parameter option overflow");
6291 }
6292 }
6293#ifdef ENABLE_MANAGEMENT
6294 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
6295 {
6297 if (streq(p[2], "unix"))
6298 {
6299#if UNIX_SOCK_SUPPORT
6301#else
6302 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
6303 goto err;
6304#endif
6305 }
6306
6309 if (p[3])
6310 {
6312 }
6313 }
6314 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
6315 {
6318 }
6319 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
6320 {
6323 }
6324 else if (streq(p[0], "management-query-passwords") && !p[1])
6325 {
6328 }
6329 else if (streq(p[0], "management-query-remote") && !p[1])
6330 {
6333 }
6334 else if (streq(p[0], "management-query-proxy") && !p[1])
6335 {
6338 }
6339 else if (streq(p[0], "management-hold") && !p[1])
6340 {
6343 }
6344 else if (streq(p[0], "management-signal") && !p[1])
6345 {
6348 }
6349 else if (streq(p[0], "management-forget-disconnect") && !p[1])
6350 {
6353 }
6354 else if (streq(p[0], "management-up-down") && !p[1])
6355 {
6358 }
6359 else if (streq(p[0], "management-client") && !p[1])
6360 {
6363 }
6364 else if (streq(p[0], "management-external-key"))
6365 {
6367 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
6368 {
6369 if (streq(p[j], "nopadding"))
6370 {
6372 }
6373 else if (streq(p[j], "pkcs1"))
6374 {
6376 }
6377 else if (streq(p[j], "pss"))
6378 {
6380 }
6381 else if (streq(p[j], "digest"))
6382 {
6384 }
6385 else
6386 {
6387 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
6388 }
6389 }
6390 /*
6391 * When no option is present, assume that only PKCS1
6392 * padding is supported
6393 */
6395 {
6397 }
6399 }
6400 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
6401 {
6405 }
6406 else if (streq(p[0], "management-client-auth") && !p[1])
6407 {
6410 }
6411 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
6412 {
6415 p[0], 1, INT_MAX, msglevel))
6416 {
6417 goto err;
6418 }
6419 }
6420#endif /* ifdef ENABLE_MANAGEMENT */
6421#ifdef ENABLE_PLUGIN
6422 else if (streq(p[0], "plugin") && p[1])
6423 {
6425 if (!options->plugin_list)
6426 {
6428 }
6430 {
6431 msg(msglevel, "plugin add failed: %s", p[1]);
6432 goto err;
6433 }
6434 }
6435#endif
6436 else if (streq(p[0], "mode") && p[1] && !p[2])
6437 {
6439 if (streq(p[1], "p2p"))
6440 {
6442 }
6443 else if (streq(p[1], "server"))
6444 {
6446 }
6447 else
6448 {
6449 msg(msglevel, "Bad --mode parameter: %s", p[1]);
6450 goto err;
6451 }
6452 }
6453 else if (streq(p[0], "dev") && p[1] && !p[2])
6454 {
6456 options->dev = p[1];
6457 }
6458 else if (streq(p[0], "dev-type") && p[1] && !p[2])
6459 {
6461 options->dev_type = p[1];
6462 }
6463#ifdef _WIN32
6464 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
6465 {
6467 msg(M_WARN,
6468 "DEPRECATED OPTION: windows-driver: In OpenVPN 2.7, the default Windows driver is ovpn-dco. "
6469 "If incompatible options are used, OpenVPN will fall back to tap-windows6. Wintun support has been removed.");
6470 }
6471#endif
6472 else if (streq(p[0], "disable-dco"))
6473 {
6474 options->disable_dco = true;
6475 }
6476 else if (streq(p[0], "dev-node") && p[1] && !p[2])
6477 {
6479 options->dev_node = p[1];
6480 }
6481 else if (streq(p[0], "lladdr") && p[1] && !p[2])
6482 {
6484 if (mac_addr_safe(p[1])) /* MAC address only */
6485 {
6486 options->lladdr = p[1];
6487 }
6488 else
6489 {
6490 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
6491 goto err;
6492 }
6493 }
6494 else if (streq(p[0], "topology") && p[1] && !p[2])
6495 {
6497 options->topology = parse_topology(p[1], msglevel);
6498 }
6499 else if (streq(p[0], "tun-ipv6") && !p[1])
6500 {
6501 if (!pull_mode)
6502 {
6503 msg(M_WARN,
6504 "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
6505 }
6506 }
6507#ifdef ENABLE_IPROUTE
6508 else if (streq(p[0], "iproute") && p[1] && !p[2])
6509 {
6511 iproute_path = p[1];
6512 }
6513#endif
6514 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
6515 {
6518 && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
6519 {
6520 options->ifconfig_local = p[1];
6522 }
6523 else
6524 {
6525 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6526 goto err;
6527 }
6528 }
6529 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
6530 {
6531 unsigned int netbits;
6532
6534 if (get_ipv6_addr(p[1], NULL, &netbits, msglevel) && ipv6_addr_safe(p[2]))
6535 {
6537 {
6538 msg(msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'",
6539 netbits);
6540 goto err;
6541 }
6542
6544 options->ifconfig_ipv6_netbits = netbits;
6546 }
6547 else
6548 {
6549 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6550 goto err;
6551 }
6552 }
6553 else if (streq(p[0], "ifconfig-noexec") && !p[1])
6554 {
6556 options->ifconfig_noexec = true;
6557 }
6558 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
6559 {
6561 options->ifconfig_nowarn = true;
6562 }
6563 else if (streq(p[0], "local") && p[1] && !p[4])
6564 {
6565 struct local_entry *e;
6566
6568
6570 ASSERT(e);
6571
6572 /* '*' is treated as 'ask the system to get some socket',
6573 * therefore force binding on a particular address only when
6574 * actually specified. */
6575 if (strcmp(p[1], "*") != 0)
6576 {
6577 e->local = p[1];
6578 }
6579
6580 if (p[2])
6581 {
6582 e->port = p[2];
6583 }
6584
6585 if (p[3])
6586 {
6587 e->proto = ascii2proto(p[3]);
6588 }
6589 }
6590 else if (streq(p[0], "remote-random") && !p[1])
6591 {
6593 options->remote_random = true;
6594 }
6595 else if (streq(p[0], "connection") && p[1] && !p[3])
6596 {
6598 if (is_inline)
6599 {
6600 struct options sub;
6601 struct connection_entry *e;
6602
6603 init_options(&sub, true);
6604 sub.ce = options->ce;
6605 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel, OPT_P_CONNECTION,
6606 option_types_found, es);
6607 if (!sub.ce.remote)
6608 {
6609 msg(msglevel,
6610 "Each 'connection' block must contain exactly one 'remote' directive");
6611 uninit_options(&sub);
6612 goto err;
6613 }
6614
6615 e = alloc_connection_entry(options, msglevel);
6616 if (!e)
6617 {
6618 uninit_options(&sub);
6619 goto err;
6620 }
6621 *e = sub.ce;
6622 gc_transfer(&options->gc, &sub.gc);
6623 uninit_options(&sub);
6624 }
6625 }
6626 else if (streq(p[0], "ignore-unknown-option") && p[1])
6627 {
6628 int i;
6629 int j;
6630 int numignored = 0;
6631 const char **ignore;
6632
6634 /* Find out how many options to be ignored */
6635 for (i = 1; p[i]; i++)
6636 {
6637 numignored++;
6638 }
6639
6640 /* add number of options already ignored */
6642 {
6643 numignored++;
6644 }
6645
6646 /* Allocate array */
6647 ALLOC_ARRAY_GC(ignore, const char *, numignored + 1, &options->gc);
6649 {
6650 ignore[i] = options->ignore_unknown_option[i];
6651 }
6652
6654
6655 for (j = 1; p[j]; j++)
6656 {
6657 /* Allow the user to specify ignore-unknown-option --opt too */
6658 if (p[j][0] == '-' && p[j][1] == '-')
6659 {
6660 options->ignore_unknown_option[i] = (p[j] + 2);
6661 }
6662 else
6663 {
6665 }
6666 i++;
6667 }
6668
6670 }
6671#if ENABLE_MANAGEMENT
6672 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6673 {
6677 {
6678 goto err;
6679 }
6680 }
6681#endif
6682 else if (streq(p[0], "remote") && p[1] && !p[4])
6683 {
6684 struct remote_entry re;
6685 re.remote = re.remote_port = NULL;
6686 re.proto = -1;
6687 re.af = 0;
6688
6690 re.remote = p[1];
6691 if (p[2])
6692 {
6693 re.remote_port = p[2];
6694 if (p[3])
6695 {
6696 const int proto = ascii2proto(p[3]);
6697 const sa_family_t af = ascii2af(p[3]);
6698 if (proto < 0)
6699 {
6700 msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
6701 goto err;
6702 }
6703 re.proto = proto;
6704 re.af = af;
6705 }
6706 }
6707 if (permission_mask & OPT_P_GENERAL)
6708 {
6709 struct remote_entry *e = alloc_remote_entry(options, msglevel);
6710 if (!e)
6711 {
6712 goto err;
6713 }
6714 *e = re;
6715 }
6716 else if (permission_mask & OPT_P_CONNECTION)
6717 {
6719 }
6720 }
6721 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6722 {
6724 if (streq(p[1], "infinite"))
6725 {
6727 }
6728 else
6729 {
6730 options->resolve_retry_seconds = positive_atoi(p[1], msglevel);
6731 }
6732 }
6733 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6734 {
6737 /* Note the ip-remote-hint and the argument p[1] are for
6738 * backward compatibility */
6739 if (p[1])
6740 {
6741 options->ip_remote_hint = p[1];
6742 }
6743 }
6744 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6745 {
6747 options->ce.connect_retry_seconds = positive_atoi(p[1], msglevel);
6748 /*
6749 * Limit the base value of retry wait interval to 16 bits to avoid
6750 * overflow when scaled up for exponential backoff
6751 */
6752 if (options->ce.connect_retry_seconds > 0xFFFF)
6753 {
6755 msg(M_WARN, "connect retry wait interval truncated to %d",
6757 }
6758
6759 if (p[2])
6760 {
6763 }
6764 }
6765 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout")) && p[1]
6766 && !p[2])
6767 {
6769 options->ce.connect_timeout = positive_atoi(p[1], msglevel);
6770 }
6771 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6772 {
6774 options->connect_retry_max = positive_atoi(p[1], msglevel);
6775 }
6776 else if (streq(p[0], "ipchange") && p[1])
6777 {
6779 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6780 {
6781 goto err;
6782 }
6784 string_substitute(p[1], ',', ' ', &options->gc), "ipchange", true);
6785 }
6786 else if (streq(p[0], "float") && !p[1])
6787 {
6789 options->ce.remote_float = true;
6790 }
6791#ifdef ENABLE_DEBUG
6792 else if (streq(p[0], "gremlin") && p[1] && !p[2])
6793 {
6795 options->gremlin = positive_atoi(p[1], msglevel);
6796 }
6797#endif
6798 else if (streq(p[0], "chroot") && p[1] && !p[2])
6799 {
6801 options->chroot_dir = p[1];
6802 }
6803 else if (streq(p[0], "cd") && p[1] && !p[2])
6804 {
6806 if (platform_chdir(p[1]))
6807 {
6808 msg(M_ERR, "cd to '%s' failed", p[1]);
6809 goto err;
6810 }
6811 options->cd_dir = p[1];
6812 }
6813#ifdef ENABLE_SELINUX
6814 else if (streq(p[0], "setcon") && p[1] && !p[2])
6815 {
6817 options->selinux_context = p[1];
6818 }
6819#endif
6820 else if (streq(p[0], "writepid") && p[1] && !p[2])
6821 {
6823 options->writepid = p[1];
6824 }
6825 else if (streq(p[0], "up") && p[1])
6826 {
6828 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6829 {
6830 goto err;
6831 }
6832 set_user_script(options, &options->up_script, p[1], "up", false);
6833 }
6834 else if (streq(p[0], "down") && p[1])
6835 {
6837 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6838 {
6839 goto err;
6840 }
6841 set_user_script(options, &options->down_script, p[1], "down", true);
6842 }
6843 else if (streq(p[0], "down-pre") && !p[1])
6844 {
6846 options->down_pre = true;
6847 }
6848 else if (streq(p[0], "up-delay") && !p[1])
6849 {
6851 options->up_delay = true;
6852 }
6853 else if (streq(p[0], "up-restart") && !p[1])
6854 {
6856 options->up_restart = true;
6857 }
6858 else if (streq(p[0], "syslog") && !p[2])
6859 {
6861 open_syslog(p[1], false);
6862 }
6863 else if (streq(p[0], "daemon") && !p[2])
6864 {
6865 bool didit = false;
6867 if (!options->daemon)
6868 {
6869 options->daemon = didit = true;
6870 open_syslog(p[1], false);
6871 }
6872 if (p[1])
6873 {
6874 if (!didit)
6875 {
6876 msg(M_WARN,
6877 "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)",
6878 p[1]);
6879 goto err;
6880 }
6881 }
6882 }
6883 else if (streq(p[0], "log") && p[1] && !p[2])
6884 {
6886 options->log = true;
6887 redirect_stdout_stderr(p[1], false);
6888 }
6889 else if (streq(p[0], "suppress-timestamps") && !p[1])
6890 {
6894 }
6895 else if (streq(p[0], "machine-readable-output") && !p[1])
6896 {
6900 }
6901 else if (streq(p[0], "log-append") && p[1] && !p[2])
6902 {
6904 options->log = true;
6905 redirect_stdout_stderr(p[1], true);
6906 }
6907#ifdef ENABLE_MEMSTATS
6908 else if (streq(p[0], "memstats") && p[1] && !p[2])
6909 {
6911 options->memstats_fn = p[1];
6912 }
6913#endif
6914 else if (streq(p[0], "mlock") && !p[1])
6915 {
6917 options->mlock = true;
6918 }
6919#if ENABLE_IP_PKTINFO
6920 else if (streq(p[0], "multihome") && !p[1])
6921 {
6924 }
6925#endif
6926 else if (streq(p[0], "verb") && p[1] && !p[2])
6927 {
6929 options->verbosity = positive_atoi(p[1], msglevel);
6931 {
6932 /* We pass this flag to the SSL library to avoid
6933 * mbed TLS always generating debug level logging */
6935 }
6936#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6937 /* Warn when a debug verbosity is supplied when built without debug support */
6938 if (options->verbosity >= 7)
6939 {
6940 msg(M_WARN,
6941 "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6943 }
6944#endif
6945 }
6946 else if (streq(p[0], "mute") && p[1] && !p[2])
6947 {
6949 options->mute = positive_atoi(p[1], msglevel);
6950 }
6951 else if (streq(p[0], "errors-to-stderr") && !p[1])
6952 {
6955 }
6956 else if (streq(p[0], "status") && p[1] && !p[3])
6957 {
6959 options->status_file = p[1];
6960 if (p[2])
6961 {
6963 }
6964 }
6965 else if (streq(p[0], "status-version") && p[1] && !p[2])
6966 {
6968 if (!atoi_constrained(p[1], &options->status_file_version, p[0], 1, 3, msglevel))
6969 {
6970 goto err;
6971 }
6972 }
6973 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6974 {
6976 if (streq(p[1], "SIGHUP"))
6977 {
6978 options->remap_sigusr1 = SIGHUP;
6979 }
6980 else if (streq(p[1], "SIGTERM"))
6981 {
6982 options->remap_sigusr1 = SIGTERM;
6983 }
6984 else
6985 {
6986 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6987 goto err;
6988 }
6989 }
6990 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6991 {
6993 options->ce.link_mtu = positive_atoi(p[1], msglevel);
6994 options->ce.link_mtu_defined = true;
6995 }
6996 else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6997 {
6999 options->ce.tun_mtu = positive_atoi(p[1], msglevel);
7000 options->ce.tun_mtu_defined = true;
7001 if (p[2])
7002 {
7003 options->ce.occ_mtu = positive_atoi(p[2], msglevel);
7004 }
7005 else
7006 {
7007 options->ce.occ_mtu = 0;
7008 }
7009 }
7010 else if (streq(p[0], "tun-mtu-max") && p[1] && !p[2])
7011 {
7013 int max_mtu = positive_atoi(p[1], msglevel);
7014 if (max_mtu < 68 || max_mtu > 65536)
7015 {
7016 msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
7017 }
7018 else
7019 {
7020 options->ce.tun_mtu_max = max_mtu;
7021 }
7022 }
7023 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
7024 {
7026 options->ce.tun_mtu_extra = positive_atoi(p[1], msglevel);
7028 }
7029 else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
7030 {
7032 int maxmtu = positive_atoi(p[1], msglevel);
7034
7035 if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
7036 {
7037 msg(M_WARN,
7038 "Note: max-packet-size value outside of allowed "
7039 "control channel packet size (%d to %d), will use %d "
7040 "instead.",
7042 }
7043
7044 /* also set mssfix maxmtu mtu */
7045 options->ce.mssfix = maxmtu;
7046 options->ce.mssfix_default = false;
7047 options->ce.mssfix_encap = true;
7048 }
7049#ifdef ENABLE_FRAGMENT
7050 else if (streq(p[0], "mtu-dynamic"))
7051 {
7053 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
7054 goto err;
7055 }
7056 else if (streq(p[0], "fragment") && p[1] && !p[3])
7057 {
7059 options->ce.fragment = positive_atoi(p[1], msglevel);
7060
7061 if (options->ce.fragment < 68)
7062 {
7063 msg(msglevel, "--fragment needs to be at least 68");
7064 goto err;
7065 }
7066
7067 if (p[2] && streq(p[2], "mtu"))
7068 {
7069 options->ce.fragment_encap = true;
7070 }
7071 else if (p[2])
7072 {
7073 msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
7074 }
7075 }
7076#endif /* ifdef ENABLE_FRAGMENT */
7077 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
7078 {
7081 }
7082 else if (streq(p[0], "mtu-test") && !p[1])
7083 {
7085 options->mtu_test = true;
7086 }
7087 else if (streq(p[0], "nice") && p[1] && !p[2])
7088 {
7090 options->nice = atoi_warn(p[1], msglevel);
7091 }
7092 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
7093 {
7095 options->rcvbuf = positive_atoi(p[1], msglevel);
7096 }
7097 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
7098 {
7100 options->sndbuf = positive_atoi(p[1], msglevel);
7101 }
7102 else if (streq(p[0], "mark") && p[1] && !p[2])
7103 {
7104#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
7106 options->mark = atoi_warn(p[1], msglevel);
7107#endif
7108 }
7109 else if (streq(p[0], "socket-flags"))
7110 {
7111 int j;
7113 for (j = 1; j < MAX_PARMS && p[j]; ++j)
7114 {
7115 if (streq(p[j], "TCP_NODELAY"))
7116 {
7118 }
7119 else
7120 {
7121 msg(msglevel, "unknown socket flag: %s", p[j]);
7122 }
7123 }
7124 }
7125#ifdef TARGET_LINUX
7126 else if (streq(p[0], "bind-dev") && p[1])
7127 {
7129 options->bind_dev = p[1];
7130 }
7131#endif
7132 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
7133 {
7135#ifdef TARGET_LINUX
7136 options->tuntap_options.txqueuelen = positive_atoi(p[1], msglevel);
7137#else
7138 msg(msglevel, "--txqueuelen not supported on this OS");
7139 goto err;
7140#endif
7141 }
7142 else if (streq(p[0], "shaper") && p[1] && !p[2])
7143 {
7145 if (!atoi_constrained(p[1], &options->shaper, p[0], SHAPER_MIN, SHAPER_MAX, msglevel))
7146 {
7147 goto err;
7148 }
7149 }
7150 else if (streq(p[0], "port") && p[1] && !p[2])
7151 {
7154 }
7155 else if (streq(p[0], "lport") && p[1] && !p[2])
7156 {
7158
7159 /* only trigger bind() if port is not 0 (or --local is used) */
7160 if (!streq(p[1], "0"))
7161 {
7163 }
7164 options->ce.local_port = p[1];
7165 }
7166 else if (streq(p[0], "rport") && p[1] && !p[2])
7167 {
7169 options->ce.remote_port = p[1];
7170 }
7171 else if (streq(p[0], "bind") && !p[2])
7172 {
7174 options->ce.bind_defined = true;
7175 if (p[1] && streq(p[1], "ipv6only"))
7176 {
7177 options->ce.bind_ipv6_only = true;
7178 }
7179 }
7180 else if (streq(p[0], "nobind") && !p[1])
7181 {
7183 options->ce.bind_local = false;
7184 }
7185 else if (streq(p[0], "fast-io") && !p[1])
7186 {
7188 options->fast_io = true;
7189 }
7190 else if (streq(p[0], "inactive") && p[1] && !p[3])
7191 {
7193 options->inactivity_timeout = positive_atoi(p[1], msglevel);
7194 if (p[2])
7195 {
7196 int64_t val = atoll(p[2]);
7197 options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
7198 if (options->inactivity_minimum_bytes > INT_MAX)
7199 {
7200 msg(M_WARN,
7201 "WARNING: '--inactive' with a 'bytes' value"
7202 " >2 Gbyte was silently ignored in older versions. If "
7203 " your VPN exits unexpectedly with 'Inactivity timeout'"
7204 " in %d seconds, revisit this value.",
7206 }
7207 }
7208 }
7209 else if (streq(p[0], "session-timeout") && p[1] && !p[2])
7210 {
7212 options->session_timeout = positive_atoi(p[1], msglevel);
7213 }
7214 else if (streq(p[0], "proto") && p[1] && !p[2])
7215 {
7216 int proto;
7219 proto = ascii2proto(p[1]);
7220 af = ascii2af(p[1]);
7221 if (proto < 0)
7222 {
7223 msg(msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s", p[1],
7225 goto err;
7226 }
7227 options->ce.proto = proto;
7228 options->ce.af = af;
7229 }
7230 else if (streq(p[0], "proto-force") && p[1] && !p[2])
7231 {
7232 int proto_force;
7234 proto_force = ascii2proto(p[1]);
7235 if (proto_force < 0)
7236 {
7237 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
7238 goto err;
7239 }
7240 options->proto_force = proto_force;
7241 }
7242 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
7243 {
7244 struct http_proxy_options *ho;
7245
7247
7248 {
7249 if (!p[2])
7250 {
7251 msg(msglevel, "http-proxy port number not defined");
7252 goto err;
7253 }
7254
7256
7257 ho->server = p[1];
7258 ho->port = p[2];
7259 }
7260
7261 if (p[3])
7262 {
7263 /* auto -- try to figure out proxy addr, port, and type automatically */
7264 /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
7265 if (streq(p[3], "auto"))
7266 {
7267 ho->auth_retry = PAR_ALL;
7268 }
7269 else if (streq(p[3], "auto-nct"))
7270 {
7271 ho->auth_retry = PAR_NCT;
7272 }
7273 else
7274 {
7275 ho->auth_method_string = "basic";
7276 ho->auth_file = p[3];
7277
7278 if (p[4])
7279 {
7280 ho->auth_method_string = p[4];
7281 }
7282 }
7283 }
7284 else
7285 {
7286 ho->auth_method_string = "none";
7287 }
7288 }
7289 else if (streq(p[0], "http-proxy-user-pass") && p[1])
7290 {
7291 struct http_proxy_options *ho;
7294 ho->auth_file_up = p[1];
7295 ho->inline_creds = is_inline;
7296 }
7297 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
7298 {
7300 msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
7301 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
7302 "Use connect-retry-max 1 to get a similar behavior as before.");
7303 }
7304 else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
7305 {
7307 msg(M_WARN,
7308 "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
7309 "server is established is managed with a single timeout set by connect-timeout");
7310 }
7311 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
7312 {
7313 struct http_proxy_options *ho;
7314
7317
7318 if (streq(p[1], "VERSION") && p[2] && !p[3])
7319 {
7320 ho->http_version = p[2];
7321 }
7322 else if (streq(p[1], "AGENT") && p[2] && !p[3])
7323 {
7324 ho->user_agent = p[2];
7325 }
7326 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
7327 && p[2])
7328 {
7329 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
7330 * with either two argument or one */
7331
7332 struct http_custom_header *custom_header = NULL;
7333 int i;
7334 /* Find the first free header */
7335 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
7336 {
7337 if (!ho->custom_headers[i].name)
7338 {
7339 custom_header = &ho->custom_headers[i];
7340 break;
7341 }
7342 }
7343 if (!custom_header)
7344 {
7345 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'",
7347 }
7348 else
7349 {
7350 /* We will save p[2] and p[3], the proxy code will detect if
7351 * p[3] is NULL */
7352 custom_header->name = p[2];
7353 custom_header->content = p[3];
7354 }
7355 }
7356 else
7357 {
7358 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
7359 }
7360 }
7361 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
7362 {
7364
7365 if (p[2])
7366 {
7367 options->ce.socks_proxy_port = p[2];
7368 }
7369 else
7370 {
7371 options->ce.socks_proxy_port = "1080";
7372 }
7374 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
7375 }
7376 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
7377 {
7379 options->keepalive_ping = atoi_warn(p[1], msglevel);
7380 options->keepalive_timeout = atoi_warn(p[2], msglevel);
7381 }
7382 else if (streq(p[0], "ping") && p[1] && !p[2])
7383 {
7385 options->ping_send_timeout = positive_atoi(p[1], msglevel);
7386 }
7387 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
7388 {
7390 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
7392 }
7393 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
7394 {
7396 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
7398 }
7399 else if (streq(p[0], "ping-timer-rem") && !p[1])
7400 {
7402 options->ping_timer_remote = true;
7403 }
7404 else if (streq(p[0], "explicit-exit-notify") && !p[2])
7405 {
7407 if (p[1])
7408 {
7410 }
7411 else
7412 {
7414 }
7415 }
7416 else if (streq(p[0], "persist-tun") && !p[1])
7417 {
7419 options->persist_tun = true;
7420 }
7421 else if (streq(p[0], "persist-key") && !p[1])
7422 {
7424 msg(M_WARN, "DEPRECATED: --persist-key option ignored. "
7425 "Keys are now always persisted across restarts. ");
7426 }
7427 else if (streq(p[0], "persist-local-ip") && !p[1])
7428 {
7430 options->persist_local_ip = true;
7431 }
7432 else if (streq(p[0], "persist-remote-ip") && !p[1])
7433 {
7435 options->persist_remote_ip = true;
7436 }
7437 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
7438 {
7441 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
7442 }
7443 else if (streq(p[0], "route-table") && p[1] && !p[2])
7444 {
7445#ifndef ENABLE_SITNL
7446 msg(M_WARN, "NOTE: --route-table is supported only on Linux when SITNL is built-in");
7447#endif
7449 options->route_default_table_id = positive_atoi(p[1], msglevel);
7450 }
7451 else if (streq(p[0], "route") && p[1] && !p[5])
7452 {
7454 if (!check_route_option(options, p, msglevel, pull_mode))
7455 {
7456 goto err;
7457 }
7458 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4],
7460 }
7461 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
7462 {
7464 if (!check_route6_option(options, p, msglevel, pull_mode))
7465 {
7466 goto err;
7467 }
7470 }
7471 else if (streq(p[0], "max-routes") && !p[2])
7472 {
7473 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. "
7474 "The number of routes is unlimited as of OpenVPN 2.4. "
7475 "This option will be removed in a future version, "
7476 "please remove it from your configuration.");
7477 }
7478 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
7479 {
7481 if (streq(p[1], "dhcp"))
7482 {
7484 }
7485 else
7486 {
7488 || is_special_addr(p[1])) /* FQDN -- may be DNS name */
7489 {
7491 }
7492 else
7493 {
7494 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
7495 goto err;
7496 }
7497 }
7498 }
7499 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
7500 {
7501 if (ipv6_addr_safe(p[1]))
7502 {
7504 }
7505 else
7506 {
7507 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
7508 goto err;
7509 }
7510 }
7511 else if (streq(p[0], "route-metric") && p[1] && !p[2])
7512 {
7514 options->route_default_metric = positive_atoi(p[1], msglevel);
7515 }
7516 else if (streq(p[0], "route-delay") && !p[3])
7517 {
7520 if (p[1])
7521 {
7522 options->route_delay = positive_atoi(p[1], msglevel);
7523 if (p[2])
7524 {
7525 options->route_delay_window = positive_atoi(p[2], msglevel);
7526 }
7527 }
7528 else
7529 {
7530 options->route_delay = 0;
7531 }
7532 }
7533 else if (streq(p[0], "route-up") && p[1])
7534 {
7536 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7537 {
7538 goto err;
7539 }
7540 set_user_script(options, &options->route_script, p[1], "route-up", false);
7541 }
7542 else if (streq(p[0], "route-pre-down") && p[1])
7543 {
7545 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7546 {
7547 goto err;
7548 }
7549 set_user_script(options, &options->route_predown_script, p[1], "route-pre-down", true);
7550 }
7551 else if (streq(p[0], "route-noexec") && !p[1])
7552 {
7554 options->route_noexec = true;
7555 }
7556 else if (streq(p[0], "route-nopull") && !p[1])
7557 {
7559 options->route_nopull = true;
7560 }
7561 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
7562 {
7563 struct pull_filter *f;
7566
7567 if (strcmp("accept", p[1]) == 0)
7568 {
7569 f->type = PUF_TYPE_ACCEPT;
7570 }
7571 else if (strcmp("ignore", p[1]) == 0)
7572 {
7573 f->type = PUF_TYPE_IGNORE;
7574 }
7575 else if (strcmp("reject", p[1]) == 0)
7576 {
7577 f->type = PUF_TYPE_REJECT;
7578 }
7579 else
7580 {
7581 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
7582 goto err;
7583 }
7584 f->pattern = p[2];
7585 f->size = strlen(p[2]);
7586 }
7587 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
7588 {
7590 options->allow_pull_fqdn = true;
7591 }
7592 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7593 {
7594 int j;
7597
7598 if (options->routes->flags & RG_ENABLE)
7599 {
7600 msg(M_WARN, "WARNING: You have specified redirect-gateway and "
7601 "redirect-private at the same time (or the same option "
7602 "multiple times). This is not well supported and may lead to "
7603 "unexpected results");
7604 }
7605
7607
7608 if (streq(p[0], "redirect-gateway"))
7609 {
7611 }
7612 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7613 {
7614 if (streq(p[j], "local"))
7615 {
7617 }
7618 else if (streq(p[j], "autolocal"))
7619 {
7621 }
7622 else if (streq(p[j], "def1"))
7623 {
7625 }
7626 else if (streq(p[j], "bypass-dhcp"))
7627 {
7629 }
7630 else if (streq(p[j], "bypass-dns"))
7631 {
7633 }
7634 else if (streq(p[j], "block-local"))
7635 {
7637 }
7638 else if (streq(p[j], "ipv6"))
7639 {
7642 }
7643 else if (streq(p[j], "!ipv4"))
7644 {
7646 }
7647 else
7648 {
7649 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7650 goto err;
7651 }
7652 }
7654 {
7655 setenv_int(es, "route_redirect_gateway_ipv4",
7656 options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
7657 }
7659 {
7660 setenv_int(es, "route_redirect_gateway_ipv6",
7661 options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
7662 }
7663#ifdef _WIN32
7664 /* we need this here to handle pushed --redirect-gateway */
7666#endif
7667 }
7668 else if (streq(p[0], "block-ipv6") && !p[1])
7669 {
7671 options->block_ipv6 = true;
7672 }
7673 else if (streq(p[0], "remote-random-hostname") && !p[1])
7674 {
7677 }
7678 else if (streq(p[0], "setenv") && p[1] && !p[3])
7679 {
7681 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7682 {
7684 }
7685 else if (streq(p[1], "GENERIC_CONFIG"))
7686 {
7687 msg(msglevel, "this is a generic configuration and cannot directly be used");
7688 goto err;
7689 }
7690 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7691 {
7692 options->push_peer_info = true;
7693 }
7694 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7695 {
7696 options->ce.connect_timeout = positive_atoi(p[2], msglevel);
7697 }
7698 else
7699 {
7700 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7701 {
7703 msglevel_fc = msglevel_forward_compatible(options, msglevel);
7704 }
7705 setenv_str(es, p[1], p[2] ? p[2] : "");
7706 }
7707 }
7708 else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7709 {
7710 unsigned int major, minor, patch;
7711 if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7712 {
7713 msg(msglevel, "cannot parse version number for --compat-mode: %s", p[1]);
7714 goto err;
7715 }
7716
7717 options->backwards_compatible = major * 10000 + minor * 100 + patch;
7718 }
7719 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7720 {
7722 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7723 }
7724 else if (streq(p[0], "script-security") && p[1] && !p[2])
7725 {
7727 int security;
7728 if (atoi_constrained(p[1], &security, p[0], SSEC_NONE, SSEC_PW_ENV, msglevel))
7729 {
7730 script_security_set(security);
7731 }
7732 }
7733 else if (streq(p[0], "mssfix") && !p[3])
7734 {
7736 if (p[1])
7737 {
7738 int mssfix = positive_atoi(p[1], msglevel);
7739 /* can be 0, but otherwise it needs to be high enough so we can
7740 * substract room for headers. */
7741 if (mssfix != 0 && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
7742 {
7743 msg(msglevel, "--mssfix value '%s' is invalid", p[1]);
7744 goto err;
7745 }
7746
7747 /* value specified, assume encapsulation is not
7748 * included unless "mtu" follows later */
7749 options->ce.mssfix = mssfix;
7750 options->ce.mssfix_encap = false;
7751 options->ce.mssfix_default = false;
7752 }
7753 else
7754 {
7755 /* Set MTU to default values */
7756 options->ce.mssfix_default = true;
7757 options->ce.mssfix_encap = true;
7758 options->ce.mssfix_fixed = false;
7759 }
7760
7761 if (p[2] && streq(p[2], "mtu"))
7762 {
7763 options->ce.mssfix_encap = true;
7764 }
7765 else if (p[2] && streq(p[2], "fixed"))
7766 {
7767 options->ce.mssfix_fixed = true;
7768 }
7769 else if (p[2])
7770 {
7771 msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7772 }
7773 }
7774 else if (streq(p[0], "disable-occ") && !p[1])
7775 {
7777 options->occ = false;
7778 }
7779 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7780 {
7781 const int lev = M_WARN;
7782 bool error = false;
7783 in_addr_t network, netmask;
7784
7786 network = get_ip_addr(p[1], lev, &error);
7787 netmask = get_ip_addr(p[2], lev, &error);
7788 if (error || !network || !netmask)
7789 {
7790 msg(msglevel, "error parsing --server parameters");
7791 goto err;
7792 }
7793 options->server_defined = true;
7794 options->server_network = network;
7795 options->server_netmask = netmask;
7796
7797 if (p[3])
7798 {
7799 if (streq(p[3], "nopool"))
7800 {
7802 }
7803 else
7804 {
7805 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7806 goto err;
7807 }
7808 }
7809 }
7810 else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7811 {
7812 const int lev = M_WARN;
7813 struct in6_addr network;
7814 unsigned int netbits = 0;
7815
7817 if (!get_ipv6_addr(p[1], &network, &netbits, lev))
7818 {
7819 msg(msglevel, "error parsing --server-ipv6 parameter");
7820 goto err;
7821 }
7822 if (netbits < 64 || netbits > 124)
7823 {
7824 msg(msglevel, "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7825 netbits);
7826
7827 goto err;
7828 }
7830 options->server_network_ipv6 = network;
7831 options->server_netbits_ipv6 = netbits;
7832 }
7833 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7834 {
7835 const int lev = M_WARN;
7836 bool error = false;
7837 in_addr_t ip, netmask, pool_start, pool_end;
7838
7840 ip = get_ip_addr(p[1], lev, &error);
7841 netmask = get_ip_addr(p[2], lev, &error);
7842 pool_start = get_ip_addr(p[3], lev, &error);
7843 pool_end = get_ip_addr(p[4], lev, &error);
7844 if (error || !ip || !netmask || !pool_start || !pool_end)
7845 {
7846 msg(msglevel, "error parsing --server-bridge parameters");
7847 goto err;
7848 }
7851 options->server_bridge_netmask = netmask;
7852 options->server_bridge_pool_start = pool_start;
7853 options->server_bridge_pool_end = pool_end;
7854 }
7855 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7856 {
7860 }
7861 else if (streq(p[0], "server-bridge") && !p[1])
7862 {
7865 }
7866 else if (streq(p[0], "push") && p[1] && !p[2])
7867 {
7869 push_options(options, &p[1], msglevel, &options->gc);
7870 }
7871 else if (streq(p[0], "push-reset") && !p[1])
7872 {
7875 }
7876 else if (streq(p[0], "push-remove") && p[1] && !p[2])
7877 {
7879 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7881 }
7882 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7883 {
7884 const int lev = M_WARN;
7885 bool error = false;
7886 in_addr_t start, end, netmask = 0;
7887
7889 start = get_ip_addr(p[1], lev, &error);
7890 end = get_ip_addr(p[2], lev, &error);
7891 if (p[3])
7892 {
7893 netmask = get_ip_addr(p[3], lev, &error);
7894 }
7895 if (error)
7896 {
7897 msg(msglevel, "error parsing --ifconfig-pool parameters");
7898 goto err;
7899 }
7900 if (!ifconfig_pool_verify_range(msglevel, start, end))
7901 {
7902 goto err;
7903 }
7904
7908 if (netmask)
7909 {
7910 options->ifconfig_pool_netmask = netmask;
7911 }
7912 }
7913 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7914 {
7917 if (p[2])
7918 {
7920 }
7921 }
7922 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7923 {
7924 const int lev = M_WARN;
7925 struct in6_addr network;
7926 unsigned int netbits = 0;
7927
7929 if (!get_ipv6_addr(p[1], &network, &netbits, lev))
7930 {
7931 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7932 goto err;
7933 }
7934 if (netbits < 64 || netbits > 124)
7935 {
7936 msg(msglevel,
7937 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7938 netbits);
7939 goto err;
7940 }
7941
7945 }
7946 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7947 {
7948 int real, virtual;
7949
7951 if (!atoi_constrained(p[1], &real, "hash-size real", 1, INT_MAX, msglevel)
7952 || !atoi_constrained(p[2], &virtual, "hash-size virtual", 1, INT_MAX, msglevel))
7953 {
7954 goto err;
7955 }
7956 options->real_hash_size = real;
7957 options->virtual_hash_size = virtual;
7958 }
7959 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7960 {
7961 int cf_max, cf_per;
7962
7964 if (!atoi_constrained(p[1], &cf_max, "connect-freq n", 1, INT_MAX, msglevel)
7965 || !atoi_constrained(p[2], &cf_per, "connect-freq seconds", 1, INT_MAX, msglevel))
7966 {
7967 goto err;
7968 }
7969 options->cf_max = cf_max;
7970 options->cf_per = cf_per;
7971 }
7972 else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7973 {
7974 int cf_max, cf_per;
7975
7977 if (!atoi_constrained(p[1], &cf_max, "connect-freq-initial n", 1, INT_MAX, msglevel)
7978 || !atoi_constrained(p[2], &cf_per, "connect-freq-initial seconds", 1, INT_MAX, msglevel))
7979 {
7980 goto err;
7981 }
7982 options->cf_initial_max = cf_max;
7983 options->cf_initial_per = cf_per;
7984 }
7985 else if (streq(p[0], "max-clients") && p[1] && !p[2])
7986 {
7988 if (!atoi_constrained(p[1], &options->max_clients, p[0], 1, MAX_PEER_ID, msglevel))
7989 {
7990 goto err;
7991 }
7992 }
7993 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7994 {
7996 options->max_routes_per_client = max_int(positive_atoi(p[1], msglevel), 1);
7997 }
7998 else if (streq(p[0], "client-cert-not-required") && !p[1])
7999 {
8001 msg(M_FATAL,
8002 "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
8003 }
8004 else if (streq(p[0], "verify-client-cert") && !p[2])
8005 {
8007
8008 /* Reset any existing flags */
8009 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
8010 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
8011 if (p[1])
8012 {
8013 if (streq(p[1], "none"))
8014 {
8016 }
8017 else if (streq(p[1], "optional"))
8018 {
8020 }
8021 else if (!streq(p[1], "require"))
8022 {
8023 msg(msglevel,
8024 "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
8025 goto err;
8026 }
8027 }
8028 }
8029 else if (streq(p[0], "username-as-common-name") && !p[1])
8030 {
8033 }
8034 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
8035 {
8038 }
8039 else if (streq(p[0], "opt-verify") && !p[1])
8040 {
8042 msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
8043 "in OpenVPN 2.7");
8045 }
8046 else if (streq(p[0], "auth-user-pass-verify") && p[1])
8047 {
8049 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
8050 {
8051 goto err;
8052 }
8053 if (p[2])
8054 {
8055 if (streq(p[2], "via-env"))
8056 {
8058 }
8059 else if (streq(p[2], "via-file"))
8060 {
8062 }
8063 else
8064 {
8065 msg(msglevel,
8066 "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
8067 goto err;
8068 }
8069 }
8070 else
8071 {
8072 msg(msglevel,
8073 "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
8074 goto err;
8075 }
8077 "auth-user-pass-verify", true);
8078 }
8079 else if (streq(p[0], "auth-gen-token"))
8080 {
8083 options->auth_token_lifetime = p[1] ? positive_atoi(p[1], msglevel) : 0;
8084
8085 for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
8086 {
8087 /* the second parameter can be the renewal time */
8088 if (i == 2 && valid_integer(p[i], true))
8089 {
8090 options->auth_token_renewal = positive_atoi(p[i], msglevel);
8091 }
8092 else if (streq(p[i], "external-auth"))
8093 {
8095 }
8096 else
8097 {
8098 msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
8099 }
8100 }
8101 }
8102 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
8103 {
8107 }
8108 else if (streq(p[0], "client-connect") && p[1])
8109 {
8111 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8112 {
8113 goto err;
8114 }
8115 set_user_script(options, &options->client_connect_script, p[1], "client-connect", true);
8116 }
8117 else if (streq(p[0], "client-crresponse") && p[1])
8118 {
8120 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8121 {
8122 goto err;
8123 }
8124 set_user_script(options, &options->client_crresponse_script, p[1], "client-crresponse",
8125 true);
8126 }
8127 else if (streq(p[0], "client-disconnect") && p[1])
8128 {
8130 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8131 {
8132 goto err;
8133 }
8134 set_user_script(options, &options->client_disconnect_script, p[1], "client-disconnect",
8135 true);
8136 }
8137 else if (streq(p[0], "learn-address") && p[1])
8138 {
8140 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8141 {
8142 goto err;
8143 }
8144 set_user_script(options, &options->learn_address_script, p[1], "learn-address", true);
8145 }
8146 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
8147 {
8149 options->tmp_dir = p[1];
8150 }
8151 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
8152 {
8154 options->client_config_dir = p[1];
8155 }
8156 else if (streq(p[0], "ccd-exclusive") && !p[1])
8157 {
8159 options->ccd_exclusive = true;
8160 }
8161 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
8162 {
8164 atoi_constrained(p[1], &options->n_bcast_buf, p[0], 1, INT_MAX, msglevel);
8165 }
8166 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
8167 {
8169 atoi_constrained(p[1], &options->tcp_queue_limit, p[0], 1, INT_MAX, msglevel);
8170 }
8171#if PORT_SHARE
8172 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
8173 {
8175 options->port_share_host = p[1];
8176 options->port_share_port = p[2];
8177 options->port_share_journal_dir = p[3];
8178 }
8179#endif
8180 else if (streq(p[0], "client-to-client") && !p[1])
8181 {
8183 options->enable_c2c = true;
8184 }
8185 else if (streq(p[0], "duplicate-cn") && !p[1])
8186 {
8188 options->duplicate_cn = true;
8189 }
8190 else if (streq(p[0], "iroute") && p[1] && !p[3])
8191 {
8193 option_iroute(options, p[1], p[2], msglevel);
8194 }
8195 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
8196 {
8198 option_iroute_ipv6(options, p[1], msglevel);
8199 }
8200 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
8201 {
8202 in_addr_t local, remote_netmask;
8203
8205 local = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
8206 remote_netmask = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[2], 0, NULL, NULL);
8207 if (local && remote_netmask)
8208 {
8211 options->push_ifconfig_remote_netmask = remote_netmask;
8212 if (p[3])
8213 {
8215 getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[3], 0, NULL, NULL);
8216 }
8217 }
8218 else
8219 {
8220 msg(msglevel, "cannot parse --ifconfig-push addresses");
8221 goto err;
8222 }
8223 }
8224 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
8225 {
8226 in_addr_t network, netmask;
8227
8229 network = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
8230 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
8231 if (network && netmask)
8232 {
8236 }
8237 else
8238 {
8239 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
8240 goto err;
8241 }
8242 }
8243 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
8244 {
8245 struct in6_addr local, remote;
8246 unsigned int netbits;
8247
8249
8250 if (!get_ipv6_addr(p[1], &local, &netbits, msglevel))
8251 {
8252 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
8253 goto err;
8254 }
8255
8256 if (p[2])
8257 {
8258 if (!get_ipv6_addr(p[2], &remote, NULL, msglevel))
8259 {
8260 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
8261 goto err;
8262 }
8263 }
8264 else
8265 {
8267 || !get_ipv6_addr(options->ifconfig_ipv6_local, &remote, NULL, msglevel))
8268 {
8269 msg(msglevel,
8270 "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
8271 goto err;
8272 }
8273 }
8274
8280 }
8281 else if (streq(p[0], "disable") && !p[1])
8282 {
8284 options->disable = true;
8285 }
8286 else if (streq(p[0], "override-username") && p[1] && !p[2])
8287 {
8289 if (strlen(p[1]) > USER_PASS_LEN)
8290 {
8291 msg(msglevel,
8292 "override-username exceeds the maximum length of %d "
8293 "characters",
8295
8296 /* disable the connection since ignoring the request to
8297 * set another username might cause serious problems */
8298 options->disable = true;
8299 }
8300 else
8301 {
8302 options->override_username = p[1];
8303 }
8304 }
8305 else if (streq(p[0], "tcp-nodelay") && !p[1])
8306 {
8309 }
8310 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
8311 {
8312 int ageing_time, check_interval;
8313
8315 if (!atoi_constrained(p[1], &ageing_time, "stale-routes-check age", 1, INT_MAX, msglevel))
8316 {
8317 goto err;
8318 }
8319
8320 if (p[2])
8321 {
8322 if (!atoi_constrained(p[2], &check_interval,
8323 "stale-routes-check interval", 1, INT_MAX, msglevel))
8324 {
8325 goto err;
8326 }
8327 }
8328 else
8329 {
8330 check_interval = ageing_time;
8331 }
8332
8333 options->stale_routes_ageing_time = ageing_time;
8334 options->stale_routes_check_interval = check_interval;
8335 }
8336
8337 else if (streq(p[0], "client") && !p[1])
8338 {
8340 options->client = true;
8341 }
8342 else if (streq(p[0], "pull") && !p[1])
8343 {
8345 options->pull = true;
8346 }
8347 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
8348 {
8350 atoi_constrained(p[1], &options->push_continuation, p[0], 0, 2, msglevel);
8351 }
8352 else if (streq(p[0], "auth-user-pass") && !p[2])
8353 {
8355 if (p[1])
8356 {
8359 }
8360 else
8361 {
8362 options->auth_user_pass_file = "stdin";
8363 }
8364 }
8365 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
8366 {
8368 auth_retry_set(msglevel, p[1]);
8369 }
8370#ifdef ENABLE_MANAGEMENT
8371 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[4])
8372 {
8375 if (atoi_warn(p[2], msglevel))
8376 {
8378 }
8379 if (p[3] && streq(p[3], "concat"))
8380 {
8382 }
8383 else if (p[3] && !streq(p[3], "scrv1"))
8384 {
8385 msg(msglevel, "--static-challenge: unknown format indicator '%s'", p[3]);
8386 goto err;
8387 }
8388 }
8389#endif
8390 else if (streq(p[0], "msg-channel") && p[1])
8391 {
8392#ifdef _WIN32
8394 HANDLE process = GetCurrentProcess();
8395 HANDLE handle = (HANDLE)((intptr_t)atoll(p[1]));
8396 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0, FALSE,
8397 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
8398 {
8399 msg(msglevel, "could not duplicate service pipe handle");
8400 goto err;
8401 }
8403#else /* ifdef _WIN32 */
8404 msg(msglevel, "--msg-channel is only supported on Windows");
8405 goto err;
8406#endif
8407 }
8408#ifdef _WIN32
8409 else if (streq(p[0], "win-sys") && p[1] && !p[2])
8410 {
8412 if (streq(p[1], "env"))
8413 {
8414 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
8415 "This entry will now be ignored. "
8416 "Please remove this entry from your configuration file.");
8417 }
8418 else
8419 {
8420 set_win_sys_path(p[1], es);
8421 }
8422 }
8423 else if (streq(p[0], "route-method") && p[1] && !p[2])
8424 {
8426 if (streq(p[1], "adaptive"))
8427 {
8429 }
8430 else if (streq(p[1], "ipapi"))
8431 {
8433 }
8434 else if (streq(p[1], "exe"))
8435 {
8437 }
8438 else
8439 {
8440 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
8441 goto err;
8442 }
8443 }
8444 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
8445 {
8446 const int index = ascii2ipset(p[1]);
8447 struct tuntap_options *to = &options->tuntap_options;
8448
8450
8451 if (index < 0)
8452 {
8453 msg(msglevel, "Bad --ip-win32 method: '%s'. Allowed methods: %s", p[1],
8455 goto err;
8456 }
8457
8458 if (index == IPW32_SET_ADAPTIVE)
8459 {
8461 }
8462
8463 if (index == IPW32_SET_DHCP_MASQ)
8464 {
8465 if (p[2])
8466 {
8467 if (!streq(p[2], "default"))
8468 {
8469 int offset;
8470
8471 if (!atoi_constrained(p[2], &offset, "ip-win32 offset", -256, 256, msglevel))
8472 {
8473 goto err;
8474 }
8475 to->dhcp_masq_custom_offset = true;
8476 to->dhcp_masq_offset = offset;
8477 }
8478
8479 if (p[3])
8480 {
8481 if (!atoi_constrained(p[3], &to->dhcp_lease_time,
8482 "ip-win32 lease time", 30, INT_MAX, msglevel))
8483 {
8484 goto err;
8485 }
8486 }
8487 }
8488 }
8489 to->ip_win32_type = index;
8490 to->ip_win32_defined = true;
8491 }
8492#endif /* ifdef _WIN32 */
8493 else if (streq(p[0], "dns-updown") && p[1])
8494 {
8496 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8497 {
8498 goto err;
8499 }
8500 struct dns_options *dns = &options->dns_options;
8501 if (streq(p[1], "disable"))
8502 {
8503 dns->updown = NULL;
8505 }
8506 else if (streq(p[1], "force"))
8507 {
8508 /* force dns-updown run, even if a --up script is defined */
8509 if (!dns_updown_user_set(dns))
8510 {
8511 dns->updown = DEFAULT_DNS_UPDOWN;
8513 }
8514 }
8515 else
8516 {
8517 if (streq(dns->updown, DEFAULT_DNS_UPDOWN))
8518 {
8519 /* Unset the default command to prevent warnings */
8520 dns->updown = NULL;
8521 }
8522 set_user_script(options, &dns->updown, p[1], p[0], false);
8524 }
8525 }
8526 else if (streq(p[0], "dns") && p[1])
8527 {
8529 if (!check_dns_option(options, p, msglevel, pull_mode))
8530 {
8531 goto err;
8532 }
8533 }
8534 else if (streq(p[0], "dhcp-option") && p[1])
8535 {
8537#if defined(_WIN32) || defined(TARGET_ANDROID)
8539#endif
8541
8542 bool dhcp_optional = false;
8543
8544 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX")) && p[2] && !p[3])
8545 {
8546 dhcp->domain = p[2];
8547 dhcp_optional = true;
8548 }
8549 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
8550 {
8551 if (dhcp->domain_search_list_len < N_SEARCH_LIST_LEN)
8552 {
8553 dhcp->domain_search_list[dhcp->domain_search_list_len++] = p[2];
8554 }
8555 else
8556 {
8557 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
8558 p[1], N_SEARCH_LIST_LEN);
8559 }
8560 dhcp_optional = true;
8561 }
8562 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
8563 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
8564 {
8565 if (strstr(p[2], ":"))
8566 {
8567 dhcp_option_dns6_parse(p[2], dhcp->dns6, &dhcp->dns6_len, msglevel);
8568 }
8569 else
8570 {
8571 dhcp_option_address_parse("DNS", p[2], dhcp->dns, &dhcp->dns_len, msglevel);
8572 dhcp_optional = true;
8573 }
8574 }
8575#if defined(_WIN32) || defined(TARGET_ANDROID)
8576 else if (streq(p[1], "NBS") && p[2] && !p[3])
8577 {
8578 o->netbios_scope = p[2];
8580 }
8581 else if (streq(p[1], "NBT") && p[2] && !p[3])
8582 {
8583 int t = atoi_warn(p[2], msglevel);
8584 if (!(t == 1 || t == 2 || t == 4 || t == 8))
8585 {
8586 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8587 goto err;
8588 }
8589 o->netbios_node_type = t;
8591 }
8592 else if (streq(p[1], "WINS") && p[2] && !p[3])
8593 {
8594 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8596 }
8597 else if (streq(p[1], "NTP") && p[2] && !p[3])
8598 {
8599 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8601 }
8602 else if (streq(p[1], "NBDD") && p[2] && !p[3])
8603 {
8604 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8606 }
8607 else if (streq(p[1], "DISABLE-NBT") && !p[2])
8608 {
8609 o->disable_nbt = 1;
8611 }
8612#if defined(TARGET_ANDROID)
8613 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8614 {
8615 o->http_proxy_port = positive_atoi(p[3], msglevel);
8616 o->http_proxy = p[2];
8617 }
8618#endif
8619 else
8620 {
8621 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter",
8622 p[1]);
8623 goto err;
8624 }
8625#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8626 setenv_foreign_option(options, p[1], p[2], es);
8627#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8628
8629 if (dhcp_optional)
8630 {
8631#if defined(_WIN32) || defined(TARGET_ANDROID)
8633#endif
8634 }
8635 }
8636#ifdef _WIN32
8637 else if (streq(p[0], "show-adapters") && !p[1])
8638 {
8641 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8642 }
8643 else if (streq(p[0], "show-net") && !p[1])
8644 {
8648 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8649 }
8650 else if (streq(p[0], "show-net-up") && !p[1])
8651 {
8653 options->show_net_up = true;
8654 }
8655 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8656 {
8658 if (!atoi_constrained(p[1], &options->tuntap_options.tap_sleep, p[0], 0, 255, msglevel))
8659 {
8660 goto err;
8661 }
8662 }
8663 else if (streq(p[0], "dhcp-renew") && !p[1])
8664 {
8667 }
8668 else if (streq(p[0], "dhcp-pre-release") && !p[1])
8669 {
8673 }
8674 else if (streq(p[0], "dhcp-release") && !p[1])
8675 {
8676 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8677 }
8678 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8679 {
8680 unsigned int adapter_index;
8683 adapter_index = atou(p[1]);
8686 {
8687 dhcp_release_by_adapter_index(adapter_index);
8688 }
8690 {
8691 dhcp_renew_by_adapter_index(adapter_index);
8692 }
8693 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8694 }
8695 else if (streq(p[0], "register-dns") && !p[1])
8696 {
8699 }
8700 else if (streq(p[0], "block-outside-dns") && !p[1])
8701 {
8703 options->block_outside_dns = true;
8704 }
8705 else if (streq(p[0], "rdns-internal") && !p[1])
8706 /* standalone method for internal use
8707 *
8708 * (if --register-dns is set, openvpn needs to call itself in a
8709 * sub-process to execute the required functions in a non-blocking
8710 * way, and uses --rdns-internal to signal that to itself)
8711 */
8712 {
8716 {
8718 }
8719 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8720 }
8721 else if (streq(p[0], "show-valid-subnets") && !p[1])
8722 {
8725 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8726 }
8727 else if (streq(p[0], "pause-exit") && !p[1])
8728 {
8731 }
8732 else if (streq(p[0], "service") && p[1] && !p[3])
8733 {
8735 options->exit_event_name = p[1];
8736 if (p[2])
8737 {
8738 options->exit_event_initial_state = (atoi_warn(p[2], msglevel) != 0);
8739 }
8740 }
8741 else if (streq(p[0], "allow-nonadmin") && !p[2])
8742 {
8745 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8746 }
8747 else if (streq(p[0], "user") && p[1] && !p[2])
8748 {
8750 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8751 }
8752 else if (streq(p[0], "group") && p[1] && !p[2])
8753 {
8755 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8756 }
8757#else /* ifdef _WIN32 */
8758 else if (streq(p[0], "user") && p[1] && !p[2])
8759 {
8761 options->username = p[1];
8762 }
8763 else if (streq(p[0], "group") && p[1] && !p[2])
8764 {
8766 options->groupname = p[1];
8767 }
8768 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8769 {
8771 setenv_foreign_option(options, p[1], p[2], es);
8772 }
8773 else if (streq(p[0], "route-method") && p[1] && !p[2])
8774 {
8776 /* ignore when pushed to non-Windows OS */
8777 }
8778#endif /* ifdef _WIN32 */
8779#if PASSTOS_CAPABILITY
8780 else if (streq(p[0], "passtos") && !p[1])
8781 {
8783 options->passtos = true;
8784 }
8785#endif
8786 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8787 {
8789
8790 if (streq(p[1], "no"))
8791 {
8794 {
8795 msg(msglevel, "'--allow-compression no' conflicts with "
8796 " enabling compression");
8797 }
8798 }
8800 {
8801 /* Also printed on a push to hint at configuration problems */
8802 msg(msglevel,
8803 "Cannot set allow-compression to '%s' "
8804 "after set to 'no'",
8805 p[1]);
8806 goto err;
8807 }
8808 else if (streq(p[1], "asym"))
8809 {
8811 }
8812 else if (streq(p[1], "yes"))
8813 {
8814 msg(M_WARN,
8815 "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. "
8816 "We will use \"asym\" mode instead. See the manual page for more information.");
8817
8819 }
8820 else
8821 {
8822 msg(msglevel,
8823 "bad allow-compression option: %s -- "
8824 "must be 'yes', 'no', or 'asym'",
8825 p[1]);
8826 goto err;
8827 }
8828 }
8829 else if (streq(p[0], "comp-lzo") && !p[2])
8830 {
8832
8833 /* All lzo variants do not use swap */
8834 options->comp.flags &= ~COMP_F_SWAP;
8836
8837 if (p[1])
8838 {
8839 if (streq(p[1], "no"))
8840 {
8842 }
8843 /* There is no actual difference anymore between these variants.
8844 * We never compress. On the server side we replace this with
8845 * --compress migrate later anyway.
8846 */
8847 else if (!(streq(p[1], "yes") || streq(p[1], "adaptive")))
8848 {
8849 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'",
8850 p[1]);
8851 goto err;
8852 }
8853 }
8855 }
8856 else if (streq(p[0], "comp-noadapt") && !p[1])
8857 {
8858 /* NO-OP since we never compress anymore */
8859 }
8860 else if (streq(p[0], "compress") && !p[2])
8861 {
8863 const char *alg = "stub";
8864 if (p[1])
8865 {
8866 alg = p[1];
8867 }
8868
8869 if (streq(alg, "stub"))
8870 {
8873 }
8874 else if (streq(alg, "stub-v2"))
8875 {
8878 }
8879 else if (streq(alg, "migrate"))
8880 {
8883 }
8884 else if (streq(alg, "lzo"))
8885 {
8887 options->comp.flags &= ~COMP_F_SWAP;
8888 }
8889 else if (streq(alg, "lz4"))
8890 {
8893 }
8894 else if (streq(alg, "lz4-v2"))
8895 {
8897 }
8898 else
8899 {
8900 msg(msglevel, "bad comp option: %s", alg);
8901 goto err;
8902 }
8903
8905 }
8906 else if (streq(p[0], "show-ciphers") && !p[1])
8907 {
8909 options->show_ciphers = true;
8910 }
8911 else if (streq(p[0], "show-digests") && !p[1])
8912 {
8914 options->show_digests = true;
8915 }
8916 else if (streq(p[0], "show-engines") && !p[1])
8917 {
8919 options->show_engines = true;
8920 }
8921 else if (streq(p[0], "key-direction") && p[1] && !p[2])
8922 {
8923 int key_direction;
8924
8926
8927 key_direction = ascii2keydirection(msglevel, p[1]);
8928 if (key_direction >= 0)
8929 {
8930 if (permission_mask & OPT_P_GENERAL)
8931 {
8932 options->key_direction = key_direction;
8933 }
8934 else if (permission_mask & OPT_P_CONNECTION)
8935 {
8936 options->ce.key_direction = key_direction;
8937 }
8938 }
8939 else
8940 {
8941 goto err;
8942 }
8943 }
8944 else if (streq(p[0], "secret") && p[1] && !p[3])
8945 {
8946 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8950 if (!is_inline && p[2])
8951 {
8952 int key_direction;
8953
8954 key_direction = ascii2keydirection(msglevel, p[2]);
8955 if (key_direction >= 0)
8956 {
8957 options->key_direction = key_direction;
8958 }
8959 else
8960 {
8961 goto err;
8962 }
8963 }
8964 }
8965 else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
8966 {
8969 }
8970 else if (streq(p[0], "genkey") && !p[4])
8971 {
8973 options->genkey = true;
8974 if (!p[1])
8975 {
8977 }
8978 else
8979 {
8980 if (streq(p[1], "secret") || streq(p[1], "tls-auth") || streq(p[1], "tls-crypt"))
8981 {
8983 }
8984 else if (streq(p[1], "tls-crypt-v2-server"))
8985 {
8987 }
8988 else if (streq(p[1], "tls-crypt-v2-client"))
8989 {
8991 if (p[3])
8992 {
8993 options->genkey_extra_data = p[3];
8994 }
8995 }
8996 else if (streq(p[1], "auth-token"))
8997 {
8999 }
9000 else
9001 {
9002 msg(msglevel, "unknown --genkey type: %s", p[1]);
9003 }
9004 }
9005 if (p[2])
9006 {
9007 options->genkey_filename = p[2];
9008 }
9009 }
9010 else if (streq(p[0], "auth") && p[1] && !p[2])
9011 {
9013 options->authname = p[1];
9014 }
9015 else if (streq(p[0], "cipher") && p[1] && !p[2])
9016 {
9018 options->ciphername = p[1];
9019 }
9020 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
9021 {
9023 options->ciphername = p[1];
9025 }
9026 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) && p[1] && !p[2])
9027 {
9029 if (streq(p[0], "ncp-ciphers"))
9030 {
9031 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
9032 " '--data-ciphers' (renamed in OpenVPN 2.5).");
9033 }
9034 options->ncp_ciphers = p[1];
9035 }
9036 else if (streq(p[0], "key-derivation") && p[1])
9037 {
9038 /* NCP only option that is pushed by the server to enable EKM,
9039 * should not be used by normal users in config files*/
9041 if (streq(p[1], "tls-ekm"))
9042 {
9044 }
9045 else
9046 {
9047 msg(msglevel, "Unknown key-derivation method %s", p[1]);
9048 }
9049 }
9050 else if (streq(p[0], "protocol-flags") && p[1])
9051 {
9052 /* NCP only option that is pushed by the server to enable protocol
9053 * features that are negotiated, should not be used by normal users
9054 * in config files */
9056 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
9057 {
9058 if (streq(p[j], "cc-exit"))
9059 {
9061 }
9062 else if (streq(p[j], "tls-ekm"))
9063 {
9065 }
9066 else if (streq(p[j], "dyn-tls-crypt"))
9067 {
9069 }
9070 else if (streq(p[j], "aead-epoch"))
9071 {
9073 }
9074 else
9075 {
9076 msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
9077 }
9078 }
9079 }
9080 else if (streq(p[0], "force-tls-key-material-export"))
9081 {
9084 }
9085 else if (streq(p[0], "prng") && p[1] && !p[3])
9086 {
9087 msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
9088 }
9089 else if (streq(p[0], "no-replay") && !p[1])
9090 {
9092 /* always error out, this breaks the connection */
9093 msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
9094 "Update your configuration.");
9095 }
9096 else if (streq(p[0], "replay-window") && !p[3])
9097 {
9099 if (p[1])
9100 {
9101 if (!atoi_constrained(p[1], &options->replay_window, "replay-window windows size",
9103 {
9104 goto err;
9105 }
9106
9107 if (p[2])
9108 {
9109 if (!atoi_constrained(p[2], &options->replay_time, "replay-window time window",
9111 {
9112 goto err;
9113 }
9114 }
9115 }
9116 else
9117 {
9118 msg(msglevel, "replay-window option is missing window size parameter");
9119 goto err;
9120 }
9121 }
9122 else if (streq(p[0], "mute-replay-warnings") && !p[1])
9123 {
9126 }
9127 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
9128 {
9130 options->packet_id_file = p[1];
9131 }
9132 else if (streq(p[0], "test-crypto") && !p[1])
9133 {
9135 options->test_crypto = true;
9136 }
9137#ifndef ENABLE_CRYPTO_MBEDTLS
9138 else if (streq(p[0], "engine") && !p[2])
9139 {
9141 if (p[1])
9142 {
9143 options->engine = p[1];
9144 }
9145 else
9146 {
9147 options->engine = "auto";
9148 }
9149 }
9150#endif /* ENABLE_CRYPTO_MBEDTLS */
9151 else if (streq(p[0], "providers") && p[1])
9152 {
9153 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
9154 {
9155 options->providers.names[j] = p[j];
9156 }
9157 }
9158#ifdef ENABLE_PREDICTION_RESISTANCE
9159 else if (streq(p[0], "use-prediction-resistance") && !p[1])
9160 {
9162 options->use_prediction_resistance = true;
9163 }
9164#endif
9165 else if (streq(p[0], "show-tls") && !p[1])
9166 {
9168 options->show_tls_ciphers = true;
9169 }
9170 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
9171 {
9173 options->show_curves = true;
9174 }
9175 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
9176 {
9178 msg(M_WARN, "Consider setting groups/curves preference with "
9179 "tls-groups instead of forcing a specific curve with "
9180 "ecdh-curve.");
9181 options->ecdh_curve = p[1];
9182 }
9183 else if (streq(p[0], "tls-server") && !p[1])
9184 {
9186 options->tls_server = true;
9187 }
9188 else if (streq(p[0], "tls-client") && !p[1])
9189 {
9191 options->tls_client = true;
9192 }
9193 else if (streq(p[0], "ca") && p[1] && !p[2])
9194 {
9196 options->ca_file = p[1];
9197 options->ca_file_inline = is_inline;
9198 }
9199#ifndef ENABLE_CRYPTO_MBEDTLS
9200 else if (streq(p[0], "capath") && p[1] && !p[2])
9201 {
9203 options->ca_path = p[1];
9204 }
9205#endif /* ENABLE_CRYPTO_MBEDTLS */
9206 else if (streq(p[0], "dh") && p[1] && !p[2])
9207 {
9209 options->dh_file = p[1];
9210 options->dh_file_inline = is_inline;
9211 }
9212 else if (streq(p[0], "cert") && p[1] && !p[2])
9213 {
9215 options->cert_file = p[1];
9216 options->cert_file_inline = is_inline;
9217 }
9218 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
9219 {
9221 options->extra_certs_file = p[1];
9222 options->extra_certs_file_inline = is_inline;
9223 }
9224 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
9225 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
9226 {
9228
9229 int verify_hash_depth = 0;
9230 if (streq(p[0], "verify-hash"))
9231 {
9232 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
9233 "You should switch to the either use the level 1 certificate as "
9234 "--ca option, use --tls-verify or use --peer-fingerprint");
9235 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
9236 verify_hash_depth = 1;
9237 }
9238
9240
9241 int digest_len = SHA256_DIGEST_LENGTH;
9242
9243 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
9244 {
9245 msg(msglevel,
9246 "ERROR: Setting %s not allowed. --verify-hash and"
9247 " --peer-fingerprint are mutually exclusive",
9248 p[0]);
9249 goto err;
9250 }
9251
9252 if (streq(p[0], "verify-hash"))
9253 {
9254 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
9255 {
9257 digest_len = SHA_DIGEST_LENGTH;
9258 }
9259 else if (p[2] && !streq(p[2], "SHA256"))
9260 {
9261 msg(msglevel,
9262 "invalid or unsupported hashing algorithm: %s "
9263 "(only SHA1 and SHA256 are supported)",
9264 p[2]);
9265 goto err;
9266 }
9267 }
9268
9269 struct verify_hash_list *newlist;
9270 newlist = parse_hash_fingerprint_multiline(p[1], digest_len, msglevel, &options->gc);
9271
9272 /* Append the new list to the end of our current list */
9273 if (!options->verify_hash)
9274 {
9275 options->verify_hash = newlist;
9276 options->verify_hash_depth = verify_hash_depth;
9277 }
9278 else
9279 {
9280 /* since both the old and new list can have multiple entries
9281 * we need to go to the end of one of them to concatenate them */
9282 struct verify_hash_list *listend = options->verify_hash;
9283 while (listend->next)
9284 {
9285 listend = listend->next;
9286 }
9287 listend->next = newlist;
9288 }
9289 }
9290#if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
9291 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
9292 {
9294 options->cryptoapi_cert = p[1];
9295 }
9296#endif
9297 else if (streq(p[0], "key") && p[1] && !p[2])
9298 {
9300 options->priv_key_file = p[1];
9301 options->priv_key_file_inline = is_inline;
9302 }
9303 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
9304 {
9305 int ver;
9307 ver = tls_version_parse(p[1], p[2]);
9308 if (ver == TLS_VER_BAD)
9309 {
9310 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
9311 goto err;
9312 }
9313
9314#ifdef ENABLE_CRYPTO_MBEDTLS
9315 if (ver < TLS_VER_1_2)
9316 {
9317 msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
9318 ver = TLS_VER_1_2;
9319 }
9320#endif
9321
9324 }
9325 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
9326 {
9327 int ver;
9329 ver = tls_version_parse(p[1], NULL);
9330 if (ver == TLS_VER_BAD)
9331 {
9332 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
9333 goto err;
9334 }
9337 }
9338#ifndef ENABLE_CRYPTO_MBEDTLS
9339 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
9340 {
9342 options->pkcs12_file = p[1];
9343 options->pkcs12_file_inline = is_inline;
9344 }
9345#endif /* ENABLE_CRYPTO_MBEDTLS */
9346 else if (streq(p[0], "askpass") && !p[2])
9347 {
9349 if (p[1])
9350 {
9351 options->key_pass_file = p[1];
9352 }
9353 else
9354 {
9355 options->key_pass_file = "stdin";
9356 }
9357 }
9358 else if (streq(p[0], "auth-nocache") && !p[1])
9359 {
9362 }
9363 else if (streq(p[0], "auth-token") && p[1] && !p[2])
9364 {
9366 ssl_set_auth_token(p[1]);
9367#ifdef ENABLE_MANAGEMENT
9368 if (management)
9369 {
9371 }
9372#endif
9373 }
9374 else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
9375 {
9378 }
9379 else if (streq(p[0], "single-session") && !p[1])
9380 {
9382 options->single_session = true;
9383 }
9384 else if (streq(p[0], "push-peer-info") && !p[1])
9385 {
9387 options->push_peer_info = true;
9388 }
9389 else if (streq(p[0], "tls-exit") && !p[1])
9390 {
9392 options->tls_exit = true;
9393 }
9394 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
9395 {
9397 options->cipher_list = p[1];
9398 }
9399 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
9400 {
9402 options->tls_cert_profile = p[1];
9403 }
9404 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
9405 {
9407 options->cipher_list_tls13 = p[1];
9408 }
9409 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
9410 {
9412 options->tls_groups = p[1];
9413 }
9414 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2]))
9415 {
9417 if (p[2] && streq(p[2], "dir"))
9418 {
9420 }
9421 options->crl_file = p[1];
9422 options->crl_file_inline = is_inline;
9423 }
9424 else if (streq(p[0], "tls-verify") && p[1])
9425 {
9427 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
9428 {
9429 goto err;
9430 }
9432 string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true);
9433 }
9434 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
9435 {
9438 }
9439 else if (streq(p[0], "compat-names"))
9440 {
9442 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
9443 "Update your configuration.");
9444 goto err;
9445 }
9446 else if (streq(p[0], "no-name-remapping") && !p[1])
9447 {
9449 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
9450 "Update your configuration.");
9451 goto err;
9452 }
9453 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
9454 {
9455 int type = VERIFY_X509_SUBJECT_DN;
9457 if (p[2])
9458 {
9459 if (streq(p[2], "subject"))
9460 {
9462 }
9463 else if (streq(p[2], "name"))
9464 {
9466 }
9467 else if (streq(p[2], "name-prefix"))
9468 {
9470 }
9471 else
9472 {
9473 msg(msglevel, "unknown X.509 name type: %s", p[2]);
9474 goto err;
9475 }
9476 }
9477 options->verify_x509_type = type;
9478 options->verify_x509_name = p[1];
9479 }
9480 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
9481 {
9482#ifdef ENABLE_CRYPTO_MBEDTLS
9483 msg(msglevel, "--ns-cert-type is not available with mbedtls.");
9484 goto err;
9485#else
9487 if (streq(p[1], "server"))
9488 {
9490 }
9491 else if (streq(p[1], "client"))
9492 {
9494 }
9495 else
9496 {
9497 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
9498 goto err;
9499 }
9500#endif /* ENABLE_CRYPTO_MBEDTLS */
9501 }
9502 else if (streq(p[0], "remote-cert-ku"))
9503 {
9505
9506 size_t j;
9507 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9508 {
9509 sscanf(p[j], "%x", &(options->remote_cert_ku[j - 1]));
9510 }
9511 if (j == 1)
9512 {
9513 /* No specific KU required, but require KU to be present */
9515 }
9516 }
9517 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
9518 {
9520 options->remote_cert_eku = p[1];
9521 }
9522 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
9523 {
9525
9526 if (streq(p[1], "server"))
9527 {
9529 options->remote_cert_eku = "TLS Web Server Authentication";
9530 }
9531 else if (streq(p[1], "client"))
9532 {
9534 options->remote_cert_eku = "TLS Web Client Authentication";
9535 }
9536 else
9537 {
9538 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
9539 goto err;
9540 }
9541 }
9542 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
9543 {
9545 options->tls_timeout = positive_atoi(p[1], msglevel);
9546 }
9547 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
9548 {
9550 char *end;
9551 long long reneg_bytes = strtoll(p[1], &end, 10);
9552 if (*end != '\0' || reneg_bytes < 0)
9553 {
9554 msg(msglevel, "--reneg-bytes parameter must be an integer and >= 0");
9555 goto err;
9556 }
9557 options->renegotiate_bytes = reneg_bytes;
9558 }
9559 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
9560 {
9562 char *end;
9563 long long pkt_max = strtoll(p[1], &end, 10);
9564 if (*end != '\0' || pkt_max < 0)
9565 {
9566 msg(msglevel, "--reneg-pkts parameter must be an integer and >= 0");
9567 goto err;
9568 }
9569 options->renegotiate_packets = pkt_max;
9570 }
9571 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
9572 {
9574 options->renegotiate_seconds = positive_atoi(p[1], msglevel);
9575 if (p[2])
9576 {
9578 }
9579 }
9580 else if (streq(p[0], "hand-window") && p[1] && !p[2])
9581 {
9583 options->handshake_window = positive_atoi(p[1], msglevel);
9584 }
9585 else if (streq(p[0], "tran-window") && p[1] && !p[2])
9586 {
9588 options->transition_window = positive_atoi(p[1], msglevel);
9589 }
9590 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9591 {
9592 int key_direction = -1;
9593
9595
9596 if (permission_mask & OPT_P_GENERAL)
9597 {
9598 options->tls_auth_file = p[1];
9599 options->tls_auth_file_inline = is_inline;
9600
9601 if (!is_inline && p[2])
9602 {
9603 key_direction = ascii2keydirection(msglevel, p[2]);
9604 if (key_direction < 0)
9605 {
9606 goto err;
9607 }
9608 options->key_direction = key_direction;
9609 }
9610 }
9611 else if (permission_mask & OPT_P_CONNECTION)
9612 {
9613 options->ce.tls_auth_file = p[1];
9614 options->ce.tls_auth_file_inline = is_inline;
9616
9617 if (!is_inline && p[2])
9618 {
9619 key_direction = ascii2keydirection(msglevel, p[2]);
9620 if (key_direction < 0)
9621 {
9622 goto err;
9623 }
9624 options->ce.key_direction = key_direction;
9625 }
9626 }
9627 }
9628 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9629 {
9631 if (permission_mask & OPT_P_GENERAL)
9632 {
9633 options->tls_crypt_file = p[1];
9634 options->tls_crypt_file_inline = is_inline;
9635 }
9636 else if (permission_mask & OPT_P_CONNECTION)
9637 {
9638 options->ce.tls_crypt_file = p[1];
9639 options->ce.tls_crypt_file_inline = is_inline;
9640 }
9641 }
9642 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9643 {
9645 if (permission_mask & OPT_P_GENERAL)
9646 {
9647 options->tls_crypt_v2_file = p[1];
9648 options->tls_crypt_v2_file_inline = is_inline;
9649 }
9650 else if (permission_mask & OPT_P_CONNECTION)
9651 {
9653 options->ce.tls_crypt_v2_file_inline = is_inline;
9654 }
9655
9656 if (p[2] && streq(p[2], "force-cookie"))
9657 {
9659 }
9660 else if (p[2] && streq(p[2], "allow-noncookie"))
9661 {
9663 }
9664 else if (p[2])
9665 {
9666 msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9667 }
9668 }
9669 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9670 {
9673 }
9674 else if (streq(p[0], "x509-track") && p[1] && !p[2])
9675 {
9677 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9678 }
9679#ifdef ENABLE_X509ALTUSERNAME
9680 else if (streq(p[0], "x509-username-field") && p[1])
9681 {
9683 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9684 {
9685 char *s = p[j];
9686
9687 if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s + 4))
9688 {
9689 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9690 }
9691 options->x509_username_field[j - 1] = p[j];
9692 }
9693 }
9694#endif /* ENABLE_X509ALTUSERNAME */
9695#ifdef ENABLE_PKCS11
9696 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9697 {
9698 char *provider = p[1];
9699 bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0));
9700
9701#ifdef DEFAULT_PKCS11_MODULE
9702 if (!provider)
9703 {
9704 provider = DEFAULT_PKCS11_MODULE;
9705 }
9706 else if (!p[2])
9707 {
9708 char *endp = NULL;
9709 long i = strtol(provider, &endp, 10);
9710
9711 if (*endp == 0)
9712 {
9713 /* There was one argument, and it was purely numeric.
9714 * Interpret it as the cert_private argument */
9715 provider = DEFAULT_PKCS11_MODULE;
9716 cert_private = i;
9717 }
9718 }
9719#else /* ifdef DEFAULT_PKCS11_MODULE */
9720 if (!provider)
9721 {
9722 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9723 goto err;
9724 }
9725#endif /* ifdef DEFAULT_PKCS11_MODULE */
9727
9729 show_pkcs11_ids(provider, cert_private);
9730 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9731 }
9732 else if (streq(p[0], "pkcs11-providers") && p[1])
9733 {
9734 int j;
9735
9737
9738 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9739 {
9740 options->pkcs11_providers[j - 1] = p[j];
9741 }
9742 }
9743 else if (streq(p[0], "pkcs11-protected-authentication"))
9744 {
9745 int j;
9746
9748
9749 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9750 {
9751 options->pkcs11_protected_authentication[j - 1] =
9752 atoi_warn(p[j], msglevel) != 0 ? 1 : 0;
9753 }
9754 }
9755 else if (streq(p[0], "pkcs11-private-mode") && p[1])
9756 {
9757 int j;
9758
9760
9761 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9762 {
9763 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j - 1]));
9764 }
9765 }
9766 else if (streq(p[0], "pkcs11-cert-private"))
9767 {
9768 int j;
9769
9771
9772 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9773 {
9774 options->pkcs11_cert_private[j - 1] = (bool)(atoi_warn(p[j], msglevel));
9775 }
9776 }
9777 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9778 {
9780 options->pkcs11_pin_cache_period = positive_atoi(p[1], msglevel);
9781 }
9782 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9783 {
9785 options->pkcs11_id = p[1];
9786 }
9787 else if (streq(p[0], "pkcs11-id-management") && !p[1])
9788 {
9790 options->pkcs11_id_management = true;
9791 }
9792#endif /* ifdef ENABLE_PKCS11 */
9793 else if (streq(p[0], "rmtun") && !p[1])
9794 {
9796 options->persist_config = true;
9797 options->persist_mode = 0;
9798 }
9799 else if (streq(p[0], "mktun") && !p[1])
9800 {
9802 options->persist_config = true;
9803 options->persist_mode = 1;
9804 }
9805 else if (streq(p[0], "peer-id") && p[1] && !p[2])
9806 {
9808 options->use_peer_id = true;
9809 options->peer_id = atoi_warn(p[1], msglevel);
9810 }
9811 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9812 {
9813 int ekm_length = positive_atoi(p[2], msglevel);
9814
9816
9817 if (strncmp(p[1], "EXPORTER", 8))
9818 {
9819 msg(msglevel, "Keying material exporter label must begin with "
9820 "\"EXPORTER\"");
9821 goto err;
9822 }
9823 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9824 {
9825 msg(msglevel,
9826 "Keying material exporter label must not be '" EXPORT_KEY_DATA_LABEL "'.");
9827 }
9828 if (ekm_length < 16 || ekm_length > 4095)
9829 {
9830 msg(msglevel, "Invalid keying material exporter length");
9831 goto err;
9832 }
9833
9836 }
9837 else if (streq(p[0], "allow-recursive-routing") && !p[1])
9838 {
9841 }
9842 else if (streq(p[0], "vlan-tagging") && !p[1])
9843 {
9845 options->vlan_tagging = true;
9846 }
9847 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9848 {
9850 if (streq(p[1], "tagged"))
9851 {
9853 }
9854 else if (streq(p[1], "untagged"))
9855 {
9857 }
9858 else if (streq(p[1], "all"))
9859 {
9861 }
9862 else
9863 {
9864 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9865 goto err;
9866 }
9867 }
9868 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9869 {
9871 options->vlan_pvid = positive_atoi(p[1], msglevel);
9874 {
9875 msg(msglevel, "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9877 goto err;
9878 }
9879 }
9880 else
9881 {
9882 int i;
9883 int msglevel_unknown = msglevel_fc;
9884 /* Check if an option is in --ignore-unknown-option and
9885 * set warning level to non fatal */
9887 {
9888 if (streq(p[0], options->ignore_unknown_option[i]))
9889 {
9890 msglevel_unknown = M_WARN;
9891 break;
9892 }
9893 }
9894 if (file)
9895 {
9896 msg(msglevel_unknown,
9897 "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file,
9898 line, p[0], PACKAGE_VERSION);
9899 }
9900 else
9901 {
9902 msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)",
9903 p[0], PACKAGE_VERSION);
9904 }
9905 }
9906err:
9907 gc_free(&gc);
9908}
9909
9910bool
9912{
9913 if (options->ce.local_list)
9914 {
9915 for (int i = 0; i < options->ce.local_list->len; i++)
9916 {
9918 {
9919 return true;
9920 }
9921 }
9922 }
9923
9924 return false;
9925}
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
void free_buf(struct buffer *buf)
Definition buffer.c:184
void buf_clear(struct buffer *buf)
Definition buffer.c:163
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
void gc_transfer(struct gc_arena *dest, struct gc_arena *src)
Definition buffer.c:460
void * gc_realloc(void *ptr, size_t size, struct gc_arena *a)
allows to realloc a pointer previously allocated by gc_malloc or gc_realloc
Definition buffer.c:370
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
int string_array_len(const char **array)
Definition buffer.c:703
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
Definition buffer.c:1348
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:825
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
struct buffer string_alloc_buf(const char *str, struct gc_arena *gc)
Definition buffer.c:752
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1001
#define BSTR(buf)
Definition buffer.h:128
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:704
#define BPTR(buf)
Definition buffer.h:123
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1053
static bool buf_valid(const struct buffer *buf)
Definition buffer.h:234
static void gc_init(struct gc_arena *a)
Definition buffer.h:994
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:518
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition buffer.h:348
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1079
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1074
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition buffer.h:959
static struct gc_arena gc_new(void)
Definition buffer.h:1007
void print_client_nat_list(const struct client_nat_option_list *list, int msglevel)
Definition clinat.c:50
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, int msglevel)
Definition clinat.c:102
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition clinat.c:71
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition clinat.c:79
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition clinat.c:88
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:68
#define TLS_CHANNEL_MTU_MIN
Definition common.h:81
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
#define COMP_F_ALLOW_STUB_ONLY
Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY we still accept other compression...
Definition comp.h:45
#define COMP_F_SWAP
initial command byte is swapped with last byte in buffer to preserve payload alignment
Definition comp.h:40
#define COMP_ALG_LZ4
LZ4 algorithm.
Definition comp.h:59
#define COMP_ALGV2_LZ4
Definition comp.h:64
#define COMP_F_ALLOW_NOCOMP_ONLY
Do not allow compression framing (breaks DCO)
Definition comp.h:51
#define COMP_F_ALLOW_ASYM
Compression was explicitly set to allow asymetric compression.
Definition comp.h:49
#define COMP_ALGV2_UNCOMPRESSED
Definition comp.h:63
#define COMP_ALG_STUB
support compression command byte and framing without actual compression
Definition comp.h:56
#define COMP_ALG_LZO
LZO algorithm.
Definition comp.h:57
#define COMP_F_ADVERTISE_STUBS_ONLY
tell server that we only support compression stubs
Definition comp.h:42
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
static bool comp_non_stub_enabled(const struct compress_options *info)
Definition comp.h:81
#define COMP_ALG_UNDEF
Definition comp.h:54
int daemon(int nochdir, int noclose)
char * dirname(char *path)
char * strsep(char **stringp, const char *delim)
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:869
int ascii2keydirection(int msglevel, const char *str)
Definition crypto.c:1612
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
Definition crypto.c:1635
bool check_tls_prf_working(void)
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS K...
Definition crypto.c:1895
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1193
Data Channel Cryptography Module.
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
#define KEY_DIRECTION_BIDIRECTIONAL
Definition crypto.h:231
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:369
@ MD_SHA256
@ MD_SHA1
static bool cipher_defined(const char *ciphername)
Checks if the cipher is defined and is not the null (none) cipher.
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
#define SHA_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
static bool dco_check_startup_option(int msglevel, const struct options *o)
Definition dco.h:282
static bool dco_check_option(int msglevel, const struct options *o)
Definition dco.h:276
static const char * dco_version_string(struct gc_arena *gc)
Definition dco.h:270
bool dns_options_verify(int msglevel, const struct dns_options *o)
Checks validity of DNS options.
Definition dns.c:203
void dns_domain_list_append(struct dns_domain **entry, char **domains, struct gc_arena *gc)
Appends DNS domain parameters to a linked list.
Definition dns.c:147
void dns_options_postprocess_pull(struct dns_options *o)
Merges pulled DNS servers with static ones into an ordered list.
Definition dns.c:279
bool dns_server_addr_parse(struct dns_server *server, const char *addr)
Parses a string IPv4 or IPv6 address and optional colon separated port, into a in_addr or in6_addr re...
Definition dns.c:61
struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc)
Find or create DNS server with priority in a linked list.
Definition dns.c:181
bool dns_server_priority_parse(long *priority, const char *str, bool pulled)
Parses a string DNS server priority and validates it.
Definition dns.c:166
struct dns_options clone_dns_options(const struct dns_options *o, struct gc_arena *gc)
Makes a deep copy of the passed DNS options.
Definition dns.c:257
void show_dns_options(const struct dns_options *o)
Prints configured DNS options.
Definition dns.c:769
void dns_options_preprocess_pull(struct dns_options *o)
Saves and resets the server options, so that pulled ones don't mix in.
Definition dns.c:272
static bool dns_updown_user_set(const struct dns_options *o)
Returns whether dns-updown is user defined.
Definition dns.h:217
@ DNS_UPDOWN_FORCED
Definition dns.h:50
@ DNS_UPDOWN_NO_FLAGS
Definition dns.h:48
@ DNS_UPDOWN_USER_SET
Definition dns.h:49
@ DNS_SECURITY_NO
Definition dns.h:33
@ DNS_SECURITY_YES
Definition dns.h:34
@ DNS_SECURITY_OPTIONAL
Definition dns.h:35
static bool dns_updown_forced(const struct dns_options *o)
Returns whether dns-updown is forced to run.
Definition dns.h:228
@ DNS_TRANSPORT_PLAIN
Definition dns.h:41
@ DNS_TRANSPORT_TLS
Definition dns.h:43
@ DNS_TRANSPORT_HTTPS
Definition dns.h:42
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i)
Definition env_set.c:423
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
const char * env_set_get(const struct env_set *es, const char *name)
Definition env_set.c:201
void setenv_str_safe(struct env_set *es, const char *name, const char *value)
Definition env_set.c:313
bool env_set_del(struct env_set *es, const char *str)
Definition env_set.c:183
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition env_set.c:299
#define D_SHOW_OCC
Definition errlevel.h:150
#define D_PUSH
Definition errlevel.h:82
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
#define D_DCO
Definition errlevel.h:93
#define D_SHOW_PARMS
Definition errlevel.h:95
#define D_PUSH_ERRORS
Definition errlevel.h:66
#define D_TLS_ERRORS
Definition errlevel.h:58
#define M_INFO
Definition errlevel.h:54
Interface functions to the internal and external multiplexers.
void helper_setdefault_topology(struct options *o)
Set –topology default depending on –mode.
Definition helper.c:137
void helper_tcp_nodelay(struct options *o)
Definition helper.c:608
void helper_client_server(struct options *o)
Definition helper.c:165
void helper_keepalive(struct options *o)
Definition helper.c:548
static int max_int(int x, int y)
Definition integer.h:92
static int constrain_int(int x, int min, int max)
Definition integer.h:118
static SERVICE_STATUS status
Definition interactive.c:51
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
void management_auth_token(struct management *man, const char *token)
Definition manage.c:3119
void management_echo(struct management *man, const char *string, const bool pull)
Definition manage.c:3040
#define MF_FORGET_DISCONNECT
Definition manage.h:31
#define MF_EXTERNAL_KEY_PKCS1PAD
Definition manage.h:38
#define MF_CLIENT_AUTH
Definition manage.h:33
#define MF_EXTERNAL_KEY_PSSPAD
Definition manage.h:43
#define MF_EXTERNAL_KEY_NOPADDING
Definition manage.h:37
#define MF_QUERY_PROXY
Definition manage.h:41
#define MF_EXTERNAL_KEY
Definition manage.h:36
#define MF_QUERY_REMOTE
Definition manage.h:40
#define MF_QUERY_PASSWORDS
Definition manage.h:28
#define MF_EXTERNAL_CERT
Definition manage.h:42
#define MF_EXTERNAL_KEY_DIGEST
Definition manage.h:44
#define MF_UP_DOWN
Definition manage.h:39
#define MF_HOLD
Definition manage.h:29
#define MF_SIGNAL
Definition manage.h:30
#define MF_UNIX_SOCK
Definition manage.h:35
#define MF_CONNECT_AS_CLIENT
Definition manage.h:32
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:772
const char * safe_print(const char *str, struct gc_arena *gc)
Definition misc.c:538
#define USER_PASS_LEN
Definition misc.h:64
#define SC_CONCAT
Definition misc.h:92
#define SC_ECHO
Definition misc.h:91
int translate_mtu_discover_type_name(const char *name)
Definition mtu.c:253
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition mtu.c:147
#define MSSFIX_DEFAULT
Definition mtu.h:84
#define TUN_MTU_MAX_MIN
Definition mtu.h:74
#define TAP_MTU_EXTRA_DEFAULT
Definition mtu.h:79
#define LINK_MTU_DEFAULT
Definition mtu.h:64
#define TUN_MTU_DEFAULT
Definition mtu.h:69
#define TLS_MTU_DEFAULT
Definition mtu.h:89
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition multi.c:94
static int net_ctx_init(struct context *c, openvpn_net_ctx_t *ctx)
Definition networking.h:47
void * openvpn_net_ctx_t
Definition networking.h:38
#define BOOL_CAST(x)
Definition basic.h:26
#define CLEAR(x)
Definition basic.h:32
#define SIZE(x)
Definition basic.h:29
void errors_to_stderr(void)
Definition error.c:184
void open_syslog(const char *pgmname, bool stdio_to_null)
Definition error.c:447
void redirect_stdout_stderr(const char *file, bool append)
Definition error.c:496
FILE * msg_fp(const unsigned int flags)
Definition error.c:193
void openvpn_exit(const int status)
Definition error.c:705
static bool machine_readable_output
Definition error.c:77
void set_suppress_timestamps(bool suppressed)
Definition error.c:148
void set_machine_readable_output(bool parsable)
Definition error.c:154
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:104
static bool suppress_timestamps
Definition error.c:80
#define M_OPTERR
Definition error.h:99
#define SDL_CONSTRAIN
Definition error.h:199
#define M_NOPREFIX
Definition error.h:96
#define M_DEBUG_LEVEL
Definition error.h:86
#define M_USAGE
Definition error.h:105
#define OPENVPN_EXIT_STATUS_USAGE
Definition error.h:54
#define OPENVPN_EXIT_STATUS_GOOD
Definition error.h:52
#define M_FATAL
Definition error.h:88
#define M_ERR
Definition error.h:104
#define msg(flags,...)
Definition error.h:150
#define ASSERT(x)
Definition error.h:217
#define M_WARN
Definition error.h:90
#define M_MSG_VIRT_OUT
Definition error.h:98
#define M_ERRNO
Definition error.h:93
#define MAX_PEER_ID
Definition openvpn.h:554
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4543
static void options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
Definition options.c:4640
#define RESET_OPTION_ROUTES(option_ptr, field)
Definition options.c:5628
static void rol6_check_alloc(struct options *options)
Definition options.c:1575
#define CHKACC_PRIVATE
Warn if this (private) file is group/others accessible.
Definition options.c:3942
static bool check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access_chroot() that returns false immediately if the file is inline (and th...
Definition options.c:4076
static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
Definition options.c:4042
static void options_warning_safe_scan2(const int msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4569
static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
Definition options.c:2275
static int msglevel_forward_compatible(struct options *options, const int msglevel)
Definition options.c:5623
static struct local_entry * alloc_local_entry(struct connection_entry *ce, const int msglevel, struct gc_arena *gc)
Definition options.c:2066
#define NM_QUOTE_HINT
Definition options.c:5595
static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
Definition options.c:2924
static void update_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es, unsigned int *update_options_found)
Processes an option to update.
Definition options.c:5986
static void usage_version(void)
Definition options.c:4900
static bool check_route_option(struct options *options, char *p[], const int msglevel, bool pull_mode)
Definition options.c:5818
static bool in_src_get(const struct in_src *is, char *line, const int size)
Definition options.c:5165
static struct pull_filter * alloc_pull_filter(struct options *o)
Definition options.c:2179
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5517
#define USAGE_VALID_SERVER_PROTOS
#define SHOW_BOOL(var)
Definition options.c:982
#define CHKACC_DIRPATH
Check for directory presence where a file should reside.
Definition options.c:3939
static void pre_connect_save(struct options *o)
Definition options.c:3115
#define CHKACC_ACPTSTDIN
If filename is stdin, it's allowed and "exists".
Definition options.c:3941
#define TLS_CLIENT
static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
Definition options.c:987
static int check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
Definition options.c:5265
static int global_auth_retry
Definition options.c:4779
#define IS_TYPE_BUF
Definition options.c:5155
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition options.c:4285
void uninit_options(struct options *o)
Definition options.c:934
static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
Definition options.c:2200
#define SHOW_STR(var)
Definition options.c:975
static int check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
Definition options.c:5232
static bool verify_permission(const char *name, const char *file, int line, const unsigned int type, const unsigned int allowed, unsigned int *found, const int msglevel, struct options *options, bool is_inline)
Definition options.c:5545
static void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5289
void show_windows_version(const unsigned int flags)
Definition options.c:4867
#define VERIFY_PERMISSION(mask)
Definition options.c:5535
static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
Definition options.c:4555
bool key_is_external(const struct options *options)
Definition options.c:6156
static bool no_more_than_n_args(const int msglevel, char *p[], const int max, const unsigned int flags)
Definition options.c:5598
static void check_ca_required(const struct options *options)
Definition options.c:2237
bool auth_retry_set(const int msglevel, const char *option)
Definition options.c:4788
static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, struct gc_arena *gc)
Definition options.c:1993
static void read_config_string(const char *prefix, struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5362
static bool space(char c)
Definition options.c:4962
static void bypass_doubledash(char **p)
Definition options.c:5144
#define CHKACC_FILEXSTWR
If file exists, is it writable?
Definition options.c:3940
static bool check_dns_option(struct options *options, char *p[], const int msglevel, bool pull_mode)
Definition options.c:5867
static void tuntap_options_postprocess_dns(struct options *o)
Postprocess DNS related settings.
Definition options.c:3481
static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
Returns newly allocated string containing address part without "/nn".
Definition options.c:1135
void show_dco_version(const unsigned int flags)
Definition options.c:4876
void rol_check_alloc(struct options *options)
Definition options.c:1566
static struct local_list * alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
Definition options.c:2056
#define SHOW_UNSIGNED(var)
Definition options.c:981
void show_settings(const struct options *o)
Definition options.c:1690
static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot)
Definition options.c:6117
static in_addr_t get_ip_addr(const char *ip_string, int msglevel, bool *error)
Definition options.c:1110
#define LZO_LIB_VER_STR
static void show_dhcp_option_list(const char *name, const char *const *array, int len)
Definition options.c:1284
static bool check_route6_option(struct options *options, char *p[], const int msglevel, bool pull_mode)
Definition options.c:5846
static void show_connection_entries(const struct options *o)
Definition options.c:1651
static void options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
Definition options.c:3081
static void option_iroute_ipv6(struct options *o, const char *prefix_str, int msglevel)
Definition options.c:1509
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4662
void parse_argv(struct options *options, const int argc, char *argv[], const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5391
bool string_defined_equal(const char *s1, const char *s2)
Definition options.c:4931
static bool check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access() that returns false immediately if the file is inline (and therefore...
Definition options.c:4092
static void remove_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Resets options found in the PUSH_UPDATE message that are preceded by the - flag.
Definition options.c:5656
void options_postprocess(struct options *options, struct env_set *es)
Definition options.c:4271
int parse_topology(const char *str, const int msglevel)
Definition options.c:4732
static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
Definition options.c:1294
void usage_small(void)
Definition options.c:4859
const char * auth_retry_print(void)
Definition options.c:4811
static void show_http_proxy_options(const struct http_proxy_options *o)
Definition options.c:1527
static void options_postprocess_filechecks(struct options *options)
Definition options.c:4160
static void show_connection_entry(const struct connection_entry *o)
Definition options.c:1594
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4685
void show_library_versions(const unsigned int flags)
Definition options.c:4886
void setenv_settings(struct env_set *es, const struct options *o)
Definition options.c:1013
#define CHKACC_ACCEPT_URI
Do not check URIs, unless they start with file:
Definition options.c:3943
static const char usage_message[]
Definition options.c:120
static char * string_substitute(const char *src, int from, int to, struct gc_arena *gc)
Definition options.c:1162
static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a hexstring and checks if the string has the correct length.
Definition options.c:1190
static struct connection_list * alloc_connection_list_if_undef(struct options *options)
Definition options.c:2097
static bool check_cmd_access(const char *command, const char *opt, const char *chroot)
Definition options.c:4120
static void options_warning_safe_scan1(const int msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4622
#define SHOW_INT64(var)
Definition options.c:980
static struct connection_entry * alloc_connection_entry(struct options *options, const int msglevel)
Definition options.c:2107
static void dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
Definition options.c:1332
bool apply_push_options(struct context *c, struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es, bool is_update)
Definition options.c:5453
static bool check_file_access(const int type, const char *file, const int mode, const char *opt)
Definition options.c:3946
static void show_p2mp_parms(const struct options *o)
Definition options.c:1391
static const char * pull_filter_type_name(int type)
Definition options.c:954
static void cnol_check_alloc(struct options *options)
Definition options.c:1584
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition options.c:4968
static int check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
Definition options.c:5256
static struct remote_entry * alloc_remote_entry(struct options *options, const int msglevel)
Definition options.c:2143
static void options_postprocess_mutate(struct options *o, struct env_set *es)
Definition options.c:3738
void options_detach(struct options *o)
Definition options.c:1557
static unsigned int atou(const char *str)
Definition options.c:4953
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3157
static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
Definition options.c:1346
static struct pull_filter_list * alloc_pull_filter_list(struct options *o)
Definition options.c:2169
const char * print_topology(const int topology)
Definition options.c:4754
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5527
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4699
#define SHOW_STR_INLINE(var)
Definition options.c:976
static void options_postprocess_cipher(struct options *o)
Definition options.c:3315
static void options_set_backwards_compatible_options(struct options *o)
Changes default values so that OpenVPN can be compatible with the user specified version.
Definition options.c:3385
static void show_tuntap_options(const struct tuntap_options *o)
Definition options.c:1306
void init_options(struct options *o, const bool init_gc)
Definition options.c:806
#define MUST_BE_FALSE(condition, parm_name)
Definition options.c:2268
#define MUST_BE_UNDEF(parm, parm_name)
Definition options.c:2263
static const char * print_vlan_accept(enum vlan_acceptable_frames mode)
Definition options.c:1374
#define SHOW_PARM(name, value, format)
Definition options.c:974
static void options_postprocess_http_proxy_override(struct options *o)
Definition options.c:2021
#define IS_TYPE_FP
Definition options.c:5154
void options_warning(char *actual, const char *expected)
Definition options.c:4549
static void show_pull_filter_list(const struct pull_filter_list *l)
Definition options.c:1672
#define CHKACC_FILE
Check for a file/directory presence.
Definition options.c:3938
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4691
static void options_postprocess_mutate_invariant(struct options *options)
Definition options.c:3226
static bool ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
Definition options.c:1153
const char title_string[]
Definition options.c:70
static void setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
Definition options.c:1005
static void remap_redirect_gateway_flags(struct options *opt)
Definition options.c:3099
#define TLS_SERVER
static void usage(void)
Definition options.c:4833
int auth_retry_get(void)
Definition options.c:4782
static void add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:6171
static struct verify_hash_list * parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a string consisting of multiple lines of hexstrings and checks if each string has the correct ...
Definition options.c:1243
static struct remote_list * alloc_remote_list_if_undef(struct options *options)
Definition options.c:2133
void notnull(const char *arg, const char *description)
Definition options.c:4922
static void show_compression_warning(struct compress_options *info)
Definition options.c:6144
static void options_process_mutate_prf(struct options *o)
Definition options.c:3453
bool has_udp_in_local_list(const struct options *options)
Definition options.c:9911
static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, int msglevel)
Definition options.c:1483
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4342
static char * read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
Definition options.c:5188
static void options_postprocess_verify(const struct options *o)
Definition options.c:3289
static void connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
Definition options.c:2221
#define SHOW_INT(var)
Definition options.c:978
static bool need_compatibility_before(const struct options *o, unsigned int version)
The option –compat-mode is used to set up default settings to values used on the specified openvpn ve...
Definition options.c:3375
#define MODE_POINT_TO_POINT
Definition options.h:260
#define OPT_P_SCRIPT
Definition options.h:736
#define PUF_TYPE_ACCEPT
filter type to accept a matching option
Definition options.h:810
#define OPT_P_PUSH
Definition options.h:748
#define SF_TCP_NODELAY_HELPER
Definition options.h:478
#define OPT_P_UP
Definition options.h:733
#define OPT_P_CONNECTION
Definition options.h:759
#define OPT_P_INSTANCE
allowed in ccd, client-connect etc
Definition options.h:749
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:744
#define OPT_P_ECHO
Definition options.h:752
#define OPT_P_ROUTE_TABLE
Definition options.h:763
#define OPT_P_CONFIG
Definition options.h:750
#define MODE_SERVER
Definition options.h:261
#define CONNECTION_LIST_SIZE
Definition options.h:187
#define streq(x, y)
Definition options.h:727
#define OPT_P_U_REDIR_GATEWAY
Definition options.h:805
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:751
#define PUF_TYPE_IGNORE
filter type to ignore a matching option
Definition options.h:811
#define AR_INTERACT
Definition options.h:915
#define OPT_P_SHAPER
Definition options.h:738
#define OPT_P_U_ROUTE6
Definition options.h:802
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
#define OPT_P_SOCKFLAGS
Definition options.h:758
#define SF_NOPOOL
Definition options.h:477
#define PUF_TYPE_REJECT
filter type to reject and trigger SIGUSR1
Definition options.h:812
#define OPT_P_MESSAGES
Definition options.h:743
#define OPT_P_SETENV
Definition options.h:737
#define OPT_P_SOCKBUF
Definition options.h:757
#define OPT_P_PLUGIN
Definition options.h:756
#define OPTION_PARM_SIZE
Definition options.h:56
#define OPT_P_TIMER
Definition options.h:739
#define OPT_P_GENERAL
Definition options.h:732
#define PING_RESTART
Definition options.h:356
#define OPT_P_DHCPDNS
Definition options.h:735
#define OPT_P_PULL_MODE
Definition options.h:755
@ GENKEY_AUTH_TOKEN
Definition options.h:239
@ GENKEY_SECRET
Definition options.h:236
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:238
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:237
#define OPT_P_PUSH_MTU
Definition options.h:762
#define AR_NONE
Definition options.h:914
#define AR_NOINTERACT
Definition options.h:916
#define SF_NO_PUSH_ROUTE_GATEWAY
Definition options.h:479
#define OPT_P_PERSIST
Definition options.h:740
#define MAX_PARMS
Definition options.h:51
#define PULL_DEFINED(opt)
Definition options.h:767
#define OPT_P_U_DNS
Definition options.h:803
#define PLUGIN_OPTION_LIST(opt)
Definition options.h:787
#define ROUTE_OPTION_FLAGS(o)
Definition options.h:779
#define OPTION_LINE_SIZE
Definition options.h:57
#define OPT_P_U_ROUTE
Definition options.h:801
#define PING_EXIT
Definition options.h:355
#define OPT_P_COMP
Definition options.h:742
#define OPT_P_PERSIST_IP
Definition options.h:741
#define OPT_P_MTU
Definition options.h:746
#define OPT_P_ROUTE_EXTRAS
Definition options.h:754
#define OPT_P_U_DHCP
Definition options.h:804
#define OPT_P_NICE
Definition options.h:747
#define OPT_P_PEER_ID
Definition options.h:760
#define OPT_P_INHERIT
Definition options.h:753
#define OPT_P_TLS_PARMS
Definition options.h:745
#define OPT_P_ROUTE
Definition options.h:734
#define MAN_CLIENT_AUTH_ENABLED(opt)
Definition options.h:793
#define CE_DISABLED
Definition options.h:150
#define OPT_P_INLINE
Definition options.h:761
vlan_acceptable_frames
Definition options.h:220
@ VLAN_ONLY_UNTAGGED_OR_PRIORITY
Definition options.h:222
@ VLAN_ALL
Definition options.h:223
@ VLAN_ONLY_TAGGED
Definition options.h:221
bool check_push_update_option_flags(char *line, int *i, unsigned int *flags)
Checks the formatting and validity of options inside push-update messages.
bool atoi_constrained(const char *str, int *value, const char *name, int min, int max, int msglevel)
Converts a str to an integer if the string can be represented as an integer number and is between min...
int positive_atoi(const char *str, int msglevel)
Converts a str to a positive number if the string represents a postive integer number.
int atoi_warn(const char *str, int msglevel)
Converts a str to an integer if the string can be represented as an integer number.
bool apply_pull_filter(const struct options *o, char *line)
Filter an option line by all pull filters.
bool valid_integer(const char *str, bool positive)
Checks if the string is a valid integer by checking if it can be converted to an integer.
#define MAX_SEQ_BACKTRACK
Definition packet_id.h:85
#define MIN_SEQ_BACKTRACK
Definition packet_id.h:84
#define DEFAULT_SEQ_BACKTRACK
Definition packet_id.h:86
#define MAX_TIME_BACKTRACK
Definition packet_id.h:94
#define DEFAULT_TIME_BACKTRACK
Definition packet_id.h:95
#define MIN_TIME_BACKTRACK
Definition packet_id.h:93
unsigned int platform_getpid(void)
Definition platform.c:337
int platform_access(const char *path, int mode)
Definition platform.c:461
FILE * platform_fopen(const char *path, const char *mode)
Definition platform.c:504
int platform_chdir(const char *dir)
Definition platform.c:396
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:530
struct _stat platform_stat_t
Definition platform.h:142
struct plugin_option_list * plugin_option_list_new(struct gc_arena *gc)
Definition plugin.c:159
bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
Definition plugin.c:167
void plugin_option_list_print(const struct plugin_option_list *list, int msglevel)
Definition plugin.c:187
bool ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_addr_t end)
Definition pool.c:117
#define OPENVPN_8021Q_MIN_VID
Definition proto.h:316
#define OPENVPN_8021Q_MAX_VID
Definition proto.h:317
#define DEV_TYPE_TAP
Definition proto.h:36
#define TOP_UNDEF
Definition proto.h:40
#define DEV_TYPE_UNDEF
Definition proto.h:34
#define TOP_NET30
Definition proto.h:41
#define DEV_TYPE_TUN
Definition proto.h:35
#define TOP_P2P
Definition proto.h:42
#define TOP_SUBNET
Definition proto.h:43
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:45
#define PAR_NCT
Definition proxy.h:51
#define MAX_CUSTOM_HTTP_HEADER
Definition proxy.h:43
#define PAR_ALL
Definition proxy.h:50
void push_reset(struct options *o)
Definition push.c:931
void clone_push_list(struct options *o)
Definition push.c:890
void push_remove_option(struct options *o, const char *p)
Definition push.c:937
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition push.c:905
#define PUSH_OPT_TO_REMOVE
Definition push.h:41
#define PUSH_OPT_OPTIONAL
Definition push.h:42
bool is_special_addr(const char *addr_str)
Definition route.c:299
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition route.c:153
int netmask_to_netbits2(in_addr_t netmask)
Definition route.c:3891
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition route.c:137
void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1196
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition route.c:2659
void show_routes(int msglev)
Definition route.c:3062
void print_route_options(const struct route_option_list *rol, int level)
Definition route.c:1238
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:507
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition route.c:1252
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition route.c:171
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:179
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2561
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:162
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition route.c:128
void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1174
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric, int table_id)
Definition route.c:492
#define RG_LOCAL
Definition route.h:87
#define RG_BYPASS_DHCP
Definition route.h:89
#define ROUTE_METHOD_SERVICE
Definition route.h:42
#define ROUTE_METHOD_IPAPI
Definition route.h:40
#define ROUTE_METHOD_EXE
Definition route.h:41
#define RG_DEF1
Definition route.h:88
#define RG_BYPASS_DNS
Definition route.h:90
#define RG_ENABLE
Definition route.h:86
#define RG_REROUTE_GW
Definition route.h:91
#define ROUTE_METHOD_ADAPTIVE
Definition route.h:39
#define RG_AUTO_LOCAL
Definition route.h:92
#define RG_BLOCK_LOCAL
Definition route.h:93
void script_security_set(int level)
Definition run_command.c:48
#define SSEC_PW_ENV
allow calling of built-in programs and user-defined scripts that may receive a password as an environ...
Definition run_command.h:38
#define SSEC_NONE
strictly no calling of external programs
Definition run_command.h:31
#define SHAPER_MAX
Definition shaper.h:40
#define SHAPER_MIN
Definition shaper.h:39
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:214
static void bind_local(struct link_socket *sock, const sa_family_t ai_family)
Definition socket.c:651
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:187
#define SF_TCP_NODELAY
Definition socket.h:192
#define RESOLV_RETRY_INFINITE
Definition socket.h:48
#define OPENVPN_PORT
Definition socket.h:42
#define SF_USE_IP_PKTINFO
Definition socket.h:191
#define SF_HOST_RANDOMIZE
Definition socket.h:194
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
bool mac_addr_safe(const char *mac_addr)
const char * proto2ascii_all(struct gc_arena *gc)
sa_family_t ascii2af(const char *proto_name)
const char * proto_remote(int proto, bool remote)
bool ipv6_addr_safe(const char *ipv6_text_addr)
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn)
int ascii2proto(const char *proto_name)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
bool ip_addr_dotted_quad_safe(const char *dotted_quad)
static bool proto_is_net(int proto)
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
#define GETADDR_FATAL
@ PROTO_NONE
@ PROTO_UDP
@ PROTO_TCP
@ PROTO_TCP_CLIENT
@ PROTO_TCP_SERVER
#define GETADDR_HOST_ORDER
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
#define GETADDR_RESOLVE
#define IA_NET_ORDER
Definition socket_util.h:90
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:362
void ssl_set_auth_nocache(void)
Definition ssl.c:337
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:421
void ssl_set_auth_token(const char *token)
Definition ssl.c:356
bool ssl_get_auth_nocache(void)
Definition ssl.c:347
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1869
Control Channel SSL/Data channel negotiation module.
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:120
#define KEY_METHOD_2
Definition ssl.h:122
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
#define TLS_VER_BAD
Parse a TLS version specifier.
#define TLS_VER_1_0
#define EXPORT_KEY_DATA_LABEL
#define TLS_VER_1_2
#define TLS_VER_1_3
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition ssl_common.h:432
#define SSLF_CLIENT_CERT_OPTIONAL
Definition ssl_common.h:425
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:427
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition ssl_common.h:424
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:429
#define SSLF_TLS_DEBUG_ENABLED
Definition ssl_common.h:434
#define SSLF_TLS_VERSION_MAX_MASK
Definition ssl_common.h:433
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition ssl_common.h:430
#define SSLF_TLS_VERSION_MIN_MASK
Definition ssl_common.h:431
#define SSLF_USERNAME_AS_COMMON_NAME
Definition ssl_common.h:426
#define SSLF_OPT_VERIFY
Definition ssl_common.h:428
void options_postprocess_setdefault_ncpciphers(struct options *o)
Checks for availibility of Chacha20-Poly1305 and sets the ncp_cipher to either AES-256-GCM:AES-128-GC...
Definition ssl_ncp.c:575
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
void append_cipher_to_ncp_list(struct options *o, const char *ciphername)
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
Definition ssl_ncp.c:195
char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
Check whether the ciphers in the supplied list are supported.
Definition ssl_ncp.c:96
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
Control Channel Verification Module.
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
Definition ssl_verify.h:257
#define VERIFY_X509_SUBJECT_DN
Definition ssl_verify.h:69
#define VERIFY_X509_SUBJECT_RDN
Definition ssl_verify.h:70
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:254
#define VERIFY_X509_SUBJECT_RDN_PREFIX
Definition ssl_verify.h:71
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:252
void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
Definition argv.h:35
char ** argv
Definition argv.h:39
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int capacity
Size in bytes of memory allocated by malloc().
Definition buffer.h:61
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
unsigned int flags
Definition comp.h:77
Definition options.h:104
struct local_list * local_list
Definition options.h:105
int tun_mtu_max
Definition options.h:126
int connect_retry_seconds
Definition options.h:116
bool tls_crypt_v2_force_cookie
Definition options.h:176
int link_mtu
Definition options.h:131
bool link_mtu_defined
Definition options.h:132
int tun_mtu_extra
Definition options.h:129
int connect_retry_seconds_max
Definition options.h:117
bool bind_local
Definition options.h:115
int mssfix
Definition options.h:141
const char * tls_crypt_file
Definition options.h:167
const char * tls_crypt_v2_file
Definition options.h:172
bool tun_mtu_extra_defined
Definition options.h:130
const char * remote
Definition options.h:111
int connect_timeout
Definition options.h:118
const char * socks_proxy_port
Definition options.h:121
bool mssfix_default
Definition options.h:142
bool mssfix_encap
Definition options.h:143
int occ_mtu
Definition options.h:125
struct http_proxy_options * http_proxy_options
Definition options.h:119
bool tls_crypt_file_inline
Definition options.h:168
bool tls_auth_file_inline
Definition options.h:163
bool bind_ipv6_only
Definition options.h:114
bool tun_mtu_defined
Definition options.h:128
bool remote_float
Definition options.h:112
int tls_mtu
Definition options.h:133
int explicit_exit_notification
Definition options.h:147
const char * socks_proxy_authfile
Definition options.h:122
const char * remote_port
Definition options.h:110
bool fragment_encap
Definition options.h:139
const char * socks_proxy_server
Definition options.h:120
int fragment
Definition options.h:138
int mtu_discover_type
Definition options.h:136
int proto
Definition options.h:106
sa_family_t af
Definition options.h:107
const char * tls_auth_file
Definition options.h:162
bool local_port_defined
Definition options.h:109
int tun_mtu
Definition options.h:124
bool bind_defined
Definition options.h:113
const char * local_port
Definition options.h:108
int key_direction
Definition options.h:164
bool tls_crypt_v2_file_inline
Definition options.h:173
unsigned int flags
Definition options.h:159
bool mssfix_fixed
Definition options.h:145
struct connection_entry ** array
Definition options.h:201
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
Contains all state information for one tunnel.
Definition openvpn.h:474
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:501
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
in_addr_t dns[N_DHCP_ADDR]
Definition dns.h:101
Definition dhcp.h:53
struct dns_domain * next
Definition dns.h:55
const char * name
Definition dns.h:56
struct dns_server * servers
Definition dns.h:117
const char * updown
Definition dns.h:119
struct dhcp_options from_dhcp
Definition dns.h:114
struct gc_arena gc
Definition dns.h:118
enum dns_updown_flags updown_flags
Definition dns.h:120
struct dns_domain * search_domains
Definition dns.h:115
struct in_addr a4
Definition dns.h:63
union dns_server_addr::@0 in
sa_family_t family
Definition dns.h:66
struct in6_addr a6
Definition dns.h:64
in_port_t port
Definition dns.h:67
struct dns_server_addr addr[8]
Definition dns.h:75
enum dns_security dnssec
Definition dns.h:77
struct dns_server * next
Definition dns.h:72
long priority
Definition dns.h:73
size_t addr_count
Definition dns.h:74
struct dns_domain * domains
Definition dns.h:76
enum dns_server_transport transport
Definition dns.h:78
const char * sni
Definition dns.h:79
char * string
Definition env_set.h:38
struct env_item * next
Definition env_set.h:39
struct env_item * list
Definition env_set.h:45
Structure for reassembling one incoming fragmented packet.
Definition fragment.h:65
Packet geometry parameters.
Definition mtu.h:103
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:137
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Definition list.h:56
const char * name
Definition proxy.h:39
const char * content
Definition proxy.h:40
const char * auth_file
Definition proxy.h:55
const char * http_version
Definition proxy.h:57
const char * port
Definition proxy.h:47
bool inline_creds
Definition proxy.h:60
const char * user_agent
Definition proxy.h:58
const char * auth_method_string
Definition proxy.h:54
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
Definition proxy.h:59
const char * auth_file_up
Definition proxy.h:56
const char * server
Definition proxy.h:46
struct buffer * multiline
Definition options.c:5160
union in_src::@9 u
FILE * fp
Definition options.c:5159
int type
Definition options.c:5156
struct iroute_ipv6 * next
Definition route.h:269
unsigned int netbits
Definition route.h:268
struct in6_addr network
Definition route.h:267
in_addr_t network
Definition route.h:260
int netbits
Definition route.h:261
struct iroute * next
Definition route.h:262
const char * cipher
const name of the cipher
Definition crypto.h:142
const char * digest
Message digest static parameters.
Definition crypto.h:143
Definition options.h:97
const char * port
Definition options.h:99
int proto
Definition options.h:100
const char * local
Definition options.h:98
struct local_entry ** array
Definition options.h:193
int capacity
Definition options.h:191
struct tuntap_options tuntap_options
Definition options.h:65
int ping_rec_timeout_action
Definition options.h:86
bool tuntap_options_defined
Definition options.h:64
bool routes_ipv6_defined
Definition options.h:70
struct route_option_list * routes
Definition options.h:68
struct compress_options comp
Definition options.h:89
const char * ciphername
Definition options.h:81
struct dns_options dns_options
Definition options.h:79
const char * route_default_gateway
Definition options.h:73
const char * authname
Definition options.h:82
struct route_ipv6_option_list * routes_ipv6
Definition options.h:71
bool client_nat_defined
Definition options.h:76
struct client_nat_option_list * client_nat
Definition options.h:77
const char * route_ipv6_default_gateway
Definition options.h:74
int resolve_retry_seconds
Definition options.h:367
int rcvbuf
Definition options.h:416
bool resolve_in_advance
Definition options.h:368
bool route_nopull
Definition options.h:440
const char * genkey_extra_data
Definition options.h:286
struct compress_options comp
Definition options.h:413
struct http_proxy_options * http_proxy_override
Definition options.h:309
int push_ifconfig_ipv6_netbits
Definition options.h:526
int proto_force
Definition options.h:332
bool persist_config
Definition options.h:274
struct connection_list * connection_list
Definition options.h:291
const char * management_port
Definition options.h:450
bool tls_crypt_file_inline
Definition options.h:671
const char * ifconfig_ipv6_remote
Definition options.h:327
int max_routes_per_client
Definition options.h:539
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition options.h:580
int status_file_version
Definition options.h:407
enum vlan_acceptable_frames vlan_accept
Definition options.h:714
int auth_token_renewal
Definition options.h:548
in_addr_t push_ifconfig_constraint_network
Definition options.h:521
const char * tmp_dir
Definition options.h:469
bool push_peer_info
Definition options.h:685
bool daemon
Definition options.h:391
struct options_pre_connect * pre_connect
Definition options.h:564
int route_default_metric
Definition options.h:432
int renegotiate_seconds_min
Definition options.h:651
const char * auth_token_secret_file
Definition options.h:549
unsigned int imported_protocol_flags
Definition options.h:724
const char * tls_export_peer_cert_dir
Definition options.h:616
bool crl_file_inline
Definition options.h:620
const char * cryptoapi_cert
Definition options.h:642
const char * down_script
Definition options.h:386
unsigned int backwards_compatible
What version we should try to be compatible with as major * 10000 + minor * 100 + patch,...
Definition options.h:268
hash_algo_type verify_hash_algo
Definition options.h:626
int scheduled_exit_interval
Definition options.h:566
int stale_routes_ageing_time
Definition options.h:541
bool pkcs12_file_inline
Definition options.h:609
int replay_time
Definition options.h:587
unsigned int push_option_types_found
Definition options.h:561
int management_state_buffer_size
Definition options.h:454
const char * ca_file
Definition options.h:597
const char * tls_auth_file
Definition options.h:666
struct provider_list providers
Definition options.h:584
bool duplicate_cn
Definition options.h:530
struct in6_addr server_network_ipv6
Definition options.h:474
int shaper
Definition options.h:330
int management_echo_buffer_size
Definition options.h:453
in_addr_t server_network
Definition options.h:471
bool show_net_up
Definition options.h:698
bool verify_hash_no_ca
Definition options.h:628
bool allow_pull_fqdn
Definition options.h:442
bool use_peer_id
Definition options.h:704
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:623
bool server_bridge_defined
Definition options.h:484
const char * keying_material_exporter_label
Definition options.h:708
const char * status_file
Definition options.h:406
unsigned int ssl_flags
Definition options.h:629
bool route_noexec
Definition options.h:433
bool ifconfig_nowarn
Definition options.h:329
const char * remote_cert_eku
Definition options.h:624
in_addr_t ifconfig_pool_netmask
Definition options.h:494
in_addr_t server_netmask
Definition options.h:472
int tls_timeout
Definition options.h:645
bool test_crypto
Definition options.h:589
bool up_delay
Definition options.h:389
bool server_bridge_proxy_dhcp
Definition options.h:482
bool allow_recursive_routing
Definition options.h:721
const char * authname
Definition options.h:582
const char * exit_event_name
Definition options.h:696
const char * ifconfig_ipv6_local
Definition options.h:325
int cf_max
Definition options.h:532
bool dh_file_inline
Definition options.h:601
int replay_window
Definition options.h:586
bool disable
Definition options.h:510
int mute
Definition options.h:400
bool auth_user_pass_verify_script_via_file
Definition options.h:544
const char * dev_type
Definition options.h:319
int persist_mode
Definition options.h:275
int ifconfig_pool_persist_refresh_freq
Definition options.h:496
bool show_digests
Definition options.h:279
const char * up_script
Definition options.h:385
bool single_session
Definition options.h:683
bool push_ifconfig_defined
Definition options.h:516
bool ifconfig_pool_defined
Definition options.h:491
int verify_hash_depth
Definition options.h:627
bool route_delay_defined
Definition options.h:436
const char * packet_id_file
Definition options.h:588
const char * tls_crypt_v2_file
Definition options.h:675
int management_log_history_cache
Definition options.h:452
in_addr_t server_bridge_netmask
Definition options.h:486
const char * ip_remote_hint
Definition options.h:369
bool vlan_tagging
Definition options.h:713
uint32_t peer_id
Definition options.h:705
struct route_option_list * routes
Definition options.h:437
in_addr_t ifconfig_pool_end
Definition options.h:493
int keepalive_timeout
Definition options.h:343
const char * writepid
Definition options.h:384
int64_t inactivity_minimum_bytes
Definition options.h:346
bool ifconfig_ipv6_pool_defined
Definition options.h:498
bool fast_io
Definition options.h:411
unsigned int server_flags
Definition options.h:480
bool block_outside_dns
Definition options.h:700
bool push_ifconfig_ipv6_blocked
Definition options.h:528
bool tls_exit
Definition options.h:687
const char * pkcs12_file
Definition options.h:608
const char * client_disconnect_script
Definition options.h:505
bool show_engines
Definition options.h:280
struct remote_list * remote_list
Definition options.h:293
HANDLE msg_channel
Definition options.h:695
const char * key_pass_file
Definition options.h:277
bool mute_replay_warnings
Definition options.h:585
const char * tls_crypt_file
Definition options.h:670
int inactivity_timeout
Definition options.h:345
int n_bcast_buf
Definition options.h:512
int handshake_window
Definition options.h:655
bool server_defined
Definition options.h:470
const char * ifconfig_local
Definition options.h:323
struct connection_entry ce
Definition options.h:290
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:515
struct push_list push_list
Definition options.h:490
bool user_script_used
Definition options.h:387
const char * tls_groups
Definition options.h:612
bool show_tls_ciphers
Definition options.h:281
struct tuntap_options tuntap_options
Definition options.h:371
int route_method
Definition options.h:699
struct verify_hash_list * verify_hash
Definition options.h:625
const char * tls_cert_profile
Definition options.h:613
int64_t renegotiate_packets
Definition options.h:649
unsigned int management_flags
Definition options.h:462
int push_continuation
Definition options.h:560
const char * route_default_gateway
Definition options.h:429
in_addr_t push_ifconfig_local_alias
Definition options.h:519
struct dns_options dns_options
Definition options.h:314
bool exit_event_initial_state
Definition options.h:697
struct static_challenge_info sc_info
Definition options.h:569
bool auth_token_call_auth
Definition options.h:546
const char * ipchange
Definition options.h:317
int topology
Definition options.h:322
bool disable_dco
Definition options.h:374
const char * ncp_ciphers
Definition options.h:581
bool genkey
Definition options.h:283
const char * learn_address_script
Definition options.h:506
const char * ciphername
Definition options.h:576
const char * auth_user_pass_file
Definition options.h:562
bool forward_compatible
Definition options.h:265
const char * username
Definition options.h:377
int cf_initial_max
Definition options.h:535
int stale_routes_check_interval
Definition options.h:540
struct plugin_option_list * plugin_list
Definition options.h:465
int auth_token_lifetime
Definition options.h:547
uint16_t vlan_pvid
Definition options.h:715
int ns_cert_type
Definition options.h:622
const char * tls_crypt_v2_verify_script
Definition options.h:680
int mode
Definition options.h:262
bool tls_server
Definition options.h:595
const char * auth_user_pass_verify_script
Definition options.h:543
int connect_retry_max
Definition options.h:289
char * bind_dev
Definition options.h:421
const char * extra_certs_file
Definition options.h:604
bool client
Definition options.h:558
bool pull
Definition options.h:559
int ifconfig_ipv6_pool_netbits
Definition options.h:500
in_addr_t push_ifconfig_constraint_netmask
Definition options.h:522
bool show_curves
Definition options.h:282
const char * route_ipv6_default_gateway
Definition options.h:430
bool tls_client
Definition options.h:596
bool ping_timer_remote
Definition options.h:352
bool auth_token_generate
Definition options.h:545
bool priv_key_file_inline
Definition options.h:607
const char * tls_verify
Definition options.h:615
const char * crl_file
Definition options.h:619
int ping_rec_timeout_action
Definition options.h:357
bool auth_user_pass_file_inline
Definition options.h:563
bool show_ciphers
Definition options.h:278
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:577
int real_hash_size
Definition options.h:502
const char * route_predown_script
Definition options.h:428
const char * dh_file
Definition options.h:600
int route_delay_window
Definition options.h:435
in_addr_t push_ifconfig_local
Definition options.h:517
bool mlock
Definition options.h:340
const char ** ignore_unknown_option
Definition options.h:271
int sndbuf
Definition options.h:417
int foreign_option_index
Definition options.h:692
struct gc_arena gc
Definition options.h:253
bool gc_owned
Definition options.h:254
bool down_pre
Definition options.h:388
bool persist_tun
Definition options.h:359
int route_default_table_id
Definition options.h:431
bool ca_file_inline
Definition options.h:598
bool auth_token_secret_file_inline
Definition options.h:550
bool block_ipv6
Definition options.h:439
const char * config
Definition options.h:257
bool extra_certs_file_inline
Definition options.h:605
bool push_ifconfig_constraint_defined
Definition options.h:520
int mark
Definition options.h:420
int cf_initial_per
Definition options.h:536
int keying_material_exporter_length
Definition options.h:709
bool suppress_timestamps
Definition options.h:396
bool force_key_material_export
Definition options.h:711
bool mtu_test
Definition options.h:334
struct iroute * iroutes
Definition options.h:514
int verify_x509_type
Definition options.h:617
const char * cipher_list_tls13
Definition options.h:611
const char * ecdh_curve
Definition options.h:614
int status_file_update_freq
Definition options.h:408
const char * management_client_user
Definition options.h:456
const char * cipher_list
Definition options.h:610
bool ccd_exclusive
Definition options.h:509
bool allow_deprecated_insecure_static_crypto
Definition options.h:574
struct pull_filter_list * pull_filter_list
Definition options.h:717
const char * management_certificate
Definition options.h:459
const char * genkey_filename
Definition options.h:285
const struct x509_track * x509_track
Definition options.h:689
const char * chroot_dir
Definition options.h:379
bool log
Definition options.h:395
bool shared_secret_file_inline
Definition options.h:573
struct in6_addr push_ifconfig_ipv6_remote
Definition options.h:527
const char * ca_path
Definition options.h:599
int renegotiate_seconds
Definition options.h:650
int ping_rec_timeout
Definition options.h:351
unsigned int sockflags
Definition options.h:424
const char * engine
Definition options.h:583
const char * management_addr
Definition options.h:449
const char * client_connect_script
Definition options.h:504
const char * verify_x509_name
Definition options.h:618
int ping_send_timeout
Definition options.h:350
bool route_gateway_via_dhcp
Definition options.h:441
bool remote_random
Definition options.h:316
bool push_ifconfig_ipv6_defined
Definition options.h:524
int tcp_queue_limit
Definition options.h:513
int route_delay
Definition options.h:434
const char * dev_node
Definition options.h:320
const char * override_username
Definition options.h:511
const char * client_crresponse_script
Definition options.h:507
struct route_ipv6_option_list * routes_ipv6
Definition options.h:438
bool machine_readable_output
Definition options.h:397
int key_direction
Definition options.h:575
bool server_ipv6_defined
Definition options.h:473
const char * priv_key_file
Definition options.h:606
bool persist_remote_ip
Definition options.h:361
bool up_restart
Definition options.h:390
int keepalive_ping
Definition options.h:342
int virtual_hash_size
Definition options.h:503
bool tls_auth_file_inline
Definition options.h:667
bool tls_crypt_v2_file_inline
Definition options.h:676
const char * groupname
Definition options.h:378
in_addr_t server_bridge_pool_start
Definition options.h:487
const char * cd_dir
Definition options.h:380
struct client_nat_option_list * client_nat
Definition options.h:443
struct in6_addr push_ifconfig_ipv6_local
Definition options.h:525
int nice
Definition options.h:398
int max_clients
Definition options.h:538
int transition_window
Definition options.h:663
const char * ifconfig_remote_netmask
Definition options.h:324
const char * lladdr
Definition options.h:321
int verbosity
Definition options.h:399
int session_timeout
Definition options.h:348
const char * cert_file
Definition options.h:602
bool enable_c2c
Definition options.h:529
in_addr_t server_bridge_pool_end
Definition options.h:488
int cf_per
Definition options.h:533
enum tun_driver_type windows_driver
Definition options.h:701
bool cert_file_inline
Definition options.h:603
int remap_sigusr1
Definition options.h:393
int64_t renegotiate_bytes
Definition options.h:648
const char * route_script
Definition options.h:427
in_addr_t ifconfig_pool_start
Definition options.h:492
const char * management_user_pass
Definition options.h:451
unsigned int server_netbits_ipv6
Definition options.h:475
in_addr_t push_ifconfig_remote_netmask
Definition options.h:518
bool occ
Definition options.h:446
in_addr_t server_bridge_ip
Definition options.h:485
const char * shared_secret_file
Definition options.h:572
bool ifconfig_noexec
Definition options.h:328
const char * dev
Definition options.h:318
const char * management_client_group
Definition options.h:457
struct in6_addr ifconfig_ipv6_pool_base
Definition options.h:499
const char * client_config_dir
Definition options.h:508
enum genkey_type genkey_type
Definition options.h:284
const char * ifconfig_pool_persist_filename
Definition options.h:495
int ifconfig_ipv6_netbits
Definition options.h:326
bool persist_local_ip
Definition options.h:360
const char * names[MAX_PARMS]
Definition options.h:214
struct pull_filter * tail
Definition options.h:822
struct pull_filter * head
Definition options.h:821
struct pull_filter * next
Definition options.h:816
char * pattern
Definition options.h:815
Definition pushlist.h:29
struct push_entry * next
Definition pushlist.h:30
bool enable
Definition pushlist.h:31
const char * option
Definition pushlist.h:32
struct push_entry * head
Definition pushlist.h:37
Definition options.h:180
int proto
Definition options.h:183
const char * remote
Definition options.h:181
const char * remote_port
Definition options.h:182
sa_family_t af
Definition options.h:184
struct remote_entry ** array
Definition options.h:208
int capacity
Definition options.h:206
unsigned int flags
Definition route.h:113
unsigned int flags
Definition route.h:97
unsigned int flags
Definition misc.h:93
const char * challenge_text
Definition misc.h:95
int wins_len
Definition tun.h:118
struct in6_addr dns6[N_DHCP_ADDR]
Definition tun.h:142
in_addr_t nbdd[N_DHCP_ADDR]
Definition tun.h:125
int dns_len
Definition tun.h:114
int dns6_len
Definition tun.h:143
in_addr_t ntp[N_DHCP_ADDR]
Definition tun.h:121
int ntp_len
Definition tun.h:122
in_addr_t wins[N_DHCP_ADDR]
Definition tun.h:117
int tap_sleep
Definition tun.h:97
int dhcp_lease_time
Definition tun.h:94
in_addr_t dns[N_DHCP_ADDR]
Definition tun.h:113
const char * netbios_scope
Definition tun.h:105
int nbdd_len
Definition tun.h:126
bool ip_win32_defined
Definition tun.h:77
bool dhcp_masq_custom_offset
Definition tun.h:92
const char * domain
Definition tun.h:103
int domain_search_list_len
Definition tun.h:132
bool dhcp_renew
Definition tun.h:137
const char * domain_search_list[N_SEARCH_LIST_LEN]
Definition tun.h:131
int dhcp_masq_offset
Definition tun.h:93
int netbios_node_type
Definition tun.h:107
int ip_win32_type
Definition tun.h:85
bool dhcp_pre_release
Definition tun.h:138
bool register_dns
Definition tun.h:140
bool disable_nbt
Definition tun.h:135
int dhcp_options
Definition tun.h:101
Definition tun.h:183
struct verify_hash_list * next
Definition options.h:247
uint8_t hash[SHA256_DIGEST_LENGTH]
Definition options.h:246
unsigned short sa_family_t
Definition syshead.h:396
#define sleep(x)
Definition syshead.h:42
struct env_set * es
static bool pkcs11_id_management
struct gc_arena gc
Definition test_ssl.c:154
void ipconfig_register_dns(const struct env_set *es)
Definition tun.c:5075
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:517
bool dhcp_renew_by_adapter_index(const DWORD adapter_index)
Definition tun.c:5008
int ascii2ipset(const char *name)
Definition tun.c:6623
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:826
void show_tap_win_adapters(int msglev, int warnlev)
Definition tun.c:4001
void show_adapters(int msglev)
Definition tun.c:4838
bool dhcp_release_by_adapter_index(const DWORD adapter_index)
Definition tun.c:4967
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:536
void tap_allow_nonadmin_access(const char *dev_node)
Definition tun.c:4887
static bool dhcp_renew(const struct tuntap *tt)
Definition tun.c:5034
const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc)
Definition tun.c:690
const char * ipset2ascii_all(struct gc_arena *gc)
Definition tun.c:6652
void show_valid_win32_tun_subnets(void)
Definition tun.c:3968
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:58
#define IPW32_SET_NETSH
Definition tun.h:80
#define IPW32_SET_ADAPTIVE
Definition tun.h:83
#define DHCP_OPTIONS_DHCP_REQUIRED
Definition tun.h:72
#define N_SEARCH_LIST_LEN
Definition tun.h:128
#define IPW32_SET_DHCP_MASQ
Definition tun.h:82
#define IPW32_SET_MANUAL
Definition tun.h:79
@ WINDOWS_DRIVER_UNSPECIFIED
Definition tun.h:45
@ WINDOWS_DRIVER_TAP_WINDOWS6
Definition tun.h:46
@ DRIVER_DCO
Definition tun.h:53
#define IPW32_SET_ADAPTIVE_DELAY_WINDOW
Definition tun.h:67
#define N_DHCP_ADDR
Definition tun.h:109
#define DHCP_OPTIONS_DHCP_OPTIONAL
Definition tun.h:71
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:61
const char * win_get_tempdir(void)
Definition win32-util.c:151
void set_win_sys_path(const char *newpath, struct env_set *es)
Definition win32.c:1115
const char * win32_version_string(struct gc_arena *gc)
Get Windows version string with architecture info.
Definition win32.c:1380
void set_pause_exit_win32(void)
Definition win32.c:144