OpenVPN
options.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2025 David Sommerseth <dazo@eurephia.org>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 */
24
25/*
26 * 2004-01-28: Added Socks5 proxy support
27 * (Christof Meerwald, http://cmeerw.org)
28 */
29
30#ifdef HAVE_CONFIG_H
31#include "config.h"
32#endif
33#ifdef HAVE_CONFIG_VERSION_H
34#include "config-version.h"
35#endif
36
37#include "syshead.h"
38
39#include "buffer.h"
40#include "error.h"
41#include "common.h"
42#include "run_command.h"
43#include "shaper.h"
44#include "crypto.h"
45#include "ssl.h"
46#include "ssl_ncp.h"
47#include "options.h"
48#include "misc.h"
49#include "socket.h"
50#include "packet_id.h"
51#include "pkcs11.h"
52#include "win32.h"
53#include "push.h"
54#include "pool.h"
55#include "proto.h"
56#include "helper.h"
57#include "manage.h"
58#include "forward.h"
59#include "ssl_verify.h"
60#include "platform.h"
61#include "xkey_common.h"
62#include "dco.h"
63#include "options_util.h"
64
65#include <ctype.h>
66
67#include "memdbg.h"
68
69const char title_string[] =
70 PACKAGE_STRING
71#ifdef CONFIGURE_GIT_REVISION
72 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
73#endif
74 " " TARGET_ALIAS
75#if defined(ENABLE_CRYPTO_MBEDTLS)
76 " [SSL (mbed TLS)]"
77#elif defined(ENABLE_CRYPTO_OPENSSL)
78 " [SSL (OpenSSL)]"
79#else
80 " [SSL]"
81#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
82#ifdef USE_COMP
83#ifdef ENABLE_LZO
84 " [LZO]"
85#endif
86#ifdef ENABLE_LZ4
87 " [LZ4]"
88#endif
89#ifdef ENABLE_COMP_STUB
90 " [COMP_STUB]"
91#endif
92#endif /* USE_COMP */
93#if EPOLL
94 " [EPOLL]"
95#endif
96#ifdef PRODUCT_TAP_DEBUG
97 " [TAPDBG]"
98#endif
99#ifdef ENABLE_PKCS11
100 " [PKCS11]"
101#endif
102#if ENABLE_IP_PKTINFO
103#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
104 " [MH/PKTINFO]"
105#elif defined(IP_RECVDSTADDR)
106 " [MH/RECVDA]"
107#endif
108#endif
109 " [AEAD]"
110#ifdef ENABLE_DCO
111 " [DCO]"
112#endif
113#ifdef CONFIGURE_GIT_REVISION
114 " built on " __DATE__
115#endif
116;
117
118#ifndef ENABLE_SMALL
119
120static const char usage_message[] =
121 "%s\n"
122 "\n"
123 "General Options:\n"
124 "--config file : Read configuration options from file.\n"
125 "--help : Show options.\n"
126 "--version : Show copyright and version information.\n"
127 "\n"
128 "Tunnel Options:\n"
129 "--local host|* [port]: Local host name or IP address and port for bind.\n"
130 " If specified, OpenVPN will bindto this address. If unspecified,\n"
131 " OpenVPN will bind to all interfaces. '*' can be used as hostname\n"
132 " and means 'any host' (OpenVPN will listen on what is returned by the OS).\n"
133 " On a client, or in point-to-point mode, this can only be specified once (1 socket).\n"
134 " On an OpenVPN setup running as ``--server``, this can be specified multiple times\n"
135 " to open multiple listening sockets on different addresses and/or different ports.\n"
136 " In order to specify multiple listen ports without specifying an address, use '*'\n"
137 " to signal 'use what the operating system gives you as default', for\n"
138 " 'all IPv4 addresses' use '0.0.0.0', for 'all IPv6 addresses' use '::'.\n"
139 " ``--local`` implies ``--bind``.\n"
140 "--remote host [port] : Remote host name or ip address.\n"
141 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
142 "--remote-random-hostname : Add a random string to remote DNS name.\n"
143 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
144 "--proto p : Use protocol p for communicating with peer.\n"
145 " p = udp (default), tcp-server, tcp-client\n"
146 " udp4, tcp4-server, tcp4-client\n"
147 " udp6, tcp6-server, tcp6-client\n"
148 "--proto-force p : only consider protocol p in list of connection profiles.\n"
149 " p = udp or tcp\n"
150 "--connect-retry n [m] : For client, number of seconds to wait between\n"
151 " connection retries (default=%d). On repeated retries\n"
152 " the wait time is exponentially increased to a maximum of m\n"
153 " (default=%d).\n"
154 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
155 "--http-proxy s p [up] [auth] : Connect to remote host\n"
156 " through an HTTP proxy at address s and port p.\n"
157 " If proxy authentication is required,\n"
158 " up is a file containing username/password on 2 lines, or\n"
159 " 'stdin' to prompt from console. Add auth='ntlm2' if\n"
160 " the proxy requires NTLM authentication.\n"
161 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
162 " determine auth method and query for username/password\n"
163 " if needed. auto-nct disables weak proxy auth methods.\n"
164 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
165 " Repeat to set multiple options.\n"
166 " VERSION version (default=1.0)\n"
167 " AGENT user-agent\n"
168 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
169 " address s and port p (default port = 1080).\n"
170 " If proxy authentication is required,\n"
171 " up is a file containing username/password on 2 lines, or\n"
172 " 'stdin' to prompt for console.\n"
173 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
174 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
175 " resolve for n seconds before failing (disabled by default).\n"
176 " Set n=\"infinite\" to retry indefinitely.\n"
177 "--float : Allow remote to change its IP address/port, such as through\n"
178 " DHCP (this is the default if --remote is not used).\n"
179 "--ipchange cmd : Run command cmd on remote ip address initial\n"
180 " setting or change -- execute as: cmd ip-address port#\n"
181 "--port port : TCP/UDP port # for both local and remote.\n"
182 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
183 "--rport port : TCP/UDP port # for remote (default=%s).\n"
184 "--bind : Bind to local address and port. (This is the default unless\n"
185 " --proto tcp-client"
186 " or --http-proxy"
187 " or --socks-proxy"
188 " is used).\n"
189 "--nobind : Do not bind to local address and port.\n"
190 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
191 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
192 " this option only if the tun/tap device used with --dev\n"
193 " does not begin with \"tun\" or \"tap\".\n"
194 "--dev-node node : Explicitly set the device node rather than using\n"
195 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
196#if defined(ENABLE_DCO)
197 "--disable-dco : Do not attempt using Data Channel Offload.\n"
198#endif
199 "--lladdr hw : Set the link layer address of the tap device.\n"
200 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
201#ifdef ENABLE_IPROUTE
202 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
203#endif
204 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
205 " endpoint and rn as a remote endpoint. l & rn should be\n"
206 " swapped on the other peer. l & rn must be private\n"
207 " addresses outside of the subnets used by either peer.\n"
208 " TAP: configure device to use IP address l as a local\n"
209 " endpoint and rn as a subnet mask.\n"
210 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
211 " endpoint (as a /64) and r as remote endpoint\n"
212 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
213 " pass --ifconfig parms by environment to scripts.\n"
214 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
215 " connection doesn't match the remote side.\n"
216#ifdef TARGET_LINUX
217 "--route-table table_id : Specify a custom routing table for use with --route(-ipv6).\n"
218 " If not specified, the id of the default routing table will be used.\n"
219#endif
220 "--route network [netmask] [gateway] [metric] :\n"
221 " Add route to routing table after connection\n"
222 " is established. Multiple routes can be specified.\n"
223 " netmask default: 255.255.255.255\n"
224 " gateway default: taken from --route-gateway or --ifconfig\n"
225 " Specify default by leaving blank or setting to \"default\".\n"
226 "--route-ipv6 network/bits [gateway] [metric] :\n"
227 " Add IPv6 route to routing table after connection\n"
228 " is established. Multiple routes can be specified.\n"
229 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
230 " in --ifconfig-ipv6\n"
231 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
232 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
233 "--route-metric m : Specify a default metric for use with --route.\n"
234 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
235 " adding routes (may be 0). If not specified, routes will\n"
236 " be added immediately after tun/tap open. On Windows, wait\n"
237 " up to w seconds for TUN/TAP adapter to come up.\n"
238 "--route-up cmd : Run command cmd after routes are added.\n"
239 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
240 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
241 " --route-up script using environmental variables.\n"
242 "--route-nopull : When used with --client or --pull, accept options pushed\n"
243 " by server EXCEPT for routes, dns, and dhcp options.\n"
244 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
245 " --ifconfig, --route, and --route-gateway.\n"
246 "--redirect-gateway [flags]: Automatically execute routing\n"
247 " commands to redirect all outgoing IP traffic through the\n"
248 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
249 " connected via a common subnet, such as with WiFi.\n"
250 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
251 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
252 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
253 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
254 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
255 " the default gateway. Useful when pushing private subnets.\n"
256 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
257 " ICMPv6 host unreachable messages on the client.\n"
258 " (Server) Instead of forwarding IPv6 packets send\n"
259 " ICMPv6 host unreachable packets to the client.\n"
260 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
261 "--push-peer-info : (client only) push client info to server.\n"
262 "--setenv name value : Set a custom environmental variable to pass to script.\n"
263 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
264 " directives for future OpenVPN versions to be ignored.\n"
265 "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
266 " these options to be ignored when unknown\n"
267 "--script-security level: Where level can be:\n"
268 " 0 -- strictly no calling of external programs\n"
269 " 1 -- (default) only call built-ins such as ifconfig\n"
270 " 2 -- allow calling of built-ins and scripts\n"
271 " 3 -- allow password to be passed to scripts via env\n"
272 "--shaper n : Restrict output to peer to n bytes per second.\n"
273 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
274 " ping once every n seconds, restart if ping not received\n"
275 " for m seconds.\n"
276 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
277 " produces a combined in/out byte count < bytes.\n"
278 "--session-timeout n: Limit connection time to n seconds.\n"
279 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
280 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
281 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
282 " remote address.\n"
283 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
284#if ENABLE_IP_PKTINFO
285 "--multihome : Configure a multi-homed UDP server.\n"
286#endif
287 "--fast-io : Optimize TUN/TAP/UDP writes.\n"
288 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
289 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
290 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
291 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
292#if PASSTOS_CAPABILITY
293 "--passtos : TOS passthrough (applies to IPv4 only).\n"
294#endif
295 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
296 " TCP/UDP MTU from it (default=%d).\n"
297 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
298 " as n bytes more than the tun-mtu size on read\n"
299 " (default TUN=0 TAP=%d).\n"
300 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
301 " from it.\n"
302 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
303 " 'no' -- Never send DF (Don't Fragment) frames\n"
304 " 'maybe' -- Use per-route hints\n"
305 " 'yes' -- Always DF (Don't Fragment)\n"
306 "--mtu-test : Empirically measure and report MTU.\n"
307#ifdef ENABLE_FRAGMENT
308 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
309 " datagrams are sent which are larger than max bytes.\n"
310 " Adds 4 bytes of overhead per datagram.\n"
311#endif
312 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
313 " or --fragment max value, whichever is lower.\n"
314 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
315 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
316#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
317 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
318 " can be matched in policy routing and packetfilter rules.\n"
319 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
320 " listening for connections. This allows sending encrypted packets\n"
321 " via a VRF present on the system.\n"
322#endif
323 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
324#ifdef ENABLE_MEMSTATS
325 "--memstats file : Write live usage stats to memory mapped binary file.\n"
326#endif
327 "--mlock : Disable Paging -- ensures key material and tunnel\n"
328 " data will never be written to disk.\n"
329 "--up cmd : Run command cmd after successful tun device open.\n"
330 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
331 " ifconfig-local-ip ifconfig-remote-ip\n"
332 " (pre --user or --group UID/GID change)\n"
333 "--up-delay : Delay tun/tap open and possible --up script execution\n"
334 " until after TCP/UDP connection establishment with peer.\n"
335 "--down cmd : Run command cmd after tun device close.\n"
336 " (post --user/--group UID/GID change and/or --chroot)\n"
337 " (command parameters are same as --up option)\n"
338 "--down-pre : Run --down command before TUN/TAP close.\n"
339 "--up-restart : Run up/down commands for all restarts including those\n"
340 " caused by --ping-restart or SIGUSR1\n"
341 "--user user : Set UID to user after initialization.\n"
342 "--group group : Set GID to group after initialization.\n"
343 "--chroot dir : Chroot to this directory after initialization.\n"
344#ifdef ENABLE_SELINUX
345 "--setcon context: Apply this SELinux context after initialization.\n"
346#endif
347 "--cd dir : Change to this directory before initialization.\n"
348 "--daemon [name] : Become a daemon after initialization.\n"
349 " The optional 'name' parameter will be passed\n"
350 " as the program name to the system logger.\n"
351 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
352 " See --daemon above for a description of the 'name' parm.\n"
353 "--log file : Output log to file which is created/truncated on open.\n"
354 "--log-append file : Append log to file, or create file if nonexistent.\n"
355 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
356 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
357 "--writepid file : Write main process ID to file.\n"
358 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
359 "--echo [parms ...] : Echo parameters to log output.\n"
360 "--verb n : Set output verbosity to n (default=%d):\n"
361 " (Level 3 is recommended if you want a good summary\n"
362 " of what's happening without being swamped by output).\n"
363 " : 0 -- no output except fatal errors\n"
364 " : 1 -- startup info + connection initiated messages +\n"
365 " non-fatal encryption & net errors\n"
366 " : 2,3 -- show TLS negotiations & route info\n"
367 " : 4 -- show parameters\n"
368 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
369 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
370 " : 6 to 11 -- debug messages of increasing verbosity\n"
371 "--mute n : Log at most n consecutive messages in the same category.\n"
372 "--status file [n] : Write operational status to file every n seconds.\n"
373 "--status-version [n] : Choose the status file format version number.\n"
374 " Currently, n can be 1, 2, or 3 (default=1).\n"
375 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
376#ifdef ENABLE_DEBUG
377 "--gremlin mask : Special stress testing mode (for debugging only).\n"
378#endif
379#if defined(USE_COMP)
380 "--compress alg : Use compression algorithm alg\n"
381 "--allow-compression: Specify whether compression should be allowed\n"
382#if defined(ENABLE_LZO)
383 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
384 " packet for incompressible data.\n"
385 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
386 " is specified.\n"
387#endif
388#endif
389#ifdef ENABLE_MANAGEMENT
390 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
391 " management functions. pass is a password file\n"
392 " or 'stdin' to prompt from console.\n"
393#if UNIX_SOCK_SUPPORT
394 " To listen on a unix domain socket, specific the pathname\n"
395 " in place of ip and use 'unix' as the port number.\n"
396#endif
397 "--management-client : Management interface will connect as a TCP client to\n"
398 " ip/port rather than listen as a TCP server.\n"
399 "--management-query-passwords : Query management channel for private key\n"
400 " and auth-user-pass passwords.\n"
401 "--management-query-proxy : Query management channel for proxy information.\n"
402 "--management-query-remote : Query management channel for --remote directive.\n"
403 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
404 " of the management interface explicitly starts it.\n"
405 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
406 "--management-forget-disconnect : Forget passwords when management disconnect\n"
407 " event occurs.\n"
408 "--management-up-down : Report tunnel up/down events to management interface.\n"
409 "--management-log-cache n : Cache n lines of log file history for usage\n"
410 " by the management channel.\n"
411#if UNIX_SOCK_SUPPORT
412 "--management-client-user u : When management interface is a unix socket, only\n"
413 " allow connections from user u.\n"
414 "--management-client-group g : When management interface is a unix socket, only\n"
415 " allow connections from group g.\n"
416#endif
417 "--management-client-auth : gives management interface client the responsibility\n"
418 " to authenticate clients after their client certificate\n"
419 " has been verified.\n"
420#endif /* ifdef ENABLE_MANAGEMENT */
421#ifdef ENABLE_PLUGIN
422 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
423 " to its initialization function.\n"
424#endif
425 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
426 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
427 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
428 "\n"
429 "Multi-Client Server options (when --mode server is used):\n"
430 "--server network netmask : Helper option to easily configure server mode.\n"
431 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
432 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
433 " easily configure ethernet bridging server mode.\n"
434 "--push \"option\" : Push a config file option back to the peer for remote\n"
435 " execution. Peer must specify --pull in its config file.\n"
436 "--push-reset : Don't inherit global push list for specific\n"
437 " client instance.\n"
438 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
439 " a specific client instance.\n"
440 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
441 " to be dynamically allocated to connecting clients.\n"
442 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
443 " data to file, at seconds intervals (default=600).\n"
444 " If seconds=0, file will be treated as read-only.\n"
445 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
446 " to be dynamically allocated to connecting clients.\n"
447 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
448 " overrides --ifconfig-pool dynamic allocation.\n"
449 " Only valid in a client-specific config file.\n"
450 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
451 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
452 " Only valid in a client-specific config file.\n"
453 "--iroute network [netmask] : Route subnet to client.\n"
454 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
455 " Sets up internal routes only.\n"
456 " Only valid in a client-specific config file.\n"
457 "--disable : Client is disabled.\n"
458 " Only valid in a client-specific config file.\n"
459 "--override-username: Overrides the client-specific username to be used.\n"
460 " Only valid in a client-specific config file.\n"
461 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
462 " mandatory client certificate verification.\n"
463 " Default is to require the client to supply a certificate.\n"
464 "--username-as-common-name : For auth-user-pass authentication, use\n"
465 " the authenticated username as the common name,\n"
466 " rather than the common name from the client cert.\n"
467 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
468 " run command cmd to verify. If method='via-env', pass\n"
469 " user/pass via environment, if method='via-file', pass\n"
470 " user/pass via temporary file.\n"
471 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
472 " to each client, replacing the password. Useful when\n"
473 " OTP based two-factor auth mechanisms are in use and\n"
474 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
475 " for generated tokens can be set.\n"
476 "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
477 " with those of the server will be disconnected.\n"
478 "--auth-user-pass-optional : Allow connections by clients that don't\n"
479 " specify a username/password.\n"
480 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
481 " any printable character.\n"
482 "--client-to-client : Internally route client-to-client traffic.\n"
483 "--duplicate-cn : Allow multiple clients with the same common name to\n"
484 " concurrently connect.\n"
485 "--client-connect cmd : Run command cmd on client connection.\n"
486 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
487 "--client-config-dir dir : Directory for custom client config files.\n"
488 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
489 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
490 "--hash-size r v : Set the size of the real address hash table to r and the\n"
491 " virtual address table to v.\n"
492 "--bcast-buffers n : Allocate n broadcast buffers.\n"
493 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
494 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
495 " as well as pushes it to connecting clients.\n"
496 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
497 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
498 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
499 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
500 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
501 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
502 " older than n seconds. Run this check every t\n"
503 " seconds (defaults to n).\n"
504 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
505 " clients. n = 1 - reconnect to same server,\n"
506 " 2 - advance to next server, default=1.\n"
507#if PORT_SHARE
508 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
509 " sessions to a web server at host:port. dir specifies an\n"
510 " optional directory to write origin IP:port data.\n"
511#endif
512 "\n"
513 "Client options (when connecting to a multi-client server):\n"
514 "--client : Helper option to easily configure client mode.\n"
515 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
516 " up is a file containing the username on the first line,\n"
517 " and a password on the second. If either the password or both\n"
518 " the username and the password are omitted OpenVPN will prompt\n"
519 " for them from console.\n"
520 "--pull : Accept certain config file options from the peer as if they\n"
521 " were part of the local config file. Must be specified\n"
522 " when connecting to a '--mode server' remote host.\n"
523 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
524 " server if it starts with the text t. The action flag accept,\n"
525 " ignore or reject causes the option to be allowed, removed or\n"
526 " rejected with error. May be specified multiple times, and\n"
527 " each filter is applied in the order of appearance.\n"
528 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
529 " Valid options are :\n"
530 " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
531 " resolve-domains <domain> [domain ...] : split domains\n"
532 " dnssec <yes|no|optional> : option to use DNSSEC\n"
533 " transport <DoH|DoT> : query server over HTTPS / TLS\n"
534 " sni <domain> : DNS server name indication\n"
535 "--dns search-domains <domain> [domain ...]:\n"
536 " Add domains to DNS domain search list\n"
537 "--dns-updown cmd|force|disable : Run cmd as user defined dns config command,\n"
538 " force running the default script or disable running it.\n"
539 "--auth-retry t : How to handle auth failures. Set t to\n"
540 " none (default), interact, or nointeract.\n"
541 "--static-challenge t e [<scrv1|concat>]: Enable static challenge/response protocol using\n"
542 " challenge text t, with e indicating echo flag (0|1)\n"
543 " and optional argument scrv1 or concat to use SCRV1 protocol or"
544 " concatenate response with password. Default is scrv1.\n"
545 "--connect-timeout n : when polling possible remote servers to connect to\n"
546 " in a round-robin fashion, spend no more than n seconds\n"
547 " waiting for a response before trying the next server.\n"
548 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
549 " incoming tun packets with same destination as host.\n"
550 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
551 " server/remote. n = # of retries, default=1.\n"
552 "\n"
553 "Data Channel Encryption Options (must be compatible between peers):\n"
554 "(These options are meaningful for both Static Key & TLS-mode)\n"
555 "--auth alg : Authenticate packets with HMAC using message\n"
556 " digest algorithm alg (default=%s).\n"
557 " (usually adds 16 or 20 bytes per packet)\n"
558 " Set alg=none to disable authentication.\n"
559 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
560 " You should usually use --data-ciphers instead.\n"
561 " Set alg=none to disable encryption.\n"
562 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
563#ifndef ENABLE_CRYPTO_MBEDTLS
564 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
565#endif
566 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
567 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
568 " and a time window of t seconds.\n"
569 " Default n=%d t=%d\n"
570 "--replay-persist file : Persist replay-protection state across sessions\n"
571 " using file.\n"
572 "--test-crypto : Run a self-test of crypto features enabled.\n"
573 " For debugging only.\n"
574#ifdef ENABLE_PREDICTION_RESISTANCE
575 "--use-prediction-resistance: Enable prediction resistance on the random\n"
576 " number generator.\n"
577#endif
578 "\n"
579 "TLS Key Negotiation Options:\n"
580 "(These options are meaningful only for TLS-mode)\n"
581 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
582 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
583 "--ca file : Certificate authority file in .pem format containing\n"
584 " root certificate.\n"
585#ifndef ENABLE_CRYPTO_MBEDTLS
586 "--capath dir : A directory of trusted certificates (CAs"
587 " and CRLs).\n"
588#endif /* ENABLE_CRYPTO_MBEDTLS */
589 "--dh file : File containing Diffie Hellman parameters\n"
590 " in .pem format (for --tls-server only).\n"
591 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
592 "--cert file : Local certificate in .pem format or a URI -- must be signed\n"
593 " by a Certificate Authority in --ca file used by the peer.\n"
594 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
595 "--key file : Local private key in .pem format or a URI.\n"
596 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
597 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
598 " is specified, require max TLS version supported by SSL implementation.\n"
599 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
600#ifndef ENABLE_CRYPTO_MBEDTLS
601 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
602 " and optionally the root CA certificate.\n"
603#endif
604#ifdef ENABLE_X509ALTUSERNAME
605 "--x509-username-field : Field in x509 certificate containing the username.\n"
606 " Default is CN in the Subject field.\n"
607#endif
608 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
609 " Valid algo flags are SHA1 and SHA256. \n"
610#ifdef _WIN32
611 "--cryptoapicert select-string : Load the certificate and private key from the\n"
612 " Windows Certificate System Store.\n"
613#endif
614 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
615 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
616 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
617 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
618 " (default=legacy).\n"
619 "--providers l : A list l of OpenSSL providers to load.\n"
620 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
621 " if no ACK from remote within n seconds (default=%d).\n"
622 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
623 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
624 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
625 " and at least min (defaults to 90%% of max on servers and equal\n"
626 " to max on clients).\n"
627 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
628 " of handshake initiation by any peer (default=%d).\n"
629 "--tran-window n : Transition window -- old key can live this many seconds\n"
630 " after new key renegotiation begins (default=%d).\n"
631 "--single-session: Allow only one session (reset state on restart).\n"
632 "--tls-exit : Exit on TLS negotiation failure.\n"
633 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
634 " control channel to protect against attacks on the TLS stack\n"
635 " and DoS attacks.\n"
636 " f (required) is a shared-secret key file.\n"
637 " The optional d parameter controls key directionality.\n"
638 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
639 " of the TLS control channel to hide the TLS certificate,\n"
640 " provide basic post-quantum security and protect against\n"
641 " attacks on the TLS stack and DoS attacks.\n"
642 " key (required) provides the pre-shared key file.\n"
643 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
644 " For servers: use key to decrypt client-specific keys. For\n"
645 " key generation (--genkey tls-crypt-v2-client): use key to\n"
646 " encrypt generated client-specific key. (See --tls-crypt.)\n"
647 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
648 " fresh tls-crypt-v2 client key, and store to\n"
649 " keyfile. If supplied, include metadata in wrapped key.\n"
650 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
651 " fresh tls-crypt-v2 server key, and store to keyfile\n"
652 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
653 " client-supplied tls-crypt-v2 client key\n"
654 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
655 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
656 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
657 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
658 " pending TLS connection that has otherwise passed all other\n"
659 " tests of certification. cmd should return 0 to allow\n"
660 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
661 " executed as 'cmd certificate_depth subject')\n"
662 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
663 " DN name. The remote host must also pass all other tests\n"
664 " of verification.\n"
665#ifndef ENABLE_CRYPTO_MBEDTLS
666 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
667 " an explicit nsCertType designation t = 'client' | 'server'.\n"
668#endif
669 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
670 " plugins and management interface.\n"
671 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
672 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
673 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
674 " explicit key usage, you can specify more than one value.\n"
675 " value should be given in hex format.\n"
676 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
677 " explicit extended key usage. Extended key usage can be encoded\n"
678 " as an object identifier or OpenSSL string representation.\n"
679 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
680 " key usage and extended key usage based on RFC3280 TLS rules.\n"
681 " t = 'client' | 'server'.\n"
682#ifdef ENABLE_PKCS11
683 "\n"
684 "PKCS#11 Options:\n"
685 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
686 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
687 " path. Set for each provider.\n"
688 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
689 " 0 : Try to determine automatically (default).\n"
690 " 1 : Use Sign.\n"
691 " 2 : Use SignRecover.\n"
692 " 4 : Use Decrypt.\n"
693 " 8 : Use Unwrap.\n"
694 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
695 " certificate can be accessed. Set for each provider.\n"
696 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
697 " cache until token is removed.\n"
698 "--pkcs11-id-management : Acquire identity from management interface.\n"
699 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
700#endif /* ENABLE_PKCS11 */
701 "\n"
702 "SSL Library information:\n"
703 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
704 "--show-digests : Show message digest algorithms to use with --auth option.\n"
705 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
706 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
707#ifdef _WIN32
708 "\n"
709 "Windows Specific:\n"
710 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
711 " from SystemRoot environment variable.\n"
712 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
713 " IP address using method = manual, netsh, ipapi,\n"
714 " dynamic, or adaptive (default = adaptive).\n"
715 " Dynamic method allows two optional parameters:\n"
716 " offset: DHCP server address offset (> -256 and < 256).\n"
717 " If 0, use network address, if >0, take nth\n"
718 " address forward from network address, if <0,\n"
719 " take nth address backward from broadcast\n"
720 " address.\n"
721 " Default is 0.\n"
722 " lease-time: Lease time in seconds.\n"
723 " Default is one year.\n"
724 "--route-method : Which method to use for adding routes on Windows?\n"
725 " adaptive (default) -- Try ipapi then fall back to exe.\n"
726 " ipapi -- Use IP helper API.\n"
727 " exe -- Call the route.exe shell command.\n"
728 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
729 " be used with --ip-win32 dynamic. For options\n"
730 " which allow multiple addresses,\n"
731 " --dhcp-option must be repeated.\n"
732 " DOMAIN name : Set DNS suffix\n"
733 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
734 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
735 " NTP : Set NTP server address(es)\n"
736 " NBDD : Set NBDD server address(es)\n"
737 " WINS addr : Set WINS server address(es)\n"
738 " NBT type : Set NetBIOS over TCP/IP Node type\n"
739 " 1: B, 2: P, 4: M, 8: H\n"
740 " NBS id : Set NetBIOS scope ID\n"
741 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
742 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
743 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
744 " startup.\n"
745 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
746 " on connection initiation.\n"
747 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
748 " attempting to set adapter properties.\n"
749 "--pause-exit : When run from a console window, pause before exiting.\n"
750 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
751 " service, and should not be used directly by end-users.\n"
752 " ex is the name of an event object which, when\n"
753 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
754 " optional parameter controls the initial state of ex.\n"
755 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
756 " after TAP adapter is up and routes have been added.\n"
757 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
758 "Windows Standalone Options:\n"
759 "\n"
760 "--show-adapters : Show all TAP-Windows adapters.\n"
761 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
762 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
763 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
764 " to access TAP adapter.\n"
765#endif /* ifdef _WIN32 */
766 "\n"
767 "Generate a new key :\n"
768 "--genkey tls-auth file : Generate a new random key of type and write to file\n"
769 " (for use with --tls-auth or --tls-crypt)."
770#ifdef ENABLE_FEATURE_TUN_PERSIST
771 "\n"
772 "Tun/tap config mode (available with linux 2.4+):\n"
773 "--mktun : Create a persistent tunnel.\n"
774 "--rmtun : Remove a persistent tunnel.\n"
775 "--dev tunX|tapX : tun/tap device\n"
776 "--dev-type dt : Device type. See tunnel options above for details.\n"
777 "--user user : User to set privilege to.\n"
778 "--group group : Group to set privilege to.\n"
779#endif
780#ifdef ENABLE_PKCS11
781 "\n"
782 "PKCS#11 standalone options:\n"
783#ifdef DEFAULT_PKCS11_MODULE
784 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
785#else
786 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
787#endif
788 " --verb option can be added *BEFORE* this.\n"
789#endif /* ENABLE_PKCS11 */
790 "\n"
791 "General Standalone Options:\n"
792#ifdef ENABLE_DEBUG
793 "--show-gateway [address]: Show info about gateway [to v4/v6 address].\n"
794#endif
795;
796
797#endif /* !ENABLE_SMALL */
798
799/*
800 * This is where the options defaults go.
801 * Any option not explicitly set here
802 * will be set to 0.
803 */
804void
805init_options(struct options *o, const bool init_gc)
806{
807 CLEAR(*o);
808 if (init_gc)
809 {
810 gc_init(&o->gc);
811 gc_init(&o->dns_options.gc);
812 o->gc_owned = true;
813 }
814 o->mode = MODE_POINT_TO_POINT;
815 o->topology = TOP_UNDEF;
816 o->ce.proto = PROTO_UDP;
817 o->ce.af = AF_UNSPEC;
818 o->ce.bind_ipv6_only = false;
819 o->ce.connect_retry_seconds = 1;
820 o->ce.connect_retry_seconds_max = 300;
821 o->ce.connect_timeout = 120;
822 o->connect_retry_max = 0;
823 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
824 o->verbosity = 1;
825 o->status_file_update_freq = 60;
826 o->status_file_version = 1;
827 o->ce.bind_local = true;
828 o->ce.tun_mtu = TUN_MTU_DEFAULT;
829 o->ce.occ_mtu = 0;
830 o->ce.link_mtu = LINK_MTU_DEFAULT;
831 o->ce.tls_mtu = TLS_MTU_DEFAULT;
832 o->ce.mtu_discover_type = -1;
833 o->ce.mssfix = 0;
834 o->ce.mssfix_default = true;
835 o->ce.mssfix_encap = true;
836 o->route_default_table_id = 0;
837 o->route_delay_window = 30;
838 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
839 o->resolve_in_advance = false;
840 o->proto_force = -1;
841 o->occ = true;
842#ifdef ENABLE_MANAGEMENT
843 o->management_log_history_cache = 250;
844 o->management_echo_buffer_size = 100;
845 o->management_state_buffer_size = 100;
846#endif
847#ifdef ENABLE_FEATURE_TUN_PERSIST
848 o->persist_mode = 1;
849#endif
850#ifdef _WIN32
851#if 0
852 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
853#else
854 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
855#endif
856 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
857 /* use network address as internal DHCP server address */
858 o->tuntap_options.dhcp_masq_offset = 0;
859 o->route_method = ROUTE_METHOD_ADAPTIVE;
860 o->block_outside_dns = false;
861 o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
862#endif
863 o->vlan_accept = VLAN_ALL;
864 o->vlan_pvid = 1;
865 o->real_hash_size = 256;
866 o->virtual_hash_size = 256;
867 o->n_bcast_buf = 256;
868 o->tcp_queue_limit = 64;
869 o->max_clients = 1024;
870 o->cf_initial_per = 10;
871 o->cf_initial_max = 100;
872 o->max_routes_per_client = 256;
873 o->stale_routes_check_interval = 0;
874 o->ifconfig_pool_persist_refresh_freq = 600;
875 o->scheduled_exit_interval = 5;
876 o->authname = "SHA1";
877 o->replay_window = DEFAULT_SEQ_BACKTRACK;
878 o->replay_time = DEFAULT_TIME_BACKTRACK;
879 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
880#ifdef ENABLE_PREDICTION_RESISTANCE
881 o->use_prediction_resistance = false;
882#endif
883 o->tls_timeout = 2;
884 o->renegotiate_bytes = -1;
885 o->renegotiate_seconds = 3600;
886 o->renegotiate_seconds_min = -1;
887 o->handshake_window = 60;
888 o->transition_window = 3600;
889 o->tls_cert_profile = NULL;
890 o->ecdh_curve = NULL;
891#ifdef ENABLE_X509ALTUSERNAME
892 o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
893#endif
894#ifdef ENABLE_PKCS11
895 o->pkcs11_pin_cache_period = -1;
896#endif /* ENABLE_PKCS11 */
897
898 /* P2MP server context features */
899 o->auth_token_generate = false;
900
901 /* Set default --tmp-dir */
902#ifdef _WIN32
903 /* On Windows, find temp dir via environment variables */
904 o->tmp_dir = win_get_tempdir();
905
906 if (!o->tmp_dir)
907 {
908 /* Error out if we can't find a valid temporary directory, which should
909 * be very unlikely. */
910 msg(M_USAGE, "Could not find a suitable temporary directory."
911 " (GetTempPath() failed). Consider using --tmp-dir");
912 }
913#else /* ifdef _WIN32 */
914 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
915 o->tmp_dir = getenv("TMPDIR");
916 if (!o->tmp_dir)
917 {
918 o->tmp_dir = "/tmp";
919 }
920#endif /* _WIN32 */
921 o->allow_recursive_routing = false;
922
923#ifndef ENABLE_DCO
924 o->disable_dco = true;
925#endif /* ENABLE_DCO */
926
927#ifdef ENABLE_DNS_UPDOWN_BY_DEFAULT
928 o->dns_options.updown = DEFAULT_DNS_UPDOWN;
929#endif /* ENABLE_DNS_UPDOWN_BY_DEFAULT */
930}
931
932void
933uninit_options(struct options *o)
934{
935 if (o->connection_list)
936 {
937 CLEAR(*o->connection_list);
938 }
939 if (o->remote_list)
940 {
941 CLEAR(*o->remote_list);
942 }
943 if (o->gc_owned)
944 {
945 gc_free(&o->gc);
946 gc_free(&o->dns_options.gc);
947 }
948}
949
950struct pull_filter
951{
952#define PUF_TYPE_UNDEF 0
953#define PUF_TYPE_ACCEPT 1
954#define PUF_TYPE_IGNORE 2
955#define PUF_TYPE_REJECT 3
956 int type;
957 int size;
958 char *pattern;
959 struct pull_filter *next;
960};
961
962struct pull_filter_list
963{
964 struct pull_filter *head;
965 struct pull_filter *tail;
966};
967
968#ifndef ENABLE_SMALL
969
970static const char *
971pull_filter_type_name(int type)
972{
973 if (type == PUF_TYPE_ACCEPT)
974 {
975 return "accept";
976 }
977 if (type == PUF_TYPE_IGNORE)
978 {
979 return "ignore";
980 }
981 if (type == PUF_TYPE_REJECT)
982 {
983 return "reject";
984 }
985 else
986 {
987 return "???";
988 }
989}
990
991#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
992#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
993#define SHOW_STR_INLINE(var) SHOW_PARM(var, \
994 o->var ## _inline ? "[INLINE]" : \
995 (o->var ? o->var : "[UNDEF]"), \
996 "'%s'")
997#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
998#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
999#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
1000#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
1001#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
1002
1003#endif /* ifndef ENABLE_SMALL */
1004
1005static void
1006setenv_connection_entry(struct env_set *es,
1007 const struct connection_entry *e,
1008 const int i)
1009{
1010 setenv_str_i(es, "remote", e->remote, i);
1011 setenv_str_i(es, "remote_port", e->remote_port, i);
1012
1013 if (e->http_proxy_options)
1014 {
1015 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
1016 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
1017 }
1018 if (e->socks_proxy_server)
1019 {
1020 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
1021 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
1022 }
1023}
1024
1025static void
1026setenv_local_entry(struct env_set *es,
1027 const struct local_entry *e,
1028 const int i)
1029{
1030 setenv_str_i(es, "proto", proto2ascii(e->proto, AF_UNSPEC, false), i);
1031 setenv_str_i(es, "local", e->local, i);
1032 setenv_str_i(es, "local_port", e->port, i);
1033}
1034
1035void
1036setenv_settings(struct env_set *es, const struct options *o)
1037{
1038 setenv_str(es, "config", o->config);
1039 setenv_int(es, "verb", o->verbosity);
1040 setenv_int(es, "daemon", o->daemon);
1041 setenv_int(es, "daemon_log_redirect", o->log);
1042 setenv_long_long(es, "daemon_start_time", time(NULL));
1043 setenv_int(es, "daemon_pid", platform_getpid());
1044
1045 if (o->connection_list)
1046 {
1047 int i;
1048 for (i = 0; i < o->connection_list->len; ++i)
1049 {
1050 setenv_connection_entry(es, o->connection_list->array[i], i+1);
1051 }
1052 }
1053 else
1054 {
1055 setenv_connection_entry(es, &o->ce, 1);
1056 }
1057
1058 if (o->ce.local_list)
1059 {
1060 for (int i = 0; i < o->ce.local_list->len; i++)
1061 {
1062 setenv_local_entry(es, o->ce.local_list->array[i], i+1);
1063 }
1064 }
1065}
1066
1067#ifndef _WIN32
1068static void
1069setenv_foreign_option(struct options *o, const char *argv[], int len, struct env_set *es)
1070{
1071 if (len > 0)
1072 {
1073 struct gc_arena gc = gc_new();
1074 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1075 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1076 int i;
1077 bool first = true;
1078 bool good = true;
1079
1080 good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
1081 ++o->foreign_option_index;
1082 for (i = 0; i < len; ++i)
1083 {
1084 if (argv[i])
1085 {
1086 if (!first)
1087 {
1088 good &= buf_printf(&value, " ");
1089 }
1090 good &= buf_printf(&value, "%s", argv[i]);
1091 first = false;
1092 }
1093 }
1094 if (good)
1095 {
1096 setenv_str(es, BSTR(&name), BSTR(&value));
1097 }
1098 else
1099 {
1100 msg(M_WARN, "foreign_option: name/value overflow");
1101 }
1102 gc_free(&gc);
1103 }
1104}
1105#endif /* ifndef _WIN32 */
1106
1107static in_addr_t
1108get_ip_addr(const char *ip_string, int msglevel, bool *error)
1109{
1110 unsigned int flags = GETADDR_HOST_ORDER;
1111 bool succeeded = false;
1112 in_addr_t ret;
1113
1114 if (msglevel & M_FATAL)
1115 {
1116 flags |= GETADDR_FATAL;
1117 }
1118
1119 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1120 if (!succeeded && error)
1121 {
1122 *error = true;
1123 }
1124 return ret;
1125}
1126
1132static char *
1133get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1134{
1135 const char *end = strchr(addr, '/');
1136 char *ret = NULL;
1137 if (NULL == end)
1138 {
1139 ret = string_alloc(addr, gc);
1140 }
1141 else
1142 {
1143 size_t len = end - addr;
1144 ret = gc_malloc(len + 1, true, gc);
1145 memcpy(ret, addr, len);
1146 }
1147 return ret;
1148}
1149
1150static bool
1151ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1152{
1153 struct in6_addr t_addr;
1154 unsigned int t_bits;
1155
1156 return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1157}
1158
1159static char *
1160string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1161{
1162 char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1163 char *dest = ret;
1164 char c;
1165
1166 do
1167 {
1168 c = *src++;
1169 if (c == from)
1170 {
1171 c = to;
1172 }
1173 *dest++ = c;
1174 }
1175 while (c);
1176 return ret;
1177}
1178
1188static struct verify_hash_list *
1189parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1190{
1191 int i = 0;
1192 const char *cp = str;
1193
1194 struct verify_hash_list *ret;
1195 ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1196
1197 char term = 0;
1198 unsigned int byte;
1199
1200 while (*cp && i < nbytes)
1201 {
1202 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1203 if (!isxdigit(cp[0])
1204 || !isxdigit(cp[1])
1205 || (cp[2] != ':' && cp[2] != '\0')
1206 || sscanf(cp, "%x", &byte) != 1)
1207 {
1208 msg(msglevel, "format error in hash fingerprint: %s", str);
1209 break;
1210 }
1211
1212 ret->hash[i++] = (uint8_t)byte;
1213
1214 term = cp[2];
1215 if (term == '\0')
1216 {
1217 break;
1218 }
1219 cp += 3;
1220 }
1221 if (i < nbytes)
1222 {
1223 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1224 }
1225 else if (term != '\0')
1226 {
1227 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1228 }
1229 return ret;
1230}
1231
1242static struct verify_hash_list *
1243parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1244 struct gc_arena *gc)
1245{
1246 struct gc_arena gc_temp = gc_new();
1247 char *lines = string_alloc(str, &gc_temp);
1248
1249 struct verify_hash_list *ret = NULL;
1250
1251 const char *line;
1252 while ((line = strsep(&lines, "\n")))
1253 {
1254 /* ignore leading whitespace */
1255 while (isspace(*line))
1256 {
1257 line++;
1258 }
1259 /* skip empty lines and comment lines */
1260 if (strlen(line) == 0 || *line == '#' || *line == ';')
1261 {
1262 continue;
1263 }
1264
1265 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1266 msglevel, gc);
1267
1268 if (!hash)
1269 {
1270 gc_free(&gc_temp);
1271 return NULL;
1272 }
1273
1274 hash->next = ret;
1275 ret = hash;
1276 }
1277 gc_free(&gc_temp);
1278
1279 return ret;
1280}
1281#ifdef _WIN32
1282
1283#ifndef ENABLE_SMALL
1284
1285static void
1286show_dhcp_option_list(const char *name, const char *const *array, int len)
1287{
1288 int i;
1289 for (i = 0; i < len; ++i)
1290 {
1291 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1292 }
1293}
1294
1295static void
1296show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1297{
1298 struct gc_arena gc = gc_new();
1299 int i;
1300 for (i = 0; i < len; ++i)
1301 {
1302 msg(D_SHOW_PARMS, " %s[%d] = %s",
1303 name,
1304 i,
1305 print_in_addr_t(array[i], 0, &gc));
1306 }
1307 gc_free(&gc);
1308}
1309
1310static void
1311show_tuntap_options(const struct tuntap_options *o)
1312{
1313 SHOW_BOOL(ip_win32_defined);
1314 SHOW_INT(ip_win32_type);
1315 SHOW_INT(dhcp_masq_offset);
1316 SHOW_INT(dhcp_lease_time);
1317 SHOW_INT(tap_sleep);
1318 SHOW_UNSIGNED(dhcp_options);
1319 SHOW_BOOL(dhcp_renew);
1320 SHOW_BOOL(dhcp_pre_release);
1321 SHOW_STR(domain);
1322 SHOW_STR(netbios_scope);
1323 SHOW_INT(netbios_node_type);
1324 SHOW_BOOL(disable_nbt);
1325
1326 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1327 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1328 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1329 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1330 show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1331}
1332
1333#endif /* ifndef ENABLE_SMALL */
1334#endif /* ifdef _WIN32 */
1335
1336static void
1337dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1338{
1339 struct in6_addr addr;
1340 if (*len >= N_DHCP_ADDR)
1341 {
1342 msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1343 N_DHCP_ADDR);
1344 }
1345 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1346 {
1347 dns6_list[(*len)++] = addr;
1348 }
1349}
1350static void
1351dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1352{
1353 if (*len >= N_DHCP_ADDR)
1354 {
1355 msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1356 name,
1357 N_DHCP_ADDR,
1358 name);
1359 }
1360 else
1361 {
1362 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1363 {
1364 bool error = false;
1365 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1366 if (!error)
1367 {
1368 array[(*len)++] = addr;
1369 }
1370 }
1371 else
1372 {
1373 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1374 }
1375 }
1376}
1377
1378#ifndef ENABLE_SMALL
1379static const char *
1380print_vlan_accept(enum vlan_acceptable_frames mode)
1381{
1382 switch (mode)
1383 {
1384 case VLAN_ONLY_TAGGED:
1385 return "tagged";
1386
1387 case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1388 return "untagged";
1389
1390 case VLAN_ALL:
1391 return "all";
1392 }
1393 return NULL;
1394}
1395
1396static void
1397show_p2mp_parms(const struct options *o)
1398{
1399 struct gc_arena gc = gc_new();
1400
1401 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1402 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1403 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1404 SHOW_INT(server_netbits_ipv6);
1405 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1406 msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1407 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1408 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1409 if (o->push_list.head)
1410 {
1411 const struct push_entry *e = o->push_list.head;
1412 while (e)
1413 {
1414 if (e->enable)
1415 {
1416 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1417 }
1418 e = e->next;
1419 }
1420 }
1421 SHOW_BOOL(ifconfig_pool_defined);
1422 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1423 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1424 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1425 SHOW_STR(ifconfig_pool_persist_filename);
1426 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1427 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1428 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1429 SHOW_INT(ifconfig_ipv6_pool_netbits);
1430 SHOW_INT(n_bcast_buf);
1431 SHOW_INT(tcp_queue_limit);
1432 SHOW_INT(real_hash_size);
1433 SHOW_INT(virtual_hash_size);
1434 SHOW_STR(client_connect_script);
1435 SHOW_STR(learn_address_script);
1436 SHOW_STR(client_disconnect_script);
1437 SHOW_STR(client_crresponse_script);
1438 SHOW_STR(client_config_dir);
1439 SHOW_BOOL(ccd_exclusive);
1440 SHOW_STR(tmp_dir);
1441 SHOW_BOOL(push_ifconfig_defined);
1442 msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1443 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1444 SHOW_BOOL(push_ifconfig_ipv6_defined);
1445 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1446 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1447 SHOW_BOOL(enable_c2c);
1448 SHOW_BOOL(duplicate_cn);
1449 SHOW_INT(cf_max);
1450 SHOW_INT(cf_per);
1451 SHOW_INT(cf_initial_max);
1452 SHOW_INT(cf_initial_per);
1453 SHOW_INT(max_clients);
1454 SHOW_INT(max_routes_per_client);
1455 SHOW_STR(auth_user_pass_verify_script);
1456 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1457 SHOW_BOOL(auth_token_generate);
1458 SHOW_BOOL(force_key_material_export);
1459 SHOW_INT(auth_token_lifetime);
1460 SHOW_STR_INLINE(auth_token_secret_file);
1461#if PORT_SHARE
1462 SHOW_STR(port_share_host);
1463 SHOW_STR(port_share_port);
1464#endif
1465 SHOW_BOOL(vlan_tagging);
1466 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1467 SHOW_INT(vlan_pvid);
1468
1469 SHOW_BOOL(client);
1470 SHOW_BOOL(pull);
1471 SHOW_STR_INLINE(auth_user_pass_file);
1472
1473 gc_free(&gc);
1474}
1475
1476#endif /* ! ENABLE_SMALL */
1477
1478static void
1479option_iroute(struct options *o,
1480 const char *network_str,
1481 const char *netmask_str,
1482 int msglevel)
1483{
1484 struct iroute *ir;
1485
1486 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1487 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1488 ir->netbits = 32; /* host route if no netmask given */
1489
1490 if (netmask_str)
1491 {
1492 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1493 ir->netbits = netmask_to_netbits2(netmask);
1494
1495 if (ir->netbits < 0)
1496 {
1497 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1498 network_str,
1499 netmask_str);
1500 return;
1501 }
1502 }
1503
1504 ir->next = o->iroutes;
1505 o->iroutes = ir;
1506}
1507
1508static void
1509option_iroute_ipv6(struct options *o,
1510 const char *prefix_str,
1511 int msglevel)
1512{
1513 struct iroute_ipv6 *ir;
1514
1515 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1516
1517 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1518 {
1519 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1520 prefix_str);
1521 return;
1522 }
1523
1524 ir->next = o->iroutes_ipv6;
1525 o->iroutes_ipv6 = ir;
1526}
1527
1528#ifndef ENABLE_SMALL
1529static void
1530show_http_proxy_options(const struct http_proxy_options *o)
1531{
1532 int i;
1533 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1534 SHOW_STR(server);
1535 SHOW_STR(port);
1536 SHOW_STR(auth_method_string);
1537 SHOW_STR(auth_file);
1538 SHOW_STR(auth_file_up);
1539 SHOW_BOOL(inline_creds);
1540 SHOW_BOOL(nocache);
1541 SHOW_STR(http_version);
1542 SHOW_STR(user_agent);
1543 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1544 {
1545 if (o->custom_headers[i].content)
1546 {
1547 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1548 o->custom_headers[i].name, o->custom_headers[i].content);
1549 }
1550 else
1551 {
1552 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1553 o->custom_headers[i].name);
1554 }
1555 }
1556 msg(D_SHOW_PARMS, "END http_proxy");
1557}
1558#endif /* ifndef ENABLE_SMALL */
1559
1560void
1561options_detach(struct options *o)
1562{
1563 gc_detach(&o->gc);
1564 o->routes = NULL;
1565 o->client_nat = NULL;
1566 clone_push_list(o);
1567}
1568
1569void
1570rol_check_alloc(struct options *options)
1571{
1572 if (!options->routes)
1573 {
1574 options->routes = new_route_option_list(&options->gc);
1575 }
1576}
1577
1578static void
1586
1587static void
1588cnol_check_alloc(struct options *options)
1589{
1590 if (!options->client_nat)
1591 {
1592 options->client_nat = new_client_nat_list(&options->gc);
1593 }
1594}
1595
1596#ifndef ENABLE_SMALL
1597static void
1598show_connection_entry(const struct connection_entry *o)
1599{
1600 /* Display the global proto only in client mode or with no '--local'*/
1601 if (o->local_list->len == 1)
1602 {
1603 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1604 }
1605
1606 msg(D_SHOW_PARMS, " Local Sockets:");
1607 for (int i = 0; i < o->local_list->len; i++)
1608 {
1609 msg(D_SHOW_PARMS, " [%s]:%s-%s", o->local_list->array[i]->local,
1610 o->local_list->array[i]->port, proto2ascii(o->local_list->array[i]->proto, o->af, false));
1611 }
1612 SHOW_STR(remote);
1613 SHOW_STR(remote_port);
1614 SHOW_BOOL(remote_float);
1615 SHOW_BOOL(bind_defined);
1616 SHOW_BOOL(bind_local);
1617 SHOW_BOOL(bind_ipv6_only);
1618 SHOW_INT(connect_retry_seconds);
1619 SHOW_INT(connect_timeout);
1620
1621 if (o->http_proxy_options)
1622 {
1623 show_http_proxy_options(o->http_proxy_options);
1624 }
1625 SHOW_STR(socks_proxy_server);
1626 SHOW_STR(socks_proxy_port);
1627 SHOW_INT(tun_mtu);
1628 SHOW_BOOL(tun_mtu_defined);
1629 SHOW_INT(link_mtu);
1630 SHOW_BOOL(link_mtu_defined);
1631 SHOW_INT(tun_mtu_extra);
1632 SHOW_BOOL(tun_mtu_extra_defined);
1633 SHOW_INT(tls_mtu);
1634
1635 SHOW_INT(mtu_discover_type);
1636
1637#ifdef ENABLE_FRAGMENT
1638 SHOW_INT(fragment);
1639#endif
1640 SHOW_INT(mssfix);
1641 SHOW_BOOL(mssfix_encap);
1642 SHOW_BOOL(mssfix_fixed);
1643
1644 SHOW_INT(explicit_exit_notification);
1645
1646 SHOW_STR_INLINE(tls_auth_file);
1647 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1648 "%s");
1649 SHOW_STR_INLINE(tls_crypt_file);
1650 SHOW_STR_INLINE(tls_crypt_v2_file);
1651}
1652
1653
1654static void
1655show_connection_entries(const struct options *o)
1656{
1657 if (o->connection_list)
1658 {
1659 const struct connection_list *l = o->connection_list;
1660 int i;
1661 for (i = 0; i < l->len; ++i)
1662 {
1663 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1664 show_connection_entry(l->array[i]);
1665 }
1666 }
1667 else
1668 {
1669 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1670 show_connection_entry(&o->ce);
1671 }
1672 msg(D_SHOW_PARMS, "Connection profiles END");
1673}
1674
1675static void
1676show_pull_filter_list(const struct pull_filter_list *l)
1677{
1678 struct pull_filter *f;
1679 if (!l)
1680 {
1681 return;
1682 }
1683
1684 msg(D_SHOW_PARMS, " Pull filters:");
1685 for (f = l->head; f; f = f->next)
1686 {
1687 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1688 }
1689}
1690
1691#endif /* ifndef ENABLE_SMALL */
1692
1693void
1694show_settings(const struct options *o)
1695{
1696#ifndef ENABLE_SMALL
1697 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1698
1699 SHOW_STR(config);
1700
1701 SHOW_INT(mode);
1702
1703#ifdef ENABLE_FEATURE_TUN_PERSIST
1704 SHOW_BOOL(persist_config);
1705 SHOW_INT(persist_mode);
1706#endif
1707
1708 SHOW_BOOL(show_ciphers);
1709 SHOW_BOOL(show_digests);
1710 SHOW_BOOL(show_engines);
1711 SHOW_BOOL(genkey);
1712 SHOW_STR(genkey_filename);
1713 SHOW_STR(key_pass_file);
1714 SHOW_BOOL(show_tls_ciphers);
1715
1716 SHOW_INT(connect_retry_max);
1717 show_connection_entries(o);
1718
1719 SHOW_BOOL(remote_random);
1720
1721 SHOW_STR(ipchange);
1722 SHOW_STR(dev);
1723 SHOW_STR(dev_type);
1724 SHOW_STR(dev_node);
1725#if defined(ENABLE_DCO)
1726 SHOW_BOOL(disable_dco);
1727#endif
1728 SHOW_STR(lladdr);
1729 SHOW_INT(topology);
1730 SHOW_STR(ifconfig_local);
1731 SHOW_STR(ifconfig_remote_netmask);
1732 SHOW_BOOL(ifconfig_noexec);
1733 SHOW_BOOL(ifconfig_nowarn);
1734 SHOW_STR(ifconfig_ipv6_local);
1735 SHOW_INT(ifconfig_ipv6_netbits);
1736 SHOW_STR(ifconfig_ipv6_remote);
1737
1738 SHOW_INT(shaper);
1739 SHOW_INT(mtu_test);
1740
1741 SHOW_BOOL(mlock);
1742
1743 SHOW_INT(keepalive_ping);
1744 SHOW_INT(keepalive_timeout);
1745 SHOW_INT(inactivity_timeout);
1746 SHOW_INT(session_timeout);
1747 SHOW_INT64(inactivity_minimum_bytes);
1748 SHOW_INT(ping_send_timeout);
1749 SHOW_INT(ping_rec_timeout);
1750 SHOW_INT(ping_rec_timeout_action);
1751 SHOW_BOOL(ping_timer_remote);
1752 SHOW_INT(remap_sigusr1);
1753 SHOW_BOOL(persist_tun);
1754 SHOW_BOOL(persist_local_ip);
1755 SHOW_BOOL(persist_remote_ip);
1756
1757#if PASSTOS_CAPABILITY
1758 SHOW_BOOL(passtos);
1759#endif
1760
1761 SHOW_INT(resolve_retry_seconds);
1762 SHOW_BOOL(resolve_in_advance);
1763
1764 SHOW_STR(username);
1765 SHOW_STR(groupname);
1766 SHOW_STR(chroot_dir);
1767 SHOW_STR(cd_dir);
1768#ifdef ENABLE_SELINUX
1769 SHOW_STR(selinux_context);
1770#endif
1771 SHOW_STR(writepid);
1772 SHOW_STR(up_script);
1773 SHOW_STR(down_script);
1774 SHOW_BOOL(down_pre);
1775 SHOW_BOOL(up_restart);
1776 SHOW_BOOL(up_delay);
1777 SHOW_BOOL(daemon);
1778 SHOW_BOOL(log);
1779 SHOW_BOOL(suppress_timestamps);
1780 SHOW_BOOL(machine_readable_output);
1781 SHOW_INT(nice);
1782 SHOW_INT(verbosity);
1783 SHOW_INT(mute);
1784#ifdef ENABLE_DEBUG
1785 SHOW_INT(gremlin);
1786#endif
1787 SHOW_STR(status_file);
1788 SHOW_INT(status_file_version);
1789 SHOW_INT(status_file_update_freq);
1790
1791 SHOW_BOOL(occ);
1792 SHOW_INT(rcvbuf);
1793 SHOW_INT(sndbuf);
1794#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1795 SHOW_INT(mark);
1796#endif
1797 SHOW_INT(sockflags);
1798
1799 SHOW_BOOL(fast_io);
1800
1801 SHOW_INT(comp.alg);
1802 SHOW_INT(comp.flags);
1803
1804 SHOW_STR(route_script);
1805 SHOW_STR(route_default_gateway);
1806 SHOW_INT(route_default_metric);
1807 SHOW_INT(route_default_table_id);
1808 SHOW_BOOL(route_noexec);
1809 SHOW_INT(route_delay);
1810 SHOW_INT(route_delay_window);
1811 SHOW_BOOL(route_delay_defined);
1812 SHOW_BOOL(route_nopull);
1813 SHOW_BOOL(route_gateway_via_dhcp);
1814 SHOW_BOOL(allow_pull_fqdn);
1815 show_pull_filter_list(o->pull_filter_list);
1816
1817 if (o->routes)
1818 {
1819 print_route_options(o->routes, D_SHOW_PARMS);
1820 }
1821
1822 if (o->client_nat)
1823 {
1824 print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1825 }
1826
1827 show_dns_options(&o->dns_options);
1828
1829#ifdef ENABLE_MANAGEMENT
1830 SHOW_STR(management_addr);
1831 SHOW_STR(management_port);
1832 SHOW_STR(management_user_pass);
1833 SHOW_INT(management_log_history_cache);
1834 SHOW_INT(management_echo_buffer_size);
1835 SHOW_STR(management_client_user);
1836 SHOW_STR(management_client_group);
1837 SHOW_INT(management_flags);
1838#endif
1839#ifdef ENABLE_PLUGIN
1840 if (o->plugin_list)
1841 {
1842 plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1843 }
1844#endif
1845
1846 SHOW_STR_INLINE(shared_secret_file);
1847 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1848 SHOW_STR(ciphername);
1849 SHOW_STR(ncp_ciphers);
1850 SHOW_STR(authname);
1851#ifndef ENABLE_CRYPTO_MBEDTLS
1852 SHOW_BOOL(engine);
1853#endif /* ENABLE_CRYPTO_MBEDTLS */
1854 SHOW_BOOL(mute_replay_warnings);
1855 SHOW_INT(replay_window);
1856 SHOW_INT(replay_time);
1857 SHOW_STR(packet_id_file);
1858 SHOW_BOOL(test_crypto);
1859#ifdef ENABLE_PREDICTION_RESISTANCE
1860 SHOW_BOOL(use_prediction_resistance);
1861#endif
1862
1863 SHOW_BOOL(tls_server);
1864 SHOW_BOOL(tls_client);
1865 SHOW_STR_INLINE(ca_file);
1866 SHOW_STR(ca_path);
1867 SHOW_STR_INLINE(dh_file);
1868 if ((o->management_flags & MF_EXTERNAL_CERT))
1869 {
1870 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1871 }
1872 else
1873 {
1874 SHOW_STR_INLINE(cert_file);
1875 }
1876 SHOW_STR_INLINE(extra_certs_file);
1877
1878 if ((o->management_flags & MF_EXTERNAL_KEY))
1879 {
1880 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1881 }
1882 else
1883 {
1884 SHOW_STR_INLINE(priv_key_file);
1885 }
1886#ifndef ENABLE_CRYPTO_MBEDTLS
1887 SHOW_STR_INLINE(pkcs12_file);
1888#endif
1889#ifdef ENABLE_CRYPTOAPI
1890 SHOW_STR(cryptoapi_cert);
1891#endif
1892 SHOW_STR(cipher_list);
1893 SHOW_STR(cipher_list_tls13);
1894 SHOW_STR(tls_cert_profile);
1895 SHOW_STR(tls_verify);
1896 SHOW_STR(tls_export_peer_cert_dir);
1897 SHOW_INT(verify_x509_type);
1898 SHOW_STR(verify_x509_name);
1899 SHOW_STR_INLINE(crl_file);
1900 SHOW_INT(ns_cert_type);
1901 {
1902 int i;
1903 for (i = 0; i<MAX_PARMS; i++)
1904 {
1905 SHOW_INT(remote_cert_ku[i]);
1906 }
1907 }
1908 SHOW_STR(remote_cert_eku);
1909 if (o->verify_hash)
1910 {
1911 SHOW_INT(verify_hash_algo);
1912 SHOW_INT(verify_hash_depth);
1913 struct gc_arena gc = gc_new();
1914 struct verify_hash_list *hl = o->verify_hash;
1915 int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
1916 SHA256_DIGEST_LENGTH;
1917 while (hl)
1918 {
1919 char *s = format_hex_ex(hl->hash, digest_len, 0,
1920 1, ":", &gc);
1921 SHOW_PARM(verify_hash, s, "%s");
1922 hl = hl->next;
1923 }
1924 gc_free(&gc);
1925 }
1926 SHOW_INT(ssl_flags);
1927
1928 SHOW_INT(tls_timeout);
1929
1930 SHOW_INT64(renegotiate_bytes);
1931 SHOW_INT64(renegotiate_packets);
1932 SHOW_INT(renegotiate_seconds);
1933
1934 SHOW_INT(handshake_window);
1935 SHOW_INT(transition_window);
1936
1937 SHOW_BOOL(single_session);
1938 SHOW_BOOL(push_peer_info);
1939 SHOW_BOOL(tls_exit);
1940
1941 SHOW_STR(tls_crypt_v2_metadata);
1942
1943#ifdef ENABLE_PKCS11
1944 {
1945 int i;
1946 for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1947 {
1948 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1949 }
1950 }
1951 {
1952 int i;
1953 for (i = 0; i<MAX_PARMS; i++)
1954 {
1955 SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1956 }
1957 }
1958 {
1959 int i;
1960 for (i = 0; i<MAX_PARMS; i++)
1961 {
1962 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1963 }
1964 }
1965 {
1966 int i;
1967 for (i = 0; i<MAX_PARMS; i++)
1968 {
1969 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1970 }
1971 }
1972 SHOW_INT(pkcs11_pin_cache_period);
1973 SHOW_STR(pkcs11_id);
1974 SHOW_BOOL(pkcs11_id_management);
1975#endif /* ENABLE_PKCS11 */
1976
1977 show_p2mp_parms(o);
1978
1979#ifdef _WIN32
1980 SHOW_BOOL(show_net_up);
1981 SHOW_INT(route_method);
1982 SHOW_BOOL(block_outside_dns);
1983 show_tuntap_options(&o->tuntap_options);
1984#endif
1985#endif /* ifndef ENABLE_SMALL */
1986}
1987
1988#undef SHOW_PARM
1989#undef SHOW_STR
1990#undef SHOW_INT
1991#undef SHOW_BOOL
1992
1993#ifdef ENABLE_MANAGEMENT
1994
1995static struct http_proxy_options *
1996parse_http_proxy_override(const char *server,
1997 const char *port,
1998 const char *flags,
1999 struct gc_arena *gc)
2000{
2001 if (server && port)
2002 {
2003 struct http_proxy_options *ho;
2004 ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
2005 ho->server = string_alloc(server, gc);
2006 ho->port = port;
2007 if (flags && !strcmp(flags, "nct"))
2008 {
2009 ho->auth_retry = PAR_NCT;
2010 }
2011 else
2012 {
2013 ho->auth_retry = PAR_ALL;
2014 }
2015 ho->http_version = "1.0";
2016 ho->user_agent = "OpenVPN-Autoproxy/1.0";
2017 return ho;
2018 }
2019 else
2020 {
2021 return NULL;
2022 }
2023}
2024
2025static void
2026options_postprocess_http_proxy_override(struct options *o)
2027{
2028 const struct connection_list *l = o->connection_list;
2029 int i;
2030 bool succeed = false;
2031 for (i = 0; i < l->len; ++i)
2032 {
2033 struct connection_entry *ce = l->array[i];
2034 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2035 {
2036 ce->http_proxy_options = o->http_proxy_override;
2037 succeed = true;
2038 }
2039 }
2040 if (succeed)
2041 {
2042 for (i = 0; i < l->len; ++i)
2043 {
2044 struct connection_entry *ce = l->array[i];
2045 if (ce->proto == PROTO_UDP)
2046 {
2047 ce->flags |= CE_DISABLED;
2048 }
2049 }
2050 }
2051 else
2052 {
2053 msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2054 }
2055}
2056
2057#endif /* ifdef ENABLE_MANAGEMENT */
2058
2059static struct local_list *
2060alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
2061{
2062 if (!ce->local_list)
2063 {
2064 ALLOC_OBJ_CLEAR_GC(ce->local_list, struct local_list, gc);
2065 }
2066 return ce->local_list;
2067}
2068
2069static struct local_entry *
2070alloc_local_entry(struct connection_entry *ce, const int msglevel,
2071 struct gc_arena *gc)
2072{
2073 struct local_list *l = alloc_local_list_if_undef(ce, gc);
2074 struct local_entry *e;
2075
2076 if (l->len >= l->capacity)
2077 {
2078 const int new_cap = l->capacity + 1;
2079 const size_t elem_size = sizeof(*l->array);
2080
2081 struct local_entry **new_array = gc_realloc(l->array, new_cap * elem_size, gc);
2082 if (!new_array)
2083 {
2084 msg(msglevel, "Unable to process more local options: out of memory. Number of entries = %d", l->len);
2085 return NULL;
2086 }
2087
2088 l->array = new_array;
2089 l->capacity = new_cap;
2090 }
2091
2092 ALLOC_OBJ_CLEAR_GC(e, struct local_entry, gc);
2093 e->proto = PROTO_NONE;
2094 l->array[l->len++] = e;
2095
2096 return e;
2097}
2098
2099static struct connection_list *
2108
2109static struct connection_entry *
2110alloc_connection_entry(struct options *options, const int msglevel)
2111{
2112 struct connection_list *l = alloc_connection_list_if_undef(options);
2113 struct connection_entry *e;
2114
2115 if (l->len == l->capacity)
2116 {
2117 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2118 struct connection_entry **ce = gc_realloc(l->array, capacity*sizeof(struct connection_entry *), &options->gc);
2119 if (ce == NULL)
2120 {
2121 msg(msglevel, "Unable to process more connection options: out of memory. Number of entries = %d", l->len);
2122 return NULL;
2123 }
2124 l->array = ce;
2125 l->capacity = capacity;
2126 }
2127 ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2128 l->array[l->len++] = e;
2129 return e;
2130}
2131
2132static struct remote_list *
2133alloc_remote_list_if_undef(struct options *options)
2134{
2135 if (!options->remote_list)
2136 {
2137 ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2138 }
2139 return options->remote_list;
2140}
2141
2142static struct remote_entry *
2143alloc_remote_entry(struct options *options, const int msglevel)
2144{
2145 struct remote_list *l = alloc_remote_list_if_undef(options);
2146 struct remote_entry *e;
2147
2148 if (l->len == l->capacity)
2149 {
2150 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2151 struct remote_entry **re = gc_realloc(l->array, capacity*sizeof(struct remote_entry *), &options->gc);
2152 if (re == NULL)
2153 {
2154 msg(msglevel, "Unable to process more remote options: out of memory. Number of entries = %d", l->len);
2155 return NULL;
2156 }
2157 l->array = re;
2158 l->capacity = capacity;
2159 }
2160 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2161 l->array[l->len++] = e;
2162 return e;
2163}
2164
2165static struct pull_filter_list *
2166alloc_pull_filter_list(struct options *o)
2167{
2168 if (!o->pull_filter_list)
2169 {
2170 ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2171 }
2172 return o->pull_filter_list;
2173}
2174
2175static struct pull_filter *
2176alloc_pull_filter(struct options *o)
2177{
2178 struct pull_filter_list *l = alloc_pull_filter_list(o);
2179 struct pull_filter *f;
2180
2181 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2182 if (l->head)
2183 {
2184 ASSERT(l->tail);
2185 l->tail->next = f;
2186 }
2187 else
2188 {
2189 ASSERT(!l->tail);
2190 l->head = f;
2191 }
2192 l->tail = f;
2193 return f;
2194}
2195
2196static void
2197connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2198{
2199 if (re->remote)
2200 {
2201 ce->remote = re->remote;
2202 }
2203 if (re->remote_port)
2204 {
2205 ce->remote_port = re->remote_port;
2206 }
2207 if (re->proto >= 0)
2208 {
2209 ce->proto = re->proto;
2210 }
2211 if (re->af > 0)
2212 {
2213 ce->af = re->af;
2214 }
2215}
2216
2217static void
2218connection_entry_preload_key(const char **key_file, bool *key_inline,
2219 struct gc_arena *gc)
2220{
2221 if (key_file && *key_file && !(*key_inline))
2222 {
2223 struct buffer in = buffer_read_from_file(*key_file, gc);
2224 if (!buf_valid(&in))
2225 {
2226 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2227 }
2228
2229 *key_file = (const char *) in.data;
2230 *key_inline = true;
2231 }
2232}
2233
2234static void
2235check_ca_required(const struct options *options)
2236{
2237#ifdef ENABLE_CRYPTO_MBEDTLS
2238 if (options->ca_path)
2239 {
2240 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN.");
2241 }
2242#endif
2243
2244 if (options->verify_hash_no_ca
2245 || options->pkcs12_file
2246 || options->ca_file
2247#ifndef ENABLE_CRYPTO_MBEDTLS
2248 || options->ca_path
2249#endif
2250 )
2251 {
2252 return;
2253 }
2254
2255 const char *const str = "You must define CA file (--ca)"
2256#ifndef ENABLE_CRYPTO_MBEDTLS
2257 " or CA path (--capath)"
2258#endif
2259 " and/or peer fingerprint verification (--peer-fingerprint)";
2260 msg(M_USAGE, "%s", str);
2261}
2262
2263#define MUST_BE_UNDEF(parm, parm_name) \
2264 if (options->parm != defaults.parm) { msg(M_USAGE, use_err, parm_name); }
2265#define MUST_BE_FALSE(condition, parm_name) \
2266 if (condition) { msg(M_USAGE, use_err, parm_name); }
2267
2268static void
2269options_postprocess_verify_ce(const struct options *options,
2270 const struct connection_entry *ce)
2271{
2272 struct options defaults;
2273 int dev = DEV_TYPE_UNDEF;
2274 bool pull = false;
2275
2276 init_options(&defaults, true);
2277
2278 if (options->test_crypto)
2279 {
2280 notnull(options->shared_secret_file, "key file (--secret)");
2281 }
2282 else
2283 {
2284 notnull(options->dev, "TUN/TAP device (--dev)");
2285 }
2286
2287 /*
2288 * Get tun/tap/null device type
2289 */
2290 dev = dev_type_enum(options->dev, options->dev_type);
2291
2292 /*
2293 * If "proto tcp" is specified, make sure we know whether it is
2294 * tcp-client or tcp-server.
2295 */
2296 if (ce->proto == PROTO_TCP)
2297 {
2298 msg(M_USAGE,
2299 "--proto tcp is ambiguous in this context. Please specify "
2300 "--proto tcp-server or --proto tcp-client");
2301 }
2302
2303 /*
2304 * Sanity check on Client mode
2305 */
2306
2307 if (options->mode != MODE_SERVER && ce->local_list->len > 1)
2308 {
2309 msg(M_USAGE, "multiple --local statements only allowed in --server mode");
2310 }
2311
2312 if (options->lladdr && dev != DEV_TYPE_TAP)
2313 {
2314 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2315 }
2316
2317 /*
2318 * Sanity check on MTU parameters
2319 */
2320 if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2321 {
2322 msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2323 }
2324
2325 if (!proto_is_udp(ce->proto) && options->mtu_test)
2326 {
2327 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2328 }
2329
2330 /* will we be pulling options from server? */
2331 pull = options->pull;
2332
2333 /*
2334 * Sanity check on --local, --remote, and --ifconfig
2335 */
2336
2337 if (string_defined_equal(ce->remote, options->ifconfig_local)
2338 || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2339 {
2340 msg(M_USAGE,
2341 "--local and --remote addresses must be distinct from --ifconfig "
2342 "addresses");
2343 }
2344
2345 if (string_defined_equal(options->ifconfig_local,
2346 options->ifconfig_remote_netmask))
2347 {
2348 msg(M_USAGE,
2349 "local and remote/netmask --ifconfig addresses must be different");
2350 }
2351
2352 if (ce->bind_defined && !ce->bind_local)
2353 {
2354 msg(M_USAGE, "--bind and --nobind can't be used together");
2355 }
2356
2357 if (ce->local_port_defined && !ce->bind_local)
2358 {
2359 msg(M_USAGE,
2360 "--lport and --nobind don't make sense when used together");
2361 }
2362
2363 if (!ce->remote && !ce->bind_local)
2364 {
2365 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2366 }
2367
2368 for (int i = 0; i < ce->local_list->len; i++)
2369 {
2370 struct local_entry *le = ce->local_list->array[i];
2371
2372 if (proto_is_net(le->proto)
2373 && string_defined_equal(le->local, ce->remote)
2374 && string_defined_equal(le->port, ce->remote_port))
2375 {
2376 msg(M_USAGE, "--remote and one of the --local addresses are the same");
2377 }
2378
2379 if (string_defined_equal(le->local, options->ifconfig_local)
2380 || string_defined_equal(le->local, options->ifconfig_remote_netmask))
2381 {
2382 msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2383 }
2384
2385 if (le->local && !ce->bind_local)
2386 {
2387 msg(M_USAGE, "--local and --nobind don't make sense when used together");
2388 }
2389 }
2390
2391 /*
2392 * Check for consistency of management options
2393 */
2394#ifdef ENABLE_MANAGEMENT
2395 if (!options->management_addr
2396 && (options->management_flags
2397 || options->management_log_history_cache != defaults.management_log_history_cache))
2398 {
2399 msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2400 }
2401
2402 if ((options->management_client_user || options->management_client_group)
2403 && !(options->management_flags & MF_UNIX_SOCK))
2404 {
2405 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2406 }
2407
2408 if (options->management_addr
2409 && !(options->management_flags & MF_UNIX_SOCK)
2410 && (!options->management_user_pass))
2411 {
2412 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2413 "passwords is STRONGLY discouraged and considered insecure");
2414 }
2415
2416#endif /* ifdef ENABLE_MANAGEMENT */
2417
2418#if !defined(HAVE_XKEY_PROVIDER)
2419 if ((tls_version_max() >= TLS_VER_1_3)
2420 && (options->management_flags & MF_EXTERNAL_KEY)
2421 && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2422 )
2423 {
2424 msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2425 "nopadding argument/support");
2426 }
2427#endif
2428 /*
2429 * Windows-specific options.
2430 */
2431
2432#ifdef _WIN32
2433 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2434 {
2435 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2436 }
2437
2438 if ((options->tuntap_options.ip_win32_defined)
2439 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2440 {
2441 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2442 }
2443
2444 if (options->tuntap_options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
2445 {
2446 const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
2447 if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
2448 {
2449 msg(M_USAGE, "%s, which is not supported by the selected %s driver",
2450 prefix, print_tun_backend_driver(options->windows_driver));
2451 }
2452 else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2453 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2454 {
2455 msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive",
2456 prefix);
2457 }
2458 }
2459#endif /* ifdef _WIN32 */
2460
2461 /*
2462 * Check that protocol options make sense.
2463 */
2464
2465#ifdef ENABLE_FRAGMENT
2466 if (!proto_is_udp(ce->proto) && ce->fragment)
2467 {
2468 msg(M_USAGE, "--fragment can only be used with --proto udp");
2469 }
2470#endif
2471
2472 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2473 {
2474 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2475 }
2476
2477 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2478 {
2479 msg(M_USAGE,
2480 "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2481 "tcp-client)");
2482 }
2483
2484 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2485 {
2486 msg(M_USAGE,
2487 "--http-proxy not specified but other http proxy options present");
2488 }
2489
2490 if (ce->http_proxy_options && ce->socks_proxy_server)
2491 {
2492 msg(M_USAGE,
2493 "--http-proxy can not be used together with --socks-proxy");
2494 }
2495
2496 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2497 {
2498 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2499 }
2500
2501 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2502 {
2503 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2504 }
2505
2506 /*
2507 * Check consistency of --mode server options.
2508 */
2509 if (options->mode == MODE_SERVER)
2510 {
2511 const char use_err[] = "--%s cannot be used with --mode server.";
2512
2513#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
2514 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2515#ifdef TARGET_ANDROID
2516 msg(M_FATAL, "--mode server not supported on Android");
2517#endif
2518 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2519 {
2520 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2521 }
2522 MUST_BE_UNDEF(pull, "pull");
2523 if (options->pull_filter_list)
2524 {
2525 msg(M_WARN, "--pull-filter ignored for --mode server");
2526 }
2527 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2528 {
2529 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2530 }
2531#if PORT_SHARE
2532 if ((options->port_share_host || options->port_share_port)
2533 && (ce->proto != PROTO_TCP_SERVER))
2534 {
2535 msg(M_USAGE, "--port-share only works in TCP server mode "
2536 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2537 }
2538#endif
2539 if (!options->tls_server)
2540 {
2541 msg(M_USAGE, "--mode server requires --tls-server");
2542 }
2543 MUST_BE_FALSE(ce->remote, "remote");
2544 MUST_BE_FALSE(!ce->bind_local, "nobind");
2545 MUST_BE_FALSE(ce->http_proxy_options, "http-proxy");
2546 MUST_BE_FALSE(ce->socks_proxy_server, "socks-proxy");
2547 /* <connection> blocks force to have a remote embedded, so we check
2548 * for the --remote and bail out if it is present
2549 */
2550 if (options->connection_list->len >1
2551 || options->connection_list->array[0]->remote)
2552 {
2553 msg(M_USAGE, "<connection> cannot be used with --mode server");
2554 }
2555
2556 MUST_BE_UNDEF(shaper, "shaper");
2557 if (options->ipchange)
2558 {
2559 msg(M_USAGE,
2560 "--ipchange cannot be used with --mode server (use "
2561 "--client-connect instead)");
2562 }
2563 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2564 {
2565 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2566 }
2567 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2568 {
2569 msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2570 }
2571 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2572 {
2573 msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2574 }
2575 if (options->routes && (options->routes->flags & RG_ENABLE))
2576 {
2577 msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2578 }
2579 MUST_BE_UNDEF(route_delay_defined, "route-delay");
2580 MUST_BE_UNDEF(up_delay, "up-delay");
2581 if (!options->ifconfig_pool_defined
2582 && !options->ifconfig_ipv6_pool_defined
2583 && options->ifconfig_pool_persist_filename)
2584 {
2585 msg(M_USAGE,
2586 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2587 }
2588 if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2589 {
2590 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2591 }
2592 MUST_BE_UNDEF(allow_recursive_routing, "allow-recursive-routing");
2593 if (options->auth_user_pass_file)
2594 {
2595 msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2596 }
2597 if (options->ccd_exclusive && !options->client_config_dir)
2598 {
2599 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2600 }
2601 if (options->auth_token_generate && !options->renegotiate_seconds)
2602 {
2603 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2604 "--renegotiate_seconds setting");
2605 }
2606 if (options->auth_token_generate && options->auth_token_renewal
2607 && options->auth_token_renewal < 2 * options->handshake_window)
2608 {
2609 msg(M_USAGE, "--auth-gen-token renewal time needs to be at least "
2610 " two times --hand-window (%d).",
2611 options->handshake_window);
2612
2613 }
2614 if (!options->auth_user_pass_verify_script
2615 && !PLUGIN_OPTION_LIST(options)
2616 && !MAN_CLIENT_AUTH_ENABLED(options))
2617 {
2618 const char *use_err = "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2619
2620 MUST_BE_FALSE(options->ssl_flags
2621 & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL),
2622 "verify-client-cert none|optional");
2623 MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME,
2624 "username-as-common-name");
2625 MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL,
2626 "auth-user-pass-optional");
2627 }
2628
2629 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2630 {
2631 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2632 }
2633 if (!options->vlan_tagging)
2634 {
2635 const char use_err[] = "--%s requires --vlan-tagging";
2636 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2637 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2638 }
2639 }
2640 else
2641 {
2642 const char use_err[] = "--%s requires --mode server";
2643 /*
2644 * When not in server mode, err if parameters are
2645 * specified which require --mode server.
2646 */
2647 MUST_BE_UNDEF(ifconfig_pool_defined, "ifconfig-pool");
2648 MUST_BE_UNDEF(ifconfig_pool_persist_filename, "ifconfig-pool-persist");
2649 MUST_BE_UNDEF(ifconfig_ipv6_pool_defined, "ifconfig-ipv6-pool");
2650 MUST_BE_UNDEF(real_hash_size, "hash-size");
2651 MUST_BE_UNDEF(virtual_hash_size, "hash-size");
2652 MUST_BE_UNDEF(learn_address_script, "learn-address");
2653 MUST_BE_UNDEF(client_connect_script, "client-connect");
2654 MUST_BE_UNDEF(client_crresponse_script, "client-crresponse");
2655 MUST_BE_UNDEF(client_disconnect_script, "client-disconnect");
2656 MUST_BE_UNDEF(client_config_dir, "client-config-dir");
2657 MUST_BE_UNDEF(ccd_exclusive, "ccd-exclusive");
2658 MUST_BE_UNDEF(enable_c2c, "client-to-client");
2659 MUST_BE_UNDEF(duplicate_cn, "duplicate-cn");
2660 MUST_BE_UNDEF(cf_max, "connect-freq");
2661 MUST_BE_UNDEF(cf_per, "connect-freq");
2662 MUST_BE_FALSE(options->ssl_flags
2663 & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL),
2664 "verify-client-cert");
2665 MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name");
2666 MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional");
2667 MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify");
2668 if (options->server_flags & SF_TCP_NODELAY_HELPER)
2669 {
2670 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2671 "affect the server. To have TCP_NODELAY in both direction use "
2672 "tcp-nodelay in the server configuration instead.");
2673 }
2674 MUST_BE_UNDEF(auth_user_pass_verify_script, "auth-user-pass-verify");
2675 MUST_BE_UNDEF(auth_token_generate, "auth-gen-token");
2676#if PORT_SHARE
2677 if (options->port_share_host || options->port_share_port)
2678 {
2679 msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2680 }
2681#endif
2682 MUST_BE_UNDEF(stale_routes_check_interval, "stale-routes-check");
2683 MUST_BE_UNDEF(vlan_tagging, "vlan-tagging");
2684 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2685 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2686 MUST_BE_UNDEF(force_key_material_export, "force-key-material-export");
2687 }
2688
2689 /*
2690 * SSL/TLS mode sanity checks.
2691 */
2692 if (options->tls_server + options->tls_client
2693 + (options->shared_secret_file != NULL) > 1)
2694 {
2695 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2696 }
2697
2698 if (!options->tls_server && !options->tls_client)
2699 {
2700 int msglevel = M_USAGE;
2701 if (options->allow_deprecated_insecure_static_crypto)
2702 {
2703 msglevel = M_INFO;
2704 }
2705
2706 msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
2707 "configuration detected. OpenVPN 2.8 will remove the "
2708 "functionality to run a VPN without TLS. "
2709 "See the examples section in the manual page for "
2710 "examples of a similar quick setup with peer-fingerprint. "
2711 "OpenVPN 2.7 allows using this configuration when using "
2712 "--allow-deprecated-insecure-static-crypto but you should move "
2713 "to a proper configuration using TLS as soon as possible."
2714 );
2715 }
2716
2717 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2718 {
2719 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2720 "--verify-client-cert none|optional "
2721 "may accept clients which do not present a certificate");
2722 }
2723
2724 const int tls_version_max =
2725 (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
2726 & SSLF_TLS_VERSION_MAX_MASK;
2727 const int tls_version_min =
2728 (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
2729 & SSLF_TLS_VERSION_MIN_MASK;
2730
2731 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2732 {
2733 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2734 }
2735
2736 if (options->tls_server || options->tls_client)
2737 {
2738 check_ca_required(options);
2739#ifdef ENABLE_PKCS11
2740 if (!options->pkcs11_providers[0] && options->pkcs11_id)
2741 {
2742 msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2743 }
2744 else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2745 {
2746 msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2747 }
2748
2749 if (options->pkcs11_providers[0])
2750 {
2751 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2752 {
2753 msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2754 }
2755 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2756 {
2757 msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2758 }
2759 const char use_err[] = "Parameter --%s cannot be used when --pkcs11-provider is also specified.";
2760 MUST_BE_UNDEF(cert_file, "cert");
2761 MUST_BE_UNDEF(priv_key_file, "key");
2762 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2763 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2764 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2765#ifdef ENABLE_CRYPTOAPI
2766 MUST_BE_UNDEF(cryptoapi_cert, "cryptoapicert");
2767#endif
2768 }
2769 else
2770#endif /* ifdef ENABLE_PKCS11 */
2771#ifdef ENABLE_CRYPTOAPI
2772 if (options->cryptoapi_cert)
2773 {
2774 const char use_err[] = "Parameter --%s cannot be used when --cryptoapicert is also specified.";
2775 MUST_BE_UNDEF(cert_file, "cert");
2776 MUST_BE_UNDEF(priv_key_file, "key");
2777 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2778 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2779 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2780 }
2781 else
2782#endif
2783 if (options->pkcs12_file)
2784 {
2785#ifdef ENABLE_CRYPTO_MBEDTLS
2786 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN.");
2787#else
2788 const char use_err[] = "Parameter --%s cannot be used when --pkcs12 is also specified.";
2789 MUST_BE_UNDEF(ca_path, "capath");
2790 MUST_BE_UNDEF(cert_file, "cert");
2791 MUST_BE_UNDEF(priv_key_file, "key");
2792 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2793 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2794#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2795 }
2796 else /* cert/key from none of pkcs11, pkcs12, cryptoapi */
2797 {
2798 if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2799 {
2800 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2801 }
2802 if ((options->management_flags & MF_EXTERNAL_CERT))
2803 {
2804 if (options->cert_file)
2805 {
2806 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2807 }
2808 else if (!(options->management_flags & MF_EXTERNAL_KEY))
2809 {
2810 msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2811 }
2812 }
2813 if (pull)
2814 {
2815
2816 const int sum =
2817 ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2818 + ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2819
2820 if (sum == 0)
2821 {
2822 if (!options->auth_user_pass_file)
2823 {
2824 msg(M_USAGE, "No client-side authentication method is "
2825 "specified. You must use either "
2826 "--cert/--key, --pkcs12, or "
2827 "--auth-user-pass");
2828 }
2829 }
2830 else if (sum != 2)
2831 {
2832 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2833 }
2834 }
2835 else
2836 {
2837 if (!(options->management_flags & MF_EXTERNAL_CERT))
2838 {
2839 notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2840 }
2841 if (!(options->management_flags & MF_EXTERNAL_KEY))
2842 {
2843 notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2844 }
2845 }
2846 }
2847 if (ce->tls_auth_file && ce->tls_crypt_file)
2848 {
2849 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2850 }
2851 if (options->tls_client && ce->tls_crypt_v2_file
2852 && (ce->tls_auth_file || ce->tls_crypt_file))
2853 {
2854 msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2855 }
2856 }
2857 else
2858 {
2859 /*
2860 * Make sure user doesn't specify any TLS options
2861 * when in non-TLS mode.
2862 */
2863
2864 const char use_err[] = "Parameter %s can only be specified in TLS-mode, "
2865 "i.e. where --tls-server or --tls-client is also specified.";
2866
2867 MUST_BE_UNDEF(ca_file, "ca");
2868 MUST_BE_UNDEF(ca_path, "capath");
2869 MUST_BE_UNDEF(dh_file, "dh");
2870 MUST_BE_UNDEF(cert_file, "cert");
2871 MUST_BE_UNDEF(priv_key_file, "key");
2872#ifndef ENABLE_CRYPTO_MBEDTLS
2873 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2874#endif
2875 MUST_BE_UNDEF(cipher_list, "tls-cipher");
2876 MUST_BE_UNDEF(cipher_list_tls13, "tls-ciphersuites");
2877 MUST_BE_UNDEF(tls_cert_profile, "tls-cert-profile");
2878 MUST_BE_UNDEF(tls_verify, "tls-verify");
2879 MUST_BE_UNDEF(tls_export_peer_cert_dir, "tls-export-cert");
2880 MUST_BE_UNDEF(verify_x509_name, "verify-x509-name");
2881 MUST_BE_UNDEF(tls_timeout, "tls-timeout");
2882 MUST_BE_UNDEF(renegotiate_bytes, "reneg-bytes");
2883 MUST_BE_UNDEF(renegotiate_packets, "reneg-pkts");
2884 MUST_BE_UNDEF(renegotiate_seconds, "reneg-sec");
2885 MUST_BE_UNDEF(handshake_window, "hand-window");
2886 MUST_BE_UNDEF(transition_window, "tran-window");
2887 MUST_BE_UNDEF(tls_auth_file, "tls-auth");
2888 MUST_BE_UNDEF(tls_crypt_file, "tls-crypt");
2889 MUST_BE_UNDEF(tls_crypt_v2_file, "tls-crypt-v2");
2890 MUST_BE_UNDEF(single_session, "single-session");
2891 MUST_BE_UNDEF(push_peer_info, "push-peer-info");
2892 MUST_BE_UNDEF(tls_exit, "tls-exit");
2893 MUST_BE_UNDEF(crl_file, "crl-verify");
2894 MUST_BE_UNDEF(ns_cert_type, "ns-cert-type");
2895 MUST_BE_UNDEF(remote_cert_ku[0], "remote-cert-ku");
2896 MUST_BE_UNDEF(remote_cert_eku, "remote-cert-eku");
2897#ifdef ENABLE_PKCS11
2898 MUST_BE_UNDEF(pkcs11_providers[0], "pkcs11-providers");
2899 MUST_BE_UNDEF(pkcs11_private_mode[0], "pkcs11-private-mode");
2900 MUST_BE_UNDEF(pkcs11_id, "pkcs11-id");
2901 MUST_BE_UNDEF(pkcs11_id_management, "pkcs11-id-management");
2902#endif
2903
2904 if (pull)
2905 {
2906 msg(M_USAGE, use_err, "--pull");
2907 }
2908 }
2909 if (options->auth_user_pass_file && !options->pull)
2910 {
2911 msg(M_USAGE, "--auth-user-pass requires --pull");
2912 }
2913
2914 uninit_options(&defaults);
2915}
2916
2917#undef MUST_BE_UNDEF
2918#undef MUST_BE_FALSE
2919
2920static void
2921options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
2922{
2923 const int dev = dev_type_enum(o->dev, o->dev_type);
2924
2925 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
2926 {
2927 if (ce->proto == PROTO_TCP)
2928 {
2929 ce->proto = PROTO_TCP_SERVER;
2930 o->ce.proto = ce->proto;
2931 }
2932 }
2933
2934 if (o->mode != MODE_SERVER)
2935 {
2936 if (ce->proto == PROTO_TCP)
2937 {
2938 ce->proto = PROTO_TCP_CLIENT;
2939 o->ce.proto = ce->proto;
2940 }
2941 }
2942
2943 /* an option is present that requires local bind to enabled */
2944 bool need_bind = ce->local_port_defined || ce->bind_defined || ce->local_list;
2945
2946 /* socks proxy is enabled */
2947 bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
2948
2949 /* If binding is not forced by an explicit option and we have (at least)
2950 * one of --tcp-client, --pull (or --client), or socks we do not bind
2951 * locally to have "normal" IP client behaviour of a random source port */
2952 if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
2953 {
2954 ce->bind_local = false;
2955 }
2956
2957 if (!ce->bind_local)
2958 {
2959 ce->local_port = NULL;
2960 }
2961
2962 /* if protocol forcing is enabled, disable all protocols
2963 * except for the forced one
2964 */
2965 if (o->proto_force >= 0 && o->proto_force != ce->proto)
2966 {
2967 ce->flags |= CE_DISABLED;
2968 }
2969
2970 if (ce->http_proxy_options)
2971 {
2972 ce->http_proxy_options->nocache = ssl_get_auth_nocache();
2973 }
2974
2975 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
2976 * so fall back to IPv4-only (trac #1221)
2977 */
2978 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
2979 {
2980 if (ce->af == AF_INET6)
2981 {
2982 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
2983 "'--socks-proxy' today. Forcing IPv4 mode." );
2984 }
2985 else
2986 {
2987 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
2988 "work correctly with '--socks-proxy' today. Forcing IPv4." );
2989 }
2990 ce->af = AF_INET;
2991 }
2992
2993 /*
2994 * Set MTU defaults
2995 */
2996 {
2997 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
2998 {
2999 ce->tun_mtu_defined = true;
3000 }
3001 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3002 {
3003 ce->tun_mtu_extra_defined = true;
3004 ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
3005 }
3006 }
3007
3008 /*
3009 * If --mssfix is supplied without a parameter or not specified at all,
3010 * default it to --fragment value, if --fragment is specified and otherwise
3011 * to the default if tun-mtu is 1500
3012 */
3013 if (o->ce.mssfix_default)
3014 {
3015#ifdef ENABLE_FRAGMENT
3016 if (ce->fragment)
3017 {
3018 ce->mssfix = ce->fragment;
3019 }
3020 else
3021#endif
3022 if (ce->tun_mtu_defined)
3023 {
3024 if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3025 {
3026 /* We want to only set mssfix default value if we use a default
3027 * MTU Size, otherwise the different size of tun should either
3028 * already solve the problem or mssfix might artifically make the
3029 * payload packets smaller without mssfix 0 */
3030 ce->mssfix = MSSFIX_DEFAULT;
3031 ce->mssfix_encap = true;
3032 }
3033 else
3034 {
3035 /* We still apply the mssfix value but only adjust it to the
3036 * size of the tun interface. */
3037 ce->mssfix = ce->tun_mtu;
3038 ce->mssfix_fixed = true;
3039 }
3040 }
3041 }
3042
3043 /*
3044 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3045 *
3046 * At the end only one of these will be really set because the parser
3047 * logic prevents configurations where more are set.
3048 */
3049 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3050 {
3051 ce->tls_auth_file = o->tls_auth_file;
3052 ce->tls_auth_file_inline = o->tls_auth_file_inline;
3053 ce->key_direction = o->key_direction;
3054
3055 ce->tls_crypt_file = o->tls_crypt_file;
3056 ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3057
3058 ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3059 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3060 }
3061
3062 /* Pre-cache tls-auth/crypt(-v2) key file if
3063 * keys were not already embedded in the config file.
3064 */
3065 connection_entry_preload_key(&ce->tls_auth_file,
3066 &ce->tls_auth_file_inline, &o->gc);
3067 connection_entry_preload_key(&ce->tls_crypt_file,
3068 &ce->tls_crypt_file_inline, &o->gc);
3069 connection_entry_preload_key(&ce->tls_crypt_v2_file,
3070 &ce->tls_crypt_v2_file_inline, &o->gc);
3071
3072
3073 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3074 {
3075 msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3076 ce->explicit_exit_notification = 0;
3077 }
3078}
3079
3080static void
3081options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
3082{
3083 /* use the global port if none is specified */
3084 if (!le->port)
3085 {
3086 le->port = ce->local_port;
3087 }
3088 /* use the global proto if none is specified and
3089 * allow proto bindings on server mode only */
3090 if (!le->proto || mode == MODE_POINT_TO_POINT)
3091 {
3092 le->proto = ce->proto;
3093 }
3094}
3095
3096#ifdef _WIN32
3097/* If iservice is in use, we need def1 method for redirect-gateway */
3098static void
3099remap_redirect_gateway_flags(struct options *opt)
3100{
3101 if (opt->routes
3102 && opt->route_method == ROUTE_METHOD_SERVICE
3103 && opt->routes->flags & RG_REROUTE_GW
3104 && !(opt->routes->flags & RG_DEF1))
3105 {
3106 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3107 opt->routes->flags |= RG_DEF1;
3108 }
3109}
3110#endif
3111
3112/*
3113 * Save/Restore certain option defaults before --pull is applied.
3114 */
3115
3116static void
3117pre_connect_save(struct options *o)
3118{
3119 ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3120 o->pre_connect->tuntap_options = o->tuntap_options;
3121 o->pre_connect->tuntap_options_defined = true;
3122 o->pre_connect->foreign_option_index = o->foreign_option_index;
3123
3124 if (o->routes)
3125 {
3126 o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3127 o->pre_connect->routes_defined = true;
3128 }
3129 if (o->routes_ipv6)
3130 {
3131 o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3132 o->pre_connect->routes_ipv6_defined = true;
3133 }
3134 if (o->client_nat)
3135 {
3136 o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3137 o->pre_connect->client_nat_defined = true;
3138 }
3139
3140 o->pre_connect->route_default_gateway = o->route_default_gateway;
3141 o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3142
3143 o->pre_connect->dns_options = clone_dns_options(&o->dns_options, &o->gc);
3144
3145 /* NCP related options that can be overwritten by a push */
3146 o->pre_connect->ciphername = o->ciphername;
3147 o->pre_connect->authname = o->authname;
3148
3149 /* Ping related options should be reset to the config values on reconnect */
3150 o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3151 o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3152 o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3153
3154 /* Miscellaneous Options */
3155 o->pre_connect->comp = o->comp;
3156}
3157
3158void
3159pre_connect_restore(struct options *o, struct gc_arena *gc)
3160{
3161 const struct options_pre_connect *pp = o->pre_connect;
3162 if (pp)
3163 {
3164 CLEAR(o->tuntap_options);
3165 if (pp->tuntap_options_defined)
3166 {
3167 o->tuntap_options = pp->tuntap_options;
3168 }
3169
3170 if (pp->routes_defined)
3171 {
3172 rol_check_alloc(o);
3173 copy_route_option_list(o->routes, pp->routes, gc);
3174 }
3175 else
3176 {
3177 o->routes = NULL;
3178 }
3179
3180 if (pp->routes_ipv6_defined)
3181 {
3182 rol6_check_alloc(o);
3183 copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3184 }
3185 else
3186 {
3187 o->routes_ipv6 = NULL;
3188 }
3189
3190 o->route_default_gateway = pp->route_default_gateway;
3191 o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3192
3193 /* Free DNS options and reset them to pre-pull state */
3194 gc_free(&o->dns_options.gc);
3195 struct gc_arena dns_gc = gc_new();
3196 o->dns_options = clone_dns_options(&pp->dns_options, &dns_gc);
3197 o->dns_options.gc = dns_gc;
3198
3199 if (pp->client_nat_defined)
3200 {
3201 cnol_check_alloc(o);
3202 copy_client_nat_option_list(o->client_nat, pp->client_nat);
3203 }
3204 else
3205 {
3206 o->client_nat = NULL;
3207 }
3208
3209 o->foreign_option_index = pp->foreign_option_index;
3210
3211 o->ciphername = pp->ciphername;
3212 o->authname = pp->authname;
3213
3214 o->ping_rec_timeout = pp->ping_rec_timeout;
3215 o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3216 o->ping_send_timeout = pp->ping_send_timeout;
3217
3218 /* Miscellaneous Options */
3219 o->comp = pp->comp;
3220 }
3221
3222 o->push_continuation = 0;
3223 o->push_option_types_found = 0;
3224 o->imported_protocol_flags = 0;
3225}
3226
3227static void
3228options_postprocess_mutate_invariant(struct options *options)
3229{
3230#ifdef _WIN32
3231 const int dev = dev_type_enum(options->dev, options->dev_type);
3232
3233 /* when using ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3234 if ((options->windows_driver == DRIVER_DCO)
3235 && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3236 || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3237 {
3238 options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3239 }
3240
3241 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3242 {
3243 /* delay may only be necessary when we perform DHCP handshake */
3244 const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3245 || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3246 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3247 {
3248 options->route_delay_defined = true;
3249 options->route_delay = 5; /* Vista sometimes has a race without this */
3250 }
3251 }
3252
3253 if (options->ifconfig_noexec)
3254 {
3255 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3256 options->ifconfig_noexec = false;
3257 }
3258
3259 remap_redirect_gateway_flags(options);
3260
3261 /*
3262 * Check consistency of --mode server options.
3263 */
3264 if (options->mode == MODE_SERVER)
3265 {
3266 /*
3267 * We need to explicitly set --tap-sleep because
3268 * we do not schedule event timers in the top-level context.
3269 */
3270 options->tuntap_options.tap_sleep = 10;
3271 if (options->route_delay_defined && options->route_delay)
3272 {
3273 options->tuntap_options.tap_sleep = options->route_delay;
3274 }
3275 options->route_delay_defined = false;
3276 }
3277#endif /* ifdef _WIN32 */
3278
3279#ifdef DEFAULT_PKCS11_MODULE
3280 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3281 * by default if the user asks for PKCS#11 without otherwise specifying
3282 * the module to use. */
3283 if (!options->pkcs11_providers[0]
3284 && (options->pkcs11_id || options->pkcs11_id_management))
3285 {
3286 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3287 }
3288#endif
3289}
3290
3291static void
3292options_postprocess_verify(const struct options *o)
3293{
3294 if (o->connection_list)
3295 {
3296 int i;
3297 for (i = 0; i < o->connection_list->len; ++i)
3298 {
3299 options_postprocess_verify_ce(o, o->connection_list->array[i]);
3300 }
3301 }
3302 else
3303 {
3304 options_postprocess_verify_ce(o, &o->ce);
3305 }
3306
3307 dns_options_verify(M_FATAL, &o->dns_options);
3308
3309 if (dco_enabled(o) && o->enable_c2c)
3310 {
3311 msg(M_WARN, "Note: --client-to-client has no effect when using data "
3312 "channel offload: packets are always sent to the VPN "
3313 "interface and then routed based on the system routing table");
3314 }
3315}
3316
3317static void
3318options_postprocess_cipher(struct options *o)
3319{
3320 if (!o->pull && !(o->mode == MODE_SERVER))
3321 {
3322 /* If the cipher is not set, use the old default of BF-CBC. We will
3323 * warn that this is deprecated on cipher initialisation, no need
3324 * to warn here as well */
3325 if (!o->ciphername)
3326 {
3327 o->ciphername = "BF-CBC";
3328 }
3329 else
3330 {
3331 o->enable_ncp_fallback = true;
3332 }
3333 return;
3334 }
3335
3336 /* pull or P2MP mode */
3337 if (!o->ciphername)
3338 {
3339 /* We still need to set the ciphername to BF-CBC since various other
3340 * parts of OpenVPN assert that the ciphername is set */
3341 o->ciphername = "BF-CBC";
3342
3343 msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
3344 "defaulted to BF-CBC as fallback when cipher negotiation "
3345 "failed in this case. If you need this fallback please add "
3346 "'--data-ciphers-fallback BF-CBC' to your configuration "
3347 "and/or add BF-CBC to --data-ciphers. E.g. "
3348 "--data-ciphers %s:BF-CBC", o->ncp_ciphers_conf);
3349 }
3350 else if (!o->enable_ncp_fallback
3351 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3352 {
3353 msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3354 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3355 "negotiations. ",
3356 o->ciphername, o->ncp_ciphers_conf);
3357 }
3358}
3359
3375static bool
3376need_compatibility_before(const struct options *o, unsigned int version)
3377{
3378 return o->backwards_compatible != 0 && o->backwards_compatible < version;
3379}
3380
3385static void
3386options_set_backwards_compatible_options(struct options *o)
3387{
3388 /* TLS min version is not set */
3389 int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
3390 & SSLF_TLS_VERSION_MIN_MASK;
3391 if (tls_ver_min == 0)
3392 {
3393 int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
3394 & SSLF_TLS_VERSION_MAX_MASK;
3395 if (need_compatibility_before(o, 20307))
3396 {
3397 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3398 o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3399 }
3400 else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3401 {
3402 /* Use TLS 1.2 as proper default */
3403 o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3404 }
3405 else
3406 {
3407 /* Maximize the minimum version */
3408 o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3409 }
3410 }
3411
3412 if (need_compatibility_before(o, 20400))
3413 {
3414 if (!o->ciphername)
3415 {
3416 /* If ciphername is not set default to BF-CBC when targeting these
3417 * old versions that do not have NCP */
3418 o->ciphername = "BF-CBC";
3419 }
3420 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3421 * not have OCC strings required for "poor man's NCP" */
3422 o->enable_ncp_fallback = true;
3423 }
3424
3425 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3426 * Version 2.4 probably does not need it but NCP was not so
3427 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3428 * Only do this iff --cipher is set (explicitly or by compat mode
3429 * < 2.4.0, see above). This is not 100% correct backwards compatible
3430 * behaviour but 2.5 already behaved like this */
3431 if (o->ciphername && need_compatibility_before(o, 20500)
3432 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3433 {
3434 append_cipher_to_ncp_list(o, o->ciphername);
3435 }
3436
3437#ifdef USE_COMP
3438 /* Compression is deprecated and we do not want to announce support for it
3439 * by default anymore, additionally DCO breaks with compression.
3440 *
3441 * Disable compression by default starting with 2.6.0 if no other
3442 * compression related option has been explicitly set */
3443 if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
3444 {
3445 if (!comp_non_stub_enabled(&o->comp))
3446 {
3447 o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
3448 }
3449 }
3450#else /* ifdef USE_COMP */
3451 o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;
3452#endif
3453}
3454
3455static void
3456options_process_mutate_prf(struct options *o)
3457{
3458 if (!check_tls_prf_working())
3459 {
3460 msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
3461 "supported by the TLS library. Your system does not support this "
3462 "calculation anymore or your security policy (e.g. FIPS 140-2) "
3463 "forbids it. Connections will only work with peers running "
3464 "OpenVPN 2.6.0 or higher)");
3465 if (o->mode == MODE_SERVER)
3466 {
3467 msg(M_WARN, "Automatically enabling option "
3468 "--force-tls-key-material-export");
3469 o->force_key_material_export = true;
3470 }
3471
3472 }
3473}
3474
3475#if defined(_WIN32) || defined(TARGET_ANDROID)
3484static void
3485tuntap_options_postprocess_dns(struct options *o)
3486{
3487 struct dns_options *dns = &o->dns_options;
3488 struct tuntap_options *tt = &o->tuntap_options;
3489 if (!dns->servers)
3490 {
3491 /* Copy --dhcp-options to tuntap_options */
3492 struct dhcp_options *dhcp = &dns->from_dhcp;
3493 assert(sizeof(dhcp->dns) == sizeof(tt->dns));
3494 assert(sizeof(dhcp->dns6) == sizeof(tt->dns6));
3495 assert(sizeof(dhcp->domain_search_list) == sizeof(tt->domain_search_list));
3496
3497 tt->domain = dhcp->domain;
3498 tt->dns_len = dhcp->dns_len;
3499 tt->dns6_len = dhcp->dns6_len;
3500
3501 memcpy(tt->dns, dhcp->dns, sizeof(tt->dns));
3502 memcpy(tt->dns6, dhcp->dns6, sizeof(tt->dns6));
3503
3504 tt->domain_search_list_len = dhcp->domain_search_list_len;
3505 for (size_t i = 0; i < SIZE(tt->domain_search_list); ++i)
3506 {
3507 tt->domain_search_list[i] = dhcp->domain_search_list[i];
3508 }
3509
3510 return;
3511 }
3512
3513#if defined(_WIN32)
3514 if (tt->ip_win32_type != IPW32_SET_DHCP_MASQ && tt->ip_win32_type != IPW32_SET_ADAPTIVE)
3515 {
3516 return; /* Not in DHCP mode */
3517 }
3518#endif /* if defined(_WIN32) */
3519
3520 /* Copy --dns options to tuntap_options */
3521 const struct dns_domain *d = dns->search_domains;
3522 while (d && tt->domain_search_list_len + 1 < N_SEARCH_LIST_LEN)
3523 {
3524 tt->domain_search_list[tt->domain_search_list_len++] = d->name;
3525 d = d->next;
3526 }
3527 if (d)
3528 {
3529 msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to TUN/TAP");
3530 }
3531
3532 const struct dns_server *s = dns->servers;
3533 while (s)
3534 {
3535 bool non_standard_server_port = false;
3536 for (int i = 0; i < s->addr_count; ++i)
3537 {
3538 if (s->addr[i].port && s->addr[i].port != 53)
3539 {
3540 non_standard_server_port = true;
3541 break;
3542 }
3543 }
3544 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3545 || (s->dnssec && s->dnssec != DNS_SECURITY_NO)
3546 || non_standard_server_port)
3547 {
3548 /* Skip servers requiring unsupported config to be set */
3549 s = s->next;
3550 }
3551 else
3552 {
3553 bool overflow = false;
3554 for (int i = 0; i < s->addr_count; ++i)
3555 {
3556 if (s->addr[i].family == AF_INET && tt->dns_len + 1 < N_DHCP_ADDR)
3557 {
3558 tt->dns[tt->dns_len++] = s->addr[i].in.a4.s_addr;
3559 }
3560 else if (tt->dns6_len + 1 < N_DHCP_ADDR)
3561 {
3562 tt->dns6[tt->dns6_len++] = s->addr[i].in.a6;
3563 }
3564 else
3565 {
3566 overflow = true;
3567 }
3568 }
3569 if (overflow)
3570 {
3571 msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to TUN/TAP");
3572 }
3573 return;
3574 }
3575 }
3576}
3577
3578#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3579
3590static void
3591dhcp_options_postprocess_dns(struct options *o, struct env_set *es)
3592{
3593 struct gc_arena gc = gc_new();
3594 struct dns_options *dns = &o->dns_options;
3595
3596 if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns))
3597 {
3598 /* Clean up env from --dhcp-option DNS config */
3599 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3600 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3601
3602 const int fo_count = o->foreign_option_index;
3603 o->foreign_option_index = 0;
3604
3605 for (int i = 1; i <= fo_count; ++i)
3606 {
3607 buf_clear(&name);
3608 buf_printf(&name, "foreign_option_%d", i);
3609 const char *env_str = env_set_get(es, BSTR(&name));
3610 const char *item_val = strchr(env_str, '=') + 1;
3611 buf_clear(&value);
3612 buf_printf(&value, "%s", item_val);
3613
3614 /* Remove foreign option item from env set */
3615 env_set_del(es, BSTR(&name));
3616
3617 item_val = BSTR(&value);
3618 if (strncmp(item_val, "dhcp-option ", 12) != 0
3619 || (strncmp(item_val + 12, "ADAPTER-DOMAIN-SUFFIX ", 22) != 0
3620 && strncmp(item_val + 12, "DOMAIN-SEARCH ", 14) != 0
3621 && strncmp(item_val + 12, "DOMAIN ", 7) != 0
3622 && strncmp(item_val + 12, "DNS6 ", 5) != 0
3623 && strncmp(item_val + 12, "DNS ", 4) != 0))
3624 {
3625 /* Re-set the item with potentially updated name */
3626 buf_clear(&name);
3627 buf_printf(&name, "foreign_option_%d", ++o->foreign_option_index);
3628 setenv_str(es, BSTR(&name), BSTR(&value));
3629 }
3630 }
3631 }
3632
3633 if (!dns->servers)
3634 {
3635 /* Copy --dhcp-options to dns_options */
3636 struct dhcp_options *dhcp = &dns->from_dhcp;
3637
3638 if (dhcp->dns_len || dhcp->dns6_len)
3639 {
3640 struct dns_domain **entry = &dns->search_domains;
3641 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3642 struct dns_domain *new = *entry;
3643 new->name = dhcp->domain;
3644 entry = &new->next;
3645
3646 for (size_t i = 0; i < dhcp->domain_search_list_len; ++i)
3647 {
3648 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3649 struct dns_domain *new = *entry;
3650 new->name = dhcp->domain_search_list[i];
3651 entry = &new->next;
3652 }
3653
3654 struct dns_server *server = dns_server_get(&dns->servers, 0, &dns->gc);
3655 const size_t max_addrs = SIZE(server->addr);
3656 for (size_t i = 0; i < dhcp->dns_len && server->addr_count < max_addrs; ++i)
3657 {
3658 server->addr[server->addr_count].in.a4.s_addr = htonl(dhcp->dns[i]);
3659 server->addr[server->addr_count].family = AF_INET;
3660 server->addr_count += 1;
3661 }
3662 for (size_t i = 0; i < dhcp->dns6_len && server->addr_count < max_addrs; ++i)
3663 {
3664 server->addr[server->addr_count].in.a6 = dhcp->dns6[i];
3665 server->addr[server->addr_count].family = AF_INET6;
3666 server->addr_count += 1;
3667 }
3668 }
3669 }
3670 else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))
3671 {
3672 /* Set foreign option env vars from --dns config */
3673 const char *p[] = { "dhcp-option", NULL, NULL };
3674 size_t p_len = sizeof(p) / sizeof(p[0]);
3675
3676 p[1] = "DOMAIN";
3677 const struct dns_domain *d = dns->search_domains;
3678 while (d)
3679 {
3680 p[2] = d->name;
3681 setenv_foreign_option(o, (const char **)p, p_len, es);
3682 d = d->next;
3683 }
3684
3685 const struct dns_server *s = dns->servers;
3686 while (s)
3687 {
3688 bool non_standard_server_port = false;
3689 for (int i = 0; i < s->addr_count; ++i)
3690 {
3691 if (s->addr[i].port && s->addr[i].port != 53)
3692 {
3693 non_standard_server_port = true;
3694 break;
3695 }
3696 }
3697 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3698 || (s->dnssec && s->dnssec != DNS_SECURITY_NO)
3699 || non_standard_server_port)
3700 {
3701 /* Skip servers requiring unsupported config to be set */
3702 s = s->next;
3703 }
3704 else
3705 {
3706 for (int i = 0; i < s->addr_count; ++i)
3707 {
3708 if (s->addr[i].family == AF_INET)
3709 {
3710 p[1] = "DNS";
3711 p[2] = print_in_addr_t(s->addr[i].in.a4.s_addr, IA_NET_ORDER, &gc);
3712 }
3713 else
3714 {
3715 p[1] = "DNS6";
3716 p[2] = print_in6_addr(s->addr[i].in.a6, 0, &gc);
3717 }
3718 setenv_foreign_option(o, (const char **)p, p_len, es);
3719 }
3720 break;
3721 }
3722 }
3723 }
3724
3725 gc_free(&gc);
3726}
3727#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3728
3729static void
3730options_postprocess_mutate(struct options *o, struct env_set *es)
3731{
3732 int i;
3733 /*
3734 * Process helper-type options which map to other, more complex
3735 * sequences of options.
3736 */
3737 helper_client_server(o);
3738 /* must be called after helpers that might set --mode */
3739 helper_setdefault_topology(o);
3740 helper_keepalive(o);
3741 helper_tcp_nodelay(o);
3742
3743 options_postprocess_setdefault_ncpciphers(o);
3744 options_set_backwards_compatible_options(o);
3745 options_process_mutate_prf(o);
3746
3747 options_postprocess_cipher(o);
3748 o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3749 if (o->ncp_ciphers == NULL)
3750 {
3751 msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3752 }
3753
3754 if (o->remote_list && !o->connection_list)
3755 {
3756 /*
3757 * Convert remotes into connection list
3758 */
3759 const struct remote_list *rl = o->remote_list;
3760 for (i = 0; i < rl->len; ++i)
3761 {
3762 const struct remote_entry *re = rl->array[i];
3763 struct connection_entry ce = o->ce;
3764 struct connection_entry *ace;
3765
3766 ASSERT(re->remote);
3767 connection_entry_load_re(&ce, re);
3768 ace = alloc_connection_entry(o, M_USAGE);
3769 ASSERT(ace);
3770 *ace = ce;
3771 }
3772 }
3773 else if (!o->remote_list && !o->connection_list)
3774 {
3775 struct connection_entry *ace;
3776 ace = alloc_connection_entry(o, M_USAGE);
3777 ASSERT(ace);
3778 *ace = o->ce;
3779 }
3780
3781 ASSERT(o->connection_list);
3782 for (i = 0; i < o->connection_list->len; ++i)
3783 {
3784 options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3785 }
3786
3787 if (o->ce.local_list)
3788 {
3789 for (i = 0; i < o->ce.local_list->len; i++)
3790 {
3791 options_postprocess_mutate_le(&o->ce, o->ce.local_list->array[i], o->mode);
3792 }
3793
3794 for (int i = 0; i < o->ce.local_list->len; i++)
3795 {
3796 if (o->ce.local_list->array[i]->proto == PROTO_TCP)
3797 {
3798 o->ce.local_list->array[i]->proto = PROTO_TCP_SERVER;
3799 }
3800 else if (o->ce.local_list->array[i]->proto == PROTO_NONE)
3801 {
3802 o->ce.local_list->array[i]->proto = o->ce.proto;
3803 }
3804 }
3805 }
3806 else
3807 {
3808 /* if no 'local' directive was specified, convert the global port
3809 * setting to a listen entry */
3810 struct local_entry *e = alloc_local_entry(&o->ce, M_USAGE, &o->gc);
3811 ASSERT(e);
3812 e->port = o->ce.local_port;
3813 e->proto = o->ce.proto;
3814 }
3815
3816 /* use the same listen list for every outgoing connection */
3817 for (i = 0; i < o->connection_list->len; ++i)
3818 {
3819 o->connection_list->array[i]->local_list = o->ce.local_list;
3820 }
3821
3822 if (o->tls_server)
3823 {
3824 if (o->dh_file && streq(o->dh_file, "none"))
3825 {
3826 o->dh_file = NULL;
3827 }
3828 }
3829 else if (o->dh_file)
3830 {
3831 /* DH file is only meaningful in a tls-server context. */
3832 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3833 "include this in your server configuration");
3834 o->dh_file = NULL;
3835 }
3836#if ENABLE_MANAGEMENT
3837 if (o->http_proxy_override)
3838 {
3839 options_postprocess_http_proxy_override(o);
3840 }
3841#endif
3842 if (!o->ca_file && !o->ca_path && o->verify_hash
3843 && o->verify_hash_depth == 0)
3844 {
3845 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3846 "option set). ");
3847 o->verify_hash_no_ca = true;
3848 }
3849
3850 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3851 {
3852 msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3853 "incompatible with each other.");
3854 }
3855
3856 if (dco_enabled(o))
3857 {
3858 /* check if any option should force disabling DCO */
3859 o->disable_dco = !dco_check_option(D_DCO, o)
3860 || !dco_check_startup_option(D_DCO, o);
3861 }
3862#ifdef USE_COMP
3863 if (dco_enabled(o))
3864 {
3865 o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY;
3866 }
3867#endif
3868
3869#ifdef _WIN32
3870 if (dco_enabled(o))
3871 {
3872 o->windows_driver = DRIVER_DCO;
3873 }
3874 else
3875 {
3876 if (o->windows_driver == DRIVER_DCO)
3877 {
3878 msg(M_WARN, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3879 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3880 }
3881 else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED)
3882 {
3883 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3884 }
3885 }
3886#else /* _WIN32 */
3887 if (dco_enabled(o) && o->dev_node)
3888 {
3889 msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3890 "data channel offload");
3891 o->dev_node = NULL;
3892 }
3893#endif /* _WIN32 */
3894
3895 /* this depends on o->windows_driver, which is set above */
3896 options_postprocess_mutate_invariant(o);
3897
3898 /* check that compression settings in the options are okay */
3899 check_compression_settings_valid(&o->comp, M_USAGE);
3900
3901 /*
3902 * Save certain parms before modifying options during connect, especially
3903 * when using --pull
3904 */
3905 if (o->pull)
3906 {
3907 dns_options_preprocess_pull(&o->dns_options);
3908 }
3909 else
3910 {
3911#if defined(_WIN32) || defined(TARGET_ANDROID)
3912 tuntap_options_postprocess_dns(o);
3913#else
3914 dhcp_options_postprocess_dns(o, es);
3915#endif
3916 }
3917 if (o->auth_token_generate && !o->auth_token_renewal)
3918 {
3919 o->auth_token_renewal = o->renegotiate_seconds;
3920 }
3921 pre_connect_save(o);
3922}
3923
3924/*
3925 * Check file/directory sanity
3926 *
3927 */
3928#ifndef ENABLE_SMALL /* Expect people using the stripped down version to know what they do */
3929
3930#define CHKACC_FILE (1<<0)
3931#define CHKACC_DIRPATH (1<<1)
3932#define CHKACC_FILEXSTWR (1<<2)
3933#define CHKACC_ACPTSTDIN (1<<3)
3934#define CHKACC_PRIVATE (1<<4)
3935#define CHKACC_ACCEPT_URI (1<<5)
3937static bool
3938check_file_access(const int type, const char *file, const int mode, const char *opt)
3939{
3940 int errcode = 0;
3941
3942 /* If no file configured, no errors to look for */
3943 if (!file)
3944 {
3945 return false;
3946 }
3947
3948 /* If stdin is allowed and the file name is 'stdin', then do no
3949 * further checks as stdin is always available
3950 */
3951 if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3952 {
3953 return false;
3954 }
3955
3956 /* file name is a URI if its first segment has ":" (i.e., before any "/")
3957 * Then no checks done if CHKACC_ACCEPT_URI is set and the URI does not start with "file:"
3958 */
3959 if ((type & CHKACC_ACCEPT_URI) && strchr(file, ':'))
3960 {
3961 if (!strncmp(file, "file:", 5))
3962 {
3963 file += 5;
3964 }
3965 else if (!strchr(file, '/') || strchr(file, '/') > strchr(file, ':'))
3966 {
3967 return false;
3968 }
3969 }
3970
3971 /* Is the directory path leading to the given file accessible? */
3972 if (type & CHKACC_DIRPATH)
3973 {
3974 char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3975 char *dirpath = dirname(fullpath);
3976
3977 if (platform_access(dirpath, mode|X_OK) != 0)
3978 {
3979 errcode = errno;
3980 }
3981 free(fullpath);
3982 }
3983
3984 /* Is the file itself accessible? */
3985 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3986 {
3987 errcode = errno;
3988 }
3989
3990 /* If the file exists and is accessible, is it writable? */
3991 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3992 {
3993 if (platform_access(file, W_OK) != 0)
3994 {
3995 errcode = errno;
3996 }
3997 }
3998
3999 /* Warn if a given private file is group/others accessible. */
4000 if (type & CHKACC_PRIVATE)
4001 {
4002 platform_stat_t st;
4003 if (platform_stat(file, &st))
4004 {
4005 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
4006 }
4007#ifndef _WIN32
4008 else
4009 {
4010 if (st.st_mode & (S_IRWXG|S_IRWXO))
4011 {
4012 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
4013 }
4014 }
4015#endif
4016 }
4017
4018 /* Scream if an error is found */
4019 if (errcode > 0)
4020 {
4021 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
4022 }
4023
4024 /* Return true if an error occurred */
4025 return (errcode != 0 ? true : false);
4026}
4027
4028/* A wrapper for check_file_access() which also takes a chroot directory.
4029 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
4030 * otherwise it will look for the file inside the given chroot directory instead.
4031 */
4032static bool
4033check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
4034{
4035 bool ret = false;
4036
4037 /* If no file configured, no errors to look for */
4038 if (!file)
4039 {
4040 return false;
4041 }
4042
4043 /* If chroot is set, look for the file/directory inside the chroot */
4044 if (chroot)
4045 {
4046 struct gc_arena gc = gc_new();
4047 struct buffer chroot_file;
4048
4049 chroot_file = prepend_dir(chroot, file, &gc);
4050 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
4051 gc_free(&gc);
4052 }
4053 else
4054 {
4055 /* No chroot in play, just call core file check function */
4056 ret = check_file_access(type, file, mode, opt);
4057 }
4058 return ret;
4059}
4060
4065static bool
4066check_file_access_chroot_inline(bool is_inline, const char *chroot,
4067 const int type, const char *file,
4068 const int mode, const char *opt)
4069{
4070 if (is_inline)
4071 {
4072 return false;
4073 }
4074
4075 return check_file_access_chroot(chroot, type, file, mode, opt);
4076}
4077
4082static bool
4083check_file_access_inline(bool is_inline, const int type, const char *file,
4084 const int mode, const char *opt)
4085{
4086 if (is_inline)
4087 {
4088 return false;
4089 }
4090
4091 return check_file_access(type, file, mode, opt);
4092}
4093
4094/*
4095 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
4096 * valid file with appropriate permissions.
4097 *
4098 * "command" consists of a path, optionally followed by a space, which may be
4099 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
4100 * performed.
4101 *
4102 * The path and arguments in "command" may be single- or double-quoted or escaped.
4103 *
4104 * The path is extracted from "command", then check_file_access() is called to check it. The
4105 * arguments, if any, are ignored.
4106 *
4107 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
4108 * check_file_access() arguments.
4109 */
4110static bool
4111check_cmd_access(const char *command, const char *opt, const char *chroot)
4112{
4113 struct argv argv;
4114 bool return_code;
4115
4116 /* If no command was set, there are no errors to look for */
4117 if (!command)
4118 {
4119 return false;
4120 }
4121
4122 /* Extract executable path and arguments */
4123 argv = argv_new();
4124 argv_parse_cmd(&argv, command);
4125
4126 /* if an executable is specified then check it; otherwise, complain */
4127 if (argv.argv[0])
4128 {
4129 /* Scripts requires R_OK as well, but that might fail on binaries which
4130 * only requires X_OK to function on Unix - a scenario not unlikely to
4131 * be seen on suid binaries.
4132 */
4133 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
4134 }
4135 else
4136 {
4137 msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
4138 opt, command);
4139 return_code = true;
4140 }
4141
4142 argv_free(&argv);
4143
4144 return return_code;
4145}
4146
4147/*
4148 * Sanity check of all file/dir options. Checks that file/dir
4149 * is accessible by OpenVPN
4150 */
4151static void
4152options_postprocess_filechecks(struct options *options)
4153{
4154 bool errs = false;
4155
4156 /* ** SSL/TLS/crypto related files ** */
4157 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
4158 options->dh_file, R_OK, "--dh");
4159
4160 if (!options->verify_hash_no_ca)
4161 {
4162 errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
4163 options->ca_file, R_OK, "--ca");
4164 }
4165
4166 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4167 options->ca_path, R_OK, "--capath");
4168
4169 errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE|CHKACC_ACCEPT_URI,
4170 options->cert_file, R_OK, "--cert");
4171
4172 errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
4173 options->extra_certs_file, R_OK,
4174 "--extra-certs");
4175
4176 if (!(options->management_flags & MF_EXTERNAL_KEY))
4177 {
4178 errs |= check_file_access_inline(options->priv_key_file_inline,
4179 CHKACC_FILE|CHKACC_PRIVATE|CHKACC_ACCEPT_URI,
4180 options->priv_key_file, R_OK, "--key");
4181 }
4182
4183 errs |= check_file_access_inline(options->pkcs12_file_inline,
4184 CHKACC_FILE|CHKACC_PRIVATE,
4185 options->pkcs12_file, R_OK, "--pkcs12");
4186
4187 if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
4188 {
4189 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4190 options->crl_file, R_OK|X_OK,
4191 "--crl-verify directory");
4192 }
4193 else
4194 {
4195 errs |= check_file_access_chroot_inline(options->crl_file_inline,
4196 options->chroot_dir,
4197 CHKACC_FILE, options->crl_file,
4198 R_OK, "--crl-verify");
4199 }
4200
4201 if (options->tls_export_peer_cert_dir)
4202 {
4203 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4204 options->tls_export_peer_cert_dir,
4205 W_OK, "--tls-export-cert");
4206 }
4207
4208 ASSERT(options->connection_list);
4209 for (int i = 0; i < options->connection_list->len; ++i)
4210 {
4211 struct connection_entry *ce = options->connection_list->array[i];
4212
4213 errs |= check_file_access_inline(ce->tls_auth_file_inline,
4214 CHKACC_FILE|CHKACC_PRIVATE,
4215 ce->tls_auth_file, R_OK,
4216 "--tls-auth");
4217 errs |= check_file_access_inline(ce->tls_crypt_file_inline,
4218 CHKACC_FILE|CHKACC_PRIVATE,
4219 ce->tls_crypt_file, R_OK,
4220 "--tls-crypt");
4221 errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline,
4222 CHKACC_FILE|CHKACC_PRIVATE,
4223 ce->tls_crypt_v2_file, R_OK,
4224 "--tls-crypt-v2");
4225 }
4226
4227 errs |= check_file_access_inline(options->shared_secret_file_inline,
4228 CHKACC_FILE|CHKACC_PRIVATE,
4229 options->shared_secret_file, R_OK,
4230 "--secret");
4231
4232 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
4233 options->packet_id_file, R_OK|W_OK, "--replay-persist");
4234
4235 /* ** Password files ** */
4236 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4237 options->key_pass_file, R_OK, "--askpass");
4238#ifdef ENABLE_MANAGEMENT
4239 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4240 options->management_user_pass, R_OK,
4241 "--management user/password file");
4242#endif /* ENABLE_MANAGEMENT */
4243 errs |= check_file_access_inline(options->auth_user_pass_file_inline,
4244 CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4245 options->auth_user_pass_file, R_OK,
4246 "--auth-user-pass");
4247 /* ** System related ** */
4248 errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
4249 R_OK|X_OK, "--chroot directory");
4250 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
4251 R_OK|W_OK, "--writepid");
4252
4253 /* ** Log related ** */
4254 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
4255 R_OK|W_OK, "--status");
4256
4257 /* ** Config related ** */
4258 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4259 R_OK|X_OK, "--client-config-dir");
4260 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4261 R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
4262
4263 if (errs)
4264 {
4265 msg(M_USAGE, "Please correct these errors.");
4266 }
4267}
4268#endif /* !ENABLE_SMALL */
4269
4270/*
4271 * Sanity check on options.
4272 * Also set some options based on other
4273 * options.
4274 */
4275void
4276options_postprocess(struct options *options, struct env_set *es)
4277{
4278 options_postprocess_mutate(options, es);
4279 options_postprocess_verify(options);
4280#ifndef ENABLE_SMALL
4281 options_postprocess_filechecks(options);
4282#endif /* !ENABLE_SMALL */
4283}
4284
4285/*
4286 * Sanity check on options after more options were pulled from server.
4287 * Also time to modify some options based on other options.
4288 */
4289bool
4290options_postprocess_pull(struct options *o, struct env_set *es)
4291{
4292 bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4293 if (success)
4294 {
4295 dns_options_postprocess_pull(&o->dns_options);
4296#if defined(_WIN32) || defined(TARGET_ANDROID)
4297 tuntap_options_postprocess_dns(o);
4298#else
4299 dhcp_options_postprocess_dns(o, es);
4300#endif
4301 }
4302 return success;
4303}
4304
4305/*
4306 * Build an options string to represent data channel encryption options.
4307 * This string must match exactly between peers. The keysize is checked
4308 * separately by read_key().
4309 *
4310 * The following options must match on both peers:
4311 *
4312 * Tunnel options:
4313 *
4314 * --dev tun|tap [unit number need not match]
4315 * --dev-type tun|tap
4316 * --link-mtu
4317 * --udp-mtu
4318 * --tun-mtu
4319 * --proto udp
4320 * --proto tcp-client [matched with --proto tcp-server
4321 * on the other end of the connection]
4322 * --proto tcp-server [matched with --proto tcp-client on
4323 * the other end of the connection]
4324 * --tun-ipv6
4325 * --ifconfig x y [matched with --ifconfig y x on
4326 * the other end of the connection]
4327 *
4328 * --comp-lzo
4329 * --compress alg
4330 * --fragment
4331 *
4332 * Crypto Options:
4333 *
4334 * --cipher
4335 * --auth
4336 * --secret
4337 *
4338 * SSL Options:
4339 *
4340 * --tls-auth
4341 * --tls-client [matched with --tls-server on
4342 * the other end of the connection]
4343 * --tls-server [matched with --tls-client on
4344 * the other end of the connection]
4345 */
4346char *
4347options_string(const struct options *o,
4348 const struct frame *frame,
4349 struct tuntap *tt,
4350 openvpn_net_ctx_t *ctx,
4351 bool remote,
4352 struct gc_arena *gc)
4353{
4354 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4355 bool tt_local = false;
4356
4357 buf_printf(&out, "V4");
4358
4359 /*
4360 * Tunnel Options
4361 */
4362
4363 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4364 /* the link-mtu that we send has only a meaning if have a fixed
4365 * cipher (p2p) or have a fallback cipher configured for older non
4366 * ncp clients. But not sending it will make even 2.4 complain
4367 * about it being missing. So still send it. */
4368 buf_printf(&out, ",link-mtu %u",
4369 (unsigned int) calc_options_string_link_mtu(o, frame));
4370
4371 if (o->ce.occ_mtu != 0)
4372 {
4373 buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4374 }
4375 else
4376 {
4377 buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4378 }
4379
4380 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4381
4382 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4383 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4384 * is usually pushed by the server, triggering a non-helpful warning
4385 */
4386 if (o->ifconfig_ipv6_local && p2p_nopull)
4387 {
4388 buf_printf(&out, ",tun-ipv6");
4389 }
4390
4391 /*
4392 * Try to get ifconfig parameters into the options string.
4393 * If tt is undefined, make a temporary instantiation.
4394 */
4395 if (!tt)
4396 {
4397 tt = init_tun(o->dev,
4398 o->dev_type,
4399 o->topology,
4400 o->ifconfig_local,
4401 o->ifconfig_remote_netmask,
4402 o->ifconfig_ipv6_local,
4403 o->ifconfig_ipv6_netbits,
4404 o->ifconfig_ipv6_remote,
4405 NULL,
4406 NULL,
4407 false,
4408 NULL,
4409 ctx,
4410 NULL);
4411 if (tt)
4412 {
4413 tt_local = true;
4414 }
4415 }
4416
4417 if (tt && p2p_nopull)
4418 {
4419 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4420 if (ios && strlen(ios))
4421 {
4422 buf_printf(&out, ",ifconfig %s", ios);
4423 }
4424 }
4425 if (tt_local)
4426 {
4427 free(tt);
4428 tt = NULL;
4429 }
4430
4431#ifdef USE_COMP
4432 if (o->comp.alg != COMP_ALG_UNDEF)
4433 {
4434 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
4435 }
4436#endif
4437
4438#ifdef ENABLE_FRAGMENT
4439 if (o->ce.fragment)
4440 {
4441 buf_printf(&out, ",mtu-dynamic");
4442 }
4443#endif
4444
4445#define TLS_CLIENT (o->tls_client)
4446#define TLS_SERVER (o->tls_server)
4447
4448 /*
4449 * Key direction
4450 */
4451 {
4452 const char *kd = keydirection2ascii(o->key_direction, remote, false);
4453 if (kd)
4454 {
4455 buf_printf(&out, ",keydir %s", kd);
4456 }
4457 }
4458
4459 /*
4460 * Crypto Options
4461 */
4462 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4463 {
4464 struct key_type kt;
4465
4466 ASSERT((o->shared_secret_file != NULL)
4467 + (TLS_CLIENT == true)
4468 + (TLS_SERVER == true)
4469 <= 1);
4470
4471 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4472 * to work here in the default configuration */
4473 const char *ciphername = o->ciphername;
4474 int keysize = 0;
4475
4476 if (strcmp(o->ciphername, "BF-CBC") == 0)
4477 {
4478 init_key_type(&kt, "none", o->authname, true, false);
4479 keysize = 128;
4480 }
4481 else
4482 {
4483 init_key_type(&kt, o->ciphername, o->authname, true, false);
4484 ciphername = cipher_kt_name(kt.cipher);
4485 if (cipher_defined(o->ciphername))
4486 {
4487 keysize = cipher_kt_key_size(kt.cipher) * 8;
4488 }
4489 }
4490 /* Only announce the cipher to our peer if we are willing to
4491 * support it */
4492 if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4493 {
4494 buf_printf(&out, ",cipher %s", ciphername);
4495 }
4496 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4497 buf_printf(&out, ",keysize %d", keysize);
4498 if (o->shared_secret_file)
4499 {
4500 buf_printf(&out, ",secret");
4501 }
4502
4503#ifdef ENABLE_PREDICTION_RESISTANCE
4504 if (o->use_prediction_resistance)
4505 {
4506 buf_printf(&out, ",use-prediction-resistance");
4507 }
4508#endif
4509 }
4510
4511 /*
4512 * SSL Options
4513 */
4514 {
4515 if (TLS_CLIENT || TLS_SERVER)
4516 {
4517 if (o->ce.tls_auth_file)
4518 {
4519 buf_printf(&out, ",tls-auth");
4520 }
4521 /* Not adding tls-crypt here, because we won't reach this code if
4522 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4523 * break stuff, so leaving that in place. */
4524
4525 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4526 }
4527
4528 if (remote)
4529 {
4530 if (TLS_CLIENT)
4531 {
4532 buf_printf(&out, ",tls-server");
4533 }
4534 else if (TLS_SERVER)
4535 {
4536 buf_printf(&out, ",tls-client");
4537 }
4538 }
4539 else
4540 {
4541 if (TLS_CLIENT)
4542 {
4543 buf_printf(&out, ",tls-client");
4544 }
4545 else if (TLS_SERVER)
4546 {
4547 buf_printf(&out, ",tls-server");
4548 }
4549 }
4550 }
4551
4552#undef TLS_CLIENT
4553#undef TLS_SERVER
4554
4555 return BSTR(&out);
4556}
4557
4558/*
4559 * Compare option strings for equality.
4560 * If the first two chars of the strings differ, it means that
4561 * we are looking at different versions of the options string,
4562 * therefore don't compare them and return true.
4563 */
4564
4565bool
4566options_cmp_equal(char *actual, const char *expected)
4567{
4568 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4569}
4570
4571void
4572options_warning(char *actual, const char *expected)
4573{
4574 options_warning_safe(actual, expected, strlen(actual) + 1);
4575}
4576
4577static const char *
4578options_warning_extract_parm1(const char *option_string,
4579 struct gc_arena *gc_ret)
4580{
4581 struct gc_arena gc = gc_new();
4582 struct buffer b = string_alloc_buf(option_string, &gc);
4583 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4584 const char *ret;
4585
4586 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4587 ret = string_alloc(p, gc_ret);
4588 gc_free(&gc);
4589 return ret;
4590}
4591
4592static void
4593options_warning_safe_scan2(const int msglevel,
4594 const int delim,
4595 const bool report_inconsistent,
4596 const char *p1,
4597 const struct buffer *b2_src,
4598 const char *b1_name,
4599 const char *b2_name)
4600{
4601 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4602 * OCC in a future version (because it's not useful). To reduce questions
4603 * when interoperating, we no longer printing a warning about it.
4604 */
4605 if (strprefix(p1, "key-method ")
4606 || strprefix(p1, "keydir ")
4607 || strprefix(p1, "proto ")
4608 || streq(p1, "tls-auth")
4609 || strprefix(p1, "tun-ipv6")
4610 || strprefix(p1, "cipher "))
4611 {
4612 return;
4613 }
4614
4615 if (strlen(p1) > 0)
4616 {
4617 struct gc_arena gc = gc_new();
4618 struct buffer b2 = *b2_src;
4619 const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4620 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4621
4622 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4623 {
4624 if (strlen(p2))
4625 {
4626 const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4627
4628 if (!strcmp(p1, p2))
4629 {
4630 goto done;
4631 }
4632 if (!strcmp(p1_prefix, p2_prefix))
4633 {
4634 if (report_inconsistent)
4635 {
4636 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4637 safe_print(p1_prefix, &gc),
4638 b1_name,
4639 safe_print(p1, &gc),
4640 b2_name,
4641 safe_print(p2, &gc));
4642 }
4643 goto done;
4644 }
4645 }
4646 }
4647
4648 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4649 safe_print(p1_prefix, &gc),
4650 b1_name,
4651 b2_name,
4652 b1_name,
4653 safe_print(p1, &gc));
4654
4655done:
4656 gc_free(&gc);
4657 }
4658}
4659
4660static void
4661options_warning_safe_scan1(const int msglevel,
4662 const int delim,
4663 const bool report_inconsistent,
4664 const struct buffer *b1_src,
4665 const struct buffer *b2_src,
4666 const char *b1_name,
4667 const char *b2_name)
4668{
4669 struct gc_arena gc = gc_new();
4670 struct buffer b = *b1_src;
4671 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4672
4673 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4674 {
4675 options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4676 }
4677
4678 gc_free(&gc);
4679}
4680
4681static void
4682options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4683{
4684 struct gc_arena gc = gc_new();
4685
4686 if (actual_n > 0)
4687 {
4688 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4689 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4690 actual[actual_n - 1] = 0;
4691
4692 buf_printf(&local, "version %s", expected);
4693 buf_printf(&remote, "version %s", actual);
4694
4695 options_warning_safe_scan1(msglevel, ',', true,
4696 &local, &remote,
4697 "local", "remote");
4698
4699 options_warning_safe_scan1(msglevel, ',', false,
4700 &remote, &local,
4701 "remote", "local");
4702 }
4703
4704 gc_free(&gc);
4705}
4706
4707bool
4708options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4709{
4710 struct gc_arena gc = gc_new();
4711 bool ret = true;
4712
4713 if (actual_n > 0)
4714 {
4715 actual[actual_n - 1] = 0;
4716 if (strncmp(actual, expected, 2))
4717 {
4718 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4719 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4720 }
4721 else
4722 {
4723 ret = !strcmp(actual, expected);
4724 }
4725 }
4726 gc_free(&gc);
4727 return ret;
4728}
4729
4730void
4731options_warning_safe(char *actual, const char *expected, size_t actual_n)
4732{
4733 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4734}
4735
4736const char *
4737options_string_version(const char *s, struct gc_arena *gc)
4738{
4739 struct buffer out = alloc_buf_gc(4, gc);
4740 strncpynt((char *) BPTR(&out), s, 3);
4741 return BSTR(&out);
4742}
4743
4744char *
4745options_string_extract_option(const char *options_string, const char *opt_name,
4746 struct gc_arena *gc)
4747{
4748 char *ret = NULL;
4749 const size_t opt_name_len = strlen(opt_name);
4750
4751 const char *p = options_string;
4752 while (p)
4753 {
4754 if (0 == strncmp(p, opt_name, opt_name_len)
4755 && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4756 {
4757 /* option found, extract value */
4758 const char *start = &p[opt_name_len+1];
4759 const char *end = strchr(p, ',');
4760 size_t val_len = end ? end - start : strlen(start);
4761 ret = gc_malloc(val_len+1, true, gc);
4762 memcpy(ret, start, val_len);
4763 break;
4764 }
4765 p = strchr(p, ',');
4766 if (p)
4767 {
4768 p++; /* skip delimiter */
4769 }
4770 }
4771 return ret;
4772}
4773
4774/*
4775 * parse/print topology coding
4776 */
4777
4778int
4779parse_topology(const char *str, const int msglevel)
4780{
4781 if (streq(str, "net30"))
4782 {
4783 return TOP_NET30;
4784 }
4785 else if (streq(str, "p2p"))
4786 {
4787 return TOP_P2P;
4788 }
4789 else if (streq(str, "subnet"))
4790 {
4791 return TOP_SUBNET;
4792 }
4793 else
4794 {
4795 msg(msglevel, "--topology must be net30, p2p, or subnet");
4796 return TOP_UNDEF;
4797 }
4798}
4799
4800const char *
4801print_topology(const int topology)
4802{
4803 switch (topology)
4804 {
4805 case TOP_UNDEF:
4806 return "undef";
4807
4808 case TOP_NET30:
4809 return "net30";
4810
4811 case TOP_P2P:
4812 return "p2p";
4813
4814 case TOP_SUBNET:
4815 return "subnet";
4816
4817 default:
4818 return "unknown";
4819 }
4820}
4821
4822/*
4823 * Manage auth-retry variable
4824 */
4825
4826static int global_auth_retry; /* GLOBAL */
4827
4828int
4829auth_retry_get(void)
4830{
4831 return global_auth_retry;
4832}
4833
4834bool
4835auth_retry_set(const int msglevel, const char *option)
4836{
4837 if (streq(option, "interact"))
4838 {
4839 global_auth_retry = AR_INTERACT;
4840 }
4841 else if (streq(option, "nointeract"))
4842 {
4843 global_auth_retry = AR_NOINTERACT;
4844 }
4845 else if (streq(option, "none"))
4846 {
4847 global_auth_retry = AR_NONE;
4848 }
4849 else
4850 {
4851 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4852 return false;
4853 }
4854 return true;
4855}
4856
4857const char *
4858auth_retry_print(void)
4859{
4860 switch (global_auth_retry)
4861 {
4862 case AR_NONE:
4863 return "none";
4864
4865 case AR_NOINTERACT:
4866 return "nointeract";
4867
4868 case AR_INTERACT:
4869 return "interact";
4870
4871 default:
4872 return "???";
4873 }
4874}
4875
4876/*
4877 * Print the help message.
4878 */
4879static void
4880usage(void)
4881{
4882 FILE *fp = msg_fp(0);
4883
4884#ifdef ENABLE_SMALL
4885
4886 fprintf(fp, "Usage message not available\n");
4887
4888#else
4889
4890 struct options o;
4891 init_options(&o, true);
4892
4893 fprintf(fp, usage_message,
4894 title_string,
4895 o.ce.connect_retry_seconds,
4896 o.ce.connect_retry_seconds_max,
4897 o.ce.local_port, o.ce.remote_port,
4898 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
4899 o.verbosity,
4900 o.authname,
4901 o.replay_window, o.replay_time,
4902 o.tls_timeout, o.renegotiate_seconds,
4903 o.handshake_window, o.transition_window);
4904 fflush(fp);
4905
4906#endif /* ENABLE_SMALL */
4907
4908 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4909}
4910
4911void
4912usage_small(void)
4913{
4914 msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4915 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4916}
4917
4918#ifdef _WIN32
4919void
4920show_windows_version(const unsigned int flags)
4921{
4922 struct gc_arena gc = gc_new();
4923 msg(flags, "Windows version: %s", win32_version_string(&gc));
4924 gc_free(&gc);
4925}
4926#endif
4927
4928void
4929show_dco_version(const unsigned int flags)
4930{
4931#ifdef ENABLE_DCO
4932 struct gc_arena gc = gc_new();
4933 msg(flags, "DCO version: %s", dco_version_string(&gc));
4934 gc_free(&gc);
4935#endif
4936}
4937
4938void
4939show_library_versions(const unsigned int flags)
4940{
4941#ifdef ENABLE_LZO
4942#define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4943#else
4944#define LZO_LIB_VER_STR "", ""
4945#endif
4946
4947 msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4948 LZO_LIB_VER_STR);
4949
4950#undef LZO_LIB_VER_STR
4951}
4952
4953static void
4954usage_version(void)
4955{
4956 msg(M_INFO|M_NOPREFIX, "%s", title_string);
4957 show_library_versions( M_INFO|M_NOPREFIX );
4958#ifdef _WIN32
4959 show_windows_version( M_INFO|M_NOPREFIX );
4960#endif
4961 show_dco_version(M_INFO | M_NOPREFIX);
4962 msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4963 msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>");
4964#ifndef ENABLE_SMALL
4965#ifdef CONFIGURE_DEFINES
4966 msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4967#endif
4968#ifdef CONFIGURE_SPECIAL_BUILD
4969 msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4970#endif
4971#endif
4972 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4973}
4974
4975void
4976notnull(const char *arg, const char *description)
4977{
4978 if (!arg)
4979 {
4980 msg(M_USAGE, "You must define %s", description);
4981 }
4982}
4983
4984bool
4985string_defined_equal(const char *s1, const char *s2)
4986{
4987 if (s1 && s2)
4988 {
4989 return !strcmp(s1, s2);
4990 }
4991 else
4992 {
4993 return false;
4994 }
4995}
4996
4997#if 0
4998static void
4999ping_rec_err(int msglevel)
5000{
5001 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
5002}
5003#endif
5004
5005#ifdef _WIN32 /* This function is only used when compiling on Windows */
5006static unsigned int
5007atou(const char *str)
5008{
5009 unsigned int val = 0;
5010 sscanf(str, "%u", &val);
5011 return val;
5012}
5013#endif
5014
5015static inline bool
5016space(unsigned char c)
5017{
5018 return c == '\0' || isspace(c);
5019}
5020
5021int
5022parse_line(const char *line,
5023 char *p[],
5024 const int n,
5025 const char *file,
5026 const int line_num,
5027 int msglevel,
5028 struct gc_arena *gc)
5029{
5030 const int STATE_INITIAL = 0;
5031 const int STATE_READING_QUOTED_PARM = 1;
5032 const int STATE_READING_UNQUOTED_PARM = 2;
5033 const int STATE_DONE = 3;
5034 const int STATE_READING_SQUOTED_PARM = 4;
5035
5036 const char *error_prefix = "";
5037
5038 int ret = 0;
5039 const char *c = line;
5040 int state = STATE_INITIAL;
5041 bool backslash = false;
5042 char in, out;
5043
5044 char parm[OPTION_PARM_SIZE];
5045 unsigned int parm_len = 0;
5046
5047 msglevel &= ~M_OPTERR;
5048
5049 if (msglevel & M_MSG_VIRT_OUT)
5050 {
5051 error_prefix = "ERROR: ";
5052 }
5053
5054 do
5055 {
5056 in = *c;
5057 out = 0;
5058
5059 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
5060 {
5061 backslash = true;
5062 }
5063 else
5064 {
5065 if (state == STATE_INITIAL)
5066 {
5067 if (!space(in))
5068 {
5069 if (in == ';' || in == '#') /* comment */
5070 {
5071 break;
5072 }
5073 if (!backslash && in == '\"')
5074 {
5075 state = STATE_READING_QUOTED_PARM;
5076 }
5077 else if (!backslash && in == '\'')
5078 {
5079 state = STATE_READING_SQUOTED_PARM;
5080 }
5081 else
5082 {
5083 out = in;
5084 state = STATE_READING_UNQUOTED_PARM;
5085 }
5086 }
5087 }
5088 else if (state == STATE_READING_UNQUOTED_PARM)
5089 {
5090 if (!backslash && space(in))
5091 {
5092 state = STATE_DONE;
5093 }
5094 else
5095 {
5096 out = in;
5097 }
5098 }
5099 else if (state == STATE_READING_QUOTED_PARM)
5100 {
5101 if (!backslash && in == '\"')
5102 {
5103 state = STATE_DONE;
5104 }
5105 else
5106 {
5107 out = in;
5108 }
5109 }
5110 else if (state == STATE_READING_SQUOTED_PARM)
5111 {
5112 if (in == '\'')
5113 {
5114 state = STATE_DONE;
5115 }
5116 else
5117 {
5118 out = in;
5119 }
5120 }
5121 if (state == STATE_DONE)
5122 {
5123 /* ASSERT (parm_len > 0); */
5124 p[ret] = gc_malloc(parm_len + 1, true, gc);
5125 memcpy(p[ret], parm, parm_len);
5126 p[ret][parm_len] = '\0';
5127 state = STATE_INITIAL;
5128 parm_len = 0;
5129 ++ret;
5130 }
5131
5132 if (backslash && out)
5133 {
5134 if (!(out == '\\' || out == '\"' || space(out)))
5135 {
5136#ifdef ENABLE_SMALL
5137 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
5138#else
5139 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
5140#endif
5141 return 0;
5142 }
5143 }
5144 backslash = false;
5145 }
5146
5147 /* store parameter character */
5148 if (out)
5149 {
5150 if (parm_len >= SIZE(parm))
5151 {
5152 parm[SIZE(parm) - 1] = 0;
5153 msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5154 error_prefix, file, line_num, (int) SIZE(parm), parm);
5155 return 0;
5156 }
5157 parm[parm_len++] = out;
5158 }
5159
5160 /* avoid overflow if too many parms in one config file line */
5161 if (ret >= n)
5162 {
5163 break;
5164 }
5165
5166 } while (*c++ != '\0');
5167
5168 if (state == STATE_READING_QUOTED_PARM)
5169 {
5170 msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
5171 return 0;
5172 }
5173 if (state == STATE_READING_SQUOTED_PARM)
5174 {
5175 msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
5176 return 0;
5177 }
5178 if (state != STATE_INITIAL)
5179 {
5180 msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
5181 return 0;
5182 }
5183#if 0
5184 {
5185 int i;
5186 for (i = 0; i < ret; ++i)
5187 {
5188 msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
5189 }
5190 }
5191#endif
5192 return ret;
5193}
5194
5195static void
5196bypass_doubledash(char **p)
5197{
5198 if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
5199 {
5200 *p += 2;
5201 }
5202}
5203
5204struct in_src {
5205#define IS_TYPE_FP 1
5206#define IS_TYPE_BUF 2
5207 int type;
5208 union {
5209 FILE *fp;
5210 struct buffer *multiline;
5211 } u;
5212};
5213
5214static bool
5215in_src_get(const struct in_src *is, char *line, const int size)
5216{
5217 if (is->type == IS_TYPE_FP)
5218 {
5219 return BOOL_CAST(fgets(line, size, is->u.fp));
5220 }
5221 else if (is->type == IS_TYPE_BUF)
5222 {
5223 bool status = buf_parse(is->u.multiline, '\n', line, size);
5224 if ((int) strlen(line) + 1 < size)
5225 {
5226 strcat(line, "\n");
5227 }
5228 return status;
5229 }
5230 else
5231 {
5232 ASSERT(0);
5233 return false;
5234 }
5235}
5236
5237static char *
5238read_inline_file(struct in_src *is, const char *close_tag,
5239 int *num_lines, struct gc_arena *gc)
5240{
5241 char line[OPTION_LINE_SIZE];
5242 struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
5243 char *ret;
5244 bool endtagfound = false;
5245
5246 while (in_src_get(is, line, sizeof(line)))
5247 {
5248 (*num_lines)++;
5249 char *line_ptr = line;
5250 /* Remove leading spaces */
5251 while (isspace(*line_ptr))
5252 {
5253 line_ptr++;
5254 }
5255 if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
5256 {
5257 endtagfound = true;
5258 break;
5259 }
5260 if (!buf_safe(&buf, strlen(line)+1))
5261 {
5262 /* Increase buffer size */
5263 struct buffer buf2 = alloc_buf(buf.capacity * 2);
5264 ASSERT(buf_copy(&buf2, &buf));
5265 buf_clear(&buf);
5266 free_buf(&buf);
5267 buf = buf2;
5268 }
5269 buf_printf(&buf, "%s", line);
5270 }
5271 if (!endtagfound)
5272 {
5273 msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
5274 }
5275 ret = string_alloc(BSTR(&buf), gc);
5276 buf_clear(&buf);
5277 free_buf(&buf);
5278 secure_memzero(line, sizeof(line));
5279 return ret;
5280}
5281
5282static int
5283check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
5284{
5285 int num_inline_lines = 0;
5286
5287 if (p[0] && !p[1])
5288 {
5289 char *arg = p[0];
5290 if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
5291 {
5292 struct buffer close_tag;
5293
5294 arg[strlen(arg) - 1] = '\0';
5295 p[0] = string_alloc(arg + 1, gc);
5296 close_tag = alloc_buf(strlen(p[0]) + 4);
5297 buf_printf(&close_tag, "</%s>", p[0]);
5298 p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
5299 p[2] = NULL;
5300 free_buf(&close_tag);
5301 }
5302 }
5303 return num_inline_lines;
5304}
5305
5306static int
5307check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
5308{
5309 struct in_src is;
5310 is.type = IS_TYPE_FP;
5311 is.u.fp = fp;
5312 return check_inline_file(&is, p, gc);
5313}
5314
5315static int
5316check_inline_file_via_buf(struct buffer *multiline, char *p[],
5317 struct gc_arena *gc)
5318{
5319 struct in_src is;
5320 is.type = IS_TYPE_BUF;
5321 is.u.multiline = multiline;
5322 return check_inline_file(&is, p, gc);
5323}
5324
5325static void
5326add_option(struct options *options,
5327 char *p[],
5328 bool is_inline,
5329 const char *file,
5330 int line,
5331 const int level,
5332 const int msglevel,
5333 const unsigned int permission_mask,
5334 unsigned int *option_types_found,
5335 struct env_set *es);
5336
5337static void
5338read_config_file(struct options *options,
5339 const char *file,
5340 int level,
5341 const char *top_file,
5342 const int top_line,
5343 const int msglevel,
5344 const unsigned int permission_mask,
5345 unsigned int *option_types_found,
5346 struct env_set *es)
5347{
5348 const int max_recursive_levels = 10;
5349 FILE *fp;
5350 int line_num;
5351 char line[OPTION_LINE_SIZE+1];
5352 char *p[MAX_PARMS+1];
5353
5354 ++level;
5355 if (level <= max_recursive_levels)
5356 {
5357 if (streq(file, "stdin"))
5358 {
5359 fp = stdin;
5360 }
5361 else
5362 {
5363 fp = platform_fopen(file, "r");
5364 }
5365 if (fp)
5366 {
5367 line_num = 0;
5368 while (fgets(line, sizeof(line), fp))
5369 {
5370 int offset = 0;
5371 CLEAR(p);
5372 ++line_num;
5373 if (strlen(line) == OPTION_LINE_SIZE)
5374 {
5375 msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5376 file, line_num, OPTION_LINE_SIZE, line);
5377 }
5378
5379 /* Ignore UTF-8 BOM at start of stream */
5380 if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
5381 {
5382 offset = 3;
5383 }
5384 if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5385 {
5386 bypass_doubledash(&p[0]);
5387 int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
5388 add_option(options, p, lines_inline, file, line_num, level,
5389 msglevel, permission_mask, option_types_found,
5390 es);
5391 line_num += lines_inline;
5392 }
5393 }
5394 if (fp != stdin)
5395 {
5396 fclose(fp);
5397 }
5398 }
5399 else
5400 {
5401 msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
5402 }
5403 }
5404 else
5405 {
5406 msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
5407 }
5408 secure_memzero(line, sizeof(line));
5409 CLEAR(p);
5410}
5411
5412static void
5413read_config_string(const char *prefix,
5414 struct options *options,
5415 const char *config,
5416 const int msglevel,
5417 const unsigned int permission_mask,
5418 unsigned int *option_types_found,
5419 struct env_set *es)
5420{
5421 char line[OPTION_LINE_SIZE];
5422 struct buffer multiline;
5423 int line_num = 0;
5424
5425 buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5426
5427 while (buf_parse(&multiline, '\n', line, sizeof(line)))
5428 {
5429 char *p[MAX_PARMS+1];
5430 CLEAR(p);
5431 ++line_num;
5432 if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
5433 {
5434 bypass_doubledash(&p[0]);
5435 int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
5436 add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
5437 permission_mask, option_types_found, es);
5438 line_num += lines_inline;
5439 }
5440 CLEAR(p);
5441 }
5442 secure_memzero(line, sizeof(line));
5443}
5444
5445void
5446parse_argv(struct options *options,
5447 const int argc,
5448 char *argv[],
5449 const int msglevel,
5450 const unsigned int permission_mask,
5451 unsigned int *option_types_found,
5452 struct env_set *es)
5453{
5454 /* usage message */
5455 if (argc <= 1)
5456 {
5457 usage();
5458 }
5459
5460 /* config filename specified only? */
5461 if (argc == 2 && strncmp(argv[1], "--", 2))
5462 {
5463 char *p[MAX_PARMS+1];
5464 CLEAR(p);
5465 p[0] = "config";
5466 p[1] = argv[1];
5467 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5468 option_types_found, es);
5469 }
5470 else
5471 {
5472 /* parse command line */
5473 for (int i = 1; i < argc; ++i)
5474 {
5475 char *p[MAX_PARMS+1];
5476 CLEAR(p);
5477 p[0] = argv[i];
5478 if (strncmp(p[0], "--", 2))
5479 {
5480 msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
5481 }
5482 else
5483 {
5484 p[0] += 2;
5485 }
5486
5487 int j;
5488 for (j = 1; j < MAX_PARMS; ++j)
5489 {
5490 if (i + j < argc)
5491 {
5492 char *arg = argv[i + j];
5493 if (strncmp(arg, "--", 2))
5494 {
5495 p[j] = arg;
5496 }
5497 else
5498 {
5499 break;
5500 }
5501 }
5502 }
5503 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5504 option_types_found, es);
5505 i += j - 1;
5506 }
5507 }
5508}
5509
5518static bool
5519apply_pull_filter(const struct options *o, char *line)
5520{
5521 struct pull_filter *f;
5522
5523 if (!o->pull_filter_list)
5524 {
5525 return true;
5526 }
5527
5528 /* skip leading spaces matching the behaviour of parse_line */
5529 while (isspace(*line))
5530 {
5531 line++;
5532 }
5533
5534 for (f = o->pull_filter_list->head; f; f = f->next)
5535 {
5536 if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5537 {
5538 msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5539 return true;
5540 }
5541 else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5542 {
5543 msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5544 *line = '\0';
5545 return true;
5546 }
5547 else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5548 {
5549 msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5550 *line = '\0';
5551 throw_signal_soft(SIGUSR1, "Offending option received from server");
5552 return false;
5553 }
5554 }
5555 return true;
5556}
5557
5558bool
5559apply_push_options(struct options *options,
5560 struct buffer *buf,
5561 unsigned int permission_mask,
5562 unsigned int *option_types_found,
5563 struct env_set *es)
5564{
5565 char line[OPTION_PARM_SIZE];
5566 int line_num = 0;
5567 const char *file = "[PUSH-OPTIONS]";
5568 const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5569
5570 while (buf_parse(buf, ',', line, sizeof(line)))
5571 {
5572 char *p[MAX_PARMS+1];
5573 CLEAR(p);
5574 ++line_num;
5575 if (!apply_pull_filter(options, line))
5576 {
5577 return false; /* Cause push/pull error and stop push processing */
5578 }
5579 if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5580 {
5581 add_option(options, p, false, file, line_num, 0, msglevel,
5582 permission_mask, option_types_found, es);
5583 }
5584 }
5585 return true;
5586}
5587
5588void
5589options_server_import(struct options *o,
5590 const char *filename,
5591 int msglevel,
5592 unsigned int permission_mask,
5593 unsigned int *option_types_found,
5594 struct env_set *es)
5595{
5596 msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5597 read_config_file(o,
5598 filename,
5599 0,
5600 filename,
5601 0,
5602 msglevel,
5603 permission_mask,
5604 option_types_found,
5605 es);
5606}
5607
5608void
5609options_string_import(struct options *options,
5610 const char *config,
5611 const int msglevel,
5612 const unsigned int permission_mask,
5613 unsigned int *option_types_found,
5614 struct env_set *es)
5615{
5616 read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5617}
5618
5619#define VERIFY_PERMISSION(mask) { \
5620 if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5621 option_types_found, msglevel, options, is_inline)) \
5622 { \
5623 goto err; \
5624 } \
5625}
5626
5627static bool
5628verify_permission(const char *name,
5629 const char *file,
5630 int line,
5631 const unsigned int type,
5632 const unsigned int allowed,
5633 unsigned int *found,
5634 const int msglevel,
5635 struct options *options,
5636 bool is_inline)
5637{
5638 if (!(type & allowed))
5639 {
5640 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5641 return false;
5642 }
5643
5644 if (is_inline && !(type & OPT_P_INLINE))
5645 {
5646 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5647 file, line);
5648 return false;
5649 }
5650
5651 if (found)
5652 {
5653 *found |= type;
5654 }
5655
5656#ifndef ENABLE_SMALL
5657 /* Check if this options is allowed in connection block,
5658 * but we are currently not in a connection block
5659 * unless this is a pushed option.
5660 * Parsing a connection block uses a temporary options struct without
5661 * connection_list
5662 */
5663
5664 if ((type & OPT_P_CONNECTION) && options->connection_list
5665 && !(allowed & OPT_P_PULL_MODE))
5666 {
5667 if (file)
5668 {
5669 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5670 }
5671 else
5672 {
5673 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5674 }
5675 }
5676#endif
5677 return true;
5678}
5679
5680/*
5681 * Check that an option doesn't have too
5682 * many parameters.
5683 */
5684
5685#define NM_QUOTE_HINT (1<<0)
5686
5687static bool
5688no_more_than_n_args(const int msglevel,
5689 char *p[],
5690 const int max,
5691 const unsigned int flags)
5692{
5693 const int len = string_array_len((const char **)p);
5694
5695 if (!len)
5696 {
5697 return false;
5698 }
5699
5700 if (len > max)
5701 {
5702 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5703 p[0],
5704 max - 1,
5705 max >= 3 ? "s" : "",
5706 (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5707 return false;
5708 }
5709 else
5710 {
5711 return true;
5712 }
5713}
5714
5715static inline int
5716msglevel_forward_compatible(struct options *options, const int msglevel)
5717{
5718 return options->forward_compatible ? M_WARN : msglevel;
5719}
5720
5721static void
5722set_user_script(struct options *options,
5723 const char **script,
5724 const char *new_script,
5725 const char *type,
5726 bool in_chroot)
5727{
5728 if (*script)
5729 {
5730 msg(M_WARN, "Multiple --%s scripts defined. "
5731 "The previously configured script is overridden.", type);
5732 }
5733 *script = new_script;
5734 options->user_script_used = true;
5735
5736#ifndef ENABLE_SMALL
5737 {
5738 char script_name[100];
5739 snprintf(script_name, sizeof(script_name),
5740 "--%s script", type);
5741
5742 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5743 {
5744 msg(M_USAGE, "Please correct this error.");
5745 }
5746
5747 }
5748#endif
5749}
5750
5751static void
5752show_compression_warning(struct compress_options *info)
5753{
5754 if (comp_non_stub_enabled(info))
5755 {
5756 msg(M_WARN, "WARNING: Compression for receiving enabled. "
5757 "Compression has been used in the past to break encryption. "
5758 "Compression support is deprecated and we recommend to disable "
5759 "it completely.");
5760 }
5761}
5762
5763bool
5764key_is_external(const struct options *options)
5765{
5766 bool ret = false;
5767 ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5768#ifdef ENABLE_PKCS11
5769 ret = ret || (options->pkcs11_providers[0] != NULL);
5770#endif
5771#ifdef ENABLE_CRYPTOAPI
5772 ret = ret || options->cryptoapi_cert;
5773#endif
5774
5775 return ret;
5776}
5777
5778static void
5779add_option(struct options *options,
5780 char *p[],
5781 bool is_inline,
5782 const char *file,
5783 int line,
5784 const int level,
5785 const int msglevel,
5786 const unsigned int permission_mask,
5787 unsigned int *option_types_found,
5788 struct env_set *es)
5789{
5790 struct gc_arena gc = gc_new();
5791 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5792 int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5793
5794 ASSERT(MAX_PARMS >= 7);
5795
5796 /*
5797 * If directive begins with "setenv opt" prefix, don't raise an error if
5798 * directive is unrecognized.
5799 */
5800 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5801 {
5802 if (!p[2])
5803 {
5804 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5805 }
5806 p += 2;
5807 msglevel_fc = M_WARN;
5808 }
5809
5810 if (!file)
5811 {
5812 file = "[CMD-LINE]";
5813 line = 1;
5814 }
5815 if (streq(p[0], "help"))
5816 {
5817 VERIFY_PERMISSION(OPT_P_GENERAL);
5818 usage();
5819 if (p[1])
5820 {
5821 msg(msglevel, "--help does not accept any parameters");
5822 goto err;
5823 }
5824 }
5825 if (streq(p[0], "version") && !p[1])
5826 {
5827 VERIFY_PERMISSION(OPT_P_GENERAL);
5828 usage_version();
5829 }
5830 else if (streq(p[0], "config") && p[1] && !p[2])
5831 {
5832 VERIFY_PERMISSION(OPT_P_CONFIG);
5833
5834 /* save first config file only in options */
5835 if (!options->config)
5836 {
5837 options->config = p[1];
5838 }
5839
5840 read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5841 }
5842#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5843 else if (streq(p[0], "show-gateway") && !p[2])
5844 {
5845 struct route_gateway_info rgi;
5846 struct route_ipv6_gateway_info rgi6;
5847 in_addr_t remote_ipv4 = 0;
5848 struct in6_addr remote_ipv6 = IN6ADDR_ANY_INIT;
5849 openvpn_net_ctx_t net_ctx;
5850 VERIFY_PERMISSION(OPT_P_GENERAL);
5851 if (p[1])
5852 {
5853 /* try parsing the argument as a v4 or v6 address - if
5854 * possible, the output will show the exact route there, and
5855 * "the default route" for the other protocol
5856 */
5857 remote_ipv4 = get_ip_addr(p[1], M_WARN, NULL);
5858 get_ipv6_addr(p[1], &remote_ipv6, NULL, M_WARN);
5859 }
5860 net_ctx_init(NULL, &net_ctx);
5861 get_default_gateway(&rgi, remote_ipv4, &net_ctx);
5862 get_default_gateway_ipv6(&rgi6, &remote_ipv6, &net_ctx);
5863 print_default_gateway(M_INFO, &rgi, &rgi6);
5864 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5865 }
5866#endif /* if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) */
5867 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5868 {
5869 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5870 int j;
5871 bool good = true;
5872
5873 VERIFY_PERMISSION(OPT_P_ECHO);
5874
5875 for (j = 1; j < MAX_PARMS; ++j)
5876 {
5877 if (!p[j])
5878 {
5879 break;
5880 }
5881 if (j > 1)
5882 {
5883 good &= buf_printf(&string, " ");
5884 }
5885 good &= buf_printf(&string, "%s", p[j]);
5886 }
5887 if (good)
5888 {
5889 /* only message-related ECHO are logged, since other ECHOs
5890 * can potentially include security-sensitive strings */
5891 if (p[1] && strncmp(p[1], "msg", 3) == 0)
5892 {
5893 msg(M_INFO, "%s:%s",
5894 pull_mode ? "ECHO-PULL" : "ECHO",
5895 BSTR(&string));
5896 }
5897#ifdef ENABLE_MANAGEMENT
5898 if (management)
5899 {
5900 management_echo(management, BSTR(&string), pull_mode);
5901 }
5902#endif
5903 }
5904 else
5905 {
5906 msg(M_WARN, "echo/parameter option overflow");
5907 }
5908 }
5909#ifdef ENABLE_MANAGEMENT
5910 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5911 {
5912 VERIFY_PERMISSION(OPT_P_GENERAL);
5913 if (streq(p[2], "unix"))
5914 {
5915#if UNIX_SOCK_SUPPORT
5916 options->management_flags |= MF_UNIX_SOCK;
5917#else
5918 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5919 goto err;
5920#endif
5921 }
5922
5923 options->management_addr = p[1];
5924 options->management_port = p[2];
5925 if (p[3])
5926 {
5927 options->management_user_pass = p[3];
5928 }
5929 }
5930 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5931 {
5932 VERIFY_PERMISSION(OPT_P_GENERAL);
5933 options->management_client_user = p[1];
5934 }
5935 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5936 {
5937 VERIFY_PERMISSION(OPT_P_GENERAL);
5938 options->management_client_group = p[1];
5939 }
5940 else if (streq(p[0], "management-query-passwords") && !p[1])
5941 {
5942 VERIFY_PERMISSION(OPT_P_GENERAL);
5943 options->management_flags |= MF_QUERY_PASSWORDS;
5944 }
5945 else if (streq(p[0], "management-query-remote") && !p[1])
5946 {
5947 VERIFY_PERMISSION(OPT_P_GENERAL);
5948 options->management_flags |= MF_QUERY_REMOTE;
5949 }
5950 else if (streq(p[0], "management-query-proxy") && !p[1])
5951 {
5952 VERIFY_PERMISSION(OPT_P_GENERAL);
5953 options->management_flags |= MF_QUERY_PROXY;
5954 }
5955 else if (streq(p[0], "management-hold") && !p[1])
5956 {
5957 VERIFY_PERMISSION(OPT_P_GENERAL);
5958 options->management_flags |= MF_HOLD;
5959 }
5960 else if (streq(p[0], "management-signal") && !p[1])
5961 {
5962 VERIFY_PERMISSION(OPT_P_GENERAL);
5963 options->management_flags |= MF_SIGNAL;
5964 }
5965 else if (streq(p[0], "management-forget-disconnect") && !p[1])
5966 {
5967 VERIFY_PERMISSION(OPT_P_GENERAL);
5968 options->management_flags |= MF_FORGET_DISCONNECT;
5969 }
5970 else if (streq(p[0], "management-up-down") && !p[1])
5971 {
5972 VERIFY_PERMISSION(OPT_P_GENERAL);
5973 options->management_flags |= MF_UP_DOWN;
5974 }
5975 else if (streq(p[0], "management-client") && !p[1])
5976 {
5977 VERIFY_PERMISSION(OPT_P_GENERAL);
5978 options->management_flags |= MF_CONNECT_AS_CLIENT;
5979 }
5980 else if (streq(p[0], "management-external-key"))
5981 {
5982 VERIFY_PERMISSION(OPT_P_GENERAL);
5983 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5984 {
5985 if (streq(p[j], "nopadding"))
5986 {
5987 options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
5988 }
5989 else if (streq(p[j], "pkcs1"))
5990 {
5991 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5992 }
5993 else if (streq(p[j], "pss"))
5994 {
5995 options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
5996 }
5997 else if (streq(p[j], "digest"))
5998 {
5999 options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
6000 }
6001 else
6002 {
6003 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
6004 }
6005 }
6006 /*
6007 * When no option is present, assume that only PKCS1
6008 * padding is supported
6009 */
6010 if (!(options->management_flags
6011 &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
6012 {
6013 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
6014 }
6015 options->management_flags |= MF_EXTERNAL_KEY;
6016 }
6017 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
6018 {
6019 VERIFY_PERMISSION(OPT_P_GENERAL);
6020 options->management_flags |= MF_EXTERNAL_CERT;
6021 options->management_certificate = p[1];
6022 }
6023 else if (streq(p[0], "management-client-auth") && !p[1])
6024 {
6025 VERIFY_PERMISSION(OPT_P_GENERAL);
6026 options->management_flags |= MF_CLIENT_AUTH;
6027 }
6028 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
6029 {
6030 int cache;
6031
6032 VERIFY_PERMISSION(OPT_P_GENERAL);
6033 cache = atoi_warn(p[1], msglevel);
6034 if (cache < 1)
6035 {
6036 msg(msglevel, "--management-log-cache parameter is out of range");
6037 goto err;
6038 }
6039 options->management_log_history_cache = cache;
6040 }
6041#endif /* ifdef ENABLE_MANAGEMENT */
6042#ifdef ENABLE_PLUGIN
6043 else if (streq(p[0], "plugin") && p[1])
6044 {
6045 VERIFY_PERMISSION(OPT_P_PLUGIN);
6046 if (!options->plugin_list)
6047 {
6048 options->plugin_list = plugin_option_list_new(&options->gc);
6049 }
6050 if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
6051 {
6052 msg(msglevel, "plugin add failed: %s", p[1]);
6053 goto err;
6054 }
6055 }
6056#endif
6057 else if (streq(p[0], "mode") && p[1] && !p[2])
6058 {
6059 VERIFY_PERMISSION(OPT_P_GENERAL);
6060 if (streq(p[1], "p2p"))
6061 {
6062 options->mode = MODE_POINT_TO_POINT;
6063 }
6064 else if (streq(p[1], "server"))
6065 {
6066 options->mode = MODE_SERVER;
6067 }
6068 else
6069 {
6070 msg(msglevel, "Bad --mode parameter: %s", p[1]);
6071 goto err;
6072 }
6073 }
6074 else if (streq(p[0], "dev") && p[1] && !p[2])
6075 {
6076 VERIFY_PERMISSION(OPT_P_GENERAL);
6077 options->dev = p[1];
6078 }
6079 else if (streq(p[0], "dev-type") && p[1] && !p[2])
6080 {
6081 VERIFY_PERMISSION(OPT_P_GENERAL);
6082 options->dev_type = p[1];
6083 }
6084#ifdef _WIN32
6085 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
6086 {
6087 VERIFY_PERMISSION(OPT_P_GENERAL);
6088 msg(M_WARN, "DEPRECATED OPTION: windows-driver: In OpenVPN 2.7, the default Windows driver is ovpn-dco. "
6089 "If incompatible options are used, OpenVPN will fall back to tap-windows6. Wintun support has been removed.");
6090 }
6091#endif
6092 else if (streq(p[0], "disable-dco"))
6093 {
6094 options->disable_dco = true;
6095 }
6096 else if (streq(p[0], "dev-node") && p[1] && !p[2])
6097 {
6098 VERIFY_PERMISSION(OPT_P_GENERAL);
6099 options->dev_node = p[1];
6100 }
6101 else if (streq(p[0], "lladdr") && p[1] && !p[2])
6102 {
6103 VERIFY_PERMISSION(OPT_P_UP);
6104 if (mac_addr_safe(p[1])) /* MAC address only */
6105 {
6106 options->lladdr = p[1];
6107 }
6108 else
6109 {
6110 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
6111 goto err;
6112 }
6113 }
6114 else if (streq(p[0], "topology") && p[1] && !p[2])
6115 {
6116 VERIFY_PERMISSION(OPT_P_UP);
6117 options->topology = parse_topology(p[1], msglevel);
6118 }
6119 else if (streq(p[0], "tun-ipv6") && !p[1])
6120 {
6121 if (!pull_mode)
6122 {
6123 msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
6124 }
6125 }
6126#ifdef ENABLE_IPROUTE
6127 else if (streq(p[0], "iproute") && p[1] && !p[2])
6128 {
6129 VERIFY_PERMISSION(OPT_P_GENERAL);
6130 iproute_path = p[1];
6131 }
6132#endif
6133 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
6134 {
6135 VERIFY_PERMISSION(OPT_P_UP);
6136 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
6137 {
6138 options->ifconfig_local = p[1];
6139 options->ifconfig_remote_netmask = p[2];
6140 }
6141 else
6142 {
6143 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6144 goto err;
6145 }
6146 }
6147 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
6148 {
6149 unsigned int netbits;
6150
6151 VERIFY_PERMISSION(OPT_P_UP);
6152 if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
6153 && ipv6_addr_safe( p[2] ) )
6154 {
6155 if (netbits < 64 || netbits > 124)
6156 {
6157 msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
6158 goto err;
6159 }
6160
6161 options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
6162 options->ifconfig_ipv6_netbits = netbits;
6163 options->ifconfig_ipv6_remote = p[2];
6164 }
6165 else
6166 {
6167 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6168 goto err;
6169 }
6170 }
6171 else if (streq(p[0], "ifconfig-noexec") && !p[1])
6172 {
6173 VERIFY_PERMISSION(OPT_P_UP);
6174 options->ifconfig_noexec = true;
6175 }
6176 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
6177 {
6178 VERIFY_PERMISSION(OPT_P_UP);
6179 options->ifconfig_nowarn = true;
6180 }
6181 else if (streq(p[0], "local") && p[1] && !p[4])
6182 {
6183 struct local_entry *e;
6184
6185 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6186
6187 e = alloc_local_entry(&options->ce, M_USAGE, &options->gc);
6188 ASSERT(e);
6189
6190 /* '*' is treated as 'ask the system to get some socket',
6191 * therefore force binding on a particular address only when
6192 * actually specified. */
6193 if (strcmp(p[1], "*") != 0)
6194 {
6195 e->local = p[1];
6196 }
6197
6198 if (p[2])
6199 {
6200 e->port = p[2];
6201 }
6202
6203 if (p[3])
6204 {
6205 e->proto = ascii2proto(p[3]);
6206 }
6207 }
6208 else if (streq(p[0], "remote-random") && !p[1])
6209 {
6210 VERIFY_PERMISSION(OPT_P_GENERAL);
6211 options->remote_random = true;
6212 }
6213 else if (streq(p[0], "connection") && p[1] && !p[3])
6214 {
6215 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6216 if (is_inline)
6217 {
6218 struct options sub;
6219 struct connection_entry *e;
6220
6221 init_options(&sub, true);
6222 sub.ce = options->ce;
6223 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
6224 OPT_P_CONNECTION, option_types_found, es);
6225 if (!sub.ce.remote)
6226 {
6227 msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
6228 uninit_options(&sub);
6229 goto err;
6230 }
6231
6232 e = alloc_connection_entry(options, msglevel);
6233 if (!e)
6234 {
6235 uninit_options(&sub);
6236 goto err;
6237 }
6238 *e = sub.ce;
6239 gc_transfer(&options->gc, &sub.gc);
6240 uninit_options(&sub);
6241 }
6242 }
6243 else if (streq(p[0], "ignore-unknown-option") && p[1])
6244 {
6245 int i;
6246 int j;
6247 int numignored = 0;
6248 const char **ignore;
6249
6250 VERIFY_PERMISSION(OPT_P_GENERAL);
6251 /* Find out how many options to be ignored */
6252 for (i = 1; p[i]; i++)
6253 {
6254 numignored++;
6255 }
6256
6257 /* add number of options already ignored */
6258 for (i = 0; options->ignore_unknown_option
6259 && options->ignore_unknown_option[i]; i++)
6260 {
6261 numignored++;
6262 }
6263
6264 /* Allocate array */
6265 ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
6266 for (i = 0; options->ignore_unknown_option
6267 && options->ignore_unknown_option[i]; i++)
6268 {
6269 ignore[i] = options->ignore_unknown_option[i];
6270 }
6271
6272 options->ignore_unknown_option = ignore;
6273
6274 for (j = 1; p[j]; j++)
6275 {
6276 /* Allow the user to specify ignore-unknown-option --opt too */
6277 if (p[j][0]=='-' && p[j][1]=='-')
6278 {
6279 options->ignore_unknown_option[i] = (p[j]+2);
6280 }
6281 else
6282 {
6283 options->ignore_unknown_option[i] = p[j];
6284 }
6285 i++;
6286 }
6287
6288 options->ignore_unknown_option[i] = NULL;
6289 }
6290#if ENABLE_MANAGEMENT
6291 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6292 {
6293 VERIFY_PERMISSION(OPT_P_GENERAL);
6294 options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], &options->gc);
6295 if (!options->http_proxy_override)
6296 {
6297 goto err;
6298 }
6299 }
6300#endif
6301 else if (streq(p[0], "remote") && p[1] && !p[4])
6302 {
6303 struct remote_entry re;
6304 re.remote = re.remote_port = NULL;
6305 re.proto = -1;
6306 re.af = 0;
6307
6308 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6309 re.remote = p[1];
6310 if (p[2])
6311 {
6312 re.remote_port = p[2];
6313 if (p[3])
6314 {
6315 const int proto = ascii2proto(p[3]);
6316 const sa_family_t af = ascii2af(p[3]);
6317 if (proto < 0)
6318 {
6319 msg(msglevel,
6320 "remote: bad protocol associated with host %s: '%s'",
6321 p[1], p[3]);
6322 goto err;
6323 }
6324 re.proto = proto;
6325 re.af = af;
6326 }
6327 }
6328 if (permission_mask & OPT_P_GENERAL)
6329 {
6330 struct remote_entry *e = alloc_remote_entry(options, msglevel);
6331 if (!e)
6332 {
6333 goto err;
6334 }
6335 *e = re;
6336 }
6337 else if (permission_mask & OPT_P_CONNECTION)
6338 {
6339 connection_entry_load_re(&options->ce, &re);
6340 }
6341 }
6342 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6343 {
6344 VERIFY_PERMISSION(OPT_P_GENERAL);
6345 if (streq(p[1], "infinite"))
6346 {
6347 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6348 }
6349 else
6350 {
6351 options->resolve_retry_seconds = positive_atoi(p[1], msglevel);
6352 }
6353 }
6354 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6355 {
6356 VERIFY_PERMISSION(OPT_P_GENERAL);
6357 options->resolve_in_advance = true;
6358 /* Note the ip-remote-hint and the argument p[1] are for
6359 * backward compatibility */
6360 if (p[1])
6361 {
6362 options->ip_remote_hint = p[1];
6363 }
6364 }
6365 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6366 {
6367 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6368 options->ce.connect_retry_seconds = positive_atoi(p[1], msglevel);
6369 /*
6370 * Limit the base value of retry wait interval to 16 bits to avoid
6371 * overflow when scaled up for exponential backoff
6372 */
6373 if (options->ce.connect_retry_seconds > 0xFFFF)
6374 {
6375 options->ce.connect_retry_seconds = 0xFFFF;
6376 msg(M_WARN, "connect retry wait interval truncated to %d",
6377 options->ce.connect_retry_seconds);
6378 }
6379
6380 if (p[2])
6381 {
6382 options->ce.connect_retry_seconds_max =
6383 max_int(positive_atoi(p[2], msglevel), options->ce.connect_retry_seconds);
6384 }
6385 }
6386 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
6387 && p[1] && !p[2])
6388 {
6389 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6390 options->ce.connect_timeout = positive_atoi(p[1], msglevel);
6391 }
6392 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6393 {
6394 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6395 options->connect_retry_max = positive_atoi(p[1], msglevel);
6396 }
6397 else if (streq(p[0], "ipchange") && p[1])
6398 {
6399 VERIFY_PERMISSION(OPT_P_SCRIPT);
6400 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6401 {
6402 goto err;
6403 }
6404 set_user_script(options,
6405 &options->ipchange,
6406 string_substitute(p[1], ',', ' ', &options->gc),
6407 "ipchange", true);
6408 }
6409 else if (streq(p[0], "float") && !p[1])
6410 {
6411 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6412 options->ce.remote_float = true;
6413 }
6414#ifdef ENABLE_DEBUG
6415 else if (streq(p[0], "gremlin") && p[1] && !p[2])
6416 {
6417 VERIFY_PERMISSION(OPT_P_GENERAL);
6418 options->gremlin = positive_atoi(p[1], msglevel);
6419 }
6420#endif
6421 else if (streq(p[0], "chroot") && p[1] && !p[2])
6422 {
6423 VERIFY_PERMISSION(OPT_P_GENERAL);
6424 options->chroot_dir = p[1];
6425 }
6426 else if (streq(p[0], "cd") && p[1] && !p[2])
6427 {
6428 VERIFY_PERMISSION(OPT_P_GENERAL);
6429 if (platform_chdir(p[1]))
6430 {
6431 msg(M_ERR, "cd to '%s' failed", p[1]);
6432 goto err;
6433 }
6434 options->cd_dir = p[1];
6435 }
6436#ifdef ENABLE_SELINUX
6437 else if (streq(p[0], "setcon") && p[1] && !p[2])
6438 {
6439 VERIFY_PERMISSION(OPT_P_GENERAL);
6440 options->selinux_context = p[1];
6441 }
6442#endif
6443 else if (streq(p[0], "writepid") && p[1] && !p[2])
6444 {
6445 VERIFY_PERMISSION(OPT_P_GENERAL);
6446 options->writepid = p[1];
6447 }
6448 else if (streq(p[0], "up") && p[1])
6449 {
6450 VERIFY_PERMISSION(OPT_P_SCRIPT);
6451 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6452 {
6453 goto err;
6454 }
6455 set_user_script(options, &options->up_script, p[1], "up", false);
6456 }
6457 else if (streq(p[0], "down") && p[1])
6458 {
6459 VERIFY_PERMISSION(OPT_P_SCRIPT);
6460 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6461 {
6462 goto err;
6463 }
6464 set_user_script(options, &options->down_script, p[1], "down", true);
6465 }
6466 else if (streq(p[0], "down-pre") && !p[1])
6467 {
6468 VERIFY_PERMISSION(OPT_P_GENERAL);
6469 options->down_pre = true;
6470 }
6471 else if (streq(p[0], "up-delay") && !p[1])
6472 {
6473 VERIFY_PERMISSION(OPT_P_GENERAL);
6474 options->up_delay = true;
6475 }
6476 else if (streq(p[0], "up-restart") && !p[1])
6477 {
6478 VERIFY_PERMISSION(OPT_P_GENERAL);
6479 options->up_restart = true;
6480 }
6481 else if (streq(p[0], "syslog") && !p[2])
6482 {
6483 VERIFY_PERMISSION(OPT_P_GENERAL);
6484 open_syslog(p[1], false);
6485 }
6486 else if (streq(p[0], "daemon") && !p[2])
6487 {
6488 bool didit = false;
6489 VERIFY_PERMISSION(OPT_P_GENERAL);
6490 if (!options->daemon)
6491 {
6492 options->daemon = didit = true;
6493 open_syslog(p[1], false);
6494 }
6495 if (p[1])
6496 {
6497 if (!didit)
6498 {
6499 msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
6500 goto err;
6501 }
6502 }
6503 }
6504 else if (streq(p[0], "log") && p[1] && !p[2])
6505 {
6506 VERIFY_PERMISSION(OPT_P_GENERAL);
6507 options->log = true;
6508 redirect_stdout_stderr(p[1], false);
6509 }
6510 else if (streq(p[0], "suppress-timestamps") && !p[1])
6511 {
6512 VERIFY_PERMISSION(OPT_P_GENERAL);
6513 options->suppress_timestamps = true;
6514 set_suppress_timestamps(true);
6515 }
6516 else if (streq(p[0], "machine-readable-output") && !p[1])
6517 {
6518 VERIFY_PERMISSION(OPT_P_GENERAL);
6519 options->machine_readable_output = true;
6520 set_machine_readable_output(true);
6521 }
6522 else if (streq(p[0], "log-append") && p[1] && !p[2])
6523 {
6524 VERIFY_PERMISSION(OPT_P_GENERAL);
6525 options->log = true;
6526 redirect_stdout_stderr(p[1], true);
6527 }
6528#ifdef ENABLE_MEMSTATS
6529 else if (streq(p[0], "memstats") && p[1] && !p[2])
6530 {
6531 VERIFY_PERMISSION(OPT_P_GENERAL);
6532 options->memstats_fn = p[1];
6533 }
6534#endif
6535 else if (streq(p[0], "mlock") && !p[1])
6536 {
6537 VERIFY_PERMISSION(OPT_P_GENERAL);
6538 options->mlock = true;
6539 }
6540#if ENABLE_IP_PKTINFO
6541 else if (streq(p[0], "multihome") && !p[1])
6542 {
6543 VERIFY_PERMISSION(OPT_P_GENERAL);
6544 options->sockflags |= SF_USE_IP_PKTINFO;
6545 }
6546#endif
6547 else if (streq(p[0], "verb") && p[1] && !p[2])
6548 {
6549 VERIFY_PERMISSION(OPT_P_MESSAGES);
6550 options->verbosity = positive_atoi(p[1], msglevel);
6551 if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6552 {
6553 /* We pass this flag to the SSL library to avoid
6554 * mbed TLS always generating debug level logging */
6555 options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6556 }
6557#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6558 /* Warn when a debug verbosity is supplied when built without debug support */
6559 if (options->verbosity >= 7)
6560 {
6561 msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6562 options->verbosity);
6563 }
6564#endif
6565 }
6566 else if (streq(p[0], "mute") && p[1] && !p[2])
6567 {
6568 VERIFY_PERMISSION(OPT_P_MESSAGES);
6569 options->mute = positive_atoi(p[1], msglevel);
6570 }
6571 else if (streq(p[0], "errors-to-stderr") && !p[1])
6572 {
6573 VERIFY_PERMISSION(OPT_P_MESSAGES);
6574 errors_to_stderr();
6575 }
6576 else if (streq(p[0], "status") && p[1] && !p[3])
6577 {
6578 VERIFY_PERMISSION(OPT_P_GENERAL);
6579 options->status_file = p[1];
6580 if (p[2])
6581 {
6582 options->status_file_update_freq = positive_atoi(p[2], msglevel);
6583 }
6584 }
6585 else if (streq(p[0], "status-version") && p[1] && !p[2])
6586 {
6587 int version;
6588
6589 VERIFY_PERMISSION(OPT_P_GENERAL);
6590 version = atoi_warn(p[1], msglevel);
6591 if (version < 1 || version > 3)
6592 {
6593 msg(msglevel, "--status-version must be 1 to 3");
6594 goto err;
6595 }
6596 options->status_file_version = version;
6597 }
6598 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6599 {
6600 VERIFY_PERMISSION(OPT_P_GENERAL);
6601 if (streq(p[1], "SIGHUP"))
6602 {
6603 options->remap_sigusr1 = SIGHUP;
6604 }
6605 else if (streq(p[1], "SIGTERM"))
6606 {
6607 options->remap_sigusr1 = SIGTERM;
6608 }
6609 else
6610 {
6611 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6612 goto err;
6613 }
6614 }
6615 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6616 {
6617 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6618 options->ce.link_mtu = positive_atoi(p[1], msglevel);
6619 options->ce.link_mtu_defined = true;
6620 }
6621 else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6622 {
6623 VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
6624 options->ce.tun_mtu = positive_atoi(p[1], msglevel);
6625 options->ce.tun_mtu_defined = true;
6626 if (p[2])
6627 {
6628 options->ce.occ_mtu = positive_atoi(p[2], msglevel);
6629 }
6630 else
6631 {
6632 options->ce.occ_mtu = 0;
6633 }
6634 }
6635 else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3])
6636 {
6637 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6638 int max_mtu = positive_atoi(p[1], msglevel);
6639 if (max_mtu < 68 || max_mtu > 65536)
6640 {
6641 msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
6642 }
6643 else
6644 {
6645 options->ce.tun_mtu_max = max_mtu;
6646 }
6647 }
6648 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6649 {
6650 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6651 options->ce.tun_mtu_extra = positive_atoi(p[1], msglevel);
6652 options->ce.tun_mtu_extra_defined = true;
6653 }
6654 else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
6655 {
6656 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6657 int maxmtu = positive_atoi(p[1], msglevel);
6658 options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
6659
6660 if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
6661 {
6662 msg(M_WARN, "Note: max-packet-size value outside of allowed "
6663 "control channel packet size (%d to %d), will use %d "
6664 "instead.", TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE,
6665 options->ce.tls_mtu);
6666 }
6667
6668 /* also set mssfix maxmtu mtu */
6669 options->ce.mssfix = maxmtu;
6670 options->ce.mssfix_default = false;
6671 options->ce.mssfix_encap = true;
6672 }
6673#ifdef ENABLE_FRAGMENT
6674 else if (streq(p[0], "mtu-dynamic"))
6675 {
6676 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6677 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6678 goto err;
6679 }
6680 else if (streq(p[0], "fragment") && p[1] && !p[3])
6681 {
6682 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6683 options->ce.fragment = positive_atoi(p[1], msglevel);
6684
6685 if (options->ce.fragment < 68)
6686 {
6687 msg(msglevel, "--fragment needs to be at least 68");
6688 goto err;
6689 }
6690
6691 if (p[2] && streq(p[2], "mtu"))
6692 {
6693 options->ce.fragment_encap = true;
6694 }
6695 else if (p[2])
6696 {
6697 msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6698 }
6699 }
6700#endif /* ifdef ENABLE_FRAGMENT */
6701 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6702 {
6703 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6704 options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6705 }
6706 else if (streq(p[0], "mtu-test") && !p[1])
6707 {
6708 VERIFY_PERMISSION(OPT_P_GENERAL);
6709 options->mtu_test = true;
6710 }
6711 else if (streq(p[0], "nice") && p[1] && !p[2])
6712 {
6713 VERIFY_PERMISSION(OPT_P_NICE);
6714 options->nice = atoi_warn(p[1], msglevel);
6715 }
6716 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6717 {
6718 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6719 options->rcvbuf = positive_atoi(p[1], msglevel);
6720 }
6721 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6722 {
6723 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6724 options->sndbuf = positive_atoi(p[1], msglevel);
6725 }
6726 else if (streq(p[0], "mark") && p[1] && !p[2])
6727 {
6728#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
6729 VERIFY_PERMISSION(OPT_P_GENERAL);
6730 options->mark = atoi_warn(p[1], msglevel);
6731#endif
6732 }
6733 else if (streq(p[0], "socket-flags"))
6734 {
6735 int j;
6736 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6737 for (j = 1; j < MAX_PARMS && p[j]; ++j)
6738 {
6739 if (streq(p[j], "TCP_NODELAY"))
6740 {
6741 options->sockflags |= SF_TCP_NODELAY;
6742 }
6743 else
6744 {
6745 msg(msglevel, "unknown socket flag: %s", p[j]);
6746 }
6747 }
6748 }
6749#ifdef TARGET_LINUX
6750 else if (streq(p[0], "bind-dev") && p[1])
6751 {
6752 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6753 options->bind_dev = p[1];
6754 }
6755#endif
6756 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6757 {
6758 VERIFY_PERMISSION(OPT_P_GENERAL);
6759#ifdef TARGET_LINUX
6760 options->tuntap_options.txqueuelen = positive_atoi(p[1], msglevel);
6761#else
6762 msg(msglevel, "--txqueuelen not supported on this OS");
6763 goto err;
6764#endif
6765 }
6766 else if (streq(p[0], "shaper") && p[1] && !p[2])
6767 {
6768 int shaper;
6769
6770 VERIFY_PERMISSION(OPT_P_SHAPER);
6771 shaper = atoi_warn(p[1], msglevel);
6772 if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
6773 {
6774 msg(msglevel, "Bad shaper value, must be between %d and %d",
6775 SHAPER_MIN, SHAPER_MAX);
6776 goto err;
6777 }
6778 options->shaper = shaper;
6779 }
6780 else if (streq(p[0], "port") && p[1] && !p[2])
6781 {
6782 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6783 options->ce.local_port = options->ce.remote_port = p[1];
6784 }
6785 else if (streq(p[0], "lport") && p[1] && !p[2])
6786 {
6787 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6788
6789 /* only trigger bind() if port is not 0 (or --local is used) */
6790 if (!streq(p[1], "0"))
6791 {
6792 options->ce.local_port_defined = true;
6793 }
6794 options->ce.local_port = p[1];
6795 }
6796 else if (streq(p[0], "rport") && p[1] && !p[2])
6797 {
6798 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6799 options->ce.remote_port = p[1];
6800 }
6801 else if (streq(p[0], "bind") && !p[2])
6802 {
6803 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6804 options->ce.bind_defined = true;
6805 if (p[1] && streq(p[1], "ipv6only"))
6806 {
6807 options->ce.bind_ipv6_only = true;
6808 }
6809
6810 }
6811 else if (streq(p[0], "nobind") && !p[1])
6812 {
6813 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6814 options->ce.bind_local = false;
6815 }
6816 else if (streq(p[0], "fast-io") && !p[1])
6817 {
6818 VERIFY_PERMISSION(OPT_P_GENERAL);
6819 options->fast_io = true;
6820 }
6821 else if (streq(p[0], "inactive") && p[1] && !p[3])
6822 {
6823 VERIFY_PERMISSION(OPT_P_TIMER);
6824 options->inactivity_timeout = positive_atoi(p[1], msglevel);
6825 if (p[2])
6826 {
6827 int64_t val = atoll(p[2]);
6828 options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
6829 if (options->inactivity_minimum_bytes > INT_MAX)
6830 {
6831 msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
6832 " >2 Gbyte was silently ignored in older versions. If "
6833 " your VPN exits unexpectedly with 'Inactivity timeout'"
6834 " in %d seconds, revisit this value.",
6835 options->inactivity_timeout );
6836 }
6837 }
6838 }
6839 else if (streq(p[0], "session-timeout") && p[1] && !p[2])
6840 {
6841 VERIFY_PERMISSION(OPT_P_TIMER);
6842 options->session_timeout = positive_atoi(p[1], msglevel);
6843 }
6844 else if (streq(p[0], "proto") && p[1] && !p[2])
6845 {
6846 int proto;
6847 sa_family_t af;
6848 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6849 proto = ascii2proto(p[1]);
6850 af = ascii2af(p[1]);
6851 if (proto < 0)
6852 {
6853 msg(msglevel,
6854 "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
6855 p[1],
6856 proto2ascii_all(&gc));
6857 goto err;
6858 }
6859 options->ce.proto = proto;
6860 options->ce.af = af;
6861 }
6862 else if (streq(p[0], "proto-force") && p[1] && !p[2])
6863 {
6864 int proto_force;
6865 VERIFY_PERMISSION(OPT_P_GENERAL);
6866 proto_force = ascii2proto(p[1]);
6867 if (proto_force < 0)
6868 {
6869 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6870 goto err;
6871 }
6872 options->proto_force = proto_force;
6873 }
6874 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6875 {
6876 struct http_proxy_options *ho;
6877
6878 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6879
6880 {
6881 if (!p[2])
6882 {
6883 msg(msglevel, "http-proxy port number not defined");
6884 goto err;
6885 }
6886
6887 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6888
6889 ho->server = p[1];
6890 ho->port = p[2];
6891 }
6892
6893 if (p[3])
6894 {
6895 /* auto -- try to figure out proxy addr, port, and type automatically */
6896 /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6897 if (streq(p[3], "auto"))
6898 {
6899 ho->auth_retry = PAR_ALL;
6900 }
6901 else if (streq(p[3], "auto-nct"))
6902 {
6903 ho->auth_retry = PAR_NCT;
6904 }
6905 else
6906 {
6907 ho->auth_method_string = "basic";
6908 ho->auth_file = p[3];
6909
6910 if (p[4])
6911 {
6912 ho->auth_method_string = p[4];
6913 }
6914 }
6915 }
6916 else
6917 {
6918 ho->auth_method_string = "none";
6919 }
6920 }
6921 else if (streq(p[0], "http-proxy-user-pass") && p[1])
6922 {
6923 struct http_proxy_options *ho;
6924 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6925 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6926 ho->auth_file_up = p[1];
6927 ho->inline_creds = is_inline;
6928 }
6929 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
6930 {
6931 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6932 msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6933 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6934 "Use connect-retry-max 1 to get a similar behavior as before.");
6935 }
6936 else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
6937 {
6938 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6939 msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6940 "server is established is managed with a single timeout set by connect-timeout");
6941 }
6942 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6943 {
6944 struct http_proxy_options *ho;
6945
6946 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6947 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6948
6949 if (streq(p[1], "VERSION") && p[2] && !p[3])
6950 {
6951 ho->http_version = p[2];
6952 }
6953 else if (streq(p[1], "AGENT") && p[2] && !p[3])
6954 {
6955 ho->user_agent = p[2];
6956 }
6957 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6958 && p[2])
6959 {
6960 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6961 * with either two argument or one */
6962
6963 struct http_custom_header *custom_header = NULL;
6964 int i;
6965 /* Find the first free header */
6966 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6967 {
6968 if (!ho->custom_headers[i].name)
6969 {
6970 custom_header = &ho->custom_headers[i];
6971 break;
6972 }
6973 }
6974 if (!custom_header)
6975 {
6976 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
6977 }
6978 else
6979 {
6980 /* We will save p[2] and p[3], the proxy code will detect if
6981 * p[3] is NULL */
6982 custom_header->name = p[2];
6983 custom_header->content = p[3];
6984 }
6985 }
6986 else
6987 {
6988 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6989 }
6990 }
6991 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6992 {
6993 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6994
6995 if (p[2])
6996 {
6997 options->ce.socks_proxy_port = p[2];
6998 }
6999 else
7000 {
7001 options->ce.socks_proxy_port = "1080";
7002 }
7003 options->ce.socks_proxy_server = p[1];
7004 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
7005 }
7006 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
7007 {
7008 VERIFY_PERMISSION(OPT_P_GENERAL);
7009 options->keepalive_ping = atoi_warn(p[1], msglevel);
7010 options->keepalive_timeout = atoi_warn(p[2], msglevel);
7011 }
7012 else if (streq(p[0], "ping") && p[1] && !p[2])
7013 {
7014 VERIFY_PERMISSION(OPT_P_TIMER);
7015 options->ping_send_timeout = positive_atoi(p[1], msglevel);
7016 }
7017 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
7018 {
7019 VERIFY_PERMISSION(OPT_P_TIMER);
7020 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
7021 options->ping_rec_timeout_action = PING_EXIT;
7022 }
7023 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
7024 {
7025 VERIFY_PERMISSION(OPT_P_TIMER);
7026 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
7027 options->ping_rec_timeout_action = PING_RESTART;
7028 }
7029 else if (streq(p[0], "ping-timer-rem") && !p[1])
7030 {
7031 VERIFY_PERMISSION(OPT_P_TIMER);
7032 options->ping_timer_remote = true;
7033 }
7034 else if (streq(p[0], "explicit-exit-notify") && !p[2])
7035 {
7036 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
7037 if (p[1])
7038 {
7039 options->ce.explicit_exit_notification = positive_atoi(p[1], msglevel);
7040 }
7041 else
7042 {
7043 options->ce.explicit_exit_notification = 1;
7044 }
7045 }
7046 else if (streq(p[0], "persist-tun") && !p[1])
7047 {
7048 VERIFY_PERMISSION(OPT_P_PERSIST);
7049 options->persist_tun = true;
7050 }
7051 else if (streq(p[0], "persist-key") && !p[1])
7052 {
7053 VERIFY_PERMISSION(OPT_P_PERSIST);
7054 msg(M_WARN, "DEPRECATED: --persist-key option ignored. "
7055 "Keys are now always persisted across restarts. ");
7056 }
7057 else if (streq(p[0], "persist-local-ip") && !p[1])
7058 {
7059 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
7060 options->persist_local_ip = true;
7061 }
7062 else if (streq(p[0], "persist-remote-ip") && !p[1])
7063 {
7064 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
7065 options->persist_remote_ip = true;
7066 }
7067 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
7068 {
7069 VERIFY_PERMISSION(OPT_P_ROUTE);
7070 cnol_check_alloc(options);
7071 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
7072 }
7073 else if (streq(p[0], "route-table") && p[1] && !p[2])
7074 {
7075#ifndef ENABLE_SITNL
7076 msg(M_WARN, "NOTE: --route-table is supported only on Linux when SITNL is built-in");
7077#endif
7078 VERIFY_PERMISSION(OPT_P_ROUTE_TABLE);
7079 options->route_default_table_id = positive_atoi(p[1], msglevel);
7080 }
7081 else if (streq(p[0], "route") && p[1] && !p[5])
7082 {
7083 VERIFY_PERMISSION(OPT_P_ROUTE);
7084 rol_check_alloc(options);
7085 if (pull_mode)
7086 {
7087 if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
7088 {
7089 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
7090 goto err;
7091 }
7092 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
7093 {
7094 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
7095 goto err;
7096 }
7097 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
7098 {
7099 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
7100 goto err;
7101 }
7102 /* p[4] is metric, if specified */
7103 }
7104 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4], options->route_default_table_id);
7105 }
7106 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
7107 {
7108 VERIFY_PERMISSION(OPT_P_ROUTE);
7109 rol6_check_alloc(options);
7110 if (pull_mode)
7111 {
7112 if (!ipv6_addr_safe_hexplusbits(p[1]))
7113 {
7114 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
7115 goto err;
7116 }
7117 if (p[2] && !ipv6_addr_safe(p[2]))
7118 {
7119 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
7120 goto err;
7121 }
7122 /* p[3] is metric, if specified */
7123 }
7124 add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3], options->route_default_table_id);
7125 }
7126 else if (streq(p[0], "max-routes") && !p[2])
7127 {
7128 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. "
7129 "The number of routes is unlimited as of OpenVPN 2.4. "
7130 "This option will be removed in a future version, "
7131 "please remove it from your configuration.");
7132 }
7133 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
7134 {
7135 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7136 if (streq(p[1], "dhcp"))
7137 {
7138 options->route_gateway_via_dhcp = true;
7139 }
7140 else
7141 {
7142 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
7143 {
7144 options->route_default_gateway = p[1];
7145 }
7146 else
7147 {
7148 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
7149 goto err;
7150 }
7151 }
7152 }
7153 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
7154 {
7155 if (ipv6_addr_safe(p[1]))
7156 {
7157 options->route_ipv6_default_gateway = p[1];
7158 }
7159 else
7160 {
7161 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
7162 goto err;
7163 }
7164 }
7165 else if (streq(p[0], "route-metric") && p[1] && !p[2])
7166 {
7167 VERIFY_PERMISSION(OPT_P_ROUTE);
7168 options->route_default_metric = positive_atoi(p[1], msglevel);
7169 }
7170 else if (streq(p[0], "route-delay") && !p[3])
7171 {
7172 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7173 options->route_delay_defined = true;
7174 if (p[1])
7175 {
7176 options->route_delay = positive_atoi(p[1], msglevel);
7177 if (p[2])
7178 {
7179 options->route_delay_window = positive_atoi(p[2], msglevel);
7180 }
7181 }
7182 else
7183 {
7184 options->route_delay = 0;
7185 }
7186 }
7187 else if (streq(p[0], "route-up") && p[1])
7188 {
7189 VERIFY_PERMISSION(OPT_P_SCRIPT);
7190 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7191 {
7192 goto err;
7193 }
7194 set_user_script(options, &options->route_script, p[1], "route-up", false);
7195 }
7196 else if (streq(p[0], "route-pre-down") && p[1])
7197 {
7198 VERIFY_PERMISSION(OPT_P_SCRIPT);
7199 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7200 {
7201 goto err;
7202 }
7203 set_user_script(options,
7204 &options->route_predown_script,
7205 p[1],
7206 "route-pre-down", true);
7207 }
7208 else if (streq(p[0], "route-noexec") && !p[1])
7209 {
7210 VERIFY_PERMISSION(OPT_P_SCRIPT);
7211 options->route_noexec = true;
7212 }
7213 else if (streq(p[0], "route-nopull") && !p[1])
7214 {
7215 VERIFY_PERMISSION(OPT_P_GENERAL);
7216 options->route_nopull = true;
7217 }
7218 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
7219 {
7220 struct pull_filter *f;
7221 VERIFY_PERMISSION(OPT_P_GENERAL)
7222 f = alloc_pull_filter(options);
7223
7224 if (strcmp("accept", p[1]) == 0)
7225 {
7226 f->type = PUF_TYPE_ACCEPT;
7227 }
7228 else if (strcmp("ignore", p[1]) == 0)
7229 {
7230 f->type = PUF_TYPE_IGNORE;
7231 }
7232 else if (strcmp("reject", p[1]) == 0)
7233 {
7234 f->type = PUF_TYPE_REJECT;
7235 }
7236 else
7237 {
7238 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
7239 goto err;
7240 }
7241 f->pattern = p[2];
7242 f->size = strlen(p[2]);
7243 }
7244 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
7245 {
7246 VERIFY_PERMISSION(OPT_P_GENERAL);
7247 options->allow_pull_fqdn = true;
7248 }
7249 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7250 {
7251 int j;
7252 VERIFY_PERMISSION(OPT_P_ROUTE);
7253 rol_check_alloc(options);
7254
7255 if (options->routes->flags & RG_ENABLE)
7256 {
7257 msg(M_WARN,
7258 "WARNING: You have specified redirect-gateway and "
7259 "redirect-private at the same time (or the same option "
7260 "multiple times). This is not well supported and may lead to "
7261 "unexpected results");
7262 }
7263
7264 options->routes->flags |= RG_ENABLE;
7265
7266 if (streq(p[0], "redirect-gateway"))
7267 {
7268 options->routes->flags |= RG_REROUTE_GW;
7269 }
7270 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7271 {
7272 if (streq(p[j], "local"))
7273 {
7274 options->routes->flags |= RG_LOCAL;
7275 }
7276 else if (streq(p[j], "autolocal"))
7277 {
7278 options->routes->flags |= RG_AUTO_LOCAL;
7279 }
7280 else if (streq(p[j], "def1"))
7281 {
7282 options->routes->flags |= RG_DEF1;
7283 }
7284 else if (streq(p[j], "bypass-dhcp"))
7285 {
7286 options->routes->flags |= RG_BYPASS_DHCP;
7287 }
7288 else if (streq(p[j], "bypass-dns"))
7289 {
7290 options->routes->flags |= RG_BYPASS_DNS;
7291 }
7292 else if (streq(p[j], "block-local"))
7293 {
7294 options->routes->flags |= RG_BLOCK_LOCAL;
7295 }
7296 else if (streq(p[j], "ipv6"))
7297 {
7298 rol6_check_alloc(options);
7299 options->routes_ipv6->flags |= RG_REROUTE_GW;
7300 }
7301 else if (streq(p[j], "!ipv4"))
7302 {
7303 options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7304 }
7305 else
7306 {
7307 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7308 goto err;
7309 }
7310 }
7311#ifdef _WIN32
7312 /* we need this here to handle pushed --redirect-gateway */
7313 remap_redirect_gateway_flags(options);
7314#endif
7315 }
7316 else if (streq(p[0], "block-ipv6") && !p[1])
7317 {
7318 VERIFY_PERMISSION(OPT_P_ROUTE);
7319 options->block_ipv6 = true;
7320 }
7321 else if (streq(p[0], "remote-random-hostname") && !p[1])
7322 {
7323 VERIFY_PERMISSION(OPT_P_GENERAL);
7324 options->sockflags |= SF_HOST_RANDOMIZE;
7325 }
7326 else if (streq(p[0], "setenv") && p[1] && !p[3])
7327 {
7328 VERIFY_PERMISSION(OPT_P_GENERAL);
7329 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7330 {
7331 options->sockflags |= SF_HOST_RANDOMIZE;
7332 }
7333 else if (streq(p[1], "GENERIC_CONFIG"))
7334 {
7335 msg(msglevel, "this is a generic configuration and cannot directly be used");
7336 goto err;
7337 }
7338 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7339 {
7340 options->push_peer_info = true;
7341 }
7342 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7343 {
7344 options->ce.connect_timeout = positive_atoi(p[2], msglevel);
7345 }
7346 else
7347 {
7348 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7349 {
7350 options->forward_compatible = true;
7351 msglevel_fc = msglevel_forward_compatible(options, msglevel);
7352 }
7353 setenv_str(es, p[1], p[2] ? p[2] : "");
7354 }
7355 }
7356 else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7357 {
7358 unsigned int major, minor, patch;
7359 if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7360 {
7361 msg(msglevel, "cannot parse version number for --compat-mode: %s",
7362 p[1]);
7363 goto err;
7364 }
7365
7366 options->backwards_compatible = major * 10000 + minor * 100 + patch;
7367 }
7368 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7369 {
7370 VERIFY_PERMISSION(OPT_P_SETENV);
7371 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7372 }
7373 else if (streq(p[0], "script-security") && p[1] && !p[2])
7374 {
7375 VERIFY_PERMISSION(OPT_P_GENERAL);
7376 script_security_set(atoi_warn(p[1], msglevel));
7377 }
7378 else if (streq(p[0], "mssfix") && !p[3])
7379 {
7380 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
7381 if (p[1])
7382 {
7383 int mssfix = positive_atoi(p[1], msglevel);
7384 /* can be 0, but otherwise it needs to be high enough so we can
7385 * substract room for headers. */
7386 if (mssfix != 0
7387 && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
7388 {
7389 msg(msglevel, "--mssfix value '%s' is invalid", p[1]);
7390 goto err;
7391 }
7392
7393 /* value specified, assume encapsulation is not
7394 * included unless "mtu" follows later */
7395 options->ce.mssfix = mssfix;
7396 options->ce.mssfix_encap = false;
7397 options->ce.mssfix_default = false;
7398 }
7399 else
7400 {
7401 /* Set MTU to default values */
7402 options->ce.mssfix_default = true;
7403 options->ce.mssfix_encap = true;
7404 options->ce.mssfix_fixed = false;
7405 }
7406
7407 if (p[2] && streq(p[2], "mtu"))
7408 {
7409 options->ce.mssfix_encap = true;
7410 }
7411 else if (p[2] && streq(p[2], "fixed"))
7412 {
7413 options->ce.mssfix_fixed = true;
7414 }
7415 else if (p[2])
7416 {
7417 msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7418 }
7419 }
7420 else if (streq(p[0], "disable-occ") && !p[1])
7421 {
7422 VERIFY_PERMISSION(OPT_P_GENERAL);
7423 options->occ = false;
7424 }
7425 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7426 {
7427 const int lev = M_WARN;
7428 bool error = false;
7429 in_addr_t network, netmask;
7430
7431 VERIFY_PERMISSION(OPT_P_GENERAL);
7432 network = get_ip_addr(p[1], lev, &error);
7433 netmask = get_ip_addr(p[2], lev, &error);
7434 if (error || !network || !netmask)
7435 {
7436 msg(msglevel, "error parsing --server parameters");
7437 goto err;
7438 }
7439 options->server_defined = true;
7440 options->server_network = network;
7441 options->server_netmask = netmask;
7442
7443 if (p[3])
7444 {
7445 if (streq(p[3], "nopool"))
7446 {
7447 options->server_flags |= SF_NOPOOL;
7448 }
7449 else
7450 {
7451 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7452 goto err;
7453 }
7454 }
7455 }
7456 else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7457 {
7458 const int lev = M_WARN;
7459 struct in6_addr network;
7460 unsigned int netbits = 0;
7461
7462 VERIFY_PERMISSION(OPT_P_GENERAL);
7463 if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
7464 {
7465 msg(msglevel, "error parsing --server-ipv6 parameter");
7466 goto err;
7467 }
7468 if (netbits < 64 || netbits > 124)
7469 {
7470 msg(msglevel,
7471 "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7472 netbits);
7473
7474 goto err;
7475 }
7476 options->server_ipv6_defined = true;
7477 options->server_network_ipv6 = network;
7478 options->server_netbits_ipv6 = netbits;
7479 }
7480 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7481 {
7482 const int lev = M_WARN;
7483 bool error = false;
7484 in_addr_t ip, netmask, pool_start, pool_end;
7485
7486 VERIFY_PERMISSION(OPT_P_GENERAL);
7487 ip = get_ip_addr(p[1], lev, &error);
7488 netmask = get_ip_addr(p[2], lev, &error);
7489 pool_start = get_ip_addr(p[3], lev, &error);
7490 pool_end = get_ip_addr(p[4], lev, &error);
7491 if (error || !ip || !netmask || !pool_start || !pool_end)
7492 {
7493 msg(msglevel, "error parsing --server-bridge parameters");
7494 goto err;
7495 }
7496 options->server_bridge_defined = true;
7497 options->server_bridge_ip = ip;
7498 options->server_bridge_netmask = netmask;
7499 options->server_bridge_pool_start = pool_start;
7500 options->server_bridge_pool_end = pool_end;
7501 }
7502 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7503 {
7504 VERIFY_PERMISSION(OPT_P_GENERAL);
7505 options->server_bridge_proxy_dhcp = true;
7506 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7507 }
7508 else if (streq(p[0], "server-bridge") && !p[1])
7509 {
7510 VERIFY_PERMISSION(OPT_P_GENERAL);
7511 options->server_bridge_proxy_dhcp = true;
7512 }
7513 else if (streq(p[0], "push") && p[1] && !p[2])
7514 {
7515 VERIFY_PERMISSION(OPT_P_PUSH);
7516 push_options(options, &p[1], msglevel, &options->gc);
7517 }
7518 else if (streq(p[0], "push-reset") && !p[1])
7519 {
7520 VERIFY_PERMISSION(OPT_P_INSTANCE);
7521 push_reset(options);
7522 }
7523 else if (streq(p[0], "push-remove") && p[1] && !p[2])
7524 {
7525 VERIFY_PERMISSION(OPT_P_INSTANCE);
7526 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7527 push_remove_option(options, p[1]);
7528 }
7529 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7530 {
7531 const int lev = M_WARN;
7532 bool error = false;
7533 in_addr_t start, end, netmask = 0;
7534
7535 VERIFY_PERMISSION(OPT_P_GENERAL);
7536 start = get_ip_addr(p[1], lev, &error);
7537 end = get_ip_addr(p[2], lev, &error);
7538 if (p[3])
7539 {
7540 netmask = get_ip_addr(p[3], lev, &error);
7541 }
7542 if (error)
7543 {
7544 msg(msglevel, "error parsing --ifconfig-pool parameters");
7545 goto err;
7546 }
7547 if (!ifconfig_pool_verify_range(msglevel, start, end))
7548 {
7549 goto err;
7550 }
7551
7552 options->ifconfig_pool_defined = true;
7553 options->ifconfig_pool_start = start;
7554 options->ifconfig_pool_end = end;
7555 if (netmask)
7556 {
7557 options->ifconfig_pool_netmask = netmask;
7558 }
7559 }
7560 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7561 {
7562 VERIFY_PERMISSION(OPT_P_GENERAL);
7563 options->ifconfig_pool_persist_filename = p[1];
7564 if (p[2])
7565 {
7566 options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2], msglevel);
7567 }
7568 }
7569 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7570 {
7571 const int lev = M_WARN;
7572 struct in6_addr network;
7573 unsigned int netbits = 0;
7574
7575 VERIFY_PERMISSION(OPT_P_GENERAL);
7576 if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
7577 {
7578 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7579 goto err;
7580 }
7581 if (netbits < 64 || netbits > 124)
7582 {
7583 msg(msglevel,
7584 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7585 netbits);
7586 goto err;
7587 }
7588
7589 options->ifconfig_ipv6_pool_defined = true;
7590 options->ifconfig_ipv6_pool_base = network;
7591 options->ifconfig_ipv6_pool_netbits = netbits;
7592 }
7593 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7594 {
7595 int real, virtual;
7596
7597 VERIFY_PERMISSION(OPT_P_GENERAL);
7598 real = atoi_warn(p[1], msglevel);
7599 virtual = atoi_warn(p[2], msglevel);
7600 if (real < 1 || virtual < 1)
7601 {
7602 msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
7603 goto err;
7604 }
7605 options->real_hash_size = real;
7606 options->virtual_hash_size = real;
7607 }
7608 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7609 {
7610 int cf_max, cf_per;
7611
7612 VERIFY_PERMISSION(OPT_P_GENERAL);
7613 cf_max = atoi_warn(p[1], msglevel);
7614 cf_per = atoi_warn(p[2], msglevel);
7615 if (cf_max < 0 || cf_per < 0)
7616 {
7617 msg(msglevel, "--connect-freq parms must be > 0");
7618 goto err;
7619 }
7620 options->cf_max = cf_max;
7621 options->cf_per = cf_per;
7622 }
7623 else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7624 {
7625 long cf_max, cf_per;
7626
7627 VERIFY_PERMISSION(OPT_P_GENERAL);
7628 char *e1, *e2;
7629 cf_max = strtol(p[1], &e1, 10);
7630 cf_per = strtol(p[2], &e2, 10);
7631 if (cf_max < 0 || cf_per < 0 || *e1 != '\0' || *e2 != '\0')
7632 {
7633 msg(msglevel, "--connect-freq-initial parameters must be integers and >= 0");
7634 goto err;
7635 }
7636 options->cf_initial_max = cf_max;
7637 options->cf_initial_per = cf_per;
7638 }
7639 else if (streq(p[0], "max-clients") && p[1] && !p[2])
7640 {
7641 int max_clients;
7642
7643 VERIFY_PERMISSION(OPT_P_GENERAL);
7644 max_clients = atoi_warn(p[1], msglevel);
7645 if (max_clients < 0)
7646 {
7647 msg(msglevel, "--max-clients must be at least 1");
7648 goto err;
7649 }
7650 if (max_clients >= MAX_PEER_ID) /* max peer-id value */
7651 {
7652 msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
7653 goto err;
7654 }
7655 options->max_clients = max_clients;
7656 }
7657 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7658 {
7659 VERIFY_PERMISSION(OPT_P_INHERIT);
7660 options->max_routes_per_client = max_int(positive_atoi(p[1], msglevel), 1);
7661 }
7662 else if (streq(p[0], "client-cert-not-required") && !p[1])
7663 {
7664 VERIFY_PERMISSION(OPT_P_GENERAL);
7665 msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7666 }
7667 else if (streq(p[0], "verify-client-cert") && !p[2])
7668 {
7669 VERIFY_PERMISSION(OPT_P_GENERAL);
7670
7671 /* Reset any existing flags */
7672 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7673 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7674 if (p[1])
7675 {
7676 if (streq(p[1], "none"))
7677 {
7678 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
7679 }
7680 else if (streq(p[1], "optional"))
7681 {
7682 options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7683 }
7684 else if (!streq(p[1], "require"))
7685 {
7686 msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7687 goto err;
7688 }
7689 }
7690 }
7691 else if (streq(p[0], "username-as-common-name") && !p[1])
7692 {
7693 VERIFY_PERMISSION(OPT_P_GENERAL);
7694 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7695 }
7696 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7697 {
7698 VERIFY_PERMISSION(OPT_P_GENERAL);
7699 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7700 }
7701 else if (streq(p[0], "opt-verify") && !p[1])
7702 {
7703 VERIFY_PERMISSION(OPT_P_GENERAL);
7704 msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
7705 "in OpenVPN 2.7");
7706 options->ssl_flags |= SSLF_OPT_VERIFY;
7707 }
7708 else if (streq(p[0], "auth-user-pass-verify") && p[1])
7709 {
7710 VERIFY_PERMISSION(OPT_P_SCRIPT);
7711 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7712 {
7713 goto err;
7714 }
7715 if (p[2])
7716 {
7717 if (streq(p[2], "via-env"))
7718 {
7719 options->auth_user_pass_verify_script_via_file = false;
7720 }
7721 else if (streq(p[2], "via-file"))
7722 {
7723 options->auth_user_pass_verify_script_via_file = true;
7724 }
7725 else
7726 {
7727 msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7728 goto err;
7729 }
7730 }
7731 else
7732 {
7733 msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7734 goto err;
7735 }
7736 set_user_script(options,
7737 &options->auth_user_pass_verify_script,
7738 p[1], "auth-user-pass-verify", true);
7739 }
7740 else if (streq(p[0], "auth-gen-token"))
7741 {
7742 VERIFY_PERMISSION(OPT_P_GENERAL);
7743 options->auth_token_generate = true;
7744 options->auth_token_lifetime = p[1] ? positive_atoi(p[1], msglevel) : 0;
7745
7746 for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
7747 {
7748 /* the second parameter can be the renewal time */
7749 if (i == 2 && valid_integer(p[i], true))
7750 {
7751 options->auth_token_renewal = positive_atoi(p[i], msglevel);
7752 }
7753 else if (streq(p[i], "external-auth"))
7754 {
7755 options->auth_token_call_auth = true;
7756 }
7757 else
7758 {
7759 msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
7760 }
7761 }
7762
7763 }
7764 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7765 {
7766 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7767 options->auth_token_secret_file = p[1];
7768 options->auth_token_secret_file_inline = is_inline;
7769
7770 }
7771 else if (streq(p[0], "client-connect") && p[1])
7772 {
7773 VERIFY_PERMISSION(OPT_P_SCRIPT);
7774 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7775 {
7776 goto err;
7777 }
7778 set_user_script(options, &options->client_connect_script,
7779 p[1], "client-connect", true);
7780 }
7781 else if (streq(p[0], "client-crresponse") && p[1])
7782 {
7783 VERIFY_PERMISSION(OPT_P_SCRIPT);
7784 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7785 {
7786 goto err;
7787 }
7788 set_user_script(options, &options->client_crresponse_script,
7789 p[1], "client-crresponse", true);
7790 }
7791 else if (streq(p[0], "client-disconnect") && p[1])
7792 {
7793 VERIFY_PERMISSION(OPT_P_SCRIPT);
7794 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7795 {
7796 goto err;
7797 }
7798 set_user_script(options, &options->client_disconnect_script,
7799 p[1], "client-disconnect", true);
7800 }
7801 else if (streq(p[0], "learn-address") && p[1])
7802 {
7803 VERIFY_PERMISSION(OPT_P_SCRIPT);
7804 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7805 {
7806 goto err;
7807 }
7808 set_user_script(options, &options->learn_address_script,
7809 p[1], "learn-address", true);
7810 }
7811 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7812 {
7813 VERIFY_PERMISSION(OPT_P_GENERAL);
7814 options->tmp_dir = p[1];
7815 }
7816 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7817 {
7818 VERIFY_PERMISSION(OPT_P_GENERAL);
7819 options->client_config_dir = p[1];
7820 }
7821 else if (streq(p[0], "ccd-exclusive") && !p[1])
7822 {
7823 VERIFY_PERMISSION(OPT_P_GENERAL);
7824 options->ccd_exclusive = true;
7825 }
7826 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7827 {
7828 int n_bcast_buf;
7829
7830 VERIFY_PERMISSION(OPT_P_GENERAL);
7831 n_bcast_buf = atoi_warn(p[1], msglevel);
7832 if (n_bcast_buf < 1)
7833 {
7834 msg(msglevel, "--bcast-buffers parameter must be > 0");
7835 }
7836 options->n_bcast_buf = n_bcast_buf;
7837 }
7838 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7839 {
7840 int tcp_queue_limit;
7841
7842 VERIFY_PERMISSION(OPT_P_GENERAL);
7843 tcp_queue_limit = atoi_warn(p[1], msglevel);
7844 if (tcp_queue_limit < 1)
7845 {
7846 msg(msglevel, "--tcp-queue-limit parameter must be > 0");
7847 }
7848 options->tcp_queue_limit = tcp_queue_limit;
7849 }
7850#if PORT_SHARE
7851 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7852 {
7853 VERIFY_PERMISSION(OPT_P_GENERAL);
7854 options->port_share_host = p[1];
7855 options->port_share_port = p[2];
7856 options->port_share_journal_dir = p[3];
7857 }
7858#endif
7859 else if (streq(p[0], "client-to-client") && !p[1])
7860 {
7861 VERIFY_PERMISSION(OPT_P_GENERAL);
7862 options->enable_c2c = true;
7863 }
7864 else if (streq(p[0], "duplicate-cn") && !p[1])
7865 {
7866 VERIFY_PERMISSION(OPT_P_GENERAL);
7867 options->duplicate_cn = true;
7868 }
7869 else if (streq(p[0], "iroute") && p[1] && !p[3])
7870 {
7871 VERIFY_PERMISSION(OPT_P_INSTANCE);
7872 option_iroute(options, p[1], p[2], msglevel);
7873 }
7874 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7875 {
7876 VERIFY_PERMISSION(OPT_P_INSTANCE);
7877 option_iroute_ipv6(options, p[1], msglevel);
7878 }
7879 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7880 {
7881 in_addr_t local, remote_netmask;
7882
7883 VERIFY_PERMISSION(OPT_P_INSTANCE);
7884 local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7885 remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7886 if (local && remote_netmask)
7887 {
7888 options->push_ifconfig_defined = true;
7889 options->push_ifconfig_local = local;
7890 options->push_ifconfig_remote_netmask = remote_netmask;
7891 if (p[3])
7892 {
7893 options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7894 }
7895 }
7896 else
7897 {
7898 msg(msglevel, "cannot parse --ifconfig-push addresses");
7899 goto err;
7900 }
7901 }
7902 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7903 {
7904 in_addr_t network, netmask;
7905
7906 VERIFY_PERMISSION(OPT_P_GENERAL);
7907 network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7908 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7909 if (network && netmask)
7910 {
7911 options->push_ifconfig_constraint_defined = true;
7912 options->push_ifconfig_constraint_network = network;
7913 options->push_ifconfig_constraint_netmask = netmask;
7914 }
7915 else
7916 {
7917 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7918 goto err;
7919 }
7920 }
7921 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7922 {
7923 struct in6_addr local, remote;
7924 unsigned int netbits;
7925
7926 VERIFY_PERMISSION(OPT_P_INSTANCE);
7927
7928 if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
7929 {
7930 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7931 goto err;
7932 }
7933
7934 if (p[2])
7935 {
7936 if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
7937 {
7938 msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7939 goto err;
7940 }
7941 }
7942 else
7943 {
7944 if (!options->ifconfig_ipv6_local
7945 || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
7946 NULL, msglevel ) )
7947 {
7948 msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7949 goto err;
7950 }
7951 }
7952
7953 options->push_ifconfig_ipv6_defined = true;
7954 options->push_ifconfig_ipv6_local = local;
7955 options->push_ifconfig_ipv6_netbits = netbits;
7956 options->push_ifconfig_ipv6_remote = remote;
7957 options->push_ifconfig_ipv6_blocked = false;
7958 }
7959 else if (streq(p[0], "disable") && !p[1])
7960 {
7961 VERIFY_PERMISSION(OPT_P_INSTANCE);
7962 options->disable = true;
7963 }
7964 else if (streq(p[0], "override-username") && p[1] && !p[2])
7965 {
7966 VERIFY_PERMISSION(OPT_P_INSTANCE);
7967 if (strlen(p[1]) > USER_PASS_LEN)
7968 {
7969 msg(msglevel, "override-username exceeds the maximum length of %d "
7970 "characters", USER_PASS_LEN);
7971
7972 /* disable the connection since ignoring the request to
7973 * set another username might cause serious problems */
7974 options->disable = true;
7975 }
7976 else
7977 {
7978 options->override_username = p[1];
7979 }
7980 }
7981 else if (streq(p[0], "tcp-nodelay") && !p[1])
7982 {
7983 VERIFY_PERMISSION(OPT_P_GENERAL);
7984 options->server_flags |= SF_TCP_NODELAY_HELPER;
7985 }
7986 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7987 {
7988 int ageing_time, check_interval;
7989
7990 VERIFY_PERMISSION(OPT_P_GENERAL);
7991 ageing_time = atoi_warn(p[1], msglevel);
7992 if (p[2])
7993 {
7994 check_interval = atoi_warn(p[2], msglevel);
7995 }
7996 else
7997 {
7998 check_interval = ageing_time;
7999 }
8000
8001 if (ageing_time < 1 || check_interval < 1)
8002 {
8003 msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
8004 goto err;
8005 }
8006 options->stale_routes_ageing_time = ageing_time;
8007 options->stale_routes_check_interval = check_interval;
8008 }
8009
8010 else if (streq(p[0], "client") && !p[1])
8011 {
8012 VERIFY_PERMISSION(OPT_P_GENERAL);
8013 options->client = true;
8014 }
8015 else if (streq(p[0], "pull") && !p[1])
8016 {
8017 VERIFY_PERMISSION(OPT_P_GENERAL);
8018 options->pull = true;
8019 }
8020 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
8021 {
8022 VERIFY_PERMISSION(OPT_P_PULL_MODE);
8023 options->push_continuation = atoi_warn(p[1], msglevel);
8024 }
8025 else if (streq(p[0], "auth-user-pass") && !p[2])
8026 {
8027 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8028 if (p[1])
8029 {
8030 options->auth_user_pass_file = p[1];
8031 options->auth_user_pass_file_inline = is_inline;
8032 }
8033 else
8034 {
8035 options->auth_user_pass_file = "stdin";
8036 }
8037 }
8038 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
8039 {
8040 VERIFY_PERMISSION(OPT_P_GENERAL);
8041 auth_retry_set(msglevel, p[1]);
8042 }
8043#ifdef ENABLE_MANAGEMENT
8044 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[4])
8045 {
8046 VERIFY_PERMISSION(OPT_P_GENERAL);
8047 options->sc_info.challenge_text = p[1];
8048 if (atoi_warn(p[2], msglevel))
8049 {
8050 options->sc_info.flags |= SC_ECHO;
8051 }
8052 if (p[3] && streq(p[3], "concat"))
8053 {
8054 options->sc_info.flags |= SC_CONCAT;
8055 }
8056 else if (p[3] && !streq(p[3], "scrv1"))
8057 {
8058 msg(msglevel, "--static-challenge: unknown format indicator '%s'", p[3]);
8059 goto err;
8060 }
8061 }
8062#endif
8063 else if (streq(p[0], "msg-channel") && p[1])
8064 {
8065#ifdef _WIN32
8066 VERIFY_PERMISSION(OPT_P_GENERAL);
8067 HANDLE process = GetCurrentProcess();
8068 HANDLE handle = (HANDLE) ((intptr_t) atoll(p[1]));
8069 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
8070 FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
8071 {
8072 msg(msglevel, "could not duplicate service pipe handle");
8073 goto err;
8074 }
8075 options->route_method = ROUTE_METHOD_SERVICE;
8076#else /* ifdef _WIN32 */
8077 msg(msglevel, "--msg-channel is only supported on Windows");
8078 goto err;
8079#endif
8080 }
8081#ifdef _WIN32
8082 else if (streq(p[0], "win-sys") && p[1] && !p[2])
8083 {
8084 VERIFY_PERMISSION(OPT_P_GENERAL);
8085 if (streq(p[1], "env"))
8086 {
8087 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
8088 "This entry will now be ignored. "
8089 "Please remove this entry from your configuration file.");
8090 }
8091 else
8092 {
8093 set_win_sys_path(p[1], es);
8094 }
8095 }
8096 else if (streq(p[0], "route-method") && p[1] && !p[2])
8097 {
8098 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8099 if (streq(p[1], "adaptive"))
8100 {
8101 options->route_method = ROUTE_METHOD_ADAPTIVE;
8102 }
8103 else if (streq(p[1], "ipapi"))
8104 {
8105 options->route_method = ROUTE_METHOD_IPAPI;
8106 }
8107 else if (streq(p[1], "exe"))
8108 {
8109 options->route_method = ROUTE_METHOD_EXE;
8110 }
8111 else
8112 {
8113 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
8114 goto err;
8115 }
8116 }
8117 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
8118 {
8119 const int index = ascii2ipset(p[1]);
8120 struct tuntap_options *to = &options->tuntap_options;
8121
8122 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8123
8124 if (index < 0)
8125 {
8126 msg(msglevel,
8127 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
8128 p[1],
8129 ipset2ascii_all(&gc));
8130 goto err;
8131 }
8132
8133 if (index == IPW32_SET_ADAPTIVE)
8134 {
8135 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
8136 }
8137
8138 if (index == IPW32_SET_DHCP_MASQ)
8139 {
8140 if (p[2])
8141 {
8142 if (!streq(p[2], "default"))
8143 {
8144 int offset = atoi_warn(p[2], msglevel);
8145
8146 if (!(offset > -256 && offset < 256))
8147 {
8148 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
8149 goto err;
8150 }
8151
8152 to->dhcp_masq_custom_offset = true;
8153 to->dhcp_masq_offset = offset;
8154 }
8155
8156 if (p[3])
8157 {
8158 const int min_lease = 30;
8159 int lease_time;
8160 lease_time = atoi_warn(p[3], msglevel);
8161 if (lease_time < min_lease)
8162 {
8163 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
8164 goto err;
8165 }
8166 to->dhcp_lease_time = lease_time;
8167 }
8168 }
8169 }
8170 to->ip_win32_type = index;
8171 to->ip_win32_defined = true;
8172 }
8173#endif /* ifdef _WIN32 */
8174 else if (streq(p[0], "dns-updown") && p[1])
8175 {
8176 VERIFY_PERMISSION(OPT_P_SCRIPT);
8177 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8178 {
8179 goto err;
8180 }
8181 struct dns_options *dns = &options->dns_options;
8182 if (streq(p[1], "disable"))
8183 {
8184 dns->updown = NULL;
8185 dns->updown_flags = DNS_UPDOWN_NO_FLAGS;
8186 }
8187 else if (streq(p[1], "force"))
8188 {
8189 /* force dns-updown run, even if a --up script is defined */
8190 if (!dns_updown_user_set(dns))
8191 {
8192 dns->updown = DEFAULT_DNS_UPDOWN;
8193 dns->updown_flags = DNS_UPDOWN_FORCED;
8194 }
8195 }
8196 else
8197 {
8198 if (streq(dns->updown, DEFAULT_DNS_UPDOWN))
8199 {
8200 /* Unset the default command to prevent warnings */
8201 dns->updown = NULL;
8202 }
8203 set_user_script(options, &dns->updown, p[1], p[0], false);
8204 dns->updown_flags = DNS_UPDOWN_USER_SET;
8205 }
8206 }
8207 else if (streq(p[0], "dns") && p[1])
8208 {
8209 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8210
8211 if (streq(p[1], "search-domains") && p[2])
8212 {
8213 dns_domain_list_append(&options->dns_options.search_domains, &p[2], &options->dns_options.gc);
8214 }
8215 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
8216 {
8217 long priority;
8218 if (!dns_server_priority_parse(&priority, p[2], pull_mode))
8219 {
8220 msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
8221 goto err;
8222 }
8223
8224 struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
8225
8226 if (streq(p[3], "address") && p[4])
8227 {
8228 for (int i = 4; p[i]; ++i)
8229 {
8230 if (!dns_server_addr_parse(server, p[i]))
8231 {
8232 msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]);
8233 goto err;
8234 }
8235 }
8236 }
8237 else if (streq(p[3], "resolve-domains"))
8238 {
8239 dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
8240 }
8241 else if (streq(p[3], "dnssec") && !p[5])
8242 {
8243 if (streq(p[4], "yes"))
8244 {
8245 server->dnssec = DNS_SECURITY_YES;
8246 }
8247 else if (streq(p[4], "no"))
8248 {
8249 server->dnssec = DNS_SECURITY_NO;
8250 }
8251 else if (streq(p[4], "optional"))
8252 {
8253 server->dnssec = DNS_SECURITY_OPTIONAL;
8254 }
8255 else
8256 {
8257 msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
8258 goto err;
8259 }
8260 }
8261 else if (streq(p[3], "transport") && !p[5])
8262 {
8263 if (streq(p[4], "plain"))
8264 {
8265 server->transport = DNS_TRANSPORT_PLAIN;
8266 }
8267 else if (streq(p[4], "DoH"))
8268 {
8269 server->transport = DNS_TRANSPORT_HTTPS;
8270 }
8271 else if (streq(p[4], "DoT"))
8272 {
8273 server->transport = DNS_TRANSPORT_TLS;
8274 }
8275 else
8276 {
8277 msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
8278 goto err;
8279 }
8280 }
8281 else if (streq(p[3], "sni") && !p[5])
8282 {
8283 server->sni = p[4];
8284 }
8285 else
8286 {
8287 msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]);
8288 goto err;
8289 }
8290 }
8291 else
8292 {
8293 msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
8294 goto err;
8295 }
8296 }
8297 else if (streq(p[0], "dhcp-option") && p[1])
8298 {
8299 struct dhcp_options *dhcp = &options->dns_options.from_dhcp;
8300#if defined(_WIN32) || defined(TARGET_ANDROID)
8301 struct tuntap_options *o = &options->tuntap_options;
8302#endif
8303 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8304
8305 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX")) && p[2] && !p[3])
8306 {
8307 dhcp->domain = p[2];
8308 }
8309 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
8310 {
8311 if (dhcp->domain_search_list_len < N_SEARCH_LIST_LEN)
8312 {
8313 dhcp->domain_search_list[dhcp->domain_search_list_len++] = p[2];
8314 }
8315 else
8316 {
8317 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
8318 p[1], N_SEARCH_LIST_LEN);
8319 }
8320 }
8321 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
8322 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
8323 {
8324 if (strstr(p[2], ":"))
8325 {
8326 dhcp_option_dns6_parse(p[2], dhcp->dns6, &dhcp->dns6_len, msglevel);
8327 }
8328 else
8329 {
8330 dhcp_option_address_parse("DNS", p[2], dhcp->dns, &dhcp->dns_len, msglevel);
8331 }
8332 }
8333#if defined(_WIN32) || defined(TARGET_ANDROID)
8334 else if (streq(p[1], "NBS") && p[2] && !p[3])
8335 {
8336 o->netbios_scope = p[2];
8337 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8338 }
8339 else if (streq(p[1], "NBT") && p[2] && !p[3])
8340 {
8341 int t;
8342 t = atoi_warn(p[2], msglevel);
8343 if (!(t == 1 || t == 2 || t == 4 || t == 8))
8344 {
8345 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8346 goto err;
8347 }
8348 o->netbios_node_type = t;
8349 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8350 }
8351 else if (streq(p[1], "WINS") && p[2] && !p[3])
8352 {
8353 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8354 }
8355 else if (streq(p[1], "NTP") && p[2] && !p[3])
8356 {
8357 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8358 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8359 }
8360 else if (streq(p[1], "NBDD") && p[2] && !p[3])
8361 {
8362 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8363 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8364 }
8365 else if (streq(p[1], "DISABLE-NBT") && !p[2])
8366 {
8367 o->disable_nbt = 1;
8368 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8369 }
8370#if defined(TARGET_ANDROID)
8371 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8372 {
8373 o->http_proxy_port = positive_atoi(p[3], msglevel);
8374 o->http_proxy = p[2];
8375 }
8376#endif
8377 else
8378 {
8379 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
8380 goto err;
8381 }
8382#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8383 setenv_foreign_option(options, (const char **)p, 3, es);
8384#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8385 }
8386#ifdef _WIN32
8387 else if (streq(p[0], "show-adapters") && !p[1])
8388 {
8389 VERIFY_PERMISSION(OPT_P_GENERAL);
8390 show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
8391 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8392 }
8393 else if (streq(p[0], "show-net") && !p[1])
8394 {
8395 VERIFY_PERMISSION(OPT_P_GENERAL);
8396 show_routes(M_INFO|M_NOPREFIX);
8397 show_adapters(M_INFO|M_NOPREFIX);
8398 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8399 }
8400 else if (streq(p[0], "show-net-up") && !p[1])
8401 {
8402 VERIFY_PERMISSION(OPT_P_UP);
8403 options->show_net_up = true;
8404 }
8405 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8406 {
8407 int s;
8408 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8409 s = atoi_warn(p[1], msglevel);
8410 if (s < 0 || s >= 256)
8411 {
8412 msg(msglevel, "--tap-sleep parameter must be between 0 and 255");
8413 goto err;
8414 }
8415 options->tuntap_options.tap_sleep = s;
8416 }
8417 else if (streq(p[0], "dhcp-renew") && !p[1])
8418 {
8419 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8420 options->tuntap_options.dhcp_renew = true;
8421 }
8422 else if (streq(p[0], "dhcp-pre-release") && !p[1])
8423 {
8424 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8425 options->tuntap_options.dhcp_pre_release = true;
8426 options->tuntap_options.dhcp_renew = true;
8427 }
8428 else if (streq(p[0], "dhcp-release") && !p[1])
8429 {
8430 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8431 }
8432 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8433 {
8434 unsigned int adapter_index;
8435 VERIFY_PERMISSION(OPT_P_GENERAL);
8436 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8437 adapter_index = atou(p[1]);
8438 sleep(options->tuntap_options.tap_sleep);
8439 if (options->tuntap_options.dhcp_pre_release)
8440 {
8441 dhcp_release_by_adapter_index(adapter_index);
8442 }
8443 if (options->tuntap_options.dhcp_renew)
8444 {
8445 dhcp_renew_by_adapter_index(adapter_index);
8446 }
8447 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8448 }
8449 else if (streq(p[0], "register-dns") && !p[1])
8450 {
8451 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8452 options->tuntap_options.register_dns = true;
8453 }
8454 else if (streq(p[0], "block-outside-dns") && !p[1])
8455 {
8456 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8457 options->block_outside_dns = true;
8458 }
8459 else if (streq(p[0], "rdns-internal") && !p[1])
8460 /* standalone method for internal use
8461 *
8462 * (if --register-dns is set, openvpn needs to call itself in a
8463 * sub-process to execute the required functions in a non-blocking
8464 * way, and uses --rdns-internal to signal that to itself)
8465 */
8466 {
8467 VERIFY_PERMISSION(OPT_P_GENERAL);
8468 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8469 if (options->tuntap_options.register_dns)
8470 {
8471 ipconfig_register_dns(NULL);
8472 }
8473 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8474 }
8475 else if (streq(p[0], "show-valid-subnets") && !p[1])
8476 {
8477 VERIFY_PERMISSION(OPT_P_GENERAL);
8478 show_valid_win32_tun_subnets();
8479 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8480 }
8481 else if (streq(p[0], "pause-exit") && !p[1])
8482 {
8483 VERIFY_PERMISSION(OPT_P_GENERAL);
8484 set_pause_exit_win32();
8485 }
8486 else if (streq(p[0], "service") && p[1] && !p[3])
8487 {
8488 VERIFY_PERMISSION(OPT_P_GENERAL);
8489 options->exit_event_name = p[1];
8490 if (p[2])
8491 {
8492 options->exit_event_initial_state = (atoi_warn(p[2], msglevel) != 0);
8493 }
8494 }
8495 else if (streq(p[0], "allow-nonadmin") && !p[2])
8496 {
8497 VERIFY_PERMISSION(OPT_P_GENERAL);
8498 tap_allow_nonadmin_access(p[1]);
8499 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8500 }
8501 else if (streq(p[0], "user") && p[1] && !p[2])
8502 {
8503 VERIFY_PERMISSION(OPT_P_GENERAL);
8504 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8505 }
8506 else if (streq(p[0], "group") && p[1] && !p[2])
8507 {
8508 VERIFY_PERMISSION(OPT_P_GENERAL);
8509 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8510 }
8511#else /* ifdef _WIN32 */
8512 else if (streq(p[0], "user") && p[1] && !p[2])
8513 {
8514 VERIFY_PERMISSION(OPT_P_GENERAL);
8515 options->username = p[1];
8516 }
8517 else if (streq(p[0], "group") && p[1] && !p[2])
8518 {
8519 VERIFY_PERMISSION(OPT_P_GENERAL);
8520 options->groupname = p[1];
8521 }
8522 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8523 {
8524 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8525 setenv_foreign_option(options, (const char **)p, 3, es);
8526 }
8527 else if (streq(p[0], "route-method") && p[1] && !p[2])
8528 {
8529 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8530 /* ignore when pushed to non-Windows OS */
8531 }
8532#endif /* ifdef _WIN32 */
8533#if PASSTOS_CAPABILITY
8534 else if (streq(p[0], "passtos") && !p[1])
8535 {
8536 VERIFY_PERMISSION(OPT_P_GENERAL);
8537 options->passtos = true;
8538 }
8539#endif
8540 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8541 {
8542 VERIFY_PERMISSION(OPT_P_GENERAL);
8543
8544 if (streq(p[1], "no"))
8545 {
8546 options->comp.flags =
8547 COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
8548 if (comp_non_stub_enabled(&options->comp))
8549 {
8550 msg(msglevel, "'--allow-compression no' conflicts with "
8551 " enabling compression");
8552 }
8553 }
8554 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8555 {
8556 /* Also printed on a push to hint at configuration problems */
8557 msg(msglevel, "Cannot set allow-compression to '%s' "
8558 "after set to 'no'", p[1]);
8559 goto err;
8560 }
8561 else if (streq(p[1], "asym"))
8562 {
8563 options->comp.flags |= COMP_F_ALLOW_ASYM;
8564 }
8565 else if (streq(p[1], "yes"))
8566 {
8567 msg(M_WARN, "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. "
8568 "We will use \"asym\" mode instead. See the manual page for more information.");
8569
8570 options->comp.flags |= COMP_F_ALLOW_ASYM;
8571 }
8572 else
8573 {
8574 msg(msglevel, "bad allow-compression option: %s -- "
8575 "must be 'yes', 'no', or 'asym'", p[1]);
8576 goto err;
8577 }
8578 }
8579 else if (streq(p[0], "comp-lzo") && !p[2])
8580 {
8581 VERIFY_PERMISSION(OPT_P_COMP);
8582
8583 /* All lzo variants do not use swap */
8584 options->comp.flags &= ~COMP_F_SWAP;
8585 options->comp.alg = COMP_ALG_LZO;
8586
8587 if (p[1])
8588 {
8589 if (streq(p[1], "no"))
8590 {
8591 options->comp.alg = COMP_ALG_STUB;
8592 }
8593 /* There is no actual difference anymore between these variants.
8594 * We never compress. On the server side we replace this with
8595 * --compress migrate later anyway.
8596 */
8597 else if (!(streq(p[1], "yes") || streq(p[1], "adaptive")))
8598 {
8599 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
8600 goto err;
8601 }
8602 }
8603 show_compression_warning(&options->comp);
8604 }
8605 else if (streq(p[0], "comp-noadapt") && !p[1])
8606 {
8607 /* NO-OP since we never compress anymore */
8608 }
8609 else if (streq(p[0], "compress") && !p[2])
8610 {
8611 VERIFY_PERMISSION(OPT_P_COMP);
8612 const char *alg = "stub";
8613 if (p[1])
8614 {
8615 alg = p[1];
8616 }
8617
8618 if (streq(alg, "stub"))
8619 {
8620 options->comp.alg = COMP_ALG_STUB;
8621 options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
8622 }
8623 else if (streq(alg, "stub-v2"))
8624 {
8625 options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8626 options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8627 }
8628 else if (streq(alg, "migrate"))
8629 {
8630 options->comp.alg = COMP_ALG_UNDEF;
8631 options->comp.flags = COMP_F_MIGRATE;
8632 }
8633 else if (streq(alg, "lzo"))
8634 {
8635 options->comp.alg = COMP_ALG_LZO;
8636 options->comp.flags &= ~COMP_F_SWAP;
8637 }
8638 else if (streq(alg, "lz4"))
8639 {
8640 options->comp.alg = COMP_ALG_LZ4;
8641 options->comp.flags |= COMP_F_SWAP;
8642 }
8643 else if (streq(alg, "lz4-v2"))
8644 {
8645 options->comp.alg = COMP_ALGV2_LZ4;
8646 }
8647 else
8648 {
8649 msg(msglevel, "bad comp option: %s", alg);
8650 goto err;
8651 }
8652
8653 show_compression_warning(&options->comp);
8654 }
8655 else if (streq(p[0], "show-ciphers") && !p[1])
8656 {
8657 VERIFY_PERMISSION(OPT_P_GENERAL);
8658 options->show_ciphers = true;
8659 }
8660 else if (streq(p[0], "show-digests") && !p[1])
8661 {
8662 VERIFY_PERMISSION(OPT_P_GENERAL);
8663 options->show_digests = true;
8664 }
8665 else if (streq(p[0], "show-engines") && !p[1])
8666 {
8667 VERIFY_PERMISSION(OPT_P_GENERAL);
8668 options->show_engines = true;
8669 }
8670 else if (streq(p[0], "key-direction") && p[1] && !p[2])
8671 {
8672 int key_direction;
8673
8674 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
8675
8676 key_direction = ascii2keydirection(msglevel, p[1]);
8677 if (key_direction >= 0)
8678 {
8679 if (permission_mask & OPT_P_GENERAL)
8680 {
8681 options->key_direction = key_direction;
8682 }
8683 else if (permission_mask & OPT_P_CONNECTION)
8684 {
8685 options->ce.key_direction = key_direction;
8686 }
8687 }
8688 else
8689 {
8690 goto err;
8691 }
8692 }
8693 else if (streq(p[0], "secret") && p[1] && !p[3])
8694 {
8695 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8696 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8697 options->shared_secret_file = p[1];
8698 options->shared_secret_file_inline = is_inline;
8699 if (!is_inline && p[2])
8700 {
8701 int key_direction;
8702
8703 key_direction = ascii2keydirection(msglevel, p[2]);
8704 if (key_direction >= 0)
8705 {
8706 options->key_direction = key_direction;
8707 }
8708 else
8709 {
8710 goto err;
8711 }
8712 }
8713 }
8714 else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
8715 {
8716 VERIFY_PERMISSION(OPT_P_GENERAL);
8717 options->allow_deprecated_insecure_static_crypto = true;
8718
8719 }
8720 else if (streq(p[0], "genkey") && !p[4])
8721 {
8722 VERIFY_PERMISSION(OPT_P_GENERAL);
8723 options->genkey = true;
8724 if (!p[1])
8725 {
8726 options->genkey_type = GENKEY_SECRET;
8727 }
8728 else
8729 {
8730 if (streq(p[1], "secret") || streq(p[1], "tls-auth")
8731 || streq(p[1], "tls-crypt"))
8732 {
8733 options->genkey_type = GENKEY_SECRET;
8734 }
8735 else if (streq(p[1], "tls-crypt-v2-server"))
8736 {
8737 options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
8738 }
8739 else if (streq(p[1], "tls-crypt-v2-client"))
8740 {
8741 options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
8742 if (p[3])
8743 {
8744 options->genkey_extra_data = p[3];
8745 }
8746 }
8747 else if (streq(p[1], "auth-token"))
8748 {
8749 options->genkey_type = GENKEY_AUTH_TOKEN;
8750 }
8751 else
8752 {
8753 msg(msglevel, "unknown --genkey type: %s", p[1]);
8754 }
8755
8756 }
8757 if (p[2])
8758 {
8759 options->genkey_filename = p[2];
8760 }
8761 }
8762 else if (streq(p[0], "auth") && p[1] && !p[2])
8763 {
8764 VERIFY_PERMISSION(OPT_P_GENERAL);
8765 options->authname = p[1];
8766 }
8767 else if (streq(p[0], "cipher") && p[1] && !p[2])
8768 {
8769 VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
8770 options->ciphername = p[1];
8771 }
8772 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8773 {
8774 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8775 options->ciphername = p[1];
8776 options->enable_ncp_fallback = true;
8777 }
8778 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
8779 && p[1] && !p[2])
8780 {
8781 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8782 if (streq(p[0], "ncp-ciphers"))
8783 {
8784 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8785 " '--data-ciphers' (renamed in OpenVPN 2.5).");
8786 }
8787 options->ncp_ciphers = p[1];
8788 }
8789 else if (streq(p[0], "key-derivation") && p[1])
8790 {
8791 /* NCP only option that is pushed by the server to enable EKM,
8792 * should not be used by normal users in config files*/
8793 VERIFY_PERMISSION(OPT_P_NCP)
8794 if (streq(p[1], "tls-ekm"))
8795 {
8796 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8797 }
8798 else
8799 {
8800 msg(msglevel, "Unknown key-derivation method %s", p[1]);
8801 }
8802 }
8803 else if (streq(p[0], "protocol-flags") && p[1])
8804 {
8805 /* NCP only option that is pushed by the server to enable protocol
8806 * features that are negotiated, should not be used by normal users
8807 * in config files */
8808 VERIFY_PERMISSION(OPT_P_NCP)
8809 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8810 {
8811 if (streq(p[j], "cc-exit"))
8812 {
8813 options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
8814 }
8815 else if (streq(p[j], "tls-ekm"))
8816 {
8817 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8818 }
8819 else if (streq(p[j], "dyn-tls-crypt"))
8820 {
8821 options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
8822 }
8823 else if (streq(p[j], "aead-epoch"))
8824 {
8825 options->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
8826 }
8827 else
8828 {
8829 msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
8830 }
8831 }
8832 }
8833 else if (streq(p[0], "force-tls-key-material-export"))
8834 {
8835 VERIFY_PERMISSION(OPT_P_GENERAL);
8836 options->force_key_material_export = true;
8837 }
8838 else if (streq(p[0], "prng") && p[1] && !p[3])
8839 {
8840 msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8841 }
8842 else if (streq(p[0], "no-replay") && !p[1])
8843 {
8844 VERIFY_PERMISSION(OPT_P_GENERAL);
8845 /* always error out, this breaks the connection */
8846 msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
8847 "Update your configuration.");
8848 }
8849 else if (streq(p[0], "replay-window") && !p[3])
8850 {
8851 VERIFY_PERMISSION(OPT_P_GENERAL);
8852 if (p[1])
8853 {
8854 int replay_window;
8855
8856 replay_window = atoi_warn(p[1], msglevel);
8857 if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
8858 {
8859 msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
8860 replay_window,
8861 MIN_SEQ_BACKTRACK,
8862 MAX_SEQ_BACKTRACK);
8863 goto err;
8864 }
8865 options->replay_window = replay_window;
8866
8867 if (p[2])
8868 {
8869 int replay_time;
8870
8871 replay_time = atoi_warn(p[2], msglevel);
8872 if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
8873 {
8874 msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
8875 replay_time,
8876 MIN_TIME_BACKTRACK,
8877 MAX_TIME_BACKTRACK);
8878 goto err;
8879 }
8880 options->replay_time = replay_time;
8881 }
8882 }
8883 else
8884 {
8885 msg(msglevel, "replay-window option is missing window size parameter");
8886 goto err;
8887 }
8888 }
8889 else if (streq(p[0], "mute-replay-warnings") && !p[1])
8890 {
8891 VERIFY_PERMISSION(OPT_P_GENERAL);
8892 options->mute_replay_warnings = true;
8893 }
8894 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8895 {
8896 VERIFY_PERMISSION(OPT_P_GENERAL);
8897 options->packet_id_file = p[1];
8898 }
8899 else if (streq(p[0], "test-crypto") && !p[1])
8900 {
8901 VERIFY_PERMISSION(OPT_P_GENERAL);
8902 options->test_crypto = true;
8903 }
8904#ifndef ENABLE_CRYPTO_MBEDTLS
8905 else if (streq(p[0], "engine") && !p[2])
8906 {
8907 VERIFY_PERMISSION(OPT_P_GENERAL);
8908 if (p[1])
8909 {
8910 options->engine = p[1];
8911 }
8912 else
8913 {
8914 options->engine = "auto";
8915 }
8916 }
8917#endif /* ENABLE_CRYPTO_MBEDTLS */
8918 else if (streq(p[0], "providers") && p[1])
8919 {
8920 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8921 {
8922 options->providers.names[j] = p[j];
8923 }
8924 }
8925#ifdef ENABLE_PREDICTION_RESISTANCE
8926 else if (streq(p[0], "use-prediction-resistance") && !p[1])
8927 {
8928 VERIFY_PERMISSION(OPT_P_GENERAL);
8929 options->use_prediction_resistance = true;
8930 }
8931#endif
8932 else if (streq(p[0], "show-tls") && !p[1])
8933 {
8934 VERIFY_PERMISSION(OPT_P_GENERAL);
8935 options->show_tls_ciphers = true;
8936 }
8937 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8938 {
8939 VERIFY_PERMISSION(OPT_P_GENERAL);
8940 options->show_curves = true;
8941 }
8942 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8943 {
8944 VERIFY_PERMISSION(OPT_P_GENERAL);
8945 msg(M_WARN, "Consider setting groups/curves preference with "
8946 "tls-groups instead of forcing a specific curve with "
8947 "ecdh-curve.");
8948 options->ecdh_curve = p[1];
8949 }
8950 else if (streq(p[0], "tls-server") && !p[1])
8951 {
8952 VERIFY_PERMISSION(OPT_P_GENERAL);
8953 options->tls_server = true;
8954 }
8955 else if (streq(p[0], "tls-client") && !p[1])
8956 {
8957 VERIFY_PERMISSION(OPT_P_GENERAL);
8958 options->tls_client = true;
8959 }
8960 else if (streq(p[0], "ca") && p[1] && !p[2])
8961 {
8962 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8963 options->ca_file = p[1];
8964 options->ca_file_inline = is_inline;
8965 }
8966#ifndef ENABLE_CRYPTO_MBEDTLS
8967 else if (streq(p[0], "capath") && p[1] && !p[2])
8968 {
8969 VERIFY_PERMISSION(OPT_P_GENERAL);
8970 options->ca_path = p[1];
8971 }
8972#endif /* ENABLE_CRYPTO_MBEDTLS */
8973 else if (streq(p[0], "dh") && p[1] && !p[2])
8974 {
8975 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8976 options->dh_file = p[1];
8977 options->dh_file_inline = is_inline;
8978 }
8979 else if (streq(p[0], "cert") && p[1] && !p[2])
8980 {
8981 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8982 options->cert_file = p[1];
8983 options->cert_file_inline = is_inline;
8984 }
8985 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8986 {
8987 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8988 options->extra_certs_file = p[1];
8989 options->extra_certs_file_inline = is_inline;
8990 }
8991 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8992 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8993 {
8994 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8995
8996 int verify_hash_depth = 0;
8997 if (streq(p[0], "verify-hash"))
8998 {
8999 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
9000 "You should switch to the either use the level 1 certificate as "
9001 "--ca option, use --tls-verify or use --peer-fingerprint");
9002 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
9003 verify_hash_depth = 1;
9004 }
9005
9006 options->verify_hash_algo = MD_SHA256;
9007
9008 int digest_len = SHA256_DIGEST_LENGTH;
9009
9010 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
9011 {
9012 msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
9013 " --peer-fingerprint are mutually exclusive", p[0]);
9014 goto err;
9015 }
9016
9017 if (streq(p[0], "verify-hash"))
9018 {
9019 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
9020 {
9021 options->verify_hash_algo = MD_SHA1;
9022 digest_len = SHA_DIGEST_LENGTH;
9023 }
9024 else if (p[2] && !streq(p[2], "SHA256"))
9025 {
9026 msg(msglevel, "invalid or unsupported hashing algorithm: %s "
9027 "(only SHA1 and SHA256 are supported)", p[2]);
9028 goto err;
9029 }
9030 }
9031
9032 struct verify_hash_list *newlist;
9033 newlist = parse_hash_fingerprint_multiline(p[1], digest_len,
9034 msglevel, &options->gc);
9035
9036 /* Append the new list to the end of our current list */
9037 if (!options->verify_hash)
9038 {
9039 options->verify_hash = newlist;
9040 options->verify_hash_depth = verify_hash_depth;
9041 }
9042 else
9043 {
9044 /* since both the old and new list can have multiple entries
9045 * we need to go to the end of one of them to concatenate them */
9046 struct verify_hash_list *listend = options->verify_hash;
9047 while (listend->next)
9048 {
9049 listend = listend->next;
9050 }
9051 listend->next = newlist;
9052 }
9053 }
9054#if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
9055 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
9056 {
9057 VERIFY_PERMISSION(OPT_P_GENERAL);
9058 options->cryptoapi_cert = p[1];
9059 }
9060#endif
9061 else if (streq(p[0], "key") && p[1] && !p[2])
9062 {
9063 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
9064 options->priv_key_file = p[1];
9065 options->priv_key_file_inline = is_inline;
9066 }
9067 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
9068 {
9069 int ver;
9070 VERIFY_PERMISSION(OPT_P_GENERAL);
9071 ver = tls_version_parse(p[1], p[2]);
9072 if (ver == TLS_VER_BAD)
9073 {
9074 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
9075 goto err;
9076 }
9077
9078#ifdef ENABLE_CRYPTO_MBEDTLS
9079 if (ver < TLS_VER_1_2)
9080 {
9081 msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
9082 ver = TLS_VER_1_2;
9083 }
9084#endif
9085
9086 options->ssl_flags &=
9087 ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
9088 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
9089 }
9090 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
9091 {
9092 int ver;
9093 VERIFY_PERMISSION(OPT_P_GENERAL);
9094 ver = tls_version_parse(p[1], NULL);
9095 if (ver == TLS_VER_BAD)
9096 {
9097 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
9098 goto err;
9099 }
9100 options->ssl_flags &=
9101 ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
9102 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
9103 }
9104#ifndef ENABLE_CRYPTO_MBEDTLS
9105 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
9106 {
9107 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
9108 options->pkcs12_file = p[1];
9109 options->pkcs12_file_inline = is_inline;
9110 }
9111#endif /* ENABLE_CRYPTO_MBEDTLS */
9112 else if (streq(p[0], "askpass") && !p[2])
9113 {
9114 VERIFY_PERMISSION(OPT_P_GENERAL);
9115 if (p[1])
9116 {
9117 options->key_pass_file = p[1];
9118 }
9119 else
9120 {
9121 options->key_pass_file = "stdin";
9122 }
9123 }
9124 else if (streq(p[0], "auth-nocache") && !p[1])
9125 {
9126 VERIFY_PERMISSION(OPT_P_GENERAL);
9127 ssl_set_auth_nocache();
9128 }
9129 else if (streq(p[0], "auth-token") && p[1] && !p[2])
9130 {
9131 VERIFY_PERMISSION(OPT_P_ECHO);
9132 ssl_set_auth_token(p[1]);
9133#ifdef ENABLE_MANAGEMENT
9134 if (management)
9135 {
9136 management_auth_token(management, p[1]);
9137 }
9138#endif
9139 }
9140 else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
9141 {
9142 VERIFY_PERMISSION(OPT_P_ECHO);
9143 ssl_set_auth_token_user(p[1]);
9144 }
9145 else if (streq(p[0], "single-session") && !p[1])
9146 {
9147 VERIFY_PERMISSION(OPT_P_GENERAL);
9148 options->single_session = true;
9149 }
9150 else if (streq(p[0], "push-peer-info") && !p[1])
9151 {
9152 VERIFY_PERMISSION(OPT_P_GENERAL);
9153 options->push_peer_info = true;
9154 }
9155 else if (streq(p[0], "tls-exit") && !p[1])
9156 {
9157 VERIFY_PERMISSION(OPT_P_GENERAL);
9158 options->tls_exit = true;
9159 }
9160 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
9161 {
9162 VERIFY_PERMISSION(OPT_P_GENERAL);
9163 options->cipher_list = p[1];
9164 }
9165 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
9166 {
9167 VERIFY_PERMISSION(OPT_P_GENERAL);
9168 options->tls_cert_profile = p[1];
9169 }
9170 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
9171 {
9172 VERIFY_PERMISSION(OPT_P_GENERAL);
9173 options->cipher_list_tls13 = p[1];
9174 }
9175 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
9176 {
9177 VERIFY_PERMISSION(OPT_P_GENERAL);
9178 options->tls_groups = p[1];
9179 }
9180 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
9181 || !p[2]))
9182 {
9183 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
9184 if (p[2] && streq(p[2], "dir"))
9185 {
9186 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
9187 }
9188 options->crl_file = p[1];
9189 options->crl_file_inline = is_inline;
9190 }
9191 else if (streq(p[0], "tls-verify") && p[1])
9192 {
9193 VERIFY_PERMISSION(OPT_P_SCRIPT);
9194 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
9195 {
9196 goto err;
9197 }
9198 set_user_script(options, &options->tls_verify,
9199 string_substitute(p[1], ',', ' ', &options->gc),
9200 "tls-verify", true);
9201 }
9202 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
9203 {
9204 VERIFY_PERMISSION(OPT_P_SCRIPT);
9205 options->tls_export_peer_cert_dir = p[1];
9206 }
9207 else if (streq(p[0], "compat-names"))
9208 {
9209 VERIFY_PERMISSION(OPT_P_GENERAL);
9210 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
9211 "Update your configuration.");
9212 goto err;
9213 }
9214 else if (streq(p[0], "no-name-remapping") && !p[1])
9215 {
9216 VERIFY_PERMISSION(OPT_P_GENERAL);
9217 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
9218 "Update your configuration.");
9219 goto err;
9220 }
9221 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
9222 {
9223 int type = VERIFY_X509_SUBJECT_DN;
9224 VERIFY_PERMISSION(OPT_P_GENERAL);
9225 if (p[2])
9226 {
9227 if (streq(p[2], "subject"))
9228 {
9229 type = VERIFY_X509_SUBJECT_DN;
9230 }
9231 else if (streq(p[2], "name"))
9232 {
9233 type = VERIFY_X509_SUBJECT_RDN;
9234 }
9235 else if (streq(p[2], "name-prefix"))
9236 {
9237 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
9238 }
9239 else
9240 {
9241 msg(msglevel, "unknown X.509 name type: %s", p[2]);
9242 goto err;
9243 }
9244 }
9245 options->verify_x509_type = type;
9246 options->verify_x509_name = p[1];
9247 }
9248 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
9249 {
9250#ifdef ENABLE_CRYPTO_MBEDTLS
9251 msg(msglevel, "--ns-cert-type is not available with mbedtls.");
9252 goto err;
9253#else
9254 VERIFY_PERMISSION(OPT_P_GENERAL);
9255 if (streq(p[1], "server"))
9256 {
9257 options->ns_cert_type = NS_CERT_CHECK_SERVER;
9258 }
9259 else if (streq(p[1], "client"))
9260 {
9261 options->ns_cert_type = NS_CERT_CHECK_CLIENT;
9262 }
9263 else
9264 {
9265 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
9266 goto err;
9267 }
9268#endif /* ENABLE_CRYPTO_MBEDTLS */
9269 }
9270 else if (streq(p[0], "remote-cert-ku"))
9271 {
9272 VERIFY_PERMISSION(OPT_P_GENERAL);
9273
9274 size_t j;
9275 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9276 {
9277 sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
9278 }
9279 if (j == 1)
9280 {
9281 /* No specific KU required, but require KU to be present */
9282 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9283 }
9284 }
9285 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
9286 {
9287 VERIFY_PERMISSION(OPT_P_GENERAL);
9288 options->remote_cert_eku = p[1];
9289 }
9290 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
9291 {
9292 VERIFY_PERMISSION(OPT_P_GENERAL);
9293
9294 if (streq(p[1], "server"))
9295 {
9296 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9297 options->remote_cert_eku = "TLS Web Server Authentication";
9298 }
9299 else if (streq(p[1], "client"))
9300 {
9301 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9302 options->remote_cert_eku = "TLS Web Client Authentication";
9303 }
9304 else
9305 {
9306 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
9307 goto err;
9308 }
9309 }
9310 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
9311 {
9312 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9313 options->tls_timeout = positive_atoi(p[1], msglevel);
9314 }
9315 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
9316 {
9317 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9318 char *end;
9319 long long reneg_bytes = strtoll(p[1], &end, 10);
9320 if (*end != '\0' || reneg_bytes < 0)
9321 {
9322 msg(msglevel, "--reneg-bytes parameter must be an integer and >= 0");
9323 goto err;
9324 }
9325 options->renegotiate_bytes = reneg_bytes;
9326 }
9327 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
9328 {
9329 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9330 char *end;
9331 long long pkt_max = strtoll(p[1], &end, 10);
9332 if (*end != '\0' || pkt_max < 0)
9333 {
9334 msg(msglevel, "--reneg-pkts parameter must be an integer and >= 0");
9335 goto err;
9336 }
9337 options->renegotiate_packets = pkt_max;
9338 }
9339 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
9340 {
9341 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9342 options->renegotiate_seconds = positive_atoi(p[1], msglevel);
9343 if (p[2])
9344 {
9345 options->renegotiate_seconds_min = positive_atoi(p[2], msglevel);
9346 }
9347 }
9348 else if (streq(p[0], "hand-window") && p[1] && !p[2])
9349 {
9350 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9351 options->handshake_window = positive_atoi(p[1], msglevel);
9352 }
9353 else if (streq(p[0], "tran-window") && p[1] && !p[2])
9354 {
9355 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9356 options->transition_window = positive_atoi(p[1], msglevel);
9357 }
9358 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9359 {
9360 int key_direction = -1;
9361
9362 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9363
9364 if (permission_mask & OPT_P_GENERAL)
9365 {
9366 options->tls_auth_file = p[1];
9367 options->tls_auth_file_inline = is_inline;
9368
9369 if (!is_inline && p[2])
9370 {
9371 key_direction = ascii2keydirection(msglevel, p[2]);
9372 if (key_direction < 0)
9373 {
9374 goto err;
9375 }
9376 options->key_direction = key_direction;
9377 }
9378
9379 }
9380 else if (permission_mask & OPT_P_CONNECTION)
9381 {
9382 options->ce.tls_auth_file = p[1];
9383 options->ce.tls_auth_file_inline = is_inline;
9384 options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
9385
9386 if (!is_inline && p[2])
9387 {
9388 key_direction = ascii2keydirection(msglevel, p[2]);
9389 if (key_direction < 0)
9390 {
9391 goto err;
9392 }
9393 options->ce.key_direction = key_direction;
9394 }
9395 }
9396 }
9397 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9398 {
9399 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9400 if (permission_mask & OPT_P_GENERAL)
9401 {
9402 options->tls_crypt_file = p[1];
9403 options->tls_crypt_file_inline = is_inline;
9404 }
9405 else if (permission_mask & OPT_P_CONNECTION)
9406 {
9407 options->ce.tls_crypt_file = p[1];
9408 options->ce.tls_crypt_file_inline = is_inline;
9409 }
9410 }
9411 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9412 {
9413 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9414 if (permission_mask & OPT_P_GENERAL)
9415 {
9416 options->tls_crypt_v2_file = p[1];
9417 options->tls_crypt_v2_file_inline = is_inline;
9418 }
9419 else if (permission_mask & OPT_P_CONNECTION)
9420 {
9421 options->ce.tls_crypt_v2_file = p[1];
9422 options->ce.tls_crypt_v2_file_inline = is_inline;
9423 }
9424
9425 if (p[2] && streq(p[2], "force-cookie"))
9426 {
9427 options->ce.tls_crypt_v2_force_cookie = true;
9428 }
9429 else if (p[2] && streq(p[2], "allow-noncookie"))
9430 {
9431 options->ce.tls_crypt_v2_force_cookie = false;
9432 }
9433 else if (p[2])
9434 {
9435 msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9436 }
9437 }
9438 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9439 {
9440 VERIFY_PERMISSION(OPT_P_GENERAL);
9441 options->tls_crypt_v2_verify_script = p[1];
9442 }
9443 else if (streq(p[0], "x509-track") && p[1] && !p[2])
9444 {
9445 VERIFY_PERMISSION(OPT_P_GENERAL);
9446 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9447 }
9448#ifdef ENABLE_X509ALTUSERNAME
9449 else if (streq(p[0], "x509-username-field") && p[1])
9450 {
9451 VERIFY_PERMISSION(OPT_P_GENERAL);
9452 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9453 {
9454 char *s = p[j];
9455
9456 if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s+4))
9457 {
9458 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9459 }
9460 options->x509_username_field[j-1] = p[j];
9461 }
9462 }
9463#endif /* ENABLE_X509ALTUSERNAME */
9464#ifdef ENABLE_PKCS11
9465 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9466 {
9467 char *provider = p[1];
9468 bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0 ));
9469
9470#ifdef DEFAULT_PKCS11_MODULE
9471 if (!provider)
9472 {
9473 provider = DEFAULT_PKCS11_MODULE;
9474 }
9475 else if (!p[2])
9476 {
9477 char *endp = NULL;
9478 int i = strtol(provider, &endp, 10);
9479
9480 if (*endp == 0)
9481 {
9482 /* There was one argument, and it was purely numeric.
9483 * Interpret it as the cert_private argument */
9484 provider = DEFAULT_PKCS11_MODULE;
9485 cert_private = i;
9486 }
9487 }
9488#else /* ifdef DEFAULT_PKCS11_MODULE */
9489 if (!provider)
9490 {
9491 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9492 goto err;
9493 }
9494#endif /* ifdef DEFAULT_PKCS11_MODULE */
9495 VERIFY_PERMISSION(OPT_P_GENERAL);
9496
9497 set_debug_level(options->verbosity, SDL_CONSTRAIN);
9498 show_pkcs11_ids(provider, cert_private);
9499 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9500 }
9501 else if (streq(p[0], "pkcs11-providers") && p[1])
9502 {
9503 int j;
9504
9505 VERIFY_PERMISSION(OPT_P_GENERAL);
9506
9507 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9508 {
9509 options->pkcs11_providers[j-1] = p[j];
9510 }
9511 }
9512 else if (streq(p[0], "pkcs11-protected-authentication"))
9513 {
9514 int j;
9515
9516 VERIFY_PERMISSION(OPT_P_GENERAL);
9517
9518 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9519 {
9520 options->pkcs11_protected_authentication[j-1] = atoi_warn(p[j], msglevel) != 0 ? 1 : 0;
9521 }
9522 }
9523 else if (streq(p[0], "pkcs11-private-mode") && p[1])
9524 {
9525 int j;
9526
9527 VERIFY_PERMISSION(OPT_P_GENERAL);
9528
9529 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9530 {
9531 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
9532 }
9533 }
9534 else if (streq(p[0], "pkcs11-cert-private"))
9535 {
9536 int j;
9537
9538 VERIFY_PERMISSION(OPT_P_GENERAL);
9539
9540 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9541 {
9542 options->pkcs11_cert_private[j-1] = (bool) (atoi_warn(p[j], msglevel));
9543 }
9544 }
9545 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9546 {
9547 VERIFY_PERMISSION(OPT_P_GENERAL);
9548 options->pkcs11_pin_cache_period = atoi_warn(p[1], msglevel);
9549 }
9550 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9551 {
9552 VERIFY_PERMISSION(OPT_P_GENERAL);
9553 options->pkcs11_id = p[1];
9554 }
9555 else if (streq(p[0], "pkcs11-id-management") && !p[1])
9556 {
9557 VERIFY_PERMISSION(OPT_P_GENERAL);
9558 options->pkcs11_id_management = true;
9559 }
9560#endif /* ifdef ENABLE_PKCS11 */
9561 else if (streq(p[0], "rmtun") && !p[1])
9562 {
9563 VERIFY_PERMISSION(OPT_P_GENERAL);
9564 options->persist_config = true;
9565 options->persist_mode = 0;
9566 }
9567 else if (streq(p[0], "mktun") && !p[1])
9568 {
9569 VERIFY_PERMISSION(OPT_P_GENERAL);
9570 options->persist_config = true;
9571 options->persist_mode = 1;
9572 }
9573 else if (streq(p[0], "peer-id") && p[1] && !p[2])
9574 {
9575 VERIFY_PERMISSION(OPT_P_PEER_ID);
9576 options->use_peer_id = true;
9577 options->peer_id = atoi_warn(p[1], msglevel);
9578 }
9579 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9580 {
9581 int ekm_length = positive_atoi(p[2], msglevel);
9582
9583 VERIFY_PERMISSION(OPT_P_GENERAL);
9584
9585 if (strncmp(p[1], "EXPORTER", 8))
9586 {
9587 msg(msglevel, "Keying material exporter label must begin with "
9588 "\"EXPORTER\"");
9589 goto err;
9590 }
9591 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9592 {
9593 msg(msglevel, "Keying material exporter label must not be '"
9594 EXPORT_KEY_DATA_LABEL "'.");
9595 }
9596 if (ekm_length < 16 || ekm_length > 4095)
9597 {
9598 msg(msglevel, "Invalid keying material exporter length");
9599 goto err;
9600 }
9601
9602 options->keying_material_exporter_label = p[1];
9603 options->keying_material_exporter_length = ekm_length;
9604 }
9605 else if (streq(p[0], "allow-recursive-routing") && !p[1])
9606 {
9607 VERIFY_PERMISSION(OPT_P_GENERAL);
9608 options->allow_recursive_routing = true;
9609 }
9610 else if (streq(p[0], "vlan-tagging") && !p[1])
9611 {
9612 VERIFY_PERMISSION(OPT_P_GENERAL);
9613 options->vlan_tagging = true;
9614 }
9615 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9616 {
9617 VERIFY_PERMISSION(OPT_P_GENERAL);
9618 if (streq(p[1], "tagged"))
9619 {
9620 options->vlan_accept = VLAN_ONLY_TAGGED;
9621 }
9622 else if (streq(p[1], "untagged"))
9623 {
9624 options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9625 }
9626 else if (streq(p[1], "all"))
9627 {
9628 options->vlan_accept = VLAN_ALL;
9629 }
9630 else
9631 {
9632 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9633 goto err;
9634 }
9635 }
9636 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9637 {
9638 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
9639 options->vlan_pvid = positive_atoi(p[1], msglevel);
9640 if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
9641 || options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
9642 {
9643 msg(msglevel,
9644 "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9645 OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
9646 goto err;
9647 }
9648 }
9649 else
9650 {
9651 int i;
9652 int msglevel_unknown = msglevel_fc;
9653 /* Check if an option is in --ignore-unknown-option and
9654 * set warning level to non fatal */
9655 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9656 {
9657 if (streq(p[0], options->ignore_unknown_option[i]))
9658 {
9659 msglevel_unknown = M_WARN;
9660 break;
9661 }
9662 }
9663 if (file)
9664 {
9665 msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
9666 }
9667 else
9668 {
9669 msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
9670 }
9671 }
9672err:
9673 gc_free(&gc);
9674}
9675
9676bool
9677has_udp_in_local_list(const struct options *options)
9678{
9679 if (options->ce.local_list)
9680 {
9681 for (int i = 0; i < options->ce.local_list->len; i++)
9682 {
9683 if (proto_is_dgram(options->ce.local_list->array[i]->proto))
9684 {
9685 return true;
9686 }
9687 }
9688 }
9689
9690 return false;
9691}
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:483
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:102
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:88
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:183
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:162
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:240
gc_transfer
void gc_transfer(struct gc_arena *dest, struct gc_arena *src)
Definition buffer.c:460
gc_realloc
void * gc_realloc(void *ptr, size_t size, struct gc_arena *a)
allows to realloc a pointer previously allocated by gc_malloc or gc_realloc
Definition buffer.c:370
format_hex_ex
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:62
string_array_len
int string_array_len(const char **array)
Definition buffer.c:703
buffer_read_from_file
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
Definition buffer.c:1359
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:825
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
string_alloc_buf
struct buffer string_alloc_buf(const char *str, struct gc_arena *gc)
Definition buffer.c:752
gc_detach
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1019
BSTR
#define BSTR(buf)
Definition buffer.h:129
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:712
BPTR
#define BPTR(buf)
Definition buffer.h:124
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1071
buf_valid
static bool buf_valid(const struct buffer *buf)
Definition buffer.h:234
gc_init
static void gc_init(struct gc_arena *a)
Definition buffer.h:1012
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:520
buf_set_read
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition buffer.h:348
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1097
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1092
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
strprefix
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition buffer.h:977
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1025
print_client_nat_list
void print_client_nat_list(const struct client_nat_option_list *list, int msglevel)
Definition clinat.c:52
add_client_nat_to_option_list
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, int msglevel)
Definition clinat.c:106
new_client_nat_list
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition clinat.c:75
clone_client_nat_option_list
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition clinat.c:83
copy_client_nat_option_list
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition clinat.c:92
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:69
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition common.h:82
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition comp.c:163
COMP_F_ALLOW_STUB_ONLY
#define COMP_F_ALLOW_STUB_ONLY
Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY we still accept other compression...
Definition comp.h:45
COMP_F_SWAP
#define COMP_F_SWAP
initial command byte is swapped with last byte in buffer to preserve payload alignment
Definition comp.h:40
COMP_ALG_LZ4
#define COMP_ALG_LZ4
LZ4 algorithm.
Definition comp.h:59
COMP_ALGV2_LZ4
#define COMP_ALGV2_LZ4
Definition comp.h:64
COMP_F_ALLOW_NOCOMP_ONLY
#define COMP_F_ALLOW_NOCOMP_ONLY
Do not allow compression framing (breaks DCO)
Definition comp.h:51
COMP_F_ALLOW_ASYM
#define COMP_F_ALLOW_ASYM
Compression was explicitly set to allow asymetric compression.
Definition comp.h:49
COMP_ALGV2_UNCOMPRESSED
#define COMP_ALGV2_UNCOMPRESSED
Definition comp.h:63
COMP_ALG_STUB
#define COMP_ALG_STUB
support compression command byte and framing without actual compression
Definition comp.h:56
COMP_ALG_LZO
#define COMP_ALG_LZO
LZO algorithm.
Definition comp.h:57
COMP_F_ADVERTISE_STUBS_ONLY
#define COMP_F_ADVERTISE_STUBS_ONLY
tell server that we only support compression stubs
Definition comp.h:42
COMP_F_MIGRATE
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
comp_non_stub_enabled
static bool comp_non_stub_enabled(const struct compress_options *info)
Definition comp.h:81
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition comp.h:54
daemon
int daemon(int nochdir, int noclose)
Definition compat-daemon.c:51
dirname
char * dirname(char *path)
Definition compat-dirname.c:62
strsep
char * strsep(char **stringp, const char *delim)
Definition compat-strsep.c:36
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:893
ascii2keydirection
int ascii2keydirection(int msglevel, const char *str)
Definition crypto.c:1653
keydirection2ascii
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
Definition crypto.c:1676
check_tls_prf_working
bool check_tls_prf_working(void)
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS K...
Definition crypto.c:1941
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1229
crypto.h
Data Channel Cryptography Module.
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:356
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:372
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:376
KEY_DIRECTION_BIDIRECTIONAL
#define KEY_DIRECTION_BIDIRECTIONAL
Definition crypto.h:230
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:368
MD_SHA256
@ MD_SHA256
Definition crypto_backend.h:54
MD_SHA1
@ MD_SHA1
Definition crypto_backend.h:53
cipher_defined
static bool cipher_defined(const char *ciphername)
Checks if the cipher is defined and is not the null (none) cipher.
Definition crypto_backend.h:219
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition crypto_openssl.c:1071
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:660
cipher_kt_key_size
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
Definition crypto_openssl.c:680
SHA_DIGEST_LENGTH
#define SHA_DIGEST_LENGTH
Definition crypto_mbedtls.h:78
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition crypto_mbedtls.h:79
dco_check_startup_option
static bool dco_check_startup_option(int msglevel, const struct options *o)
Definition dco.h:288
dco_check_option
static bool dco_check_option(int msglevel, const struct options *o)
Definition dco.h:282
dco_version_string
static const char * dco_version_string(struct gc_arena *gc)
Definition dco.h:276
dns_options_verify
bool dns_options_verify(int msglevel, const struct dns_options *o)
Checks validity of DNS options.
Definition dns.c:204
dns_domain_list_append
void dns_domain_list_append(struct dns_domain **entry, char **domains, struct gc_arena *gc)
Appends DNS domain parameters to a linked list.
Definition dns.c:148
dns_options_postprocess_pull
void dns_options_postprocess_pull(struct dns_options *o)
Merges pulled DNS servers with static ones into an ordered list.
Definition dns.c:280
dns_server_addr_parse
bool dns_server_addr_parse(struct dns_server *server, const char *addr)
Parses a string IPv4 or IPv6 address and optional colon separated port, into a in_addr or in6_addr re...
Definition dns.c:62
dns_server_get
struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc)
Find or create DNS server with priority in a linked list.
Definition dns.c:182
dns_server_priority_parse
bool dns_server_priority_parse(long *priority, const char *str, bool pulled)
Parses a string DNS server priority and validates it.
Definition dns.c:167
clone_dns_options
struct dns_options clone_dns_options(const struct dns_options *o, struct gc_arena *gc)
Makes a deep copy of the passed DNS options.
Definition dns.c:258
show_dns_options
void show_dns_options(const struct dns_options *o)
Prints configured DNS options.
Definition dns.c:771
dns_options_preprocess_pull
void dns_options_preprocess_pull(struct dns_options *o)
Saves and resets the server options, so that pulled ones don't mix in.
Definition dns.c:273
dns_updown_user_set
static bool dns_updown_user_set(const struct dns_options *o)
Returns whether dns-updown is user defined.
Definition dns.h:209
DNS_UPDOWN_FORCED
@ DNS_UPDOWN_FORCED
Definition dns.h:48
DNS_UPDOWN_NO_FLAGS
@ DNS_UPDOWN_NO_FLAGS
Definition dns.h:46
DNS_UPDOWN_USER_SET
@ DNS_UPDOWN_USER_SET
Definition dns.h:47
DNS_SECURITY_NO
@ DNS_SECURITY_NO
Definition dns.h:33
DNS_SECURITY_YES
@ DNS_SECURITY_YES
Definition dns.h:34
DNS_SECURITY_OPTIONAL
@ DNS_SECURITY_OPTIONAL
Definition dns.h:35
dns_updown_forced
static bool dns_updown_forced(const struct dns_options *o)
Returns whether dns-updown is forced to run.
Definition dns.h:220
DNS_TRANSPORT_PLAIN
@ DNS_TRANSPORT_PLAIN
Definition dns.h:40
DNS_TRANSPORT_TLS
@ DNS_TRANSPORT_TLS
Definition dns.h:42
DNS_TRANSPORT_HTTPS
@ DNS_TRANSPORT_HTTPS
Definition dns.h:41
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:292
setenv_str_i
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i)
Definition env_set.c:429
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:308
env_set_get
const char * env_set_get(const struct env_set *es, const char *name)
Definition env_set.c:202
setenv_str_safe
void setenv_str_safe(struct env_set *es, const char *name, const char *value)
Definition env_set.c:314
env_set_del
bool env_set_del(struct env_set *es, const char *str)
Definition env_set.c:184
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition env_set.c:300
D_SHOW_OCC
#define D_SHOW_OCC
Definition errlevel.h:151
D_PUSH
#define D_PUSH
Definition errlevel.h:83
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition errlevel.h:157
D_DCO
#define D_DCO
Definition errlevel.h:94
D_SHOW_PARMS
#define D_SHOW_PARMS
Definition errlevel.h:96
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition errlevel.h:67
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:59
D_LOW
#define D_LOW
Definition errlevel.h:97
M_INFO
#define M_INFO
Definition errlevel.h:55
forward.h
Interface functions to the internal and external multiplexers.
helper_setdefault_topology
void helper_setdefault_topology(struct options *o)
Set –topology default depending on –mode.
Definition helper.c:145
helper_tcp_nodelay
void helper_tcp_nodelay(struct options *o)
Definition helper.c:601
helper_client_server
void helper_client_server(struct options *o)
Definition helper.c:173
helper_keepalive
void helper_keepalive(struct options *o)
Definition helper.c:542
max_int
static int max_int(int x, int y)
Definition integer.h:89
constrain_int
static int constrain_int(int x, int min, int max)
Definition integer.h:115
status
static SERVICE_STATUS status
Definition interactive.c:52
tls_verify
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
Definition keyingmaterialexporter.c:166
management_auth_token
void management_auth_token(struct management *man, const char *token)
Definition manage.c:3106
management_echo
void management_echo(struct management *man, const char *string, const bool pull)
Definition manage.c:3028
MF_FORGET_DISCONNECT
#define MF_FORGET_DISCONNECT
Definition manage.h:32
MF_EXTERNAL_KEY_PKCS1PAD
#define MF_EXTERNAL_KEY_PKCS1PAD
Definition manage.h:39
MF_CLIENT_AUTH
#define MF_CLIENT_AUTH
Definition manage.h:34
MF_EXTERNAL_KEY_PSSPAD
#define MF_EXTERNAL_KEY_PSSPAD
Definition manage.h:44
MF_EXTERNAL_KEY_NOPADDING
#define MF_EXTERNAL_KEY_NOPADDING
Definition manage.h:38
MF_QUERY_PROXY
#define MF_QUERY_PROXY
Definition manage.h:42
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition manage.h:37
MF_QUERY_REMOTE
#define MF_QUERY_REMOTE
Definition manage.h:41
MF_QUERY_PASSWORDS
#define MF_QUERY_PASSWORDS
Definition manage.h:29
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition manage.h:43
MF_EXTERNAL_KEY_DIGEST
#define MF_EXTERNAL_KEY_DIGEST
Definition manage.h:45
MF_UP_DOWN
#define MF_UP_DOWN
Definition manage.h:40
MF_HOLD
#define MF_HOLD
Definition manage.h:30
MF_SIGNAL
#define MF_SIGNAL
Definition manage.h:31
MF_UNIX_SOCK
#define MF_UNIX_SOCK
Definition manage.h:36
MF_CONNECT_AS_CLIENT
#define MF_CONNECT_AS_CLIENT
Definition manage.h:33
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:793
safe_print
const char * safe_print(const char *str, struct gc_arena *gc)
Definition misc.c:557
USER_PASS_LEN
#define USER_PASS_LEN
Definition misc.h:69
SC_CONCAT
#define SC_CONCAT
Definition misc.h:95
SC_ECHO
#define SC_ECHO
Definition misc.h:94
translate_mtu_discover_type_name
int translate_mtu_discover_type_name(const char *name)
Definition mtu.c:261
calc_options_string_link_mtu
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition mtu.c:152
MSSFIX_DEFAULT
#define MSSFIX_DEFAULT
Definition mtu.h:80
TAP_MTU_EXTRA_DEFAULT
#define TAP_MTU_EXTRA_DEFAULT
Definition mtu.h:75
LINK_MTU_DEFAULT
#define LINK_MTU_DEFAULT
Definition mtu.h:65
TUN_MTU_DEFAULT
#define TUN_MTU_DEFAULT
Definition mtu.h:70
TLS_MTU_DEFAULT
#define TLS_MTU_DEFAULT
Definition mtu.h:85
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition multi.c:95
net_ctx_init
static int net_ctx_init(struct context *c, openvpn_net_ctx_t *ctx)
Definition networking.h:48
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:39
BOOL_CAST
#define BOOL_CAST(x)
Definition basic.h:27
CLEAR
#define CLEAR(x)
Definition basic.h:33
SIZE
#define SIZE(x)
Definition basic.h:30
errors_to_stderr
void errors_to_stderr(void)
Definition error.c:185
open_syslog
void open_syslog(const char *pgmname, bool stdio_to_null)
Definition error.c:467
redirect_stdout_stderr
void redirect_stdout_stderr(const char *file, bool append)
Definition error.c:515
msg_fp
FILE * msg_fp(const unsigned int flags)
Definition error.c:194
openvpn_exit
void openvpn_exit(const int status)
Definition error.c:735
machine_readable_output
static bool machine_readable_output
Definition error.c:78
set_suppress_timestamps
void set_suppress_timestamps(bool suppressed)
Definition error.c:149
set_machine_readable_output
void set_machine_readable_output(bool parsable)
Definition error.c:155
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:105
suppress_timestamps
static bool suppress_timestamps
Definition error.c:81
M_OPTERR
#define M_OPTERR
Definition error.h:100
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition error.h:177
M_NOPREFIX
#define M_NOPREFIX
Definition error.h:97
M_DEBUG_LEVEL
#define M_DEBUG_LEVEL
Definition error.h:87
M_USAGE
#define M_USAGE
Definition error.h:106
OPENVPN_EXIT_STATUS_USAGE
#define OPENVPN_EXIT_STATUS_USAGE
Definition error.h:55
OPENVPN_EXIT_STATUS_GOOD
#define OPENVPN_EXIT_STATUS_GOOD
Definition error.h:53
M_FATAL
#define M_FATAL
Definition error.h:89
M_ERR
#define M_ERR
Definition error.h:105
msg
#define msg(flags,...)
Definition error.h:144
ASSERT
#define ASSERT(x)
Definition error.h:195
M_WARN
#define M_WARN
Definition error.h:91
M_MSG_VIRT_OUT
#define M_MSG_VIRT_OUT
Definition error.h:99
M_ERRNO
#define M_ERRNO
Definition error.h:94
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:548
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4566
options_warning_safe_ml
static void options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
Definition options.c:4682
PUF_TYPE_ACCEPT
#define PUF_TYPE_ACCEPT
filter type to accept a matching option
Definition options.c:953
rol6_check_alloc
static void rol6_check_alloc(struct options *options)
Definition options.c:1579
CHKACC_PRIVATE
#define CHKACC_PRIVATE
Warn if this (private) file is group/others accessible.
Definition options.c:3934
check_file_access_chroot_inline
static bool check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access_chroot() that returns false immediately if the file is inline (and th...
Definition options.c:4066
check_file_access_chroot
static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
Definition options.c:4033
options_warning_safe_scan2
static void options_warning_safe_scan2(const int msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4593
options_postprocess_verify_ce
static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
Definition options.c:2269
msglevel_forward_compatible
static int msglevel_forward_compatible(struct options *options, const int msglevel)
Definition options.c:5716
alloc_local_entry
static struct local_entry * alloc_local_entry(struct connection_entry *ce, const int msglevel, struct gc_arena *gc)
Definition options.c:2070
NM_QUOTE_HINT
#define NM_QUOTE_HINT
Definition options.c:5685
options_postprocess_mutate_ce
static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
Definition options.c:2921
usage_version
static void usage_version(void)
Definition options.c:4954
in_src_get
static bool in_src_get(const struct in_src *is, char *line, const int size)
Definition options.c:5215
alloc_pull_filter
static struct pull_filter * alloc_pull_filter(struct options *o)
Definition options.c:2176
options_server_import
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5589
USAGE_VALID_SERVER_PROTOS
#define USAGE_VALID_SERVER_PROTOS
SHOW_BOOL
#define SHOW_BOOL(var)
Definition options.c:1001
CHKACC_DIRPATH
#define CHKACC_DIRPATH
Check for directory presence where a file should reside.
Definition options.c:3931
pre_connect_save
static void pre_connect_save(struct options *o)
Definition options.c:3117
CHKACC_ACPTSTDIN
#define CHKACC_ACPTSTDIN
If filename is stdin, it's allowed and "exists".
Definition options.c:3933
TLS_CLIENT
#define TLS_CLIENT
setenv_connection_entry
static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
Definition options.c:1006
check_inline_file_via_buf
static int check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
Definition options.c:5316
global_auth_retry
static int global_auth_retry
Definition options.c:4826
IS_TYPE_BUF
#define IS_TYPE_BUF
Definition options.c:5206
options_postprocess_pull
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition options.c:4290
uninit_options
void uninit_options(struct options *o)
Definition options.c:933
connection_entry_load_re
static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
Definition options.c:2197
SHOW_STR
#define SHOW_STR(var)
Definition options.c:992
check_inline_file
static int check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
Definition options.c:5283
verify_permission
static bool verify_permission(const char *name, const char *file, int line, const unsigned int type, const unsigned int allowed, unsigned int *found, const int msglevel, struct options *options, bool is_inline)
Definition options.c:5628
read_config_file
static void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5338
show_windows_version
void show_windows_version(const unsigned int flags)
Definition options.c:4920
VERIFY_PERMISSION
#define VERIFY_PERMISSION(mask)
Definition options.c:5619
options_warning_extract_parm1
static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
Definition options.c:4578
key_is_external
bool key_is_external(const struct options *options)
Definition options.c:5764
no_more_than_n_args
static bool no_more_than_n_args(const int msglevel, char *p[], const int max, const unsigned int flags)
Definition options.c:5688
check_ca_required
static void check_ca_required(const struct options *options)
Definition options.c:2235
auth_retry_set
bool auth_retry_set(const int msglevel, const char *option)
Definition options.c:4835
parse_http_proxy_override
static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, struct gc_arena *gc)
Definition options.c:1996
read_config_string
static void read_config_string(const char *prefix, struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5413
bypass_doubledash
static void bypass_doubledash(char **p)
Definition options.c:5196
CHKACC_FILEXSTWR
#define CHKACC_FILEXSTWR
If file exists, is it writable?
Definition options.c:3932
tuntap_options_postprocess_dns
static void tuntap_options_postprocess_dns(struct options *o)
Postprocess DNS related settings.
Definition options.c:3485
get_ipv6_addr_no_netbits
static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
Returns newly allocated string containing address part without "/nn".
Definition options.c:1133
PUF_TYPE_IGNORE
#define PUF_TYPE_IGNORE
filter type to ignore a matching option
Definition options.c:954
show_dco_version
void show_dco_version(const unsigned int flags)
Definition options.c:4929
apply_pull_filter
static bool apply_pull_filter(const struct options *o, char *line)
Filter an option line by all pull filters.
Definition options.c:5519
rol_check_alloc
void rol_check_alloc(struct options *options)
Definition options.c:1570
alloc_local_list_if_undef
static struct local_list * alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
Definition options.c:2060
SHOW_UNSIGNED
#define SHOW_UNSIGNED(var)
Definition options.c:1000
show_settings
void show_settings(const struct options *o)
Definition options.c:1694
set_user_script
static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot)
Definition options.c:5722
get_ip_addr
static in_addr_t get_ip_addr(const char *ip_string, int msglevel, bool *error)
Definition options.c:1108
LZO_LIB_VER_STR
#define LZO_LIB_VER_STR
apply_push_options
bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5559
show_dhcp_option_list
static void show_dhcp_option_list(const char *name, const char *const *array, int len)
Definition options.c:1286
show_connection_entries
static void show_connection_entries(const struct options *o)
Definition options.c:1655
options_postprocess_mutate_le
static void options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
Definition options.c:3081
option_iroute_ipv6
static void option_iroute_ipv6(struct options *o, const char *prefix_str, int msglevel)
Definition options.c:1509
options_cmp_equal_safe
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4708
parse_argv
void parse_argv(struct options *options, const int argc, char *argv[], const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5446
PUF_TYPE_REJECT
#define PUF_TYPE_REJECT
filter type to reject and trigger SIGUSR1
Definition options.c:955
string_defined_equal
bool string_defined_equal(const char *s1, const char *s2)
Definition options.c:4985
check_file_access_inline
static bool check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access() that returns false immediately if the file is inline (and therefore...
Definition options.c:4083
options_postprocess
void options_postprocess(struct options *options, struct env_set *es)
Definition options.c:4276
parse_topology
int parse_topology(const char *str, const int msglevel)
Definition options.c:4779
show_dhcp_option_addrs
static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
Definition options.c:1296
usage_small
void usage_small(void)
Definition options.c:4912
auth_retry_print
const char * auth_retry_print(void)
Definition options.c:4858
show_http_proxy_options
static void show_http_proxy_options(const struct http_proxy_options *o)
Definition options.c:1530
options_postprocess_filechecks
static void options_postprocess_filechecks(struct options *options)
Definition options.c:4152
show_connection_entry
static void show_connection_entry(const struct connection_entry *o)
Definition options.c:1598
options_warning_safe
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4731
show_library_versions
void show_library_versions(const unsigned int flags)
Definition options.c:4939
setenv_settings
void setenv_settings(struct env_set *es, const struct options *o)
Definition options.c:1036
CHKACC_ACCEPT_URI
#define CHKACC_ACCEPT_URI
Do not check URIs, unless they start with file:
Definition options.c:3935
usage_message
static const char usage_message[]
Definition options.c:120
string_substitute
static char * string_substitute(const char *src, int from, int to, struct gc_arena *gc)
Definition options.c:1160
parse_hash_fingerprint
static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a hexstring and checks if the string has the correct length.
Definition options.c:1189
alloc_connection_list_if_undef
static struct connection_list * alloc_connection_list_if_undef(struct options *options)
Definition options.c:2100
space
static bool space(unsigned char c)
Definition options.c:5016
check_cmd_access
static bool check_cmd_access(const char *command, const char *opt, const char *chroot)
Definition options.c:4111
options_warning_safe_scan1
static void options_warning_safe_scan1(const int msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4661
SHOW_INT64
#define SHOW_INT64(var)
Definition options.c:999
alloc_connection_entry
static struct connection_entry * alloc_connection_entry(struct options *options, const int msglevel)
Definition options.c:2110
dhcp_option_dns6_parse
static void dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
Definition options.c:1337
check_file_access
static bool check_file_access(const int type, const char *file, const int mode, const char *opt)
Definition options.c:3938
show_p2mp_parms
static void show_p2mp_parms(const struct options *o)
Definition options.c:1397
pull_filter_type_name
static const char * pull_filter_type_name(int type)
Definition options.c:971
cnol_check_alloc
static void cnol_check_alloc(struct options *options)
Definition options.c:1588
parse_line
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition options.c:5022
check_inline_file_via_fp
static int check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
Definition options.c:5307
alloc_remote_entry
static struct remote_entry * alloc_remote_entry(struct options *options, const int msglevel)
Definition options.c:2143
options_postprocess_mutate
static void options_postprocess_mutate(struct options *o, struct env_set *es)
Definition options.c:3730
options_detach
void options_detach(struct options *o)
Definition options.c:1561
atou
static unsigned int atou(const char *str)
Definition options.c:5007
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3159
dhcp_option_address_parse
static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
Definition options.c:1351
alloc_pull_filter_list
static struct pull_filter_list * alloc_pull_filter_list(struct options *o)
Definition options.c:2166
print_topology
const char * print_topology(const int topology)
Definition options.c:4801
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5609
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4745
SHOW_STR_INLINE
#define SHOW_STR_INLINE(var)
Definition options.c:993
options_postprocess_cipher
static void options_postprocess_cipher(struct options *o)
Definition options.c:3318
options_set_backwards_compatible_options
static void options_set_backwards_compatible_options(struct options *o)
Changes default values so that OpenVPN can be compatible with the user specified version.
Definition options.c:3386
show_tuntap_options
static void show_tuntap_options(const struct tuntap_options *o)
Definition options.c:1311
init_options
void init_options(struct options *o, const bool init_gc)
Definition options.c:805
MUST_BE_FALSE
#define MUST_BE_FALSE(condition, parm_name)
Definition options.c:2265
MUST_BE_UNDEF
#define MUST_BE_UNDEF(parm, parm_name)
Definition options.c:2263
print_vlan_accept
static const char * print_vlan_accept(enum vlan_acceptable_frames mode)
Definition options.c:1380
SHOW_PARM
#define SHOW_PARM(name, value, format)
Definition options.c:991
options_postprocess_http_proxy_override
static void options_postprocess_http_proxy_override(struct options *o)
Definition options.c:2026
IS_TYPE_FP
#define IS_TYPE_FP
Definition options.c:5205
options_warning
void options_warning(char *actual, const char *expected)
Definition options.c:4572
show_pull_filter_list
static void show_pull_filter_list(const struct pull_filter_list *l)
Definition options.c:1676
CHKACC_FILE
#define CHKACC_FILE
Check for a file/directory presence.
Definition options.c:3930
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4737
options_postprocess_mutate_invariant
static void options_postprocess_mutate_invariant(struct options *options)
Definition options.c:3228
ipv6_addr_safe_hexplusbits
static bool ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
Definition options.c:1151
title_string
const char title_string[]
Definition options.c:69
setenv_local_entry
static void setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
Definition options.c:1026
remap_redirect_gateway_flags
static void remap_redirect_gateway_flags(struct options *opt)
Definition options.c:3099
TLS_SERVER
#define TLS_SERVER
usage
static void usage(void)
Definition options.c:4880
auth_retry_get
int auth_retry_get(void)
Definition options.c:4829
add_option
static void add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5779
parse_hash_fingerprint_multiline
static struct verify_hash_list * parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a string consisting of multiple lines of hexstrings and checks if each string has the correct ...
Definition options.c:1243
alloc_remote_list_if_undef
static struct remote_list * alloc_remote_list_if_undef(struct options *options)
Definition options.c:2133
notnull
void notnull(const char *arg, const char *description)
Definition options.c:4976
show_compression_warning
static void show_compression_warning(struct compress_options *info)
Definition options.c:5752
options_process_mutate_prf
static void options_process_mutate_prf(struct options *o)
Definition options.c:3456
has_udp_in_local_list
bool has_udp_in_local_list(const struct options *options)
Definition options.c:9677
option_iroute
static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, int msglevel)
Definition options.c:1479
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4347
read_inline_file
static char * read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
Definition options.c:5238
options_postprocess_verify
static void options_postprocess_verify(const struct options *o)
Definition options.c:3292
connection_entry_preload_key
static void connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
Definition options.c:2218
SHOW_INT
#define SHOW_INT(var)
Definition options.c:997
need_compatibility_before
static bool need_compatibility_before(const struct options *o, unsigned int version)
The option –compat-mode is used to set up default settings to values used on the specified openvpn ve...
Definition options.c:3376
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition options.h:259
OPT_P_SCRIPT
#define OPT_P_SCRIPT
Definition options.h:735
OPT_P_PUSH
#define OPT_P_PUSH
Definition options.h:747
SF_TCP_NODELAY_HELPER
#define SF_TCP_NODELAY_HELPER
Definition options.h:477
OPT_P_UP
#define OPT_P_UP
Definition options.h:732
OPT_P_CONNECTION
#define OPT_P_CONNECTION
Definition options.h:758
OPT_P_INSTANCE
#define OPT_P_INSTANCE
allowed in ccd, client-connect etc
Definition options.h:748
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:743
OPT_P_ECHO
#define OPT_P_ECHO
Definition options.h:751
OPT_P_ROUTE_TABLE
#define OPT_P_ROUTE_TABLE
Definition options.h:762
OPT_P_CONFIG
#define OPT_P_CONFIG
Definition options.h:749
MODE_SERVER
#define MODE_SERVER
Definition options.h:260
CONNECTION_LIST_SIZE
#define CONNECTION_LIST_SIZE
Definition options.h:187
streq
#define streq(x, y)
Definition options.h:726
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:750
AR_INTERACT
#define AR_INTERACT
Definition options.h:905
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition options.h:737
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:929
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition options.h:757
SF_NOPOOL
#define SF_NOPOOL
Definition options.h:476
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition options.h:742
OPT_P_SETENV
#define OPT_P_SETENV
Definition options.h:736
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition options.h:756
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition options.h:755
OPTION_PARM_SIZE
#define OPTION_PARM_SIZE
Definition options.h:57
OPT_P_TIMER
#define OPT_P_TIMER
Definition options.h:738
OPT_P_GENERAL
#define OPT_P_GENERAL
Definition options.h:731
PING_RESTART
#define PING_RESTART
Definition options.h:355
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition options.h:734
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition options.h:754
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition options.h:238
GENKEY_SECRET
@ GENKEY_SECRET
Definition options.h:235
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:237
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:236
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition options.h:761
AR_NONE
#define AR_NONE
Definition options.h:904
AR_NOINTERACT
#define AR_NOINTERACT
Definition options.h:906
SF_NO_PUSH_ROUTE_GATEWAY
#define SF_NO_PUSH_ROUTE_GATEWAY
Definition options.h:478
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition options.h:739
MAX_PARMS
#define MAX_PARMS
Definition options.h:52
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition options.h:766
PLUGIN_OPTION_LIST
#define PLUGIN_OPTION_LIST(opt)
Definition options.h:786
OPTION_LINE_SIZE
#define OPTION_LINE_SIZE
Definition options.h:58
PING_EXIT
#define PING_EXIT
Definition options.h:354
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:741
OPT_P_PERSIST_IP
#define OPT_P_PERSIST_IP
Definition options.h:740
OPT_P_MTU
#define OPT_P_MTU
Definition options.h:745
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition options.h:753
OPT_P_NICE
#define OPT_P_NICE
Definition options.h:746
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition options.h:759
OPT_P_INHERIT
#define OPT_P_INHERIT
Definition options.h:752
OPT_P_TLS_PARMS
#define OPT_P_TLS_PARMS
Definition options.h:744
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition options.h:733
MAN_CLIENT_AUTH_ENABLED
#define MAN_CLIENT_AUTH_ENABLED(opt)
Definition options.h:792
CE_DISABLED
#define CE_DISABLED
Definition options.h:150
OPT_P_INLINE
#define OPT_P_INLINE
Definition options.h:760
vlan_acceptable_frames
vlan_acceptable_frames
Definition options.h:220
VLAN_ONLY_UNTAGGED_OR_PRIORITY
@ VLAN_ONLY_UNTAGGED_OR_PRIORITY
Definition options.h:222
VLAN_ALL
@ VLAN_ALL
Definition options.h:223
VLAN_ONLY_TAGGED
@ VLAN_ONLY_TAGGED
Definition options.h:221
positive_atoi
int positive_atoi(const char *str, int msglevel)
Converts a str to a positive number if the string represents a postive integer number.
Definition options_util.c:119
atoi_warn
int atoi_warn(const char *str, int msglevel)
Converts a str to an integer if the string can be represented as an integer number.
Definition options_util.c:135
valid_integer
bool valid_integer(const char *str, bool positive)
Checks if the string is a valid integer by checking if it can be converted to an integer.
Definition options_util.c:103
options_util.h
packet_id.h
MAX_SEQ_BACKTRACK
#define MAX_SEQ_BACKTRACK
Definition packet_id.h:86
MIN_SEQ_BACKTRACK
#define MIN_SEQ_BACKTRACK
Definition packet_id.h:85
DEFAULT_SEQ_BACKTRACK
#define DEFAULT_SEQ_BACKTRACK
Definition packet_id.h:87
MAX_TIME_BACKTRACK
#define MAX_TIME_BACKTRACK
Definition packet_id.h:95
DEFAULT_TIME_BACKTRACK
#define DEFAULT_TIME_BACKTRACK
Definition packet_id.h:96
MIN_TIME_BACKTRACK
#define MIN_TIME_BACKTRACK
Definition packet_id.h:94
platform_getpid
unsigned int platform_getpid(void)
Definition platform.c:333
platform_access
int platform_access(const char *path, int mode)
Definition platform.c:458
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition platform.c:501
platform_chdir
int platform_chdir(const char *dir)
Definition platform.c:393
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:527
platform_stat_t
struct _stat platform_stat_t
Definition platform.h:142
plugin_option_list_new
struct plugin_option_list * plugin_option_list_new(struct gc_arena *gc)
Definition plugin.c:160
plugin_option_list_add
bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
Definition plugin.c:168
plugin_option_list_print
void plugin_option_list_print(const struct plugin_option_list *list, int msglevel)
Definition plugin.c:189
ifconfig_pool_verify_range
bool ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_addr_t end)
Definition pool.c:121
OPENVPN_8021Q_MIN_VID
#define OPENVPN_8021Q_MIN_VID
Definition proto.h:311
OPENVPN_8021Q_MAX_VID
#define OPENVPN_8021Q_MAX_VID
Definition proto.h:312
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:37
TOP_UNDEF
#define TOP_UNDEF
Definition proto.h:41
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition proto.h:35
TOP_NET30
#define TOP_NET30
Definition proto.h:42
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:36
TOP_P2P
#define TOP_P2P
Definition proto.h:43
TOP_SUBNET
#define TOP_SUBNET
Definition proto.h:44
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:46
PAR_NCT
#define PAR_NCT
Definition proxy.h:50
MAX_CUSTOM_HTTP_HEADER
#define MAX_CUSTOM_HTTP_HEADER
Definition proxy.h:43
PAR_ALL
#define PAR_ALL
Definition proxy.h:49
push_reset
void push_reset(struct options *o)
Definition push.c:933
clone_push_list
void clone_push_list(struct options *o)
Definition push.c:891
push_remove_option
void push_remove_option(struct options *o, const char *p)
Definition push.c:939
push_options
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition push.c:907
is_special_addr
bool is_special_addr(const char *addr_str)
Definition route.c:306
clone_route_option_list
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition route.c:155
netmask_to_netbits2
int netmask_to_netbits2(in_addr_t netmask)
Definition route.c:4148
new_route_ipv6_option_list
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition route.c:139
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition route.c:2895
show_routes
void show_routes(int msglev)
Definition route.c:3317
print_route_options
void print_route_options(const struct route_option_list *rol, int level)
Definition route.c:1327
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:534
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition route.c:1343
copy_route_option_list
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition route.c:173
copy_route_ipv6_option_list
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:180
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2794
clone_route_ipv6_option_list
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:164
new_route_option_list
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition route.c:130
add_route_to_option_list
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric, int table_id)
Definition route.c:514
RG_LOCAL
#define RG_LOCAL
Definition route.h:87
RG_BYPASS_DHCP
#define RG_BYPASS_DHCP
Definition route.h:89
ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_SERVICE
Definition route.h:43
ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_IPAPI
Definition route.h:41
ROUTE_METHOD_EXE
#define ROUTE_METHOD_EXE
Definition route.h:42
RG_DEF1
#define RG_DEF1
Definition route.h:88
RG_BYPASS_DNS
#define RG_BYPASS_DNS
Definition route.h:90
RG_ENABLE
#define RG_ENABLE
Definition route.h:86
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:91
ROUTE_METHOD_ADAPTIVE
#define ROUTE_METHOD_ADAPTIVE
Definition route.h:40
RG_AUTO_LOCAL
#define RG_AUTO_LOCAL
Definition route.h:92
RG_BLOCK_LOCAL
#define RG_BLOCK_LOCAL
Definition route.h:93
script_security_set
void script_security_set(int level)
Definition run_command.c:49
run_command.h
SHAPER_MAX
#define SHAPER_MAX
Definition shaper.h:41
SHAPER_MIN
#define SHAPER_MIN
Definition shaper.h:40
throw_signal_soft
void throw_signal_soft(const int signum, const char *signal_text)
Throw a soft global signal.
Definition sig.c:206
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition socket.c:3225
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:226
mac_addr_safe
bool mac_addr_safe(const char *mac_addr)
Definition socket.c:840
proto2ascii_all
const char * proto2ascii_all(struct gc_arena *gc)
Definition socket.c:3246
bind_local
static void bind_local(struct link_socket *sock, const sa_family_t ai_family)
Definition socket.c:1140
ascii2af
sa_family_t ascii2af(const char *proto_name)
Definition socket.c:3212
proto_remote
const char * proto_remote(int proto, bool remote)
Definition socket.c:3286
ipv6_addr_safe
bool ipv6_addr_safe(const char *ipv6_text_addr)
Definition socket.c:787
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket.c:3027
ip_or_dns_addr_safe
bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn)
Definition socket.c:823
ascii2proto
int ascii2proto(const char *proto_name)
Definition socket.c:3199
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket.c:3007
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:195
ip_addr_dotted_quad_safe
bool ip_addr_dotted_quad_safe(const char *dotted_quad)
Definition socket.c:737
proto_is_net
static bool proto_is_net(int proto)
Definition socket.h:576
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition socket.h:586
GETADDR_FATAL
#define GETADDR_FATAL
Definition socket.h:518
PROTO_NONE
@ PROTO_NONE
Definition socket.h:567
PROTO_UDP
@ PROTO_UDP
Definition socket.h:568
PROTO_TCP
@ PROTO_TCP
Definition socket.h:569
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition socket.h:571
PROTO_TCP_SERVER
@ PROTO_TCP_SERVER
Definition socket.h:570
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition socket.h:519
SF_TCP_NODELAY
#define SF_TCP_NODELAY
Definition socket.h:222
RESOLV_RETRY_INFINITE
#define RESOLV_RETRY_INFINITE
Definition socket.h:48
OPENVPN_PORT
#define OPENVPN_PORT
Definition socket.h:42
SF_USE_IP_PKTINFO
#define SF_USE_IP_PKTINFO
Definition socket.h:221
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket.h:597
SF_HOST_RANDOMIZE
#define SF_HOST_RANDOMIZE
Definition socket.h:224
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition socket.h:517
IA_NET_ORDER
#define IA_NET_ORDER
Definition socket.h:402
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:372
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition ssl.c:347
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:431
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition ssl.c:366
ssl_get_auth_nocache
bool ssl_get_auth_nocache(void)
Definition ssl.c:357
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1950
ssl.h
Control Channel SSL/Data channel negotiation module.
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:117
KEY_METHOD_2
#define KEY_METHOD_2
Definition ssl.h:119
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition ssl_openssl.c:2663
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition ssl_backend.h:104
TLS_VER_1_0
#define TLS_VER_1_0
Definition ssl_backend.h:106
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition ssl_backend.h:396
TLS_VER_1_2
#define TLS_VER_1_2
Definition ssl_backend.h:108
TLS_VER_1_3
#define TLS_VER_1_3
Definition ssl_backend.h:109
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition ssl_openssl.c:207
SSLF_TLS_VERSION_MAX_SHIFT
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition ssl_common.h:426
SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_OPTIONAL
Definition ssl_common.h:419
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:421
SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition ssl_common.h:418
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:423
SSLF_TLS_DEBUG_ENABLED
#define SSLF_TLS_DEBUG_ENABLED
Definition ssl_common.h:428
SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MAX_MASK
Definition ssl_common.h:427
SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition ssl_common.h:424
SSLF_TLS_VERSION_MIN_MASK
#define SSLF_TLS_VERSION_MIN_MASK
Definition ssl_common.h:425
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition ssl_common.h:420
SSLF_OPT_VERIFY
#define SSLF_OPT_VERIFY
Definition ssl_common.h:422
options_postprocess_setdefault_ncpciphers
void options_postprocess_setdefault_ncpciphers(struct options *o)
Checks for availibility of Chacha20-Poly1305 and sets the ncp_cipher to either AES-256-GCM:AES-128-GC...
Definition ssl_ncp.c:589
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:210
append_cipher_to_ncp_list
void append_cipher_to_ncp_list(struct options *o, const char *ciphername)
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
Definition ssl_ncp.c:198
mutate_ncp_cipher_list
char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
Check whether the ciphers in the supplied list are supported.
Definition ssl_ncp.c:98
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
ssl_verify.h
Control Channel Verification Module.
OPENVPN_KU_REQUIRED
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
Definition ssl_verify.h:262
VERIFY_X509_SUBJECT_DN
#define VERIFY_X509_SUBJECT_DN
Definition ssl_verify.h:68
VERIFY_X509_SUBJECT_RDN
#define VERIFY_X509_SUBJECT_RDN
Definition ssl_verify.h:69
NS_CERT_CHECK_CLIENT
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:259
VERIFY_X509_SUBJECT_RDN_PREFIX
#define VERIFY_X509_SUBJECT_RDN_PREFIX
Definition ssl_verify.h:70
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:257
x509_track_add
void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
Definition ssl_verify_openssl.c:424
argv
Definition argv.h:35
argv::argv
char ** argv
Definition argv.h:39
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
buffer::capacity
int capacity
Size in bytes of memory allocated by malloc().
Definition buffer.h:62
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:68
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
compress_options
Definition comp.h:75
compress_options::flags
unsigned int flags
Definition comp.h:77
compress_options::alg
int alg
Definition comp.h:76
connection_entry
Definition options.h:105
connection_entry::local_list
struct local_list * local_list
Definition options.h:106
connection_entry::tun_mtu_max
int tun_mtu_max
Definition options.h:127
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition options.h:117
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition options.h:176
connection_entry::link_mtu
int link_mtu
Definition options.h:132
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition options.h:133
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition options.h:130
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition options.h:118
connection_entry::bind_local
bool bind_local
Definition options.h:116
connection_entry::mssfix
int mssfix
Definition options.h:142
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition options.h:167
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:172
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition options.h:131
connection_entry::remote
const char * remote
Definition options.h:112
connection_entry::connect_timeout
int connect_timeout
Definition options.h:119
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition options.h:122
connection_entry::mssfix_default
bool mssfix_default
Definition options.h:143
connection_entry::mssfix_encap
bool mssfix_encap
Definition options.h:144
connection_entry::occ_mtu
int occ_mtu
Definition options.h:126
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition options.h:120
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:168
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:163
connection_entry::bind_ipv6_only
bool bind_ipv6_only
Definition options.h:115
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition options.h:129
connection_entry::remote_float
bool remote_float
Definition options.h:113
connection_entry::tls_mtu
int tls_mtu
Definition options.h:134
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:148
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition options.h:123
connection_entry::remote_port
const char * remote_port
Definition options.h:111
connection_entry::fragment_encap
bool fragment_encap
Definition options.h:140
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition options.h:121
connection_entry::fragment
int fragment
Definition options.h:139
connection_entry::mtu_discover_type
int mtu_discover_type
Definition options.h:137
connection_entry::proto
int proto
Definition options.h:107
connection_entry::af
sa_family_t af
Definition options.h:108
connection_entry::tls_auth_file
const char * tls_auth_file
Definition options.h:162
connection_entry::local_port_defined
bool local_port_defined
Definition options.h:110
connection_entry::tun_mtu
int tun_mtu
Definition options.h:125
connection_entry::bind_defined
bool bind_defined
Definition options.h:114
connection_entry::local_port
const char * local_port
Definition options.h:109
connection_entry::key_direction
int key_direction
Definition options.h:164
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:173
connection_entry::flags
unsigned int flags
Definition options.h:159
connection_entry::mssfix_fixed
bool mssfix_fixed
Definition options.h:146
connection_list
Definition options.h:197
connection_list::array
struct connection_entry ** array
Definition options.h:201
connection_list::capacity
int capacity
Definition options.h:198
connection_list::len
int len
Definition options.h:199
dhcp_options
Definition dns.h:92
dhcp_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition dns.h:93
dhcp
Definition dhcp.h:53
dns_domain
Definition dns.h:51
dns_domain::next
struct dns_domain * next
Definition dns.h:52
dns_domain::name
const char * name
Definition dns.h:53
dns_options
Definition dns.h:104
dns_options::servers
struct dns_server * servers
Definition dns.h:108
dns_options::updown
const char * updown
Definition dns.h:110
dns_options::from_dhcp
struct dhcp_options from_dhcp
Definition dns.h:105
dns_options::gc
struct gc_arena gc
Definition dns.h:109
dns_options::updown_flags
enum dns_updown_flags updown_flags
Definition dns.h:111
dns_options::search_domains
struct dns_domain * search_domains
Definition dns.h:106
dns_server_addr::a4
struct in_addr a4
Definition dns.h:58
dns_server_addr::in
union dns_server_addr::@0 in
dns_server_addr::family
sa_family_t family
Definition dns.h:61
dns_server_addr::a6
struct in6_addr a6
Definition dns.h:59
dns_server_addr::port
in_port_t port
Definition dns.h:62
dns_server
Definition dns.h:65
dns_server::addr
struct dns_server_addr addr[8]
Definition dns.h:69
dns_server::dnssec
enum dns_security dnssec
Definition dns.h:71
dns_server::next
struct dns_server * next
Definition dns.h:66
dns_server::priority
long priority
Definition dns.h:67
dns_server::addr_count
size_t addr_count
Definition dns.h:68
dns_server::domains
struct dns_domain * domains
Definition dns.h:70
dns_server::transport
enum dns_server_transport transport
Definition dns.h:72
dns_server::sni
const char * sni
Definition dns.h:73
env_set
Definition env_set.h:42
fragment
Structure for reassembling one incoming fragmented packet.
Definition fragment.h:65
frame
Packet geometry parameters.
Definition mtu.h:98
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:131
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
hash
Definition list.h:57
http_custom_header
Definition proxy.h:38
http_custom_header::name
const char * name
Definition proxy.h:39
http_custom_header::content
const char * content
Definition proxy.h:40
http_proxy_options
Definition proxy.h:44
http_proxy_options::auth_file
const char * auth_file
Definition proxy.h:54
http_proxy_options::http_version
const char * http_version
Definition proxy.h:56
http_proxy_options::port
const char * port
Definition proxy.h:46
http_proxy_options::inline_creds
bool inline_creds
Definition proxy.h:59
http_proxy_options::user_agent
const char * user_agent
Definition proxy.h:57
http_proxy_options::auth_retry
int auth_retry
Definition proxy.h:51
http_proxy_options::auth_method_string
const char * auth_method_string
Definition proxy.h:53
http_proxy_options::nocache
bool nocache
Definition proxy.h:61
http_proxy_options::custom_headers
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
Definition proxy.h:58
http_proxy_options::auth_file_up
const char * auth_file_up
Definition proxy.h:55
http_proxy_options::server
const char * server
Definition proxy.h:45
in_src
Definition options.c:5204
in_src::multiline
struct buffer * multiline
Definition options.c:5210
in_src::u
union in_src::@9 u
in_src::fp
FILE * fp
Definition options.c:5209
in_src::type
int type
Definition options.c:5207
iroute_ipv6
Definition route.h:252
iroute_ipv6::next
struct iroute_ipv6 * next
Definition route.h:255
iroute_ipv6::netbits
unsigned int netbits
Definition route.h:254
iroute_ipv6::network
struct in6_addr network
Definition route.h:253
iroute::network
in_addr_t network
Definition route.h:247
iroute::netbits
int netbits
Definition route.h:248
iroute::next
struct iroute * next
Definition route.h:249
key_type
Definition crypto.h:141
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key_type::digest
const char * digest
Message digest static parameters.
Definition crypto.h:143
local_entry
Definition options.h:98
local_entry::port
const char * port
Definition options.h:100
local_entry::proto
int proto
Definition options.h:101
local_entry::local
const char * local
Definition options.h:99
local_list
Definition options.h:190
local_list::array
struct local_entry ** array
Definition options.h:193
local_list::len
int len
Definition options.h:192
local_list::capacity
int capacity
Definition options.h:191
options_pre_connect
Definition options.h:64
options_pre_connect::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:66
options_pre_connect::routes_defined
bool routes_defined
Definition options.h:68
options_pre_connect::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:87
options_pre_connect::foreign_option_index
int foreign_option_index
Definition options.h:89
options_pre_connect::tuntap_options_defined
bool tuntap_options_defined
Definition options.h:65
options_pre_connect::routes_ipv6_defined
bool routes_ipv6_defined
Definition options.h:71
options_pre_connect::ping_rec_timeout
int ping_rec_timeout
Definition options.h:86
options_pre_connect::routes
struct route_option_list * routes
Definition options.h:69
options_pre_connect::comp
struct compress_options comp
Definition options.h:90
options_pre_connect::ciphername
const char * ciphername
Definition options.h:82
options_pre_connect::dns_options
struct dns_options dns_options
Definition options.h:80
options_pre_connect::route_default_gateway
const char * route_default_gateway
Definition options.h:74
options_pre_connect::ping_send_timeout
int ping_send_timeout
Definition options.h:85
options_pre_connect::authname
const char * authname
Definition options.h:83
options_pre_connect::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:72
options_pre_connect::client_nat_defined
bool client_nat_defined
Definition options.h:77
options_pre_connect::client_nat
struct client_nat_option_list * client_nat
Definition options.h:78
options_pre_connect::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:75
options::resolve_retry_seconds
int resolve_retry_seconds
Definition options.h:366
options::rcvbuf
int rcvbuf
Definition options.h:415
options::resolve_in_advance
bool resolve_in_advance
Definition options.h:367
options::route_nopull
bool route_nopull
Definition options.h:439
options::genkey_extra_data
const char * genkey_extra_data
Definition options.h:285
options::comp
struct compress_options comp
Definition options.h:412
options::http_proxy_override
struct http_proxy_options * http_proxy_override
Definition options.h:308
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition options.h:525
options::proto_force
int proto_force
Definition options.h:331
options::persist_config
bool persist_config
Definition options.h:273
options::connection_list
struct connection_list * connection_list
Definition options.h:290
options::management_port
const char * management_port
Definition options.h:449
options::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:670
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition options.h:326
options::max_routes_per_client
int max_routes_per_client
Definition options.h:538
options::ncp_ciphers_conf
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition options.h:579
options::status_file_version
int status_file_version
Definition options.h:406
options::vlan_accept
enum vlan_acceptable_frames vlan_accept
Definition options.h:713
options::auth_token_renewal
int auth_token_renewal
Definition options.h:547
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition options.h:520
options::tmp_dir
const char * tmp_dir
Definition options.h:468
options::push_peer_info
bool push_peer_info
Definition options.h:684
options::daemon
bool daemon
Definition options.h:390
options::pre_connect
struct options_pre_connect * pre_connect
Definition options.h:563
options::route_default_metric
int route_default_metric
Definition options.h:431
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition options.h:650
options::auth_token_secret_file
const char * auth_token_secret_file
Definition options.h:548
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:723
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition options.h:615
options::crl_file_inline
bool crl_file_inline
Definition options.h:619
options::cryptoapi_cert
const char * cryptoapi_cert
Definition options.h:641
options::down_script
const char * down_script
Definition options.h:385
options::backwards_compatible
unsigned int backwards_compatible
What version we should try to be compatible with as major * 10000 + minor * 100 + patch,...
Definition options.h:267
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition options.h:625
options::scheduled_exit_interval
int scheduled_exit_interval
Definition options.h:565
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition options.h:540
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition options.h:608
options::replay_time
int replay_time
Definition options.h:586
options::push_option_types_found
unsigned int push_option_types_found
Definition options.h:560
options::management_state_buffer_size
int management_state_buffer_size
Definition options.h:453
options::ca_file
const char * ca_file
Definition options.h:596
options::tls_auth_file
const char * tls_auth_file
Definition options.h:665
options::providers
struct provider_list providers
Definition options.h:583
options::duplicate_cn
bool duplicate_cn
Definition options.h:529
options::server_network_ipv6
struct in6_addr server_network_ipv6
Definition options.h:473
options::shaper
int shaper
Definition options.h:329
options::management_echo_buffer_size
int management_echo_buffer_size
Definition options.h:452
options::server_network
in_addr_t server_network
Definition options.h:470
options::show_net_up
bool show_net_up
Definition options.h:697
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition options.h:627
options::allow_pull_fqdn
bool allow_pull_fqdn
Definition options.h:441
options::use_peer_id
bool use_peer_id
Definition options.h:703
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:622
options::server_bridge_defined
bool server_bridge_defined
Definition options.h:483
options::keying_material_exporter_label
const char * keying_material_exporter_label
Definition options.h:707
options::status_file
const char * status_file
Definition options.h:405
options::ssl_flags
unsigned int ssl_flags
Definition options.h:628
options::route_noexec
bool route_noexec
Definition options.h:432
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition options.h:328
options::remote_cert_eku
const char * remote_cert_eku
Definition options.h:623
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition options.h:493
options::server_netmask
in_addr_t server_netmask
Definition options.h:471
options::tls_timeout
int tls_timeout
Definition options.h:644
options::test_crypto
bool test_crypto
Definition options.h:588
options::up_delay
bool up_delay
Definition options.h:388
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition options.h:481
options::allow_recursive_routing
bool allow_recursive_routing
Definition options.h:720
options::authname
const char * authname
Definition options.h:581
options::exit_event_name
const char * exit_event_name
Definition options.h:695
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:324
options::cf_max
int cf_max
Definition options.h:531
options::dh_file_inline
bool dh_file_inline
Definition options.h:600
options::replay_window
int replay_window
Definition options.h:585
options::disable
bool disable
Definition options.h:509
options::mute
int mute
Definition options.h:399
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition options.h:543
options::dev_type
const char * dev_type
Definition options.h:318
options::persist_mode
int persist_mode
Definition options.h:274
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition options.h:495
options::show_digests
bool show_digests
Definition options.h:278
options::up_script
const char * up_script
Definition options.h:384
options::single_session
bool single_session
Definition options.h:682
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition options.h:515
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition options.h:490
options::verify_hash_depth
int verify_hash_depth
Definition options.h:626
options::route_delay_defined
bool route_delay_defined
Definition options.h:435
options::packet_id_file
const char * packet_id_file
Definition options.h:587
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:674
options::management_log_history_cache
int management_log_history_cache
Definition options.h:451
options::server_bridge_netmask
in_addr_t server_bridge_netmask
Definition options.h:485
options::ip_remote_hint
const char * ip_remote_hint
Definition options.h:368
options::vlan_tagging
bool vlan_tagging
Definition options.h:712
options::peer_id
uint32_t peer_id
Definition options.h:704
options::routes
struct route_option_list * routes
Definition options.h:436
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition options.h:492
options::keepalive_timeout
int keepalive_timeout
Definition options.h:342
options::writepid
const char * writepid
Definition options.h:383
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition options.h:345
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition options.h:497
options::fast_io
bool fast_io
Definition options.h:410
options::server_flags
unsigned int server_flags
Definition options.h:479
options::block_outside_dns
bool block_outside_dns
Definition options.h:699
options::push_ifconfig_ipv6_blocked
bool push_ifconfig_ipv6_blocked
Definition options.h:527
options::tls_exit
bool tls_exit
Definition options.h:686
options::pkcs12_file
const char * pkcs12_file
Definition options.h:607
options::client_disconnect_script
const char * client_disconnect_script
Definition options.h:504
options::show_engines
bool show_engines
Definition options.h:279
options::remote_list
struct remote_list * remote_list
Definition options.h:292
options::msg_channel
HANDLE msg_channel
Definition options.h:694
options::key_pass_file
const char * key_pass_file
Definition options.h:276
options::mute_replay_warnings
bool mute_replay_warnings
Definition options.h:584
options::tls_crypt_file
const char * tls_crypt_file
Definition options.h:669
options::inactivity_timeout
int inactivity_timeout
Definition options.h:344
options::n_bcast_buf
int n_bcast_buf
Definition options.h:511
options::handshake_window
int handshake_window
Definition options.h:654
options::server_defined
bool server_defined
Definition options.h:469
options::ifconfig_local
const char * ifconfig_local
Definition options.h:322
options::ce
struct connection_entry ce
Definition options.h:289
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:514
options::push_list
struct push_list push_list
Definition options.h:489
options::user_script_used
bool user_script_used
Definition options.h:386
options::tls_groups
const char * tls_groups
Definition options.h:611
options::show_tls_ciphers
bool show_tls_ciphers
Definition options.h:280
options::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:370
options::route_method
int route_method
Definition options.h:698
options::verify_hash
struct verify_hash_list * verify_hash
Definition options.h:624
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:612
options::renegotiate_packets
int64_t renegotiate_packets
Definition options.h:648
options::management_flags
unsigned int management_flags
Definition options.h:461
options::push_continuation
int push_continuation
Definition options.h:559
options::route_default_gateway
const char * route_default_gateway
Definition options.h:428
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition options.h:518
options::dns_options
struct dns_options dns_options
Definition options.h:313
options::exit_event_initial_state
bool exit_event_initial_state
Definition options.h:696
options::sc_info
struct static_challenge_info sc_info
Definition options.h:568
options::auth_token_call_auth
bool auth_token_call_auth
Definition options.h:545
options::ipchange
const char * ipchange
Definition options.h:316
options::topology
int topology
Definition options.h:321
options::disable_dco
bool disable_dco
Definition options.h:373
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:580
options::genkey
bool genkey
Definition options.h:282
options::learn_address_script
const char * learn_address_script
Definition options.h:505
options::ciphername
const char * ciphername
Definition options.h:575
options::auth_user_pass_file
const char * auth_user_pass_file
Definition options.h:561
options::forward_compatible
bool forward_compatible
Definition options.h:264
options::username
const char * username
Definition options.h:376
options::cf_initial_max
int cf_initial_max
Definition options.h:534
options::stale_routes_check_interval
int stale_routes_check_interval
Definition options.h:539
options::plugin_list
struct plugin_option_list * plugin_list
Definition options.h:464
options::auth_token_lifetime
int auth_token_lifetime
Definition options.h:546
options::vlan_pvid
uint16_t vlan_pvid
Definition options.h:714
options::ns_cert_type
int ns_cert_type
Definition options.h:621
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition options.h:679
options::mode
int mode
Definition options.h:261
options::tls_server
bool tls_server
Definition options.h:594
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition options.h:542
options::connect_retry_max
int connect_retry_max
Definition options.h:288
options::bind_dev
char * bind_dev
Definition options.h:420
options::extra_certs_file
const char * extra_certs_file
Definition options.h:603
options::client
bool client
Definition options.h:557
options::pull
bool pull
Definition options.h:558
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition options.h:499
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition options.h:521
options::show_curves
bool show_curves
Definition options.h:281
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:429
options::tls_client
bool tls_client
Definition options.h:595
options::ping_timer_remote
bool ping_timer_remote
Definition options.h:351
options::auth_token_generate
bool auth_token_generate
Definition options.h:544
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:606
options::tls_verify
const char * tls_verify
Definition options.h:614
options::crl_file
const char * crl_file
Definition options.h:618
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:356
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition options.h:562
options::show_ciphers
bool show_ciphers
Definition options.h:277
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:576
options::real_hash_size
int real_hash_size
Definition options.h:501
options::route_predown_script
const char * route_predown_script
Definition options.h:427
options::dh_file
const char * dh_file
Definition options.h:599
options::route_delay_window
int route_delay_window
Definition options.h:434
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition options.h:516
options::mlock
bool mlock
Definition options.h:339
options::ignore_unknown_option
const char ** ignore_unknown_option
Definition options.h:270
options::sndbuf
int sndbuf
Definition options.h:416
options::foreign_option_index
int foreign_option_index
Definition options.h:691
options::gc
struct gc_arena gc
Definition options.h:252
options::gc_owned
bool gc_owned
Definition options.h:253
options::down_pre
bool down_pre
Definition options.h:387
options::persist_tun
bool persist_tun
Definition options.h:358
options::route_default_table_id
int route_default_table_id
Definition options.h:430
options::ca_file_inline
bool ca_file_inline
Definition options.h:597
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition options.h:549
options::block_ipv6
bool block_ipv6
Definition options.h:438
options::config
const char * config
Definition options.h:256
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition options.h:604
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition options.h:519
options::mark
int mark
Definition options.h:419
options::cf_initial_per
int cf_initial_per
Definition options.h:535
options::keying_material_exporter_length
int keying_material_exporter_length
Definition options.h:708
options::suppress_timestamps
bool suppress_timestamps
Definition options.h:395
options::force_key_material_export
bool force_key_material_export
Definition options.h:710
options::mtu_test
bool mtu_test
Definition options.h:333
options::iroutes
struct iroute * iroutes
Definition options.h:513
options::verify_x509_type
int verify_x509_type
Definition options.h:616
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:610
options::ecdh_curve
const char * ecdh_curve
Definition options.h:613
options::status_file_update_freq
int status_file_update_freq
Definition options.h:407
options::management_client_user
const char * management_client_user
Definition options.h:455
options::cipher_list
const char * cipher_list
Definition options.h:609
options::ccd_exclusive
bool ccd_exclusive
Definition options.h:508
options::allow_deprecated_insecure_static_crypto
bool allow_deprecated_insecure_static_crypto
Definition options.h:573
options::pull_filter_list
struct pull_filter_list * pull_filter_list
Definition options.h:716
options::management_certificate
const char * management_certificate
Definition options.h:458
options::genkey_filename
const char * genkey_filename
Definition options.h:284
options::x509_track
const struct x509_track * x509_track
Definition options.h:688
options::chroot_dir
const char * chroot_dir
Definition options.h:378
options::log
bool log
Definition options.h:394
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition options.h:572
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition options.h:526
options::ca_path
const char * ca_path
Definition options.h:598
options::renegotiate_seconds
int renegotiate_seconds
Definition options.h:649
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:350
options::sockflags
unsigned int sockflags
Definition options.h:423
options::engine
const char * engine
Definition options.h:582
options::management_addr
const char * management_addr
Definition options.h:448
options::client_connect_script
const char * client_connect_script
Definition options.h:503
options::verify_x509_name
const char * verify_x509_name
Definition options.h:617
options::ping_send_timeout
int ping_send_timeout
Definition options.h:349
options::route_gateway_via_dhcp
bool route_gateway_via_dhcp
Definition options.h:440
options::remote_random
bool remote_random
Definition options.h:315
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition options.h:523
options::tcp_queue_limit
int tcp_queue_limit
Definition options.h:512
options::route_delay
int route_delay
Definition options.h:433
options::dev_node
const char * dev_node
Definition options.h:319
options::override_username
const char * override_username
Definition options.h:510
options::client_crresponse_script
const char * client_crresponse_script
Definition options.h:506
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:437
options::machine_readable_output
bool machine_readable_output
Definition options.h:396
options::key_direction
int key_direction
Definition options.h:574
options::server_ipv6_defined
bool server_ipv6_defined
Definition options.h:472
options::priv_key_file
const char * priv_key_file
Definition options.h:605
options::persist_remote_ip
bool persist_remote_ip
Definition options.h:360
options::up_restart
bool up_restart
Definition options.h:389
options::keepalive_ping
int keepalive_ping
Definition options.h:341
options::virtual_hash_size
int virtual_hash_size
Definition options.h:502
options::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:666
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:675
options::groupname
const char * groupname
Definition options.h:377
options::server_bridge_pool_start
in_addr_t server_bridge_pool_start
Definition options.h:486
options::cd_dir
const char * cd_dir
Definition options.h:379
options::client_nat
struct client_nat_option_list * client_nat
Definition options.h:442
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition options.h:524
options::nice
int nice
Definition options.h:397
options::max_clients
int max_clients
Definition options.h:537
options::transition_window
int transition_window
Definition options.h:662
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition options.h:323
options::lladdr
const char * lladdr
Definition options.h:320
options::verbosity
int verbosity
Definition options.h:398
options::session_timeout
int session_timeout
Definition options.h:347
options::cert_file
const char * cert_file
Definition options.h:601
options::enable_c2c
bool enable_c2c
Definition options.h:528
options::server_bridge_pool_end
in_addr_t server_bridge_pool_end
Definition options.h:487
options::cf_per
int cf_per
Definition options.h:532
options::windows_driver
enum tun_driver_type windows_driver
Definition options.h:700
options::cert_file_inline
bool cert_file_inline
Definition options.h:602
options::remap_sigusr1
int remap_sigusr1
Definition options.h:392
options::renegotiate_bytes
int64_t renegotiate_bytes
Definition options.h:647
options::route_script
const char * route_script
Definition options.h:426
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition options.h:491
options::management_user_pass
const char * management_user_pass
Definition options.h:450
options::server_netbits_ipv6
unsigned int server_netbits_ipv6
Definition options.h:474
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition options.h:517
options::occ
bool occ
Definition options.h:445
options::server_bridge_ip
in_addr_t server_bridge_ip
Definition options.h:484
options::shared_secret_file
const char * shared_secret_file
Definition options.h:571
options::ifconfig_noexec
bool ifconfig_noexec
Definition options.h:327
options::dev
const char * dev
Definition options.h:317
options::management_client_group
const char * management_client_group
Definition options.h:456
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition options.h:498
options::client_config_dir
const char * client_config_dir
Definition options.h:507
options::genkey_type
enum genkey_type genkey_type
Definition options.h:283
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition options.h:494
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:325
options::persist_local_ip
bool persist_local_ip
Definition options.h:359
provider_list::names
const char * names[MAX_PARMS]
Definition options.h:214
pull_filter_list
Definition options.c:963
pull_filter_list::tail
struct pull_filter * tail
Definition options.c:965
pull_filter_list::head
struct pull_filter * head
Definition options.c:964
pull_filter
Definition options.c:951
pull_filter::type
int type
Definition options.c:956
pull_filter::size
int size
Definition options.c:957
pull_filter::next
struct pull_filter * next
Definition options.c:959
pull_filter::pattern
char * pattern
Definition options.c:958
push_entry
Definition pushlist.h:29
push_entry::next
struct push_entry * next
Definition pushlist.h:30
push_entry::enable
bool enable
Definition pushlist.h:31
push_entry::option
const char * option
Definition pushlist.h:32
push_list::head
struct push_entry * head
Definition pushlist.h:36
remote_entry
Definition options.h:180
remote_entry::proto
int proto
Definition options.h:183
remote_entry::remote
const char * remote
Definition options.h:181
remote_entry::remote_port
const char * remote_port
Definition options.h:182
remote_entry::af
sa_family_t af
Definition options.h:184
remote_list
Definition options.h:205
remote_list::len
int len
Definition options.h:207
remote_list::array
struct remote_entry ** array
Definition options.h:208
remote_list::capacity
int capacity
Definition options.h:206
route_gateway_info
Definition route.h:151
route_ipv6_gateway_info
Definition route.h:186
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:110
route_option_list::flags
unsigned int flags
Definition route.h:96
static_challenge_info::flags
unsigned int flags
Definition misc.h:96
static_challenge_info::challenge_text
const char * challenge_text
Definition misc.h:98
tuntap_options
Definition tun.h:74
tuntap_options::wins_len
int wins_len
Definition tun.h:116
tuntap_options::dns6
struct in6_addr dns6[N_DHCP_ADDR]
Definition tun.h:140
tuntap_options::nbdd
in_addr_t nbdd[N_DHCP_ADDR]
Definition tun.h:123
tuntap_options::dns_len
int dns_len
Definition tun.h:112
tuntap_options::dns6_len
int dns6_len
Definition tun.h:141
tuntap_options::ntp
in_addr_t ntp[N_DHCP_ADDR]
Definition tun.h:119
tuntap_options::ntp_len
int ntp_len
Definition tun.h:120
tuntap_options::wins
in_addr_t wins[N_DHCP_ADDR]
Definition tun.h:115
tuntap_options::tap_sleep
int tap_sleep
Definition tun.h:96
tuntap_options::dhcp_lease_time
int dhcp_lease_time
Definition tun.h:93
tuntap_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition tun.h:111
tuntap_options::netbios_scope
const char * netbios_scope
Definition tun.h:104
tuntap_options::nbdd_len
int nbdd_len
Definition tun.h:124
tuntap_options::ip_win32_defined
bool ip_win32_defined
Definition tun.h:76
tuntap_options::dhcp_masq_custom_offset
bool dhcp_masq_custom_offset
Definition tun.h:91
tuntap_options::domain
const char * domain
Definition tun.h:102
tuntap_options::domain_search_list_len
int domain_search_list_len
Definition tun.h:130
tuntap_options::dhcp_renew
bool dhcp_renew
Definition tun.h:135
tuntap_options::domain_search_list
const char * domain_search_list[N_SEARCH_LIST_LEN]
Definition tun.h:129
tuntap_options::dhcp_masq_offset
int dhcp_masq_offset
Definition tun.h:92
tuntap_options::netbios_node_type
int netbios_node_type
Definition tun.h:106
tuntap_options::ip_win32_type
int ip_win32_type
Definition tun.h:84
tuntap_options::dhcp_pre_release
bool dhcp_pre_release
Definition tun.h:136
tuntap_options::register_dns
bool register_dns
Definition tun.h:138
tuntap_options::disable_nbt
bool disable_nbt
Definition tun.h:133
tuntap_options::dhcp_options
int dhcp_options
Definition tun.h:100
tuntap
Definition tun.h:178
verify_hash_list
Definition options.h:242
verify_hash_list::next
struct verify_hash_list * next
Definition options.h:246
verify_hash_list::hash
uint8_t hash[SHA256_DIGEST_LENGTH]
Definition options.h:245
sa_family_t
unsigned short sa_family_t
Definition syshead.h:395
sleep
#define sleep(x)
Definition syshead.h:43
es
struct env_set * es
Definition test_pkcs11.c:141
pkcs11_id_management
static bool pkcs11_id_management
Definition test_pkcs11.c:136
gc
struct gc_arena gc
Definition test_ssl.c:155
ipconfig_register_dns
void ipconfig_register_dns(const struct env_set *es)
Definition tun.c:5316
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:547
dhcp_renew_by_adapter_index
bool dhcp_renew_by_adapter_index(const DWORD adapter_index)
Definition tun.c:5250
ascii2ipset
int ascii2ipset(const char *name)
Definition tun.c:6952
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:874
show_tap_win_adapters
void show_tap_win_adapters(int msglev, int warnlev)
Definition tun.c:4204
show_adapters
void show_adapters(int msglev)
Definition tun.c:5059
dhcp_release_by_adapter_index
bool dhcp_release_by_adapter_index(const DWORD adapter_index)
Definition tun.c:5210
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:566
tap_allow_nonadmin_access
void tap_allow_nonadmin_access(const char *dev_node)
Definition tun.c:5108
dhcp_renew
static bool dhcp_renew(const struct tuntap *tt)
Definition tun.c:5276
ifconfig_options_string
const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc)
Definition tun.c:733
ipset2ascii_all
const char * ipset2ascii_all(struct gc_arena *gc)
Definition tun.c:6981
show_valid_win32_tun_subnets
void show_valid_win32_tun_subnets(void)
Definition tun.c:4171
print_tun_backend_driver
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:59
IPW32_SET_NETSH
#define IPW32_SET_NETSH
Definition tun.h:79
IPW32_SET_ADAPTIVE
#define IPW32_SET_ADAPTIVE
Definition tun.h:82
DHCP_OPTIONS_DHCP_REQUIRED
#define DHCP_OPTIONS_DHCP_REQUIRED
Definition tun.h:72
N_SEARCH_LIST_LEN
#define N_SEARCH_LIST_LEN
Definition tun.h:126
IPW32_SET_DHCP_MASQ
#define IPW32_SET_DHCP_MASQ
Definition tun.h:81
IPW32_SET_MANUAL
#define IPW32_SET_MANUAL
Definition tun.h:78
WINDOWS_DRIVER_UNSPECIFIED
@ WINDOWS_DRIVER_UNSPECIFIED
Definition tun.h:45
WINDOWS_DRIVER_TAP_WINDOWS6
@ WINDOWS_DRIVER_TAP_WINDOWS6
Definition tun.h:46
DRIVER_DCO
@ DRIVER_DCO
Definition tun.h:53
IPW32_SET_ADAPTIVE_DELAY_WINDOW
#define IPW32_SET_ADAPTIVE_DELAY_WINDOW
Definition tun.h:67
N_DHCP_ADDR
#define N_DHCP_ADDR
Definition tun.h:108
win_get_tempdir
const char * win_get_tempdir(void)
Definition win32-util.c:152
set_win_sys_path
void set_win_sys_path(const char *newpath, struct env_set *es)
Definition win32.c:1120
win32_version_string
const char * win32_version_string(struct gc_arena *gc)
Get Windows version string with architecture info.
Definition win32.c:1390
set_pause_exit_win32
void set_pause_exit_win32(void)
Definition win32.c:146
xkey_common.h
Generated by doxygen 1.9.8