OpenVPN
options.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2025 David Sommerseth <dazo@eurephia.org>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <https://www.gnu.org/licenses/>.
22 */
23
24/*
25 * 2004-01-28: Added Socks5 proxy support
26 * (Christof Meerwald, https://cmeerw.org)
27 */
28
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32#ifdef HAVE_CONFIG_VERSION_H
33#include "config-version.h"
34#endif
35
36#include "syshead.h"
37
38#include "buffer.h"
39#include "error.h"
40#include "common.h"
41#include "run_command.h"
42#include "shaper.h"
43#include "crypto.h"
44#include "ssl.h"
45#include "ssl_ncp.h"
46#include "options.h"
47#include "misc.h"
48#include "socket_util.h"
49#include "packet_id.h"
50#include "pkcs11.h"
51#include "win32.h"
52#include "push.h"
53#include "pool.h"
54#include "proto.h"
55#include "helper.h"
56#include "manage.h"
57#include "forward.h"
58#include "ssl_verify.h"
59#include "platform.h"
60#include "xkey_common.h"
61#include "dco.h"
62#include "options_util.h"
63#include "tun_afunix.h"
64#include "domain_helper.h"
65
66#include <ctype.h>
67
68#include "memdbg.h"
69#include "options_util.h"
70
71const char title_string[] = PACKAGE_STRING
72#ifdef CONFIGURE_GIT_REVISION
73 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
74#endif
75 " " TARGET_ALIAS
76#if defined(ENABLE_CRYPTO_MBEDTLS)
77 " [SSL (mbed TLS)]"
78#elif defined(ENABLE_CRYPTO_OPENSSL)
79 " [SSL (OpenSSL)]"
80#else
81 " [SSL]"
82#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
83#ifdef USE_COMP
84#ifdef ENABLE_LZO
85 " [LZO]"
86#endif
87#ifdef ENABLE_LZ4
88 " [LZ4]"
89#endif
90#ifdef ENABLE_COMP_STUB
91 " [COMP_STUB]"
92#endif
93#endif /* USE_COMP */
94#if EPOLL
95 " [EPOLL]"
96#endif
97#ifdef PRODUCT_TAP_DEBUG
98 " [TAPDBG]"
99#endif
100#ifdef ENABLE_PKCS11
101 " [PKCS11]"
102#endif
103#if ENABLE_IP_PKTINFO
104#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
105 " [MH/PKTINFO]"
106#elif defined(IP_RECVDSTADDR)
107 " [MH/RECVDA]"
108#endif
109#endif
110 " [AEAD]"
111#ifdef ENABLE_DCO
112 " [DCO]"
113#endif
114#ifdef CONFIGURE_GIT_REVISION
115 " built on " __DATE__
116#endif
117 ;
118
119#ifndef ENABLE_SMALL
120
121static const char usage_message[] =
122 "%s\n"
123 "\n"
124 "General Options:\n"
125 "--config file : Read configuration options from file.\n"
126 "--help : Show options.\n"
127 "--version : Show copyright and version information.\n"
128 "\n"
129 "Tunnel Options:\n"
130 "--local host|* [port]: Local host name or IP address and port for bind.\n"
131 " If specified, OpenVPN will bindto this address. If unspecified,\n"
132 " OpenVPN will bind to all interfaces. '*' can be used as hostname\n"
133 " and means 'any host' (OpenVPN will listen on what is returned by the OS).\n"
134 " On a client, or in point-to-point mode, this can only be specified once (1 socket).\n"
135 " On an OpenVPN setup running as ``--server``, this can be specified multiple times\n"
136 " to open multiple listening sockets on different addresses and/or different ports.\n"
137 " In order to specify multiple listen ports without specifying an address, use '*'\n"
138 " to signal 'use what the operating system gives you as default', for\n"
139 " 'all IPv4 addresses' use '0.0.0.0', for 'all IPv6 addresses' use '::'.\n"
140 " ``--local`` implies ``--bind``.\n"
141 "--remote host [port] : Remote host name or ip address.\n"
142 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
143 "--remote-random-hostname : Add a random string to remote DNS name.\n"
144 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
145 "--proto p : Use protocol p for communicating with peer.\n"
146 " p = udp (default), tcp-server, tcp-client\n"
147 " udp4, tcp4-server, tcp4-client\n"
148 " udp6, tcp6-server, tcp6-client\n"
149 "--proto-force p : only consider protocol p in list of connection profiles.\n"
150 " p = udp or tcp\n"
151 "--connect-retry n [m] : For client, number of seconds to wait between\n"
152 " connection retries (default=%d). On repeated retries\n"
153 " the wait time is exponentially increased to a maximum of m\n"
154 " (default=%d).\n"
155 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
156 "--http-proxy s p [up] [auth] : Connect to remote host\n"
157 " through an HTTP proxy at address s and port p.\n"
158 " If proxy authentication is required,\n"
159 " up is a file containing username/password on 2 lines, or\n"
160 " 'stdin' to prompt from console. Add auth='ntlm2' if\n"
161 " the proxy requires NTLM authentication.\n"
162 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
163 " determine auth method and query for username/password\n"
164 " if needed. auto-nct disables weak proxy auth methods.\n"
165 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
166 " Repeat to set multiple options.\n"
167 " VERSION version (default=1.0)\n"
168 " AGENT user-agent\n"
169 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
170 " address s and port p (default port = 1080).\n"
171 " If proxy authentication is required,\n"
172 " up is a file containing username/password on 2 lines, or\n"
173 " 'stdin' to prompt for console.\n"
174 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
175 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
176 " resolve for n seconds before failing (disabled by default).\n"
177 " Set n=\"infinite\" to retry indefinitely.\n"
178 "--float : Allow remote to change its IP address/port, such as through\n"
179 " DHCP (this is the default if --remote is not used).\n"
180 "--ipchange cmd : Run command cmd on remote ip address initial\n"
181 " setting or change -- execute as: cmd ip-address port#\n"
182 "--port port : TCP/UDP port # for both local and remote.\n"
183 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
184 "--rport port : TCP/UDP port # for remote (default=%s).\n"
185 "--bind : Bind to local address and port. (This is the default unless\n"
186 " --proto tcp-client"
187 " or --http-proxy"
188 " or --socks-proxy"
189 " is used).\n"
190 "--nobind : Do not bind to local address and port.\n"
191 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
192 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
193 " this option only if the tun/tap device used with --dev\n"
194 " does not begin with \"tun\" or \"tap\".\n"
195 "--dev-node node : Explicitly set the device node rather than using\n"
196 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
197#if defined(ENABLE_DCO)
198 "--disable-dco : Do not attempt using Data Channel Offload.\n"
199#endif
200 "--lladdr hw : Set the link layer address of the tap device.\n"
201 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
202#ifdef ENABLE_IPROUTE
203 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
204#endif
205 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
206 " endpoint and rn as a remote endpoint. l & rn should be\n"
207 " swapped on the other peer. l & rn must be private\n"
208 " addresses outside of the subnets used by either peer.\n"
209 " TAP: configure device to use IP address l as a local\n"
210 " endpoint and rn as a subnet mask.\n"
211 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
212 " endpoint (as a /64) and r as remote endpoint\n"
213 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
214 " pass --ifconfig parms by environment to scripts.\n"
215 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
216 " connection doesn't match the remote side.\n"
217#ifdef TARGET_LINUX
218 "--route-table table_id : Specify a custom routing table for use with --route(-ipv6).\n"
219 " If not specified, the id of the default routing table will be used.\n"
220#endif
221 "--route network [netmask] [gateway] [metric] :\n"
222 " Add route to routing table after connection\n"
223 " is established. Multiple routes can be specified.\n"
224 " netmask default: 255.255.255.255\n"
225 " gateway default: taken from --route-gateway or --ifconfig\n"
226 " Specify default by leaving blank or setting to \"default\".\n"
227 "--route-ipv6 network/bits [gateway] [metric] :\n"
228 " Add IPv6 route to routing table after connection\n"
229 " is established. Multiple routes can be specified.\n"
230 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
231 " in --ifconfig-ipv6\n"
232 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
233 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
234 "--route-metric m : Specify a default metric for use with --route.\n"
235 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
236 " adding routes (may be 0). If not specified, routes will\n"
237 " be added immediately after tun/tap open. On Windows, wait\n"
238 " up to w seconds for TUN/TAP adapter to come up.\n"
239 "--route-up cmd : Run command cmd after routes are added.\n"
240 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
241 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
242 " --route-up script using environmental variables.\n"
243 "--route-nopull : When used with --client or --pull, accept options pushed\n"
244 " by server EXCEPT for routes, dns, and dhcp options.\n"
245 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
246 " --ifconfig, --route, and --route-gateway.\n"
247 "--redirect-gateway [flags]: Automatically execute routing\n"
248 " commands to redirect all outgoing IP traffic through the\n"
249 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
250 " connected via a common subnet, such as with WiFi.\n"
251 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
252 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
253 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
254 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
255 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
256 " the default gateway. Useful when pushing private subnets.\n"
257 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
258 " ICMPv6 host unreachable messages on the client.\n"
259 " (Server) Instead of forwarding IPv6 packets send\n"
260 " ICMPv6 host unreachable packets to the client.\n"
261 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
262 "--push-peer-info : (client only) push client info to server.\n"
263 "--setenv name value : Set a custom environmental variable to pass to script.\n"
264 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
265 " directives for future OpenVPN versions to be ignored.\n"
266 "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
267 " these options to be ignored when unknown\n"
268 "--script-security level: Where level can be:\n"
269 " 0 -- strictly no calling of external programs\n"
270 " 1 -- (default) only call built-ins such as ifconfig\n"
271 " 2 -- allow calling of built-ins and scripts\n"
272 " 3 -- allow password to be passed to scripts via env\n"
273 "--shaper n : Restrict output to peer to n bytes per second.\n"
274 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
275 " ping once every n seconds, restart if ping not received\n"
276 " for m seconds.\n"
277 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
278 " produces a combined in/out byte count < bytes.\n"
279 "--session-timeout n: Limit connection time to n seconds.\n"
280 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
281 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
282 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
283 " remote address.\n"
284 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
285#if ENABLE_IP_PKTINFO
286 "--multihome : Configure a multi-homed UDP server.\n"
287#endif
288 "--fast-io : Optimize TUN/TAP/UDP writes.\n"
289 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
290 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
291 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
292 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
293#if PASSTOS_CAPABILITY
294 "--passtos : TOS passthrough (applies to IPv4 only).\n"
295#endif
296 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
297 " TCP/UDP MTU from it (default=%d).\n"
298 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
299 " as n bytes more than the tun-mtu size on read\n"
300 " (default TUN=0 TAP=%d).\n"
301 "--tun-mtu-max n : Maximum pushable MTU (default and minimum=%d).\n"
302 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
303 " from it.\n"
304 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
305 " 'no' -- Never send DF (Don't Fragment) frames\n"
306 " 'maybe' -- Use per-route hints\n"
307 " 'yes' -- Always DF (Don't Fragment)\n"
308 "--mtu-test : Empirically measure and report MTU.\n"
309#ifdef ENABLE_FRAGMENT
310 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
311 " datagrams are sent which are larger than max bytes.\n"
312 " Adds 4 bytes of overhead per datagram.\n"
313#endif
314 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
315 " or --fragment max value, whichever is lower.\n"
316 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
317 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
318#if defined(TARGET_LINUX)
319 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
320 " can be matched in policy routing and packetfilter rules.\n"
321 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
322 " listening for connections. This allows sending encrypted packets\n"
323 " via a VRF present on the system.\n"
324#endif
325 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
326 "--mlock : Disable Paging -- ensures key material and tunnel\n"
327 " data will never be written to disk.\n"
328 "--up cmd : Run command cmd after successful tun device open.\n"
329 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
330 " ifconfig-local-ip ifconfig-remote-ip\n"
331 " (pre --user or --group UID/GID change)\n"
332 "--up-delay : Delay tun/tap open and possible --up script execution\n"
333 " until after TCP/UDP connection establishment with peer.\n"
334 "--down cmd : Run command cmd after tun device close.\n"
335 " (post --user/--group UID/GID change and/or --chroot)\n"
336 " (command parameters are same as --up option)\n"
337 "--down-pre : Run --down command before TUN/TAP close.\n"
338 "--up-restart : Run up/down commands for all restarts including those\n"
339 " caused by --ping-restart or SIGUSR1\n"
340 "--user user : Set UID to user after initialization.\n"
341 "--group group : Set GID to group after initialization.\n"
342 "--chroot dir : Chroot to this directory after initialization.\n"
343#ifdef ENABLE_SELINUX
344 "--setcon context: Apply this SELinux context after initialization.\n"
345#endif
346 "--cd dir : Change to this directory before initialization.\n"
347 "--daemon [name] : Become a daemon after initialization.\n"
348 " The optional 'name' parameter will be passed\n"
349 " as the program name to the system logger.\n"
350 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
351 " See --daemon above for a description of the 'name' parm.\n"
352 "--log file : Output log to file which is created/truncated on open.\n"
353 "--log-append file : Append log to file, or create file if nonexistent.\n"
354 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
355 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
356 "--writepid file : Write main process ID to file.\n"
357 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
358 "--echo [parms ...] : Echo parameters to log output.\n"
359 "--verb n : Set output verbosity to n (default=%d):\n"
360 " (Level 3 is recommended if you want a good summary\n"
361 " of what's happening without being swamped by output).\n"
362 " : 0 -- no output except fatal errors\n"
363 " : 1 -- startup info + connection initiated messages +\n"
364 " non-fatal encryption & net errors\n"
365 " : 2,3 -- show TLS negotiations & route info\n"
366 " : 4 -- show parameters\n"
367 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
368 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
369 " : 6 to 11 -- debug messages of increasing verbosity\n"
370 "--mute n : Log at most n consecutive messages in the same category.\n"
371 "--status file [n] : Write operational status to file every n seconds.\n"
372 "--status-version [n] : Choose the status file format version number.\n"
373 " Currently, n can be 1, 2, or 3 (default=1).\n"
374 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
375#ifdef ENABLE_DEBUG
376 "--gremlin mask : Special stress testing mode (for debugging only).\n"
377#endif
378#if defined(USE_COMP)
379 "--compress alg : Use compression algorithm alg\n"
380 "--allow-compression: Specify whether compression should be allowed\n"
381#if defined(ENABLE_LZO)
382 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
383 " packet for incompressible data.\n"
384 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
385 " is specified.\n"
386#endif
387#endif
388#ifdef ENABLE_MANAGEMENT
389 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
390 " management functions. pass is a password file\n"
391 " or 'stdin' to prompt from console.\n"
392#if UNIX_SOCK_SUPPORT
393 " To listen on a unix domain socket, specific the pathname\n"
394 " in place of ip and use 'unix' as the port number.\n"
395#endif
396 "--management-client : Management interface will connect as a TCP client to\n"
397 " ip/port rather than listen as a TCP server.\n"
398 "--management-query-passwords : Query management channel for private key\n"
399 " and auth-user-pass passwords.\n"
400 "--management-query-proxy : Query management channel for proxy information.\n"
401 "--management-query-remote : Query management channel for --remote directive.\n"
402 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
403 " of the management interface explicitly starts it.\n"
404 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
405 "--management-forget-disconnect : Forget passwords when management disconnect\n"
406 " event occurs.\n"
407 "--management-up-down : Report tunnel up/down events to management interface.\n"
408 "--management-log-cache n : Cache n lines of log file history for usage\n"
409 " by the management channel.\n"
410#if UNIX_SOCK_SUPPORT
411 "--management-client-user u : When management interface is a unix socket, only\n"
412 " allow connections from user u.\n"
413 "--management-client-group g : When management interface is a unix socket, only\n"
414 " allow connections from group g.\n"
415#endif
416 "--management-client-auth : gives management interface client the responsibility\n"
417 " to authenticate clients after their client certificate\n"
418 " has been verified.\n"
419#endif /* ifdef ENABLE_MANAGEMENT */
420#ifdef ENABLE_PLUGIN
421 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
422 " to its initialization function.\n"
423#endif
424 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
425 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
426 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
427 "\n"
428 "Multi-Client Server options (when --mode server is used):\n"
429 "--server network netmask : Helper option to easily configure server mode.\n"
430 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
431 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
432 " easily configure ethernet bridging server mode.\n"
433 "--push \"option\" : Push a config file option back to the peer for remote\n"
434 " execution. Peer must specify --pull in its config file.\n"
435 "--push-reset : Don't inherit global push list for specific\n"
436 " client instance.\n"
437 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
438 " a specific client instance.\n"
439 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
440 " to be dynamically allocated to connecting clients.\n"
441 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
442 " data to file, at seconds intervals (default=600).\n"
443 " If seconds=0, file will be treated as read-only.\n"
444 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
445 " to be dynamically allocated to connecting clients.\n"
446 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
447 " overrides --ifconfig-pool dynamic allocation.\n"
448 " Only valid in a client-specific config file.\n"
449 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
450 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
451 " Only valid in a client-specific config file.\n"
452 "--iroute network [netmask] : Route subnet to client.\n"
453 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
454 " Sets up internal routes only.\n"
455 " Only valid in a client-specific config file.\n"
456 "--disable : Client is disabled.\n"
457 " Only valid in a client-specific config file.\n"
458 "--override-username: Overrides the client-specific username to be used.\n"
459 " Only valid in a client-specific config file.\n"
460 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
461 " mandatory client certificate verification.\n"
462 " Default is to require the client to supply a certificate.\n"
463 "--username-as-common-name : For auth-user-pass authentication, use\n"
464 " the authenticated username as the common name,\n"
465 " rather than the common name from the client cert.\n"
466 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
467 " run command cmd to verify. If method='via-env', pass\n"
468 " user/pass via environment, if method='via-file', pass\n"
469 " user/pass via temporary file.\n"
470 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
471 " to each client, replacing the password. Useful when\n"
472 " OTP based two-factor auth mechanisms are in use and\n"
473 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
474 " for generated tokens can be set.\n"
475 "--auth-user-pass-optional : Allow connections by clients that don't\n"
476 " specify a username/password.\n"
477 "--client-to-client : Internally route client-to-client traffic.\n"
478 "--duplicate-cn : Allow multiple clients with the same common name to\n"
479 " concurrently connect.\n"
480 "--client-connect cmd : Run command cmd on client connection.\n"
481 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
482 "--client-config-dir dir : Directory for custom client config files.\n"
483 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
484 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
485 "--hash-size r v : Set the size of the real address hash table to r and the\n"
486 " virtual address table to v.\n"
487 "--bcast-buffers n : Allocate n broadcast buffers.\n"
488 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
489 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
490 " as well as pushes it to connecting clients.\n"
491 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
492 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
493 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
494 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
495 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
496 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
497 " older than n seconds. Run this check every t\n"
498 " seconds (defaults to n).\n"
499 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
500 " clients. n = 1 - reconnect to same server,\n"
501 " 2 - advance to next server, default=1.\n"
502#if PORT_SHARE
503 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
504 " sessions to a web server at host:port. dir specifies an\n"
505 " optional directory to write origin IP:port data.\n"
506#endif
507 "\n"
508 "Client options (when connecting to a multi-client server):\n"
509 "--client : Helper option to easily configure client mode.\n"
510 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
511 " up is a file containing the username on the first line,\n"
512 " and a password on the second. If either the password or both\n"
513 " the username and the password are omitted OpenVPN will prompt\n"
514 " for them from console.\n"
515 "--pull : Accept certain config file options from the peer as if they\n"
516 " were part of the local config file. Must be specified\n"
517 " when connecting to a '--mode server' remote host.\n"
518 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
519 " server if it starts with the text t. The action flag accept,\n"
520 " ignore or reject causes the option to be allowed, removed or\n"
521 " rejected with error. May be specified multiple times, and\n"
522 " each filter is applied in the order of appearance.\n"
523 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
524 " Valid options are :\n"
525 " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
526 " resolve-domains <domain> [domain ...] : split domains\n"
527 " dnssec <yes|no|optional> : option to use DNSSEC\n"
528 " transport <DoH|DoT> : query server over HTTPS / TLS\n"
529 " sni <domain> : DNS server name indication\n"
530 "--dns search-domains <domain> [domain ...]:\n"
531 " Add domains to DNS domain search list\n"
532 "--dns-updown cmd|force|disable : Run cmd as user defined dns config command,\n"
533 " force running the default script or disable running it.\n"
534 "--auth-retry t : How to handle auth failures. Set t to\n"
535 " none (default), interact, or nointeract.\n"
536 "--static-challenge t e [<scrv1|concat>]: Enable static challenge/response protocol using\n"
537 " challenge text t, with e indicating echo flag (0|1)\n"
538 " and optional argument scrv1 or concat to use SCRV1 protocol or"
539 " concatenate response with password. Default is scrv1.\n"
540 "--connect-timeout n : when polling possible remote servers to connect to\n"
541 " in a round-robin fashion, spend no more than n seconds\n"
542 " waiting for a response before trying the next server.\n"
543 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
544 " incoming tun packets with same destination as host.\n"
545 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
546 " server/remote. n = # of retries, default=1.\n"
547 "\n"
548 "Data Channel Encryption Options (must be compatible between peers):\n"
549 "(These options are meaningful for both Static Key & TLS-mode)\n"
550 "--auth alg : Authenticate packets with HMAC using message\n"
551 " digest algorithm alg (default=%s).\n"
552 " (usually adds 16 or 20 bytes per packet)\n"
553 " Set alg=none to disable authentication.\n"
554 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
555 " You should usually use --data-ciphers instead.\n"
556 " Set alg=none to disable encryption.\n"
557 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
558#ifndef ENABLE_CRYPTO_MBEDTLS
559 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
560#endif
561 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
562 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
563 " and a time window of t seconds.\n"
564 " Default n=%d t=%d\n"
565 "--replay-persist file : Persist replay-protection state across sessions\n"
566 " using file.\n"
567 "--test-crypto : Run a self-test of crypto features enabled.\n"
568 " For debugging only.\n"
569#ifdef ENABLE_PREDICTION_RESISTANCE
570 "--use-prediction-resistance: Enable prediction resistance on the random\n"
571 " number generator.\n"
572#endif
573 "\n"
574 "TLS Key Negotiation Options:\n"
575 "(These options are meaningful only for TLS-mode)\n"
576 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
577 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
578 "--ca file : Certificate authority file in .pem format containing\n"
579 " root certificate.\n"
580#ifndef ENABLE_CRYPTO_MBEDTLS
581 "--capath dir : A directory of trusted certificates (CAs"
582 " and CRLs).\n"
583#endif /* ENABLE_CRYPTO_MBEDTLS */
584 "--dh file : File containing Diffie Hellman parameters\n"
585 " in .pem format (for --tls-server only).\n"
586 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
587 "--cert file : Local certificate in .pem format or a URI -- must be signed\n"
588 " by a Certificate Authority in --ca file used by the peer.\n"
589 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
590 "--key file : Local private key in .pem format or a URI.\n"
591 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
592 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
593 " is specified, require max TLS version supported by SSL implementation.\n"
594 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
595#ifndef ENABLE_CRYPTO_MBEDTLS
596 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
597 " and optionally the root CA certificate.\n"
598#endif
599#ifdef ENABLE_X509ALTUSERNAME
600 "--x509-username-field : Field in x509 certificate containing the username.\n"
601 " Default is CN in the Subject field.\n"
602#endif
603 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
604 " Valid algo flags are SHA1 and SHA256. \n"
605#ifdef _WIN32
606 "--cryptoapicert select-string : Load the certificate and private key from the\n"
607 " Windows Certificate System Store.\n"
608#endif
609 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
610 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
611 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
612 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
613 " (default=legacy).\n"
614 "--providers l : A list l of OpenSSL providers to load.\n"
615 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
616 " if no ACK from remote within n seconds (default=%d).\n"
617 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
618 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
619 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
620 " and at least min (defaults to 90%% of max on servers and equal\n"
621 " to max on clients).\n"
622 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
623 " of handshake initiation by any peer (default=%d).\n"
624 "--tran-window n : Transition window -- old key can live this many seconds\n"
625 " after new key renegotiation begins (default=%d).\n"
626 "--single-session: Allow only one session (reset state on restart).\n"
627 "--tls-exit : Exit on TLS negotiation failure.\n"
628 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
629 " control channel to protect against attacks on the TLS stack\n"
630 " and DoS attacks.\n"
631 " f (required) is a shared-secret key file.\n"
632 " The optional d parameter controls key directionality.\n"
633 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
634 " of the TLS control channel to hide the TLS certificate,\n"
635 " provide basic post-quantum security and protect against\n"
636 " attacks on the TLS stack and DoS attacks.\n"
637 " key (required) provides the pre-shared key file.\n"
638 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
639 " For servers: use key to decrypt client-specific keys. For\n"
640 " key generation (--genkey tls-crypt-v2-client): use key to\n"
641 " encrypt generated client-specific key. (See --tls-crypt.)\n"
642 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
643 " fresh tls-crypt-v2 client key, and store to\n"
644 " keyfile. If supplied, include metadata in wrapped key.\n"
645 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
646 " fresh tls-crypt-v2 server key, and store to keyfile\n"
647 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
648 " client-supplied tls-crypt-v2 client key\n"
649 "--tls-crypt-v2-max-age n : Only accept tls-crypt-v2 client keys that have a\n"
650 " timestamp which is at most n days old.\n"
651 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
652 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
653 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
654 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
655 " pending TLS connection that has otherwise passed all other\n"
656 " tests of certification. cmd should return 0 to allow\n"
657 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
658 " executed as 'cmd certificate_depth subject')\n"
659 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
660 " DN name. The remote host must also pass all other tests\n"
661 " of verification.\n"
662#ifndef ENABLE_CRYPTO_MBEDTLS
663 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
664 " an explicit nsCertType designation t = 'client' | 'server'.\n"
665#endif
666 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
667 " plugins and management interface.\n"
668 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
669 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
670 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
671 " explicit key usage, you can specify more than one value.\n"
672 " value should be given in hex format.\n"
673 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
674 " explicit extended key usage. Extended key usage can be encoded\n"
675 " as an object identifier or OpenSSL string representation.\n"
676 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
677 " key usage and extended key usage based on RFC3280 TLS rules.\n"
678 " t = 'client' | 'server'.\n"
679#ifdef ENABLE_PKCS11
680 "\n"
681 "PKCS#11 Options:\n"
682 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
683 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
684 " path. Set for each provider.\n"
685 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
686 " 0 : Try to determine automatically (default).\n"
687 " 1 : Use Sign.\n"
688 " 2 : Use SignRecover.\n"
689 " 4 : Use Decrypt.\n"
690 " 8 : Use Unwrap.\n"
691 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
692 " certificate can be accessed. Set for each provider.\n"
693 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
694 " cache until token is removed.\n"
695 "--pkcs11-id-management : Acquire identity from management interface.\n"
696 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
697#endif /* ENABLE_PKCS11 */
698 "\n"
699 "SSL Library information:\n"
700 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
701 "--show-digests : Show message digest algorithms to use with --auth option.\n"
702 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
703 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
704#ifdef _WIN32
705 "\n"
706 "Windows Specific:\n"
707 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
708 " from SystemRoot environment variable.\n"
709 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
710 " IP address using method = manual, netsh, ipapi,\n"
711 " dynamic, or adaptive (default = adaptive).\n"
712 " Dynamic method allows two optional parameters:\n"
713 " offset: DHCP server address offset (> -256 and < 256).\n"
714 " If 0, use network address, if >0, take nth\n"
715 " address forward from network address, if <0,\n"
716 " take nth address backward from broadcast\n"
717 " address.\n"
718 " Default is 0.\n"
719 " lease-time: Lease time in seconds.\n"
720 " Default is one year.\n"
721 "--route-method : Which method to use for adding routes on Windows?\n"
722 " adaptive (default) -- Try ipapi then fall back to exe.\n"
723 " ipapi -- Use IP helper API.\n"
724 " exe -- Call the route.exe shell command.\n"
725 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
726 " be used with --ip-win32 dynamic. For options\n"
727 " which allow multiple addresses,\n"
728 " --dhcp-option must be repeated.\n"
729 " DOMAIN name : Set DNS suffix\n"
730 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
731 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
732 " NTP : Set NTP server address(es)\n"
733 " NBDD : Set NBDD server address(es)\n"
734 " WINS addr : Set WINS server address(es)\n"
735 " NBT type : Set NetBIOS over TCP/IP Node type\n"
736 " 1: B, 2: P, 4: M, 8: H\n"
737 " NBS id : Set NetBIOS scope ID\n"
738 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
739 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
740 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
741 " startup.\n"
742 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
743 " on connection initiation.\n"
744 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
745 " attempting to set adapter properties.\n"
746 "--pause-exit : When run from a console window, pause before exiting.\n"
747 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
748 " service, and should not be used directly by end-users.\n"
749 " ex is the name of an event object which, when\n"
750 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
751 " optional parameter controls the initial state of ex.\n"
752 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
753 " after TAP adapter is up and routes have been added.\n"
754 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
755 "Windows Standalone Options:\n"
756 "\n"
757 "--show-adapters : Show all TAP-Windows adapters.\n"
758 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
759 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
760 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
761 " to access TAP adapter.\n"
762#endif /* ifdef _WIN32 */
763 "\n"
764 "Generate a new key :\n"
765 "--genkey tls-auth file : Generate a new random key of type and write to file\n"
766 " (for use with --tls-auth or --tls-crypt)."
767#ifdef ENABLE_FEATURE_TUN_PERSIST
768 "\n"
769 "Tun/tap config mode:\n"
770 "--mktun : Create a persistent tunnel.\n"
771 "--rmtun : Remove a persistent tunnel.\n"
772 "--dev tunX|tapX : tun/tap device\n"
773 "--dev-type dt : Device type. See tunnel options above for details.\n"
774 "--user user : User to set privilege to.\n"
775 "--group group : Group to set privilege to.\n"
776#endif
777#ifdef ENABLE_PKCS11
778 "\n"
779 "PKCS#11 standalone options:\n"
780#ifdef DEFAULT_PKCS11_MODULE
781 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
782#else
783 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
784#endif
785 " --verb option can be added *BEFORE* this.\n"
786#endif /* ENABLE_PKCS11 */
787 "\n"
788 "General Standalone Options:\n"
789#ifdef ENABLE_DEBUG
790 "--show-gateway [address]: Show info about gateway [to v4/v6 address].\n"
791#endif
792 ;
793
794#endif /* !ENABLE_SMALL */
795
796/*
797 * This is where the options defaults go.
798 * Any option not explicitly set here
799 * will be set to 0.
800 */
801void
802init_options(struct options *o, const bool init_gc)
803{
804 CLEAR(*o);
805 if (init_gc)
806 {
807 gc_init(&o->gc);
808 gc_init(&o->dns_options.gc);
809 o->gc_owned = true;
810 }
811 o->mode = MODE_POINT_TO_POINT;
812 o->topology = TOP_UNDEF;
813 o->ce.proto = PROTO_UDP;
814 o->ce.af = AF_UNSPEC;
815 o->ce.bind_ipv6_only = false;
816 o->ce.connect_retry_seconds = 1;
817 o->ce.connect_retry_seconds_max = 300;
818 o->ce.connect_timeout = 120;
819 o->connect_retry_max = 0;
820 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
821 o->verbosity = 1;
822 o->status_file_update_freq = 60;
823 o->status_file_version = 1;
824 o->ce.bind_local = true;
825 o->ce.tun_mtu = TUN_MTU_DEFAULT;
826 o->ce.occ_mtu = 0;
827 o->ce.link_mtu = LINK_MTU_DEFAULT;
828 o->ce.tls_mtu = TLS_MTU_DEFAULT;
829 o->ce.mtu_discover_type = -1;
830 o->ce.mssfix = 0;
831 o->ce.mssfix_default = true;
832 o->ce.mssfix_encap = true;
833 o->route_default_table_id = 0;
834 o->route_delay_window = 30;
835 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
836 o->resolve_in_advance = false;
837 o->proto_force = -1;
838 o->occ = true;
839#ifdef ENABLE_MANAGEMENT
840 o->management_log_history_cache = 250;
841 o->management_echo_buffer_size = 100;
842 o->management_state_buffer_size = 100;
843#endif
844#ifdef ENABLE_FEATURE_TUN_PERSIST
845 o->persist_mode = 1;
846#endif
847#ifdef _WIN32
848#if 0
849 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
850#else
851 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
852#endif
853 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
854 /* use network address as internal DHCP server address */
855 o->tuntap_options.dhcp_masq_offset = 0;
856 o->route_method = ROUTE_METHOD_ADAPTIVE;
857 o->block_outside_dns = false;
858 o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
859#endif
860 o->vlan_accept = VLAN_ALL;
861 o->vlan_pvid = 1;
862 o->real_hash_size = 256;
863 o->virtual_hash_size = 256;
864 o->n_bcast_buf = 256;
865 o->tcp_queue_limit = 64;
866 o->max_clients = 1024;
867 o->cf_initial_per = 10;
868 o->cf_initial_max = 100;
869 o->max_routes_per_client = 256;
870 o->stale_routes_check_interval = 0;
871 o->ifconfig_pool_persist_refresh_freq = 600;
872 o->scheduled_exit_interval = 5;
873 o->authname = "SHA1";
874 o->replay_window = DEFAULT_SEQ_BACKTRACK;
875 o->replay_time = DEFAULT_TIME_BACKTRACK;
876 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
877#ifdef ENABLE_PREDICTION_RESISTANCE
878 o->use_prediction_resistance = false;
879#endif
880 o->tls_timeout = 2;
881 o->renegotiate_bytes = -1;
882 o->renegotiate_seconds = 3600;
883 o->renegotiate_seconds_min = -1;
884 o->handshake_window = 60;
885 o->transition_window = 3600;
886 o->tls_cert_profile = NULL;
887 o->ecdh_curve = NULL;
888#ifdef ENABLE_X509ALTUSERNAME
889 o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
890#endif
891#ifdef ENABLE_PKCS11
892 o->pkcs11_pin_cache_period = -1;
893#endif /* ENABLE_PKCS11 */
894
895 /* P2MP server context features */
896 o->auth_token_generate = false;
897
898 /* Set default --tmp-dir */
899#ifdef _WIN32
900 /* On Windows, find temp dir via environment variables */
901 o->tmp_dir = win_get_tempdir();
902
903 if (!o->tmp_dir)
904 {
905 /* Error out if we can't find a valid temporary directory, which should
906 * be very unlikely. */
907 msg(M_USAGE, "Could not find a suitable temporary directory."
908 " (GetTempPath() failed). Consider using --tmp-dir");
909 }
910#else /* ifdef _WIN32 */
911 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
912 o->tmp_dir = getenv("TMPDIR");
913 if (!o->tmp_dir)
914 {
915 o->tmp_dir = "/tmp";
916 }
917#endif /* _WIN32 */
918 o->allow_recursive_routing = false;
919
920#ifndef ENABLE_DCO
921 o->disable_dco = true;
922#endif /* ENABLE_DCO */
923
924#ifdef ENABLE_DNS_UPDOWN_BY_DEFAULT
925 o->dns_options.updown = DEFAULT_DNS_UPDOWN;
926#endif /* ENABLE_DNS_UPDOWN_BY_DEFAULT */
927}
928
929void
930uninit_options(struct options *o)
931{
932 if (o->connection_list)
933 {
934 CLEAR(*o->connection_list);
935 }
936 if (o->remote_list)
937 {
938 CLEAR(*o->remote_list);
939 }
940 if (o->gc_owned)
941 {
942 gc_free(&o->gc);
943 gc_free(&o->dns_options.gc);
944 }
945}
946
947#ifndef ENABLE_SMALL
948
949static const char *
950pull_filter_type_name(int type)
951{
952 if (type == PUF_TYPE_ACCEPT)
953 {
954 return "accept";
955 }
956 if (type == PUF_TYPE_IGNORE)
957 {
958 return "ignore";
959 }
960 if (type == PUF_TYPE_REJECT)
961 {
962 return "reject";
963 }
964 else
965 {
966 return "???";
967 }
968}
969
970#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
971#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
972#define SHOW_STR_INLINE(var) \
973 SHOW_PARM(var, o->var##_inline ? "[INLINE]" : (o->var ? o->var : "[UNDEF]"), "'%s'")
974#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
975#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
976#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
977#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
978#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
979
980#endif /* ifndef ENABLE_SMALL */
981
982static void
983setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
984{
985 setenv_str_i(es, "remote", e->remote, i);
986 setenv_str_i(es, "remote_port", e->remote_port, i);
987
988 if (e->http_proxy_options)
989 {
990 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
991 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
992 }
993 if (e->socks_proxy_server)
994 {
995 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
996 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
997 }
998}
999
1000static void
1001setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
1002{
1003 setenv_str_i(es, "proto", proto2ascii(e->proto, AF_UNSPEC, false), i);
1004 setenv_str_i(es, "local", e->local, i);
1005 setenv_str_i(es, "local_port", e->port, i);
1006}
1007
1008void
1009setenv_settings(struct env_set *es, const struct options *o)
1010{
1011 setenv_str(es, "config", o->config);
1012 setenv_int(es, "verb", o->verbosity);
1013 setenv_int(es, "daemon", o->daemon);
1014 setenv_int(es, "daemon_log_redirect", o->log);
1015 setenv_long_long(es, "daemon_start_time", time(NULL));
1016 setenv_int(es, "daemon_pid", platform_getpid());
1017
1018 if (o->connection_list)
1019 {
1020 int i;
1021 for (i = 0; i < o->connection_list->len; ++i)
1022 {
1023 setenv_connection_entry(es, o->connection_list->array[i], i + 1);
1024 }
1025 }
1026 else
1027 {
1028 setenv_connection_entry(es, &o->ce, 1);
1029 }
1030
1031 if (o->ce.local_list)
1032 {
1033 for (int i = 0; i < o->ce.local_list->len; i++)
1034 {
1035 setenv_local_entry(es, o->ce.local_list->array[i], i + 1);
1036 }
1037 }
1038}
1039
1040#ifndef _WIN32
1041static void
1042setenv_foreign_option(struct options *o, const char *option, const char *value, struct env_set *es)
1043{
1044 struct gc_arena gc = gc_new();
1045 struct buffer env_name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1046 struct buffer env_value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1047 bool good = true;
1048
1049 good &= buf_printf(&env_name, "foreign_option_%d", o->foreign_option_index + 1);
1050 if (value)
1051 {
1052 good &= buf_printf(&env_value, "dhcp-option %s %s", option, value);
1053 }
1054 else
1055 {
1056 good &= buf_printf(&env_value, "dhcp-option %s", option);
1057 }
1058 if (good)
1059 {
1060 setenv_str(es, BSTR(&env_name), BSTR(&env_value));
1061 ++o->foreign_option_index;
1062 }
1063 else
1064 {
1065 msg(M_WARN, "foreign_option: name/value overflow");
1066 }
1067 gc_free(&gc);
1068}
1069
1070static void
1071delete_all_dhcp_fo(struct options *o, struct env_item **list)
1072{
1073 struct env_item *current, *prev;
1074
1075 ASSERT(list);
1076
1077 for (current = *list, prev = NULL; current != NULL; current = current->next)
1078 {
1079 char *tmp_value = NULL;
1080 if (!strncmp(current->string, "foreign_option_", sizeof("foreign_option_") - 1))
1081 {
1082 tmp_value = strchr(current->string, '=');
1083 if (tmp_value && ++tmp_value)
1084 {
1085 if (!strncmp(tmp_value, "dhcp-option ", sizeof("dhcp-option ") - 1))
1086 {
1087 if (prev)
1088 {
1089 prev->next = current->next;
1090 }
1091 else
1092 {
1093 *list = current->next;
1094 }
1095 o->foreign_option_index--;
1096 }
1097 }
1098 }
1099 prev = current;
1100 }
1101}
1102
1103#endif /* ifndef _WIN32 */
1104
1105static in_addr_t
1106get_ip_addr(const char *ip_string, msglvl_t msglevel, bool *error)
1107{
1108 unsigned int flags = GETADDR_HOST_ORDER;
1109 bool succeeded = false;
1110 in_addr_t ret;
1111
1112 if (msglevel & M_FATAL)
1113 {
1114 flags |= GETADDR_FATAL;
1115 }
1116
1117 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1118 if (!succeeded && error)
1119 {
1120 *error = true;
1121 }
1122 return ret;
1123}
1124
1130static char *
1131get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1132{
1133 const char *end = strchr(addr, '/');
1134 char *ret = NULL;
1135 if (NULL == end)
1136 {
1137 ret = string_alloc(addr, gc);
1138 }
1139 else
1140 {
1141 size_t len = end - addr;
1142 ret = gc_malloc(len + 1, true, gc);
1143 memcpy(ret, addr, len);
1144 }
1145 return ret;
1146}
1147
1148static bool
1149ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
1150{
1151 struct in6_addr t_addr;
1152 unsigned int t_bits;
1153
1154 return get_ipv6_addr(ipv6_prefix_spec, &t_addr, &t_bits, M_WARN);
1155}
1156
1157#if defined(__GNUC__) || defined(__clang__)
1158#pragma GCC diagnostic push
1159#pragma GCC diagnostic ignored "-Wconversion"
1160#endif
1161
1162static char *
1163string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1164{
1165 char *ret = (char *)gc_malloc(strlen(src) + 1, true, gc);
1166 char *dest = ret;
1167 char c;
1168
1169 do
1170 {
1171 c = *src++;
1172 if (c == from)
1173 {
1174 c = to;
1175 }
1176 *dest++ = c;
1177 } while (c);
1178 return ret;
1179}
1180
1190static struct verify_hash_list *
1191parse_hash_fingerprint(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
1192{
1193 int i = 0;
1194 const char *cp = str;
1195
1196 struct verify_hash_list *ret;
1197 ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1198
1199 char term = 0;
1200 unsigned int byte;
1201
1202 while (*cp && i < nbytes)
1203 {
1204 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1205 if (!isxdigit(cp[0]) || !isxdigit(cp[1]) || (cp[2] != ':' && cp[2] != '\0')
1206 || sscanf(cp, "%x", &byte) != 1)
1207 {
1208 msg(msglevel, "format error in hash fingerprint: %s", str);
1209 break;
1210 }
1211
1212 ret->hash[i++] = (uint8_t)byte;
1213
1214 term = cp[2];
1215 if (term == '\0')
1216 {
1217 break;
1218 }
1219 cp += 3;
1220 }
1221 if (i < nbytes)
1222 {
1223 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i,
1224 str);
1225 }
1226 else if (term != '\0')
1227 {
1228 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1229 }
1230 return ret;
1231}
1232
1243static struct verify_hash_list *
1244parse_hash_fingerprint_multiline(const char *str, int nbytes, msglvl_t msglevel,
1245 struct gc_arena *gc)
1246{
1247 struct gc_arena gc_temp = gc_new();
1248 char *lines = string_alloc(str, &gc_temp);
1249
1250 struct verify_hash_list *ret = NULL;
1251
1252 const char *line;
1253 while ((line = strsep(&lines, "\n")))
1254 {
1255 /* ignore leading whitespace */
1256 while (isspace(*line))
1257 {
1258 line++;
1259 }
1260 /* skip empty lines and comment lines */
1261 if (strlen(line) == 0 || *line == '#' || *line == ';')
1262 {
1263 continue;
1264 }
1265
1266 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes, msglevel, gc);
1267
1268 if (!hash)
1269 {
1270 gc_free(&gc_temp);
1271 return NULL;
1272 }
1273
1274 hash->next = ret;
1275 ret = hash;
1276 }
1277 gc_free(&gc_temp);
1278
1279 return ret;
1280}
1281#ifdef _WIN32
1282
1283#ifndef ENABLE_SMALL
1284
1285static void
1286show_dhcp_option_list(const char *name, const char *const *array, int len)
1287{
1288 int i;
1289 for (i = 0; i < len; ++i)
1290 {
1291 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i]);
1292 }
1293}
1294
1295static void
1296show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1297{
1298 struct gc_arena gc = gc_new();
1299 int i;
1300 for (i = 0; i < len; ++i)
1301 {
1302 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, print_in_addr_t(array[i], 0, &gc));
1303 }
1304 gc_free(&gc);
1305}
1306
1307static void
1308show_tuntap_options(const struct tuntap_options *o)
1309{
1310 SHOW_BOOL(ip_win32_defined);
1311 SHOW_INT(ip_win32_type);
1312 SHOW_INT(dhcp_masq_offset);
1313 SHOW_INT(dhcp_lease_time);
1314 SHOW_INT(tap_sleep);
1315 SHOW_UNSIGNED(dhcp_options);
1316 SHOW_BOOL(dhcp_renew);
1317 SHOW_BOOL(dhcp_pre_release);
1318 SHOW_STR(domain);
1319 SHOW_STR(netbios_scope);
1320 SHOW_UNSIGNED(netbios_node_type);
1321 SHOW_BOOL(disable_nbt);
1322
1323 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1324 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1325 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1326 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1327 show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1328}
1329
1330#endif /* ifndef ENABLE_SMALL */
1331#endif /* ifdef _WIN32 */
1332
1333static void
1334dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, msglvl_t msglevel)
1335{
1336 struct in6_addr addr;
1337 if (*len >= N_DHCP_ADDR)
1338 {
1339 msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1340 N_DHCP_ADDR);
1341 }
1342 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1343 {
1344 dns6_list[(*len)++] = addr;
1345 }
1346}
1347static void
1348dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len,
1349 msglvl_t msglevel)
1350{
1351 if (*len >= N_DHCP_ADDR)
1352 {
1353 msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified", name,
1354 N_DHCP_ADDR, name);
1355 }
1356 else
1357 {
1358 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1359 {
1360 bool error = false;
1361 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1362 if (!error)
1363 {
1364 array[(*len)++] = addr;
1365 }
1366 }
1367 else
1368 {
1369 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1370 }
1371 }
1372}
1373
1374#ifndef ENABLE_SMALL
1375static const char *
1376print_vlan_accept(enum vlan_acceptable_frames mode)
1377{
1378 switch (mode)
1379 {
1380 case VLAN_ONLY_TAGGED:
1381 return "tagged";
1382
1383 case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1384 return "untagged";
1385
1386 case VLAN_ALL:
1387 return "all";
1388 }
1389 return NULL;
1390}
1391
1392static void
1393show_p2mp_parms(const struct options *o)
1394{
1395 struct gc_arena gc = gc_new();
1396
1397 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1398 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1399 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc));
1400 SHOW_INT(server_netbits_ipv6);
1401 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1402 msg(D_SHOW_PARMS, " server_bridge_netmask = %s",
1403 print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1404 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s",
1405 print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1406 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s",
1407 print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1408 if (o->push_list.head)
1409 {
1410 const struct push_entry *e = o->push_list.head;
1411 while (e)
1412 {
1413 if (e->enable)
1414 {
1415 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1416 }
1417 e = e->next;
1418 }
1419 }
1420 SHOW_BOOL(ifconfig_pool_defined);
1421 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s",
1422 print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1423 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1424 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s",
1425 print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1426 SHOW_STR(ifconfig_pool_persist_filename);
1427 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1428 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1429 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s",
1430 print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1431 SHOW_INT(ifconfig_ipv6_pool_netbits);
1432 SHOW_INT(n_bcast_buf);
1433 SHOW_INT(tcp_queue_limit);
1434 SHOW_INT(real_hash_size);
1435 SHOW_INT(virtual_hash_size);
1436 SHOW_STR(client_connect_script);
1437 SHOW_STR(learn_address_script);
1438 SHOW_STR(client_disconnect_script);
1439 SHOW_STR(client_crresponse_script);
1440 SHOW_STR(client_config_dir);
1441 SHOW_BOOL(ccd_exclusive);
1442 SHOW_STR(tmp_dir);
1443 SHOW_BOOL(push_ifconfig_defined);
1444 msg(D_SHOW_PARMS, " push_ifconfig_local = %s",
1445 print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1446 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s",
1447 print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1448 SHOW_BOOL(push_ifconfig_ipv6_defined);
1449 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d",
1450 print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits);
1451 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s",
1452 print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1453 SHOW_BOOL(enable_c2c);
1454 SHOW_BOOL(duplicate_cn);
1455 SHOW_INT(cf_max);
1456 SHOW_INT(cf_per);
1457 SHOW_INT(cf_initial_max);
1458 SHOW_INT(cf_initial_per);
1459 SHOW_INT(max_clients);
1460 SHOW_INT(max_routes_per_client);
1461 SHOW_STR(auth_user_pass_verify_script);
1462 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1463 SHOW_BOOL(auth_token_generate);
1464 SHOW_BOOL(force_key_material_export);
1465 SHOW_INT(auth_token_lifetime);
1466 SHOW_STR_INLINE(auth_token_secret_file);
1467#if PORT_SHARE
1468 SHOW_STR(port_share_host);
1469 SHOW_STR(port_share_port);
1470#endif
1471 SHOW_BOOL(vlan_tagging);
1472 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1473 SHOW_INT(vlan_pvid);
1474
1475 SHOW_BOOL(client);
1476 SHOW_BOOL(pull);
1477 SHOW_STR_INLINE(auth_user_pass_file);
1478
1479 gc_free(&gc);
1480}
1481
1482#endif /* ! ENABLE_SMALL */
1483
1484static void
1485option_iroute(struct options *o, const char *network_str, const char *netmask_str,
1486 msglvl_t msglevel)
1487{
1488 struct iroute *ir;
1489
1490 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1491 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1492 ir->netbits = 32; /* host route if no netmask given */
1493
1494 if (netmask_str)
1495 {
1496 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1497 ir->netbits = netmask_to_netbits2(netmask);
1498
1499 if (ir->netbits < 0)
1500 {
1501 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification", network_str,
1502 netmask_str);
1503 return;
1504 }
1505 }
1506
1507 ir->next = o->iroutes;
1508 o->iroutes = ir;
1509}
1510
1511static void
1512option_iroute_ipv6(struct options *o, const char *prefix_str, msglvl_t msglevel)
1513{
1514 struct iroute_ipv6 *ir;
1515
1516 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1517
1518 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel))
1519 {
1520 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str);
1521 return;
1522 }
1523
1524 ir->next = o->iroutes_ipv6;
1525 o->iroutes_ipv6 = ir;
1526}
1527
1528#ifndef ENABLE_SMALL
1529static void
1530show_http_proxy_options(const struct http_proxy_options *o)
1531{
1532 int i;
1533 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1534 SHOW_STR(server);
1535 SHOW_STR(port);
1536 SHOW_STR(auth_method_string);
1537 SHOW_STR(auth_file);
1538 SHOW_STR(auth_file_up);
1539 SHOW_BOOL(inline_creds);
1540 SHOW_BOOL(nocache);
1541 SHOW_STR(http_version);
1542 SHOW_STR(user_agent);
1543 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1544 {
1545 if (o->custom_headers[i].content)
1546 {
1547 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i, o->custom_headers[i].name,
1548 o->custom_headers[i].content);
1549 }
1550 else
1551 {
1552 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i, o->custom_headers[i].name);
1553 }
1554 }
1555 msg(D_SHOW_PARMS, "END http_proxy");
1556}
1557#endif /* ifndef ENABLE_SMALL */
1558
1559void
1560options_detach(struct options *o)
1561{
1562 gc_detach(&o->gc);
1563 o->routes = NULL;
1564 o->client_nat = NULL;
1565 clone_push_list(o);
1566}
1567
1568void
1569rol_check_alloc(struct options *options)
1570{
1571 if (!options->routes)
1572 {
1573 options->routes = new_route_option_list(&options->gc);
1574 }
1575}
1576
1577static void
1585
1586static void
1587cnol_check_alloc(struct options *options)
1588{
1589 if (!options->client_nat)
1590 {
1591 options->client_nat = new_client_nat_list(&options->gc);
1592 }
1593}
1594
1595#ifndef ENABLE_SMALL
1596static void
1597show_connection_entry(const struct connection_entry *o)
1598{
1599 /* Display the global proto only in client mode or with no '--local'*/
1600 if (o->local_list->len == 1)
1601 {
1602 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1603 }
1604
1605 msg(D_SHOW_PARMS, " Local Sockets:");
1606 for (int i = 0; i < o->local_list->len; i++)
1607 {
1608 msg(D_SHOW_PARMS, " [%s]:%s-%s", o->local_list->array[i]->local,
1609 o->local_list->array[i]->port,
1610 proto2ascii(o->local_list->array[i]->proto, o->af, false));
1611 }
1612 SHOW_STR(remote);
1613 SHOW_STR(remote_port);
1614 SHOW_BOOL(remote_float);
1615 SHOW_BOOL(bind_defined);
1616 SHOW_BOOL(bind_local);
1617 SHOW_BOOL(bind_ipv6_only);
1618 SHOW_INT(connect_retry_seconds);
1619 SHOW_INT(connect_timeout);
1620
1621 if (o->http_proxy_options)
1622 {
1623 show_http_proxy_options(o->http_proxy_options);
1624 }
1625 SHOW_STR(socks_proxy_server);
1626 SHOW_STR(socks_proxy_port);
1627 SHOW_INT(tun_mtu);
1628 SHOW_BOOL(tun_mtu_defined);
1629 SHOW_INT(link_mtu);
1630 SHOW_BOOL(link_mtu_defined);
1631 SHOW_INT(tun_mtu_extra);
1632 SHOW_BOOL(tun_mtu_extra_defined);
1633 SHOW_INT(tls_mtu);
1634
1635 SHOW_INT(mtu_discover_type);
1636
1637#ifdef ENABLE_FRAGMENT
1638 SHOW_INT(fragment);
1639#endif
1640 SHOW_INT(mssfix);
1641 SHOW_BOOL(mssfix_encap);
1642 SHOW_BOOL(mssfix_fixed);
1643
1644 SHOW_INT(explicit_exit_notification);
1645
1646 SHOW_STR_INLINE(tls_auth_file);
1647 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1648 SHOW_STR_INLINE(tls_crypt_file);
1649 SHOW_STR_INLINE(tls_crypt_v2_file);
1650}
1651
1652
1653static void
1654show_connection_entries(const struct options *o)
1655{
1656 if (o->connection_list)
1657 {
1658 const struct connection_list *l = o->connection_list;
1659 int i;
1660 for (i = 0; i < l->len; ++i)
1661 {
1662 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1663 show_connection_entry(l->array[i]);
1664 }
1665 }
1666 else
1667 {
1668 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1669 show_connection_entry(&o->ce);
1670 }
1671 msg(D_SHOW_PARMS, "Connection profiles END");
1672}
1673
1674static void
1675show_pull_filter_list(const struct pull_filter_list *l)
1676{
1677 struct pull_filter *f;
1678 if (!l)
1679 {
1680 return;
1681 }
1682
1683 msg(D_SHOW_PARMS, " Pull filters:");
1684 for (f = l->head; f; f = f->next)
1685 {
1686 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1687 }
1688}
1689
1690#endif /* ifndef ENABLE_SMALL */
1691
1692void
1693show_settings(const struct options *o)
1694{
1695#ifndef ENABLE_SMALL
1696 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1697
1698 SHOW_STR(config);
1699
1700 SHOW_INT(mode);
1701
1702#ifdef ENABLE_FEATURE_TUN_PERSIST
1703 SHOW_BOOL(persist_config);
1704 SHOW_INT(persist_mode);
1705#endif
1706
1707 SHOW_BOOL(show_ciphers);
1708 SHOW_BOOL(show_digests);
1709 SHOW_BOOL(show_engines);
1710 SHOW_BOOL(genkey);
1711 SHOW_STR(genkey_filename);
1712 SHOW_STR(key_pass_file);
1713 SHOW_BOOL(show_tls_ciphers);
1714
1715 SHOW_INT(connect_retry_max);
1716 show_connection_entries(o);
1717
1718 SHOW_BOOL(remote_random);
1719
1720 SHOW_STR(ipchange);
1721 SHOW_STR(dev);
1722 SHOW_STR(dev_type);
1723 SHOW_STR(dev_node);
1724#if defined(ENABLE_DCO)
1725 SHOW_BOOL(disable_dco);
1726#endif
1727 SHOW_STR(lladdr);
1728 SHOW_INT(topology);
1729 SHOW_STR(ifconfig_local);
1730 SHOW_STR(ifconfig_remote_netmask);
1731 SHOW_BOOL(ifconfig_noexec);
1732 SHOW_BOOL(ifconfig_nowarn);
1733 SHOW_STR(ifconfig_ipv6_local);
1734 SHOW_INT(ifconfig_ipv6_netbits);
1735 SHOW_STR(ifconfig_ipv6_remote);
1736
1737 SHOW_INT(shaper);
1738 SHOW_INT(mtu_test);
1739
1740 SHOW_BOOL(mlock);
1741
1742 SHOW_INT(keepalive_ping);
1743 SHOW_INT(keepalive_timeout);
1744 SHOW_INT(inactivity_timeout);
1745 SHOW_INT(session_timeout);
1746 SHOW_INT64(inactivity_minimum_bytes);
1747 SHOW_INT(ping_send_timeout);
1748 SHOW_INT(ping_rec_timeout);
1749 SHOW_INT(ping_rec_timeout_action);
1750 SHOW_BOOL(ping_timer_remote);
1751 SHOW_INT(remap_sigusr1);
1752 SHOW_BOOL(persist_tun);
1753 SHOW_BOOL(persist_local_ip);
1754 SHOW_BOOL(persist_remote_ip);
1755
1756#if PASSTOS_CAPABILITY
1757 SHOW_BOOL(passtos);
1758#endif
1759
1760 SHOW_INT(resolve_retry_seconds);
1761 SHOW_BOOL(resolve_in_advance);
1762
1763 SHOW_STR(username);
1764 SHOW_STR(groupname);
1765 SHOW_STR(chroot_dir);
1766 SHOW_STR(cd_dir);
1767#ifdef ENABLE_SELINUX
1768 SHOW_STR(selinux_context);
1769#endif
1770 SHOW_STR(writepid);
1771 SHOW_STR(up_script);
1772 SHOW_STR(down_script);
1773 SHOW_BOOL(down_pre);
1774 SHOW_BOOL(up_restart);
1775 SHOW_BOOL(up_delay);
1776 SHOW_BOOL(daemon);
1777 SHOW_BOOL(log);
1778 SHOW_BOOL(suppress_timestamps);
1779 SHOW_BOOL(machine_readable_output);
1780 SHOW_INT(nice);
1781 SHOW_INT(verbosity);
1782 SHOW_INT(mute);
1783#ifdef ENABLE_DEBUG
1784 SHOW_INT(gremlin);
1785#endif
1786 SHOW_STR(status_file);
1787 SHOW_INT(status_file_version);
1788 SHOW_INT(status_file_update_freq);
1789
1790 SHOW_BOOL(occ);
1791 SHOW_INT(rcvbuf);
1792 SHOW_INT(sndbuf);
1793#if defined(TARGET_LINUX)
1794 SHOW_INT(mark);
1795#endif
1796 SHOW_INT(sockflags);
1797
1798 SHOW_BOOL(fast_io);
1799
1800 SHOW_INT(comp.alg);
1801 SHOW_INT(comp.flags);
1802
1803 SHOW_STR(route_script);
1804 SHOW_STR(route_default_gateway);
1805 SHOW_INT(route_default_metric);
1806 SHOW_INT(route_default_table_id);
1807 SHOW_BOOL(route_noexec);
1808 SHOW_INT(route_delay);
1809 SHOW_INT(route_delay_window);
1810 SHOW_BOOL(route_delay_defined);
1811 SHOW_BOOL(route_nopull);
1812 SHOW_BOOL(route_gateway_via_dhcp);
1813 SHOW_BOOL(allow_pull_fqdn);
1814 show_pull_filter_list(o->pull_filter_list);
1815
1816 if (o->routes)
1817 {
1818 print_route_options(o->routes, D_SHOW_PARMS);
1819 }
1820
1821 if (o->client_nat)
1822 {
1823 print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1824 }
1825
1826 show_dns_options(&o->dns_options);
1827
1828#ifdef ENABLE_MANAGEMENT
1829 SHOW_STR(management_addr);
1830 SHOW_STR(management_port);
1831 SHOW_STR(management_user_pass);
1832 SHOW_INT(management_log_history_cache);
1833 SHOW_INT(management_echo_buffer_size);
1834 SHOW_STR(management_client_user);
1835 SHOW_STR(management_client_group);
1836 SHOW_INT(management_flags);
1837#endif
1838#ifdef ENABLE_PLUGIN
1839 if (o->plugin_list)
1840 {
1841 plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1842 }
1843#endif
1844
1845 SHOW_STR_INLINE(shared_secret_file);
1846 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1847 SHOW_STR(ciphername);
1848 SHOW_STR(ncp_ciphers);
1849 SHOW_STR(authname);
1850#ifndef ENABLE_CRYPTO_MBEDTLS
1851 SHOW_BOOL(engine);
1852#endif /* ENABLE_CRYPTO_MBEDTLS */
1853 SHOW_BOOL(mute_replay_warnings);
1854 SHOW_INT(replay_window);
1855 SHOW_INT(replay_time);
1856 SHOW_STR(packet_id_file);
1857 SHOW_BOOL(test_crypto);
1858#ifdef ENABLE_PREDICTION_RESISTANCE
1859 SHOW_BOOL(use_prediction_resistance);
1860#endif
1861
1862 SHOW_BOOL(tls_server);
1863 SHOW_BOOL(tls_client);
1864 SHOW_STR_INLINE(ca_file);
1865 SHOW_STR(ca_path);
1866 SHOW_STR_INLINE(dh_file);
1867 if ((o->management_flags & MF_EXTERNAL_CERT))
1868 {
1869 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1870 }
1871 else
1872 {
1873 SHOW_STR_INLINE(cert_file);
1874 }
1875 SHOW_STR_INLINE(extra_certs_file);
1876
1877 if ((o->management_flags & MF_EXTERNAL_KEY))
1878 {
1879 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1880 }
1881 else
1882 {
1883 SHOW_STR_INLINE(priv_key_file);
1884 }
1885#ifndef ENABLE_CRYPTO_MBEDTLS
1886 SHOW_STR_INLINE(pkcs12_file);
1887#endif
1888#ifdef ENABLE_CRYPTOAPI
1889 SHOW_STR(cryptoapi_cert);
1890#endif
1891 SHOW_STR(cipher_list);
1892 SHOW_STR(cipher_list_tls13);
1893 SHOW_STR(tls_cert_profile);
1894 SHOW_STR(tls_verify);
1895 SHOW_STR(tls_export_peer_cert_dir);
1896 SHOW_INT(verify_x509_type);
1897 SHOW_STR(verify_x509_name);
1898 SHOW_STR_INLINE(crl_file);
1899 SHOW_INT(ns_cert_type);
1900 {
1901 int i;
1902 for (i = 0; i < MAX_PARMS; i++)
1903 {
1904 SHOW_INT(remote_cert_ku[i]);
1905 }
1906 }
1907 SHOW_STR(remote_cert_eku);
1908 if (o->verify_hash)
1909 {
1910 SHOW_INT(verify_hash_algo);
1911 SHOW_INT(verify_hash_depth);
1912 struct gc_arena gc = gc_new();
1913 struct verify_hash_list *hl = o->verify_hash;
1914 int digest_len =
1915 (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH : SHA256_DIGEST_LENGTH;
1916 while (hl)
1917 {
1918 char *s = format_hex_ex(hl->hash, digest_len, 0, 1, ":", &gc);
1919 SHOW_PARM(verify_hash, s, "%s");
1920 hl = hl->next;
1921 }
1922 gc_free(&gc);
1923 }
1924 SHOW_INT(ssl_flags);
1925
1926 SHOW_INT(tls_timeout);
1927
1928 SHOW_INT64(renegotiate_bytes);
1929 SHOW_INT64(renegotiate_packets);
1930 SHOW_INT(renegotiate_seconds);
1931
1932 SHOW_INT(handshake_window);
1933 SHOW_INT(transition_window);
1934
1935 SHOW_BOOL(single_session);
1936 SHOW_BOOL(push_peer_info);
1937 SHOW_BOOL(tls_exit);
1938
1939 SHOW_STR(tls_crypt_v2_metadata);
1940
1941#ifdef ENABLE_PKCS11
1942 {
1943 int i;
1944 for (i = 0; i < MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1945 {
1946 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1947 }
1948 }
1949 {
1950 int i;
1951 for (i = 0; i < MAX_PARMS; i++)
1952 {
1953 SHOW_PARM(pkcs11_protected_authentication,
1954 o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1955 }
1956 }
1957 {
1958 int i;
1959 for (i = 0; i < MAX_PARMS; i++)
1960 {
1961 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1962 }
1963 }
1964 {
1965 int i;
1966 for (i = 0; i < MAX_PARMS; i++)
1967 {
1968 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED",
1969 "%s");
1970 }
1971 }
1972 SHOW_INT(pkcs11_pin_cache_period);
1973 SHOW_STR(pkcs11_id);
1974 SHOW_BOOL(pkcs11_id_management);
1975#endif /* ENABLE_PKCS11 */
1976
1977 show_p2mp_parms(o);
1978
1979#ifdef _WIN32
1980 SHOW_BOOL(show_net_up);
1981 SHOW_INT(route_method);
1982 SHOW_BOOL(block_outside_dns);
1983 show_tuntap_options(&o->tuntap_options);
1984#endif
1985#endif /* ifndef ENABLE_SMALL */
1986}
1987
1988#undef SHOW_PARM
1989#undef SHOW_STR
1990#undef SHOW_INT
1991#undef SHOW_BOOL
1992
1993#ifdef ENABLE_MANAGEMENT
1994
1995static struct http_proxy_options *
1996parse_http_proxy_override(const char *server, const char *port, const char *flags,
1997 struct gc_arena *gc)
1998{
1999 if (server && port)
2000 {
2001 struct http_proxy_options *ho;
2002 ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
2003 ho->server = string_alloc(server, gc);
2004 ho->port = port;
2005 if (flags && !strcmp(flags, "nct"))
2006 {
2007 ho->auth_retry = PAR_NCT;
2008 }
2009 else
2010 {
2011 ho->auth_retry = PAR_ALL;
2012 }
2013 ho->http_version = "1.0";
2014 ho->user_agent = "OpenVPN-Autoproxy/1.0";
2015 return ho;
2016 }
2017 else
2018 {
2019 return NULL;
2020 }
2021}
2022
2023static void
2024options_postprocess_http_proxy_override(struct options *o)
2025{
2026 const struct connection_list *l = o->connection_list;
2027 int i;
2028 bool succeed = false;
2029 for (i = 0; i < l->len; ++i)
2030 {
2031 struct connection_entry *ce = l->array[i];
2032 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2033 {
2034 ce->http_proxy_options = o->http_proxy_override;
2035 succeed = true;
2036 }
2037 }
2038 if (succeed)
2039 {
2040 for (i = 0; i < l->len; ++i)
2041 {
2042 struct connection_entry *ce = l->array[i];
2043 if (ce->proto == PROTO_UDP)
2044 {
2045 ce->flags |= CE_DISABLED;
2046 }
2047 }
2048 }
2049 else
2050 {
2051 msg(M_WARN,
2052 "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2053 }
2054}
2055
2056#endif /* ifdef ENABLE_MANAGEMENT */
2057
2058static struct local_list *
2059alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
2060{
2061 if (!ce->local_list)
2062 {
2063 ALLOC_OBJ_CLEAR_GC(ce->local_list, struct local_list, gc);
2064 }
2065 return ce->local_list;
2066}
2067
2068static struct local_entry *
2069alloc_local_entry(struct connection_entry *ce, const msglvl_t msglevel, struct gc_arena *gc)
2070{
2071 struct local_list *l = alloc_local_list_if_undef(ce, gc);
2072 struct local_entry *e;
2073
2074 if (l->len >= l->capacity)
2075 {
2076 const int new_cap = l->capacity + 1;
2077 const size_t elem_size = sizeof(*l->array);
2078
2079 struct local_entry **new_array = gc_realloc(l->array, new_cap * elem_size, gc);
2080 if (!new_array)
2081 {
2082 msg(msglevel,
2083 "Unable to process more local options: out of memory. Number of entries = %d",
2084 l->len);
2085 return NULL;
2086 }
2087
2088 l->array = new_array;
2089 l->capacity = new_cap;
2090 }
2091
2092 ALLOC_OBJ_CLEAR_GC(e, struct local_entry, gc);
2093 e->proto = PROTO_NONE;
2094 l->array[l->len++] = e;
2095
2096 return e;
2097}
2098
2099static struct connection_list *
2108
2109static struct connection_entry *
2110alloc_connection_entry(struct options *options, const msglvl_t msglevel)
2111{
2112 struct connection_list *l = alloc_connection_list_if_undef(options);
2113 struct connection_entry *e;
2114
2115 if (l->len == l->capacity)
2116 {
2117 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2118 struct connection_entry **ce =
2119 gc_realloc(l->array, capacity * sizeof(struct connection_entry *), &options->gc);
2120 if (ce == NULL)
2121 {
2122 msg(msglevel,
2123 "Unable to process more connection options: out of memory. Number of entries = %d",
2124 l->len);
2125 return NULL;
2126 }
2127 l->array = ce;
2128 l->capacity = capacity;
2129 }
2130 ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2131 l->array[l->len++] = e;
2132 return e;
2133}
2134
2135static struct remote_list *
2136alloc_remote_list_if_undef(struct options *options)
2137{
2138 if (!options->remote_list)
2139 {
2140 ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2141 }
2142 return options->remote_list;
2143}
2144
2145static struct remote_entry *
2146alloc_remote_entry(struct options *options, const msglvl_t msglevel)
2147{
2148 struct remote_list *l = alloc_remote_list_if_undef(options);
2149 struct remote_entry *e;
2150
2151 if (l->len == l->capacity)
2152 {
2153 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2154 struct remote_entry **re =
2155 gc_realloc(l->array, capacity * sizeof(struct remote_entry *), &options->gc);
2156 if (re == NULL)
2157 {
2158 msg(msglevel,
2159 "Unable to process more remote options: out of memory. Number of entries = %d",
2160 l->len);
2161 return NULL;
2162 }
2163 l->array = re;
2164 l->capacity = capacity;
2165 }
2166 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2167 l->array[l->len++] = e;
2168 return e;
2169}
2170
2171static struct pull_filter_list *
2172alloc_pull_filter_list(struct options *o)
2173{
2174 if (!o->pull_filter_list)
2175 {
2176 ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2177 }
2178 return o->pull_filter_list;
2179}
2180
2181static struct pull_filter *
2182alloc_pull_filter(struct options *o)
2183{
2184 struct pull_filter_list *l = alloc_pull_filter_list(o);
2185 struct pull_filter *f;
2186
2187 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2188 if (l->head)
2189 {
2190 ASSERT(l->tail);
2191 l->tail->next = f;
2192 }
2193 else
2194 {
2195 ASSERT(!l->tail);
2196 l->head = f;
2197 }
2198 l->tail = f;
2199 return f;
2200}
2201
2202static void
2203connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2204{
2205 if (re->remote)
2206 {
2207 ce->remote = re->remote;
2208 }
2209 if (re->remote_port)
2210 {
2211 ce->remote_port = re->remote_port;
2212 }
2213 if (re->proto >= 0)
2214 {
2215 ce->proto = re->proto;
2216 }
2217 if (re->af > 0)
2218 {
2219 ce->af = re->af;
2220 }
2221}
2222
2223static void
2224connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
2225{
2226 if (key_file && *key_file && !(*key_inline))
2227 {
2228 struct buffer in = buffer_read_from_file(*key_file, gc);
2229 if (!buf_valid(&in))
2230 {
2231 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2232 }
2233
2234 *key_file = (const char *)in.data;
2235 *key_inline = true;
2236 }
2237}
2238
2239static void
2240check_ca_required(const struct options *options)
2241{
2242#ifdef ENABLE_CRYPTO_MBEDTLS
2243 if (options->ca_path)
2244 {
2245 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN.");
2246 }
2247#endif
2248
2249 if (options->verify_hash_no_ca || options->pkcs12_file || options->ca_file
2250#ifndef ENABLE_CRYPTO_MBEDTLS
2251 || options->ca_path
2252#endif
2253 )
2254 {
2255 return;
2256 }
2257
2258 const char *const str = "You must define CA file (--ca)"
2259#ifndef ENABLE_CRYPTO_MBEDTLS
2260 " or CA path (--capath)"
2261#endif
2262 " and/or peer fingerprint verification (--peer-fingerprint)";
2263 msg(M_USAGE, "%s", str);
2264}
2265
2266#define MUST_BE_UNDEF(parm, parm_name) \
2267 if (options->parm != defaults.parm) \
2268 { \
2269 msg(M_USAGE, use_err, parm_name); \
2270 }
2271#define MUST_BE_FALSE(condition, parm_name) \
2272 if (condition) \
2273 { \
2274 msg(M_USAGE, use_err, parm_name); \
2275 }
2276
2277static void
2278options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
2279{
2280 struct options defaults;
2281 int dev = DEV_TYPE_UNDEF;
2282 bool pull = false;
2283
2284 init_options(&defaults, true);
2285
2286 if (options->test_crypto)
2287 {
2288 notnull(options->shared_secret_file, "key file (--secret)");
2289 }
2290 else
2291 {
2292 notnull(options->dev, "TUN/TAP device (--dev)");
2293 }
2294
2295 /*
2296 * Get tun/tap/null device type
2297 */
2298 dev = dev_type_enum(options->dev, options->dev_type);
2299
2300 /*
2301 * If "proto tcp" is specified, make sure we know whether it is
2302 * tcp-client or tcp-server.
2303 */
2304 if (ce->proto == PROTO_TCP)
2305 {
2306 msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify "
2307 "--proto tcp-server or --proto tcp-client");
2308 }
2309
2310 /*
2311 * Sanity check on Client mode
2312 */
2313
2314 if (options->mode != MODE_SERVER && ce->local_list->len > 1)
2315 {
2316 msg(M_USAGE, "multiple --local statements only allowed in --server mode");
2317 }
2318
2319 if (options->lladdr && dev != DEV_TYPE_TAP)
2320 {
2321 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2322 }
2323
2324 /*
2325 * Sanity check on MTU parameters
2326 */
2327 if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2328 {
2329 msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2330 }
2331
2332 if (!proto_is_udp(ce->proto) && options->mtu_test)
2333 {
2334 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2335 }
2336
2337 /* will we be pulling options from server? */
2338 pull = options->pull;
2339
2340 /*
2341 * Sanity check on --local, --remote, and --ifconfig
2342 */
2343
2344 if (string_defined_equal(ce->remote, options->ifconfig_local)
2345 || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2346 {
2347 msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig "
2348 "addresses");
2349 }
2350
2351 if (string_defined_equal(options->ifconfig_local, options->ifconfig_remote_netmask))
2352 {
2353 msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
2354 }
2355
2356 if (ce->bind_defined && !ce->bind_local)
2357 {
2358 msg(M_USAGE, "--bind and --nobind can't be used together");
2359 }
2360
2361 if (ce->local_port_defined && !ce->bind_local)
2362 {
2363 msg(M_USAGE, "--lport and --nobind don't make sense when used together");
2364 }
2365
2366 if (!ce->remote && !ce->bind_local)
2367 {
2368 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2369 }
2370
2371 for (int i = 0; i < ce->local_list->len; i++)
2372 {
2373 struct local_entry *le = ce->local_list->array[i];
2374
2375 if (proto_is_net(le->proto) && string_defined_equal(le->local, ce->remote)
2376 && string_defined_equal(le->port, ce->remote_port))
2377 {
2378 msg(M_USAGE, "--remote and one of the --local addresses are the same");
2379 }
2380
2381 if (string_defined_equal(le->local, options->ifconfig_local)
2382 || string_defined_equal(le->local, options->ifconfig_remote_netmask))
2383 {
2384 msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2385 }
2386
2387 if (le->local && !ce->bind_local)
2388 {
2389 msg(M_USAGE, "--local and --nobind don't make sense when used together");
2390 }
2391 }
2392
2393 /*
2394 * Check for consistency of management options
2395 */
2396#ifdef ENABLE_MANAGEMENT
2397 if (!options->management_addr
2398 && (options->management_flags
2399 || options->management_log_history_cache != defaults.management_log_history_cache))
2400 {
2401 msg(M_USAGE,
2402 "--management is not specified, however one or more options which modify the behavior of --management were specified");
2403 }
2404
2405 if ((options->management_client_user || options->management_client_group)
2406 && !(options->management_flags & MF_UNIX_SOCK))
2407 {
2408 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2409 }
2410
2411 if (options->management_addr && !(options->management_flags & MF_UNIX_SOCK)
2412 && (!options->management_user_pass))
2413 {
2414 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2415 "passwords is STRONGLY discouraged and considered insecure");
2416 }
2417
2418#endif /* ifdef ENABLE_MANAGEMENT */
2419
2420#if !defined(HAVE_XKEY_PROVIDER)
2421 if ((tls_version_max() >= TLS_VER_1_3) && (options->management_flags & MF_EXTERNAL_KEY)
2422 && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING)))
2423 {
2424 msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2425 "nopadding argument/support");
2426 }
2427#endif
2428 /*
2429 * Windows-specific options.
2430 */
2431
2432#ifdef _WIN32
2433 if (dev == DEV_TYPE_TUN
2434 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2435 {
2436 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2437 }
2438
2439 if ((options->tuntap_options.ip_win32_defined)
2440 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2441 {
2442 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2443 }
2444
2445 if (options->tuntap_options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
2446 {
2447 const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
2448 if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
2449 {
2450 msg(M_USAGE, "%s, which is not supported by the selected %s driver", prefix,
2451 print_tun_backend_driver(options->windows_driver));
2452 }
2453 else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2454 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2455 {
2456 msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive", prefix);
2457 }
2458 }
2459#endif /* ifdef _WIN32 */
2460
2461 /*
2462 * Check that protocol options make sense.
2463 */
2464
2465#ifdef ENABLE_FRAGMENT
2466 if (!proto_is_udp(ce->proto) && ce->fragment)
2467 {
2468 msg(M_USAGE, "--fragment can only be used with --proto udp");
2469 }
2470#endif
2471
2472 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2473 {
2474 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2475 }
2476
2477 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2478 {
2479 msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2480 "tcp-client)");
2481 }
2482
2483 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2484 {
2485 msg(M_USAGE, "--http-proxy not specified but other http proxy options present");
2486 }
2487
2488 if (ce->http_proxy_options && ce->socks_proxy_server)
2489 {
2490 msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy");
2491 }
2492
2493 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2494 {
2495 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2496 }
2497
2498 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2499 {
2500 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2501 }
2502
2503 /*
2504 * Check consistency of --mode server options.
2505 */
2506 if (options->mode == MODE_SERVER)
2507 {
2508 const char use_err[] = "--%s cannot be used with --mode server.";
2509
2510#define USAGE_VALID_SERVER_PROTOS \
2511 "--mode server currently only supports " \
2512 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2513#ifdef TARGET_ANDROID
2514 msg(M_FATAL, "--mode server not supported on Android");
2515#endif
2516 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2517 {
2518 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2519 }
2520 MUST_BE_UNDEF(pull, "pull");
2521 if (options->pull_filter_list)
2522 {
2523 msg(M_WARN, "--pull-filter ignored for --mode server");
2524 }
2525 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2526 {
2527 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2528 }
2529#if PORT_SHARE
2530 if ((options->port_share_host || options->port_share_port)
2531 && (ce->proto != PROTO_TCP_SERVER))
2532 {
2533 msg(M_USAGE, "--port-share only works in TCP server mode "
2534 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2535 }
2536#endif
2537 if (!options->tls_server)
2538 {
2539 msg(M_USAGE, "--mode server requires --tls-server");
2540 }
2541 MUST_BE_FALSE(ce->remote, "remote");
2542 MUST_BE_FALSE(!ce->bind_local, "nobind");
2543 MUST_BE_FALSE(ce->http_proxy_options, "http-proxy");
2544 MUST_BE_FALSE(ce->socks_proxy_server, "socks-proxy");
2545 /* <connection> blocks force to have a remote embedded, so we check
2546 * for the --remote and bail out if it is present
2547 */
2548 if (options->connection_list->len > 1 || options->connection_list->array[0]->remote)
2549 {
2550 msg(M_USAGE, "<connection> cannot be used with --mode server");
2551 }
2552
2553 MUST_BE_UNDEF(shaper, "shaper");
2554 if (options->ipchange)
2555 {
2556 msg(M_USAGE, "--ipchange cannot be used with --mode server (use "
2557 "--client-connect instead)");
2558 }
2559 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2560 {
2561 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2562 }
2563 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2564 {
2565 msg(M_USAGE,
2566 "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2567 }
2568 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET))
2569 && options->ifconfig_pool_netmask)
2570 {
2571 msg(M_USAGE,
2572 "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2573 }
2574 if (options->routes && (options->routes->flags & RG_ENABLE))
2575 {
2576 msg(M_USAGE,
2577 "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2578 }
2579 MUST_BE_UNDEF(route_delay_defined, "route-delay");
2580 MUST_BE_UNDEF(up_delay, "up-delay");
2581 if (!options->ifconfig_pool_defined && !options->ifconfig_ipv6_pool_defined
2582 && options->ifconfig_pool_persist_filename)
2583 {
2584 msg(M_USAGE,
2585 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2586 }
2587 if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2588 {
2589 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2590 }
2591 MUST_BE_UNDEF(allow_recursive_routing, "allow-recursive-routing");
2592 if (options->auth_user_pass_file)
2593 {
2594 msg(M_USAGE,
2595 "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2596 }
2597 if (options->ccd_exclusive && !options->client_config_dir)
2598 {
2599 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2600 }
2601 if (options->auth_token_generate && !options->renegotiate_seconds)
2602 {
2603 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2604 "--renegotiate_seconds setting");
2605 }
2606 if (options->auth_token_generate && options->auth_token_renewal
2607 && options->auth_token_renewal < 2 * options->handshake_window)
2608 {
2609 msg(M_USAGE,
2610 "--auth-gen-token renewal time needs to be at least "
2611 " two times --hand-window (%d).",
2612 options->handshake_window);
2613 }
2614 if (!options->auth_user_pass_verify_script && !PLUGIN_OPTION_LIST(options)
2615 && !MAN_CLIENT_AUTH_ENABLED(options))
2616 {
2617 const char *use_err =
2618 "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2619
2620 MUST_BE_FALSE(options->ssl_flags
2621 & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL),
2622 "verify-client-cert none|optional");
2623 MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME,
2624 "username-as-common-name");
2625 MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL,
2626 "auth-user-pass-optional");
2627 }
2628
2629 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2630 {
2631 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2632 }
2633 if (!options->vlan_tagging)
2634 {
2635 const char use_err[] = "--%s requires --vlan-tagging";
2636 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2637 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2638 }
2639 }
2640 else
2641 {
2642 const char use_err[] = "--%s requires --mode server";
2643 /*
2644 * When not in server mode, err if parameters are
2645 * specified which require --mode server.
2646 */
2647 MUST_BE_UNDEF(ifconfig_pool_defined, "ifconfig-pool");
2648 MUST_BE_UNDEF(ifconfig_pool_persist_filename, "ifconfig-pool-persist");
2649 MUST_BE_UNDEF(ifconfig_ipv6_pool_defined, "ifconfig-ipv6-pool");
2650 MUST_BE_UNDEF(real_hash_size, "hash-size");
2651 MUST_BE_UNDEF(virtual_hash_size, "hash-size");
2652 MUST_BE_UNDEF(learn_address_script, "learn-address");
2653 MUST_BE_UNDEF(client_connect_script, "client-connect");
2654 MUST_BE_UNDEF(client_crresponse_script, "client-crresponse");
2655 MUST_BE_UNDEF(client_disconnect_script, "client-disconnect");
2656 MUST_BE_UNDEF(client_config_dir, "client-config-dir");
2657 MUST_BE_UNDEF(ccd_exclusive, "ccd-exclusive");
2658 MUST_BE_UNDEF(enable_c2c, "client-to-client");
2659 MUST_BE_UNDEF(duplicate_cn, "duplicate-cn");
2660 MUST_BE_UNDEF(cf_max, "connect-freq");
2661 MUST_BE_UNDEF(cf_per, "connect-freq");
2662 MUST_BE_FALSE(options->ssl_flags
2663 & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL),
2664 "verify-client-cert");
2665 MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name");
2666 MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional");
2667 if (options->server_flags & SF_TCP_NODELAY_HELPER)
2668 {
2669 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2670 "affect the server. To have TCP_NODELAY in both direction use "
2671 "tcp-nodelay in the server configuration instead.");
2672 }
2673 MUST_BE_UNDEF(auth_user_pass_verify_script, "auth-user-pass-verify");
2674 MUST_BE_UNDEF(auth_token_generate, "auth-gen-token");
2675#if PORT_SHARE
2676 if (options->port_share_host || options->port_share_port)
2677 {
2678 msg(M_USAGE,
2679 "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2680 }
2681#endif
2682 MUST_BE_UNDEF(stale_routes_check_interval, "stale-routes-check");
2683 MUST_BE_UNDEF(vlan_tagging, "vlan-tagging");
2684 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2685 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2686 MUST_BE_UNDEF(force_key_material_export, "force-key-material-export");
2687
2688 if (options->push_list.head)
2689 {
2690 msg(M_WARN, "Note: Using --push without --mode server is an "
2691 "unsupported configuration. Negotiation of OpenVPN "
2692 "features is expected to fail.");
2693 }
2694 }
2695
2696 /*
2697 * SSL/TLS mode sanity checks.
2698 */
2699 if (options->tls_server + options->tls_client + (options->shared_secret_file != NULL) > 1)
2700 {
2701 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2702 }
2703
2704 if (!options->tls_server && !options->tls_client)
2705 {
2706 msglvl_t msglevel = M_USAGE;
2707 if (options->allow_deprecated_insecure_static_crypto)
2708 {
2709 msglevel = M_INFO;
2710 }
2711
2712 msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
2713 "configuration detected. OpenVPN 2.8 will remove the "
2714 "functionality to run a VPN without TLS. "
2715 "See the examples section in the manual page for "
2716 "examples of a similar quick setup with peer-fingerprint. "
2717 "OpenVPN 2.7 allows using this configuration when using "
2718 "--allow-deprecated-insecure-static-crypto but you should move "
2719 "to a proper configuration using TLS as soon as possible.");
2720 }
2721
2722 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL))
2723 {
2724 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2725 "--verify-client-cert none|optional "
2726 "may accept clients which do not present a certificate");
2727 }
2728
2729 const unsigned int tls_version_max =
2730 (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
2731 const unsigned int tls_version_min =
2732 (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
2733
2734 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2735 {
2736 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2737 }
2738
2739 if (options->tls_server || options->tls_client)
2740 {
2741 check_ca_required(options);
2742#ifdef ENABLE_PKCS11
2743 if (!options->pkcs11_providers[0] && options->pkcs11_id)
2744 {
2745 msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2746 }
2747 else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2748 {
2749 msg(M_WARN,
2750 "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2751 }
2752
2753 if (options->pkcs11_providers[0])
2754 {
2755 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2756 {
2757 msg(M_USAGE,
2758 "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2759 }
2760 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2761 {
2762 msg(M_USAGE,
2763 "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2764 }
2765 const char use_err[] =
2766 "Parameter --%s cannot be used when --pkcs11-provider is also specified.";
2767 MUST_BE_UNDEF(cert_file, "cert");
2768 MUST_BE_UNDEF(priv_key_file, "key");
2769 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2770 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2771 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2772#ifdef ENABLE_CRYPTOAPI
2773 MUST_BE_UNDEF(cryptoapi_cert, "cryptoapicert");
2774#endif
2775 }
2776 else
2777#endif /* ifdef ENABLE_PKCS11 */
2778#ifdef ENABLE_CRYPTOAPI
2779 if (options->cryptoapi_cert)
2780 {
2781 const char use_err[] =
2782 "Parameter --%s cannot be used when --cryptoapicert is also specified.";
2783 MUST_BE_UNDEF(cert_file, "cert");
2784 MUST_BE_UNDEF(priv_key_file, "key");
2785 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2786 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2787 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2788 }
2789 else
2790#endif
2791 if (options->pkcs12_file)
2792 {
2793#ifdef ENABLE_CRYPTO_MBEDTLS
2794 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN.");
2795#else
2796 const char use_err[] = "Parameter --%s cannot be used when --pkcs12 is also specified.";
2797 MUST_BE_UNDEF(ca_path, "capath");
2798 MUST_BE_UNDEF(cert_file, "cert");
2799 MUST_BE_UNDEF(priv_key_file, "key");
2800 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2801 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2802#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2803 }
2804 else /* cert/key from none of pkcs11, pkcs12, cryptoapi */
2805 {
2806 if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2807 {
2808 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2809 }
2810 if ((options->management_flags & MF_EXTERNAL_CERT))
2811 {
2812 if (options->cert_file)
2813 {
2814 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2815 }
2816 else if (!(options->management_flags & MF_EXTERNAL_KEY))
2817 {
2818 msg(M_USAGE,
2819 "--management-external-cert must be used with --management-external-key");
2820 }
2821 }
2822 if (pull)
2823 {
2824 const int sum =
2825 ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2826 + ((options->priv_key_file != NULL)
2827 || (options->management_flags & MF_EXTERNAL_KEY));
2828
2829 if (sum == 0)
2830 {
2831 if (!options->auth_user_pass_file)
2832 {
2833 msg(M_USAGE, "No client-side authentication method is "
2834 "specified. You must use either "
2835 "--cert/--key, --pkcs12, or "
2836 "--auth-user-pass");
2837 }
2838 }
2839 else if (sum != 2)
2840 {
2841 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2842 }
2843 }
2844 else
2845 {
2846 if (!(options->management_flags & MF_EXTERNAL_CERT))
2847 {
2848 notnull(options->cert_file,
2849 "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2850 }
2851 if (!(options->management_flags & MF_EXTERNAL_KEY))
2852 {
2853 notnull(options->priv_key_file,
2854 "private key file (--key) or PKCS#12 file (--pkcs12)");
2855 }
2856 }
2857 }
2858 if (ce->tls_auth_file && ce->tls_crypt_file)
2859 {
2860 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2861 }
2862 if (options->tls_client && ce->tls_crypt_v2_file
2863 && (ce->tls_auth_file || ce->tls_crypt_file))
2864 {
2865 msg(M_USAGE,
2866 "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2867 }
2868 }
2869 else
2870 {
2871 /*
2872 * Make sure user doesn't specify any TLS options
2873 * when in non-TLS mode.
2874 */
2875
2876 const char use_err[] = "Parameter %s can only be specified in TLS-mode, "
2877 "i.e. where --tls-server or --tls-client is also specified.";
2878
2879 MUST_BE_UNDEF(ca_file, "ca");
2880 MUST_BE_UNDEF(ca_path, "capath");
2881 MUST_BE_UNDEF(dh_file, "dh");
2882 MUST_BE_UNDEF(cert_file, "cert");
2883 MUST_BE_UNDEF(priv_key_file, "key");
2884#ifndef ENABLE_CRYPTO_MBEDTLS
2885 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2886#endif
2887 MUST_BE_UNDEF(cipher_list, "tls-cipher");
2888 MUST_BE_UNDEF(cipher_list_tls13, "tls-ciphersuites");
2889 MUST_BE_UNDEF(tls_cert_profile, "tls-cert-profile");
2890 MUST_BE_UNDEF(tls_verify, "tls-verify");
2891 MUST_BE_UNDEF(tls_export_peer_cert_dir, "tls-export-cert");
2892 MUST_BE_UNDEF(verify_x509_name, "verify-x509-name");
2893 MUST_BE_UNDEF(tls_timeout, "tls-timeout");
2894 MUST_BE_UNDEF(renegotiate_bytes, "reneg-bytes");
2895 MUST_BE_UNDEF(renegotiate_packets, "reneg-pkts");
2896 MUST_BE_UNDEF(renegotiate_seconds, "reneg-sec");
2897 MUST_BE_UNDEF(handshake_window, "hand-window");
2898 MUST_BE_UNDEF(transition_window, "tran-window");
2899 MUST_BE_UNDEF(tls_auth_file, "tls-auth");
2900 MUST_BE_UNDEF(tls_crypt_file, "tls-crypt");
2901 MUST_BE_UNDEF(tls_crypt_v2_file, "tls-crypt-v2");
2902 MUST_BE_UNDEF(single_session, "single-session");
2903 MUST_BE_UNDEF(push_peer_info, "push-peer-info");
2904 MUST_BE_UNDEF(tls_exit, "tls-exit");
2905 MUST_BE_UNDEF(crl_file, "crl-verify");
2906 MUST_BE_UNDEF(ns_cert_type, "ns-cert-type");
2907 MUST_BE_UNDEF(remote_cert_ku[0], "remote-cert-ku");
2908 MUST_BE_UNDEF(remote_cert_eku, "remote-cert-eku");
2909#ifdef ENABLE_PKCS11
2910 MUST_BE_UNDEF(pkcs11_providers[0], "pkcs11-providers");
2911 MUST_BE_UNDEF(pkcs11_private_mode[0], "pkcs11-private-mode");
2912 MUST_BE_UNDEF(pkcs11_id, "pkcs11-id");
2913 MUST_BE_UNDEF(pkcs11_id_management, "pkcs11-id-management");
2914#endif
2915
2916 if (pull)
2917 {
2918 msg(M_USAGE, use_err, "--pull");
2919 }
2920 }
2921 if (options->auth_user_pass_file && !options->pull)
2922 {
2923 msg(M_USAGE, "--auth-user-pass requires --pull");
2924 }
2925
2926 uninit_options(&defaults);
2927}
2928
2929#undef MUST_BE_UNDEF
2930#undef MUST_BE_FALSE
2931
2932static void
2933options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
2934{
2935 const int dev = dev_type_enum(o->dev, o->dev_type);
2936
2937 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
2938 {
2939 if (ce->proto == PROTO_TCP)
2940 {
2941 ce->proto = PROTO_TCP_SERVER;
2942 o->ce.proto = ce->proto;
2943 }
2944 }
2945
2946 if (o->mode != MODE_SERVER)
2947 {
2948 if (ce->proto == PROTO_TCP)
2949 {
2950 ce->proto = PROTO_TCP_CLIENT;
2951 o->ce.proto = ce->proto;
2952 }
2953 }
2954
2955 /* an option is present that requires local bind to enabled */
2956 bool need_bind = ce->local_port_defined || ce->bind_defined || ce->local_list;
2957
2958 /* socks proxy is enabled */
2959 bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
2960
2961 /* If binding is not forced by an explicit option and we have (at least)
2962 * one of --tcp-client, --pull (or --client), or socks we do not bind
2963 * locally to have "normal" IP client behaviour of a random source port */
2964 if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
2965 {
2966 ce->bind_local = false;
2967 }
2968
2969 if (!ce->bind_local)
2970 {
2971 ce->local_port = NULL;
2972 }
2973
2974 /* if protocol forcing is enabled, disable all protocols
2975 * except for the forced one
2976 */
2977 if (o->proto_force >= 0 && o->proto_force != ce->proto)
2978 {
2979 ce->flags |= CE_DISABLED;
2980 }
2981
2982 if (ce->http_proxy_options)
2983 {
2984 ce->http_proxy_options->nocache = ssl_get_auth_nocache();
2985 }
2986
2987 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
2988 * so fall back to IPv4-only (trac #1221)
2989 */
2990 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
2991 {
2992 if (ce->af == AF_INET6)
2993 {
2994 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
2995 "'--socks-proxy' today. Forcing IPv4 mode.");
2996 }
2997 else
2998 {
2999 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
3000 "work correctly with '--socks-proxy' today. Forcing IPv4.");
3001 }
3002 ce->af = AF_INET;
3003 }
3004
3005 /*
3006 * Set MTU defaults
3007 */
3008 {
3009 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
3010 {
3011 ce->tun_mtu_defined = true;
3012 }
3013 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3014 {
3015 ce->tun_mtu_extra_defined = true;
3016 ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
3017 }
3018 }
3019
3020 /*
3021 * If --mssfix is supplied without a parameter or not specified at all,
3022 * default it to --fragment value, if --fragment is specified and otherwise
3023 * to the default if tun-mtu is 1500
3024 */
3025 if (o->ce.mssfix_default)
3026 {
3027#ifdef ENABLE_FRAGMENT
3028 if (ce->fragment)
3029 {
3030 ce->mssfix = ce->fragment;
3031 }
3032 else
3033#endif
3034 if (ce->tun_mtu_defined)
3035 {
3036 if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3037 {
3038 /* We want to only set mssfix default value if we use a default
3039 * MTU Size, otherwise the different size of tun should either
3040 * already solve the problem or mssfix might artifically make the
3041 * payload packets smaller without mssfix 0 */
3042 ce->mssfix = MSSFIX_DEFAULT;
3043 ce->mssfix_encap = true;
3044 }
3045 else
3046 {
3047 /* We still apply the mssfix value but only adjust it to the
3048 * size of the tun interface. */
3049 ce->mssfix = ce->tun_mtu;
3050 ce->mssfix_fixed = true;
3051 }
3052 }
3053 }
3054
3055 /*
3056 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3057 *
3058 * At the end only one of these will be really set because the parser
3059 * logic prevents configurations where more are set.
3060 */
3061 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3062 {
3063 ce->tls_auth_file = o->tls_auth_file;
3064 ce->tls_auth_file_inline = o->tls_auth_file_inline;
3065 ce->key_direction = o->key_direction;
3066
3067 ce->tls_crypt_file = o->tls_crypt_file;
3068 ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3069
3070 ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3071 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3072 }
3073
3074 /* Pre-cache tls-auth/crypt(-v2) key file if
3075 * keys were not already embedded in the config file.
3076 */
3077 connection_entry_preload_key(&ce->tls_auth_file, &ce->tls_auth_file_inline, &o->gc);
3078 connection_entry_preload_key(&ce->tls_crypt_file, &ce->tls_crypt_file_inline, &o->gc);
3079 connection_entry_preload_key(&ce->tls_crypt_v2_file, &ce->tls_crypt_v2_file_inline, &o->gc);
3080
3081
3082 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3083 {
3084 msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3085 ce->explicit_exit_notification = 0;
3086 }
3087}
3088
3089static void
3090options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
3091{
3092 /* use the global port if none is specified */
3093 if (!le->port)
3094 {
3095 le->port = ce->local_port;
3096 }
3097 /* use the global proto if none is specified and
3098 * allow proto bindings on server mode only */
3099 if (!le->proto || mode == MODE_POINT_TO_POINT)
3100 {
3101 le->proto = ce->proto;
3102 }
3103}
3104
3105#ifdef _WIN32
3106/* If iservice is in use, we need def1 method for redirect-gateway */
3107static void
3108remap_redirect_gateway_flags(struct options *opt)
3109{
3110 if (opt->routes && opt->route_method == ROUTE_METHOD_SERVICE
3111 && opt->routes->flags & RG_REROUTE_GW && !(opt->routes->flags & RG_DEF1))
3112 {
3113 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3114 opt->routes->flags |= RG_DEF1;
3115 }
3116}
3117#endif /* ifdef _WIN32 */
3118
3119/*
3120 * Save/Restore certain option defaults before --pull is applied.
3121 */
3122
3123static void
3124pre_connect_save(struct options *o)
3125{
3126 ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3127 o->pre_connect->tuntap_options = o->tuntap_options;
3128 o->pre_connect->tuntap_options_defined = true;
3129 o->pre_connect->foreign_option_index = o->foreign_option_index;
3130
3131 if (o->routes)
3132 {
3133 o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3134 o->pre_connect->routes_defined = true;
3135 }
3136 if (o->routes_ipv6)
3137 {
3138 o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3139 o->pre_connect->routes_ipv6_defined = true;
3140 }
3141 if (o->client_nat)
3142 {
3143 o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3144 o->pre_connect->client_nat_defined = true;
3145 }
3146
3147 o->pre_connect->ifconfig_local = o->ifconfig_local;
3148 o->pre_connect->ifconfig_ipv6_local = o->ifconfig_ipv6_local;
3149
3150 o->pre_connect->route_default_gateway = o->route_default_gateway;
3151 o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3152
3153 o->pre_connect->dns_options = clone_dns_options(&o->dns_options, &o->gc);
3154
3155 /* NCP related options that can be overwritten by a push */
3156 o->pre_connect->ciphername = o->ciphername;
3157 o->pre_connect->authname = o->authname;
3158
3159 /* Ping related options should be reset to the config values on reconnect */
3160 o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3161 o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3162 o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3163
3164 /* Miscellaneous Options */
3165 o->pre_connect->comp = o->comp;
3166}
3167
3168void
3169pre_connect_restore(struct options *o, struct gc_arena *gc)
3170{
3171 const struct options_pre_connect *pp = o->pre_connect;
3172 if (pp)
3173 {
3174 CLEAR(o->tuntap_options);
3175 if (pp->tuntap_options_defined)
3176 {
3177 o->tuntap_options = pp->tuntap_options;
3178 }
3179
3180 if (pp->routes_defined)
3181 {
3182 rol_check_alloc(o);
3183 copy_route_option_list(o->routes, pp->routes, gc);
3184 }
3185 else
3186 {
3187 o->routes = NULL;
3188 }
3189
3190 if (pp->routes_ipv6_defined)
3191 {
3192 rol6_check_alloc(o);
3193 copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3194 }
3195 else
3196 {
3197 o->routes_ipv6 = NULL;
3198 }
3199
3200 o->ifconfig_local = pp->ifconfig_local;
3201 o->ifconfig_ipv6_local = pp->ifconfig_ipv6_local;
3202
3203 o->route_default_gateway = pp->route_default_gateway;
3204 o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3205
3206 /* Free DNS options and reset them to pre-pull state */
3207 gc_free(&o->dns_options.gc);
3208 struct gc_arena dns_gc = gc_new();
3209 o->dns_options = clone_dns_options(&pp->dns_options, &dns_gc);
3210 o->dns_options.gc = dns_gc;
3211
3212 if (pp->client_nat_defined)
3213 {
3214 cnol_check_alloc(o);
3215 copy_client_nat_option_list(o->client_nat, pp->client_nat);
3216 }
3217 else
3218 {
3219 o->client_nat = NULL;
3220 }
3221
3222 o->foreign_option_index = pp->foreign_option_index;
3223
3224 o->ciphername = pp->ciphername;
3225 o->authname = pp->authname;
3226
3227 o->ping_rec_timeout = pp->ping_rec_timeout;
3228 o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3229 o->ping_send_timeout = pp->ping_send_timeout;
3230
3231 /* Miscellaneous Options */
3232 o->comp = pp->comp;
3233 }
3234
3235 o->push_continuation = 0;
3236 o->push_option_types_found = 0;
3237 o->imported_protocol_flags = 0;
3238}
3239
3240static void
3241options_postprocess_mutate_invariant(struct options *options)
3242{
3243#ifdef _WIN32
3244 const int dev = dev_type_enum(options->dev, options->dev_type);
3245
3246 /* when using ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3247 if ((options->windows_driver == DRIVER_DCO)
3248 && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3249 || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3250 {
3251 options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3252 }
3253
3254 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3255 {
3256 /* delay may only be necessary when we perform DHCP handshake */
3257 const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3258 || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3259 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3260 {
3261 options->route_delay_defined = true;
3262 options->route_delay = 5; /* Vista sometimes has a race without this */
3263 }
3264 }
3265
3266 if (options->ifconfig_noexec)
3267 {
3268 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3269 options->ifconfig_noexec = false;
3270 }
3271
3272 remap_redirect_gateway_flags(options);
3273
3274 /*
3275 * Check consistency of --mode server options.
3276 */
3277 if (options->mode == MODE_SERVER)
3278 {
3279 /*
3280 * We need to explicitly set --tap-sleep because
3281 * we do not schedule event timers in the top-level context.
3282 */
3283 options->tuntap_options.tap_sleep = 10;
3284 if (options->route_delay_defined && options->route_delay)
3285 {
3286 options->tuntap_options.tap_sleep = options->route_delay;
3287 }
3288 options->route_delay_defined = false;
3289 }
3290#endif /* ifdef _WIN32 */
3291
3292#ifdef DEFAULT_PKCS11_MODULE
3293 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3294 * by default if the user asks for PKCS#11 without otherwise specifying
3295 * the module to use. */
3296 if (!options->pkcs11_providers[0] && (options->pkcs11_id || options->pkcs11_id_management))
3297 {
3298 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3299 }
3300#endif
3301}
3302
3303static void
3304options_postprocess_verify(const struct options *o)
3305{
3306 if (o->connection_list)
3307 {
3308 int i;
3309 for (i = 0; i < o->connection_list->len; ++i)
3310 {
3311 options_postprocess_verify_ce(o, o->connection_list->array[i]);
3312 }
3313 }
3314 else
3315 {
3316 options_postprocess_verify_ce(o, &o->ce);
3317 }
3318
3319 dns_options_verify(M_FATAL, &o->dns_options);
3320
3321 if (dco_enabled(o))
3322 {
3323 if (o->enable_c2c)
3324 {
3325 msg(M_WARN, "Note: --client-to-client has no effect when using data "
3326 "channel offload: packets are always sent to the VPN "
3327 "interface and then routed based on the system routing table");
3328 }
3329
3330 if (o->renegotiate_bytes > 0 || o->renegotiate_packets)
3331 {
3332 msg(M_WARN, "Note: '--reneg-bytes' and '--reneg-pkts' are not supported "
3333 "by data channel offload; automatic key renegotiation "
3334 "mechanisms are sufficient for modern ciphers. "
3335 "Ignoring these options.");
3336 }
3337 }
3338}
3339
3340static void
3341options_postprocess_cipher(struct options *o)
3342{
3343 if (!o->pull && !(o->mode == MODE_SERVER))
3344 {
3345 /* If the cipher is not set, use the old default of BF-CBC. We will
3346 * warn that this is deprecated on cipher initialisation, no need
3347 * to warn here as well */
3348 if (!o->ciphername)
3349 {
3350 o->ciphername = "BF-CBC";
3351 }
3352 else
3353 {
3354 o->enable_ncp_fallback = true;
3355 }
3356 return;
3357 }
3358
3359 /* pull or P2MP mode */
3360 if (!o->ciphername)
3361 {
3362 /* We still need to set the ciphername to BF-CBC since various other
3363 * parts of OpenVPN assert that the ciphername is set */
3364 o->ciphername = "BF-CBC";
3365
3366 msg(M_INFO,
3367 "Note: --cipher is not set. OpenVPN versions before 2.5 "
3368 "defaulted to BF-CBC as fallback when cipher negotiation "
3369 "failed in this case. If you need this fallback please add "
3370 "'--data-ciphers-fallback BF-CBC' to your configuration "
3371 "and/or add BF-CBC to --data-ciphers. E.g. "
3372 "--data-ciphers %s:BF-CBC",
3373 o->ncp_ciphers_conf);
3374 }
3375 else if (!o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3376 {
3377 msg(M_WARN,
3378 "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3379 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3380 "negotiations. ",
3381 o->ciphername, o->ncp_ciphers_conf);
3382 }
3383}
3384
3400static bool
3401need_compatibility_before(const struct options *o, unsigned int version)
3402{
3403 return o->backwards_compatible != 0 && o->backwards_compatible < version;
3404}
3405
3410static void
3411options_set_backwards_compatible_options(struct options *o)
3412{
3413 /* TLS min version is not set */
3414 unsigned int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
3415 if (tls_ver_min == 0)
3416 {
3417 unsigned int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
3418 if (need_compatibility_before(o, 20307))
3419 {
3420 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3421 o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3422 }
3423 else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3424 {
3425 /* Use TLS 1.2 as proper default */
3426 o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3427 }
3428 else
3429 {
3430 /* Maximize the minimum version */
3431 o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3432 }
3433 }
3434
3435 if (need_compatibility_before(o, 20400))
3436 {
3437 if (!o->ciphername)
3438 {
3439 /* If ciphername is not set default to BF-CBC when targeting these
3440 * old versions that do not have NCP */
3441 o->ciphername = "BF-CBC";
3442 }
3443 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3444 * not have OCC strings required for "poor man's NCP" */
3445 o->enable_ncp_fallback = true;
3446 }
3447
3448 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3449 * Version 2.4 probably does not need it but NCP was not so
3450 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3451 * Only do this iff --cipher is set (explicitly or by compat mode
3452 * < 2.4.0, see above). This is not 100% correct backwards compatible
3453 * behaviour but 2.5 already behaved like this */
3454 if (o->ciphername && need_compatibility_before(o, 20500)
3455 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3456 {
3457 append_cipher_to_ncp_list(o, o->ciphername);
3458 }
3459
3460#ifdef USE_COMP
3461 /* Compression is deprecated and we do not want to announce support for it
3462 * by default anymore, additionally DCO breaks with compression.
3463 *
3464 * Disable compression by default starting with 2.6.0 if no other
3465 * compression related option has been explicitly set */
3466 if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
3467 {
3468 if (!comp_non_stub_enabled(&o->comp))
3469 {
3470 o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
3471 }
3472 }
3473#else /* ifdef USE_COMP */
3474 o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;
3475#endif
3476}
3477
3478static void
3479options_process_mutate_prf(struct options *o)
3480{
3481 if (!check_tls_prf_working())
3482 {
3483 msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
3484 "supported by the TLS library. Your system does not support this "
3485 "calculation anymore or your security policy (e.g. FIPS 140-2) "
3486 "forbids it. Connections will only work with peers running "
3487 "OpenVPN 2.6.0 or higher)");
3488 if (o->mode == MODE_SERVER)
3489 {
3490 msg(M_WARN, "Automatically enabling option "
3491 "--force-tls-key-material-export");
3492 o->force_key_material_export = true;
3493 }
3494 }
3495}
3496
3497#if defined(_WIN32) || defined(TARGET_ANDROID)
3506static void
3507tuntap_options_postprocess_dns(struct options *o)
3508{
3509 struct dns_options *dns = &o->dns_options;
3510 struct tuntap_options *tt = &o->tuntap_options;
3511 if (!dns->servers)
3512 {
3513 /* Copy --dhcp-options to tuntap_options */
3514 struct dhcp_options *dhcp = &dns->from_dhcp;
3515 ASSERT(sizeof(dhcp->dns) == sizeof(tt->dns));
3516 ASSERT(sizeof(dhcp->dns6) == sizeof(tt->dns6));
3517 ASSERT(sizeof(dhcp->domain_search_list) == sizeof(tt->domain_search_list));
3518
3519 tt->domain = dhcp->domain;
3520 tt->dns_len = dhcp->dns_len;
3521 tt->dns6_len = dhcp->dns6_len;
3522
3523 memcpy(tt->dns, dhcp->dns, sizeof(tt->dns));
3524 memcpy(tt->dns6, dhcp->dns6, sizeof(tt->dns6));
3525
3526 tt->domain_search_list_len = dhcp->domain_search_list_len;
3527 for (size_t i = 0; i < SIZE(tt->domain_search_list); ++i)
3528 {
3529 tt->domain_search_list[i] = dhcp->domain_search_list[i];
3530 }
3531
3532 return;
3533 }
3534
3535#if defined(_WIN32)
3536 if (tt->ip_win32_type != IPW32_SET_DHCP_MASQ && tt->ip_win32_type != IPW32_SET_ADAPTIVE)
3537 {
3538 return; /* Not in DHCP mode */
3539 }
3540#endif /* if defined(_WIN32) */
3541
3542 /* Copy --dns options to tuntap_options */
3543
3544 const struct dns_domain *d = dns->search_domains;
3545 if (d)
3546 {
3547 tt->domain_search_list_len = 0;
3548 }
3549
3550 while (d && tt->domain_search_list_len + 1 < N_SEARCH_LIST_LEN)
3551 {
3552 tt->domain_search_list[tt->domain_search_list_len++] = d->name;
3553 d = d->next;
3554 }
3555 if (d)
3556 {
3557 msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to TUN/TAP");
3558 }
3559
3560 tt->dns_len = 0;
3561 tt->dns6_len = 0;
3562
3563 const struct dns_server *s = dns->servers;
3564 while (s)
3565 {
3566 bool non_standard_server_port = false;
3567 for (int i = 0; i < s->addr_count; ++i)
3568 {
3569 if (s->addr[i].port && s->addr[i].port != 53)
3570 {
3571 non_standard_server_port = true;
3572 break;
3573 }
3574 }
3575 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3576 || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
3577 {
3578 /* Skip servers requiring unsupported config to be set */
3579 s = s->next;
3580 }
3581 else
3582 {
3583 bool overflow = false;
3584 for (int i = 0; i < s->addr_count; ++i)
3585 {
3586 if (s->addr[i].family == AF_INET && tt->dns_len + 1 < N_DHCP_ADDR)
3587 {
3588 tt->dns[tt->dns_len++] = ntohl(s->addr[i].in.a4.s_addr);
3589 }
3590 else if (tt->dns6_len + 1 < N_DHCP_ADDR)
3591 {
3592 tt->dns6[tt->dns6_len++] = s->addr[i].in.a6;
3593 }
3594 else
3595 {
3596 overflow = true;
3597 }
3598 }
3599 if (overflow)
3600 {
3601 msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to TUN/TAP");
3602 }
3603 tt->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
3604 return;
3605 }
3606 }
3607}
3608
3609#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3610
3621static void
3622dhcp_options_postprocess_dns(struct options *o, struct env_set *es)
3623{
3624 struct gc_arena gc = gc_new();
3625 struct dns_options *dns = &o->dns_options;
3626
3627 if (is_tun_afunix(o->dev_node))
3628 {
3629 /* Disable running dns-updown script with lwipovpn */
3630 dns->updown_flags = DNS_UPDOWN_NO_FLAGS;
3631 dns->updown = NULL;
3632 }
3633
3634 if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns))
3635 {
3636 /* Clean up env from --dhcp-option DNS config */
3637 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3638 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3639
3640 const int fo_count = o->foreign_option_index;
3641 o->foreign_option_index = 0;
3642
3643 for (int i = 1; i <= fo_count; ++i)
3644 {
3645 buf_clear(&name);
3646 buf_printf(&name, "foreign_option_%d", i);
3647 const char *env_str = env_set_get(es, BSTR(&name));
3648 const char *item_val = strchr(env_str, '=') + 1;
3649 buf_clear(&value);
3650 buf_printf(&value, "%s", item_val);
3651
3652 /* Remove foreign option item from env set */
3653 env_set_del(es, BSTR(&name));
3654
3655 item_val = BSTR(&value);
3656 if (strncmp(item_val, "dhcp-option ", 12) != 0
3657 || (strncmp(item_val + 12, "ADAPTER-DOMAIN-SUFFIX ", 22) != 0
3658 && strncmp(item_val + 12, "DOMAIN-SEARCH ", 14) != 0
3659 && strncmp(item_val + 12, "DOMAIN ", 7) != 0
3660 && strncmp(item_val + 12, "DNS6 ", 5) != 0
3661 && strncmp(item_val + 12, "DNS ", 4) != 0))
3662 {
3663 /* Re-set the item with potentially updated name */
3664 buf_clear(&name);
3665 buf_printf(&name, "foreign_option_%d", ++o->foreign_option_index);
3666 setenv_str(es, BSTR(&name), BSTR(&value));
3667 }
3668 }
3669 }
3670
3671 if (!dns->servers)
3672 {
3673 /* Copy --dhcp-options to dns_options */
3674 struct dhcp_options *dhcp = &dns->from_dhcp;
3675
3676 if (dhcp->dns_len || dhcp->dns6_len)
3677 {
3678 struct dns_domain **entry = &dns->search_domains;
3679 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3680 struct dns_domain *new = *entry;
3681 new->name = dhcp->domain;
3682 entry = &new->next;
3683
3684 for (size_t i = 0; i < dhcp->domain_search_list_len; ++i)
3685 {
3686 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3687 struct dns_domain *new = *entry;
3688 new->name = dhcp->domain_search_list[i];
3689 entry = &new->next;
3690 }
3691
3692 struct dns_server *server = dns_server_get(&dns->servers, 0, &dns->gc);
3693 const size_t max_addrs = SIZE(server->addr);
3694 for (size_t i = 0; i < dhcp->dns_len && server->addr_count < max_addrs; ++i)
3695 {
3696 server->addr[server->addr_count].in.a4.s_addr = htonl(dhcp->dns[i]);
3697 server->addr[server->addr_count].family = AF_INET;
3698 server->addr_count += 1;
3699 }
3700 for (size_t i = 0; i < dhcp->dns6_len && server->addr_count < max_addrs; ++i)
3701 {
3702 server->addr[server->addr_count].in.a6 = dhcp->dns6[i];
3703 server->addr[server->addr_count].family = AF_INET6;
3704 server->addr_count += 1;
3705 }
3706 }
3707 }
3708 else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))
3709 {
3710 /* Set foreign option env vars from --dns config */
3711 const struct dns_domain *d = dns->search_domains;
3712 while (d)
3713 {
3714 setenv_foreign_option(o, "DOMAIN", d->name, es);
3715 d = d->next;
3716 }
3717
3718 const struct dns_server *s = dns->servers;
3719 while (s)
3720 {
3721 bool non_standard_server_port = false;
3722 for (int i = 0; i < s->addr_count; ++i)
3723 {
3724 if (s->addr[i].port && s->addr[i].port != 53)
3725 {
3726 non_standard_server_port = true;
3727 break;
3728 }
3729 }
3730 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3731 || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
3732 {
3733 /* Skip servers requiring unsupported config to be set */
3734 s = s->next;
3735 }
3736 else
3737 {
3738 for (int i = 0; i < s->addr_count; ++i)
3739 {
3740 const char *option;
3741 const char *value;
3742 if (s->addr[i].family == AF_INET)
3743 {
3744 option = "DNS";
3745 value = print_in_addr_t(s->addr[i].in.a4.s_addr, IA_NET_ORDER, &gc);
3746 }
3747 else
3748 {
3749 option = "DNS6";
3750 value = print_in6_addr(s->addr[i].in.a6, 0, &gc);
3751 }
3752 setenv_foreign_option(o, option, value, es);
3753 }
3754 break;
3755 }
3756 }
3757 }
3758
3759 gc_free(&gc);
3760}
3761#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3762
3763static void
3764options_postprocess_mutate(struct options *o, struct env_set *es)
3765{
3766 int i;
3767 /*
3768 * Process helper-type options which map to other, more complex
3769 * sequences of options.
3770 */
3771 helper_client_server(o);
3772 /* must be called after helpers that might set --mode */
3773 helper_setdefault_topology(o);
3774 helper_keepalive(o);
3775 helper_tcp_nodelay(o);
3776
3777 options_postprocess_setdefault_ncpciphers(o);
3778 options_set_backwards_compatible_options(o);
3779 options_process_mutate_prf(o);
3780
3781 options_postprocess_cipher(o);
3782 o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3783 if (o->ncp_ciphers == NULL)
3784 {
3785 msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3786 }
3787
3788 if (o->remote_list && !o->connection_list)
3789 {
3790 /*
3791 * Convert remotes into connection list
3792 */
3793 const struct remote_list *rl = o->remote_list;
3794 for (i = 0; i < rl->len; ++i)
3795 {
3796 const struct remote_entry *re = rl->array[i];
3797 struct connection_entry ce = o->ce;
3798 struct connection_entry *ace;
3799
3800 ASSERT(re->remote);
3801 connection_entry_load_re(&ce, re);
3802 ace = alloc_connection_entry(o, M_USAGE);
3803 ASSERT(ace);
3804 *ace = ce;
3805 }
3806 }
3807 else if (!o->remote_list && !o->connection_list)
3808 {
3809 struct connection_entry *ace;
3810 ace = alloc_connection_entry(o, M_USAGE);
3811 ASSERT(ace);
3812 *ace = o->ce;
3813 }
3814
3815 ASSERT(o->connection_list);
3816 for (i = 0; i < o->connection_list->len; ++i)
3817 {
3818 options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3819 }
3820
3821 if (o->ce.local_list)
3822 {
3823 for (i = 0; i < o->ce.local_list->len; i++)
3824 {
3825 options_postprocess_mutate_le(&o->ce, o->ce.local_list->array[i], o->mode);
3826 }
3827
3828 for (int i = 0; i < o->ce.local_list->len; i++)
3829 {
3830 if (o->ce.local_list->array[i]->proto == PROTO_TCP)
3831 {
3832 o->ce.local_list->array[i]->proto = PROTO_TCP_SERVER;
3833 }
3834 else if (o->ce.local_list->array[i]->proto == PROTO_NONE)
3835 {
3836 o->ce.local_list->array[i]->proto = o->ce.proto;
3837 }
3838 }
3839 }
3840 else
3841 {
3842 /* if no 'local' directive was specified, convert the global port
3843 * setting to a listen entry */
3844 struct local_entry *e = alloc_local_entry(&o->ce, M_USAGE, &o->gc);
3845 ASSERT(e);
3846 e->port = o->ce.local_port;
3847 e->proto = o->ce.proto;
3848 }
3849
3850 /* use the same listen list for every outgoing connection */
3851 for (i = 0; i < o->connection_list->len; ++i)
3852 {
3853 o->connection_list->array[i]->local_list = o->ce.local_list;
3854 }
3855
3856 if (o->tls_server)
3857 {
3858 if (o->dh_file && streq(o->dh_file, "none"))
3859 {
3860 o->dh_file = NULL;
3861 }
3862 }
3863 else if (o->dh_file)
3864 {
3865 /* DH file is only meaningful in a tls-server context. */
3866 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3867 "include this in your server configuration");
3868 o->dh_file = NULL;
3869 }
3870#if ENABLE_MANAGEMENT
3871 if (o->http_proxy_override)
3872 {
3873 options_postprocess_http_proxy_override(o);
3874 }
3875#endif
3876 if (!o->ca_file && !o->ca_path && o->verify_hash && o->verify_hash_depth == 0)
3877 {
3878 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3879 "option set). ");
3880 o->verify_hash_no_ca = true;
3881 }
3882
3883 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3884 {
3885 msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3886 "incompatible with each other.");
3887 }
3888
3889 if (dco_enabled(o))
3890 {
3891 /* check if any option should force disabling DCO */
3892 o->disable_dco = !dco_check_option(D_DCO, o) || !dco_check_startup_option(D_DCO, o);
3893 }
3894#ifdef USE_COMP
3895 if (dco_enabled(o))
3896 {
3897 o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY;
3898 }
3899#endif
3900
3901#ifdef _WIN32
3902 if (dco_enabled(o))
3903 {
3904 o->windows_driver = DRIVER_DCO;
3905 }
3906 else
3907 {
3908 if (o->windows_driver == DRIVER_DCO)
3909 {
3910 msg(M_WARN,
3911 "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3912 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3913 }
3914 else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED)
3915 {
3916 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3917 }
3918 }
3919#else /* _WIN32 */
3920 if (dco_enabled(o) && o->dev_node)
3921 {
3922 msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3923 "data channel offload");
3924 o->dev_node = NULL;
3925 }
3926#endif /* _WIN32 */
3927
3928 /* this depends on o->windows_driver, which is set above */
3929 options_postprocess_mutate_invariant(o);
3930
3931 /* check that compression settings in the options are okay */
3932 check_compression_settings_valid(&o->comp, M_USAGE);
3933
3934 /*
3935 * Save certain parms before modifying options during connect, especially
3936 * when using --pull
3937 */
3938 if (o->pull)
3939 {
3940 dns_options_preprocess_pull(&o->dns_options);
3941 }
3942 else
3943 {
3944#if defined(_WIN32) || defined(TARGET_ANDROID)
3945 tuntap_options_postprocess_dns(o);
3946#else
3947 dhcp_options_postprocess_dns(o, es);
3948#endif
3949 }
3950 if (o->auth_token_generate && !o->auth_token_renewal)
3951 {
3952 o->auth_token_renewal = o->renegotiate_seconds;
3953 }
3954 pre_connect_save(o);
3955}
3956
3957/*
3958 * Check file/directory sanity
3959 *
3960 */
3961/* Expect people using the stripped down version to know what they do */
3962#ifndef ENABLE_SMALL
3963
3964#define CHKACC_FILE (1 << 0)
3965#define CHKACC_DIRPATH (1 << 1)
3966#define CHKACC_FILEXSTWR (1 << 2)
3967#define CHKACC_ACPTSTDIN (1 << 3)
3968#define CHKACC_PRIVATE (1 << 4)
3969#define CHKACC_ACCEPT_URI (1 << 5)
3971static bool
3972check_file_access(const int type, const char *file, const int mode, const char *opt)
3973{
3974 int errcode = 0;
3975
3976 /* If no file configured, no errors to look for */
3977 if (!file)
3978 {
3979 return false;
3980 }
3981
3982 /* If stdin is allowed and the file name is 'stdin', then do no
3983 * further checks as stdin is always available
3984 */
3985 if ((type & CHKACC_ACPTSTDIN) && streq(file, "stdin"))
3986 {
3987 return false;
3988 }
3989
3990 /* file name is a URI if its first segment has ":" (i.e., before any "/")
3991 * Then no checks done if CHKACC_ACCEPT_URI is set and the URI does not start with "file:"
3992 */
3993 if ((type & CHKACC_ACCEPT_URI) && strchr(file, ':'))
3994 {
3995 if (!strncmp(file, "file:", 5))
3996 {
3997 file += 5;
3998 }
3999 else if (!strchr(file, '/') || strchr(file, '/') > strchr(file, ':'))
4000 {
4001 return false;
4002 }
4003 }
4004
4005 /* Is the directory path leading to the given file accessible? */
4006 if (type & CHKACC_DIRPATH)
4007 {
4008 char *fullpath =
4009 string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
4010 char *dirpath = dirname(fullpath);
4011
4012 if (platform_access(dirpath, mode | X_OK) != 0)
4013 {
4014 errcode = errno;
4015 }
4016 free(fullpath);
4017 }
4018
4019 /* Is the file itself accessible? */
4020 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0))
4021 {
4022 errcode = errno;
4023 }
4024
4025 /* If the file exists and is accessible, is it writable? */
4026 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0))
4027 {
4028 if (platform_access(file, W_OK) != 0)
4029 {
4030 errcode = errno;
4031 }
4032 }
4033
4034 /* Warn if a given private file is group/others accessible. */
4035 if (type & CHKACC_PRIVATE)
4036 {
4037 platform_stat_t st;
4038 if (platform_stat(file, &st))
4039 {
4040 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
4041 }
4042#ifndef _WIN32
4043 else
4044 {
4045 if (st.st_mode & (S_IRWXG | S_IRWXO))
4046 {
4047 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
4048 }
4049 }
4050#endif
4051 }
4052
4053 /* Scream if an error is found */
4054 if (errcode > 0)
4055 {
4056 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
4057 }
4058
4059 /* Return true if an error occurred */
4060 return (errcode != 0 ? true : false);
4061}
4062
4063/* A wrapper for check_file_access() which also takes a chroot directory.
4064 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
4065 * otherwise it will look for the file inside the given chroot directory instead.
4066 */
4067static bool
4068check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode,
4069 const char *opt)
4070{
4071 bool ret = false;
4072
4073 /* If no file configured, no errors to look for */
4074 if (!file)
4075 {
4076 return false;
4077 }
4078
4079 /* If chroot is set, look for the file/directory inside the chroot */
4080 if (chroot)
4081 {
4082 struct gc_arena gc = gc_new();
4083 struct buffer chroot_file;
4084
4085 chroot_file = prepend_dir(chroot, file, &gc);
4086 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
4087 gc_free(&gc);
4088 }
4089 else
4090 {
4091 /* No chroot in play, just call core file check function */
4092 ret = check_file_access(type, file, mode, opt);
4093 }
4094 return ret;
4095}
4096
4101static bool
4102check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type,
4103 const char *file, const int mode, const char *opt)
4104{
4105 if (is_inline)
4106 {
4107 return false;
4108 }
4109
4110 return check_file_access_chroot(chroot, type, file, mode, opt);
4111}
4112
4117static bool
4118check_file_access_inline(bool is_inline, const int type, const char *file, const int mode,
4119 const char *opt)
4120{
4121 if (is_inline)
4122 {
4123 return false;
4124 }
4125
4126 return check_file_access(type, file, mode, opt);
4127}
4128
4129/*
4130 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
4131 * valid file with appropriate permissions.
4132 *
4133 * "command" consists of a path, optionally followed by a space, which may be
4134 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
4135 * performed.
4136 *
4137 * The path and arguments in "command" may be single- or double-quoted or escaped.
4138 *
4139 * The path is extracted from "command", then check_file_access() is called to check it. The
4140 * arguments, if any, are ignored.
4141 *
4142 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
4143 * check_file_access() arguments.
4144 */
4145static bool
4146check_cmd_access(const char *command, const char *opt, const char *chroot)
4147{
4148 struct argv argv;
4149 bool return_code;
4150
4151 /* If no command was set, there are no errors to look for */
4152 if (!command)
4153 {
4154 return false;
4155 }
4156
4157 /* Extract executable path and arguments */
4158 argv = argv_new();
4159 argv_parse_cmd(&argv, command);
4160
4161 /* if an executable is specified then check it; otherwise, complain */
4162 if (argv.argv[0])
4163 {
4164 /* Scripts requires R_OK as well, but that might fail on binaries which
4165 * only requires X_OK to function on Unix - a scenario not unlikely to
4166 * be seen on suid binaries.
4167 */
4168 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
4169 }
4170 else
4171 {
4172 msg(M_NOPREFIX | M_OPTERR, "%s fails with '%s': No path to executable.", opt, command);
4173 return_code = true;
4174 }
4175
4176 argv_free(&argv);
4177
4178 return return_code;
4179}
4180
4181/*
4182 * Sanity check of all file/dir options. Checks that file/dir
4183 * is accessible by OpenVPN
4184 */
4185static void
4186options_postprocess_filechecks(struct options *options)
4187{
4188 bool errs = false;
4189
4190 /* ** SSL/TLS/crypto related files ** */
4191 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK,
4192 "--dh");
4193
4194 if (!options->verify_hash_no_ca)
4195 {
4196 errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, options->ca_file,
4197 R_OK, "--ca");
4198 }
4199
4200 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK,
4201 "--capath");
4202
4203 errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE | CHKACC_ACCEPT_URI,
4204 options->cert_file, R_OK, "--cert");
4205
4206 errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
4207 options->extra_certs_file, R_OK, "--extra-certs");
4208
4209 if (!(options->management_flags & MF_EXTERNAL_KEY))
4210 {
4211 errs |= check_file_access_inline(options->priv_key_file_inline,
4212 CHKACC_FILE | CHKACC_PRIVATE | CHKACC_ACCEPT_URI,
4213 options->priv_key_file, R_OK, "--key");
4214 }
4215
4216 errs |= check_file_access_inline(options->pkcs12_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4217 options->pkcs12_file, R_OK, "--pkcs12");
4218
4219 if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
4220 {
4221 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file,
4222 R_OK | X_OK, "--crl-verify directory");
4223 }
4224 else
4225 {
4226 errs |=
4227 check_file_access_chroot_inline(options->crl_file_inline, options->chroot_dir,
4228 CHKACC_FILE, options->crl_file, R_OK, "--crl-verify");
4229 }
4230
4231 if (options->tls_export_peer_cert_dir)
4232 {
4233 errs |=
4234 check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4235 options->tls_export_peer_cert_dir, W_OK, "--tls-export-cert");
4236 }
4237
4238 ASSERT(options->connection_list);
4239 for (int i = 0; i < options->connection_list->len; ++i)
4240 {
4241 struct connection_entry *ce = options->connection_list->array[i];
4242
4243 errs |= check_file_access_inline(ce->tls_auth_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4244 ce->tls_auth_file, R_OK, "--tls-auth");
4245 errs |= check_file_access_inline(ce->tls_crypt_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4246 ce->tls_crypt_file, R_OK, "--tls-crypt");
4247 errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4248 ce->tls_crypt_v2_file, R_OK, "--tls-crypt-v2");
4249 }
4250
4251 errs |=
4252 check_file_access_inline(options->shared_secret_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4253 options->shared_secret_file, R_OK, "--secret");
4254
4255 errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->packet_id_file,
4256 R_OK | W_OK, "--replay-persist");
4257
4258 /* ** Password files ** */
4259 errs |= check_file_access(CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
4260 options->key_pass_file, R_OK, "--askpass");
4261#ifdef ENABLE_MANAGEMENT
4262 errs |=
4263 check_file_access(CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
4264 options->management_user_pass, R_OK, "--management user/password file");
4265#endif /* ENABLE_MANAGEMENT */
4266 errs |= check_file_access_inline(options->auth_user_pass_file_inline,
4267 CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
4268 options->auth_user_pass_file, R_OK, "--auth-user-pass");
4269 /* ** System related ** */
4270 errs |= check_file_access(CHKACC_FILE, options->chroot_dir, R_OK | X_OK, "--chroot directory");
4271 errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->writepid, R_OK | W_OK,
4272 "--writepid");
4273
4274 /* ** Log related ** */
4275 errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->status_file, R_OK | W_OK,
4276 "--status");
4277
4278 /* ** Config related ** */
4279 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4280 R_OK | X_OK, "--client-config-dir");
4281 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4282 R_OK | W_OK | X_OK, "Temporary directory (--tmp-dir)");
4283
4284 if (errs)
4285 {
4286 msg(M_USAGE, "Please correct these errors.");
4287 }
4288}
4289#endif /* !ENABLE_SMALL */
4290
4291/*
4292 * Sanity check on options.
4293 * Also set some options based on other
4294 * options.
4295 */
4296void
4297options_postprocess(struct options *options, struct env_set *es)
4298{
4299 options_postprocess_mutate(options, es);
4300 options_postprocess_verify(options);
4301#ifndef ENABLE_SMALL
4302 options_postprocess_filechecks(options);
4303#endif /* !ENABLE_SMALL */
4304}
4305
4306/*
4307 * Sanity check on options after more options were pulled from server.
4308 * Also time to modify some options based on other options.
4309 */
4310bool
4311options_postprocess_pull(struct options *o, struct env_set *es)
4312{
4313 bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4314 if (success)
4315 {
4316 dns_options_postprocess_pull(&o->dns_options);
4317#if defined(_WIN32) || defined(TARGET_ANDROID)
4318 tuntap_options_postprocess_dns(o);
4319#else
4320 dhcp_options_postprocess_dns(o, es);
4321#endif
4322 }
4323 return success;
4324}
4325
4326/*
4327 * Build an options string to represent data channel encryption options.
4328 * This string must match exactly between peers. The keysize is checked
4329 * separately by read_key().
4330 *
4331 * The following options must match on both peers:
4332 *
4333 * Tunnel options:
4334 *
4335 * --dev tun|tap [unit number need not match]
4336 * --dev-type tun|tap
4337 * --link-mtu
4338 * --udp-mtu
4339 * --tun-mtu
4340 * --proto udp
4341 * --proto tcp-client [matched with --proto tcp-server
4342 * on the other end of the connection]
4343 * --proto tcp-server [matched with --proto tcp-client on
4344 * the other end of the connection]
4345 * --tun-ipv6
4346 * --ifconfig x y [matched with --ifconfig y x on
4347 * the other end of the connection]
4348 *
4349 * --comp-lzo
4350 * --compress alg
4351 * --fragment
4352 *
4353 * Crypto Options:
4354 *
4355 * --cipher
4356 * --auth
4357 * --secret
4358 *
4359 * SSL Options:
4360 *
4361 * --tls-auth
4362 * --tls-client [matched with --tls-server on
4363 * the other end of the connection]
4364 * --tls-server [matched with --tls-client on
4365 * the other end of the connection]
4366 */
4367char *
4368options_string(const struct options *o, const struct frame *frame, struct tuntap *tt,
4369 openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
4370{
4371 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4372 bool tt_local = false;
4373
4374 buf_printf(&out, "V4");
4375
4376 /*
4377 * Tunnel Options
4378 */
4379
4380 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4381 /* the link-mtu that we send has only a meaning if have a fixed
4382 * cipher (p2p) or have a fallback cipher configured for older non
4383 * ncp clients. But not sending it will make even 2.4 complain
4384 * about it being missing. So still send it. */
4385 buf_printf(&out, ",link-mtu %u", (unsigned int)calc_options_string_link_mtu(o, frame));
4386
4387 if (o->ce.occ_mtu != 0)
4388 {
4389 buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4390 }
4391 else
4392 {
4393 buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4394 }
4395
4396 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4397
4398 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4399 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4400 * is usually pushed by the server, triggering a non-helpful warning
4401 */
4402 if (o->ifconfig_ipv6_local && p2p_nopull)
4403 {
4404 buf_printf(&out, ",tun-ipv6");
4405 }
4406
4407 /*
4408 * Try to get ifconfig parameters into the options string.
4409 * If tt is undefined, make a temporary instantiation.
4410 */
4411 if (!tt)
4412 {
4413 tt = init_tun(o->dev, o->dev_type, o->topology, o->ifconfig_local,
4414 o->ifconfig_remote_netmask, o->ifconfig_ipv6_local, o->ifconfig_ipv6_netbits,
4415 o->ifconfig_ipv6_remote, NULL, NULL, false, NULL, ctx, NULL);
4416 if (tt)
4417 {
4418 tt_local = true;
4419 }
4420 }
4421
4422 if (tt && p2p_nopull)
4423 {
4424 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4425 if (ios && strlen(ios))
4426 {
4427 buf_printf(&out, ",ifconfig %s", ios);
4428 }
4429 }
4430 if (tt_local)
4431 {
4432 free(tt);
4433 tt = NULL;
4434 }
4435
4436#ifdef USE_COMP
4437 if (o->comp.alg != COMP_ALG_UNDEF)
4438 {
4439 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression
4440 context is active, not necessarily LZO per-se */
4441 }
4442#endif
4443
4444#ifdef ENABLE_FRAGMENT
4445 if (o->ce.fragment)
4446 {
4447 buf_printf(&out, ",mtu-dynamic");
4448 }
4449#endif
4450
4451#define TLS_CLIENT (o->tls_client)
4452#define TLS_SERVER (o->tls_server)
4453
4454 /*
4455 * Key direction
4456 */
4457 {
4458 const char *kd = keydirection2ascii(o->key_direction, remote, false);
4459 if (kd)
4460 {
4461 buf_printf(&out, ",keydir %s", kd);
4462 }
4463 }
4464
4465 /*
4466 * Crypto Options
4467 */
4468 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4469 {
4470 struct key_type kt;
4471
4472 ASSERT((o->shared_secret_file != NULL) + (TLS_CLIENT == true) + (TLS_SERVER == true) <= 1);
4473
4474 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4475 * to work here in the default configuration */
4476 const char *ciphername = o->ciphername;
4477 int keysize = 0;
4478
4479 if (strcmp(o->ciphername, "BF-CBC") == 0)
4480 {
4481 init_key_type(&kt, "none", o->authname, true, false);
4482 keysize = 128;
4483 }
4484 else
4485 {
4486 init_key_type(&kt, o->ciphername, o->authname, true, false);
4487 ciphername = cipher_kt_name(kt.cipher);
4488 if (cipher_defined(o->ciphername))
4489 {
4490 keysize = cipher_kt_key_size(kt.cipher) * 8;
4491 }
4492 }
4493 /* Only announce the cipher to our peer if we are willing to
4494 * support it */
4495 if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4496 {
4497 buf_printf(&out, ",cipher %s", ciphername);
4498 }
4499 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4500 buf_printf(&out, ",keysize %d", keysize);
4501 if (o->shared_secret_file)
4502 {
4503 buf_printf(&out, ",secret");
4504 }
4505
4506#ifdef ENABLE_PREDICTION_RESISTANCE
4507 if (o->use_prediction_resistance)
4508 {
4509 buf_printf(&out, ",use-prediction-resistance");
4510 }
4511#endif
4512 }
4513
4514 /*
4515 * SSL Options
4516 */
4517 {
4518 if (TLS_CLIENT || TLS_SERVER)
4519 {
4520 if (o->ce.tls_auth_file)
4521 {
4522 buf_printf(&out, ",tls-auth");
4523 }
4524 /* Not adding tls-crypt here, because we won't reach this code if
4525 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4526 * break stuff, so leaving that in place. */
4527
4528 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4529 }
4530
4531 if (remote)
4532 {
4533 if (TLS_CLIENT)
4534 {
4535 buf_printf(&out, ",tls-server");
4536 }
4537 else if (TLS_SERVER)
4538 {
4539 buf_printf(&out, ",tls-client");
4540 }
4541 }
4542 else
4543 {
4544 if (TLS_CLIENT)
4545 {
4546 buf_printf(&out, ",tls-client");
4547 }
4548 else if (TLS_SERVER)
4549 {
4550 buf_printf(&out, ",tls-server");
4551 }
4552 }
4553 }
4554
4555#undef TLS_CLIENT
4556#undef TLS_SERVER
4557
4558 return BSTR(&out);
4559}
4560
4561/*
4562 * Compare option strings for equality.
4563 * If the first two chars of the strings differ, it means that
4564 * we are looking at different versions of the options string,
4565 * therefore don't compare them and return true.
4566 */
4567
4568bool
4569options_cmp_equal(char *actual, const char *expected)
4570{
4571 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4572}
4573
4574void
4575options_warning(char *actual, const char *expected)
4576{
4577 options_warning_safe(actual, expected, strlen(actual) + 1);
4578}
4579
4580static const char *
4581options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
4582{
4583 struct gc_arena gc = gc_new();
4584 struct buffer b = string_alloc_buf(option_string, &gc);
4585 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4586 const char *ret;
4587
4588 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4589 ret = string_alloc(p, gc_ret);
4590 gc_free(&gc);
4591 return ret;
4592}
4593
4594static void
4595options_warning_safe_scan2(const msglvl_t msglevel, const int delim,
4596 const bool report_inconsistent, const char *p1,
4597 const struct buffer *b2_src, const char *b1_name,
4598 const char *b2_name)
4599{
4600 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4601 * OCC in a future version (because it's not useful). To reduce questions
4602 * when interoperating, we no longer printing a warning about it.
4603 */
4604 if (strprefix(p1, "key-method ") || strprefix(p1, "keydir ") || strprefix(p1, "proto ")
4605 || streq(p1, "tls-auth") || strprefix(p1, "tun-ipv6") || strprefix(p1, "cipher "))
4606 {
4607 return;
4608 }
4609
4610 if (strlen(p1) > 0)
4611 {
4612 struct gc_arena gc = gc_new();
4613 struct buffer b2 = *b2_src;
4614 const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4615 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4616
4617 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4618 {
4619 if (strlen(p2))
4620 {
4621 const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4622
4623 if (!strcmp(p1, p2))
4624 {
4625 goto done;
4626 }
4627 if (!strcmp(p1_prefix, p2_prefix))
4628 {
4629 if (report_inconsistent)
4630 {
4631 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4632 safe_print(p1_prefix, &gc), b1_name, safe_print(p1, &gc), b2_name,
4633 safe_print(p2, &gc));
4634 }
4635 goto done;
4636 }
4637 }
4638 }
4639
4640 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4641 safe_print(p1_prefix, &gc), b1_name, b2_name, b1_name, safe_print(p1, &gc));
4642
4643done:
4644 gc_free(&gc);
4645 }
4646}
4647
4648static void
4649options_warning_safe_scan1(const msglvl_t msglevel, const int delim,
4650 const bool report_inconsistent, const struct buffer *b1_src,
4651 const struct buffer *b2_src, const char *b1_name, const char *b2_name)
4652{
4653 struct gc_arena gc = gc_new();
4654 struct buffer b = *b1_src;
4655 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4656
4657 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4658 {
4659 options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name,
4660 b2_name);
4661 }
4662
4663 gc_free(&gc);
4664}
4665
4666static void
4667options_warning_safe_ml(const msglvl_t msglevel, char *actual, const char *expected, size_t actual_n)
4668{
4669 struct gc_arena gc = gc_new();
4670
4671 if (actual_n > 0)
4672 {
4673 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4674 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4675 actual[actual_n - 1] = 0;
4676
4677 buf_printf(&local, "version %s", expected);
4678 buf_printf(&remote, "version %s", actual);
4679
4680 options_warning_safe_scan1(msglevel, ',', true, &local, &remote, "local", "remote");
4681
4682 options_warning_safe_scan1(msglevel, ',', false, &remote, &local, "remote", "local");
4683 }
4684
4685 gc_free(&gc);
4686}
4687
4688bool
4689options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4690{
4691 struct gc_arena gc = gc_new();
4692 bool ret = true;
4693
4694 if (actual_n > 0)
4695 {
4696 actual[actual_n - 1] = 0;
4697 if (strncmp(actual, expected, 2))
4698 {
4699 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4700 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4701 }
4702 else
4703 {
4704 ret = !strcmp(actual, expected);
4705 }
4706 }
4707 gc_free(&gc);
4708 return ret;
4709}
4710
4711void
4712options_warning_safe(char *actual, const char *expected, size_t actual_n)
4713{
4714 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4715}
4716
4717const char *
4718options_string_version(const char *s, struct gc_arena *gc)
4719{
4720 struct buffer out = alloc_buf_gc(4, gc);
4721 strncpynt((char *)BPTR(&out), s, 3);
4722 return BSTR(&out);
4723}
4724
4725char *
4726options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
4727{
4728 char *ret = NULL;
4729 const size_t opt_name_len = strlen(opt_name);
4730
4731 const char *p = options_string;
4732 while (p)
4733 {
4734 if (0 == strncmp(p, opt_name, opt_name_len) && strlen(p) > (opt_name_len + 1)
4735 && p[opt_name_len] == ' ')
4736 {
4737 /* option found, extract value */
4738 const char *start = &p[opt_name_len + 1];
4739 const char *end = strchr(p, ',');
4740 size_t val_len = end ? end - start : strlen(start);
4741 ret = gc_malloc(val_len + 1, true, gc);
4742 memcpy(ret, start, val_len);
4743 break;
4744 }
4745 p = strchr(p, ',');
4746 if (p)
4747 {
4748 p++; /* skip delimiter */
4749 }
4750 }
4751 return ret;
4752}
4753
4754/*
4755 * parse/print topology coding
4756 */
4757
4758int
4759parse_topology(const char *str, const msglvl_t msglevel)
4760{
4761 if (streq(str, "net30"))
4762 {
4763 return TOP_NET30;
4764 }
4765 else if (streq(str, "p2p"))
4766 {
4767 return TOP_P2P;
4768 }
4769 else if (streq(str, "subnet"))
4770 {
4771 return TOP_SUBNET;
4772 }
4773 else
4774 {
4775 msg(msglevel, "--topology must be net30, p2p, or subnet");
4776 return TOP_UNDEF;
4777 }
4778}
4779
4780const char *
4781print_topology(const int topology)
4782{
4783 switch (topology)
4784 {
4785 case TOP_UNDEF:
4786 return "undef";
4787
4788 case TOP_NET30:
4789 return "net30";
4790
4791 case TOP_P2P:
4792 return "p2p";
4793
4794 case TOP_SUBNET:
4795 return "subnet";
4796
4797 default:
4798 return "unknown";
4799 }
4800}
4801
4802/*
4803 * Manage auth-retry variable
4804 */
4805
4806static int global_auth_retry; /* GLOBAL */
4807
4808int
4809auth_retry_get(void)
4810{
4811 return global_auth_retry;
4812}
4813
4814bool
4815auth_retry_set(const msglvl_t msglevel, const char *option)
4816{
4817 if (streq(option, "interact"))
4818 {
4819 global_auth_retry = AR_INTERACT;
4820 }
4821 else if (streq(option, "nointeract"))
4822 {
4823 global_auth_retry = AR_NOINTERACT;
4824 }
4825 else if (streq(option, "none"))
4826 {
4827 global_auth_retry = AR_NONE;
4828 }
4829 else
4830 {
4831 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4832 return false;
4833 }
4834 return true;
4835}
4836
4837const char *
4838auth_retry_print(void)
4839{
4840 switch (global_auth_retry)
4841 {
4842 case AR_NONE:
4843 return "none";
4844
4845 case AR_NOINTERACT:
4846 return "nointeract";
4847
4848 case AR_INTERACT:
4849 return "interact";
4850
4851 default:
4852 return "???";
4853 }
4854}
4855
4856/*
4857 * Print the help message.
4858 */
4859void
4860usage(void)
4861{
4862 FILE *fp = msg_fp(0);
4863
4864#ifdef ENABLE_SMALL
4865
4866 fprintf(fp, "Usage message not available\n");
4867
4868#else
4869
4870 struct options o;
4871 init_options(&o, true);
4872
4873 fprintf(fp, usage_message, title_string, o.ce.connect_retry_seconds,
4874 o.ce.connect_retry_seconds_max, o.ce.local_port, o.ce.remote_port, TUN_MTU_DEFAULT,
4875 TAP_MTU_EXTRA_DEFAULT, TUN_MTU_MAX_MIN, o.verbosity, o.authname, o.replay_window,
4876 o.replay_time, o.tls_timeout, o.renegotiate_seconds, o.handshake_window,
4877 o.transition_window);
4878 fflush(fp);
4879
4880#endif /* ENABLE_SMALL */
4881
4882 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4883}
4884
4885void
4886usage_small(void)
4887{
4888 msg(M_WARN | M_NOPREFIX, "Use --help for more information.");
4889 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4890}
4891
4892#ifdef _WIN32
4893void
4894show_windows_version(const unsigned int flags)
4895{
4896 struct gc_arena gc = gc_new();
4897 msg(flags, "Windows version: %s", win32_version_string(&gc));
4898 gc_free(&gc);
4899}
4900#endif
4901
4902void
4903show_dco_version(const unsigned int flags)
4904{
4905#ifdef ENABLE_DCO
4906 struct gc_arena gc = gc_new();
4907 msg(flags, "DCO version: %s", dco_version_string(&gc));
4908 gc_free(&gc);
4909#endif
4910}
4911
4912void
4913show_library_versions(const unsigned int flags)
4914{
4915#ifdef ENABLE_LZO
4916#define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4917#else
4918#define LZO_LIB_VER_STR "", ""
4919#endif
4920
4921 msg(flags, "library versions: %s%s%s", get_ssl_library_version(), LZO_LIB_VER_STR);
4922
4923#undef LZO_LIB_VER_STR
4924}
4925
4926static void
4927usage_version(void)
4928{
4929 msg(M_INFO | M_NOPREFIX, "%s", title_string);
4930 show_library_versions(M_INFO | M_NOPREFIX);
4931#ifdef _WIN32
4932 show_windows_version(M_INFO | M_NOPREFIX);
4933#endif
4934 show_dco_version(M_INFO | M_NOPREFIX);
4935 msg(M_INFO | M_NOPREFIX, "Originally developed by James Yonan");
4936 msg(M_INFO | M_NOPREFIX, "Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>");
4937#ifndef ENABLE_SMALL
4938#ifdef CONFIGURE_DEFINES
4939 msg(M_INFO | M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4940#endif
4941#ifdef CONFIGURE_SPECIAL_BUILD
4942 msg(M_INFO | M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4943#endif
4944#endif
4945 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4946}
4947
4948void
4949notnull(const char *arg, const char *description)
4950{
4951 if (!arg)
4952 {
4953 msg(M_USAGE, "You must define %s", description);
4954 }
4955}
4956
4957bool
4958string_defined_equal(const char *s1, const char *s2)
4959{
4960 if (s1 && s2)
4961 {
4962 return !strcmp(s1, s2);
4963 }
4964 else
4965 {
4966 return false;
4967 }
4968}
4969
4970#if 0
4971static void
4972ping_rec_err(msglvl_t msglevel)
4973{
4974 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4975}
4976#endif
4977
4978#ifdef _WIN32 /* This function is only used when compiling on Windows */
4979static unsigned int
4980atou(const char *str)
4981{
4982 unsigned int val = 0;
4983 sscanf(str, "%u", &val);
4984 return val;
4985}
4986#endif
4987
4988#define VERIFY_PERMISSION(mask) \
4989 { \
4990 if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, \
4991 msglevel, options, is_inline)) \
4992 { \
4993 goto err; \
4994 } \
4995 }
4996
4997static bool
4998verify_permission(const char *name, const char *file, int line, const unsigned int type,
4999 const unsigned int allowed, unsigned int *found, const msglvl_t msglevel,
5000 struct options *options, bool is_inline)
5001{
5002 if (!(type & allowed))
5003 {
5004 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5005 return false;
5006 }
5007
5008 if (is_inline && !(type & OPT_P_INLINE))
5009 {
5010 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name, file, line);
5011 return false;
5012 }
5013
5014 if (found)
5015 {
5016 *found |= type;
5017 }
5018
5019#ifndef ENABLE_SMALL
5020 /* Check if this options is allowed in connection block,
5021 * but we are currently not in a connection block
5022 * unless this is a pushed option.
5023 * Parsing a connection block uses a temporary options struct without
5024 * connection_list
5025 */
5026
5027 if ((type & OPT_P_CONNECTION) && options->connection_list && !(allowed & OPT_P_PULL_MODE))
5028 {
5029 if (file)
5030 {
5031 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name,
5032 file, line);
5033 }
5034 else
5035 {
5036 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5037 }
5038 }
5039#endif
5040 return true;
5041}
5042
5043/*
5044 * Check that an option doesn't have too
5045 * many parameters.
5046 */
5047
5048#define NM_QUOTE_HINT (1 << 0)
5049
5050static bool
5051no_more_than_n_args(const msglvl_t msglevel, char *p[], const int max, const unsigned int flags)
5052{
5053 const int len = string_array_len((const char **)p);
5054
5055 if (!len)
5056 {
5057 return false;
5058 }
5059
5060 if (len > max)
5061 {
5062 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s", p[0], max - 1,
5063 max >= 3 ? "s" : "",
5064 (flags & NM_QUOTE_HINT)
5065 ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")."
5066 : "");
5067 return false;
5068 }
5069 else
5070 {
5071 return true;
5072 }
5073}
5074
5075static inline msglvl_t
5076msglevel_forward_compatible(struct options *options, const msglvl_t msglevel)
5077{
5078 return options->forward_compatible ? M_WARN : msglevel;
5079}
5080
5081#define RESET_OPTION_ROUTES(option_ptr, field) \
5082 if (option_ptr) \
5083 { \
5084 option_ptr->field = NULL; \
5085 option_ptr->flags = 0; \
5086 }
5087
5088void
5089remove_option(struct context *c, struct options *options, char *p[], bool is_inline,
5090 const char *file, int line, const msglvl_t msglevel,
5091 const unsigned int permission_mask, unsigned int *option_types_found,
5092 struct env_set *es)
5093{
5094 msglvl_t msglevel_fc = msglevel_forward_compatible(options, msglevel);
5095
5096 if (streq(p[0], "ifconfig") && !p[1])
5097 {
5098 VERIFY_PERMISSION(OPT_P_UP);
5099 options->ifconfig_local = NULL;
5100 options->ifconfig_remote_netmask = NULL;
5101 }
5102 else if (streq(p[0], "ifconfig-ipv6") && !p[1])
5103 {
5104 VERIFY_PERMISSION(OPT_P_UP);
5105 options->ifconfig_ipv6_local = NULL;
5106 options->ifconfig_ipv6_netbits = 0;
5107 options->ifconfig_ipv6_remote = NULL;
5108 }
5109 else if (streq(p[0], "route") && !p[1])
5110 {
5111 VERIFY_PERMISSION(OPT_P_ROUTE);
5112 if (c->c1.route_list)
5113 {
5114 delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), es,
5115 &c->net_ctx);
5116 RESET_OPTION_ROUTES(options->routes, routes);
5117 }
5118 }
5119 else if (streq(p[0], "route-ipv6") && !p[1])
5120 {
5121 VERIFY_PERMISSION(OPT_P_ROUTE);
5122 if (c->c1.route_ipv6_list)
5123 {
5124 delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
5125 es, &c->net_ctx);
5126 RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6);
5127 }
5128 }
5129 else if (streq(p[0], "route-gateway") && !p[1])
5130 {
5131 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
5132 options->route_gateway_via_dhcp = false;
5133 options->route_default_gateway = NULL;
5134 }
5135 else if (streq(p[0], "route-metric") && !p[1])
5136 {
5137 VERIFY_PERMISSION(OPT_P_ROUTE);
5138 options->route_default_metric = 0;
5139 }
5140 else if (streq(p[0], "push-continuation") && !p[1])
5141 {
5142 VERIFY_PERMISSION(OPT_P_PULL_MODE);
5143 options->push_continuation = 0;
5144 }
5145 else if ((streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private")) && !p[1])
5146 {
5147 VERIFY_PERMISSION(OPT_P_ROUTE);
5148 if (options->routes)
5149 {
5150 options->routes->flags = 0;
5151 }
5152 if (options->routes_ipv6)
5153 {
5154 options->routes_ipv6->flags = 0;
5155 }
5156 env_set_del(es, "route_redirect_gateway_ipv4");
5157 env_set_del(es, "route_redirect_gateway_ipv6");
5158 }
5159 else if (streq(p[0], "dns") && !p[1])
5160 {
5161 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5162 gc_free(&options->dns_options.gc);
5163 CLEAR(options->dns_options);
5164 }
5165 else if (streq(p[0], "topology") && !p[1])
5166 {
5167 VERIFY_PERMISSION(OPT_P_UP);
5168 options->topology = TOP_UNDEF;
5169 helper_setdefault_topology(options);
5170 }
5171 else if (streq(p[0], "tun-mtu") && !p[1])
5172 {
5173 VERIFY_PERMISSION(OPT_P_PUSH_MTU | OPT_P_CONNECTION);
5174 options->ce.tun_mtu = TUN_MTU_DEFAULT;
5175 options->ce.tun_mtu_defined = false;
5176 options->ce.occ_mtu = 0;
5177 }
5178 else if (streq(p[0], "block-ipv6") && !p[1])
5179 {
5180 VERIFY_PERMISSION(OPT_P_ROUTE);
5181 options->block_ipv6 = false;
5182 }
5183#if defined(_WIN32) || defined(TARGET_ANDROID)
5184 else if (streq(p[0], "dhcp-option") && !p[1])
5185 {
5186 struct tuntap_options *o = &options->tuntap_options;
5187 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5188
5189 o->domain = NULL;
5190 o->netbios_scope = NULL;
5191 o->netbios_node_type = 0;
5192 o->dns6_len = 0;
5193 memset(o->dns6, 0, sizeof(o->dns6));
5194 o->dns_len = 0;
5195 memset(o->dns, 0, sizeof(o->dns));
5196 o->wins_len = 0;
5197 memset(o->wins, 0, sizeof(o->wins));
5198 o->ntp_len = 0;
5199 memset(o->ntp, 0, sizeof(o->ntp));
5200 o->nbdd_len = 0;
5201 memset(o->nbdd, 0, sizeof(o->nbdd));
5202 while (o->domain_search_list_len-- > 0)
5203 {
5204 o->domain_search_list[o->domain_search_list_len] = NULL;
5205 }
5206 o->disable_nbt = 0;
5207 o->dhcp_options = 0;
5208#if defined(TARGET_ANDROID)
5209 o->http_proxy_port = 0;
5210 o->http_proxy = NULL;
5211#endif
5212 }
5213#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
5214#ifdef _WIN32
5215 else if (streq(p[0], "block-outside-dns") && !p[1])
5216 {
5217 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5218 options->block_outside_dns = false;
5219 }
5220#else /* ifdef _WIN32 */
5221 else if (streq(p[0], "dhcp-option") && !p[1])
5222 {
5223 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5224 delete_all_dhcp_fo(options, &es->list);
5225 }
5226#endif
5227 else
5228 {
5229 msglvl_t msglevel_unknown = msglevel_fc;
5230 /* Check if an option is in --ignore-unknown-option and
5231 * set warning level to non fatal */
5232 for (int i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
5233 {
5234 if (streq(p[0], options->ignore_unknown_option[i]))
5235 {
5236 msglevel_unknown = M_WARN;
5237 break;
5238 }
5239 }
5240 msg(msglevel_unknown,
5241 "Unrecognized option or missing or extra parameter(s) in %s:%d: -%s (%s)", file, line,
5242 p[0], PACKAGE_VERSION);
5243 }
5244 return;
5245err:
5246 msg(msglevel, "Error occurred trying to remove %s option", p[0]);
5247}
5248
5249
5250static bool
5251check_route_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5252{
5253 rol_check_alloc(options);
5254 if (pull_mode)
5255 {
5256 if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
5257 && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
5258 {
5259 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
5260 return false;
5261 }
5262 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
5263 {
5264 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
5265 return false;
5266 }
5267 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn)
5268 && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
5269 {
5270 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
5271 return false;
5272 }
5273 }
5274 return true;
5275}
5276
5277
5278static bool
5279check_route6_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5280{
5281 rol6_check_alloc(options);
5282 if (pull_mode)
5283 {
5284 if (!ipv6_addr_safe_hexplusbits(p[1]))
5285 {
5286 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
5287 return false;
5288 }
5289 if (p[2] && !ipv6_addr_safe(p[2]))
5290 {
5291 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
5292 return false;
5293 }
5294 /* p[3] is metric, if present */
5295 }
5296 return true;
5297}
5298
5299static bool
5300check_dns_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5301{
5302 if (streq(p[1], "search-domains") && p[2])
5303 {
5304 if (!dns_domain_list_append(&options->dns_options.search_domains, &p[2],
5305 &options->dns_options.gc))
5306 {
5307 msg(msglevel, "--dns %s contain invalid characters", p[1]);
5308 return false;
5309 }
5310 }
5311 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
5312 {
5313 long priority;
5314 if (!dns_server_priority_parse(&priority, p[2], pull_mode))
5315 {
5316 msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
5317 return false;
5318 }
5319
5320 struct dns_server *server =
5321 dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
5322
5323 if (streq(p[3], "address") && p[4])
5324 {
5325 for (int i = 4; p[i]; ++i)
5326 {
5327 if (!dns_server_addr_parse(server, p[i]))
5328 {
5329 msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'",
5330 priority, p[i]);
5331 return false;
5332 }
5333 }
5334 }
5335 else if (streq(p[3], "resolve-domains"))
5336 {
5337 if (!dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc))
5338 {
5339 msg(msglevel, "--dns server %ld: %s contain invalid characters", priority, p[3]);
5340 return false;
5341 }
5342 }
5343 else if (streq(p[3], "dnssec") && !p[5])
5344 {
5345 if (streq(p[4], "yes"))
5346 {
5347 server->dnssec = DNS_SECURITY_YES;
5348 }
5349 else if (streq(p[4], "no"))
5350 {
5351 server->dnssec = DNS_SECURITY_NO;
5352 }
5353 else if (streq(p[4], "optional"))
5354 {
5355 server->dnssec = DNS_SECURITY_OPTIONAL;
5356 }
5357 else
5358 {
5359 msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
5360 return false;
5361 }
5362 }
5363 else if (streq(p[3], "transport") && !p[5])
5364 {
5365 if (streq(p[4], "plain"))
5366 {
5367 server->transport = DNS_TRANSPORT_PLAIN;
5368 }
5369 else if (streq(p[4], "DoH"))
5370 {
5371 server->transport = DNS_TRANSPORT_HTTPS;
5372 }
5373 else if (streq(p[4], "DoT"))
5374 {
5375 server->transport = DNS_TRANSPORT_TLS;
5376 }
5377 else
5378 {
5379 msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
5380 return false;
5381 }
5382 }
5383 else if (streq(p[3], "sni") && !p[5])
5384 {
5385 if (!validate_domain(p[4]))
5386 {
5387 msg(msglevel, "--dns server %ld: %s contains invalid characters", priority, p[3]);
5388 return false;
5389 }
5390 server->sni = p[4];
5391 }
5392 else
5393 {
5394 msg(msglevel,
5395 "--dns server %ld: unknown option type '%s' or missing or unknown parameter",
5396 priority, p[3]);
5397 return false;
5398 }
5399 }
5400 else
5401 {
5402 msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
5403 return false;
5404 }
5405 return true;
5406}
5407
5408void
5409update_option(struct context *c, struct options *options, char *p[], bool is_inline,
5410 const char *file, int line, const int level, const msglvl_t msglevel,
5411 const unsigned int permission_mask, unsigned int *option_types_found,
5412 struct env_set *es, unsigned int *update_options_found)
5413{
5414 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5415 ASSERT(MAX_PARMS >= 7);
5416
5417 if (streq(p[0], "route") && p[1] && !p[5])
5418 {
5419 if (!(*update_options_found & OPT_P_U_ROUTE))
5420 {
5421 VERIFY_PERMISSION(OPT_P_ROUTE);
5422 if (!check_route_option(options, p, msglevel, pull_mode))
5423 {
5424 goto err;
5425 }
5426 if (c->c1.route_list)
5427 {
5428 delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
5429 es, &c->net_ctx);
5430 RESET_OPTION_ROUTES(options->routes, routes);
5431 }
5432 *update_options_found |= OPT_P_U_ROUTE;
5433 }
5434 }
5435 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
5436 {
5437 if (!(*update_options_found & OPT_P_U_ROUTE6))
5438 {
5439 VERIFY_PERMISSION(OPT_P_ROUTE);
5440 if (!check_route6_option(options, p, msglevel, pull_mode))
5441 {
5442 goto err;
5443 }
5444 if (c->c1.route_ipv6_list)
5445 {
5446 delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap,
5447 ROUTE_OPTION_FLAGS(&c->options), es, &c->net_ctx);
5448 RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6);
5449 }
5450 *update_options_found |= OPT_P_U_ROUTE6;
5451 }
5452 }
5453 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
5454 {
5455 if (!(*update_options_found & OPT_P_U_REDIR_GATEWAY))
5456 {
5457 VERIFY_PERMISSION(OPT_P_ROUTE);
5458 if (options->routes)
5459 {
5460 options->routes->flags = 0;
5461 }
5462 if (options->routes_ipv6)
5463 {
5464 options->routes_ipv6->flags = 0;
5465 }
5466 env_set_del(es, "route_redirect_gateway_ipv4");
5467 env_set_del(es, "route_redirect_gateway_ipv6");
5468 *update_options_found |= OPT_P_U_REDIR_GATEWAY;
5469 }
5470 }
5471 else if (streq(p[0], "dns") && p[1])
5472 {
5473 if (!(*update_options_found & OPT_P_U_DNS))
5474 {
5475 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5476 if (!check_dns_option(options, p, msglevel, pull_mode))
5477 {
5478 goto err;
5479 }
5480 gc_free(&options->dns_options.gc);
5481 CLEAR(options->dns_options);
5482 *update_options_found |= OPT_P_U_DNS;
5483 }
5484 }
5485#if defined(_WIN32) || defined(TARGET_ANDROID)
5486 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
5487 {
5488 if (!(*update_options_found & OPT_P_U_DHCP))
5489 {
5490 struct tuntap_options *o = &options->tuntap_options;
5491 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5492
5493 o->domain = NULL;
5494 o->netbios_scope = NULL;
5495 o->netbios_node_type = 0;
5496 o->dns6_len = 0;
5497 CLEAR(o->dns6);
5498 o->dns_len = 0;
5499 CLEAR(o->dns);
5500 o->wins_len = 0;
5501 CLEAR(o->wins);
5502 o->ntp_len = 0;
5503 CLEAR(o->ntp);
5504 o->nbdd_len = 0;
5505 CLEAR(o->nbdd);
5506 while (o->domain_search_list_len-- > 0)
5507 {
5508 o->domain_search_list[o->domain_search_list_len] = NULL;
5509 }
5510 o->disable_nbt = 0;
5511 o->dhcp_options = 0;
5512
5513 CLEAR(options->dns_options.from_dhcp);
5514#if defined(TARGET_ANDROID)
5515 o->http_proxy_port = 0;
5516 o->http_proxy = NULL;
5517#endif
5518 *update_options_found |= OPT_P_U_DHCP;
5519 }
5520 }
5521#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
5522 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
5523 {
5524 if (!(*update_options_found & OPT_P_U_DHCP))
5525 {
5526 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5527 delete_all_dhcp_fo(options, &es->list);
5528 *update_options_found |= OPT_P_U_DHCP;
5529 }
5530 }
5531#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
5532 add_option(options, p, is_inline, file, line, level, msglevel, permission_mask,
5533 option_types_found, es);
5534 return;
5535err:
5536 msg(msglevel, "Error occurred trying to update %s option", p[0]);
5537}
5538
5539static void
5540set_user_script(struct options *options, const char **script, const char *new_script,
5541 const char *type, bool in_chroot)
5542{
5543 if (*script)
5544 {
5545 msg(M_WARN,
5546 "Multiple --%s scripts defined. "
5547 "The previously configured script is overridden.",
5548 type);
5549 }
5550 *script = new_script;
5551 options->user_script_used = true;
5552
5553#ifndef ENABLE_SMALL
5554 {
5555 char script_name[100];
5556 snprintf(script_name, sizeof(script_name), "--%s script", type);
5557
5558 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5559 {
5560 msg(M_USAGE, "Please correct this error.");
5561 }
5562 }
5563#endif
5564}
5565
5566static void
5567show_compression_warning(struct compress_options *info)
5568{
5569 if (comp_non_stub_enabled(info))
5570 {
5571 msg(M_WARN, "WARNING: Compression for receiving enabled. "
5572 "Compression has been used in the past to break encryption. "
5573 "Compression support is deprecated and we recommend to disable "
5574 "it completely.");
5575 }
5576}
5577
5578bool
5579key_is_external(const struct options *options)
5580{
5581 bool ret = false;
5582 ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5583#ifdef ENABLE_PKCS11
5584 ret = ret || (options->pkcs11_providers[0] != NULL);
5585#endif
5586#ifdef ENABLE_CRYPTOAPI
5587 ret = ret || options->cryptoapi_cert;
5588#endif
5589
5590 return ret;
5591}
5592
5593void
5594add_option(struct options *options, char *p[], bool is_inline, const char *file, int line,
5595 const int level, const msglvl_t msglevel, const unsigned int permission_mask,
5596 unsigned int *option_types_found, struct env_set *es)
5597{
5598 struct gc_arena gc = gc_new();
5599 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5600 msglvl_t msglevel_fc = msglevel_forward_compatible(options, msglevel);
5601
5602 ASSERT(MAX_PARMS >= 7);
5603
5604 /*
5605 * If directive begins with "setenv opt" prefix, don't raise an error if
5606 * directive is unrecognized.
5607 */
5608 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5609 {
5610 if (!p[2])
5611 {
5612 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5613 }
5614 p += 2;
5615 msglevel_fc = M_WARN;
5616 }
5617
5618 if (!file)
5619 {
5620 file = "[CMD-LINE]";
5621 line = 1;
5622 }
5623 if (streq(p[0], "help"))
5624 {
5625 VERIFY_PERMISSION(OPT_P_GENERAL);
5626 usage();
5627 if (p[1])
5628 {
5629 msg(msglevel, "--help does not accept any parameters");
5630 goto err;
5631 }
5632 }
5633 if (streq(p[0], "version") && !p[1])
5634 {
5635 VERIFY_PERMISSION(OPT_P_GENERAL);
5636 usage_version();
5637 }
5638 else if (streq(p[0], "config") && p[1] && !p[2])
5639 {
5640 VERIFY_PERMISSION(OPT_P_CONFIG);
5641
5642 /* save first config file only in options */
5643 if (!options->config)
5644 {
5645 options->config = p[1];
5646 }
5647
5648 read_config_file(options, p[1], level, file, line, msglevel, permission_mask,
5649 option_types_found, es);
5650 }
5651#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5652 else if (streq(p[0], "show-gateway") && !p[2])
5653 {
5654 struct route_gateway_info rgi;
5655 struct route_ipv6_gateway_info rgi6;
5656 in_addr_t remote_ipv4 = 0;
5657 struct in6_addr remote_ipv6 = IN6ADDR_ANY_INIT;
5658 openvpn_net_ctx_t net_ctx;
5659 VERIFY_PERMISSION(OPT_P_GENERAL);
5660 if (p[1])
5661 {
5662 /* try parsing the argument as a v4 or v6 address - if
5663 * possible, the output will show the exact route there, and
5664 * "the default route" for the other protocol
5665 */
5666 remote_ipv4 = get_ip_addr(p[1], M_WARN, NULL);
5667 get_ipv6_addr(p[1], &remote_ipv6, NULL, M_WARN);
5668 }
5669 net_ctx_init(NULL, &net_ctx);
5670 get_default_gateway(&rgi, remote_ipv4, &net_ctx);
5671 get_default_gateway_ipv6(&rgi6, &remote_ipv6, &net_ctx);
5672 print_default_gateway(M_INFO, &rgi, &rgi6);
5673 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5674 }
5675#endif
5676 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5677 {
5678 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5679 int j;
5680 bool good = true;
5681
5682 VERIFY_PERMISSION(OPT_P_ECHO);
5683
5684 for (j = 1; j < MAX_PARMS; ++j)
5685 {
5686 if (!p[j])
5687 {
5688 break;
5689 }
5690 if (j > 1)
5691 {
5692 good &= buf_printf(&string, " ");
5693 }
5694 good &= buf_printf(&string, "%s", p[j]);
5695 }
5696 if (good)
5697 {
5698 /* only message-related ECHO are logged, since other ECHOs
5699 * can potentially include security-sensitive strings */
5700 if (p[1] && strncmp(p[1], "msg", 3) == 0)
5701 {
5702 msg(M_INFO, "%s:%s", pull_mode ? "ECHO-PULL" : "ECHO", BSTR(&string));
5703 }
5704#ifdef ENABLE_MANAGEMENT
5705 if (management)
5706 {
5707 management_echo(management, BSTR(&string), pull_mode);
5708 }
5709#endif
5710 }
5711 else
5712 {
5713 msg(M_WARN, "echo/parameter option overflow");
5714 }
5715 }
5716#ifdef ENABLE_MANAGEMENT
5717 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5718 {
5719 VERIFY_PERMISSION(OPT_P_GENERAL);
5720 if (streq(p[2], "unix"))
5721 {
5722#if UNIX_SOCK_SUPPORT
5723 options->management_flags |= MF_UNIX_SOCK;
5724#else
5725 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5726 goto err;
5727#endif
5728 }
5729
5730 options->management_addr = p[1];
5731 options->management_port = p[2];
5732 if (p[3])
5733 {
5734 options->management_user_pass = p[3];
5735 }
5736 }
5737 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5738 {
5739 VERIFY_PERMISSION(OPT_P_GENERAL);
5740 options->management_client_user = p[1];
5741 }
5742 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5743 {
5744 VERIFY_PERMISSION(OPT_P_GENERAL);
5745 options->management_client_group = p[1];
5746 }
5747 else if (streq(p[0], "management-query-passwords") && !p[1])
5748 {
5749 VERIFY_PERMISSION(OPT_P_GENERAL);
5750 options->management_flags |= MF_QUERY_PASSWORDS;
5751 }
5752 else if (streq(p[0], "management-query-remote") && !p[1])
5753 {
5754 VERIFY_PERMISSION(OPT_P_GENERAL);
5755 options->management_flags |= MF_QUERY_REMOTE;
5756 }
5757 else if (streq(p[0], "management-query-proxy") && !p[1])
5758 {
5759 VERIFY_PERMISSION(OPT_P_GENERAL);
5760 options->management_flags |= MF_QUERY_PROXY;
5761 }
5762 else if (streq(p[0], "management-hold") && !p[1])
5763 {
5764 VERIFY_PERMISSION(OPT_P_GENERAL);
5765 options->management_flags |= MF_HOLD;
5766 }
5767 else if (streq(p[0], "management-signal") && !p[1])
5768 {
5769 VERIFY_PERMISSION(OPT_P_GENERAL);
5770 options->management_flags |= MF_SIGNAL;
5771 }
5772 else if (streq(p[0], "management-forget-disconnect") && !p[1])
5773 {
5774 VERIFY_PERMISSION(OPT_P_GENERAL);
5775 options->management_flags |= MF_FORGET_DISCONNECT;
5776 }
5777 else if (streq(p[0], "management-up-down") && !p[1])
5778 {
5779 VERIFY_PERMISSION(OPT_P_GENERAL);
5780 options->management_flags |= MF_UP_DOWN;
5781 }
5782 else if (streq(p[0], "management-client") && !p[1])
5783 {
5784 VERIFY_PERMISSION(OPT_P_GENERAL);
5785 options->management_flags |= MF_CONNECT_AS_CLIENT;
5786 }
5787 else if (streq(p[0], "management-external-key"))
5788 {
5789 VERIFY_PERMISSION(OPT_P_GENERAL);
5790 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5791 {
5792 if (streq(p[j], "nopadding"))
5793 {
5794 options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
5795 }
5796 else if (streq(p[j], "pkcs1"))
5797 {
5798 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5799 }
5800 else if (streq(p[j], "pss"))
5801 {
5802 options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
5803 }
5804 else if (streq(p[j], "digest"))
5805 {
5806 options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
5807 }
5808 else
5809 {
5810 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5811 }
5812 }
5813 /*
5814 * When no option is present, assume that only PKCS1
5815 * padding is supported
5816 */
5817 if (!(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
5818 {
5819 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5820 }
5821 options->management_flags |= MF_EXTERNAL_KEY;
5822 }
5823 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5824 {
5825 VERIFY_PERMISSION(OPT_P_GENERAL);
5826 options->management_flags |= MF_EXTERNAL_CERT;
5827 options->management_certificate = p[1];
5828 }
5829 else if (streq(p[0], "management-client-auth") && !p[1])
5830 {
5831 VERIFY_PERMISSION(OPT_P_GENERAL);
5832 options->management_flags |= MF_CLIENT_AUTH;
5833 }
5834 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5835 {
5836 VERIFY_PERMISSION(OPT_P_GENERAL);
5837 if (!atoi_constrained(p[1], &options->management_log_history_cache,
5838 p[0], 1, INT_MAX, msglevel))
5839 {
5840 goto err;
5841 }
5842 }
5843#endif /* ifdef ENABLE_MANAGEMENT */
5844#ifdef ENABLE_PLUGIN
5845 else if (streq(p[0], "plugin") && p[1])
5846 {
5847 VERIFY_PERMISSION(OPT_P_PLUGIN);
5848 if (!options->plugin_list)
5849 {
5850 options->plugin_list = plugin_option_list_new(&options->gc);
5851 }
5852 if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5853 {
5854 msg(msglevel, "plugin add failed: %s", p[1]);
5855 goto err;
5856 }
5857 }
5858#endif
5859 else if (streq(p[0], "mode") && p[1] && !p[2])
5860 {
5861 VERIFY_PERMISSION(OPT_P_GENERAL);
5862 if (streq(p[1], "p2p"))
5863 {
5864 options->mode = MODE_POINT_TO_POINT;
5865 }
5866 else if (streq(p[1], "server"))
5867 {
5868 options->mode = MODE_SERVER;
5869 }
5870 else
5871 {
5872 msg(msglevel, "Bad --mode parameter: %s", p[1]);
5873 goto err;
5874 }
5875 }
5876 else if (streq(p[0], "dev") && p[1] && !p[2])
5877 {
5878 VERIFY_PERMISSION(OPT_P_GENERAL);
5879 options->dev = p[1];
5880 }
5881 else if (streq(p[0], "dev-type") && p[1] && !p[2])
5882 {
5883 VERIFY_PERMISSION(OPT_P_GENERAL);
5884 options->dev_type = p[1];
5885 }
5886#ifdef _WIN32
5887 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
5888 {
5889 VERIFY_PERMISSION(OPT_P_GENERAL);
5890 msg(M_WARN,
5891 "DEPRECATED OPTION: windows-driver: In OpenVPN 2.7, the default Windows driver is ovpn-dco. "
5892 "If incompatible options are used, OpenVPN will fall back to tap-windows6. Wintun support has been removed.");
5893 }
5894#endif
5895 else if (streq(p[0], "disable-dco"))
5896 {
5897 options->disable_dco = true;
5898 }
5899 else if (streq(p[0], "dev-node") && p[1] && !p[2])
5900 {
5901 VERIFY_PERMISSION(OPT_P_GENERAL);
5902 options->dev_node = p[1];
5903 }
5904 else if (streq(p[0], "lladdr") && p[1] && !p[2])
5905 {
5906 VERIFY_PERMISSION(OPT_P_UP);
5907 if (mac_addr_safe(p[1])) /* MAC address only */
5908 {
5909 options->lladdr = p[1];
5910 }
5911 else
5912 {
5913 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5914 goto err;
5915 }
5916 }
5917 else if (streq(p[0], "topology") && p[1] && !p[2])
5918 {
5919 VERIFY_PERMISSION(OPT_P_UP);
5920 options->topology = parse_topology(p[1], msglevel);
5921 }
5922 else if (streq(p[0], "tun-ipv6") && !p[1])
5923 {
5924 if (!pull_mode)
5925 {
5926 msg(M_WARN,
5927 "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5928 }
5929 }
5930#ifdef ENABLE_IPROUTE
5931 else if (streq(p[0], "iproute") && p[1] && !p[2])
5932 {
5933 VERIFY_PERMISSION(OPT_P_GENERAL);
5934 iproute_path = p[1];
5935 }
5936#endif
5937 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5938 {
5939 VERIFY_PERMISSION(OPT_P_UP);
5940 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
5941 && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5942 {
5943 options->ifconfig_local = p[1];
5944 options->ifconfig_remote_netmask = p[2];
5945 }
5946 else
5947 {
5948 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5949 goto err;
5950 }
5951 }
5952 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
5953 {
5954 unsigned int netbits;
5955
5956 VERIFY_PERMISSION(OPT_P_UP);
5957 if (get_ipv6_addr(p[1], NULL, &netbits, msglevel) && ipv6_addr_safe(p[2]))
5958 {
5959 if (netbits < 64 || netbits > 124)
5960 {
5961 msg(msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'",
5962 netbits);
5963 goto err;
5964 }
5965
5966 options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
5967 options->ifconfig_ipv6_netbits = netbits;
5968 options->ifconfig_ipv6_remote = p[2];
5969 }
5970 else
5971 {
5972 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5973 goto err;
5974 }
5975 }
5976 else if (streq(p[0], "ifconfig-noexec") && !p[1])
5977 {
5978 VERIFY_PERMISSION(OPT_P_UP);
5979 options->ifconfig_noexec = true;
5980 }
5981 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
5982 {
5983 VERIFY_PERMISSION(OPT_P_UP);
5984 options->ifconfig_nowarn = true;
5985 }
5986 else if (streq(p[0], "local") && p[1] && !p[4])
5987 {
5988 struct local_entry *e;
5989
5990 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
5991
5992 e = alloc_local_entry(&options->ce, M_USAGE, &options->gc);
5993 ASSERT(e);
5994
5995 /* '*' is treated as 'ask the system to get some socket',
5996 * therefore force binding on a particular address only when
5997 * actually specified. */
5998 if (strcmp(p[1], "*") != 0)
5999 {
6000 e->local = p[1];
6001 }
6002
6003 if (p[2])
6004 {
6005 e->port = p[2];
6006 }
6007
6008 if (p[3])
6009 {
6010 e->proto = ascii2proto(p[3]);
6011 }
6012 }
6013 else if (streq(p[0], "remote-random") && !p[1])
6014 {
6015 VERIFY_PERMISSION(OPT_P_GENERAL);
6016 options->remote_random = true;
6017 }
6018 else if (streq(p[0], "connection") && p[1] && !p[3])
6019 {
6020 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
6021 if (is_inline)
6022 {
6023 struct options sub;
6024 struct connection_entry *e;
6025
6026 init_options(&sub, true);
6027 sub.ce = options->ce;
6028 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel, OPT_P_CONNECTION,
6029 option_types_found, es);
6030 if (!sub.ce.remote)
6031 {
6032 msg(msglevel,
6033 "Each 'connection' block must contain exactly one 'remote' directive");
6034 uninit_options(&sub);
6035 goto err;
6036 }
6037
6038 e = alloc_connection_entry(options, msglevel);
6039 if (!e)
6040 {
6041 uninit_options(&sub);
6042 goto err;
6043 }
6044 *e = sub.ce;
6045 gc_transfer(&options->gc, &sub.gc);
6046 uninit_options(&sub);
6047 }
6048 }
6049 else if (streq(p[0], "ignore-unknown-option") && p[1])
6050 {
6051 int i;
6052 int j;
6053 int numignored = 0;
6054 const char **ignore;
6055
6056 VERIFY_PERMISSION(OPT_P_GENERAL);
6057 /* Find out how many options to be ignored */
6058 for (i = 1; p[i]; i++)
6059 {
6060 numignored++;
6061 }
6062
6063 /* add number of options already ignored */
6064 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
6065 {
6066 numignored++;
6067 }
6068
6069 /* Allocate array */
6070 ALLOC_ARRAY_GC(ignore, const char *, numignored + 1, &options->gc);
6071 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
6072 {
6073 ignore[i] = options->ignore_unknown_option[i];
6074 }
6075
6076 options->ignore_unknown_option = ignore;
6077
6078 for (j = 1; p[j]; j++)
6079 {
6080 /* Allow the user to specify ignore-unknown-option --opt too */
6081 if (p[j][0] == '-' && p[j][1] == '-')
6082 {
6083 options->ignore_unknown_option[i] = (p[j] + 2);
6084 }
6085 else
6086 {
6087 options->ignore_unknown_option[i] = p[j];
6088 }
6089 i++;
6090 }
6091
6092 options->ignore_unknown_option[i] = NULL;
6093 }
6094#if ENABLE_MANAGEMENT
6095 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6096 {
6097 VERIFY_PERMISSION(OPT_P_GENERAL);
6098 options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], &options->gc);
6099 if (!options->http_proxy_override)
6100 {
6101 goto err;
6102 }
6103 }
6104#endif
6105 else if (streq(p[0], "remote") && p[1] && !p[4])
6106 {
6107 struct remote_entry re;
6108 re.remote = re.remote_port = NULL;
6109 re.proto = -1;
6110 re.af = 0;
6111
6112 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6113 re.remote = p[1];
6114 if (p[2])
6115 {
6116 re.remote_port = p[2];
6117 if (p[3])
6118 {
6119 const int proto = ascii2proto(p[3]);
6120 const sa_family_t af = ascii2af(p[3]);
6121 if (proto < 0)
6122 {
6123 msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
6124 goto err;
6125 }
6126 re.proto = proto;
6127 re.af = af;
6128 }
6129 }
6130 if (permission_mask & OPT_P_GENERAL)
6131 {
6132 struct remote_entry *e = alloc_remote_entry(options, msglevel);
6133 if (!e)
6134 {
6135 goto err;
6136 }
6137 *e = re;
6138 }
6139 else if (permission_mask & OPT_P_CONNECTION)
6140 {
6141 connection_entry_load_re(&options->ce, &re);
6142 }
6143 }
6144 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6145 {
6146 VERIFY_PERMISSION(OPT_P_GENERAL);
6147 if (streq(p[1], "infinite"))
6148 {
6149 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6150 }
6151 else
6152 {
6153 options->resolve_retry_seconds = positive_atoi(p[1], msglevel);
6154 }
6155 }
6156 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6157 {
6158 VERIFY_PERMISSION(OPT_P_GENERAL);
6159 options->resolve_in_advance = true;
6160 /* Note the ip-remote-hint and the argument p[1] are for
6161 * backward compatibility */
6162 if (p[1])
6163 {
6164 options->ip_remote_hint = p[1];
6165 }
6166 }
6167 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6168 {
6169 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6170 options->ce.connect_retry_seconds = positive_atoi(p[1], msglevel);
6171 /*
6172 * Limit the base value of retry wait interval to 16 bits to avoid
6173 * overflow when scaled up for exponential backoff
6174 */
6175 if (options->ce.connect_retry_seconds > 0xFFFF)
6176 {
6177 options->ce.connect_retry_seconds = 0xFFFF;
6178 msg(M_WARN, "connect retry wait interval truncated to %d",
6179 options->ce.connect_retry_seconds);
6180 }
6181
6182 if (p[2])
6183 {
6184 options->ce.connect_retry_seconds_max =
6185 max_int(positive_atoi(p[2], msglevel), options->ce.connect_retry_seconds);
6186 }
6187 }
6188 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout")) && p[1]
6189 && !p[2])
6190 {
6191 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6192 options->ce.connect_timeout = positive_atoi(p[1], msglevel);
6193 }
6194 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6195 {
6196 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6197 options->connect_retry_max = positive_atoi(p[1], msglevel);
6198 }
6199 else if (streq(p[0], "ipchange") && p[1])
6200 {
6201 VERIFY_PERMISSION(OPT_P_SCRIPT);
6202 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6203 {
6204 goto err;
6205 }
6206 set_user_script(options, &options->ipchange,
6207 string_substitute(p[1], ',', ' ', &options->gc), "ipchange", true);
6208 }
6209 else if (streq(p[0], "float") && !p[1])
6210 {
6211 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6212 options->ce.remote_float = true;
6213 }
6214#ifdef ENABLE_DEBUG
6215 else if (streq(p[0], "gremlin") && p[1] && !p[2])
6216 {
6217 VERIFY_PERMISSION(OPT_P_GENERAL);
6218 options->gremlin = positive_atoi(p[1], msglevel);
6219 }
6220#endif
6221 else if (streq(p[0], "chroot") && p[1] && !p[2])
6222 {
6223 VERIFY_PERMISSION(OPT_P_GENERAL);
6224 options->chroot_dir = p[1];
6225 }
6226 else if (streq(p[0], "cd") && p[1] && !p[2])
6227 {
6228 VERIFY_PERMISSION(OPT_P_GENERAL);
6229 if (platform_chdir(p[1]))
6230 {
6231 msg(M_ERR, "cd to '%s' failed", p[1]);
6232 goto err;
6233 }
6234 options->cd_dir = p[1];
6235 }
6236#ifdef ENABLE_SELINUX
6237 else if (streq(p[0], "setcon") && p[1] && !p[2])
6238 {
6239 VERIFY_PERMISSION(OPT_P_GENERAL);
6240 options->selinux_context = p[1];
6241 }
6242#endif
6243 else if (streq(p[0], "writepid") && p[1] && !p[2])
6244 {
6245 VERIFY_PERMISSION(OPT_P_GENERAL);
6246 options->writepid = p[1];
6247 }
6248 else if (streq(p[0], "up") && p[1])
6249 {
6250 VERIFY_PERMISSION(OPT_P_SCRIPT);
6251 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6252 {
6253 goto err;
6254 }
6255 set_user_script(options, &options->up_script, p[1], "up", false);
6256 }
6257 else if (streq(p[0], "down") && p[1])
6258 {
6259 VERIFY_PERMISSION(OPT_P_SCRIPT);
6260 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6261 {
6262 goto err;
6263 }
6264 set_user_script(options, &options->down_script, p[1], "down", true);
6265 }
6266 else if (streq(p[0], "down-pre") && !p[1])
6267 {
6268 VERIFY_PERMISSION(OPT_P_GENERAL);
6269 options->down_pre = true;
6270 }
6271 else if (streq(p[0], "up-delay") && !p[1])
6272 {
6273 VERIFY_PERMISSION(OPT_P_GENERAL);
6274 options->up_delay = true;
6275 }
6276 else if (streq(p[0], "up-restart") && !p[1])
6277 {
6278 VERIFY_PERMISSION(OPT_P_GENERAL);
6279 options->up_restart = true;
6280 }
6281 else if (streq(p[0], "syslog") && !p[2])
6282 {
6283 VERIFY_PERMISSION(OPT_P_GENERAL);
6284 open_syslog(p[1], false);
6285 }
6286 else if (streq(p[0], "daemon") && !p[2])
6287 {
6288 bool didit = false;
6289 VERIFY_PERMISSION(OPT_P_GENERAL);
6290 if (!options->daemon)
6291 {
6292 options->daemon = didit = true;
6293 open_syslog(p[1], false);
6294 }
6295 if (p[1])
6296 {
6297 if (!didit)
6298 {
6299 msg(M_WARN,
6300 "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)",
6301 p[1]);
6302 goto err;
6303 }
6304 }
6305 }
6306 else if (streq(p[0], "log") && p[1] && !p[2])
6307 {
6308 VERIFY_PERMISSION(OPT_P_GENERAL);
6309 options->log = true;
6310 redirect_stdout_stderr(p[1], false);
6311 }
6312 else if (streq(p[0], "suppress-timestamps") && !p[1])
6313 {
6314 VERIFY_PERMISSION(OPT_P_GENERAL);
6315 options->suppress_timestamps = true;
6316 set_suppress_timestamps(true);
6317 }
6318 else if (streq(p[0], "machine-readable-output") && !p[1])
6319 {
6320 VERIFY_PERMISSION(OPT_P_GENERAL);
6321 options->machine_readable_output = true;
6322 set_machine_readable_output(true);
6323 }
6324 else if (streq(p[0], "log-append") && p[1] && !p[2])
6325 {
6326 VERIFY_PERMISSION(OPT_P_GENERAL);
6327 options->log = true;
6328 redirect_stdout_stderr(p[1], true);
6329 }
6330 else if (streq(p[0], "mlock") && !p[1])
6331 {
6332 VERIFY_PERMISSION(OPT_P_GENERAL);
6333 options->mlock = true;
6334 }
6335#if ENABLE_IP_PKTINFO
6336 else if (streq(p[0], "multihome") && !p[2])
6337 {
6338 VERIFY_PERMISSION(OPT_P_GENERAL);
6339 options->sockflags |= SF_USE_IP_PKTINFO;
6340 if (p[1] && streq(p[1], "same-interface"))
6341 {
6342 options->sockflags |= SF_PKTINFO_COPY_IIF;
6343 }
6344 else if (p[1])
6345 {
6346 msg(msglevel, "Unknown parameter to --multihome: %s", p[1]);
6347 }
6348 }
6349#endif
6350 else if (streq(p[0], "verb") && p[1] && !p[2])
6351 {
6352 VERIFY_PERMISSION(OPT_P_MESSAGES);
6353 options->verbosity = positive_atoi(p[1], msglevel);
6354 if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6355 {
6356 /* We pass this flag to the SSL library to avoid
6357 * mbed TLS always generating debug level logging */
6358 options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6359 }
6360#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6361 /* Warn when a debug verbosity is supplied when built without debug support */
6362 if (options->verbosity >= 7)
6363 {
6364 msg(M_WARN,
6365 "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6366 options->verbosity);
6367 }
6368#endif
6369 }
6370 else if (streq(p[0], "mute") && p[1] && !p[2])
6371 {
6372 VERIFY_PERMISSION(OPT_P_MESSAGES);
6373 options->mute = positive_atoi(p[1], msglevel);
6374 }
6375 else if (streq(p[0], "errors-to-stderr") && !p[1])
6376 {
6377 VERIFY_PERMISSION(OPT_P_MESSAGES);
6378 errors_to_stderr();
6379 }
6380 else if (streq(p[0], "status") && p[1] && !p[3])
6381 {
6382 VERIFY_PERMISSION(OPT_P_GENERAL);
6383 options->status_file = p[1];
6384 if (p[2])
6385 {
6386 options->status_file_update_freq = positive_atoi(p[2], msglevel);
6387 }
6388 }
6389 else if (streq(p[0], "status-version") && p[1] && !p[2])
6390 {
6391 VERIFY_PERMISSION(OPT_P_GENERAL);
6392 if (!atoi_constrained(p[1], &options->status_file_version, p[0], 1, 3, msglevel))
6393 {
6394 goto err;
6395 }
6396 }
6397 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6398 {
6399 VERIFY_PERMISSION(OPT_P_GENERAL);
6400 if (streq(p[1], "SIGHUP"))
6401 {
6402 options->remap_sigusr1 = SIGHUP;
6403 }
6404 else if (streq(p[1], "SIGTERM"))
6405 {
6406 options->remap_sigusr1 = SIGTERM;
6407 }
6408 else
6409 {
6410 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6411 goto err;
6412 }
6413 }
6414 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6415 {
6416 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6417 options->ce.link_mtu = positive_atoi(p[1], msglevel);
6418 options->ce.link_mtu_defined = true;
6419 }
6420 else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6421 {
6422 VERIFY_PERMISSION(OPT_P_PUSH_MTU | OPT_P_CONNECTION);
6423 options->ce.tun_mtu = positive_atoi(p[1], msglevel);
6424 options->ce.tun_mtu_defined = true;
6425 if (p[2])
6426 {
6427 options->ce.occ_mtu = positive_atoi(p[2], msglevel);
6428 }
6429 else
6430 {
6431 options->ce.occ_mtu = 0;
6432 }
6433 }
6434 else if (streq(p[0], "tun-mtu-max") && p[1] && !p[2])
6435 {
6436 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6437 atoi_constrained(p[1], &options->ce.tun_mtu_max, p[0], TUN_MTU_MAX_MIN, 65536, msglevel);
6438 }
6439 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6440 {
6441 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6442 if (atoi_constrained(p[1], &options->ce.tun_mtu_extra, p[0], 0, 65536, msglevel))
6443 {
6444 options->ce.tun_mtu_extra_defined = true;
6445 }
6446 }
6447 else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
6448 {
6449 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6450 int maxmtu = positive_atoi(p[1], msglevel);
6451 options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
6452
6453 if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
6454 {
6455 msg(M_WARN,
6456 "Note: max-packet-size value outside of allowed "
6457 "control channel packet size (%d to %d), will use %d "
6458 "instead.",
6459 TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE, options->ce.tls_mtu);
6460 }
6461
6462 /* also set mssfix maxmtu mtu */
6463 options->ce.mssfix = maxmtu;
6464 options->ce.mssfix_default = false;
6465 options->ce.mssfix_encap = true;
6466 }
6467#ifdef ENABLE_FRAGMENT
6468 else if (streq(p[0], "mtu-dynamic"))
6469 {
6470 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6471 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6472 goto err;
6473 }
6474 else if (streq(p[0], "fragment") && p[1] && !p[3])
6475 {
6476 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6477 if (!atoi_constrained(p[1], &options->ce.fragment, p[0], 68, INT_MAX, msglevel))
6478 {
6479 goto err;
6480 }
6481
6482 if (p[2] && streq(p[2], "mtu"))
6483 {
6484 options->ce.fragment_encap = true;
6485 }
6486 else if (p[2])
6487 {
6488 msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6489 }
6490 }
6491#endif /* ifdef ENABLE_FRAGMENT */
6492 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6493 {
6494 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6495 options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6496 }
6497 else if (streq(p[0], "mtu-test") && !p[1])
6498 {
6499 VERIFY_PERMISSION(OPT_P_GENERAL);
6500 options->mtu_test = true;
6501 }
6502 else if (streq(p[0], "nice") && p[1] && !p[2])
6503 {
6504 VERIFY_PERMISSION(OPT_P_NICE);
6505 options->nice = atoi_warn(p[1], msglevel);
6506 }
6507 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6508 {
6509 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6510 options->rcvbuf = positive_atoi(p[1], msglevel);
6511 }
6512 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6513 {
6514 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6515 options->sndbuf = positive_atoi(p[1], msglevel);
6516 }
6517 else if (streq(p[0], "mark") && p[1] && !p[2])
6518 {
6519#if defined(TARGET_LINUX)
6520 VERIFY_PERMISSION(OPT_P_GENERAL);
6521 options->mark = atoi_warn(p[1], msglevel);
6522#endif
6523 }
6524 else if (streq(p[0], "socket-flags"))
6525 {
6526 int j;
6527 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6528 for (j = 1; j < MAX_PARMS && p[j]; ++j)
6529 {
6530 if (streq(p[j], "TCP_NODELAY"))
6531 {
6532 options->sockflags |= SF_TCP_NODELAY;
6533 }
6534 else
6535 {
6536 msg(msglevel, "unknown socket flag: %s", p[j]);
6537 }
6538 }
6539 }
6540#ifdef TARGET_LINUX
6541 else if (streq(p[0], "bind-dev") && p[1])
6542 {
6543 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6544 options->bind_dev = p[1];
6545 }
6546#endif
6547 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6548 {
6549 VERIFY_PERMISSION(OPT_P_GENERAL);
6550#ifdef TARGET_LINUX
6551 options->tuntap_options.txqueuelen = positive_atoi(p[1], msglevel);
6552#else
6553 msg(msglevel, "--txqueuelen not supported on this OS");
6554 goto err;
6555#endif
6556 }
6557 else if (streq(p[0], "shaper") && p[1] && !p[2])
6558 {
6559 VERIFY_PERMISSION(OPT_P_SHAPER);
6560 if (!atoi_constrained(p[1], &options->shaper, p[0], SHAPER_MIN, SHAPER_MAX, msglevel))
6561 {
6562 goto err;
6563 }
6564 }
6565 else if (streq(p[0], "port") && p[1] && !p[2])
6566 {
6567 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6568 options->ce.local_port = options->ce.remote_port = p[1];
6569 }
6570 else if (streq(p[0], "lport") && p[1] && !p[2])
6571 {
6572 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6573
6574 /* only trigger bind() if port is not 0 (or --local is used) */
6575 if (!streq(p[1], "0"))
6576 {
6577 options->ce.local_port_defined = true;
6578 }
6579 options->ce.local_port = p[1];
6580 }
6581 else if (streq(p[0], "rport") && p[1] && !p[2])
6582 {
6583 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6584 options->ce.remote_port = p[1];
6585 }
6586 else if (streq(p[0], "bind") && !p[2])
6587 {
6588 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6589 options->ce.bind_defined = true;
6590 if (p[1] && streq(p[1], "ipv6only"))
6591 {
6592 options->ce.bind_ipv6_only = true;
6593 }
6594 }
6595 else if (streq(p[0], "nobind") && !p[1])
6596 {
6597 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6598 options->ce.bind_local = false;
6599 }
6600 else if (streq(p[0], "fast-io") && !p[1])
6601 {
6602 VERIFY_PERMISSION(OPT_P_GENERAL);
6603 options->fast_io = true;
6604 }
6605 else if (streq(p[0], "inactive") && p[1] && !p[3])
6606 {
6607 VERIFY_PERMISSION(OPT_P_TIMER);
6608 options->inactivity_timeout = positive_atoi(p[1], msglevel);
6609 if (p[2])
6610 {
6611 positive_atoll(p[2], &options->inactivity_minimum_bytes, p[0], msglevel);
6612 if (options->inactivity_minimum_bytes > INT_MAX)
6613 {
6614 msg(M_WARN,
6615 "WARNING: '--inactive' with a 'bytes' value"
6616 " >2 Gbyte was silently ignored in older versions. If "
6617 " your VPN exits unexpectedly with 'Inactivity timeout'"
6618 " in %d seconds, revisit this value.",
6619 options->inactivity_timeout);
6620 }
6621 }
6622 }
6623 else if (streq(p[0], "session-timeout") && p[1] && !p[2])
6624 {
6625 VERIFY_PERMISSION(OPT_P_TIMER);
6626 options->session_timeout = positive_atoi(p[1], msglevel);
6627 }
6628 else if (streq(p[0], "proto") && p[1] && !p[2])
6629 {
6630 int proto;
6631 sa_family_t af;
6632 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6633 proto = ascii2proto(p[1]);
6634 af = ascii2af(p[1]);
6635 if (proto < 0)
6636 {
6637 msg(msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s", p[1],
6638 proto2ascii_all(&gc));
6639 goto err;
6640 }
6641 options->ce.proto = proto;
6642 options->ce.af = af;
6643 }
6644 else if (streq(p[0], "proto-force") && p[1] && !p[2])
6645 {
6646 int proto_force;
6647 VERIFY_PERMISSION(OPT_P_GENERAL);
6648 proto_force = ascii2proto(p[1]);
6649 if (proto_force < 0)
6650 {
6651 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6652 goto err;
6653 }
6654 options->proto_force = proto_force;
6655 }
6656 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6657 {
6658 struct http_proxy_options *ho;
6659
6660 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6661
6662 {
6663 if (!p[2])
6664 {
6665 msg(msglevel, "http-proxy port number not defined");
6666 goto err;
6667 }
6668
6669 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6670
6671 ho->server = p[1];
6672 ho->port = p[2];
6673 }
6674
6675 if (p[3])
6676 {
6677 /* auto -- try to figure out proxy addr, port, and type automatically */
6678 /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6679 if (streq(p[3], "auto"))
6680 {
6681 ho->auth_retry = PAR_ALL;
6682 }
6683 else if (streq(p[3], "auto-nct"))
6684 {
6685 ho->auth_retry = PAR_NCT;
6686 }
6687 else
6688 {
6689 ho->auth_method_string = "basic";
6690 ho->auth_file = p[3];
6691
6692 if (p[4])
6693 {
6694 ho->auth_method_string = p[4];
6695 }
6696 }
6697 }
6698 else
6699 {
6700 ho->auth_method_string = "none";
6701 }
6702 }
6703 else if (streq(p[0], "http-proxy-user-pass") && p[1])
6704 {
6705 struct http_proxy_options *ho;
6706 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
6707 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6708 ho->auth_file_up = p[1];
6709 ho->inline_creds = is_inline;
6710 }
6711 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
6712 {
6713 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6714 msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6715 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6716 "Use connect-retry-max 1 to get a similar behavior as before.");
6717 }
6718 else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
6719 {
6720 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6721 msg(M_WARN,
6722 "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6723 "server is established is managed with a single timeout set by connect-timeout");
6724 }
6725 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6726 {
6727 struct http_proxy_options *ho;
6728
6729 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6730 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6731
6732 if (streq(p[1], "VERSION") && p[2] && !p[3])
6733 {
6734 ho->http_version = p[2];
6735 }
6736 else if (streq(p[1], "AGENT") && p[2] && !p[3])
6737 {
6738 ho->user_agent = p[2];
6739 }
6740 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6741 && p[2])
6742 {
6743 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6744 * with either two argument or one */
6745
6746 struct http_custom_header *custom_header = NULL;
6747 int i;
6748 /* Find the first free header */
6749 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6750 {
6751 if (!ho->custom_headers[i].name)
6752 {
6753 custom_header = &ho->custom_headers[i];
6754 break;
6755 }
6756 }
6757 if (!custom_header)
6758 {
6759 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'",
6760 MAX_CUSTOM_HTTP_HEADER, p[1]);
6761 }
6762 else
6763 {
6764 /* We will save p[2] and p[3], the proxy code will detect if
6765 * p[3] is NULL */
6766 custom_header->name = p[2];
6767 custom_header->content = p[3];
6768 }
6769 }
6770 else
6771 {
6772 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6773 }
6774 }
6775 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6776 {
6777 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6778
6779 if (p[2])
6780 {
6781 options->ce.socks_proxy_port = p[2];
6782 }
6783 else
6784 {
6785 options->ce.socks_proxy_port = "1080";
6786 }
6787 options->ce.socks_proxy_server = p[1];
6788 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
6789 }
6790 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
6791 {
6792 VERIFY_PERMISSION(OPT_P_GENERAL);
6793 options->keepalive_ping = atoi_warn(p[1], msglevel);
6794 options->keepalive_timeout = atoi_warn(p[2], msglevel);
6795 }
6796 else if (streq(p[0], "ping") && p[1] && !p[2])
6797 {
6798 VERIFY_PERMISSION(OPT_P_TIMER);
6799 options->ping_send_timeout = positive_atoi(p[1], msglevel);
6800 }
6801 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
6802 {
6803 VERIFY_PERMISSION(OPT_P_TIMER);
6804 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
6805 options->ping_rec_timeout_action = PING_EXIT;
6806 }
6807 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
6808 {
6809 VERIFY_PERMISSION(OPT_P_TIMER);
6810 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
6811 options->ping_rec_timeout_action = PING_RESTART;
6812 }
6813 else if (streq(p[0], "ping-timer-rem") && !p[1])
6814 {
6815 VERIFY_PERMISSION(OPT_P_TIMER);
6816 options->ping_timer_remote = true;
6817 }
6818 else if (streq(p[0], "explicit-exit-notify") && !p[2])
6819 {
6820 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_EXPLICIT_NOTIFY);
6821 if (p[1])
6822 {
6823 options->ce.explicit_exit_notification = positive_atoi(p[1], msglevel);
6824 }
6825 else
6826 {
6827 options->ce.explicit_exit_notification = 1;
6828 }
6829 }
6830 else if (streq(p[0], "persist-tun") && !p[1])
6831 {
6832 VERIFY_PERMISSION(OPT_P_PERSIST);
6833 options->persist_tun = true;
6834 }
6835 else if (streq(p[0], "persist-key") && !p[1])
6836 {
6837 VERIFY_PERMISSION(OPT_P_PERSIST);
6838 msg(M_WARN, "DEPRECATED: --persist-key option ignored. "
6839 "Keys are now always persisted across restarts. ");
6840 }
6841 else if (streq(p[0], "persist-local-ip") && !p[1])
6842 {
6843 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6844 options->persist_local_ip = true;
6845 }
6846 else if (streq(p[0], "persist-remote-ip") && !p[1])
6847 {
6848 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6849 options->persist_remote_ip = true;
6850 }
6851 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
6852 {
6853 VERIFY_PERMISSION(OPT_P_ROUTE);
6854 cnol_check_alloc(options);
6855 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
6856 }
6857 else if (streq(p[0], "route-table") && p[1] && !p[2])
6858 {
6859#ifndef ENABLE_SITNL
6860 msg(M_WARN, "NOTE: --route-table is supported only on Linux when SITNL is built-in");
6861#endif
6862 VERIFY_PERMISSION(OPT_P_ROUTE_TABLE);
6863 options->route_default_table_id = positive_atoi(p[1], msglevel);
6864 }
6865 else if (streq(p[0], "route") && p[1] && !p[5])
6866 {
6867 VERIFY_PERMISSION(OPT_P_ROUTE);
6868 if (!check_route_option(options, p, msglevel, pull_mode))
6869 {
6870 goto err;
6871 }
6872 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4],
6873 options->route_default_table_id);
6874 }
6875 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
6876 {
6877 VERIFY_PERMISSION(OPT_P_ROUTE);
6878 if (!check_route6_option(options, p, msglevel, pull_mode))
6879 {
6880 goto err;
6881 }
6882 add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3],
6883 options->route_default_table_id);
6884 }
6885 else if (streq(p[0], "max-routes") && !p[2])
6886 {
6887 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. "
6888 "The number of routes is unlimited as of OpenVPN 2.4. "
6889 "This option will be removed in a future version, "
6890 "please remove it from your configuration.");
6891 }
6892 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
6893 {
6894 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6895 if (streq(p[1], "dhcp"))
6896 {
6897 options->route_gateway_via_dhcp = true;
6898 }
6899 else
6900 {
6901 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
6902 || is_special_addr(p[1])) /* FQDN -- may be DNS name */
6903 {
6904 options->route_default_gateway = p[1];
6905 }
6906 else
6907 {
6908 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
6909 goto err;
6910 }
6911 }
6912 }
6913 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
6914 {
6915 if (ipv6_addr_safe(p[1]))
6916 {
6917 options->route_ipv6_default_gateway = p[1];
6918 }
6919 else
6920 {
6921 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
6922 goto err;
6923 }
6924 }
6925 else if (streq(p[0], "route-metric") && p[1] && !p[2])
6926 {
6927 VERIFY_PERMISSION(OPT_P_ROUTE);
6928 options->route_default_metric = positive_atoi(p[1], msglevel);
6929 }
6930 else if (streq(p[0], "route-delay") && !p[3])
6931 {
6932 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6933 options->route_delay_defined = true;
6934 if (p[1])
6935 {
6936 options->route_delay = positive_atoi(p[1], msglevel);
6937 if (p[2])
6938 {
6939 options->route_delay_window = positive_atoi(p[2], msglevel);
6940 }
6941 }
6942 else
6943 {
6944 options->route_delay = 0;
6945 }
6946 }
6947 else if (streq(p[0], "route-up") && p[1])
6948 {
6949 VERIFY_PERMISSION(OPT_P_SCRIPT);
6950 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6951 {
6952 goto err;
6953 }
6954 set_user_script(options, &options->route_script, p[1], "route-up", false);
6955 }
6956 else if (streq(p[0], "route-pre-down") && p[1])
6957 {
6958 VERIFY_PERMISSION(OPT_P_SCRIPT);
6959 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6960 {
6961 goto err;
6962 }
6963 set_user_script(options, &options->route_predown_script, p[1], "route-pre-down", true);
6964 }
6965 else if (streq(p[0], "route-noexec") && !p[1])
6966 {
6967 VERIFY_PERMISSION(OPT_P_SCRIPT);
6968 options->route_noexec = true;
6969 }
6970 else if (streq(p[0], "route-nopull") && !p[1])
6971 {
6972 VERIFY_PERMISSION(OPT_P_GENERAL);
6973 options->route_nopull = true;
6974 }
6975 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
6976 {
6977 struct pull_filter *f;
6978 VERIFY_PERMISSION(OPT_P_GENERAL)
6979 f = alloc_pull_filter(options);
6980
6981 if (strcmp("accept", p[1]) == 0)
6982 {
6983 f->type = PUF_TYPE_ACCEPT;
6984 }
6985 else if (strcmp("ignore", p[1]) == 0)
6986 {
6987 f->type = PUF_TYPE_IGNORE;
6988 }
6989 else if (strcmp("reject", p[1]) == 0)
6990 {
6991 f->type = PUF_TYPE_REJECT;
6992 }
6993 else
6994 {
6995 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
6996 goto err;
6997 }
6998 f->pattern = p[2];
6999 f->size = strlen(p[2]);
7000 }
7001 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
7002 {
7003 VERIFY_PERMISSION(OPT_P_GENERAL);
7004 options->allow_pull_fqdn = true;
7005 }
7006 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7007 {
7008 int j;
7009 VERIFY_PERMISSION(OPT_P_ROUTE);
7010 rol_check_alloc(options);
7011
7012 if (options->routes->flags & RG_ENABLE)
7013 {
7014 msg(M_WARN, "WARNING: You have specified redirect-gateway and "
7015 "redirect-private at the same time (or the same option "
7016 "multiple times). This is not well supported and may lead to "
7017 "unexpected results");
7018 }
7019
7020 options->routes->flags |= RG_ENABLE;
7021
7022 if (streq(p[0], "redirect-gateway"))
7023 {
7024 options->routes->flags |= RG_REROUTE_GW;
7025 }
7026 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7027 {
7028 if (streq(p[j], "local"))
7029 {
7030 options->routes->flags |= RG_LOCAL;
7031 }
7032 else if (streq(p[j], "autolocal"))
7033 {
7034 options->routes->flags |= RG_AUTO_LOCAL;
7035 }
7036 else if (streq(p[j], "def1"))
7037 {
7038 options->routes->flags |= RG_DEF1;
7039 }
7040 else if (streq(p[j], "bypass-dhcp"))
7041 {
7042 options->routes->flags |= RG_BYPASS_DHCP;
7043 }
7044 else if (streq(p[j], "bypass-dns"))
7045 {
7046 options->routes->flags |= RG_BYPASS_DNS;
7047 }
7048 else if (streq(p[j], "block-local"))
7049 {
7050 options->routes->flags |= RG_BLOCK_LOCAL;
7051 }
7052 else if (streq(p[j], "ipv6"))
7053 {
7054 rol6_check_alloc(options);
7055 options->routes_ipv6->flags |= RG_REROUTE_GW;
7056 }
7057 else if (streq(p[j], "!ipv4"))
7058 {
7059 options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7060 }
7061 else
7062 {
7063 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7064 goto err;
7065 }
7066 }
7067 if (options->routes->flags & RG_REROUTE_GW)
7068 {
7069 setenv_int(es, "route_redirect_gateway_ipv4",
7070 options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
7071 }
7072 if (options->routes_ipv6 && (options->routes_ipv6->flags & RG_REROUTE_GW))
7073 {
7074 setenv_int(es, "route_redirect_gateway_ipv6",
7075 options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
7076 }
7077#ifdef _WIN32
7078 /* we need this here to handle pushed --redirect-gateway */
7079 remap_redirect_gateway_flags(options);
7080#endif
7081 }
7082 else if (streq(p[0], "block-ipv6") && !p[1])
7083 {
7084 VERIFY_PERMISSION(OPT_P_ROUTE);
7085 options->block_ipv6 = true;
7086 }
7087 else if (streq(p[0], "remote-random-hostname") && !p[1])
7088 {
7089 VERIFY_PERMISSION(OPT_P_GENERAL);
7090 options->sockflags |= SF_HOST_RANDOMIZE;
7091 }
7092 else if (streq(p[0], "setenv") && p[1] && !p[3])
7093 {
7094 VERIFY_PERMISSION(OPT_P_GENERAL);
7095 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7096 {
7097 options->sockflags |= SF_HOST_RANDOMIZE;
7098 }
7099 else if (streq(p[1], "GENERIC_CONFIG"))
7100 {
7101 msg(msglevel, "this is a generic configuration and cannot directly be used");
7102 goto err;
7103 }
7104 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7105 {
7106 options->push_peer_info = true;
7107 }
7108 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7109 {
7110 options->ce.connect_timeout = positive_atoi(p[2], msglevel);
7111 }
7112 else
7113 {
7114 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7115 {
7116 options->forward_compatible = true;
7117 msglevel_fc = msglevel_forward_compatible(options, msglevel);
7118 }
7119 setenv_str(es, p[1], p[2] ? p[2] : "");
7120 }
7121 }
7122 else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7123 {
7124 unsigned int major, minor, patch;
7125 if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7126 {
7127 msg(msglevel, "cannot parse version number for --compat-mode: %s", p[1]);
7128 goto err;
7129 }
7130
7131 options->backwards_compatible = major * 10000 + minor * 100 + patch;
7132 }
7133 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7134 {
7135 VERIFY_PERMISSION(OPT_P_SETENV);
7136 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7137 }
7138 else if (streq(p[0], "script-security") && p[1] && !p[2])
7139 {
7140 VERIFY_PERMISSION(OPT_P_GENERAL);
7141 int security;
7142 if (atoi_constrained(p[1], &security, p[0], SSEC_NONE, SSEC_PW_ENV, msglevel))
7143 {
7144 script_security_set(security);
7145 }
7146 }
7147 else if (streq(p[0], "mssfix") && !p[3])
7148 {
7149 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7150 if (p[1])
7151 {
7152 int mssfix;
7153 if (!atoi_constrained(p[1], &mssfix, p[0], 0, UINT16_MAX, msglevel))
7154 {
7155 goto err;
7156 }
7157 if (mssfix != 0 && mssfix < TLS_CHANNEL_MTU_MIN)
7158 {
7159 msg(msglevel, "mssfix needs to be >= %d, not %d", TLS_CHANNEL_MTU_MIN, mssfix);
7160 goto err;
7161 }
7162
7163 /* value specified, assume encapsulation is not
7164 * included unless "mtu" follows later */
7165 options->ce.mssfix = mssfix;
7166 options->ce.mssfix_encap = false;
7167 options->ce.mssfix_default = false;
7168 }
7169 else
7170 {
7171 /* Set MTU to default values */
7172 options->ce.mssfix_default = true;
7173 options->ce.mssfix_encap = true;
7174 options->ce.mssfix_fixed = false;
7175 }
7176
7177 if (p[2] && streq(p[2], "mtu"))
7178 {
7179 options->ce.mssfix_encap = true;
7180 }
7181 else if (p[2] && streq(p[2], "fixed"))
7182 {
7183 options->ce.mssfix_fixed = true;
7184 }
7185 else if (p[2])
7186 {
7187 msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7188 }
7189 }
7190 else if (streq(p[0], "disable-occ") && !p[1])
7191 {
7192 VERIFY_PERMISSION(OPT_P_GENERAL);
7193 options->occ = false;
7194 }
7195 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7196 {
7197 const int lev = M_WARN;
7198 bool error = false;
7199 in_addr_t network, netmask;
7200
7201 VERIFY_PERMISSION(OPT_P_GENERAL);
7202 network = get_ip_addr(p[1], lev, &error);
7203 netmask = get_ip_addr(p[2], lev, &error);
7204 if (error || !network || !netmask)
7205 {
7206 msg(msglevel, "error parsing --server parameters");
7207 goto err;
7208 }
7209 options->server_defined = true;
7210 options->server_network = network;
7211 options->server_netmask = netmask;
7212
7213 if (p[3])
7214 {
7215 if (streq(p[3], "nopool"))
7216 {
7217 options->server_flags |= SF_NOPOOL;
7218 }
7219 else
7220 {
7221 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7222 goto err;
7223 }
7224 }
7225 }
7226 else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7227 {
7228 const int lev = M_WARN;
7229 struct in6_addr network;
7230 unsigned int netbits = 0;
7231
7232 VERIFY_PERMISSION(OPT_P_GENERAL);
7233 if (!get_ipv6_addr(p[1], &network, &netbits, lev))
7234 {
7235 msg(msglevel, "error parsing --server-ipv6 parameter");
7236 goto err;
7237 }
7238 if (netbits < 64 || netbits > 124)
7239 {
7240 msg(msglevel, "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7241 netbits);
7242
7243 goto err;
7244 }
7245 options->server_ipv6_defined = true;
7246 options->server_network_ipv6 = network;
7247 options->server_netbits_ipv6 = netbits;
7248 }
7249 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7250 {
7251 const int lev = M_WARN;
7252 bool error = false;
7253 in_addr_t ip, netmask, pool_start, pool_end;
7254
7255 VERIFY_PERMISSION(OPT_P_GENERAL);
7256 ip = get_ip_addr(p[1], lev, &error);
7257 netmask = get_ip_addr(p[2], lev, &error);
7258 pool_start = get_ip_addr(p[3], lev, &error);
7259 pool_end = get_ip_addr(p[4], lev, &error);
7260 if (error || !ip || !netmask || !pool_start || !pool_end)
7261 {
7262 msg(msglevel, "error parsing --server-bridge parameters");
7263 goto err;
7264 }
7265 options->server_bridge_defined = true;
7266 options->server_bridge_ip = ip;
7267 options->server_bridge_netmask = netmask;
7268 options->server_bridge_pool_start = pool_start;
7269 options->server_bridge_pool_end = pool_end;
7270 }
7271 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7272 {
7273 VERIFY_PERMISSION(OPT_P_GENERAL);
7274 options->server_bridge_proxy_dhcp = true;
7275 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7276 }
7277 else if (streq(p[0], "server-bridge") && !p[1])
7278 {
7279 VERIFY_PERMISSION(OPT_P_GENERAL);
7280 options->server_bridge_proxy_dhcp = true;
7281 }
7282 else if (streq(p[0], "push") && p[1] && !p[2])
7283 {
7284 VERIFY_PERMISSION(OPT_P_PUSH);
7285 push_options(options, &p[1], msglevel, &options->gc);
7286 }
7287 else if (streq(p[0], "push-reset") && !p[1])
7288 {
7289 VERIFY_PERMISSION(OPT_P_INSTANCE);
7290 push_reset(options);
7291 }
7292 else if (streq(p[0], "push-remove") && p[1] && !p[2])
7293 {
7294 VERIFY_PERMISSION(OPT_P_INSTANCE);
7295 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7296 push_remove_option(options, p[1]);
7297 }
7298 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7299 {
7300 const int lev = M_WARN;
7301 bool error = false;
7302 in_addr_t start, end, netmask = 0;
7303
7304 VERIFY_PERMISSION(OPT_P_GENERAL);
7305 start = get_ip_addr(p[1], lev, &error);
7306 end = get_ip_addr(p[2], lev, &error);
7307 if (p[3])
7308 {
7309 netmask = get_ip_addr(p[3], lev, &error);
7310 }
7311 if (error)
7312 {
7313 msg(msglevel, "error parsing --ifconfig-pool parameters");
7314 goto err;
7315 }
7316 if (!ifconfig_pool_verify_range(msglevel, start, end))
7317 {
7318 goto err;
7319 }
7320
7321 options->ifconfig_pool_defined = true;
7322 options->ifconfig_pool_start = start;
7323 options->ifconfig_pool_end = end;
7324 if (netmask)
7325 {
7326 options->ifconfig_pool_netmask = netmask;
7327 }
7328 }
7329 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7330 {
7331 VERIFY_PERMISSION(OPT_P_GENERAL);
7332 options->ifconfig_pool_persist_filename = p[1];
7333 if (p[2])
7334 {
7335 options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2], msglevel);
7336 }
7337 }
7338 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7339 {
7340 const int lev = M_WARN;
7341 struct in6_addr network;
7342 unsigned int netbits = 0;
7343
7344 VERIFY_PERMISSION(OPT_P_GENERAL);
7345 if (!get_ipv6_addr(p[1], &network, &netbits, lev))
7346 {
7347 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7348 goto err;
7349 }
7350 if (netbits < 64 || netbits > 124)
7351 {
7352 msg(msglevel,
7353 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7354 netbits);
7355 goto err;
7356 }
7357
7358 options->ifconfig_ipv6_pool_defined = true;
7359 options->ifconfig_ipv6_pool_base = network;
7360 options->ifconfig_ipv6_pool_netbits = netbits;
7361 }
7362 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7363 {
7364 int real, virtual;
7365
7366 VERIFY_PERMISSION(OPT_P_GENERAL);
7367 if (!atoi_constrained(p[1], &real, "hash-size real", 1, INT_MAX, msglevel)
7368 || !atoi_constrained(p[2], &virtual, "hash-size virtual", 1, INT_MAX, msglevel))
7369 {
7370 goto err;
7371 }
7372 options->real_hash_size = (uint32_t)real;
7373 options->virtual_hash_size = (uint32_t)virtual;
7374 }
7375 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7376 {
7377 int cf_max, cf_per;
7378
7379 VERIFY_PERMISSION(OPT_P_GENERAL);
7380 if (!atoi_constrained(p[1], &cf_max, "connect-freq n", 1, INT_MAX, msglevel)
7381 || !atoi_constrained(p[2], &cf_per, "connect-freq seconds", 1, INT_MAX, msglevel))
7382 {
7383 goto err;
7384 }
7385 options->cf_max = cf_max;
7386 options->cf_per = cf_per;
7387 }
7388 else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7389 {
7390 int cf_max, cf_per;
7391
7392 VERIFY_PERMISSION(OPT_P_GENERAL);
7393 if (!atoi_constrained(p[1], &cf_max, "connect-freq-initial n", 1, INT_MAX, msglevel)
7394 || !atoi_constrained(p[2], &cf_per, "connect-freq-initial seconds", 1, INT_MAX, msglevel))
7395 {
7396 goto err;
7397 }
7398 options->cf_initial_max = cf_max;
7399 options->cf_initial_per = cf_per;
7400 }
7401 else if (streq(p[0], "max-clients") && p[1] && !p[2])
7402 {
7403 VERIFY_PERMISSION(OPT_P_GENERAL);
7404 if (!atoi_constrained(p[1], &options->max_clients, p[0], 1, MAX_PEER_ID, msglevel))
7405 {
7406 goto err;
7407 }
7408 }
7409 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7410 {
7411 VERIFY_PERMISSION(OPT_P_INHERIT);
7412 atoi_constrained(p[1], &options->max_routes_per_client, p[0], 1, INT_MAX, msglevel);
7413 }
7414 else if (streq(p[0], "client-cert-not-required") && !p[1])
7415 {
7416 VERIFY_PERMISSION(OPT_P_GENERAL);
7417 msg(M_FATAL,
7418 "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7419 }
7420 else if (streq(p[0], "verify-client-cert") && !p[2])
7421 {
7422 VERIFY_PERMISSION(OPT_P_GENERAL);
7423
7424 /* Reset any existing flags */
7425 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7426 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7427 if (p[1])
7428 {
7429 if (streq(p[1], "none"))
7430 {
7431 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
7432 }
7433 else if (streq(p[1], "optional"))
7434 {
7435 options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7436 }
7437 else if (!streq(p[1], "require"))
7438 {
7439 msg(msglevel,
7440 "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7441 goto err;
7442 }
7443 }
7444 }
7445 else if (streq(p[0], "username-as-common-name") && !p[1])
7446 {
7447 VERIFY_PERMISSION(OPT_P_GENERAL);
7448 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7449 }
7450 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7451 {
7452 VERIFY_PERMISSION(OPT_P_GENERAL);
7453 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7454 }
7455 else if (streq(p[0], "opt-verify") && !p[1])
7456 {
7457 VERIFY_PERMISSION(OPT_P_GENERAL);
7458 msg(M_INFO, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7.");
7459 }
7460 else if (streq(p[0], "auth-user-pass-verify") && p[1])
7461 {
7462 VERIFY_PERMISSION(OPT_P_SCRIPT);
7463 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7464 {
7465 goto err;
7466 }
7467 if (p[2])
7468 {
7469 if (streq(p[2], "via-env"))
7470 {
7471 options->auth_user_pass_verify_script_via_file = false;
7472 }
7473 else if (streq(p[2], "via-file"))
7474 {
7475 options->auth_user_pass_verify_script_via_file = true;
7476 }
7477 else
7478 {
7479 msg(msglevel,
7480 "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7481 goto err;
7482 }
7483 }
7484 else
7485 {
7486 msg(msglevel,
7487 "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7488 goto err;
7489 }
7490 set_user_script(options, &options->auth_user_pass_verify_script, p[1],
7491 "auth-user-pass-verify", true);
7492 }
7493 else if (streq(p[0], "auth-gen-token"))
7494 {
7495 VERIFY_PERMISSION(OPT_P_GENERAL);
7496 options->auth_token_generate = true;
7497 options->auth_token_lifetime = p[1] ? positive_atoi(p[1], msglevel) : 0;
7498
7499 for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
7500 {
7501 /* the second parameter can be the renewal time */
7502 if (i == 2 && valid_integer(p[i], true))
7503 {
7504 options->auth_token_renewal = positive_atoi(p[i], msglevel);
7505 }
7506 else if (streq(p[i], "external-auth"))
7507 {
7508 options->auth_token_call_auth = true;
7509 }
7510 else
7511 {
7512 msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
7513 }
7514 }
7515 }
7516 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7517 {
7518 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
7519 options->auth_token_secret_file = p[1];
7520 options->auth_token_secret_file_inline = is_inline;
7521 }
7522 else if (streq(p[0], "client-connect") && p[1])
7523 {
7524 VERIFY_PERMISSION(OPT_P_SCRIPT);
7525 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7526 {
7527 goto err;
7528 }
7529 set_user_script(options, &options->client_connect_script, p[1], "client-connect", true);
7530 }
7531 else if (streq(p[0], "client-crresponse") && p[1])
7532 {
7533 VERIFY_PERMISSION(OPT_P_SCRIPT);
7534 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7535 {
7536 goto err;
7537 }
7538 set_user_script(options, &options->client_crresponse_script, p[1], "client-crresponse",
7539 true);
7540 }
7541 else if (streq(p[0], "client-disconnect") && p[1])
7542 {
7543 VERIFY_PERMISSION(OPT_P_SCRIPT);
7544 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7545 {
7546 goto err;
7547 }
7548 set_user_script(options, &options->client_disconnect_script, p[1], "client-disconnect",
7549 true);
7550 }
7551 else if (streq(p[0], "learn-address") && p[1])
7552 {
7553 VERIFY_PERMISSION(OPT_P_SCRIPT);
7554 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7555 {
7556 goto err;
7557 }
7558 set_user_script(options, &options->learn_address_script, p[1], "learn-address", true);
7559 }
7560 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7561 {
7562 VERIFY_PERMISSION(OPT_P_GENERAL);
7563 options->tmp_dir = p[1];
7564 }
7565 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7566 {
7567 VERIFY_PERMISSION(OPT_P_GENERAL);
7568 options->client_config_dir = p[1];
7569 }
7570 else if (streq(p[0], "ccd-exclusive") && !p[1])
7571 {
7572 VERIFY_PERMISSION(OPT_P_GENERAL);
7573 options->ccd_exclusive = true;
7574 }
7575 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7576 {
7577 VERIFY_PERMISSION(OPT_P_GENERAL);
7578 atoi_constrained(p[1], &options->n_bcast_buf, p[0], 1, INT_MAX, msglevel);
7579 }
7580 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7581 {
7582 VERIFY_PERMISSION(OPT_P_GENERAL);
7583 atoi_constrained(p[1], &options->tcp_queue_limit, p[0], 1, INT_MAX, msglevel);
7584 }
7585#if PORT_SHARE
7586 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7587 {
7588 VERIFY_PERMISSION(OPT_P_GENERAL);
7589 options->port_share_host = p[1];
7590 options->port_share_port = p[2];
7591 options->port_share_journal_dir = p[3];
7592 }
7593#endif
7594 else if (streq(p[0], "client-to-client") && !p[1])
7595 {
7596 VERIFY_PERMISSION(OPT_P_GENERAL);
7597 options->enable_c2c = true;
7598 }
7599 else if (streq(p[0], "duplicate-cn") && !p[1])
7600 {
7601 VERIFY_PERMISSION(OPT_P_GENERAL);
7602 options->duplicate_cn = true;
7603 }
7604 else if (streq(p[0], "iroute") && p[1] && !p[3])
7605 {
7606 VERIFY_PERMISSION(OPT_P_INSTANCE);
7607 option_iroute(options, p[1], p[2], msglevel);
7608 }
7609 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7610 {
7611 VERIFY_PERMISSION(OPT_P_INSTANCE);
7612 option_iroute_ipv6(options, p[1], msglevel);
7613 }
7614 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7615 {
7616 in_addr_t local, remote_netmask;
7617
7618 VERIFY_PERMISSION(OPT_P_INSTANCE);
7619 local = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7620 remote_netmask = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7621 if (local && remote_netmask)
7622 {
7623 options->push_ifconfig_defined = true;
7624 options->push_ifconfig_local = local;
7625 options->push_ifconfig_remote_netmask = remote_netmask;
7626 if (p[3])
7627 {
7628 options->push_ifconfig_local_alias =
7629 getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7630 }
7631 }
7632 else
7633 {
7634 msg(msglevel, "cannot parse --ifconfig-push addresses");
7635 goto err;
7636 }
7637 }
7638 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7639 {
7640 in_addr_t network, netmask;
7641
7642 VERIFY_PERMISSION(OPT_P_GENERAL);
7643 network = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7644 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7645 if (network && netmask)
7646 {
7647 options->push_ifconfig_constraint_defined = true;
7648 options->push_ifconfig_constraint_network = network;
7649 options->push_ifconfig_constraint_netmask = netmask;
7650 }
7651 else
7652 {
7653 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7654 goto err;
7655 }
7656 }
7657 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7658 {
7659 struct in6_addr local, remote;
7660 unsigned int netbits;
7661
7662 VERIFY_PERMISSION(OPT_P_INSTANCE);
7663
7664 if (!get_ipv6_addr(p[1], &local, &netbits, msglevel))
7665 {
7666 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7667 goto err;
7668 }
7669
7670 if (p[2])
7671 {
7672 if (!get_ipv6_addr(p[2], &remote, NULL, msglevel))
7673 {
7674 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7675 goto err;
7676 }
7677 }
7678 else
7679 {
7680 if (!options->ifconfig_ipv6_local
7681 || !get_ipv6_addr(options->ifconfig_ipv6_local, &remote, NULL, msglevel))
7682 {
7683 msg(msglevel,
7684 "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7685 goto err;
7686 }
7687 }
7688
7689 options->push_ifconfig_ipv6_defined = true;
7690 options->push_ifconfig_ipv6_local = local;
7691 options->push_ifconfig_ipv6_netbits = netbits;
7692 options->push_ifconfig_ipv6_remote = remote;
7693 options->push_ifconfig_ipv6_blocked = false;
7694 }
7695 else if (streq(p[0], "disable") && !p[1])
7696 {
7697 VERIFY_PERMISSION(OPT_P_INSTANCE);
7698 options->disable = true;
7699 }
7700 else if (streq(p[0], "override-username") && p[1] && !p[2])
7701 {
7702 VERIFY_PERMISSION(OPT_P_INSTANCE);
7703 if (strlen(p[1]) > USER_PASS_LEN)
7704 {
7705 msg(msglevel,
7706 "override-username exceeds the maximum length of %d "
7707 "characters",
7708 USER_PASS_LEN);
7709
7710 /* disable the connection since ignoring the request to
7711 * set another username might cause serious problems */
7712 options->disable = true;
7713 }
7714 else
7715 {
7716 options->override_username = p[1];
7717 }
7718 }
7719 else if (streq(p[0], "tcp-nodelay") && !p[1])
7720 {
7721 VERIFY_PERMISSION(OPT_P_GENERAL);
7722 options->server_flags |= SF_TCP_NODELAY_HELPER;
7723 }
7724 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7725 {
7726 int ageing_time, check_interval;
7727
7728 VERIFY_PERMISSION(OPT_P_GENERAL);
7729 if (!atoi_constrained(p[1], &ageing_time, "stale-routes-check age", 1, INT_MAX, msglevel))
7730 {
7731 goto err;
7732 }
7733
7734 if (p[2])
7735 {
7736 if (!atoi_constrained(p[2], &check_interval,
7737 "stale-routes-check interval", 1, INT_MAX, msglevel))
7738 {
7739 goto err;
7740 }
7741 }
7742 else
7743 {
7744 check_interval = ageing_time;
7745 }
7746
7747 options->stale_routes_ageing_time = ageing_time;
7748 options->stale_routes_check_interval = check_interval;
7749 }
7750
7751 else if (streq(p[0], "client") && !p[1])
7752 {
7753 VERIFY_PERMISSION(OPT_P_GENERAL);
7754 options->client = true;
7755 }
7756 else if (streq(p[0], "pull") && !p[1])
7757 {
7758 VERIFY_PERMISSION(OPT_P_GENERAL);
7759 options->pull = true;
7760 }
7761 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
7762 {
7763 VERIFY_PERMISSION(OPT_P_PULL_MODE);
7764 atoi_constrained(p[1], &options->push_continuation, p[0], 0, 2, msglevel);
7765 }
7766 else if (streq(p[0], "auth-user-pass") && !p[2])
7767 {
7768 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
7769 if (p[1])
7770 {
7771 options->auth_user_pass_file = p[1];
7772 options->auth_user_pass_file_inline = is_inline;
7773 }
7774 else
7775 {
7776 options->auth_user_pass_file = "stdin";
7777 }
7778 }
7779 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
7780 {
7781 VERIFY_PERMISSION(OPT_P_GENERAL);
7782 auth_retry_set(msglevel, p[1]);
7783 }
7784#ifdef ENABLE_MANAGEMENT
7785 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[4])
7786 {
7787 VERIFY_PERMISSION(OPT_P_GENERAL);
7788 options->sc_info.challenge_text = p[1];
7789 if (atoi_warn(p[2], msglevel))
7790 {
7791 options->sc_info.flags |= SC_ECHO;
7792 }
7793 if (p[3] && streq(p[3], "concat"))
7794 {
7795 options->sc_info.flags |= SC_CONCAT;
7796 }
7797 else if (p[3] && !streq(p[3], "scrv1"))
7798 {
7799 msg(msglevel, "--static-challenge: unknown format indicator '%s'", p[3]);
7800 goto err;
7801 }
7802 }
7803#endif
7804 else if (streq(p[0], "msg-channel") && p[1])
7805 {
7806#ifdef _WIN32
7807 VERIFY_PERMISSION(OPT_P_GENERAL);
7808 HANDLE process = GetCurrentProcess();
7809 HANDLE handle = (HANDLE)((intptr_t)atoll(p[1]));
7810 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0, FALSE,
7811 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
7812 {
7813 msg(msglevel, "could not duplicate service pipe handle");
7814 goto err;
7815 }
7816 options->route_method = ROUTE_METHOD_SERVICE;
7817#else /* ifdef _WIN32 */
7818 msg(msglevel, "--msg-channel is only supported on Windows");
7819 goto err;
7820#endif
7821 }
7822#ifdef _WIN32
7823 else if (streq(p[0], "win-sys") && p[1] && !p[2])
7824 {
7825 VERIFY_PERMISSION(OPT_P_GENERAL);
7826 if (streq(p[1], "env"))
7827 {
7828 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
7829 "This entry will now be ignored. "
7830 "Please remove this entry from your configuration file.");
7831 }
7832 else
7833 {
7834 set_win_sys_path(p[1], es);
7835 }
7836 }
7837 else if (streq(p[0], "route-method") && p[1] && !p[2])
7838 {
7839 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7840 if (streq(p[1], "adaptive"))
7841 {
7842 options->route_method = ROUTE_METHOD_ADAPTIVE;
7843 }
7844 else if (streq(p[1], "ipapi"))
7845 {
7846 options->route_method = ROUTE_METHOD_IPAPI;
7847 }
7848 else if (streq(p[1], "exe"))
7849 {
7850 options->route_method = ROUTE_METHOD_EXE;
7851 }
7852 else
7853 {
7854 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
7855 goto err;
7856 }
7857 }
7858 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
7859 {
7860 const int index = ascii2ipset(p[1]);
7861 struct tuntap_options *to = &options->tuntap_options;
7862
7863 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7864
7865 if (index < 0)
7866 {
7867 msg(msglevel, "Bad --ip-win32 method: '%s'. Allowed methods: %s", p[1],
7868 ipset2ascii_all(&gc));
7869 goto err;
7870 }
7871
7872 if (index == IPW32_SET_ADAPTIVE)
7873 {
7874 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
7875 }
7876
7877 if (index == IPW32_SET_DHCP_MASQ)
7878 {
7879 if (p[2])
7880 {
7881 if (!streq(p[2], "default"))
7882 {
7883 int offset;
7884
7885 if (!atoi_constrained(p[2], &offset, "ip-win32 offset", -256, 256, msglevel))
7886 {
7887 goto err;
7888 }
7889 to->dhcp_masq_custom_offset = true;
7890 to->dhcp_masq_offset = offset;
7891 }
7892
7893 if (p[3])
7894 {
7895 if (!atoi_constrained(p[3], &to->dhcp_lease_time,
7896 "ip-win32 lease time", 30, INT_MAX, msglevel))
7897 {
7898 goto err;
7899 }
7900 }
7901 }
7902 }
7903 to->ip_win32_type = index;
7904 to->ip_win32_defined = true;
7905 }
7906#endif /* ifdef _WIN32 */
7907 else if (streq(p[0], "dns-updown") && p[1])
7908 {
7909 VERIFY_PERMISSION(OPT_P_SCRIPT);
7910 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7911 {
7912 goto err;
7913 }
7914 struct dns_options *dns = &options->dns_options;
7915 if (streq(p[1], "disable"))
7916 {
7917 dns->updown = NULL;
7918 dns->updown_flags = DNS_UPDOWN_NO_FLAGS;
7919 }
7920 else if (streq(p[1], "force"))
7921 {
7922 /* force dns-updown run, even if a --up script is defined */
7923 if (!dns_updown_user_set(dns))
7924 {
7925 dns->updown = DEFAULT_DNS_UPDOWN;
7926 dns->updown_flags = DNS_UPDOWN_FORCED;
7927 }
7928 }
7929 else
7930 {
7931 if (streq(dns->updown, DEFAULT_DNS_UPDOWN))
7932 {
7933 /* Unset the default command to prevent warnings */
7934 dns->updown = NULL;
7935 }
7936 set_user_script(options, &dns->updown, p[1], p[0], false);
7937 dns->updown_flags = DNS_UPDOWN_USER_SET;
7938 }
7939 }
7940 else if (streq(p[0], "dns") && p[1])
7941 {
7942 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7943 if (!check_dns_option(options, p, msglevel, pull_mode))
7944 {
7945 goto err;
7946 }
7947 }
7948 else if (streq(p[0], "dhcp-option") && p[1])
7949 {
7950 struct dhcp_options *dhcp = &options->dns_options.from_dhcp;
7951#if defined(_WIN32) || defined(TARGET_ANDROID)
7952 struct tuntap_options *o = &options->tuntap_options;
7953#endif
7954 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7955
7956 bool dhcp_optional = false;
7957
7958 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX")) && p[2] && !p[3])
7959 {
7960 if (!validate_domain(p[2]))
7961 {
7962 msg(msglevel, "--dhcp-option %s contains invalid characters", p[1]);
7963 goto err;
7964 }
7965
7966 dhcp->domain = p[2];
7967 dhcp_optional = true;
7968 }
7969 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
7970 {
7971 if (!validate_domain(p[2]))
7972 {
7973 msg(msglevel, "--dhcp-option %s contains invalid characters", p[1]);
7974 goto err;
7975 }
7976
7977 if (dhcp->domain_search_list_len < N_SEARCH_LIST_LEN)
7978 {
7979 dhcp->domain_search_list[dhcp->domain_search_list_len++] = p[2];
7980 }
7981 else
7982 {
7983 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
7984 p[1], N_SEARCH_LIST_LEN);
7985 }
7986 dhcp_optional = true;
7987 }
7988 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
7989 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
7990 {
7991 if (strstr(p[2], ":"))
7992 {
7993 dhcp_option_dns6_parse(p[2], dhcp->dns6, &dhcp->dns6_len, msglevel);
7994 }
7995 else
7996 {
7997 dhcp_option_address_parse("DNS", p[2], dhcp->dns, &dhcp->dns_len, msglevel);
7998 dhcp_optional = true;
7999 }
8000 }
8001#if defined(_WIN32) || defined(TARGET_ANDROID)
8002 else if (streq(p[1], "NBS") && p[2] && !p[3])
8003 {
8004 o->netbios_scope = p[2];
8005 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8006 }
8007 else if (streq(p[1], "NBT") && p[2] && !p[3])
8008 {
8009 int t = atoi_warn(p[2], msglevel);
8010 if (!(t == 1 || t == 2 || t == 4 || t == 8))
8011 {
8012 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8013 goto err;
8014 }
8015 o->netbios_node_type = (uint8_t)t;
8016 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8017 }
8018 else if (streq(p[1], "WINS") && p[2] && !p[3])
8019 {
8020 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8021 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8022 }
8023 else if (streq(p[1], "NTP") && p[2] && !p[3])
8024 {
8025 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8026 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8027 }
8028 else if (streq(p[1], "NBDD") && p[2] && !p[3])
8029 {
8030 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8031 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8032 }
8033 else if (streq(p[1], "DISABLE-NBT") && !p[2])
8034 {
8035 o->disable_nbt = 1;
8036 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8037 }
8038#if defined(TARGET_ANDROID)
8039 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8040 {
8041 o->http_proxy_port = positive_atoi(p[3], msglevel);
8042 o->http_proxy = p[2];
8043 }
8044#endif
8045 else
8046 {
8047 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter",
8048 p[1]);
8049 goto err;
8050 }
8051#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8052 setenv_foreign_option(options, p[1], p[2], es);
8053#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8054
8055 if (dhcp_optional)
8056 {
8057#if defined(_WIN32) || defined(TARGET_ANDROID)
8058 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8059#endif
8060 }
8061 }
8062#ifdef _WIN32
8063 else if (streq(p[0], "show-adapters") && !p[1])
8064 {
8065 VERIFY_PERMISSION(OPT_P_GENERAL);
8066 show_tap_win_adapters(M_INFO | M_NOPREFIX, M_WARN | M_NOPREFIX);
8067 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8068 }
8069 else if (streq(p[0], "show-net") && !p[1])
8070 {
8071 VERIFY_PERMISSION(OPT_P_GENERAL);
8072 show_routes(M_INFO | M_NOPREFIX);
8073 show_adapters(M_INFO | M_NOPREFIX);
8074 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8075 }
8076 else if (streq(p[0], "show-net-up") && !p[1])
8077 {
8078 VERIFY_PERMISSION(OPT_P_UP);
8079 options->show_net_up = true;
8080 }
8081 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8082 {
8083 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8084 if (!atoi_constrained(p[1], &options->tuntap_options.tap_sleep, p[0], 0, 255, msglevel))
8085 {
8086 goto err;
8087 }
8088 }
8089 else if (streq(p[0], "dhcp-renew") && !p[1])
8090 {
8091 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8092 options->tuntap_options.dhcp_renew = true;
8093 }
8094 else if (streq(p[0], "dhcp-pre-release") && !p[1])
8095 {
8096 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8097 options->tuntap_options.dhcp_pre_release = true;
8098 options->tuntap_options.dhcp_renew = true;
8099 }
8100 else if (streq(p[0], "dhcp-release") && !p[1])
8101 {
8102 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8103 }
8104 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8105 {
8106 unsigned int adapter_index;
8107 VERIFY_PERMISSION(OPT_P_GENERAL);
8108 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8109 adapter_index = atou(p[1]);
8110 sleep(options->tuntap_options.tap_sleep);
8111 if (options->tuntap_options.dhcp_pre_release)
8112 {
8113 dhcp_release_by_adapter_index(adapter_index);
8114 }
8115 if (options->tuntap_options.dhcp_renew)
8116 {
8117 dhcp_renew_by_adapter_index(adapter_index);
8118 }
8119 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8120 }
8121 else if (streq(p[0], "register-dns") && !p[1])
8122 {
8123 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8124 options->tuntap_options.register_dns = true;
8125 }
8126 else if (streq(p[0], "block-outside-dns") && !p[1])
8127 {
8128 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8129 options->block_outside_dns = true;
8130 }
8131 else if (streq(p[0], "rdns-internal") && !p[1])
8132 /* standalone method for internal use
8133 *
8134 * (if --register-dns is set, openvpn needs to call itself in a
8135 * sub-process to execute the required functions in a non-blocking
8136 * way, and uses --rdns-internal to signal that to itself)
8137 */
8138 {
8139 VERIFY_PERMISSION(OPT_P_GENERAL);
8140 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8141 if (options->tuntap_options.register_dns)
8142 {
8143 ipconfig_register_dns(NULL);
8144 }
8145 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8146 }
8147 else if (streq(p[0], "show-valid-subnets") && !p[1])
8148 {
8149 VERIFY_PERMISSION(OPT_P_GENERAL);
8150 show_valid_win32_tun_subnets();
8151 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8152 }
8153 else if (streq(p[0], "pause-exit") && !p[1])
8154 {
8155 VERIFY_PERMISSION(OPT_P_GENERAL);
8156 set_pause_exit_win32();
8157 }
8158 else if (streq(p[0], "service") && p[1] && !p[3])
8159 {
8160 VERIFY_PERMISSION(OPT_P_GENERAL);
8161 options->exit_event_name = p[1];
8162 if (p[2])
8163 {
8164 options->exit_event_initial_state = (atoi_warn(p[2], msglevel) != 0);
8165 }
8166 }
8167 else if (streq(p[0], "allow-nonadmin") && !p[2])
8168 {
8169 VERIFY_PERMISSION(OPT_P_GENERAL);
8170 tap_allow_nonadmin_access(p[1]);
8171 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8172 }
8173 else if (streq(p[0], "user") && p[1] && !p[2])
8174 {
8175 VERIFY_PERMISSION(OPT_P_GENERAL);
8176 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8177 }
8178 else if (streq(p[0], "group") && p[1] && !p[2])
8179 {
8180 VERIFY_PERMISSION(OPT_P_GENERAL);
8181 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8182 }
8183#else /* ifdef _WIN32 */
8184 else if (streq(p[0], "user") && p[1] && !p[2])
8185 {
8186 VERIFY_PERMISSION(OPT_P_GENERAL);
8187 options->username = p[1];
8188 }
8189 else if (streq(p[0], "group") && p[1] && !p[2])
8190 {
8191 VERIFY_PERMISSION(OPT_P_GENERAL);
8192 options->groupname = p[1];
8193 }
8194 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8195 {
8196 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8197 setenv_foreign_option(options, p[1], p[2], es);
8198 }
8199 else if (streq(p[0], "route-method") && p[1] && !p[2])
8200 {
8201 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8202 /* ignore when pushed to non-Windows OS */
8203 }
8204#endif /* ifdef _WIN32 */
8205#if PASSTOS_CAPABILITY
8206 else if (streq(p[0], "passtos") && !p[1])
8207 {
8208 VERIFY_PERMISSION(OPT_P_GENERAL);
8209 options->passtos = true;
8210 }
8211#endif
8212 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8213 {
8214 VERIFY_PERMISSION(OPT_P_GENERAL);
8215
8216 if (streq(p[1], "no"))
8217 {
8218 options->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
8219 if (comp_non_stub_enabled(&options->comp))
8220 {
8221 msg(msglevel, "'--allow-compression no' conflicts with "
8222 " enabling compression");
8223 }
8224 }
8225 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8226 {
8227 /* Also printed on a push to hint at configuration problems */
8228 msg(msglevel,
8229 "Cannot set allow-compression to '%s' "
8230 "after set to 'no'",
8231 p[1]);
8232 goto err;
8233 }
8234 else if (streq(p[1], "asym"))
8235 {
8236 options->comp.flags |= COMP_F_ALLOW_ASYM;
8237 }
8238 else if (streq(p[1], "yes"))
8239 {
8240 msg(M_WARN,
8241 "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. "
8242 "We will use \"asym\" mode instead. See the manual page for more information.");
8243
8244 options->comp.flags |= COMP_F_ALLOW_ASYM;
8245 }
8246 else
8247 {
8248 msg(msglevel,
8249 "bad allow-compression option: %s -- "
8250 "must be 'yes', 'no', or 'asym'",
8251 p[1]);
8252 goto err;
8253 }
8254 }
8255 else if (streq(p[0], "comp-lzo") && !p[2])
8256 {
8257 VERIFY_PERMISSION(OPT_P_COMP);
8258
8259 /* All lzo variants do not use swap */
8260 options->comp.flags &= ~COMP_F_SWAP;
8261 options->comp.alg = COMP_ALG_LZO;
8262
8263 if (p[1])
8264 {
8265 if (streq(p[1], "no"))
8266 {
8267 options->comp.alg = COMP_ALG_STUB;
8268 }
8269 /* There is no actual difference anymore between these variants.
8270 * We never compress. On the server side we replace this with
8271 * --compress migrate later anyway.
8272 */
8273 else if (!(streq(p[1], "yes") || streq(p[1], "adaptive")))
8274 {
8275 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'",
8276 p[1]);
8277 goto err;
8278 }
8279 }
8280 show_compression_warning(&options->comp);
8281 }
8282 else if (streq(p[0], "comp-noadapt") && !p[1])
8283 {
8284 /* NO-OP since we never compress anymore */
8285 }
8286 else if (streq(p[0], "compress") && !p[2])
8287 {
8288 VERIFY_PERMISSION(OPT_P_COMP);
8289 const char *alg = "stub";
8290 if (p[1])
8291 {
8292 alg = p[1];
8293 }
8294
8295 if (streq(alg, "stub"))
8296 {
8297 options->comp.alg = COMP_ALG_STUB;
8298 options->comp.flags |= (COMP_F_SWAP | COMP_F_ADVERTISE_STUBS_ONLY);
8299 }
8300 else if (streq(alg, "stub-v2"))
8301 {
8302 options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8303 options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8304 }
8305 else if (streq(alg, "migrate"))
8306 {
8307 options->comp.alg = COMP_ALG_UNDEF;
8308 options->comp.flags = COMP_F_MIGRATE;
8309 }
8310 else if (streq(alg, "lzo"))
8311 {
8312 options->comp.alg = COMP_ALG_LZO;
8313 options->comp.flags &= ~COMP_F_SWAP;
8314 }
8315 else if (streq(alg, "lz4"))
8316 {
8317 options->comp.alg = COMP_ALG_LZ4;
8318 options->comp.flags |= COMP_F_SWAP;
8319 }
8320 else if (streq(alg, "lz4-v2"))
8321 {
8322 options->comp.alg = COMP_ALGV2_LZ4;
8323 }
8324 else
8325 {
8326 msg(msglevel, "bad comp option: %s", alg);
8327 goto err;
8328 }
8329
8330 show_compression_warning(&options->comp);
8331 }
8332 else if (streq(p[0], "show-ciphers") && !p[1])
8333 {
8334 VERIFY_PERMISSION(OPT_P_GENERAL);
8335 options->show_ciphers = true;
8336 }
8337 else if (streq(p[0], "show-digests") && !p[1])
8338 {
8339 VERIFY_PERMISSION(OPT_P_GENERAL);
8340 options->show_digests = true;
8341 }
8342 else if (streq(p[0], "show-engines") && !p[1])
8343 {
8344 VERIFY_PERMISSION(OPT_P_GENERAL);
8345 options->show_engines = true;
8346 }
8347 else if (streq(p[0], "key-direction") && p[1] && !p[2])
8348 {
8349 int key_direction;
8350
8351 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
8352
8353 key_direction = ascii2keydirection(msglevel, p[1]);
8354 if (key_direction >= 0)
8355 {
8356 if (permission_mask & OPT_P_GENERAL)
8357 {
8358 options->key_direction = key_direction;
8359 }
8360 else if (permission_mask & OPT_P_CONNECTION)
8361 {
8362 options->ce.key_direction = key_direction;
8363 }
8364 }
8365 else
8366 {
8367 goto err;
8368 }
8369 }
8370 else if (streq(p[0], "secret") && p[1] && !p[3])
8371 {
8372 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8373 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8374 options->shared_secret_file = p[1];
8375 options->shared_secret_file_inline = is_inline;
8376 if (!is_inline && p[2])
8377 {
8378 int key_direction;
8379
8380 key_direction = ascii2keydirection(msglevel, p[2]);
8381 if (key_direction >= 0)
8382 {
8383 options->key_direction = key_direction;
8384 }
8385 else
8386 {
8387 goto err;
8388 }
8389 }
8390 }
8391 else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
8392 {
8393 VERIFY_PERMISSION(OPT_P_GENERAL);
8394 options->allow_deprecated_insecure_static_crypto = true;
8395 }
8396 else if (streq(p[0], "genkey") && !p[4])
8397 {
8398 VERIFY_PERMISSION(OPT_P_GENERAL);
8399 options->genkey = true;
8400 if (!p[1])
8401 {
8402 options->genkey_type = GENKEY_SECRET;
8403 }
8404 else
8405 {
8406 if (streq(p[1], "secret") || streq(p[1], "tls-auth") || streq(p[1], "tls-crypt"))
8407 {
8408 options->genkey_type = GENKEY_SECRET;
8409 }
8410 else if (streq(p[1], "tls-crypt-v2-server"))
8411 {
8412 options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
8413 }
8414 else if (streq(p[1], "tls-crypt-v2-client"))
8415 {
8416 options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
8417 if (p[3])
8418 {
8419 options->genkey_extra_data = p[3];
8420 }
8421 }
8422 else if (streq(p[1], "auth-token"))
8423 {
8424 options->genkey_type = GENKEY_AUTH_TOKEN;
8425 }
8426 else
8427 {
8428 msg(msglevel, "unknown --genkey type: %s", p[1]);
8429 }
8430 }
8431 if (p[2])
8432 {
8433 options->genkey_filename = p[2];
8434 }
8435 }
8436 else if (streq(p[0], "auth") && p[1] && !p[2])
8437 {
8438 VERIFY_PERMISSION(OPT_P_GENERAL);
8439 options->authname = p[1];
8440 }
8441 else if (streq(p[0], "cipher") && p[1] && !p[2])
8442 {
8443 VERIFY_PERMISSION(OPT_P_NCP | OPT_P_INSTANCE);
8444 options->ciphername = p[1];
8445 }
8446 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8447 {
8448 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
8449 options->ciphername = p[1];
8450 options->enable_ncp_fallback = true;
8451 }
8452 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) && p[1] && !p[2])
8453 {
8454 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
8455 if (streq(p[0], "ncp-ciphers"))
8456 {
8457 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8458 " '--data-ciphers' (renamed in OpenVPN 2.5).");
8459 }
8460 options->ncp_ciphers = p[1];
8461 }
8462 else if (streq(p[0], "key-derivation") && p[1])
8463 {
8464 /* NCP only option that is pushed by the server to enable EKM,
8465 * should not be used by normal users in config files*/
8466 VERIFY_PERMISSION(OPT_P_NCP)
8467 if (streq(p[1], "tls-ekm"))
8468 {
8469 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8470 }
8471 else
8472 {
8473 msg(msglevel, "Unknown key-derivation method %s", p[1]);
8474 }
8475 }
8476 else if (streq(p[0], "protocol-flags") && p[1])
8477 {
8478 /* NCP only option that is pushed by the server to enable protocol
8479 * features that are negotiated, should not be used by normal users
8480 * in config files */
8481 VERIFY_PERMISSION(OPT_P_NCP)
8482 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8483 {
8484 if (streq(p[j], "cc-exit"))
8485 {
8486 options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
8487 }
8488 else if (streq(p[j], "tls-ekm"))
8489 {
8490 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8491 }
8492 else if (streq(p[j], "dyn-tls-crypt"))
8493 {
8494 options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
8495 }
8496 else if (streq(p[j], "aead-epoch"))
8497 {
8498 options->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
8499 }
8500 else
8501 {
8502 msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
8503 }
8504 }
8505 }
8506 else if (streq(p[0], "force-tls-key-material-export"))
8507 {
8508 VERIFY_PERMISSION(OPT_P_GENERAL);
8509 options->force_key_material_export = true;
8510 }
8511 else if (streq(p[0], "prng") && p[1] && !p[3])
8512 {
8513 msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8514 }
8515 else if (streq(p[0], "no-replay") && !p[1])
8516 {
8517 VERIFY_PERMISSION(OPT_P_GENERAL);
8518 /* always error out, this breaks the connection */
8519 msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
8520 "Update your configuration.");
8521 }
8522 else if (streq(p[0], "replay-window") && !p[3])
8523 {
8524 VERIFY_PERMISSION(OPT_P_GENERAL);
8525 if (p[1])
8526 {
8527 if (!atoi_constrained(p[1], &options->replay_window, "replay-window windows size",
8528 MIN_SEQ_BACKTRACK, MAX_SEQ_BACKTRACK, msglevel))
8529 {
8530 goto err;
8531 }
8532
8533 if (p[2])
8534 {
8535 if (!atoi_constrained(p[2], &options->replay_time, "replay-window time window",
8536 MIN_TIME_BACKTRACK, MAX_TIME_BACKTRACK, msglevel))
8537 {
8538 goto err;
8539 }
8540 }
8541 }
8542 else
8543 {
8544 msg(msglevel, "replay-window option is missing window size parameter");
8545 goto err;
8546 }
8547 }
8548 else if (streq(p[0], "mute-replay-warnings") && !p[1])
8549 {
8550 VERIFY_PERMISSION(OPT_P_GENERAL);
8551 options->mute_replay_warnings = true;
8552 }
8553 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8554 {
8555 VERIFY_PERMISSION(OPT_P_GENERAL);
8556 options->packet_id_file = p[1];
8557 }
8558 else if (streq(p[0], "test-crypto") && !p[1])
8559 {
8560 VERIFY_PERMISSION(OPT_P_GENERAL);
8561 options->test_crypto = true;
8562 }
8563#ifndef ENABLE_CRYPTO_MBEDTLS
8564 else if (streq(p[0], "engine") && !p[2])
8565 {
8566 VERIFY_PERMISSION(OPT_P_GENERAL);
8567 if (p[1])
8568 {
8569 options->engine = p[1];
8570 }
8571 else
8572 {
8573 options->engine = "auto";
8574 }
8575 }
8576#endif /* ENABLE_CRYPTO_MBEDTLS */
8577 else if (streq(p[0], "providers") && p[1])
8578 {
8579 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8580 {
8581 options->providers.names[j] = p[j];
8582 }
8583 }
8584#ifdef ENABLE_PREDICTION_RESISTANCE
8585 else if (streq(p[0], "use-prediction-resistance") && !p[1])
8586 {
8587 VERIFY_PERMISSION(OPT_P_GENERAL);
8588 options->use_prediction_resistance = true;
8589 }
8590#endif
8591 else if (streq(p[0], "show-tls") && !p[1])
8592 {
8593 VERIFY_PERMISSION(OPT_P_GENERAL);
8594 options->show_tls_ciphers = true;
8595 }
8596 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8597 {
8598 VERIFY_PERMISSION(OPT_P_GENERAL);
8599 options->show_curves = true;
8600 }
8601 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8602 {
8603 VERIFY_PERMISSION(OPT_P_GENERAL);
8604 msg(M_WARN, "Consider setting groups/curves preference with "
8605 "tls-groups instead of forcing a specific curve with "
8606 "ecdh-curve.");
8607 options->ecdh_curve = p[1];
8608 }
8609 else if (streq(p[0], "tls-server") && !p[1])
8610 {
8611 VERIFY_PERMISSION(OPT_P_GENERAL);
8612 options->tls_server = true;
8613 }
8614 else if (streq(p[0], "tls-client") && !p[1])
8615 {
8616 VERIFY_PERMISSION(OPT_P_GENERAL);
8617 options->tls_client = true;
8618 }
8619 else if (streq(p[0], "ca") && p[1] && !p[2])
8620 {
8621 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8622 options->ca_file = p[1];
8623 options->ca_file_inline = is_inline;
8624 }
8625#ifndef ENABLE_CRYPTO_MBEDTLS
8626 else if (streq(p[0], "capath") && p[1] && !p[2])
8627 {
8628 VERIFY_PERMISSION(OPT_P_GENERAL);
8629 options->ca_path = p[1];
8630 }
8631#endif /* ENABLE_CRYPTO_MBEDTLS */
8632 else if (streq(p[0], "dh") && p[1] && !p[2])
8633 {
8634 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8635 options->dh_file = p[1];
8636 options->dh_file_inline = is_inline;
8637 }
8638 else if (streq(p[0], "cert") && p[1] && !p[2])
8639 {
8640 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8641 options->cert_file = p[1];
8642 options->cert_file_inline = is_inline;
8643 }
8644 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8645 {
8646 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8647 options->extra_certs_file = p[1];
8648 options->extra_certs_file_inline = is_inline;
8649 }
8650 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8651 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8652 {
8653 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8654
8655 int verify_hash_depth = 0;
8656 if (streq(p[0], "verify-hash"))
8657 {
8658 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8659 "You should switch to the either use the level 1 certificate as "
8660 "--ca option, use --tls-verify or use --peer-fingerprint");
8661 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8662 verify_hash_depth = 1;
8663 }
8664
8665 options->verify_hash_algo = MD_SHA256;
8666
8667 int digest_len = SHA256_DIGEST_LENGTH;
8668
8669 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
8670 {
8671 msg(msglevel,
8672 "ERROR: Setting %s not allowed. --verify-hash and"
8673 " --peer-fingerprint are mutually exclusive",
8674 p[0]);
8675 goto err;
8676 }
8677
8678 if (streq(p[0], "verify-hash"))
8679 {
8680 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
8681 {
8682 options->verify_hash_algo = MD_SHA1;
8683 digest_len = SHA_DIGEST_LENGTH;
8684 }
8685 else if (p[2] && !streq(p[2], "SHA256"))
8686 {
8687 msg(msglevel,
8688 "invalid or unsupported hashing algorithm: %s "
8689 "(only SHA1 and SHA256 are supported)",
8690 p[2]);
8691 goto err;
8692 }
8693 }
8694
8695 struct verify_hash_list *newlist;
8696 newlist = parse_hash_fingerprint_multiline(p[1], digest_len, msglevel, &options->gc);
8697
8698 /* Append the new list to the end of our current list */
8699 if (!options->verify_hash)
8700 {
8701 options->verify_hash = newlist;
8702 options->verify_hash_depth = verify_hash_depth;
8703 }
8704 else
8705 {
8706 /* since both the old and new list can have multiple entries
8707 * we need to go to the end of one of them to concatenate them */
8708 struct verify_hash_list *listend = options->verify_hash;
8709 while (listend->next)
8710 {
8711 listend = listend->next;
8712 }
8713 listend->next = newlist;
8714 }
8715 }
8716#if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
8717 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
8718 {
8719 VERIFY_PERMISSION(OPT_P_GENERAL);
8720 options->cryptoapi_cert = p[1];
8721 }
8722#endif
8723 else if (streq(p[0], "key") && p[1] && !p[2])
8724 {
8725 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8726 options->priv_key_file = p[1];
8727 options->priv_key_file_inline = is_inline;
8728 }
8729 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
8730 {
8731 VERIFY_PERMISSION(OPT_P_GENERAL);
8732 int ver = tls_version_parse(p[1], p[2]);
8733 if (ver == TLS_VER_BAD)
8734 {
8735 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
8736 goto err;
8737 }
8738
8739#ifdef ENABLE_CRYPTO_MBEDTLS
8740 if (ver < TLS_VER_1_2)
8741 {
8742 msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
8743 ver = TLS_VER_1_2;
8744 }
8745#endif
8746
8747 options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
8748 options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MIN_SHIFT);
8749 }
8750 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
8751 {
8752 VERIFY_PERMISSION(OPT_P_GENERAL);
8753 int ver = tls_version_parse(p[1], NULL);
8754 if (ver == TLS_VER_BAD)
8755 {
8756 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
8757 goto err;
8758 }
8759 options->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
8760 options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MAX_SHIFT);
8761 }
8762#ifndef ENABLE_CRYPTO_MBEDTLS
8763 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
8764 {
8765 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8766 options->pkcs12_file = p[1];
8767 options->pkcs12_file_inline = is_inline;
8768 }
8769#endif /* ENABLE_CRYPTO_MBEDTLS */
8770 else if (streq(p[0], "askpass") && !p[2])
8771 {
8772 VERIFY_PERMISSION(OPT_P_GENERAL);
8773 if (p[1])
8774 {
8775 options->key_pass_file = p[1];
8776 }
8777 else
8778 {
8779 options->key_pass_file = "stdin";
8780 }
8781 }
8782 else if (streq(p[0], "auth-nocache") && !p[1])
8783 {
8784 VERIFY_PERMISSION(OPT_P_GENERAL);
8785 ssl_set_auth_nocache();
8786 }
8787 else if (streq(p[0], "auth-token") && p[1] && !p[2])
8788 {
8789 VERIFY_PERMISSION(OPT_P_ECHO);
8790 ssl_set_auth_token(p[1]);
8791#ifdef ENABLE_MANAGEMENT
8792 if (management)
8793 {
8794 management_auth_token(management, p[1]);
8795 }
8796#endif
8797 }
8798 else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
8799 {
8800 VERIFY_PERMISSION(OPT_P_ECHO);
8801 ssl_set_auth_token_user(p[1]);
8802 }
8803 else if (streq(p[0], "single-session") && !p[1])
8804 {
8805 VERIFY_PERMISSION(OPT_P_GENERAL);
8806 options->single_session = true;
8807 }
8808 else if (streq(p[0], "push-peer-info") && !p[1])
8809 {
8810 VERIFY_PERMISSION(OPT_P_GENERAL);
8811 options->push_peer_info = true;
8812 }
8813 else if (streq(p[0], "tls-exit") && !p[1])
8814 {
8815 VERIFY_PERMISSION(OPT_P_GENERAL);
8816 options->tls_exit = true;
8817 }
8818 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
8819 {
8820 VERIFY_PERMISSION(OPT_P_GENERAL);
8821 options->cipher_list = p[1];
8822 }
8823 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
8824 {
8825 VERIFY_PERMISSION(OPT_P_GENERAL);
8826 options->tls_cert_profile = p[1];
8827 }
8828 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
8829 {
8830 VERIFY_PERMISSION(OPT_P_GENERAL);
8831 options->cipher_list_tls13 = p[1];
8832 }
8833 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
8834 {
8835 VERIFY_PERMISSION(OPT_P_GENERAL);
8836 options->tls_groups = p[1];
8837 }
8838 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2]))
8839 {
8840 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8841 if (p[2] && streq(p[2], "dir"))
8842 {
8843 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
8844 }
8845 options->crl_file = p[1];
8846 options->crl_file_inline = is_inline;
8847 }
8848 else if (streq(p[0], "tls-verify") && p[1])
8849 {
8850 VERIFY_PERMISSION(OPT_P_SCRIPT);
8851 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8852 {
8853 goto err;
8854 }
8855 set_user_script(options, &options->tls_verify,
8856 string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true);
8857 }
8858 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
8859 {
8860 VERIFY_PERMISSION(OPT_P_SCRIPT);
8861 options->tls_export_peer_cert_dir = p[1];
8862 }
8863 else if (streq(p[0], "compat-names"))
8864 {
8865 VERIFY_PERMISSION(OPT_P_GENERAL);
8866 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
8867 "Update your configuration.");
8868 goto err;
8869 }
8870 else if (streq(p[0], "no-name-remapping") && !p[1])
8871 {
8872 VERIFY_PERMISSION(OPT_P_GENERAL);
8873 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
8874 "Update your configuration.");
8875 goto err;
8876 }
8877 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
8878 {
8879 int type = VERIFY_X509_SUBJECT_DN;
8880 VERIFY_PERMISSION(OPT_P_GENERAL);
8881 if (p[2])
8882 {
8883 if (streq(p[2], "subject"))
8884 {
8885 type = VERIFY_X509_SUBJECT_DN;
8886 }
8887 else if (streq(p[2], "name"))
8888 {
8889 type = VERIFY_X509_SUBJECT_RDN;
8890 }
8891 else if (streq(p[2], "name-prefix"))
8892 {
8893 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
8894 }
8895 else
8896 {
8897 msg(msglevel, "unknown X.509 name type: %s", p[2]);
8898 goto err;
8899 }
8900 }
8901 options->verify_x509_type = type;
8902 options->verify_x509_name = p[1];
8903 }
8904 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
8905 {
8906#ifdef ENABLE_CRYPTO_MBEDTLS
8907 msg(msglevel, "--ns-cert-type is not available with mbedtls.");
8908 goto err;
8909#else
8910 VERIFY_PERMISSION(OPT_P_GENERAL);
8911 if (streq(p[1], "server"))
8912 {
8913 options->ns_cert_type = NS_CERT_CHECK_SERVER;
8914 }
8915 else if (streq(p[1], "client"))
8916 {
8917 options->ns_cert_type = NS_CERT_CHECK_CLIENT;
8918 }
8919 else
8920 {
8921 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
8922 goto err;
8923 }
8924#endif /* ENABLE_CRYPTO_MBEDTLS */
8925 }
8926 else if (streq(p[0], "remote-cert-ku"))
8927 {
8928 VERIFY_PERMISSION(OPT_P_GENERAL);
8929
8930 size_t j;
8931 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
8932 {
8933 sscanf(p[j], "%x", &(options->remote_cert_ku[j - 1]));
8934 }
8935 if (j == 1)
8936 {
8937 /* No specific KU required, but require KU to be present */
8938 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8939 }
8940 }
8941 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
8942 {
8943 VERIFY_PERMISSION(OPT_P_GENERAL);
8944 options->remote_cert_eku = p[1];
8945 }
8946 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
8947 {
8948 VERIFY_PERMISSION(OPT_P_GENERAL);
8949
8950 if (streq(p[1], "server"))
8951 {
8952 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8953 options->remote_cert_eku = "TLS Web Server Authentication";
8954 }
8955 else if (streq(p[1], "client"))
8956 {
8957 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8958 options->remote_cert_eku = "TLS Web Client Authentication";
8959 }
8960 else
8961 {
8962 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
8963 goto err;
8964 }
8965 }
8966 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
8967 {
8968 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8969 options->tls_timeout = positive_atoi(p[1], msglevel);
8970 }
8971 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
8972 {
8973 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8974 if (!positive_atoll(p[1], &options->renegotiate_bytes, p[0], msglevel))
8975 {
8976 goto err;
8977 }
8978 }
8979 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
8980 {
8981 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8982 if (!positive_atoll(p[1], &options->renegotiate_packets, p[0], msglevel))
8983 {
8984 goto err;
8985 }
8986 }
8987 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
8988 {
8989 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8990 options->renegotiate_seconds = positive_atoi(p[1], msglevel);
8991 if (p[2])
8992 {
8993 options->renegotiate_seconds_min = positive_atoi(p[2], msglevel);
8994 }
8995 }
8996 else if (streq(p[0], "hand-window") && p[1] && !p[2])
8997 {
8998 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8999 options->handshake_window = positive_atoi(p[1], msglevel);
9000 }
9001 else if (streq(p[0], "tran-window") && p[1] && !p[2])
9002 {
9003 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9004 options->transition_window = positive_atoi(p[1], msglevel);
9005 }
9006 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9007 {
9008 int key_direction = -1;
9009
9010 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
9011
9012 if (permission_mask & OPT_P_GENERAL)
9013 {
9014 options->tls_auth_file = p[1];
9015 options->tls_auth_file_inline = is_inline;
9016
9017 if (!is_inline && p[2])
9018 {
9019 key_direction = ascii2keydirection(msglevel, p[2]);
9020 if (key_direction < 0)
9021 {
9022 goto err;
9023 }
9024 options->key_direction = key_direction;
9025 }
9026 }
9027 else if (permission_mask & OPT_P_CONNECTION)
9028 {
9029 options->ce.tls_auth_file = p[1];
9030 options->ce.tls_auth_file_inline = is_inline;
9031 options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
9032
9033 if (!is_inline && p[2])
9034 {
9035 key_direction = ascii2keydirection(msglevel, p[2]);
9036 if (key_direction < 0)
9037 {
9038 goto err;
9039 }
9040 options->ce.key_direction = key_direction;
9041 }
9042 }
9043 }
9044 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9045 {
9046 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
9047 if (permission_mask & OPT_P_GENERAL)
9048 {
9049 options->tls_crypt_file = p[1];
9050 options->tls_crypt_file_inline = is_inline;
9051 }
9052 else if (permission_mask & OPT_P_CONNECTION)
9053 {
9054 options->ce.tls_crypt_file = p[1];
9055 options->ce.tls_crypt_file_inline = is_inline;
9056 }
9057 }
9058 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9059 {
9060 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
9061 if (permission_mask & OPT_P_GENERAL)
9062 {
9063 options->tls_crypt_v2_file = p[1];
9064 options->tls_crypt_v2_file_inline = is_inline;
9065 }
9066 else if (permission_mask & OPT_P_CONNECTION)
9067 {
9068 options->ce.tls_crypt_v2_file = p[1];
9069 options->ce.tls_crypt_v2_file_inline = is_inline;
9070 }
9071
9072 if (p[2] && streq(p[2], "force-cookie"))
9073 {
9074 options->ce.tls_crypt_v2_force_cookie = true;
9075 }
9076 else if (p[2] && streq(p[2], "allow-noncookie"))
9077 {
9078 options->ce.tls_crypt_v2_force_cookie = false;
9079 }
9080 else if (p[2])
9081 {
9082 msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9083 }
9084 }
9085 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9086 {
9087 VERIFY_PERMISSION(OPT_P_GENERAL);
9088 options->tls_crypt_v2_verify_script = p[1];
9089 }
9090 else if (streq(p[0], "tls-crypt-v2-max-age") && p[1])
9091 {
9092 VERIFY_PERMISSION(OPT_P_GENERAL);
9093 if (!atoi_constrained(p[1], &options->tls_crypt_v2_max_age, "tls-crypt-v2-max-age", 1, INT_MAX, msglevel))
9094 {
9095 goto err;
9096 }
9097 }
9098 else if (streq(p[0], "x509-track") && p[1] && !p[2])
9099 {
9100 VERIFY_PERMISSION(OPT_P_GENERAL);
9101 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9102 }
9103#ifdef ENABLE_X509ALTUSERNAME
9104 else if (streq(p[0], "x509-username-field") && p[1])
9105 {
9106 VERIFY_PERMISSION(OPT_P_GENERAL);
9107 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9108 {
9109 char *s = p[j];
9110
9111 if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s + 4))
9112 {
9113 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9114 }
9115 options->x509_username_field[j - 1] = p[j];
9116 }
9117 }
9118#endif /* ENABLE_X509ALTUSERNAME */
9119#ifdef ENABLE_PKCS11
9120 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9121 {
9122 char *provider = p[1];
9123 bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0));
9124
9125#ifdef DEFAULT_PKCS11_MODULE
9126 if (!provider)
9127 {
9128 provider = DEFAULT_PKCS11_MODULE;
9129 }
9130 else if (!p[2])
9131 {
9132 char *endp = NULL;
9133 long i = strtol(provider, &endp, 10);
9134
9135 if (*endp == 0)
9136 {
9137 /* There was one argument, and it was purely numeric.
9138 * Interpret it as the cert_private argument */
9139 provider = DEFAULT_PKCS11_MODULE;
9140 cert_private = i;
9141 }
9142 }
9143#else /* ifdef DEFAULT_PKCS11_MODULE */
9144 if (!provider)
9145 {
9146 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9147 goto err;
9148 }
9149#endif /* ifdef DEFAULT_PKCS11_MODULE */
9150 VERIFY_PERMISSION(OPT_P_GENERAL);
9151
9152 set_debug_level(options->verbosity, SDL_CONSTRAIN);
9153 show_pkcs11_ids(provider, cert_private);
9154 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9155 }
9156 else if (streq(p[0], "pkcs11-providers") && p[1])
9157 {
9158 int j;
9159
9160 VERIFY_PERMISSION(OPT_P_GENERAL);
9161
9162 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9163 {
9164 options->pkcs11_providers[j - 1] = p[j];
9165 }
9166 }
9167 else if (streq(p[0], "pkcs11-protected-authentication"))
9168 {
9169 int j;
9170
9171 VERIFY_PERMISSION(OPT_P_GENERAL);
9172
9173 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9174 {
9175 options->pkcs11_protected_authentication[j - 1] =
9176 atoi_warn(p[j], msglevel) != 0 ? 1 : 0;
9177 }
9178 }
9179 else if (streq(p[0], "pkcs11-private-mode") && p[1])
9180 {
9181 int j;
9182
9183 VERIFY_PERMISSION(OPT_P_GENERAL);
9184
9185 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9186 {
9187 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j - 1]));
9188 }
9189 }
9190 else if (streq(p[0], "pkcs11-cert-private"))
9191 {
9192 int j;
9193
9194 VERIFY_PERMISSION(OPT_P_GENERAL);
9195
9196 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9197 {
9198 options->pkcs11_cert_private[j - 1] = (bool)(atoi_warn(p[j], msglevel));
9199 }
9200 }
9201 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9202 {
9203 VERIFY_PERMISSION(OPT_P_GENERAL);
9204 options->pkcs11_pin_cache_period = positive_atoi(p[1], msglevel);
9205 }
9206 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9207 {
9208 VERIFY_PERMISSION(OPT_P_GENERAL);
9209 options->pkcs11_id = p[1];
9210 }
9211 else if (streq(p[0], "pkcs11-id-management") && !p[1])
9212 {
9213 VERIFY_PERMISSION(OPT_P_GENERAL);
9214 options->pkcs11_id_management = true;
9215 }
9216#endif /* ifdef ENABLE_PKCS11 */
9217 else if (streq(p[0], "rmtun") && !p[1])
9218 {
9219 VERIFY_PERMISSION(OPT_P_GENERAL);
9220 options->persist_config = true;
9221 options->persist_mode = 0;
9222 }
9223 else if (streq(p[0], "mktun") && !p[1])
9224 {
9225 VERIFY_PERMISSION(OPT_P_GENERAL);
9226 options->persist_config = true;
9227 options->persist_mode = 1;
9228 }
9229 else if (streq(p[0], "peer-id") && p[1] && !p[2])
9230 {
9231 VERIFY_PERMISSION(OPT_P_PEER_ID);
9232 options->use_peer_id = true;
9233 options->peer_id = atoi_warn(p[1], msglevel);
9234 }
9235 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9236 {
9237 VERIFY_PERMISSION(OPT_P_GENERAL);
9238
9239 if (strncmp(p[1], "EXPORTER", 8))
9240 {
9241 msg(msglevel, "Keying material exporter label must begin with "
9242 "\"EXPORTER\"");
9243 goto err;
9244 }
9245 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9246 {
9247 msg(msglevel,
9248 "Keying material exporter label must not be '" EXPORT_KEY_DATA_LABEL "'.");
9249 }
9250
9251 if (!atoi_constrained(p[2], &options->keying_material_exporter_length,
9252 p[0], 16, 4095, msglevel))
9253 {
9254 goto err;
9255 }
9256
9257 options->keying_material_exporter_label = p[1];
9258 }
9259 else if (streq(p[0], "allow-recursive-routing") && !p[1])
9260 {
9261 VERIFY_PERMISSION(OPT_P_GENERAL);
9262 options->allow_recursive_routing = true;
9263 }
9264 else if (streq(p[0], "vlan-tagging") && !p[1])
9265 {
9266 VERIFY_PERMISSION(OPT_P_GENERAL);
9267 options->vlan_tagging = true;
9268 }
9269 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9270 {
9271 VERIFY_PERMISSION(OPT_P_GENERAL);
9272 if (streq(p[1], "tagged"))
9273 {
9274 options->vlan_accept = VLAN_ONLY_TAGGED;
9275 }
9276 else if (streq(p[1], "untagged"))
9277 {
9278 options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9279 }
9280 else if (streq(p[1], "all"))
9281 {
9282 options->vlan_accept = VLAN_ALL;
9283 }
9284 else
9285 {
9286 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9287 goto err;
9288 }
9289 }
9290 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9291 {
9292 int vlan_pvid;
9293 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
9294 if (!atoi_constrained(p[1], &vlan_pvid, p[0],
9295 OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID, msglevel))
9296 {
9297 goto err;
9298 }
9299 options->vlan_pvid = (uint16_t)vlan_pvid;
9300 }
9301 else
9302 {
9303 int i;
9304 msglvl_t msglevel_unknown = msglevel_fc;
9305 /* Check if an option is in --ignore-unknown-option and
9306 * set warning level to non fatal */
9307 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9308 {
9309 if (streq(p[0], options->ignore_unknown_option[i]))
9310 {
9311 msglevel_unknown = M_WARN;
9312 break;
9313 }
9314 }
9315 if (file)
9316 {
9317 msg(msglevel_unknown,
9318 "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file,
9319 line, p[0], PACKAGE_VERSION);
9320 }
9321 else
9322 {
9323 msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)",
9324 p[0], PACKAGE_VERSION);
9325 }
9326 }
9327err:
9328 gc_free(&gc);
9329}
9330
9331#if defined(__GNUC__) || defined(__clang__)
9332#pragma GCC diagnostic pop
9333#endif
9334
9335bool
9336has_udp_in_local_list(const struct options *options)
9337{
9338 if (options->ce.local_list)
9339 {
9340 for (int i = 0; i < options->ce.local_list->len; i++)
9341 {
9342 if (proto_is_dgram(options->ce.local_list->array[i]->proto))
9343 {
9344 return true;
9345 }
9346 }
9347 }
9348
9349 return false;
9350}
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:163
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
gc_transfer
void gc_transfer(struct gc_arena *dest, struct gc_arena *src)
Definition buffer.c:460
gc_realloc
void * gc_realloc(void *ptr, size_t size, struct gc_arena *a)
allows to realloc a pointer previously allocated by gc_malloc or gc_realloc
Definition buffer.c:370
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
format_hex_ex
char * format_hex_ex(const uint8_t *data, size_t size, size_t maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
string_array_len
int string_array_len(const char **array)
Definition buffer.c:702
buffer_read_from_file
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
Definition buffer.c:1352
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:824
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:648
string_alloc_buf
struct buffer string_alloc_buf(const char *str, struct gc_arena *gc)
Definition buffer.c:751
gc_detach
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1011
BSTR
#define BSTR(buf)
Definition buffer.h:128
BPTR
#define BPTR(buf)
Definition buffer.h:123
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1063
buf_valid
static bool buf_valid(const struct buffer *buf)
Definition buffer.h:234
gc_init
static void gc_init(struct gc_arena *a)
Definition buffer.h:1004
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1089
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1084
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1025
strprefix
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition buffer.h:969
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1017
add_client_nat_to_option_list
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, msglvl_t msglevel)
Definition clinat.c:102
print_client_nat_list
void print_client_nat_list(const struct client_nat_option_list *list, msglvl_t msglevel)
Definition clinat.c:50
new_client_nat_list
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition clinat.c:71
clone_client_nat_option_list
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition clinat.c:79
copy_client_nat_option_list
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition clinat.c:88
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:70
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition common.h:83
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, msglvl_t msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
COMP_F_ALLOW_STUB_ONLY
#define COMP_F_ALLOW_STUB_ONLY
Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY we still accept other compression...
Definition comp.h:45
COMP_F_SWAP
#define COMP_F_SWAP
initial command byte is swapped with last byte in buffer to preserve payload alignment
Definition comp.h:40
COMP_ALG_LZ4
#define COMP_ALG_LZ4
LZ4 algorithm.
Definition comp.h:59
COMP_ALGV2_LZ4
#define COMP_ALGV2_LZ4
Definition comp.h:64
COMP_F_ALLOW_NOCOMP_ONLY
#define COMP_F_ALLOW_NOCOMP_ONLY
Do not allow compression framing (breaks DCO)
Definition comp.h:51
COMP_F_ALLOW_ASYM
#define COMP_F_ALLOW_ASYM
Compression was explicitly set to allow asymetric compression.
Definition comp.h:49
COMP_ALGV2_UNCOMPRESSED
#define COMP_ALGV2_UNCOMPRESSED
Definition comp.h:63
COMP_ALG_STUB
#define COMP_ALG_STUB
support compression command byte and framing without actual compression
Definition comp.h:56
COMP_ALG_LZO
#define COMP_ALG_LZO
LZO algorithm.
Definition comp.h:57
COMP_F_ADVERTISE_STUBS_ONLY
#define COMP_F_ADVERTISE_STUBS_ONLY
tell server that we only support compression stubs
Definition comp.h:42
COMP_F_MIGRATE
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
comp_non_stub_enabled
static bool comp_non_stub_enabled(const struct compress_options *info)
Definition comp.h:81
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition comp.h:54
daemon
int daemon(int nochdir, int noclose)
Definition compat-daemon.c:50
dirname
char * dirname(char *path)
Definition compat-dirname.c:61
strsep
char * strsep(char **stringp, const char *delim)
Definition compat-strsep.c:35
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:868
ascii2keydirection
int ascii2keydirection(msglvl_t msglevel, const char *str)
Definition crypto.c:1613
keydirection2ascii
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
Definition crypto.c:1636
check_tls_prf_working
bool check_tls_prf_working(void)
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS K...
Definition crypto.c:1896
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1192
crypto.h
Data Channel Cryptography Module.
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
KEY_DIRECTION_BIDIRECTIONAL
#define KEY_DIRECTION_BIDIRECTIONAL
Definition crypto.h:231
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:369
MD_SHA256
@ MD_SHA256
Definition crypto_backend.h:54
MD_SHA1
@ MD_SHA1
Definition crypto_backend.h:53
cipher_defined
static bool cipher_defined(const char *ciphername)
Checks if the cipher is defined and is not the null (none) cipher.
Definition crypto_backend.h:219
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition crypto_openssl.c:1073
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:653
cipher_kt_key_size
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
Definition crypto_openssl.c:673
SHA_DIGEST_LENGTH
#define SHA_DIGEST_LENGTH
Definition crypto_mbedtls.h:77
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition crypto_mbedtls.h:78
dco_check_startup_option
static bool dco_check_startup_option(msglvl_t msglevel, const struct options *o)
Definition dco.h:280
dco_check_option
static bool dco_check_option(msglvl_t msglevel, const struct options *o)
Definition dco.h:274
dco_version_string
static const char * dco_version_string(struct gc_arena *gc)
Definition dco.h:268
dns_options_verify
bool dns_options_verify(msglvl_t msglevel, const struct dns_options *o)
Checks validity of DNS options.
Definition dns.c:212
dns_options_postprocess_pull
void dns_options_postprocess_pull(struct dns_options *o)
Merges pulled DNS servers with static ones into an ordered list.
Definition dns.c:289
dns_server_addr_parse
bool dns_server_addr_parse(struct dns_server *server, const char *addr)
Parses a string IPv4 or IPv6 address and optional colon separated port, into a in_addr or in6_addr re...
Definition dns.c:62
dns_domain_list_append
bool dns_domain_list_append(struct dns_domain **entry, char **domains, struct gc_arena *gc)
Appends safe DNS domain parameters to a linked list.
Definition dns.c:148
dns_server_get
struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc)
Find or create DNS server with priority in a linked list.
Definition dns.c:190
dns_server_priority_parse
bool dns_server_priority_parse(long *priority, const char *str, bool pulled)
Parses a string DNS server priority and validates it.
Definition dns.c:175
clone_dns_options
struct dns_options clone_dns_options(const struct dns_options *o, struct gc_arena *gc)
Makes a deep copy of the passed DNS options.
Definition dns.c:266
show_dns_options
void show_dns_options(const struct dns_options *o)
Prints configured DNS options.
Definition dns.c:780
dns_options_preprocess_pull
void dns_options_preprocess_pull(struct dns_options *o)
Saves and resets the server options, so that pulled ones don't mix in.
Definition dns.c:282
dns_updown_user_set
static bool dns_updown_user_set(const struct dns_options *o)
Returns whether dns-updown is user defined.
Definition dns.h:218
DNS_UPDOWN_FORCED
@ DNS_UPDOWN_FORCED
Definition dns.h:50
DNS_UPDOWN_NO_FLAGS
@ DNS_UPDOWN_NO_FLAGS
Definition dns.h:48
DNS_UPDOWN_USER_SET
@ DNS_UPDOWN_USER_SET
Definition dns.h:49
DNS_SECURITY_NO
@ DNS_SECURITY_NO
Definition dns.h:33
DNS_SECURITY_YES
@ DNS_SECURITY_YES
Definition dns.h:34
DNS_SECURITY_OPTIONAL
@ DNS_SECURITY_OPTIONAL
Definition dns.h:35
dns_updown_forced
static bool dns_updown_forced(const struct dns_options *o)
Returns whether dns-updown is forced to run.
Definition dns.h:229
DNS_TRANSPORT_PLAIN
@ DNS_TRANSPORT_PLAIN
Definition dns.h:41
DNS_TRANSPORT_TLS
@ DNS_TRANSPORT_TLS
Definition dns.h:43
DNS_TRANSPORT_HTTPS
@ DNS_TRANSPORT_HTTPS
Definition dns.h:42
domain_helper.h
validate_domain
static bool validate_domain(const char *domain)
Definition domain_helper.h:34
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
setenv_str_i
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i)
Definition env_set.c:423
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
env_set_get
const char * env_set_get(const struct env_set *es, const char *name)
Definition env_set.c:201
setenv_str_safe
void setenv_str_safe(struct env_set *es, const char *name, const char *value)
Definition env_set.c:313
env_set_del
bool env_set_del(struct env_set *es, const char *str)
Definition env_set.c:183
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition env_set.c:299
D_SHOW_OCC
#define D_SHOW_OCC
Definition errlevel.h:150
D_PUSH
#define D_PUSH
Definition errlevel.h:82
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
D_DCO
#define D_DCO
Definition errlevel.h:93
D_SHOW_PARMS
#define D_SHOW_PARMS
Definition errlevel.h:95
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition errlevel.h:66
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
M_INFO
#define M_INFO
Definition errlevel.h:54
forward.h
Interface functions to the internal and external multiplexers.
helper_setdefault_topology
void helper_setdefault_topology(struct options *o)
Set –topology default depending on –mode.
Definition helper.c:137
helper_tcp_nodelay
void helper_tcp_nodelay(struct options *o)
Definition helper.c:608
helper_client_server
void helper_client_server(struct options *o)
Definition helper.c:165
helper_keepalive
void helper_keepalive(struct options *o)
Definition helper.c:548
max_int
static int max_int(int x, int y)
Definition integer.h:92
constrain_int
static int constrain_int(int x, int min, int max)
Definition integer.h:118
tls_verify
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
Definition keyingmaterialexporter.c:166
management_auth_token
void management_auth_token(struct management *man, const char *token)
Definition manage.c:3130
management_echo
void management_echo(struct management *man, const char *string, const bool pull)
Definition manage.c:3051
MF_FORGET_DISCONNECT
#define MF_FORGET_DISCONNECT
Definition manage.h:31
MF_EXTERNAL_KEY_PKCS1PAD
#define MF_EXTERNAL_KEY_PKCS1PAD
Definition manage.h:38
MF_CLIENT_AUTH
#define MF_CLIENT_AUTH
Definition manage.h:33
MF_EXTERNAL_KEY_PSSPAD
#define MF_EXTERNAL_KEY_PSSPAD
Definition manage.h:43
MF_EXTERNAL_KEY_NOPADDING
#define MF_EXTERNAL_KEY_NOPADDING
Definition manage.h:37
MF_QUERY_PROXY
#define MF_QUERY_PROXY
Definition manage.h:41
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition manage.h:36
MF_QUERY_REMOTE
#define MF_QUERY_REMOTE
Definition manage.h:40
MF_QUERY_PASSWORDS
#define MF_QUERY_PASSWORDS
Definition manage.h:28
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition manage.h:42
MF_EXTERNAL_KEY_DIGEST
#define MF_EXTERNAL_KEY_DIGEST
Definition manage.h:44
MF_UP_DOWN
#define MF_UP_DOWN
Definition manage.h:39
MF_HOLD
#define MF_HOLD
Definition manage.h:29
MF_SIGNAL
#define MF_SIGNAL
Definition manage.h:30
MF_UNIX_SOCK
#define MF_UNIX_SOCK
Definition manage.h:35
MF_CONNECT_AS_CLIENT
#define MF_CONNECT_AS_CLIENT
Definition manage.h:32
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:777
safe_print
const char * safe_print(const char *str, struct gc_arena *gc)
Definition misc.c:543
USER_PASS_LEN
#define USER_PASS_LEN
Definition misc.h:64
SC_CONCAT
#define SC_CONCAT
Definition misc.h:92
SC_ECHO
#define SC_ECHO
Definition misc.h:91
translate_mtu_discover_type_name
int translate_mtu_discover_type_name(const char *name)
Definition mtu.c:253
calc_options_string_link_mtu
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition mtu.c:147
MSSFIX_DEFAULT
#define MSSFIX_DEFAULT
Definition mtu.h:84
TUN_MTU_MAX_MIN
#define TUN_MTU_MAX_MIN
Definition mtu.h:74
TAP_MTU_EXTRA_DEFAULT
#define TAP_MTU_EXTRA_DEFAULT
Definition mtu.h:79
LINK_MTU_DEFAULT
#define LINK_MTU_DEFAULT
Definition mtu.h:64
TUN_MTU_DEFAULT
#define TUN_MTU_DEFAULT
Definition mtu.h:69
TLS_MTU_DEFAULT
#define TLS_MTU_DEFAULT
Definition mtu.h:89
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition multi.c:83
net_ctx_init
static int net_ctx_init(struct context *c, openvpn_net_ctx_t *ctx)
Definition networking.h:47
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:38
BOOL_CAST
#define BOOL_CAST(x)
Definition basic.h:26
CLEAR
#define CLEAR(x)
Definition basic.h:32
SIZE
#define SIZE(x)
Definition basic.h:29
errors_to_stderr
void errors_to_stderr(void)
Definition error.c:179
open_syslog
void open_syslog(const char *pgmname, bool stdio_to_null)
Definition error.c:442
redirect_stdout_stderr
void redirect_stdout_stderr(const char *file, bool append)
Definition error.c:491
openvpn_exit
void openvpn_exit(const int status)
Definition error.c:700
machine_readable_output
static bool machine_readable_output
Definition error.c:74
set_suppress_timestamps
void set_suppress_timestamps(bool suppressed)
Definition error.c:143
set_machine_readable_output
void set_machine_readable_output(bool parsable)
Definition error.c:149
msg_fp
FILE * msg_fp(const msglvl_t flags)
Definition error.c:188
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:101
suppress_timestamps
static bool suppress_timestamps
Definition error.c:77
M_OPTERR
#define M_OPTERR
Definition error.h:101
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition error.h:201
M_NOPREFIX
#define M_NOPREFIX
Definition error.h:98
M_DEBUG_LEVEL
#define M_DEBUG_LEVEL
Definition error.h:88
M_USAGE
#define M_USAGE
Definition error.h:107
OPENVPN_EXIT_STATUS_USAGE
#define OPENVPN_EXIT_STATUS_USAGE
Definition error.h:54
OPENVPN_EXIT_STATUS_GOOD
#define OPENVPN_EXIT_STATUS_GOOD
Definition error.h:52
M_FATAL
#define M_FATAL
Definition error.h:90
M_ERR
#define M_ERR
Definition error.h:106
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
M_ERRNO
#define M_ERRNO
Definition error.h:95
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:553
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4569
RESET_OPTION_ROUTES
#define RESET_OPTION_ROUTES(option_ptr, field)
Definition options.c:5081
rol6_check_alloc
static void rol6_check_alloc(struct options *options)
Definition options.c:1578
CHKACC_PRIVATE
#define CHKACC_PRIVATE
Warn if this (private) file is group/others accessible.
Definition options.c:3968
check_file_access_chroot_inline
static bool check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access_chroot() that returns false immediately if the file is inline (and th...
Definition options.c:4102
check_file_access_chroot
static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
Definition options.c:4068
options_postprocess_verify_ce
static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
Definition options.c:2278
NM_QUOTE_HINT
#define NM_QUOTE_HINT
Definition options.c:5048
options_postprocess_mutate_ce
static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
Definition options.c:2933
usage_version
static void usage_version(void)
Definition options.c:4927
get_ip_addr
static in_addr_t get_ip_addr(const char *ip_string, msglvl_t msglevel, bool *error)
Definition options.c:1106
alloc_pull_filter
static struct pull_filter * alloc_pull_filter(struct options *o)
Definition options.c:2182
USAGE_VALID_SERVER_PROTOS
#define USAGE_VALID_SERVER_PROTOS
SHOW_BOOL
#define SHOW_BOOL(var)
Definition options.c:978
CHKACC_DIRPATH
#define CHKACC_DIRPATH
Check for directory presence where a file should reside.
Definition options.c:3965
pre_connect_save
static void pre_connect_save(struct options *o)
Definition options.c:3124
CHKACC_ACPTSTDIN
#define CHKACC_ACPTSTDIN
If filename is stdin, it's allowed and "exists".
Definition options.c:3967
TLS_CLIENT
#define TLS_CLIENT
setenv_connection_entry
static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
Definition options.c:983
global_auth_retry
static int global_auth_retry
Definition options.c:4806
options_postprocess_pull
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition options.c:4311
uninit_options
void uninit_options(struct options *o)
Definition options.c:930
dhcp_option_dns6_parse
static void dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, msglvl_t msglevel)
Definition options.c:1334
connection_entry_load_re
static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
Definition options.c:2203
SHOW_STR
#define SHOW_STR(var)
Definition options.c:971
parse_topology
int parse_topology(const char *str, const msglvl_t msglevel)
Definition options.c:4759
show_windows_version
void show_windows_version(const unsigned int flags)
Definition options.c:4894
VERIFY_PERMISSION
#define VERIFY_PERMISSION(mask)
Definition options.c:4988
options_warning_extract_parm1
static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
Definition options.c:4581
key_is_external
bool key_is_external(const struct options *options)
Definition options.c:5579
check_ca_required
static void check_ca_required(const struct options *options)
Definition options.c:2240
parse_http_proxy_override
static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, struct gc_arena *gc)
Definition options.c:1996
verify_permission
static bool verify_permission(const char *name, const char *file, int line, const unsigned int type, const unsigned int allowed, unsigned int *found, const msglvl_t msglevel, struct options *options, bool is_inline)
Definition options.c:4998
CHKACC_FILEXSTWR
#define CHKACC_FILEXSTWR
If file exists, is it writable?
Definition options.c:3966
tuntap_options_postprocess_dns
static void tuntap_options_postprocess_dns(struct options *o)
Postprocess DNS related settings.
Definition options.c:3507
get_ipv6_addr_no_netbits
static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
Returns newly allocated string containing address part without "/nn".
Definition options.c:1131
option_iroute_ipv6
static void option_iroute_ipv6(struct options *o, const char *prefix_str, msglvl_t msglevel)
Definition options.c:1512
check_route_option
static bool check_route_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5251
show_dco_version
void show_dco_version(const unsigned int flags)
Definition options.c:4903
rol_check_alloc
void rol_check_alloc(struct options *options)
Definition options.c:1569
alloc_local_list_if_undef
static struct local_list * alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
Definition options.c:2059
SHOW_UNSIGNED
#define SHOW_UNSIGNED(var)
Definition options.c:977
show_settings
void show_settings(const struct options *o)
Definition options.c:1693
set_user_script
static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot)
Definition options.c:5540
remove_option
void remove_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Resets options found in the PUSH_UPDATE message that are preceded by the - flag.
Definition options.c:5089
parse_hash_fingerprint_multiline
static struct verify_hash_list * parse_hash_fingerprint_multiline(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
Parses a string consisting of multiple lines of hexstrings and checks if each string has the correct ...
Definition options.c:1244
LZO_LIB_VER_STR
#define LZO_LIB_VER_STR
no_more_than_n_args
static bool no_more_than_n_args(const msglvl_t msglevel, char *p[], const int max, const unsigned int flags)
Definition options.c:5051
show_dhcp_option_list
static void show_dhcp_option_list(const char *name, const char *const *array, int len)
Definition options.c:1286
show_connection_entries
static void show_connection_entries(const struct options *o)
Definition options.c:1654
options_postprocess_mutate_le
static void options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
Definition options.c:3090
options_cmp_equal_safe
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4689
string_defined_equal
bool string_defined_equal(const char *s1, const char *s2)
Definition options.c:4958
check_file_access_inline
static bool check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access() that returns false immediately if the file is inline (and therefore...
Definition options.c:4118
options_postprocess
void options_postprocess(struct options *options, struct env_set *es)
Definition options.c:4297
show_dhcp_option_addrs
static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
Definition options.c:1296
usage_small
void usage_small(void)
Definition options.c:4886
auth_retry_print
const char * auth_retry_print(void)
Definition options.c:4838
show_http_proxy_options
static void show_http_proxy_options(const struct http_proxy_options *o)
Definition options.c:1530
options_postprocess_filechecks
static void options_postprocess_filechecks(struct options *options)
Definition options.c:4186
alloc_remote_entry
static struct remote_entry * alloc_remote_entry(struct options *options, const msglvl_t msglevel)
Definition options.c:2146
show_connection_entry
static void show_connection_entry(const struct connection_entry *o)
Definition options.c:1597
options_warning_safe
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4712
show_library_versions
void show_library_versions(const unsigned int flags)
Definition options.c:4913
setenv_settings
void setenv_settings(struct env_set *es, const struct options *o)
Definition options.c:1009
CHKACC_ACCEPT_URI
#define CHKACC_ACCEPT_URI
Do not check URIs, unless they start with file:
Definition options.c:3969
usage_message
static const char usage_message[]
Definition options.c:121
string_substitute
static char * string_substitute(const char *src, int from, int to, struct gc_arena *gc)
Definition options.c:1163
options_warning_safe_scan1
static void options_warning_safe_scan1(const msglvl_t msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4649
alloc_connection_list_if_undef
static struct connection_list * alloc_connection_list_if_undef(struct options *options)
Definition options.c:2100
check_cmd_access
static bool check_cmd_access(const char *command, const char *opt, const char *chroot)
Definition options.c:4146
SHOW_INT64
#define SHOW_INT64(var)
Definition options.c:976
check_file_access
static bool check_file_access(const int type, const char *file, const int mode, const char *opt)
Definition options.c:3972
show_p2mp_parms
static void show_p2mp_parms(const struct options *o)
Definition options.c:1393
pull_filter_type_name
static const char * pull_filter_type_name(int type)
Definition options.c:950
add_option
void add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5594
cnol_check_alloc
static void cnol_check_alloc(struct options *options)
Definition options.c:1587
options_postprocess_mutate
static void options_postprocess_mutate(struct options *o, struct env_set *es)
Definition options.c:3764
options_detach
void options_detach(struct options *o)
Definition options.c:1560
options_warning_safe_ml
static void options_warning_safe_ml(const msglvl_t msglevel, char *actual, const char *expected, size_t actual_n)
Definition options.c:4667
atou
static unsigned int atou(const char *str)
Definition options.c:4980
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3169
alloc_pull_filter_list
static struct pull_filter_list * alloc_pull_filter_list(struct options *o)
Definition options.c:2172
print_topology
const char * print_topology(const int topology)
Definition options.c:4781
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4726
parse_hash_fingerprint
static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
Parses a hexstring and checks if the string has the correct length.
Definition options.c:1191
check_dns_option
static bool check_dns_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5300
SHOW_STR_INLINE
#define SHOW_STR_INLINE(var)
Definition options.c:972
options_warning_safe_scan2
static void options_warning_safe_scan2(const msglvl_t msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4595
options_postprocess_cipher
static void options_postprocess_cipher(struct options *o)
Definition options.c:3341
options_set_backwards_compatible_options
static void options_set_backwards_compatible_options(struct options *o)
Changes default values so that OpenVPN can be compatible with the user specified version.
Definition options.c:3411
show_tuntap_options
static void show_tuntap_options(const struct tuntap_options *o)
Definition options.c:1308
init_options
void init_options(struct options *o, const bool init_gc)
Definition options.c:802
MUST_BE_FALSE
#define MUST_BE_FALSE(condition, parm_name)
Definition options.c:2271
MUST_BE_UNDEF
#define MUST_BE_UNDEF(parm, parm_name)
Definition options.c:2266
print_vlan_accept
static const char * print_vlan_accept(enum vlan_acceptable_frames mode)
Definition options.c:1376
SHOW_PARM
#define SHOW_PARM(name, value, format)
Definition options.c:970
options_postprocess_http_proxy_override
static void options_postprocess_http_proxy_override(struct options *o)
Definition options.c:2024
options_warning
void options_warning(char *actual, const char *expected)
Definition options.c:4575
show_pull_filter_list
static void show_pull_filter_list(const struct pull_filter_list *l)
Definition options.c:1675
CHKACC_FILE
#define CHKACC_FILE
Check for a file/directory presence.
Definition options.c:3964
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4718
options_postprocess_mutate_invariant
static void options_postprocess_mutate_invariant(struct options *options)
Definition options.c:3241
ipv6_addr_safe_hexplusbits
static bool ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
Definition options.c:1149
title_string
const char title_string[]
Definition options.c:71
update_option
void update_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es, unsigned int *update_options_found)
Processes an option to update.
Definition options.c:5409
setenv_local_entry
static void setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
Definition options.c:1001
remap_redirect_gateway_flags
static void remap_redirect_gateway_flags(struct options *opt)
Definition options.c:3108
TLS_SERVER
#define TLS_SERVER
msglevel_forward_compatible
static msglvl_t msglevel_forward_compatible(struct options *options, const msglvl_t msglevel)
Definition options.c:5076
auth_retry_set
bool auth_retry_set(const msglvl_t msglevel, const char *option)
Definition options.c:4815
auth_retry_get
int auth_retry_get(void)
Definition options.c:4809
dhcp_option_address_parse
static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, msglvl_t msglevel)
Definition options.c:1348
alloc_remote_list_if_undef
static struct remote_list * alloc_remote_list_if_undef(struct options *options)
Definition options.c:2136
check_route6_option
static bool check_route6_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5279
notnull
void notnull(const char *arg, const char *description)
Definition options.c:4949
usage
void usage(void)
Definition options.c:4860
alloc_local_entry
static struct local_entry * alloc_local_entry(struct connection_entry *ce, const msglvl_t msglevel, struct gc_arena *gc)
Definition options.c:2069
show_compression_warning
static void show_compression_warning(struct compress_options *info)
Definition options.c:5567
options_process_mutate_prf
static void options_process_mutate_prf(struct options *o)
Definition options.c:3479
has_udp_in_local_list
bool has_udp_in_local_list(const struct options *options)
Definition options.c:9336
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4368
option_iroute
static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, msglvl_t msglevel)
Definition options.c:1485
options_postprocess_verify
static void options_postprocess_verify(const struct options *o)
Definition options.c:3304
connection_entry_preload_key
static void connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
Definition options.c:2224
alloc_connection_entry
static struct connection_entry * alloc_connection_entry(struct options *options, const msglvl_t msglevel)
Definition options.c:2110
SHOW_INT
#define SHOW_INT(var)
Definition options.c:974
need_compatibility_before
static bool need_compatibility_before(const struct options *o, unsigned int version)
The option –compat-mode is used to set up default settings to values used on the specified openvpn ve...
Definition options.c:3401
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition options.h:263
OPT_P_SCRIPT
#define OPT_P_SCRIPT
Definition options.h:737
PUF_TYPE_ACCEPT
#define PUF_TYPE_ACCEPT
filter type to accept a matching option
Definition options.h:802
OPT_P_PUSH
#define OPT_P_PUSH
Definition options.h:749
SF_TCP_NODELAY_HELPER
#define SF_TCP_NODELAY_HELPER
Definition options.h:477
OPT_P_UP
#define OPT_P_UP
Definition options.h:734
OPT_P_CONNECTION
#define OPT_P_CONNECTION
Definition options.h:760
OPT_P_INSTANCE
#define OPT_P_INSTANCE
allowed in ccd, client-connect etc
Definition options.h:750
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:745
read_config_file
void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options_parse.c:347
OPT_P_ECHO
#define OPT_P_ECHO
Definition options.h:753
OPT_P_ROUTE_TABLE
#define OPT_P_ROUTE_TABLE
Definition options.h:764
OPT_P_CONFIG
#define OPT_P_CONFIG
Definition options.h:751
MODE_SERVER
#define MODE_SERVER
Definition options.h:264
CONNECTION_LIST_SIZE
#define CONNECTION_LIST_SIZE
Definition options.h:190
streq
#define streq(x, y)
Definition options.h:728
OPT_P_U_REDIR_GATEWAY
#define OPT_P_U_REDIR_GATEWAY
Definition options.h:797
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:752
PUF_TYPE_IGNORE
#define PUF_TYPE_IGNORE
filter type to ignore a matching option
Definition options.h:803
AR_INTERACT
#define AR_INTERACT
Definition options.h:976
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition options.h:739
OPT_P_U_ROUTE6
#define OPT_P_U_ROUTE6
Definition options.h:794
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:997
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition options.h:759
SF_NOPOOL
#define SF_NOPOOL
Definition options.h:476
PUF_TYPE_REJECT
#define PUF_TYPE_REJECT
filter type to reject and trigger SIGUSR1
Definition options.h:804
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition options.h:744
OPT_P_SETENV
#define OPT_P_SETENV
Definition options.h:738
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition options.h:758
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition options.h:757
OPTION_PARM_SIZE
#define OPTION_PARM_SIZE
Definition options.h:56
OPT_P_TIMER
#define OPT_P_TIMER
Definition options.h:740
OPT_P_GENERAL
#define OPT_P_GENERAL
Definition options.h:733
PING_RESTART
#define PING_RESTART
Definition options.h:355
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition options.h:736
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition options.h:756
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition options.h:242
GENKEY_SECRET
@ GENKEY_SECRET
Definition options.h:239
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:241
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:240
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition options.h:763
AR_NONE
#define AR_NONE
Definition options.h:975
AR_NOINTERACT
#define AR_NOINTERACT
Definition options.h:977
SF_NO_PUSH_ROUTE_GATEWAY
#define SF_NO_PUSH_ROUTE_GATEWAY
Definition options.h:478
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition options.h:741
MAX_PARMS
#define MAX_PARMS
Definition options.h:51
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition options.h:768
OPT_P_U_DNS
#define OPT_P_U_DNS
Definition options.h:795
PLUGIN_OPTION_LIST
#define PLUGIN_OPTION_LIST(opt)
Definition options.h:779
ROUTE_OPTION_FLAGS
#define ROUTE_OPTION_FLAGS(o)
Definition options.h:771
OPTION_LINE_SIZE
#define OPTION_LINE_SIZE
Definition options.h:57
OPT_P_U_ROUTE
#define OPT_P_U_ROUTE
Definition options.h:793
PING_EXIT
#define PING_EXIT
Definition options.h:354
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:743
OPT_P_PERSIST_IP
#define OPT_P_PERSIST_IP
Definition options.h:742
OPT_P_MTU
#define OPT_P_MTU
Definition options.h:747
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition options.h:755
OPT_P_U_DHCP
#define OPT_P_U_DHCP
Definition options.h:796
OPT_P_NICE
#define OPT_P_NICE
Definition options.h:748
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition options.h:761
OPT_P_INHERIT
#define OPT_P_INHERIT
Definition options.h:754
OPT_P_TLS_PARMS
#define OPT_P_TLS_PARMS
Definition options.h:746
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition options.h:735
read_config_string
void read_config_string(const char *prefix, struct options *options, const char *config, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options_parse.c:421
MAN_CLIENT_AUTH_ENABLED
#define MAN_CLIENT_AUTH_ENABLED(opt)
Definition options.h:785
CE_DISABLED
#define CE_DISABLED
Definition options.h:153
OPT_P_INLINE
#define OPT_P_INLINE
Definition options.h:762
vlan_acceptable_frames
vlan_acceptable_frames
Definition options.h:223
VLAN_ONLY_UNTAGGED_OR_PRIORITY
@ VLAN_ONLY_UNTAGGED_OR_PRIORITY
Definition options.h:225
VLAN_ALL
@ VLAN_ALL
Definition options.h:226
VLAN_ONLY_TAGGED
@ VLAN_ONLY_TAGGED
Definition options.h:224
atoi_warn
int atoi_warn(const char *str, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number.
Definition options_util.c:151
positive_atoi
int positive_atoi(const char *str, msglvl_t msglevel)
Converts a str to a positive number if the string represents a postive integer number.
Definition options_util.c:120
positive_atoll
bool positive_atoll(const char *str, int64_t *value, const char *name, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number and is >= 0.
Definition options_util.c:135
valid_integer
bool valid_integer(const char *str, bool positive)
Checks if the string is a valid integer by checking if it can be converted to an integer.
Definition options_util.c:104
atoi_constrained
bool atoi_constrained(const char *str, int *value, const char *name, int min, int max, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number and is between min...
Definition options_util.c:166
options_util.h
packet_id.h
MAX_SEQ_BACKTRACK
#define MAX_SEQ_BACKTRACK
Definition packet_id.h:85
MIN_SEQ_BACKTRACK
#define MIN_SEQ_BACKTRACK
Definition packet_id.h:84
DEFAULT_SEQ_BACKTRACK
#define DEFAULT_SEQ_BACKTRACK
Definition packet_id.h:86
MAX_TIME_BACKTRACK
#define MAX_TIME_BACKTRACK
Definition packet_id.h:94
DEFAULT_TIME_BACKTRACK
#define DEFAULT_TIME_BACKTRACK
Definition packet_id.h:95
MIN_TIME_BACKTRACK
#define MIN_TIME_BACKTRACK
Definition packet_id.h:93
platform_getpid
unsigned int platform_getpid(void)
Definition platform.c:333
platform_access
int platform_access(const char *path, int mode)
Definition platform.c:457
platform_chdir
int platform_chdir(const char *dir)
Definition platform.c:392
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:526
platform_stat_t
struct _stat platform_stat_t
Definition platform.h:118
plugin_option_list_new
struct plugin_option_list * plugin_option_list_new(struct gc_arena *gc)
Definition plugin.c:159
plugin_option_list_add
bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
Definition plugin.c:167
plugin_option_list_print
void plugin_option_list_print(const struct plugin_option_list *list, msglvl_t msglevel)
Definition plugin.c:187
ifconfig_pool_verify_range
bool ifconfig_pool_verify_range(const msglvl_t msglevel, const in_addr_t start, const in_addr_t end)
Definition pool.c:117
OPENVPN_8021Q_MIN_VID
#define OPENVPN_8021Q_MIN_VID
Definition proto.h:316
OPENVPN_8021Q_MAX_VID
#define OPENVPN_8021Q_MAX_VID
Definition proto.h:317
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:36
TOP_UNDEF
#define TOP_UNDEF
Definition proto.h:40
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition proto.h:34
TOP_NET30
#define TOP_NET30
Definition proto.h:41
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:35
TOP_P2P
#define TOP_P2P
Definition proto.h:42
TOP_SUBNET
#define TOP_SUBNET
Definition proto.h:43
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:45
PAR_NCT
#define PAR_NCT
Definition proxy.h:51
MAX_CUSTOM_HTTP_HEADER
#define MAX_CUSTOM_HTTP_HEADER
Definition proxy.h:43
PAR_ALL
#define PAR_ALL
Definition proxy.h:50
push_reset
void push_reset(struct options *o)
Definition push.c:939
push_options
void push_options(struct options *o, char **p, msglvl_t msglevel, struct gc_arena *gc)
Definition push.c:913
clone_push_list
void clone_push_list(struct options *o)
Definition push.c:898
push_remove_option
void push_remove_option(struct options *o, const char *p)
Definition push.c:945
print_route_options
void print_route_options(const struct route_option_list *rol, msglvl_t msglevel)
Definition route.c:1238
is_special_addr
bool is_special_addr(const char *addr_str)
Definition route.c:299
clone_route_option_list
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition route.c:153
netmask_to_netbits2
int netmask_to_netbits2(in_addr_t netmask)
Definition route.c:3909
new_route_ipv6_option_list
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition route.c:137
delete_routes_v6
void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1196
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition route.c:2668
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:507
copy_route_option_list
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition route.c:171
copy_route_ipv6_option_list
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:179
print_default_gateway
void print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition route.c:1252
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2570
clone_route_ipv6_option_list
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:162
new_route_option_list
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition route.c:128
show_routes
void show_routes(msglvl_t msglevel)
Definition route.c:3071
delete_routes_v4
void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1174
add_route_to_option_list
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric, int table_id)
Definition route.c:492
RG_LOCAL
#define RG_LOCAL
Definition route.h:87
RG_BYPASS_DHCP
#define RG_BYPASS_DHCP
Definition route.h:89
ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_SERVICE
Definition route.h:42
ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_IPAPI
Definition route.h:40
ROUTE_METHOD_EXE
#define ROUTE_METHOD_EXE
Definition route.h:41
RG_DEF1
#define RG_DEF1
Definition route.h:88
RG_BYPASS_DNS
#define RG_BYPASS_DNS
Definition route.h:90
RG_ENABLE
#define RG_ENABLE
Definition route.h:86
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:91
ROUTE_METHOD_ADAPTIVE
#define ROUTE_METHOD_ADAPTIVE
Definition route.h:39
RG_AUTO_LOCAL
#define RG_AUTO_LOCAL
Definition route.h:92
RG_BLOCK_LOCAL
#define RG_BLOCK_LOCAL
Definition route.h:93
script_security_set
void script_security_set(int level)
Definition run_command.c:48
run_command.h
SSEC_PW_ENV
#define SSEC_PW_ENV
allow calling of built-in programs and user-defined scripts that may receive a password as an environ...
Definition run_command.h:38
SSEC_NONE
#define SSEC_NONE
strictly no calling of external programs
Definition run_command.h:31
SHAPER_MAX
#define SHAPER_MAX
Definition shaper.h:40
SHAPER_MIN
#define SHAPER_MIN
Definition shaper.h:39
bind_local
static void bind_local(struct link_socket *sock, const sa_family_t ai_family)
Definition socket.c:666
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, msglvl_t msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:226
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:199
SF_TCP_NODELAY
#define SF_TCP_NODELAY
Definition socket.h:192
RESOLV_RETRY_INFINITE
#define RESOLV_RETRY_INFINITE
Definition socket.h:48
OPENVPN_PORT
#define OPENVPN_PORT
Definition socket.h:42
SF_USE_IP_PKTINFO
#define SF_USE_IP_PKTINFO
Definition socket.h:191
SF_HOST_RANDOMIZE
#define SF_HOST_RANDOMIZE
Definition socket.h:194
SF_PKTINFO_COPY_IIF
#define SF_PKTINFO_COPY_IIF
Definition socket.h:198
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition socket_util.c:409
mac_addr_safe
bool mac_addr_safe(const char *mac_addr)
Definition socket_util.c:890
proto2ascii_all
const char * proto2ascii_all(struct gc_arena *gc)
Definition socket_util.c:430
ascii2af
sa_family_t ascii2af(const char *proto_name)
Definition socket_util.c:396
proto_remote
const char * proto_remote(int proto, bool remote)
Definition socket_util.c:472
ipv6_addr_safe
bool ipv6_addr_safe(const char *ipv6_text_addr)
Definition socket_util.c:837
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:216
ip_or_dns_addr_safe
bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn)
Definition socket_util.c:873
ascii2proto
int ascii2proto(const char *proto_name)
Definition socket_util.c:383
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196
ip_addr_dotted_quad_safe
bool ip_addr_dotted_quad_safe(const char *dotted_quad)
Definition socket_util.c:787
socket_util.h
proto_is_net
static bool proto_is_net(int proto)
Definition socket_util.h:185
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition socket_util.h:195
GETADDR_FATAL
#define GETADDR_FATAL
Definition socket_util.h:118
PROTO_NONE
@ PROTO_NONE
Definition socket_util.h:176
PROTO_UDP
@ PROTO_UDP
Definition socket_util.h:177
PROTO_TCP
@ PROTO_TCP
Definition socket_util.h:178
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition socket_util.h:180
PROTO_TCP_SERVER
@ PROTO_TCP_SERVER
Definition socket_util.h:179
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition socket_util.h:119
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket_util.h:206
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition socket_util.h:117
IA_NET_ORDER
#define IA_NET_ORDER
Definition socket_util.h:90
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:361
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition ssl.c:336
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:420
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition ssl.c:355
ssl_get_auth_nocache
bool ssl_get_auth_nocache(void)
Definition ssl.c:346
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1869
ssl.h
Control Channel SSL/Data channel negotiation module.
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:120
KEY_METHOD_2
#define KEY_METHOD_2
Definition ssl.h:122
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition ssl_openssl.c:2628
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition ssl_backend.h:103
TLS_VER_1_0
#define TLS_VER_1_0
Definition ssl_backend.h:105
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition ssl_backend.h:390
TLS_VER_1_2
#define TLS_VER_1_2
Definition ssl_backend.h:107
TLS_VER_1_3
#define TLS_VER_1_3
Definition ssl_backend.h:108
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition ssl_openssl.c:203
SSLF_TLS_VERSION_MAX_SHIFT
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition ssl_common.h:433
SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_OPTIONAL
Definition ssl_common.h:426
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:428
SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition ssl_common.h:425
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:430
SSLF_TLS_DEBUG_ENABLED
#define SSLF_TLS_DEBUG_ENABLED
Definition ssl_common.h:435
SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MAX_MASK
Definition ssl_common.h:434
SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition ssl_common.h:431
SSLF_TLS_VERSION_MIN_MASK
#define SSLF_TLS_VERSION_MIN_MASK
Definition ssl_common.h:432
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition ssl_common.h:427
options_postprocess_setdefault_ncpciphers
void options_postprocess_setdefault_ncpciphers(struct options *o)
Checks for availibility of Chacha20-Poly1305 and sets the ncp_cipher to either AES-256-GCM:AES-128-GC...
Definition ssl_ncp.c:584
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
append_cipher_to_ncp_list
void append_cipher_to_ncp_list(struct options *o, const char *ciphername)
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
Definition ssl_ncp.c:195
mutate_ncp_cipher_list
char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
Check whether the ciphers in the supplied list are supported.
Definition ssl_ncp.c:96
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
ssl_verify.h
Control Channel Verification Module.
OPENVPN_KU_REQUIRED
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
Definition ssl_verify.h:257
VERIFY_X509_SUBJECT_DN
#define VERIFY_X509_SUBJECT_DN
Definition ssl_verify.h:69
VERIFY_X509_SUBJECT_RDN
#define VERIFY_X509_SUBJECT_RDN
Definition ssl_verify.h:70
NS_CERT_CHECK_CLIENT
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:254
VERIFY_X509_SUBJECT_RDN_PREFIX
#define VERIFY_X509_SUBJECT_RDN_PREFIX
Definition ssl_verify.h:71
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:252
x509_track_add
void x509_track_add(const struct x509_track **ll_head, const char *name, msglvl_t msglevel, struct gc_arena *gc)
Definition ssl_verify_openssl.c:424
argv
Definition argv.h:35
argv::argv
char ** argv
Definition argv.h:39
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
compress_options
Definition comp.h:75
compress_options::flags
unsigned int flags
Definition comp.h:77
compress_options::alg
int alg
Definition comp.h:76
connection_entry
Definition options.h:107
connection_entry::local_list
struct local_list * local_list
Definition options.h:108
connection_entry::tun_mtu_max
int tun_mtu_max
Definition options.h:129
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition options.h:119
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition options.h:179
connection_entry::link_mtu
int link_mtu
Definition options.h:134
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition options.h:135
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition options.h:132
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition options.h:120
connection_entry::bind_local
bool bind_local
Definition options.h:118
connection_entry::mssfix
int mssfix
Definition options.h:144
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition options.h:170
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:175
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition options.h:133
connection_entry::remote
const char * remote
Definition options.h:114
connection_entry::connect_timeout
int connect_timeout
Definition options.h:121
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition options.h:124
connection_entry::mssfix_default
bool mssfix_default
Definition options.h:145
connection_entry::mssfix_encap
bool mssfix_encap
Definition options.h:146
connection_entry::occ_mtu
int occ_mtu
Definition options.h:128
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition options.h:122
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:171
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:166
connection_entry::bind_ipv6_only
bool bind_ipv6_only
Definition options.h:117
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition options.h:131
connection_entry::remote_float
bool remote_float
Definition options.h:115
connection_entry::tls_mtu
int tls_mtu
Definition options.h:136
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:150
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition options.h:125
connection_entry::remote_port
const char * remote_port
Definition options.h:113
connection_entry::fragment_encap
bool fragment_encap
Definition options.h:142
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition options.h:123
connection_entry::fragment
int fragment
Definition options.h:141
connection_entry::mtu_discover_type
int mtu_discover_type
Definition options.h:139
connection_entry::proto
int proto
Definition options.h:109
connection_entry::af
sa_family_t af
Definition options.h:110
connection_entry::tls_auth_file
const char * tls_auth_file
Definition options.h:165
connection_entry::local_port_defined
bool local_port_defined
Definition options.h:112
connection_entry::tun_mtu
int tun_mtu
Definition options.h:127
connection_entry::bind_defined
bool bind_defined
Definition options.h:116
connection_entry::local_port
const char * local_port
Definition options.h:111
connection_entry::key_direction
int key_direction
Definition options.h:167
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:176
connection_entry::flags
unsigned int flags
Definition options.h:162
connection_entry::mssfix_fixed
bool mssfix_fixed
Definition options.h:148
connection_list
Definition options.h:200
connection_list::array
struct connection_entry ** array
Definition options.h:204
connection_list::capacity
int capacity
Definition options.h:201
connection_list::len
int len
Definition options.h:202
context_1::route_list
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
context
Contains all state information for one tunnel.
Definition openvpn.h:474
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:501
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
dhcp_options
Definition dns.h:100
dhcp_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition dns.h:101
dhcp
Definition dhcp.h:62
dns_domain
Definition dns.h:54
dns_domain::next
struct dns_domain * next
Definition dns.h:55
dns_domain::name
const char * name
Definition dns.h:56
dns_options
Definition dns.h:113
dns_options::servers
struct dns_server * servers
Definition dns.h:117
dns_options::updown
const char * updown
Definition dns.h:119
dns_options::from_dhcp
struct dhcp_options from_dhcp
Definition dns.h:114
dns_options::gc
struct gc_arena gc
Definition dns.h:118
dns_options::updown_flags
enum dns_updown_flags updown_flags
Definition dns.h:120
dns_options::search_domains
struct dns_domain * search_domains
Definition dns.h:115
dns_server_addr::a4
struct in_addr a4
Definition dns.h:63
dns_server_addr::in
union dns_server_addr::@0 in
dns_server_addr::family
sa_family_t family
Definition dns.h:66
dns_server_addr::a6
struct in6_addr a6
Definition dns.h:64
dns_server_addr::port
in_port_t port
Definition dns.h:67
dns_server
Definition dns.h:71
dns_server::addr
struct dns_server_addr addr[8]
Definition dns.h:75
dns_server::dnssec
enum dns_security dnssec
Definition dns.h:77
dns_server::next
struct dns_server * next
Definition dns.h:72
dns_server::priority
long priority
Definition dns.h:73
dns_server::addr_count
size_t addr_count
Definition dns.h:74
dns_server::domains
struct dns_domain * domains
Definition dns.h:76
dns_server::transport
enum dns_server_transport transport
Definition dns.h:78
dns_server::sni
const char * sni
Definition dns.h:79
env_item
Definition env_set.h:37
env_item::string
char * string
Definition env_set.h:38
env_item::next
struct env_item * next
Definition env_set.h:39
env_set
Definition env_set.h:43
env_set::list
struct env_item * list
Definition env_set.h:45
fragment
Structure for reassembling one incoming fragmented packet.
Definition fragment.h:65
frame
Packet geometry parameters.
Definition mtu.h:103
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:137
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
hash
Definition list.h:53
http_custom_header
Definition proxy.h:38
http_custom_header::name
const char * name
Definition proxy.h:39
http_custom_header::content
const char * content
Definition proxy.h:40
http_proxy_options
Definition proxy.h:45
http_proxy_options::auth_file
const char * auth_file
Definition proxy.h:55
http_proxy_options::http_version
const char * http_version
Definition proxy.h:57
http_proxy_options::port
const char * port
Definition proxy.h:47
http_proxy_options::inline_creds
bool inline_creds
Definition proxy.h:60
http_proxy_options::user_agent
const char * user_agent
Definition proxy.h:58
http_proxy_options::auth_retry
int auth_retry
Definition proxy.h:52
http_proxy_options::auth_method_string
const char * auth_method_string
Definition proxy.h:54
http_proxy_options::nocache
bool nocache
Definition proxy.h:63
http_proxy_options::custom_headers
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
Definition proxy.h:59
http_proxy_options::auth_file_up
const char * auth_file_up
Definition proxy.h:56
http_proxy_options::server
const char * server
Definition proxy.h:46
iroute_ipv6
Definition route.h:268
iroute_ipv6::next
struct iroute_ipv6 * next
Definition route.h:271
iroute_ipv6::netbits
unsigned int netbits
Definition route.h:270
iroute_ipv6::network
struct in6_addr network
Definition route.h:269
iroute::network
in_addr_t network
Definition route.h:262
iroute::netbits
int netbits
Definition route.h:263
iroute::next
struct iroute * next
Definition route.h:264
key_type
Definition crypto.h:141
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key_type::digest
const char * digest
Message digest static parameters.
Definition crypto.h:143
local_entry
Definition options.h:100
local_entry::port
const char * port
Definition options.h:102
local_entry::proto
int proto
Definition options.h:103
local_entry::local
const char * local
Definition options.h:101
local_list
Definition options.h:193
local_list::array
struct local_entry ** array
Definition options.h:196
local_list::len
int len
Definition options.h:195
local_list::capacity
int capacity
Definition options.h:194
options_pre_connect
Definition options.h:63
options_pre_connect::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:65
options_pre_connect::routes_defined
bool routes_defined
Definition options.h:70
options_pre_connect::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:89
options_pre_connect::foreign_option_index
int foreign_option_index
Definition options.h:91
options_pre_connect::tuntap_options_defined
bool tuntap_options_defined
Definition options.h:64
options_pre_connect::routes_ipv6_defined
bool routes_ipv6_defined
Definition options.h:73
options_pre_connect::ping_rec_timeout
int ping_rec_timeout
Definition options.h:88
options_pre_connect::routes
struct route_option_list * routes
Definition options.h:71
options_pre_connect::comp
struct compress_options comp
Definition options.h:92
options_pre_connect::ciphername
const char * ciphername
Definition options.h:84
options_pre_connect::ifconfig_local
const char * ifconfig_local
Definition options.h:67
options_pre_connect::dns_options
struct dns_options dns_options
Definition options.h:82
options_pre_connect::route_default_gateway
const char * route_default_gateway
Definition options.h:76
options_pre_connect::ping_send_timeout
int ping_send_timeout
Definition options.h:87
options_pre_connect::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:68
options_pre_connect::authname
const char * authname
Definition options.h:85
options_pre_connect::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:74
options_pre_connect::client_nat_defined
bool client_nat_defined
Definition options.h:79
options_pre_connect::client_nat
struct client_nat_option_list * client_nat
Definition options.h:80
options_pre_connect::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:77
options::resolve_retry_seconds
int resolve_retry_seconds
Definition options.h:366
options::rcvbuf
int rcvbuf
Definition options.h:415
options::resolve_in_advance
bool resolve_in_advance
Definition options.h:367
options::route_nopull
bool route_nopull
Definition options.h:439
options::genkey_extra_data
const char * genkey_extra_data
Definition options.h:289
options::comp
struct compress_options comp
Definition options.h:412
options::http_proxy_override
struct http_proxy_options * http_proxy_override
Definition options.h:312
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition options.h:525
options::proto_force
int proto_force
Definition options.h:335
options::persist_config
bool persist_config
Definition options.h:277
options::connection_list
struct connection_list * connection_list
Definition options.h:294
options::management_port
const char * management_port
Definition options.h:449
options::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:670
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition options.h:330
options::max_routes_per_client
int max_routes_per_client
Definition options.h:538
options::ncp_ciphers_conf
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition options.h:579
options::status_file_version
int status_file_version
Definition options.h:406
options::vlan_accept
enum vlan_acceptable_frames vlan_accept
Definition options.h:715
options::auth_token_renewal
int auth_token_renewal
Definition options.h:547
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition options.h:520
options::tmp_dir
const char * tmp_dir
Definition options.h:468
options::push_peer_info
bool push_peer_info
Definition options.h:686
options::daemon
bool daemon
Definition options.h:390
options::pre_connect
struct options_pre_connect * pre_connect
Definition options.h:563
options::route_default_metric
int route_default_metric
Definition options.h:431
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition options.h:650
options::auth_token_secret_file
const char * auth_token_secret_file
Definition options.h:548
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:725
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition options.h:615
options::crl_file_inline
bool crl_file_inline
Definition options.h:619
options::cryptoapi_cert
const char * cryptoapi_cert
Definition options.h:641
options::down_script
const char * down_script
Definition options.h:385
options::backwards_compatible
unsigned int backwards_compatible
What version we should try to be compatible with as major * 10000 + minor * 100 + patch,...
Definition options.h:271
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition options.h:625
options::scheduled_exit_interval
int scheduled_exit_interval
Definition options.h:565
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition options.h:540
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition options.h:608
options::replay_time
int replay_time
Definition options.h:586
options::push_option_types_found
unsigned int push_option_types_found
Definition options.h:560
options::management_state_buffer_size
int management_state_buffer_size
Definition options.h:453
options::ca_file
const char * ca_file
Definition options.h:596
options::tls_auth_file
const char * tls_auth_file
Definition options.h:665
options::providers
struct provider_list providers
Definition options.h:583
options::duplicate_cn
bool duplicate_cn
Definition options.h:529
options::server_network_ipv6
struct in6_addr server_network_ipv6
Definition options.h:473
options::shaper
int shaper
Definition options.h:333
options::management_echo_buffer_size
int management_echo_buffer_size
Definition options.h:452
options::server_network
in_addr_t server_network
Definition options.h:470
options::real_hash_size
uint32_t real_hash_size
Definition options.h:501
options::show_net_up
bool show_net_up
Definition options.h:699
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition options.h:627
options::allow_pull_fqdn
bool allow_pull_fqdn
Definition options.h:441
options::use_peer_id
bool use_peer_id
Definition options.h:705
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:622
options::server_bridge_defined
bool server_bridge_defined
Definition options.h:483
options::keying_material_exporter_label
const char * keying_material_exporter_label
Definition options.h:709
options::status_file
const char * status_file
Definition options.h:405
options::ssl_flags
unsigned int ssl_flags
Definition options.h:628
options::route_noexec
bool route_noexec
Definition options.h:432
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition options.h:332
options::remote_cert_eku
const char * remote_cert_eku
Definition options.h:623
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition options.h:493
options::server_netmask
in_addr_t server_netmask
Definition options.h:471
options::tls_timeout
int tls_timeout
Definition options.h:644
options::test_crypto
bool test_crypto
Definition options.h:588
options::up_delay
bool up_delay
Definition options.h:388
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition options.h:481
options::allow_recursive_routing
bool allow_recursive_routing
Definition options.h:722
options::authname
const char * authname
Definition options.h:581
options::exit_event_name
const char * exit_event_name
Definition options.h:697
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:328
options::cf_max
int cf_max
Definition options.h:531
options::dh_file_inline
bool dh_file_inline
Definition options.h:600
options::replay_window
int replay_window
Definition options.h:585
options::disable
bool disable
Definition options.h:509
options::mute
int mute
Definition options.h:399
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition options.h:543
options::dev_type
const char * dev_type
Definition options.h:322
options::persist_mode
int persist_mode
Definition options.h:278
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition options.h:495
options::show_digests
bool show_digests
Definition options.h:282
options::up_script
const char * up_script
Definition options.h:384
options::single_session
bool single_session
Definition options.h:684
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition options.h:515
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition options.h:490
options::verify_hash_depth
int verify_hash_depth
Definition options.h:626
options::route_delay_defined
bool route_delay_defined
Definition options.h:435
options::packet_id_file
const char * packet_id_file
Definition options.h:587
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:674
options::management_log_history_cache
int management_log_history_cache
Definition options.h:451
options::server_bridge_netmask
in_addr_t server_bridge_netmask
Definition options.h:485
options::ip_remote_hint
const char * ip_remote_hint
Definition options.h:368
options::vlan_tagging
bool vlan_tagging
Definition options.h:714
options::peer_id
uint32_t peer_id
Definition options.h:706
options::routes
struct route_option_list * routes
Definition options.h:436
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition options.h:492
options::keepalive_timeout
int keepalive_timeout
Definition options.h:342
options::writepid
const char * writepid
Definition options.h:383
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition options.h:345
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition options.h:497
options::fast_io
bool fast_io
Definition options.h:410
options::server_flags
unsigned int server_flags
Definition options.h:479
options::block_outside_dns
bool block_outside_dns
Definition options.h:701
options::push_ifconfig_ipv6_blocked
bool push_ifconfig_ipv6_blocked
Definition options.h:527
options::tls_exit
bool tls_exit
Definition options.h:688
options::pkcs12_file
const char * pkcs12_file
Definition options.h:607
options::client_disconnect_script
const char * client_disconnect_script
Definition options.h:504
options::show_engines
bool show_engines
Definition options.h:283
options::remote_list
struct remote_list * remote_list
Definition options.h:296
options::msg_channel
HANDLE msg_channel
Definition options.h:696
options::key_pass_file
const char * key_pass_file
Definition options.h:280
options::mute_replay_warnings
bool mute_replay_warnings
Definition options.h:584
options::tls_crypt_file
const char * tls_crypt_file
Definition options.h:669
options::inactivity_timeout
int inactivity_timeout
Definition options.h:344
options::n_bcast_buf
int n_bcast_buf
Definition options.h:511
options::handshake_window
int handshake_window
Definition options.h:654
options::server_defined
bool server_defined
Definition options.h:469
options::ifconfig_local
const char * ifconfig_local
Definition options.h:326
options::ce
struct connection_entry ce
Definition options.h:293
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:514
options::push_list
struct push_list push_list
Definition options.h:489
options::user_script_used
bool user_script_used
Definition options.h:386
options::tls_groups
const char * tls_groups
Definition options.h:611
options::show_tls_ciphers
bool show_tls_ciphers
Definition options.h:284
options::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:370
options::route_method
int route_method
Definition options.h:700
options::verify_hash
struct verify_hash_list * verify_hash
Definition options.h:624
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:612
options::renegotiate_packets
int64_t renegotiate_packets
Definition options.h:648
options::management_flags
unsigned int management_flags
Definition options.h:461
options::push_continuation
int push_continuation
Definition options.h:559
options::route_default_gateway
const char * route_default_gateway
Definition options.h:428
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition options.h:518
options::dns_options
struct dns_options dns_options
Definition options.h:317
options::exit_event_initial_state
bool exit_event_initial_state
Definition options.h:698
options::sc_info
struct static_challenge_info sc_info
Definition options.h:568
options::auth_token_call_auth
bool auth_token_call_auth
Definition options.h:545
options::ipchange
const char * ipchange
Definition options.h:320
options::topology
int topology
Definition options.h:325
options::disable_dco
bool disable_dco
Definition options.h:373
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:580
options::genkey
bool genkey
Definition options.h:286
options::virtual_hash_size
uint32_t virtual_hash_size
Definition options.h:502
options::learn_address_script
const char * learn_address_script
Definition options.h:505
options::ciphername
const char * ciphername
Definition options.h:575
options::auth_user_pass_file
const char * auth_user_pass_file
Definition options.h:561
options::tls_crypt_v2_max_age
int tls_crypt_v2_max_age
Definition options.h:681
options::forward_compatible
bool forward_compatible
Definition options.h:268
options::username
const char * username
Definition options.h:376
options::cf_initial_max
int cf_initial_max
Definition options.h:534
options::stale_routes_check_interval
int stale_routes_check_interval
Definition options.h:539
options::plugin_list
struct plugin_option_list * plugin_list
Definition options.h:464
options::auth_token_lifetime
int auth_token_lifetime
Definition options.h:546
options::vlan_pvid
uint16_t vlan_pvid
Definition options.h:716
options::ns_cert_type
int ns_cert_type
Definition options.h:621
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition options.h:679
options::mode
int mode
Definition options.h:265
options::tls_server
bool tls_server
Definition options.h:594
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition options.h:542
options::connect_retry_max
int connect_retry_max
Definition options.h:292
options::bind_dev
char * bind_dev
Definition options.h:420
options::extra_certs_file
const char * extra_certs_file
Definition options.h:603
options::client
bool client
Definition options.h:557
options::pull
bool pull
Definition options.h:558
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition options.h:499
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition options.h:521
options::show_curves
bool show_curves
Definition options.h:285
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:429
options::tls_client
bool tls_client
Definition options.h:595
options::ping_timer_remote
bool ping_timer_remote
Definition options.h:351
options::auth_token_generate
bool auth_token_generate
Definition options.h:544
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:606
options::tls_verify
const char * tls_verify
Definition options.h:614
options::crl_file
const char * crl_file
Definition options.h:618
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:356
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition options.h:562
options::show_ciphers
bool show_ciphers
Definition options.h:281
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:576
options::route_predown_script
const char * route_predown_script
Definition options.h:427
options::dh_file
const char * dh_file
Definition options.h:599
options::route_delay_window
int route_delay_window
Definition options.h:434
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition options.h:516
options::mlock
bool mlock
Definition options.h:339
options::ignore_unknown_option
const char ** ignore_unknown_option
Definition options.h:274
options::sndbuf
int sndbuf
Definition options.h:416
options::foreign_option_index
int foreign_option_index
Definition options.h:693
options::gc
struct gc_arena gc
Definition options.h:256
options::gc_owned
bool gc_owned
Definition options.h:257
options::down_pre
bool down_pre
Definition options.h:387
options::persist_tun
bool persist_tun
Definition options.h:358
options::route_default_table_id
int route_default_table_id
Definition options.h:430
options::ca_file_inline
bool ca_file_inline
Definition options.h:597
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition options.h:549
options::block_ipv6
bool block_ipv6
Definition options.h:438
options::config
const char * config
Definition options.h:260
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition options.h:604
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition options.h:519
options::mark
int mark
Definition options.h:419
options::cf_initial_per
int cf_initial_per
Definition options.h:535
options::keying_material_exporter_length
int keying_material_exporter_length
Definition options.h:710
options::suppress_timestamps
bool suppress_timestamps
Definition options.h:395
options::force_key_material_export
bool force_key_material_export
Definition options.h:712
options::mtu_test
bool mtu_test
Definition options.h:337
options::iroutes
struct iroute * iroutes
Definition options.h:513
options::verify_x509_type
int verify_x509_type
Definition options.h:616
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:610
options::ecdh_curve
const char * ecdh_curve
Definition options.h:613
options::status_file_update_freq
int status_file_update_freq
Definition options.h:407
options::management_client_user
const char * management_client_user
Definition options.h:455
options::cipher_list
const char * cipher_list
Definition options.h:609
options::ccd_exclusive
bool ccd_exclusive
Definition options.h:508
options::allow_deprecated_insecure_static_crypto
bool allow_deprecated_insecure_static_crypto
Definition options.h:573
options::pull_filter_list
struct pull_filter_list * pull_filter_list
Definition options.h:718
options::management_certificate
const char * management_certificate
Definition options.h:458
options::genkey_filename
const char * genkey_filename
Definition options.h:288
options::x509_track
const struct x509_track * x509_track
Definition options.h:690
options::chroot_dir
const char * chroot_dir
Definition options.h:378
options::log
bool log
Definition options.h:394
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition options.h:572
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition options.h:526
options::ca_path
const char * ca_path
Definition options.h:598
options::renegotiate_seconds
int renegotiate_seconds
Definition options.h:649
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:350
options::sockflags
unsigned int sockflags
Definition options.h:423
options::engine
const char * engine
Definition options.h:582
options::management_addr
const char * management_addr
Definition options.h:448
options::client_connect_script
const char * client_connect_script
Definition options.h:503
options::verify_x509_name
const char * verify_x509_name
Definition options.h:617
options::ping_send_timeout
int ping_send_timeout
Definition options.h:349
options::route_gateway_via_dhcp
bool route_gateway_via_dhcp
Definition options.h:440
options::remote_random
bool remote_random
Definition options.h:319
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition options.h:523
options::tcp_queue_limit
int tcp_queue_limit
Definition options.h:512
options::route_delay
int route_delay
Definition options.h:433
options::dev_node
const char * dev_node
Definition options.h:323
options::override_username
const char * override_username
Definition options.h:510
options::client_crresponse_script
const char * client_crresponse_script
Definition options.h:506
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:437
options::machine_readable_output
bool machine_readable_output
Definition options.h:396
options::key_direction
int key_direction
Definition options.h:574
options::server_ipv6_defined
bool server_ipv6_defined
Definition options.h:472
options::priv_key_file
const char * priv_key_file
Definition options.h:605
options::persist_remote_ip
bool persist_remote_ip
Definition options.h:360
options::up_restart
bool up_restart
Definition options.h:389
options::keepalive_ping
int keepalive_ping
Definition options.h:341
options::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:666
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:675
options::groupname
const char * groupname
Definition options.h:377
options::server_bridge_pool_start
in_addr_t server_bridge_pool_start
Definition options.h:486
options::cd_dir
const char * cd_dir
Definition options.h:379
options::client_nat
struct client_nat_option_list * client_nat
Definition options.h:442
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition options.h:524
options::nice
int nice
Definition options.h:397
options::max_clients
int max_clients
Definition options.h:537
options::transition_window
int transition_window
Definition options.h:662
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition options.h:327
options::lladdr
const char * lladdr
Definition options.h:324
options::verbosity
int verbosity
Definition options.h:398
options::session_timeout
int session_timeout
Definition options.h:347
options::cert_file
const char * cert_file
Definition options.h:601
options::enable_c2c
bool enable_c2c
Definition options.h:528
options::server_bridge_pool_end
in_addr_t server_bridge_pool_end
Definition options.h:487
options::cf_per
int cf_per
Definition options.h:532
options::windows_driver
enum tun_driver_type windows_driver
Definition options.h:702
options::cert_file_inline
bool cert_file_inline
Definition options.h:602
options::remap_sigusr1
int remap_sigusr1
Definition options.h:392
options::renegotiate_bytes
int64_t renegotiate_bytes
Definition options.h:647
options::route_script
const char * route_script
Definition options.h:426
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition options.h:491
options::management_user_pass
const char * management_user_pass
Definition options.h:450
options::server_netbits_ipv6
unsigned int server_netbits_ipv6
Definition options.h:474
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition options.h:517
options::occ
bool occ
Definition options.h:445
options::server_bridge_ip
in_addr_t server_bridge_ip
Definition options.h:484
options::shared_secret_file
const char * shared_secret_file
Definition options.h:571
options::ifconfig_noexec
bool ifconfig_noexec
Definition options.h:331
options::dev
const char * dev
Definition options.h:321
options::management_client_group
const char * management_client_group
Definition options.h:456
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition options.h:498
options::client_config_dir
const char * client_config_dir
Definition options.h:507
options::genkey_type
enum genkey_type genkey_type
Definition options.h:287
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition options.h:494
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:329
options::persist_local_ip
bool persist_local_ip
Definition options.h:359
provider_list::names
const char * names[MAX_PARMS]
Definition options.h:217
pull_filter_list
Definition options.h:812
pull_filter_list::tail
struct pull_filter * tail
Definition options.h:814
pull_filter_list::head
struct pull_filter * head
Definition options.h:813
pull_filter
Definition options.h:800
pull_filter::type
int type
Definition options.h:805
pull_filter::size
int size
Definition options.h:806
pull_filter::next
struct pull_filter * next
Definition options.h:808
pull_filter::pattern
char * pattern
Definition options.h:807
push_entry
Definition pushlist.h:29
push_entry::next
struct push_entry * next
Definition pushlist.h:30
push_entry::enable
bool enable
Definition pushlist.h:31
push_entry::option
const char * option
Definition pushlist.h:32
push_list::head
struct push_entry * head
Definition pushlist.h:37
remote_entry
Definition options.h:183
remote_entry::proto
int proto
Definition options.h:186
remote_entry::remote
const char * remote
Definition options.h:184
remote_entry::remote_port
const char * remote_port
Definition options.h:185
remote_entry::af
sa_family_t af
Definition options.h:187
remote_list
Definition options.h:208
remote_list::len
int len
Definition options.h:210
remote_list::array
struct remote_entry ** array
Definition options.h:211
remote_list::capacity
int capacity
Definition options.h:209
route_gateway_info
Definition route.h:158
route_ipv6_gateway_info
Definition route.h:195
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:113
route_option_list::flags
unsigned int flags
Definition route.h:97
static_challenge_info::flags
unsigned int flags
Definition misc.h:93
static_challenge_info::challenge_text
const char * challenge_text
Definition misc.h:95
tuntap_options
Definition tun.h:75
tuntap_options::wins_len
int wins_len
Definition tun.h:118
tuntap_options::dns6
struct in6_addr dns6[N_DHCP_ADDR]
Definition tun.h:142
tuntap_options::nbdd
in_addr_t nbdd[N_DHCP_ADDR]
Definition tun.h:125
tuntap_options::dns_len
int dns_len
Definition tun.h:114
tuntap_options::dns6_len
int dns6_len
Definition tun.h:143
tuntap_options::ntp
in_addr_t ntp[N_DHCP_ADDR]
Definition tun.h:121
tuntap_options::ntp_len
int ntp_len
Definition tun.h:122
tuntap_options::wins
in_addr_t wins[N_DHCP_ADDR]
Definition tun.h:117
tuntap_options::tap_sleep
int tap_sleep
Definition tun.h:97
tuntap_options::netbios_node_type
uint8_t netbios_node_type
Definition tun.h:107
tuntap_options::dhcp_lease_time
int dhcp_lease_time
Definition tun.h:94
tuntap_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition tun.h:113
tuntap_options::netbios_scope
const char * netbios_scope
Definition tun.h:105
tuntap_options::nbdd_len
int nbdd_len
Definition tun.h:126
tuntap_options::ip_win32_defined
bool ip_win32_defined
Definition tun.h:77
tuntap_options::dhcp_masq_custom_offset
bool dhcp_masq_custom_offset
Definition tun.h:92
tuntap_options::domain
const char * domain
Definition tun.h:103
tuntap_options::domain_search_list_len
int domain_search_list_len
Definition tun.h:132
tuntap_options::dhcp_renew
bool dhcp_renew
Definition tun.h:137
tuntap_options::domain_search_list
const char * domain_search_list[N_SEARCH_LIST_LEN]
Definition tun.h:131
tuntap_options::dhcp_masq_offset
int dhcp_masq_offset
Definition tun.h:93
tuntap_options::ip_win32_type
int ip_win32_type
Definition tun.h:85
tuntap_options::dhcp_pre_release
bool dhcp_pre_release
Definition tun.h:138
tuntap_options::register_dns
bool register_dns
Definition tun.h:140
tuntap_options::disable_nbt
bool disable_nbt
Definition tun.h:135
tuntap_options::dhcp_options
int dhcp_options
Definition tun.h:101
tuntap
Definition tun.h:183
verify_hash_list
Definition options.h:246
verify_hash_list::next
struct verify_hash_list * next
Definition options.h:250
verify_hash_list::hash
uint8_t hash[SHA256_DIGEST_LENGTH]
Definition options.h:249
SIGHUP
#define SIGHUP
Definition syshead.h:55
sa_family_t
unsigned short sa_family_t
Definition syshead.h:409
SIGTERM
#define SIGTERM
Definition syshead.h:59
sleep
#define sleep(x)
Definition syshead.h:42
in_addr_t
uint32_t in_addr_t
Definition syshead.h:52
es
struct env_set * es
Definition test_pkcs11.c:138
pkcs11_id_management
static bool pkcs11_id_management
Definition test_pkcs11.c:133
gc
struct gc_arena gc
Definition test_ssl.c:131
ipconfig_register_dns
void ipconfig_register_dns(const struct env_set *es)
Definition tun.c:5107
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:521
show_tap_win_adapters
void show_tap_win_adapters(msglvl_t msglevel, msglvl_t warnlevel)
Definition tun.c:4033
dhcp_renew_by_adapter_index
bool dhcp_renew_by_adapter_index(const DWORD adapter_index)
Definition tun.c:5040
ascii2ipset
int ascii2ipset(const char *name)
Definition tun.c:6468
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:830
dhcp_release_by_adapter_index
bool dhcp_release_by_adapter_index(const DWORD adapter_index)
Definition tun.c:4999
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:540
tap_allow_nonadmin_access
void tap_allow_nonadmin_access(const char *dev_node)
Definition tun.c:4919
show_adapters
void show_adapters(msglvl_t msglevel)
Definition tun.c:4870
dhcp_renew
static bool dhcp_renew(const struct tuntap *tt)
Definition tun.c:5066
ifconfig_options_string
const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc)
Definition tun.c:694
ipset2ascii_all
const char * ipset2ascii_all(struct gc_arena *gc)
Definition tun.c:6497
show_valid_win32_tun_subnets
void show_valid_win32_tun_subnets(void)
Definition tun.c:4000
print_tun_backend_driver
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:59
IPW32_SET_NETSH
#define IPW32_SET_NETSH
Definition tun.h:80
IPW32_SET_ADAPTIVE
#define IPW32_SET_ADAPTIVE
Definition tun.h:83
DHCP_OPTIONS_DHCP_REQUIRED
#define DHCP_OPTIONS_DHCP_REQUIRED
Definition tun.h:72
N_SEARCH_LIST_LEN
#define N_SEARCH_LIST_LEN
Definition tun.h:128
IPW32_SET_DHCP_MASQ
#define IPW32_SET_DHCP_MASQ
Definition tun.h:82
IPW32_SET_MANUAL
#define IPW32_SET_MANUAL
Definition tun.h:79
WINDOWS_DRIVER_UNSPECIFIED
@ WINDOWS_DRIVER_UNSPECIFIED
Definition tun.h:45
WINDOWS_DRIVER_TAP_WINDOWS6
@ WINDOWS_DRIVER_TAP_WINDOWS6
Definition tun.h:46
DRIVER_DCO
@ DRIVER_DCO
Definition tun.h:53
IPW32_SET_ADAPTIVE_DELAY_WINDOW
#define IPW32_SET_ADAPTIVE_DELAY_WINDOW
Definition tun.h:67
N_DHCP_ADDR
#define N_DHCP_ADDR
Definition tun.h:110
DHCP_OPTIONS_DHCP_OPTIONAL
#define DHCP_OPTIONS_DHCP_OPTIONAL
Definition tun.h:71
tun_afunix.h
is_tun_afunix
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:61
win_get_tempdir
const char * win_get_tempdir(void)
Definition win32-util.c:150
set_win_sys_path
void set_win_sys_path(const char *newpath, struct env_set *es)
Definition win32.c:1116
win32_version_string
const char * win32_version_string(struct gc_arena *gc)
Get Windows version string with architecture info.
Definition win32.c:1381
set_pause_exit_win32
void set_pause_exit_win32(void)
Definition win32.c:144
xkey_common.h
Generated by doxygen 1.9.8