OpenVPN
options.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2024 David Sommerseth <dazo@eurephia.org>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 */
24
25/*
26 * 2004-01-28: Added Socks5 proxy support
27 * (Christof Meerwald, http://cmeerw.org)
28 */
29
30#ifdef HAVE_CONFIG_H
31#include "config.h"
32#endif
33#ifdef HAVE_CONFIG_VERSION_H
34#include "config-version.h"
35#endif
36
37#include "syshead.h"
38
39#include "buffer.h"
40#include "error.h"
41#include "common.h"
42#include "run_command.h"
43#include "shaper.h"
44#include "crypto.h"
45#include "ssl.h"
46#include "ssl_ncp.h"
47#include "options.h"
48#include "misc.h"
49#include "socket.h"
50#include "packet_id.h"
51#include "pkcs11.h"
52#include "win32.h"
53#include "push.h"
54#include "pool.h"
55#include "proto.h"
56#include "helper.h"
57#include "manage.h"
58#include "forward.h"
59#include "ssl_verify.h"
60#include "platform.h"
61#include "xkey_common.h"
62#include "dco.h"
63#include "options_util.h"
64
65#include <ctype.h>
66
67#include "memdbg.h"
68
69const char title_string[] =
70 PACKAGE_STRING
71#ifdef CONFIGURE_GIT_REVISION
72 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
73#endif
74 " " TARGET_ALIAS
75#if defined(ENABLE_CRYPTO_MBEDTLS)
76 " [SSL (mbed TLS)]"
77#elif defined(ENABLE_CRYPTO_OPENSSL)
78 " [SSL (OpenSSL)]"
79#else
80 " [SSL]"
81#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
82#ifdef USE_COMP
83#ifdef ENABLE_LZO
84 " [LZO]"
85#endif
86#ifdef ENABLE_LZ4
87 " [LZ4]"
88#endif
89#ifdef ENABLE_COMP_STUB
90 " [COMP_STUB]"
91#endif
92#endif /* USE_COMP */
93#if EPOLL
94 " [EPOLL]"
95#endif
96#ifdef PRODUCT_TAP_DEBUG
97 " [TAPDBG]"
98#endif
99#ifdef ENABLE_PKCS11
100 " [PKCS11]"
101#endif
102#if ENABLE_IP_PKTINFO
103#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
104 " [MH/PKTINFO]"
105#elif defined(IP_RECVDSTADDR)
106 " [MH/RECVDA]"
107#endif
108#endif
109 " [AEAD]"
110#ifdef ENABLE_DCO
111 " [DCO]"
112#endif
113#ifdef CONFIGURE_GIT_REVISION
114 " built on " __DATE__
115#endif
116;
117
118#ifndef ENABLE_SMALL
119
120static const char usage_message[] =
121 "%s\n"
122 "\n"
123 "General Options:\n"
124 "--config file : Read configuration options from file.\n"
125 "--help : Show options.\n"
126 "--version : Show copyright and version information.\n"
127 "\n"
128 "Tunnel Options:\n"
129 "--local host|* [port]: Local host name or IP address and port for bind.\n"
130 " If specified, OpenVPN will bindto this address. If unspecified,\n"
131 " OpenVPN will bind to all interfaces. '*' can be used as hostname\n"
132 " and means 'any host' (OpenVPN will listen on what is returned by the OS).\n"
133 " On a client, or in point-to-point mode, this can only be specified once (1 socket).\n"
134 " On an OpenVPN setup running as ``--server``, this can be specified multiple times\n"
135 " to open multiple listening sockets on different addresses and/or different ports.\n"
136 " In order to specify multiple listen ports without specifying an address, use '*'\n"
137 " to signal 'use what the operating system gives you as default', for\n"
138 " 'all IPv4 addresses' use '0.0.0.0', for 'all IPv6 addresses' use '::'.\n"
139 " ``--local`` implies ``--bind``.\n"
140 "--remote host [port] : Remote host name or ip address.\n"
141 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
142 "--remote-random-hostname : Add a random string to remote DNS name.\n"
143 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
144 "--proto p : Use protocol p for communicating with peer.\n"
145 " p = udp (default), tcp-server, tcp-client\n"
146 " udp4, tcp4-server, tcp4-client\n"
147 " udp6, tcp6-server, tcp6-client\n"
148 "--proto-force p : only consider protocol p in list of connection profiles.\n"
149 " p = udp or tcp\n"
150 "--connect-retry n [m] : For client, number of seconds to wait between\n"
151 " connection retries (default=%d). On repeated retries\n"
152 " the wait time is exponentially increased to a maximum of m\n"
153 " (default=%d).\n"
154 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
155 "--http-proxy s p [up] [auth] : Connect to remote host\n"
156 " through an HTTP proxy at address s and port p.\n"
157 " If proxy authentication is required,\n"
158 " up is a file containing username/password on 2 lines, or\n"
159 " 'stdin' to prompt from console. Add auth='ntlm2' if\n"
160 " the proxy requires NTLM authentication.\n"
161 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
162 " determine auth method and query for username/password\n"
163 " if needed. auto-nct disables weak proxy auth methods.\n"
164 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
165 " Repeat to set multiple options.\n"
166 " VERSION version (default=1.0)\n"
167 " AGENT user-agent\n"
168 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
169 " address s and port p (default port = 1080).\n"
170 " If proxy authentication is required,\n"
171 " up is a file containing username/password on 2 lines, or\n"
172 " 'stdin' to prompt for console.\n"
173 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
174 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
175 " resolve for n seconds before failing (disabled by default).\n"
176 " Set n=\"infinite\" to retry indefinitely.\n"
177 "--float : Allow remote to change its IP address/port, such as through\n"
178 " DHCP (this is the default if --remote is not used).\n"
179 "--ipchange cmd : Run command cmd on remote ip address initial\n"
180 " setting or change -- execute as: cmd ip-address port#\n"
181 "--port port : TCP/UDP port # for both local and remote.\n"
182 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
183 "--rport port : TCP/UDP port # for remote (default=%s).\n"
184 "--bind : Bind to local address and port. (This is the default unless\n"
185 " --proto tcp-client"
186 " or --http-proxy"
187 " or --socks-proxy"
188 " is used).\n"
189 "--nobind : Do not bind to local address and port.\n"
190 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
191 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
192 " this option only if the tun/tap device used with --dev\n"
193 " does not begin with \"tun\" or \"tap\".\n"
194 "--dev-node node : Explicitly set the device node rather than using\n"
195 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
196#if defined(ENABLE_DCO)
197 "--disable-dco : Do not attempt using Data Channel Offload.\n"
198#endif
199 "--lladdr hw : Set the link layer address of the tap device.\n"
200 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
201#ifdef ENABLE_IPROUTE
202 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
203#endif
204 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
205 " endpoint and rn as a remote endpoint. l & rn should be\n"
206 " swapped on the other peer. l & rn must be private\n"
207 " addresses outside of the subnets used by either peer.\n"
208 " TAP: configure device to use IP address l as a local\n"
209 " endpoint and rn as a subnet mask.\n"
210 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
211 " endpoint (as a /64) and r as remote endpoint\n"
212 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
213 " pass --ifconfig parms by environment to scripts.\n"
214 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
215 " connection doesn't match the remote side.\n"
216 "--route network [netmask] [gateway] [metric] :\n"
217 " Add route to routing table after connection\n"
218 " is established. Multiple routes can be specified.\n"
219 " netmask default: 255.255.255.255\n"
220 " gateway default: taken from --route-gateway or --ifconfig\n"
221 " Specify default by leaving blank or setting to \"default\".\n"
222 "--route-ipv6 network/bits [gateway] [metric] :\n"
223 " Add IPv6 route to routing table after connection\n"
224 " is established. Multiple routes can be specified.\n"
225 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
226 " in --ifconfig-ipv6\n"
227 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
228 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
229 "--route-metric m : Specify a default metric for use with --route.\n"
230 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
231 " adding routes (may be 0). If not specified, routes will\n"
232 " be added immediately after tun/tap open. On Windows, wait\n"
233 " up to w seconds for TUN/TAP adapter to come up.\n"
234 "--route-up cmd : Run command cmd after routes are added.\n"
235 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
236 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
237 " --route-up script using environmental variables.\n"
238 "--route-nopull : When used with --client or --pull, accept options pushed\n"
239 " by server EXCEPT for routes, dns, and dhcp options.\n"
240 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
241 " --ifconfig, --route, and --route-gateway.\n"
242 "--redirect-gateway [flags]: Automatically execute routing\n"
243 " commands to redirect all outgoing IP traffic through the\n"
244 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
245 " connected via a common subnet, such as with WiFi.\n"
246 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
247 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
248 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
249 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
250 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
251 " the default gateway. Useful when pushing private subnets.\n"
252 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
253 " ICMPv6 host unreachable messages on the client.\n"
254 " (Server) Instead of forwarding IPv6 packets send\n"
255 " ICMPv6 host unreachable packets to the client.\n"
256 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
257 "--push-peer-info : (client only) push client info to server.\n"
258 "--setenv name value : Set a custom environmental variable to pass to script.\n"
259 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
260 " directives for future OpenVPN versions to be ignored.\n"
261 "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
262 " these options to be ignored when unknown\n"
263 "--script-security level: Where level can be:\n"
264 " 0 -- strictly no calling of external programs\n"
265 " 1 -- (default) only call built-ins such as ifconfig\n"
266 " 2 -- allow calling of built-ins and scripts\n"
267 " 3 -- allow password to be passed to scripts via env\n"
268 "--shaper n : Restrict output to peer to n bytes per second.\n"
269 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
270 " ping once every n seconds, restart if ping not received\n"
271 " for m seconds.\n"
272 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
273 " produces a combined in/out byte count < bytes.\n"
274 "--session-timeout n: Limit connection time to n seconds.\n"
275 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
276 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
277 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
278 " remote address.\n"
279 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
280#if ENABLE_IP_PKTINFO
281 "--multihome : Configure a multi-homed UDP server.\n"
282#endif
283 "--fast-io : Optimize TUN/TAP/UDP writes.\n"
284 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
285 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
286 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
287 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
288#if PASSTOS_CAPABILITY
289 "--passtos : TOS passthrough (applies to IPv4 only).\n"
290#endif
291 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
292 " TCP/UDP MTU from it (default=%d).\n"
293 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
294 " as n bytes more than the tun-mtu size on read\n"
295 " (default TUN=0 TAP=%d).\n"
296 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
297 " from it.\n"
298 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
299 " 'no' -- Never send DF (Don't Fragment) frames\n"
300 " 'maybe' -- Use per-route hints\n"
301 " 'yes' -- Always DF (Don't Fragment)\n"
302 "--mtu-test : Empirically measure and report MTU.\n"
303#ifdef ENABLE_FRAGMENT
304 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
305 " datagrams are sent which are larger than max bytes.\n"
306 " Adds 4 bytes of overhead per datagram.\n"
307#endif
308 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
309 " or --fragment max value, whichever is lower.\n"
310 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
311 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
312#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
313 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
314 " can be matched in policy routing and packetfilter rules.\n"
315 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
316 " listening for connections. This allows sending encrypted packets\n"
317 " via a VRF present on the system.\n"
318#endif
319 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
320#ifdef ENABLE_MEMSTATS
321 "--memstats file : Write live usage stats to memory mapped binary file.\n"
322#endif
323 "--mlock : Disable Paging -- ensures key material and tunnel\n"
324 " data will never be written to disk.\n"
325 "--up cmd : Run command cmd after successful tun device open.\n"
326 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
327 " ifconfig-local-ip ifconfig-remote-ip\n"
328 " (pre --user or --group UID/GID change)\n"
329 "--up-delay : Delay tun/tap open and possible --up script execution\n"
330 " until after TCP/UDP connection establishment with peer.\n"
331 "--down cmd : Run command cmd after tun device close.\n"
332 " (post --user/--group UID/GID change and/or --chroot)\n"
333 " (command parameters are same as --up option)\n"
334 "--down-pre : Run --down command before TUN/TAP close.\n"
335 "--up-restart : Run up/down commands for all restarts including those\n"
336 " caused by --ping-restart or SIGUSR1\n"
337 "--user user : Set UID to user after initialization.\n"
338 "--group group : Set GID to group after initialization.\n"
339 "--chroot dir : Chroot to this directory after initialization.\n"
340#ifdef ENABLE_SELINUX
341 "--setcon context: Apply this SELinux context after initialization.\n"
342#endif
343 "--cd dir : Change to this directory before initialization.\n"
344 "--daemon [name] : Become a daemon after initialization.\n"
345 " The optional 'name' parameter will be passed\n"
346 " as the program name to the system logger.\n"
347 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
348 " See --daemon above for a description of the 'name' parm.\n"
349 "--log file : Output log to file which is created/truncated on open.\n"
350 "--log-append file : Append log to file, or create file if nonexistent.\n"
351 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
352 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
353 "--writepid file : Write main process ID to file.\n"
354 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
355 "--echo [parms ...] : Echo parameters to log output.\n"
356 "--verb n : Set output verbosity to n (default=%d):\n"
357 " (Level 3 is recommended if you want a good summary\n"
358 " of what's happening without being swamped by output).\n"
359 " : 0 -- no output except fatal errors\n"
360 " : 1 -- startup info + connection initiated messages +\n"
361 " non-fatal encryption & net errors\n"
362 " : 2,3 -- show TLS negotiations & route info\n"
363 " : 4 -- show parameters\n"
364 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
365 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
366 " : 6 to 11 -- debug messages of increasing verbosity\n"
367 "--mute n : Log at most n consecutive messages in the same category.\n"
368 "--status file [n] : Write operational status to file every n seconds.\n"
369 "--status-version [n] : Choose the status file format version number.\n"
370 " Currently, n can be 1, 2, or 3 (default=1).\n"
371 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
372#ifdef ENABLE_DEBUG
373 "--gremlin mask : Special stress testing mode (for debugging only).\n"
374#endif
375#if defined(USE_COMP)
376 "--compress alg : Use compression algorithm alg\n"
377 "--allow-compression: Specify whether compression should be allowed\n"
378#if defined(ENABLE_LZO)
379 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
380 " packet for incompressible data.\n"
381 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
382 " is specified.\n"
383#endif
384#endif
385#ifdef ENABLE_MANAGEMENT
386 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
387 " management functions. pass is a password file\n"
388 " or 'stdin' to prompt from console.\n"
389#if UNIX_SOCK_SUPPORT
390 " To listen on a unix domain socket, specific the pathname\n"
391 " in place of ip and use 'unix' as the port number.\n"
392#endif
393 "--management-client : Management interface will connect as a TCP client to\n"
394 " ip/port rather than listen as a TCP server.\n"
395 "--management-query-passwords : Query management channel for private key\n"
396 " and auth-user-pass passwords.\n"
397 "--management-query-proxy : Query management channel for proxy information.\n"
398 "--management-query-remote : Query management channel for --remote directive.\n"
399 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
400 " of the management interface explicitly starts it.\n"
401 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
402 "--management-forget-disconnect : Forget passwords when management disconnect\n"
403 " event occurs.\n"
404 "--management-up-down : Report tunnel up/down events to management interface.\n"
405 "--management-log-cache n : Cache n lines of log file history for usage\n"
406 " by the management channel.\n"
407#if UNIX_SOCK_SUPPORT
408 "--management-client-user u : When management interface is a unix socket, only\n"
409 " allow connections from user u.\n"
410 "--management-client-group g : When management interface is a unix socket, only\n"
411 " allow connections from group g.\n"
412#endif
413 "--management-client-auth : gives management interface client the responsibility\n"
414 " to authenticate clients after their client certificate\n"
415 " has been verified.\n"
416#endif /* ifdef ENABLE_MANAGEMENT */
417#ifdef ENABLE_PLUGIN
418 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
419 " to its initialization function.\n"
420#endif
421 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
422 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
423 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
424 "\n"
425 "Multi-Client Server options (when --mode server is used):\n"
426 "--server network netmask : Helper option to easily configure server mode.\n"
427 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
428 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
429 " easily configure ethernet bridging server mode.\n"
430 "--push \"option\" : Push a config file option back to the peer for remote\n"
431 " execution. Peer must specify --pull in its config file.\n"
432 "--push-reset : Don't inherit global push list for specific\n"
433 " client instance.\n"
434 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
435 " a specific client instance.\n"
436 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
437 " to be dynamically allocated to connecting clients.\n"
438 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
439 " data to file, at seconds intervals (default=600).\n"
440 " If seconds=0, file will be treated as read-only.\n"
441 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
442 " to be dynamically allocated to connecting clients.\n"
443 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
444 " overrides --ifconfig-pool dynamic allocation.\n"
445 " Only valid in a client-specific config file.\n"
446 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
447 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
448 " Only valid in a client-specific config file.\n"
449 "--iroute network [netmask] : Route subnet to client.\n"
450 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
451 " Sets up internal routes only.\n"
452 " Only valid in a client-specific config file.\n"
453 "--disable : Client is disabled.\n"
454 " Only valid in a client-specific config file.\n"
455 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
456 " mandatory client certificate verification.\n"
457 " Default is to require the client to supply a certificate.\n"
458 "--username-as-common-name : For auth-user-pass authentication, use\n"
459 " the authenticated username as the common name,\n"
460 " rather than the common name from the client cert.\n"
461 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
462 " run command cmd to verify. If method='via-env', pass\n"
463 " user/pass via environment, if method='via-file', pass\n"
464 " user/pass via temporary file.\n"
465 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
466 " to each client, replacing the password. Useful when\n"
467 " OTP based two-factor auth mechanisms are in use and\n"
468 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
469 " for generated tokens can be set.\n"
470 "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
471 " with those of the server will be disconnected.\n"
472 "--auth-user-pass-optional : Allow connections by clients that don't\n"
473 " specify a username/password.\n"
474 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
475 " any printable character.\n"
476 "--client-to-client : Internally route client-to-client traffic.\n"
477 "--duplicate-cn : Allow multiple clients with the same common name to\n"
478 " concurrently connect.\n"
479 "--client-connect cmd : Run command cmd on client connection.\n"
480 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
481 "--client-config-dir dir : Directory for custom client config files.\n"
482 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
483 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
484 "--hash-size r v : Set the size of the real address hash table to r and the\n"
485 " virtual address table to v.\n"
486 "--bcast-buffers n : Allocate n broadcast buffers.\n"
487 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
488 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
489 " as well as pushes it to connecting clients.\n"
490 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
491 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
492 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
493 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
494 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
495 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
496 " older than n seconds. Run this check every t\n"
497 " seconds (defaults to n).\n"
498 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
499 " clients. n = 1 - reconnect to same server,\n"
500 " 2 - advance to next server, default=1.\n"
501#if PORT_SHARE
502 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
503 " sessions to a web server at host:port. dir specifies an\n"
504 " optional directory to write origin IP:port data.\n"
505#endif
506 "\n"
507 "Client options (when connecting to a multi-client server):\n"
508 "--client : Helper option to easily configure client mode.\n"
509 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
510 " up is a file containing the username on the first line,\n"
511 " and a password on the second. If either the password or both\n"
512 " the username and the password are omitted OpenVPN will prompt\n"
513 " for them from console.\n"
514 "--pull : Accept certain config file options from the peer as if they\n"
515 " were part of the local config file. Must be specified\n"
516 " when connecting to a '--mode server' remote host.\n"
517 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
518 " server if it starts with the text t. The action flag accept,\n"
519 " ignore or reject causes the option to be allowed, removed or\n"
520 " rejected with error. May be specified multiple times, and\n"
521 " each filter is applied in the order of appearance.\n"
522 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
523 " Valid options are :\n"
524 " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
525 " resolve-domains <domain> [domain ...] : split domains\n"
526 " dnssec <yes|no|optional> : option to use DNSSEC\n"
527 " type <DoH|DoT> : query server over HTTPS / TLS\n"
528 " sni <domain> : DNS server name indication\n"
529 "--dns search-domains <domain> [domain ...]:\n"
530 " Add domains to DNS domain search list\n"
531 "--auth-retry t : How to handle auth failures. Set t to\n"
532 " none (default), interact, or nointeract.\n"
533 "--static-challenge t e [<scrv1|concat>]: Enable static challenge/response protocol using\n"
534 " challenge text t, with e indicating echo flag (0|1)\n"
535 " and optional argument scrv1 or concat to use SCRV1 protocol or"
536 " concatenate response with password. Default is scrv1.\n"
537 "--connect-timeout n : when polling possible remote servers to connect to\n"
538 " in a round-robin fashion, spend no more than n seconds\n"
539 " waiting for a response before trying the next server.\n"
540 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
541 " incoming tun packets with same destination as host.\n"
542 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
543 " server/remote. n = # of retries, default=1.\n"
544 "\n"
545 "Data Channel Encryption Options (must be compatible between peers):\n"
546 "(These options are meaningful for both Static Key & TLS-mode)\n"
547 "--auth alg : Authenticate packets with HMAC using message\n"
548 " digest algorithm alg (default=%s).\n"
549 " (usually adds 16 or 20 bytes per packet)\n"
550 " Set alg=none to disable authentication.\n"
551 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
552 " You should usually use --data-ciphers instead.\n"
553 " Set alg=none to disable encryption.\n"
554 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
555#ifndef ENABLE_CRYPTO_MBEDTLS
556 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
557#endif
558 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
559 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
560 " and a time window of t seconds.\n"
561 " Default n=%d t=%d\n"
562 "--replay-persist file : Persist replay-protection state across sessions\n"
563 " using file.\n"
564 "--test-crypto : Run a self-test of crypto features enabled.\n"
565 " For debugging only.\n"
566#ifdef ENABLE_PREDICTION_RESISTANCE
567 "--use-prediction-resistance: Enable prediction resistance on the random\n"
568 " number generator.\n"
569#endif
570 "\n"
571 "TLS Key Negotiation Options:\n"
572 "(These options are meaningful only for TLS-mode)\n"
573 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
574 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
575 "--ca file : Certificate authority file in .pem format containing\n"
576 " root certificate.\n"
577#ifndef ENABLE_CRYPTO_MBEDTLS
578 "--capath dir : A directory of trusted certificates (CAs"
579 " and CRLs).\n"
580#endif /* ENABLE_CRYPTO_MBEDTLS */
581 "--dh file : File containing Diffie Hellman parameters\n"
582 " in .pem format (for --tls-server only).\n"
583 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
584 "--cert file : Local certificate in .pem format or a URI -- must be signed\n"
585 " by a Certificate Authority in --ca file used by the peer.\n"
586 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
587 "--key file : Local private key in .pem format or a URI.\n"
588 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
589 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
590 " is specified, require max TLS version supported by SSL implementation.\n"
591 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
592#ifndef ENABLE_CRYPTO_MBEDTLS
593 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
594 " and optionally the root CA certificate.\n"
595#endif
596#ifdef ENABLE_X509ALTUSERNAME
597 "--x509-username-field : Field in x509 certificate containing the username.\n"
598 " Default is CN in the Subject field.\n"
599#endif
600 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
601 " Valid algo flags are SHA1 and SHA256. \n"
602#ifdef _WIN32
603 "--cryptoapicert select-string : Load the certificate and private key from the\n"
604 " Windows Certificate System Store.\n"
605#endif
606 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
607 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
608 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
609 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
610 " (default=legacy).\n"
611 "--providers l : A list l of OpenSSL providers to load.\n"
612 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
613 " if no ACK from remote within n seconds (default=%d).\n"
614 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
615 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
616 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
617 " and at least min (defaults to 90%% of max on servers and equal\n"
618 " to max on clients).\n"
619 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
620 " of handshake initiation by any peer (default=%d).\n"
621 "--tran-window n : Transition window -- old key can live this many seconds\n"
622 " after new key renegotiation begins (default=%d).\n"
623 "--single-session: Allow only one session (reset state on restart).\n"
624 "--tls-exit : Exit on TLS negotiation failure.\n"
625 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
626 " control channel to protect against attacks on the TLS stack\n"
627 " and DoS attacks.\n"
628 " f (required) is a shared-secret key file.\n"
629 " The optional d parameter controls key directionality.\n"
630 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
631 " of the TLS control channel to hide the TLS certificate,\n"
632 " provide basic post-quantum security and protect against\n"
633 " attacks on the TLS stack and DoS attacks.\n"
634 " key (required) provides the pre-shared key file.\n"
635 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
636 " For servers: use key to decrypt client-specific keys. For\n"
637 " key generation (--genkey tls-crypt-v2-client): use key to\n"
638 " encrypt generated client-specific key. (See --tls-crypt.)\n"
639 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
640 " fresh tls-crypt-v2 client key, and store to\n"
641 " keyfile. If supplied, include metadata in wrapped key.\n"
642 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
643 " fresh tls-crypt-v2 server key, and store to keyfile\n"
644 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
645 " client-supplied tls-crypt-v2 client key\n"
646 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
647 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
648 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
649 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
650 " pending TLS connection that has otherwise passed all other\n"
651 " tests of certification. cmd should return 0 to allow\n"
652 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
653 " executed as 'cmd certificate_depth subject')\n"
654 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
655 " DN name. The remote host must also pass all other tests\n"
656 " of verification.\n"
657#ifndef ENABLE_CRYPTO_MBEDTLS
658 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
659 " an explicit nsCertType designation t = 'client' | 'server'.\n"
660#endif
661 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
662 " plugins and management interface.\n"
663#ifdef HAVE_EXPORT_KEYING_MATERIAL
664 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
665 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
666#endif
667 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
668 " explicit key usage, you can specify more than one value.\n"
669 " value should be given in hex format.\n"
670 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
671 " explicit extended key usage. Extended key usage can be encoded\n"
672 " as an object identifier or OpenSSL string representation.\n"
673 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
674 " key usage and extended key usage based on RFC3280 TLS rules.\n"
675 " t = 'client' | 'server'.\n"
676#ifdef ENABLE_PKCS11
677 "\n"
678 "PKCS#11 Options:\n"
679 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
680 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
681 " path. Set for each provider.\n"
682 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
683 " 0 : Try to determine automatically (default).\n"
684 " 1 : Use Sign.\n"
685 " 2 : Use SignRecover.\n"
686 " 4 : Use Decrypt.\n"
687 " 8 : Use Unwrap.\n"
688 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
689 " certificate can be accessed. Set for each provider.\n"
690 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
691 " cache until token is removed.\n"
692 "--pkcs11-id-management : Acquire identity from management interface.\n"
693 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
694#endif /* ENABLE_PKCS11 */
695 "\n"
696 "SSL Library information:\n"
697 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
698 "--show-digests : Show message digest algorithms to use with --auth option.\n"
699 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
700 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
701#ifdef _WIN32
702 "\n"
703 "Windows Specific:\n"
704 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
705 " from SystemRoot environment variable.\n"
706 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
707 " IP address using method = manual, netsh, ipapi,\n"
708 " dynamic, or adaptive (default = adaptive).\n"
709 " Dynamic method allows two optional parameters:\n"
710 " offset: DHCP server address offset (> -256 and < 256).\n"
711 " If 0, use network address, if >0, take nth\n"
712 " address forward from network address, if <0,\n"
713 " take nth address backward from broadcast\n"
714 " address.\n"
715 " Default is 0.\n"
716 " lease-time: Lease time in seconds.\n"
717 " Default is one year.\n"
718 "--route-method : Which method to use for adding routes on Windows?\n"
719 " adaptive (default) -- Try ipapi then fall back to exe.\n"
720 " ipapi -- Use IP helper API.\n"
721 " exe -- Call the route.exe shell command.\n"
722 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
723 " be used with --ip-win32 dynamic. For options\n"
724 " which allow multiple addresses,\n"
725 " --dhcp-option must be repeated.\n"
726 " DOMAIN name : Set DNS suffix\n"
727 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
728 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
729 " NTP : Set NTP server address(es)\n"
730 " NBDD : Set NBDD server address(es)\n"
731 " WINS addr : Set WINS server address(es)\n"
732 " NBT type : Set NetBIOS over TCP/IP Node type\n"
733 " 1: B, 2: P, 4: M, 8: H\n"
734 " NBS id : Set NetBIOS scope ID\n"
735 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
736 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
737 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
738 " startup.\n"
739 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
740 " on connection initiation.\n"
741 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
742 " attempting to set adapter properties.\n"
743 "--pause-exit : When run from a console window, pause before exiting.\n"
744 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
745 " service, and should not be used directly by end-users.\n"
746 " ex is the name of an event object which, when\n"
747 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
748 " optional parameter controls the initial state of ex.\n"
749 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
750 " after TAP adapter is up and routes have been added.\n"
751 "--windows-driver : Which tun driver to use?\n"
752 " ovpn-dco (default)\n"
753 " tap-windows6\n"
754 " wintun\n"
755 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
756 "Windows Standalone Options:\n"
757 "\n"
758 "--show-adapters : Show all TAP-Windows adapters.\n"
759 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
760 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
761 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
762 " to access TAP adapter.\n"
763#endif /* ifdef _WIN32 */
764 "\n"
765 "Generate a new key :\n"
766 "--genkey tls-auth file : Generate a new random key of type and write to file\n"
767 " (for use with --tls-auth or --tls-crypt)."
768#ifdef ENABLE_FEATURE_TUN_PERSIST
769 "\n"
770 "Tun/tap config mode (available with linux 2.4+):\n"
771 "--mktun : Create a persistent tunnel.\n"
772 "--rmtun : Remove a persistent tunnel.\n"
773 "--dev tunX|tapX : tun/tap device\n"
774 "--dev-type dt : Device type. See tunnel options above for details.\n"
775 "--user user : User to set privilege to.\n"
776 "--group group : Group to set privilege to.\n"
777#endif
778#ifdef ENABLE_PKCS11
779 "\n"
780 "PKCS#11 standalone options:\n"
781#ifdef DEFAULT_PKCS11_MODULE
782 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
783#else
784 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
785#endif
786 " --verb option can be added *BEFORE* this.\n"
787#endif /* ENABLE_PKCS11 */
788 "\n"
789 "General Standalone Options:\n"
790#ifdef ENABLE_DEBUG
791 "--show-gateway [address]: Show info about gateway [to v4/v6 address].\n"
792#endif
793;
794
795#endif /* !ENABLE_SMALL */
796
797/*
798 * This is where the options defaults go.
799 * Any option not explicitly set here
800 * will be set to 0.
801 */
802void
803init_options(struct options *o, const bool init_gc)
804{
805 CLEAR(*o);
806 if (init_gc)
807 {
808 gc_init(&o->gc);
809 gc_init(&o->dns_options.gc);
810 o->gc_owned = true;
811 }
812 o->mode = MODE_POINT_TO_POINT;
813 o->topology = TOP_UNDEF;
814 o->ce.proto = PROTO_UDP;
815 o->ce.af = AF_UNSPEC;
816 o->ce.bind_ipv6_only = false;
817 o->ce.connect_retry_seconds = 1;
818 o->ce.connect_retry_seconds_max = 300;
819 o->ce.connect_timeout = 120;
820 o->connect_retry_max = 0;
821 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
822 o->verbosity = 1;
823 o->status_file_update_freq = 60;
824 o->status_file_version = 1;
825 o->ce.bind_local = true;
826 o->ce.tun_mtu = TUN_MTU_DEFAULT;
827 o->ce.occ_mtu = 0;
828 o->ce.link_mtu = LINK_MTU_DEFAULT;
829 o->ce.tls_mtu = TLS_MTU_DEFAULT;
830 o->ce.mtu_discover_type = -1;
831 o->ce.mssfix = 0;
832 o->ce.mssfix_default = true;
833 o->ce.mssfix_encap = true;
834 o->route_delay_window = 30;
835 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
836 o->resolve_in_advance = false;
837 o->proto_force = -1;
838 o->occ = true;
839#ifdef ENABLE_MANAGEMENT
840 o->management_log_history_cache = 250;
841 o->management_echo_buffer_size = 100;
842 o->management_state_buffer_size = 100;
843#endif
844#ifdef ENABLE_FEATURE_TUN_PERSIST
845 o->persist_mode = 1;
846#endif
847#ifdef _WIN32
848#if 0
849 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
850#else
851 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
852#endif
853 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
854 o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
855 o->route_method = ROUTE_METHOD_ADAPTIVE;
856 o->block_outside_dns = false;
857 o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
858#endif
859 o->vlan_accept = VLAN_ALL;
860 o->vlan_pvid = 1;
861 o->real_hash_size = 256;
862 o->virtual_hash_size = 256;
863 o->n_bcast_buf = 256;
864 o->tcp_queue_limit = 64;
865 o->max_clients = 1024;
866 o->cf_initial_per = 10;
867 o->cf_initial_max = 100;
868 o->max_routes_per_client = 256;
869 o->stale_routes_check_interval = 0;
870 o->ifconfig_pool_persist_refresh_freq = 600;
871 o->scheduled_exit_interval = 5;
872 o->authname = "SHA1";
873 o->replay_window = DEFAULT_SEQ_BACKTRACK;
874 o->replay_time = DEFAULT_TIME_BACKTRACK;
875 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
876#ifdef ENABLE_PREDICTION_RESISTANCE
877 o->use_prediction_resistance = false;
878#endif
879 o->tls_timeout = 2;
880 o->renegotiate_bytes = -1;
881 o->renegotiate_seconds = 3600;
882 o->renegotiate_seconds_min = -1;
883 o->handshake_window = 60;
884 o->transition_window = 3600;
885 o->tls_cert_profile = NULL;
886 o->ecdh_curve = NULL;
887#ifdef ENABLE_X509ALTUSERNAME
888 o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
889#endif
890#ifdef ENABLE_PKCS11
891 o->pkcs11_pin_cache_period = -1;
892#endif /* ENABLE_PKCS11 */
893
894 /* P2MP server context features */
895 o->auth_token_generate = false;
896
897 /* Set default --tmp-dir */
898#ifdef _WIN32
899 /* On Windows, find temp dir via environment variables */
900 o->tmp_dir = win_get_tempdir();
901
902 if (!o->tmp_dir)
903 {
904 /* Error out if we can't find a valid temporary directory, which should
905 * be very unlikely. */
906 msg(M_USAGE, "Could not find a suitable temporary directory."
907 " (GetTempPath() failed). Consider using --tmp-dir");
908 }
909#else /* ifdef _WIN32 */
910 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
911 o->tmp_dir = getenv("TMPDIR");
912 if (!o->tmp_dir)
913 {
914 o->tmp_dir = "/tmp";
915 }
916#endif /* _WIN32 */
917 o->allow_recursive_routing = false;
918
919#ifndef ENABLE_DCO
920 o->disable_dco = true;
921#endif /* ENABLE_DCO */
922}
923
924void
925uninit_options(struct options *o)
926{
927 if (o->connection_list)
928 {
929 CLEAR(*o->connection_list);
930 }
931 if (o->remote_list)
932 {
933 CLEAR(*o->remote_list);
934 }
935 if (o->gc_owned)
936 {
937 gc_free(&o->gc);
938 gc_free(&o->dns_options.gc);
939 }
940}
941
942struct pull_filter
943{
944#define PUF_TYPE_UNDEF 0
945#define PUF_TYPE_ACCEPT 1
946#define PUF_TYPE_IGNORE 2
947#define PUF_TYPE_REJECT 3
948 int type;
949 int size;
950 char *pattern;
951 struct pull_filter *next;
952};
953
954struct pull_filter_list
955{
956 struct pull_filter *head;
957 struct pull_filter *tail;
958};
959
960#ifndef ENABLE_SMALL
961
962static const char *
963pull_filter_type_name(int type)
964{
965 if (type == PUF_TYPE_ACCEPT)
966 {
967 return "accept";
968 }
969 if (type == PUF_TYPE_IGNORE)
970 {
971 return "ignore";
972 }
973 if (type == PUF_TYPE_REJECT)
974 {
975 return "reject";
976 }
977 else
978 {
979 return "???";
980 }
981}
982
983#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
984#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
985#define SHOW_STR_INLINE(var) SHOW_PARM(var, \
986 o->var ## _inline ? "[INLINE]" : \
987 (o->var ? o->var : "[UNDEF]"), \
988 "'%s'")
989#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
990#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
991#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
992#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
993#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
994
995#endif /* ifndef ENABLE_SMALL */
996
997static void
998setenv_connection_entry(struct env_set *es,
999 const struct connection_entry *e,
1000 const int i)
1001{
1002 setenv_str_i(es, "remote", e->remote, i);
1003 setenv_str_i(es, "remote_port", e->remote_port, i);
1004
1005 if (e->http_proxy_options)
1006 {
1007 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
1008 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
1009 }
1010 if (e->socks_proxy_server)
1011 {
1012 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
1013 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
1014 }
1015}
1016
1017static void
1018setenv_local_entry(struct env_set *es,
1019 const struct local_entry *e,
1020 const int i)
1021{
1022 setenv_str_i(es, "proto", proto2ascii(e->proto, AF_UNSPEC, false), i);
1023 setenv_str_i(es, "local", e->local, i);
1024 setenv_str_i(es, "local_port", e->port, i);
1025}
1026
1027void
1028setenv_settings(struct env_set *es, const struct options *o)
1029{
1030 setenv_str(es, "config", o->config);
1031 setenv_int(es, "verb", o->verbosity);
1032 setenv_int(es, "daemon", o->daemon);
1033 setenv_int(es, "daemon_log_redirect", o->log);
1034 setenv_long_long(es, "daemon_start_time", time(NULL));
1035 setenv_int(es, "daemon_pid", platform_getpid());
1036
1037 if (o->connection_list)
1038 {
1039 int i;
1040 for (i = 0; i < o->connection_list->len; ++i)
1041 {
1042 setenv_connection_entry(es, o->connection_list->array[i], i+1);
1043 }
1044 }
1045 else
1046 {
1047 setenv_connection_entry(es, &o->ce, 1);
1048 }
1049
1050 if (o->ce.local_list)
1051 {
1052 for (int i = 0; i < o->ce.local_list->len; i++)
1053 {
1054 setenv_local_entry(es, o->ce.local_list->array[i], i+1);
1055 }
1056 }
1057
1058 if (!o->pull)
1059 {
1060 setenv_dns_options(&o->dns_options, es);
1061 }
1062}
1063
1064#ifndef _WIN32
1065static void
1066setenv_foreign_option(struct options *o, const char *argv[], int len, struct env_set *es)
1067{
1068 if (len > 0)
1069 {
1070 struct gc_arena gc = gc_new();
1071 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1072 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1073 int i;
1074 bool first = true;
1075 bool good = true;
1076
1077 good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
1078 ++o->foreign_option_index;
1079 for (i = 0; i < len; ++i)
1080 {
1081 if (argv[i])
1082 {
1083 if (!first)
1084 {
1085 good &= buf_printf(&value, " ");
1086 }
1087 good &= buf_printf(&value, "%s", argv[i]);
1088 first = false;
1089 }
1090 }
1091 if (good)
1092 {
1093 setenv_str(es, BSTR(&name), BSTR(&value));
1094 }
1095 else
1096 {
1097 msg(M_WARN, "foreign_option: name/value overflow");
1098 }
1099 gc_free(&gc);
1100 }
1101}
1102#endif /* ifndef _WIN32 */
1103
1104static in_addr_t
1105get_ip_addr(const char *ip_string, int msglevel, bool *error)
1106{
1107 unsigned int flags = GETADDR_HOST_ORDER;
1108 bool succeeded = false;
1109 in_addr_t ret;
1110
1111 if (msglevel & M_FATAL)
1112 {
1113 flags |= GETADDR_FATAL;
1114 }
1115
1116 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1117 if (!succeeded && error)
1118 {
1119 *error = true;
1120 }
1121 return ret;
1122}
1123
1129static char *
1130get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1131{
1132 const char *end = strchr(addr, '/');
1133 char *ret = NULL;
1134 if (NULL == end)
1135 {
1136 ret = string_alloc(addr, gc);
1137 }
1138 else
1139 {
1140 size_t len = end - addr;
1141 ret = gc_malloc(len + 1, true, gc);
1142 memcpy(ret, addr, len);
1143 }
1144 return ret;
1145}
1146
1147static bool
1148ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1149{
1150 struct in6_addr t_addr;
1151 unsigned int t_bits;
1152
1153 return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1154}
1155
1156static char *
1157string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1158{
1159 char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1160 char *dest = ret;
1161 char c;
1162
1163 do
1164 {
1165 c = *src++;
1166 if (c == from)
1167 {
1168 c = to;
1169 }
1170 *dest++ = c;
1171 }
1172 while (c);
1173 return ret;
1174}
1175
1185static struct verify_hash_list *
1186parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1187{
1188 int i = 0;
1189 const char *cp = str;
1190
1191 struct verify_hash_list *ret;
1192 ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1193
1194 char term = 0;
1195 unsigned int byte;
1196
1197 while (*cp && i < nbytes)
1198 {
1199 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1200 if (!isxdigit(cp[0])
1201 || !isxdigit(cp[1])
1202 || (cp[2] != ':' && cp[2] != '\0')
1203 || sscanf(cp, "%x", &byte) != 1)
1204 {
1205 msg(msglevel, "format error in hash fingerprint: %s", str);
1206 break;
1207 }
1208
1209 ret->hash[i++] = (uint8_t)byte;
1210
1211 term = cp[2];
1212 if (term == '\0')
1213 {
1214 break;
1215 }
1216 cp += 3;
1217 }
1218 if (i < nbytes)
1219 {
1220 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1221 }
1222 else if (term != '\0')
1223 {
1224 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1225 }
1226 return ret;
1227}
1228
1239static struct verify_hash_list *
1240parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1241 struct gc_arena *gc)
1242{
1243 struct gc_arena gc_temp = gc_new();
1244 char *lines = string_alloc(str, &gc_temp);
1245
1246 struct verify_hash_list *ret = NULL;
1247
1248 const char *line;
1249 while ((line = strsep(&lines, "\n")))
1250 {
1251 /* ignore leading whitespace */
1252 while (isspace(*line))
1253 {
1254 line++;
1255 }
1256 /* skip empty lines and comment lines */
1257 if (strlen(line) == 0 || *line == '#' || *line == ';')
1258 {
1259 continue;
1260 }
1261
1262 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1263 msglevel, gc);
1264
1265 if (!hash)
1266 {
1267 gc_free(&gc_temp);
1268 return NULL;
1269 }
1270
1271 hash->next = ret;
1272 ret = hash;
1273 }
1274 gc_free(&gc_temp);
1275
1276 return ret;
1277}
1278#ifdef _WIN32
1279
1280#ifndef ENABLE_SMALL
1281
1282static void
1283show_dhcp_option_list(const char *name, const char *const *array, int len)
1284{
1285 int i;
1286 for (i = 0; i < len; ++i)
1287 {
1288 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1289 }
1290}
1291
1292static void
1293show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1294{
1295 struct gc_arena gc = gc_new();
1296 int i;
1297 for (i = 0; i < len; ++i)
1298 {
1299 msg(D_SHOW_PARMS, " %s[%d] = %s",
1300 name,
1301 i,
1302 print_in_addr_t(array[i], 0, &gc));
1303 }
1304 gc_free(&gc);
1305}
1306
1307static void
1308show_tuntap_options(const struct tuntap_options *o)
1309{
1310 SHOW_BOOL(ip_win32_defined);
1311 SHOW_INT(ip_win32_type);
1312 SHOW_INT(dhcp_masq_offset);
1313 SHOW_INT(dhcp_lease_time);
1314 SHOW_INT(tap_sleep);
1315 SHOW_UNSIGNED(dhcp_options);
1316 SHOW_BOOL(dhcp_renew);
1317 SHOW_BOOL(dhcp_pre_release);
1318 SHOW_STR(domain);
1319 SHOW_STR(netbios_scope);
1320 SHOW_INT(netbios_node_type);
1321 SHOW_BOOL(disable_nbt);
1322
1323 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1324 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1325 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1326 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1327 show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1328}
1329
1330#endif /* ifndef ENABLE_SMALL */
1331#endif /* ifdef _WIN32 */
1332
1333#if defined(_WIN32) || defined(TARGET_ANDROID)
1334static void
1335dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1336{
1337 struct in6_addr addr;
1338 if (*len >= N_DHCP_ADDR)
1339 {
1340 msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1341 N_DHCP_ADDR);
1342 }
1343 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1344 {
1345 dns6_list[(*len)++] = addr;
1346 }
1347}
1348static void
1349dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1350{
1351 if (*len >= N_DHCP_ADDR)
1352 {
1353 msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1354 name,
1355 N_DHCP_ADDR,
1356 name);
1357 }
1358 else
1359 {
1360 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1361 {
1362 bool error = false;
1363 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1364 if (!error)
1365 {
1366 array[(*len)++] = addr;
1367 }
1368 }
1369 else
1370 {
1371 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1372 }
1373 }
1374}
1375
1376/*
1377 * If DNS options are set use these for TUN/TAP options as well.
1378 * Applies to DNS, DNS6 and DOMAIN-SEARCH.
1379 * Existing options will be discarded.
1380 */
1381static void
1382tuntap_options_copy_dns(struct options *o)
1383{
1384 struct tuntap_options *tt = &o->tuntap_options;
1385 struct dns_options *dns = &o->dns_options;
1386
1387 if (dns->search_domains)
1388 {
1389 tt->domain_search_list_len = 0;
1390 const struct dns_domain *domain = dns->search_domains;
1391 while (domain && tt->domain_search_list_len < N_SEARCH_LIST_LEN)
1392 {
1393 tt->domain_search_list[tt->domain_search_list_len++] = domain->name;
1394 domain = domain->next;
1395 }
1396 if (domain)
1397 {
1398 msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to --dhcp-option");
1399 }
1400 tt->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
1401 }
1402
1403 if (dns->servers)
1404 {
1405 tt->dns_len = 0;
1406 tt->dns6_len = 0;
1407 bool overflow = false;
1408 const struct dns_server *server = dns->servers;
1409 while (server)
1410 {
1411 for (int i = 0; i < server->addr_count; ++i)
1412 {
1413 if (server->addr[i].family == AF_INET)
1414 {
1415 if (tt->dns_len >= N_DHCP_ADDR)
1416 {
1417 overflow = true;
1418 continue;
1419 }
1420 tt->dns[tt->dns_len++] = ntohl(server->addr[i].in.a4.s_addr);
1421 }
1422 else
1423 {
1424 if (tt->dns6_len >= N_DHCP_ADDR)
1425 {
1426 overflow = true;
1427 continue;
1428 }
1429 tt->dns6[tt->dns6_len++] = server->addr[i].in.a6;
1430 }
1431 }
1432 server = server->next;
1433 }
1434 if (overflow)
1435 {
1436 msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to --dhcp-option");
1437 }
1438 tt->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
1439 }
1440}
1441#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1442static void
1443foreign_options_copy_dns(struct options *o, struct env_set *es)
1444{
1445 const struct dns_domain *domain = o->dns_options.search_domains;
1446 const struct dns_server *server = o->dns_options.servers;
1447 if (!domain && !server)
1448 {
1449 return;
1450 }
1451
1452 /* reset the index since we're starting all over again */
1453 int opt_max = o->foreign_option_index;
1454 o->foreign_option_index = 0;
1455
1456 for (int i = 1; i <= opt_max; ++i)
1457 {
1458 char name[32];
1459 snprintf(name, sizeof(name), "foreign_option_%d", i);
1460
1461 const char *env_str = env_set_get(es, name);
1462 const char *value = strchr(env_str, '=') + 1;
1463 if ((domain && strstr(value, "dhcp-option DOMAIN-SEARCH") == value)
1464 || (server && strstr(value, "dhcp-option DNS") == value))
1465 {
1466 setenv_del(es, name);
1467 }
1468 else
1469 {
1470 setenv_foreign_option(o, &value, 1, es);
1471 }
1472 }
1473
1474 struct gc_arena gc = gc_new();
1475
1476 while (server)
1477 {
1478 for (size_t i = 0; i < server->addr_count; ++i)
1479 {
1480 if (server->addr[i].family == AF_INET)
1481 {
1482 const char *argv[] = {
1483 "dhcp-option",
1484 "DNS",
1485 print_in_addr_t(server->addr[i].in.a4.s_addr, 0, &gc)
1486 };
1487 setenv_foreign_option(o, argv, 3, es);
1488 }
1489 else
1490 {
1491 const char *argv[] = {
1492 "dhcp-option",
1493 "DNS6",
1494 print_in6_addr(server->addr[i].in.a6, 0, &gc)
1495 };
1496 setenv_foreign_option(o, argv, 3, es);
1497 }
1498 }
1499 server = server->next;
1500 }
1501 while (domain)
1502 {
1503 const char *argv[] = { "dhcp-option", "DOMAIN-SEARCH", domain->name };
1504 setenv_foreign_option(o, argv, 3, es);
1505 domain = domain->next;
1506 }
1507
1508 gc_free(&gc);
1509
1510 /* remove old leftover entries */
1511 while (o->foreign_option_index < opt_max)
1512 {
1513 char name[32];
1514 snprintf(name, sizeof(name), "foreign_option_%d", opt_max--);
1515 setenv_del(es, name);
1516 }
1517}
1518#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1519
1520#ifndef ENABLE_SMALL
1521static const char *
1522print_vlan_accept(enum vlan_acceptable_frames mode)
1523{
1524 switch (mode)
1525 {
1526 case VLAN_ONLY_TAGGED:
1527 return "tagged";
1528
1529 case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1530 return "untagged";
1531
1532 case VLAN_ALL:
1533 return "all";
1534 }
1535 return NULL;
1536}
1537
1538static void
1539show_p2mp_parms(const struct options *o)
1540{
1541 struct gc_arena gc = gc_new();
1542
1543 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1544 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1545 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1546 SHOW_INT(server_netbits_ipv6);
1547 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1548 msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1549 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1550 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1551 if (o->push_list.head)
1552 {
1553 const struct push_entry *e = o->push_list.head;
1554 while (e)
1555 {
1556 if (e->enable)
1557 {
1558 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1559 }
1560 e = e->next;
1561 }
1562 }
1563 SHOW_BOOL(ifconfig_pool_defined);
1564 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1565 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1566 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1567 SHOW_STR(ifconfig_pool_persist_filename);
1568 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1569 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1570 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1571 SHOW_INT(ifconfig_ipv6_pool_netbits);
1572 SHOW_INT(n_bcast_buf);
1573 SHOW_INT(tcp_queue_limit);
1574 SHOW_INT(real_hash_size);
1575 SHOW_INT(virtual_hash_size);
1576 SHOW_STR(client_connect_script);
1577 SHOW_STR(learn_address_script);
1578 SHOW_STR(client_disconnect_script);
1579 SHOW_STR(client_crresponse_script);
1580 SHOW_STR(client_config_dir);
1581 SHOW_BOOL(ccd_exclusive);
1582 SHOW_STR(tmp_dir);
1583 SHOW_BOOL(push_ifconfig_defined);
1584 msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1585 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1586 SHOW_BOOL(push_ifconfig_ipv6_defined);
1587 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1588 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1589 SHOW_BOOL(enable_c2c);
1590 SHOW_BOOL(duplicate_cn);
1591 SHOW_INT(cf_max);
1592 SHOW_INT(cf_per);
1593 SHOW_INT(cf_initial_max);
1594 SHOW_INT(cf_initial_per);
1595 SHOW_INT(max_clients);
1596 SHOW_INT(max_routes_per_client);
1597 SHOW_STR(auth_user_pass_verify_script);
1598 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1599 SHOW_BOOL(auth_token_generate);
1600 SHOW_BOOL(force_key_material_export);
1601 SHOW_INT(auth_token_lifetime);
1602 SHOW_STR_INLINE(auth_token_secret_file);
1603#if PORT_SHARE
1604 SHOW_STR(port_share_host);
1605 SHOW_STR(port_share_port);
1606#endif
1607 SHOW_BOOL(vlan_tagging);
1608 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1609 SHOW_INT(vlan_pvid);
1610
1611 SHOW_BOOL(client);
1612 SHOW_BOOL(pull);
1613 SHOW_STR_INLINE(auth_user_pass_file);
1614
1615 gc_free(&gc);
1616}
1617
1618#endif /* ! ENABLE_SMALL */
1619
1620static void
1621option_iroute(struct options *o,
1622 const char *network_str,
1623 const char *netmask_str,
1624 int msglevel)
1625{
1626 struct iroute *ir;
1627
1628 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1629 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1630 ir->netbits = 32; /* host route if no netmask given */
1631
1632 if (netmask_str)
1633 {
1634 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1635 ir->netbits = netmask_to_netbits2(netmask);
1636
1637 if (ir->netbits < 0)
1638 {
1639 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1640 network_str,
1641 netmask_str);
1642 return;
1643 }
1644 }
1645
1646 ir->next = o->iroutes;
1647 o->iroutes = ir;
1648}
1649
1650static void
1651option_iroute_ipv6(struct options *o,
1652 const char *prefix_str,
1653 int msglevel)
1654{
1655 struct iroute_ipv6 *ir;
1656
1657 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1658
1659 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1660 {
1661 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1662 prefix_str);
1663 return;
1664 }
1665
1666 ir->next = o->iroutes_ipv6;
1667 o->iroutes_ipv6 = ir;
1668}
1669
1670#ifndef ENABLE_SMALL
1671static void
1672show_http_proxy_options(const struct http_proxy_options *o)
1673{
1674 int i;
1675 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1676 SHOW_STR(server);
1677 SHOW_STR(port);
1678 SHOW_STR(auth_method_string);
1679 SHOW_STR(auth_file);
1680 SHOW_STR(auth_file_up);
1681 SHOW_BOOL(inline_creds);
1682 SHOW_BOOL(nocache);
1683 SHOW_STR(http_version);
1684 SHOW_STR(user_agent);
1685 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1686 {
1687 if (o->custom_headers[i].content)
1688 {
1689 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1690 o->custom_headers[i].name, o->custom_headers[i].content);
1691 }
1692 else
1693 {
1694 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1695 o->custom_headers[i].name);
1696 }
1697 }
1698 msg(D_SHOW_PARMS, "END http_proxy");
1699}
1700#endif /* ifndef ENABLE_SMALL */
1701
1702void
1703options_detach(struct options *o)
1704{
1705 gc_detach(&o->gc);
1706 o->routes = NULL;
1707 o->client_nat = NULL;
1708 clone_push_list(o);
1709}
1710
1711void
1712rol_check_alloc(struct options *options)
1713{
1714 if (!options->routes)
1715 {
1716 options->routes = new_route_option_list(&options->gc);
1717 }
1718}
1719
1720static void
1728
1729static void
1730cnol_check_alloc(struct options *options)
1731{
1732 if (!options->client_nat)
1733 {
1734 options->client_nat = new_client_nat_list(&options->gc);
1735 }
1736}
1737
1738#ifndef ENABLE_SMALL
1739static void
1740show_connection_entry(const struct connection_entry *o)
1741{
1742 /* Display the global proto only in client mode or with no '--local'*/
1743 if (o->local_list->len == 1)
1744 {
1745 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1746 }
1747
1748 msg(D_SHOW_PARMS, " Local Sockets:");
1749 for (int i = 0; i < o->local_list->len; i++)
1750 {
1751 msg(D_SHOW_PARMS, " [%s]:%s-%s", o->local_list->array[i]->local,
1752 o->local_list->array[i]->port, proto2ascii(o->local_list->array[i]->proto, o->af, false));
1753 }
1754 SHOW_STR(remote);
1755 SHOW_STR(remote_port);
1756 SHOW_BOOL(remote_float);
1757 SHOW_BOOL(bind_defined);
1758 SHOW_BOOL(bind_local);
1759 SHOW_BOOL(bind_ipv6_only);
1760 SHOW_INT(connect_retry_seconds);
1761 SHOW_INT(connect_timeout);
1762
1763 if (o->http_proxy_options)
1764 {
1765 show_http_proxy_options(o->http_proxy_options);
1766 }
1767 SHOW_STR(socks_proxy_server);
1768 SHOW_STR(socks_proxy_port);
1769 SHOW_INT(tun_mtu);
1770 SHOW_BOOL(tun_mtu_defined);
1771 SHOW_INT(link_mtu);
1772 SHOW_BOOL(link_mtu_defined);
1773 SHOW_INT(tun_mtu_extra);
1774 SHOW_BOOL(tun_mtu_extra_defined);
1775 SHOW_INT(tls_mtu);
1776
1777 SHOW_INT(mtu_discover_type);
1778
1779#ifdef ENABLE_FRAGMENT
1780 SHOW_INT(fragment);
1781#endif
1782 SHOW_INT(mssfix);
1783 SHOW_BOOL(mssfix_encap);
1784 SHOW_BOOL(mssfix_fixed);
1785
1786 SHOW_INT(explicit_exit_notification);
1787
1788 SHOW_STR_INLINE(tls_auth_file);
1789 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1790 "%s");
1791 SHOW_STR_INLINE(tls_crypt_file);
1792 SHOW_STR_INLINE(tls_crypt_v2_file);
1793}
1794
1795
1796static void
1797show_connection_entries(const struct options *o)
1798{
1799 if (o->connection_list)
1800 {
1801 const struct connection_list *l = o->connection_list;
1802 int i;
1803 for (i = 0; i < l->len; ++i)
1804 {
1805 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1806 show_connection_entry(l->array[i]);
1807 }
1808 }
1809 else
1810 {
1811 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1812 show_connection_entry(&o->ce);
1813 }
1814 msg(D_SHOW_PARMS, "Connection profiles END");
1815}
1816
1817static void
1818show_pull_filter_list(const struct pull_filter_list *l)
1819{
1820 struct pull_filter *f;
1821 if (!l)
1822 {
1823 return;
1824 }
1825
1826 msg(D_SHOW_PARMS, " Pull filters:");
1827 for (f = l->head; f; f = f->next)
1828 {
1829 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1830 }
1831}
1832
1833#endif /* ifndef ENABLE_SMALL */
1834
1835void
1836show_settings(const struct options *o)
1837{
1838#ifndef ENABLE_SMALL
1839 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1840
1841 SHOW_STR(config);
1842
1843 SHOW_INT(mode);
1844
1845#ifdef ENABLE_FEATURE_TUN_PERSIST
1846 SHOW_BOOL(persist_config);
1847 SHOW_INT(persist_mode);
1848#endif
1849
1850 SHOW_BOOL(show_ciphers);
1851 SHOW_BOOL(show_digests);
1852 SHOW_BOOL(show_engines);
1853 SHOW_BOOL(genkey);
1854 SHOW_STR(genkey_filename);
1855 SHOW_STR(key_pass_file);
1856 SHOW_BOOL(show_tls_ciphers);
1857
1858 SHOW_INT(connect_retry_max);
1859 show_connection_entries(o);
1860
1861 SHOW_BOOL(remote_random);
1862
1863 SHOW_STR(ipchange);
1864 SHOW_STR(dev);
1865 SHOW_STR(dev_type);
1866 SHOW_STR(dev_node);
1867#if defined(ENABLE_DCO)
1868 SHOW_BOOL(disable_dco);
1869#endif
1870 SHOW_STR(lladdr);
1871 SHOW_INT(topology);
1872 SHOW_STR(ifconfig_local);
1873 SHOW_STR(ifconfig_remote_netmask);
1874 SHOW_BOOL(ifconfig_noexec);
1875 SHOW_BOOL(ifconfig_nowarn);
1876 SHOW_STR(ifconfig_ipv6_local);
1877 SHOW_INT(ifconfig_ipv6_netbits);
1878 SHOW_STR(ifconfig_ipv6_remote);
1879
1880 SHOW_INT(shaper);
1881 SHOW_INT(mtu_test);
1882
1883 SHOW_BOOL(mlock);
1884
1885 SHOW_INT(keepalive_ping);
1886 SHOW_INT(keepalive_timeout);
1887 SHOW_INT(inactivity_timeout);
1888 SHOW_INT(session_timeout);
1889 SHOW_INT64(inactivity_minimum_bytes);
1890 SHOW_INT(ping_send_timeout);
1891 SHOW_INT(ping_rec_timeout);
1892 SHOW_INT(ping_rec_timeout_action);
1893 SHOW_BOOL(ping_timer_remote);
1894 SHOW_INT(remap_sigusr1);
1895 SHOW_BOOL(persist_tun);
1896 SHOW_BOOL(persist_local_ip);
1897 SHOW_BOOL(persist_remote_ip);
1898
1899#if PASSTOS_CAPABILITY
1900 SHOW_BOOL(passtos);
1901#endif
1902
1903 SHOW_INT(resolve_retry_seconds);
1904 SHOW_BOOL(resolve_in_advance);
1905
1906 SHOW_STR(username);
1907 SHOW_STR(groupname);
1908 SHOW_STR(chroot_dir);
1909 SHOW_STR(cd_dir);
1910#ifdef ENABLE_SELINUX
1911 SHOW_STR(selinux_context);
1912#endif
1913 SHOW_STR(writepid);
1914 SHOW_STR(up_script);
1915 SHOW_STR(down_script);
1916 SHOW_BOOL(down_pre);
1917 SHOW_BOOL(up_restart);
1918 SHOW_BOOL(up_delay);
1919 SHOW_BOOL(daemon);
1920 SHOW_BOOL(log);
1921 SHOW_BOOL(suppress_timestamps);
1922 SHOW_BOOL(machine_readable_output);
1923 SHOW_INT(nice);
1924 SHOW_INT(verbosity);
1925 SHOW_INT(mute);
1926#ifdef ENABLE_DEBUG
1927 SHOW_INT(gremlin);
1928#endif
1929 SHOW_STR(status_file);
1930 SHOW_INT(status_file_version);
1931 SHOW_INT(status_file_update_freq);
1932
1933 SHOW_BOOL(occ);
1934 SHOW_INT(rcvbuf);
1935 SHOW_INT(sndbuf);
1936#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1937 SHOW_INT(mark);
1938#endif
1939 SHOW_INT(sockflags);
1940
1941 SHOW_BOOL(fast_io);
1942
1943 SHOW_INT(comp.alg);
1944 SHOW_INT(comp.flags);
1945
1946 SHOW_STR(route_script);
1947 SHOW_STR(route_default_gateway);
1948 SHOW_INT(route_default_metric);
1949 SHOW_BOOL(route_noexec);
1950 SHOW_INT(route_delay);
1951 SHOW_INT(route_delay_window);
1952 SHOW_BOOL(route_delay_defined);
1953 SHOW_BOOL(route_nopull);
1954 SHOW_BOOL(route_gateway_via_dhcp);
1955 SHOW_BOOL(allow_pull_fqdn);
1956 show_pull_filter_list(o->pull_filter_list);
1957
1958 if (o->routes)
1959 {
1960 print_route_options(o->routes, D_SHOW_PARMS);
1961 }
1962
1963 if (o->client_nat)
1964 {
1965 print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1966 }
1967
1968 show_dns_options(&o->dns_options);
1969
1970#ifdef ENABLE_MANAGEMENT
1971 SHOW_STR(management_addr);
1972 SHOW_STR(management_port);
1973 SHOW_STR(management_user_pass);
1974 SHOW_INT(management_log_history_cache);
1975 SHOW_INT(management_echo_buffer_size);
1976 SHOW_STR(management_client_user);
1977 SHOW_STR(management_client_group);
1978 SHOW_INT(management_flags);
1979#endif
1980#ifdef ENABLE_PLUGIN
1981 if (o->plugin_list)
1982 {
1983 plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1984 }
1985#endif
1986
1987 SHOW_STR_INLINE(shared_secret_file);
1988 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1989 SHOW_STR(ciphername);
1990 SHOW_STR(ncp_ciphers);
1991 SHOW_STR(authname);
1992#ifndef ENABLE_CRYPTO_MBEDTLS
1993 SHOW_BOOL(engine);
1994#endif /* ENABLE_CRYPTO_MBEDTLS */
1995 SHOW_BOOL(mute_replay_warnings);
1996 SHOW_INT(replay_window);
1997 SHOW_INT(replay_time);
1998 SHOW_STR(packet_id_file);
1999 SHOW_BOOL(test_crypto);
2000#ifdef ENABLE_PREDICTION_RESISTANCE
2001 SHOW_BOOL(use_prediction_resistance);
2002#endif
2003
2004 SHOW_BOOL(tls_server);
2005 SHOW_BOOL(tls_client);
2006 SHOW_STR_INLINE(ca_file);
2007 SHOW_STR(ca_path);
2008 SHOW_STR_INLINE(dh_file);
2009 if ((o->management_flags & MF_EXTERNAL_CERT))
2010 {
2011 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
2012 }
2013 else
2014 {
2015 SHOW_STR_INLINE(cert_file);
2016 }
2017 SHOW_STR_INLINE(extra_certs_file);
2018
2019 if ((o->management_flags & MF_EXTERNAL_KEY))
2020 {
2021 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
2022 }
2023 else
2024 {
2025 SHOW_STR_INLINE(priv_key_file);
2026 }
2027#ifndef ENABLE_CRYPTO_MBEDTLS
2028 SHOW_STR_INLINE(pkcs12_file);
2029#endif
2030#ifdef ENABLE_CRYPTOAPI
2031 SHOW_STR(cryptoapi_cert);
2032#endif
2033 SHOW_STR(cipher_list);
2034 SHOW_STR(cipher_list_tls13);
2035 SHOW_STR(tls_cert_profile);
2036 SHOW_STR(tls_verify);
2037 SHOW_STR(tls_export_peer_cert_dir);
2038 SHOW_INT(verify_x509_type);
2039 SHOW_STR(verify_x509_name);
2040 SHOW_STR_INLINE(crl_file);
2041 SHOW_INT(ns_cert_type);
2042 {
2043 int i;
2044 for (i = 0; i<MAX_PARMS; i++)
2045 {
2046 SHOW_INT(remote_cert_ku[i]);
2047 }
2048 }
2049 SHOW_STR(remote_cert_eku);
2050 if (o->verify_hash)
2051 {
2052 SHOW_INT(verify_hash_algo);
2053 SHOW_INT(verify_hash_depth);
2054 struct gc_arena gc = gc_new();
2055 struct verify_hash_list *hl = o->verify_hash;
2056 int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
2057 SHA256_DIGEST_LENGTH;
2058 while (hl)
2059 {
2060 char *s = format_hex_ex(hl->hash, digest_len, 0,
2061 1, ":", &gc);
2062 SHOW_PARM(verify_hash, s, "%s");
2063 hl = hl->next;
2064 }
2065 gc_free(&gc);
2066 }
2067 SHOW_INT(ssl_flags);
2068
2069 SHOW_INT(tls_timeout);
2070
2071 SHOW_INT64(renegotiate_bytes);
2072 SHOW_INT64(renegotiate_packets);
2073 SHOW_INT(renegotiate_seconds);
2074
2075 SHOW_INT(handshake_window);
2076 SHOW_INT(transition_window);
2077
2078 SHOW_BOOL(single_session);
2079 SHOW_BOOL(push_peer_info);
2080 SHOW_BOOL(tls_exit);
2081
2082 SHOW_STR(tls_crypt_v2_metadata);
2083
2084#ifdef ENABLE_PKCS11
2085 {
2086 int i;
2087 for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
2088 {
2089 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
2090 }
2091 }
2092 {
2093 int i;
2094 for (i = 0; i<MAX_PARMS; i++)
2095 {
2096 SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
2097 }
2098 }
2099 {
2100 int i;
2101 for (i = 0; i<MAX_PARMS; i++)
2102 {
2103 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
2104 }
2105 }
2106 {
2107 int i;
2108 for (i = 0; i<MAX_PARMS; i++)
2109 {
2110 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
2111 }
2112 }
2113 SHOW_INT(pkcs11_pin_cache_period);
2114 SHOW_STR(pkcs11_id);
2115 SHOW_BOOL(pkcs11_id_management);
2116#endif /* ENABLE_PKCS11 */
2117
2118 show_p2mp_parms(o);
2119
2120#ifdef _WIN32
2121 SHOW_BOOL(show_net_up);
2122 SHOW_INT(route_method);
2123 SHOW_BOOL(block_outside_dns);
2124 show_tuntap_options(&o->tuntap_options);
2125#endif
2126#endif /* ifndef ENABLE_SMALL */
2127}
2128
2129#undef SHOW_PARM
2130#undef SHOW_STR
2131#undef SHOW_INT
2132#undef SHOW_BOOL
2133
2134#ifdef ENABLE_MANAGEMENT
2135
2136static struct http_proxy_options *
2137parse_http_proxy_override(const char *server,
2138 const char *port,
2139 const char *flags,
2140 struct gc_arena *gc)
2141{
2142 if (server && port)
2143 {
2144 struct http_proxy_options *ho;
2145 ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
2146 ho->server = string_alloc(server, gc);
2147 ho->port = port;
2148 if (flags && !strcmp(flags, "nct"))
2149 {
2150 ho->auth_retry = PAR_NCT;
2151 }
2152 else
2153 {
2154 ho->auth_retry = PAR_ALL;
2155 }
2156 ho->http_version = "1.0";
2157 ho->user_agent = "OpenVPN-Autoproxy/1.0";
2158 return ho;
2159 }
2160 else
2161 {
2162 return NULL;
2163 }
2164}
2165
2166static void
2167options_postprocess_http_proxy_override(struct options *o)
2168{
2169 const struct connection_list *l = o->connection_list;
2170 int i;
2171 bool succeed = false;
2172 for (i = 0; i < l->len; ++i)
2173 {
2174 struct connection_entry *ce = l->array[i];
2175 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2176 {
2177 ce->http_proxy_options = o->http_proxy_override;
2178 succeed = true;
2179 }
2180 }
2181 if (succeed)
2182 {
2183 for (i = 0; i < l->len; ++i)
2184 {
2185 struct connection_entry *ce = l->array[i];
2186 if (ce->proto == PROTO_UDP)
2187 {
2188 ce->flags |= CE_DISABLED;
2189 }
2190 }
2191 }
2192 else
2193 {
2194 msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2195 }
2196}
2197
2198#endif /* ifdef ENABLE_MANAGEMENT */
2199
2200static struct local_list *
2201alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
2202{
2203 if (!ce->local_list)
2204 {
2205 ALLOC_OBJ_CLEAR_GC(ce->local_list, struct local_list, gc);
2206 }
2207 return ce->local_list;
2208}
2209
2210static struct local_entry *
2211alloc_local_entry(struct connection_entry *ce, const int msglevel,
2212 struct gc_arena *gc)
2213{
2214 struct local_list *l = alloc_local_list_if_undef(ce, gc);
2215 struct local_entry *e;
2216
2217 if (l->len >= CONNECTION_LIST_SIZE)
2218 {
2219 msg(msglevel, "Maximum number of 'local' options (%d) exceeded",
2220 CONNECTION_LIST_SIZE);
2221
2222 return NULL;
2223 }
2224
2225 ALLOC_OBJ_CLEAR_GC(e, struct local_entry, gc);
2226 e->proto = PROTO_NONE;
2227 l->array[l->len++] = e;
2228
2229 return e;
2230}
2231
2232static struct connection_list *
2241
2242static struct connection_entry *
2243alloc_connection_entry(struct options *options, const int msglevel)
2244{
2245 struct connection_list *l = alloc_connection_list_if_undef(options);
2246 struct connection_entry *e;
2247
2248 if (l->len == l->capacity)
2249 {
2250 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2251 struct connection_entry **ce = gc_realloc(l->array, capacity*sizeof(struct connection_entry *), &options->gc);
2252 if (ce == NULL)
2253 {
2254 msg(msglevel, "Unable to process more connection options: out of memory. Number of entries = %d", l->len);
2255 return NULL;
2256 }
2257 l->array = ce;
2258 l->capacity = capacity;
2259 }
2260 ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2261 l->array[l->len++] = e;
2262 return e;
2263}
2264
2265static struct remote_list *
2266alloc_remote_list_if_undef(struct options *options)
2267{
2268 if (!options->remote_list)
2269 {
2270 ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2271 }
2272 return options->remote_list;
2273}
2274
2275static struct remote_entry *
2276alloc_remote_entry(struct options *options, const int msglevel)
2277{
2278 struct remote_list *l = alloc_remote_list_if_undef(options);
2279 struct remote_entry *e;
2280
2281 if (l->len == l->capacity)
2282 {
2283 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2284 struct remote_entry **re = gc_realloc(l->array, capacity*sizeof(struct remote_entry *), &options->gc);
2285 if (re == NULL)
2286 {
2287 msg(msglevel, "Unable to process more remote options: out of memory. Number of entries = %d", l->len);
2288 return NULL;
2289 }
2290 l->array = re;
2291 l->capacity = capacity;
2292 }
2293 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2294 l->array[l->len++] = e;
2295 return e;
2296}
2297
2298static struct pull_filter_list *
2299alloc_pull_filter_list(struct options *o)
2300{
2301 if (!o->pull_filter_list)
2302 {
2303 ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2304 }
2305 return o->pull_filter_list;
2306}
2307
2308static struct pull_filter *
2309alloc_pull_filter(struct options *o)
2310{
2311 struct pull_filter_list *l = alloc_pull_filter_list(o);
2312 struct pull_filter *f;
2313
2314 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2315 if (l->head)
2316 {
2317 ASSERT(l->tail);
2318 l->tail->next = f;
2319 }
2320 else
2321 {
2322 ASSERT(!l->tail);
2323 l->head = f;
2324 }
2325 l->tail = f;
2326 return f;
2327}
2328
2329static void
2330connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2331{
2332 if (re->remote)
2333 {
2334 ce->remote = re->remote;
2335 }
2336 if (re->remote_port)
2337 {
2338 ce->remote_port = re->remote_port;
2339 }
2340 if (re->proto >= 0)
2341 {
2342 ce->proto = re->proto;
2343 }
2344 if (re->af > 0)
2345 {
2346 ce->af = re->af;
2347 }
2348}
2349
2350static void
2351connection_entry_preload_key(const char **key_file, bool *key_inline,
2352 struct gc_arena *gc)
2353{
2354 if (key_file && *key_file && !(*key_inline))
2355 {
2356 struct buffer in = buffer_read_from_file(*key_file, gc);
2357 if (!buf_valid(&in))
2358 {
2359 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2360 }
2361
2362 *key_file = (const char *) in.data;
2363 *key_inline = true;
2364 }
2365}
2366
2367static void
2368check_ca_required(const struct options *options)
2369{
2370 if (options->verify_hash_no_ca
2371 || options->pkcs12_file
2372 || options->ca_file
2373#ifndef ENABLE_CRYPTO_MBEDTLS
2374 || options->ca_path
2375#endif
2376 )
2377 {
2378 return;
2379 }
2380
2381 const char *const str = "You must define CA file (--ca)"
2382#ifndef ENABLE_CRYPTO_MBEDTLS
2383 " or CA path (--capath)"
2384#endif
2385 " and/or peer fingerprint verification (--peer-fingerprint)";
2386 msg(M_USAGE, "%s", str);
2387}
2388
2389static void
2390options_postprocess_verify_ce(const struct options *options,
2391 const struct connection_entry *ce)
2392{
2393 struct options defaults;
2394 int dev = DEV_TYPE_UNDEF;
2395 bool pull = false;
2396
2397 init_options(&defaults, true);
2398
2399 if (options->test_crypto)
2400 {
2401 notnull(options->shared_secret_file, "key file (--secret)");
2402 }
2403 else
2404 {
2405 notnull(options->dev, "TUN/TAP device (--dev)");
2406 }
2407
2408 /*
2409 * Get tun/tap/null device type
2410 */
2411 dev = dev_type_enum(options->dev, options->dev_type);
2412
2413 /*
2414 * If "proto tcp" is specified, make sure we know whether it is
2415 * tcp-client or tcp-server.
2416 */
2417 if (ce->proto == PROTO_TCP)
2418 {
2419 msg(M_USAGE,
2420 "--proto tcp is ambiguous in this context. Please specify "
2421 "--proto tcp-server or --proto tcp-client");
2422 }
2423
2424 /*
2425 * Sanity check on Client mode
2426 */
2427
2428 if (options->mode != MODE_SERVER && ce->local_list->len > 1)
2429 {
2430 msg(M_USAGE, "multiple --local statements only allowed in --server mode");
2431 }
2432
2433 if (options->lladdr && dev != DEV_TYPE_TAP)
2434 {
2435 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2436 }
2437
2438 /*
2439 * Sanity check on MTU parameters
2440 */
2441 if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2442 {
2443 msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2444 }
2445
2446 if (!proto_is_udp(ce->proto) && options->mtu_test)
2447 {
2448 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2449 }
2450
2451 /* will we be pulling options from server? */
2452 pull = options->pull;
2453
2454 /*
2455 * Sanity check on --local, --remote, and --ifconfig
2456 */
2457
2458 if (string_defined_equal(ce->remote, options->ifconfig_local)
2459 || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2460 {
2461 msg(M_USAGE,
2462 "--local and --remote addresses must be distinct from --ifconfig "
2463 "addresses");
2464 }
2465
2466 if (string_defined_equal(options->ifconfig_local,
2467 options->ifconfig_remote_netmask))
2468 {
2469 msg(M_USAGE,
2470 "local and remote/netmask --ifconfig addresses must be different");
2471 }
2472
2473 if (ce->bind_defined && !ce->bind_local)
2474 {
2475 msg(M_USAGE, "--bind and --nobind can't be used together");
2476 }
2477
2478 if (ce->local_port_defined && !ce->bind_local)
2479 {
2480 msg(M_USAGE,
2481 "--lport and --nobind don't make sense when used together");
2482 }
2483
2484 if (!ce->remote && !ce->bind_local)
2485 {
2486 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2487 }
2488
2489 for (int i = 0; i < ce->local_list->len; i++)
2490 {
2491 struct local_entry *le = ce->local_list->array[i];
2492
2493 if (proto_is_net(le->proto)
2494 && string_defined_equal(le->local, ce->remote)
2495 && string_defined_equal(le->port, ce->remote_port))
2496 {
2497 msg(M_USAGE, "--remote and one of the --local addresses are the same");
2498 }
2499
2500 if (string_defined_equal(le->local, options->ifconfig_local)
2501 || string_defined_equal(le->local, options->ifconfig_remote_netmask))
2502 {
2503 msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2504 }
2505
2506 if (le->local && !ce->bind_local)
2507 {
2508 msg(M_USAGE, "--local and --nobind don't make sense when used together");
2509 }
2510 }
2511
2512 /*
2513 * Check for consistency of management options
2514 */
2515#ifdef ENABLE_MANAGEMENT
2516 if (!options->management_addr
2517 && (options->management_flags
2518 || options->management_log_history_cache != defaults.management_log_history_cache))
2519 {
2520 msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2521 }
2522
2523 if ((options->management_client_user || options->management_client_group)
2524 && !(options->management_flags & MF_UNIX_SOCK))
2525 {
2526 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2527 }
2528
2529 if (options->management_addr
2530 && !(options->management_flags & MF_UNIX_SOCK)
2531 && (!options->management_user_pass))
2532 {
2533 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2534 "passwords is STRONGLY discouraged and considered insecure");
2535 }
2536
2537#endif /* ifdef ENABLE_MANAGEMENT */
2538
2539#if !defined(HAVE_XKEY_PROVIDER)
2540 if ((tls_version_max() >= TLS_VER_1_3)
2541 && (options->management_flags & MF_EXTERNAL_KEY)
2542 && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2543 )
2544 {
2545 msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2546 "nopadding argument/support");
2547 }
2548#endif
2549 /*
2550 * Windows-specific options.
2551 */
2552
2553#ifdef _WIN32
2554 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2555 {
2556 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2557 }
2558
2559 if ((options->tuntap_options.ip_win32_defined)
2560 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2561 {
2562 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2563 }
2564
2565 if (options->tuntap_options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
2566 {
2567 const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
2568 if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
2569 {
2570 msg(M_USAGE, "%s, which is not supported by the selected %s driver",
2571 prefix, print_tun_backend_driver(options->windows_driver));
2572 }
2573 else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2574 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2575 {
2576 msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive",
2577 prefix);
2578 }
2579 }
2580
2581 if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
2582 {
2583 msg(M_USAGE, "--windows-driver wintun requires --dev tun");
2584 }
2585#endif /* ifdef _WIN32 */
2586
2587 /*
2588 * Check that protocol options make sense.
2589 */
2590
2591#ifdef ENABLE_FRAGMENT
2592 if (!proto_is_udp(ce->proto) && ce->fragment)
2593 {
2594 msg(M_USAGE, "--fragment can only be used with --proto udp");
2595 }
2596#endif
2597
2598 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2599 {
2600 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2601 }
2602
2603 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2604 {
2605 msg(M_USAGE,
2606 "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2607 "tcp-client)");
2608 }
2609
2610 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2611 {
2612 msg(M_USAGE,
2613 "--http-proxy not specified but other http proxy options present");
2614 }
2615
2616 if (ce->http_proxy_options && ce->socks_proxy_server)
2617 {
2618 msg(M_USAGE,
2619 "--http-proxy can not be used together with --socks-proxy");
2620 }
2621
2622 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2623 {
2624 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2625 }
2626
2627 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2628 {
2629 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2630 }
2631
2632 /*
2633 * Check consistency of --mode server options.
2634 */
2635 if (options->mode == MODE_SERVER)
2636 {
2637#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
2638 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2639#ifdef TARGET_ANDROID
2640 msg(M_FATAL, "--mode server not supported on Android");
2641#endif
2642 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2643 {
2644 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2645 }
2646 if (options->pull)
2647 {
2648 msg(M_USAGE, "--pull cannot be used with --mode server");
2649 }
2650 if (options->pull_filter_list)
2651 {
2652 msg(M_WARN, "--pull-filter ignored for --mode server");
2653 }
2654 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2655 {
2656 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2657 }
2658#if PORT_SHARE
2659 if ((options->port_share_host || options->port_share_port)
2660 && (ce->proto != PROTO_TCP_SERVER))
2661 {
2662 msg(M_USAGE, "--port-share only works in TCP server mode "
2663 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2664 }
2665#endif
2666 if (!options->tls_server)
2667 {
2668 msg(M_USAGE, "--mode server requires --tls-server");
2669 }
2670 if (ce->remote)
2671 {
2672 msg(M_USAGE, "--remote cannot be used with --mode server");
2673 }
2674 if (!ce->bind_local)
2675 {
2676 msg(M_USAGE, "--nobind cannot be used with --mode server");
2677 }
2678 if (ce->http_proxy_options)
2679 {
2680 msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2681 }
2682 if (ce->socks_proxy_server)
2683 {
2684 msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2685 }
2686 /* <connection> blocks force to have a remote embedded, so we check
2687 * for the --remote and bail out if it is present
2688 */
2689 if (options->connection_list->len >1
2690 || options->connection_list->array[0]->remote)
2691 {
2692 msg(M_USAGE, "<connection> cannot be used with --mode server");
2693 }
2694
2695 if (options->shaper)
2696 {
2697 msg(M_USAGE, "--shaper cannot be used with --mode server");
2698 }
2699 if (options->ipchange)
2700 {
2701 msg(M_USAGE,
2702 "--ipchange cannot be used with --mode server (use "
2703 "--client-connect instead)");
2704 }
2705 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2706 {
2707 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2708 }
2709 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2710 {
2711 msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2712 }
2713 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2714 {
2715 msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2716 }
2717 if (options->routes && (options->routes->flags & RG_ENABLE))
2718 {
2719 msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2720 }
2721 if (options->route_delay_defined)
2722 {
2723 msg(M_USAGE, "--route-delay cannot be used with --mode server");
2724 }
2725 if (options->up_delay)
2726 {
2727 msg(M_USAGE, "--up-delay cannot be used with --mode server");
2728 }
2729 if (!options->ifconfig_pool_defined
2730 && !options->ifconfig_ipv6_pool_defined
2731 && options->ifconfig_pool_persist_filename)
2732 {
2733 msg(M_USAGE,
2734 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2735 }
2736 if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2737 {
2738 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2739 }
2740 if (options->allow_recursive_routing)
2741 {
2742 msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2743 }
2744 if (options->auth_user_pass_file)
2745 {
2746 msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2747 }
2748 if (options->ccd_exclusive && !options->client_config_dir)
2749 {
2750 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2751 }
2752 if (options->auth_token_generate && !options->renegotiate_seconds)
2753 {
2754 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2755 "--renegotiate_seconds setting");
2756 }
2757 if (options->auth_token_generate && options->auth_token_renewal
2758 && options->auth_token_renewal < 2 * options->handshake_window)
2759 {
2760 msg(M_USAGE, "--auth-gen-token renewal time needs to be at least "
2761 " two times --hand-window (%d).",
2762 options->handshake_window);
2763
2764 }
2765 {
2766 const bool ccnr = (options->auth_user_pass_verify_script
2767 || PLUGIN_OPTION_LIST(options)
2768 || MAN_CLIENT_AUTH_ENABLED(options));
2769 const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2770 if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
2771 {
2772 msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2773 }
2774 if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2775 {
2776 msg(M_USAGE, "--username-as-common-name %s", postfix);
2777 }
2778 if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2779 {
2780 msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2781 }
2782 }
2783
2784 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2785 {
2786 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2787 }
2788 if (!options->vlan_tagging)
2789 {
2790 if (options->vlan_accept != defaults.vlan_accept)
2791 {
2792 msg(M_USAGE, "--vlan-accept requires --vlan-tagging");
2793 }
2794 if (options->vlan_pvid != defaults.vlan_pvid)
2795 {
2796 msg(M_USAGE, "--vlan-pvid requires --vlan-tagging");
2797 }
2798 }
2799 }
2800 else
2801 {
2802 /*
2803 * When not in server mode, err if parameters are
2804 * specified which require --mode server.
2805 */
2806 if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2807 {
2808 msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2809 }
2810 if (options->ifconfig_ipv6_pool_defined)
2811 {
2812 msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2813 }
2814 if (options->real_hash_size != defaults.real_hash_size
2815 || options->virtual_hash_size != defaults.virtual_hash_size)
2816 {
2817 msg(M_USAGE, "--hash-size requires --mode server");
2818 }
2819 if (options->learn_address_script)
2820 {
2821 msg(M_USAGE, "--learn-address requires --mode server");
2822 }
2823 if (options->client_connect_script)
2824 {
2825 msg(M_USAGE, "--client-connect requires --mode server");
2826 }
2827 if (options->client_crresponse_script)
2828 {
2829 msg(M_USAGE, "--client-crresponse requires --mode server");
2830 }
2831 if (options->client_disconnect_script)
2832 {
2833 msg(M_USAGE, "--client-disconnect requires --mode server");
2834 }
2835 if (options->client_config_dir || options->ccd_exclusive)
2836 {
2837 msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2838 }
2839 if (options->enable_c2c)
2840 {
2841 msg(M_USAGE, "--client-to-client requires --mode server");
2842 }
2843 if (options->duplicate_cn)
2844 {
2845 msg(M_USAGE, "--duplicate-cn requires --mode server");
2846 }
2847 if (options->cf_max || options->cf_per)
2848 {
2849 msg(M_USAGE, "--connect-freq requires --mode server");
2850 }
2851 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2852 {
2853 msg(M_USAGE, "--verify-client-cert requires --mode server");
2854 }
2855 if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2856 {
2857 msg(M_USAGE, "--username-as-common-name requires --mode server");
2858 }
2859 if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2860 {
2861 msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2862 }
2863 if (options->ssl_flags & SSLF_OPT_VERIFY)
2864 {
2865 msg(M_USAGE, "--opt-verify requires --mode server");
2866 }
2867 if (options->server_flags & SF_TCP_NODELAY_HELPER)
2868 {
2869 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2870 "affect the server. To have TCP_NODELAY in both direction use "
2871 "tcp-nodelay in the server configuration instead.");
2872 }
2873 if (options->auth_user_pass_verify_script)
2874 {
2875 msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2876 }
2877 if (options->auth_token_generate)
2878 {
2879 msg(M_USAGE, "--auth-gen-token requires --mode server");
2880 }
2881#if PORT_SHARE
2882 if (options->port_share_host || options->port_share_port)
2883 {
2884 msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2885 }
2886#endif
2887
2888 if (options->stale_routes_check_interval)
2889 {
2890 msg(M_USAGE, "--stale-routes-check requires --mode server");
2891 }
2892
2893 if (options->vlan_tagging)
2894 {
2895 msg(M_USAGE, "--vlan-tagging requires --mode server");
2896 }
2897
2898 if (options->force_key_material_export)
2899 {
2900 msg(M_USAGE, "--force-tls-key-material-export requires --mode server");
2901 }
2902 }
2903
2904 /*
2905 * SSL/TLS mode sanity checks.
2906 */
2907 if (options->tls_server + options->tls_client
2908 +(options->shared_secret_file != NULL) > 1)
2909 {
2910 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2911 }
2912
2913 if (!options->tls_server && !options->tls_client)
2914 {
2915 int msglevel = M_USAGE;
2916 if (options->allow_deprecated_insecure_static_crypto)
2917 {
2918 msglevel = M_INFO;
2919 }
2920
2921 msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
2922 "configuration detected. OpenVPN 2.8 will remove the "
2923 "functionality to run a VPN without TLS. "
2924 "See the examples section in the manual page for "
2925 "examples of a similar quick setup with peer-fingerprint."
2926 "OpenVPN 2.7 allows using this configuration when using "
2927 "--allow-deprecated-insecure-static-crypto but you should move"
2928 "to a proper configuration using TLS as soon as possible."
2929 );
2930 }
2931
2932 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2933 {
2934 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2935 "--verify-client-cert none|optional "
2936 "may accept clients which do not present a certificate");
2937 }
2938
2939 const int tls_version_max =
2940 (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
2941 & SSLF_TLS_VERSION_MAX_MASK;
2942 const int tls_version_min =
2943 (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
2944 & SSLF_TLS_VERSION_MIN_MASK;
2945
2946 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2947 {
2948 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2949 }
2950
2951 if (options->tls_server || options->tls_client)
2952 {
2953 check_ca_required(options);
2954#ifdef ENABLE_PKCS11
2955 if (!options->pkcs11_providers[0] && options->pkcs11_id)
2956 {
2957 msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2958 }
2959 else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2960 {
2961 msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2962 }
2963
2964 if (options->pkcs11_providers[0])
2965 {
2966 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2967 {
2968 msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2969 }
2970 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2971 {
2972 msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2973 }
2974 if (options->cert_file)
2975 {
2976 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2977 }
2978 if (options->priv_key_file)
2979 {
2980 msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2981 }
2982 if (options->management_flags & MF_EXTERNAL_KEY)
2983 {
2984 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2985 }
2986 if (options->management_flags & MF_EXTERNAL_CERT)
2987 {
2988 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2989 }
2990 if (options->pkcs12_file)
2991 {
2992 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2993 }
2994#ifdef ENABLE_CRYPTOAPI
2995 if (options->cryptoapi_cert)
2996 {
2997 msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2998 }
2999#endif
3000 }
3001 else
3002#endif /* ifdef ENABLE_PKCS11 */
3003 if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
3004 {
3005 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
3006 }
3007 else if ((options->management_flags & MF_EXTERNAL_CERT))
3008 {
3009 if (options->cert_file)
3010 {
3011 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
3012 }
3013 else if (!(options->management_flags & MF_EXTERNAL_KEY))
3014 {
3015 msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
3016 }
3017 }
3018 else
3019#ifdef ENABLE_CRYPTOAPI
3020 if (options->cryptoapi_cert)
3021 {
3022 if (options->cert_file)
3023 {
3024 msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
3025 }
3026 if (options->priv_key_file)
3027 {
3028 msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
3029 }
3030 if (options->pkcs12_file)
3031 {
3032 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
3033 }
3034 if (options->management_flags & MF_EXTERNAL_KEY)
3035 {
3036 msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
3037 }
3038 if (options->management_flags & MF_EXTERNAL_CERT)
3039 {
3040 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
3041 }
3042 }
3043 else
3044#endif /* ifdef ENABLE_CRYPTOAPI */
3045 if (options->pkcs12_file)
3046 {
3047#ifdef ENABLE_CRYPTO_MBEDTLS
3048 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN.");
3049#else
3050 if (options->ca_path)
3051 {
3052 msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
3053 }
3054 if (options->cert_file)
3055 {
3056 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
3057 }
3058 if (options->priv_key_file)
3059 {
3060 msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
3061 }
3062 if (options->management_flags & MF_EXTERNAL_KEY)
3063 {
3064 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
3065 }
3066 if (options->management_flags & MF_EXTERNAL_CERT)
3067 {
3068 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
3069 }
3070#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
3071 }
3072 else
3073 {
3074#ifdef ENABLE_CRYPTO_MBEDTLS
3075 if (options->ca_path)
3076 {
3077 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN.");
3078 }
3079#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
3080 if (pull)
3081 {
3082
3083 const int sum =
3084 ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
3085 + ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
3086
3087 if (sum == 0)
3088 {
3089 if (!options->auth_user_pass_file)
3090 {
3091 msg(M_USAGE, "No client-side authentication method is "
3092 "specified. You must use either "
3093 "--cert/--key, --pkcs12, or "
3094 "--auth-user-pass");
3095 }
3096 }
3097 else if (sum != 2)
3098 {
3099 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
3100 }
3101 }
3102 else
3103 {
3104 if (!(options->management_flags & MF_EXTERNAL_CERT))
3105 {
3106 notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
3107 }
3108 if (!(options->management_flags & MF_EXTERNAL_KEY))
3109 {
3110 notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
3111 }
3112 }
3113 }
3114 if (ce->tls_auth_file && ce->tls_crypt_file)
3115 {
3116 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
3117 }
3118 if (options->tls_client && ce->tls_crypt_v2_file
3119 && (ce->tls_auth_file || ce->tls_crypt_file))
3120 {
3121 msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
3122 }
3123 }
3124 else
3125 {
3126 /*
3127 * Make sure user doesn't specify any TLS options
3128 * when in non-TLS mode.
3129 */
3130
3131#define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
3132}
3133
3134 const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
3135
3136 MUST_BE_UNDEF(ca_file);
3137 MUST_BE_UNDEF(ca_path);
3138 MUST_BE_UNDEF(dh_file);
3139 MUST_BE_UNDEF(cert_file);
3140 MUST_BE_UNDEF(priv_key_file);
3141#ifndef ENABLE_CRYPTO_MBEDTLS
3142 MUST_BE_UNDEF(pkcs12_file);
3143#endif
3144 MUST_BE_UNDEF(cipher_list);
3145 MUST_BE_UNDEF(cipher_list_tls13);
3146 MUST_BE_UNDEF(tls_cert_profile);
3147 MUST_BE_UNDEF(tls_verify);
3148 MUST_BE_UNDEF(tls_export_peer_cert_dir);
3149 MUST_BE_UNDEF(verify_x509_name);
3150 MUST_BE_UNDEF(tls_timeout);
3151 MUST_BE_UNDEF(renegotiate_bytes);
3152 MUST_BE_UNDEF(renegotiate_packets);
3153 MUST_BE_UNDEF(renegotiate_seconds);
3154 MUST_BE_UNDEF(handshake_window);
3155 MUST_BE_UNDEF(transition_window);
3156 MUST_BE_UNDEF(tls_auth_file);
3157 MUST_BE_UNDEF(tls_crypt_file);
3158 MUST_BE_UNDEF(tls_crypt_v2_file);
3159 MUST_BE_UNDEF(single_session);
3160 MUST_BE_UNDEF(push_peer_info);
3161 MUST_BE_UNDEF(tls_exit);
3162 MUST_BE_UNDEF(crl_file);
3163 MUST_BE_UNDEF(ns_cert_type);
3164 MUST_BE_UNDEF(remote_cert_ku[0]);
3165 MUST_BE_UNDEF(remote_cert_eku);
3166#ifdef ENABLE_PKCS11
3167 MUST_BE_UNDEF(pkcs11_providers[0]);
3168 MUST_BE_UNDEF(pkcs11_private_mode[0]);
3169 MUST_BE_UNDEF(pkcs11_id);
3170 MUST_BE_UNDEF(pkcs11_id_management);
3171#endif
3172
3173 if (pull)
3174 {
3175 msg(M_USAGE, err, "--pull");
3176 }
3177 }
3178#undef MUST_BE_UNDEF
3179
3180 if (options->auth_user_pass_file && !options->pull)
3181 {
3182 msg(M_USAGE, "--auth-user-pass requires --pull");
3183 }
3184
3185 uninit_options(&defaults);
3186}
3187
3188static void
3189options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
3190{
3191 const int dev = dev_type_enum(o->dev, o->dev_type);
3192
3193 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3194 {
3195 if (ce->proto == PROTO_TCP)
3196 {
3197 ce->proto = PROTO_TCP_SERVER;
3198 o->ce.proto = ce->proto;
3199 }
3200 }
3201
3202 if (o->mode != MODE_SERVER)
3203 {
3204 if (ce->proto == PROTO_TCP)
3205 {
3206 ce->proto = PROTO_TCP_CLIENT;
3207 o->ce.proto = ce->proto;
3208 }
3209 }
3210
3211 /* an option is present that requires local bind to enabled */
3212 bool need_bind = ce->local_port_defined || ce->bind_defined || ce->local_list;
3213
3214 /* socks proxy is enabled */
3215 bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
3216
3217 /* If binding is not forced by an explicit option and we have (at least)
3218 * one of --tcp-client, --pull (or --client), or socks we do not bind
3219 * locally to have "normal" IP client behaviour of a random source port */
3220 if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
3221 {
3222 ce->bind_local = false;
3223 }
3224
3225 if (!ce->bind_local)
3226 {
3227 ce->local_port = NULL;
3228 }
3229
3230 /* if protocol forcing is enabled, disable all protocols
3231 * except for the forced one
3232 */
3233 if (o->proto_force >= 0 && o->proto_force != ce->proto)
3234 {
3235 ce->flags |= CE_DISABLED;
3236 }
3237
3238 if (ce->http_proxy_options)
3239 {
3240 ce->http_proxy_options->nocache = ssl_get_auth_nocache();
3241 }
3242
3243 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
3244 * so fall back to IPv4-only (trac #1221)
3245 */
3246 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
3247 {
3248 if (ce->af == AF_INET6)
3249 {
3250 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
3251 "'--socks-proxy' today. Forcing IPv4 mode." );
3252 }
3253 else
3254 {
3255 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
3256 "work correctly with '--socks-proxy' today. Forcing IPv4." );
3257 }
3258 ce->af = AF_INET;
3259 }
3260
3261 /*
3262 * Set MTU defaults
3263 */
3264 {
3265 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
3266 {
3267 ce->tun_mtu_defined = true;
3268 }
3269 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3270 {
3271 ce->tun_mtu_extra_defined = true;
3272 ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
3273 }
3274 }
3275
3276 /*
3277 * If --mssfix is supplied without a parameter or not specified at all,
3278 * default it to --fragment value, if --fragment is specified and otherwise
3279 * to the default if tun-mtu is 1500
3280 */
3281 if (o->ce.mssfix_default)
3282 {
3283#ifdef ENABLE_FRAGMENT
3284 if (ce->fragment)
3285 {
3286 ce->mssfix = ce->fragment;
3287 }
3288 else
3289#endif
3290 if (ce->tun_mtu_defined)
3291 {
3292 if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3293 {
3294 /* We want to only set mssfix default value if we use a default
3295 * MTU Size, otherwise the different size of tun should either
3296 * already solve the problem or mssfix might artifically make the
3297 * payload packets smaller without mssfix 0 */
3298 ce->mssfix = MSSFIX_DEFAULT;
3299 ce->mssfix_encap = true;
3300 }
3301 else
3302 {
3303 /* We still apply the mssfix value but only adjust it to the
3304 * size of the tun interface. */
3305 ce->mssfix = ce->tun_mtu;
3306 ce->mssfix_fixed = true;
3307 }
3308 }
3309 }
3310
3311 /*
3312 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3313 *
3314 * At the end only one of these will be really set because the parser
3315 * logic prevents configurations where more are set.
3316 */
3317 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3318 {
3319 ce->tls_auth_file = o->tls_auth_file;
3320 ce->tls_auth_file_inline = o->tls_auth_file_inline;
3321 ce->key_direction = o->key_direction;
3322
3323 ce->tls_crypt_file = o->tls_crypt_file;
3324 ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3325
3326 ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3327 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3328 }
3329
3330 /* Pre-cache tls-auth/crypt(-v2) key file if
3331 * keys were not already embedded in the config file.
3332 */
3333 connection_entry_preload_key(&ce->tls_auth_file,
3334 &ce->tls_auth_file_inline, &o->gc);
3335 connection_entry_preload_key(&ce->tls_crypt_file,
3336 &ce->tls_crypt_file_inline, &o->gc);
3337 connection_entry_preload_key(&ce->tls_crypt_v2_file,
3338 &ce->tls_crypt_v2_file_inline, &o->gc);
3339
3340
3341 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3342 {
3343 msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3344 ce->explicit_exit_notification = 0;
3345 }
3346}
3347
3348static void
3349options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
3350{
3351 /* use the global port if none is specified */
3352 if (!le->port)
3353 {
3354 le->port = ce->local_port;
3355 }
3356 /* use the global proto if none is specified and
3357 * allow proto bindings on server mode only */
3358 if (!le->proto || mode == MODE_POINT_TO_POINT)
3359 {
3360 le->proto = ce->proto;
3361 }
3362}
3363
3364#ifdef _WIN32
3365/* If iservice is in use, we need def1 method for redirect-gateway */
3366static void
3367remap_redirect_gateway_flags(struct options *opt)
3368{
3369 if (opt->routes
3370 && opt->route_method == ROUTE_METHOD_SERVICE
3371 && opt->routes->flags & RG_REROUTE_GW
3372 && !(opt->routes->flags & RG_DEF1))
3373 {
3374 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3375 opt->routes->flags |= RG_DEF1;
3376 }
3377}
3378#endif
3379
3380/*
3381 * Save/Restore certain option defaults before --pull is applied.
3382 */
3383
3384static void
3385pre_connect_save(struct options *o)
3386{
3387 ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3388 o->pre_connect->tuntap_options = o->tuntap_options;
3389 o->pre_connect->tuntap_options_defined = true;
3390 o->pre_connect->foreign_option_index = o->foreign_option_index;
3391
3392 if (o->routes)
3393 {
3394 o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3395 o->pre_connect->routes_defined = true;
3396 }
3397 if (o->routes_ipv6)
3398 {
3399 o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3400 o->pre_connect->routes_ipv6_defined = true;
3401 }
3402 if (o->client_nat)
3403 {
3404 o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3405 o->pre_connect->client_nat_defined = true;
3406 }
3407
3408 o->pre_connect->route_default_gateway = o->route_default_gateway;
3409 o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3410
3411 o->pre_connect->dns_options = clone_dns_options(&o->dns_options, &o->gc);
3412
3413 /* NCP related options that can be overwritten by a push */
3414 o->pre_connect->ciphername = o->ciphername;
3415 o->pre_connect->authname = o->authname;
3416
3417 /* Ping related options should be reset to the config values on reconnect */
3418 o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3419 o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3420 o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3421
3422 /* Miscellaneous Options */
3423 o->pre_connect->comp = o->comp;
3424}
3425
3426void
3427pre_connect_restore(struct options *o, struct gc_arena *gc)
3428{
3429 const struct options_pre_connect *pp = o->pre_connect;
3430 if (pp)
3431 {
3432 CLEAR(o->tuntap_options);
3433 if (pp->tuntap_options_defined)
3434 {
3435 o->tuntap_options = pp->tuntap_options;
3436 }
3437
3438 if (pp->routes_defined)
3439 {
3440 rol_check_alloc(o);
3441 copy_route_option_list(o->routes, pp->routes, gc);
3442 }
3443 else
3444 {
3445 o->routes = NULL;
3446 }
3447
3448 if (pp->routes_ipv6_defined)
3449 {
3450 rol6_check_alloc(o);
3451 copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3452 }
3453 else
3454 {
3455 o->routes_ipv6 = NULL;
3456 }
3457
3458 o->route_default_gateway = pp->route_default_gateway;
3459 o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3460
3461 /* Free DNS options and reset them to pre-pull state */
3462 gc_free(&o->dns_options.gc);
3463 struct gc_arena dns_gc = gc_new();
3464 o->dns_options = clone_dns_options(&pp->dns_options, &dns_gc);
3465 o->dns_options.gc = dns_gc;
3466
3467 if (pp->client_nat_defined)
3468 {
3469 cnol_check_alloc(o);
3470 copy_client_nat_option_list(o->client_nat, pp->client_nat);
3471 }
3472 else
3473 {
3474 o->client_nat = NULL;
3475 }
3476
3477 o->foreign_option_index = pp->foreign_option_index;
3478
3479 o->ciphername = pp->ciphername;
3480 o->authname = pp->authname;
3481
3482 o->ping_rec_timeout = pp->ping_rec_timeout;
3483 o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3484 o->ping_send_timeout = pp->ping_send_timeout;
3485
3486 /* Miscellaneous Options */
3487 o->comp = pp->comp;
3488 }
3489
3490 o->push_continuation = 0;
3491 o->push_option_types_found = 0;
3492 o->imported_protocol_flags = 0;
3493}
3494
3495static void
3496options_postprocess_mutate_invariant(struct options *options)
3497{
3498#ifdef _WIN32
3499 const int dev = dev_type_enum(options->dev, options->dev_type);
3500
3501 /* when using wintun/ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3502 if ((options->windows_driver == WINDOWS_DRIVER_WINTUN
3503 || options->windows_driver == DRIVER_DCO)
3504 && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3505 || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3506 {
3507 options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3508 }
3509
3510 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3511 {
3512 /* delay may only be necessary when we perform DHCP handshake */
3513 const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3514 || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3515 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3516 {
3517 options->route_delay_defined = true;
3518 options->route_delay = 5; /* Vista sometimes has a race without this */
3519 }
3520 }
3521
3522 if (options->ifconfig_noexec)
3523 {
3524 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3525 options->ifconfig_noexec = false;
3526 }
3527
3528 remap_redirect_gateway_flags(options);
3529
3530 /*
3531 * Check consistency of --mode server options.
3532 */
3533 if (options->mode == MODE_SERVER)
3534 {
3535 /*
3536 * We need to explicitly set --tap-sleep because
3537 * we do not schedule event timers in the top-level context.
3538 */
3539 options->tuntap_options.tap_sleep = 10;
3540 if (options->route_delay_defined && options->route_delay)
3541 {
3542 options->tuntap_options.tap_sleep = options->route_delay;
3543 }
3544 options->route_delay_defined = false;
3545 }
3546#endif /* ifdef _WIN32 */
3547
3548#ifdef DEFAULT_PKCS11_MODULE
3549 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3550 * by default if the user asks for PKCS#11 without otherwise specifying
3551 * the module to use. */
3552 if (!options->pkcs11_providers[0]
3553 && (options->pkcs11_id || options->pkcs11_id_management))
3554 {
3555 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3556 }
3557#endif
3558}
3559
3560static void
3561options_postprocess_verify(const struct options *o)
3562{
3563 if (o->connection_list)
3564 {
3565 int i;
3566 for (i = 0; i < o->connection_list->len; ++i)
3567 {
3568 options_postprocess_verify_ce(o, o->connection_list->array[i]);
3569 }
3570 }
3571 else
3572 {
3573 options_postprocess_verify_ce(o, &o->ce);
3574 }
3575
3576 dns_options_verify(M_FATAL, &o->dns_options);
3577
3578 if (dco_enabled(o) && o->enable_c2c)
3579 {
3580 msg(M_WARN, "Note: --client-to-client has no effect when using data "
3581 "channel offload: packets are always sent to the VPN "
3582 "interface and then routed based on the system routing table");
3583 }
3584}
3585
3586static void
3587options_postprocess_cipher(struct options *o)
3588{
3589 if (!o->pull && !(o->mode == MODE_SERVER))
3590 {
3591 /* If the cipher is not set, use the old default of BF-CBC. We will
3592 * warn that this is deprecated on cipher initialisation, no need
3593 * to warn here as well */
3594 if (!o->ciphername)
3595 {
3596 o->ciphername = "BF-CBC";
3597 }
3598 else
3599 {
3600 o->enable_ncp_fallback = true;
3601 }
3602 return;
3603 }
3604
3605 /* pull or P2MP mode */
3606 if (!o->ciphername)
3607 {
3608 /* We still need to set the ciphername to BF-CBC since various other
3609 * parts of OpenVPN assert that the ciphername is set */
3610 o->ciphername = "BF-CBC";
3611
3612 msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
3613 "defaulted to BF-CBC as fallback when cipher negotiation "
3614 "failed in this case. If you need this fallback please add "
3615 "'--data-ciphers-fallback BF-CBC' to your configuration "
3616 "and/or add BF-CBC to --data-ciphers. E.g. "
3617 "--data-ciphers %s:BF-CBC", o->ncp_ciphers_conf);
3618 }
3619 else if (!o->enable_ncp_fallback
3620 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3621 {
3622 msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3623 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3624 "negotiations. ",
3625 o->ciphername, o->ncp_ciphers_conf);
3626 }
3627}
3628
3643static bool
3644need_compatibility_before(const struct options *o, unsigned int version)
3645{
3646 return o->backwards_compatible != 0 && o->backwards_compatible < version;
3647}
3648
3653static void
3654options_set_backwards_compatible_options(struct options *o)
3655{
3656 /* TLS min version is not set */
3657 int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
3658 & SSLF_TLS_VERSION_MIN_MASK;
3659 if (tls_ver_min == 0)
3660 {
3661 int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
3662 & SSLF_TLS_VERSION_MAX_MASK;
3663 if (need_compatibility_before(o, 20307))
3664 {
3665 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3666 o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3667 }
3668 else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3669 {
3670 /* Use TLS 1.2 as proper default */
3671 o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3672 }
3673 else
3674 {
3675 /* Maximize the minimum version */
3676 o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3677 }
3678 }
3679
3680 if (need_compatibility_before(o, 20400))
3681 {
3682 if (!o->ciphername)
3683 {
3684 /* If ciphername is not set default to BF-CBC when targeting these
3685 * old versions that do not have NCP */
3686 o->ciphername = "BF-CBC";
3687 }
3688 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3689 * not have OCC strings required for "poor man's NCP" */
3690 o->enable_ncp_fallback = true;
3691 }
3692
3693 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3694 * Version 2.4 probably does not need it but NCP was not so
3695 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3696 * Only do this iff --cipher is set (explicitly or by compat mode
3697 * < 2.4.0, see above). This is not 100% correct backwards compatible
3698 * behaviour but 2.5 already behaved like this */
3699 if (o->ciphername && need_compatibility_before(o, 20500)
3700 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3701 {
3702 append_cipher_to_ncp_list(o, o->ciphername);
3703 }
3704
3705#ifdef USE_COMP
3706 /* Compression is deprecated and we do not want to announce support for it
3707 * by default anymore, additionally DCO breaks with compression.
3708 *
3709 * Disable compression by default starting with 2.6.0 if no other
3710 * compression related option has been explicitly set */
3711 if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
3712 {
3713 if (!comp_non_stub_enabled(&o->comp))
3714 {
3715 o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
3716 }
3717 }
3718#else /* ifdef USE_COMP */
3719 o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;
3720#endif
3721}
3722
3723static void
3724options_process_mutate_prf(struct options *o)
3725{
3726 if (!check_tls_prf_working())
3727 {
3728 msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
3729 "supported by the TLS library. Your system does not support this "
3730 "calculation anymore or your security policy (e.g. FIPS 140-2) "
3731 "forbids it. Connections will only work with peers running "
3732 "OpenVPN 2.6.0 or higher)");
3733#ifndef HAVE_EXPORT_KEYING_MATERIAL
3734 msg(M_FATAL, "Keying Material Exporters (RFC 5705) not available either. "
3735 "No way to generate data channel keys left.");
3736#endif
3737 if (o->mode == MODE_SERVER)
3738 {
3739 msg(M_WARN, "Automatically enabling option "
3740 "--force-tls-key-material-export");
3741 o->force_key_material_export = true;
3742 }
3743
3744 }
3745}
3746
3747static void
3748options_postprocess_mutate(struct options *o, struct env_set *es)
3749{
3750 int i;
3751 /*
3752 * Process helper-type options which map to other, more complex
3753 * sequences of options.
3754 */
3755 helper_client_server(o);
3756 /* must be called after helpers that might set --mode */
3757 helper_setdefault_topology(o);
3758 helper_keepalive(o);
3759 helper_tcp_nodelay(o);
3760
3761 options_postprocess_setdefault_ncpciphers(o);
3762 options_set_backwards_compatible_options(o);
3763 options_process_mutate_prf(o);
3764
3765 options_postprocess_cipher(o);
3766 o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3767 if (o->ncp_ciphers == NULL)
3768 {
3769 msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3770 }
3771
3772 if (o->remote_list && !o->connection_list)
3773 {
3774 /*
3775 * Convert remotes into connection list
3776 */
3777 const struct remote_list *rl = o->remote_list;
3778 for (i = 0; i < rl->len; ++i)
3779 {
3780 const struct remote_entry *re = rl->array[i];
3781 struct connection_entry ce = o->ce;
3782 struct connection_entry *ace;
3783
3784 ASSERT(re->remote);
3785 connection_entry_load_re(&ce, re);
3786 ace = alloc_connection_entry(o, M_USAGE);
3787 ASSERT(ace);
3788 *ace = ce;
3789 }
3790 }
3791 else if (!o->remote_list && !o->connection_list)
3792 {
3793 struct connection_entry *ace;
3794 ace = alloc_connection_entry(o, M_USAGE);
3795 ASSERT(ace);
3796 *ace = o->ce;
3797 }
3798
3799 ASSERT(o->connection_list);
3800 for (i = 0; i < o->connection_list->len; ++i)
3801 {
3802 options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3803 }
3804
3805 if (o->ce.local_list)
3806 {
3807 for (i = 0; i < o->ce.local_list->len; i++)
3808 {
3809 options_postprocess_mutate_le(&o->ce, o->ce.local_list->array[i], o->mode);
3810 }
3811
3812 for (int i = 0; i < o->ce.local_list->len; i++)
3813 {
3814 if (o->ce.local_list->array[i]->proto == PROTO_TCP)
3815 {
3816 o->ce.local_list->array[i]->proto = PROTO_TCP_SERVER;
3817 }
3818 else if (o->ce.local_list->array[i]->proto == PROTO_NONE)
3819 {
3820 o->ce.local_list->array[i]->proto = o->ce.proto;
3821 }
3822 }
3823 }
3824 else
3825 {
3826 /* if no 'local' directive was specified, convert the global port
3827 * setting to a listen entry */
3828 struct local_entry *e = alloc_local_entry(&o->ce, M_USAGE, &o->gc);
3829 ASSERT(e);
3830 e->port = o->ce.local_port;
3831 e->proto = o->ce.proto;
3832 }
3833
3834 /* use the same listen list for every outgoing connection */
3835 for (i = 0; i < o->connection_list->len; ++i)
3836 {
3837 o->connection_list->array[i]->local_list = o->ce.local_list;
3838 }
3839
3840 if (o->tls_server)
3841 {
3842 /* Check that DH file is specified, or explicitly disabled */
3843 notnull(o->dh_file, "DH file (--dh)");
3844 if (streq(o->dh_file, "none"))
3845 {
3846 o->dh_file = NULL;
3847 }
3848 }
3849 else if (o->dh_file)
3850 {
3851 /* DH file is only meaningful in a tls-server context. */
3852 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3853 "include this in your server configuration");
3854 o->dh_file = NULL;
3855 }
3856#if ENABLE_MANAGEMENT
3857 if (o->http_proxy_override)
3858 {
3859 options_postprocess_http_proxy_override(o);
3860 }
3861#endif
3862 if (!o->ca_file && !o->ca_path && o->verify_hash
3863 && o->verify_hash_depth == 0)
3864 {
3865 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3866 "option set). ");
3867 o->verify_hash_no_ca = true;
3868 }
3869
3870 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3871 {
3872 msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3873 "incompatible with each other.");
3874 }
3875
3876 if (dco_enabled(o))
3877 {
3878 /* check if any option should force disabling DCO */
3879 o->disable_dco = !dco_check_option(D_DCO, o)
3880 || !dco_check_startup_option(D_DCO, o);
3881 }
3882#ifdef USE_COMP
3883 if (dco_enabled(o))
3884 {
3885 o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY;
3886 }
3887#endif
3888
3889#ifdef _WIN32
3890 if (dco_enabled(o))
3891 {
3892 o->windows_driver = DRIVER_DCO;
3893 }
3894 else
3895 {
3896 if (o->windows_driver == DRIVER_DCO)
3897 {
3898 msg(M_WARN, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3899 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3900 }
3901 else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED)
3902 {
3903 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3904 }
3905 }
3906#else /* _WIN32 */
3907 if (dco_enabled(o) && o->dev_node)
3908 {
3909 msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3910 "data channel offload");
3911 o->dev_node = NULL;
3912 }
3913#endif /* _WIN32 */
3914
3915 /* this depends on o->windows_driver, which is set above */
3916 options_postprocess_mutate_invariant(o);
3917
3918 /* check that compression settings in the options are okay */
3919 check_compression_settings_valid(&o->comp, M_USAGE);
3920
3921 /*
3922 * Save certain parms before modifying options during connect, especially
3923 * when using --pull
3924 */
3925 if (o->pull)
3926 {
3927 dns_options_preprocess_pull(&o->dns_options);
3928 }
3929 else
3930 {
3931#if defined(_WIN32) || defined(TARGET_ANDROID)
3932 tuntap_options_copy_dns(o);
3933#else
3934 foreign_options_copy_dns(o, es);
3935#endif
3936 }
3937 if (o->auth_token_generate && !o->auth_token_renewal)
3938 {
3939 o->auth_token_renewal = o->renegotiate_seconds;
3940 }
3941 pre_connect_save(o);
3942}
3943
3944/*
3945 * Check file/directory sanity
3946 *
3947 */
3948#ifndef ENABLE_SMALL /* Expect people using the stripped down version to know what they do */
3949
3950#define CHKACC_FILE (1<<0)
3951#define CHKACC_DIRPATH (1<<1)
3952#define CHKACC_FILEXSTWR (1<<2)
3953#define CHKACC_ACPTSTDIN (1<<3)
3954#define CHKACC_PRIVATE (1<<4)
3955#define CHKACC_ACCEPT_URI (1<<5)
3957static bool
3958check_file_access(const int type, const char *file, const int mode, const char *opt)
3959{
3960 int errcode = 0;
3961
3962 /* If no file configured, no errors to look for */
3963 if (!file)
3964 {
3965 return false;
3966 }
3967
3968 /* If stdin is allowed and the file name is 'stdin', then do no
3969 * further checks as stdin is always available
3970 */
3971 if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3972 {
3973 return false;
3974 }
3975
3976 /* file name is a URI if its first segment has ":" (i.e., before any "/")
3977 * Then no checks done if CHKACC_ACCEPT_URI is set and the URI does not start with "file:"
3978 */
3979 if ((type & CHKACC_ACCEPT_URI) && strchr(file, ':'))
3980 {
3981 if (!strncmp(file, "file:", 5))
3982 {
3983 file += 5;
3984 }
3985 else if (!strchr(file, '/') || strchr(file, '/') > strchr(file, ':'))
3986 {
3987 return false;
3988 }
3989 }
3990
3991 /* Is the directory path leading to the given file accessible? */
3992 if (type & CHKACC_DIRPATH)
3993 {
3994 char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3995 char *dirpath = dirname(fullpath);
3996
3997 if (platform_access(dirpath, mode|X_OK) != 0)
3998 {
3999 errcode = errno;
4000 }
4001 free(fullpath);
4002 }
4003
4004 /* Is the file itself accessible? */
4005 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
4006 {
4007 errcode = errno;
4008 }
4009
4010 /* If the file exists and is accessible, is it writable? */
4011 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
4012 {
4013 if (platform_access(file, W_OK) != 0)
4014 {
4015 errcode = errno;
4016 }
4017 }
4018
4019 /* Warn if a given private file is group/others accessible. */
4020 if (type & CHKACC_PRIVATE)
4021 {
4022 platform_stat_t st;
4023 if (platform_stat(file, &st))
4024 {
4025 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
4026 }
4027#ifndef _WIN32
4028 else
4029 {
4030 if (st.st_mode & (S_IRWXG|S_IRWXO))
4031 {
4032 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
4033 }
4034 }
4035#endif
4036 }
4037
4038 /* Scream if an error is found */
4039 if (errcode > 0)
4040 {
4041 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
4042 }
4043
4044 /* Return true if an error occurred */
4045 return (errcode != 0 ? true : false);
4046}
4047
4048/* A wrapper for check_file_access() which also takes a chroot directory.
4049 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
4050 * otherwise it will look for the file inside the given chroot directory instead.
4051 */
4052static bool
4053check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
4054{
4055 bool ret = false;
4056
4057 /* If no file configured, no errors to look for */
4058 if (!file)
4059 {
4060 return false;
4061 }
4062
4063 /* If chroot is set, look for the file/directory inside the chroot */
4064 if (chroot)
4065 {
4066 struct gc_arena gc = gc_new();
4067 struct buffer chroot_file;
4068
4069 chroot_file = prepend_dir(chroot, file, &gc);
4070 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
4071 gc_free(&gc);
4072 }
4073 else
4074 {
4075 /* No chroot in play, just call core file check function */
4076 ret = check_file_access(type, file, mode, opt);
4077 }
4078 return ret;
4079}
4080
4085static bool
4086check_file_access_chroot_inline(bool is_inline, const char *chroot,
4087 const int type, const char *file,
4088 const int mode, const char *opt)
4089{
4090 if (is_inline)
4091 {
4092 return false;
4093 }
4094
4095 return check_file_access_chroot(chroot, type, file, mode, opt);
4096}
4097
4102static bool
4103check_file_access_inline(bool is_inline, const int type, const char *file,
4104 const int mode, const char *opt)
4105{
4106 if (is_inline)
4107 {
4108 return false;
4109 }
4110
4111 return check_file_access(type, file, mode, opt);
4112}
4113
4114/*
4115 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
4116 * valid file with appropriate permissions.
4117 *
4118 * "command" consists of a path, optionally followed by a space, which may be
4119 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
4120 * performed.
4121 *
4122 * The path and arguments in "command" may be single- or double-quoted or escaped.
4123 *
4124 * The path is extracted from "command", then check_file_access() is called to check it. The
4125 * arguments, if any, are ignored.
4126 *
4127 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
4128 * check_file_access() arguments.
4129 */
4130static bool
4131check_cmd_access(const char *command, const char *opt, const char *chroot)
4132{
4133 struct argv argv;
4134 bool return_code;
4135
4136 /* If no command was set, there are no errors to look for */
4137 if (!command)
4138 {
4139 return false;
4140 }
4141
4142 /* Extract executable path and arguments */
4143 argv = argv_new();
4144 argv_parse_cmd(&argv, command);
4145
4146 /* if an executable is specified then check it; otherwise, complain */
4147 if (argv.argv[0])
4148 {
4149 /* Scripts requires R_OK as well, but that might fail on binaries which
4150 * only requires X_OK to function on Unix - a scenario not unlikely to
4151 * be seen on suid binaries.
4152 */
4153 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
4154 }
4155 else
4156 {
4157 msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
4158 opt, command);
4159 return_code = true;
4160 }
4161
4162 argv_free(&argv);
4163
4164 return return_code;
4165}
4166
4167/*
4168 * Sanity check of all file/dir options. Checks that file/dir
4169 * is accessible by OpenVPN
4170 */
4171static void
4172options_postprocess_filechecks(struct options *options)
4173{
4174 bool errs = false;
4175
4176 /* ** SSL/TLS/crypto related files ** */
4177 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
4178 options->dh_file, R_OK, "--dh");
4179
4180 if (!options->verify_hash_no_ca)
4181 {
4182 errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
4183 options->ca_file, R_OK, "--ca");
4184 }
4185
4186 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4187 options->ca_path, R_OK, "--capath");
4188
4189 errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE|CHKACC_ACCEPT_URI,
4190 options->cert_file, R_OK, "--cert");
4191
4192 errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
4193 options->extra_certs_file, R_OK,
4194 "--extra-certs");
4195
4196 if (!(options->management_flags & MF_EXTERNAL_KEY))
4197 {
4198 errs |= check_file_access_inline(options->priv_key_file_inline,
4199 CHKACC_FILE|CHKACC_PRIVATE|CHKACC_ACCEPT_URI,
4200 options->priv_key_file, R_OK, "--key");
4201 }
4202
4203 errs |= check_file_access_inline(options->pkcs12_file_inline,
4204 CHKACC_FILE|CHKACC_PRIVATE,
4205 options->pkcs12_file, R_OK, "--pkcs12");
4206
4207 if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
4208 {
4209 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4210 options->crl_file, R_OK|X_OK,
4211 "--crl-verify directory");
4212 }
4213 else
4214 {
4215 errs |= check_file_access_chroot_inline(options->crl_file_inline,
4216 options->chroot_dir,
4217 CHKACC_FILE, options->crl_file,
4218 R_OK, "--crl-verify");
4219 }
4220
4221 if (options->tls_export_peer_cert_dir)
4222 {
4223 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4224 options->tls_export_peer_cert_dir,
4225 W_OK, "--tls-export-cert");
4226 }
4227
4228 ASSERT(options->connection_list);
4229 for (int i = 0; i < options->connection_list->len; ++i)
4230 {
4231 struct connection_entry *ce = options->connection_list->array[i];
4232
4233 errs |= check_file_access_inline(ce->tls_auth_file_inline,
4234 CHKACC_FILE|CHKACC_PRIVATE,
4235 ce->tls_auth_file, R_OK,
4236 "--tls-auth");
4237 errs |= check_file_access_inline(ce->tls_crypt_file_inline,
4238 CHKACC_FILE|CHKACC_PRIVATE,
4239 ce->tls_crypt_file, R_OK,
4240 "--tls-crypt");
4241 errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline,
4242 CHKACC_FILE|CHKACC_PRIVATE,
4243 ce->tls_crypt_v2_file, R_OK,
4244 "--tls-crypt-v2");
4245 }
4246
4247 errs |= check_file_access_inline(options->shared_secret_file_inline,
4248 CHKACC_FILE|CHKACC_PRIVATE,
4249 options->shared_secret_file, R_OK,
4250 "--secret");
4251
4252 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
4253 options->packet_id_file, R_OK|W_OK, "--replay-persist");
4254
4255 /* ** Password files ** */
4256 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4257 options->key_pass_file, R_OK, "--askpass");
4258#ifdef ENABLE_MANAGEMENT
4259 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4260 options->management_user_pass, R_OK,
4261 "--management user/password file");
4262#endif /* ENABLE_MANAGEMENT */
4263 errs |= check_file_access_inline(options->auth_user_pass_file_inline,
4264 CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4265 options->auth_user_pass_file, R_OK,
4266 "--auth-user-pass");
4267 /* ** System related ** */
4268 errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
4269 R_OK|X_OK, "--chroot directory");
4270 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
4271 R_OK|W_OK, "--writepid");
4272
4273 /* ** Log related ** */
4274 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
4275 R_OK|W_OK, "--status");
4276
4277 /* ** Config related ** */
4278 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4279 R_OK|X_OK, "--client-config-dir");
4280 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4281 R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
4282
4283 if (errs)
4284 {
4285 msg(M_USAGE, "Please correct these errors.");
4286 }
4287}
4288#endif /* !ENABLE_SMALL */
4289
4290/*
4291 * Sanity check on options.
4292 * Also set some options based on other
4293 * options.
4294 */
4295void
4296options_postprocess(struct options *options, struct env_set *es)
4297{
4298 options_postprocess_mutate(options, es);
4299 options_postprocess_verify(options);
4300#ifndef ENABLE_SMALL
4301 options_postprocess_filechecks(options);
4302#endif /* !ENABLE_SMALL */
4303}
4304
4305/*
4306 * Sanity check on options after more options were pulled from server.
4307 * Also time to modify some options based on other options.
4308 */
4309bool
4310options_postprocess_pull(struct options *o, struct env_set *es)
4311{
4312 bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4313 if (success)
4314 {
4315 dns_options_postprocess_pull(&o->dns_options);
4316 setenv_dns_options(&o->dns_options, es);
4317#if defined(_WIN32) || defined(TARGET_ANDROID)
4318 tuntap_options_copy_dns(o);
4319#else
4320 foreign_options_copy_dns(o, es);
4321#endif
4322 }
4323 return success;
4324}
4325
4326/*
4327 * Build an options string to represent data channel encryption options.
4328 * This string must match exactly between peers. The keysize is checked
4329 * separately by read_key().
4330 *
4331 * The following options must match on both peers:
4332 *
4333 * Tunnel options:
4334 *
4335 * --dev tun|tap [unit number need not match]
4336 * --dev-type tun|tap
4337 * --link-mtu
4338 * --udp-mtu
4339 * --tun-mtu
4340 * --proto udp
4341 * --proto tcp-client [matched with --proto tcp-server
4342 * on the other end of the connection]
4343 * --proto tcp-server [matched with --proto tcp-client on
4344 * the other end of the connection]
4345 * --tun-ipv6
4346 * --ifconfig x y [matched with --ifconfig y x on
4347 * the other end of the connection]
4348 *
4349 * --comp-lzo
4350 * --compress alg
4351 * --fragment
4352 *
4353 * Crypto Options:
4354 *
4355 * --cipher
4356 * --auth
4357 * --secret
4358 *
4359 * SSL Options:
4360 *
4361 * --tls-auth
4362 * --tls-client [matched with --tls-server on
4363 * the other end of the connection]
4364 * --tls-server [matched with --tls-client on
4365 * the other end of the connection]
4366 */
4367char *
4368options_string(const struct options *o,
4369 const struct frame *frame,
4370 struct tuntap *tt,
4371 openvpn_net_ctx_t *ctx,
4372 bool remote,
4373 struct gc_arena *gc)
4374{
4375 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4376 bool tt_local = false;
4377
4378 buf_printf(&out, "V4");
4379
4380 /*
4381 * Tunnel Options
4382 */
4383
4384 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4385 /* the link-mtu that we send has only a meaning if have a fixed
4386 * cipher (p2p) or have a fallback cipher configured for older non
4387 * ncp clients. But not sending it will make even 2.4 complain
4388 * about it being missing. So still send it. */
4389 buf_printf(&out, ",link-mtu %u",
4390 (unsigned int) calc_options_string_link_mtu(o, frame));
4391
4392 if (o->ce.occ_mtu != 0)
4393 {
4394 buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4395 }
4396 else
4397 {
4398 buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4399 }
4400
4401 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4402
4403 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4404 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4405 * is usually pushed by the server, triggering a non-helpful warning
4406 */
4407 if (o->ifconfig_ipv6_local && p2p_nopull)
4408 {
4409 buf_printf(&out, ",tun-ipv6");
4410 }
4411
4412 /*
4413 * Try to get ifconfig parameters into the options string.
4414 * If tt is undefined, make a temporary instantiation.
4415 */
4416 if (!tt)
4417 {
4418 tt = init_tun(o->dev,
4419 o->dev_type,
4420 o->topology,
4421 o->ifconfig_local,
4422 o->ifconfig_remote_netmask,
4423 o->ifconfig_ipv6_local,
4424 o->ifconfig_ipv6_netbits,
4425 o->ifconfig_ipv6_remote,
4426 NULL,
4427 NULL,
4428 false,
4429 NULL,
4430 ctx,
4431 NULL);
4432 if (tt)
4433 {
4434 tt_local = true;
4435 }
4436 }
4437
4438 if (tt && p2p_nopull)
4439 {
4440 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4441 if (ios && strlen(ios))
4442 {
4443 buf_printf(&out, ",ifconfig %s", ios);
4444 }
4445 }
4446 if (tt_local)
4447 {
4448 free(tt);
4449 tt = NULL;
4450 }
4451
4452#ifdef USE_COMP
4453 if (o->comp.alg != COMP_ALG_UNDEF)
4454 {
4455 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
4456 }
4457#endif
4458
4459#ifdef ENABLE_FRAGMENT
4460 if (o->ce.fragment)
4461 {
4462 buf_printf(&out, ",mtu-dynamic");
4463 }
4464#endif
4465
4466#define TLS_CLIENT (o->tls_client)
4467#define TLS_SERVER (o->tls_server)
4468
4469 /*
4470 * Key direction
4471 */
4472 {
4473 const char *kd = keydirection2ascii(o->key_direction, remote, false);
4474 if (kd)
4475 {
4476 buf_printf(&out, ",keydir %s", kd);
4477 }
4478 }
4479
4480 /*
4481 * Crypto Options
4482 */
4483 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4484 {
4485 struct key_type kt;
4486
4487 ASSERT((o->shared_secret_file != NULL)
4488 + (TLS_CLIENT == true)
4489 + (TLS_SERVER == true)
4490 <= 1);
4491
4492 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4493 * to work here in the default configuration */
4494 const char *ciphername = o->ciphername;
4495 int keysize = 0;
4496
4497 if (strcmp(o->ciphername, "BF-CBC") == 0)
4498 {
4499 init_key_type(&kt, "none", o->authname, true, false);
4500 keysize = 128;
4501 }
4502 else
4503 {
4504 init_key_type(&kt, o->ciphername, o->authname, true, false);
4505 ciphername = cipher_kt_name(kt.cipher);
4506 if (cipher_defined(o->ciphername))
4507 {
4508 keysize = cipher_kt_key_size(kt.cipher) * 8;
4509 }
4510 }
4511 /* Only announce the cipher to our peer if we are willing to
4512 * support it */
4513 if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4514 {
4515 buf_printf(&out, ",cipher %s", ciphername);
4516 }
4517 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4518 buf_printf(&out, ",keysize %d", keysize);
4519 if (o->shared_secret_file)
4520 {
4521 buf_printf(&out, ",secret");
4522 }
4523
4524#ifdef ENABLE_PREDICTION_RESISTANCE
4525 if (o->use_prediction_resistance)
4526 {
4527 buf_printf(&out, ",use-prediction-resistance");
4528 }
4529#endif
4530 }
4531
4532 /*
4533 * SSL Options
4534 */
4535 {
4536 if (TLS_CLIENT || TLS_SERVER)
4537 {
4538 if (o->ce.tls_auth_file)
4539 {
4540 buf_printf(&out, ",tls-auth");
4541 }
4542 /* Not adding tls-crypt here, because we won't reach this code if
4543 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4544 * break stuff, so leaving that in place. */
4545
4546 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4547 }
4548
4549 if (remote)
4550 {
4551 if (TLS_CLIENT)
4552 {
4553 buf_printf(&out, ",tls-server");
4554 }
4555 else if (TLS_SERVER)
4556 {
4557 buf_printf(&out, ",tls-client");
4558 }
4559 }
4560 else
4561 {
4562 if (TLS_CLIENT)
4563 {
4564 buf_printf(&out, ",tls-client");
4565 }
4566 else if (TLS_SERVER)
4567 {
4568 buf_printf(&out, ",tls-server");
4569 }
4570 }
4571 }
4572
4573#undef TLS_CLIENT
4574#undef TLS_SERVER
4575
4576 return BSTR(&out);
4577}
4578
4579/*
4580 * Compare option strings for equality.
4581 * If the first two chars of the strings differ, it means that
4582 * we are looking at different versions of the options string,
4583 * therefore don't compare them and return true.
4584 */
4585
4586bool
4587options_cmp_equal(char *actual, const char *expected)
4588{
4589 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4590}
4591
4592void
4593options_warning(char *actual, const char *expected)
4594{
4595 options_warning_safe(actual, expected, strlen(actual) + 1);
4596}
4597
4598static const char *
4599options_warning_extract_parm1(const char *option_string,
4600 struct gc_arena *gc_ret)
4601{
4602 struct gc_arena gc = gc_new();
4603 struct buffer b = string_alloc_buf(option_string, &gc);
4604 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4605 const char *ret;
4606
4607 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4608 ret = string_alloc(p, gc_ret);
4609 gc_free(&gc);
4610 return ret;
4611}
4612
4613static void
4614options_warning_safe_scan2(const int msglevel,
4615 const int delim,
4616 const bool report_inconsistent,
4617 const char *p1,
4618 const struct buffer *b2_src,
4619 const char *b1_name,
4620 const char *b2_name)
4621{
4622 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4623 * OCC in a future version (because it's not useful). To reduce questions
4624 * when interoperating, we no longer printing a warning about it.
4625 */
4626 if (strprefix(p1, "key-method ")
4627 || strprefix(p1, "keydir ")
4628 || strprefix(p1, "proto ")
4629 || streq(p1, "tls-auth")
4630 || strprefix(p1, "tun-ipv6")
4631 || strprefix(p1, "cipher "))
4632 {
4633 return;
4634 }
4635
4636 if (strlen(p1) > 0)
4637 {
4638 struct gc_arena gc = gc_new();
4639 struct buffer b2 = *b2_src;
4640 const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4641 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4642
4643 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4644 {
4645 if (strlen(p2))
4646 {
4647 const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4648
4649 if (!strcmp(p1, p2))
4650 {
4651 goto done;
4652 }
4653 if (!strcmp(p1_prefix, p2_prefix))
4654 {
4655 if (report_inconsistent)
4656 {
4657 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4658 safe_print(p1_prefix, &gc),
4659 b1_name,
4660 safe_print(p1, &gc),
4661 b2_name,
4662 safe_print(p2, &gc));
4663 }
4664 goto done;
4665 }
4666 }
4667 }
4668
4669 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4670 safe_print(p1_prefix, &gc),
4671 b1_name,
4672 b2_name,
4673 b1_name,
4674 safe_print(p1, &gc));
4675
4676done:
4677 gc_free(&gc);
4678 }
4679}
4680
4681static void
4682options_warning_safe_scan1(const int msglevel,
4683 const int delim,
4684 const bool report_inconsistent,
4685 const struct buffer *b1_src,
4686 const struct buffer *b2_src,
4687 const char *b1_name,
4688 const char *b2_name)
4689{
4690 struct gc_arena gc = gc_new();
4691 struct buffer b = *b1_src;
4692 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4693
4694 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4695 {
4696 options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4697 }
4698
4699 gc_free(&gc);
4700}
4701
4702static void
4703options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4704{
4705 struct gc_arena gc = gc_new();
4706
4707 if (actual_n > 0)
4708 {
4709 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4710 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4711 actual[actual_n - 1] = 0;
4712
4713 buf_printf(&local, "version %s", expected);
4714 buf_printf(&remote, "version %s", actual);
4715
4716 options_warning_safe_scan1(msglevel, ',', true,
4717 &local, &remote,
4718 "local", "remote");
4719
4720 options_warning_safe_scan1(msglevel, ',', false,
4721 &remote, &local,
4722 "remote", "local");
4723 }
4724
4725 gc_free(&gc);
4726}
4727
4728bool
4729options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4730{
4731 struct gc_arena gc = gc_new();
4732 bool ret = true;
4733
4734 if (actual_n > 0)
4735 {
4736 actual[actual_n - 1] = 0;
4737 if (strncmp(actual, expected, 2))
4738 {
4739 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4740 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4741 }
4742 else
4743 {
4744 ret = !strcmp(actual, expected);
4745 }
4746 }
4747 gc_free(&gc);
4748 return ret;
4749}
4750
4751void
4752options_warning_safe(char *actual, const char *expected, size_t actual_n)
4753{
4754 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4755}
4756
4757const char *
4758options_string_version(const char *s, struct gc_arena *gc)
4759{
4760 struct buffer out = alloc_buf_gc(4, gc);
4761 strncpynt((char *) BPTR(&out), s, 3);
4762 return BSTR(&out);
4763}
4764
4765char *
4766options_string_extract_option(const char *options_string, const char *opt_name,
4767 struct gc_arena *gc)
4768{
4769 char *ret = NULL;
4770 const size_t opt_name_len = strlen(opt_name);
4771
4772 const char *p = options_string;
4773 while (p)
4774 {
4775 if (0 == strncmp(p, opt_name, opt_name_len)
4776 && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4777 {
4778 /* option found, extract value */
4779 const char *start = &p[opt_name_len+1];
4780 const char *end = strchr(p, ',');
4781 size_t val_len = end ? end - start : strlen(start);
4782 ret = gc_malloc(val_len+1, true, gc);
4783 memcpy(ret, start, val_len);
4784 break;
4785 }
4786 p = strchr(p, ',');
4787 if (p)
4788 {
4789 p++; /* skip delimiter */
4790 }
4791 }
4792 return ret;
4793}
4794
4795#ifdef _WIN32
4803static enum tun_driver_type
4804parse_windows_driver(const char *str, const int msglevel)
4805{
4806 if (streq(str, "tap-windows6"))
4807 {
4808 return WINDOWS_DRIVER_TAP_WINDOWS6;
4809 }
4810 else if (streq(str, "wintun"))
4811 {
4812 return WINDOWS_DRIVER_WINTUN;
4813 }
4814
4815 else if (streq(str, "ovpn-dco"))
4816 {
4817 return DRIVER_DCO;
4818 }
4819 else
4820 {
4821 msg(msglevel, "--windows-driver must be tap-windows6, wintun "
4822 "or ovpn-dco");
4823 return WINDOWS_DRIVER_UNSPECIFIED;
4824 }
4825}
4826#endif /* ifdef _WIN32 */
4827
4828/*
4829 * parse/print topology coding
4830 */
4831
4832int
4833parse_topology(const char *str, const int msglevel)
4834{
4835 if (streq(str, "net30"))
4836 {
4837 return TOP_NET30;
4838 }
4839 else if (streq(str, "p2p"))
4840 {
4841 return TOP_P2P;
4842 }
4843 else if (streq(str, "subnet"))
4844 {
4845 return TOP_SUBNET;
4846 }
4847 else
4848 {
4849 msg(msglevel, "--topology must be net30, p2p, or subnet");
4850 return TOP_UNDEF;
4851 }
4852}
4853
4854const char *
4855print_topology(const int topology)
4856{
4857 switch (topology)
4858 {
4859 case TOP_UNDEF:
4860 return "undef";
4861
4862 case TOP_NET30:
4863 return "net30";
4864
4865 case TOP_P2P:
4866 return "p2p";
4867
4868 case TOP_SUBNET:
4869 return "subnet";
4870
4871 default:
4872 return "unknown";
4873 }
4874}
4875
4876/*
4877 * Manage auth-retry variable
4878 */
4879
4880static int global_auth_retry; /* GLOBAL */
4881
4882int
4883auth_retry_get(void)
4884{
4885 return global_auth_retry;
4886}
4887
4888bool
4889auth_retry_set(const int msglevel, const char *option)
4890{
4891 if (streq(option, "interact"))
4892 {
4893 global_auth_retry = AR_INTERACT;
4894 }
4895 else if (streq(option, "nointeract"))
4896 {
4897 global_auth_retry = AR_NOINTERACT;
4898 }
4899 else if (streq(option, "none"))
4900 {
4901 global_auth_retry = AR_NONE;
4902 }
4903 else
4904 {
4905 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4906 return false;
4907 }
4908 return true;
4909}
4910
4911const char *
4912auth_retry_print(void)
4913{
4914 switch (global_auth_retry)
4915 {
4916 case AR_NONE:
4917 return "none";
4918
4919 case AR_NOINTERACT:
4920 return "nointeract";
4921
4922 case AR_INTERACT:
4923 return "interact";
4924
4925 default:
4926 return "???";
4927 }
4928}
4929
4930/*
4931 * Print the help message.
4932 */
4933static void
4934usage(void)
4935{
4936 FILE *fp = msg_fp(0);
4937
4938#ifdef ENABLE_SMALL
4939
4940 fprintf(fp, "Usage message not available\n");
4941
4942#else
4943
4944 struct options o;
4945 init_options(&o, true);
4946
4947 fprintf(fp, usage_message,
4948 title_string,
4949 o.ce.connect_retry_seconds,
4950 o.ce.connect_retry_seconds_max,
4951 o.ce.local_port, o.ce.remote_port,
4952 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
4953 o.verbosity,
4954 o.authname,
4955 o.replay_window, o.replay_time,
4956 o.tls_timeout, o.renegotiate_seconds,
4957 o.handshake_window, o.transition_window);
4958 fflush(fp);
4959
4960#endif /* ENABLE_SMALL */
4961
4962 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4963}
4964
4965void
4966usage_small(void)
4967{
4968 msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4969 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4970}
4971
4972#ifdef _WIN32
4973void
4974show_windows_version(const unsigned int flags)
4975{
4976 struct gc_arena gc = gc_new();
4977 msg(flags, "Windows version %s", win32_version_string(&gc, true));
4978 gc_free(&gc);
4979}
4980#endif
4981
4982void
4983show_dco_version(const unsigned int flags)
4984{
4985#ifdef ENABLE_DCO
4986 struct gc_arena gc = gc_new();
4987 msg(flags, "DCO version: %s", dco_version_string(&gc));
4988 gc_free(&gc);
4989#endif
4990}
4991
4992void
4993show_library_versions(const unsigned int flags)
4994{
4995#ifdef ENABLE_LZO
4996#define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4997#else
4998#define LZO_LIB_VER_STR "", ""
4999#endif
5000
5001 msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
5002 LZO_LIB_VER_STR);
5003
5004#undef LZO_LIB_VER_STR
5005}
5006
5007static void
5008usage_version(void)
5009{
5010 msg(M_INFO|M_NOPREFIX, "%s", title_string);
5011 show_library_versions( M_INFO|M_NOPREFIX );
5012#ifdef _WIN32
5013 show_windows_version( M_INFO|M_NOPREFIX );
5014#endif
5015 show_dco_version(M_INFO | M_NOPREFIX);
5016 msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
5017 msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>");
5018#ifndef ENABLE_SMALL
5019#ifdef CONFIGURE_DEFINES
5020 msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
5021#endif
5022#ifdef CONFIGURE_SPECIAL_BUILD
5023 msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
5024#endif
5025#endif
5026 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
5027}
5028
5029void
5030notnull(const char *arg, const char *description)
5031{
5032 if (!arg)
5033 {
5034 msg(M_USAGE, "You must define %s", description);
5035 }
5036}
5037
5038bool
5039string_defined_equal(const char *s1, const char *s2)
5040{
5041 if (s1 && s2)
5042 {
5043 return !strcmp(s1, s2);
5044 }
5045 else
5046 {
5047 return false;
5048 }
5049}
5050
5051#if 0
5052static void
5053ping_rec_err(int msglevel)
5054{
5055 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
5056}
5057#endif
5058
5059#ifdef _WIN32 /* This function is only used when compiling on Windows */
5060static unsigned int
5061atou(const char *str)
5062{
5063 unsigned int val = 0;
5064 sscanf(str, "%u", &val);
5065 return val;
5066}
5067#endif
5068
5069static inline bool
5070space(unsigned char c)
5071{
5072 return c == '\0' || isspace(c);
5073}
5074
5075int
5076parse_line(const char *line,
5077 char *p[],
5078 const int n,
5079 const char *file,
5080 const int line_num,
5081 int msglevel,
5082 struct gc_arena *gc)
5083{
5084 const int STATE_INITIAL = 0;
5085 const int STATE_READING_QUOTED_PARM = 1;
5086 const int STATE_READING_UNQUOTED_PARM = 2;
5087 const int STATE_DONE = 3;
5088 const int STATE_READING_SQUOTED_PARM = 4;
5089
5090 const char *error_prefix = "";
5091
5092 int ret = 0;
5093 const char *c = line;
5094 int state = STATE_INITIAL;
5095 bool backslash = false;
5096 char in, out;
5097
5098 char parm[OPTION_PARM_SIZE];
5099 unsigned int parm_len = 0;
5100
5101 msglevel &= ~M_OPTERR;
5102
5103 if (msglevel & M_MSG_VIRT_OUT)
5104 {
5105 error_prefix = "ERROR: ";
5106 }
5107
5108 do
5109 {
5110 in = *c;
5111 out = 0;
5112
5113 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
5114 {
5115 backslash = true;
5116 }
5117 else
5118 {
5119 if (state == STATE_INITIAL)
5120 {
5121 if (!space(in))
5122 {
5123 if (in == ';' || in == '#') /* comment */
5124 {
5125 break;
5126 }
5127 if (!backslash && in == '\"')
5128 {
5129 state = STATE_READING_QUOTED_PARM;
5130 }
5131 else if (!backslash && in == '\'')
5132 {
5133 state = STATE_READING_SQUOTED_PARM;
5134 }
5135 else
5136 {
5137 out = in;
5138 state = STATE_READING_UNQUOTED_PARM;
5139 }
5140 }
5141 }
5142 else if (state == STATE_READING_UNQUOTED_PARM)
5143 {
5144 if (!backslash && space(in))
5145 {
5146 state = STATE_DONE;
5147 }
5148 else
5149 {
5150 out = in;
5151 }
5152 }
5153 else if (state == STATE_READING_QUOTED_PARM)
5154 {
5155 if (!backslash && in == '\"')
5156 {
5157 state = STATE_DONE;
5158 }
5159 else
5160 {
5161 out = in;
5162 }
5163 }
5164 else if (state == STATE_READING_SQUOTED_PARM)
5165 {
5166 if (in == '\'')
5167 {
5168 state = STATE_DONE;
5169 }
5170 else
5171 {
5172 out = in;
5173 }
5174 }
5175 if (state == STATE_DONE)
5176 {
5177 /* ASSERT (parm_len > 0); */
5178 p[ret] = gc_malloc(parm_len + 1, true, gc);
5179 memcpy(p[ret], parm, parm_len);
5180 p[ret][parm_len] = '\0';
5181 state = STATE_INITIAL;
5182 parm_len = 0;
5183 ++ret;
5184 }
5185
5186 if (backslash && out)
5187 {
5188 if (!(out == '\\' || out == '\"' || space(out)))
5189 {
5190#ifdef ENABLE_SMALL
5191 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
5192#else
5193 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
5194#endif
5195 return 0;
5196 }
5197 }
5198 backslash = false;
5199 }
5200
5201 /* store parameter character */
5202 if (out)
5203 {
5204 if (parm_len >= SIZE(parm))
5205 {
5206 parm[SIZE(parm) - 1] = 0;
5207 msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5208 error_prefix, file, line_num, (int) SIZE(parm), parm);
5209 return 0;
5210 }
5211 parm[parm_len++] = out;
5212 }
5213
5214 /* avoid overflow if too many parms in one config file line */
5215 if (ret >= n)
5216 {
5217 break;
5218 }
5219
5220 } while (*c++ != '\0');
5221
5222 if (state == STATE_READING_QUOTED_PARM)
5223 {
5224 msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
5225 return 0;
5226 }
5227 if (state == STATE_READING_SQUOTED_PARM)
5228 {
5229 msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
5230 return 0;
5231 }
5232 if (state != STATE_INITIAL)
5233 {
5234 msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
5235 return 0;
5236 }
5237#if 0
5238 {
5239 int i;
5240 for (i = 0; i < ret; ++i)
5241 {
5242 msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
5243 }
5244 }
5245#endif
5246 return ret;
5247}
5248
5249static void
5250bypass_doubledash(char **p)
5251{
5252 if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
5253 {
5254 *p += 2;
5255 }
5256}
5257
5258struct in_src {
5259#define IS_TYPE_FP 1
5260#define IS_TYPE_BUF 2
5261 int type;
5262 union {
5263 FILE *fp;
5264 struct buffer *multiline;
5265 } u;
5266};
5267
5268static bool
5269in_src_get(const struct in_src *is, char *line, const int size)
5270{
5271 if (is->type == IS_TYPE_FP)
5272 {
5273 return BOOL_CAST(fgets(line, size, is->u.fp));
5274 }
5275 else if (is->type == IS_TYPE_BUF)
5276 {
5277 bool status = buf_parse(is->u.multiline, '\n', line, size);
5278 if ((int) strlen(line) + 1 < size)
5279 {
5280 strcat(line, "\n");
5281 }
5282 return status;
5283 }
5284 else
5285 {
5286 ASSERT(0);
5287 return false;
5288 }
5289}
5290
5291static char *
5292read_inline_file(struct in_src *is, const char *close_tag,
5293 int *num_lines, struct gc_arena *gc)
5294{
5295 char line[OPTION_LINE_SIZE];
5296 struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
5297 char *ret;
5298 bool endtagfound = false;
5299
5300 while (in_src_get(is, line, sizeof(line)))
5301 {
5302 (*num_lines)++;
5303 char *line_ptr = line;
5304 /* Remove leading spaces */
5305 while (isspace(*line_ptr))
5306 {
5307 line_ptr++;
5308 }
5309 if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
5310 {
5311 endtagfound = true;
5312 break;
5313 }
5314 if (!buf_safe(&buf, strlen(line)+1))
5315 {
5316 /* Increase buffer size */
5317 struct buffer buf2 = alloc_buf(buf.capacity * 2);
5318 ASSERT(buf_copy(&buf2, &buf));
5319 buf_clear(&buf);
5320 free_buf(&buf);
5321 buf = buf2;
5322 }
5323 buf_printf(&buf, "%s", line);
5324 }
5325 if (!endtagfound)
5326 {
5327 msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
5328 }
5329 ret = string_alloc(BSTR(&buf), gc);
5330 buf_clear(&buf);
5331 free_buf(&buf);
5332 secure_memzero(line, sizeof(line));
5333 return ret;
5334}
5335
5336static int
5337check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
5338{
5339 int num_inline_lines = 0;
5340
5341 if (p[0] && !p[1])
5342 {
5343 char *arg = p[0];
5344 if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
5345 {
5346 struct buffer close_tag;
5347
5348 arg[strlen(arg) - 1] = '\0';
5349 p[0] = string_alloc(arg + 1, gc);
5350 close_tag = alloc_buf(strlen(p[0]) + 4);
5351 buf_printf(&close_tag, "</%s>", p[0]);
5352 p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
5353 p[2] = NULL;
5354 free_buf(&close_tag);
5355 }
5356 }
5357 return num_inline_lines;
5358}
5359
5360static int
5361check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
5362{
5363 struct in_src is;
5364 is.type = IS_TYPE_FP;
5365 is.u.fp = fp;
5366 return check_inline_file(&is, p, gc);
5367}
5368
5369static int
5370check_inline_file_via_buf(struct buffer *multiline, char *p[],
5371 struct gc_arena *gc)
5372{
5373 struct in_src is;
5374 is.type = IS_TYPE_BUF;
5375 is.u.multiline = multiline;
5376 return check_inline_file(&is, p, gc);
5377}
5378
5379static void
5380add_option(struct options *options,
5381 char *p[],
5382 bool is_inline,
5383 const char *file,
5384 int line,
5385 const int level,
5386 const int msglevel,
5387 const unsigned int permission_mask,
5388 unsigned int *option_types_found,
5389 struct env_set *es);
5390
5391static void
5392read_config_file(struct options *options,
5393 const char *file,
5394 int level,
5395 const char *top_file,
5396 const int top_line,
5397 const int msglevel,
5398 const unsigned int permission_mask,
5399 unsigned int *option_types_found,
5400 struct env_set *es)
5401{
5402 const int max_recursive_levels = 10;
5403 FILE *fp;
5404 int line_num;
5405 char line[OPTION_LINE_SIZE+1];
5406 char *p[MAX_PARMS+1];
5407
5408 ++level;
5409 if (level <= max_recursive_levels)
5410 {
5411 if (streq(file, "stdin"))
5412 {
5413 fp = stdin;
5414 }
5415 else
5416 {
5417 fp = platform_fopen(file, "r");
5418 }
5419 if (fp)
5420 {
5421 line_num = 0;
5422 while (fgets(line, sizeof(line), fp))
5423 {
5424 int offset = 0;
5425 CLEAR(p);
5426 ++line_num;
5427 if (strlen(line) == OPTION_LINE_SIZE)
5428 {
5429 msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5430 file, line_num, OPTION_LINE_SIZE, line);
5431 }
5432
5433 /* Ignore UTF-8 BOM at start of stream */
5434 if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
5435 {
5436 offset = 3;
5437 }
5438 if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5439 {
5440 bypass_doubledash(&p[0]);
5441 int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
5442 add_option(options, p, lines_inline, file, line_num, level,
5443 msglevel, permission_mask, option_types_found,
5444 es);
5445 line_num += lines_inline;
5446 }
5447 }
5448 if (fp != stdin)
5449 {
5450 fclose(fp);
5451 }
5452 }
5453 else
5454 {
5455 msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
5456 }
5457 }
5458 else
5459 {
5460 msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
5461 }
5462 secure_memzero(line, sizeof(line));
5463 CLEAR(p);
5464}
5465
5466static void
5467read_config_string(const char *prefix,
5468 struct options *options,
5469 const char *config,
5470 const int msglevel,
5471 const unsigned int permission_mask,
5472 unsigned int *option_types_found,
5473 struct env_set *es)
5474{
5475 char line[OPTION_LINE_SIZE];
5476 struct buffer multiline;
5477 int line_num = 0;
5478
5479 buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5480
5481 while (buf_parse(&multiline, '\n', line, sizeof(line)))
5482 {
5483 char *p[MAX_PARMS+1];
5484 CLEAR(p);
5485 ++line_num;
5486 if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
5487 {
5488 bypass_doubledash(&p[0]);
5489 int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
5490 add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
5491 permission_mask, option_types_found, es);
5492 line_num += lines_inline;
5493 }
5494 CLEAR(p);
5495 }
5496 secure_memzero(line, sizeof(line));
5497}
5498
5499void
5500parse_argv(struct options *options,
5501 const int argc,
5502 char *argv[],
5503 const int msglevel,
5504 const unsigned int permission_mask,
5505 unsigned int *option_types_found,
5506 struct env_set *es)
5507{
5508 /* usage message */
5509 if (argc <= 1)
5510 {
5511 usage();
5512 }
5513
5514 /* config filename specified only? */
5515 if (argc == 2 && strncmp(argv[1], "--", 2))
5516 {
5517 char *p[MAX_PARMS+1];
5518 CLEAR(p);
5519 p[0] = "config";
5520 p[1] = argv[1];
5521 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5522 option_types_found, es);
5523 }
5524 else
5525 {
5526 /* parse command line */
5527 for (int i = 1; i < argc; ++i)
5528 {
5529 char *p[MAX_PARMS+1];
5530 CLEAR(p);
5531 p[0] = argv[i];
5532 if (strncmp(p[0], "--", 2))
5533 {
5534 msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
5535 }
5536 else
5537 {
5538 p[0] += 2;
5539 }
5540
5541 int j;
5542 for (j = 1; j < MAX_PARMS; ++j)
5543 {
5544 if (i + j < argc)
5545 {
5546 char *arg = argv[i + j];
5547 if (strncmp(arg, "--", 2))
5548 {
5549 p[j] = arg;
5550 }
5551 else
5552 {
5553 break;
5554 }
5555 }
5556 }
5557 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5558 option_types_found, es);
5559 i += j - 1;
5560 }
5561 }
5562}
5563
5572static bool
5573apply_pull_filter(const struct options *o, char *line)
5574{
5575 struct pull_filter *f;
5576
5577 if (!o->pull_filter_list)
5578 {
5579 return true;
5580 }
5581
5582 /* skip leading spaces matching the behaviour of parse_line */
5583 while (isspace(*line))
5584 {
5585 line++;
5586 }
5587
5588 for (f = o->pull_filter_list->head; f; f = f->next)
5589 {
5590 if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5591 {
5592 msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5593 return true;
5594 }
5595 else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5596 {
5597 msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5598 *line = '\0';
5599 return true;
5600 }
5601 else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5602 {
5603 msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5604 *line = '\0';
5605 throw_signal_soft(SIGUSR1, "Offending option received from server");
5606 return false;
5607 }
5608 }
5609 return true;
5610}
5611
5612bool
5613apply_push_options(struct options *options,
5614 struct buffer *buf,
5615 unsigned int permission_mask,
5616 unsigned int *option_types_found,
5617 struct env_set *es)
5618{
5619 char line[OPTION_PARM_SIZE];
5620 int line_num = 0;
5621 const char *file = "[PUSH-OPTIONS]";
5622 const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5623
5624 while (buf_parse(buf, ',', line, sizeof(line)))
5625 {
5626 char *p[MAX_PARMS+1];
5627 CLEAR(p);
5628 ++line_num;
5629 if (!apply_pull_filter(options, line))
5630 {
5631 return false; /* Cause push/pull error and stop push processing */
5632 }
5633 if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5634 {
5635 add_option(options, p, false, file, line_num, 0, msglevel,
5636 permission_mask, option_types_found, es);
5637 }
5638 }
5639 return true;
5640}
5641
5642void
5643options_server_import(struct options *o,
5644 const char *filename,
5645 int msglevel,
5646 unsigned int permission_mask,
5647 unsigned int *option_types_found,
5648 struct env_set *es)
5649{
5650 msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5651 read_config_file(o,
5652 filename,
5653 0,
5654 filename,
5655 0,
5656 msglevel,
5657 permission_mask,
5658 option_types_found,
5659 es);
5660}
5661
5662void
5663options_string_import(struct options *options,
5664 const char *config,
5665 const int msglevel,
5666 const unsigned int permission_mask,
5667 unsigned int *option_types_found,
5668 struct env_set *es)
5669{
5670 read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5671}
5672
5673#define VERIFY_PERMISSION(mask) { \
5674 if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5675 option_types_found, msglevel, options, is_inline)) \
5676 { \
5677 goto err; \
5678 } \
5679}
5680
5681static bool
5682verify_permission(const char *name,
5683 const char *file,
5684 int line,
5685 const unsigned int type,
5686 const unsigned int allowed,
5687 unsigned int *found,
5688 const int msglevel,
5689 struct options *options,
5690 bool is_inline)
5691{
5692 if (!(type & allowed))
5693 {
5694 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5695 return false;
5696 }
5697
5698 if (is_inline && !(type & OPT_P_INLINE))
5699 {
5700 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5701 file, line);
5702 return false;
5703 }
5704
5705 if (found)
5706 {
5707 *found |= type;
5708 }
5709
5710#ifndef ENABLE_SMALL
5711 /* Check if this options is allowed in connection block,
5712 * but we are currently not in a connection block
5713 * unless this is a pushed option.
5714 * Parsing a connection block uses a temporary options struct without
5715 * connection_list
5716 */
5717
5718 if ((type & OPT_P_CONNECTION) && options->connection_list
5719 && !(allowed & OPT_P_PULL_MODE))
5720 {
5721 if (file)
5722 {
5723 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5724 }
5725 else
5726 {
5727 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5728 }
5729 }
5730#endif
5731 return true;
5732}
5733
5734/*
5735 * Check that an option doesn't have too
5736 * many parameters.
5737 */
5738
5739#define NM_QUOTE_HINT (1<<0)
5740
5741static bool
5742no_more_than_n_args(const int msglevel,
5743 char *p[],
5744 const int max,
5745 const unsigned int flags)
5746{
5747 const int len = string_array_len((const char **)p);
5748
5749 if (!len)
5750 {
5751 return false;
5752 }
5753
5754 if (len > max)
5755 {
5756 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5757 p[0],
5758 max - 1,
5759 max >= 3 ? "s" : "",
5760 (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5761 return false;
5762 }
5763 else
5764 {
5765 return true;
5766 }
5767}
5768
5769static inline int
5770msglevel_forward_compatible(struct options *options, const int msglevel)
5771{
5772 return options->forward_compatible ? M_WARN : msglevel;
5773}
5774
5775static void
5776set_user_script(struct options *options,
5777 const char **script,
5778 const char *new_script,
5779 const char *type,
5780 bool in_chroot)
5781{
5782 if (*script)
5783 {
5784 msg(M_WARN, "Multiple --%s scripts defined. "
5785 "The previously configured script is overridden.", type);
5786 }
5787 *script = new_script;
5788 options->user_script_used = true;
5789
5790#ifndef ENABLE_SMALL
5791 {
5792 char script_name[100];
5793 snprintf(script_name, sizeof(script_name),
5794 "--%s script", type);
5795
5796 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5797 {
5798 msg(M_USAGE, "Please correct this error.");
5799 }
5800
5801 }
5802#endif
5803}
5804
5805static void
5806show_compression_warning(struct compress_options *info)
5807{
5808 if (comp_non_stub_enabled(info))
5809 {
5810 msg(M_WARN, "WARNING: Compression for receiving enabled. "
5811 "Compression has been used in the past to break encryption. "
5812 "Compression support is deprecated and we recommend to disable "
5813 "it completely.");
5814 }
5815}
5816
5817bool
5818key_is_external(const struct options *options)
5819{
5820 bool ret = false;
5821 ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5822#ifdef ENABLE_PKCS11
5823 ret = ret || (options->pkcs11_providers[0] != NULL);
5824#endif
5825#ifdef ENABLE_CRYPTOAPI
5826 ret = ret || options->cryptoapi_cert;
5827#endif
5828
5829 return ret;
5830}
5831
5832static void
5833add_option(struct options *options,
5834 char *p[],
5835 bool is_inline,
5836 const char *file,
5837 int line,
5838 const int level,
5839 const int msglevel,
5840 const unsigned int permission_mask,
5841 unsigned int *option_types_found,
5842 struct env_set *es)
5843{
5844 struct gc_arena gc = gc_new();
5845 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5846 int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5847
5848 ASSERT(MAX_PARMS >= 7);
5849
5850 /*
5851 * If directive begins with "setenv opt" prefix, don't raise an error if
5852 * directive is unrecognized.
5853 */
5854 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5855 {
5856 if (!p[2])
5857 {
5858 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5859 }
5860 p += 2;
5861 msglevel_fc = M_WARN;
5862 }
5863
5864 if (!file)
5865 {
5866 file = "[CMD-LINE]";
5867 line = 1;
5868 }
5869 if (streq(p[0], "help"))
5870 {
5871 VERIFY_PERMISSION(OPT_P_GENERAL);
5872 usage();
5873 if (p[1])
5874 {
5875 msg(msglevel, "--help does not accept any parameters");
5876 goto err;
5877 }
5878 }
5879 if (streq(p[0], "version") && !p[1])
5880 {
5881 VERIFY_PERMISSION(OPT_P_GENERAL);
5882 usage_version();
5883 }
5884 else if (streq(p[0], "config") && p[1] && !p[2])
5885 {
5886 VERIFY_PERMISSION(OPT_P_CONFIG);
5887
5888 /* save first config file only in options */
5889 if (!options->config)
5890 {
5891 options->config = p[1];
5892 }
5893
5894 read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5895 }
5896#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5897 else if (streq(p[0], "show-gateway") && !p[2])
5898 {
5899 struct route_gateway_info rgi;
5900 struct route_ipv6_gateway_info rgi6;
5901 in_addr_t remote_ipv4 = 0;
5902 struct in6_addr remote_ipv6 = IN6ADDR_ANY_INIT;
5903 openvpn_net_ctx_t net_ctx;
5904 VERIFY_PERMISSION(OPT_P_GENERAL);
5905 if (p[1])
5906 {
5907 /* try parsing the argument as a v4 or v6 address - if
5908 * possible, the output will show the exact route there, and
5909 * "the default route" for the other protocol
5910 */
5911 remote_ipv4 = get_ip_addr(p[1], M_WARN, NULL);
5912 get_ipv6_addr(p[1], &remote_ipv6, NULL, M_WARN);
5913 }
5914 net_ctx_init(NULL, &net_ctx);
5915 get_default_gateway(&rgi, remote_ipv4, &net_ctx);
5916 get_default_gateway_ipv6(&rgi6, &remote_ipv6, &net_ctx);
5917 print_default_gateway(M_INFO, &rgi, &rgi6);
5918 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5919 }
5920#endif /* if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) */
5921 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5922 {
5923 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5924 int j;
5925 bool good = true;
5926
5927 VERIFY_PERMISSION(OPT_P_ECHO);
5928
5929 for (j = 1; j < MAX_PARMS; ++j)
5930 {
5931 if (!p[j])
5932 {
5933 break;
5934 }
5935 if (j > 1)
5936 {
5937 good &= buf_printf(&string, " ");
5938 }
5939 good &= buf_printf(&string, "%s", p[j]);
5940 }
5941 if (good)
5942 {
5943 /* only message-related ECHO are logged, since other ECHOs
5944 * can potentially include security-sensitive strings */
5945 if (p[1] && strncmp(p[1], "msg", 3) == 0)
5946 {
5947 msg(M_INFO, "%s:%s",
5948 pull_mode ? "ECHO-PULL" : "ECHO",
5949 BSTR(&string));
5950 }
5951#ifdef ENABLE_MANAGEMENT
5952 if (management)
5953 {
5954 management_echo(management, BSTR(&string), pull_mode);
5955 }
5956#endif
5957 }
5958 else
5959 {
5960 msg(M_WARN, "echo/parameter option overflow");
5961 }
5962 }
5963#ifdef ENABLE_MANAGEMENT
5964 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5965 {
5966 VERIFY_PERMISSION(OPT_P_GENERAL);
5967 if (streq(p[2], "unix"))
5968 {
5969#if UNIX_SOCK_SUPPORT
5970 options->management_flags |= MF_UNIX_SOCK;
5971#else
5972 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5973 goto err;
5974#endif
5975 }
5976
5977 options->management_addr = p[1];
5978 options->management_port = p[2];
5979 if (p[3])
5980 {
5981 options->management_user_pass = p[3];
5982 }
5983 }
5984 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5985 {
5986 VERIFY_PERMISSION(OPT_P_GENERAL);
5987 options->management_client_user = p[1];
5988 }
5989 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5990 {
5991 VERIFY_PERMISSION(OPT_P_GENERAL);
5992 options->management_client_group = p[1];
5993 }
5994 else if (streq(p[0], "management-query-passwords") && !p[1])
5995 {
5996 VERIFY_PERMISSION(OPT_P_GENERAL);
5997 options->management_flags |= MF_QUERY_PASSWORDS;
5998 }
5999 else if (streq(p[0], "management-query-remote") && !p[1])
6000 {
6001 VERIFY_PERMISSION(OPT_P_GENERAL);
6002 options->management_flags |= MF_QUERY_REMOTE;
6003 }
6004 else if (streq(p[0], "management-query-proxy") && !p[1])
6005 {
6006 VERIFY_PERMISSION(OPT_P_GENERAL);
6007 options->management_flags |= MF_QUERY_PROXY;
6008 }
6009 else if (streq(p[0], "management-hold") && !p[1])
6010 {
6011 VERIFY_PERMISSION(OPT_P_GENERAL);
6012 options->management_flags |= MF_HOLD;
6013 }
6014 else if (streq(p[0], "management-signal") && !p[1])
6015 {
6016 VERIFY_PERMISSION(OPT_P_GENERAL);
6017 options->management_flags |= MF_SIGNAL;
6018 }
6019 else if (streq(p[0], "management-forget-disconnect") && !p[1])
6020 {
6021 VERIFY_PERMISSION(OPT_P_GENERAL);
6022 options->management_flags |= MF_FORGET_DISCONNECT;
6023 }
6024 else if (streq(p[0], "management-up-down") && !p[1])
6025 {
6026 VERIFY_PERMISSION(OPT_P_GENERAL);
6027 options->management_flags |= MF_UP_DOWN;
6028 }
6029 else if (streq(p[0], "management-client") && !p[1])
6030 {
6031 VERIFY_PERMISSION(OPT_P_GENERAL);
6032 options->management_flags |= MF_CONNECT_AS_CLIENT;
6033 }
6034 else if (streq(p[0], "management-external-key"))
6035 {
6036 VERIFY_PERMISSION(OPT_P_GENERAL);
6037 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
6038 {
6039 if (streq(p[j], "nopadding"))
6040 {
6041 options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
6042 }
6043 else if (streq(p[j], "pkcs1"))
6044 {
6045 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
6046 }
6047 else if (streq(p[j], "pss"))
6048 {
6049 options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
6050 }
6051 else if (streq(p[j], "digest"))
6052 {
6053 options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
6054 }
6055 else
6056 {
6057 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
6058 }
6059 }
6060 /*
6061 * When no option is present, assume that only PKCS1
6062 * padding is supported
6063 */
6064 if (!(options->management_flags
6065 &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
6066 {
6067 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
6068 }
6069 options->management_flags |= MF_EXTERNAL_KEY;
6070 }
6071 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
6072 {
6073 VERIFY_PERMISSION(OPT_P_GENERAL);
6074 options->management_flags |= MF_EXTERNAL_CERT;
6075 options->management_certificate = p[1];
6076 }
6077 else if (streq(p[0], "management-client-auth") && !p[1])
6078 {
6079 VERIFY_PERMISSION(OPT_P_GENERAL);
6080 options->management_flags |= MF_CLIENT_AUTH;
6081 }
6082 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
6083 {
6084 int cache;
6085
6086 VERIFY_PERMISSION(OPT_P_GENERAL);
6087 cache = atoi_warn(p[1], msglevel);
6088 if (cache < 1)
6089 {
6090 msg(msglevel, "--management-log-cache parameter is out of range");
6091 goto err;
6092 }
6093 options->management_log_history_cache = cache;
6094 }
6095#endif /* ifdef ENABLE_MANAGEMENT */
6096#ifdef ENABLE_PLUGIN
6097 else if (streq(p[0], "plugin") && p[1])
6098 {
6099 VERIFY_PERMISSION(OPT_P_PLUGIN);
6100 if (!options->plugin_list)
6101 {
6102 options->plugin_list = plugin_option_list_new(&options->gc);
6103 }
6104 if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
6105 {
6106 msg(msglevel, "plugin add failed: %s", p[1]);
6107 goto err;
6108 }
6109 }
6110#endif
6111 else if (streq(p[0], "mode") && p[1] && !p[2])
6112 {
6113 VERIFY_PERMISSION(OPT_P_GENERAL);
6114 if (streq(p[1], "p2p"))
6115 {
6116 options->mode = MODE_POINT_TO_POINT;
6117 }
6118 else if (streq(p[1], "server"))
6119 {
6120 options->mode = MODE_SERVER;
6121 }
6122 else
6123 {
6124 msg(msglevel, "Bad --mode parameter: %s", p[1]);
6125 goto err;
6126 }
6127 }
6128 else if (streq(p[0], "dev") && p[1] && !p[2])
6129 {
6130 VERIFY_PERMISSION(OPT_P_GENERAL);
6131 options->dev = p[1];
6132 }
6133 else if (streq(p[0], "dev-type") && p[1] && !p[2])
6134 {
6135 VERIFY_PERMISSION(OPT_P_GENERAL);
6136 options->dev_type = p[1];
6137 }
6138#ifdef _WIN32
6139 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
6140 {
6141 VERIFY_PERMISSION(OPT_P_GENERAL);
6142 options->windows_driver = parse_windows_driver(p[1], M_FATAL);
6143 }
6144#endif
6145 else if (streq(p[0], "disable-dco"))
6146 {
6147 options->disable_dco = true;
6148 }
6149 else if (streq(p[0], "dev-node") && p[1] && !p[2])
6150 {
6151 VERIFY_PERMISSION(OPT_P_GENERAL);
6152 options->dev_node = p[1];
6153 }
6154 else if (streq(p[0], "lladdr") && p[1] && !p[2])
6155 {
6156 VERIFY_PERMISSION(OPT_P_UP);
6157 if (mac_addr_safe(p[1])) /* MAC address only */
6158 {
6159 options->lladdr = p[1];
6160 }
6161 else
6162 {
6163 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
6164 goto err;
6165 }
6166 }
6167 else if (streq(p[0], "topology") && p[1] && !p[2])
6168 {
6169 VERIFY_PERMISSION(OPT_P_UP);
6170 options->topology = parse_topology(p[1], msglevel);
6171 }
6172 else if (streq(p[0], "tun-ipv6") && !p[1])
6173 {
6174 if (!pull_mode)
6175 {
6176 msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
6177 }
6178 }
6179#ifdef ENABLE_IPROUTE
6180 else if (streq(p[0], "iproute") && p[1] && !p[2])
6181 {
6182 VERIFY_PERMISSION(OPT_P_GENERAL);
6183 iproute_path = p[1];
6184 }
6185#endif
6186 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
6187 {
6188 VERIFY_PERMISSION(OPT_P_UP);
6189 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
6190 {
6191 options->ifconfig_local = p[1];
6192 options->ifconfig_remote_netmask = p[2];
6193 }
6194 else
6195 {
6196 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6197 goto err;
6198 }
6199 }
6200 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
6201 {
6202 unsigned int netbits;
6203
6204 VERIFY_PERMISSION(OPT_P_UP);
6205 if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
6206 && ipv6_addr_safe( p[2] ) )
6207 {
6208 if (netbits < 64 || netbits > 124)
6209 {
6210 msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
6211 goto err;
6212 }
6213
6214 options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
6215 options->ifconfig_ipv6_netbits = netbits;
6216 options->ifconfig_ipv6_remote = p[2];
6217 }
6218 else
6219 {
6220 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6221 goto err;
6222 }
6223 }
6224 else if (streq(p[0], "ifconfig-noexec") && !p[1])
6225 {
6226 VERIFY_PERMISSION(OPT_P_UP);
6227 options->ifconfig_noexec = true;
6228 }
6229 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
6230 {
6231 VERIFY_PERMISSION(OPT_P_UP);
6232 options->ifconfig_nowarn = true;
6233 }
6234 else if (streq(p[0], "local") && p[1] && !p[4])
6235 {
6236 struct local_entry *e;
6237
6238 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6239
6240 e = alloc_local_entry(&options->ce, M_USAGE, &options->gc);
6241 ASSERT(e);
6242
6243 /* '*' is treated as 'ask the system to get some socket',
6244 * therefore force binding on a particular address only when
6245 * actually specified. */
6246 if (strcmp(p[1], "*") != 0)
6247 {
6248 e->local = p[1];
6249 }
6250
6251 if (p[2])
6252 {
6253 e->port = p[2];
6254 }
6255
6256 if (p[3])
6257 {
6258 e->proto = ascii2proto(p[3]);
6259 }
6260 }
6261 else if (streq(p[0], "remote-random") && !p[1])
6262 {
6263 VERIFY_PERMISSION(OPT_P_GENERAL);
6264 options->remote_random = true;
6265 }
6266 else if (streq(p[0], "connection") && p[1] && !p[3])
6267 {
6268 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6269 if (is_inline)
6270 {
6271 struct options sub;
6272 struct connection_entry *e;
6273
6274 init_options(&sub, true);
6275 sub.ce = options->ce;
6276 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
6277 OPT_P_CONNECTION, option_types_found, es);
6278 if (!sub.ce.remote)
6279 {
6280 msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
6281 uninit_options(&sub);
6282 goto err;
6283 }
6284
6285 e = alloc_connection_entry(options, msglevel);
6286 if (!e)
6287 {
6288 uninit_options(&sub);
6289 goto err;
6290 }
6291 *e = sub.ce;
6292 gc_transfer(&options->gc, &sub.gc);
6293 uninit_options(&sub);
6294 }
6295 }
6296 else if (streq(p[0], "ignore-unknown-option") && p[1])
6297 {
6298 int i;
6299 int j;
6300 int numignored = 0;
6301 const char **ignore;
6302
6303 VERIFY_PERMISSION(OPT_P_GENERAL);
6304 /* Find out how many options to be ignored */
6305 for (i = 1; p[i]; i++)
6306 {
6307 numignored++;
6308 }
6309
6310 /* add number of options already ignored */
6311 for (i = 0; options->ignore_unknown_option
6312 && options->ignore_unknown_option[i]; i++)
6313 {
6314 numignored++;
6315 }
6316
6317 /* Allocate array */
6318 ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
6319 for (i = 0; options->ignore_unknown_option
6320 && options->ignore_unknown_option[i]; i++)
6321 {
6322 ignore[i] = options->ignore_unknown_option[i];
6323 }
6324
6325 options->ignore_unknown_option = ignore;
6326
6327 for (j = 1; p[j]; j++)
6328 {
6329 /* Allow the user to specify ignore-unknown-option --opt too */
6330 if (p[j][0]=='-' && p[j][1]=='-')
6331 {
6332 options->ignore_unknown_option[i] = (p[j]+2);
6333 }
6334 else
6335 {
6336 options->ignore_unknown_option[i] = p[j];
6337 }
6338 i++;
6339 }
6340
6341 options->ignore_unknown_option[i] = NULL;
6342 }
6343#if ENABLE_MANAGEMENT
6344 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6345 {
6346 VERIFY_PERMISSION(OPT_P_GENERAL);
6347 options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], &options->gc);
6348 if (!options->http_proxy_override)
6349 {
6350 goto err;
6351 }
6352 }
6353#endif
6354 else if (streq(p[0], "remote") && p[1] && !p[4])
6355 {
6356 struct remote_entry re;
6357 re.remote = re.remote_port = NULL;
6358 re.proto = -1;
6359 re.af = 0;
6360
6361 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6362 re.remote = p[1];
6363 if (p[2])
6364 {
6365 re.remote_port = p[2];
6366 if (p[3])
6367 {
6368 const int proto = ascii2proto(p[3]);
6369 const sa_family_t af = ascii2af(p[3]);
6370 if (proto < 0)
6371 {
6372 msg(msglevel,
6373 "remote: bad protocol associated with host %s: '%s'",
6374 p[1], p[3]);
6375 goto err;
6376 }
6377 re.proto = proto;
6378 re.af = af;
6379 }
6380 }
6381 if (permission_mask & OPT_P_GENERAL)
6382 {
6383 struct remote_entry *e = alloc_remote_entry(options, msglevel);
6384 if (!e)
6385 {
6386 goto err;
6387 }
6388 *e = re;
6389 }
6390 else if (permission_mask & OPT_P_CONNECTION)
6391 {
6392 connection_entry_load_re(&options->ce, &re);
6393 }
6394 }
6395 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6396 {
6397 VERIFY_PERMISSION(OPT_P_GENERAL);
6398 if (streq(p[1], "infinite"))
6399 {
6400 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6401 }
6402 else
6403 {
6404 options->resolve_retry_seconds = positive_atoi(p[1], msglevel);
6405 }
6406 }
6407 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6408 {
6409 VERIFY_PERMISSION(OPT_P_GENERAL);
6410 options->resolve_in_advance = true;
6411 /* Note the ip-remote-hint and the argument p[1] are for
6412 * backward compatibility */
6413 if (p[1])
6414 {
6415 options->ip_remote_hint = p[1];
6416 }
6417 }
6418 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6419 {
6420 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6421 options->ce.connect_retry_seconds = positive_atoi(p[1], msglevel);
6422 /*
6423 * Limit the base value of retry wait interval to 16 bits to avoid
6424 * overflow when scaled up for exponential backoff
6425 */
6426 if (options->ce.connect_retry_seconds > 0xFFFF)
6427 {
6428 options->ce.connect_retry_seconds = 0xFFFF;
6429 msg(M_WARN, "connect retry wait interval truncated to %d",
6430 options->ce.connect_retry_seconds);
6431 }
6432
6433 if (p[2])
6434 {
6435 options->ce.connect_retry_seconds_max =
6436 max_int(positive_atoi(p[2], msglevel), options->ce.connect_retry_seconds);
6437 }
6438 }
6439 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
6440 && p[1] && !p[2])
6441 {
6442 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6443 options->ce.connect_timeout = positive_atoi(p[1], msglevel);
6444 }
6445 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6446 {
6447 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6448 options->connect_retry_max = positive_atoi(p[1], msglevel);
6449 }
6450 else if (streq(p[0], "ipchange") && p[1])
6451 {
6452 VERIFY_PERMISSION(OPT_P_SCRIPT);
6453 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6454 {
6455 goto err;
6456 }
6457 set_user_script(options,
6458 &options->ipchange,
6459 string_substitute(p[1], ',', ' ', &options->gc),
6460 "ipchange", true);
6461 }
6462 else if (streq(p[0], "float") && !p[1])
6463 {
6464 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6465 options->ce.remote_float = true;
6466 }
6467#ifdef ENABLE_DEBUG
6468 else if (streq(p[0], "gremlin") && p[1] && !p[2])
6469 {
6470 VERIFY_PERMISSION(OPT_P_GENERAL);
6471 options->gremlin = positive_atoi(p[1], msglevel);
6472 }
6473#endif
6474 else if (streq(p[0], "chroot") && p[1] && !p[2])
6475 {
6476 VERIFY_PERMISSION(OPT_P_GENERAL);
6477 options->chroot_dir = p[1];
6478 }
6479 else if (streq(p[0], "cd") && p[1] && !p[2])
6480 {
6481 VERIFY_PERMISSION(OPT_P_GENERAL);
6482 if (platform_chdir(p[1]))
6483 {
6484 msg(M_ERR, "cd to '%s' failed", p[1]);
6485 goto err;
6486 }
6487 options->cd_dir = p[1];
6488 }
6489#ifdef ENABLE_SELINUX
6490 else if (streq(p[0], "setcon") && p[1] && !p[2])
6491 {
6492 VERIFY_PERMISSION(OPT_P_GENERAL);
6493 options->selinux_context = p[1];
6494 }
6495#endif
6496 else if (streq(p[0], "writepid") && p[1] && !p[2])
6497 {
6498 VERIFY_PERMISSION(OPT_P_GENERAL);
6499 options->writepid = p[1];
6500 }
6501 else if (streq(p[0], "up") && p[1])
6502 {
6503 VERIFY_PERMISSION(OPT_P_SCRIPT);
6504 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6505 {
6506 goto err;
6507 }
6508 set_user_script(options, &options->up_script, p[1], "up", false);
6509 }
6510 else if (streq(p[0], "down") && p[1])
6511 {
6512 VERIFY_PERMISSION(OPT_P_SCRIPT);
6513 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6514 {
6515 goto err;
6516 }
6517 set_user_script(options, &options->down_script, p[1], "down", true);
6518 }
6519 else if (streq(p[0], "down-pre") && !p[1])
6520 {
6521 VERIFY_PERMISSION(OPT_P_GENERAL);
6522 options->down_pre = true;
6523 }
6524 else if (streq(p[0], "up-delay") && !p[1])
6525 {
6526 VERIFY_PERMISSION(OPT_P_GENERAL);
6527 options->up_delay = true;
6528 }
6529 else if (streq(p[0], "up-restart") && !p[1])
6530 {
6531 VERIFY_PERMISSION(OPT_P_GENERAL);
6532 options->up_restart = true;
6533 }
6534 else if (streq(p[0], "syslog") && !p[2])
6535 {
6536 VERIFY_PERMISSION(OPT_P_GENERAL);
6537 open_syslog(p[1], false);
6538 }
6539 else if (streq(p[0], "daemon") && !p[2])
6540 {
6541 bool didit = false;
6542 VERIFY_PERMISSION(OPT_P_GENERAL);
6543 if (!options->daemon)
6544 {
6545 options->daemon = didit = true;
6546 open_syslog(p[1], false);
6547 }
6548 if (p[1])
6549 {
6550 if (!didit)
6551 {
6552 msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
6553 goto err;
6554 }
6555 }
6556 }
6557 else if (streq(p[0], "log") && p[1] && !p[2])
6558 {
6559 VERIFY_PERMISSION(OPT_P_GENERAL);
6560 options->log = true;
6561 redirect_stdout_stderr(p[1], false);
6562 }
6563 else if (streq(p[0], "suppress-timestamps") && !p[1])
6564 {
6565 VERIFY_PERMISSION(OPT_P_GENERAL);
6566 options->suppress_timestamps = true;
6567 set_suppress_timestamps(true);
6568 }
6569 else if (streq(p[0], "machine-readable-output") && !p[1])
6570 {
6571 VERIFY_PERMISSION(OPT_P_GENERAL);
6572 options->machine_readable_output = true;
6573 set_machine_readable_output(true);
6574 }
6575 else if (streq(p[0], "log-append") && p[1] && !p[2])
6576 {
6577 VERIFY_PERMISSION(OPT_P_GENERAL);
6578 options->log = true;
6579 redirect_stdout_stderr(p[1], true);
6580 }
6581#ifdef ENABLE_MEMSTATS
6582 else if (streq(p[0], "memstats") && p[1] && !p[2])
6583 {
6584 VERIFY_PERMISSION(OPT_P_GENERAL);
6585 options->memstats_fn = p[1];
6586 }
6587#endif
6588 else if (streq(p[0], "mlock") && !p[1])
6589 {
6590 VERIFY_PERMISSION(OPT_P_GENERAL);
6591 options->mlock = true;
6592 }
6593#if ENABLE_IP_PKTINFO
6594 else if (streq(p[0], "multihome") && !p[1])
6595 {
6596 VERIFY_PERMISSION(OPT_P_GENERAL);
6597 options->sockflags |= SF_USE_IP_PKTINFO;
6598 }
6599#endif
6600 else if (streq(p[0], "verb") && p[1] && !p[2])
6601 {
6602 VERIFY_PERMISSION(OPT_P_MESSAGES);
6603 options->verbosity = positive_atoi(p[1], msglevel);
6604 if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6605 {
6606 /* We pass this flag to the SSL library to avoid
6607 * mbed TLS always generating debug level logging */
6608 options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6609 }
6610#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6611 /* Warn when a debug verbosity is supplied when built without debug support */
6612 if (options->verbosity >= 7)
6613 {
6614 msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6615 options->verbosity);
6616 }
6617#endif
6618 }
6619 else if (streq(p[0], "mute") && p[1] && !p[2])
6620 {
6621 VERIFY_PERMISSION(OPT_P_MESSAGES);
6622 options->mute = positive_atoi(p[1], msglevel);
6623 }
6624 else if (streq(p[0], "errors-to-stderr") && !p[1])
6625 {
6626 VERIFY_PERMISSION(OPT_P_MESSAGES);
6627 errors_to_stderr();
6628 }
6629 else if (streq(p[0], "status") && p[1] && !p[3])
6630 {
6631 VERIFY_PERMISSION(OPT_P_GENERAL);
6632 options->status_file = p[1];
6633 if (p[2])
6634 {
6635 options->status_file_update_freq = positive_atoi(p[2], msglevel);
6636 }
6637 }
6638 else if (streq(p[0], "status-version") && p[1] && !p[2])
6639 {
6640 int version;
6641
6642 VERIFY_PERMISSION(OPT_P_GENERAL);
6643 version = atoi_warn(p[1], msglevel);
6644 if (version < 1 || version > 3)
6645 {
6646 msg(msglevel, "--status-version must be 1 to 3");
6647 goto err;
6648 }
6649 options->status_file_version = version;
6650 }
6651 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6652 {
6653 VERIFY_PERMISSION(OPT_P_GENERAL);
6654 if (streq(p[1], "SIGHUP"))
6655 {
6656 options->remap_sigusr1 = SIGHUP;
6657 }
6658 else if (streq(p[1], "SIGTERM"))
6659 {
6660 options->remap_sigusr1 = SIGTERM;
6661 }
6662 else
6663 {
6664 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6665 goto err;
6666 }
6667 }
6668 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6669 {
6670 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6671 options->ce.link_mtu = positive_atoi(p[1], msglevel);
6672 options->ce.link_mtu_defined = true;
6673 }
6674 else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6675 {
6676 VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
6677 options->ce.tun_mtu = positive_atoi(p[1], msglevel);
6678 options->ce.tun_mtu_defined = true;
6679 if (p[2])
6680 {
6681 options->ce.occ_mtu = positive_atoi(p[2], msglevel);
6682 }
6683 else
6684 {
6685 options->ce.occ_mtu = 0;
6686 }
6687 }
6688 else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3])
6689 {
6690 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6691 int max_mtu = positive_atoi(p[1], msglevel);
6692 if (max_mtu < 68 || max_mtu > 65536)
6693 {
6694 msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
6695 }
6696 else
6697 {
6698 options->ce.tun_mtu_max = max_mtu;
6699 }
6700 }
6701 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6702 {
6703 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6704 options->ce.tun_mtu_extra = positive_atoi(p[1], msglevel);
6705 options->ce.tun_mtu_extra_defined = true;
6706 }
6707 else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
6708 {
6709 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6710 int maxmtu = positive_atoi(p[1], msglevel);
6711 options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
6712
6713 if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
6714 {
6715 msg(M_WARN, "Note: max-packet-size value outside of allowed "
6716 "control channel packet size (%d to %d), will use %d "
6717 "instead.", TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE,
6718 options->ce.tls_mtu);
6719 }
6720
6721 /* also set mssfix maxmtu mtu */
6722 options->ce.mssfix = maxmtu;
6723 options->ce.mssfix_default = false;
6724 options->ce.mssfix_encap = true;
6725 }
6726#ifdef ENABLE_FRAGMENT
6727 else if (streq(p[0], "mtu-dynamic"))
6728 {
6729 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6730 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6731 goto err;
6732 }
6733 else if (streq(p[0], "fragment") && p[1] && !p[3])
6734 {
6735 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6736 options->ce.fragment = positive_atoi(p[1], msglevel);
6737
6738 if (options->ce.fragment < 68)
6739 {
6740 msg(msglevel, "--fragment needs to be at least 68");
6741 goto err;
6742 }
6743
6744 if (p[2] && streq(p[2], "mtu"))
6745 {
6746 options->ce.fragment_encap = true;
6747 }
6748 else if (p[2])
6749 {
6750 msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6751 }
6752 }
6753#endif /* ifdef ENABLE_FRAGMENT */
6754 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6755 {
6756 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6757 options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6758 }
6759 else if (streq(p[0], "mtu-test") && !p[1])
6760 {
6761 VERIFY_PERMISSION(OPT_P_GENERAL);
6762 options->mtu_test = true;
6763 }
6764 else if (streq(p[0], "nice") && p[1] && !p[2])
6765 {
6766 VERIFY_PERMISSION(OPT_P_NICE);
6767 options->nice = atoi_warn(p[1], msglevel);
6768 }
6769 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6770 {
6771 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6772 options->rcvbuf = positive_atoi(p[1], msglevel);
6773 }
6774 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6775 {
6776 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6777 options->sndbuf = positive_atoi(p[1], msglevel);
6778 }
6779 else if (streq(p[0], "mark") && p[1] && !p[2])
6780 {
6781#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
6782 VERIFY_PERMISSION(OPT_P_GENERAL);
6783 options->mark = atoi_warn(p[1], msglevel);
6784#endif
6785 }
6786 else if (streq(p[0], "socket-flags"))
6787 {
6788 int j;
6789 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6790 for (j = 1; j < MAX_PARMS && p[j]; ++j)
6791 {
6792 if (streq(p[j], "TCP_NODELAY"))
6793 {
6794 options->sockflags |= SF_TCP_NODELAY;
6795 }
6796 else
6797 {
6798 msg(msglevel, "unknown socket flag: %s", p[j]);
6799 }
6800 }
6801 }
6802#ifdef TARGET_LINUX
6803 else if (streq(p[0], "bind-dev") && p[1])
6804 {
6805 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6806 options->bind_dev = p[1];
6807 }
6808#endif
6809 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6810 {
6811 VERIFY_PERMISSION(OPT_P_GENERAL);
6812#ifdef TARGET_LINUX
6813 options->tuntap_options.txqueuelen = positive_atoi(p[1], msglevel);
6814#else
6815 msg(msglevel, "--txqueuelen not supported on this OS");
6816 goto err;
6817#endif
6818 }
6819 else if (streq(p[0], "shaper") && p[1] && !p[2])
6820 {
6821 int shaper;
6822
6823 VERIFY_PERMISSION(OPT_P_SHAPER);
6824 shaper = atoi_warn(p[1], msglevel);
6825 if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
6826 {
6827 msg(msglevel, "Bad shaper value, must be between %d and %d",
6828 SHAPER_MIN, SHAPER_MAX);
6829 goto err;
6830 }
6831 options->shaper = shaper;
6832 }
6833 else if (streq(p[0], "port") && p[1] && !p[2])
6834 {
6835 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6836 options->ce.local_port = options->ce.remote_port = p[1];
6837 }
6838 else if (streq(p[0], "lport") && p[1] && !p[2])
6839 {
6840 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6841 options->ce.local_port_defined = true;
6842 options->ce.local_port = p[1];
6843 }
6844 else if (streq(p[0], "rport") && p[1] && !p[2])
6845 {
6846 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6847 options->ce.remote_port = p[1];
6848 }
6849 else if (streq(p[0], "bind") && !p[2])
6850 {
6851 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6852 options->ce.bind_defined = true;
6853 if (p[1] && streq(p[1], "ipv6only"))
6854 {
6855 options->ce.bind_ipv6_only = true;
6856 }
6857
6858 }
6859 else if (streq(p[0], "nobind") && !p[1])
6860 {
6861 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6862 options->ce.bind_local = false;
6863 }
6864 else if (streq(p[0], "fast-io") && !p[1])
6865 {
6866 VERIFY_PERMISSION(OPT_P_GENERAL);
6867 options->fast_io = true;
6868 }
6869 else if (streq(p[0], "inactive") && p[1] && !p[3])
6870 {
6871 VERIFY_PERMISSION(OPT_P_TIMER);
6872 options->inactivity_timeout = positive_atoi(p[1], msglevel);
6873 if (p[2])
6874 {
6875 int64_t val = atoll(p[2]);
6876 options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
6877 if (options->inactivity_minimum_bytes > INT_MAX)
6878 {
6879 msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
6880 " >2 Gbyte was silently ignored in older versions. If "
6881 " your VPN exits unexpectedly with 'Inactivity timeout'"
6882 " in %d seconds, revisit this value.",
6883 options->inactivity_timeout );
6884 }
6885 }
6886 }
6887 else if (streq(p[0], "session-timeout") && p[1] && !p[2])
6888 {
6889 VERIFY_PERMISSION(OPT_P_TIMER);
6890 options->session_timeout = positive_atoi(p[1], msglevel);
6891 }
6892 else if (streq(p[0], "proto") && p[1] && !p[2])
6893 {
6894 int proto;
6895 sa_family_t af;
6896 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6897 proto = ascii2proto(p[1]);
6898 af = ascii2af(p[1]);
6899 if (proto < 0)
6900 {
6901 msg(msglevel,
6902 "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
6903 p[1],
6904 proto2ascii_all(&gc));
6905 goto err;
6906 }
6907 options->ce.proto = proto;
6908 options->ce.af = af;
6909 }
6910 else if (streq(p[0], "proto-force") && p[1] && !p[2])
6911 {
6912 int proto_force;
6913 VERIFY_PERMISSION(OPT_P_GENERAL);
6914 proto_force = ascii2proto(p[1]);
6915 if (proto_force < 0)
6916 {
6917 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6918 goto err;
6919 }
6920 options->proto_force = proto_force;
6921 }
6922 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6923 {
6924 struct http_proxy_options *ho;
6925
6926 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6927
6928 {
6929 if (!p[2])
6930 {
6931 msg(msglevel, "http-proxy port number not defined");
6932 goto err;
6933 }
6934
6935 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6936
6937 ho->server = p[1];
6938 ho->port = p[2];
6939 }
6940
6941 if (p[3])
6942 {
6943 /* auto -- try to figure out proxy addr, port, and type automatically */
6944 /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6945 if (streq(p[3], "auto"))
6946 {
6947 ho->auth_retry = PAR_ALL;
6948 }
6949 else if (streq(p[3], "auto-nct"))
6950 {
6951 ho->auth_retry = PAR_NCT;
6952 }
6953 else
6954 {
6955 ho->auth_method_string = "basic";
6956 ho->auth_file = p[3];
6957
6958 if (p[4])
6959 {
6960 ho->auth_method_string = p[4];
6961 }
6962 }
6963 }
6964 else
6965 {
6966 ho->auth_method_string = "none";
6967 }
6968 }
6969 else if (streq(p[0], "http-proxy-user-pass") && p[1])
6970 {
6971 struct http_proxy_options *ho;
6972 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6973 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6974 ho->auth_file_up = p[1];
6975 ho->inline_creds = is_inline;
6976 }
6977 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
6978 {
6979 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6980 msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6981 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6982 "Use connect-retry-max 1 to get a similar behavior as before.");
6983 }
6984 else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
6985 {
6986 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6987 msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6988 "server is established is managed with a single timeout set by connect-timeout");
6989 }
6990 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6991 {
6992 struct http_proxy_options *ho;
6993
6994 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6995 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6996
6997 if (streq(p[1], "VERSION") && p[2] && !p[3])
6998 {
6999 ho->http_version = p[2];
7000 }
7001 else if (streq(p[1], "AGENT") && p[2] && !p[3])
7002 {
7003 ho->user_agent = p[2];
7004 }
7005 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
7006 && p[2])
7007 {
7008 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
7009 * with either two argument or one */
7010
7011 struct http_custom_header *custom_header = NULL;
7012 int i;
7013 /* Find the first free header */
7014 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
7015 {
7016 if (!ho->custom_headers[i].name)
7017 {
7018 custom_header = &ho->custom_headers[i];
7019 break;
7020 }
7021 }
7022 if (!custom_header)
7023 {
7024 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
7025 }
7026 else
7027 {
7028 /* We will save p[2] and p[3], the proxy code will detect if
7029 * p[3] is NULL */
7030 custom_header->name = p[2];
7031 custom_header->content = p[3];
7032 }
7033 }
7034 else
7035 {
7036 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
7037 }
7038 }
7039 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
7040 {
7041 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
7042
7043 if (p[2])
7044 {
7045 options->ce.socks_proxy_port = p[2];
7046 }
7047 else
7048 {
7049 options->ce.socks_proxy_port = "1080";
7050 }
7051 options->ce.socks_proxy_server = p[1];
7052 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
7053 }
7054 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
7055 {
7056 VERIFY_PERMISSION(OPT_P_GENERAL);
7057 options->keepalive_ping = atoi_warn(p[1], msglevel);
7058 options->keepalive_timeout = atoi_warn(p[2], msglevel);
7059 }
7060 else if (streq(p[0], "ping") && p[1] && !p[2])
7061 {
7062 VERIFY_PERMISSION(OPT_P_TIMER);
7063 options->ping_send_timeout = positive_atoi(p[1], msglevel);
7064 }
7065 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
7066 {
7067 VERIFY_PERMISSION(OPT_P_TIMER);
7068 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
7069 options->ping_rec_timeout_action = PING_EXIT;
7070 }
7071 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
7072 {
7073 VERIFY_PERMISSION(OPT_P_TIMER);
7074 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
7075 options->ping_rec_timeout_action = PING_RESTART;
7076 }
7077 else if (streq(p[0], "ping-timer-rem") && !p[1])
7078 {
7079 VERIFY_PERMISSION(OPT_P_TIMER);
7080 options->ping_timer_remote = true;
7081 }
7082 else if (streq(p[0], "explicit-exit-notify") && !p[2])
7083 {
7084 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
7085 if (p[1])
7086 {
7087 options->ce.explicit_exit_notification = positive_atoi(p[1], msglevel);
7088 }
7089 else
7090 {
7091 options->ce.explicit_exit_notification = 1;
7092 }
7093 }
7094 else if (streq(p[0], "persist-tun") && !p[1])
7095 {
7096 VERIFY_PERMISSION(OPT_P_PERSIST);
7097 options->persist_tun = true;
7098 }
7099 else if (streq(p[0], "persist-key") && !p[1])
7100 {
7101 VERIFY_PERMISSION(OPT_P_PERSIST);
7102 msg(M_WARN, "DEPRECATED: --persist-key option ignored. "
7103 "Keys are now always persisted across restarts. ");
7104 }
7105 else if (streq(p[0], "persist-local-ip") && !p[1])
7106 {
7107 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
7108 options->persist_local_ip = true;
7109 }
7110 else if (streq(p[0], "persist-remote-ip") && !p[1])
7111 {
7112 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
7113 options->persist_remote_ip = true;
7114 }
7115 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
7116 {
7117 VERIFY_PERMISSION(OPT_P_ROUTE);
7118 cnol_check_alloc(options);
7119 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
7120 }
7121 else if (streq(p[0], "route") && p[1] && !p[5])
7122 {
7123 VERIFY_PERMISSION(OPT_P_ROUTE);
7124 rol_check_alloc(options);
7125 if (pull_mode)
7126 {
7127 if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
7128 {
7129 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
7130 goto err;
7131 }
7132 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
7133 {
7134 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
7135 goto err;
7136 }
7137 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
7138 {
7139 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
7140 goto err;
7141 }
7142 }
7143 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
7144 }
7145 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
7146 {
7147 VERIFY_PERMISSION(OPT_P_ROUTE);
7148 rol6_check_alloc(options);
7149 if (pull_mode)
7150 {
7151 if (!ipv6_addr_safe_hexplusbits(p[1]))
7152 {
7153 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
7154 goto err;
7155 }
7156 if (p[2] && !ipv6_addr_safe(p[2]))
7157 {
7158 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
7159 goto err;
7160 }
7161 /* p[3] is metric, if present */
7162 }
7163 add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]);
7164 }
7165 else if (streq(p[0], "max-routes") && !p[2])
7166 {
7167 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. "
7168 "The number of routes is unlimited as of OpenVPN 2.4. "
7169 "This option will be removed in a future version, "
7170 "please remove it from your configuration.");
7171 }
7172 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
7173 {
7174 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7175 if (streq(p[1], "dhcp"))
7176 {
7177 options->route_gateway_via_dhcp = true;
7178 }
7179 else
7180 {
7181 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
7182 {
7183 options->route_default_gateway = p[1];
7184 }
7185 else
7186 {
7187 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
7188 goto err;
7189 }
7190 }
7191 }
7192 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
7193 {
7194 if (ipv6_addr_safe(p[1]))
7195 {
7196 options->route_ipv6_default_gateway = p[1];
7197 }
7198 else
7199 {
7200 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
7201 goto err;
7202 }
7203 }
7204 else if (streq(p[0], "route-metric") && p[1] && !p[2])
7205 {
7206 VERIFY_PERMISSION(OPT_P_ROUTE);
7207 options->route_default_metric = positive_atoi(p[1], msglevel);
7208 }
7209 else if (streq(p[0], "route-delay") && !p[3])
7210 {
7211 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7212 options->route_delay_defined = true;
7213 if (p[1])
7214 {
7215 options->route_delay = positive_atoi(p[1], msglevel);
7216 if (p[2])
7217 {
7218 options->route_delay_window = positive_atoi(p[2], msglevel);
7219 }
7220 }
7221 else
7222 {
7223 options->route_delay = 0;
7224 }
7225 }
7226 else if (streq(p[0], "route-up") && p[1])
7227 {
7228 VERIFY_PERMISSION(OPT_P_SCRIPT);
7229 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7230 {
7231 goto err;
7232 }
7233 set_user_script(options, &options->route_script, p[1], "route-up", false);
7234 }
7235 else if (streq(p[0], "route-pre-down") && p[1])
7236 {
7237 VERIFY_PERMISSION(OPT_P_SCRIPT);
7238 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7239 {
7240 goto err;
7241 }
7242 set_user_script(options,
7243 &options->route_predown_script,
7244 p[1],
7245 "route-pre-down", true);
7246 }
7247 else if (streq(p[0], "route-noexec") && !p[1])
7248 {
7249 VERIFY_PERMISSION(OPT_P_SCRIPT);
7250 options->route_noexec = true;
7251 }
7252 else if (streq(p[0], "route-nopull") && !p[1])
7253 {
7254 VERIFY_PERMISSION(OPT_P_GENERAL);
7255 options->route_nopull = true;
7256 }
7257 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
7258 {
7259 struct pull_filter *f;
7260 VERIFY_PERMISSION(OPT_P_GENERAL)
7261 f = alloc_pull_filter(options);
7262
7263 if (strcmp("accept", p[1]) == 0)
7264 {
7265 f->type = PUF_TYPE_ACCEPT;
7266 }
7267 else if (strcmp("ignore", p[1]) == 0)
7268 {
7269 f->type = PUF_TYPE_IGNORE;
7270 }
7271 else if (strcmp("reject", p[1]) == 0)
7272 {
7273 f->type = PUF_TYPE_REJECT;
7274 }
7275 else
7276 {
7277 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
7278 goto err;
7279 }
7280 f->pattern = p[2];
7281 f->size = strlen(p[2]);
7282 }
7283 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
7284 {
7285 VERIFY_PERMISSION(OPT_P_GENERAL);
7286 options->allow_pull_fqdn = true;
7287 }
7288 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7289 {
7290 int j;
7291 VERIFY_PERMISSION(OPT_P_ROUTE);
7292 rol_check_alloc(options);
7293
7294 if (options->routes->flags & RG_ENABLE)
7295 {
7296 msg(M_WARN,
7297 "WARNING: You have specified redirect-gateway and "
7298 "redirect-private at the same time (or the same option "
7299 "multiple times). This is not well supported and may lead to "
7300 "unexpected results");
7301 }
7302
7303 options->routes->flags |= RG_ENABLE;
7304
7305 if (streq(p[0], "redirect-gateway"))
7306 {
7307 options->routes->flags |= RG_REROUTE_GW;
7308 }
7309 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7310 {
7311 if (streq(p[j], "local"))
7312 {
7313 options->routes->flags |= RG_LOCAL;
7314 }
7315 else if (streq(p[j], "autolocal"))
7316 {
7317 options->routes->flags |= RG_AUTO_LOCAL;
7318 }
7319 else if (streq(p[j], "def1"))
7320 {
7321 options->routes->flags |= RG_DEF1;
7322 }
7323 else if (streq(p[j], "bypass-dhcp"))
7324 {
7325 options->routes->flags |= RG_BYPASS_DHCP;
7326 }
7327 else if (streq(p[j], "bypass-dns"))
7328 {
7329 options->routes->flags |= RG_BYPASS_DNS;
7330 }
7331 else if (streq(p[j], "block-local"))
7332 {
7333 options->routes->flags |= RG_BLOCK_LOCAL;
7334 }
7335 else if (streq(p[j], "ipv6"))
7336 {
7337 rol6_check_alloc(options);
7338 options->routes_ipv6->flags |= RG_REROUTE_GW;
7339 }
7340 else if (streq(p[j], "!ipv4"))
7341 {
7342 options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7343 }
7344 else
7345 {
7346 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7347 goto err;
7348 }
7349 }
7350#ifdef _WIN32
7351 /* we need this here to handle pushed --redirect-gateway */
7352 remap_redirect_gateway_flags(options);
7353#endif
7354 }
7355 else if (streq(p[0], "block-ipv6") && !p[1])
7356 {
7357 VERIFY_PERMISSION(OPT_P_ROUTE);
7358 options->block_ipv6 = true;
7359 }
7360 else if (streq(p[0], "remote-random-hostname") && !p[1])
7361 {
7362 VERIFY_PERMISSION(OPT_P_GENERAL);
7363 options->sockflags |= SF_HOST_RANDOMIZE;
7364 }
7365 else if (streq(p[0], "setenv") && p[1] && !p[3])
7366 {
7367 VERIFY_PERMISSION(OPT_P_GENERAL);
7368 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7369 {
7370 options->sockflags |= SF_HOST_RANDOMIZE;
7371 }
7372 else if (streq(p[1], "GENERIC_CONFIG"))
7373 {
7374 msg(msglevel, "this is a generic configuration and cannot directly be used");
7375 goto err;
7376 }
7377 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7378 {
7379 options->push_peer_info = true;
7380 }
7381 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7382 {
7383 options->ce.connect_timeout = positive_atoi(p[2], msglevel);
7384 }
7385 else
7386 {
7387 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7388 {
7389 options->forward_compatible = true;
7390 msglevel_fc = msglevel_forward_compatible(options, msglevel);
7391 }
7392 setenv_str(es, p[1], p[2] ? p[2] : "");
7393 }
7394 }
7395 else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7396 {
7397 unsigned int major, minor, patch;
7398 if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7399 {
7400 msg(msglevel, "cannot parse version number for --compat-mode: %s",
7401 p[1]);
7402 goto err;
7403 }
7404
7405 options->backwards_compatible = major * 10000 + minor * 100 + patch;
7406 }
7407 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7408 {
7409 VERIFY_PERMISSION(OPT_P_SETENV);
7410 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7411 }
7412 else if (streq(p[0], "script-security") && p[1] && !p[2])
7413 {
7414 VERIFY_PERMISSION(OPT_P_GENERAL);
7415 script_security_set(atoi_warn(p[1], msglevel));
7416 }
7417 else if (streq(p[0], "mssfix") && !p[3])
7418 {
7419 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
7420 if (p[1])
7421 {
7422 int mssfix = positive_atoi(p[1], msglevel);
7423 /* can be 0, but otherwise it needs to be high enough so we can
7424 * substract room for headers. */
7425 if (mssfix != 0
7426 && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
7427 {
7428 msg(msglevel, "--mssfix value '%s' is invalid", p[1]);
7429 goto err;
7430 }
7431
7432 /* value specified, assume encapsulation is not
7433 * included unless "mtu" follows later */
7434 options->ce.mssfix = mssfix;
7435 options->ce.mssfix_encap = false;
7436 options->ce.mssfix_default = false;
7437 }
7438 else
7439 {
7440 /* Set MTU to default values */
7441 options->ce.mssfix_default = true;
7442 options->ce.mssfix_encap = true;
7443 options->ce.mssfix_fixed = false;
7444 }
7445
7446 if (p[2] && streq(p[2], "mtu"))
7447 {
7448 options->ce.mssfix_encap = true;
7449 }
7450 else if (p[2] && streq(p[2], "fixed"))
7451 {
7452 options->ce.mssfix_fixed = true;
7453 }
7454 else if (p[2])
7455 {
7456 msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7457 }
7458 }
7459 else if (streq(p[0], "disable-occ") && !p[1])
7460 {
7461 VERIFY_PERMISSION(OPT_P_GENERAL);
7462 options->occ = false;
7463 }
7464 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7465 {
7466 const int lev = M_WARN;
7467 bool error = false;
7468 in_addr_t network, netmask;
7469
7470 VERIFY_PERMISSION(OPT_P_GENERAL);
7471 network = get_ip_addr(p[1], lev, &error);
7472 netmask = get_ip_addr(p[2], lev, &error);
7473 if (error || !network || !netmask)
7474 {
7475 msg(msglevel, "error parsing --server parameters");
7476 goto err;
7477 }
7478 options->server_defined = true;
7479 options->server_network = network;
7480 options->server_netmask = netmask;
7481
7482 if (p[3])
7483 {
7484 if (streq(p[3], "nopool"))
7485 {
7486 options->server_flags |= SF_NOPOOL;
7487 }
7488 else
7489 {
7490 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7491 goto err;
7492 }
7493 }
7494 }
7495 else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7496 {
7497 const int lev = M_WARN;
7498 struct in6_addr network;
7499 unsigned int netbits = 0;
7500
7501 VERIFY_PERMISSION(OPT_P_GENERAL);
7502 if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
7503 {
7504 msg(msglevel, "error parsing --server-ipv6 parameter");
7505 goto err;
7506 }
7507 if (netbits < 64 || netbits > 124)
7508 {
7509 msg(msglevel,
7510 "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7511 netbits);
7512
7513 goto err;
7514 }
7515 options->server_ipv6_defined = true;
7516 options->server_network_ipv6 = network;
7517 options->server_netbits_ipv6 = netbits;
7518 }
7519 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7520 {
7521 const int lev = M_WARN;
7522 bool error = false;
7523 in_addr_t ip, netmask, pool_start, pool_end;
7524
7525 VERIFY_PERMISSION(OPT_P_GENERAL);
7526 ip = get_ip_addr(p[1], lev, &error);
7527 netmask = get_ip_addr(p[2], lev, &error);
7528 pool_start = get_ip_addr(p[3], lev, &error);
7529 pool_end = get_ip_addr(p[4], lev, &error);
7530 if (error || !ip || !netmask || !pool_start || !pool_end)
7531 {
7532 msg(msglevel, "error parsing --server-bridge parameters");
7533 goto err;
7534 }
7535 options->server_bridge_defined = true;
7536 options->server_bridge_ip = ip;
7537 options->server_bridge_netmask = netmask;
7538 options->server_bridge_pool_start = pool_start;
7539 options->server_bridge_pool_end = pool_end;
7540 }
7541 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7542 {
7543 VERIFY_PERMISSION(OPT_P_GENERAL);
7544 options->server_bridge_proxy_dhcp = true;
7545 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7546 }
7547 else if (streq(p[0], "server-bridge") && !p[1])
7548 {
7549 VERIFY_PERMISSION(OPT_P_GENERAL);
7550 options->server_bridge_proxy_dhcp = true;
7551 }
7552 else if (streq(p[0], "push") && p[1] && !p[2])
7553 {
7554 VERIFY_PERMISSION(OPT_P_PUSH);
7555 push_options(options, &p[1], msglevel, &options->gc);
7556 }
7557 else if (streq(p[0], "push-reset") && !p[1])
7558 {
7559 VERIFY_PERMISSION(OPT_P_INSTANCE);
7560 push_reset(options);
7561 }
7562 else if (streq(p[0], "push-remove") && p[1] && !p[2])
7563 {
7564 VERIFY_PERMISSION(OPT_P_INSTANCE);
7565 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7566 push_remove_option(options, p[1]);
7567 }
7568 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7569 {
7570 const int lev = M_WARN;
7571 bool error = false;
7572 in_addr_t start, end, netmask = 0;
7573
7574 VERIFY_PERMISSION(OPT_P_GENERAL);
7575 start = get_ip_addr(p[1], lev, &error);
7576 end = get_ip_addr(p[2], lev, &error);
7577 if (p[3])
7578 {
7579 netmask = get_ip_addr(p[3], lev, &error);
7580 }
7581 if (error)
7582 {
7583 msg(msglevel, "error parsing --ifconfig-pool parameters");
7584 goto err;
7585 }
7586 if (!ifconfig_pool_verify_range(msglevel, start, end))
7587 {
7588 goto err;
7589 }
7590
7591 options->ifconfig_pool_defined = true;
7592 options->ifconfig_pool_start = start;
7593 options->ifconfig_pool_end = end;
7594 if (netmask)
7595 {
7596 options->ifconfig_pool_netmask = netmask;
7597 }
7598 }
7599 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7600 {
7601 VERIFY_PERMISSION(OPT_P_GENERAL);
7602 options->ifconfig_pool_persist_filename = p[1];
7603 if (p[2])
7604 {
7605 options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2], msglevel);
7606 }
7607 }
7608 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7609 {
7610 const int lev = M_WARN;
7611 struct in6_addr network;
7612 unsigned int netbits = 0;
7613
7614 VERIFY_PERMISSION(OPT_P_GENERAL);
7615 if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
7616 {
7617 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7618 goto err;
7619 }
7620 if (netbits < 64 || netbits > 124)
7621 {
7622 msg(msglevel,
7623 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7624 netbits);
7625 goto err;
7626 }
7627
7628 options->ifconfig_ipv6_pool_defined = true;
7629 options->ifconfig_ipv6_pool_base = network;
7630 options->ifconfig_ipv6_pool_netbits = netbits;
7631 }
7632 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7633 {
7634 int real, virtual;
7635
7636 VERIFY_PERMISSION(OPT_P_GENERAL);
7637 real = atoi_warn(p[1], msglevel);
7638 virtual = atoi_warn(p[2], msglevel);
7639 if (real < 1 || virtual < 1)
7640 {
7641 msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
7642 goto err;
7643 }
7644 options->real_hash_size = real;
7645 options->virtual_hash_size = real;
7646 }
7647 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7648 {
7649 int cf_max, cf_per;
7650
7651 VERIFY_PERMISSION(OPT_P_GENERAL);
7652 cf_max = atoi_warn(p[1], msglevel);
7653 cf_per = atoi_warn(p[2], msglevel);
7654 if (cf_max < 0 || cf_per < 0)
7655 {
7656 msg(msglevel, "--connect-freq parms must be > 0");
7657 goto err;
7658 }
7659 options->cf_max = cf_max;
7660 options->cf_per = cf_per;
7661 }
7662 else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7663 {
7664 long cf_max, cf_per;
7665
7666 VERIFY_PERMISSION(OPT_P_GENERAL);
7667 char *e1, *e2;
7668 cf_max = strtol(p[1], &e1, 10);
7669 cf_per = strtol(p[2], &e2, 10);
7670 if (cf_max < 0 || cf_per < 0 || *e1 != '\0' || *e2 != '\0')
7671 {
7672 msg(msglevel, "--connect-freq-initial parameters must be integers and >= 0");
7673 goto err;
7674 }
7675 options->cf_initial_max = cf_max;
7676 options->cf_initial_per = cf_per;
7677 }
7678 else if (streq(p[0], "max-clients") && p[1] && !p[2])
7679 {
7680 int max_clients;
7681
7682 VERIFY_PERMISSION(OPT_P_GENERAL);
7683 max_clients = atoi_warn(p[1], msglevel);
7684 if (max_clients < 0)
7685 {
7686 msg(msglevel, "--max-clients must be at least 1");
7687 goto err;
7688 }
7689 if (max_clients >= MAX_PEER_ID) /* max peer-id value */
7690 {
7691 msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
7692 goto err;
7693 }
7694 options->max_clients = max_clients;
7695 }
7696 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7697 {
7698 VERIFY_PERMISSION(OPT_P_INHERIT);
7699 options->max_routes_per_client = max_int(positive_atoi(p[1], msglevel), 1);
7700 }
7701 else if (streq(p[0], "client-cert-not-required") && !p[1])
7702 {
7703 VERIFY_PERMISSION(OPT_P_GENERAL);
7704 msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7705 }
7706 else if (streq(p[0], "verify-client-cert") && !p[2])
7707 {
7708 VERIFY_PERMISSION(OPT_P_GENERAL);
7709
7710 /* Reset any existing flags */
7711 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7712 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7713 if (p[1])
7714 {
7715 if (streq(p[1], "none"))
7716 {
7717 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
7718 }
7719 else if (streq(p[1], "optional"))
7720 {
7721 options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7722 }
7723 else if (!streq(p[1], "require"))
7724 {
7725 msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7726 goto err;
7727 }
7728 }
7729 }
7730 else if (streq(p[0], "username-as-common-name") && !p[1])
7731 {
7732 VERIFY_PERMISSION(OPT_P_GENERAL);
7733 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7734 }
7735 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7736 {
7737 VERIFY_PERMISSION(OPT_P_GENERAL);
7738 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7739 }
7740 else if (streq(p[0], "opt-verify") && !p[1])
7741 {
7742 VERIFY_PERMISSION(OPT_P_GENERAL);
7743 msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
7744 "in OpenVPN 2.7");
7745 options->ssl_flags |= SSLF_OPT_VERIFY;
7746 }
7747 else if (streq(p[0], "auth-user-pass-verify") && p[1])
7748 {
7749 VERIFY_PERMISSION(OPT_P_SCRIPT);
7750 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7751 {
7752 goto err;
7753 }
7754 if (p[2])
7755 {
7756 if (streq(p[2], "via-env"))
7757 {
7758 options->auth_user_pass_verify_script_via_file = false;
7759 }
7760 else if (streq(p[2], "via-file"))
7761 {
7762 options->auth_user_pass_verify_script_via_file = true;
7763 }
7764 else
7765 {
7766 msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7767 goto err;
7768 }
7769 }
7770 else
7771 {
7772 msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7773 goto err;
7774 }
7775 set_user_script(options,
7776 &options->auth_user_pass_verify_script,
7777 p[1], "auth-user-pass-verify", true);
7778 }
7779 else if (streq(p[0], "auth-gen-token"))
7780 {
7781 VERIFY_PERMISSION(OPT_P_GENERAL);
7782 options->auth_token_generate = true;
7783 options->auth_token_lifetime = p[1] ? positive_atoi(p[1], msglevel) : 0;
7784
7785 for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
7786 {
7787 /* the second parameter can be the renewal time */
7788 if (i == 2 && valid_integer(p[i], true))
7789 {
7790 options->auth_token_renewal = positive_atoi(p[i], msglevel);
7791 }
7792 else if (streq(p[i], "external-auth"))
7793 {
7794 options->auth_token_call_auth = true;
7795 }
7796 else
7797 {
7798 msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
7799 }
7800 }
7801
7802 }
7803 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7804 {
7805 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7806 options->auth_token_secret_file = p[1];
7807 options->auth_token_secret_file_inline = is_inline;
7808
7809 }
7810 else if (streq(p[0], "client-connect") && p[1])
7811 {
7812 VERIFY_PERMISSION(OPT_P_SCRIPT);
7813 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7814 {
7815 goto err;
7816 }
7817 set_user_script(options, &options->client_connect_script,
7818 p[1], "client-connect", true);
7819 }
7820 else if (streq(p[0], "client-crresponse") && p[1])
7821 {
7822 VERIFY_PERMISSION(OPT_P_SCRIPT);
7823 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7824 {
7825 goto err;
7826 }
7827 set_user_script(options, &options->client_crresponse_script,
7828 p[1], "client-crresponse", true);
7829 }
7830 else if (streq(p[0], "client-disconnect") && p[1])
7831 {
7832 VERIFY_PERMISSION(OPT_P_SCRIPT);
7833 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7834 {
7835 goto err;
7836 }
7837 set_user_script(options, &options->client_disconnect_script,
7838 p[1], "client-disconnect", true);
7839 }
7840 else if (streq(p[0], "learn-address") && p[1])
7841 {
7842 VERIFY_PERMISSION(OPT_P_SCRIPT);
7843 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7844 {
7845 goto err;
7846 }
7847 set_user_script(options, &options->learn_address_script,
7848 p[1], "learn-address", true);
7849 }
7850 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7851 {
7852 VERIFY_PERMISSION(OPT_P_GENERAL);
7853 options->tmp_dir = p[1];
7854 }
7855 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7856 {
7857 VERIFY_PERMISSION(OPT_P_GENERAL);
7858 options->client_config_dir = p[1];
7859 }
7860 else if (streq(p[0], "ccd-exclusive") && !p[1])
7861 {
7862 VERIFY_PERMISSION(OPT_P_GENERAL);
7863 options->ccd_exclusive = true;
7864 }
7865 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7866 {
7867 int n_bcast_buf;
7868
7869 VERIFY_PERMISSION(OPT_P_GENERAL);
7870 n_bcast_buf = atoi_warn(p[1], msglevel);
7871 if (n_bcast_buf < 1)
7872 {
7873 msg(msglevel, "--bcast-buffers parameter must be > 0");
7874 }
7875 options->n_bcast_buf = n_bcast_buf;
7876 }
7877 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7878 {
7879 int tcp_queue_limit;
7880
7881 VERIFY_PERMISSION(OPT_P_GENERAL);
7882 tcp_queue_limit = atoi_warn(p[1], msglevel);
7883 if (tcp_queue_limit < 1)
7884 {
7885 msg(msglevel, "--tcp-queue-limit parameter must be > 0");
7886 }
7887 options->tcp_queue_limit = tcp_queue_limit;
7888 }
7889#if PORT_SHARE
7890 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7891 {
7892 VERIFY_PERMISSION(OPT_P_GENERAL);
7893 options->port_share_host = p[1];
7894 options->port_share_port = p[2];
7895 options->port_share_journal_dir = p[3];
7896 }
7897#endif
7898 else if (streq(p[0], "client-to-client") && !p[1])
7899 {
7900 VERIFY_PERMISSION(OPT_P_GENERAL);
7901 options->enable_c2c = true;
7902 }
7903 else if (streq(p[0], "duplicate-cn") && !p[1])
7904 {
7905 VERIFY_PERMISSION(OPT_P_GENERAL);
7906 options->duplicate_cn = true;
7907 }
7908 else if (streq(p[0], "iroute") && p[1] && !p[3])
7909 {
7910 VERIFY_PERMISSION(OPT_P_INSTANCE);
7911 option_iroute(options, p[1], p[2], msglevel);
7912 }
7913 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7914 {
7915 VERIFY_PERMISSION(OPT_P_INSTANCE);
7916 option_iroute_ipv6(options, p[1], msglevel);
7917 }
7918 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7919 {
7920 in_addr_t local, remote_netmask;
7921
7922 VERIFY_PERMISSION(OPT_P_INSTANCE);
7923 local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7924 remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7925 if (local && remote_netmask)
7926 {
7927 options->push_ifconfig_defined = true;
7928 options->push_ifconfig_local = local;
7929 options->push_ifconfig_remote_netmask = remote_netmask;
7930 if (p[3])
7931 {
7932 options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7933 }
7934 }
7935 else
7936 {
7937 msg(msglevel, "cannot parse --ifconfig-push addresses");
7938 goto err;
7939 }
7940 }
7941 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7942 {
7943 in_addr_t network, netmask;
7944
7945 VERIFY_PERMISSION(OPT_P_GENERAL);
7946 network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7947 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7948 if (network && netmask)
7949 {
7950 options->push_ifconfig_constraint_defined = true;
7951 options->push_ifconfig_constraint_network = network;
7952 options->push_ifconfig_constraint_netmask = netmask;
7953 }
7954 else
7955 {
7956 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7957 goto err;
7958 }
7959 }
7960 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7961 {
7962 struct in6_addr local, remote;
7963 unsigned int netbits;
7964
7965 VERIFY_PERMISSION(OPT_P_INSTANCE);
7966
7967 if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
7968 {
7969 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7970 goto err;
7971 }
7972
7973 if (p[2])
7974 {
7975 if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
7976 {
7977 msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7978 goto err;
7979 }
7980 }
7981 else
7982 {
7983 if (!options->ifconfig_ipv6_local
7984 || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
7985 NULL, msglevel ) )
7986 {
7987 msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7988 goto err;
7989 }
7990 }
7991
7992 options->push_ifconfig_ipv6_defined = true;
7993 options->push_ifconfig_ipv6_local = local;
7994 options->push_ifconfig_ipv6_netbits = netbits;
7995 options->push_ifconfig_ipv6_remote = remote;
7996 options->push_ifconfig_ipv6_blocked = false;
7997 }
7998 else if (streq(p[0], "disable") && !p[1])
7999 {
8000 VERIFY_PERMISSION(OPT_P_INSTANCE);
8001 options->disable = true;
8002 }
8003 else if (streq(p[0], "tcp-nodelay") && !p[1])
8004 {
8005 VERIFY_PERMISSION(OPT_P_GENERAL);
8006 options->server_flags |= SF_TCP_NODELAY_HELPER;
8007 }
8008 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
8009 {
8010 int ageing_time, check_interval;
8011
8012 VERIFY_PERMISSION(OPT_P_GENERAL);
8013 ageing_time = atoi_warn(p[1], msglevel);
8014 if (p[2])
8015 {
8016 check_interval = atoi_warn(p[2], msglevel);
8017 }
8018 else
8019 {
8020 check_interval = ageing_time;
8021 }
8022
8023 if (ageing_time < 1 || check_interval < 1)
8024 {
8025 msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
8026 goto err;
8027 }
8028 options->stale_routes_ageing_time = ageing_time;
8029 options->stale_routes_check_interval = check_interval;
8030 }
8031
8032 else if (streq(p[0], "client") && !p[1])
8033 {
8034 VERIFY_PERMISSION(OPT_P_GENERAL);
8035 options->client = true;
8036 }
8037 else if (streq(p[0], "pull") && !p[1])
8038 {
8039 VERIFY_PERMISSION(OPT_P_GENERAL);
8040 options->pull = true;
8041 }
8042 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
8043 {
8044 VERIFY_PERMISSION(OPT_P_PULL_MODE);
8045 options->push_continuation = atoi_warn(p[1], msglevel);
8046 }
8047 else if (streq(p[0], "auth-user-pass") && !p[2])
8048 {
8049 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8050 if (p[1])
8051 {
8052 options->auth_user_pass_file = p[1];
8053 options->auth_user_pass_file_inline = is_inline;
8054 }
8055 else
8056 {
8057 options->auth_user_pass_file = "stdin";
8058 }
8059 }
8060 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
8061 {
8062 VERIFY_PERMISSION(OPT_P_GENERAL);
8063 auth_retry_set(msglevel, p[1]);
8064 }
8065#ifdef ENABLE_MANAGEMENT
8066 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[4])
8067 {
8068 VERIFY_PERMISSION(OPT_P_GENERAL);
8069 options->sc_info.challenge_text = p[1];
8070 if (atoi_warn(p[2], msglevel))
8071 {
8072 options->sc_info.flags |= SC_ECHO;
8073 }
8074 if (p[3] && streq(p[3], "concat"))
8075 {
8076 options->sc_info.flags |= SC_CONCAT;
8077 }
8078 else if (p[3] && !streq(p[3], "scrv1"))
8079 {
8080 msg(msglevel, "--static-challenge: unknown format indicator '%s'", p[3]);
8081 goto err;
8082 }
8083 }
8084#endif
8085 else if (streq(p[0], "msg-channel") && p[1])
8086 {
8087#ifdef _WIN32
8088 VERIFY_PERMISSION(OPT_P_GENERAL);
8089 HANDLE process = GetCurrentProcess();
8090 HANDLE handle = (HANDLE) ((intptr_t) atoll(p[1]));
8091 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
8092 FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
8093 {
8094 msg(msglevel, "could not duplicate service pipe handle");
8095 goto err;
8096 }
8097 options->route_method = ROUTE_METHOD_SERVICE;
8098#else /* ifdef _WIN32 */
8099 msg(msglevel, "--msg-channel is only supported on Windows");
8100 goto err;
8101#endif
8102 }
8103#ifdef _WIN32
8104 else if (streq(p[0], "win-sys") && p[1] && !p[2])
8105 {
8106 VERIFY_PERMISSION(OPT_P_GENERAL);
8107 if (streq(p[1], "env"))
8108 {
8109 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
8110 "This entry will now be ignored. "
8111 "Please remove this entry from your configuration file.");
8112 }
8113 else
8114 {
8115 set_win_sys_path(p[1], es);
8116 }
8117 }
8118 else if (streq(p[0], "route-method") && p[1] && !p[2])
8119 {
8120 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8121 if (streq(p[1], "adaptive"))
8122 {
8123 options->route_method = ROUTE_METHOD_ADAPTIVE;
8124 }
8125 else if (streq(p[1], "ipapi"))
8126 {
8127 options->route_method = ROUTE_METHOD_IPAPI;
8128 }
8129 else if (streq(p[1], "exe"))
8130 {
8131 options->route_method = ROUTE_METHOD_EXE;
8132 }
8133 else
8134 {
8135 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
8136 goto err;
8137 }
8138 }
8139 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
8140 {
8141 const int index = ascii2ipset(p[1]);
8142 struct tuntap_options *to = &options->tuntap_options;
8143
8144 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8145
8146 if (index < 0)
8147 {
8148 msg(msglevel,
8149 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
8150 p[1],
8151 ipset2ascii_all(&gc));
8152 goto err;
8153 }
8154
8155 if (index == IPW32_SET_ADAPTIVE)
8156 {
8157 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
8158 }
8159
8160 if (index == IPW32_SET_DHCP_MASQ)
8161 {
8162 if (p[2])
8163 {
8164 if (!streq(p[2], "default"))
8165 {
8166 int offset = atoi_warn(p[2], msglevel);
8167
8168 if (!(offset > -256 && offset < 256))
8169 {
8170 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
8171 goto err;
8172 }
8173
8174 to->dhcp_masq_custom_offset = true;
8175 to->dhcp_masq_offset = offset;
8176 }
8177
8178 if (p[3])
8179 {
8180 const int min_lease = 30;
8181 int lease_time;
8182 lease_time = atoi_warn(p[3], msglevel);
8183 if (lease_time < min_lease)
8184 {
8185 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
8186 goto err;
8187 }
8188 to->dhcp_lease_time = lease_time;
8189 }
8190 }
8191 }
8192 to->ip_win32_type = index;
8193 to->ip_win32_defined = true;
8194 }
8195#endif /* ifdef _WIN32 */
8196 else if (streq(p[0], "dns") && p[1])
8197 {
8198 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8199
8200 if (streq(p[1], "search-domains") && p[2])
8201 {
8202 dns_domain_list_append(&options->dns_options.search_domains, &p[2], &options->dns_options.gc);
8203 }
8204 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
8205 {
8206 long priority;
8207 if (!dns_server_priority_parse(&priority, p[2], pull_mode))
8208 {
8209 msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
8210 goto err;
8211 }
8212
8213 struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
8214
8215 if (streq(p[3], "address") && p[4])
8216 {
8217 for (int i = 4; p[i]; ++i)
8218 {
8219 if (!dns_server_addr_parse(server, p[i]))
8220 {
8221 msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]);
8222 goto err;
8223 }
8224 }
8225 }
8226 else if (streq(p[3], "resolve-domains"))
8227 {
8228 dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
8229 }
8230 else if (streq(p[3], "dnssec") && !p[5])
8231 {
8232 if (streq(p[4], "yes"))
8233 {
8234 server->dnssec = DNS_SECURITY_YES;
8235 }
8236 else if (streq(p[4], "no"))
8237 {
8238 server->dnssec = DNS_SECURITY_NO;
8239 }
8240 else if (streq(p[4], "optional"))
8241 {
8242 server->dnssec = DNS_SECURITY_OPTIONAL;
8243 }
8244 else
8245 {
8246 msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
8247 goto err;
8248 }
8249 }
8250 else if (streq(p[3], "transport") && !p[5])
8251 {
8252 if (streq(p[4], "plain"))
8253 {
8254 server->transport = DNS_TRANSPORT_PLAIN;
8255 }
8256 else if (streq(p[4], "DoH"))
8257 {
8258 server->transport = DNS_TRANSPORT_HTTPS;
8259 }
8260 else if (streq(p[4], "DoT"))
8261 {
8262 server->transport = DNS_TRANSPORT_TLS;
8263 }
8264 else
8265 {
8266 msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
8267 goto err;
8268 }
8269 }
8270 else if (streq(p[3], "sni") && !p[5])
8271 {
8272 server->sni = p[4];
8273 }
8274 else
8275 {
8276 msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]);
8277 goto err;
8278 }
8279 }
8280 else
8281 {
8282 msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
8283 goto err;
8284 }
8285 }
8286#if defined(_WIN32) || defined(TARGET_ANDROID)
8287 else if (streq(p[0], "dhcp-option") && p[1])
8288 {
8289 struct tuntap_options *o = &options->tuntap_options;
8290 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8291
8292 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX"))
8293 && p[2] && !p[3])
8294 {
8295 o->domain = p[2];
8296 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8297 }
8298 else if (streq(p[1], "NBS") && p[2] && !p[3])
8299 {
8300 o->netbios_scope = p[2];
8301 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8302 }
8303 else if (streq(p[1], "NBT") && p[2] && !p[3])
8304 {
8305 int t;
8306 t = atoi_warn(p[2], msglevel);
8307 if (!(t == 1 || t == 2 || t == 4 || t == 8))
8308 {
8309 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8310 goto err;
8311 }
8312 o->netbios_node_type = t;
8313 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8314 }
8315 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
8316 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
8317 {
8318 if (strstr(p[2], ":"))
8319 {
8320 dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
8321 }
8322 else
8323 {
8324 dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel);
8325 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8326 }
8327 }
8328 else if (streq(p[1], "WINS") && p[2] && !p[3])
8329 {
8330 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8331 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8332 }
8333 else if (streq(p[1], "NTP") && p[2] && !p[3])
8334 {
8335 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8336 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8337 }
8338 else if (streq(p[1], "NBDD") && p[2] && !p[3])
8339 {
8340 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8341 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8342 }
8343 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
8344 {
8345 if (o->domain_search_list_len < N_SEARCH_LIST_LEN)
8346 {
8347 o->domain_search_list[o->domain_search_list_len++] = p[2];
8348 }
8349 else
8350 {
8351 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
8352 p[1], N_SEARCH_LIST_LEN);
8353 }
8354 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8355 }
8356 else if (streq(p[1], "DISABLE-NBT") && !p[2])
8357 {
8358 o->disable_nbt = 1;
8359 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8360 }
8361#if defined(TARGET_ANDROID)
8362 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8363 {
8364 o->http_proxy_port = positive_atoi(p[3], msglevel);
8365 o->http_proxy = p[2];
8366 }
8367#endif
8368 else
8369 {
8370 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
8371 goto err;
8372 }
8373 }
8374#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8375#ifdef _WIN32
8376 else if (streq(p[0], "show-adapters") && !p[1])
8377 {
8378 VERIFY_PERMISSION(OPT_P_GENERAL);
8379 show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
8380 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8381 }
8382 else if (streq(p[0], "show-net") && !p[1])
8383 {
8384 VERIFY_PERMISSION(OPT_P_GENERAL);
8385 show_routes(M_INFO|M_NOPREFIX);
8386 show_adapters(M_INFO|M_NOPREFIX);
8387 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8388 }
8389 else if (streq(p[0], "show-net-up") && !p[1])
8390 {
8391 VERIFY_PERMISSION(OPT_P_UP);
8392 options->show_net_up = true;
8393 }
8394 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8395 {
8396 int s;
8397 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8398 s = atoi_warn(p[1], msglevel);
8399 if (s < 0 || s >= 256)
8400 {
8401 msg(msglevel, "--tap-sleep parameter must be between 0 and 255");
8402 goto err;
8403 }
8404 options->tuntap_options.tap_sleep = s;
8405 }
8406 else if (streq(p[0], "dhcp-renew") && !p[1])
8407 {
8408 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8409 options->tuntap_options.dhcp_renew = true;
8410 }
8411 else if (streq(p[0], "dhcp-pre-release") && !p[1])
8412 {
8413 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8414 options->tuntap_options.dhcp_pre_release = true;
8415 options->tuntap_options.dhcp_renew = true;
8416 }
8417 else if (streq(p[0], "dhcp-release") && !p[1])
8418 {
8419 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8420 }
8421 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8422 {
8423 unsigned int adapter_index;
8424 VERIFY_PERMISSION(OPT_P_GENERAL);
8425 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8426 adapter_index = atou(p[1]);
8427 sleep(options->tuntap_options.tap_sleep);
8428 if (options->tuntap_options.dhcp_pre_release)
8429 {
8430 dhcp_release_by_adapter_index(adapter_index);
8431 }
8432 if (options->tuntap_options.dhcp_renew)
8433 {
8434 dhcp_renew_by_adapter_index(adapter_index);
8435 }
8436 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8437 }
8438 else if (streq(p[0], "register-dns") && !p[1])
8439 {
8440 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8441 options->tuntap_options.register_dns = true;
8442 }
8443 else if (streq(p[0], "block-outside-dns") && !p[1])
8444 {
8445 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8446 options->block_outside_dns = true;
8447 }
8448 else if (streq(p[0], "rdns-internal") && !p[1])
8449 /* standalone method for internal use
8450 *
8451 * (if --register-dns is set, openvpn needs to call itself in a
8452 * sub-process to execute the required functions in a non-blocking
8453 * way, and uses --rdns-internal to signal that to itself)
8454 */
8455 {
8456 VERIFY_PERMISSION(OPT_P_GENERAL);
8457 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8458 if (options->tuntap_options.register_dns)
8459 {
8460 ipconfig_register_dns(NULL);
8461 }
8462 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8463 }
8464 else if (streq(p[0], "show-valid-subnets") && !p[1])
8465 {
8466 VERIFY_PERMISSION(OPT_P_GENERAL);
8467 show_valid_win32_tun_subnets();
8468 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8469 }
8470 else if (streq(p[0], "pause-exit") && !p[1])
8471 {
8472 VERIFY_PERMISSION(OPT_P_GENERAL);
8473 set_pause_exit_win32();
8474 }
8475 else if (streq(p[0], "service") && p[1] && !p[3])
8476 {
8477 VERIFY_PERMISSION(OPT_P_GENERAL);
8478 options->exit_event_name = p[1];
8479 if (p[2])
8480 {
8481 options->exit_event_initial_state = (atoi_warn(p[2], msglevel) != 0);
8482 }
8483 }
8484 else if (streq(p[0], "allow-nonadmin") && !p[2])
8485 {
8486 VERIFY_PERMISSION(OPT_P_GENERAL);
8487 tap_allow_nonadmin_access(p[1]);
8488 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8489 }
8490 else if (streq(p[0], "user") && p[1] && !p[2])
8491 {
8492 VERIFY_PERMISSION(OPT_P_GENERAL);
8493 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8494 }
8495 else if (streq(p[0], "group") && p[1] && !p[2])
8496 {
8497 VERIFY_PERMISSION(OPT_P_GENERAL);
8498 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8499 }
8500#else /* ifdef _WIN32 */
8501 else if (streq(p[0], "user") && p[1] && !p[2])
8502 {
8503 VERIFY_PERMISSION(OPT_P_GENERAL);
8504 options->username = p[1];
8505 }
8506 else if (streq(p[0], "group") && p[1] && !p[2])
8507 {
8508 VERIFY_PERMISSION(OPT_P_GENERAL);
8509 options->groupname = p[1];
8510 }
8511 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8512 {
8513 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8514 setenv_foreign_option(options, (const char **)p, 3, es);
8515 }
8516 else if (streq(p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
8517 {
8518 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8519 }
8520#endif /* ifdef _WIN32 */
8521#if PASSTOS_CAPABILITY
8522 else if (streq(p[0], "passtos") && !p[1])
8523 {
8524 VERIFY_PERMISSION(OPT_P_GENERAL);
8525 options->passtos = true;
8526 }
8527#endif
8528 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8529 {
8530 VERIFY_PERMISSION(OPT_P_GENERAL);
8531
8532 if (streq(p[1], "no"))
8533 {
8534 options->comp.flags =
8535 COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
8536 if (comp_non_stub_enabled(&options->comp))
8537 {
8538 msg(msglevel, "'--allow-compression no' conflicts with "
8539 " enabling compression");
8540 }
8541 }
8542 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8543 {
8544 /* Also printed on a push to hint at configuration problems */
8545 msg(msglevel, "Cannot set allow-compression to '%s' "
8546 "after set to 'no'", p[1]);
8547 goto err;
8548 }
8549 else if (streq(p[1], "asym"))
8550 {
8551 options->comp.flags |= COMP_F_ALLOW_ASYM;
8552 }
8553 else if (streq(p[1], "yes"))
8554 {
8555 msg(M_WARN, "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. "
8556 "We will use \"asym\" mode instead. See the manual page for more information.");
8557
8558 options->comp.flags |= COMP_F_ALLOW_ASYM;
8559 }
8560 else
8561 {
8562 msg(msglevel, "bad allow-compression option: %s -- "
8563 "must be 'yes', 'no', or 'asym'", p[1]);
8564 goto err;
8565 }
8566 }
8567 else if (streq(p[0], "comp-lzo") && !p[2])
8568 {
8569 VERIFY_PERMISSION(OPT_P_COMP);
8570
8571 /* All lzo variants do not use swap */
8572 options->comp.flags &= ~COMP_F_SWAP;
8573 options->comp.alg = COMP_ALG_LZO;
8574
8575 if (p[1])
8576 {
8577 if (streq(p[1], "no"))
8578 {
8579 options->comp.alg = COMP_ALG_STUB;
8580 }
8581 /* There is no actual difference anymore between these variants.
8582 * We never compress. On the server side we replace this with
8583 * --compress migrate later anyway.
8584 */
8585 else if (!(streq(p[1], "yes") || streq(p[1], "adaptive")))
8586 {
8587 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
8588 goto err;
8589 }
8590 }
8591 show_compression_warning(&options->comp);
8592 }
8593 else if (streq(p[0], "comp-noadapt") && !p[1])
8594 {
8595 /* NO-OP since we never compress anymore */
8596 }
8597 else if (streq(p[0], "compress") && !p[2])
8598 {
8599 VERIFY_PERMISSION(OPT_P_COMP);
8600 const char *alg = "stub";
8601 if (p[1])
8602 {
8603 alg = p[1];
8604 }
8605
8606 if (streq(alg, "stub"))
8607 {
8608 options->comp.alg = COMP_ALG_STUB;
8609 options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
8610 }
8611 else if (streq(alg, "stub-v2"))
8612 {
8613 options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8614 options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8615 }
8616 else if (streq(alg, "migrate"))
8617 {
8618 options->comp.alg = COMP_ALG_UNDEF;
8619 options->comp.flags = COMP_F_MIGRATE;
8620 }
8621 else if (streq(alg, "lzo"))
8622 {
8623 options->comp.alg = COMP_ALG_LZO;
8624 options->comp.flags &= ~COMP_F_SWAP;
8625 }
8626 else if (streq(alg, "lz4"))
8627 {
8628 options->comp.alg = COMP_ALG_LZ4;
8629 options->comp.flags |= COMP_F_SWAP;
8630 }
8631 else if (streq(alg, "lz4-v2"))
8632 {
8633 options->comp.alg = COMP_ALGV2_LZ4;
8634 }
8635 else
8636 {
8637 msg(msglevel, "bad comp option: %s", alg);
8638 goto err;
8639 }
8640
8641 show_compression_warning(&options->comp);
8642 }
8643 else if (streq(p[0], "show-ciphers") && !p[1])
8644 {
8645 VERIFY_PERMISSION(OPT_P_GENERAL);
8646 options->show_ciphers = true;
8647 }
8648 else if (streq(p[0], "show-digests") && !p[1])
8649 {
8650 VERIFY_PERMISSION(OPT_P_GENERAL);
8651 options->show_digests = true;
8652 }
8653 else if (streq(p[0], "show-engines") && !p[1])
8654 {
8655 VERIFY_PERMISSION(OPT_P_GENERAL);
8656 options->show_engines = true;
8657 }
8658 else if (streq(p[0], "key-direction") && p[1] && !p[2])
8659 {
8660 int key_direction;
8661
8662 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
8663
8664 key_direction = ascii2keydirection(msglevel, p[1]);
8665 if (key_direction >= 0)
8666 {
8667 if (permission_mask & OPT_P_GENERAL)
8668 {
8669 options->key_direction = key_direction;
8670 }
8671 else if (permission_mask & OPT_P_CONNECTION)
8672 {
8673 options->ce.key_direction = key_direction;
8674 }
8675 }
8676 else
8677 {
8678 goto err;
8679 }
8680 }
8681 else if (streq(p[0], "secret") && p[1] && !p[3])
8682 {
8683 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8684 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8685 options->shared_secret_file = p[1];
8686 options->shared_secret_file_inline = is_inline;
8687 if (!is_inline && p[2])
8688 {
8689 int key_direction;
8690
8691 key_direction = ascii2keydirection(msglevel, p[2]);
8692 if (key_direction >= 0)
8693 {
8694 options->key_direction = key_direction;
8695 }
8696 else
8697 {
8698 goto err;
8699 }
8700 }
8701 }
8702 else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
8703 {
8704 VERIFY_PERMISSION(OPT_P_GENERAL);
8705 options->allow_deprecated_insecure_static_crypto = true;
8706
8707 }
8708 else if (streq(p[0], "genkey") && !p[4])
8709 {
8710 VERIFY_PERMISSION(OPT_P_GENERAL);
8711 options->genkey = true;
8712 if (!p[1])
8713 {
8714 options->genkey_type = GENKEY_SECRET;
8715 }
8716 else
8717 {
8718 if (streq(p[1], "secret") || streq(p[1], "tls-auth")
8719 || streq(p[1], "tls-crypt"))
8720 {
8721 options->genkey_type = GENKEY_SECRET;
8722 }
8723 else if (streq(p[1], "tls-crypt-v2-server"))
8724 {
8725 options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
8726 }
8727 else if (streq(p[1], "tls-crypt-v2-client"))
8728 {
8729 options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
8730 if (p[3])
8731 {
8732 options->genkey_extra_data = p[3];
8733 }
8734 }
8735 else if (streq(p[1], "auth-token"))
8736 {
8737 options->genkey_type = GENKEY_AUTH_TOKEN;
8738 }
8739 else
8740 {
8741 msg(msglevel, "unknown --genkey type: %s", p[1]);
8742 }
8743
8744 }
8745 if (p[2])
8746 {
8747 options->genkey_filename = p[2];
8748 }
8749 }
8750 else if (streq(p[0], "auth") && p[1] && !p[2])
8751 {
8752 VERIFY_PERMISSION(OPT_P_GENERAL);
8753 options->authname = p[1];
8754 }
8755 else if (streq(p[0], "cipher") && p[1] && !p[2])
8756 {
8757 VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
8758 options->ciphername = p[1];
8759 }
8760 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8761 {
8762 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8763 options->ciphername = p[1];
8764 options->enable_ncp_fallback = true;
8765 }
8766 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
8767 && p[1] && !p[2])
8768 {
8769 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8770 if (streq(p[0], "ncp-ciphers"))
8771 {
8772 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8773 " '--data-ciphers' (renamed in OpenVPN 2.5).");
8774 }
8775 options->ncp_ciphers = p[1];
8776 }
8777 else if (streq(p[0], "key-derivation") && p[1])
8778 {
8779 /* NCP only option that is pushed by the server to enable EKM,
8780 * should not be used by normal users in config files*/
8781 VERIFY_PERMISSION(OPT_P_NCP)
8782#ifdef HAVE_EXPORT_KEYING_MATERIAL
8783 if (streq(p[1], "tls-ekm"))
8784 {
8785 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8786 }
8787 else
8788#endif
8789 {
8790 msg(msglevel, "Unknown key-derivation method %s", p[1]);
8791 }
8792 }
8793 else if (streq(p[0], "protocol-flags") && p[1])
8794 {
8795 /* NCP only option that is pushed by the server to enable protocol
8796 * features that are negotiated, should not be used by normal users
8797 * in config files */
8798 VERIFY_PERMISSION(OPT_P_NCP)
8799 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8800 {
8801 if (streq(p[j], "cc-exit"))
8802 {
8803 options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
8804 }
8805#ifdef HAVE_EXPORT_KEYING_MATERIAL
8806 else if (streq(p[j], "tls-ekm"))
8807 {
8808 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8809 }
8810 else if (streq(p[j], "dyn-tls-crypt"))
8811 {
8812 options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
8813 }
8814#endif
8815 else if (streq(p[j], "aead-epoch"))
8816 {
8817 options->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
8818 }
8819 else
8820 {
8821 msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
8822 }
8823 }
8824 }
8825 else if (streq(p[0], "force-tls-key-material-export"))
8826 {
8827 VERIFY_PERMISSION(OPT_P_GENERAL);
8828 options->force_key_material_export = true;
8829 }
8830 else if (streq(p[0], "prng") && p[1] && !p[3])
8831 {
8832 msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8833 }
8834 else if (streq(p[0], "no-replay") && !p[1])
8835 {
8836 VERIFY_PERMISSION(OPT_P_GENERAL);
8837 /* always error out, this breaks the connection */
8838 msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
8839 "Update your configuration.");
8840 }
8841 else if (streq(p[0], "replay-window") && !p[3])
8842 {
8843 VERIFY_PERMISSION(OPT_P_GENERAL);
8844 if (p[1])
8845 {
8846 int replay_window;
8847
8848 replay_window = atoi_warn(p[1], msglevel);
8849 if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
8850 {
8851 msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
8852 replay_window,
8853 MIN_SEQ_BACKTRACK,
8854 MAX_SEQ_BACKTRACK);
8855 goto err;
8856 }
8857 options->replay_window = replay_window;
8858
8859 if (p[2])
8860 {
8861 int replay_time;
8862
8863 replay_time = atoi_warn(p[2], msglevel);
8864 if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
8865 {
8866 msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
8867 replay_time,
8868 MIN_TIME_BACKTRACK,
8869 MAX_TIME_BACKTRACK);
8870 goto err;
8871 }
8872 options->replay_time = replay_time;
8873 }
8874 }
8875 else
8876 {
8877 msg(msglevel, "replay-window option is missing window size parameter");
8878 goto err;
8879 }
8880 }
8881 else if (streq(p[0], "mute-replay-warnings") && !p[1])
8882 {
8883 VERIFY_PERMISSION(OPT_P_GENERAL);
8884 options->mute_replay_warnings = true;
8885 }
8886 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8887 {
8888 VERIFY_PERMISSION(OPT_P_GENERAL);
8889 options->packet_id_file = p[1];
8890 }
8891 else if (streq(p[0], "test-crypto") && !p[1])
8892 {
8893 VERIFY_PERMISSION(OPT_P_GENERAL);
8894 options->test_crypto = true;
8895 }
8896#ifndef ENABLE_CRYPTO_MBEDTLS
8897 else if (streq(p[0], "engine") && !p[2])
8898 {
8899 VERIFY_PERMISSION(OPT_P_GENERAL);
8900 if (p[1])
8901 {
8902 options->engine = p[1];
8903 }
8904 else
8905 {
8906 options->engine = "auto";
8907 }
8908 }
8909#endif /* ENABLE_CRYPTO_MBEDTLS */
8910 else if (streq(p[0], "providers") && p[1])
8911 {
8912 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8913 {
8914 options->providers.names[j] = p[j];
8915 }
8916 }
8917#ifdef ENABLE_PREDICTION_RESISTANCE
8918 else if (streq(p[0], "use-prediction-resistance") && !p[1])
8919 {
8920 VERIFY_PERMISSION(OPT_P_GENERAL);
8921 options->use_prediction_resistance = true;
8922 }
8923#endif
8924 else if (streq(p[0], "show-tls") && !p[1])
8925 {
8926 VERIFY_PERMISSION(OPT_P_GENERAL);
8927 options->show_tls_ciphers = true;
8928 }
8929 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8930 {
8931 VERIFY_PERMISSION(OPT_P_GENERAL);
8932 options->show_curves = true;
8933 }
8934 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8935 {
8936 VERIFY_PERMISSION(OPT_P_GENERAL);
8937 msg(M_WARN, "Consider setting groups/curves preference with "
8938 "tls-groups instead of forcing a specific curve with "
8939 "ecdh-curve.");
8940 options->ecdh_curve = p[1];
8941 }
8942 else if (streq(p[0], "tls-server") && !p[1])
8943 {
8944 VERIFY_PERMISSION(OPT_P_GENERAL);
8945 options->tls_server = true;
8946 }
8947 else if (streq(p[0], "tls-client") && !p[1])
8948 {
8949 VERIFY_PERMISSION(OPT_P_GENERAL);
8950 options->tls_client = true;
8951 }
8952 else if (streq(p[0], "ca") && p[1] && !p[2])
8953 {
8954 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8955 options->ca_file = p[1];
8956 options->ca_file_inline = is_inline;
8957 }
8958#ifndef ENABLE_CRYPTO_MBEDTLS
8959 else if (streq(p[0], "capath") && p[1] && !p[2])
8960 {
8961 VERIFY_PERMISSION(OPT_P_GENERAL);
8962 options->ca_path = p[1];
8963 }
8964#endif /* ENABLE_CRYPTO_MBEDTLS */
8965 else if (streq(p[0], "dh") && p[1] && !p[2])
8966 {
8967 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8968 options->dh_file = p[1];
8969 options->dh_file_inline = is_inline;
8970 }
8971 else if (streq(p[0], "cert") && p[1] && !p[2])
8972 {
8973 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8974 options->cert_file = p[1];
8975 options->cert_file_inline = is_inline;
8976 }
8977 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8978 {
8979 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8980 options->extra_certs_file = p[1];
8981 options->extra_certs_file_inline = is_inline;
8982 }
8983 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8984 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8985 {
8986 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8987
8988 int verify_hash_depth = 0;
8989 if (streq(p[0], "verify-hash"))
8990 {
8991 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8992 "You should switch to the either use the level 1 certificate as "
8993 "--ca option, use --tls-verify or use --peer-fingerprint");
8994 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8995 verify_hash_depth = 1;
8996 }
8997
8998 options->verify_hash_algo = MD_SHA256;
8999
9000 int digest_len = SHA256_DIGEST_LENGTH;
9001
9002 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
9003 {
9004 msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
9005 " --peer-fingerprint are mutually exclusive", p[0]);
9006 goto err;
9007 }
9008
9009 if (streq(p[0], "verify-hash"))
9010 {
9011 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
9012 {
9013 options->verify_hash_algo = MD_SHA1;
9014 digest_len = SHA_DIGEST_LENGTH;
9015 }
9016 else if (p[2] && !streq(p[2], "SHA256"))
9017 {
9018 msg(msglevel, "invalid or unsupported hashing algorithm: %s "
9019 "(only SHA1 and SHA256 are supported)", p[2]);
9020 goto err;
9021 }
9022 }
9023
9024 struct verify_hash_list *newlist;
9025 newlist = parse_hash_fingerprint_multiline(p[1], digest_len,
9026 msglevel, &options->gc);
9027
9028 /* Append the new list to the end of our current list */
9029 if (!options->verify_hash)
9030 {
9031 options->verify_hash = newlist;
9032 options->verify_hash_depth = verify_hash_depth;
9033 }
9034 else
9035 {
9036 /* since both the old and new list can have multiple entries
9037 * we need to go to the end of one of them to concatenate them */
9038 struct verify_hash_list *listend = options->verify_hash;
9039 while (listend->next)
9040 {
9041 listend = listend->next;
9042 }
9043 listend->next = newlist;
9044 }
9045 }
9046#if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
9047 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
9048 {
9049 VERIFY_PERMISSION(OPT_P_GENERAL);
9050 options->cryptoapi_cert = p[1];
9051 }
9052#endif
9053 else if (streq(p[0], "key") && p[1] && !p[2])
9054 {
9055 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
9056 options->priv_key_file = p[1];
9057 options->priv_key_file_inline = is_inline;
9058 }
9059 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
9060 {
9061 int ver;
9062 VERIFY_PERMISSION(OPT_P_GENERAL);
9063 ver = tls_version_parse(p[1], p[2]);
9064 if (ver == TLS_VER_BAD)
9065 {
9066 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
9067 goto err;
9068 }
9069
9070#ifdef ENABLE_CRYPTO_MBEDTLS
9071 if (ver < TLS_VER_1_2)
9072 {
9073 msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
9074 ver = TLS_VER_1_2;
9075 }
9076#endif
9077
9078 options->ssl_flags &=
9079 ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
9080 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
9081 }
9082 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
9083 {
9084 int ver;
9085 VERIFY_PERMISSION(OPT_P_GENERAL);
9086 ver = tls_version_parse(p[1], NULL);
9087 if (ver == TLS_VER_BAD)
9088 {
9089 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
9090 goto err;
9091 }
9092 options->ssl_flags &=
9093 ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
9094 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
9095 }
9096#ifndef ENABLE_CRYPTO_MBEDTLS
9097 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
9098 {
9099 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
9100 options->pkcs12_file = p[1];
9101 options->pkcs12_file_inline = is_inline;
9102 }
9103#endif /* ENABLE_CRYPTO_MBEDTLS */
9104 else if (streq(p[0], "askpass") && !p[2])
9105 {
9106 VERIFY_PERMISSION(OPT_P_GENERAL);
9107 if (p[1])
9108 {
9109 options->key_pass_file = p[1];
9110 }
9111 else
9112 {
9113 options->key_pass_file = "stdin";
9114 }
9115 }
9116 else if (streq(p[0], "auth-nocache") && !p[1])
9117 {
9118 VERIFY_PERMISSION(OPT_P_GENERAL);
9119 ssl_set_auth_nocache();
9120 }
9121 else if (streq(p[0], "auth-token") && p[1] && !p[2])
9122 {
9123 VERIFY_PERMISSION(OPT_P_ECHO);
9124 ssl_set_auth_token(p[1]);
9125#ifdef ENABLE_MANAGEMENT
9126 if (management)
9127 {
9128 management_auth_token(management, p[1]);
9129 }
9130#endif
9131 }
9132 else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
9133 {
9134 VERIFY_PERMISSION(OPT_P_ECHO);
9135 ssl_set_auth_token_user(p[1]);
9136 }
9137 else if (streq(p[0], "single-session") && !p[1])
9138 {
9139 VERIFY_PERMISSION(OPT_P_GENERAL);
9140 options->single_session = true;
9141 }
9142 else if (streq(p[0], "push-peer-info") && !p[1])
9143 {
9144 VERIFY_PERMISSION(OPT_P_GENERAL);
9145 options->push_peer_info = true;
9146 }
9147 else if (streq(p[0], "tls-exit") && !p[1])
9148 {
9149 VERIFY_PERMISSION(OPT_P_GENERAL);
9150 options->tls_exit = true;
9151 }
9152 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
9153 {
9154 VERIFY_PERMISSION(OPT_P_GENERAL);
9155 options->cipher_list = p[1];
9156 }
9157 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
9158 {
9159 VERIFY_PERMISSION(OPT_P_GENERAL);
9160 options->tls_cert_profile = p[1];
9161 }
9162 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
9163 {
9164 VERIFY_PERMISSION(OPT_P_GENERAL);
9165 options->cipher_list_tls13 = p[1];
9166 }
9167 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
9168 {
9169 VERIFY_PERMISSION(OPT_P_GENERAL);
9170 options->tls_groups = p[1];
9171 }
9172 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
9173 || !p[2]))
9174 {
9175 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
9176 if (p[2] && streq(p[2], "dir"))
9177 {
9178 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
9179 }
9180 options->crl_file = p[1];
9181 options->crl_file_inline = is_inline;
9182 }
9183 else if (streq(p[0], "tls-verify") && p[1])
9184 {
9185 VERIFY_PERMISSION(OPT_P_SCRIPT);
9186 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
9187 {
9188 goto err;
9189 }
9190 set_user_script(options, &options->tls_verify,
9191 string_substitute(p[1], ',', ' ', &options->gc),
9192 "tls-verify", true);
9193 }
9194 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
9195 {
9196 VERIFY_PERMISSION(OPT_P_SCRIPT);
9197 options->tls_export_peer_cert_dir = p[1];
9198 }
9199 else if (streq(p[0], "compat-names"))
9200 {
9201 VERIFY_PERMISSION(OPT_P_GENERAL);
9202 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
9203 "Update your configuration.");
9204 goto err;
9205 }
9206 else if (streq(p[0], "no-name-remapping") && !p[1])
9207 {
9208 VERIFY_PERMISSION(OPT_P_GENERAL);
9209 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
9210 "Update your configuration.");
9211 goto err;
9212 }
9213 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
9214 {
9215 int type = VERIFY_X509_SUBJECT_DN;
9216 VERIFY_PERMISSION(OPT_P_GENERAL);
9217 if (p[2])
9218 {
9219 if (streq(p[2], "subject"))
9220 {
9221 type = VERIFY_X509_SUBJECT_DN;
9222 }
9223 else if (streq(p[2], "name"))
9224 {
9225 type = VERIFY_X509_SUBJECT_RDN;
9226 }
9227 else if (streq(p[2], "name-prefix"))
9228 {
9229 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
9230 }
9231 else
9232 {
9233 msg(msglevel, "unknown X.509 name type: %s", p[2]);
9234 goto err;
9235 }
9236 }
9237 options->verify_x509_type = type;
9238 options->verify_x509_name = p[1];
9239 }
9240 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
9241 {
9242#ifdef ENABLE_CRYPTO_MBEDTLS
9243 msg(msglevel, "--ns-cert-type is not available with mbedtls.");
9244 goto err;
9245#else
9246 VERIFY_PERMISSION(OPT_P_GENERAL);
9247 if (streq(p[1], "server"))
9248 {
9249 options->ns_cert_type = NS_CERT_CHECK_SERVER;
9250 }
9251 else if (streq(p[1], "client"))
9252 {
9253 options->ns_cert_type = NS_CERT_CHECK_CLIENT;
9254 }
9255 else
9256 {
9257 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
9258 goto err;
9259 }
9260#endif /* ENABLE_CRYPTO_MBEDTLS */
9261 }
9262 else if (streq(p[0], "remote-cert-ku"))
9263 {
9264 VERIFY_PERMISSION(OPT_P_GENERAL);
9265
9266 size_t j;
9267 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9268 {
9269 sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
9270 }
9271 if (j == 1)
9272 {
9273 /* No specific KU required, but require KU to be present */
9274 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9275 }
9276 }
9277 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
9278 {
9279 VERIFY_PERMISSION(OPT_P_GENERAL);
9280 options->remote_cert_eku = p[1];
9281 }
9282 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
9283 {
9284 VERIFY_PERMISSION(OPT_P_GENERAL);
9285
9286 if (streq(p[1], "server"))
9287 {
9288 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9289 options->remote_cert_eku = "TLS Web Server Authentication";
9290 }
9291 else if (streq(p[1], "client"))
9292 {
9293 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9294 options->remote_cert_eku = "TLS Web Client Authentication";
9295 }
9296 else
9297 {
9298 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
9299 goto err;
9300 }
9301 }
9302 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
9303 {
9304 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9305 options->tls_timeout = positive_atoi(p[1], msglevel);
9306 }
9307 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
9308 {
9309 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9310 char *end;
9311 long long reneg_bytes = strtoll(p[1], &end, 10);
9312 if (*end != '\0' || reneg_bytes < 0)
9313 {
9314 msg(msglevel, "--reneg-bytes parameter must be an integer and >= 0");
9315 goto err;
9316 }
9317 options->renegotiate_bytes = reneg_bytes;
9318 }
9319 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
9320 {
9321 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9322 char *end;
9323 long long pkt_max = strtoll(p[1], &end, 10);
9324 if (*end != '\0' || pkt_max < 0)
9325 {
9326 msg(msglevel, "--reneg-pkts parameter must be an integer and >= 0");
9327 goto err;
9328 }
9329 options->renegotiate_packets = pkt_max;
9330 }
9331 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
9332 {
9333 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9334 options->renegotiate_seconds = positive_atoi(p[1], msglevel);
9335 if (p[2])
9336 {
9337 options->renegotiate_seconds_min = positive_atoi(p[2], msglevel);
9338 }
9339 }
9340 else if (streq(p[0], "hand-window") && p[1] && !p[2])
9341 {
9342 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9343 options->handshake_window = positive_atoi(p[1], msglevel);
9344 }
9345 else if (streq(p[0], "tran-window") && p[1] && !p[2])
9346 {
9347 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9348 options->transition_window = positive_atoi(p[1], msglevel);
9349 }
9350 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9351 {
9352 int key_direction = -1;
9353
9354 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9355
9356 if (permission_mask & OPT_P_GENERAL)
9357 {
9358 options->tls_auth_file = p[1];
9359 options->tls_auth_file_inline = is_inline;
9360
9361 if (!is_inline && p[2])
9362 {
9363 key_direction = ascii2keydirection(msglevel, p[2]);
9364 if (key_direction < 0)
9365 {
9366 goto err;
9367 }
9368 options->key_direction = key_direction;
9369 }
9370
9371 }
9372 else if (permission_mask & OPT_P_CONNECTION)
9373 {
9374 options->ce.tls_auth_file = p[1];
9375 options->ce.tls_auth_file_inline = is_inline;
9376 options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
9377
9378 if (!is_inline && p[2])
9379 {
9380 key_direction = ascii2keydirection(msglevel, p[2]);
9381 if (key_direction < 0)
9382 {
9383 goto err;
9384 }
9385 options->ce.key_direction = key_direction;
9386 }
9387 }
9388 }
9389 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9390 {
9391 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9392 if (permission_mask & OPT_P_GENERAL)
9393 {
9394 options->tls_crypt_file = p[1];
9395 options->tls_crypt_file_inline = is_inline;
9396 }
9397 else if (permission_mask & OPT_P_CONNECTION)
9398 {
9399 options->ce.tls_crypt_file = p[1];
9400 options->ce.tls_crypt_file_inline = is_inline;
9401 }
9402 }
9403 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9404 {
9405 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9406 if (permission_mask & OPT_P_GENERAL)
9407 {
9408 options->tls_crypt_v2_file = p[1];
9409 options->tls_crypt_v2_file_inline = is_inline;
9410 }
9411 else if (permission_mask & OPT_P_CONNECTION)
9412 {
9413 options->ce.tls_crypt_v2_file = p[1];
9414 options->ce.tls_crypt_v2_file_inline = is_inline;
9415 }
9416
9417 if (p[2] && streq(p[2], "force-cookie"))
9418 {
9419 options->ce.tls_crypt_v2_force_cookie = true;
9420 }
9421 else if (p[2] && streq(p[2], "allow-noncookie"))
9422 {
9423 options->ce.tls_crypt_v2_force_cookie = false;
9424 }
9425 else if (p[2])
9426 {
9427 msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9428 }
9429 }
9430 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9431 {
9432 VERIFY_PERMISSION(OPT_P_GENERAL);
9433 options->tls_crypt_v2_verify_script = p[1];
9434 }
9435 else if (streq(p[0], "x509-track") && p[1] && !p[2])
9436 {
9437 VERIFY_PERMISSION(OPT_P_GENERAL);
9438 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9439 }
9440#ifdef ENABLE_X509ALTUSERNAME
9441 else if (streq(p[0], "x509-username-field") && p[1])
9442 {
9443 VERIFY_PERMISSION(OPT_P_GENERAL);
9444 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9445 {
9446 char *s = p[j];
9447
9448 if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s+4))
9449 {
9450 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9451 }
9452 options->x509_username_field[j-1] = p[j];
9453 }
9454 }
9455#endif /* ENABLE_X509ALTUSERNAME */
9456#ifdef ENABLE_PKCS11
9457 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9458 {
9459 char *provider = p[1];
9460 bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0 ));
9461
9462#ifdef DEFAULT_PKCS11_MODULE
9463 if (!provider)
9464 {
9465 provider = DEFAULT_PKCS11_MODULE;
9466 }
9467 else if (!p[2])
9468 {
9469 char *endp = NULL;
9470 int i = strtol(provider, &endp, 10);
9471
9472 if (*endp == 0)
9473 {
9474 /* There was one argument, and it was purely numeric.
9475 * Interpret it as the cert_private argument */
9476 provider = DEFAULT_PKCS11_MODULE;
9477 cert_private = i;
9478 }
9479 }
9480#else /* ifdef DEFAULT_PKCS11_MODULE */
9481 if (!provider)
9482 {
9483 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9484 goto err;
9485 }
9486#endif /* ifdef DEFAULT_PKCS11_MODULE */
9487 VERIFY_PERMISSION(OPT_P_GENERAL);
9488
9489 set_debug_level(options->verbosity, SDL_CONSTRAIN);
9490 show_pkcs11_ids(provider, cert_private);
9491 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9492 }
9493 else if (streq(p[0], "pkcs11-providers") && p[1])
9494 {
9495 int j;
9496
9497 VERIFY_PERMISSION(OPT_P_GENERAL);
9498
9499 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9500 {
9501 options->pkcs11_providers[j-1] = p[j];
9502 }
9503 }
9504 else if (streq(p[0], "pkcs11-protected-authentication"))
9505 {
9506 int j;
9507
9508 VERIFY_PERMISSION(OPT_P_GENERAL);
9509
9510 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9511 {
9512 options->pkcs11_protected_authentication[j-1] = atoi_warn(p[j], msglevel) != 0 ? 1 : 0;
9513 }
9514 }
9515 else if (streq(p[0], "pkcs11-private-mode") && p[1])
9516 {
9517 int j;
9518
9519 VERIFY_PERMISSION(OPT_P_GENERAL);
9520
9521 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9522 {
9523 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
9524 }
9525 }
9526 else if (streq(p[0], "pkcs11-cert-private"))
9527 {
9528 int j;
9529
9530 VERIFY_PERMISSION(OPT_P_GENERAL);
9531
9532 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9533 {
9534 options->pkcs11_cert_private[j-1] = (bool) (atoi_warn(p[j], msglevel));
9535 }
9536 }
9537 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9538 {
9539 VERIFY_PERMISSION(OPT_P_GENERAL);
9540 options->pkcs11_pin_cache_period = atoi_warn(p[1], msglevel);
9541 }
9542 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9543 {
9544 VERIFY_PERMISSION(OPT_P_GENERAL);
9545 options->pkcs11_id = p[1];
9546 }
9547 else if (streq(p[0], "pkcs11-id-management") && !p[1])
9548 {
9549 VERIFY_PERMISSION(OPT_P_GENERAL);
9550 options->pkcs11_id_management = true;
9551 }
9552#endif /* ifdef ENABLE_PKCS11 */
9553 else if (streq(p[0], "rmtun") && !p[1])
9554 {
9555 VERIFY_PERMISSION(OPT_P_GENERAL);
9556 options->persist_config = true;
9557 options->persist_mode = 0;
9558 }
9559 else if (streq(p[0], "mktun") && !p[1])
9560 {
9561 VERIFY_PERMISSION(OPT_P_GENERAL);
9562 options->persist_config = true;
9563 options->persist_mode = 1;
9564 }
9565 else if (streq(p[0], "peer-id") && p[1] && !p[2])
9566 {
9567 VERIFY_PERMISSION(OPT_P_PEER_ID);
9568 options->use_peer_id = true;
9569 options->peer_id = atoi_warn(p[1], msglevel);
9570 }
9571#ifdef HAVE_EXPORT_KEYING_MATERIAL
9572 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9573 {
9574 int ekm_length = positive_atoi(p[2], msglevel);
9575
9576 VERIFY_PERMISSION(OPT_P_GENERAL);
9577
9578 if (strncmp(p[1], "EXPORTER", 8))
9579 {
9580 msg(msglevel, "Keying material exporter label must begin with "
9581 "\"EXPORTER\"");
9582 goto err;
9583 }
9584 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9585 {
9586 msg(msglevel, "Keying material exporter label must not be '"
9587 EXPORT_KEY_DATA_LABEL "'.");
9588 }
9589 if (ekm_length < 16 || ekm_length > 4095)
9590 {
9591 msg(msglevel, "Invalid keying material exporter length");
9592 goto err;
9593 }
9594
9595 options->keying_material_exporter_label = p[1];
9596 options->keying_material_exporter_length = ekm_length;
9597 }
9598#endif /* HAVE_EXPORT_KEYING_MATERIAL */
9599 else if (streq(p[0], "allow-recursive-routing") && !p[1])
9600 {
9601 VERIFY_PERMISSION(OPT_P_GENERAL);
9602 options->allow_recursive_routing = true;
9603 }
9604 else if (streq(p[0], "vlan-tagging") && !p[1])
9605 {
9606 VERIFY_PERMISSION(OPT_P_GENERAL);
9607 options->vlan_tagging = true;
9608 }
9609 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9610 {
9611 VERIFY_PERMISSION(OPT_P_GENERAL);
9612 if (streq(p[1], "tagged"))
9613 {
9614 options->vlan_accept = VLAN_ONLY_TAGGED;
9615 }
9616 else if (streq(p[1], "untagged"))
9617 {
9618 options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9619 }
9620 else if (streq(p[1], "all"))
9621 {
9622 options->vlan_accept = VLAN_ALL;
9623 }
9624 else
9625 {
9626 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9627 goto err;
9628 }
9629 }
9630 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9631 {
9632 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
9633 options->vlan_pvid = positive_atoi(p[1], msglevel);
9634 if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
9635 || options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
9636 {
9637 msg(msglevel,
9638 "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9639 OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
9640 goto err;
9641 }
9642 }
9643 else
9644 {
9645 int i;
9646 int msglevel_unknown = msglevel_fc;
9647 /* Check if an option is in --ignore-unknown-option and
9648 * set warning level to non fatal */
9649 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9650 {
9651 if (streq(p[0], options->ignore_unknown_option[i]))
9652 {
9653 msglevel_unknown = M_WARN;
9654 break;
9655 }
9656 }
9657 if (file)
9658 {
9659 msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
9660 }
9661 else
9662 {
9663 msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
9664 }
9665 }
9666err:
9667 gc_free(&gc);
9668}
9669
9670bool
9671has_udp_in_local_list(const struct options *options)
9672{
9673 if (options->ce.local_list)
9674 {
9675 for (int i = 0; i < options->ce.local_list->len; i++)
9676 {
9677 if (proto_is_dgram(options->ce.local_list->array[i]->proto))
9678 {
9679 return true;
9680 }
9681 }
9682 }
9683
9684 return false;
9685}
9686
9687bool
9688has_tcp_in_local_list(const struct options *options)
9689{
9690 if (options->ce.local_list)
9691 {
9692 for (int i = 0; i < options->ce.local_list->len; i++)
9693 {
9694 if (!proto_is_dgram(options->ce.local_list->array[i]->proto))
9695 {
9696 return true;
9697 }
9698 }
9699 }
9700
9701 return false;
9702}
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:483
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:102
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:88
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:183
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:162
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:240
gc_transfer
void gc_transfer(struct gc_arena *dest, struct gc_arena *src)
Definition buffer.c:460
gc_realloc
void * gc_realloc(void *ptr, size_t size, struct gc_arena *a)
allows to realloc a pointer previously allocated by gc_malloc or gc_realloc
Definition buffer.c:370
format_hex_ex
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:62
string_array_len
int string_array_len(const char **array)
Definition buffer.c:703
buffer_read_from_file
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
Definition buffer.c:1358
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:825
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
string_alloc_buf
struct buffer string_alloc_buf(const char *str, struct gc_arena *gc)
Definition buffer.c:752
gc_detach
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1019
BSTR
#define BSTR(buf)
Definition buffer.h:129
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:712
BPTR
#define BPTR(buf)
Definition buffer.h:124
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1071
buf_valid
static bool buf_valid(const struct buffer *buf)
Definition buffer.h:234
gc_init
static void gc_init(struct gc_arena *a)
Definition buffer.h:1012
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:520
buf_set_read
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition buffer.h:348
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1097
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1092
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
strprefix
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition buffer.h:977
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1025
print_client_nat_list
void print_client_nat_list(const struct client_nat_option_list *list, int msglevel)
Definition clinat.c:52
add_client_nat_to_option_list
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, int msglevel)
Definition clinat.c:106
new_client_nat_list
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition clinat.c:75
clone_client_nat_option_list
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition clinat.c:83
copy_client_nat_option_list
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition clinat.c:92
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:69
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition common.h:82
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition comp.c:163
COMP_F_ALLOW_STUB_ONLY
#define COMP_F_ALLOW_STUB_ONLY
Definition comp.h:41
COMP_F_SWAP
#define COMP_F_SWAP
Definition comp.h:39
COMP_ALG_LZ4
#define COMP_ALG_LZ4
Definition comp.h:51
COMP_ALGV2_LZ4
#define COMP_ALGV2_LZ4
Definition comp.h:56
COMP_F_ALLOW_NOCOMP_ONLY
#define COMP_F_ALLOW_NOCOMP_ONLY
Definition comp.h:44
COMP_F_ALLOW_ASYM
#define COMP_F_ALLOW_ASYM
Definition comp.h:43
COMP_ALGV2_UNCOMPRESSED
#define COMP_ALGV2_UNCOMPRESSED
Definition comp.h:55
COMP_ALG_STUB
#define COMP_ALG_STUB
Definition comp.h:48
COMP_ALG_LZO
#define COMP_ALG_LZO
Definition comp.h:49
COMP_F_ADVERTISE_STUBS_ONLY
#define COMP_F_ADVERTISE_STUBS_ONLY
Definition comp.h:40
COMP_F_MIGRATE
#define COMP_F_MIGRATE
Definition comp.h:42
comp_non_stub_enabled
static bool comp_non_stub_enabled(const struct compress_options *info)
Definition comp.h:73
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition comp.h:47
daemon
int daemon(int nochdir, int noclose)
Definition compat-daemon.c:51
dirname
char * dirname(char *path)
Definition compat-dirname.c:62
strsep
char * strsep(char **stringp, const char *delim)
Definition compat-strsep.c:36
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:893
ascii2keydirection
int ascii2keydirection(int msglevel, const char *str)
Definition crypto.c:1653
keydirection2ascii
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
Definition crypto.c:1676
check_tls_prf_working
bool check_tls_prf_working(void)
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS K...
Definition crypto.c:1941
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1229
crypto.h
Data Channel Cryptography Module.
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:356
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:372
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:376
KEY_DIRECTION_BIDIRECTIONAL
#define KEY_DIRECTION_BIDIRECTIONAL
Definition crypto.h:230
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:368
MD_SHA256
@ MD_SHA256
Definition crypto_backend.h:54
MD_SHA1
@ MD_SHA1
Definition crypto_backend.h:53
cipher_defined
static bool cipher_defined(const char *ciphername)
Checks if the cipher is defined and is not the null (none) cipher.
Definition crypto_backend.h:219
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition crypto_openssl.c:1071
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:660
cipher_kt_key_size
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
Definition crypto_openssl.c:680
SHA_DIGEST_LENGTH
#define SHA_DIGEST_LENGTH
Definition crypto_mbedtls.h:78
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition crypto_mbedtls.h:79
dco_check_startup_option
static bool dco_check_startup_option(int msglevel, const struct options *o)
Definition dco.h:288
dco_check_option
static bool dco_check_option(int msglevel, const struct options *o)
Definition dco.h:282
dco_version_string
static const char * dco_version_string(struct gc_arena *gc)
Definition dco.h:276
dns_options_verify
bool dns_options_verify(int msglevel, const struct dns_options *o)
Checks validity of DNS options.
Definition dns.c:197
dns_domain_list_append
void dns_domain_list_append(struct dns_domain **entry, char **domains, struct gc_arena *gc)
Appends DNS domain parameters to a linked list.
Definition dns.c:141
dns_options_postprocess_pull
void dns_options_postprocess_pull(struct dns_options *o)
Merges pulled DNS servers with static ones into an ordered list.
Definition dns.c:271
dns_server_addr_parse
bool dns_server_addr_parse(struct dns_server *server, const char *addr)
Parses a string IPv4 or IPv6 address and optional colon separated port, into a in_addr or in6_addr re...
Definition dns.c:55
dns_server_get
struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc)
Find or create DNS server with priority in a linked list.
Definition dns.c:175
dns_server_priority_parse
bool dns_server_priority_parse(long *priority, const char *str, bool pulled)
Parses a string DNS server priority and validates it.
Definition dns.c:160
clone_dns_options
struct dns_options clone_dns_options(const struct dns_options *o, struct gc_arena *gc)
Makes a deep copy of the passed DNS options.
Definition dns.c:251
setenv_dns_options
void setenv_dns_options(const struct dns_options *o, struct env_set *es)
Puts the DNS options into an environment set.
Definition dns.c:370
show_dns_options
void show_dns_options(const struct dns_options *o)
Prints configured DNS options.
Definition dns.c:432
dns_options_preprocess_pull
void dns_options_preprocess_pull(struct dns_options *o)
Saves and resets the server options, so that pulled ones don't mix in.
Definition dns.c:264
DNS_SECURITY_NO
@ DNS_SECURITY_NO
Definition dns.h:32
DNS_SECURITY_YES
@ DNS_SECURITY_YES
Definition dns.h:33
DNS_SECURITY_OPTIONAL
@ DNS_SECURITY_OPTIONAL
Definition dns.h:34
DNS_TRANSPORT_PLAIN
@ DNS_TRANSPORT_PLAIN
Definition dns.h:39
DNS_TRANSPORT_TLS
@ DNS_TRANSPORT_TLS
Definition dns.h:41
DNS_TRANSPORT_HTTPS
@ DNS_TRANSPORT_HTTPS
Definition dns.h:40
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:267
setenv_str_i
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i)
Definition env_set.c:404
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:283
env_set_get
const char * env_set_get(const struct env_set *es, const char *name)
Definition env_set.c:201
setenv_str_safe
void setenv_str_safe(struct env_set *es, const char *name, const char *value)
Definition env_set.c:289
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition env_set.c:275
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition env_set.c:328
D_SHOW_OCC
#define D_SHOW_OCC
Definition errlevel.h:151
D_PUSH
#define D_PUSH
Definition errlevel.h:83
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition errlevel.h:157
D_DCO
#define D_DCO
Definition errlevel.h:94
D_SHOW_PARMS
#define D_SHOW_PARMS
Definition errlevel.h:96
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition errlevel.h:67
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:59
D_LOW
#define D_LOW
Definition errlevel.h:97
M_INFO
#define M_INFO
Definition errlevel.h:55
forward.h
Interface functions to the internal and external multiplexers.
helper_setdefault_topology
void helper_setdefault_topology(struct options *o)
Set –topology default depending on –mode.
Definition helper.c:144
helper_tcp_nodelay
void helper_tcp_nodelay(struct options *o)
Definition helper.c:600
helper_client_server
void helper_client_server(struct options *o)
Definition helper.c:172
helper_keepalive
void helper_keepalive(struct options *o)
Definition helper.c:541
max_int
static int max_int(int x, int y)
Definition integer.h:89
constrain_int
static int constrain_int(int x, int min, int max)
Definition integer.h:115
status
static SERVICE_STATUS status
Definition interactive.c:53
tls_verify
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
Definition keyingmaterialexporter.c:166
management_auth_token
void management_auth_token(struct management *man, const char *token)
Definition manage.c:3105
management_echo
void management_echo(struct management *man, const char *string, const bool pull)
Definition manage.c:3027
MF_FORGET_DISCONNECT
#define MF_FORGET_DISCONNECT
Definition manage.h:32
MF_EXTERNAL_KEY_PKCS1PAD
#define MF_EXTERNAL_KEY_PKCS1PAD
Definition manage.h:39
MF_CLIENT_AUTH
#define MF_CLIENT_AUTH
Definition manage.h:34
MF_EXTERNAL_KEY_PSSPAD
#define MF_EXTERNAL_KEY_PSSPAD
Definition manage.h:44
MF_EXTERNAL_KEY_NOPADDING
#define MF_EXTERNAL_KEY_NOPADDING
Definition manage.h:38
MF_QUERY_PROXY
#define MF_QUERY_PROXY
Definition manage.h:42
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition manage.h:37
MF_QUERY_REMOTE
#define MF_QUERY_REMOTE
Definition manage.h:41
MF_QUERY_PASSWORDS
#define MF_QUERY_PASSWORDS
Definition manage.h:29
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition manage.h:43
MF_EXTERNAL_KEY_DIGEST
#define MF_EXTERNAL_KEY_DIGEST
Definition manage.h:45
MF_UP_DOWN
#define MF_UP_DOWN
Definition manage.h:40
MF_HOLD
#define MF_HOLD
Definition manage.h:30
MF_SIGNAL
#define MF_SIGNAL
Definition manage.h:31
MF_UNIX_SOCK
#define MF_UNIX_SOCK
Definition manage.h:36
MF_CONNECT_AS_CLIENT
#define MF_CONNECT_AS_CLIENT
Definition manage.h:33
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:793
safe_print
const char * safe_print(const char *str, struct gc_arena *gc)
Definition misc.c:557
SC_CONCAT
#define SC_CONCAT
Definition misc.h:95
SC_ECHO
#define SC_ECHO
Definition misc.h:94
translate_mtu_discover_type_name
int translate_mtu_discover_type_name(const char *name)
Definition mtu.c:261
calc_options_string_link_mtu
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition mtu.c:152
MSSFIX_DEFAULT
#define MSSFIX_DEFAULT
Definition mtu.h:80
TAP_MTU_EXTRA_DEFAULT
#define TAP_MTU_EXTRA_DEFAULT
Definition mtu.h:75
LINK_MTU_DEFAULT
#define LINK_MTU_DEFAULT
Definition mtu.h:65
TUN_MTU_DEFAULT
#define TUN_MTU_DEFAULT
Definition mtu.h:70
TLS_MTU_DEFAULT
#define TLS_MTU_DEFAULT
Definition mtu.h:85
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition multi.c:93
net_ctx_init
static int net_ctx_init(struct context *c, openvpn_net_ctx_t *ctx)
Definition networking.h:48
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:39
BOOL_CAST
#define BOOL_CAST(x)
Definition basic.h:27
CLEAR
#define CLEAR(x)
Definition basic.h:33
SIZE
#define SIZE(x)
Definition basic.h:30
errors_to_stderr
void errors_to_stderr(void)
Definition error.c:185
open_syslog
void open_syslog(const char *pgmname, bool stdio_to_null)
Definition error.c:467
redirect_stdout_stderr
void redirect_stdout_stderr(const char *file, bool append)
Definition error.c:515
msg_fp
FILE * msg_fp(const unsigned int flags)
Definition error.c:194
openvpn_exit
void openvpn_exit(const int status)
Definition error.c:735
machine_readable_output
static bool machine_readable_output
Definition error.c:78
set_suppress_timestamps
void set_suppress_timestamps(bool suppressed)
Definition error.c:149
set_machine_readable_output
void set_machine_readable_output(bool parsable)
Definition error.c:155
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:105
suppress_timestamps
static bool suppress_timestamps
Definition error.c:81
M_OPTERR
#define M_OPTERR
Definition error.h:100
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition error.h:177
M_NOPREFIX
#define M_NOPREFIX
Definition error.h:97
M_DEBUG_LEVEL
#define M_DEBUG_LEVEL
Definition error.h:87
M_USAGE
#define M_USAGE
Definition error.h:106
OPENVPN_EXIT_STATUS_USAGE
#define OPENVPN_EXIT_STATUS_USAGE
Definition error.h:55
OPENVPN_EXIT_STATUS_GOOD
#define OPENVPN_EXIT_STATUS_GOOD
Definition error.h:53
M_FATAL
#define M_FATAL
Definition error.h:89
M_ERR
#define M_ERR
Definition error.h:105
msg
#define msg(flags,...)
Definition error.h:144
ASSERT
#define ASSERT(x)
Definition error.h:195
M_WARN
#define M_WARN
Definition error.h:91
M_MSG_VIRT_OUT
#define M_MSG_VIRT_OUT
Definition error.h:99
M_ERRNO
#define M_ERRNO
Definition error.h:94
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:546
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4587
options_warning_safe_ml
static void options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
Definition options.c:4703
PUF_TYPE_ACCEPT
#define PUF_TYPE_ACCEPT
filter type to accept a matching option
Definition options.c:945
rol6_check_alloc
static void rol6_check_alloc(struct options *options)
Definition options.c:1721
CHKACC_PRIVATE
#define CHKACC_PRIVATE
Warn if this (private) file is group/others accessible.
Definition options.c:3954
check_file_access_chroot_inline
static bool check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access_chroot() that returns false immediately if the file is inline (and th...
Definition options.c:4086
check_file_access_chroot
static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
Definition options.c:4053
options_warning_safe_scan2
static void options_warning_safe_scan2(const int msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4614
options_postprocess_verify_ce
static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
Definition options.c:2390
msglevel_forward_compatible
static int msglevel_forward_compatible(struct options *options, const int msglevel)
Definition options.c:5770
alloc_local_entry
static struct local_entry * alloc_local_entry(struct connection_entry *ce, const int msglevel, struct gc_arena *gc)
Definition options.c:2211
NM_QUOTE_HINT
#define NM_QUOTE_HINT
Definition options.c:5739
options_postprocess_mutate_ce
static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
Definition options.c:3189
usage_version
static void usage_version(void)
Definition options.c:5008
in_src_get
static bool in_src_get(const struct in_src *is, char *line, const int size)
Definition options.c:5269
alloc_pull_filter
static struct pull_filter * alloc_pull_filter(struct options *o)
Definition options.c:2309
options_server_import
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5643
USAGE_VALID_SERVER_PROTOS
#define USAGE_VALID_SERVER_PROTOS
SHOW_BOOL
#define SHOW_BOOL(var)
Definition options.c:993
CHKACC_DIRPATH
#define CHKACC_DIRPATH
Check for directory presence where a file should reside.
Definition options.c:3951
pre_connect_save
static void pre_connect_save(struct options *o)
Definition options.c:3385
CHKACC_ACPTSTDIN
#define CHKACC_ACPTSTDIN
If filename is stdin, it's allowed and "exists".
Definition options.c:3953
parse_windows_driver
static enum tun_driver_type parse_windows_driver(const char *str, const int msglevel)
Parses –windows-driver config option.
Definition options.c:4804
TLS_CLIENT
#define TLS_CLIENT
setenv_connection_entry
static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
Definition options.c:998
check_inline_file_via_buf
static int check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
Definition options.c:5370
global_auth_retry
static int global_auth_retry
Definition options.c:4880
IS_TYPE_BUF
#define IS_TYPE_BUF
Definition options.c:5260
options_postprocess_pull
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition options.c:4310
uninit_options
void uninit_options(struct options *o)
Definition options.c:925
connection_entry_load_re
static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
Definition options.c:2330
SHOW_STR
#define SHOW_STR(var)
Definition options.c:984
check_inline_file
static int check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
Definition options.c:5337
verify_permission
static bool verify_permission(const char *name, const char *file, int line, const unsigned int type, const unsigned int allowed, unsigned int *found, const int msglevel, struct options *options, bool is_inline)
Definition options.c:5682
read_config_file
static void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5392
show_windows_version
void show_windows_version(const unsigned int flags)
Definition options.c:4974
VERIFY_PERMISSION
#define VERIFY_PERMISSION(mask)
Definition options.c:5673
options_warning_extract_parm1
static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
Definition options.c:4599
key_is_external
bool key_is_external(const struct options *options)
Definition options.c:5818
no_more_than_n_args
static bool no_more_than_n_args(const int msglevel, char *p[], const int max, const unsigned int flags)
Definition options.c:5742
check_ca_required
static void check_ca_required(const struct options *options)
Definition options.c:2368
auth_retry_set
bool auth_retry_set(const int msglevel, const char *option)
Definition options.c:4889
parse_http_proxy_override
static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, struct gc_arena *gc)
Definition options.c:2137
read_config_string
static void read_config_string(const char *prefix, struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5467
bypass_doubledash
static void bypass_doubledash(char **p)
Definition options.c:5250
CHKACC_FILEXSTWR
#define CHKACC_FILEXSTWR
If file exists, is it writable?
Definition options.c:3952
get_ipv6_addr_no_netbits
static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
Returns newly allocated string containing address part without "/nn".
Definition options.c:1130
PUF_TYPE_IGNORE
#define PUF_TYPE_IGNORE
filter type to ignore a matching option
Definition options.c:946
show_dco_version
void show_dco_version(const unsigned int flags)
Definition options.c:4983
apply_pull_filter
static bool apply_pull_filter(const struct options *o, char *line)
Filter an option line by all pull filters.
Definition options.c:5573
rol_check_alloc
void rol_check_alloc(struct options *options)
Definition options.c:1712
alloc_local_list_if_undef
static struct local_list * alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
Definition options.c:2201
SHOW_UNSIGNED
#define SHOW_UNSIGNED(var)
Definition options.c:992
show_settings
void show_settings(const struct options *o)
Definition options.c:1836
set_user_script
static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot)
Definition options.c:5776
get_ip_addr
static in_addr_t get_ip_addr(const char *ip_string, int msglevel, bool *error)
Definition options.c:1105
LZO_LIB_VER_STR
#define LZO_LIB_VER_STR
apply_push_options
bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5613
show_dhcp_option_list
static void show_dhcp_option_list(const char *name, const char *const *array, int len)
Definition options.c:1283
show_connection_entries
static void show_connection_entries(const struct options *o)
Definition options.c:1797
options_postprocess_mutate_le
static void options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
Definition options.c:3349
option_iroute_ipv6
static void option_iroute_ipv6(struct options *o, const char *prefix_str, int msglevel)
Definition options.c:1651
options_cmp_equal_safe
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4729
parse_argv
void parse_argv(struct options *options, const int argc, char *argv[], const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5500
PUF_TYPE_REJECT
#define PUF_TYPE_REJECT
filter type to reject and trigger SIGUSR1
Definition options.c:947
string_defined_equal
bool string_defined_equal(const char *s1, const char *s2)
Definition options.c:5039
check_file_access_inline
static bool check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access() that returns false immediately if the file is inline (and therefore...
Definition options.c:4103
options_postprocess
void options_postprocess(struct options *options, struct env_set *es)
Definition options.c:4296
parse_topology
int parse_topology(const char *str, const int msglevel)
Definition options.c:4833
show_dhcp_option_addrs
static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
Definition options.c:1293
usage_small
void usage_small(void)
Definition options.c:4966
auth_retry_print
const char * auth_retry_print(void)
Definition options.c:4912
show_http_proxy_options
static void show_http_proxy_options(const struct http_proxy_options *o)
Definition options.c:1672
options_postprocess_filechecks
static void options_postprocess_filechecks(struct options *options)
Definition options.c:4172
show_connection_entry
static void show_connection_entry(const struct connection_entry *o)
Definition options.c:1740
options_warning_safe
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4752
show_library_versions
void show_library_versions(const unsigned int flags)
Definition options.c:4993
setenv_settings
void setenv_settings(struct env_set *es, const struct options *o)
Definition options.c:1028
CHKACC_ACCEPT_URI
#define CHKACC_ACCEPT_URI
Do not check URIs, unless they start with file:
Definition options.c:3955
usage_message
static const char usage_message[]
Definition options.c:120
string_substitute
static char * string_substitute(const char *src, int from, int to, struct gc_arena *gc)
Definition options.c:1157
parse_hash_fingerprint
static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a hexstring and checks if the string has the correct length.
Definition options.c:1186
alloc_connection_list_if_undef
static struct connection_list * alloc_connection_list_if_undef(struct options *options)
Definition options.c:2233
space
static bool space(unsigned char c)
Definition options.c:5070
check_cmd_access
static bool check_cmd_access(const char *command, const char *opt, const char *chroot)
Definition options.c:4131
options_warning_safe_scan1
static void options_warning_safe_scan1(const int msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4682
SHOW_INT64
#define SHOW_INT64(var)
Definition options.c:991
alloc_connection_entry
static struct connection_entry * alloc_connection_entry(struct options *options, const int msglevel)
Definition options.c:2243
dhcp_option_dns6_parse
static void dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
Definition options.c:1335
check_file_access
static bool check_file_access(const int type, const char *file, const int mode, const char *opt)
Definition options.c:3958
show_p2mp_parms
static void show_p2mp_parms(const struct options *o)
Definition options.c:1539
pull_filter_type_name
static const char * pull_filter_type_name(int type)
Definition options.c:963
cnol_check_alloc
static void cnol_check_alloc(struct options *options)
Definition options.c:1730
parse_line
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition options.c:5076
check_inline_file_via_fp
static int check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
Definition options.c:5361
alloc_remote_entry
static struct remote_entry * alloc_remote_entry(struct options *options, const int msglevel)
Definition options.c:2276
options_postprocess_mutate
static void options_postprocess_mutate(struct options *o, struct env_set *es)
Definition options.c:3748
options_detach
void options_detach(struct options *o)
Definition options.c:1703
atou
static unsigned int atou(const char *str)
Definition options.c:5061
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3427
dhcp_option_address_parse
static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
Definition options.c:1349
alloc_pull_filter_list
static struct pull_filter_list * alloc_pull_filter_list(struct options *o)
Definition options.c:2299
print_topology
const char * print_topology(const int topology)
Definition options.c:4855
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5663
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4766
SHOW_STR_INLINE
#define SHOW_STR_INLINE(var)
Definition options.c:985
options_postprocess_cipher
static void options_postprocess_cipher(struct options *o)
Definition options.c:3587
options_set_backwards_compatible_options
static void options_set_backwards_compatible_options(struct options *o)
Changes default values so that OpenVPN can be compatible with the user specified version.
Definition options.c:3654
show_tuntap_options
static void show_tuntap_options(const struct tuntap_options *o)
Definition options.c:1308
init_options
void init_options(struct options *o, const bool init_gc)
Definition options.c:803
print_vlan_accept
static const char * print_vlan_accept(enum vlan_acceptable_frames mode)
Definition options.c:1522
SHOW_PARM
#define SHOW_PARM(name, value, format)
Definition options.c:983
options_postprocess_http_proxy_override
static void options_postprocess_http_proxy_override(struct options *o)
Definition options.c:2167
IS_TYPE_FP
#define IS_TYPE_FP
Definition options.c:5259
options_warning
void options_warning(char *actual, const char *expected)
Definition options.c:4593
show_pull_filter_list
static void show_pull_filter_list(const struct pull_filter_list *l)
Definition options.c:1818
CHKACC_FILE
#define CHKACC_FILE
Check for a file/directory presence.
Definition options.c:3950
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4758
options_postprocess_mutate_invariant
static void options_postprocess_mutate_invariant(struct options *options)
Definition options.c:3496
ipv6_addr_safe_hexplusbits
static bool ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
Definition options.c:1148
title_string
const char title_string[]
Definition options.c:69
setenv_local_entry
static void setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
Definition options.c:1018
remap_redirect_gateway_flags
static void remap_redirect_gateway_flags(struct options *opt)
Definition options.c:3367
TLS_SERVER
#define TLS_SERVER
usage
static void usage(void)
Definition options.c:4934
auth_retry_get
int auth_retry_get(void)
Definition options.c:4883
add_option
static void add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5833
parse_hash_fingerprint_multiline
static struct verify_hash_list * parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a string consisting of multiple lines of hexstrings and checks if each string has the correct ...
Definition options.c:1240
alloc_remote_list_if_undef
static struct remote_list * alloc_remote_list_if_undef(struct options *options)
Definition options.c:2266
notnull
void notnull(const char *arg, const char *description)
Definition options.c:5030
tuntap_options_copy_dns
static void tuntap_options_copy_dns(struct options *o)
Definition options.c:1382
show_compression_warning
static void show_compression_warning(struct compress_options *info)
Definition options.c:5806
options_process_mutate_prf
static void options_process_mutate_prf(struct options *o)
Definition options.c:3724
MUST_BE_UNDEF
#define MUST_BE_UNDEF(parm)
has_udp_in_local_list
bool has_udp_in_local_list(const struct options *options)
Definition options.c:9671
option_iroute
static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, int msglevel)
Definition options.c:1621
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4368
has_tcp_in_local_list
bool has_tcp_in_local_list(const struct options *options)
Definition options.c:9688
read_inline_file
static char * read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
Definition options.c:5292
options_postprocess_verify
static void options_postprocess_verify(const struct options *o)
Definition options.c:3561
connection_entry_preload_key
static void connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
Definition options.c:2351
SHOW_INT
#define SHOW_INT(var)
Definition options.c:989
need_compatibility_before
static bool need_compatibility_before(const struct options *o, unsigned int version)
The option –compat-mode is used to set up default settings to values used on the specified openvpn ve...
Definition options.c:3644
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition options.h:258
OPT_P_SCRIPT
#define OPT_P_SCRIPT
Definition options.h:734
OPT_P_PUSH
#define OPT_P_PUSH
Definition options.h:746
SF_TCP_NODELAY_HELPER
#define SF_TCP_NODELAY_HELPER
Definition options.h:475
OPT_P_UP
#define OPT_P_UP
Definition options.h:731
OPT_P_CONNECTION
#define OPT_P_CONNECTION
Definition options.h:757
OPT_P_INSTANCE
#define OPT_P_INSTANCE
allowed in ccd, client-connect etc
Definition options.h:747
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:742
OPT_P_ECHO
#define OPT_P_ECHO
Definition options.h:750
OPT_P_CONFIG
#define OPT_P_CONFIG
Definition options.h:748
MODE_SERVER
#define MODE_SERVER
Definition options.h:259
CONNECTION_LIST_SIZE
#define CONNECTION_LIST_SIZE
Definition options.h:187
streq
#define streq(x, y)
Definition options.h:725
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:749
AR_INTERACT
#define AR_INTERACT
Definition options.h:903
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition options.h:736
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:929
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition options.h:756
SF_NOPOOL
#define SF_NOPOOL
Definition options.h:474
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition options.h:741
OPT_P_SETENV
#define OPT_P_SETENV
Definition options.h:735
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition options.h:755
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition options.h:754
OPTION_PARM_SIZE
#define OPTION_PARM_SIZE
Definition options.h:57
OPT_P_TIMER
#define OPT_P_TIMER
Definition options.h:737
OPT_P_GENERAL
#define OPT_P_GENERAL
Definition options.h:730
PING_RESTART
#define PING_RESTART
Definition options.h:354
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition options.h:733
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition options.h:753
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition options.h:237
GENKEY_SECRET
@ GENKEY_SECRET
Definition options.h:234
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:236
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:235
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition options.h:760
AR_NONE
#define AR_NONE
Definition options.h:902
AR_NOINTERACT
#define AR_NOINTERACT
Definition options.h:904
SF_NO_PUSH_ROUTE_GATEWAY
#define SF_NO_PUSH_ROUTE_GATEWAY
Definition options.h:476
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition options.h:738
MAX_PARMS
#define MAX_PARMS
Definition options.h:52
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition options.h:764
PLUGIN_OPTION_LIST
#define PLUGIN_OPTION_LIST(opt)
Definition options.h:784
OPTION_LINE_SIZE
#define OPTION_LINE_SIZE
Definition options.h:58
PING_EXIT
#define PING_EXIT
Definition options.h:353
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:740
OPT_P_PERSIST_IP
#define OPT_P_PERSIST_IP
Definition options.h:739
OPT_P_MTU
#define OPT_P_MTU
Definition options.h:744
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition options.h:752
OPT_P_NICE
#define OPT_P_NICE
Definition options.h:745
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition options.h:758
OPT_P_INHERIT
#define OPT_P_INHERIT
Definition options.h:751
OPT_P_TLS_PARMS
#define OPT_P_TLS_PARMS
Definition options.h:743
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition options.h:732
MAN_CLIENT_AUTH_ENABLED
#define MAN_CLIENT_AUTH_ENABLED(opt)
Definition options.h:790
CE_DISABLED
#define CE_DISABLED
Definition options.h:150
OPT_P_INLINE
#define OPT_P_INLINE
Definition options.h:759
vlan_acceptable_frames
vlan_acceptable_frames
Definition options.h:219
VLAN_ONLY_UNTAGGED_OR_PRIORITY
@ VLAN_ONLY_UNTAGGED_OR_PRIORITY
Definition options.h:221
VLAN_ALL
@ VLAN_ALL
Definition options.h:222
VLAN_ONLY_TAGGED
@ VLAN_ONLY_TAGGED
Definition options.h:220
positive_atoi
int positive_atoi(const char *str, int msglevel)
Converts a str to a positive number if the string represents a postive integer number.
Definition options_util.c:119
atoi_warn
int atoi_warn(const char *str, int msglevel)
Converts a str to an integer if the string can be represented as an integer number.
Definition options_util.c:135
valid_integer
bool valid_integer(const char *str, bool positive)
Checks if the string is a valid integer by checking if it can be converted to an integer.
Definition options_util.c:103
options_util.h
packet_id.h
MAX_SEQ_BACKTRACK
#define MAX_SEQ_BACKTRACK
Definition packet_id.h:86
MIN_SEQ_BACKTRACK
#define MIN_SEQ_BACKTRACK
Definition packet_id.h:85
DEFAULT_SEQ_BACKTRACK
#define DEFAULT_SEQ_BACKTRACK
Definition packet_id.h:87
MAX_TIME_BACKTRACK
#define MAX_TIME_BACKTRACK
Definition packet_id.h:95
DEFAULT_TIME_BACKTRACK
#define DEFAULT_TIME_BACKTRACK
Definition packet_id.h:96
MIN_TIME_BACKTRACK
#define MIN_TIME_BACKTRACK
Definition packet_id.h:94
platform_getpid
unsigned int platform_getpid(void)
Definition platform.c:333
platform_access
int platform_access(const char *path, int mode)
Definition platform.c:458
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition platform.c:501
platform_chdir
int platform_chdir(const char *dir)
Definition platform.c:393
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:527
platform_stat_t
struct _stat platform_stat_t
Definition platform.h:142
plugin_option_list_new
struct plugin_option_list * plugin_option_list_new(struct gc_arena *gc)
Definition plugin.c:160
plugin_option_list_add
bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
Definition plugin.c:168
plugin_option_list_print
void plugin_option_list_print(const struct plugin_option_list *list, int msglevel)
Definition plugin.c:189
ifconfig_pool_verify_range
bool ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_addr_t end)
Definition pool.c:121
OPENVPN_8021Q_MIN_VID
#define OPENVPN_8021Q_MIN_VID
Definition proto.h:311
OPENVPN_8021Q_MAX_VID
#define OPENVPN_8021Q_MAX_VID
Definition proto.h:312
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:37
TOP_UNDEF
#define TOP_UNDEF
Definition proto.h:41
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition proto.h:35
TOP_NET30
#define TOP_NET30
Definition proto.h:42
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:36
TOP_P2P
#define TOP_P2P
Definition proto.h:43
TOP_SUBNET
#define TOP_SUBNET
Definition proto.h:44
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:46
PAR_NCT
#define PAR_NCT
Definition proxy.h:50
MAX_CUSTOM_HTTP_HEADER
#define MAX_CUSTOM_HTTP_HEADER
Definition proxy.h:43
PAR_ALL
#define PAR_ALL
Definition proxy.h:49
push_reset
void push_reset(struct options *o)
Definition push.c:923
clone_push_list
void clone_push_list(struct options *o)
Definition push.c:881
push_remove_option
void push_remove_option(struct options *o, const char *p)
Definition push.c:929
push_options
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition push.c:897
is_special_addr
bool is_special_addr(const char *addr_str)
Definition route.c:306
clone_route_option_list
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition route.c:155
netmask_to_netbits2
int netmask_to_netbits2(in_addr_t netmask)
Definition route.c:4139
new_route_ipv6_option_list
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition route.c:139
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition route.c:528
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition route.c:2886
show_routes
void show_routes(int msglev)
Definition route.c:3308
print_route_options
void print_route_options(const struct route_option_list *rol, int level)
Definition route.c:1319
add_route_to_option_list
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric)
Definition route.c:510
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition route.c:1335
copy_route_option_list
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition route.c:173
copy_route_ipv6_option_list
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:180
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2785
clone_route_ipv6_option_list
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:164
new_route_option_list
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition route.c:130
RG_LOCAL
#define RG_LOCAL
Definition route.h:85
RG_BYPASS_DHCP
#define RG_BYPASS_DHCP
Definition route.h:87
ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_SERVICE
Definition route.h:43
ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_IPAPI
Definition route.h:41
ROUTE_METHOD_EXE
#define ROUTE_METHOD_EXE
Definition route.h:42
RG_DEF1
#define RG_DEF1
Definition route.h:86
RG_BYPASS_DNS
#define RG_BYPASS_DNS
Definition route.h:88
RG_ENABLE
#define RG_ENABLE
Definition route.h:84
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:89
ROUTE_METHOD_ADAPTIVE
#define ROUTE_METHOD_ADAPTIVE
Definition route.h:40
RG_AUTO_LOCAL
#define RG_AUTO_LOCAL
Definition route.h:90
RG_BLOCK_LOCAL
#define RG_BLOCK_LOCAL
Definition route.h:91
script_security_set
void script_security_set(int level)
Definition run_command.c:49
run_command.h
SHAPER_MAX
#define SHAPER_MAX
Definition shaper.h:41
SHAPER_MIN
#define SHAPER_MIN
Definition shaper.h:40
throw_signal_soft
void throw_signal_soft(const int signum, const char *signal_text)
Throw a soft global signal.
Definition sig.c:206
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition socket.c:3196
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:226
mac_addr_safe
bool mac_addr_safe(const char *mac_addr)
Definition socket.c:823
proto2ascii_all
const char * proto2ascii_all(struct gc_arena *gc)
Definition socket.c:3217
bind_local
static void bind_local(struct link_socket *sock, const sa_family_t ai_family)
Definition socket.c:1123
ascii2af
sa_family_t ascii2af(const char *proto_name)
Definition socket.c:3183
proto_remote
const char * proto_remote(int proto, bool remote)
Definition socket.c:3257
ipv6_addr_safe
bool ipv6_addr_safe(const char *ipv6_text_addr)
Definition socket.c:770
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket.c:2994
ip_or_dns_addr_safe
bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn)
Definition socket.c:806
ascii2proto
int ascii2proto(const char *proto_name)
Definition socket.c:3170
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket.c:2974
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:195
ip_addr_dotted_quad_safe
bool ip_addr_dotted_quad_safe(const char *dotted_quad)
Definition socket.c:720
proto_is_net
static bool proto_is_net(int proto)
Definition socket.h:576
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition socket.h:586
GETADDR_FATAL
#define GETADDR_FATAL
Definition socket.h:518
PROTO_NONE
@ PROTO_NONE
Definition socket.h:567
PROTO_UDP
@ PROTO_UDP
Definition socket.h:568
PROTO_TCP
@ PROTO_TCP
Definition socket.h:569
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition socket.h:571
PROTO_TCP_SERVER
@ PROTO_TCP_SERVER
Definition socket.h:570
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition socket.h:519
SF_TCP_NODELAY
#define SF_TCP_NODELAY
Definition socket.h:222
RESOLV_RETRY_INFINITE
#define RESOLV_RETRY_INFINITE
Definition socket.h:48
OPENVPN_PORT
#define OPENVPN_PORT
Definition socket.h:42
SF_USE_IP_PKTINFO
#define SF_USE_IP_PKTINFO
Definition socket.h:221
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket.h:597
SF_HOST_RANDOMIZE
#define SF_HOST_RANDOMIZE
Definition socket.h:224
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition socket.h:517
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:372
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition ssl.c:347
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:431
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition ssl.c:366
ssl_get_auth_nocache
bool ssl_get_auth_nocache(void)
Definition ssl.c:357
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1946
ssl.h
Control Channel SSL/Data channel negotiation module.
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:117
KEY_METHOD_2
#define KEY_METHOD_2
Definition ssl.h:119
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition ssl_openssl.c:2646
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition ssl_backend.h:104
TLS_VER_1_0
#define TLS_VER_1_0
Definition ssl_backend.h:106
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition ssl_backend.h:391
TLS_VER_1_2
#define TLS_VER_1_2
Definition ssl_backend.h:108
TLS_VER_1_3
#define TLS_VER_1_3
Definition ssl_backend.h:109
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition ssl_openssl.c:207
SSLF_TLS_VERSION_MAX_SHIFT
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition ssl_common.h:423
SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_OPTIONAL
Definition ssl_common.h:416
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:418
SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition ssl_common.h:415
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:420
SSLF_TLS_DEBUG_ENABLED
#define SSLF_TLS_DEBUG_ENABLED
Definition ssl_common.h:425
SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MAX_MASK
Definition ssl_common.h:424
SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition ssl_common.h:421
SSLF_TLS_VERSION_MIN_MASK
#define SSLF_TLS_VERSION_MIN_MASK
Definition ssl_common.h:422
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition ssl_common.h:417
SSLF_OPT_VERIFY
#define SSLF_OPT_VERIFY
Definition ssl_common.h:419
options_postprocess_setdefault_ncpciphers
void options_postprocess_setdefault_ncpciphers(struct options *o)
Checks for availibility of Chacha20-Poly1305 and sets the ncp_cipher to either AES-256-GCM:AES-128-GC...
Definition ssl_ncp.c:591
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:210
append_cipher_to_ncp_list
void append_cipher_to_ncp_list(struct options *o, const char *ciphername)
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
Definition ssl_ncp.c:198
mutate_ncp_cipher_list
char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
Check whether the ciphers in the supplied list are supported.
Definition ssl_ncp.c:98
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
ssl_verify.h
Control Channel Verification Module.
OPENVPN_KU_REQUIRED
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
Definition ssl_verify.h:235
VERIFY_X509_SUBJECT_DN
#define VERIFY_X509_SUBJECT_DN
Definition ssl_verify.h:65
VERIFY_X509_SUBJECT_RDN
#define VERIFY_X509_SUBJECT_RDN
Definition ssl_verify.h:66
NS_CERT_CHECK_CLIENT
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:232
VERIFY_X509_SUBJECT_RDN_PREFIX
#define VERIFY_X509_SUBJECT_RDN_PREFIX
Definition ssl_verify.h:67
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:230
x509_track_add
void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
Definition ssl_verify_openssl.c:424
argv
Definition argv.h:35
argv::argv
char ** argv
Definition argv.h:39
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
buffer::capacity
int capacity
Size in bytes of memory allocated by malloc().
Definition buffer.h:62
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:68
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
compress_options
Definition comp.h:67
compress_options::flags
unsigned int flags
Definition comp.h:69
compress_options::alg
int alg
Definition comp.h:68
connection_entry
Definition options.h:105
connection_entry::local_list
struct local_list * local_list
Definition options.h:106
connection_entry::tun_mtu_max
int tun_mtu_max
Definition options.h:127
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition options.h:117
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition options.h:176
connection_entry::link_mtu
int link_mtu
Definition options.h:132
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition options.h:133
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition options.h:130
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition options.h:118
connection_entry::bind_local
bool bind_local
Definition options.h:116
connection_entry::mssfix
int mssfix
Definition options.h:142
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition options.h:167
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:172
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition options.h:131
connection_entry::remote
const char * remote
Definition options.h:112
connection_entry::connect_timeout
int connect_timeout
Definition options.h:119
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition options.h:122
connection_entry::mssfix_default
bool mssfix_default
Definition options.h:143
connection_entry::mssfix_encap
bool mssfix_encap
Definition options.h:144
connection_entry::occ_mtu
int occ_mtu
Definition options.h:126
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition options.h:120
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:168
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:163
connection_entry::bind_ipv6_only
bool bind_ipv6_only
Definition options.h:115
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition options.h:129
connection_entry::remote_float
bool remote_float
Definition options.h:113
connection_entry::tls_mtu
int tls_mtu
Definition options.h:134
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:148
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition options.h:123
connection_entry::remote_port
const char * remote_port
Definition options.h:111
connection_entry::fragment_encap
bool fragment_encap
Definition options.h:140
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition options.h:121
connection_entry::fragment
int fragment
Definition options.h:139
connection_entry::mtu_discover_type
int mtu_discover_type
Definition options.h:137
connection_entry::proto
int proto
Definition options.h:107
connection_entry::af
sa_family_t af
Definition options.h:108
connection_entry::tls_auth_file
const char * tls_auth_file
Definition options.h:162
connection_entry::local_port_defined
bool local_port_defined
Definition options.h:110
connection_entry::tun_mtu
int tun_mtu
Definition options.h:125
connection_entry::bind_defined
bool bind_defined
Definition options.h:114
connection_entry::local_port
const char * local_port
Definition options.h:109
connection_entry::key_direction
int key_direction
Definition options.h:164
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:173
connection_entry::flags
unsigned int flags
Definition options.h:159
connection_entry::mssfix_fixed
bool mssfix_fixed
Definition options.h:146
connection_list
Definition options.h:196
connection_list::array
struct connection_entry ** array
Definition options.h:200
connection_list::capacity
int capacity
Definition options.h:197
connection_list::len
int len
Definition options.h:198
dhcp
Definition dhcp.h:53
dns_domain
Definition dns.h:44
dns_domain::next
struct dns_domain * next
Definition dns.h:45
dns_domain::name
const char * name
Definition dns.h:46
dns_options
Definition dns.h:70
dns_options::servers
struct dns_server * servers
Definition dns.h:73
dns_options::gc
struct gc_arena gc
Definition dns.h:74
dns_options::search_domains
struct dns_domain * search_domains
Definition dns.h:71
dns_server_addr::a4
struct in_addr a4
Definition dns.h:52
dns_server_addr::in
union dns_server_addr::@0 in
dns_server_addr::family
sa_family_t family
Definition dns.h:55
dns_server_addr::a6
struct in6_addr a6
Definition dns.h:53
dns_server
Definition dns.h:59
dns_server::addr
struct dns_server_addr addr[8]
Definition dns.h:63
dns_server::dnssec
enum dns_security dnssec
Definition dns.h:65
dns_server::next
struct dns_server * next
Definition dns.h:60
dns_server::priority
long priority
Definition dns.h:61
dns_server::addr_count
size_t addr_count
Definition dns.h:62
dns_server::domains
struct dns_domain * domains
Definition dns.h:64
dns_server::transport
enum dns_server_transport transport
Definition dns.h:66
dns_server::sni
const char * sni
Definition dns.h:67
env_set
Definition env_set.h:42
fragment
Structure for reassembling one incoming fragmented packet.
Definition fragment.h:65
frame
Packet geometry parameters.
Definition mtu.h:98
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:131
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
hash
Definition list.h:57
http_custom_header
Definition proxy.h:38
http_custom_header::name
const char * name
Definition proxy.h:39
http_custom_header::content
const char * content
Definition proxy.h:40
http_proxy_options
Definition proxy.h:44
http_proxy_options::auth_file
const char * auth_file
Definition proxy.h:54
http_proxy_options::http_version
const char * http_version
Definition proxy.h:56
http_proxy_options::port
const char * port
Definition proxy.h:46
http_proxy_options::inline_creds
bool inline_creds
Definition proxy.h:59
http_proxy_options::user_agent
const char * user_agent
Definition proxy.h:57
http_proxy_options::auth_retry
int auth_retry
Definition proxy.h:51
http_proxy_options::auth_method_string
const char * auth_method_string
Definition proxy.h:53
http_proxy_options::nocache
bool nocache
Definition proxy.h:61
http_proxy_options::custom_headers
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
Definition proxy.h:58
http_proxy_options::auth_file_up
const char * auth_file_up
Definition proxy.h:55
http_proxy_options::server
const char * server
Definition proxy.h:45
in_src
Definition options.c:5258
in_src::multiline
struct buffer * multiline
Definition options.c:5264
in_src::u
union in_src::@9 u
in_src::fp
FILE * fp
Definition options.c:5263
in_src::type
int type
Definition options.c:5261
iroute_ipv6
Definition route.h:247
iroute_ipv6::next
struct iroute_ipv6 * next
Definition route.h:250
iroute_ipv6::netbits
unsigned int netbits
Definition route.h:249
iroute_ipv6::network
struct in6_addr network
Definition route.h:248
iroute::network
in_addr_t network
Definition route.h:242
iroute::netbits
int netbits
Definition route.h:243
iroute::next
struct iroute * next
Definition route.h:244
key_type
Definition crypto.h:141
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key_type::digest
const char * digest
Message digest static parameters.
Definition crypto.h:143
local_entry
Definition options.h:98
local_entry::port
const char * port
Definition options.h:100
local_entry::proto
int proto
Definition options.h:101
local_entry::local
const char * local
Definition options.h:99
local_list
Definition options.h:190
local_list::len
int len
Definition options.h:191
local_list::array
struct local_entry * array[CONNECTION_LIST_SIZE]
Definition options.h:192
options_pre_connect
Definition options.h:64
options_pre_connect::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:66
options_pre_connect::routes_defined
bool routes_defined
Definition options.h:68
options_pre_connect::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:87
options_pre_connect::foreign_option_index
int foreign_option_index
Definition options.h:89
options_pre_connect::tuntap_options_defined
bool tuntap_options_defined
Definition options.h:65
options_pre_connect::routes_ipv6_defined
bool routes_ipv6_defined
Definition options.h:71
options_pre_connect::ping_rec_timeout
int ping_rec_timeout
Definition options.h:86
options_pre_connect::routes
struct route_option_list * routes
Definition options.h:69
options_pre_connect::comp
struct compress_options comp
Definition options.h:90
options_pre_connect::ciphername
const char * ciphername
Definition options.h:82
options_pre_connect::dns_options
struct dns_options dns_options
Definition options.h:80
options_pre_connect::route_default_gateway
const char * route_default_gateway
Definition options.h:74
options_pre_connect::ping_send_timeout
int ping_send_timeout
Definition options.h:85
options_pre_connect::authname
const char * authname
Definition options.h:83
options_pre_connect::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:72
options_pre_connect::client_nat_defined
bool client_nat_defined
Definition options.h:77
options_pre_connect::client_nat
struct client_nat_option_list * client_nat
Definition options.h:78
options_pre_connect::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:75
options::resolve_retry_seconds
int resolve_retry_seconds
Definition options.h:365
options::rcvbuf
int rcvbuf
Definition options.h:414
options::resolve_in_advance
bool resolve_in_advance
Definition options.h:366
options::route_nopull
bool route_nopull
Definition options.h:437
options::genkey_extra_data
const char * genkey_extra_data
Definition options.h:284
options::comp
struct compress_options comp
Definition options.h:411
options::http_proxy_override
struct http_proxy_options * http_proxy_override
Definition options.h:307
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition options.h:522
options::proto_force
int proto_force
Definition options.h:330
options::persist_config
bool persist_config
Definition options.h:272
options::connection_list
struct connection_list * connection_list
Definition options.h:289
options::management_port
const char * management_port
Definition options.h:447
options::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:667
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition options.h:325
options::max_routes_per_client
int max_routes_per_client
Definition options.h:535
options::ncp_ciphers_conf
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition options.h:576
options::status_file_version
int status_file_version
Definition options.h:405
options::vlan_accept
enum vlan_acceptable_frames vlan_accept
Definition options.h:712
options::auth_token_renewal
int auth_token_renewal
Definition options.h:544
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition options.h:517
options::tmp_dir
const char * tmp_dir
Definition options.h:466
options::push_peer_info
bool push_peer_info
Definition options.h:681
options::daemon
bool daemon
Definition options.h:389
options::pre_connect
struct options_pre_connect * pre_connect
Definition options.h:560
options::route_default_metric
int route_default_metric
Definition options.h:429
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition options.h:647
options::auth_token_secret_file
const char * auth_token_secret_file
Definition options.h:545
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:722
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition options.h:612
options::crl_file_inline
bool crl_file_inline
Definition options.h:616
options::cryptoapi_cert
const char * cryptoapi_cert
Definition options.h:638
options::down_script
const char * down_script
Definition options.h:384
options::backwards_compatible
unsigned int backwards_compatible
What version we should try to be compatible with as major * 10000 + minor * 100 + patch,...
Definition options.h:266
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition options.h:622
options::scheduled_exit_interval
int scheduled_exit_interval
Definition options.h:562
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition options.h:537
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition options.h:605
options::replay_time
int replay_time
Definition options.h:583
options::push_option_types_found
unsigned int push_option_types_found
Definition options.h:557
options::management_state_buffer_size
int management_state_buffer_size
Definition options.h:451
options::ca_file
const char * ca_file
Definition options.h:593
options::tls_auth_file
const char * tls_auth_file
Definition options.h:662
options::providers
struct provider_list providers
Definition options.h:580
options::duplicate_cn
bool duplicate_cn
Definition options.h:526
options::server_network_ipv6
struct in6_addr server_network_ipv6
Definition options.h:471
options::shaper
int shaper
Definition options.h:328
options::management_echo_buffer_size
int management_echo_buffer_size
Definition options.h:450
options::server_network
in_addr_t server_network
Definition options.h:468
options::show_net_up
bool show_net_up
Definition options.h:694
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition options.h:624
options::allow_pull_fqdn
bool allow_pull_fqdn
Definition options.h:439
options::use_peer_id
bool use_peer_id
Definition options.h:700
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:619
options::server_bridge_defined
bool server_bridge_defined
Definition options.h:481
options::status_file
const char * status_file
Definition options.h:404
options::ssl_flags
unsigned int ssl_flags
Definition options.h:625
options::route_noexec
bool route_noexec
Definition options.h:430
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition options.h:327
options::remote_cert_eku
const char * remote_cert_eku
Definition options.h:620
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition options.h:491
options::server_netmask
in_addr_t server_netmask
Definition options.h:469
options::tls_timeout
int tls_timeout
Definition options.h:641
options::test_crypto
bool test_crypto
Definition options.h:585
options::up_delay
bool up_delay
Definition options.h:387
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition options.h:479
options::allow_recursive_routing
bool allow_recursive_routing
Definition options.h:719
options::authname
const char * authname
Definition options.h:578
options::exit_event_name
const char * exit_event_name
Definition options.h:692
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:323
options::cf_max
int cf_max
Definition options.h:528
options::dh_file_inline
bool dh_file_inline
Definition options.h:597
options::replay_window
int replay_window
Definition options.h:582
options::disable
bool disable
Definition options.h:507
options::mute
int mute
Definition options.h:398
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition options.h:540
options::dev_type
const char * dev_type
Definition options.h:317
options::persist_mode
int persist_mode
Definition options.h:273
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition options.h:493
options::show_digests
bool show_digests
Definition options.h:277
options::up_script
const char * up_script
Definition options.h:383
options::single_session
bool single_session
Definition options.h:679
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition options.h:512
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition options.h:488
options::verify_hash_depth
int verify_hash_depth
Definition options.h:623
options::route_delay_defined
bool route_delay_defined
Definition options.h:433
options::packet_id_file
const char * packet_id_file
Definition options.h:584
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:671
options::management_log_history_cache
int management_log_history_cache
Definition options.h:449
options::server_bridge_netmask
in_addr_t server_bridge_netmask
Definition options.h:483
options::ip_remote_hint
const char * ip_remote_hint
Definition options.h:367
options::vlan_tagging
bool vlan_tagging
Definition options.h:711
options::peer_id
uint32_t peer_id
Definition options.h:701
options::routes
struct route_option_list * routes
Definition options.h:434
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition options.h:490
options::keepalive_timeout
int keepalive_timeout
Definition options.h:341
options::writepid
const char * writepid
Definition options.h:382
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition options.h:344
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition options.h:495
options::fast_io
bool fast_io
Definition options.h:409
options::server_flags
unsigned int server_flags
Definition options.h:477
options::block_outside_dns
bool block_outside_dns
Definition options.h:696
options::push_ifconfig_ipv6_blocked
bool push_ifconfig_ipv6_blocked
Definition options.h:524
options::tls_exit
bool tls_exit
Definition options.h:683
options::pkcs12_file
const char * pkcs12_file
Definition options.h:604
options::client_disconnect_script
const char * client_disconnect_script
Definition options.h:502
options::show_engines
bool show_engines
Definition options.h:278
options::remote_list
struct remote_list * remote_list
Definition options.h:291
options::msg_channel
HANDLE msg_channel
Definition options.h:691
options::key_pass_file
const char * key_pass_file
Definition options.h:275
options::mute_replay_warnings
bool mute_replay_warnings
Definition options.h:581
options::tls_crypt_file
const char * tls_crypt_file
Definition options.h:666
options::inactivity_timeout
int inactivity_timeout
Definition options.h:343
options::n_bcast_buf
int n_bcast_buf
Definition options.h:508
options::handshake_window
int handshake_window
Definition options.h:651
options::server_defined
bool server_defined
Definition options.h:467
options::ifconfig_local
const char * ifconfig_local
Definition options.h:321
options::ce
struct connection_entry ce
Definition options.h:288
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:511
options::push_list
struct push_list push_list
Definition options.h:487
options::user_script_used
bool user_script_used
Definition options.h:385
options::tls_groups
const char * tls_groups
Definition options.h:608
options::show_tls_ciphers
bool show_tls_ciphers
Definition options.h:279
options::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:369
options::route_method
int route_method
Definition options.h:695
options::verify_hash
struct verify_hash_list * verify_hash
Definition options.h:621
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:609
options::renegotiate_packets
int64_t renegotiate_packets
Definition options.h:645
options::management_flags
unsigned int management_flags
Definition options.h:459
options::push_continuation
int push_continuation
Definition options.h:556
options::route_default_gateway
const char * route_default_gateway
Definition options.h:427
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition options.h:515
options::dns_options
struct dns_options dns_options
Definition options.h:312
options::exit_event_initial_state
bool exit_event_initial_state
Definition options.h:693
options::sc_info
struct static_challenge_info sc_info
Definition options.h:565
options::auth_token_call_auth
bool auth_token_call_auth
Definition options.h:542
options::ipchange
const char * ipchange
Definition options.h:315
options::topology
int topology
Definition options.h:320
options::disable_dco
bool disable_dco
Definition options.h:372
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:577
options::genkey
bool genkey
Definition options.h:281
options::learn_address_script
const char * learn_address_script
Definition options.h:503
options::ciphername
const char * ciphername
Definition options.h:572
options::auth_user_pass_file
const char * auth_user_pass_file
Definition options.h:558
options::forward_compatible
bool forward_compatible
Definition options.h:263
options::username
const char * username
Definition options.h:375
options::cf_initial_max
int cf_initial_max
Definition options.h:531
options::stale_routes_check_interval
int stale_routes_check_interval
Definition options.h:536
options::plugin_list
struct plugin_option_list * plugin_list
Definition options.h:462
options::auth_token_lifetime
int auth_token_lifetime
Definition options.h:543
options::vlan_pvid
uint16_t vlan_pvid
Definition options.h:713
options::ns_cert_type
int ns_cert_type
Definition options.h:618
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition options.h:676
options::mode
int mode
Definition options.h:260
options::tls_server
bool tls_server
Definition options.h:591
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition options.h:539
options::connect_retry_max
int connect_retry_max
Definition options.h:287
options::bind_dev
char * bind_dev
Definition options.h:419
options::extra_certs_file
const char * extra_certs_file
Definition options.h:600
options::client
bool client
Definition options.h:554
options::pull
bool pull
Definition options.h:555
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition options.h:497
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition options.h:518
options::show_curves
bool show_curves
Definition options.h:280
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:428
options::tls_client
bool tls_client
Definition options.h:592
options::ping_timer_remote
bool ping_timer_remote
Definition options.h:350
options::auth_token_generate
bool auth_token_generate
Definition options.h:541
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:603
options::tls_verify
const char * tls_verify
Definition options.h:611
options::crl_file
const char * crl_file
Definition options.h:615
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:355
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition options.h:559
options::show_ciphers
bool show_ciphers
Definition options.h:276
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:573
options::real_hash_size
int real_hash_size
Definition options.h:499
options::route_predown_script
const char * route_predown_script
Definition options.h:426
options::dh_file
const char * dh_file
Definition options.h:596
options::route_delay_window
int route_delay_window
Definition options.h:432
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition options.h:513
options::mlock
bool mlock
Definition options.h:338
options::ignore_unknown_option
const char ** ignore_unknown_option
Definition options.h:269
options::sndbuf
int sndbuf
Definition options.h:415
options::foreign_option_index
int foreign_option_index
Definition options.h:688
options::gc
struct gc_arena gc
Definition options.h:251
options::gc_owned
bool gc_owned
Definition options.h:252
options::down_pre
bool down_pre
Definition options.h:386
options::persist_tun
bool persist_tun
Definition options.h:357
options::ca_file_inline
bool ca_file_inline
Definition options.h:594
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition options.h:546
options::block_ipv6
bool block_ipv6
Definition options.h:436
options::config
const char * config
Definition options.h:255
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition options.h:601
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition options.h:516
options::mark
int mark
Definition options.h:418
options::cf_initial_per
int cf_initial_per
Definition options.h:532
options::suppress_timestamps
bool suppress_timestamps
Definition options.h:394
options::force_key_material_export
bool force_key_material_export
Definition options.h:709
options::mtu_test
bool mtu_test
Definition options.h:332
options::iroutes
struct iroute * iroutes
Definition options.h:510
options::verify_x509_type
int verify_x509_type
Definition options.h:613
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:607
options::ecdh_curve
const char * ecdh_curve
Definition options.h:610
options::status_file_update_freq
int status_file_update_freq
Definition options.h:406
options::management_client_user
const char * management_client_user
Definition options.h:453
options::cipher_list
const char * cipher_list
Definition options.h:606
options::ccd_exclusive
bool ccd_exclusive
Definition options.h:506
options::allow_deprecated_insecure_static_crypto
bool allow_deprecated_insecure_static_crypto
Definition options.h:570
options::pull_filter_list
struct pull_filter_list * pull_filter_list
Definition options.h:715
options::management_certificate
const char * management_certificate
Definition options.h:456
options::genkey_filename
const char * genkey_filename
Definition options.h:283
options::x509_track
const struct x509_track * x509_track
Definition options.h:685
options::chroot_dir
const char * chroot_dir
Definition options.h:377
options::log
bool log
Definition options.h:393
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition options.h:569
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition options.h:523
options::ca_path
const char * ca_path
Definition options.h:595
options::renegotiate_seconds
int renegotiate_seconds
Definition options.h:646
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:349
options::sockflags
unsigned int sockflags
Definition options.h:422
options::engine
const char * engine
Definition options.h:579
options::management_addr
const char * management_addr
Definition options.h:446
options::client_connect_script
const char * client_connect_script
Definition options.h:501
options::verify_x509_name
const char * verify_x509_name
Definition options.h:614
options::ping_send_timeout
int ping_send_timeout
Definition options.h:348
options::route_gateway_via_dhcp
bool route_gateway_via_dhcp
Definition options.h:438
options::remote_random
bool remote_random
Definition options.h:314
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition options.h:520
options::tcp_queue_limit
int tcp_queue_limit
Definition options.h:509
options::route_delay
int route_delay
Definition options.h:431
options::dev_node
const char * dev_node
Definition options.h:318
options::client_crresponse_script
const char * client_crresponse_script
Definition options.h:504
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:435
options::machine_readable_output
bool machine_readable_output
Definition options.h:395
options::key_direction
int key_direction
Definition options.h:571
options::server_ipv6_defined
bool server_ipv6_defined
Definition options.h:470
options::priv_key_file
const char * priv_key_file
Definition options.h:602
options::persist_remote_ip
bool persist_remote_ip
Definition options.h:359
options::up_restart
bool up_restart
Definition options.h:388
options::keepalive_ping
int keepalive_ping
Definition options.h:340
options::virtual_hash_size
int virtual_hash_size
Definition options.h:500
options::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:663
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:672
options::groupname
const char * groupname
Definition options.h:376
options::server_bridge_pool_start
in_addr_t server_bridge_pool_start
Definition options.h:484
options::cd_dir
const char * cd_dir
Definition options.h:378
options::client_nat
struct client_nat_option_list * client_nat
Definition options.h:440
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition options.h:521
options::nice
int nice
Definition options.h:396
options::max_clients
int max_clients
Definition options.h:534
options::transition_window
int transition_window
Definition options.h:659
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition options.h:322
options::lladdr
const char * lladdr
Definition options.h:319
options::verbosity
int verbosity
Definition options.h:397
options::session_timeout
int session_timeout
Definition options.h:346
options::cert_file
const char * cert_file
Definition options.h:598
options::enable_c2c
bool enable_c2c
Definition options.h:525
options::server_bridge_pool_end
in_addr_t server_bridge_pool_end
Definition options.h:485
options::cf_per
int cf_per
Definition options.h:529
options::windows_driver
enum tun_driver_type windows_driver
Definition options.h:697
options::cert_file_inline
bool cert_file_inline
Definition options.h:599
options::remap_sigusr1
int remap_sigusr1
Definition options.h:391
options::renegotiate_bytes
int64_t renegotiate_bytes
Definition options.h:644
options::route_script
const char * route_script
Definition options.h:425
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition options.h:489
options::management_user_pass
const char * management_user_pass
Definition options.h:448
options::server_netbits_ipv6
unsigned int server_netbits_ipv6
Definition options.h:472
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition options.h:514
options::occ
bool occ
Definition options.h:443
options::server_bridge_ip
in_addr_t server_bridge_ip
Definition options.h:482
options::shared_secret_file
const char * shared_secret_file
Definition options.h:568
options::ifconfig_noexec
bool ifconfig_noexec
Definition options.h:326
options::dev
const char * dev
Definition options.h:316
options::management_client_group
const char * management_client_group
Definition options.h:454
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition options.h:496
options::client_config_dir
const char * client_config_dir
Definition options.h:505
options::genkey_type
enum genkey_type genkey_type
Definition options.h:282
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition options.h:492
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:324
options::persist_local_ip
bool persist_local_ip
Definition options.h:358
provider_list::names
const char * names[MAX_PARMS]
Definition options.h:213
pull_filter_list
Definition options.c:955
pull_filter_list::tail
struct pull_filter * tail
Definition options.c:957
pull_filter_list::head
struct pull_filter * head
Definition options.c:956
pull_filter
Definition options.c:943
pull_filter::type
int type
Definition options.c:948
pull_filter::size
int size
Definition options.c:949
pull_filter::next
struct pull_filter * next
Definition options.c:951
pull_filter::pattern
char * pattern
Definition options.c:950
push_entry
Definition pushlist.h:29
push_entry::next
struct push_entry * next
Definition pushlist.h:30
push_entry::enable
bool enable
Definition pushlist.h:31
push_entry::option
const char * option
Definition pushlist.h:32
push_list::head
struct push_entry * head
Definition pushlist.h:36
remote_entry
Definition options.h:180
remote_entry::proto
int proto
Definition options.h:183
remote_entry::remote
const char * remote
Definition options.h:181
remote_entry::remote_port
const char * remote_port
Definition options.h:182
remote_entry::af
sa_family_t af
Definition options.h:184
remote_list
Definition options.h:204
remote_list::len
int len
Definition options.h:206
remote_list::array
struct remote_entry ** array
Definition options.h:207
remote_list::capacity
int capacity
Definition options.h:205
route_gateway_info
Definition route.h:146
route_ipv6_gateway_info
Definition route.h:181
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:107
route_option_list::flags
unsigned int flags
Definition route.h:94
static_challenge_info::flags
unsigned int flags
Definition misc.h:96
static_challenge_info::challenge_text
const char * challenge_text
Definition misc.h:98
tuntap_options
Definition tun.h:77
tuntap_options::wins_len
int wins_len
Definition tun.h:119
tuntap_options::dns6
struct in6_addr dns6[N_DHCP_ADDR]
Definition tun.h:143
tuntap_options::nbdd
in_addr_t nbdd[N_DHCP_ADDR]
Definition tun.h:126
tuntap_options::dns_len
int dns_len
Definition tun.h:115
tuntap_options::dns6_len
int dns6_len
Definition tun.h:144
tuntap_options::ntp
in_addr_t ntp[N_DHCP_ADDR]
Definition tun.h:122
tuntap_options::ntp_len
int ntp_len
Definition tun.h:123
tuntap_options::wins
in_addr_t wins[N_DHCP_ADDR]
Definition tun.h:118
tuntap_options::tap_sleep
int tap_sleep
Definition tun.h:99
tuntap_options::dhcp_lease_time
int dhcp_lease_time
Definition tun.h:96
tuntap_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition tun.h:114
tuntap_options::netbios_scope
const char * netbios_scope
Definition tun.h:107
tuntap_options::nbdd_len
int nbdd_len
Definition tun.h:127
tuntap_options::ip_win32_defined
bool ip_win32_defined
Definition tun.h:79
tuntap_options::dhcp_masq_custom_offset
bool dhcp_masq_custom_offset
Definition tun.h:94
tuntap_options::domain
const char * domain
Definition tun.h:105
tuntap_options::domain_search_list_len
int domain_search_list_len
Definition tun.h:133
tuntap_options::dhcp_renew
bool dhcp_renew
Definition tun.h:138
tuntap_options::domain_search_list
const char * domain_search_list[N_SEARCH_LIST_LEN]
Definition tun.h:132
tuntap_options::dhcp_masq_offset
int dhcp_masq_offset
Definition tun.h:95
tuntap_options::netbios_node_type
int netbios_node_type
Definition tun.h:109
tuntap_options::ip_win32_type
int ip_win32_type
Definition tun.h:87
tuntap_options::dhcp_pre_release
bool dhcp_pre_release
Definition tun.h:139
tuntap_options::register_dns
bool register_dns
Definition tun.h:141
tuntap_options::disable_nbt
bool disable_nbt
Definition tun.h:136
tuntap_options::dhcp_options
int dhcp_options
Definition tun.h:103
tuntap
Definition tun.h:181
verify_hash_list
Definition options.h:241
verify_hash_list::next
struct verify_hash_list * next
Definition options.h:245
verify_hash_list::hash
uint8_t hash[SHA256_DIGEST_LENGTH]
Definition options.h:244
sa_family_t
unsigned short sa_family_t
Definition syshead.h:395
sleep
#define sleep(x)
Definition syshead.h:43
es
struct env_set * es
Definition test_pkcs11.c:141
pkcs11_id_management
static bool pkcs11_id_management
Definition test_pkcs11.c:136
gc
struct gc_arena gc
Definition test_ssl.c:155
ipconfig_register_dns
void ipconfig_register_dns(const struct env_set *es)
Definition tun.c:5269
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:467
dhcp_renew_by_adapter_index
bool dhcp_renew_by_adapter_index(const DWORD adapter_index)
Definition tun.c:5203
ascii2ipset
int ascii2ipset(const char *name)
Definition tun.c:7009
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:794
show_tap_win_adapters
void show_tap_win_adapters(int msglev, int warnlev)
Definition tun.c:4157
show_adapters
void show_adapters(int msglev)
Definition tun.c:5012
dhcp_release_by_adapter_index
bool dhcp_release_by_adapter_index(const DWORD adapter_index)
Definition tun.c:5163
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:486
tap_allow_nonadmin_access
void tap_allow_nonadmin_access(const char *dev_node)
Definition tun.c:5061
dhcp_renew
static bool dhcp_renew(const struct tuntap *tt)
Definition tun.c:5229
ifconfig_options_string
const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc)
Definition tun.c:653
ipset2ascii_all
const char * ipset2ascii_all(struct gc_arena *gc)
Definition tun.c:7038
show_valid_win32_tun_subnets
void show_valid_win32_tun_subnets(void)
Definition tun.c:4124
print_tun_backend_driver
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:59
IPW32_SET_NETSH
#define IPW32_SET_NETSH
Definition tun.h:82
IPW32_SET_ADAPTIVE
#define IPW32_SET_ADAPTIVE
Definition tun.h:85
DHCP_OPTIONS_DHCP_REQUIRED
#define DHCP_OPTIONS_DHCP_REQUIRED
Definition tun.h:75
N_SEARCH_LIST_LEN
#define N_SEARCH_LIST_LEN
Definition tun.h:129
IPW32_SET_DHCP_MASQ
#define IPW32_SET_DHCP_MASQ
Definition tun.h:84
IPW32_SET_MANUAL
#define IPW32_SET_MANUAL
Definition tun.h:81
tun_driver_type
tun_driver_type
Definition tun.h:45
WINDOWS_DRIVER_WINTUN
@ WINDOWS_DRIVER_WINTUN
Definition tun.h:48
WINDOWS_DRIVER_UNSPECIFIED
@ WINDOWS_DRIVER_UNSPECIFIED
Definition tun.h:46
WINDOWS_DRIVER_TAP_WINDOWS6
@ WINDOWS_DRIVER_TAP_WINDOWS6
Definition tun.h:47
DRIVER_DCO
@ DRIVER_DCO
Definition tun.h:55
IPW32_SET_ADAPTIVE_DELAY_WINDOW
#define IPW32_SET_ADAPTIVE_DELAY_WINDOW
Definition tun.h:70
N_DHCP_ADDR
#define N_DHCP_ADDR
Definition tun.h:111
DHCP_OPTIONS_DHCP_OPTIONAL
#define DHCP_OPTIONS_DHCP_OPTIONAL
Definition tun.h:74
win_get_tempdir
const char * win_get_tempdir(void)
Definition win32-util.c:152
set_win_sys_path
void set_win_sys_path(const char *newpath, struct env_set *es)
Definition win32.c:1120
win32_version_string
const char * win32_version_string(struct gc_arena *gc, bool add_name)
Definition win32.c:1424
set_pause_exit_win32
void set_pause_exit_win32(void)
Definition win32.c:146
xkey_common.h
Generated by doxygen 1.9.8