OpenVPN
options.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2026 David Sommerseth <dazo@eurephia.org>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <https://www.gnu.org/licenses/>.
22 */
23
24/*
25 * 2004-01-28: Added Socks5 proxy support
26 * (Christof Meerwald, https://cmeerw.org)
27 */
28
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32#ifdef HAVE_CONFIG_VERSION_H
33#include "config-version.h"
34#endif
35
36#include "syshead.h"
37
38#include "buffer.h"
39#include "error.h"
40#include "common.h"
41#include "run_command.h"
42#include "shaper.h"
43#include "crypto.h"
44#include "ssl.h"
45#include "ssl_ncp.h"
46#include "options.h"
47#include "misc.h"
48#include "socket_util.h"
49#include "packet_id.h"
50#include "pkcs11.h"
51#include "win32.h"
52#include "push.h"
53#include "pool.h"
54#include "proto.h"
55#include "helper.h"
56#include "manage.h"
57#include "forward.h"
58#include "ssl_verify.h"
59#include "platform.h"
60#include "xkey_common.h"
61#include "dco.h"
62#include "options_util.h"
63#include "tun_afunix.h"
64#include "domain_helper.h"
65#include "mbuf.h"
66
67#include <ctype.h>
68
69#include "memdbg.h"
70#include "options_util.h"
71
72const char title_string[] = PACKAGE_STRING
73#ifdef CONFIGURE_GIT_REVISION
74 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
75#endif
76 " " TARGET_ALIAS
77#if defined(ENABLE_CRYPTO_MBEDTLS)
78 " [SSL (mbed TLS)]"
79#elif defined(ENABLE_CRYPTO_OPENSSL)
80 " [SSL (OpenSSL)]"
81#else
82 " [SSL]"
83#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
84#ifdef USE_COMP
85#ifdef ENABLE_LZO
86 " [LZO]"
87#endif
88#ifdef ENABLE_LZ4
89 " [LZ4]"
90#endif
91#ifdef ENABLE_COMP_STUB
92 " [COMP_STUB]"
93#endif
94#endif /* USE_COMP */
95#if EPOLL
96 " [EPOLL]"
97#endif
98#ifdef PRODUCT_TAP_DEBUG
99 " [TAPDBG]"
100#endif
101#ifdef ENABLE_PKCS11
102 " [PKCS11]"
103#endif
104#if ENABLE_IP_PKTINFO
105#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
106 " [MH/PKTINFO]"
107#elif defined(IP_RECVDSTADDR)
108 " [MH/RECVDA]"
109#endif
110#endif
111 " [AEAD]"
112#ifdef ENABLE_DCO
113 " [DCO]"
114#endif
115#ifdef CONFIGURE_GIT_REVISION
116 " built on " __DATE__
117#endif
118 ;
119
120#ifndef ENABLE_SMALL
121
122static const char usage_message[] =
123 "%s\n"
124 "\n"
125 "General Options:\n"
126 "--config file : Read configuration options from file.\n"
127 "--help : Show options.\n"
128 "--version : Show copyright and version information.\n"
129 "\n"
130 "Tunnel Options:\n"
131 "--local host|* [port]: Local host name or IP address and port for bind.\n"
132 " If specified, OpenVPN will bindto this address. If unspecified,\n"
133 " OpenVPN will bind to all interfaces. '*' can be used as hostname\n"
134 " and means 'any host' (OpenVPN will listen on what is returned by the OS).\n"
135 " On a client, or in point-to-point mode, this can only be specified once (1 socket).\n"
136 " On an OpenVPN setup running as ``--server``, this can be specified multiple times\n"
137 " to open multiple listening sockets on different addresses and/or different ports.\n"
138 " In order to specify multiple listen ports without specifying an address, use '*'\n"
139 " to signal 'use what the operating system gives you as default', for\n"
140 " 'all IPv4 addresses' use '0.0.0.0', for 'all IPv6 addresses' use '::'.\n"
141 " ``--local`` implies ``--bind``.\n"
142 "--remote host [port] : Remote host name or ip address.\n"
143 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
144 "--remote-random-hostname : Add a random string to remote DNS name.\n"
145 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
146 "--proto p : Use protocol p for communicating with peer.\n"
147 " p = udp (default), tcp-server, tcp-client\n"
148 " udp4, tcp4-server, tcp4-client\n"
149 " udp6, tcp6-server, tcp6-client\n"
150 "--proto-force p : only consider protocol p in list of connection profiles.\n"
151 " p = udp or tcp\n"
152 "--connect-retry n [m] : For client, number of seconds to wait between\n"
153 " connection retries (default=%d). On repeated retries\n"
154 " the wait time is exponentially increased to a maximum of m\n"
155 " (default=%d).\n"
156 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
157 "--http-proxy s p [up] [auth] : Connect to remote host\n"
158 " through an HTTP proxy at address s and port p.\n"
159 " If proxy authentication is required,\n"
160 " up is a file containing username/password on 2 lines, or\n"
161 " 'stdin' to prompt from console.\n"
162 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
163 " determine auth method and query for username/password\n"
164 " if needed. auto-nct disables weak proxy auth methods.\n"
165 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
166 " Repeat to set multiple options.\n"
167 " VERSION version (default=1.0)\n"
168 " AGENT user-agent\n"
169 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
170 " address s and port p (default port = 1080).\n"
171 " If proxy authentication is required,\n"
172 " up is a file containing username/password on 2 lines, or\n"
173 " 'stdin' to prompt for console.\n"
174 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
175 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
176 " resolve for n seconds before failing (disabled by default).\n"
177 " Set n=\"infinite\" to retry indefinitely.\n"
178 "--float : Allow remote to change its IP address/port, such as through\n"
179 " DHCP (this is the default if --remote is not used).\n"
180 "--ipchange cmd : Run command cmd on remote ip address initial\n"
181 " setting or change -- execute as: cmd ip-address port#\n"
182 "--port port : TCP/UDP port # for both local and remote.\n"
183 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
184 "--rport port : TCP/UDP port # for remote (default=%s).\n"
185 "--bind : Bind to local address and port. (This is the default unless\n"
186 " --proto tcp-client"
187 " or --http-proxy"
188 " or --socks-proxy"
189 " is used).\n"
190 "--nobind : Do not bind to local address and port.\n"
191 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
192 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
193 " this option only if the tun/tap device used with --dev\n"
194 " does not begin with \"tun\" or \"tap\".\n"
195 "--dev-node node : Explicitly set the device node rather than using\n"
196 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
197#if defined(ENABLE_DCO)
198 "--disable-dco : Do not attempt using Data Channel Offload.\n"
199#endif
200 "--lladdr hw : Set the link layer address of the tap device.\n"
201 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
202#ifdef ENABLE_IPROUTE
203 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
204#endif
205 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
206 " endpoint and rn as a remote endpoint. l & rn should be\n"
207 " swapped on the other peer. l & rn must be private\n"
208 " addresses outside of the subnets used by either peer.\n"
209 " TAP: configure device to use IP address l as a local\n"
210 " endpoint and rn as a subnet mask.\n"
211 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
212 " endpoint (as a /64) and r as remote endpoint\n"
213 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
214 " pass --ifconfig parms by environment to scripts.\n"
215 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
216 " connection doesn't match the remote side.\n"
217#ifdef TARGET_LINUX
218 "--route-table table_id : Specify a custom routing table for use with --route(-ipv6).\n"
219 " If not specified, the id of the default routing table will be used.\n"
220#endif
221 "--route network [netmask] [gateway] [metric] :\n"
222 " Add route to routing table after connection\n"
223 " is established. Multiple routes can be specified.\n"
224 " netmask default: 255.255.255.255\n"
225 " gateway default: taken from --route-gateway or --ifconfig\n"
226 " Specify default by leaving blank or setting to \"default\".\n"
227 "--route-ipv6 network/bits [gateway] [metric] :\n"
228 " Add IPv6 route to routing table after connection\n"
229 " is established. Multiple routes can be specified.\n"
230 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
231 " in --ifconfig-ipv6\n"
232 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
233 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
234 "--route-metric m : Specify a default metric for use with --route.\n"
235 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
236 " adding routes (may be 0). If not specified, routes will\n"
237 " be added immediately after tun/tap open. On Windows, wait\n"
238 " up to w seconds for TUN/TAP adapter to come up.\n"
239 "--route-up cmd : Run command cmd after routes are added.\n"
240 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
241 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
242 " --route-up script using environmental variables.\n"
243 "--route-nopull : When used with --client or --pull, accept options pushed\n"
244 " by server EXCEPT for routes, dns, and dhcp options.\n"
245 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
246 " --ifconfig, --route, and --route-gateway.\n"
247 "--redirect-gateway [flags]: Automatically execute routing\n"
248 " commands to redirect all outgoing IP traffic through the\n"
249 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
250 " connected via a common subnet, such as with WiFi.\n"
251 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
252 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
253 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
254 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
255 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
256 " the default gateway. Useful when pushing private subnets.\n"
257 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
258 " ICMPv6 host unreachable messages on the client.\n"
259 " (Server) Instead of forwarding IPv6 packets send\n"
260 " ICMPv6 host unreachable packets to the client.\n"
261 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
262 "--push-peer-info : (client only) push client info to server.\n"
263 "--setenv name value : Set a custom environmental variable to pass to script.\n"
264 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
265 " directives for future OpenVPN versions to be ignored.\n"
266 "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
267 " these options to be ignored when unknown\n"
268 "--script-security level: Where level can be:\n"
269 " 0 -- strictly no calling of external programs\n"
270 " 1 -- (default) only call built-ins such as ifconfig\n"
271 " 2 -- allow calling of built-ins and scripts\n"
272 " 3 -- allow password to be passed to scripts via env\n"
273 "--shaper n : Restrict output to peer to n bytes per second.\n"
274 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
275 " ping once every n seconds, restart if ping not received\n"
276 " for m seconds.\n"
277 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
278 " produces a combined in/out byte count < bytes.\n"
279 "--session-timeout n: Limit connection time to n seconds.\n"
280 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
281 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
282 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
283 " remote address.\n"
284 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
285#if ENABLE_IP_PKTINFO
286 "--multihome : Configure a multi-homed UDP server.\n"
287#endif
288 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
289 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
290 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
291 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
292#if PASSTOS_CAPABILITY
293 "--passtos : TOS passthrough (applies to IPv4 only).\n"
294#endif
295 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
296 " TCP/UDP MTU from it (default=%d).\n"
297 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
298 " as n bytes more than the tun-mtu size on read\n"
299 " (default TUN=0 TAP=%d).\n"
300 "--tun-mtu-max n : Maximum pushable MTU (default and minimum=%d).\n"
301 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
302 " from it.\n"
303 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
304 " 'no' -- Never send DF (Don't Fragment) frames\n"
305 " 'maybe' -- Use per-route hints\n"
306 " 'yes' -- Always DF (Don't Fragment)\n"
307 "--mtu-test : Empirically measure and report MTU.\n"
308#ifdef ENABLE_FRAGMENT
309 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
310 " datagrams are sent which are larger than max bytes.\n"
311 " Adds 4 bytes of overhead per datagram.\n"
312#endif
313 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
314 " or --fragment max value, whichever is lower.\n"
315 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
316 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
317#if defined(TARGET_LINUX)
318 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
319 " can be matched in policy routing and packetfilter rules.\n"
320 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
321 " listening for connections. This allows sending encrypted packets\n"
322 " via a VRF present on the system.\n"
323#endif
324 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
325 "--mlock : Disable Paging -- ensures key material and tunnel\n"
326 " data will never be written to disk.\n"
327 "--up cmd : Run command cmd after successful tun device open.\n"
328 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
329 " ifconfig-local-ip ifconfig-remote-ip\n"
330 " (pre --user or --group UID/GID change)\n"
331 "--up-delay : Delay tun/tap open and possible --up script execution\n"
332 " until after TCP/UDP connection establishment with peer.\n"
333 "--down cmd : Run command cmd after tun device close.\n"
334 " (post --user/--group UID/GID change and/or --chroot)\n"
335 " (command parameters are same as --up option)\n"
336 "--down-pre : Run --down command before TUN/TAP close.\n"
337 "--up-restart : Run up/down commands for all restarts including those\n"
338 " caused by --ping-restart or SIGUSR1\n"
339 "--user user : Set UID to user after initialization.\n"
340 "--group group : Set GID to group after initialization.\n"
341 "--chroot dir : Chroot to this directory after initialization.\n"
342#ifdef ENABLE_SELINUX
343 "--setcon context: Apply this SELinux context after initialization.\n"
344#endif
345 "--cd dir : Change to this directory before initialization.\n"
346 "--daemon [name] : Become a daemon after initialization.\n"
347 " The optional 'name' parameter will be passed\n"
348 " as the program name to the system logger.\n"
349 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
350 " See --daemon above for a description of the 'name' parm.\n"
351 "--log file : Output log to file which is created/truncated on open.\n"
352 "--log-append file : Append log to file, or create file if nonexistent.\n"
353 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
354 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
355 "--writepid file : Write main process ID to file.\n"
356 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
357 "--echo [parms ...] : Echo parameters to log output.\n"
358 "--verb n : Set output verbosity to n (default=%d):\n"
359 " (Level 3 is recommended if you want a good summary\n"
360 " of what's happening without being swamped by output).\n"
361 " : 0 -- no output except fatal errors\n"
362 " : 1 -- startup info + connection initiated messages +\n"
363 " non-fatal encryption & net errors\n"
364 " : 2,3 -- show TLS negotiations & route info\n"
365 " : 4 -- show parameters\n"
366 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
367 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
368 " : 6 to 11 -- debug messages of increasing verbosity\n"
369 "--mute n : Log at most n consecutive messages in the same category.\n"
370 "--status file [n] : Write operational status to file every n seconds.\n"
371 "--status-version [n] : Choose the status file format version number.\n"
372 " Currently, n can be 1, 2, or 3 (default=1).\n"
373 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
374#ifdef ENABLE_DEBUG
375 "--gremlin mask : Special stress testing mode (for debugging only).\n"
376#endif
377#if defined(USE_COMP)
378 "--compress alg : Use compression algorithm alg\n"
379 "--allow-compression: Specify whether compression should be allowed\n"
380#if defined(ENABLE_LZO)
381 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
382 " packet for incompressible data.\n"
383 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
384 " is specified.\n"
385#endif
386#endif
387#ifdef ENABLE_MANAGEMENT
388 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
389 " management functions. pass is a password file\n"
390 " or 'stdin' to prompt from console.\n"
391#if UNIX_SOCK_SUPPORT
392 " To listen on a unix domain socket, specific the pathname\n"
393 " in place of ip and use 'unix' as the port number.\n"
394#endif
395 "--management-client : Management interface will connect as a TCP client to\n"
396 " ip/port rather than listen as a TCP server.\n"
397 "--management-query-passwords : Query management channel for private key\n"
398 " and auth-user-pass passwords.\n"
399 "--management-query-proxy : Query management channel for proxy information.\n"
400 "--management-query-remote : Query management channel for --remote directive.\n"
401 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
402 " of the management interface explicitly starts it.\n"
403 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
404 "--management-forget-disconnect : Forget passwords when management disconnect\n"
405 " event occurs.\n"
406 "--management-up-down : Report tunnel up/down events to management interface.\n"
407 "--management-log-cache n : Cache n lines of log file history for usage\n"
408 " by the management channel.\n"
409#if UNIX_SOCK_SUPPORT
410 "--management-client-user u : When management interface is a unix socket, only\n"
411 " allow connections from user u.\n"
412 "--management-client-group g : When management interface is a unix socket, only\n"
413 " allow connections from group g.\n"
414#endif
415 "--management-client-auth : gives management interface client the responsibility\n"
416 " to authenticate clients after their client certificate\n"
417 " has been verified.\n"
418#endif /* ifdef ENABLE_MANAGEMENT */
419#ifdef ENABLE_PLUGIN
420 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
421 " to its initialization function.\n"
422#endif
423 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
424 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
425 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
426 "\n"
427 "Multi-Client Server options (when --mode server is used):\n"
428 "--server network netmask : Helper option to easily configure server mode.\n"
429 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
430 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
431 " easily configure ethernet bridging server mode.\n"
432 "--push \"option\" : Push a config file option back to the peer for remote\n"
433 " execution. Peer must specify --pull in its config file.\n"
434 "--push-reset : Don't inherit global push list for specific\n"
435 " client instance.\n"
436 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
437 " a specific client instance.\n"
438 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
439 " to be dynamically allocated to connecting clients.\n"
440 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
441 " data to file, at seconds intervals (default=600).\n"
442 " If seconds=0, file will be treated as read-only.\n"
443 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
444 " to be dynamically allocated to connecting clients.\n"
445 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
446 " overrides --ifconfig-pool dynamic allocation.\n"
447 " Only valid in a client-specific config file.\n"
448 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
449 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
450 " Only valid in a client-specific config file.\n"
451 "--iroute network [netmask] : Route subnet to client.\n"
452 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
453 " Sets up internal routes only.\n"
454 " Only valid in a client-specific config file.\n"
455 "--disable : Client is disabled.\n"
456 " Only valid in a client-specific config file.\n"
457 "--override-username: Overrides the client-specific username to be used.\n"
458 " Only valid in a client-specific config file.\n"
459 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
460 " mandatory client certificate verification.\n"
461 " Default is to require the client to supply a certificate.\n"
462 "--username-as-common-name : For auth-user-pass authentication, use\n"
463 " the authenticated username as the common name,\n"
464 " rather than the common name from the client cert.\n"
465 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
466 " run command cmd to verify. If method='via-env', pass\n"
467 " user/pass via environment, if method='via-file', pass\n"
468 " user/pass via temporary file.\n"
469 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
470 " to each client, replacing the password. Useful when\n"
471 " OTP based two-factor auth mechanisms are in use and\n"
472 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
473 " for generated tokens can be set.\n"
474 "--auth-user-pass-optional : Allow connections by clients that don't\n"
475 " specify a username/password.\n"
476 "--client-to-client : Internally route client-to-client traffic.\n"
477 "--duplicate-cn : Allow multiple clients with the same common name to\n"
478 " concurrently connect.\n"
479 "--client-connect cmd : Run command cmd on client connection.\n"
480 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
481 "--client-config-dir dir : Directory for custom client config files.\n"
482 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
483 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
484 "--hash-size r v : Set the size of the real address hash table to r and the\n"
485 " virtual address table to v.\n"
486 "--bcast-buffers n : Allocate n broadcast buffers.\n"
487 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
488 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
489 " as well as pushes it to connecting clients.\n"
490 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
491 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
492 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
493 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
494 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
495 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
496 " older than n seconds. Run this check every t\n"
497 " seconds (defaults to n).\n"
498 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
499 " clients. n = 1 - reconnect to same server,\n"
500 " 2 - advance to next server, default=1.\n"
501#if PORT_SHARE
502 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
503 " sessions to a web server at host:port. dir specifies an\n"
504 " optional directory to write origin IP:port data.\n"
505#endif
506 "\n"
507 "Client options (when connecting to a multi-client server):\n"
508 "--client : Helper option to easily configure client mode.\n"
509 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
510 " up is a file containing the username on the first line,\n"
511 " and a password on the second. If either the password or both\n"
512 " the username and the password are omitted OpenVPN will prompt\n"
513 " for them from console.\n"
514 "--pull : Accept certain config file options from the peer as if they\n"
515 " were part of the local config file. Must be specified\n"
516 " when connecting to a '--mode server' remote host.\n"
517 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
518 " server if it starts with the text t. The action flag accept,\n"
519 " ignore or reject causes the option to be allowed, removed or\n"
520 " rejected with error. May be specified multiple times, and\n"
521 " each filter is applied in the order of appearance.\n"
522 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
523 " Valid options are :\n"
524 " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
525 " resolve-domains <domain> [domain ...] : split domains\n"
526 " dnssec <yes|no|optional> : option to use DNSSEC\n"
527 " transport <DoH|DoT> : query server over HTTPS / TLS\n"
528 " sni <domain> : DNS server name indication\n"
529 "--dns search-domains <domain> [domain ...]:\n"
530 " Add domains to DNS domain search list\n"
531 "--dns-updown cmd|force|disable : Run cmd as user defined dns config command,\n"
532 " force running the default script or disable running it.\n"
533 "--auth-retry t : How to handle auth failures. Set t to\n"
534 " none (default), interact, or nointeract.\n"
535 "--static-challenge t e [<scrv1|concat>]: Enable static challenge/response protocol using\n"
536 " challenge text t, with e indicating echo flag (0|1)\n"
537 " and optional argument scrv1 or concat to use SCRV1 protocol or"
538 " concatenate response with password. Default is scrv1.\n"
539 "--connect-timeout n : when polling possible remote servers to connect to\n"
540 " in a round-robin fashion, spend no more than n seconds\n"
541 " waiting for a response before trying the next server.\n"
542 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
543 " incoming tun packets with same destination as host.\n"
544 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
545 " server/remote. n = # of retries, default=1.\n"
546 "\n"
547 "Data Channel Encryption Options (must be compatible between peers):\n"
548 "(These options are meaningful for both Static Key & TLS-mode)\n"
549 "--auth alg : Authenticate packets with HMAC using message\n"
550 " digest algorithm alg (default=%s).\n"
551 " (usually adds 16 or 20 bytes per packet)\n"
552 " Set alg=none to disable authentication.\n"
553 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
554 " You should usually use --data-ciphers instead.\n"
555 " Set alg=none to disable encryption.\n"
556 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
557#ifndef ENABLE_CRYPTO_MBEDTLS
558 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
559#endif
560 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
561 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
562 " and a time window of t seconds.\n"
563 " Default n=%d t=%d\n"
564 "--replay-persist file : Persist replay-protection state across sessions\n"
565 " using file.\n"
566 "--test-crypto : Run a self-test of crypto features enabled.\n"
567 " For debugging only.\n"
568 "\n"
569 "TLS Key Negotiation Options:\n"
570 "(These options are meaningful only for TLS-mode)\n"
571 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
572 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
573 "--ca file : Certificate authority file in .pem format containing\n"
574 " root certificate.\n"
575#ifndef ENABLE_CRYPTO_MBEDTLS
576 "--capath dir : A directory of trusted certificates (CAs"
577 " and CRLs).\n"
578#endif /* ENABLE_CRYPTO_MBEDTLS */
579 "--dh file : File containing Diffie Hellman parameters\n"
580 " in .pem format (for --tls-server only).\n"
581 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
582 "--cert file : Local certificate in .pem format or a URI -- must be signed\n"
583 " by a Certificate Authority in --ca file used by the peer.\n"
584 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
585 "--key file : Local private key in .pem format or a URI.\n"
586 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
587 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
588 " is specified, require max TLS version supported by SSL implementation.\n"
589 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
590#ifndef ENABLE_CRYPTO_MBEDTLS
591 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
592 " and optionally the root CA certificate.\n"
593 "--x509-username-field : Field in x509 certificate containing the username.\n"
594 " Default is CN in the Subject field.\n"
595#endif
596 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
597 " Valid algo flags are SHA1 and SHA256. \n"
598#ifdef _WIN32
599 "--cryptoapicert select-string : Load the certificate and private key from the\n"
600 " Windows Certificate System Store.\n"
601#endif
602 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
603 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
604 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
605 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
606 " (default=legacy).\n"
607 "--providers l : A list l of OpenSSL providers to load.\n"
608 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
609 " if no ACK from remote within n seconds (default=%d).\n"
610 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
611 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
612 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
613 " and at least min (defaults to 90%% of max on servers and equal\n"
614 " to max on clients).\n"
615 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
616 " of handshake initiation by any peer (default=%d).\n"
617 "--tran-window n : Transition window -- old key can live this many seconds\n"
618 " after new key renegotiation begins (default=%d).\n"
619 "--single-session: Allow only one session (reset state on restart).\n"
620 "--tls-exit : Exit on TLS negotiation failure.\n"
621 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
622 " control channel to protect against attacks on the TLS stack\n"
623 " and DoS attacks.\n"
624 " f (required) is a shared-secret key file.\n"
625 " The optional d parameter controls key directionality.\n"
626 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
627 " of the TLS control channel to hide the TLS certificate,\n"
628 " provide basic post-quantum security and protect against\n"
629 " attacks on the TLS stack and DoS attacks.\n"
630 " key (required) provides the pre-shared key file.\n"
631 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
632 " For servers: use key to decrypt client-specific keys. For\n"
633 " key generation (--genkey tls-crypt-v2-client): use key to\n"
634 " encrypt generated client-specific key. (See --tls-crypt.)\n"
635 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
636 " fresh tls-crypt-v2 client key, and store to\n"
637 " keyfile. If supplied, include metadata in wrapped key.\n"
638 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
639 " fresh tls-crypt-v2 server key, and store to keyfile\n"
640 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
641 " client-supplied tls-crypt-v2 client key\n"
642 "--tls-crypt-v2-max-age n : Only accept tls-crypt-v2 client keys that have a\n"
643 " timestamp which is at most n days old.\n"
644 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
645 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
646 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
647 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
648 " pending TLS connection that has otherwise passed all other\n"
649 " tests of certification. cmd should return 0 to allow\n"
650 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
651 " executed as 'cmd certificate_depth subject')\n"
652 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
653 " DN name. The remote host must also pass all other tests\n"
654 " of verification.\n"
655#ifndef ENABLE_CRYPTO_MBEDTLS
656 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
657 " an explicit nsCertType designation t = 'client' | 'server'.\n"
658#endif
659 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
660 " plugins and management interface.\n"
661 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
662 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
663 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
664 " explicit key usage, you can specify more than one value.\n"
665 " value should be given in hex format.\n"
666 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
667 " explicit extended key usage. Extended key usage can be encoded\n"
668 " as an object identifier or OpenSSL string representation.\n"
669 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
670 " key usage and extended key usage based on RFC3280 TLS rules.\n"
671 " t = 'client' | 'server'.\n"
672#ifdef ENABLE_PKCS11
673 "\n"
674 "PKCS#11 Options:\n"
675 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
676 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
677 " path. Set for each provider.\n"
678 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
679 " 0 : Try to determine automatically (default).\n"
680 " 1 : Use Sign.\n"
681 " 2 : Use SignRecover.\n"
682 " 4 : Use Decrypt.\n"
683 " 8 : Use Unwrap.\n"
684 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
685 " certificate can be accessed. Set for each provider.\n"
686 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
687 " cache until token is removed.\n"
688 "--pkcs11-id-management : Acquire identity from management interface.\n"
689 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
690#endif /* ENABLE_PKCS11 */
691 "\n"
692 "SSL Library information:\n"
693 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
694 "--show-digests : Show message digest algorithms to use with --auth option.\n"
695 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
696 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
697#ifdef _WIN32
698 "\n"
699 "Windows Specific:\n"
700 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
701 " from SystemRoot environment variable.\n"
702 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
703 " IP address using method = manual, netsh, ipapi,\n"
704 " dynamic, or adaptive (default = adaptive).\n"
705 " Dynamic method allows two optional parameters:\n"
706 " offset: DHCP server address offset (> -256 and < 256).\n"
707 " If 0, use network address, if >0, take nth\n"
708 " address forward from network address, if <0,\n"
709 " take nth address backward from broadcast\n"
710 " address.\n"
711 " Default is 0.\n"
712 " lease-time: Lease time in seconds.\n"
713 " Default is one year.\n"
714 "--route-method : Which method to use for adding routes on Windows?\n"
715 " adaptive (default) -- Try ipapi then fall back to exe.\n"
716 " ipapi -- Use IP helper API.\n"
717 " exe -- Call the route.exe shell command.\n"
718 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
719 " be used with --ip-win32 dynamic. For options\n"
720 " which allow multiple addresses,\n"
721 " --dhcp-option must be repeated.\n"
722 " DOMAIN name : Set DNS suffix\n"
723 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
724 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
725 " NTP : Set NTP server address(es)\n"
726 " NBDD : Set NBDD server address(es)\n"
727 " WINS addr : Set WINS server address(es)\n"
728 " NBT type : Set NetBIOS over TCP/IP Node type\n"
729 " 1: B, 2: P, 4: M, 8: H\n"
730 " NBS id : Set NetBIOS scope ID\n"
731 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
732 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
733 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
734 " startup.\n"
735 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
736 " on connection initiation.\n"
737 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
738 " attempting to set adapter properties.\n"
739 "--pause-exit : When run from a console window, pause before exiting.\n"
740 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
741 " service, and should not be used directly by end-users.\n"
742 " ex is the name of an event object which, when\n"
743 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
744 " optional parameter controls the initial state of ex.\n"
745 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
746 " after TAP adapter is up and routes have been added.\n"
747 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
748 "Windows Standalone Options:\n"
749 "\n"
750 "--show-adapters : Show all TAP-Windows adapters.\n"
751 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
752 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
753 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
754 " to access TAP adapter.\n"
755#endif /* ifdef _WIN32 */
756 "\n"
757 "Generate a new key :\n"
758 "--genkey tls-auth file : Generate a new random key of type and write to file\n"
759 " (for use with --tls-auth or --tls-crypt)."
760#ifdef ENABLE_FEATURE_TUN_PERSIST
761 "\n"
762 "Tun/tap config mode:\n"
763 "--mktun : Create a persistent tunnel.\n"
764 "--rmtun : Remove a persistent tunnel.\n"
765 "--dev tunX|tapX : tun/tap device\n"
766 "--dev-type dt : Device type. See tunnel options above for details.\n"
767 "--user user : User to set privilege to.\n"
768 "--group group : Group to set privilege to.\n"
769#endif
770#ifdef ENABLE_PKCS11
771 "\n"
772 "PKCS#11 standalone options:\n"
773#ifdef DEFAULT_PKCS11_MODULE
774 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
775#else
776 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
777#endif
778 " --verb option can be added *BEFORE* this.\n"
779#endif /* ENABLE_PKCS11 */
780 "\n"
781 "General Standalone Options:\n"
782#ifdef ENABLE_DEBUG
783 "--show-gateway [address]: Show info about gateway [to v4/v6 address].\n"
784#endif
785 ;
786
787#endif /* !ENABLE_SMALL */
788
789/*
790 * This is where the options defaults go.
791 * Any option not explicitly set here
792 * will be set to 0.
793 */
794void
795init_options(struct options *o)
796{
797 CLEAR(*o);
798 gc_init(&o->gc);
799 gc_init(&o->dns_options.gc);
800
801 o->mode = MODE_POINT_TO_POINT;
802 o->topology = TOP_UNDEF;
803 o->ce.proto = PROTO_UDP;
804 o->ce.af = AF_UNSPEC;
805 o->ce.bind_ipv6_only = false;
806 o->ce.connect_retry_seconds = 1;
807 o->ce.connect_retry_seconds_max = 300;
808 o->ce.connect_timeout = 120;
809 o->connect_retry_max = 0;
810 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
811 o->verbosity = 1;
812 o->status_file_update_freq = 60;
813 o->status_file_version = 1;
814 o->ce.bind_local = true;
815 o->ce.tun_mtu = TUN_MTU_DEFAULT;
816 o->ce.occ_mtu = 0;
817 o->ce.link_mtu = LINK_MTU_DEFAULT;
818 o->ce.tls_mtu = TLS_MTU_DEFAULT;
819 o->ce.mtu_discover_type = -1;
820 o->ce.mssfix = 0;
821 o->ce.mssfix_default = true;
822 o->ce.mssfix_encap = true;
823 o->route_default_table_id = 0;
824 o->route_delay_window = 30;
825 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
826 o->resolve_in_advance = false;
827 o->proto_force = -1;
828 o->occ = true;
829#ifdef ENABLE_MANAGEMENT
830 o->management_log_history_cache = 250;
831 o->management_echo_buffer_size = 100;
832 o->management_state_buffer_size = 100;
833#endif
834#ifdef ENABLE_FEATURE_TUN_PERSIST
835 o->persist_mode = 1;
836#endif
837#ifdef _WIN32
838#if 0
839 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
840#else
841 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
842#endif
843 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
844 /* use network address as internal DHCP server address */
845 o->tuntap_options.dhcp_masq_offset = 0;
846 o->route_method = ROUTE_METHOD_ADAPTIVE;
847 o->block_outside_dns = false;
848 o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
849#endif
850 o->vlan_accept = VLAN_ALL;
851 o->vlan_pvid = 1;
852 o->real_hash_size = 256;
853 o->virtual_hash_size = 256;
854 o->n_bcast_buf = 256;
855 o->tcp_queue_limit = 64;
856 o->max_clients = 1024;
857 o->cf_initial_per = 10;
858 o->cf_initial_max = 100;
859 o->max_routes_per_client = 256;
860 o->stale_routes_check_interval = 0;
861 o->ifconfig_pool_persist_refresh_freq = 600;
862 o->scheduled_exit_interval = 5;
863 o->authname = "SHA1";
864 o->replay_window = DEFAULT_SEQ_BACKTRACK;
865 o->replay_time = DEFAULT_TIME_BACKTRACK;
866 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
867 o->tls_timeout = 2;
868 o->renegotiate_bytes = -1;
869 o->renegotiate_seconds = 3600;
870 o->renegotiate_seconds_min = -1;
871 o->handshake_window = 60;
872 o->transition_window = 3600;
873 o->tls_cert_profile = NULL;
874 o->ecdh_curve = NULL;
875 o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
876#ifdef ENABLE_PKCS11
877 o->pkcs11_pin_cache_period = -1;
878#endif /* ENABLE_PKCS11 */
879
880 /* P2MP server context features */
881 o->auth_token_generate = false;
882
883 /* Set default --tmp-dir */
884#ifdef _WIN32
885 /* On Windows, find temp dir via environment variables */
886 o->tmp_dir = win_get_tempdir();
887
888 if (!o->tmp_dir)
889 {
890 /* Error out if we can't find a valid temporary directory, which should
891 * be very unlikely. */
892 msg(M_USAGE, "Could not find a suitable temporary directory."
893 " (GetTempPath() failed). Consider using --tmp-dir");
894 }
895#else /* ifdef _WIN32 */
896 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
897 o->tmp_dir = getenv("TMPDIR");
898 if (!o->tmp_dir)
899 {
900 o->tmp_dir = "/tmp";
901 }
902#endif /* _WIN32 */
903 o->allow_recursive_routing = false;
904
905#ifndef ENABLE_DCO
906 o->disable_dco = true;
907#endif /* ENABLE_DCO */
908
909#ifdef ENABLE_DNS_UPDOWN_BY_DEFAULT
910 o->dns_options.updown = DEFAULT_DNS_UPDOWN;
911#endif /* ENABLE_DNS_UPDOWN_BY_DEFAULT */
912}
913
914void
915uninit_options(struct options *o)
916{
917 if (o->connection_list)
918 {
919 CLEAR(*o->connection_list);
920 }
921 if (o->remote_list)
922 {
923 CLEAR(*o->remote_list);
924 }
925
926 gc_free(&o->gc);
927 gc_free(&o->dns_options.gc);
928}
929
930#ifndef ENABLE_SMALL
931
932static const char *
933pull_filter_type_name(int type)
934{
935 if (type == PUF_TYPE_ACCEPT)
936 {
937 return "accept";
938 }
939 if (type == PUF_TYPE_IGNORE)
940 {
941 return "ignore";
942 }
943 if (type == PUF_TYPE_REJECT)
944 {
945 return "reject";
946 }
947 else
948 {
949 return "???";
950 }
951}
952
953#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
954#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
955#define SHOW_STR_INLINE(var) \
956 SHOW_PARM(var, o->var##_inline ? "[INLINE]" : (o->var ? o->var : "[UNDEF]"), "'%s'")
957#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
958#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
959#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
960#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
961#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
962
963#endif /* ifndef ENABLE_SMALL */
964
965static void
966setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
967{
968 setenv_str_i(es, "remote", e->remote, i);
969 setenv_str_i(es, "remote_port", e->remote_port, i);
970
971 if (e->http_proxy_options)
972 {
973 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
974 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
975 }
976 if (e->socks_proxy_server)
977 {
978 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
979 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
980 }
981}
982
983static void
984setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
985{
986 setenv_str_i(es, "proto", proto2ascii(e->proto, AF_UNSPEC, false), i);
987 setenv_str_i(es, "local", e->local, i);
988 setenv_str_i(es, "local_port", e->port, i);
989}
990
991void
992setenv_settings(struct env_set *es, const struct options *o)
993{
994 setenv_str(es, "config", o->config);
995 setenv_int(es, "verb", o->verbosity);
996 setenv_int(es, "daemon", o->daemon);
997 setenv_int(es, "daemon_log_redirect", o->log);
998 setenv_long_long(es, "daemon_start_time", time(NULL));
999 setenv_int(es, "daemon_pid", platform_getpid());
1000
1001 if (o->connection_list)
1002 {
1003 int i;
1004 for (i = 0; i < o->connection_list->len; ++i)
1005 {
1006 setenv_connection_entry(es, o->connection_list->array[i], i + 1);
1007 }
1008 }
1009 else
1010 {
1011 setenv_connection_entry(es, &o->ce, 1);
1012 }
1013
1014 if (o->ce.local_list)
1015 {
1016 for (int i = 0; i < o->ce.local_list->len; i++)
1017 {
1018 setenv_local_entry(es, o->ce.local_list->array[i], i + 1);
1019 }
1020 }
1021}
1022
1023#ifndef _WIN32
1024static void
1025setenv_foreign_option(struct options *o, const char *option, const char *value, struct env_set *es)
1026{
1027 struct gc_arena gc = gc_new();
1028 struct buffer env_name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1029 struct buffer env_value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1030 bool good = true;
1031
1032 good &= buf_printf(&env_name, "foreign_option_%d", o->foreign_option_index + 1);
1033 if (value)
1034 {
1035 good &= buf_printf(&env_value, "dhcp-option %s %s", option, value);
1036 }
1037 else
1038 {
1039 good &= buf_printf(&env_value, "dhcp-option %s", option);
1040 }
1041 if (good)
1042 {
1043 setenv_str(es, BSTR(&env_name), BSTR(&env_value));
1044 ++o->foreign_option_index;
1045 }
1046 else
1047 {
1048 msg(M_WARN, "foreign_option: name/value overflow");
1049 }
1050 gc_free(&gc);
1051}
1052
1053static void
1054delete_all_dhcp_fo(struct options *o, struct env_item **list)
1055{
1056 struct env_item *current, *prev;
1057
1058 ASSERT(list);
1059
1060 for (current = *list, prev = NULL; current != NULL; current = current->next)
1061 {
1062 char *tmp_value = NULL;
1063 if (!strncmp(current->string, "foreign_option_", sizeof("foreign_option_") - 1))
1064 {
1065 tmp_value = strchr(current->string, '=');
1066 if (tmp_value && ++tmp_value)
1067 {
1068 if (!strncmp(tmp_value, "dhcp-option ", sizeof("dhcp-option ") - 1))
1069 {
1070 if (prev)
1071 {
1072 prev->next = current->next;
1073 }
1074 else
1075 {
1076 *list = current->next;
1077 }
1078 o->foreign_option_index--;
1079 }
1080 }
1081 }
1082 prev = current;
1083 }
1084}
1085
1086#endif /* ifndef _WIN32 */
1087
1088static in_addr_t
1089get_ip_addr(const char *ip_string, msglvl_t msglevel, bool *error)
1090{
1091 unsigned int flags = GETADDR_HOST_ORDER;
1092 bool succeeded = false;
1093 in_addr_t ret;
1094
1095 if (msglevel & M_FATAL)
1096 {
1097 flags |= GETADDR_FATAL;
1098 }
1099
1100 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1101 if (!succeeded && error)
1102 {
1103 *error = true;
1104 }
1105 return ret;
1106}
1107
1113static char *
1114get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1115{
1116 const char *end = strchr(addr, '/');
1117 char *ret = NULL;
1118 if (NULL == end)
1119 {
1120 ret = string_alloc(addr, gc);
1121 }
1122 else
1123 {
1124 size_t len = end - addr;
1125 ret = gc_malloc(len + 1, true, gc);
1126 memcpy(ret, addr, len);
1127 }
1128 return ret;
1129}
1130
1131static bool
1132ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
1133{
1134 return get_ipv6_addr(ipv6_prefix_spec, NULL, NULL, M_WARN);
1135}
1136
1137static char *
1138string_substitute(const char *src, char from, char to, struct gc_arena *gc)
1139{
1140 char *ret = (char *)gc_malloc(strlen(src) + 1, true, gc);
1141 char *dest = ret;
1142 char c;
1143
1144 do
1145 {
1146 c = *src++;
1147 if (c == from)
1148 {
1149 c = to;
1150 }
1151 *dest++ = c;
1152 } while (c);
1153 return ret;
1154}
1155
1165static struct verify_hash_list *
1166parse_hash_fingerprint(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
1167{
1168 int i = 0;
1169 const char *cp = str;
1170
1171 struct verify_hash_list *ret;
1172 ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1173
1174 char term = 0;
1175 unsigned int byte;
1176
1177 while (*cp && i < nbytes)
1178 {
1179 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1180 if (!isxdigit(cp[0]) || !isxdigit(cp[1]) || (cp[2] != ':' && cp[2] != '\0')
1181 || sscanf(cp, "%x", &byte) != 1)
1182 {
1183 msg(msglevel, "format error in hash fingerprint: %s", str);
1184 break;
1185 }
1186
1187 ret->hash[i++] = (uint8_t)byte;
1188
1189 term = cp[2];
1190 if (term == '\0')
1191 {
1192 break;
1193 }
1194 cp += 3;
1195 }
1196 if (i < nbytes)
1197 {
1198 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i,
1199 str);
1200 }
1201 else if (term != '\0')
1202 {
1203 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1204 }
1205 return ret;
1206}
1207
1218static struct verify_hash_list *
1219parse_hash_fingerprint_multiline(const char *str, int nbytes, msglvl_t msglevel,
1220 struct gc_arena *gc)
1221{
1222 struct gc_arena gc_temp = gc_new();
1223 char *lines = string_alloc(str, &gc_temp);
1224
1225 struct verify_hash_list *ret = NULL;
1226
1227 const char *line;
1228 while ((line = strsep(&lines, "\n")))
1229 {
1230 /* ignore leading whitespace */
1231 while (isspace(*line))
1232 {
1233 line++;
1234 }
1235 /* skip empty lines and comment lines */
1236 if (strlen(line) == 0 || *line == '#' || *line == ';')
1237 {
1238 continue;
1239 }
1240
1241 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes, msglevel, gc);
1242
1243 if (!hash)
1244 {
1245 gc_free(&gc_temp);
1246 return NULL;
1247 }
1248
1249 hash->next = ret;
1250 ret = hash;
1251 }
1252 gc_free(&gc_temp);
1253
1254 return ret;
1255}
1256#ifdef _WIN32
1257
1258#ifndef ENABLE_SMALL
1259
1260static void
1261show_dhcp_option_list(const char *name, const char *const *array, unsigned int len)
1262{
1263 for (unsigned int i = 0; i < len; ++i)
1264 {
1265 msg(D_SHOW_PARMS, " %s[%u] = %s", name, i, array[i]);
1266 }
1267}
1268
1269static void
1270show_dhcp_option_addrs(const char *name, const in_addr_t *array, unsigned int len)
1271{
1272 struct gc_arena gc = gc_new();
1273 for (unsigned int i = 0; i < len; ++i)
1274 {
1275 msg(D_SHOW_PARMS, " %s[%u] = %s", name, i, print_in_addr_t(array[i], 0, &gc));
1276 }
1277 gc_free(&gc);
1278}
1279
1280static void
1281show_tuntap_options(const struct tuntap_options *o)
1282{
1283 SHOW_BOOL(ip_win32_defined);
1284 SHOW_INT(ip_win32_type);
1285 SHOW_INT(dhcp_masq_offset);
1286 SHOW_INT(dhcp_lease_time);
1287 SHOW_INT(tap_sleep);
1288 SHOW_UNSIGNED(dhcp_options);
1289 SHOW_BOOL(dhcp_renew);
1290 SHOW_BOOL(dhcp_pre_release);
1291 SHOW_STR(domain);
1292 SHOW_STR(netbios_scope);
1293 SHOW_UNSIGNED(netbios_node_type);
1294 SHOW_BOOL(disable_nbt);
1295
1296 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1297 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1298 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1299 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1300 show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1301}
1302
1303#endif /* ifndef ENABLE_SMALL */
1304#endif /* ifdef _WIN32 */
1305
1306static void
1307dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, unsigned int *len, msglvl_t msglevel)
1308{
1309 struct in6_addr addr;
1310 if (*len >= N_DHCP_ADDR)
1311 {
1312 msg(msglevel, "--dhcp-option DNS: maximum of %u IPv6 dns servers can be specified",
1313 N_DHCP_ADDR);
1314 }
1315 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1316 {
1317 dns6_list[(*len)++] = addr;
1318 }
1319}
1320static void
1321dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, unsigned int *len,
1322 msglvl_t msglevel)
1323{
1324 if (*len >= N_DHCP_ADDR)
1325 {
1326 msg(msglevel, "--dhcp-option %s: maximum of %u %s servers can be specified", name,
1327 N_DHCP_ADDR, name);
1328 }
1329 else
1330 {
1331 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1332 {
1333 bool error = false;
1334 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1335 if (!error)
1336 {
1337 array[(*len)++] = addr;
1338 }
1339 }
1340 else
1341 {
1342 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1343 }
1344 }
1345}
1346
1347#ifndef ENABLE_SMALL
1348static const char *
1349print_vlan_accept(enum vlan_acceptable_frames mode)
1350{
1351 switch (mode)
1352 {
1353 case VLAN_ONLY_TAGGED:
1354 return "tagged";
1355
1356 case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1357 return "untagged";
1358
1359 case VLAN_ALL:
1360 return "all";
1361 }
1362 return NULL;
1363}
1364
1365static void
1366show_p2mp_parms(const struct options *o)
1367{
1368 struct gc_arena gc = gc_new();
1369
1370 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1371 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1372 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc));
1373 SHOW_INT(server_netbits_ipv6);
1374 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1375 msg(D_SHOW_PARMS, " server_bridge_netmask = %s",
1376 print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1377 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s",
1378 print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1379 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s",
1380 print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1381 if (o->push_list.head)
1382 {
1383 const struct push_entry *e = o->push_list.head;
1384 while (e)
1385 {
1386 if (e->enable)
1387 {
1388 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1389 }
1390 e = e->next;
1391 }
1392 }
1393 SHOW_BOOL(ifconfig_pool_defined);
1394 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s",
1395 print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1396 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1397 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s",
1398 print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1399 SHOW_STR(ifconfig_pool_persist_filename);
1400 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1401 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1402 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s",
1403 print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1404 SHOW_INT(ifconfig_ipv6_pool_netbits);
1405 SHOW_INT(n_bcast_buf);
1406 SHOW_INT(tcp_queue_limit);
1407 SHOW_INT(real_hash_size);
1408 SHOW_INT(virtual_hash_size);
1409 SHOW_STR(client_connect_script);
1410 SHOW_STR(learn_address_script);
1411 SHOW_STR(client_disconnect_script);
1412 SHOW_STR(client_crresponse_script);
1413 SHOW_STR(client_config_dir);
1414 SHOW_BOOL(ccd_exclusive);
1415 SHOW_STR(tmp_dir);
1416 SHOW_BOOL(push_ifconfig_defined);
1417 msg(D_SHOW_PARMS, " push_ifconfig_local = %s",
1418 print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1419 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s",
1420 print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1421 SHOW_BOOL(push_ifconfig_ipv6_defined);
1422 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d",
1423 print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits);
1424 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s",
1425 print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1426 SHOW_BOOL(enable_c2c);
1427 SHOW_BOOL(duplicate_cn);
1428 SHOW_INT(cf_max);
1429 SHOW_INT(cf_per);
1430 SHOW_INT(cf_initial_max);
1431 SHOW_INT(cf_initial_per);
1432 SHOW_INT(max_clients);
1433 SHOW_INT(max_routes_per_client);
1434 SHOW_STR(auth_user_pass_verify_script);
1435 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1436 SHOW_BOOL(auth_token_generate);
1437 SHOW_BOOL(force_key_material_export);
1438 SHOW_INT(auth_token_lifetime);
1439 SHOW_STR_INLINE(auth_token_secret_file);
1440#if PORT_SHARE
1441 SHOW_STR(port_share_host);
1442 SHOW_STR(port_share_port);
1443#endif
1444 SHOW_BOOL(vlan_tagging);
1445 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1446 SHOW_INT(vlan_pvid);
1447
1448 SHOW_BOOL(client);
1449 SHOW_BOOL(pull);
1450 SHOW_STR_INLINE(auth_user_pass_file);
1451
1452 gc_free(&gc);
1453}
1454
1455#endif /* ! ENABLE_SMALL */
1456
1457static void
1458option_iroute(struct options *o, const char *network_str, const char *netmask_str,
1459 msglvl_t msglevel)
1460{
1461 struct iroute *ir;
1462
1463 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1464 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1465 ir->netbits = 32; /* host route if no netmask given */
1466
1467 if (netmask_str)
1468 {
1469 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1470 ir->netbits = netmask_to_netbits2(netmask);
1471
1472 if (ir->netbits < 0)
1473 {
1474 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification", network_str,
1475 netmask_str);
1476 return;
1477 }
1478 }
1479
1480 ir->next = o->iroutes;
1481 o->iroutes = ir;
1482}
1483
1484static void
1485option_iroute_ipv6(struct options *o, const char *prefix_str, msglvl_t msglevel)
1486{
1487 struct iroute_ipv6 *ir;
1488
1489 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1490
1491 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel))
1492 {
1493 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str);
1494 return;
1495 }
1496
1497 ir->next = o->iroutes_ipv6;
1498 o->iroutes_ipv6 = ir;
1499}
1500
1501#ifndef ENABLE_SMALL
1502static void
1503show_http_proxy_options(const struct http_proxy_options *o)
1504{
1505 int i;
1506 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1507 SHOW_STR(server);
1508 SHOW_STR(port);
1509 SHOW_STR(auth_method_string);
1510 SHOW_STR(auth_file);
1511 SHOW_STR(auth_file_up);
1512 SHOW_BOOL(inline_creds);
1513 SHOW_BOOL(nocache);
1514 SHOW_STR(http_version);
1515 SHOW_STR(user_agent);
1516 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1517 {
1518 if (o->custom_headers[i].content)
1519 {
1520 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i, o->custom_headers[i].name,
1521 o->custom_headers[i].content);
1522 }
1523 else
1524 {
1525 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i, o->custom_headers[i].name);
1526 }
1527 }
1528 msg(D_SHOW_PARMS, "END http_proxy");
1529}
1530#endif /* ifndef ENABLE_SMALL */
1531
1532void
1533options_detach(struct options *o)
1534{
1535 gc_detach(&o->gc);
1536 o->routes = NULL;
1537 o->client_nat = NULL;
1538 clone_push_list(o);
1539}
1540
1541void
1542rol_check_alloc(struct options *options)
1543{
1544 if (!options->routes)
1545 {
1546 options->routes = new_route_option_list(&options->gc);
1547 }
1548}
1549
1550static void
1558
1559static void
1560cnol_check_alloc(struct options *options)
1561{
1562 if (!options->client_nat)
1563 {
1564 options->client_nat = new_client_nat_list(&options->gc);
1565 }
1566}
1567
1568#ifndef ENABLE_SMALL
1569static void
1570show_connection_entry(const struct connection_entry *o)
1571{
1572 /* Display the global proto only in client mode or with no '--local'*/
1573 if (o->local_list->len == 1)
1574 {
1575 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1576 }
1577
1578 msg(D_SHOW_PARMS, " Local Sockets:");
1579 for (int i = 0; i < o->local_list->len; i++)
1580 {
1581 msg(D_SHOW_PARMS, " [%s]:%s-%s", o->local_list->array[i]->local,
1582 o->local_list->array[i]->port,
1583 proto2ascii(o->local_list->array[i]->proto, o->af, false));
1584 }
1585 SHOW_STR(remote);
1586 SHOW_STR(remote_port);
1587 SHOW_BOOL(remote_float);
1588 SHOW_BOOL(bind_defined);
1589 SHOW_BOOL(bind_local);
1590 SHOW_BOOL(bind_ipv6_only);
1591 SHOW_INT(connect_retry_seconds);
1592 SHOW_INT(connect_timeout);
1593
1594 if (o->http_proxy_options)
1595 {
1596 show_http_proxy_options(o->http_proxy_options);
1597 }
1598 SHOW_STR(socks_proxy_server);
1599 SHOW_STR(socks_proxy_port);
1600 SHOW_INT(tun_mtu);
1601 SHOW_BOOL(tun_mtu_defined);
1602 SHOW_INT(link_mtu);
1603 SHOW_BOOL(link_mtu_defined);
1604 SHOW_INT(tun_mtu_extra);
1605 SHOW_BOOL(tun_mtu_extra_defined);
1606 SHOW_INT(tls_mtu);
1607
1608 SHOW_INT(mtu_discover_type);
1609
1610#ifdef ENABLE_FRAGMENT
1611 SHOW_INT(fragment);
1612#endif
1613 SHOW_INT(mssfix);
1614 SHOW_BOOL(mssfix_encap);
1615 SHOW_BOOL(mssfix_fixed);
1616
1617 SHOW_INT(explicit_exit_notification);
1618
1619 SHOW_STR_INLINE(tls_auth_file);
1620 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1621 SHOW_STR_INLINE(tls_crypt_file);
1622 SHOW_STR_INLINE(tls_crypt_v2_file);
1623}
1624
1625
1626static void
1627show_connection_entries(const struct options *o)
1628{
1629 if (o->connection_list)
1630 {
1631 const struct connection_list *l = o->connection_list;
1632 int i;
1633 for (i = 0; i < l->len; ++i)
1634 {
1635 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1636 show_connection_entry(l->array[i]);
1637 }
1638 }
1639 else
1640 {
1641 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1642 show_connection_entry(&o->ce);
1643 }
1644 msg(D_SHOW_PARMS, "Connection profiles END");
1645}
1646
1647static void
1648show_pull_filter_list(const struct pull_filter_list *l)
1649{
1650 struct pull_filter *f;
1651 if (!l)
1652 {
1653 return;
1654 }
1655
1656 msg(D_SHOW_PARMS, " Pull filters:");
1657 for (f = l->head; f; f = f->next)
1658 {
1659 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1660 }
1661}
1662
1663#endif /* ifndef ENABLE_SMALL */
1664
1665void
1666show_settings(const struct options *o)
1667{
1668#ifndef ENABLE_SMALL
1669 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1670
1671 SHOW_STR(config);
1672
1673 SHOW_INT(mode);
1674
1675#ifdef ENABLE_FEATURE_TUN_PERSIST
1676 SHOW_BOOL(persist_config);
1677 SHOW_INT(persist_mode);
1678#endif
1679
1680 SHOW_BOOL(show_ciphers);
1681 SHOW_BOOL(show_digests);
1682 SHOW_BOOL(show_engines);
1683 SHOW_BOOL(genkey);
1684 SHOW_STR(genkey_filename);
1685 SHOW_STR(key_pass_file);
1686 SHOW_BOOL(show_tls_ciphers);
1687
1688 SHOW_INT(connect_retry_max);
1689 show_connection_entries(o);
1690
1691 SHOW_BOOL(remote_random);
1692
1693 SHOW_STR(ipchange);
1694 SHOW_STR(dev);
1695 SHOW_STR(dev_type);
1696 SHOW_STR(dev_node);
1697#if defined(ENABLE_DCO)
1698 SHOW_BOOL(disable_dco);
1699#endif
1700 SHOW_STR(lladdr);
1701 SHOW_INT(topology);
1702 SHOW_STR(ifconfig_local);
1703 SHOW_STR(ifconfig_remote_netmask);
1704 SHOW_BOOL(ifconfig_noexec);
1705 SHOW_BOOL(ifconfig_nowarn);
1706 SHOW_STR(ifconfig_ipv6_local);
1707 SHOW_INT(ifconfig_ipv6_netbits);
1708 SHOW_STR(ifconfig_ipv6_remote);
1709
1710 SHOW_INT(shaper);
1711 SHOW_INT(mtu_test);
1712
1713 SHOW_BOOL(mlock);
1714
1715 SHOW_INT(keepalive_ping);
1716 SHOW_INT(keepalive_timeout);
1717 SHOW_INT(inactivity_timeout);
1718 SHOW_INT(session_timeout);
1719 SHOW_INT64(inactivity_minimum_bytes);
1720 SHOW_INT(ping_send_timeout);
1721 SHOW_INT(ping_rec_timeout);
1722 SHOW_INT(ping_rec_timeout_action);
1723 SHOW_BOOL(ping_timer_remote);
1724 SHOW_INT(remap_sigusr1);
1725 SHOW_BOOL(persist_tun);
1726 SHOW_BOOL(persist_local_ip);
1727 SHOW_BOOL(persist_remote_ip);
1728
1729#if PASSTOS_CAPABILITY
1730 SHOW_BOOL(passtos);
1731#endif
1732
1733 SHOW_INT(resolve_retry_seconds);
1734 SHOW_BOOL(resolve_in_advance);
1735
1736 SHOW_STR(username);
1737 SHOW_STR(groupname);
1738 SHOW_STR(chroot_dir);
1739 SHOW_STR(cd_dir);
1740#ifdef ENABLE_SELINUX
1741 SHOW_STR(selinux_context);
1742#endif
1743 SHOW_STR(writepid);
1744 SHOW_STR(up_script);
1745 SHOW_STR(down_script);
1746 SHOW_BOOL(down_pre);
1747 SHOW_BOOL(up_restart);
1748 SHOW_BOOL(up_delay);
1749 SHOW_BOOL(daemon);
1750 SHOW_BOOL(log);
1751 SHOW_BOOL(suppress_timestamps);
1752 SHOW_BOOL(machine_readable_output);
1753 SHOW_INT(nice);
1754 SHOW_INT(verbosity);
1755 SHOW_INT(mute);
1756#ifdef ENABLE_DEBUG
1757 SHOW_INT(gremlin);
1758#endif
1759 SHOW_STR(status_file);
1760 SHOW_INT(status_file_version);
1761 SHOW_INT(status_file_update_freq);
1762
1763 SHOW_BOOL(occ);
1764 SHOW_INT(rcvbuf);
1765 SHOW_INT(sndbuf);
1766#if defined(TARGET_LINUX)
1767 SHOW_INT(mark);
1768#endif
1769 SHOW_INT(sockflags);
1770
1771 SHOW_INT(comp.alg);
1772 SHOW_INT(comp.flags);
1773
1774 SHOW_STR(route_script);
1775 SHOW_STR(route_default_gateway);
1776 SHOW_INT(route_default_metric);
1777 SHOW_INT(route_default_table_id);
1778 SHOW_BOOL(route_noexec);
1779 SHOW_INT(route_delay);
1780 SHOW_INT(route_delay_window);
1781 SHOW_BOOL(route_delay_defined);
1782 SHOW_BOOL(route_nopull);
1783 SHOW_BOOL(route_gateway_via_dhcp);
1784 SHOW_BOOL(allow_pull_fqdn);
1785 show_pull_filter_list(o->pull_filter_list);
1786
1787 if (o->routes)
1788 {
1789 print_route_options(o->routes, D_SHOW_PARMS);
1790 }
1791
1792 if (o->client_nat)
1793 {
1794 print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1795 }
1796
1797 show_dns_options(&o->dns_options);
1798
1799#ifdef ENABLE_MANAGEMENT
1800 SHOW_STR(management_addr);
1801 SHOW_STR(management_port);
1802 SHOW_STR(management_user_pass);
1803 SHOW_INT(management_log_history_cache);
1804 SHOW_INT(management_echo_buffer_size);
1805 SHOW_STR(management_client_user);
1806 SHOW_STR(management_client_group);
1807 SHOW_INT(management_flags);
1808#endif
1809#ifdef ENABLE_PLUGIN
1810 if (o->plugin_list)
1811 {
1812 plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1813 }
1814#endif
1815
1816 SHOW_STR_INLINE(shared_secret_file);
1817 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1818 SHOW_STR(ciphername);
1819 SHOW_STR(ncp_ciphers);
1820 SHOW_STR(authname);
1821#ifndef ENABLE_CRYPTO_MBEDTLS
1822 SHOW_BOOL(engine);
1823#endif /* ENABLE_CRYPTO_MBEDTLS */
1824 SHOW_BOOL(mute_replay_warnings);
1825 SHOW_INT(replay_window);
1826 SHOW_INT(replay_time);
1827 SHOW_STR(packet_id_file);
1828 SHOW_BOOL(test_crypto);
1829
1830 SHOW_BOOL(tls_server);
1831 SHOW_BOOL(tls_client);
1832 SHOW_STR_INLINE(ca_file);
1833 SHOW_STR(ca_path);
1834 SHOW_STR_INLINE(dh_file);
1835 if ((o->management_flags & MF_EXTERNAL_CERT))
1836 {
1837 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1838 }
1839 else
1840 {
1841 SHOW_STR_INLINE(cert_file);
1842 }
1843 SHOW_STR_INLINE(extra_certs_file);
1844
1845 if ((o->management_flags & MF_EXTERNAL_KEY))
1846 {
1847 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1848 }
1849 else
1850 {
1851 SHOW_STR_INLINE(priv_key_file);
1852 }
1853#ifndef ENABLE_CRYPTO_MBEDTLS
1854 SHOW_STR_INLINE(pkcs12_file);
1855#endif
1856#ifdef ENABLE_CRYPTOAPI
1857 SHOW_STR(cryptoapi_cert);
1858#endif
1859 SHOW_STR(cipher_list);
1860 SHOW_STR(cipher_list_tls13);
1861 SHOW_STR(tls_cert_profile);
1862 SHOW_STR(tls_verify);
1863 SHOW_STR(tls_export_peer_cert_dir);
1864 SHOW_INT(verify_x509_type);
1865 SHOW_STR(verify_x509_name);
1866 SHOW_STR_INLINE(crl_file);
1867 SHOW_INT(ns_cert_type);
1868 {
1869 int i;
1870 for (i = 0; i < MAX_PARMS; i++)
1871 {
1872 SHOW_INT(remote_cert_ku[i]);
1873 }
1874 }
1875 SHOW_STR(remote_cert_eku);
1876 if (o->verify_hash)
1877 {
1878 SHOW_INT(verify_hash_algo);
1879 SHOW_INT(verify_hash_depth);
1880 struct gc_arena gc = gc_new();
1881 struct verify_hash_list *hl = o->verify_hash;
1882 int digest_len =
1883 (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH : SHA256_DIGEST_LENGTH;
1884 while (hl)
1885 {
1886 char *s = format_hex_ex(hl->hash, digest_len, 0, 1, ":", &gc);
1887 SHOW_PARM(verify_hash, s, "%s");
1888 hl = hl->next;
1889 }
1890 gc_free(&gc);
1891 }
1892 SHOW_INT(ssl_flags);
1893
1894 SHOW_INT(tls_timeout);
1895
1896 SHOW_INT64(renegotiate_bytes);
1897 SHOW_INT64(renegotiate_packets);
1898 SHOW_INT(renegotiate_seconds);
1899
1900 SHOW_INT(handshake_window);
1901 SHOW_INT(transition_window);
1902
1903 SHOW_BOOL(single_session);
1904 SHOW_BOOL(push_peer_info);
1905 SHOW_BOOL(tls_exit);
1906
1907 SHOW_STR(tls_crypt_v2_metadata);
1908
1909#ifdef ENABLE_PKCS11
1910 {
1911 int i;
1912 for (i = 0; i < MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1913 {
1914 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1915 }
1916 }
1917 {
1918 int i;
1919 for (i = 0; i < MAX_PARMS; i++)
1920 {
1921 SHOW_PARM(pkcs11_protected_authentication,
1922 o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1923 }
1924 }
1925 {
1926 int i;
1927 for (i = 0; i < MAX_PARMS; i++)
1928 {
1929 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1930 }
1931 }
1932 {
1933 int i;
1934 for (i = 0; i < MAX_PARMS; i++)
1935 {
1936 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED",
1937 "%s");
1938 }
1939 }
1940 SHOW_INT(pkcs11_pin_cache_period);
1941 SHOW_STR(pkcs11_id);
1942 SHOW_BOOL(pkcs11_id_management);
1943#endif /* ENABLE_PKCS11 */
1944
1945 show_p2mp_parms(o);
1946
1947#ifdef _WIN32
1948 SHOW_BOOL(show_net_up);
1949 SHOW_INT(route_method);
1950 SHOW_BOOL(block_outside_dns);
1951 show_tuntap_options(&o->tuntap_options);
1952#endif
1953#endif /* ifndef ENABLE_SMALL */
1954}
1955
1956#undef SHOW_PARM
1957#undef SHOW_STR
1958#undef SHOW_INT
1959#undef SHOW_BOOL
1960
1961#ifdef ENABLE_MANAGEMENT
1962
1963static struct http_proxy_options *
1964parse_http_proxy_override(const char *server, const char *port, const char *flags,
1965 struct gc_arena *gc)
1966{
1967 if (server && port)
1968 {
1969 struct http_proxy_options *ho;
1970 ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
1971 ho->server = string_alloc(server, gc);
1972 ho->port = port;
1973 if (flags && !strcmp(flags, "nct"))
1974 {
1975 ho->auth_retry = PAR_NCT;
1976 }
1977 else
1978 {
1979 ho->auth_retry = PAR_ALL;
1980 }
1981 ho->http_version = "1.0";
1982 ho->user_agent = "OpenVPN-Autoproxy/1.0";
1983 return ho;
1984 }
1985 else
1986 {
1987 return NULL;
1988 }
1989}
1990
1991static void
1992options_postprocess_http_proxy_override(struct options *o)
1993{
1994 const struct connection_list *l = o->connection_list;
1995 int i;
1996 bool succeed = false;
1997 for (i = 0; i < l->len; ++i)
1998 {
1999 struct connection_entry *ce = l->array[i];
2000 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2001 {
2002 ce->http_proxy_options = o->http_proxy_override;
2003 succeed = true;
2004 }
2005 }
2006 if (succeed)
2007 {
2008 for (i = 0; i < l->len; ++i)
2009 {
2010 struct connection_entry *ce = l->array[i];
2011 if (ce->proto == PROTO_UDP)
2012 {
2013 ce->flags |= CE_DISABLED;
2014 }
2015 }
2016 }
2017 else
2018 {
2019 msg(M_WARN,
2020 "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2021 }
2022}
2023
2024#endif /* ifdef ENABLE_MANAGEMENT */
2025
2026static struct local_list *
2027alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
2028{
2029 if (!ce->local_list)
2030 {
2031 ALLOC_OBJ_CLEAR_GC(ce->local_list, struct local_list, gc);
2032 }
2033 return ce->local_list;
2034}
2035
2036static struct local_entry *
2037alloc_local_entry(struct connection_entry *ce, const msglvl_t msglevel, struct gc_arena *gc)
2038{
2039 struct local_list *l = alloc_local_list_if_undef(ce, gc);
2040 struct local_entry *e;
2041
2042 if (l->len >= l->capacity)
2043 {
2044 const int new_cap = l->capacity + 1;
2045 const size_t elem_size = sizeof(*l->array);
2046
2047 struct local_entry **new_array = gc_realloc(l->array, new_cap * elem_size, gc);
2048 if (!new_array)
2049 {
2050 msg(msglevel,
2051 "Unable to process more local options: out of memory. Number of entries = %d",
2052 l->len);
2053 return NULL;
2054 }
2055
2056 l->array = new_array;
2057 l->capacity = new_cap;
2058 }
2059
2060 ALLOC_OBJ_CLEAR_GC(e, struct local_entry, gc);
2061 e->proto = PROTO_NONE;
2062 l->array[l->len++] = e;
2063
2064 return e;
2065}
2066
2067static struct connection_list *
2076
2077static struct connection_entry *
2078alloc_connection_entry(struct options *options, const msglvl_t msglevel)
2079{
2080 struct connection_list *l = alloc_connection_list_if_undef(options);
2081 struct connection_entry *e;
2082
2083 if (l->len == l->capacity)
2084 {
2085 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2086 struct connection_entry **ce =
2087 gc_realloc(l->array, capacity * sizeof(struct connection_entry *), &options->gc);
2088 if (ce == NULL)
2089 {
2090 msg(msglevel,
2091 "Unable to process more connection options: out of memory. Number of entries = %d",
2092 l->len);
2093 return NULL;
2094 }
2095 l->array = ce;
2096 l->capacity = capacity;
2097 }
2098 ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2099 l->array[l->len++] = e;
2100 return e;
2101}
2102
2103static struct remote_list *
2104alloc_remote_list_if_undef(struct options *options)
2105{
2106 if (!options->remote_list)
2107 {
2108 ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2109 }
2110 return options->remote_list;
2111}
2112
2113static struct remote_entry *
2114alloc_remote_entry(struct options *options, const msglvl_t msglevel)
2115{
2116 struct remote_list *l = alloc_remote_list_if_undef(options);
2117 struct remote_entry *e;
2118
2119 if (l->len == l->capacity)
2120 {
2121 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2122 struct remote_entry **re =
2123 gc_realloc(l->array, capacity * sizeof(struct remote_entry *), &options->gc);
2124 if (re == NULL)
2125 {
2126 msg(msglevel,
2127 "Unable to process more remote options: out of memory. Number of entries = %d",
2128 l->len);
2129 return NULL;
2130 }
2131 l->array = re;
2132 l->capacity = capacity;
2133 }
2134 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2135 l->array[l->len++] = e;
2136 return e;
2137}
2138
2139static struct pull_filter_list *
2140alloc_pull_filter_list(struct options *o)
2141{
2142 if (!o->pull_filter_list)
2143 {
2144 ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2145 }
2146 return o->pull_filter_list;
2147}
2148
2149static struct pull_filter *
2150alloc_pull_filter(struct options *o)
2151{
2152 struct pull_filter_list *l = alloc_pull_filter_list(o);
2153 struct pull_filter *f;
2154
2155 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2156 if (l->head)
2157 {
2158 ASSERT(l->tail);
2159 l->tail->next = f;
2160 }
2161 else
2162 {
2163 ASSERT(!l->tail);
2164 l->head = f;
2165 }
2166 l->tail = f;
2167 return f;
2168}
2169
2170static void
2171connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2172{
2173 if (re->remote)
2174 {
2175 ce->remote = re->remote;
2176 }
2177 if (re->remote_port)
2178 {
2179 ce->remote_port = re->remote_port;
2180 }
2181 if (re->proto >= 0)
2182 {
2183 ce->proto = re->proto;
2184 }
2185 if (re->af > 0)
2186 {
2187 ce->af = re->af;
2188 }
2189}
2190
2191static void
2192connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
2193{
2194 if (key_file && *key_file && !(*key_inline))
2195 {
2196 struct buffer in = buffer_read_from_file(*key_file, gc);
2197 if (!buf_valid(&in))
2198 {
2199 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2200 }
2201
2202 *key_file = (const char *)in.data;
2203 *key_inline = true;
2204 }
2205}
2206
2207static void
2208check_ca_required(const struct options *options)
2209{
2210#ifdef ENABLE_CRYPTO_MBEDTLS
2211 if (options->ca_path)
2212 {
2213 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN.");
2214 }
2215#endif
2216
2217 if (options->verify_hash_no_ca || options->pkcs12_file || options->ca_file
2218#ifndef ENABLE_CRYPTO_MBEDTLS
2219 || options->ca_path
2220#endif
2221 )
2222 {
2223 return;
2224 }
2225
2226 const char *const str = "You must define CA file (--ca)"
2227#ifndef ENABLE_CRYPTO_MBEDTLS
2228 " or CA path (--capath)"
2229#endif
2230 " and/or peer fingerprint verification (--peer-fingerprint)";
2231 msg(M_USAGE, "%s", str);
2232}
2233
2234#define MUST_BE_UNDEF(parm, parm_name) \
2235 if (options->parm != defaults.parm) \
2236 { \
2237 msg(M_USAGE, use_err, parm_name); \
2238 }
2239#define MUST_BE_FALSE(condition, parm_name) \
2240 if (condition) \
2241 { \
2242 msg(M_USAGE, use_err, parm_name); \
2243 }
2244
2245static void
2246options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
2247{
2248 struct options defaults;
2249 int dev = DEV_TYPE_UNDEF;
2250 bool pull = false;
2251
2252 init_options(&defaults);
2253
2254 if (!options->test_crypto)
2255 {
2256 notnull(options->dev, "TUN/TAP device (--dev)");
2257 }
2258
2259 /*
2260 * Get tun/tap/null device type
2261 */
2262 dev = dev_type_enum(options->dev, options->dev_type);
2263
2264 /*
2265 * If "proto tcp" is specified, make sure we know whether it is
2266 * tcp-client or tcp-server.
2267 */
2268 if (ce->proto == PROTO_TCP)
2269 {
2270 msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify "
2271 "--proto tcp-server or --proto tcp-client");
2272 }
2273
2274 /*
2275 * Sanity check on Client mode
2276 */
2277
2278 if (options->mode != MODE_SERVER && ce->local_list->len > 1)
2279 {
2280 msg(M_USAGE, "multiple --local statements only allowed in --server mode");
2281 }
2282
2283 if (options->lladdr && dev != DEV_TYPE_TAP)
2284 {
2285 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2286 }
2287
2288 /*
2289 * Sanity check on MTU parameters
2290 */
2291 if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2292 {
2293 msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2294 }
2295
2296 if (!proto_is_udp(ce->proto) && options->mtu_test)
2297 {
2298 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2299 }
2300
2301 /* will we be pulling options from server? */
2302 pull = options->pull;
2303
2304 /*
2305 * Sanity check on --local, --remote, and --ifconfig
2306 */
2307
2308 if (string_defined_equal(ce->remote, options->ifconfig_local)
2309 || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2310 {
2311 msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig "
2312 "addresses");
2313 }
2314
2315 if (string_defined_equal(options->ifconfig_local, options->ifconfig_remote_netmask))
2316 {
2317 msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
2318 }
2319
2320 if (ce->bind_defined && !ce->bind_local)
2321 {
2322 msg(M_USAGE, "--bind and --nobind can't be used together");
2323 }
2324
2325 if (ce->local_port_defined && !ce->bind_local)
2326 {
2327 msg(M_USAGE, "--lport and --nobind don't make sense when used together");
2328 }
2329
2330 if (!ce->remote && !ce->bind_local)
2331 {
2332 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2333 }
2334
2335 for (int i = 0; i < ce->local_list->len; i++)
2336 {
2337 struct local_entry *le = ce->local_list->array[i];
2338
2339 if (proto_is_net(le->proto) && string_defined_equal(le->local, ce->remote)
2340 && string_defined_equal(le->port, ce->remote_port))
2341 {
2342 msg(M_USAGE, "--remote and one of the --local addresses are the same");
2343 }
2344
2345 if (string_defined_equal(le->local, options->ifconfig_local)
2346 || string_defined_equal(le->local, options->ifconfig_remote_netmask))
2347 {
2348 msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2349 }
2350
2351 if (le->local && !ce->bind_local)
2352 {
2353 msg(M_USAGE, "--local and --nobind don't make sense when used together");
2354 }
2355 }
2356
2357 /*
2358 * Check for consistency of management options
2359 */
2360#ifdef ENABLE_MANAGEMENT
2361 if (!options->management_addr
2362 && (options->management_flags
2363 || options->management_log_history_cache != defaults.management_log_history_cache))
2364 {
2365 msg(M_USAGE,
2366 "--management is not specified, however one or more options which modify the behavior of --management were specified");
2367 }
2368
2369 if ((options->management_client_user || options->management_client_group)
2370 && !(options->management_flags & MF_UNIX_SOCK))
2371 {
2372 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2373 }
2374
2375 if (options->management_addr && !(options->management_flags & MF_UNIX_SOCK)
2376 && (!options->management_user_pass))
2377 {
2378 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2379 "passwords is STRONGLY discouraged and considered insecure");
2380 }
2381
2382#endif /* ifdef ENABLE_MANAGEMENT */
2383
2384#if !defined(HAVE_XKEY_PROVIDER)
2385 if ((tls_version_max() >= TLS_VER_1_3) && (options->management_flags & MF_EXTERNAL_KEY)
2386 && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING)))
2387 {
2388 msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2389 "nopadding argument/support");
2390 }
2391#endif
2392 /*
2393 * Windows-specific options.
2394 */
2395
2396#ifdef _WIN32
2397 if (dev == DEV_TYPE_TUN
2398 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2399 {
2400 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2401 }
2402
2403 if ((options->tuntap_options.ip_win32_defined)
2404 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2405 {
2406 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2407 }
2408
2409 if (options->tuntap_options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
2410 {
2411 const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
2412 if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
2413 {
2414 msg(M_USAGE, "%s, which is not supported by the selected %s driver", prefix,
2415 print_tun_backend_driver(options->windows_driver));
2416 }
2417 else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2418 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2419 {
2420 msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive", prefix);
2421 }
2422 }
2423#endif /* ifdef _WIN32 */
2424
2425 /*
2426 * Check that protocol options make sense.
2427 */
2428
2429#ifdef ENABLE_FRAGMENT
2430 if (!proto_is_udp(ce->proto) && ce->fragment)
2431 {
2432 msg(M_USAGE, "--fragment can only be used with --proto udp");
2433 }
2434#endif
2435
2436 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2437 {
2438 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2439 }
2440
2441 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2442 {
2443 msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2444 "tcp-client)");
2445 }
2446
2447 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2448 {
2449 msg(M_USAGE, "--http-proxy not specified but other http proxy options present");
2450 }
2451
2452 if (ce->http_proxy_options && ce->socks_proxy_server)
2453 {
2454 msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy");
2455 }
2456
2457 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2458 {
2459 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2460 }
2461
2462 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2463 {
2464 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2465 }
2466
2467 /*
2468 * Check consistency of --mode server options.
2469 */
2470 if (options->mode == MODE_SERVER)
2471 {
2472 const char use_err[] = "--%s cannot be used with --mode server.";
2473
2474#define USAGE_VALID_SERVER_PROTOS \
2475 "--mode server currently only supports " \
2476 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2477#ifdef TARGET_ANDROID
2478 msg(M_FATAL, "--mode server not supported on Android");
2479#endif
2480 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2481 {
2482 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2483 }
2484 MUST_BE_UNDEF(pull, "pull");
2485 if (options->pull_filter_list)
2486 {
2487 msg(M_WARN, "--pull-filter ignored for --mode server");
2488 }
2489 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2490 {
2491 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2492 }
2493#if PORT_SHARE
2494 if ((options->port_share_host || options->port_share_port)
2495 && (ce->proto != PROTO_TCP_SERVER))
2496 {
2497 msg(M_USAGE, "--port-share only works in TCP server mode "
2498 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2499 }
2500#endif
2501 if (!options->tls_server)
2502 {
2503 msg(M_USAGE, "--mode server requires --tls-server");
2504 }
2505 MUST_BE_FALSE(ce->remote, "remote");
2506 MUST_BE_FALSE(!ce->bind_local, "nobind");
2507 MUST_BE_FALSE(ce->http_proxy_options, "http-proxy");
2508 MUST_BE_FALSE(ce->socks_proxy_server, "socks-proxy");
2509 /* <connection> blocks force to have a remote embedded, so we check
2510 * for the --remote and bail out if it is present
2511 */
2512 if (options->connection_list->len > 1 || options->connection_list->array[0]->remote)
2513 {
2514 msg(M_USAGE, "<connection> cannot be used with --mode server");
2515 }
2516
2517 MUST_BE_UNDEF(shaper, "shaper");
2518 if (options->ipchange)
2519 {
2520 msg(M_USAGE, "--ipchange cannot be used with --mode server (use "
2521 "--client-connect instead)");
2522 }
2523 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2524 {
2525 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2526 }
2527 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2528 {
2529 msg(M_USAGE,
2530 "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2531 }
2532 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET))
2533 && options->ifconfig_pool_netmask)
2534 {
2535 msg(M_USAGE,
2536 "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2537 }
2538 if (options->routes && (options->routes->flags & RG_ENABLE))
2539 {
2540 msg(M_USAGE,
2541 "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2542 }
2543 MUST_BE_UNDEF(route_delay_defined, "route-delay");
2544 MUST_BE_UNDEF(up_delay, "up-delay");
2545 if (!options->ifconfig_pool_defined && !options->ifconfig_ipv6_pool_defined
2546 && options->ifconfig_pool_persist_filename)
2547 {
2548 msg(M_USAGE,
2549 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2550 }
2551 if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2552 {
2553 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2554 }
2555 MUST_BE_UNDEF(allow_recursive_routing, "allow-recursive-routing");
2556 if (options->auth_user_pass_file)
2557 {
2558 msg(M_USAGE,
2559 "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2560 }
2561 if (options->ccd_exclusive && !options->client_config_dir)
2562 {
2563 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2564 }
2565 if (options->auth_token_generate && !options->renegotiate_seconds)
2566 {
2567 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2568 "--renegotiate_seconds setting");
2569 }
2570 if (options->auth_token_generate && options->auth_token_renewal
2571 && options->auth_token_renewal < 2 * options->handshake_window)
2572 {
2573 msg(M_USAGE,
2574 "--auth-gen-token renewal time needs to be at least "
2575 " two times --hand-window (%d).",
2576 options->handshake_window);
2577 }
2578 if (!options->auth_user_pass_verify_script && !PLUGIN_OPTION_LIST(options)
2579 && !MAN_CLIENT_AUTH_ENABLED(options))
2580 {
2581 const char *use_err =
2582 "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2583
2584 MUST_BE_FALSE(options->ssl_flags
2585 & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL),
2586 "verify-client-cert none|optional");
2587 MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME,
2588 "username-as-common-name");
2589 MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL,
2590 "auth-user-pass-optional");
2591 }
2592
2593 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2594 {
2595 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2596 }
2597 if (!options->vlan_tagging)
2598 {
2599 const char use_err[] = "--%s requires --vlan-tagging";
2600 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2601 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2602 }
2603 }
2604 else
2605 {
2606 const char use_err[] = "--%s requires --mode server";
2607 /*
2608 * When not in server mode, err if parameters are
2609 * specified which require --mode server.
2610 */
2611 MUST_BE_UNDEF(ifconfig_pool_defined, "ifconfig-pool");
2612 MUST_BE_UNDEF(ifconfig_pool_persist_filename, "ifconfig-pool-persist");
2613 MUST_BE_UNDEF(ifconfig_ipv6_pool_defined, "ifconfig-ipv6-pool");
2614 MUST_BE_UNDEF(real_hash_size, "hash-size");
2615 MUST_BE_UNDEF(virtual_hash_size, "hash-size");
2616 MUST_BE_UNDEF(learn_address_script, "learn-address");
2617 MUST_BE_UNDEF(client_connect_script, "client-connect");
2618 MUST_BE_UNDEF(client_crresponse_script, "client-crresponse");
2619 MUST_BE_UNDEF(client_disconnect_script, "client-disconnect");
2620 MUST_BE_UNDEF(client_config_dir, "client-config-dir");
2621 MUST_BE_UNDEF(ccd_exclusive, "ccd-exclusive");
2622 MUST_BE_UNDEF(enable_c2c, "client-to-client");
2623 MUST_BE_UNDEF(duplicate_cn, "duplicate-cn");
2624 MUST_BE_UNDEF(cf_max, "connect-freq");
2625 MUST_BE_UNDEF(cf_per, "connect-freq");
2626 MUST_BE_FALSE(options->ssl_flags
2627 & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL),
2628 "verify-client-cert");
2629 MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name");
2630 MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional");
2631 if (options->server_flags & SF_TCP_NODELAY_HELPER)
2632 {
2633 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2634 "affect the server. To have TCP_NODELAY in both direction use "
2635 "tcp-nodelay in the server configuration instead.");
2636 }
2637 MUST_BE_UNDEF(auth_user_pass_verify_script, "auth-user-pass-verify");
2638 MUST_BE_UNDEF(auth_token_generate, "auth-gen-token");
2639#if PORT_SHARE
2640 if (options->port_share_host || options->port_share_port)
2641 {
2642 msg(M_USAGE,
2643 "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2644 }
2645#endif
2646 MUST_BE_UNDEF(stale_routes_check_interval, "stale-routes-check");
2647 MUST_BE_UNDEF(vlan_tagging, "vlan-tagging");
2648 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2649 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2650 MUST_BE_UNDEF(force_key_material_export, "force-key-material-export");
2651
2652 if (options->push_list.head)
2653 {
2654 msg(M_WARN, "Note: Using --push without --mode server is an "
2655 "unsupported configuration. Negotiation of OpenVPN "
2656 "features is expected to fail.");
2657 }
2658 }
2659
2660 /*
2661 * SSL/TLS mode sanity checks.
2662 */
2663 if (options->tls_server + options->tls_client + (options->shared_secret_file != NULL) > 1)
2664 {
2665 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2666 }
2667
2668 if (!options->tls_server && !options->tls_client && !options->test_crypto)
2669 {
2670 msglvl_t msglevel = M_USAGE;
2671 if (options->allow_deprecated_insecure_static_crypto)
2672 {
2673 msglevel = M_INFO;
2674 }
2675
2676 msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
2677 "configuration detected. OpenVPN 2.8 will remove the "
2678 "functionality to run a VPN without TLS. "
2679 "See the examples section in the manual page for "
2680 "examples of a similar quick setup with peer-fingerprint. "
2681 "OpenVPN 2.7 allows using this configuration when using "
2682 "--allow-deprecated-insecure-static-crypto but you should move "
2683 "to a proper configuration using TLS as soon as possible.");
2684 }
2685
2686 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL))
2687 {
2688 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2689 "--verify-client-cert none|optional "
2690 "may accept clients which do not present a certificate");
2691 }
2692
2693 const unsigned int tls_version_max =
2694 (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
2695 const unsigned int tls_version_min =
2696 (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
2697
2698 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2699 {
2700 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2701 }
2702
2703 if (options->tls_server || options->tls_client)
2704 {
2705 check_ca_required(options);
2706#ifdef ENABLE_PKCS11
2707 if (!options->pkcs11_providers[0] && options->pkcs11_id)
2708 {
2709 msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2710 }
2711 else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2712 {
2713 msg(M_WARN,
2714 "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2715 }
2716
2717 if (options->pkcs11_providers[0])
2718 {
2719 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2720 {
2721 msg(M_USAGE,
2722 "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2723 }
2724 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2725 {
2726 msg(M_USAGE,
2727 "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2728 }
2729 const char use_err[] =
2730 "Parameter --%s cannot be used when --pkcs11-provider is also specified.";
2731 MUST_BE_UNDEF(cert_file, "cert");
2732 MUST_BE_UNDEF(priv_key_file, "key");
2733 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2734 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2735 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2736#ifdef ENABLE_CRYPTOAPI
2737 MUST_BE_UNDEF(cryptoapi_cert, "cryptoapicert");
2738#endif
2739 }
2740 else
2741#endif /* ifdef ENABLE_PKCS11 */
2742#ifdef ENABLE_CRYPTOAPI
2743 if (options->cryptoapi_cert)
2744 {
2745 const char use_err[] =
2746 "Parameter --%s cannot be used when --cryptoapicert is also specified.";
2747 MUST_BE_UNDEF(cert_file, "cert");
2748 MUST_BE_UNDEF(priv_key_file, "key");
2749 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2750 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2751 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2752 }
2753 else
2754#endif
2755 if (options->pkcs12_file)
2756 {
2757#ifdef ENABLE_CRYPTO_MBEDTLS
2758 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN.");
2759#else
2760 const char use_err[] = "Parameter --%s cannot be used when --pkcs12 is also specified.";
2761 MUST_BE_UNDEF(ca_path, "capath");
2762 MUST_BE_UNDEF(cert_file, "cert");
2763 MUST_BE_UNDEF(priv_key_file, "key");
2764 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2765 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2766#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2767 }
2768 else /* cert/key from none of pkcs11, pkcs12, cryptoapi */
2769 {
2770 if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2771 {
2772 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2773 }
2774 if ((options->management_flags & MF_EXTERNAL_CERT))
2775 {
2776 if (options->cert_file)
2777 {
2778 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2779 }
2780 else if (!(options->management_flags & MF_EXTERNAL_KEY))
2781 {
2782 msg(M_USAGE,
2783 "--management-external-cert must be used with --management-external-key");
2784 }
2785 }
2786 if (pull)
2787 {
2788 const int sum =
2789 ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2790 + ((options->priv_key_file != NULL)
2791 || (options->management_flags & MF_EXTERNAL_KEY));
2792
2793 if (sum == 0)
2794 {
2795 if (!options->auth_user_pass_file)
2796 {
2797 msg(M_USAGE, "No client-side authentication method is "
2798 "specified. You must use either "
2799 "--cert/--key, --pkcs12, or "
2800 "--auth-user-pass");
2801 }
2802 }
2803 else if (sum != 2)
2804 {
2805 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2806 }
2807 }
2808 else
2809 {
2810 if (!(options->management_flags & MF_EXTERNAL_CERT))
2811 {
2812 notnull(options->cert_file,
2813 "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2814 }
2815 if (!(options->management_flags & MF_EXTERNAL_KEY))
2816 {
2817 notnull(options->priv_key_file,
2818 "private key file (--key) or PKCS#12 file (--pkcs12)");
2819 }
2820 }
2821 }
2822 if (ce->tls_auth_file && ce->tls_crypt_file)
2823 {
2824 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2825 }
2826 if (options->tls_client && ce->tls_crypt_v2_file
2827 && (ce->tls_auth_file || ce->tls_crypt_file))
2828 {
2829 msg(M_USAGE,
2830 "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2831 }
2832 }
2833 else
2834 {
2835 /*
2836 * Make sure user doesn't specify any TLS options
2837 * when in non-TLS mode.
2838 */
2839
2840 const char use_err[] = "Parameter %s can only be specified in TLS-mode, "
2841 "i.e. where --tls-server or --tls-client is also specified.";
2842
2843 MUST_BE_UNDEF(ca_file, "ca");
2844 MUST_BE_UNDEF(ca_path, "capath");
2845 MUST_BE_UNDEF(dh_file, "dh");
2846 MUST_BE_UNDEF(cert_file, "cert");
2847 MUST_BE_UNDEF(priv_key_file, "key");
2848#ifndef ENABLE_CRYPTO_MBEDTLS
2849 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2850#endif
2851 MUST_BE_UNDEF(cipher_list, "tls-cipher");
2852 MUST_BE_UNDEF(cipher_list_tls13, "tls-ciphersuites");
2853 MUST_BE_UNDEF(tls_cert_profile, "tls-cert-profile");
2854 MUST_BE_UNDEF(tls_verify, "tls-verify");
2855 MUST_BE_UNDEF(tls_export_peer_cert_dir, "tls-export-cert");
2856 MUST_BE_UNDEF(verify_x509_name, "verify-x509-name");
2857 MUST_BE_UNDEF(tls_timeout, "tls-timeout");
2858 MUST_BE_UNDEF(renegotiate_bytes, "reneg-bytes");
2859 MUST_BE_UNDEF(renegotiate_packets, "reneg-pkts");
2860 MUST_BE_UNDEF(renegotiate_seconds, "reneg-sec");
2861 MUST_BE_UNDEF(handshake_window, "hand-window");
2862 MUST_BE_UNDEF(transition_window, "tran-window");
2863 MUST_BE_UNDEF(tls_auth_file, "tls-auth");
2864 MUST_BE_UNDEF(tls_crypt_file, "tls-crypt");
2865 MUST_BE_UNDEF(tls_crypt_v2_file, "tls-crypt-v2");
2866 MUST_BE_UNDEF(single_session, "single-session");
2867 MUST_BE_UNDEF(push_peer_info, "push-peer-info");
2868 MUST_BE_UNDEF(tls_exit, "tls-exit");
2869 MUST_BE_UNDEF(crl_file, "crl-verify");
2870 MUST_BE_UNDEF(ns_cert_type, "ns-cert-type");
2871 MUST_BE_UNDEF(remote_cert_ku[0], "remote-cert-ku");
2872 MUST_BE_UNDEF(remote_cert_eku, "remote-cert-eku");
2873#ifdef ENABLE_PKCS11
2874 MUST_BE_UNDEF(pkcs11_providers[0], "pkcs11-providers");
2875 MUST_BE_UNDEF(pkcs11_private_mode[0], "pkcs11-private-mode");
2876 MUST_BE_UNDEF(pkcs11_id, "pkcs11-id");
2877 MUST_BE_UNDEF(pkcs11_id_management, "pkcs11-id-management");
2878#endif
2879
2880 if (pull)
2881 {
2882 msg(M_USAGE, use_err, "--pull");
2883 }
2884 }
2885 if (options->auth_user_pass_file && !options->pull)
2886 {
2887 msg(M_USAGE, "--auth-user-pass requires --pull");
2888 }
2889
2890 uninit_options(&defaults);
2891}
2892
2893#undef MUST_BE_UNDEF
2894#undef MUST_BE_FALSE
2895
2896static void
2897options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
2898{
2899 const int dev = dev_type_enum(o->dev, o->dev_type);
2900
2901 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
2902 {
2903 if (ce->proto == PROTO_TCP)
2904 {
2905 ce->proto = PROTO_TCP_SERVER;
2906 o->ce.proto = ce->proto;
2907 }
2908 }
2909
2910 if (o->mode != MODE_SERVER)
2911 {
2912 if (ce->proto == PROTO_TCP)
2913 {
2914 ce->proto = PROTO_TCP_CLIENT;
2915 o->ce.proto = ce->proto;
2916 }
2917 }
2918
2919 /* an option is present that requires local bind to enabled */
2920 bool need_bind = ce->local_port_defined || ce->bind_defined || ce->local_list;
2921
2922 /* socks proxy is enabled */
2923 bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
2924
2925 /* If binding is not forced by an explicit option and we have (at least)
2926 * one of --tcp-client, --pull (or --client), or socks we do not bind
2927 * locally to have "normal" IP client behaviour of a random source port */
2928 if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
2929 {
2930 ce->bind_local = false;
2931 }
2932
2933 if (!ce->bind_local)
2934 {
2935 ce->local_port = NULL;
2936 }
2937
2938 /* if protocol forcing is enabled, disable all protocols
2939 * except for the forced one
2940 */
2941 if (o->proto_force >= 0 && o->proto_force != ce->proto)
2942 {
2943 ce->flags |= CE_DISABLED;
2944 }
2945
2946 if (ce->http_proxy_options)
2947 {
2948 ce->http_proxy_options->nocache = ssl_get_auth_nocache();
2949 }
2950
2951 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
2952 * so fall back to IPv4-only (trac #1221)
2953 */
2954 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
2955 {
2956 if (ce->af == AF_INET6)
2957 {
2958 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
2959 "'--socks-proxy' today. Forcing IPv4 mode.");
2960 }
2961 else
2962 {
2963 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
2964 "work correctly with '--socks-proxy' today. Forcing IPv4.");
2965 }
2966 ce->af = AF_INET;
2967 }
2968
2969 /*
2970 * Set MTU defaults
2971 */
2972 {
2973 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
2974 {
2975 ce->tun_mtu_defined = true;
2976 }
2977 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
2978 {
2979 ce->tun_mtu_extra_defined = true;
2980 ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
2981 }
2982 }
2983
2984 /*
2985 * If --mssfix is supplied without a parameter or not specified at all,
2986 * default it to --fragment value, if --fragment is specified and otherwise
2987 * to the default if tun-mtu is 1500
2988 */
2989 if (o->ce.mssfix_default)
2990 {
2991#ifdef ENABLE_FRAGMENT
2992 if (ce->fragment)
2993 {
2994 ce->mssfix = ce->fragment;
2995 }
2996 else
2997#endif
2998 if (ce->tun_mtu_defined)
2999 {
3000 if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3001 {
3002 /* We want to only set mssfix default value if we use a default
3003 * MTU Size, otherwise the different size of tun should either
3004 * already solve the problem or mssfix might artifically make the
3005 * payload packets smaller without mssfix 0 */
3006 ce->mssfix = MSSFIX_DEFAULT;
3007 ce->mssfix_encap = true;
3008 }
3009 else
3010 {
3011 /* We still apply the mssfix value but only adjust it to the
3012 * size of the tun interface. */
3013 ce->mssfix = ce->tun_mtu;
3014 ce->mssfix_fixed = true;
3015 }
3016 }
3017 }
3018
3019 /*
3020 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3021 *
3022 * At the end only one of these will be really set because the parser
3023 * logic prevents configurations where more are set.
3024 */
3025 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3026 {
3027 ce->tls_auth_file = o->tls_auth_file;
3028 ce->tls_auth_file_inline = o->tls_auth_file_inline;
3029 ce->key_direction = o->key_direction;
3030
3031 ce->tls_crypt_file = o->tls_crypt_file;
3032 ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3033
3034 ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3035 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3036 }
3037
3038 /* Pre-cache tls-auth/crypt(-v2) key file if
3039 * keys were not already embedded in the config file.
3040 */
3041 connection_entry_preload_key(&ce->tls_auth_file, &ce->tls_auth_file_inline, &o->gc);
3042 connection_entry_preload_key(&ce->tls_crypt_file, &ce->tls_crypt_file_inline, &o->gc);
3043 connection_entry_preload_key(&ce->tls_crypt_v2_file, &ce->tls_crypt_v2_file_inline, &o->gc);
3044
3045
3046 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3047 {
3048 msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3049 ce->explicit_exit_notification = 0;
3050 }
3051}
3052
3053static void
3054options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
3055{
3056 /* use the global port if none is specified */
3057 if (!le->port)
3058 {
3059 le->port = ce->local_port;
3060 }
3061 /* use the global proto if none is specified and
3062 * allow proto bindings on server mode only */
3063 if (!le->proto || mode == MODE_POINT_TO_POINT)
3064 {
3065 le->proto = ce->proto;
3066 }
3067}
3068
3069#ifdef _WIN32
3070/* If iservice is in use, we need def1 method for redirect-gateway */
3071static void
3072remap_redirect_gateway_flags(struct options *opt)
3073{
3074 if (opt->routes && opt->route_method == ROUTE_METHOD_SERVICE
3075 && opt->routes->flags & RG_REROUTE_GW && !(opt->routes->flags & RG_DEF1))
3076 {
3077 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3078 opt->routes->flags |= RG_DEF1;
3079 }
3080}
3081#endif /* ifdef _WIN32 */
3082
3083/*
3084 * Save/Restore certain option defaults before --pull is applied.
3085 */
3086
3087static void
3088pre_connect_save(struct options *o)
3089{
3090 ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3091 o->pre_connect->tuntap_options = o->tuntap_options;
3092 o->pre_connect->tuntap_options_defined = true;
3093 o->pre_connect->foreign_option_index = o->foreign_option_index;
3094
3095 if (o->routes)
3096 {
3097 o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3098 o->pre_connect->routes_defined = true;
3099 }
3100 if (o->routes_ipv6)
3101 {
3102 o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3103 o->pre_connect->routes_ipv6_defined = true;
3104 }
3105 if (o->client_nat)
3106 {
3107 o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3108 o->pre_connect->client_nat_defined = true;
3109 }
3110
3111 o->pre_connect->ifconfig_local = o->ifconfig_local;
3112 o->pre_connect->ifconfig_ipv6_local = o->ifconfig_ipv6_local;
3113
3114 o->pre_connect->route_default_gateway = o->route_default_gateway;
3115 o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3116
3117 o->pre_connect->dns_options = clone_dns_options(&o->dns_options, &o->gc);
3118
3119 /* NCP related options that can be overwritten by a push */
3120 o->pre_connect->ciphername = o->ciphername;
3121 o->pre_connect->authname = o->authname;
3122
3123 /* Ping related options should be reset to the config values on reconnect */
3124 o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3125 o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3126 o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3127
3128 /* Miscellaneous Options */
3129 o->pre_connect->comp = o->comp;
3130}
3131
3132void
3133pre_connect_restore(struct options *o, struct gc_arena *gc)
3134{
3135 const struct options_pre_connect *pp = o->pre_connect;
3136 if (pp)
3137 {
3138 CLEAR(o->tuntap_options);
3139 if (pp->tuntap_options_defined)
3140 {
3141 o->tuntap_options = pp->tuntap_options;
3142 }
3143
3144 if (pp->routes_defined)
3145 {
3146 rol_check_alloc(o);
3147 copy_route_option_list(o->routes, pp->routes, gc);
3148 }
3149 else
3150 {
3151 o->routes = NULL;
3152 }
3153
3154 if (pp->routes_ipv6_defined)
3155 {
3156 rol6_check_alloc(o);
3157 copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3158 }
3159 else
3160 {
3161 o->routes_ipv6 = NULL;
3162 }
3163
3164 o->ifconfig_local = pp->ifconfig_local;
3165 o->ifconfig_ipv6_local = pp->ifconfig_ipv6_local;
3166
3167 o->route_default_gateway = pp->route_default_gateway;
3168 o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3169
3170 /* Free DNS options and reset them to pre-pull state */
3171 gc_free(&o->dns_options.gc);
3172 struct gc_arena dns_gc = gc_new();
3173 o->dns_options = clone_dns_options(&pp->dns_options, &dns_gc);
3174 o->dns_options.gc = dns_gc;
3175
3176 if (pp->client_nat_defined)
3177 {
3178 cnol_check_alloc(o);
3179 copy_client_nat_option_list(o->client_nat, pp->client_nat);
3180 }
3181 else
3182 {
3183 o->client_nat = NULL;
3184 }
3185
3186 o->foreign_option_index = pp->foreign_option_index;
3187
3188 o->ciphername = pp->ciphername;
3189 o->authname = pp->authname;
3190
3191 o->ping_rec_timeout = pp->ping_rec_timeout;
3192 o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3193 o->ping_send_timeout = pp->ping_send_timeout;
3194
3195 /* Miscellaneous Options */
3196 o->comp = pp->comp;
3197 }
3198
3199 o->push_continuation = 0;
3200 o->push_option_types_found = 0;
3201 o->push_update_options_found = 0;
3202 o->imported_protocol_flags = 0;
3203}
3204
3205static void
3206options_postprocess_mutate_invariant(struct options *options)
3207{
3208#ifdef _WIN32
3209 const int dev = dev_type_enum(options->dev, options->dev_type);
3210
3211 /* when using ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3212 if ((options->windows_driver == DRIVER_DCO)
3213 && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3214 || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3215 {
3216 options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3217 }
3218
3219 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3220 {
3221 /* delay may only be necessary when we perform DHCP handshake */
3222 const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3223 || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3224 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3225 {
3226 options->route_delay_defined = true;
3227 options->route_delay = 5; /* Vista sometimes has a race without this */
3228 }
3229 }
3230
3231 if (options->ifconfig_noexec)
3232 {
3233 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3234 options->ifconfig_noexec = false;
3235 }
3236
3237 remap_redirect_gateway_flags(options);
3238
3239 /*
3240 * Check consistency of --mode server options.
3241 */
3242 if (options->mode == MODE_SERVER)
3243 {
3244 /*
3245 * We need to explicitly set --tap-sleep because
3246 * we do not schedule event timers in the top-level context.
3247 */
3248 options->tuntap_options.tap_sleep = 10;
3249 if (options->route_delay_defined && options->route_delay)
3250 {
3251 options->tuntap_options.tap_sleep = options->route_delay;
3252 }
3253 options->route_delay_defined = false;
3254 }
3255#endif /* ifdef _WIN32 */
3256
3257#ifdef DEFAULT_PKCS11_MODULE
3258 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3259 * by default if the user asks for PKCS#11 without otherwise specifying
3260 * the module to use. */
3261 if (!options->pkcs11_providers[0] && (options->pkcs11_id || options->pkcs11_id_management))
3262 {
3263 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3264 }
3265#endif
3266}
3267
3268static void
3269options_postprocess_verify(const struct options *o)
3270{
3271 if (o->connection_list)
3272 {
3273 int i;
3274 for (i = 0; i < o->connection_list->len; ++i)
3275 {
3276 options_postprocess_verify_ce(o, o->connection_list->array[i]);
3277 }
3278 }
3279 else
3280 {
3281 options_postprocess_verify_ce(o, &o->ce);
3282 }
3283
3284 dns_options_verify(M_FATAL, &o->dns_options);
3285
3286 if (dco_enabled(o))
3287 {
3288 if (o->enable_c2c)
3289 {
3290 msg(M_WARN, "Note: --client-to-client has no effect when using data "
3291 "channel offload: packets are always sent to the VPN "
3292 "interface and then routed based on the system routing table");
3293 }
3294
3295 if (o->renegotiate_bytes > 0 || o->renegotiate_packets)
3296 {
3297 msg(M_WARN, "Note: '--reneg-bytes' and '--reneg-pkts' are not supported "
3298 "by data channel offload; automatic key renegotiation "
3299 "mechanisms are sufficient for modern ciphers. "
3300 "Ignoring these options.");
3301 }
3302 }
3303}
3304
3305static void
3306options_postprocess_cipher(struct options *o)
3307{
3308 if (!o->pull && !(o->mode == MODE_SERVER))
3309 {
3310 /* If the cipher is not set, use the old default of BF-CBC. We will
3311 * warn that this is deprecated on cipher initialisation, no need
3312 * to warn here as well */
3313 if (!o->ciphername)
3314 {
3315 o->ciphername = "BF-CBC";
3316 }
3317 else
3318 {
3319 o->enable_ncp_fallback = true;
3320 }
3321 return;
3322 }
3323
3324 /* pull or P2MP mode */
3325 if (!o->ciphername)
3326 {
3327 /* We still need to set the ciphername to BF-CBC since various other
3328 * parts of OpenVPN assert that the ciphername is set */
3329 o->ciphername = "BF-CBC";
3330
3331 msg(M_INFO,
3332 "Note: --cipher is not set. OpenVPN versions before 2.5 "
3333 "defaulted to BF-CBC as fallback when cipher negotiation "
3334 "failed in this case. If you need this fallback please add "
3335 "'--data-ciphers-fallback BF-CBC' to your configuration "
3336 "and/or add BF-CBC to --data-ciphers. E.g. "
3337 "--data-ciphers %s:BF-CBC",
3338 o->ncp_ciphers_conf);
3339 }
3340 else if (!o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3341 {
3342 msg(M_WARN,
3343 "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3344 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3345 "negotiations. ",
3346 o->ciphername, o->ncp_ciphers_conf);
3347 }
3348}
3349
3365static bool
3366need_compatibility_before(const struct options *o, unsigned int version)
3367{
3368 return o->backwards_compatible != 0 && o->backwards_compatible < version;
3369}
3370
3375static void
3376options_set_backwards_compatible_options(struct options *o)
3377{
3378 /* TLS min version is not set */
3379 unsigned int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
3380 if (tls_ver_min == 0)
3381 {
3382 unsigned int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
3383 if (need_compatibility_before(o, 20307))
3384 {
3385 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3386 o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3387 }
3388 else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3389 {
3390 /* Use TLS 1.2 as proper default */
3391 o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3392 }
3393 else
3394 {
3395 /* Maximize the minimum version */
3396 o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3397 }
3398 }
3399
3400 if (need_compatibility_before(o, 20400))
3401 {
3402 if (!o->ciphername)
3403 {
3404 /* If ciphername is not set default to BF-CBC when targeting these
3405 * old versions that do not have NCP */
3406 o->ciphername = "BF-CBC";
3407 }
3408 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3409 * not have OCC strings required for "poor man's NCP" */
3410 o->enable_ncp_fallback = true;
3411 }
3412
3413 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3414 * Version 2.4 probably does not need it but NCP was not so
3415 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3416 * Only do this iff --cipher is set (explicitly or by compat mode
3417 * < 2.4.0, see above). This is not 100% correct backwards compatible
3418 * behaviour but 2.5 already behaved like this */
3419 if (o->ciphername && need_compatibility_before(o, 20500)
3420 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3421 {
3422 append_cipher_to_ncp_list(o, o->ciphername);
3423 }
3424
3425#ifdef USE_COMP
3426 /* Compression is deprecated and we do not want to announce support for it
3427 * by default anymore, additionally DCO breaks with compression.
3428 *
3429 * Disable compression by default starting with 2.6.0 if no other
3430 * compression related option has been explicitly set */
3431 if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
3432 {
3433 if (!comp_non_stub_enabled(&o->comp))
3434 {
3435 o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
3436 }
3437 }
3438#else /* ifdef USE_COMP */
3439 o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;
3440#endif
3441}
3442
3443static void
3444options_process_mutate_prf(struct options *o)
3445{
3446 if (!check_tls_prf_working())
3447 {
3448 msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
3449 "supported by the TLS library. Your system does not support this "
3450 "calculation anymore or your security policy (e.g. FIPS 140-2) "
3451 "forbids it. Connections will only work with peers running "
3452 "OpenVPN 2.6.0 or higher)");
3453 if (o->mode == MODE_SERVER)
3454 {
3455 msg(M_WARN, "Automatically enabling option "
3456 "--force-tls-key-material-export");
3457 o->force_key_material_export = true;
3458 }
3459 }
3460}
3461
3462#if defined(_WIN32) || defined(TARGET_ANDROID)
3471static void
3472tuntap_options_postprocess_dns(struct options *o)
3473{
3474 struct dns_options *dns = &o->dns_options;
3475 struct tuntap_options *tt = &o->tuntap_options;
3476 if (!dns->servers)
3477 {
3478 /* Copy --dhcp-options to tuntap_options */
3479 struct dhcp_options *dhcp = &dns->from_dhcp;
3480 ASSERT(sizeof(dhcp->dns) == sizeof(tt->dns));
3481 ASSERT(sizeof(dhcp->dns6) == sizeof(tt->dns6));
3482 ASSERT(sizeof(dhcp->domain_search_list) == sizeof(tt->domain_search_list));
3483
3484 tt->domain = dhcp->domain;
3485 tt->dns_len = dhcp->dns_len;
3486 tt->dns6_len = dhcp->dns6_len;
3487
3488 memcpy(tt->dns, dhcp->dns, sizeof(tt->dns));
3489 memcpy(tt->dns6, dhcp->dns6, sizeof(tt->dns6));
3490
3491 tt->domain_search_list_len = dhcp->domain_search_list_len;
3492 for (size_t i = 0; i < SIZE(tt->domain_search_list); ++i)
3493 {
3494 tt->domain_search_list[i] = dhcp->domain_search_list[i];
3495 }
3496
3497 return;
3498 }
3499
3500#if defined(_WIN32)
3501 if (tt->ip_win32_type != IPW32_SET_DHCP_MASQ && tt->ip_win32_type != IPW32_SET_ADAPTIVE)
3502 {
3503 return; /* Not in DHCP mode */
3504 }
3505#endif /* if defined(_WIN32) */
3506
3507 /* Copy --dns options to tuntap_options */
3508
3509 const struct dns_domain *d = dns->search_domains;
3510 if (d)
3511 {
3512 tt->domain_search_list_len = 0;
3513 }
3514
3515 while (d && tt->domain_search_list_len + 1 < N_SEARCH_LIST_LEN)
3516 {
3517 tt->domain_search_list[tt->domain_search_list_len++] = d->name;
3518 d = d->next;
3519 }
3520 if (d)
3521 {
3522 msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to TUN/TAP");
3523 }
3524
3525 tt->dns_len = 0;
3526 tt->dns6_len = 0;
3527
3528 const struct dns_server *s = dns->servers;
3529 while (s)
3530 {
3531 bool non_standard_server_port = false;
3532 for (size_t i = 0; i < s->addr_count; ++i)
3533 {
3534 if (s->addr[i].port && s->addr[i].port != 53)
3535 {
3536 non_standard_server_port = true;
3537 break;
3538 }
3539 }
3540 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3541 || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
3542 {
3543 /* Skip servers requiring unsupported config to be set */
3544 s = s->next;
3545 }
3546 else
3547 {
3548 bool overflow = false;
3549 for (size_t i = 0; i < s->addr_count; ++i)
3550 {
3551 if (s->addr[i].family == AF_INET && tt->dns_len + 1 < N_DHCP_ADDR)
3552 {
3553 tt->dns[tt->dns_len++] = ntohl(s->addr[i].in.a4.s_addr);
3554 }
3555 else if (tt->dns6_len + 1 < N_DHCP_ADDR)
3556 {
3557 tt->dns6[tt->dns6_len++] = s->addr[i].in.a6;
3558 }
3559 else
3560 {
3561 overflow = true;
3562 }
3563 }
3564 if (overflow)
3565 {
3566 msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to TUN/TAP");
3567 }
3568 tt->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
3569 return;
3570 }
3571 }
3572}
3573
3574#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3575
3586static void
3587dhcp_options_postprocess_dns(struct options *o, struct env_set *es)
3588{
3589 struct gc_arena gc = gc_new();
3590 struct dns_options *dns = &o->dns_options;
3591
3592 if (is_tun_afunix(o->dev_node))
3593 {
3594 /* Disable running dns-updown script with lwipovpn */
3595 dns->updown_flags = DNS_UPDOWN_NO_FLAGS;
3596 dns->updown = NULL;
3597 }
3598
3599 if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns))
3600 {
3601 /* Clean up env from --dhcp-option DNS config */
3602 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3603 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3604
3605 const int fo_count = o->foreign_option_index;
3606 o->foreign_option_index = 0;
3607
3608 for (int i = 1; i <= fo_count; ++i)
3609 {
3610 buf_clear(&name);
3611 buf_printf(&name, "foreign_option_%d", i);
3612 const char *env_str = env_set_get(es, BSTR(&name));
3613 const char *item_val = strchr(env_str, '=') + 1;
3614 buf_clear(&value);
3615 buf_printf(&value, "%s", item_val);
3616
3617 /* Remove foreign option item from env set */
3618 env_set_del(es, BSTR(&name));
3619
3620 item_val = BSTR(&value);
3621 if (strncmp(item_val, "dhcp-option ", 12) != 0
3622 || (strncmp(item_val + 12, "ADAPTER-DOMAIN-SUFFIX ", 22) != 0
3623 && strncmp(item_val + 12, "DOMAIN-SEARCH ", 14) != 0
3624 && strncmp(item_val + 12, "DOMAIN ", 7) != 0
3625 && strncmp(item_val + 12, "DNS6 ", 5) != 0
3626 && strncmp(item_val + 12, "DNS ", 4) != 0))
3627 {
3628 /* Re-set the item with potentially updated name */
3629 buf_clear(&name);
3630 buf_printf(&name, "foreign_option_%d", ++o->foreign_option_index);
3631 setenv_str(es, BSTR(&name), BSTR(&value));
3632 }
3633 }
3634 }
3635
3636 if (!dns->servers)
3637 {
3638 /* Copy --dhcp-options to dns_options */
3639 struct dhcp_options *dhcp = &dns->from_dhcp;
3640
3641 if (dhcp->dns_len || dhcp->dns6_len)
3642 {
3643 struct dns_domain **entry = &dns->search_domains;
3644 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3645 struct dns_domain *new = *entry;
3646 new->name = dhcp->domain;
3647 entry = &new->next;
3648
3649 for (unsigned int i = 0; i < dhcp->domain_search_list_len; ++i)
3650 {
3651 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3652 struct dns_domain *new = *entry;
3653 new->name = dhcp->domain_search_list[i];
3654 entry = &new->next;
3655 }
3656
3657 struct dns_server *server = dns_server_get(&dns->servers, 0, &dns->gc);
3658 const size_t max_addrs = SIZE(server->addr);
3659 for (unsigned int i = 0; i < dhcp->dns_len && server->addr_count < max_addrs; ++i)
3660 {
3661 server->addr[server->addr_count].in.a4.s_addr = htonl(dhcp->dns[i]);
3662 server->addr[server->addr_count].family = AF_INET;
3663 server->addr_count += 1;
3664 }
3665 for (unsigned int i = 0; i < dhcp->dns6_len && server->addr_count < max_addrs; ++i)
3666 {
3667 server->addr[server->addr_count].in.a6 = dhcp->dns6[i];
3668 server->addr[server->addr_count].family = AF_INET6;
3669 server->addr_count += 1;
3670 }
3671 }
3672 }
3673 else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))
3674 {
3675 /* Set foreign option env vars from --dns config */
3676 const struct dns_domain *d = dns->search_domains;
3677 while (d)
3678 {
3679 setenv_foreign_option(o, "DOMAIN", d->name, es);
3680 d = d->next;
3681 }
3682
3683 const struct dns_server *s = dns->servers;
3684 while (s)
3685 {
3686 bool non_standard_server_port = false;
3687 for (size_t i = 0; i < s->addr_count; ++i)
3688 {
3689 if (s->addr[i].port && s->addr[i].port != 53)
3690 {
3691 non_standard_server_port = true;
3692 break;
3693 }
3694 }
3695 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3696 || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
3697 {
3698 /* Skip servers requiring unsupported config to be set */
3699 s = s->next;
3700 }
3701 else
3702 {
3703 for (size_t i = 0; i < s->addr_count; ++i)
3704 {
3705 const char *option;
3706 const char *value;
3707 if (s->addr[i].family == AF_INET)
3708 {
3709 option = "DNS";
3710 value = print_in_addr_t(s->addr[i].in.a4.s_addr, IA_NET_ORDER, &gc);
3711 }
3712 else
3713 {
3714 option = "DNS6";
3715 value = print_in6_addr(s->addr[i].in.a6, 0, &gc);
3716 }
3717 setenv_foreign_option(o, option, value, es);
3718 }
3719 break;
3720 }
3721 }
3722 }
3723
3724 gc_free(&gc);
3725}
3726#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3727
3728static void
3729options_postprocess_mutate(struct options *o, struct env_set *es)
3730{
3731 int i;
3732 /*
3733 * Process helper-type options which map to other, more complex
3734 * sequences of options.
3735 */
3736 helper_client_server(o);
3737 /* must be called after helpers that might set --mode */
3738 helper_setdefault_topology(o);
3739 helper_keepalive(o);
3740 helper_tcp_nodelay(o);
3741
3742 options_postprocess_setdefault_ncpciphers(o);
3743 options_set_backwards_compatible_options(o);
3744 options_process_mutate_prf(o);
3745
3746 options_postprocess_cipher(o);
3747 o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3748 if (o->ncp_ciphers == NULL)
3749 {
3750 msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3751 }
3752
3753 if (o->remote_list && !o->connection_list)
3754 {
3755 /*
3756 * Convert remotes into connection list
3757 */
3758 const struct remote_list *rl = o->remote_list;
3759 for (i = 0; i < rl->len; ++i)
3760 {
3761 const struct remote_entry *re = rl->array[i];
3762 struct connection_entry ce = o->ce;
3763 struct connection_entry *ace;
3764
3765 ASSERT(re->remote);
3766 connection_entry_load_re(&ce, re);
3767 ace = alloc_connection_entry(o, M_USAGE);
3768 ASSERT(ace);
3769 *ace = ce;
3770 }
3771 }
3772 else if (!o->remote_list && !o->connection_list)
3773 {
3774 struct connection_entry *ace;
3775 ace = alloc_connection_entry(o, M_USAGE);
3776 ASSERT(ace);
3777 *ace = o->ce;
3778 }
3779
3780 ASSERT(o->connection_list);
3781 for (i = 0; i < o->connection_list->len; ++i)
3782 {
3783 options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3784 }
3785
3786 if (o->ce.local_list)
3787 {
3788 for (i = 0; i < o->ce.local_list->len; i++)
3789 {
3790 options_postprocess_mutate_le(&o->ce, o->ce.local_list->array[i], o->mode);
3791 }
3792
3793 for (int i = 0; i < o->ce.local_list->len; i++)
3794 {
3795 if (o->ce.local_list->array[i]->proto == PROTO_TCP)
3796 {
3797 o->ce.local_list->array[i]->proto = PROTO_TCP_SERVER;
3798 }
3799 else if (o->ce.local_list->array[i]->proto == PROTO_NONE)
3800 {
3801 o->ce.local_list->array[i]->proto = o->ce.proto;
3802 }
3803 }
3804 }
3805 else
3806 {
3807 /* if no 'local' directive was specified, convert the global port
3808 * setting to a listen entry */
3809 struct local_entry *e = alloc_local_entry(&o->ce, M_USAGE, &o->gc);
3810 ASSERT(e);
3811 e->port = o->ce.local_port;
3812 e->proto = o->ce.proto;
3813 }
3814
3815 /* use the same listen list for every outgoing connection */
3816 for (i = 0; i < o->connection_list->len; ++i)
3817 {
3818 o->connection_list->array[i]->local_list = o->ce.local_list;
3819 }
3820
3821 if (o->tls_server)
3822 {
3823 if (o->dh_file && streq(o->dh_file, "none"))
3824 {
3825 o->dh_file = NULL;
3826 }
3827 }
3828 else if (o->dh_file)
3829 {
3830 /* DH file is only meaningful in a tls-server context. */
3831 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3832 "include this in your server configuration");
3833 o->dh_file = NULL;
3834 }
3835#if ENABLE_MANAGEMENT
3836 if (o->http_proxy_override)
3837 {
3838 options_postprocess_http_proxy_override(o);
3839 }
3840#endif
3841 if (!o->ca_file && !o->ca_path && o->verify_hash && o->verify_hash_depth == 0)
3842 {
3843 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3844 "option set). ");
3845 o->verify_hash_no_ca = true;
3846 }
3847
3848 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3849 {
3850 msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3851 "incompatible with each other.");
3852 }
3853
3854 if (dco_enabled(o))
3855 {
3856 /* check if any option should force disabling DCO */
3857 o->disable_dco = !dco_check_option(D_DCO, o) || !dco_check_startup_option(D_DCO, o);
3858 }
3859#ifdef USE_COMP
3860 if (dco_enabled(o))
3861 {
3862 o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY;
3863 }
3864#endif
3865
3866#ifdef _WIN32
3867 if (dco_enabled(o))
3868 {
3869 o->windows_driver = DRIVER_DCO;
3870 }
3871 else
3872 {
3873 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3874 }
3875#else /* _WIN32 */
3876 if (dco_enabled(o) && o->dev_node)
3877 {
3878 msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3879 "data channel offload");
3880 o->dev_node = NULL;
3881 }
3882#endif /* _WIN32 */
3883
3884 /* this depends on o->windows_driver, which is set above */
3885 options_postprocess_mutate_invariant(o);
3886
3887 /* check that compression settings in the options are okay */
3888 check_compression_settings_valid(&o->comp, M_USAGE);
3889
3890 /*
3891 * Save certain parms before modifying options during connect, especially
3892 * when using --pull
3893 */
3894 if (o->pull)
3895 {
3896 dns_options_preprocess_pull(&o->dns_options);
3897 }
3898 else
3899 {
3900#if defined(_WIN32) || defined(TARGET_ANDROID)
3901 tuntap_options_postprocess_dns(o);
3902#else
3903 dhcp_options_postprocess_dns(o, es);
3904#endif
3905 }
3906 if (o->auth_token_generate && !o->auth_token_renewal)
3907 {
3908 o->auth_token_renewal = o->renegotiate_seconds;
3909 }
3910 pre_connect_save(o);
3911}
3912
3913/*
3914 * Check file/directory sanity
3915 *
3916 */
3917/* Expect people using the stripped down version to know what they do */
3918#ifndef ENABLE_SMALL
3919
3920#define CHKACC_FILE (1 << 0)
3921#define CHKACC_DIRPATH (1 << 1)
3922#define CHKACC_FILEXSTWR (1 << 2)
3923#define CHKACC_ACPTSTDIN (1 << 3)
3924#define CHKACC_PRIVATE (1 << 4)
3925#define CHKACC_ACCEPT_URI (1 << 5)
3927static bool
3928check_file_access(const int type, const char *file, const int mode, const char *opt)
3929{
3930 int errcode = 0;
3931
3932 /* If no file configured, no errors to look for */
3933 if (!file)
3934 {
3935 return false;
3936 }
3937
3938 /* If stdin is allowed and the file name is 'stdin', then do no
3939 * further checks as stdin is always available
3940 */
3941 if ((type & CHKACC_ACPTSTDIN) && streq(file, "stdin"))
3942 {
3943 return false;
3944 }
3945
3946 /* file name is a URI if its first segment has ":" (i.e., before any "/")
3947 * Then no checks done if CHKACC_ACCEPT_URI is set and the URI does not start with "file:"
3948 */
3949 if ((type & CHKACC_ACCEPT_URI) && strchr(file, ':'))
3950 {
3951 if (!strncmp(file, "file:", 5))
3952 {
3953 file += 5;
3954 }
3955 else if (!strchr(file, '/') || strchr(file, '/') > strchr(file, ':'))
3956 {
3957 return false;
3958 }
3959 }
3960
3961 /* Is the directory path leading to the given file accessible? */
3962 if (type & CHKACC_DIRPATH)
3963 {
3964 char *fullpath =
3965 string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3966 char *dirpath = dirname(fullpath);
3967
3968 if (platform_access(dirpath, mode | X_OK) != 0)
3969 {
3970 errcode = errno;
3971 }
3972 free(fullpath);
3973 }
3974
3975 /* Is the file itself accessible? */
3976 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0))
3977 {
3978 errcode = errno;
3979 }
3980
3981 /* If the file exists and is accessible, is it writable? */
3982 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0))
3983 {
3984 if (platform_access(file, W_OK) != 0)
3985 {
3986 errcode = errno;
3987 }
3988 }
3989
3990 /* Warn if a given private file is group/others accessible. */
3991 if (type & CHKACC_PRIVATE)
3992 {
3993 platform_stat_t st;
3994 if (platform_stat(file, &st))
3995 {
3996 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3997 }
3998#ifndef _WIN32
3999 else
4000 {
4001 if (st.st_mode & (S_IRWXG | S_IRWXO))
4002 {
4003 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
4004 }
4005 }
4006#endif
4007 }
4008
4009 /* Scream if an error is found */
4010 if (errcode > 0)
4011 {
4012 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
4013 }
4014
4015 /* Return true if an error occurred */
4016 return (errcode != 0 ? true : false);
4017}
4018
4019/* A wrapper for check_file_access() which also takes a chroot directory.
4020 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
4021 * otherwise it will look for the file inside the given chroot directory instead.
4022 */
4023static bool
4024check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode,
4025 const char *opt)
4026{
4027 bool ret = false;
4028
4029 /* If no file configured, no errors to look for */
4030 if (!file)
4031 {
4032 return false;
4033 }
4034
4035 /* If chroot is set, look for the file/directory inside the chroot */
4036 if (chroot)
4037 {
4038 struct gc_arena gc = gc_new();
4039 struct buffer chroot_file;
4040
4041 chroot_file = prepend_dir(chroot, file, &gc);
4042 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
4043 gc_free(&gc);
4044 }
4045 else
4046 {
4047 /* No chroot in play, just call core file check function */
4048 ret = check_file_access(type, file, mode, opt);
4049 }
4050 return ret;
4051}
4052
4057static bool
4058check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type,
4059 const char *file, const int mode, const char *opt)
4060{
4061 if (is_inline)
4062 {
4063 return false;
4064 }
4065
4066 return check_file_access_chroot(chroot, type, file, mode, opt);
4067}
4068
4073static bool
4074check_file_access_inline(bool is_inline, const int type, const char *file, const int mode,
4075 const char *opt)
4076{
4077 if (is_inline)
4078 {
4079 return false;
4080 }
4081
4082 return check_file_access(type, file, mode, opt);
4083}
4084
4085/*
4086 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
4087 * valid file with appropriate permissions.
4088 *
4089 * "command" consists of a path, optionally followed by a space, which may be
4090 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
4091 * performed.
4092 *
4093 * The path and arguments in "command" may be single- or double-quoted or escaped.
4094 *
4095 * The path is extracted from "command", then check_file_access() is called to check it. The
4096 * arguments, if any, are ignored.
4097 *
4098 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
4099 * check_file_access() arguments.
4100 */
4101static bool
4102check_cmd_access(const char *command, const char *opt, const char *chroot)
4103{
4104 struct argv argv;
4105 bool return_code;
4106
4107 /* If no command was set, there are no errors to look for */
4108 if (!command)
4109 {
4110 return false;
4111 }
4112
4113 /* Extract executable path and arguments */
4114 argv = argv_new();
4115 argv_parse_cmd(&argv, command);
4116
4117 /* if an executable is specified then check it; otherwise, complain */
4118 if (argv.argv[0])
4119 {
4120 /* Scripts requires R_OK as well, but that might fail on binaries which
4121 * only requires X_OK to function on Unix - a scenario not unlikely to
4122 * be seen on suid binaries.
4123 */
4124 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
4125 }
4126 else
4127 {
4128 msg(M_NOPREFIX | M_OPTERR, "%s fails with '%s': No path to executable.", opt, command);
4129 return_code = true;
4130 }
4131
4132 argv_free(&argv);
4133
4134 return return_code;
4135}
4136
4137/*
4138 * Sanity check of all file/dir options. Checks that file/dir
4139 * is accessible by OpenVPN
4140 */
4141static void
4142options_postprocess_filechecks(struct options *options)
4143{
4144 bool errs = false;
4145
4146 /* ** SSL/TLS/crypto related files ** */
4147 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK,
4148 "--dh");
4149
4150 if (!options->verify_hash_no_ca)
4151 {
4152 errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, options->ca_file,
4153 R_OK, "--ca");
4154 }
4155
4156 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK,
4157 "--capath");
4158
4159 errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE | CHKACC_ACCEPT_URI,
4160 options->cert_file, R_OK, "--cert");
4161
4162 errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
4163 options->extra_certs_file, R_OK, "--extra-certs");
4164
4165 if (!(options->management_flags & MF_EXTERNAL_KEY))
4166 {
4167 errs |= check_file_access_inline(options->priv_key_file_inline,
4168 CHKACC_FILE | CHKACC_PRIVATE | CHKACC_ACCEPT_URI,
4169 options->priv_key_file, R_OK, "--key");
4170 }
4171
4172 errs |= check_file_access_inline(options->pkcs12_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4173 options->pkcs12_file, R_OK, "--pkcs12");
4174
4175 if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
4176 {
4177 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file,
4178 R_OK | X_OK, "--crl-verify directory");
4179 }
4180 else
4181 {
4182 errs |=
4183 check_file_access_chroot_inline(options->crl_file_inline, options->chroot_dir,
4184 CHKACC_FILE, options->crl_file, R_OK, "--crl-verify");
4185 }
4186
4187 if (options->tls_export_peer_cert_dir)
4188 {
4189 errs |=
4190 check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4191 options->tls_export_peer_cert_dir, W_OK, "--tls-export-cert");
4192 }
4193
4194 ASSERT(options->connection_list);
4195 for (int i = 0; i < options->connection_list->len; ++i)
4196 {
4197 struct connection_entry *ce = options->connection_list->array[i];
4198
4199 errs |= check_file_access_inline(ce->tls_auth_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4200 ce->tls_auth_file, R_OK, "--tls-auth");
4201 errs |= check_file_access_inline(ce->tls_crypt_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4202 ce->tls_crypt_file, R_OK, "--tls-crypt");
4203 errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4204 ce->tls_crypt_v2_file, R_OK, "--tls-crypt-v2");
4205 }
4206
4207 errs |=
4208 check_file_access_inline(options->shared_secret_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4209 options->shared_secret_file, R_OK, "--secret");
4210
4211 errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->packet_id_file,
4212 R_OK | W_OK, "--replay-persist");
4213
4214 /* ** Password files ** */
4215 errs |= check_file_access(CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
4216 options->key_pass_file, R_OK, "--askpass");
4217#ifdef ENABLE_MANAGEMENT
4218 errs |=
4219 check_file_access(CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
4220 options->management_user_pass, R_OK, "--management user/password file");
4221#endif /* ENABLE_MANAGEMENT */
4222 errs |= check_file_access_inline(options->auth_user_pass_file_inline,
4223 CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
4224 options->auth_user_pass_file, R_OK, "--auth-user-pass");
4225 /* ** System related ** */
4226 errs |= check_file_access(CHKACC_FILE, options->chroot_dir, R_OK | X_OK, "--chroot directory");
4227 errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->writepid, R_OK | W_OK,
4228 "--writepid");
4229
4230 /* ** Log related ** */
4231 errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->status_file, R_OK | W_OK,
4232 "--status");
4233
4234 /* ** Config related ** */
4235 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4236 R_OK | X_OK, "--client-config-dir");
4237 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4238 R_OK | W_OK | X_OK, "Temporary directory (--tmp-dir)");
4239
4240 if (errs)
4241 {
4242 msg(M_USAGE, "Please correct these errors.");
4243 }
4244}
4245#endif /* !ENABLE_SMALL */
4246
4247/*
4248 * Sanity check on options.
4249 * Also set some options based on other
4250 * options.
4251 */
4252void
4253options_postprocess(struct options *options, struct env_set *es)
4254{
4255 options_postprocess_mutate(options, es);
4256 options_postprocess_verify(options);
4257#ifndef ENABLE_SMALL
4258 options_postprocess_filechecks(options);
4259#endif /* !ENABLE_SMALL */
4260}
4261
4262/*
4263 * Sanity check on options after more options were pulled from server.
4264 * Also time to modify some options based on other options.
4265 */
4266bool
4267options_postprocess_pull(struct options *o, struct env_set *es)
4268{
4269 bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4270 if (success)
4271 {
4272 dns_options_postprocess_pull(&o->dns_options);
4273#if defined(_WIN32) || defined(TARGET_ANDROID)
4274 tuntap_options_postprocess_dns(o);
4275#else
4276 dhcp_options_postprocess_dns(o, es);
4277#endif
4278 }
4279 return success;
4280}
4281
4282/*
4283 * Build an options string to represent data channel encryption options.
4284 * This string must match exactly between peers. The keysize is checked
4285 * separately by read_key().
4286 *
4287 * The following options must match on both peers:
4288 *
4289 * Tunnel options:
4290 *
4291 * --dev tun|tap [unit number need not match]
4292 * --dev-type tun|tap
4293 * --link-mtu
4294 * --udp-mtu
4295 * --tun-mtu
4296 * --proto udp
4297 * --proto tcp-client [matched with --proto tcp-server
4298 * on the other end of the connection]
4299 * --proto tcp-server [matched with --proto tcp-client on
4300 * the other end of the connection]
4301 * --tun-ipv6
4302 * --ifconfig x y [matched with --ifconfig y x on
4303 * the other end of the connection]
4304 *
4305 * --comp-lzo
4306 * --compress alg
4307 * --fragment
4308 *
4309 * Crypto Options:
4310 *
4311 * --cipher
4312 * --auth
4313 * --secret
4314 *
4315 * SSL Options:
4316 *
4317 * --tls-auth
4318 * --tls-client [matched with --tls-server on
4319 * the other end of the connection]
4320 * --tls-server [matched with --tls-client on
4321 * the other end of the connection]
4322 */
4323char *
4324options_string(const struct options *o, const struct frame *frame, struct tuntap *tt,
4325 openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
4326{
4327 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4328 bool tt_local = false;
4329
4330 buf_printf(&out, "V4");
4331
4332 /*
4333 * Tunnel Options
4334 */
4335
4336 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4337 /* the link-mtu that we send has only a meaning if have a fixed
4338 * cipher (p2p) or have a fallback cipher configured for older non
4339 * ncp clients. But not sending it will make even 2.4 complain
4340 * about it being missing. So still send it. */
4341 buf_printf(&out, ",link-mtu %u", (unsigned int)calc_options_string_link_mtu(o, frame));
4342
4343 if (o->ce.occ_mtu != 0)
4344 {
4345 buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4346 }
4347 else
4348 {
4349 buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4350 }
4351
4352 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4353
4354 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4355 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4356 * is usually pushed by the server, triggering a non-helpful warning
4357 */
4358 if (o->ifconfig_ipv6_local && p2p_nopull)
4359 {
4360 buf_printf(&out, ",tun-ipv6");
4361 }
4362
4363 /*
4364 * Try to get ifconfig parameters into the options string.
4365 * If tt is undefined, make a temporary instantiation.
4366 */
4367 if (!tt)
4368 {
4369 tt = init_tun(o->dev, o->dev_type, o->topology, o->ifconfig_local,
4370 o->ifconfig_remote_netmask, o->ifconfig_ipv6_local, o->ifconfig_ipv6_netbits,
4371 o->ifconfig_ipv6_remote, NULL, NULL, false, NULL, ctx, NULL);
4372 if (tt)
4373 {
4374 tt_local = true;
4375 }
4376 }
4377
4378 if (tt && p2p_nopull)
4379 {
4380 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4381 if (ios && strlen(ios))
4382 {
4383 buf_printf(&out, ",ifconfig %s", ios);
4384 }
4385 }
4386 if (tt_local)
4387 {
4388 free(tt);
4389 tt = NULL;
4390 }
4391
4392#ifdef USE_COMP
4393 if (o->comp.alg != COMP_ALG_UNDEF)
4394 {
4395 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression
4396 context is active, not necessarily LZO per-se */
4397 }
4398#endif
4399
4400#ifdef ENABLE_FRAGMENT
4401 if (o->ce.fragment)
4402 {
4403 buf_printf(&out, ",mtu-dynamic");
4404 }
4405#endif
4406
4407#define TLS_CLIENT (o->tls_client)
4408#define TLS_SERVER (o->tls_server)
4409
4410 /*
4411 * Key direction
4412 */
4413 {
4414 const char *kd = keydirection2ascii(o->key_direction, remote, false);
4415 if (kd)
4416 {
4417 buf_printf(&out, ",keydir %s", kd);
4418 }
4419 }
4420
4421 /*
4422 * Crypto Options
4423 */
4424 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4425 {
4426 struct key_type kt;
4427
4428 ASSERT((o->shared_secret_file != NULL) + (TLS_CLIENT == true) + (TLS_SERVER == true) <= 1);
4429
4430 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4431 * to work here in the default configuration */
4432 const char *ciphername = o->ciphername;
4433 size_t keysize = 0;
4434
4435 if (strcmp(o->ciphername, "BF-CBC") == 0)
4436 {
4437 init_key_type(&kt, "none", o->authname, true, false);
4438 keysize = 128;
4439 }
4440 else
4441 {
4442 init_key_type(&kt, o->ciphername, o->authname, true, false);
4443 ciphername = cipher_kt_name(kt.cipher);
4444 if (cipher_defined(o->ciphername))
4445 {
4446 keysize = cipher_kt_key_size(kt.cipher) * 8;
4447 }
4448 }
4449 /* Only announce the cipher to our peer if we are willing to
4450 * support it */
4451 if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4452 {
4453 buf_printf(&out, ",cipher %s", ciphername);
4454 }
4455 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4456 buf_printf(&out, ",keysize %zu", keysize);
4457 if (o->shared_secret_file)
4458 {
4459 buf_printf(&out, ",secret");
4460 }
4461 }
4462
4463 /*
4464 * SSL Options
4465 */
4466 {
4467 if (TLS_CLIENT || TLS_SERVER)
4468 {
4469 if (o->ce.tls_auth_file)
4470 {
4471 buf_printf(&out, ",tls-auth");
4472 }
4473 /* Not adding tls-crypt here, because we won't reach this code if
4474 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4475 * break stuff, so leaving that in place. */
4476
4477 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4478 }
4479
4480 if (remote)
4481 {
4482 if (TLS_CLIENT)
4483 {
4484 buf_printf(&out, ",tls-server");
4485 }
4486 else if (TLS_SERVER)
4487 {
4488 buf_printf(&out, ",tls-client");
4489 }
4490 }
4491 else
4492 {
4493 if (TLS_CLIENT)
4494 {
4495 buf_printf(&out, ",tls-client");
4496 }
4497 else if (TLS_SERVER)
4498 {
4499 buf_printf(&out, ",tls-server");
4500 }
4501 }
4502 }
4503
4504#undef TLS_CLIENT
4505#undef TLS_SERVER
4506
4507 return BSTR(&out);
4508}
4509
4510/*
4511 * Compare option strings for equality.
4512 * If the first two chars of the strings differ, it means that
4513 * we are looking at different versions of the options string,
4514 * therefore don't compare them and return true.
4515 */
4516
4517bool
4518options_cmp_equal(char *actual, const char *expected)
4519{
4520 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4521}
4522
4523void
4524options_warning(char *actual, const char *expected)
4525{
4526 options_warning_safe(actual, expected, strlen(actual) + 1);
4527}
4528
4529static const char *
4530options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
4531{
4532 struct gc_arena gc = gc_new();
4533 struct buffer b = string_alloc_buf(option_string, &gc);
4534 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4535 const char *ret;
4536
4537 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4538 ret = string_alloc(p, gc_ret);
4539 gc_free(&gc);
4540 return ret;
4541}
4542
4543static void
4544options_warning_safe_scan2(const msglvl_t msglevel, const int delim,
4545 const bool report_inconsistent, const char *p1,
4546 const struct buffer *b2_src, const char *b1_name,
4547 const char *b2_name)
4548{
4549 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4550 * OCC in a future version (because it's not useful). To reduce questions
4551 * when interoperating, we no longer printing a warning about it.
4552 */
4553 if (strprefix(p1, "key-method ") || strprefix(p1, "keydir ") || strprefix(p1, "proto ")
4554 || streq(p1, "tls-auth") || strprefix(p1, "tun-ipv6") || strprefix(p1, "cipher "))
4555 {
4556 return;
4557 }
4558
4559 if (strlen(p1) > 0)
4560 {
4561 struct gc_arena gc = gc_new();
4562 struct buffer b2 = *b2_src;
4563 const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4564 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4565
4566 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4567 {
4568 if (strlen(p2))
4569 {
4570 const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4571
4572 if (!strcmp(p1, p2))
4573 {
4574 goto done;
4575 }
4576 if (!strcmp(p1_prefix, p2_prefix))
4577 {
4578 if (report_inconsistent)
4579 {
4580 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4581 safe_print(p1_prefix, &gc), b1_name, safe_print(p1, &gc), b2_name,
4582 safe_print(p2, &gc));
4583 }
4584 goto done;
4585 }
4586 }
4587 }
4588
4589 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4590 safe_print(p1_prefix, &gc), b1_name, b2_name, b1_name, safe_print(p1, &gc));
4591
4592done:
4593 gc_free(&gc);
4594 }
4595}
4596
4597static void
4598options_warning_safe_scan1(const msglvl_t msglevel, const int delim,
4599 const bool report_inconsistent, const struct buffer *b1_src,
4600 const struct buffer *b2_src, const char *b1_name, const char *b2_name)
4601{
4602 struct gc_arena gc = gc_new();
4603 struct buffer b = *b1_src;
4604 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4605
4606 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4607 {
4608 options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name,
4609 b2_name);
4610 }
4611
4612 gc_free(&gc);
4613}
4614
4615static void
4616options_warning_safe_ml(const msglvl_t msglevel, char *actual, const char *expected, size_t actual_n)
4617{
4618 struct gc_arena gc = gc_new();
4619
4620 if (actual_n > 0)
4621 {
4622 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4623 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4624 actual[actual_n - 1] = 0;
4625
4626 buf_printf(&local, "version %s", expected);
4627 buf_printf(&remote, "version %s", actual);
4628
4629 options_warning_safe_scan1(msglevel, ',', true, &local, &remote, "local", "remote");
4630
4631 options_warning_safe_scan1(msglevel, ',', false, &remote, &local, "remote", "local");
4632 }
4633
4634 gc_free(&gc);
4635}
4636
4637bool
4638options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4639{
4640 struct gc_arena gc = gc_new();
4641 bool ret = true;
4642
4643 if (actual_n > 0)
4644 {
4645 actual[actual_n - 1] = 0;
4646 if (strncmp(actual, expected, 2))
4647 {
4648 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4649 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4650 }
4651 else
4652 {
4653 ret = !strcmp(actual, expected);
4654 }
4655 }
4656 gc_free(&gc);
4657 return ret;
4658}
4659
4660void
4661options_warning_safe(char *actual, const char *expected, size_t actual_n)
4662{
4663 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4664}
4665
4666const char *
4667options_string_version(const char *s, struct gc_arena *gc)
4668{
4669 struct buffer out = alloc_buf_gc(4, gc);
4670 strncpynt((char *)BPTR(&out), s, 3);
4671 return BSTR(&out);
4672}
4673
4674#if defined(__GNUC__) || defined(__clang__)
4675#pragma GCC diagnostic push
4676#pragma GCC diagnostic ignored "-Wsign-compare"
4677#endif
4678
4679char *
4680options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
4681{
4682 char *ret = NULL;
4683 const size_t opt_name_len = strlen(opt_name);
4684
4685 const char *p = options_string;
4686 while (p)
4687 {
4688 if (0 == strncmp(p, opt_name, opt_name_len) && strlen(p) > (opt_name_len + 1)
4689 && p[opt_name_len] == ' ')
4690 {
4691 /* option found, extract value */
4692 const char *start = &p[opt_name_len + 1];
4693 const char *end = strchr(p, ',');
4694 size_t val_len = end ? end - start : strlen(start);
4695 ret = gc_malloc(val_len + 1, true, gc);
4696 memcpy(ret, start, val_len);
4697 break;
4698 }
4699 p = strchr(p, ',');
4700 if (p)
4701 {
4702 p++; /* skip delimiter */
4703 }
4704 }
4705 return ret;
4706}
4707
4708#if defined(__GNUC__) || defined(__clang__)
4709#pragma GCC diagnostic pop
4710#endif
4711
4712/*
4713 * parse/print topology coding
4714 */
4715
4716int
4717parse_topology(const char *str, const msglvl_t msglevel)
4718{
4719 if (streq(str, "net30"))
4720 {
4721 return TOP_NET30;
4722 }
4723 else if (streq(str, "p2p"))
4724 {
4725 return TOP_P2P;
4726 }
4727 else if (streq(str, "subnet"))
4728 {
4729 return TOP_SUBNET;
4730 }
4731 else
4732 {
4733 msg(msglevel, "--topology must be net30, p2p, or subnet");
4734 return TOP_UNDEF;
4735 }
4736}
4737
4738const char *
4739print_topology(const int topology)
4740{
4741 switch (topology)
4742 {
4743 case TOP_UNDEF:
4744 return "undef";
4745
4746 case TOP_NET30:
4747 return "net30";
4748
4749 case TOP_P2P:
4750 return "p2p";
4751
4752 case TOP_SUBNET:
4753 return "subnet";
4754
4755 default:
4756 return "unknown";
4757 }
4758}
4759
4760/*
4761 * Manage auth-retry variable
4762 */
4763
4764static int global_auth_retry; /* GLOBAL */
4765
4766int
4767auth_retry_get(void)
4768{
4769 return global_auth_retry;
4770}
4771
4772bool
4773auth_retry_set(const msglvl_t msglevel, const char *option)
4774{
4775 if (streq(option, "interact"))
4776 {
4777 global_auth_retry = AR_INTERACT;
4778 }
4779 else if (streq(option, "nointeract"))
4780 {
4781 global_auth_retry = AR_NOINTERACT;
4782 }
4783 else if (streq(option, "none"))
4784 {
4785 global_auth_retry = AR_NONE;
4786 }
4787 else
4788 {
4789 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4790 return false;
4791 }
4792 return true;
4793}
4794
4795const char *
4796auth_retry_print(void)
4797{
4798 switch (global_auth_retry)
4799 {
4800 case AR_NONE:
4801 return "none";
4802
4803 case AR_NOINTERACT:
4804 return "nointeract";
4805
4806 case AR_INTERACT:
4807 return "interact";
4808
4809 default:
4810 return "???";
4811 }
4812}
4813
4814/*
4815 * Print the help message.
4816 */
4817void
4818usage(void)
4819{
4820 FILE *fp = msg_fp(0);
4821
4822#ifdef ENABLE_SMALL
4823
4824 fprintf(fp, "Usage message not available\n");
4825
4826#else
4827
4828 struct options o;
4829 init_options(&o);
4830
4831 fprintf(fp, usage_message, title_string, o.ce.connect_retry_seconds,
4832 o.ce.connect_retry_seconds_max, o.ce.local_port, o.ce.remote_port, TUN_MTU_DEFAULT,
4833 TAP_MTU_EXTRA_DEFAULT, TUN_MTU_MAX_MIN, o.verbosity, o.authname, o.replay_window,
4834 o.replay_time, o.tls_timeout, o.renegotiate_seconds, o.handshake_window,
4835 o.transition_window);
4836 fflush(fp);
4837
4838#endif /* ENABLE_SMALL */
4839
4840 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4841}
4842
4843void
4844usage_small(void)
4845{
4846 msg(M_WARN | M_NOPREFIX, "Use --help for more information.");
4847 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4848}
4849
4850#ifdef _WIN32
4851void
4852show_windows_version(const unsigned int flags)
4853{
4854 struct gc_arena gc = gc_new();
4855 msg(flags, "Windows version: %s", win32_version_string(&gc));
4856 gc_free(&gc);
4857}
4858#endif
4859
4860void
4861show_dco_version(const unsigned int flags)
4862{
4863#ifdef ENABLE_DCO
4864 struct gc_arena gc = gc_new();
4865 msg(flags, "DCO version: %s", dco_version_string(&gc));
4866 gc_free(&gc);
4867#endif
4868}
4869
4870void
4871show_library_versions(const unsigned int flags)
4872{
4873#ifdef ENABLE_LZO
4874#define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4875#else
4876#define LZO_LIB_VER_STR "", ""
4877#endif
4878
4879 msg(flags, "library versions: %s%s%s", get_ssl_library_version(), LZO_LIB_VER_STR);
4880
4881#undef LZO_LIB_VER_STR
4882}
4883
4884static void
4885usage_version(void)
4886{
4887 msg(M_INFO | M_NOPREFIX, "%s", title_string);
4888 show_library_versions(M_INFO | M_NOPREFIX);
4889#ifdef _WIN32
4890 show_windows_version(M_INFO | M_NOPREFIX);
4891#endif
4892 show_dco_version(M_INFO | M_NOPREFIX);
4893 msg(M_INFO | M_NOPREFIX, "Originally developed by James Yonan");
4894 msg(M_INFO | M_NOPREFIX, "Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>");
4895#ifndef ENABLE_SMALL
4896#ifdef CONFIGURE_DEFINES
4897 msg(M_INFO | M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4898#endif
4899#ifdef CONFIGURE_SPECIAL_BUILD
4900 msg(M_INFO | M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4901#endif
4902#endif
4903 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4904}
4905
4906void
4907notnull(const char *arg, const char *description)
4908{
4909 if (!arg)
4910 {
4911 msg(M_USAGE, "You must define %s", description);
4912 }
4913}
4914
4915bool
4916string_defined_equal(const char *s1, const char *s2)
4917{
4918 if (s1 && s2)
4919 {
4920 return !strcmp(s1, s2);
4921 }
4922 else
4923 {
4924 return false;
4925 }
4926}
4927
4928#if 0
4929static void
4930ping_rec_err(msglvl_t msglevel)
4931{
4932 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4933}
4934#endif
4935
4936#ifdef _WIN32 /* This function is only used when compiling on Windows */
4937static unsigned int
4938atou(const char *str)
4939{
4940 unsigned int val = 0;
4941 sscanf(str, "%u", &val);
4942 return val;
4943}
4944#endif
4945
4946#define VERIFY_PERMISSION(mask) \
4947 { \
4948 if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, \
4949 msglevel, options, is_inline)) \
4950 { \
4951 goto err; \
4952 } \
4953 }
4954
4955static bool
4956verify_permission(const char *name, const char *file, int line, const unsigned int type,
4957 const unsigned int allowed, unsigned int *found, const msglvl_t msglevel,
4958 struct options *options, bool is_inline)
4959{
4960 if (!(type & allowed))
4961 {
4962 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
4963 return false;
4964 }
4965
4966 if (is_inline && !(type & OPT_P_INLINE))
4967 {
4968 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name, file, line);
4969 return false;
4970 }
4971
4972 if (found)
4973 {
4974 *found |= type;
4975 }
4976
4977#ifndef ENABLE_SMALL
4978 /* Check if this options is allowed in connection block,
4979 * but we are currently not in a connection block
4980 * unless this is a pushed option.
4981 * Parsing a connection block uses a temporary options struct without
4982 * connection_list
4983 */
4984
4985 if ((type & OPT_P_CONNECTION) && options->connection_list && !(allowed & OPT_P_PULL_MODE))
4986 {
4987 if (file)
4988 {
4989 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name,
4990 file, line);
4991 }
4992 else
4993 {
4994 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
4995 }
4996 }
4997#endif
4998 return true;
4999}
5000
5001/*
5002 * Check that an option doesn't have too
5003 * many parameters.
5004 */
5005
5006#define NM_QUOTE_HINT (1 << 0)
5007
5008static bool
5009no_more_than_n_args(const msglvl_t msglevel, char *p[], const int max, const unsigned int flags)
5010{
5011 const int len = string_array_len((const char **)p);
5012
5013 if (!len)
5014 {
5015 return false;
5016 }
5017
5018 if (len > max)
5019 {
5020 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s", p[0], max - 1,
5021 max >= 3 ? "s" : "",
5022 (flags & NM_QUOTE_HINT)
5023 ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")."
5024 : "");
5025 return false;
5026 }
5027 else
5028 {
5029 return true;
5030 }
5031}
5032
5033static inline msglvl_t
5034msglevel_forward_compatible(struct options *options, const msglvl_t msglevel)
5035{
5036 return options->forward_compatible ? M_WARN : msglevel;
5037}
5038
5039#define RESET_OPTION_ROUTES(option_ptr, field) \
5040 if (option_ptr) \
5041 { \
5042 option_ptr->field = NULL; \
5043 option_ptr->flags = 0; \
5044 }
5045
5046void
5047remove_option(struct context *c, struct options *options, char *p[], bool is_inline,
5048 const char *file, int line, const msglvl_t msglevel,
5049 const unsigned int permission_mask, unsigned int *option_types_found,
5050 struct env_set *es)
5051{
5052 msglvl_t msglevel_fc = msglevel_forward_compatible(options, msglevel);
5053
5054 if (streq(p[0], "ifconfig") && !p[1])
5055 {
5056 VERIFY_PERMISSION(OPT_P_UP);
5057 options->ifconfig_local = NULL;
5058 options->ifconfig_remote_netmask = NULL;
5059 }
5060 else if (streq(p[0], "ifconfig-ipv6") && !p[1])
5061 {
5062 VERIFY_PERMISSION(OPT_P_UP);
5063 options->ifconfig_ipv6_local = NULL;
5064 options->ifconfig_ipv6_netbits = 0;
5065 options->ifconfig_ipv6_remote = NULL;
5066 }
5067 else if (streq(p[0], "route") && !p[1])
5068 {
5069 VERIFY_PERMISSION(OPT_P_ROUTE);
5070 if (c->c1.route_list)
5071 {
5072 delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), es,
5073 &c->net_ctx);
5074 RESET_OPTION_ROUTES(options->routes, routes);
5075 }
5076 }
5077 else if (streq(p[0], "route-ipv6") && !p[1])
5078 {
5079 VERIFY_PERMISSION(OPT_P_ROUTE);
5080 if (c->c1.route_ipv6_list)
5081 {
5082 delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
5083 es, &c->net_ctx);
5084 RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6);
5085 }
5086 }
5087 else if (streq(p[0], "route-gateway") && !p[1])
5088 {
5089 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
5090 options->route_gateway_via_dhcp = false;
5091 options->route_default_gateway = NULL;
5092 }
5093 else if (streq(p[0], "route-metric") && !p[1])
5094 {
5095 VERIFY_PERMISSION(OPT_P_ROUTE);
5096 options->route_default_metric = 0;
5097 }
5098 else if (streq(p[0], "push-continuation") && !p[1])
5099 {
5100 VERIFY_PERMISSION(OPT_P_PULL_MODE);
5101 options->push_continuation = 0;
5102 }
5103 else if ((streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private")) && !p[1])
5104 {
5105 VERIFY_PERMISSION(OPT_P_ROUTE);
5106 if (options->routes)
5107 {
5108 options->routes->flags = 0;
5109 }
5110 if (options->routes_ipv6)
5111 {
5112 options->routes_ipv6->flags = 0;
5113 }
5114 env_set_del(es, "route_redirect_gateway_ipv4");
5115 env_set_del(es, "route_redirect_gateway_ipv6");
5116 }
5117 else if (streq(p[0], "dns") && !p[1])
5118 {
5119 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5120 gc_free(&options->dns_options.gc);
5121 CLEAR(options->dns_options);
5122 }
5123 else if (streq(p[0], "topology") && !p[1])
5124 {
5125 VERIFY_PERMISSION(OPT_P_UP);
5126 options->topology = TOP_UNDEF;
5127 helper_setdefault_topology(options);
5128 }
5129 else if (streq(p[0], "tun-mtu") && !p[1])
5130 {
5131 VERIFY_PERMISSION(OPT_P_PUSH_MTU | OPT_P_CONNECTION);
5132 options->ce.tun_mtu = TUN_MTU_DEFAULT;
5133 options->ce.tun_mtu_defined = false;
5134 options->ce.occ_mtu = 0;
5135 }
5136 else if (streq(p[0], "block-ipv6") && !p[1])
5137 {
5138 VERIFY_PERMISSION(OPT_P_ROUTE);
5139 options->block_ipv6 = false;
5140 }
5141#if defined(_WIN32) || defined(TARGET_ANDROID)
5142 else if (streq(p[0], "dhcp-option") && !p[1])
5143 {
5144 struct tuntap_options *o = &options->tuntap_options;
5145 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5146
5147 o->domain = NULL;
5148 o->netbios_scope = NULL;
5149 o->netbios_node_type = 0;
5150 o->dns6_len = 0;
5151 memset(o->dns6, 0, sizeof(o->dns6));
5152 o->dns_len = 0;
5153 memset(o->dns, 0, sizeof(o->dns));
5154 o->wins_len = 0;
5155 memset(o->wins, 0, sizeof(o->wins));
5156 o->ntp_len = 0;
5157 memset(o->ntp, 0, sizeof(o->ntp));
5158 o->nbdd_len = 0;
5159 memset(o->nbdd, 0, sizeof(o->nbdd));
5160 while (o->domain_search_list_len-- > 0)
5161 {
5162 o->domain_search_list[o->domain_search_list_len] = NULL;
5163 }
5164 o->disable_nbt = 0;
5165 o->dhcp_options = 0;
5166#if defined(TARGET_ANDROID)
5167 o->http_proxy_port = 0;
5168 o->http_proxy = NULL;
5169#endif
5170 }
5171#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
5172#ifdef _WIN32
5173 else if (streq(p[0], "block-outside-dns") && !p[1])
5174 {
5175 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5176 options->block_outside_dns = false;
5177 }
5178#else /* ifdef _WIN32 */
5179 else if (streq(p[0], "dhcp-option") && !p[1])
5180 {
5181 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5182 delete_all_dhcp_fo(options, &es->list);
5183 }
5184#endif
5185 else
5186 {
5187 msglvl_t msglevel_unknown = msglevel_fc;
5188 /* Check if an option is in --ignore-unknown-option and
5189 * set warning level to non fatal */
5190 for (int i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
5191 {
5192 if (streq(p[0], options->ignore_unknown_option[i]))
5193 {
5194 msglevel_unknown = M_WARN;
5195 break;
5196 }
5197 }
5198 msg(msglevel_unknown,
5199 "Unrecognized option or missing or extra parameter(s) in %s:%d: -%s (%s)", file, line,
5200 p[0], PACKAGE_VERSION);
5201 }
5202 return;
5203err:
5204 msg(msglevel, "Error occurred trying to remove %s option", p[0]);
5205}
5206
5207
5208static bool
5209check_route_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5210{
5211 rol_check_alloc(options);
5212 if (pull_mode)
5213 {
5214 if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
5215 && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
5216 {
5217 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
5218 return false;
5219 }
5220 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
5221 {
5222 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
5223 return false;
5224 }
5225 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn)
5226 && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
5227 {
5228 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
5229 return false;
5230 }
5231 }
5232 return true;
5233}
5234
5235
5236static bool
5237check_route6_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5238{
5239 rol6_check_alloc(options);
5240 if (pull_mode)
5241 {
5242 if (!ipv6_addr_safe_hexplusbits(p[1]))
5243 {
5244 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
5245 return false;
5246 }
5247 if (p[2] && !ipv6_addr_safe(p[2]))
5248 {
5249 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
5250 return false;
5251 }
5252 /* p[3] is metric, if present */
5253 }
5254 return true;
5255}
5256
5257static bool
5258check_dns_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5259{
5260 if (streq(p[1], "search-domains") && p[2])
5261 {
5262 if (!dns_domain_list_append(&options->dns_options.search_domains, &p[2],
5263 &options->dns_options.gc))
5264 {
5265 msg(msglevel, "--dns %s contain invalid characters", p[1]);
5266 return false;
5267 }
5268 }
5269 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
5270 {
5271 long priority;
5272 if (!dns_server_priority_parse(&priority, p[2], pull_mode))
5273 {
5274 msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
5275 return false;
5276 }
5277
5278 struct dns_server *server =
5279 dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
5280
5281 if (streq(p[3], "address") && p[4])
5282 {
5283 for (int i = 4; p[i]; ++i)
5284 {
5285 if (!dns_server_addr_parse(server, p[i]))
5286 {
5287 msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'",
5288 priority, p[i]);
5289 return false;
5290 }
5291 }
5292 }
5293 else if (streq(p[3], "resolve-domains"))
5294 {
5295 if (!dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc))
5296 {
5297 msg(msglevel, "--dns server %ld: %s contain invalid characters", priority, p[3]);
5298 return false;
5299 }
5300 }
5301 else if (streq(p[3], "dnssec") && !p[5])
5302 {
5303 if (streq(p[4], "yes"))
5304 {
5305 server->dnssec = DNS_SECURITY_YES;
5306 }
5307 else if (streq(p[4], "no"))
5308 {
5309 server->dnssec = DNS_SECURITY_NO;
5310 }
5311 else if (streq(p[4], "optional"))
5312 {
5313 server->dnssec = DNS_SECURITY_OPTIONAL;
5314 }
5315 else
5316 {
5317 msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
5318 return false;
5319 }
5320 }
5321 else if (streq(p[3], "transport") && !p[5])
5322 {
5323 if (streq(p[4], "plain"))
5324 {
5325 server->transport = DNS_TRANSPORT_PLAIN;
5326 }
5327 else if (streq(p[4], "DoH"))
5328 {
5329 server->transport = DNS_TRANSPORT_HTTPS;
5330 }
5331 else if (streq(p[4], "DoT"))
5332 {
5333 server->transport = DNS_TRANSPORT_TLS;
5334 }
5335 else
5336 {
5337 msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
5338 return false;
5339 }
5340 }
5341 else if (streq(p[3], "sni") && !p[5])
5342 {
5343 if (!validate_domain(p[4]))
5344 {
5345 msg(msglevel, "--dns server %ld: %s contains invalid characters", priority, p[3]);
5346 return false;
5347 }
5348 server->sni = p[4];
5349 }
5350 else
5351 {
5352 msg(msglevel,
5353 "--dns server %ld: unknown option type '%s' or missing or unknown parameter",
5354 priority, p[3]);
5355 return false;
5356 }
5357 }
5358 else
5359 {
5360 msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
5361 return false;
5362 }
5363 return true;
5364}
5365
5366void
5367update_option(struct context *c, struct options *options, char *p[], bool is_inline,
5368 const char *file, int line, const int level, const msglvl_t msglevel,
5369 const unsigned int permission_mask, unsigned int *option_types_found,
5370 struct env_set *es)
5371{
5372 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5373 ASSERT(MAX_PARMS >= 7);
5374
5375 if (streq(p[0], "route") && p[1] && !p[5])
5376 {
5377 if (!(options->push_update_options_found & OPT_P_U_ROUTE))
5378 {
5379 VERIFY_PERMISSION(OPT_P_ROUTE);
5380 if (!check_route_option(options, p, msglevel, pull_mode))
5381 {
5382 goto err;
5383 }
5384 if (c->c1.route_list)
5385 {
5386 delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
5387 es, &c->net_ctx);
5388 RESET_OPTION_ROUTES(options->routes, routes);
5389 }
5390 options->push_update_options_found |= OPT_P_U_ROUTE;
5391 }
5392 }
5393 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
5394 {
5395 if (!(options->push_update_options_found & OPT_P_U_ROUTE6))
5396 {
5397 VERIFY_PERMISSION(OPT_P_ROUTE);
5398 if (!check_route6_option(options, p, msglevel, pull_mode))
5399 {
5400 goto err;
5401 }
5402 if (c->c1.route_ipv6_list)
5403 {
5404 delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap,
5405 ROUTE_OPTION_FLAGS(&c->options), es, &c->net_ctx);
5406 RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6);
5407 }
5408 options->push_update_options_found |= OPT_P_U_ROUTE6;
5409 }
5410 }
5411 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
5412 {
5413 if (!(options->push_update_options_found & OPT_P_U_REDIR_GATEWAY))
5414 {
5415 VERIFY_PERMISSION(OPT_P_ROUTE);
5416 if (options->routes)
5417 {
5418 options->routes->flags = 0;
5419 }
5420 if (options->routes_ipv6)
5421 {
5422 options->routes_ipv6->flags = 0;
5423 }
5424 env_set_del(es, "route_redirect_gateway_ipv4");
5425 env_set_del(es, "route_redirect_gateway_ipv6");
5426 options->push_update_options_found |= OPT_P_U_REDIR_GATEWAY;
5427 }
5428 }
5429 else if (streq(p[0], "dns") && p[1])
5430 {
5431 if (!(options->push_update_options_found & OPT_P_U_DNS))
5432 {
5433 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5434 if (!check_dns_option(options, p, msglevel, pull_mode))
5435 {
5436 goto err;
5437 }
5438 gc_free(&options->dns_options.gc);
5439 CLEAR(options->dns_options);
5440 options->push_update_options_found |= OPT_P_U_DNS;
5441 }
5442 }
5443#if defined(_WIN32) || defined(TARGET_ANDROID)
5444 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
5445 {
5446 if (!(options->push_update_options_found & OPT_P_U_DHCP))
5447 {
5448 struct tuntap_options *o = &options->tuntap_options;
5449 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5450
5451 o->domain = NULL;
5452 o->netbios_scope = NULL;
5453 o->netbios_node_type = 0;
5454 o->dns6_len = 0;
5455 CLEAR(o->dns6);
5456 o->dns_len = 0;
5457 CLEAR(o->dns);
5458 o->wins_len = 0;
5459 CLEAR(o->wins);
5460 o->ntp_len = 0;
5461 CLEAR(o->ntp);
5462 o->nbdd_len = 0;
5463 CLEAR(o->nbdd);
5464 while (o->domain_search_list_len-- > 0)
5465 {
5466 o->domain_search_list[o->domain_search_list_len] = NULL;
5467 }
5468 o->disable_nbt = 0;
5469 o->dhcp_options = 0;
5470
5471 CLEAR(options->dns_options.from_dhcp);
5472#if defined(TARGET_ANDROID)
5473 o->http_proxy_port = 0;
5474 o->http_proxy = NULL;
5475#endif
5476 options->push_update_options_found |= OPT_P_U_DHCP;
5477 }
5478 }
5479#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
5480 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
5481 {
5482 if (!(options->push_update_options_found & OPT_P_U_DHCP))
5483 {
5484 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5485 delete_all_dhcp_fo(options, &es->list);
5486 options->push_update_options_found |= OPT_P_U_DHCP;
5487 }
5488 }
5489#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
5490 add_option(options, p, is_inline, file, line, level, msglevel, permission_mask,
5491 option_types_found, es);
5492 return;
5493err:
5494 msg(msglevel, "Error occurred trying to update %s option", p[0]);
5495}
5496
5497static void
5498set_user_script(struct options *options, const char **script, const char *new_script,
5499 const char *type, bool in_chroot)
5500{
5501 if (*script)
5502 {
5503 msg(M_WARN,
5504 "Multiple --%s scripts defined. "
5505 "The previously configured script is overridden.",
5506 type);
5507 }
5508 *script = new_script;
5509 options->user_script_used = true;
5510
5511#ifndef ENABLE_SMALL
5512 {
5513 char script_name[100];
5514 snprintf(script_name, sizeof(script_name), "--%s script", type);
5515
5516 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5517 {
5518 msg(M_USAGE, "Please correct this error.");
5519 }
5520 }
5521#endif
5522}
5523
5524static void
5525show_compression_warning(struct compress_options *info)
5526{
5527 if (comp_non_stub_enabled(info))
5528 {
5529 msg(M_WARN, "WARNING: Compression for receiving enabled. "
5530 "Compression has been used in the past to break encryption. "
5531 "Compression support is deprecated and we recommend to disable "
5532 "it completely.");
5533 }
5534}
5535
5536bool
5537key_is_external(const struct options *options)
5538{
5539 bool ret = false;
5540 ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5541#ifdef ENABLE_PKCS11
5542 ret = ret || (options->pkcs11_providers[0] != NULL);
5543#endif
5544#ifdef ENABLE_CRYPTOAPI
5545 ret = ret || options->cryptoapi_cert;
5546#endif
5547
5548 return ret;
5549}
5550
5551#if defined(__GNUC__) || defined(__clang__)
5552#pragma GCC diagnostic push
5553#pragma GCC diagnostic ignored "-Wsign-compare"
5554#endif
5555
5556void
5557add_option(struct options *options, char *p[], bool is_inline, const char *file, int line,
5558 const int level, const msglvl_t msglevel, const unsigned int permission_mask,
5559 unsigned int *option_types_found, struct env_set *es)
5560{
5561 struct gc_arena gc = gc_new();
5562 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5563 msglvl_t msglevel_fc = msglevel_forward_compatible(options, msglevel);
5564
5565 ASSERT(MAX_PARMS >= 7);
5566
5567 /*
5568 * If directive begins with "setenv opt" prefix, don't raise an error if
5569 * directive is unrecognized.
5570 */
5571 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5572 {
5573 if (!p[2])
5574 {
5575 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5576 }
5577 p += 2;
5578 msglevel_fc = M_WARN;
5579 }
5580
5581 if (!file)
5582 {
5583 file = "[CMD-LINE]";
5584 line = 1;
5585 }
5586 if (streq(p[0], "help"))
5587 {
5588 VERIFY_PERMISSION(OPT_P_GENERAL);
5589 usage();
5590 if (p[1])
5591 {
5592 msg(msglevel, "--help does not accept any parameters");
5593 goto err;
5594 }
5595 }
5596 if (streq(p[0], "version") && !p[1])
5597 {
5598 VERIFY_PERMISSION(OPT_P_GENERAL);
5599 usage_version();
5600 }
5601 else if (streq(p[0], "config") && p[1] && !p[2])
5602 {
5603 VERIFY_PERMISSION(OPT_P_CONFIG);
5604
5605 /* save first config file only in options */
5606 if (!options->config)
5607 {
5608 options->config = p[1];
5609 }
5610
5611 read_config_file(options, p[1], level, file, line, msglevel, permission_mask,
5612 option_types_found, es);
5613 }
5614#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5615 else if (streq(p[0], "show-gateway") && !p[2])
5616 {
5617 struct route_gateway_info rgi;
5618 struct route_ipv6_gateway_info rgi6;
5619 in_addr_t remote_ipv4 = 0;
5620 struct in6_addr remote_ipv6 = IN6ADDR_ANY_INIT;
5621 openvpn_net_ctx_t net_ctx;
5622 VERIFY_PERMISSION(OPT_P_GENERAL);
5623 if (p[1])
5624 {
5625 /* try parsing the argument as a v4 or v6 address - if
5626 * possible, the output will show the exact route there, and
5627 * "the default route" for the other protocol
5628 */
5629 remote_ipv4 = get_ip_addr(p[1], M_WARN, NULL);
5630 get_ipv6_addr(p[1], &remote_ipv6, NULL, M_WARN);
5631 }
5632 net_ctx_init(NULL, &net_ctx);
5633 get_default_gateway(&rgi, remote_ipv4, &net_ctx);
5634 get_default_gateway_ipv6(&rgi6, &remote_ipv6, &net_ctx);
5635 print_default_gateway(M_INFO, &rgi, &rgi6);
5636 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5637 }
5638#endif
5639 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5640 {
5641 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5642 int j;
5643 bool good = true;
5644
5645 VERIFY_PERMISSION(OPT_P_ECHO);
5646
5647 for (j = 1; j < MAX_PARMS; ++j)
5648 {
5649 if (!p[j])
5650 {
5651 break;
5652 }
5653 if (j > 1)
5654 {
5655 good &= buf_printf(&string, " ");
5656 }
5657 good &= buf_printf(&string, "%s", p[j]);
5658 }
5659 if (good)
5660 {
5661 /* only message-related ECHO are logged, since other ECHOs
5662 * can potentially include security-sensitive strings */
5663 if (p[1] && strncmp(p[1], "msg", 3) == 0)
5664 {
5665 msg(M_INFO, "%s:%s", pull_mode ? "ECHO-PULL" : "ECHO", BSTR(&string));
5666 }
5667#ifdef ENABLE_MANAGEMENT
5668 if (management)
5669 {
5670 management_echo(management, BSTR(&string), pull_mode);
5671 }
5672#endif
5673 }
5674 else
5675 {
5676 msg(M_WARN, "echo/parameter option overflow");
5677 }
5678 }
5679#ifdef ENABLE_MANAGEMENT
5680 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5681 {
5682 VERIFY_PERMISSION(OPT_P_GENERAL);
5683 if (streq(p[2], "unix"))
5684 {
5685#if UNIX_SOCK_SUPPORT
5686 options->management_flags |= MF_UNIX_SOCK;
5687#else
5688 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5689 goto err;
5690#endif
5691 }
5692
5693 options->management_addr = p[1];
5694 options->management_port = p[2];
5695 if (p[3])
5696 {
5697 options->management_user_pass = p[3];
5698 }
5699 }
5700 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5701 {
5702 VERIFY_PERMISSION(OPT_P_GENERAL);
5703 options->management_client_user = p[1];
5704 }
5705 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5706 {
5707 VERIFY_PERMISSION(OPT_P_GENERAL);
5708 options->management_client_group = p[1];
5709 }
5710 else if (streq(p[0], "management-query-passwords") && !p[1])
5711 {
5712 VERIFY_PERMISSION(OPT_P_GENERAL);
5713 options->management_flags |= MF_QUERY_PASSWORDS;
5714 }
5715 else if (streq(p[0], "management-query-remote") && !p[1])
5716 {
5717 VERIFY_PERMISSION(OPT_P_GENERAL);
5718 options->management_flags |= MF_QUERY_REMOTE;
5719 }
5720 else if (streq(p[0], "management-query-proxy") && !p[1])
5721 {
5722 VERIFY_PERMISSION(OPT_P_GENERAL);
5723 options->management_flags |= MF_QUERY_PROXY;
5724 }
5725 else if (streq(p[0], "management-hold") && !p[1])
5726 {
5727 VERIFY_PERMISSION(OPT_P_GENERAL);
5728 options->management_flags |= MF_HOLD;
5729 }
5730 else if (streq(p[0], "management-signal") && !p[1])
5731 {
5732 VERIFY_PERMISSION(OPT_P_GENERAL);
5733 options->management_flags |= MF_SIGNAL;
5734 }
5735 else if (streq(p[0], "management-forget-disconnect") && !p[1])
5736 {
5737 VERIFY_PERMISSION(OPT_P_GENERAL);
5738 options->management_flags |= MF_FORGET_DISCONNECT;
5739 }
5740 else if (streq(p[0], "management-up-down") && !p[1])
5741 {
5742 VERIFY_PERMISSION(OPT_P_GENERAL);
5743 options->management_flags |= MF_UP_DOWN;
5744 }
5745 else if (streq(p[0], "management-client") && !p[1])
5746 {
5747 VERIFY_PERMISSION(OPT_P_GENERAL);
5748 options->management_flags |= MF_CONNECT_AS_CLIENT;
5749 }
5750 else if (streq(p[0], "management-external-key"))
5751 {
5752 VERIFY_PERMISSION(OPT_P_GENERAL);
5753 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5754 {
5755 if (streq(p[j], "nopadding"))
5756 {
5757 options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
5758 }
5759 else if (streq(p[j], "pkcs1"))
5760 {
5761 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5762 }
5763 else if (streq(p[j], "pss"))
5764 {
5765 options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
5766 }
5767 else if (streq(p[j], "digest"))
5768 {
5769 options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
5770 }
5771 else
5772 {
5773 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5774 }
5775 }
5776 /*
5777 * When no option is present, assume that only PKCS1
5778 * padding is supported
5779 */
5780 if (!(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
5781 {
5782 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5783 }
5784 options->management_flags |= MF_EXTERNAL_KEY;
5785 }
5786 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5787 {
5788 VERIFY_PERMISSION(OPT_P_GENERAL);
5789 options->management_flags |= MF_EXTERNAL_CERT;
5790 options->management_certificate = p[1];
5791 }
5792 else if (streq(p[0], "management-client-auth") && !p[1])
5793 {
5794 VERIFY_PERMISSION(OPT_P_GENERAL);
5795 options->management_flags |= MF_CLIENT_AUTH;
5796 }
5797 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5798 {
5799 VERIFY_PERMISSION(OPT_P_GENERAL);
5800 if (!atoi_constrained(p[1], &options->management_log_history_cache,
5801 p[0], 1, INT_MAX, msglevel))
5802 {
5803 goto err;
5804 }
5805 }
5806#endif /* ifdef ENABLE_MANAGEMENT */
5807#ifdef ENABLE_PLUGIN
5808 else if (streq(p[0], "plugin") && p[1])
5809 {
5810 VERIFY_PERMISSION(OPT_P_PLUGIN);
5811 if (!options->plugin_list)
5812 {
5813 options->plugin_list = plugin_option_list_new(&options->gc);
5814 }
5815 if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5816 {
5817 msg(msglevel, "plugin add failed: %s", p[1]);
5818 goto err;
5819 }
5820 }
5821#endif
5822 else if (streq(p[0], "mode") && p[1] && !p[2])
5823 {
5824 VERIFY_PERMISSION(OPT_P_GENERAL);
5825 if (streq(p[1], "p2p"))
5826 {
5827 options->mode = MODE_POINT_TO_POINT;
5828 }
5829 else if (streq(p[1], "server"))
5830 {
5831 options->mode = MODE_SERVER;
5832 }
5833 else
5834 {
5835 msg(msglevel, "Bad --mode parameter: %s", p[1]);
5836 goto err;
5837 }
5838 }
5839 else if (streq(p[0], "dev") && p[1] && !p[2])
5840 {
5841 VERIFY_PERMISSION(OPT_P_GENERAL);
5842 options->dev = p[1];
5843 }
5844 else if (streq(p[0], "dev-type") && p[1] && !p[2])
5845 {
5846 VERIFY_PERMISSION(OPT_P_GENERAL);
5847 options->dev_type = p[1];
5848 }
5849#ifdef _WIN32
5850 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
5851 {
5852 VERIFY_PERMISSION(OPT_P_GENERAL);
5853 msg(M_WARN,
5854 "DEPRECATED OPTION: windows-driver: In OpenVPN 2.7, the default Windows driver is ovpn-dco. "
5855 "If incompatible options are used, OpenVPN will fall back to tap-windows6. Wintun support has been removed.");
5856 }
5857#endif
5858 else if (streq(p[0], "disable-dco"))
5859 {
5860 options->disable_dco = true;
5861 }
5862 else if (streq(p[0], "dev-node") && p[1] && !p[2])
5863 {
5864 VERIFY_PERMISSION(OPT_P_GENERAL);
5865 options->dev_node = p[1];
5866 }
5867 else if (streq(p[0], "lladdr") && p[1] && !p[2])
5868 {
5869 VERIFY_PERMISSION(OPT_P_UP);
5870 if (mac_addr_safe(p[1])) /* MAC address only */
5871 {
5872 options->lladdr = p[1];
5873 }
5874 else
5875 {
5876 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5877 goto err;
5878 }
5879 }
5880 else if (streq(p[0], "topology") && p[1] && !p[2])
5881 {
5882 VERIFY_PERMISSION(OPT_P_UP);
5883 options->topology = parse_topology(p[1], msglevel);
5884 }
5885 else if (streq(p[0], "tun-ipv6") && !p[1])
5886 {
5887 if (!pull_mode)
5888 {
5889 msg(M_WARN,
5890 "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5891 }
5892 }
5893#ifdef ENABLE_IPROUTE
5894 else if (streq(p[0], "iproute") && p[1] && !p[2])
5895 {
5896 VERIFY_PERMISSION(OPT_P_GENERAL);
5897 iproute_path = p[1];
5898 }
5899#endif
5900 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5901 {
5902 VERIFY_PERMISSION(OPT_P_UP);
5903 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
5904 && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5905 {
5906 options->ifconfig_local = p[1];
5907 options->ifconfig_remote_netmask = p[2];
5908 }
5909 else
5910 {
5911 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5912 goto err;
5913 }
5914 }
5915 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
5916 {
5917 unsigned int netbits;
5918
5919 VERIFY_PERMISSION(OPT_P_UP);
5920 if (get_ipv6_addr(p[1], NULL, &netbits, msglevel) && ipv6_addr_safe(p[2]))
5921 {
5922 if (netbits < 64 || netbits > 124)
5923 {
5924 msg(msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'",
5925 netbits);
5926 goto err;
5927 }
5928
5929 options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
5930 options->ifconfig_ipv6_netbits = netbits;
5931 options->ifconfig_ipv6_remote = p[2];
5932 }
5933 else
5934 {
5935 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5936 goto err;
5937 }
5938 }
5939 else if (streq(p[0], "ifconfig-noexec") && !p[1])
5940 {
5941 VERIFY_PERMISSION(OPT_P_UP);
5942 options->ifconfig_noexec = true;
5943 }
5944 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
5945 {
5946 VERIFY_PERMISSION(OPT_P_UP);
5947 options->ifconfig_nowarn = true;
5948 }
5949 else if (streq(p[0], "local") && p[1] && !p[4])
5950 {
5951 struct local_entry *e;
5952
5953 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
5954
5955 e = alloc_local_entry(&options->ce, M_USAGE, &options->gc);
5956 ASSERT(e);
5957
5958 /* '*' is treated as 'ask the system to get some socket',
5959 * therefore force binding on a particular address only when
5960 * actually specified. */
5961 if (strcmp(p[1], "*") != 0)
5962 {
5963 e->local = p[1];
5964 }
5965
5966 if (p[2])
5967 {
5968 e->port = p[2];
5969 }
5970
5971 if (p[3])
5972 {
5973 e->proto = ascii2proto(p[3]);
5974 }
5975 }
5976 else if (streq(p[0], "remote-random") && !p[1])
5977 {
5978 VERIFY_PERMISSION(OPT_P_GENERAL);
5979 options->remote_random = true;
5980 }
5981 else if (streq(p[0], "connection") && p[1] && !p[3])
5982 {
5983 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
5984 if (is_inline)
5985 {
5986 struct options sub;
5987 struct connection_entry *e;
5988
5989 init_options(&sub);
5990 sub.ce = options->ce;
5991 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel, OPT_P_CONNECTION,
5992 option_types_found, es);
5993 if (!sub.ce.remote)
5994 {
5995 msg(msglevel,
5996 "Each 'connection' block must contain exactly one 'remote' directive");
5997 uninit_options(&sub);
5998 goto err;
5999 }
6000
6001 e = alloc_connection_entry(options, msglevel);
6002 if (!e)
6003 {
6004 uninit_options(&sub);
6005 goto err;
6006 }
6007 *e = sub.ce;
6008 gc_transfer(&options->gc, &sub.gc);
6009 uninit_options(&sub);
6010 }
6011 }
6012 else if (streq(p[0], "ignore-unknown-option") && p[1])
6013 {
6014 int i;
6015 int j;
6016 int numignored = 0;
6017 const char **ignore;
6018
6019 VERIFY_PERMISSION(OPT_P_GENERAL);
6020 /* Find out how many options to be ignored */
6021 for (i = 1; p[i]; i++)
6022 {
6023 numignored++;
6024 }
6025
6026 /* add number of options already ignored */
6027 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
6028 {
6029 numignored++;
6030 }
6031
6032 /* Allocate array */
6033 ALLOC_ARRAY_GC(ignore, const char *, numignored + 1, &options->gc);
6034 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
6035 {
6036 ignore[i] = options->ignore_unknown_option[i];
6037 }
6038
6039 options->ignore_unknown_option = ignore;
6040
6041 for (j = 1; p[j]; j++)
6042 {
6043 /* Allow the user to specify ignore-unknown-option --opt too */
6044 if (p[j][0] == '-' && p[j][1] == '-')
6045 {
6046 options->ignore_unknown_option[i] = (p[j] + 2);
6047 }
6048 else
6049 {
6050 options->ignore_unknown_option[i] = p[j];
6051 }
6052 i++;
6053 }
6054
6055 options->ignore_unknown_option[i] = NULL;
6056 }
6057#if ENABLE_MANAGEMENT
6058 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6059 {
6060 VERIFY_PERMISSION(OPT_P_GENERAL);
6061 options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], &options->gc);
6062 if (!options->http_proxy_override)
6063 {
6064 goto err;
6065 }
6066 }
6067#endif
6068 else if (streq(p[0], "remote") && p[1] && !p[4])
6069 {
6070 struct remote_entry re;
6071 re.remote = re.remote_port = NULL;
6072 re.proto = -1;
6073 re.af = 0;
6074
6075 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6076 re.remote = p[1];
6077 if (p[2])
6078 {
6079 re.remote_port = p[2];
6080 if (p[3])
6081 {
6082 const int proto = ascii2proto(p[3]);
6083 const sa_family_t af = ascii2af(p[3]);
6084 if (proto < 0)
6085 {
6086 msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
6087 goto err;
6088 }
6089 re.proto = proto;
6090 re.af = af;
6091 }
6092 }
6093 if (permission_mask & OPT_P_GENERAL)
6094 {
6095 struct remote_entry *e = alloc_remote_entry(options, msglevel);
6096 if (!e)
6097 {
6098 goto err;
6099 }
6100 *e = re;
6101 }
6102 else if (permission_mask & OPT_P_CONNECTION)
6103 {
6104 connection_entry_load_re(&options->ce, &re);
6105 }
6106 }
6107 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6108 {
6109 VERIFY_PERMISSION(OPT_P_GENERAL);
6110 if (streq(p[1], "infinite"))
6111 {
6112 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6113 }
6114 else
6115 {
6116 options->resolve_retry_seconds = positive_atoi(p[1], msglevel);
6117 }
6118 }
6119 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6120 {
6121 VERIFY_PERMISSION(OPT_P_GENERAL);
6122 options->resolve_in_advance = true;
6123 /* Note the ip-remote-hint and the argument p[1] are for
6124 * backward compatibility */
6125 if (p[1])
6126 {
6127 options->ip_remote_hint = p[1];
6128 }
6129 }
6130 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6131 {
6132 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6133 options->ce.connect_retry_seconds = positive_atoi(p[1], msglevel);
6134 /*
6135 * Limit the base value of retry wait interval to 16 bits to avoid
6136 * overflow when scaled up for exponential backoff
6137 */
6138 if (options->ce.connect_retry_seconds > 0xFFFF)
6139 {
6140 options->ce.connect_retry_seconds = 0xFFFF;
6141 msg(M_WARN, "connect retry wait interval truncated to %d",
6142 options->ce.connect_retry_seconds);
6143 }
6144
6145 if (p[2])
6146 {
6147 options->ce.connect_retry_seconds_max =
6148 max_int(positive_atoi(p[2], msglevel), options->ce.connect_retry_seconds);
6149 }
6150 }
6151 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout")) && p[1]
6152 && !p[2])
6153 {
6154 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6155 options->ce.connect_timeout = positive_atoi(p[1], msglevel);
6156 }
6157 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6158 {
6159 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6160 options->connect_retry_max = positive_atoi(p[1], msglevel);
6161 }
6162 else if (streq(p[0], "ipchange") && p[1])
6163 {
6164 VERIFY_PERMISSION(OPT_P_SCRIPT);
6165 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6166 {
6167 goto err;
6168 }
6169 set_user_script(options, &options->ipchange,
6170 string_substitute(p[1], ',', ' ', &options->gc), "ipchange", true);
6171 }
6172 else if (streq(p[0], "float") && !p[1])
6173 {
6174 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6175 options->ce.remote_float = true;
6176 }
6177#ifdef ENABLE_DEBUG
6178 else if (streq(p[0], "gremlin") && p[1] && !p[2])
6179 {
6180 VERIFY_PERMISSION(OPT_P_GENERAL);
6181 options->gremlin = positive_atoi(p[1], msglevel);
6182 }
6183#endif
6184 else if (streq(p[0], "chroot") && p[1] && !p[2])
6185 {
6186 VERIFY_PERMISSION(OPT_P_GENERAL);
6187 options->chroot_dir = p[1];
6188 }
6189 else if (streq(p[0], "cd") && p[1] && !p[2])
6190 {
6191 VERIFY_PERMISSION(OPT_P_GENERAL);
6192 if (platform_chdir(p[1]))
6193 {
6194 msg(M_ERR, "cd to '%s' failed", p[1]);
6195 goto err;
6196 }
6197 options->cd_dir = p[1];
6198 }
6199#ifdef ENABLE_SELINUX
6200 else if (streq(p[0], "setcon") && p[1] && !p[2])
6201 {
6202 VERIFY_PERMISSION(OPT_P_GENERAL);
6203 options->selinux_context = p[1];
6204 }
6205#endif
6206 else if (streq(p[0], "writepid") && p[1] && !p[2])
6207 {
6208 VERIFY_PERMISSION(OPT_P_GENERAL);
6209 options->writepid = p[1];
6210 }
6211 else if (streq(p[0], "up") && p[1])
6212 {
6213 VERIFY_PERMISSION(OPT_P_SCRIPT);
6214 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6215 {
6216 goto err;
6217 }
6218 set_user_script(options, &options->up_script, p[1], "up", false);
6219 }
6220 else if (streq(p[0], "down") && p[1])
6221 {
6222 VERIFY_PERMISSION(OPT_P_SCRIPT);
6223 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6224 {
6225 goto err;
6226 }
6227 set_user_script(options, &options->down_script, p[1], "down", true);
6228 }
6229 else if (streq(p[0], "down-pre") && !p[1])
6230 {
6231 VERIFY_PERMISSION(OPT_P_GENERAL);
6232 options->down_pre = true;
6233 }
6234 else if (streq(p[0], "up-delay") && !p[1])
6235 {
6236 VERIFY_PERMISSION(OPT_P_GENERAL);
6237 options->up_delay = true;
6238 }
6239 else if (streq(p[0], "up-restart") && !p[1])
6240 {
6241 VERIFY_PERMISSION(OPT_P_GENERAL);
6242 options->up_restart = true;
6243 }
6244 else if (streq(p[0], "syslog") && !p[2])
6245 {
6246 VERIFY_PERMISSION(OPT_P_GENERAL);
6247 open_syslog(p[1], false);
6248 }
6249 else if (streq(p[0], "daemon") && !p[2])
6250 {
6251 bool didit = false;
6252 VERIFY_PERMISSION(OPT_P_GENERAL);
6253 if (!options->daemon)
6254 {
6255 options->daemon = didit = true;
6256 open_syslog(p[1], false);
6257 }
6258 if (p[1])
6259 {
6260 if (!didit)
6261 {
6262 msg(M_WARN,
6263 "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)",
6264 p[1]);
6265 goto err;
6266 }
6267 }
6268 }
6269 else if (streq(p[0], "log") && p[1] && !p[2])
6270 {
6271 VERIFY_PERMISSION(OPT_P_GENERAL);
6272 options->log = true;
6273 redirect_stdout_stderr(p[1], false);
6274 }
6275 else if (streq(p[0], "suppress-timestamps") && !p[1])
6276 {
6277 VERIFY_PERMISSION(OPT_P_GENERAL);
6278 options->suppress_timestamps = true;
6279 set_suppress_timestamps(true);
6280 }
6281 else if (streq(p[0], "machine-readable-output") && !p[1])
6282 {
6283 VERIFY_PERMISSION(OPT_P_GENERAL);
6284 options->machine_readable_output = true;
6285 set_machine_readable_output(true);
6286 }
6287 else if (streq(p[0], "log-append") && p[1] && !p[2])
6288 {
6289 VERIFY_PERMISSION(OPT_P_GENERAL);
6290 options->log = true;
6291 redirect_stdout_stderr(p[1], true);
6292 }
6293 else if (streq(p[0], "mlock") && !p[1])
6294 {
6295 VERIFY_PERMISSION(OPT_P_GENERAL);
6296 options->mlock = true;
6297 }
6298#if ENABLE_IP_PKTINFO
6299 else if (streq(p[0], "multihome") && !p[2])
6300 {
6301 VERIFY_PERMISSION(OPT_P_GENERAL);
6302 options->sockflags |= SF_USE_IP_PKTINFO;
6303 if (p[1] && streq(p[1], "same-interface"))
6304 {
6305 options->sockflags |= SF_PKTINFO_COPY_IIF;
6306 }
6307 else if (p[1])
6308 {
6309 msg(msglevel, "Unknown parameter to --multihome: %s", p[1]);
6310 }
6311 }
6312#endif
6313 else if (streq(p[0], "verb") && p[1] && !p[2])
6314 {
6315 VERIFY_PERMISSION(OPT_P_MESSAGES);
6316 options->verbosity = positive_atoi(p[1], msglevel);
6317 if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6318 {
6319 /* We pass this flag to the SSL library to avoid
6320 * mbed TLS always generating debug level logging */
6321 options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6322 }
6323#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6324 /* Warn when a debug verbosity is supplied when built without debug support */
6325 if (options->verbosity >= 7)
6326 {
6327 msg(M_WARN,
6328 "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6329 options->verbosity);
6330 }
6331#endif
6332 }
6333 else if (streq(p[0], "mute") && p[1] && !p[2])
6334 {
6335 VERIFY_PERMISSION(OPT_P_MESSAGES);
6336 options->mute = positive_atoi(p[1], msglevel);
6337 }
6338 else if (streq(p[0], "errors-to-stderr") && !p[1])
6339 {
6340 VERIFY_PERMISSION(OPT_P_MESSAGES);
6341 errors_to_stderr();
6342 }
6343 else if (streq(p[0], "status") && p[1] && !p[3])
6344 {
6345 VERIFY_PERMISSION(OPT_P_GENERAL);
6346 options->status_file = p[1];
6347 if (p[2])
6348 {
6349 options->status_file_update_freq = positive_atoi(p[2], msglevel);
6350 }
6351 }
6352 else if (streq(p[0], "status-version") && p[1] && !p[2])
6353 {
6354 VERIFY_PERMISSION(OPT_P_GENERAL);
6355 if (!atoi_constrained(p[1], &options->status_file_version, p[0], 1, 3, msglevel))
6356 {
6357 goto err;
6358 }
6359 }
6360 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6361 {
6362 VERIFY_PERMISSION(OPT_P_GENERAL);
6363 if (streq(p[1], "SIGHUP"))
6364 {
6365 options->remap_sigusr1 = SIGHUP;
6366 }
6367 else if (streq(p[1], "SIGTERM"))
6368 {
6369 options->remap_sigusr1 = SIGTERM;
6370 }
6371 else
6372 {
6373 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6374 goto err;
6375 }
6376 }
6377 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6378 {
6379 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6380 options->ce.link_mtu = positive_atoi(p[1], msglevel);
6381 options->ce.link_mtu_defined = true;
6382 }
6383 else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6384 {
6385 VERIFY_PERMISSION(OPT_P_PUSH_MTU | OPT_P_CONNECTION);
6386 options->ce.tun_mtu = positive_atoi(p[1], msglevel);
6387 options->ce.tun_mtu_defined = true;
6388 if (p[2])
6389 {
6390 options->ce.occ_mtu = positive_atoi(p[2], msglevel);
6391 }
6392 else
6393 {
6394 options->ce.occ_mtu = 0;
6395 }
6396 }
6397 else if (streq(p[0], "tun-mtu-max") && p[1] && !p[2])
6398 {
6399 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6400 atoi_constrained(p[1], &options->ce.tun_mtu_max, p[0], TUN_MTU_MAX_MIN, 65536, msglevel);
6401 }
6402 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6403 {
6404 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6405 if (atoi_constrained(p[1], &options->ce.tun_mtu_extra, p[0], 0, 65536, msglevel))
6406 {
6407 options->ce.tun_mtu_extra_defined = true;
6408 }
6409 }
6410 else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
6411 {
6412 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6413 int maxmtu = positive_atoi(p[1], msglevel);
6414 options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
6415
6416 if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
6417 {
6418 msg(M_WARN,
6419 "Note: max-packet-size value outside of allowed "
6420 "control channel packet size (%d to %d), will use %d "
6421 "instead.",
6422 TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE, options->ce.tls_mtu);
6423 }
6424
6425 /* also set mssfix maxmtu mtu */
6426 options->ce.mssfix = maxmtu;
6427 options->ce.mssfix_default = false;
6428 options->ce.mssfix_encap = true;
6429 }
6430#ifdef ENABLE_FRAGMENT
6431 else if (streq(p[0], "mtu-dynamic"))
6432 {
6433 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6434 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6435 goto err;
6436 }
6437 else if (streq(p[0], "fragment") && p[1] && !p[3])
6438 {
6439 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6440 if (!atoi_constrained(p[1], &options->ce.fragment, p[0], 68, INT_MAX, msglevel))
6441 {
6442 goto err;
6443 }
6444
6445 if (p[2] && streq(p[2], "mtu"))
6446 {
6447 options->ce.fragment_encap = true;
6448 }
6449 else if (p[2])
6450 {
6451 msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6452 }
6453 }
6454#endif /* ifdef ENABLE_FRAGMENT */
6455 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6456 {
6457 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
6458 options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6459 }
6460 else if (streq(p[0], "mtu-test") && !p[1])
6461 {
6462 VERIFY_PERMISSION(OPT_P_GENERAL);
6463 options->mtu_test = true;
6464 }
6465 else if (streq(p[0], "nice") && p[1] && !p[2])
6466 {
6467 VERIFY_PERMISSION(OPT_P_NICE);
6468 options->nice = atoi_warn(p[1], msglevel);
6469 }
6470 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6471 {
6472 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6473 options->rcvbuf = positive_atoi(p[1], msglevel);
6474 }
6475 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6476 {
6477 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6478 options->sndbuf = positive_atoi(p[1], msglevel);
6479 }
6480 else if (streq(p[0], "mark") && p[1] && !p[2])
6481 {
6482#if defined(TARGET_LINUX)
6483 VERIFY_PERMISSION(OPT_P_GENERAL);
6484 options->mark = atoi_warn(p[1], msglevel);
6485#endif
6486 }
6487 else if (streq(p[0], "socket-flags"))
6488 {
6489 int j;
6490 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6491 for (j = 1; j < MAX_PARMS && p[j]; ++j)
6492 {
6493 if (streq(p[j], "TCP_NODELAY"))
6494 {
6495 options->sockflags |= SF_TCP_NODELAY;
6496 }
6497 else
6498 {
6499 msg(msglevel, "unknown socket flag: %s", p[j]);
6500 }
6501 }
6502 }
6503#ifdef TARGET_LINUX
6504 else if (streq(p[0], "bind-dev") && p[1])
6505 {
6506 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6507 options->bind_dev = p[1];
6508 }
6509#endif
6510 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6511 {
6512 VERIFY_PERMISSION(OPT_P_GENERAL);
6513#ifdef TARGET_LINUX
6514 options->tuntap_options.txqueuelen = positive_atoi(p[1], msglevel);
6515#else
6516 msg(msglevel, "--txqueuelen not supported on this OS");
6517 goto err;
6518#endif
6519 }
6520 else if (streq(p[0], "shaper") && p[1] && !p[2])
6521 {
6522 VERIFY_PERMISSION(OPT_P_SHAPER);
6523 if (!atoi_constrained(p[1], &options->shaper, p[0], SHAPER_MIN, SHAPER_MAX, msglevel))
6524 {
6525 goto err;
6526 }
6527 }
6528 else if (streq(p[0], "port") && p[1] && !p[2])
6529 {
6530 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6531 options->ce.local_port = options->ce.remote_port = p[1];
6532 }
6533 else if (streq(p[0], "lport") && p[1] && !p[2])
6534 {
6535 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6536
6537 /* only trigger bind() if port is not 0 (or --local is used) */
6538 if (!streq(p[1], "0"))
6539 {
6540 options->ce.local_port_defined = true;
6541 }
6542 options->ce.local_port = p[1];
6543 }
6544 else if (streq(p[0], "rport") && p[1] && !p[2])
6545 {
6546 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6547 options->ce.remote_port = p[1];
6548 }
6549 else if (streq(p[0], "bind") && !p[2])
6550 {
6551 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6552 options->ce.bind_defined = true;
6553 if (p[1] && streq(p[1], "ipv6only"))
6554 {
6555 options->ce.bind_ipv6_only = true;
6556 }
6557 }
6558 else if (streq(p[0], "nobind") && !p[1])
6559 {
6560 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6561 options->ce.bind_local = false;
6562 }
6563 else if (streq(p[0], "fast-io") && !p[1])
6564 {
6565 VERIFY_PERMISSION(OPT_P_GENERAL);
6566 msg(M_WARN, "DEPRECATED OPTION: --fast-io option ignored.");
6567 }
6568 else if (streq(p[0], "inactive") && p[1] && !p[3])
6569 {
6570 VERIFY_PERMISSION(OPT_P_TIMER);
6571 options->inactivity_timeout = positive_atoi(p[1], msglevel);
6572 if (p[2])
6573 {
6574 positive_atoll(p[2], &options->inactivity_minimum_bytes, p[0], msglevel);
6575 if (options->inactivity_minimum_bytes > INT_MAX)
6576 {
6577 msg(M_WARN,
6578 "WARNING: '--inactive' with a 'bytes' value"
6579 " >2 Gbyte was silently ignored in older versions. If "
6580 " your VPN exits unexpectedly with 'Inactivity timeout'"
6581 " in %d seconds, revisit this value.",
6582 options->inactivity_timeout);
6583 }
6584 }
6585 }
6586 else if (streq(p[0], "session-timeout") && p[1] && !p[2])
6587 {
6588 VERIFY_PERMISSION(OPT_P_TIMER);
6589 options->session_timeout = positive_atoi(p[1], msglevel);
6590 }
6591 else if (streq(p[0], "proto") && p[1] && !p[2])
6592 {
6593 int proto;
6594 sa_family_t af;
6595 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6596 proto = ascii2proto(p[1]);
6597 af = ascii2af(p[1]);
6598 if (proto < 0)
6599 {
6600 msg(msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s", p[1],
6601 proto2ascii_all(&gc));
6602 goto err;
6603 }
6604 options->ce.proto = proto;
6605 options->ce.af = af;
6606 }
6607 else if (streq(p[0], "proto-force") && p[1] && !p[2])
6608 {
6609 int proto_force;
6610 VERIFY_PERMISSION(OPT_P_GENERAL);
6611 proto_force = ascii2proto(p[1]);
6612 if (proto_force < 0)
6613 {
6614 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6615 goto err;
6616 }
6617 options->proto_force = proto_force;
6618 }
6619 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6620 {
6621 struct http_proxy_options *ho;
6622
6623 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6624
6625 {
6626 if (!p[2])
6627 {
6628 msg(msglevel, "http-proxy port number not defined");
6629 goto err;
6630 }
6631
6632 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6633
6634 ho->server = p[1];
6635 ho->port = p[2];
6636 }
6637
6638 if (p[3])
6639 {
6640 /* auto -- try to figure out proxy addr, port, and type automatically */
6641 /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6642 if (streq(p[3], "auto"))
6643 {
6644 ho->auth_retry = PAR_ALL;
6645 }
6646 else if (streq(p[3], "auto-nct"))
6647 {
6648 ho->auth_retry = PAR_NCT;
6649 }
6650 else
6651 {
6652 ho->auth_method_string = "basic";
6653 ho->auth_file = p[3];
6654
6655 if (p[4])
6656 {
6657 ho->auth_method_string = p[4];
6658 }
6659 }
6660 }
6661 else
6662 {
6663 ho->auth_method_string = "none";
6664 }
6665 }
6666 else if (streq(p[0], "http-proxy-user-pass") && p[1])
6667 {
6668 struct http_proxy_options *ho;
6669 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
6670 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6671 ho->auth_file_up = p[1];
6672 ho->inline_creds = is_inline;
6673 }
6674 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry") || streq(p[0], "http-proxy-timeout"))
6675 {
6676 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6677 msg(M_WARN, "DEPRECATED OPTION: %s option ignored.", p[0]);
6678 }
6679 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6680 {
6681 struct http_proxy_options *ho;
6682
6683 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6684 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6685
6686 if (streq(p[1], "VERSION") && p[2] && !p[3])
6687 {
6688 ho->http_version = p[2];
6689 }
6690 else if (streq(p[1], "AGENT") && p[2] && !p[3])
6691 {
6692 ho->user_agent = p[2];
6693 }
6694 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6695 && p[2])
6696 {
6697 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6698 * with either two argument or one */
6699
6700 struct http_custom_header *custom_header = NULL;
6701 int i;
6702 /* Find the first free header */
6703 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6704 {
6705 if (!ho->custom_headers[i].name)
6706 {
6707 custom_header = &ho->custom_headers[i];
6708 break;
6709 }
6710 }
6711 if (!custom_header)
6712 {
6713 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'",
6714 MAX_CUSTOM_HTTP_HEADER, p[1]);
6715 }
6716 else
6717 {
6718 /* We will save p[2] and p[3], the proxy code will detect if
6719 * p[3] is NULL */
6720 custom_header->name = p[2];
6721 custom_header->content = p[3];
6722 }
6723 }
6724 else
6725 {
6726 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6727 }
6728 }
6729 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6730 {
6731 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6732
6733 if (p[2])
6734 {
6735 options->ce.socks_proxy_port = p[2];
6736 }
6737 else
6738 {
6739 options->ce.socks_proxy_port = "1080";
6740 }
6741 options->ce.socks_proxy_server = p[1];
6742 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
6743 }
6744 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
6745 {
6746 VERIFY_PERMISSION(OPT_P_GENERAL);
6747 options->keepalive_ping = atoi_warn(p[1], msglevel);
6748 options->keepalive_timeout = atoi_warn(p[2], msglevel);
6749 }
6750 else if (streq(p[0], "ping") && p[1] && !p[2])
6751 {
6752 VERIFY_PERMISSION(OPT_P_TIMER);
6753 options->ping_send_timeout = positive_atoi(p[1], msglevel);
6754 }
6755 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
6756 {
6757 VERIFY_PERMISSION(OPT_P_TIMER);
6758 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
6759 options->ping_rec_timeout_action = PING_EXIT;
6760 }
6761 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
6762 {
6763 VERIFY_PERMISSION(OPT_P_TIMER);
6764 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
6765 options->ping_rec_timeout_action = PING_RESTART;
6766 }
6767 else if (streq(p[0], "ping-timer-rem") && !p[1])
6768 {
6769 VERIFY_PERMISSION(OPT_P_TIMER);
6770 options->ping_timer_remote = true;
6771 }
6772 else if (streq(p[0], "explicit-exit-notify") && !p[2])
6773 {
6774 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_EXPLICIT_NOTIFY);
6775 if (p[1])
6776 {
6777 options->ce.explicit_exit_notification = positive_atoi(p[1], msglevel);
6778 }
6779 else
6780 {
6781 options->ce.explicit_exit_notification = 1;
6782 }
6783 }
6784 else if (streq(p[0], "persist-tun") && !p[1])
6785 {
6786 VERIFY_PERMISSION(OPT_P_PERSIST);
6787 options->persist_tun = true;
6788 }
6789 else if (streq(p[0], "persist-key") && !p[1])
6790 {
6791 VERIFY_PERMISSION(OPT_P_PERSIST);
6792 msg(M_WARN, "DEPRECATED OPTION: --persist-key option ignored. "
6793 "Keys are now always persisted across restarts. ");
6794 }
6795 else if (streq(p[0], "persist-local-ip") && !p[1])
6796 {
6797 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6798 options->persist_local_ip = true;
6799 }
6800 else if (streq(p[0], "persist-remote-ip") && !p[1])
6801 {
6802 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6803 options->persist_remote_ip = true;
6804 }
6805 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
6806 {
6807 VERIFY_PERMISSION(OPT_P_ROUTE);
6808 cnol_check_alloc(options);
6809 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
6810 }
6811 else if (streq(p[0], "route-table") && p[1] && !p[2])
6812 {
6813#ifndef ENABLE_SITNL
6814 msg(M_WARN, "NOTE: --route-table is supported only on Linux when SITNL is built-in");
6815#endif
6816 VERIFY_PERMISSION(OPT_P_ROUTE_TABLE);
6817 options->route_default_table_id = positive_atoi(p[1], msglevel);
6818 }
6819 else if (streq(p[0], "route") && p[1] && !p[5])
6820 {
6821 VERIFY_PERMISSION(OPT_P_ROUTE);
6822 if (!check_route_option(options, p, msglevel, pull_mode))
6823 {
6824 goto err;
6825 }
6826 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4],
6827 options->route_default_table_id);
6828 }
6829 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
6830 {
6831 VERIFY_PERMISSION(OPT_P_ROUTE);
6832 if (!check_route6_option(options, p, msglevel, pull_mode))
6833 {
6834 goto err;
6835 }
6836 add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3],
6837 options->route_default_table_id);
6838 }
6839 else if (streq(p[0], "max-routes") && !p[2])
6840 {
6841 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored.");
6842 }
6843 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
6844 {
6845 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6846 if (streq(p[1], "dhcp"))
6847 {
6848 options->route_gateway_via_dhcp = true;
6849 }
6850 else
6851 {
6852 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
6853 || is_special_addr(p[1])) /* FQDN -- may be DNS name */
6854 {
6855 options->route_default_gateway = p[1];
6856 }
6857 else
6858 {
6859 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
6860 goto err;
6861 }
6862 }
6863 }
6864 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
6865 {
6866 if (ipv6_addr_safe(p[1]))
6867 {
6868 options->route_ipv6_default_gateway = p[1];
6869 }
6870 else
6871 {
6872 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
6873 goto err;
6874 }
6875 }
6876 else if (streq(p[0], "route-metric") && p[1] && !p[2])
6877 {
6878 VERIFY_PERMISSION(OPT_P_ROUTE);
6879 options->route_default_metric = positive_atoi(p[1], msglevel);
6880 }
6881 else if (streq(p[0], "route-delay") && !p[3])
6882 {
6883 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6884 options->route_delay_defined = true;
6885 if (p[1])
6886 {
6887 options->route_delay = positive_atoi(p[1], msglevel);
6888 if (p[2])
6889 {
6890 options->route_delay_window = positive_atoi(p[2], msglevel);
6891 }
6892 }
6893 else
6894 {
6895 options->route_delay = 0;
6896 }
6897 }
6898 else if (streq(p[0], "route-up") && p[1])
6899 {
6900 VERIFY_PERMISSION(OPT_P_SCRIPT);
6901 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6902 {
6903 goto err;
6904 }
6905 set_user_script(options, &options->route_script, p[1], "route-up", false);
6906 }
6907 else if (streq(p[0], "route-pre-down") && p[1])
6908 {
6909 VERIFY_PERMISSION(OPT_P_SCRIPT);
6910 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6911 {
6912 goto err;
6913 }
6914 set_user_script(options, &options->route_predown_script, p[1], "route-pre-down", true);
6915 }
6916 else if (streq(p[0], "route-noexec") && !p[1])
6917 {
6918 VERIFY_PERMISSION(OPT_P_SCRIPT);
6919 options->route_noexec = true;
6920 }
6921 else if (streq(p[0], "route-nopull") && !p[1])
6922 {
6923 VERIFY_PERMISSION(OPT_P_GENERAL);
6924 options->route_nopull = true;
6925 }
6926 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
6927 {
6928 struct pull_filter *f;
6929 VERIFY_PERMISSION(OPT_P_GENERAL)
6930 f = alloc_pull_filter(options);
6931
6932 if (strcmp("accept", p[1]) == 0)
6933 {
6934 f->type = PUF_TYPE_ACCEPT;
6935 }
6936 else if (strcmp("ignore", p[1]) == 0)
6937 {
6938 f->type = PUF_TYPE_IGNORE;
6939 }
6940 else if (strcmp("reject", p[1]) == 0)
6941 {
6942 f->type = PUF_TYPE_REJECT;
6943 }
6944 else
6945 {
6946 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
6947 goto err;
6948 }
6949 f->pattern = p[2];
6950 f->size = strlen(p[2]);
6951 }
6952 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
6953 {
6954 VERIFY_PERMISSION(OPT_P_GENERAL);
6955 options->allow_pull_fqdn = true;
6956 }
6957 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
6958 {
6959 int j;
6960 VERIFY_PERMISSION(OPT_P_ROUTE);
6961 rol_check_alloc(options);
6962
6963 if (options->routes->flags & RG_ENABLE)
6964 {
6965 msg(M_WARN, "WARNING: You have specified redirect-gateway and "
6966 "redirect-private at the same time (or the same option "
6967 "multiple times). This is not well supported and may lead to "
6968 "unexpected results");
6969 }
6970
6971 options->routes->flags |= RG_ENABLE;
6972
6973 if (streq(p[0], "redirect-gateway"))
6974 {
6975 options->routes->flags |= RG_REROUTE_GW;
6976 }
6977 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
6978 {
6979 if (streq(p[j], "local"))
6980 {
6981 options->routes->flags |= RG_LOCAL;
6982 }
6983 else if (streq(p[j], "autolocal"))
6984 {
6985 options->routes->flags |= RG_AUTO_LOCAL;
6986 }
6987 else if (streq(p[j], "def1"))
6988 {
6989 options->routes->flags |= RG_DEF1;
6990 }
6991 else if (streq(p[j], "bypass-dhcp"))
6992 {
6993 options->routes->flags |= RG_BYPASS_DHCP;
6994 }
6995 else if (streq(p[j], "bypass-dns"))
6996 {
6997 options->routes->flags |= RG_BYPASS_DNS;
6998 }
6999 else if (streq(p[j], "block-local"))
7000 {
7001 options->routes->flags |= RG_BLOCK_LOCAL;
7002 }
7003 else if (streq(p[j], "ipv6"))
7004 {
7005 rol6_check_alloc(options);
7006 options->routes_ipv6->flags |= RG_REROUTE_GW;
7007 }
7008 else if (streq(p[j], "!ipv4"))
7009 {
7010 options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7011 }
7012 else
7013 {
7014 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7015 goto err;
7016 }
7017 }
7018 if (options->routes->flags & RG_REROUTE_GW)
7019 {
7020 setenv_int(es, "route_redirect_gateway_ipv4",
7021 options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
7022 }
7023 if (options->routes_ipv6 && (options->routes_ipv6->flags & RG_REROUTE_GW))
7024 {
7025 setenv_int(es, "route_redirect_gateway_ipv6",
7026 options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
7027 }
7028#ifdef _WIN32
7029 /* we need this here to handle pushed --redirect-gateway */
7030 remap_redirect_gateway_flags(options);
7031#endif
7032 }
7033 else if (streq(p[0], "block-ipv6") && !p[1])
7034 {
7035 VERIFY_PERMISSION(OPT_P_ROUTE);
7036 options->block_ipv6 = true;
7037 }
7038 else if (streq(p[0], "remote-random-hostname") && !p[1])
7039 {
7040 VERIFY_PERMISSION(OPT_P_GENERAL);
7041 options->sockflags |= SF_HOST_RANDOMIZE;
7042 }
7043 else if (streq(p[0], "setenv") && p[1] && !p[3])
7044 {
7045 VERIFY_PERMISSION(OPT_P_GENERAL);
7046 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7047 {
7048 options->sockflags |= SF_HOST_RANDOMIZE;
7049 }
7050 else if (streq(p[1], "GENERIC_CONFIG"))
7051 {
7052 msg(msglevel, "this is a generic configuration and cannot directly be used");
7053 goto err;
7054 }
7055 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7056 {
7057 options->push_peer_info = true;
7058 }
7059 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7060 {
7061 options->ce.connect_timeout = positive_atoi(p[2], msglevel);
7062 }
7063 else
7064 {
7065 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7066 {
7067 options->forward_compatible = true;
7068 msglevel_fc = msglevel_forward_compatible(options, msglevel);
7069 }
7070 setenv_str(es, p[1], p[2] ? p[2] : "");
7071 }
7072 }
7073 else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7074 {
7075 unsigned int major, minor, patch;
7076 if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7077 {
7078 msg(msglevel, "cannot parse version number for --compat-mode: %s", p[1]);
7079 goto err;
7080 }
7081
7082 options->backwards_compatible = major * 10000 + minor * 100 + patch;
7083 }
7084 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7085 {
7086 VERIFY_PERMISSION(OPT_P_SETENV);
7087 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7088 }
7089 else if (streq(p[0], "script-security") && p[1] && !p[2])
7090 {
7091 VERIFY_PERMISSION(OPT_P_GENERAL);
7092 int security;
7093 if (atoi_constrained(p[1], &security, p[0], SSEC_NONE, SSEC_PW_ENV, msglevel))
7094 {
7095 script_security_set(security);
7096 }
7097 }
7098 else if (streq(p[0], "mssfix") && !p[3])
7099 {
7100 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7101 if (p[1])
7102 {
7103 int mssfix;
7104 if (!atoi_constrained(p[1], &mssfix, p[0], 0, UINT16_MAX, msglevel))
7105 {
7106 goto err;
7107 }
7108 if (mssfix != 0 && mssfix < TLS_CHANNEL_MTU_MIN)
7109 {
7110 msg(msglevel, "mssfix needs to be >= %d, not %d", TLS_CHANNEL_MTU_MIN, mssfix);
7111 goto err;
7112 }
7113
7114 /* value specified, assume encapsulation is not
7115 * included unless "mtu" follows later */
7116 options->ce.mssfix = mssfix;
7117 options->ce.mssfix_encap = false;
7118 options->ce.mssfix_default = false;
7119 }
7120 else
7121 {
7122 /* Set MTU to default values */
7123 options->ce.mssfix_default = true;
7124 options->ce.mssfix_encap = true;
7125 options->ce.mssfix_fixed = false;
7126 }
7127
7128 if (p[2] && streq(p[2], "mtu"))
7129 {
7130 options->ce.mssfix_encap = true;
7131 }
7132 else if (p[2] && streq(p[2], "fixed"))
7133 {
7134 options->ce.mssfix_fixed = true;
7135 }
7136 else if (p[2])
7137 {
7138 msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7139 }
7140 }
7141 else if (streq(p[0], "disable-occ") && !p[1])
7142 {
7143 VERIFY_PERMISSION(OPT_P_GENERAL);
7144 options->occ = false;
7145 }
7146 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7147 {
7148 const int lev = M_WARN;
7149 bool error = false;
7150 in_addr_t network, netmask;
7151
7152 VERIFY_PERMISSION(OPT_P_GENERAL);
7153 network = get_ip_addr(p[1], lev, &error);
7154 netmask = get_ip_addr(p[2], lev, &error);
7155 if (error || !network || !netmask)
7156 {
7157 msg(msglevel, "error parsing --server parameters");
7158 goto err;
7159 }
7160 options->server_defined = true;
7161 options->server_network = network;
7162 options->server_netmask = netmask;
7163
7164 if (p[3])
7165 {
7166 if (streq(p[3], "nopool"))
7167 {
7168 options->server_flags |= SF_NOPOOL;
7169 }
7170 else
7171 {
7172 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7173 goto err;
7174 }
7175 }
7176 }
7177 else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7178 {
7179 const int lev = M_WARN;
7180 struct in6_addr network;
7181 unsigned int netbits = 0;
7182
7183 VERIFY_PERMISSION(OPT_P_GENERAL);
7184 if (!get_ipv6_addr(p[1], &network, &netbits, lev))
7185 {
7186 msg(msglevel, "error parsing --server-ipv6 parameter");
7187 goto err;
7188 }
7189 if (netbits < 64 || netbits > 124)
7190 {
7191 msg(msglevel, "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7192 netbits);
7193
7194 goto err;
7195 }
7196 options->server_ipv6_defined = true;
7197 options->server_network_ipv6 = network;
7198 options->server_netbits_ipv6 = netbits;
7199 }
7200 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7201 {
7202 const int lev = M_WARN;
7203 bool error = false;
7204 in_addr_t ip, netmask, pool_start, pool_end;
7205
7206 VERIFY_PERMISSION(OPT_P_GENERAL);
7207 ip = get_ip_addr(p[1], lev, &error);
7208 netmask = get_ip_addr(p[2], lev, &error);
7209 pool_start = get_ip_addr(p[3], lev, &error);
7210 pool_end = get_ip_addr(p[4], lev, &error);
7211 if (error || !ip || !netmask || !pool_start || !pool_end)
7212 {
7213 msg(msglevel, "error parsing --server-bridge parameters");
7214 goto err;
7215 }
7216 options->server_bridge_defined = true;
7217 options->server_bridge_ip = ip;
7218 options->server_bridge_netmask = netmask;
7219 options->server_bridge_pool_start = pool_start;
7220 options->server_bridge_pool_end = pool_end;
7221 }
7222 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7223 {
7224 VERIFY_PERMISSION(OPT_P_GENERAL);
7225 options->server_bridge_proxy_dhcp = true;
7226 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7227 }
7228 else if (streq(p[0], "server-bridge") && !p[1])
7229 {
7230 VERIFY_PERMISSION(OPT_P_GENERAL);
7231 options->server_bridge_proxy_dhcp = true;
7232 }
7233 else if (streq(p[0], "push") && p[1] && !p[2])
7234 {
7235 VERIFY_PERMISSION(OPT_P_PUSH);
7236 push_options(options, &p[1], msglevel, &options->gc);
7237 }
7238 else if (streq(p[0], "push-reset") && !p[1])
7239 {
7240 VERIFY_PERMISSION(OPT_P_INSTANCE);
7241 push_reset(options);
7242 }
7243 else if (streq(p[0], "push-remove") && p[1] && !p[2])
7244 {
7245 VERIFY_PERMISSION(OPT_P_INSTANCE);
7246 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7247 push_remove_option(options, p[1]);
7248 }
7249 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7250 {
7251 const int lev = M_WARN;
7252 bool error = false;
7253 in_addr_t start, end, netmask = 0;
7254
7255 VERIFY_PERMISSION(OPT_P_GENERAL);
7256 start = get_ip_addr(p[1], lev, &error);
7257 end = get_ip_addr(p[2], lev, &error);
7258 if (p[3])
7259 {
7260 netmask = get_ip_addr(p[3], lev, &error);
7261 }
7262 if (error)
7263 {
7264 msg(msglevel, "error parsing --ifconfig-pool parameters");
7265 goto err;
7266 }
7267 if (!ifconfig_pool_verify_range(msglevel, start, end))
7268 {
7269 goto err;
7270 }
7271
7272 options->ifconfig_pool_defined = true;
7273 options->ifconfig_pool_start = start;
7274 options->ifconfig_pool_end = end;
7275 if (netmask)
7276 {
7277 options->ifconfig_pool_netmask = netmask;
7278 }
7279 }
7280 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7281 {
7282 VERIFY_PERMISSION(OPT_P_GENERAL);
7283 options->ifconfig_pool_persist_filename = p[1];
7284 if (p[2])
7285 {
7286 options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2], msglevel);
7287 }
7288 }
7289 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7290 {
7291 const int lev = M_WARN;
7292 struct in6_addr network;
7293 unsigned int netbits = 0;
7294
7295 VERIFY_PERMISSION(OPT_P_GENERAL);
7296 if (!get_ipv6_addr(p[1], &network, &netbits, lev))
7297 {
7298 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7299 goto err;
7300 }
7301 if (netbits < 64 || netbits > 124)
7302 {
7303 msg(msglevel,
7304 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7305 netbits);
7306 goto err;
7307 }
7308
7309 options->ifconfig_ipv6_pool_defined = true;
7310 options->ifconfig_ipv6_pool_base = network;
7311 options->ifconfig_ipv6_pool_netbits = netbits;
7312 }
7313 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7314 {
7315 int real, virtual;
7316
7317 VERIFY_PERMISSION(OPT_P_GENERAL);
7318 if (!atoi_constrained(p[1], &real, "hash-size real", 1, INT_MAX, msglevel)
7319 || !atoi_constrained(p[2], &virtual, "hash-size virtual", 1, INT_MAX, msglevel))
7320 {
7321 goto err;
7322 }
7323 options->real_hash_size = (uint32_t)real;
7324 options->virtual_hash_size = (uint32_t)virtual;
7325 }
7326 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7327 {
7328 int cf_max, cf_per;
7329
7330 VERIFY_PERMISSION(OPT_P_GENERAL);
7331 if (!atoi_constrained(p[1], &cf_max, "connect-freq n", 1, INT_MAX, msglevel)
7332 || !atoi_constrained(p[2], &cf_per, "connect-freq seconds", 1, INT_MAX, msglevel))
7333 {
7334 goto err;
7335 }
7336 options->cf_max = cf_max;
7337 options->cf_per = cf_per;
7338 }
7339 else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7340 {
7341 int cf_max, cf_per;
7342
7343 VERIFY_PERMISSION(OPT_P_GENERAL);
7344 if (!atoi_constrained(p[1], &cf_max, "connect-freq-initial n", 1, INT_MAX, msglevel)
7345 || !atoi_constrained(p[2], &cf_per, "connect-freq-initial seconds", 1, INT_MAX, msglevel))
7346 {
7347 goto err;
7348 }
7349 options->cf_initial_max = cf_max;
7350 options->cf_initial_per = cf_per;
7351 }
7352 else if (streq(p[0], "max-clients") && p[1] && !p[2])
7353 {
7354 VERIFY_PERMISSION(OPT_P_GENERAL);
7355 if (!atoi_constrained(p[1], &options->max_clients, p[0], 1, MAX_PEER_ID, msglevel))
7356 {
7357 goto err;
7358 }
7359 }
7360 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7361 {
7362 VERIFY_PERMISSION(OPT_P_INHERIT);
7363 atoi_constrained(p[1], &options->max_routes_per_client, p[0], 1, INT_MAX, msglevel);
7364 }
7365 else if (streq(p[0], "client-cert-not-required") && !p[1])
7366 {
7367 VERIFY_PERMISSION(OPT_P_GENERAL);
7368 msg(M_FATAL,
7369 "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7370 }
7371 else if (streq(p[0], "verify-client-cert") && !p[2])
7372 {
7373 VERIFY_PERMISSION(OPT_P_GENERAL);
7374
7375 /* Reset any existing flags */
7376 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7377 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7378 if (p[1])
7379 {
7380 if (streq(p[1], "none"))
7381 {
7382 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
7383 }
7384 else if (streq(p[1], "optional"))
7385 {
7386 options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7387 }
7388 else if (!streq(p[1], "require"))
7389 {
7390 msg(msglevel,
7391 "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7392 goto err;
7393 }
7394 }
7395 }
7396 else if (streq(p[0], "username-as-common-name") && !p[1])
7397 {
7398 VERIFY_PERMISSION(OPT_P_GENERAL);
7399 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7400 }
7401 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7402 {
7403 VERIFY_PERMISSION(OPT_P_GENERAL);
7404 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7405 }
7406 else if (streq(p[0], "opt-verify") && !p[1])
7407 {
7408 VERIFY_PERMISSION(OPT_P_GENERAL);
7409 msg(M_INFO, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7.");
7410 }
7411 else if (streq(p[0], "auth-user-pass-verify") && p[1])
7412 {
7413 VERIFY_PERMISSION(OPT_P_SCRIPT);
7414 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7415 {
7416 goto err;
7417 }
7418 if (p[2])
7419 {
7420 if (streq(p[2], "via-env"))
7421 {
7422 options->auth_user_pass_verify_script_via_file = false;
7423 }
7424 else if (streq(p[2], "via-file"))
7425 {
7426 options->auth_user_pass_verify_script_via_file = true;
7427 }
7428 else
7429 {
7430 msg(msglevel,
7431 "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7432 goto err;
7433 }
7434 }
7435 else
7436 {
7437 msg(msglevel,
7438 "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7439 goto err;
7440 }
7441 set_user_script(options, &options->auth_user_pass_verify_script, p[1],
7442 "auth-user-pass-verify", true);
7443 }
7444 else if (streq(p[0], "auth-gen-token"))
7445 {
7446 VERIFY_PERMISSION(OPT_P_GENERAL);
7447 options->auth_token_generate = true;
7448 options->auth_token_lifetime = p[1] ? positive_atoi(p[1], msglevel) : 0;
7449
7450 for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
7451 {
7452 /* the second parameter can be the renewal time */
7453 if (i == 2 && valid_integer(p[i], true))
7454 {
7455 options->auth_token_renewal = positive_atoi(p[i], msglevel);
7456 }
7457 else if (streq(p[i], "external-auth"))
7458 {
7459 options->auth_token_call_auth = true;
7460 }
7461 else
7462 {
7463 msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
7464 }
7465 }
7466 }
7467 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7468 {
7469 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
7470 options->auth_token_secret_file = p[1];
7471 options->auth_token_secret_file_inline = is_inline;
7472 }
7473 else if (streq(p[0], "client-connect") && p[1])
7474 {
7475 VERIFY_PERMISSION(OPT_P_SCRIPT);
7476 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7477 {
7478 goto err;
7479 }
7480 set_user_script(options, &options->client_connect_script, p[1], "client-connect", true);
7481 }
7482 else if (streq(p[0], "client-crresponse") && p[1])
7483 {
7484 VERIFY_PERMISSION(OPT_P_SCRIPT);
7485 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7486 {
7487 goto err;
7488 }
7489 set_user_script(options, &options->client_crresponse_script, p[1], "client-crresponse",
7490 true);
7491 }
7492 else if (streq(p[0], "client-disconnect") && p[1])
7493 {
7494 VERIFY_PERMISSION(OPT_P_SCRIPT);
7495 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7496 {
7497 goto err;
7498 }
7499 set_user_script(options, &options->client_disconnect_script, p[1], "client-disconnect",
7500 true);
7501 }
7502 else if (streq(p[0], "learn-address") && p[1])
7503 {
7504 VERIFY_PERMISSION(OPT_P_SCRIPT);
7505 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7506 {
7507 goto err;
7508 }
7509 set_user_script(options, &options->learn_address_script, p[1], "learn-address", true);
7510 }
7511 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7512 {
7513 VERIFY_PERMISSION(OPT_P_GENERAL);
7514 options->tmp_dir = p[1];
7515 }
7516 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7517 {
7518 VERIFY_PERMISSION(OPT_P_GENERAL);
7519 options->client_config_dir = p[1];
7520 }
7521 else if (streq(p[0], "ccd-exclusive") && !p[1])
7522 {
7523 VERIFY_PERMISSION(OPT_P_GENERAL);
7524 options->ccd_exclusive = true;
7525 }
7526 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7527 {
7528 VERIFY_PERMISSION(OPT_P_GENERAL);
7529 atoi_constrained(p[1], &options->n_bcast_buf, p[0], 1, MBUF_SIZE_MAX, msglevel);
7530 }
7531 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7532 {
7533 VERIFY_PERMISSION(OPT_P_GENERAL);
7534 atoi_constrained(p[1], &options->tcp_queue_limit, p[0], 1, INT_MAX, msglevel);
7535 }
7536#if PORT_SHARE
7537 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7538 {
7539 VERIFY_PERMISSION(OPT_P_GENERAL);
7540 options->port_share_host = p[1];
7541 options->port_share_port = p[2];
7542 options->port_share_journal_dir = p[3];
7543 }
7544#endif
7545 else if (streq(p[0], "client-to-client") && !p[1])
7546 {
7547 VERIFY_PERMISSION(OPT_P_GENERAL);
7548 options->enable_c2c = true;
7549 }
7550 else if (streq(p[0], "duplicate-cn") && !p[1])
7551 {
7552 VERIFY_PERMISSION(OPT_P_GENERAL);
7553 options->duplicate_cn = true;
7554 }
7555 else if (streq(p[0], "iroute") && p[1] && !p[3])
7556 {
7557 VERIFY_PERMISSION(OPT_P_INSTANCE);
7558 option_iroute(options, p[1], p[2], msglevel);
7559 }
7560 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7561 {
7562 VERIFY_PERMISSION(OPT_P_INSTANCE);
7563 option_iroute_ipv6(options, p[1], msglevel);
7564 }
7565 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7566 {
7567 in_addr_t local, remote_netmask;
7568
7569 VERIFY_PERMISSION(OPT_P_INSTANCE);
7570 local = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7571 remote_netmask = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7572 if (local && remote_netmask)
7573 {
7574 options->push_ifconfig_defined = true;
7575 options->push_ifconfig_local = local;
7576 options->push_ifconfig_remote_netmask = remote_netmask;
7577 if (p[3])
7578 {
7579 options->push_ifconfig_local_alias =
7580 getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7581 }
7582 }
7583 else
7584 {
7585 msg(msglevel, "cannot parse --ifconfig-push addresses");
7586 goto err;
7587 }
7588 }
7589 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7590 {
7591 in_addr_t network, netmask;
7592
7593 VERIFY_PERMISSION(OPT_P_GENERAL);
7594 network = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7595 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7596 if (network && netmask)
7597 {
7598 options->push_ifconfig_constraint_defined = true;
7599 options->push_ifconfig_constraint_network = network;
7600 options->push_ifconfig_constraint_netmask = netmask;
7601 }
7602 else
7603 {
7604 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7605 goto err;
7606 }
7607 }
7608 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7609 {
7610 struct in6_addr local, remote;
7611 unsigned int netbits;
7612
7613 VERIFY_PERMISSION(OPT_P_INSTANCE);
7614
7615 if (!get_ipv6_addr(p[1], &local, &netbits, msglevel))
7616 {
7617 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7618 goto err;
7619 }
7620
7621 if (p[2])
7622 {
7623 if (!get_ipv6_addr(p[2], &remote, NULL, msglevel))
7624 {
7625 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7626 goto err;
7627 }
7628 }
7629 else
7630 {
7631 if (!options->ifconfig_ipv6_local
7632 || !get_ipv6_addr(options->ifconfig_ipv6_local, &remote, NULL, msglevel))
7633 {
7634 msg(msglevel,
7635 "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7636 goto err;
7637 }
7638 }
7639
7640 options->push_ifconfig_ipv6_defined = true;
7641 options->push_ifconfig_ipv6_local = local;
7642 options->push_ifconfig_ipv6_netbits = netbits;
7643 options->push_ifconfig_ipv6_remote = remote;
7644 options->push_ifconfig_ipv6_blocked = false;
7645 }
7646 else if (streq(p[0], "disable") && !p[1])
7647 {
7648 VERIFY_PERMISSION(OPT_P_INSTANCE);
7649 options->disable = true;
7650 }
7651 else if (streq(p[0], "override-username") && p[1] && !p[2])
7652 {
7653 VERIFY_PERMISSION(OPT_P_INSTANCE);
7654 if (strlen(p[1]) > USER_PASS_LEN)
7655 {
7656 msg(msglevel,
7657 "override-username exceeds the maximum length of %d "
7658 "characters",
7659 USER_PASS_LEN);
7660
7661 /* disable the connection since ignoring the request to
7662 * set another username might cause serious problems */
7663 options->disable = true;
7664 }
7665 else
7666 {
7667 options->override_username = p[1];
7668 }
7669 }
7670 else if (streq(p[0], "tcp-nodelay") && !p[1])
7671 {
7672 VERIFY_PERMISSION(OPT_P_GENERAL);
7673 options->server_flags |= SF_TCP_NODELAY_HELPER;
7674 }
7675 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7676 {
7677 int ageing_time, check_interval;
7678
7679 VERIFY_PERMISSION(OPT_P_GENERAL);
7680 if (!atoi_constrained(p[1], &ageing_time, "stale-routes-check age", 1, INT_MAX, msglevel))
7681 {
7682 goto err;
7683 }
7684
7685 if (p[2])
7686 {
7687 if (!atoi_constrained(p[2], &check_interval,
7688 "stale-routes-check interval", 1, INT_MAX, msglevel))
7689 {
7690 goto err;
7691 }
7692 }
7693 else
7694 {
7695 check_interval = ageing_time;
7696 }
7697
7698 options->stale_routes_ageing_time = ageing_time;
7699 options->stale_routes_check_interval = check_interval;
7700 }
7701
7702 else if (streq(p[0], "client") && !p[1])
7703 {
7704 VERIFY_PERMISSION(OPT_P_GENERAL);
7705 options->client = true;
7706 }
7707 else if (streq(p[0], "pull") && !p[1])
7708 {
7709 VERIFY_PERMISSION(OPT_P_GENERAL);
7710 options->pull = true;
7711 }
7712 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
7713 {
7714 VERIFY_PERMISSION(OPT_P_PULL_MODE);
7715 atoi_constrained(p[1], &options->push_continuation, p[0], 0, 2, msglevel);
7716 }
7717 else if (streq(p[0], "auth-user-pass") && !p[2])
7718 {
7719 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
7720 if (p[1])
7721 {
7722 options->auth_user_pass_file = p[1];
7723 options->auth_user_pass_file_inline = is_inline;
7724 }
7725 else
7726 {
7727 options->auth_user_pass_file = "stdin";
7728 }
7729 }
7730 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
7731 {
7732 VERIFY_PERMISSION(OPT_P_GENERAL);
7733 auth_retry_set(msglevel, p[1]);
7734 }
7735#ifdef ENABLE_MANAGEMENT
7736 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[4])
7737 {
7738 VERIFY_PERMISSION(OPT_P_GENERAL);
7739 options->sc_info.challenge_text = p[1];
7740 if (atoi_warn(p[2], msglevel))
7741 {
7742 options->sc_info.flags |= SC_ECHO;
7743 }
7744 if (p[3] && streq(p[3], "concat"))
7745 {
7746 options->sc_info.flags |= SC_CONCAT;
7747 }
7748 else if (p[3] && !streq(p[3], "scrv1"))
7749 {
7750 msg(msglevel, "--static-challenge: unknown format indicator '%s'", p[3]);
7751 goto err;
7752 }
7753 }
7754#endif
7755 else if (streq(p[0], "msg-channel") && p[1])
7756 {
7757#ifdef _WIN32
7758 VERIFY_PERMISSION(OPT_P_GENERAL);
7759 HANDLE process = GetCurrentProcess();
7760 HANDLE handle = (HANDLE)((intptr_t)atoll(p[1]));
7761 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0, FALSE,
7762 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
7763 {
7764 msg(msglevel, "could not duplicate service pipe handle");
7765 goto err;
7766 }
7767 options->route_method = ROUTE_METHOD_SERVICE;
7768#else /* ifdef _WIN32 */
7769 msg(msglevel, "--msg-channel is only supported on Windows");
7770 goto err;
7771#endif
7772 }
7773#ifdef _WIN32
7774 else if (streq(p[0], "win-sys") && p[1] && !p[2])
7775 {
7776 VERIFY_PERMISSION(OPT_P_GENERAL);
7777 if (streq(p[1], "env"))
7778 {
7779 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
7780 "This entry will now be ignored. "
7781 "Please remove this entry from your configuration file.");
7782 }
7783 else
7784 {
7785 set_win_sys_path(p[1], es);
7786 }
7787 }
7788 else if (streq(p[0], "route-method") && p[1] && !p[2])
7789 {
7790 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7791 if (streq(p[1], "adaptive"))
7792 {
7793 options->route_method = ROUTE_METHOD_ADAPTIVE;
7794 }
7795 else if (streq(p[1], "ipapi"))
7796 {
7797 options->route_method = ROUTE_METHOD_IPAPI;
7798 }
7799 else if (streq(p[1], "exe"))
7800 {
7801 options->route_method = ROUTE_METHOD_EXE;
7802 }
7803 else
7804 {
7805 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
7806 goto err;
7807 }
7808 }
7809 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
7810 {
7811 const int index = ascii2ipset(p[1]);
7812 struct tuntap_options *to = &options->tuntap_options;
7813
7814 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7815
7816 if (index < 0)
7817 {
7818 msg(msglevel, "Bad --ip-win32 method: '%s'. Allowed methods: %s", p[1],
7819 ipset2ascii_all(&gc));
7820 goto err;
7821 }
7822
7823 if (index == IPW32_SET_ADAPTIVE)
7824 {
7825 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
7826 }
7827
7828 if (index == IPW32_SET_DHCP_MASQ)
7829 {
7830 if (p[2])
7831 {
7832 if (!streq(p[2], "default"))
7833 {
7834 int offset;
7835
7836 if (!atoi_constrained(p[2], &offset, "ip-win32 offset", -256, 256, msglevel))
7837 {
7838 goto err;
7839 }
7840 to->dhcp_masq_custom_offset = true;
7841 to->dhcp_masq_offset = offset;
7842 }
7843
7844 if (p[3])
7845 {
7846 if (!atoi_constrained(p[3], &to->dhcp_lease_time,
7847 "ip-win32 lease time", 30, INT_MAX, msglevel))
7848 {
7849 goto err;
7850 }
7851 }
7852 }
7853 }
7854 to->ip_win32_type = index;
7855 to->ip_win32_defined = true;
7856 }
7857#endif /* ifdef _WIN32 */
7858 else if (streq(p[0], "dns-updown") && p[1])
7859 {
7860 VERIFY_PERMISSION(OPT_P_SCRIPT);
7861 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7862 {
7863 goto err;
7864 }
7865 struct dns_options *dns = &options->dns_options;
7866 if (streq(p[1], "disable"))
7867 {
7868 dns->updown = NULL;
7869 dns->updown_flags = DNS_UPDOWN_NO_FLAGS;
7870 }
7871 else if (streq(p[1], "force"))
7872 {
7873 /* force dns-updown run, even if a --up script is defined */
7874 if (!dns_updown_user_set(dns))
7875 {
7876 dns->updown = DEFAULT_DNS_UPDOWN;
7877 dns->updown_flags = DNS_UPDOWN_FORCED;
7878 }
7879 }
7880 else
7881 {
7882 if (dns->updown && streq(dns->updown, DEFAULT_DNS_UPDOWN))
7883 {
7884 /* Unset the default command to prevent warnings */
7885 dns->updown = NULL;
7886 }
7887 set_user_script(options, &dns->updown, p[1], p[0], false);
7888 dns->updown_flags = DNS_UPDOWN_USER_SET;
7889 }
7890 }
7891 else if (streq(p[0], "dns") && p[1])
7892 {
7893 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7894 if (!check_dns_option(options, p, msglevel, pull_mode))
7895 {
7896 goto err;
7897 }
7898 }
7899 else if (streq(p[0], "dhcp-option") && p[1])
7900 {
7901 struct dhcp_options *dhcp = &options->dns_options.from_dhcp;
7902#if defined(_WIN32) || defined(TARGET_ANDROID)
7903 struct tuntap_options *o = &options->tuntap_options;
7904#endif
7905 VERIFY_PERMISSION(OPT_P_DHCPDNS);
7906
7907 bool dhcp_optional = false;
7908
7909 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX")) && p[2] && !p[3])
7910 {
7911 if (!validate_domain(p[2]))
7912 {
7913 msg(msglevel, "--dhcp-option %s contains invalid characters", p[1]);
7914 goto err;
7915 }
7916
7917 dhcp->domain = p[2];
7918 dhcp_optional = true;
7919 }
7920 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
7921 {
7922 if (!validate_domain(p[2]))
7923 {
7924 msg(msglevel, "--dhcp-option %s contains invalid characters", p[1]);
7925 goto err;
7926 }
7927
7928 if (dhcp->domain_search_list_len < N_SEARCH_LIST_LEN)
7929 {
7930 dhcp->domain_search_list[dhcp->domain_search_list_len++] = p[2];
7931 }
7932 else
7933 {
7934 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
7935 p[1], N_SEARCH_LIST_LEN);
7936 }
7937 dhcp_optional = true;
7938 }
7939 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
7940 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
7941 {
7942 if (strstr(p[2], ":"))
7943 {
7944 dhcp_option_dns6_parse(p[2], dhcp->dns6, &dhcp->dns6_len, msglevel);
7945 }
7946 else
7947 {
7948 dhcp_option_address_parse("DNS", p[2], dhcp->dns, &dhcp->dns_len, msglevel);
7949 dhcp_optional = true;
7950 }
7951 }
7952#if defined(_WIN32) || defined(TARGET_ANDROID)
7953 else if (streq(p[1], "NBS") && p[2] && !p[3])
7954 {
7955 o->netbios_scope = p[2];
7956 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
7957 }
7958 else if (streq(p[1], "NBT") && p[2] && !p[3])
7959 {
7960 int t = atoi_warn(p[2], msglevel);
7961 if (!(t == 1 || t == 2 || t == 4 || t == 8))
7962 {
7963 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
7964 goto err;
7965 }
7966 o->netbios_node_type = (uint8_t)t;
7967 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
7968 }
7969 else if (streq(p[1], "WINS") && p[2] && !p[3])
7970 {
7971 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
7972 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
7973 }
7974 else if (streq(p[1], "NTP") && p[2] && !p[3])
7975 {
7976 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
7977 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
7978 }
7979 else if (streq(p[1], "NBDD") && p[2] && !p[3])
7980 {
7981 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
7982 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
7983 }
7984 else if (streq(p[1], "DISABLE-NBT") && !p[2])
7985 {
7986 o->disable_nbt = 1;
7987 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
7988 }
7989#if defined(TARGET_ANDROID)
7990 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
7991 {
7992 o->http_proxy_port = positive_atoi(p[3], msglevel);
7993 o->http_proxy = p[2];
7994 }
7995#endif
7996 else
7997 {
7998 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter",
7999 p[1]);
8000 goto err;
8001 }
8002#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8003 setenv_foreign_option(options, p[1], p[2], es);
8004#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8005
8006 if (dhcp_optional)
8007 {
8008#if defined(_WIN32) || defined(TARGET_ANDROID)
8009 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8010#endif
8011 }
8012 }
8013#ifdef _WIN32
8014 else if (streq(p[0], "show-adapters") && !p[1])
8015 {
8016 VERIFY_PERMISSION(OPT_P_GENERAL);
8017 show_tap_win_adapters(M_INFO | M_NOPREFIX, M_WARN | M_NOPREFIX);
8018 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8019 }
8020 else if (streq(p[0], "show-net") && !p[1])
8021 {
8022 VERIFY_PERMISSION(OPT_P_GENERAL);
8023 show_routes(M_INFO | M_NOPREFIX);
8024 show_adapters(M_INFO | M_NOPREFIX);
8025 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8026 }
8027 else if (streq(p[0], "show-net-up") && !p[1])
8028 {
8029 VERIFY_PERMISSION(OPT_P_UP);
8030 options->show_net_up = true;
8031 }
8032 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8033 {
8034 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8035 if (!atoi_constrained(p[1], &options->tuntap_options.tap_sleep, p[0], 0, 255, msglevel))
8036 {
8037 goto err;
8038 }
8039 }
8040 else if (streq(p[0], "dhcp-renew") && !p[1])
8041 {
8042 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8043 options->tuntap_options.dhcp_renew = true;
8044 }
8045 else if (streq(p[0], "dhcp-pre-release") && !p[1])
8046 {
8047 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8048 options->tuntap_options.dhcp_pre_release = true;
8049 options->tuntap_options.dhcp_renew = true;
8050 }
8051 else if (streq(p[0], "dhcp-release") && !p[1])
8052 {
8053 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8054 }
8055 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8056 {
8057 unsigned int adapter_index;
8058 VERIFY_PERMISSION(OPT_P_GENERAL);
8059 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8060 adapter_index = atou(p[1]);
8061 sleep(options->tuntap_options.tap_sleep);
8062 if (options->tuntap_options.dhcp_pre_release)
8063 {
8064 dhcp_release_by_adapter_index(adapter_index);
8065 }
8066 if (options->tuntap_options.dhcp_renew)
8067 {
8068 dhcp_renew_by_adapter_index(adapter_index);
8069 }
8070 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8071 }
8072 else if (streq(p[0], "register-dns") && !p[1])
8073 {
8074 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8075 options->tuntap_options.register_dns = true;
8076 }
8077 else if (streq(p[0], "block-outside-dns") && !p[1])
8078 {
8079 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8080 options->block_outside_dns = true;
8081 }
8082 else if (streq(p[0], "rdns-internal") && !p[1])
8083 /* standalone method for internal use
8084 *
8085 * (if --register-dns is set, openvpn needs to call itself in a
8086 * sub-process to execute the required functions in a non-blocking
8087 * way, and uses --rdns-internal to signal that to itself)
8088 */
8089 {
8090 VERIFY_PERMISSION(OPT_P_GENERAL);
8091 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8092 if (options->tuntap_options.register_dns)
8093 {
8094 ipconfig_register_dns(NULL);
8095 }
8096 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8097 }
8098 else if (streq(p[0], "show-valid-subnets") && !p[1])
8099 {
8100 VERIFY_PERMISSION(OPT_P_GENERAL);
8101 show_valid_win32_tun_subnets();
8102 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8103 }
8104 else if (streq(p[0], "pause-exit") && !p[1])
8105 {
8106 VERIFY_PERMISSION(OPT_P_GENERAL);
8107 set_pause_exit_win32();
8108 }
8109 else if (streq(p[0], "service") && p[1] && !p[3])
8110 {
8111 VERIFY_PERMISSION(OPT_P_GENERAL);
8112 options->exit_event_name = p[1];
8113 if (p[2])
8114 {
8115 options->exit_event_initial_state = (atoi_warn(p[2], msglevel) != 0);
8116 }
8117 }
8118 else if (streq(p[0], "allow-nonadmin") && !p[2])
8119 {
8120 VERIFY_PERMISSION(OPT_P_GENERAL);
8121 tap_allow_nonadmin_access(p[1]);
8122 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8123 }
8124 else if (streq(p[0], "user") && p[1] && !p[2])
8125 {
8126 VERIFY_PERMISSION(OPT_P_GENERAL);
8127 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8128 }
8129 else if (streq(p[0], "group") && p[1] && !p[2])
8130 {
8131 VERIFY_PERMISSION(OPT_P_GENERAL);
8132 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8133 }
8134#else /* ifdef _WIN32 */
8135 else if (streq(p[0], "user") && p[1] && !p[2])
8136 {
8137 VERIFY_PERMISSION(OPT_P_GENERAL);
8138 options->username = p[1];
8139 }
8140 else if (streq(p[0], "group") && p[1] && !p[2])
8141 {
8142 VERIFY_PERMISSION(OPT_P_GENERAL);
8143 options->groupname = p[1];
8144 }
8145 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8146 {
8147 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8148 setenv_foreign_option(options, p[1], p[2], es);
8149 }
8150 else if (streq(p[0], "route-method") && p[1] && !p[2])
8151 {
8152 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8153 /* ignore when pushed to non-Windows OS */
8154 }
8155#endif /* ifdef _WIN32 */
8156#if PASSTOS_CAPABILITY
8157 else if (streq(p[0], "passtos") && !p[1])
8158 {
8159 VERIFY_PERMISSION(OPT_P_GENERAL);
8160 options->passtos = true;
8161 }
8162#endif
8163 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8164 {
8165 VERIFY_PERMISSION(OPT_P_GENERAL);
8166
8167 if (streq(p[1], "no"))
8168 {
8169 options->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
8170 if (comp_non_stub_enabled(&options->comp))
8171 {
8172 msg(msglevel, "'--allow-compression no' conflicts with "
8173 " enabling compression");
8174 }
8175 }
8176 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8177 {
8178 /* Also printed on a push to hint at configuration problems */
8179 msg(msglevel,
8180 "Cannot set allow-compression to '%s' "
8181 "after set to 'no'",
8182 p[1]);
8183 goto err;
8184 }
8185 else if (streq(p[1], "asym"))
8186 {
8187 options->comp.flags |= COMP_F_ALLOW_ASYM;
8188 }
8189 else if (streq(p[1], "yes"))
8190 {
8191 msg(M_WARN,
8192 "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. "
8193 "We will use \"asym\" mode instead. See the manual page for more information.");
8194
8195 options->comp.flags |= COMP_F_ALLOW_ASYM;
8196 }
8197 else
8198 {
8199 msg(msglevel,
8200 "bad allow-compression option: %s -- "
8201 "must be 'yes', 'no', or 'asym'",
8202 p[1]);
8203 goto err;
8204 }
8205 }
8206 else if (streq(p[0], "comp-lzo") && !p[2])
8207 {
8208 VERIFY_PERMISSION(OPT_P_COMP);
8209
8210 /* All lzo variants do not use swap */
8211 options->comp.flags &= ~COMP_F_SWAP;
8212 options->comp.alg = COMP_ALG_LZO;
8213
8214 if (p[1])
8215 {
8216 if (streq(p[1], "no"))
8217 {
8218 options->comp.alg = COMP_ALG_STUB;
8219 }
8220 /* There is no actual difference anymore between these variants.
8221 * We never compress. On the server side we replace this with
8222 * --compress migrate later anyway.
8223 */
8224 else if (!(streq(p[1], "yes") || streq(p[1], "adaptive")))
8225 {
8226 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'",
8227 p[1]);
8228 goto err;
8229 }
8230 }
8231 show_compression_warning(&options->comp);
8232 }
8233 else if (streq(p[0], "comp-noadapt") && !p[1])
8234 {
8235 /* NO-OP since we never compress anymore */
8236 }
8237 else if (streq(p[0], "compress") && !p[2])
8238 {
8239 VERIFY_PERMISSION(OPT_P_COMP);
8240 const char *alg = "stub";
8241 if (p[1])
8242 {
8243 alg = p[1];
8244 }
8245
8246 if (streq(alg, "stub"))
8247 {
8248 options->comp.alg = COMP_ALG_STUB;
8249 options->comp.flags |= (COMP_F_SWAP | COMP_F_ADVERTISE_STUBS_ONLY);
8250 }
8251 else if (streq(alg, "stub-v2"))
8252 {
8253 options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8254 options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8255 }
8256 else if (streq(alg, "migrate"))
8257 {
8258 options->comp.alg = COMP_ALG_UNDEF;
8259 options->comp.flags = COMP_F_MIGRATE;
8260 }
8261 else if (streq(alg, "lzo"))
8262 {
8263 options->comp.alg = COMP_ALG_LZO;
8264 options->comp.flags &= ~COMP_F_SWAP;
8265 }
8266 else if (streq(alg, "lz4"))
8267 {
8268 options->comp.alg = COMP_ALG_LZ4;
8269 options->comp.flags |= COMP_F_SWAP;
8270 }
8271 else if (streq(alg, "lz4-v2"))
8272 {
8273 options->comp.alg = COMP_ALGV2_LZ4;
8274 }
8275 else
8276 {
8277 msg(msglevel, "bad comp option: %s", alg);
8278 goto err;
8279 }
8280
8281 show_compression_warning(&options->comp);
8282 }
8283 else if (streq(p[0], "show-ciphers") && !p[1])
8284 {
8285 VERIFY_PERMISSION(OPT_P_GENERAL);
8286 options->show_ciphers = true;
8287 }
8288 else if (streq(p[0], "show-digests") && !p[1])
8289 {
8290 VERIFY_PERMISSION(OPT_P_GENERAL);
8291 options->show_digests = true;
8292 }
8293 else if (streq(p[0], "show-engines") && !p[1])
8294 {
8295 VERIFY_PERMISSION(OPT_P_GENERAL);
8296 options->show_engines = true;
8297 }
8298 else if (streq(p[0], "key-direction") && p[1] && !p[2])
8299 {
8300 int key_direction;
8301
8302 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
8303
8304 key_direction = ascii2keydirection(msglevel, p[1]);
8305 if (key_direction >= 0)
8306 {
8307 if (permission_mask & OPT_P_GENERAL)
8308 {
8309 options->key_direction = key_direction;
8310 }
8311 else if (permission_mask & OPT_P_CONNECTION)
8312 {
8313 options->ce.key_direction = key_direction;
8314 }
8315 }
8316 else
8317 {
8318 goto err;
8319 }
8320 }
8321 else if (streq(p[0], "secret") && p[1] && !p[3])
8322 {
8323 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8324 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8325 options->shared_secret_file = p[1];
8326 options->shared_secret_file_inline = is_inline;
8327 if (!is_inline && p[2])
8328 {
8329 int key_direction;
8330
8331 key_direction = ascii2keydirection(msglevel, p[2]);
8332 if (key_direction >= 0)
8333 {
8334 options->key_direction = key_direction;
8335 }
8336 else
8337 {
8338 goto err;
8339 }
8340 }
8341 }
8342 else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
8343 {
8344 VERIFY_PERMISSION(OPT_P_GENERAL);
8345 options->allow_deprecated_insecure_static_crypto = true;
8346 }
8347 else if (streq(p[0], "genkey") && !p[4])
8348 {
8349 VERIFY_PERMISSION(OPT_P_GENERAL);
8350 options->genkey = true;
8351 if (!p[1])
8352 {
8353 options->genkey_type = GENKEY_SECRET;
8354 }
8355 else
8356 {
8357 if (streq(p[1], "secret") || streq(p[1], "tls-auth") || streq(p[1], "tls-crypt"))
8358 {
8359 options->genkey_type = GENKEY_SECRET;
8360 }
8361 else if (streq(p[1], "tls-crypt-v2-server"))
8362 {
8363 options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
8364 }
8365 else if (streq(p[1], "tls-crypt-v2-client"))
8366 {
8367 options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
8368 if (p[3])
8369 {
8370 options->genkey_extra_data = p[3];
8371 }
8372 }
8373 else if (streq(p[1], "auth-token"))
8374 {
8375 options->genkey_type = GENKEY_AUTH_TOKEN;
8376 }
8377 else
8378 {
8379 msg(msglevel, "unknown --genkey type: %s", p[1]);
8380 }
8381 }
8382 if (p[2])
8383 {
8384 options->genkey_filename = p[2];
8385 }
8386 }
8387 else if (streq(p[0], "auth") && p[1] && !p[2])
8388 {
8389 VERIFY_PERMISSION(OPT_P_GENERAL);
8390 options->authname = p[1];
8391 }
8392 else if (streq(p[0], "cipher") && p[1] && !p[2])
8393 {
8394 VERIFY_PERMISSION(OPT_P_NCP | OPT_P_INSTANCE);
8395 options->ciphername = p[1];
8396 }
8397 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8398 {
8399 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
8400 options->ciphername = p[1];
8401 options->enable_ncp_fallback = true;
8402 }
8403 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) && p[1] && !p[2])
8404 {
8405 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
8406 if (streq(p[0], "ncp-ciphers"))
8407 {
8408 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8409 " '--data-ciphers' (renamed in OpenVPN 2.5).");
8410 }
8411 options->ncp_ciphers = p[1];
8412 }
8413 else if (streq(p[0], "key-derivation") && p[1])
8414 {
8415 /* NCP only option that is pushed by the server to enable EKM,
8416 * should not be used by normal users in config files*/
8417 VERIFY_PERMISSION(OPT_P_NCP)
8418 if (streq(p[1], "tls-ekm"))
8419 {
8420 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8421 }
8422 else
8423 {
8424 msg(msglevel, "Unknown key-derivation method %s", p[1]);
8425 }
8426 }
8427 else if (streq(p[0], "protocol-flags") && p[1])
8428 {
8429 /* NCP only option that is pushed by the server to enable protocol
8430 * features that are negotiated, should not be used by normal users
8431 * in config files */
8432 VERIFY_PERMISSION(OPT_P_NCP)
8433 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8434 {
8435 if (streq(p[j], "cc-exit"))
8436 {
8437 options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
8438 }
8439 else if (streq(p[j], "tls-ekm"))
8440 {
8441 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8442 }
8443 else if (streq(p[j], "dyn-tls-crypt"))
8444 {
8445 options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
8446 }
8447 else if (streq(p[j], "aead-epoch"))
8448 {
8449 options->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
8450 }
8451 else
8452 {
8453 msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
8454 }
8455 }
8456 }
8457 else if (streq(p[0], "force-tls-key-material-export"))
8458 {
8459 VERIFY_PERMISSION(OPT_P_GENERAL);
8460 options->force_key_material_export = true;
8461 }
8462 else if (streq(p[0], "prng") && p[1] && !p[3])
8463 {
8464 msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8465 }
8466 else if (streq(p[0], "no-replay") && !p[1])
8467 {
8468 VERIFY_PERMISSION(OPT_P_GENERAL);
8469 /* always error out, this breaks the connection */
8470 msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
8471 "Update your configuration.");
8472 }
8473 else if (streq(p[0], "replay-window") && !p[3])
8474 {
8475 VERIFY_PERMISSION(OPT_P_GENERAL);
8476 if (p[1])
8477 {
8478 if (!atoi_constrained(p[1], &options->replay_window, "replay-window windows size",
8479 MIN_SEQ_BACKTRACK, MAX_SEQ_BACKTRACK, msglevel))
8480 {
8481 goto err;
8482 }
8483
8484 if (p[2])
8485 {
8486 if (!atoi_constrained(p[2], &options->replay_time, "replay-window time window",
8487 MIN_TIME_BACKTRACK, MAX_TIME_BACKTRACK, msglevel))
8488 {
8489 goto err;
8490 }
8491 }
8492 }
8493 else
8494 {
8495 msg(msglevel, "replay-window option is missing window size parameter");
8496 goto err;
8497 }
8498 }
8499 else if (streq(p[0], "mute-replay-warnings") && !p[1])
8500 {
8501 VERIFY_PERMISSION(OPT_P_GENERAL);
8502 options->mute_replay_warnings = true;
8503 }
8504 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8505 {
8506 VERIFY_PERMISSION(OPT_P_GENERAL);
8507 options->packet_id_file = p[1];
8508 }
8509 else if (streq(p[0], "test-crypto") && !p[1])
8510 {
8511 VERIFY_PERMISSION(OPT_P_GENERAL);
8512 options->test_crypto = true;
8513 }
8514#ifndef ENABLE_CRYPTO_MBEDTLS
8515 else if (streq(p[0], "engine") && !p[2])
8516 {
8517 VERIFY_PERMISSION(OPT_P_GENERAL);
8518 if (p[1])
8519 {
8520 options->engine = p[1];
8521 }
8522 else
8523 {
8524 options->engine = "auto";
8525 }
8526 }
8527#endif /* ENABLE_CRYPTO_MBEDTLS */
8528 else if (streq(p[0], "providers") && p[1])
8529 {
8530 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8531 {
8532 options->providers.names[j] = p[j];
8533 }
8534 }
8535 else if (streq(p[0], "show-tls") && !p[1])
8536 {
8537 VERIFY_PERMISSION(OPT_P_GENERAL);
8538 options->show_tls_ciphers = true;
8539 }
8540 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8541 {
8542 VERIFY_PERMISSION(OPT_P_GENERAL);
8543 options->show_curves = true;
8544 }
8545 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8546 {
8547 VERIFY_PERMISSION(OPT_P_GENERAL);
8548 msg(M_WARN, "Consider setting groups/curves preference with "
8549 "tls-groups instead of forcing a specific curve with "
8550 "ecdh-curve.");
8551 options->ecdh_curve = p[1];
8552 }
8553 else if (streq(p[0], "tls-server") && !p[1])
8554 {
8555 VERIFY_PERMISSION(OPT_P_GENERAL);
8556 options->tls_server = true;
8557 }
8558 else if (streq(p[0], "tls-client") && !p[1])
8559 {
8560 VERIFY_PERMISSION(OPT_P_GENERAL);
8561 options->tls_client = true;
8562 }
8563 else if (streq(p[0], "ca") && p[1] && !p[2])
8564 {
8565 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8566 options->ca_file = p[1];
8567 options->ca_file_inline = is_inline;
8568 }
8569#ifndef ENABLE_CRYPTO_MBEDTLS
8570 else if (streq(p[0], "capath") && p[1] && !p[2])
8571 {
8572 VERIFY_PERMISSION(OPT_P_GENERAL);
8573 options->ca_path = p[1];
8574 }
8575#endif /* ENABLE_CRYPTO_MBEDTLS */
8576 else if (streq(p[0], "dh") && p[1] && !p[2])
8577 {
8578 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8579 options->dh_file = p[1];
8580 options->dh_file_inline = is_inline;
8581 }
8582 else if (streq(p[0], "cert") && p[1] && !p[2])
8583 {
8584 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8585 options->cert_file = p[1];
8586 options->cert_file_inline = is_inline;
8587 }
8588 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8589 {
8590 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8591 options->extra_certs_file = p[1];
8592 options->extra_certs_file_inline = is_inline;
8593 }
8594 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8595 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8596 {
8597 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8598
8599 int verify_hash_depth = 0;
8600 if (streq(p[0], "verify-hash"))
8601 {
8602 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8603 "You should switch to the either use the level 1 certificate as "
8604 "--ca option, use --tls-verify or use --peer-fingerprint");
8605 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8606 verify_hash_depth = 1;
8607 }
8608
8609 options->verify_hash_algo = MD_SHA256;
8610
8611 int digest_len = SHA256_DIGEST_LENGTH;
8612
8613 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
8614 {
8615 msg(msglevel,
8616 "ERROR: Setting %s not allowed. --verify-hash and"
8617 " --peer-fingerprint are mutually exclusive",
8618 p[0]);
8619 goto err;
8620 }
8621
8622 if (streq(p[0], "verify-hash"))
8623 {
8624 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
8625 {
8626 options->verify_hash_algo = MD_SHA1;
8627 digest_len = SHA_DIGEST_LENGTH;
8628 }
8629 else if (p[2] && !streq(p[2], "SHA256"))
8630 {
8631 msg(msglevel,
8632 "invalid or unsupported hashing algorithm: %s "
8633 "(only SHA1 and SHA256 are supported)",
8634 p[2]);
8635 goto err;
8636 }
8637 }
8638
8639 struct verify_hash_list *newlist;
8640 newlist = parse_hash_fingerprint_multiline(p[1], digest_len, msglevel, &options->gc);
8641
8642 /* Append the new list to the end of our current list */
8643 if (!options->verify_hash)
8644 {
8645 options->verify_hash = newlist;
8646 options->verify_hash_depth = verify_hash_depth;
8647 }
8648 else
8649 {
8650 /* since both the old and new list can have multiple entries
8651 * we need to go to the end of one of them to concatenate them */
8652 struct verify_hash_list *listend = options->verify_hash;
8653 while (listend->next)
8654 {
8655 listend = listend->next;
8656 }
8657 listend->next = newlist;
8658 }
8659 }
8660#if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
8661 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
8662 {
8663 VERIFY_PERMISSION(OPT_P_GENERAL);
8664 options->cryptoapi_cert = p[1];
8665 }
8666#endif
8667 else if (streq(p[0], "key") && p[1] && !p[2])
8668 {
8669 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8670 options->priv_key_file = p[1];
8671 options->priv_key_file_inline = is_inline;
8672 }
8673 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
8674 {
8675 VERIFY_PERMISSION(OPT_P_GENERAL);
8676 int ver = tls_version_parse(p[1], p[2]);
8677 if (ver == TLS_VER_BAD)
8678 {
8679 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
8680 goto err;
8681 }
8682
8683#ifdef ENABLE_CRYPTO_MBEDTLS
8684 if (ver < TLS_VER_1_2)
8685 {
8686 msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
8687 ver = TLS_VER_1_2;
8688 }
8689#endif
8690
8691 options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
8692 options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MIN_SHIFT);
8693 }
8694 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
8695 {
8696 VERIFY_PERMISSION(OPT_P_GENERAL);
8697 int ver = tls_version_parse(p[1], NULL);
8698 if (ver == TLS_VER_BAD)
8699 {
8700 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
8701 goto err;
8702 }
8703 options->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
8704 options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MAX_SHIFT);
8705 }
8706#ifndef ENABLE_CRYPTO_MBEDTLS
8707 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
8708 {
8709 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8710 options->pkcs12_file = p[1];
8711 options->pkcs12_file_inline = is_inline;
8712 }
8713#endif /* ENABLE_CRYPTO_MBEDTLS */
8714 else if (streq(p[0], "askpass") && !p[2])
8715 {
8716 VERIFY_PERMISSION(OPT_P_GENERAL);
8717 if (p[1])
8718 {
8719 options->key_pass_file = p[1];
8720 }
8721 else
8722 {
8723 options->key_pass_file = "stdin";
8724 }
8725 }
8726 else if (streq(p[0], "auth-nocache") && !p[1])
8727 {
8728 VERIFY_PERMISSION(OPT_P_GENERAL);
8729 ssl_set_auth_nocache();
8730 }
8731 else if (streq(p[0], "auth-token") && p[1] && !p[2])
8732 {
8733 VERIFY_PERMISSION(OPT_P_ECHO);
8734 ssl_set_auth_token(p[1]);
8735#ifdef ENABLE_MANAGEMENT
8736 if (management)
8737 {
8738 management_auth_token(management, p[1]);
8739 }
8740#endif
8741 }
8742 else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
8743 {
8744 VERIFY_PERMISSION(OPT_P_ECHO);
8745 ssl_set_auth_token_user(p[1]);
8746 }
8747 else if (streq(p[0], "single-session") && !p[1])
8748 {
8749 VERIFY_PERMISSION(OPT_P_GENERAL);
8750 options->single_session = true;
8751 }
8752 else if (streq(p[0], "push-peer-info") && !p[1])
8753 {
8754 VERIFY_PERMISSION(OPT_P_GENERAL);
8755 options->push_peer_info = true;
8756 }
8757 else if (streq(p[0], "tls-exit") && !p[1])
8758 {
8759 VERIFY_PERMISSION(OPT_P_GENERAL);
8760 options->tls_exit = true;
8761 }
8762 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
8763 {
8764 VERIFY_PERMISSION(OPT_P_GENERAL);
8765 options->cipher_list = p[1];
8766 }
8767 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
8768 {
8769 VERIFY_PERMISSION(OPT_P_GENERAL);
8770 options->tls_cert_profile = p[1];
8771 }
8772 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
8773 {
8774 VERIFY_PERMISSION(OPT_P_GENERAL);
8775 options->cipher_list_tls13 = p[1];
8776 }
8777 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
8778 {
8779 VERIFY_PERMISSION(OPT_P_GENERAL);
8780 options->tls_groups = p[1];
8781 }
8782 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2]))
8783 {
8784 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8785 if (p[2] && streq(p[2], "dir"))
8786 {
8787 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
8788 }
8789 options->crl_file = p[1];
8790 options->crl_file_inline = is_inline;
8791 }
8792 else if (streq(p[0], "tls-verify") && p[1])
8793 {
8794 VERIFY_PERMISSION(OPT_P_SCRIPT);
8795 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8796 {
8797 goto err;
8798 }
8799 set_user_script(options, &options->tls_verify,
8800 string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true);
8801 }
8802 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
8803 {
8804 VERIFY_PERMISSION(OPT_P_SCRIPT);
8805 options->tls_export_peer_cert_dir = p[1];
8806 }
8807 else if (streq(p[0], "compat-names"))
8808 {
8809 VERIFY_PERMISSION(OPT_P_GENERAL);
8810 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
8811 "Update your configuration.");
8812 goto err;
8813 }
8814 else if (streq(p[0], "no-name-remapping") && !p[1])
8815 {
8816 VERIFY_PERMISSION(OPT_P_GENERAL);
8817 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
8818 "Update your configuration.");
8819 goto err;
8820 }
8821 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
8822 {
8823 int type = VERIFY_X509_SUBJECT_DN;
8824 VERIFY_PERMISSION(OPT_P_GENERAL);
8825 if (p[2])
8826 {
8827 if (streq(p[2], "subject"))
8828 {
8829 type = VERIFY_X509_SUBJECT_DN;
8830 }
8831 else if (streq(p[2], "name"))
8832 {
8833 type = VERIFY_X509_SUBJECT_RDN;
8834 }
8835 else if (streq(p[2], "name-prefix"))
8836 {
8837 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
8838 }
8839 else
8840 {
8841 msg(msglevel, "unknown X.509 name type: %s", p[2]);
8842 goto err;
8843 }
8844 }
8845 options->verify_x509_type = type;
8846 options->verify_x509_name = p[1];
8847 }
8848 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
8849 {
8850#ifdef ENABLE_CRYPTO_MBEDTLS
8851 msg(msglevel, "--ns-cert-type is not available with mbedtls.");
8852 goto err;
8853#else
8854 VERIFY_PERMISSION(OPT_P_GENERAL);
8855 if (streq(p[1], "server"))
8856 {
8857 options->ns_cert_type = NS_CERT_CHECK_SERVER;
8858 }
8859 else if (streq(p[1], "client"))
8860 {
8861 options->ns_cert_type = NS_CERT_CHECK_CLIENT;
8862 }
8863 else
8864 {
8865 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
8866 goto err;
8867 }
8868#endif /* ENABLE_CRYPTO_MBEDTLS */
8869 }
8870 else if (streq(p[0], "remote-cert-ku"))
8871 {
8872 VERIFY_PERMISSION(OPT_P_GENERAL);
8873
8874 size_t j;
8875 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
8876 {
8877 sscanf(p[j], "%x", &(options->remote_cert_ku[j - 1]));
8878 }
8879 if (j == 1)
8880 {
8881 /* No specific KU required, but require KU to be present */
8882 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8883 }
8884 }
8885 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
8886 {
8887 VERIFY_PERMISSION(OPT_P_GENERAL);
8888 options->remote_cert_eku = p[1];
8889 }
8890 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
8891 {
8892 VERIFY_PERMISSION(OPT_P_GENERAL);
8893
8894 if (streq(p[1], "server"))
8895 {
8896 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8897 options->remote_cert_eku = "TLS Web Server Authentication";
8898 }
8899 else if (streq(p[1], "client"))
8900 {
8901 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8902 options->remote_cert_eku = "TLS Web Client Authentication";
8903 }
8904 else
8905 {
8906 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
8907 goto err;
8908 }
8909 }
8910 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
8911 {
8912 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8913 options->tls_timeout = positive_atoi(p[1], msglevel);
8914 }
8915 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
8916 {
8917 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8918 if (!positive_atoll(p[1], &options->renegotiate_bytes, p[0], msglevel))
8919 {
8920 goto err;
8921 }
8922 }
8923 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
8924 {
8925 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8926 if (!positive_atoll(p[1], &options->renegotiate_packets, p[0], msglevel))
8927 {
8928 goto err;
8929 }
8930 }
8931 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
8932 {
8933 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8934 options->renegotiate_seconds = positive_atoi(p[1], msglevel);
8935 if (p[2])
8936 {
8937 options->renegotiate_seconds_min = positive_atoi(p[2], msglevel);
8938 }
8939 }
8940 else if (streq(p[0], "hand-window") && p[1] && !p[2])
8941 {
8942 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8943 options->handshake_window = positive_atoi(p[1], msglevel);
8944 }
8945 else if (streq(p[0], "tran-window") && p[1] && !p[2])
8946 {
8947 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8948 options->transition_window = positive_atoi(p[1], msglevel);
8949 }
8950 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
8951 {
8952 int key_direction = -1;
8953
8954 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
8955
8956 if (permission_mask & OPT_P_GENERAL)
8957 {
8958 options->tls_auth_file = p[1];
8959 options->tls_auth_file_inline = is_inline;
8960
8961 if (!is_inline && p[2])
8962 {
8963 key_direction = ascii2keydirection(msglevel, p[2]);
8964 if (key_direction < 0)
8965 {
8966 goto err;
8967 }
8968 options->key_direction = key_direction;
8969 }
8970 }
8971 else if (permission_mask & OPT_P_CONNECTION)
8972 {
8973 options->ce.tls_auth_file = p[1];
8974 options->ce.tls_auth_file_inline = is_inline;
8975 options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
8976
8977 if (!is_inline && p[2])
8978 {
8979 key_direction = ascii2keydirection(msglevel, p[2]);
8980 if (key_direction < 0)
8981 {
8982 goto err;
8983 }
8984 options->ce.key_direction = key_direction;
8985 }
8986 }
8987 }
8988 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
8989 {
8990 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
8991 if (permission_mask & OPT_P_GENERAL)
8992 {
8993 options->tls_crypt_file = p[1];
8994 options->tls_crypt_file_inline = is_inline;
8995 }
8996 else if (permission_mask & OPT_P_CONNECTION)
8997 {
8998 options->ce.tls_crypt_file = p[1];
8999 options->ce.tls_crypt_file_inline = is_inline;
9000 }
9001 }
9002 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9003 {
9004 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
9005 if (permission_mask & OPT_P_GENERAL)
9006 {
9007 options->tls_crypt_v2_file = p[1];
9008 options->tls_crypt_v2_file_inline = is_inline;
9009 }
9010 else if (permission_mask & OPT_P_CONNECTION)
9011 {
9012 options->ce.tls_crypt_v2_file = p[1];
9013 options->ce.tls_crypt_v2_file_inline = is_inline;
9014 }
9015
9016 if (p[2] && streq(p[2], "force-cookie"))
9017 {
9018 options->ce.tls_crypt_v2_force_cookie = true;
9019 }
9020 else if (p[2] && streq(p[2], "allow-noncookie"))
9021 {
9022 options->ce.tls_crypt_v2_force_cookie = false;
9023 }
9024 else if (p[2])
9025 {
9026 msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9027 }
9028 }
9029 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9030 {
9031 VERIFY_PERMISSION(OPT_P_GENERAL);
9032 options->tls_crypt_v2_verify_script = p[1];
9033 }
9034 else if (streq(p[0], "tls-crypt-v2-max-age") && p[1])
9035 {
9036 VERIFY_PERMISSION(OPT_P_GENERAL);
9037 if (!atoi_constrained(p[1], &options->tls_crypt_v2_max_age, "tls-crypt-v2-max-age", 1, INT_MAX, msglevel))
9038 {
9039 goto err;
9040 }
9041 }
9042 else if (streq(p[0], "x509-track") && p[1] && !p[2])
9043 {
9044 VERIFY_PERMISSION(OPT_P_GENERAL);
9045 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9046 }
9047 else if (streq(p[0], "x509-username-field") && p[1])
9048 {
9049 VERIFY_PERMISSION(OPT_P_GENERAL);
9050 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9051 {
9052 char *s = p[j];
9053
9054 if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s + 4))
9055 {
9056 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9057 }
9058 options->x509_username_field[j - 1] = p[j];
9059 }
9060 }
9061#ifdef ENABLE_PKCS11
9062 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9063 {
9064 char *provider = p[1];
9065 bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0));
9066
9067#ifdef DEFAULT_PKCS11_MODULE
9068 if (!provider)
9069 {
9070 provider = DEFAULT_PKCS11_MODULE;
9071 }
9072 else if (!p[2])
9073 {
9074 char *endp = NULL;
9075 long i = strtol(provider, &endp, 10);
9076
9077 if (*endp == 0)
9078 {
9079 /* There was one argument, and it was purely numeric.
9080 * Interpret it as the cert_private argument */
9081 provider = DEFAULT_PKCS11_MODULE;
9082 cert_private = i;
9083 }
9084 }
9085#else /* ifdef DEFAULT_PKCS11_MODULE */
9086 if (!provider)
9087 {
9088 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9089 goto err;
9090 }
9091#endif /* ifdef DEFAULT_PKCS11_MODULE */
9092 VERIFY_PERMISSION(OPT_P_GENERAL);
9093
9094 set_debug_level(options->verbosity, SDL_CONSTRAIN);
9095 show_pkcs11_ids(provider, cert_private);
9096 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9097 }
9098 else if (streq(p[0], "pkcs11-providers") && p[1])
9099 {
9100 int j;
9101
9102 VERIFY_PERMISSION(OPT_P_GENERAL);
9103
9104 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9105 {
9106 options->pkcs11_providers[j - 1] = p[j];
9107 }
9108 }
9109 else if (streq(p[0], "pkcs11-protected-authentication"))
9110 {
9111 int j;
9112
9113 VERIFY_PERMISSION(OPT_P_GENERAL);
9114
9115 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9116 {
9117 options->pkcs11_protected_authentication[j - 1] =
9118 atoi_warn(p[j], msglevel) != 0 ? 1 : 0;
9119 }
9120 }
9121 else if (streq(p[0], "pkcs11-private-mode") && p[1])
9122 {
9123 int j;
9124
9125 VERIFY_PERMISSION(OPT_P_GENERAL);
9126
9127 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9128 {
9129 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j - 1]));
9130 }
9131 }
9132 else if (streq(p[0], "pkcs11-cert-private"))
9133 {
9134 int j;
9135
9136 VERIFY_PERMISSION(OPT_P_GENERAL);
9137
9138 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9139 {
9140 options->pkcs11_cert_private[j - 1] = (bool)(atoi_warn(p[j], msglevel));
9141 }
9142 }
9143 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9144 {
9145 VERIFY_PERMISSION(OPT_P_GENERAL);
9146 options->pkcs11_pin_cache_period = positive_atoi(p[1], msglevel);
9147 }
9148 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9149 {
9150 VERIFY_PERMISSION(OPT_P_GENERAL);
9151 options->pkcs11_id = p[1];
9152 }
9153 else if (streq(p[0], "pkcs11-id-management") && !p[1])
9154 {
9155 VERIFY_PERMISSION(OPT_P_GENERAL);
9156 options->pkcs11_id_management = true;
9157 }
9158#endif /* ifdef ENABLE_PKCS11 */
9159 else if (streq(p[0], "rmtun") && !p[1])
9160 {
9161 VERIFY_PERMISSION(OPT_P_GENERAL);
9162 options->persist_config = true;
9163 options->persist_mode = 0;
9164 }
9165 else if (streq(p[0], "mktun") && !p[1])
9166 {
9167 VERIFY_PERMISSION(OPT_P_GENERAL);
9168 options->persist_config = true;
9169 options->persist_mode = 1;
9170 }
9171 else if (streq(p[0], "peer-id") && p[1] && !p[2])
9172 {
9173 VERIFY_PERMISSION(OPT_P_PEER_ID);
9174 options->use_peer_id = true;
9175 options->peer_id = atoi_warn(p[1], msglevel);
9176 }
9177 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9178 {
9179 VERIFY_PERMISSION(OPT_P_GENERAL);
9180
9181 if (strncmp(p[1], "EXPORTER", 8))
9182 {
9183 msg(msglevel, "Keying material exporter label must begin with "
9184 "\"EXPORTER\"");
9185 goto err;
9186 }
9187 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9188 {
9189 msg(msglevel,
9190 "Keying material exporter label must not be '" EXPORT_KEY_DATA_LABEL "'.");
9191 }
9192
9193 if (!atoi_constrained(p[2], &options->keying_material_exporter_length,
9194 p[0], 16, 4095, msglevel))
9195 {
9196 goto err;
9197 }
9198
9199 options->keying_material_exporter_label = p[1];
9200 }
9201 else if (streq(p[0], "allow-recursive-routing") && !p[1])
9202 {
9203 VERIFY_PERMISSION(OPT_P_GENERAL);
9204 options->allow_recursive_routing = true;
9205 }
9206 else if (streq(p[0], "vlan-tagging") && !p[1])
9207 {
9208 VERIFY_PERMISSION(OPT_P_GENERAL);
9209 options->vlan_tagging = true;
9210 }
9211 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9212 {
9213 VERIFY_PERMISSION(OPT_P_GENERAL);
9214 if (streq(p[1], "tagged"))
9215 {
9216 options->vlan_accept = VLAN_ONLY_TAGGED;
9217 }
9218 else if (streq(p[1], "untagged"))
9219 {
9220 options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9221 }
9222 else if (streq(p[1], "all"))
9223 {
9224 options->vlan_accept = VLAN_ALL;
9225 }
9226 else
9227 {
9228 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9229 goto err;
9230 }
9231 }
9232 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9233 {
9234 int vlan_pvid;
9235 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
9236 if (!atoi_constrained(p[1], &vlan_pvid, p[0],
9237 OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID, msglevel))
9238 {
9239 goto err;
9240 }
9241 options->vlan_pvid = (uint16_t)vlan_pvid;
9242 }
9243 else
9244 {
9245 int i;
9246 msglvl_t msglevel_unknown = msglevel_fc;
9247 /* Check if an option is in --ignore-unknown-option and
9248 * set warning level to non fatal */
9249 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9250 {
9251 if (streq(p[0], options->ignore_unknown_option[i]))
9252 {
9253 msglevel_unknown = M_WARN;
9254 break;
9255 }
9256 }
9257 if (file)
9258 {
9259 msg(msglevel_unknown,
9260 "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file,
9261 line, p[0], PACKAGE_VERSION);
9262 }
9263 else
9264 {
9265 msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)",
9266 p[0], PACKAGE_VERSION);
9267 }
9268 }
9269err:
9270 gc_free(&gc);
9271}
9272
9273#if defined(__GNUC__) || defined(__clang__)
9274#pragma GCC diagnostic pop
9275#endif
9276
9277bool
9278has_udp_in_local_list(const struct options *options)
9279{
9280 if (options->ce.local_list)
9281 {
9282 for (int i = 0; i < options->ce.local_list->len; i++)
9283 {
9284 if (proto_is_dgram(options->ce.local_list->array[i]->proto))
9285 {
9286 return true;
9287 }
9288 }
9289 }
9290
9291 return false;
9292}
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:163
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
gc_transfer
void gc_transfer(struct gc_arena *dest, struct gc_arena *src)
Definition buffer.c:465
gc_realloc
void * gc_realloc(void *ptr, size_t size, struct gc_arena *a)
allows to realloc a pointer previously allocated by gc_malloc or gc_realloc
Definition buffer.c:375
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:341
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
format_hex_ex
char * format_hex_ex(const uint8_t *data, size_t size, size_t maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:488
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
string_array_len
int string_array_len(const char **array)
Definition buffer.c:707
buffer_read_from_file
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
Definition buffer.c:1381
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:829
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:653
string_alloc_buf
struct buffer string_alloc_buf(const char *str, struct gc_arena *gc)
Definition buffer.c:756
gc_detach
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1035
BSTR
#define BSTR(buf)
Definition buffer.h:129
BPTR
#define BPTR(buf)
Definition buffer.h:123
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1099
buf_valid
static bool buf_valid(const struct buffer *buf)
Definition buffer.h:235
gc_init
static void gc_init(struct gc_arena *a)
Definition buffer.h:1028
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1125
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1120
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:362
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1049
strprefix
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition buffer.h:970
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1041
add_client_nat_to_option_list
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, msglvl_t msglevel)
Definition clinat.c:102
print_client_nat_list
void print_client_nat_list(const struct client_nat_option_list *list, msglvl_t msglevel)
Definition clinat.c:50
new_client_nat_list
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition clinat.c:71
clone_client_nat_option_list
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition clinat.c:79
copy_client_nat_option_list
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition clinat.c:88
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:70
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition common.h:83
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, msglvl_t msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
COMP_F_ALLOW_STUB_ONLY
#define COMP_F_ALLOW_STUB_ONLY
Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY we still accept other compression...
Definition comp.h:45
COMP_F_SWAP
#define COMP_F_SWAP
initial command byte is swapped with last byte in buffer to preserve payload alignment
Definition comp.h:40
COMP_ALG_LZ4
#define COMP_ALG_LZ4
LZ4 algorithm.
Definition comp.h:59
COMP_ALGV2_LZ4
#define COMP_ALGV2_LZ4
Definition comp.h:64
COMP_F_ALLOW_NOCOMP_ONLY
#define COMP_F_ALLOW_NOCOMP_ONLY
Do not allow compression framing (breaks DCO)
Definition comp.h:51
COMP_F_ALLOW_ASYM
#define COMP_F_ALLOW_ASYM
Compression was explicitly set to allow asymetric compression.
Definition comp.h:49
COMP_ALGV2_UNCOMPRESSED
#define COMP_ALGV2_UNCOMPRESSED
Definition comp.h:63
COMP_ALG_STUB
#define COMP_ALG_STUB
support compression command byte and framing without actual compression
Definition comp.h:56
COMP_ALG_LZO
#define COMP_ALG_LZO
LZO algorithm.
Definition comp.h:57
COMP_F_ADVERTISE_STUBS_ONLY
#define COMP_F_ADVERTISE_STUBS_ONLY
tell server that we only support compression stubs
Definition comp.h:42
COMP_F_MIGRATE
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
comp_non_stub_enabled
static bool comp_non_stub_enabled(const struct compress_options *info)
Definition comp.h:81
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition comp.h:54
daemon
int daemon(int nochdir, int noclose)
Definition compat-daemon.c:50
dirname
char * dirname(char *path)
Definition compat-dirname.c:61
strsep
char * strsep(char **stringp, const char *delim)
Definition compat-strsep.c:35
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:875
ascii2keydirection
int ascii2keydirection(msglvl_t msglevel, const char *str)
Definition crypto.c:1632
keydirection2ascii
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
Definition crypto.c:1655
check_tls_prf_working
bool check_tls_prf_working(void)
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS K...
Definition crypto.c:1915
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1199
crypto.h
Data Channel Cryptography Module.
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:359
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:375
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:379
KEY_DIRECTION_BIDIRECTIONAL
#define KEY_DIRECTION_BIDIRECTIONAL
Definition crypto.h:231
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:371
MD_SHA256
@ MD_SHA256
Definition crypto_backend.h:61
MD_SHA1
@ MD_SHA1
Definition crypto_backend.h:60
cipher_defined
static bool cipher_defined(const char *ciphername)
Checks if the cipher is defined and is not the null (none) cipher.
Definition crypto_backend.h:226
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition crypto_openssl.c:1067
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:653
cipher_kt_key_size
unsigned int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
Definition crypto_openssl.c:673
SHA_DIGEST_LENGTH
#define SHA_DIGEST_LENGTH
Definition crypto_mbedtls.h:63
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition crypto_mbedtls.h:64
dco_check_startup_option
static bool dco_check_startup_option(msglvl_t msglevel, const struct options *o)
Definition dco.h:280
dco_check_option
static bool dco_check_option(msglvl_t msglevel, const struct options *o)
Definition dco.h:274
dco_version_string
static const char * dco_version_string(struct gc_arena *gc)
Definition dco.h:268
dns_options_verify
bool dns_options_verify(msglvl_t msglevel, const struct dns_options *o)
Checks validity of DNS options.
Definition dns.c:212
dns_options_postprocess_pull
void dns_options_postprocess_pull(struct dns_options *o)
Merges pulled DNS servers with static ones into an ordered list.
Definition dns.c:289
dns_server_addr_parse
bool dns_server_addr_parse(struct dns_server *server, const char *addr)
Parses a string IPv4 or IPv6 address and optional colon separated port, into a in_addr or in6_addr re...
Definition dns.c:62
dns_domain_list_append
bool dns_domain_list_append(struct dns_domain **entry, char **domains, struct gc_arena *gc)
Appends safe DNS domain parameters to a linked list.
Definition dns.c:148
dns_server_get
struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc)
Find or create DNS server with priority in a linked list.
Definition dns.c:190
dns_server_priority_parse
bool dns_server_priority_parse(long *priority, const char *str, bool pulled)
Parses a string DNS server priority and validates it.
Definition dns.c:175
clone_dns_options
struct dns_options clone_dns_options(const struct dns_options *o, struct gc_arena *gc)
Makes a deep copy of the passed DNS options.
Definition dns.c:266
show_dns_options
void show_dns_options(const struct dns_options *o)
Prints configured DNS options.
Definition dns.c:788
dns_options_preprocess_pull
void dns_options_preprocess_pull(struct dns_options *o)
Saves and resets the server options, so that pulled ones don't mix in.
Definition dns.c:282
dns_updown_user_set
static bool dns_updown_user_set(const struct dns_options *o)
Returns whether dns-updown is user defined.
Definition dns.h:218
DNS_UPDOWN_FORCED
@ DNS_UPDOWN_FORCED
Definition dns.h:50
DNS_UPDOWN_NO_FLAGS
@ DNS_UPDOWN_NO_FLAGS
Definition dns.h:48
DNS_UPDOWN_USER_SET
@ DNS_UPDOWN_USER_SET
Definition dns.h:49
DNS_SECURITY_NO
@ DNS_SECURITY_NO
Definition dns.h:33
DNS_SECURITY_YES
@ DNS_SECURITY_YES
Definition dns.h:34
DNS_SECURITY_OPTIONAL
@ DNS_SECURITY_OPTIONAL
Definition dns.h:35
dns_updown_forced
static bool dns_updown_forced(const struct dns_options *o)
Returns whether dns-updown is forced to run.
Definition dns.h:229
DNS_TRANSPORT_PLAIN
@ DNS_TRANSPORT_PLAIN
Definition dns.h:41
DNS_TRANSPORT_TLS
@ DNS_TRANSPORT_TLS
Definition dns.h:43
DNS_TRANSPORT_HTTPS
@ DNS_TRANSPORT_HTTPS
Definition dns.h:42
domain_helper.h
validate_domain
static bool validate_domain(const char *domain)
Definition domain_helper.h:34
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
setenv_str_i
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i)
Definition env_set.c:423
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
env_set_get
const char * env_set_get(const struct env_set *es, const char *name)
Definition env_set.c:201
setenv_str_safe
void setenv_str_safe(struct env_set *es, const char *name, const char *value)
Definition env_set.c:313
env_set_del
bool env_set_del(struct env_set *es, const char *str)
Definition env_set.c:183
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition env_set.c:299
D_SHOW_OCC
#define D_SHOW_OCC
Definition errlevel.h:150
D_PUSH
#define D_PUSH
Definition errlevel.h:82
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
D_DCO
#define D_DCO
Definition errlevel.h:93
D_SHOW_PARMS
#define D_SHOW_PARMS
Definition errlevel.h:95
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition errlevel.h:66
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
M_INFO
#define M_INFO
Definition errlevel.h:54
forward.h
Interface functions to the internal and external multiplexers.
helper_setdefault_topology
void helper_setdefault_topology(struct options *o)
Set –topology default depending on –mode.
Definition helper.c:137
helper_tcp_nodelay
void helper_tcp_nodelay(struct options *o)
Definition helper.c:608
helper_client_server
void helper_client_server(struct options *o)
Definition helper.c:165
helper_keepalive
void helper_keepalive(struct options *o)
Definition helper.c:548
max_int
static int max_int(int x, int y)
Definition integer.h:92
constrain_int
static int constrain_int(int x, int min, int max)
Definition integer.h:118
tls_verify
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
Definition keyingmaterialexporter.c:166
management_auth_token
void management_auth_token(struct management *man, const char *token)
Definition manage.c:3136
management_echo
void management_echo(struct management *man, const char *string, const bool pull)
Definition manage.c:3057
MF_FORGET_DISCONNECT
#define MF_FORGET_DISCONNECT
Definition manage.h:31
MF_EXTERNAL_KEY_PKCS1PAD
#define MF_EXTERNAL_KEY_PKCS1PAD
Definition manage.h:38
MF_CLIENT_AUTH
#define MF_CLIENT_AUTH
Definition manage.h:33
MF_EXTERNAL_KEY_PSSPAD
#define MF_EXTERNAL_KEY_PSSPAD
Definition manage.h:43
MF_EXTERNAL_KEY_NOPADDING
#define MF_EXTERNAL_KEY_NOPADDING
Definition manage.h:37
MF_QUERY_PROXY
#define MF_QUERY_PROXY
Definition manage.h:41
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition manage.h:36
MF_QUERY_REMOTE
#define MF_QUERY_REMOTE
Definition manage.h:40
MF_QUERY_PASSWORDS
#define MF_QUERY_PASSWORDS
Definition manage.h:28
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition manage.h:42
MF_EXTERNAL_KEY_DIGEST
#define MF_EXTERNAL_KEY_DIGEST
Definition manage.h:44
MF_UP_DOWN
#define MF_UP_DOWN
Definition manage.h:39
MF_HOLD
#define MF_HOLD
Definition manage.h:29
MF_SIGNAL
#define MF_SIGNAL
Definition manage.h:30
MF_UNIX_SOCK
#define MF_UNIX_SOCK
Definition manage.h:35
MF_CONNECT_AS_CLIENT
#define MF_CONNECT_AS_CLIENT
Definition manage.h:32
MBUF_SIZE_MAX
#define MBUF_SIZE_MAX
Definition mbuf.h:40
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:777
safe_print
const char * safe_print(const char *str, struct gc_arena *gc)
Definition misc.c:543
USER_PASS_LEN
#define USER_PASS_LEN
Definition misc.h:64
SC_CONCAT
#define SC_CONCAT
Definition misc.h:92
SC_ECHO
#define SC_ECHO
Definition misc.h:91
translate_mtu_discover_type_name
int translate_mtu_discover_type_name(const char *name)
Definition mtu.c:253
calc_options_string_link_mtu
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition mtu.c:147
MSSFIX_DEFAULT
#define MSSFIX_DEFAULT
Definition mtu.h:84
TUN_MTU_MAX_MIN
#define TUN_MTU_MAX_MIN
Definition mtu.h:74
TAP_MTU_EXTRA_DEFAULT
#define TAP_MTU_EXTRA_DEFAULT
Definition mtu.h:79
LINK_MTU_DEFAULT
#define LINK_MTU_DEFAULT
Definition mtu.h:64
TUN_MTU_DEFAULT
#define TUN_MTU_DEFAULT
Definition mtu.h:69
TLS_MTU_DEFAULT
#define TLS_MTU_DEFAULT
Definition mtu.h:89
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition multi.c:83
net_ctx_init
static int net_ctx_init(struct context *c, openvpn_net_ctx_t *ctx)
Definition networking.h:47
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:38
BOOL_CAST
#define BOOL_CAST(x)
Definition basic.h:26
CLEAR
#define CLEAR(x)
Definition basic.h:32
SIZE
#define SIZE(x)
Definition basic.h:29
errors_to_stderr
void errors_to_stderr(void)
Definition error.c:179
open_syslog
void open_syslog(const char *pgmname, bool stdio_to_null)
Definition error.c:442
redirect_stdout_stderr
void redirect_stdout_stderr(const char *file, bool append)
Definition error.c:491
openvpn_exit
void openvpn_exit(const int status)
Definition error.c:707
machine_readable_output
static bool machine_readable_output
Definition error.c:74
set_suppress_timestamps
void set_suppress_timestamps(bool suppressed)
Definition error.c:143
set_machine_readable_output
void set_machine_readable_output(bool parsable)
Definition error.c:149
msg_fp
FILE * msg_fp(const msglvl_t flags)
Definition error.c:188
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:101
suppress_timestamps
static bool suppress_timestamps
Definition error.c:77
M_OPTERR
#define M_OPTERR
Definition error.h:101
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition error.h:201
M_NOPREFIX
#define M_NOPREFIX
Definition error.h:98
M_DEBUG_LEVEL
#define M_DEBUG_LEVEL
Definition error.h:88
M_USAGE
#define M_USAGE
Definition error.h:107
OPENVPN_EXIT_STATUS_USAGE
#define OPENVPN_EXIT_STATUS_USAGE
Definition error.h:54
OPENVPN_EXIT_STATUS_GOOD
#define OPENVPN_EXIT_STATUS_GOOD
Definition error.h:52
M_FATAL
#define M_FATAL
Definition error.h:90
M_ERR
#define M_ERR
Definition error.h:106
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
M_ERRNO
#define M_ERRNO
Definition error.h:95
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:550
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4518
RESET_OPTION_ROUTES
#define RESET_OPTION_ROUTES(option_ptr, field)
Definition options.c:5039
rol6_check_alloc
static void rol6_check_alloc(struct options *options)
Definition options.c:1551
CHKACC_PRIVATE
#define CHKACC_PRIVATE
Warn if this (private) file is group/others accessible.
Definition options.c:3924
check_file_access_chroot_inline
static bool check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access_chroot() that returns false immediately if the file is inline (and th...
Definition options.c:4058
check_file_access_chroot
static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
Definition options.c:4024
options_postprocess_verify_ce
static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
Definition options.c:2246
NM_QUOTE_HINT
#define NM_QUOTE_HINT
Definition options.c:5006
options_postprocess_mutate_ce
static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
Definition options.c:2897
usage_version
static void usage_version(void)
Definition options.c:4885
get_ip_addr
static in_addr_t get_ip_addr(const char *ip_string, msglvl_t msglevel, bool *error)
Definition options.c:1089
alloc_pull_filter
static struct pull_filter * alloc_pull_filter(struct options *o)
Definition options.c:2150
USAGE_VALID_SERVER_PROTOS
#define USAGE_VALID_SERVER_PROTOS
SHOW_BOOL
#define SHOW_BOOL(var)
Definition options.c:961
CHKACC_DIRPATH
#define CHKACC_DIRPATH
Check for directory presence where a file should reside.
Definition options.c:3921
pre_connect_save
static void pre_connect_save(struct options *o)
Definition options.c:3088
CHKACC_ACPTSTDIN
#define CHKACC_ACPTSTDIN
If filename is stdin, it's allowed and "exists".
Definition options.c:3923
TLS_CLIENT
#define TLS_CLIENT
setenv_connection_entry
static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
Definition options.c:966
global_auth_retry
static int global_auth_retry
Definition options.c:4764
options_postprocess_pull
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition options.c:4267
uninit_options
void uninit_options(struct options *o)
Definition options.c:915
connection_entry_load_re
static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
Definition options.c:2171
SHOW_STR
#define SHOW_STR(var)
Definition options.c:954
parse_topology
int parse_topology(const char *str, const msglvl_t msglevel)
Definition options.c:4717
show_windows_version
void show_windows_version(const unsigned int flags)
Definition options.c:4852
VERIFY_PERMISSION
#define VERIFY_PERMISSION(mask)
Definition options.c:4946
options_warning_extract_parm1
static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
Definition options.c:4530
key_is_external
bool key_is_external(const struct options *options)
Definition options.c:5537
string_substitute
static char * string_substitute(const char *src, char from, char to, struct gc_arena *gc)
Definition options.c:1138
show_dhcp_option_list
static void show_dhcp_option_list(const char *name, const char *const *array, unsigned int len)
Definition options.c:1261
check_ca_required
static void check_ca_required(const struct options *options)
Definition options.c:2208
parse_http_proxy_override
static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, struct gc_arena *gc)
Definition options.c:1964
init_options
void init_options(struct options *o)
Definition options.c:795
verify_permission
static bool verify_permission(const char *name, const char *file, int line, const unsigned int type, const unsigned int allowed, unsigned int *found, const msglvl_t msglevel, struct options *options, bool is_inline)
Definition options.c:4956
CHKACC_FILEXSTWR
#define CHKACC_FILEXSTWR
If file exists, is it writable?
Definition options.c:3922
tuntap_options_postprocess_dns
static void tuntap_options_postprocess_dns(struct options *o)
Postprocess DNS related settings.
Definition options.c:3472
dhcp_option_dns6_parse
static void dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, unsigned int *len, msglvl_t msglevel)
Definition options.c:1307
get_ipv6_addr_no_netbits
static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
Returns newly allocated string containing address part without "/nn".
Definition options.c:1114
option_iroute_ipv6
static void option_iroute_ipv6(struct options *o, const char *prefix_str, msglvl_t msglevel)
Definition options.c:1485
check_route_option
static bool check_route_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5209
show_dco_version
void show_dco_version(const unsigned int flags)
Definition options.c:4861
rol_check_alloc
void rol_check_alloc(struct options *options)
Definition options.c:1542
alloc_local_list_if_undef
static struct local_list * alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
Definition options.c:2027
dhcp_option_address_parse
static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, unsigned int *len, msglvl_t msglevel)
Definition options.c:1321
SHOW_UNSIGNED
#define SHOW_UNSIGNED(var)
Definition options.c:960
show_settings
void show_settings(const struct options *o)
Definition options.c:1666
set_user_script
static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot)
Definition options.c:5498
remove_option
void remove_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Resets options found in the PUSH_UPDATE message that are preceded by the - flag.
Definition options.c:5047
parse_hash_fingerprint_multiline
static struct verify_hash_list * parse_hash_fingerprint_multiline(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
Parses a string consisting of multiple lines of hexstrings and checks if each string has the correct ...
Definition options.c:1219
LZO_LIB_VER_STR
#define LZO_LIB_VER_STR
no_more_than_n_args
static bool no_more_than_n_args(const msglvl_t msglevel, char *p[], const int max, const unsigned int flags)
Definition options.c:5009
show_connection_entries
static void show_connection_entries(const struct options *o)
Definition options.c:1627
options_postprocess_mutate_le
static void options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
Definition options.c:3054
show_dhcp_option_addrs
static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, unsigned int len)
Definition options.c:1270
options_cmp_equal_safe
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4638
string_defined_equal
bool string_defined_equal(const char *s1, const char *s2)
Definition options.c:4916
check_file_access_inline
static bool check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access() that returns false immediately if the file is inline (and therefore...
Definition options.c:4074
options_postprocess
void options_postprocess(struct options *options, struct env_set *es)
Definition options.c:4253
update_option
void update_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Processes an option to update.
Definition options.c:5367
usage_small
void usage_small(void)
Definition options.c:4844
auth_retry_print
const char * auth_retry_print(void)
Definition options.c:4796
show_http_proxy_options
static void show_http_proxy_options(const struct http_proxy_options *o)
Definition options.c:1503
options_postprocess_filechecks
static void options_postprocess_filechecks(struct options *options)
Definition options.c:4142
alloc_remote_entry
static struct remote_entry * alloc_remote_entry(struct options *options, const msglvl_t msglevel)
Definition options.c:2114
show_connection_entry
static void show_connection_entry(const struct connection_entry *o)
Definition options.c:1570
options_warning_safe
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4661
show_library_versions
void show_library_versions(const unsigned int flags)
Definition options.c:4871
setenv_settings
void setenv_settings(struct env_set *es, const struct options *o)
Definition options.c:992
CHKACC_ACCEPT_URI
#define CHKACC_ACCEPT_URI
Do not check URIs, unless they start with file:
Definition options.c:3925
usage_message
static const char usage_message[]
Definition options.c:122
options_warning_safe_scan1
static void options_warning_safe_scan1(const msglvl_t msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4598
alloc_connection_list_if_undef
static struct connection_list * alloc_connection_list_if_undef(struct options *options)
Definition options.c:2068
check_cmd_access
static bool check_cmd_access(const char *command, const char *opt, const char *chroot)
Definition options.c:4102
SHOW_INT64
#define SHOW_INT64(var)
Definition options.c:959
check_file_access
static bool check_file_access(const int type, const char *file, const int mode, const char *opt)
Definition options.c:3928
show_p2mp_parms
static void show_p2mp_parms(const struct options *o)
Definition options.c:1366
pull_filter_type_name
static const char * pull_filter_type_name(int type)
Definition options.c:933
add_option
void add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5557
cnol_check_alloc
static void cnol_check_alloc(struct options *options)
Definition options.c:1560
options_postprocess_mutate
static void options_postprocess_mutate(struct options *o, struct env_set *es)
Definition options.c:3729
options_detach
void options_detach(struct options *o)
Definition options.c:1533
options_warning_safe_ml
static void options_warning_safe_ml(const msglvl_t msglevel, char *actual, const char *expected, size_t actual_n)
Definition options.c:4616
atou
static unsigned int atou(const char *str)
Definition options.c:4938
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3133
alloc_pull_filter_list
static struct pull_filter_list * alloc_pull_filter_list(struct options *o)
Definition options.c:2140
print_topology
const char * print_topology(const int topology)
Definition options.c:4739
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4680
parse_hash_fingerprint
static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
Parses a hexstring and checks if the string has the correct length.
Definition options.c:1166
check_dns_option
static bool check_dns_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5258
SHOW_STR_INLINE
#define SHOW_STR_INLINE(var)
Definition options.c:955
options_warning_safe_scan2
static void options_warning_safe_scan2(const msglvl_t msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4544
options_postprocess_cipher
static void options_postprocess_cipher(struct options *o)
Definition options.c:3306
options_set_backwards_compatible_options
static void options_set_backwards_compatible_options(struct options *o)
Changes default values so that OpenVPN can be compatible with the user specified version.
Definition options.c:3376
show_tuntap_options
static void show_tuntap_options(const struct tuntap_options *o)
Definition options.c:1281
MUST_BE_FALSE
#define MUST_BE_FALSE(condition, parm_name)
Definition options.c:2239
MUST_BE_UNDEF
#define MUST_BE_UNDEF(parm, parm_name)
Definition options.c:2234
print_vlan_accept
static const char * print_vlan_accept(enum vlan_acceptable_frames mode)
Definition options.c:1349
SHOW_PARM
#define SHOW_PARM(name, value, format)
Definition options.c:953
options_postprocess_http_proxy_override
static void options_postprocess_http_proxy_override(struct options *o)
Definition options.c:1992
options_warning
void options_warning(char *actual, const char *expected)
Definition options.c:4524
show_pull_filter_list
static void show_pull_filter_list(const struct pull_filter_list *l)
Definition options.c:1648
CHKACC_FILE
#define CHKACC_FILE
Check for a file/directory presence.
Definition options.c:3920
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4667
options_postprocess_mutate_invariant
static void options_postprocess_mutate_invariant(struct options *options)
Definition options.c:3206
ipv6_addr_safe_hexplusbits
static bool ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
Definition options.c:1132
title_string
const char title_string[]
Definition options.c:72
setenv_local_entry
static void setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
Definition options.c:984
remap_redirect_gateway_flags
static void remap_redirect_gateway_flags(struct options *opt)
Definition options.c:3072
TLS_SERVER
#define TLS_SERVER
msglevel_forward_compatible
static msglvl_t msglevel_forward_compatible(struct options *options, const msglvl_t msglevel)
Definition options.c:5034
auth_retry_set
bool auth_retry_set(const msglvl_t msglevel, const char *option)
Definition options.c:4773
auth_retry_get
int auth_retry_get(void)
Definition options.c:4767
alloc_remote_list_if_undef
static struct remote_list * alloc_remote_list_if_undef(struct options *options)
Definition options.c:2104
check_route6_option
static bool check_route6_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5237
notnull
void notnull(const char *arg, const char *description)
Definition options.c:4907
usage
void usage(void)
Definition options.c:4818
alloc_local_entry
static struct local_entry * alloc_local_entry(struct connection_entry *ce, const msglvl_t msglevel, struct gc_arena *gc)
Definition options.c:2037
show_compression_warning
static void show_compression_warning(struct compress_options *info)
Definition options.c:5525
options_process_mutate_prf
static void options_process_mutate_prf(struct options *o)
Definition options.c:3444
has_udp_in_local_list
bool has_udp_in_local_list(const struct options *options)
Definition options.c:9278
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4324
option_iroute
static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, msglvl_t msglevel)
Definition options.c:1458
options_postprocess_verify
static void options_postprocess_verify(const struct options *o)
Definition options.c:3269
connection_entry_preload_key
static void connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
Definition options.c:2192
alloc_connection_entry
static struct connection_entry * alloc_connection_entry(struct options *options, const msglvl_t msglevel)
Definition options.c:2078
SHOW_INT
#define SHOW_INT(var)
Definition options.c:957
need_compatibility_before
static bool need_compatibility_before(const struct options *o, unsigned int version)
The option –compat-mode is used to set up default settings to values used on the specified openvpn ve...
Definition options.c:3366
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition options.h:262
OPT_P_SCRIPT
#define OPT_P_SCRIPT
Definition options.h:729
PUF_TYPE_ACCEPT
#define PUF_TYPE_ACCEPT
filter type to accept a matching option
Definition options.h:794
OPT_P_PUSH
#define OPT_P_PUSH
Definition options.h:741
SF_TCP_NODELAY_HELPER
#define SF_TCP_NODELAY_HELPER
Definition options.h:473
OPT_P_UP
#define OPT_P_UP
Definition options.h:726
OPT_P_CONNECTION
#define OPT_P_CONNECTION
Definition options.h:752
OPT_P_INSTANCE
#define OPT_P_INSTANCE
allowed in ccd, client-connect etc
Definition options.h:742
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:737
read_config_file
void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options_parse.c:347
OPT_P_ECHO
#define OPT_P_ECHO
Definition options.h:745
OPT_P_ROUTE_TABLE
#define OPT_P_ROUTE_TABLE
Definition options.h:756
OPT_P_CONFIG
#define OPT_P_CONFIG
Definition options.h:743
MODE_SERVER
#define MODE_SERVER
Definition options.h:263
CONNECTION_LIST_SIZE
#define CONNECTION_LIST_SIZE
Definition options.h:190
streq
#define streq(x, y)
Definition options.h:720
OPT_P_U_REDIR_GATEWAY
#define OPT_P_U_REDIR_GATEWAY
Definition options.h:789
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:744
PUF_TYPE_IGNORE
#define PUF_TYPE_IGNORE
filter type to ignore a matching option
Definition options.h:795
AR_INTERACT
#define AR_INTERACT
Definition options.h:965
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition options.h:731
OPT_P_U_ROUTE6
#define OPT_P_U_ROUTE6
Definition options.h:786
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:986
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition options.h:751
SF_NOPOOL
#define SF_NOPOOL
Definition options.h:472
PUF_TYPE_REJECT
#define PUF_TYPE_REJECT
filter type to reject and trigger SIGUSR1
Definition options.h:796
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition options.h:736
OPT_P_SETENV
#define OPT_P_SETENV
Definition options.h:730
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition options.h:750
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition options.h:749
OPTION_PARM_SIZE
#define OPTION_PARM_SIZE
Definition options.h:56
OPT_P_TIMER
#define OPT_P_TIMER
Definition options.h:732
OPT_P_GENERAL
#define OPT_P_GENERAL
Definition options.h:725
PING_RESTART
#define PING_RESTART
Definition options.h:354
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition options.h:728
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition options.h:748
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition options.h:242
GENKEY_SECRET
@ GENKEY_SECRET
Definition options.h:239
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:241
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:240
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition options.h:755
AR_NONE
#define AR_NONE
Definition options.h:964
AR_NOINTERACT
#define AR_NOINTERACT
Definition options.h:966
SF_NO_PUSH_ROUTE_GATEWAY
#define SF_NO_PUSH_ROUTE_GATEWAY
Definition options.h:474
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition options.h:733
MAX_PARMS
#define MAX_PARMS
Definition options.h:51
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition options.h:760
OPT_P_U_DNS
#define OPT_P_U_DNS
Definition options.h:787
PLUGIN_OPTION_LIST
#define PLUGIN_OPTION_LIST(opt)
Definition options.h:771
ROUTE_OPTION_FLAGS
#define ROUTE_OPTION_FLAGS(o)
Definition options.h:763
OPTION_LINE_SIZE
#define OPTION_LINE_SIZE
Definition options.h:57
OPT_P_U_ROUTE
#define OPT_P_U_ROUTE
Definition options.h:785
PING_EXIT
#define PING_EXIT
Definition options.h:353
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:735
OPT_P_PERSIST_IP
#define OPT_P_PERSIST_IP
Definition options.h:734
OPT_P_MTU
#define OPT_P_MTU
Definition options.h:739
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition options.h:747
OPT_P_U_DHCP
#define OPT_P_U_DHCP
Definition options.h:788
OPT_P_NICE
#define OPT_P_NICE
Definition options.h:740
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition options.h:753
OPT_P_INHERIT
#define OPT_P_INHERIT
Definition options.h:746
OPT_P_TLS_PARMS
#define OPT_P_TLS_PARMS
Definition options.h:738
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition options.h:727
read_config_string
void read_config_string(const char *prefix, struct options *options, const char *config, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options_parse.c:421
MAN_CLIENT_AUTH_ENABLED
#define MAN_CLIENT_AUTH_ENABLED(opt)
Definition options.h:777
CE_DISABLED
#define CE_DISABLED
Definition options.h:153
OPT_P_INLINE
#define OPT_P_INLINE
Definition options.h:754
vlan_acceptable_frames
vlan_acceptable_frames
Definition options.h:223
VLAN_ONLY_UNTAGGED_OR_PRIORITY
@ VLAN_ONLY_UNTAGGED_OR_PRIORITY
Definition options.h:225
VLAN_ALL
@ VLAN_ALL
Definition options.h:226
VLAN_ONLY_TAGGED
@ VLAN_ONLY_TAGGED
Definition options.h:224
atoi_warn
int atoi_warn(const char *str, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number.
Definition options_util.c:151
positive_atoi
int positive_atoi(const char *str, msglvl_t msglevel)
Converts a str to a positive number if the string represents a postive integer number.
Definition options_util.c:120
positive_atoll
bool positive_atoll(const char *str, int64_t *value, const char *name, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number and is >= 0.
Definition options_util.c:135
valid_integer
bool valid_integer(const char *str, bool positive)
Checks if the string is a valid integer by checking if it can be converted to an integer.
Definition options_util.c:104
atoi_constrained
bool atoi_constrained(const char *str, int *value, const char *name, int min, int max, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number and is between min...
Definition options_util.c:166
options_util.h
packet_id.h
MAX_SEQ_BACKTRACK
#define MAX_SEQ_BACKTRACK
Definition packet_id.h:85
MIN_SEQ_BACKTRACK
#define MIN_SEQ_BACKTRACK
Definition packet_id.h:84
DEFAULT_SEQ_BACKTRACK
#define DEFAULT_SEQ_BACKTRACK
Definition packet_id.h:86
MAX_TIME_BACKTRACK
#define MAX_TIME_BACKTRACK
Definition packet_id.h:94
DEFAULT_TIME_BACKTRACK
#define DEFAULT_TIME_BACKTRACK
Definition packet_id.h:95
MIN_TIME_BACKTRACK
#define MIN_TIME_BACKTRACK
Definition packet_id.h:93
platform_getpid
unsigned int platform_getpid(void)
Definition platform.c:333
platform_access
int platform_access(const char *path, int mode)
Definition platform.c:457
platform_chdir
int platform_chdir(const char *dir)
Definition platform.c:392
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:526
platform_stat_t
struct _stat platform_stat_t
Definition platform.h:118
plugin_option_list_new
struct plugin_option_list * plugin_option_list_new(struct gc_arena *gc)
Definition plugin.c:159
plugin_option_list_add
bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
Definition plugin.c:167
plugin_option_list_print
void plugin_option_list_print(const struct plugin_option_list *list, msglvl_t msglevel)
Definition plugin.c:187
ifconfig_pool_verify_range
bool ifconfig_pool_verify_range(const msglvl_t msglevel, const in_addr_t start, const in_addr_t end)
Definition pool.c:117
OPENVPN_8021Q_MIN_VID
#define OPENVPN_8021Q_MIN_VID
Definition proto.h:316
OPENVPN_8021Q_MAX_VID
#define OPENVPN_8021Q_MAX_VID
Definition proto.h:317
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:36
TOP_UNDEF
#define TOP_UNDEF
Definition proto.h:40
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition proto.h:34
TOP_NET30
#define TOP_NET30
Definition proto.h:41
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:35
TOP_P2P
#define TOP_P2P
Definition proto.h:42
TOP_SUBNET
#define TOP_SUBNET
Definition proto.h:43
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:44
PAR_NCT
#define PAR_NCT
Definition proxy.h:51
MAX_CUSTOM_HTTP_HEADER
#define MAX_CUSTOM_HTTP_HEADER
Definition proxy.h:43
PAR_ALL
#define PAR_ALL
Definition proxy.h:50
push_reset
void push_reset(struct options *o)
Definition push.c:943
push_options
void push_options(struct options *o, char **p, msglvl_t msglevel, struct gc_arena *gc)
Definition push.c:917
clone_push_list
void clone_push_list(struct options *o)
Definition push.c:902
push_remove_option
void push_remove_option(struct options *o, const char *p)
Definition push.c:949
print_route_options
void print_route_options(const struct route_option_list *rol, msglvl_t msglevel)
Definition route.c:1240
is_special_addr
bool is_special_addr(const char *addr_str)
Definition route.c:301
clone_route_option_list
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition route.c:155
netmask_to_netbits2
int netmask_to_netbits2(in_addr_t netmask)
Definition route.c:3895
new_route_ipv6_option_list
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition route.c:139
delete_routes_v6
void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1198
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition route.c:2662
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:509
copy_route_option_list
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition route.c:173
copy_route_ipv6_option_list
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:181
print_default_gateway
void print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition route.c:1254
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2565
clone_route_ipv6_option_list
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:164
new_route_option_list
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition route.c:130
show_routes
void show_routes(msglvl_t msglevel)
Definition route.c:3065
delete_routes_v4
void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1176
add_route_to_option_list
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric, int table_id)
Definition route.c:494
RG_LOCAL
#define RG_LOCAL
Definition route.h:87
RG_BYPASS_DHCP
#define RG_BYPASS_DHCP
Definition route.h:89
ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_SERVICE
Definition route.h:42
ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_IPAPI
Definition route.h:40
ROUTE_METHOD_EXE
#define ROUTE_METHOD_EXE
Definition route.h:41
RG_DEF1
#define RG_DEF1
Definition route.h:88
RG_BYPASS_DNS
#define RG_BYPASS_DNS
Definition route.h:90
RG_ENABLE
#define RG_ENABLE
Definition route.h:86
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:91
ROUTE_METHOD_ADAPTIVE
#define ROUTE_METHOD_ADAPTIVE
Definition route.h:39
RG_AUTO_LOCAL
#define RG_AUTO_LOCAL
Definition route.h:92
RG_BLOCK_LOCAL
#define RG_BLOCK_LOCAL
Definition route.h:93
script_security_set
void script_security_set(int level)
Definition run_command.c:48
run_command.h
SSEC_PW_ENV
#define SSEC_PW_ENV
allow calling of built-in programs and user-defined scripts that may receive a password as an environ...
Definition run_command.h:38
SSEC_NONE
#define SSEC_NONE
strictly no calling of external programs
Definition run_command.h:31
SHAPER_MAX
#define SHAPER_MAX
Definition shaper.h:40
SHAPER_MIN
#define SHAPER_MIN
Definition shaper.h:39
bind_local
static void bind_local(struct link_socket *sock, const sa_family_t ai_family)
Definition socket.c:650
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, msglvl_t msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:222
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:195
SF_TCP_NODELAY
#define SF_TCP_NODELAY
Definition socket.h:210
RESOLV_RETRY_INFINITE
#define RESOLV_RETRY_INFINITE
Definition socket.h:48
OPENVPN_PORT
#define OPENVPN_PORT
Definition socket.h:42
SF_USE_IP_PKTINFO
#define SF_USE_IP_PKTINFO
Definition socket.h:209
SF_HOST_RANDOMIZE
#define SF_HOST_RANDOMIZE
Definition socket.h:212
SF_PKTINFO_COPY_IIF
#define SF_PKTINFO_COPY_IIF
Definition socket.h:216
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition socket_util.c:409
mac_addr_safe
bool mac_addr_safe(const char *mac_addr)
Definition socket_util.c:890
proto2ascii_all
const char * proto2ascii_all(struct gc_arena *gc)
Definition socket_util.c:430
ascii2af
sa_family_t ascii2af(const char *proto_name)
Definition socket_util.c:396
proto_remote
const char * proto_remote(int proto, bool remote)
Definition socket_util.c:472
ipv6_addr_safe
bool ipv6_addr_safe(const char *ipv6_text_addr)
Definition socket_util.c:837
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:216
ip_or_dns_addr_safe
bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn)
Definition socket_util.c:873
ascii2proto
int ascii2proto(const char *proto_name)
Definition socket_util.c:383
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196
ip_addr_dotted_quad_safe
bool ip_addr_dotted_quad_safe(const char *dotted_quad)
Definition socket_util.c:787
socket_util.h
proto_is_net
static bool proto_is_net(int proto)
Definition socket_util.h:185
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition socket_util.h:195
GETADDR_FATAL
#define GETADDR_FATAL
Definition socket_util.h:118
PROTO_NONE
@ PROTO_NONE
Definition socket_util.h:176
PROTO_UDP
@ PROTO_UDP
Definition socket_util.h:177
PROTO_TCP
@ PROTO_TCP
Definition socket_util.h:178
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition socket_util.h:180
PROTO_TCP_SERVER
@ PROTO_TCP_SERVER
Definition socket_util.h:179
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition socket_util.h:119
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket_util.h:206
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition socket_util.h:117
IA_NET_ORDER
#define IA_NET_ORDER
Definition socket_util.h:90
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:361
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition ssl.c:336
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:420
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition ssl.c:355
ssl_get_auth_nocache
bool ssl_get_auth_nocache(void)
Definition ssl.c:346
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1872
ssl.h
Control Channel SSL/Data channel negotiation module.
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:120
KEY_METHOD_2
#define KEY_METHOD_2
Definition ssl.h:122
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition ssl_openssl.c:2630
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition ssl_backend.h:103
TLS_VER_1_0
#define TLS_VER_1_0
Definition ssl_backend.h:105
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition ssl_backend.h:390
TLS_VER_1_2
#define TLS_VER_1_2
Definition ssl_backend.h:107
TLS_VER_1_3
#define TLS_VER_1_3
Definition ssl_backend.h:108
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition ssl_openssl.c:205
SSLF_TLS_VERSION_MAX_SHIFT
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition ssl_common.h:431
SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_OPTIONAL
Definition ssl_common.h:424
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:426
SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition ssl_common.h:423
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:428
SSLF_TLS_DEBUG_ENABLED
#define SSLF_TLS_DEBUG_ENABLED
Definition ssl_common.h:433
SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MAX_MASK
Definition ssl_common.h:432
SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition ssl_common.h:429
SSLF_TLS_VERSION_MIN_MASK
#define SSLF_TLS_VERSION_MIN_MASK
Definition ssl_common.h:430
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition ssl_common.h:425
options_postprocess_setdefault_ncpciphers
void options_postprocess_setdefault_ncpciphers(struct options *o)
Checks for availibility of Chacha20-Poly1305 and sets the ncp_cipher to either AES-256-GCM:AES-128-GC...
Definition ssl_ncp.c:576
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
append_cipher_to_ncp_list
void append_cipher_to_ncp_list(struct options *o, const char *ciphername)
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
Definition ssl_ncp.c:195
mutate_ncp_cipher_list
char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
Check whether the ciphers in the supplied list are supported.
Definition ssl_ncp.c:96
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
ssl_verify.h
Control Channel Verification Module.
OPENVPN_KU_REQUIRED
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
Definition ssl_verify.h:257
VERIFY_X509_SUBJECT_DN
#define VERIFY_X509_SUBJECT_DN
Definition ssl_verify.h:69
VERIFY_X509_SUBJECT_RDN
#define VERIFY_X509_SUBJECT_RDN
Definition ssl_verify.h:70
NS_CERT_CHECK_CLIENT
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:254
VERIFY_X509_SUBJECT_RDN_PREFIX
#define VERIFY_X509_SUBJECT_RDN_PREFIX
Definition ssl_verify.h:71
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:252
x509_username_field_ext_supported
bool x509_username_field_ext_supported(const char *extname)
Return true iff the supplied extension field is supported by the –x509-username-field option.
Definition ssl_verify_openssl.c:115
x509_track_add
void x509_track_add(const struct x509_track **ll_head, const char *name, msglvl_t msglevel, struct gc_arena *gc)
Definition ssl_verify_openssl.c:418
argv
Definition argv.h:35
argv::argv
char ** argv
Definition argv.h:39
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
compress_options
Definition comp.h:75
compress_options::flags
unsigned int flags
Definition comp.h:77
compress_options::alg
int alg
Definition comp.h:76
connection_entry
Definition options.h:107
connection_entry::local_list
struct local_list * local_list
Definition options.h:108
connection_entry::tun_mtu_max
int tun_mtu_max
Definition options.h:129
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition options.h:119
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition options.h:179
connection_entry::link_mtu
int link_mtu
Definition options.h:134
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition options.h:135
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition options.h:132
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition options.h:120
connection_entry::bind_local
bool bind_local
Definition options.h:118
connection_entry::mssfix
int mssfix
Definition options.h:144
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition options.h:170
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:175
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition options.h:133
connection_entry::remote
const char * remote
Definition options.h:114
connection_entry::connect_timeout
int connect_timeout
Definition options.h:121
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition options.h:124
connection_entry::mssfix_default
bool mssfix_default
Definition options.h:145
connection_entry::mssfix_encap
bool mssfix_encap
Definition options.h:146
connection_entry::occ_mtu
int occ_mtu
Definition options.h:128
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition options.h:122
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:171
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:166
connection_entry::bind_ipv6_only
bool bind_ipv6_only
Definition options.h:117
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition options.h:131
connection_entry::remote_float
bool remote_float
Definition options.h:115
connection_entry::tls_mtu
int tls_mtu
Definition options.h:136
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:150
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition options.h:125
connection_entry::remote_port
const char * remote_port
Definition options.h:113
connection_entry::fragment_encap
bool fragment_encap
Definition options.h:142
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition options.h:123
connection_entry::fragment
int fragment
Definition options.h:141
connection_entry::mtu_discover_type
int mtu_discover_type
Definition options.h:139
connection_entry::proto
int proto
Definition options.h:109
connection_entry::af
sa_family_t af
Definition options.h:110
connection_entry::tls_auth_file
const char * tls_auth_file
Definition options.h:165
connection_entry::local_port_defined
bool local_port_defined
Definition options.h:112
connection_entry::tun_mtu
int tun_mtu
Definition options.h:127
connection_entry::bind_defined
bool bind_defined
Definition options.h:116
connection_entry::local_port
const char * local_port
Definition options.h:111
connection_entry::key_direction
int key_direction
Definition options.h:167
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:176
connection_entry::flags
unsigned int flags
Definition options.h:162
connection_entry::mssfix_fixed
bool mssfix_fixed
Definition options.h:148
connection_list
Definition options.h:200
connection_list::array
struct connection_entry ** array
Definition options.h:204
connection_list::capacity
int capacity
Definition options.h:201
connection_list::len
int len
Definition options.h:202
context_1::route_list
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
context
Contains all state information for one tunnel.
Definition openvpn.h:471
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:498
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:472
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:513
dhcp_options
Definition dns.h:100
dhcp_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition dns.h:101
dhcp
Definition dhcp.h:62
dns_domain
Definition dns.h:54
dns_domain::next
struct dns_domain * next
Definition dns.h:55
dns_domain::name
const char * name
Definition dns.h:56
dns_options
Definition dns.h:113
dns_options::servers
struct dns_server * servers
Definition dns.h:117
dns_options::updown
const char * updown
Definition dns.h:119
dns_options::from_dhcp
struct dhcp_options from_dhcp
Definition dns.h:114
dns_options::gc
struct gc_arena gc
Definition dns.h:118
dns_options::updown_flags
enum dns_updown_flags updown_flags
Definition dns.h:120
dns_options::search_domains
struct dns_domain * search_domains
Definition dns.h:115
dns_server_addr::a4
struct in_addr a4
Definition dns.h:63
dns_server_addr::in
union dns_server_addr::@0 in
dns_server_addr::family
sa_family_t family
Definition dns.h:66
dns_server_addr::a6
struct in6_addr a6
Definition dns.h:64
dns_server_addr::port
in_port_t port
Definition dns.h:67
dns_server
Definition dns.h:71
dns_server::addr
struct dns_server_addr addr[8]
Definition dns.h:75
dns_server::dnssec
enum dns_security dnssec
Definition dns.h:77
dns_server::next
struct dns_server * next
Definition dns.h:72
dns_server::priority
long priority
Definition dns.h:73
dns_server::addr_count
size_t addr_count
Definition dns.h:74
dns_server::domains
struct dns_domain * domains
Definition dns.h:76
dns_server::transport
enum dns_server_transport transport
Definition dns.h:78
dns_server::sni
const char * sni
Definition dns.h:79
env_item
Definition env_set.h:37
env_item::string
char * string
Definition env_set.h:38
env_item::next
struct env_item * next
Definition env_set.h:39
env_set
Definition env_set.h:43
env_set::list
struct env_item * list
Definition env_set.h:45
fragment
Structure for reassembling one incoming fragmented packet.
Definition fragment.h:65
frame
Packet geometry parameters.
Definition mtu.h:108
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:142
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
hash
Definition list.h:53
http_custom_header
Definition proxy.h:38
http_custom_header::name
const char * name
Definition proxy.h:39
http_custom_header::content
const char * content
Definition proxy.h:40
http_proxy_options
Definition proxy.h:45
http_proxy_options::auth_file
const char * auth_file
Definition proxy.h:55
http_proxy_options::http_version
const char * http_version
Definition proxy.h:57
http_proxy_options::port
const char * port
Definition proxy.h:47
http_proxy_options::inline_creds
bool inline_creds
Definition proxy.h:60
http_proxy_options::user_agent
const char * user_agent
Definition proxy.h:58
http_proxy_options::auth_retry
int auth_retry
Definition proxy.h:52
http_proxy_options::auth_method_string
const char * auth_method_string
Definition proxy.h:54
http_proxy_options::nocache
bool nocache
Definition proxy.h:63
http_proxy_options::custom_headers
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
Definition proxy.h:59
http_proxy_options::auth_file_up
const char * auth_file_up
Definition proxy.h:56
http_proxy_options::server
const char * server
Definition proxy.h:46
iroute_ipv6
Definition route.h:268
iroute_ipv6::next
struct iroute_ipv6 * next
Definition route.h:271
iroute_ipv6::netbits
unsigned int netbits
Definition route.h:270
iroute_ipv6::network
struct in6_addr network
Definition route.h:269
iroute::network
in_addr_t network
Definition route.h:262
iroute::netbits
int netbits
Definition route.h:263
iroute::next
struct iroute * next
Definition route.h:264
key_type
Definition crypto.h:141
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key_type::digest
const char * digest
Message digest static parameters.
Definition crypto.h:143
local_entry
Definition options.h:100
local_entry::port
const char * port
Definition options.h:102
local_entry::proto
int proto
Definition options.h:103
local_entry::local
const char * local
Definition options.h:101
local_list
Definition options.h:193
local_list::array
struct local_entry ** array
Definition options.h:196
local_list::len
int len
Definition options.h:195
local_list::capacity
int capacity
Definition options.h:194
options_pre_connect
Definition options.h:63
options_pre_connect::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:65
options_pre_connect::routes_defined
bool routes_defined
Definition options.h:70
options_pre_connect::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:89
options_pre_connect::foreign_option_index
int foreign_option_index
Definition options.h:91
options_pre_connect::tuntap_options_defined
bool tuntap_options_defined
Definition options.h:64
options_pre_connect::routes_ipv6_defined
bool routes_ipv6_defined
Definition options.h:73
options_pre_connect::ping_rec_timeout
int ping_rec_timeout
Definition options.h:88
options_pre_connect::routes
struct route_option_list * routes
Definition options.h:71
options_pre_connect::comp
struct compress_options comp
Definition options.h:92
options_pre_connect::ciphername
const char * ciphername
Definition options.h:84
options_pre_connect::ifconfig_local
const char * ifconfig_local
Definition options.h:67
options_pre_connect::dns_options
struct dns_options dns_options
Definition options.h:82
options_pre_connect::route_default_gateway
const char * route_default_gateway
Definition options.h:76
options_pre_connect::ping_send_timeout
int ping_send_timeout
Definition options.h:87
options_pre_connect::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:68
options_pre_connect::authname
const char * authname
Definition options.h:85
options_pre_connect::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:74
options_pre_connect::client_nat_defined
bool client_nat_defined
Definition options.h:79
options_pre_connect::client_nat
struct client_nat_option_list * client_nat
Definition options.h:80
options_pre_connect::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:77
options::resolve_retry_seconds
int resolve_retry_seconds
Definition options.h:365
options::rcvbuf
int rcvbuf
Definition options.h:411
options::resolve_in_advance
bool resolve_in_advance
Definition options.h:366
options::route_nopull
bool route_nopull
Definition options.h:435
options::genkey_extra_data
const char * genkey_extra_data
Definition options.h:288
options::comp
struct compress_options comp
Definition options.h:408
options::http_proxy_override
struct http_proxy_options * http_proxy_override
Definition options.h:311
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition options.h:521
options::proto_force
int proto_force
Definition options.h:334
options::persist_config
bool persist_config
Definition options.h:276
options::connection_list
struct connection_list * connection_list
Definition options.h:293
options::management_port
const char * management_port
Definition options.h:445
options::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:662
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition options.h:329
options::max_routes_per_client
int max_routes_per_client
Definition options.h:534
options::ncp_ciphers_conf
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition options.h:576
options::status_file_version
int status_file_version
Definition options.h:405
options::vlan_accept
enum vlan_acceptable_frames vlan_accept
Definition options.h:707
options::auth_token_renewal
int auth_token_renewal
Definition options.h:543
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition options.h:516
options::tmp_dir
const char * tmp_dir
Definition options.h:464
options::push_peer_info
bool push_peer_info
Definition options.h:678
options::daemon
bool daemon
Definition options.h:389
options::pre_connect
struct options_pre_connect * pre_connect
Definition options.h:560
options::route_default_metric
int route_default_metric
Definition options.h:427
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition options.h:644
options::auth_token_secret_file
const char * auth_token_secret_file
Definition options.h:544
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:717
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition options.h:609
options::crl_file_inline
bool crl_file_inline
Definition options.h:613
options::cryptoapi_cert
const char * cryptoapi_cert
Definition options.h:635
options::down_script
const char * down_script
Definition options.h:384
options::backwards_compatible
unsigned int backwards_compatible
What version we should try to be compatible with as major * 10000 + minor * 100 + patch,...
Definition options.h:270
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition options.h:619
options::scheduled_exit_interval
int scheduled_exit_interval
Definition options.h:562
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition options.h:536
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition options.h:602
options::replay_time
int replay_time
Definition options.h:583
options::push_option_types_found
unsigned int push_option_types_found
Definition options.h:556
options::management_state_buffer_size
int management_state_buffer_size
Definition options.h:449
options::ca_file
const char * ca_file
Definition options.h:590
options::tls_auth_file
const char * tls_auth_file
Definition options.h:657
options::providers
struct provider_list providers
Definition options.h:580
options::duplicate_cn
bool duplicate_cn
Definition options.h:525
options::server_network_ipv6
struct in6_addr server_network_ipv6
Definition options.h:469
options::shaper
int shaper
Definition options.h:332
options::management_echo_buffer_size
int management_echo_buffer_size
Definition options.h:448
options::server_network
in_addr_t server_network
Definition options.h:466
options::real_hash_size
uint32_t real_hash_size
Definition options.h:497
options::show_net_up
bool show_net_up
Definition options.h:691
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition options.h:621
options::allow_pull_fqdn
bool allow_pull_fqdn
Definition options.h:437
options::use_peer_id
bool use_peer_id
Definition options.h:697
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:616
options::server_bridge_defined
bool server_bridge_defined
Definition options.h:479
options::keying_material_exporter_label
const char * keying_material_exporter_label
Definition options.h:701
options::status_file
const char * status_file
Definition options.h:404
options::ssl_flags
unsigned int ssl_flags
Definition options.h:622
options::route_noexec
bool route_noexec
Definition options.h:428
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition options.h:331
options::remote_cert_eku
const char * remote_cert_eku
Definition options.h:617
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition options.h:489
options::server_netmask
in_addr_t server_netmask
Definition options.h:467
options::tls_timeout
int tls_timeout
Definition options.h:638
options::test_crypto
bool test_crypto
Definition options.h:585
options::up_delay
bool up_delay
Definition options.h:387
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition options.h:477
options::allow_recursive_routing
bool allow_recursive_routing
Definition options.h:714
options::authname
const char * authname
Definition options.h:578
options::exit_event_name
const char * exit_event_name
Definition options.h:689
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:327
options::cf_max
int cf_max
Definition options.h:527
options::dh_file_inline
bool dh_file_inline
Definition options.h:594
options::push_update_options_found
unsigned int push_update_options_found
Definition options.h:557
options::replay_window
int replay_window
Definition options.h:582
options::disable
bool disable
Definition options.h:505
options::mute
int mute
Definition options.h:398
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition options.h:539
options::dev_type
const char * dev_type
Definition options.h:321
options::persist_mode
int persist_mode
Definition options.h:277
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition options.h:491
options::show_digests
bool show_digests
Definition options.h:281
options::up_script
const char * up_script
Definition options.h:383
options::single_session
bool single_session
Definition options.h:676
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition options.h:511
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition options.h:486
options::verify_hash_depth
int verify_hash_depth
Definition options.h:620
options::route_delay_defined
bool route_delay_defined
Definition options.h:431
options::packet_id_file
const char * packet_id_file
Definition options.h:584
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:666
options::management_log_history_cache
int management_log_history_cache
Definition options.h:447
options::server_bridge_netmask
in_addr_t server_bridge_netmask
Definition options.h:481
options::ip_remote_hint
const char * ip_remote_hint
Definition options.h:367
options::vlan_tagging
bool vlan_tagging
Definition options.h:706
options::peer_id
uint32_t peer_id
Definition options.h:698
options::routes
struct route_option_list * routes
Definition options.h:432
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition options.h:488
options::keepalive_timeout
int keepalive_timeout
Definition options.h:341
options::writepid
const char * writepid
Definition options.h:382
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition options.h:344
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition options.h:493
options::server_flags
unsigned int server_flags
Definition options.h:475
options::block_outside_dns
bool block_outside_dns
Definition options.h:693
options::push_ifconfig_ipv6_blocked
bool push_ifconfig_ipv6_blocked
Definition options.h:523
options::tls_exit
bool tls_exit
Definition options.h:680
options::pkcs12_file
const char * pkcs12_file
Definition options.h:601
options::client_disconnect_script
const char * client_disconnect_script
Definition options.h:500
options::show_engines
bool show_engines
Definition options.h:282
options::remote_list
struct remote_list * remote_list
Definition options.h:295
options::msg_channel
HANDLE msg_channel
Definition options.h:688
options::key_pass_file
const char * key_pass_file
Definition options.h:279
options::mute_replay_warnings
bool mute_replay_warnings
Definition options.h:581
options::tls_crypt_file
const char * tls_crypt_file
Definition options.h:661
options::inactivity_timeout
int inactivity_timeout
Definition options.h:343
options::n_bcast_buf
int n_bcast_buf
Definition options.h:507
options::handshake_window
int handshake_window
Definition options.h:648
options::server_defined
bool server_defined
Definition options.h:465
options::ifconfig_local
const char * ifconfig_local
Definition options.h:325
options::x509_username_field
char * x509_username_field[MAX_PARMS]
Definition options.h:651
options::ce
struct connection_entry ce
Definition options.h:292
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:510
options::push_list
struct push_list push_list
Definition options.h:485
options::user_script_used
bool user_script_used
Definition options.h:385
options::tls_groups
const char * tls_groups
Definition options.h:605
options::show_tls_ciphers
bool show_tls_ciphers
Definition options.h:283
options::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:369
options::route_method
int route_method
Definition options.h:692
options::verify_hash
struct verify_hash_list * verify_hash
Definition options.h:618
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:606
options::renegotiate_packets
int64_t renegotiate_packets
Definition options.h:642
options::management_flags
unsigned int management_flags
Definition options.h:457
options::push_continuation
int push_continuation
Definition options.h:555
options::route_default_gateway
const char * route_default_gateway
Definition options.h:424
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition options.h:514
options::dns_options
struct dns_options dns_options
Definition options.h:316
options::exit_event_initial_state
bool exit_event_initial_state
Definition options.h:690
options::sc_info
struct static_challenge_info sc_info
Definition options.h:565
options::auth_token_call_auth
bool auth_token_call_auth
Definition options.h:541
options::ipchange
const char * ipchange
Definition options.h:319
options::topology
int topology
Definition options.h:324
options::disable_dco
bool disable_dco
Definition options.h:372
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:577
options::genkey
bool genkey
Definition options.h:285
options::virtual_hash_size
uint32_t virtual_hash_size
Definition options.h:498
options::learn_address_script
const char * learn_address_script
Definition options.h:501
options::ciphername
const char * ciphername
Definition options.h:572
options::auth_user_pass_file
const char * auth_user_pass_file
Definition options.h:558
options::tls_crypt_v2_max_age
int tls_crypt_v2_max_age
Definition options.h:673
options::forward_compatible
bool forward_compatible
Definition options.h:267
options::username
const char * username
Definition options.h:375
options::cf_initial_max
int cf_initial_max
Definition options.h:530
options::stale_routes_check_interval
int stale_routes_check_interval
Definition options.h:535
options::plugin_list
struct plugin_option_list * plugin_list
Definition options.h:460
options::auth_token_lifetime
int auth_token_lifetime
Definition options.h:542
options::vlan_pvid
uint16_t vlan_pvid
Definition options.h:708
options::ns_cert_type
int ns_cert_type
Definition options.h:615
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition options.h:671
options::mode
int mode
Definition options.h:264
options::tls_server
bool tls_server
Definition options.h:588
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition options.h:538
options::connect_retry_max
int connect_retry_max
Definition options.h:291
options::bind_dev
char * bind_dev
Definition options.h:416
options::extra_certs_file
const char * extra_certs_file
Definition options.h:597
options::client
bool client
Definition options.h:553
options::pull
bool pull
Definition options.h:554
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition options.h:495
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition options.h:517
options::show_curves
bool show_curves
Definition options.h:284
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:425
options::tls_client
bool tls_client
Definition options.h:589
options::ping_timer_remote
bool ping_timer_remote
Definition options.h:350
options::auth_token_generate
bool auth_token_generate
Definition options.h:540
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:600
options::tls_verify
const char * tls_verify
Definition options.h:608
options::crl_file
const char * crl_file
Definition options.h:612
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:355
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition options.h:559
options::show_ciphers
bool show_ciphers
Definition options.h:280
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:573
options::route_predown_script
const char * route_predown_script
Definition options.h:423
options::dh_file
const char * dh_file
Definition options.h:593
options::route_delay_window
int route_delay_window
Definition options.h:430
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition options.h:512
options::mlock
bool mlock
Definition options.h:338
options::ignore_unknown_option
const char ** ignore_unknown_option
Definition options.h:273
options::sndbuf
int sndbuf
Definition options.h:412
options::foreign_option_index
int foreign_option_index
Definition options.h:685
options::gc
struct gc_arena gc
Definition options.h:256
options::down_pre
bool down_pre
Definition options.h:386
options::persist_tun
bool persist_tun
Definition options.h:357
options::route_default_table_id
int route_default_table_id
Definition options.h:426
options::ca_file_inline
bool ca_file_inline
Definition options.h:591
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition options.h:545
options::block_ipv6
bool block_ipv6
Definition options.h:434
options::config
const char * config
Definition options.h:259
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition options.h:598
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition options.h:515
options::mark
int mark
Definition options.h:415
options::cf_initial_per
int cf_initial_per
Definition options.h:531
options::keying_material_exporter_length
int keying_material_exporter_length
Definition options.h:702
options::suppress_timestamps
bool suppress_timestamps
Definition options.h:394
options::force_key_material_export
bool force_key_material_export
Definition options.h:704
options::mtu_test
bool mtu_test
Definition options.h:336
options::iroutes
struct iroute * iroutes
Definition options.h:509
options::verify_x509_type
int verify_x509_type
Definition options.h:610
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:604
options::ecdh_curve
const char * ecdh_curve
Definition options.h:607
options::status_file_update_freq
int status_file_update_freq
Definition options.h:406
options::management_client_user
const char * management_client_user
Definition options.h:451
options::cipher_list
const char * cipher_list
Definition options.h:603
options::ccd_exclusive
bool ccd_exclusive
Definition options.h:504
options::allow_deprecated_insecure_static_crypto
bool allow_deprecated_insecure_static_crypto
Definition options.h:570
options::pull_filter_list
struct pull_filter_list * pull_filter_list
Definition options.h:710
options::management_certificate
const char * management_certificate
Definition options.h:454
options::genkey_filename
const char * genkey_filename
Definition options.h:287
options::x509_track
const struct x509_track * x509_track
Definition options.h:682
options::chroot_dir
const char * chroot_dir
Definition options.h:377
options::log
bool log
Definition options.h:393
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition options.h:569
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition options.h:522
options::ca_path
const char * ca_path
Definition options.h:592
options::renegotiate_seconds
int renegotiate_seconds
Definition options.h:643
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:349
options::sockflags
unsigned int sockflags
Definition options.h:419
options::engine
const char * engine
Definition options.h:579
options::management_addr
const char * management_addr
Definition options.h:444
options::client_connect_script
const char * client_connect_script
Definition options.h:499
options::verify_x509_name
const char * verify_x509_name
Definition options.h:611
options::ping_send_timeout
int ping_send_timeout
Definition options.h:348
options::route_gateway_via_dhcp
bool route_gateway_via_dhcp
Definition options.h:436
options::remote_random
bool remote_random
Definition options.h:318
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition options.h:519
options::tcp_queue_limit
int tcp_queue_limit
Definition options.h:508
options::route_delay
int route_delay
Definition options.h:429
options::dev_node
const char * dev_node
Definition options.h:322
options::override_username
const char * override_username
Definition options.h:506
options::client_crresponse_script
const char * client_crresponse_script
Definition options.h:502
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:433
options::machine_readable_output
bool machine_readable_output
Definition options.h:395
options::key_direction
int key_direction
Definition options.h:571
options::server_ipv6_defined
bool server_ipv6_defined
Definition options.h:468
options::priv_key_file
const char * priv_key_file
Definition options.h:599
options::persist_remote_ip
bool persist_remote_ip
Definition options.h:359
options::up_restart
bool up_restart
Definition options.h:388
options::keepalive_ping
int keepalive_ping
Definition options.h:340
options::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:658
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:667
options::groupname
const char * groupname
Definition options.h:376
options::server_bridge_pool_start
in_addr_t server_bridge_pool_start
Definition options.h:482
options::cd_dir
const char * cd_dir
Definition options.h:378
options::client_nat
struct client_nat_option_list * client_nat
Definition options.h:438
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition options.h:520
options::nice
int nice
Definition options.h:396
options::max_clients
int max_clients
Definition options.h:533
options::transition_window
int transition_window
Definition options.h:654
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition options.h:326
options::lladdr
const char * lladdr
Definition options.h:323
options::verbosity
int verbosity
Definition options.h:397
options::session_timeout
int session_timeout
Definition options.h:346
options::cert_file
const char * cert_file
Definition options.h:595
options::enable_c2c
bool enable_c2c
Definition options.h:524
options::server_bridge_pool_end
in_addr_t server_bridge_pool_end
Definition options.h:483
options::cf_per
int cf_per
Definition options.h:528
options::windows_driver
enum tun_driver_type windows_driver
Definition options.h:694
options::cert_file_inline
bool cert_file_inline
Definition options.h:596
options::remap_sigusr1
int remap_sigusr1
Definition options.h:391
options::renegotiate_bytes
int64_t renegotiate_bytes
Definition options.h:641
options::route_script
const char * route_script
Definition options.h:422
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition options.h:487
options::management_user_pass
const char * management_user_pass
Definition options.h:446
options::server_netbits_ipv6
unsigned int server_netbits_ipv6
Definition options.h:470
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition options.h:513
options::occ
bool occ
Definition options.h:441
options::server_bridge_ip
in_addr_t server_bridge_ip
Definition options.h:480
options::shared_secret_file
const char * shared_secret_file
Definition options.h:568
options::ifconfig_noexec
bool ifconfig_noexec
Definition options.h:330
options::dev
const char * dev
Definition options.h:320
options::management_client_group
const char * management_client_group
Definition options.h:452
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition options.h:494
options::client_config_dir
const char * client_config_dir
Definition options.h:503
options::genkey_type
enum genkey_type genkey_type
Definition options.h:286
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition options.h:490
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:328
options::persist_local_ip
bool persist_local_ip
Definition options.h:358
provider_list::names
const char * names[MAX_PARMS]
Definition options.h:217
pull_filter_list
Definition options.h:804
pull_filter_list::tail
struct pull_filter * tail
Definition options.h:806
pull_filter_list::head
struct pull_filter * head
Definition options.h:805
pull_filter
Definition options.h:792
pull_filter::type
int type
Definition options.h:797
pull_filter::next
struct pull_filter * next
Definition options.h:800
pull_filter::pattern
char * pattern
Definition options.h:799
pull_filter::size
size_t size
Definition options.h:798
push_entry
Definition pushlist.h:29
push_entry::next
struct push_entry * next
Definition pushlist.h:30
push_entry::enable
bool enable
Definition pushlist.h:31
push_entry::option
const char * option
Definition pushlist.h:32
push_list::head
struct push_entry * head
Definition pushlist.h:37
remote_entry
Definition options.h:183
remote_entry::proto
int proto
Definition options.h:186
remote_entry::remote
const char * remote
Definition options.h:184
remote_entry::remote_port
const char * remote_port
Definition options.h:185
remote_entry::af
sa_family_t af
Definition options.h:187
remote_list
Definition options.h:208
remote_list::len
int len
Definition options.h:210
remote_list::array
struct remote_entry ** array
Definition options.h:211
remote_list::capacity
int capacity
Definition options.h:209
route_gateway_info
Definition route.h:158
route_ipv6_gateway_info
Definition route.h:195
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:113
route_option_list::flags
unsigned int flags
Definition route.h:97
static_challenge_info::flags
unsigned int flags
Definition misc.h:93
static_challenge_info::challenge_text
const char * challenge_text
Definition misc.h:95
tuntap_options
Definition tun.h:73
tuntap_options::dns6
struct in6_addr dns6[N_DHCP_ADDR]
Definition tun.h:140
tuntap_options::nbdd
in_addr_t nbdd[N_DHCP_ADDR]
Definition tun.h:123
tuntap_options::dns6_len
unsigned int dns6_len
Definition tun.h:141
tuntap_options::ntp
in_addr_t ntp[N_DHCP_ADDR]
Definition tun.h:119
tuntap_options::ntp_len
unsigned int ntp_len
Definition tun.h:120
tuntap_options::wins
in_addr_t wins[N_DHCP_ADDR]
Definition tun.h:115
tuntap_options::tap_sleep
int tap_sleep
Definition tun.h:95
tuntap_options::netbios_node_type
uint8_t netbios_node_type
Definition tun.h:105
tuntap_options::dns_len
unsigned int dns_len
Definition tun.h:112
tuntap_options::dhcp_lease_time
int dhcp_lease_time
Definition tun.h:92
tuntap_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition tun.h:111
tuntap_options::netbios_scope
const char * netbios_scope
Definition tun.h:103
tuntap_options::ip_win32_defined
bool ip_win32_defined
Definition tun.h:75
tuntap_options::domain_search_list_len
unsigned int domain_search_list_len
Definition tun.h:130
tuntap_options::dhcp_masq_custom_offset
bool dhcp_masq_custom_offset
Definition tun.h:90
tuntap_options::domain
const char * domain
Definition tun.h:101
tuntap_options::dhcp_renew
bool dhcp_renew
Definition tun.h:135
tuntap_options::domain_search_list
const char * domain_search_list[N_SEARCH_LIST_LEN]
Definition tun.h:129
tuntap_options::dhcp_masq_offset
int dhcp_masq_offset
Definition tun.h:91
tuntap_options::ip_win32_type
int ip_win32_type
Definition tun.h:83
tuntap_options::nbdd_len
unsigned int nbdd_len
Definition tun.h:124
tuntap_options::dhcp_pre_release
bool dhcp_pre_release
Definition tun.h:136
tuntap_options::register_dns
bool register_dns
Definition tun.h:138
tuntap_options::disable_nbt
bool disable_nbt
Definition tun.h:133
tuntap_options::wins_len
unsigned int wins_len
Definition tun.h:116
tuntap_options::dhcp_options
int dhcp_options
Definition tun.h:99
tuntap
Definition tun.h:181
verify_hash_list
Definition options.h:246
verify_hash_list::next
struct verify_hash_list * next
Definition options.h:250
verify_hash_list::hash
uint8_t hash[SHA256_DIGEST_LENGTH]
Definition options.h:249
SIGHUP
#define SIGHUP
Definition syshead.h:55
sa_family_t
unsigned short sa_family_t
Definition syshead.h:409
SIGTERM
#define SIGTERM
Definition syshead.h:59
sleep
#define sleep(x)
Definition syshead.h:42
in_addr_t
uint32_t in_addr_t
Definition syshead.h:52
es
struct env_set * es
Definition test_pkcs11.c:138
pkcs11_id_management
static bool pkcs11_id_management
Definition test_pkcs11.c:133
gc
struct gc_arena gc
Definition test_ssl.c:131
ipconfig_register_dns
void ipconfig_register_dns(const struct env_set *es)
Definition tun.c:4889
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:521
show_tap_win_adapters
void show_tap_win_adapters(msglvl_t msglevel, msglvl_t warnlevel)
Definition tun.c:3815
dhcp_renew_by_adapter_index
bool dhcp_renew_by_adapter_index(const DWORD adapter_index)
Definition tun.c:4822
ascii2ipset
int ascii2ipset(const char *name)
Definition tun.c:6249
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:830
dhcp_release_by_adapter_index
bool dhcp_release_by_adapter_index(const DWORD adapter_index)
Definition tun.c:4781
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:540
tap_allow_nonadmin_access
void tap_allow_nonadmin_access(const char *dev_node)
Definition tun.c:4701
show_adapters
void show_adapters(msglvl_t msglevel)
Definition tun.c:4652
dhcp_renew
static bool dhcp_renew(const struct tuntap *tt)
Definition tun.c:4848
ifconfig_options_string
const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc)
Definition tun.c:694
ipset2ascii_all
const char * ipset2ascii_all(struct gc_arena *gc)
Definition tun.c:6278
show_valid_win32_tun_subnets
void show_valid_win32_tun_subnets(void)
Definition tun.c:3782
print_tun_backend_driver
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:59
IPW32_SET_NETSH
#define IPW32_SET_NETSH
Definition tun.h:78
IPW32_SET_ADAPTIVE
#define IPW32_SET_ADAPTIVE
Definition tun.h:81
DHCP_OPTIONS_DHCP_REQUIRED
#define DHCP_OPTIONS_DHCP_REQUIRED
Definition tun.h:70
N_SEARCH_LIST_LEN
#define N_SEARCH_LIST_LEN
Definition tun.h:126
IPW32_SET_DHCP_MASQ
#define IPW32_SET_DHCP_MASQ
Definition tun.h:80
IPW32_SET_MANUAL
#define IPW32_SET_MANUAL
Definition tun.h:77
WINDOWS_DRIVER_UNSPECIFIED
@ WINDOWS_DRIVER_UNSPECIFIED
Definition tun.h:45
WINDOWS_DRIVER_TAP_WINDOWS6
@ WINDOWS_DRIVER_TAP_WINDOWS6
Definition tun.h:46
DRIVER_DCO
@ DRIVER_DCO
Definition tun.h:53
IPW32_SET_ADAPTIVE_DELAY_WINDOW
#define IPW32_SET_ADAPTIVE_DELAY_WINDOW
Definition tun.h:65
N_DHCP_ADDR
#define N_DHCP_ADDR
Definition tun.h:108
DHCP_OPTIONS_DHCP_OPTIONAL
#define DHCP_OPTIONS_DHCP_OPTIONAL
Definition tun.h:69
tun_afunix.h
is_tun_afunix
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:61
win_get_tempdir
const char * win_get_tempdir(void)
Definition win32-util.c:150
set_win_sys_path
void set_win_sys_path(const char *newpath, struct env_set *es)
Definition win32.c:1115
win32_version_string
const char * win32_version_string(struct gc_arena *gc)
Get Windows version string with architecture info.
Definition win32.c:1380
set_pause_exit_win32
void set_pause_exit_win32(void)
Definition win32.c:144
xkey_common.h
Generated by doxygen 1.9.8