OpenVPN
options.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
9  * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
25 /*
26  * 2004-01-28: Added Socks5 proxy support
27  * (Christof Meerwald, http://cmeerw.org)
28  */
29 
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35 #ifdef HAVE_CONFIG_VERSION_H
36 #include "config-version.h"
37 #endif
38 
39 #include "syshead.h"
40 
41 #include "buffer.h"
42 #include "error.h"
43 #include "common.h"
44 #include "shaper.h"
45 #include "crypto.h"
46 #include "ssl.h"
47 #include "options.h"
48 #include "misc.h"
49 #include "socket.h"
50 #include "packet_id.h"
51 #include "pkcs11.h"
52 #include "win32.h"
53 #include "push.h"
54 #include "pool.h"
55 #include "helper.h"
56 #include "manage.h"
57 #include "forward.h"
58 #include "ssl_verify.h"
59 #include "platform.h"
60 #include <ctype.h>
61 
62 #include "memdbg.h"
63 
64 const char title_string[] =
65  PACKAGE_STRING
66 #ifdef CONFIGURE_GIT_REVISION
67  " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
68 #endif
69  " " TARGET_ALIAS
70 #ifdef ENABLE_CRYPTO
71 #if defined(ENABLE_CRYPTO_MBEDTLS)
72  " [SSL (mbed TLS)]"
73 #elif defined(ENABLE_CRYPTO_OPENSSL)
74  " [SSL (OpenSSL)]"
75 #else
76  " [SSL]"
77 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
78 #endif /* ENABLE_CRYPTO */
79 #ifdef USE_COMP
80 #ifdef ENABLE_LZO
81  " [LZO]"
82 #endif
83 #ifdef ENABLE_LZ4
84  " [LZ4]"
85 #endif
86 #ifdef ENABLE_COMP_STUB
87  " [COMP_STUB]"
88 #endif
89 #endif /* USE_COMP */
90 #if EPOLL
91  " [EPOLL]"
92 #endif
93 #ifdef PRODUCT_TAP_DEBUG
94  " [TAPDBG]"
95 #endif
96 #ifdef ENABLE_PKCS11
97  " [PKCS11]"
98 #endif
99 #if ENABLE_IP_PKTINFO
100 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
101  " [MH/PKTINFO]"
102 #elif defined(IP_RECVDSTADDR)
103  " [MH/RECVDA]"
104 #endif
105 #endif
106 #ifdef HAVE_AEAD_CIPHER_MODES
107  " [AEAD]"
108 #endif
109  " built on " __DATE__
110 ;
111 
112 #ifndef ENABLE_SMALL
113 
114 static const char usage_message[] =
115  "%s\n"
116  "\n"
117  "General Options:\n"
118  "--config file : Read configuration options from file.\n"
119  "--help : Show options.\n"
120  "--version : Show copyright and version information.\n"
121  "\n"
122  "Tunnel Options:\n"
123  "--local host : Local host name or ip address. Implies --bind.\n"
124  "--remote host [port] : Remote host name or ip address.\n"
125  "--remote-random : If multiple --remote options specified, choose one randomly.\n"
126  "--remote-random-hostname : Add a random string to remote DNS name.\n"
127  "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
128  "--proto p : Use protocol p for communicating with peer.\n"
129  " p = udp (default), tcp-server, or tcp-client\n"
130  "--proto-force p : only consider protocol p in list of connection profiles.\n"
131  " p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
132  "--connect-retry n [m] : For client, number of seconds to wait between\n"
133  " connection retries (default=%d). On repeated retries\n"
134  " the wait time is exponentially increased to a maximum of m\n"
135  " (default=%d).\n"
136  "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
137  "--http-proxy s p [up] [auth] : Connect to remote host\n"
138  " through an HTTP proxy at address s and port p.\n"
139  " If proxy authentication is required,\n"
140  " up is a file containing username/password on 2 lines, or\n"
141  " 'stdin' to prompt from console. Add auth='ntlm' if\n"
142  " the proxy requires NTLM authentication.\n"
143  "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
144  " determine auth method and query for username/password\n"
145  " if needed. auto-nct disables weak proxy auth methods.\n"
146  "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
147  " Repeat to set multiple options.\n"
148  " VERSION version (default=1.0)\n"
149  " AGENT user-agent\n"
150  "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
151  " address s and port p (default port = 1080).\n"
152  " If proxy authentication is required,\n"
153  " up is a file containing username/password on 2 lines, or\n"
154  " 'stdin' to prompt for console.\n"
155  "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
156  "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
157  " resolve for n seconds before failing (disabled by default).\n"
158  " Set n=\"infinite\" to retry indefinitely.\n"
159  "--float : Allow remote to change its IP address/port, such as through\n"
160  " DHCP (this is the default if --remote is not used).\n"
161  "--ipchange cmd : Run command cmd on remote ip address initial\n"
162  " setting or change -- execute as: cmd ip-address port#\n"
163  "--port port : TCP/UDP port # for both local and remote.\n"
164  "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
165  "--rport port : TCP/UDP port # for remote (default=%s).\n"
166  "--bind : Bind to local address and port. (This is the default unless\n"
167  " --proto tcp-client"
168  " or --http-proxy"
169  " or --socks-proxy"
170  " is used).\n"
171  "--nobind : Do not bind to local address and port.\n"
172  "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
173  "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
174  " this option only if the tun/tap device used with --dev\n"
175  " does not begin with \"tun\" or \"tap\".\n"
176  "--dev-node node : Explicitly set the device node rather than using\n"
177  " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
178  "--lladdr hw : Set the link layer address of the tap device.\n"
179  "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
180 #ifdef ENABLE_IPROUTE
181  "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
182 #endif
183  "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
184  " endpoint and rn as a remote endpoint. l & rn should be\n"
185  " swapped on the other peer. l & rn must be private\n"
186  " addresses outside of the subnets used by either peer.\n"
187  " TAP: configure device to use IP address l as a local\n"
188  " endpoint and rn as a subnet mask.\n"
189  "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
190  " endpoint (as a /64) and r as remote endpoint\n"
191  "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
192  " pass --ifconfig parms by environment to scripts.\n"
193  "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
194  " connection doesn't match the remote side.\n"
195  "--route network [netmask] [gateway] [metric] :\n"
196  " Add route to routing table after connection\n"
197  " is established. Multiple routes can be specified.\n"
198  " netmask default: 255.255.255.255\n"
199  " gateway default: taken from --route-gateway or --ifconfig\n"
200  " Specify default by leaving blank or setting to \"nil\".\n"
201  "--route-ipv6 network/bits [gateway] [metric] :\n"
202  " Add IPv6 route to routing table after connection\n"
203  " is established. Multiple routes can be specified.\n"
204  " gateway default: taken from 'remote' in --ifconfig-ipv6\n"
205  "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
206  "--route-metric m : Specify a default metric for use with --route.\n"
207  "--route-delay n [w] : Delay n seconds after connection initiation before\n"
208  " adding routes (may be 0). If not specified, routes will\n"
209  " be added immediately after tun/tap open. On Windows, wait\n"
210  " up to w seconds for TUN/TAP adapter to come up.\n"
211  "--route-up cmd : Run command cmd after routes are added.\n"
212  "--route-pre-down cmd : Run command cmd before routes are removed.\n"
213  "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
214  " --route-up script using environmental variables.\n"
215  "--route-nopull : When used with --client or --pull, accept options pushed\n"
216  " by server EXCEPT for routes and dhcp options.\n"
217  "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
218  " --ifconfig, --route, and --route-gateway.\n"
219  "--redirect-gateway [flags]: Automatically execute routing\n"
220  " commands to redirect all outgoing IP traffic through the\n"
221  " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
222  " connected via a common subnet, such as with WiFi.\n"
223  " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
224  " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
225  " flag to add a direct route to DHCP server, bypassing tunnel.\n"
226  " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
227  "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
228  " the default gateway. Useful when pushing private subnets.\n"
229  "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
230 #ifdef ENABLE_PUSH_PEER_INFO
231  "--push-peer-info : (client only) push client info to server.\n"
232 #endif
233  "--setenv name value : Set a custom environmental variable to pass to script.\n"
234  "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
235  " directives for future OpenVPN versions to be ignored.\n"
236  "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
237  " these options to be ignored when unknown\n"
238  "--script-security level: Where level can be:\n"
239  " 0 -- strictly no calling of external programs\n"
240  " 1 -- (default) only call built-ins such as ifconfig\n"
241  " 2 -- allow calling of built-ins and scripts\n"
242  " 3 -- allow password to be passed to scripts via env\n"
243  "--shaper n : Restrict output to peer to n bytes per second.\n"
244  "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
245  " ping once every n seconds, restart if ping not received\n"
246  " for m seconds.\n"
247  "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
248  " produces a combined in/out byte count < bytes.\n"
249  "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
250  "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
251  "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
252  " remote address.\n"
253  "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
254 #if ENABLE_IP_PKTINFO
255  "--multihome : Configure a multi-homed UDP server.\n"
256 #endif
257  "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
258  "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
259  "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
260  "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
261  "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
262  "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
263 #if PASSTOS_CAPABILITY
264  "--passtos : TOS passthrough (applies to IPv4 only).\n"
265 #endif
266  "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
267  " TCP/UDP MTU from it (default=%d).\n"
268  "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
269  " as n bytes more than the tun-mtu size on read\n"
270  " (default TUN=0 TAP=%d).\n"
271  "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
272  " from it.\n"
273  "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
274  " 'no' -- Never send DF (Don't Fragment) frames\n"
275  " 'maybe' -- Use per-route hints\n"
276  " 'yes' -- Always DF (Don't Fragment)\n"
277 #ifdef ENABLE_OCC
278  "--mtu-test : Empirically measure and report MTU.\n"
279 #endif
280 #ifdef ENABLE_FRAGMENT
281  "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
282  " datagrams are sent which are larger than max bytes.\n"
283  " Adds 4 bytes of overhead per datagram.\n"
284 #endif
285  "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
286  " or --fragment max value, whichever is lower.\n"
287  "--sndbuf size : Set the TCP/UDP send buffer size.\n"
288  "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
289 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
290  "--mark value : Mark encrypted packets being sent with value. The mark value\n"
291  " can be matched in policy routing and packetfilter rules.\n"
292 #endif
293  "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
294 #ifdef ENABLE_MEMSTATS
295  "--memstats file : Write live usage stats to memory mapped binary file.\n"
296 #endif
297  "--mlock : Disable Paging -- ensures key material and tunnel\n"
298  " data will never be written to disk.\n"
299  "--up cmd : Run command cmd after successful tun device open.\n"
300  " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
301  " ifconfig-local-ip ifconfig-remote-ip\n"
302  " (pre --user or --group UID/GID change)\n"
303  "--up-delay : Delay tun/tap open and possible --up script execution\n"
304  " until after TCP/UDP connection establishment with peer.\n"
305  "--down cmd : Run command cmd after tun device close.\n"
306  " (post --user/--group UID/GID change and/or --chroot)\n"
307  " (command parameters are same as --up option)\n"
308  "--down-pre : Run --down command before TUN/TAP close.\n"
309  "--up-restart : Run up/down commands for all restarts including those\n"
310  " caused by --ping-restart or SIGUSR1\n"
311  "--user user : Set UID to user after initialization.\n"
312  "--group group : Set GID to group after initialization.\n"
313  "--chroot dir : Chroot to this directory after initialization.\n"
314 #ifdef ENABLE_SELINUX
315  "--setcon context: Apply this SELinux context after initialization.\n"
316 #endif
317  "--cd dir : Change to this directory before initialization.\n"
318  "--daemon [name] : Become a daemon after initialization.\n"
319  " The optional 'name' parameter will be passed\n"
320  " as the program name to the system logger.\n"
321  "--syslog [name] : Output to syslog, but do not become a daemon.\n"
322  " See --daemon above for a description of the 'name' parm.\n"
323  "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
324  " See --daemon above for a description of the 'name' parm.\n"
325  "--log file : Output log to file which is created/truncated on open.\n"
326  "--log-append file : Append log to file, or create file if nonexistent.\n"
327  "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
328  "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
329  "--writepid file : Write main process ID to file.\n"
330  "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
331  "--echo [parms ...] : Echo parameters to log output.\n"
332  "--verb n : Set output verbosity to n (default=%d):\n"
333  " (Level 3 is recommended if you want a good summary\n"
334  " of what's happening without being swamped by output).\n"
335  " : 0 -- no output except fatal errors\n"
336  " : 1 -- startup info + connection initiated messages +\n"
337  " non-fatal encryption & net errors\n"
338  " : 2,3 -- show TLS negotiations & route info\n"
339  " : 4 -- show parameters\n"
340  " : 5 -- show 'RrWw' chars on console for each packet sent\n"
341  " and received from TCP/UDP (caps) or tun/tap (lc)\n"
342  " : 6 to 11 -- debug messages of increasing verbosity\n"
343  "--mute n : Log at most n consecutive messages in the same category.\n"
344  "--status file n : Write operational status to file every n seconds.\n"
345  "--status-version [n] : Choose the status file format version number.\n"
346  " Currently, n can be 1, 2, or 3 (default=1).\n"
347 #ifdef ENABLE_OCC
348  "--disable-occ : Disable options consistency check between peers.\n"
349 #endif
350 #ifdef ENABLE_DEBUG
351  "--gremlin mask : Special stress testing mode (for debugging only).\n"
352 #endif
353 #if defined(USE_COMP)
354  "--compress alg : Use compression algorithm alg\n"
355 #if defined(ENABLE_LZO)
356  "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
357  " packet for uncompressible data.\n"
358  "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
359  " is specified.\n"
360 #endif
361 #endif
362 #ifdef ENABLE_MANAGEMENT
363  "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
364  " management functions. pass is a password file\n"
365  " or 'stdin' to prompt from console.\n"
366 #if UNIX_SOCK_SUPPORT
367  " To listen on a unix domain socket, specific the pathname\n"
368  " in place of ip and use 'unix' as the port number.\n"
369 #endif
370  "--management-client : Management interface will connect as a TCP client to\n"
371  " ip/port rather than listen as a TCP server.\n"
372  "--management-query-passwords : Query management channel for private key\n"
373  " and auth-user-pass passwords.\n"
374  "--management-query-proxy : Query management channel for proxy information.\n"
375  "--management-query-remote : Query management channel for --remote directive.\n"
376  "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
377  " of the management interface explicitly starts it.\n"
378  "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
379  "--management-forget-disconnect : Forget passwords when management disconnect\n"
380  " event occurs.\n"
381  "--management-up-down : Report tunnel up/down events to management interface.\n"
382  "--management-log-cache n : Cache n lines of log file history for usage\n"
383  " by the management channel.\n"
384 #if UNIX_SOCK_SUPPORT
385  "--management-client-user u : When management interface is a unix socket, only\n"
386  " allow connections from user u.\n"
387  "--management-client-group g : When management interface is a unix socket, only\n"
388  " allow connections from group g.\n"
389 #endif
390 #ifdef MANAGEMENT_DEF_AUTH
391  "--management-client-auth : gives management interface client the responsibility\n"
392  " to authenticate clients after their client certificate\n"
393  " has been verified.\n"
394 #endif
395 #ifdef MANAGEMENT_PF
396  "--management-client-pf : management interface clients must specify a packet\n"
397  " filter file for each connecting client.\n"
398 #endif
399 #endif /* ifdef ENABLE_MANAGEMENT */
400 #ifdef ENABLE_PLUGIN
401  "--plugin m [str]: Load plug-in module m passing str as an argument\n"
402  " to its initialization function.\n"
403 #endif
404 #if P2MP
405 #if P2MP_SERVER
406  "\n"
407  "Multi-Client Server options (when --mode server is used):\n"
408  "--server network netmask : Helper option to easily configure server mode.\n"
409  "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
410  "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
411  " easily configure ethernet bridging server mode.\n"
412  "--push \"option\" : Push a config file option back to the peer for remote\n"
413  " execution. Peer must specify --pull in its config file.\n"
414  "--push-reset : Don't inherit global push list for specific\n"
415  " client instance.\n"
416  "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
417  " to be dynamically allocated to connecting clients.\n"
418  "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather \n"
419  " than /30 subnets\n in tun mode. Not compatible with\n"
420  " Windows clients.\n"
421  "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
422  " data to file, at seconds intervals (default=600).\n"
423  " If seconds=0, file will be treated as read-only.\n"
424  "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
425  " to be dynamically allocated to connecting clients.\n"
426  "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
427  " overrides --ifconfig-pool dynamic allocation.\n"
428  " Only valid in a client-specific config file.\n"
429  "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
430  " remote, overrides --ifconfig-ipv6-pool allocation.\n"
431  " Only valid in a client-specific config file.\n"
432  "--iroute network [netmask] : Route subnet to client.\n"
433  "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
434  " Sets up internal routes only.\n"
435  " Only valid in a client-specific config file.\n"
436  "--disable : Client is disabled.\n"
437  " Only valid in a client-specific config file.\n"
438  "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n"
439  " will authenticate using username/password.\n"
440  "--verify-client-cert [none|optional|require] : perform no, optional or\n"
441  " mandatory client certificate verification.\n"
442  " Default is to require the client to supply a certificate.\n"
443  "--username-as-common-name : For auth-user-pass authentication, use\n"
444  " the authenticated username as the common name,\n"
445  " rather than the common name from the client cert.\n"
446  "--auth-user-pass-verify cmd method: Query client for username/password and\n"
447  " run command cmd to verify. If method='via-env', pass\n"
448  " user/pass via environment, if method='via-file', pass\n"
449  " user/pass via temporary file.\n"
450  "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
451  " to each client, replacing the password. Usefull when\n"
452  " OTP based two-factor auth mechanisms are in use and\n"
453  " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
454  " for generated tokens can be set.\n"
455  "--opt-verify : Clients that connect with options that are incompatible\n"
456  " with those of the server will be disconnected.\n"
457  "--auth-user-pass-optional : Allow connections by clients that don't\n"
458  " specify a username/password.\n"
459  "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
460  " any printable character.\n"
461  "--client-to-client : Internally route client-to-client traffic.\n"
462  "--duplicate-cn : Allow multiple clients with the same common name to\n"
463  " concurrently connect.\n"
464  "--client-connect cmd : Run command cmd on client connection.\n"
465  "--client-disconnect cmd : Run command cmd on client disconnection.\n"
466  "--client-config-dir dir : Directory for custom client config files.\n"
467  "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
468  "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
469  "--hash-size r v : Set the size of the real address hash table to r and the\n"
470  " virtual address table to v.\n"
471  "--bcast-buffers n : Allocate n broadcast buffers.\n"
472  "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
473  "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
474  " as well as pushes it to connecting clients.\n"
475  "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
476  "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
477  "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
478  "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
479  "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
480  " older than n seconds. Run this check every t\n"
481  " seconds (defaults to n).\n"
482  "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
483  " clients. n = 1 - reconnect to same server,\n"
484  " 2 - advance to next server, default=1.\n"
485 #if PORT_SHARE
486  "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
487  " sessions to a web server at host:port. dir specifies an\n"
488  " optional directory to write origin IP:port data.\n"
489 #endif
490 #endif /* if P2MP_SERVER */
491  "\n"
492  "Client options (when connecting to a multi-client server):\n"
493  "--client : Helper option to easily configure client mode.\n"
494  "--auth-user-pass [up] : Authenticate with server using username/password.\n"
495  " up is a file containing the username on the first line,\n"
496  " and a password on the second. If either the password or both\n"
497  " the username and the password are omitted OpenVPN will prompt\n"
498  " for them from console.\n"
499  "--pull : Accept certain config file options from the peer as if they\n"
500  " were part of the local config file. Must be specified\n"
501  " when connecting to a '--mode server' remote host.\n"
502  "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
503  " server if it starts with the text t. The action flag accept,\n"
504  " ignore or reject causes the option to be allowed, removed or\n"
505  " rejected with error. May be specified multiple times, and\n"
506  " each filter is applied in the order of appearance.\n"
507  "--auth-retry t : How to handle auth failures. Set t to\n"
508  " none (default), interact, or nointeract.\n"
509  "--static-challenge t e : Enable static challenge/response protocol using\n"
510  " challenge text t, with e indicating echo flag (0|1)\n"
511  "--connect-timeout n : when polling possible remote servers to connect to\n"
512  " in a round-robin fashion, spend no more than n seconds\n"
513  " waiting for a response before trying the next server.\n"
514  "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
515  " incoming tun packets with same destination as host.\n"
516 #endif /* if P2MP */
517 #ifdef ENABLE_OCC
518  "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
519  " server/remote. n = # of retries, default=1.\n"
520 #endif
521 #ifdef ENABLE_CRYPTO
522  "\n"
523  "Data Channel Encryption Options (must be compatible between peers):\n"
524  "(These options are meaningful for both Static Key & TLS-mode)\n"
525  "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
526  " Use shared secret file f, generate with --genkey.\n"
527  " The optional d parameter controls key directionality.\n"
528  " If d is specified, use separate keys for each\n"
529  " direction, set d=0 on one side of the connection,\n"
530  " and d=1 on the other side.\n"
531  "--auth alg : Authenticate packets with HMAC using message\n"
532  " digest algorithm alg (default=%s).\n"
533  " (usually adds 16 or 20 bytes per packet)\n"
534  " Set alg=none to disable authentication.\n"
535  "--cipher alg : Encrypt packets with cipher algorithm alg\n"
536  " (default=%s).\n"
537  " Set alg=none to disable encryption.\n"
538  "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
539  "--ncp-disable : Disable cipher negotiation.\n"
540  "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
541  " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
542 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
543  "--keysize n : (DEPRECATED) Size of cipher key in bits (optional).\n"
544  " If unspecified, defaults to cipher-specific default.\n"
545 #endif
546 #ifndef ENABLE_CRYPTO_MBEDTLS
547  "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
548 #endif
549  "--no-replay : (DEPRECATED) Disable replay protection.\n"
550  "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
551  "--replay-window n [t] : Use a replay protection sliding window of size n\n"
552  " and a time window of t seconds.\n"
553  " Default n=%d t=%d\n"
554  "--replay-persist file : Persist replay-protection state across sessions\n"
555  " using file.\n"
556  "--test-crypto : Run a self-test of crypto features enabled.\n"
557  " For debugging only.\n"
558 #ifdef ENABLE_PREDICTION_RESISTANCE
559  "--use-prediction-resistance: Enable prediction resistance on the random\n"
560  " number generator.\n"
561 #endif
562  "\n"
563  "TLS Key Negotiation Options:\n"
564  "(These options are meaningful only for TLS-mode)\n"
565  "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
566  "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
567  "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
568  " number, such as 1 (default), 2, etc.\n"
569  "--ca file : Certificate authority file in .pem format containing\n"
570  " root certificate.\n"
571 #ifndef ENABLE_CRYPTO_MBEDTLS
572  "--capath dir : A directory of trusted certificates (CAs"
573  " and CRLs).\n"
574 #endif /* ENABLE_CRYPTO_MBEDTLS */
575  "--dh file : File containing Diffie Hellman parameters\n"
576  " in .pem format (for --tls-server only).\n"
577  " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
578  "--cert file : Local certificate in .pem format -- must be signed\n"
579  " by a Certificate Authority in --ca file.\n"
580  "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
581  "--key file : Local private key in .pem format.\n"
582  "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
583  " will accept from the peer. If version is unrecognized and 'or-highest'\n"
584  " is specified, require max TLS version supported by SSL implementation.\n"
585  "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
586 #ifndef ENABLE_CRYPTO_MBEDTLS
587  "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
588  " and optionally the root CA certificate.\n"
589 #endif
590 #ifdef ENABLE_X509ALTUSERNAME
591  "--x509-username-field : Field in x509 certificate containing the username.\n"
592  " Default is CN in the Subject field.\n"
593 #endif
594  "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
595  " Valid algo flags are SHA1 and SHA256. \n"
596 #ifdef _WIN32
597  "--cryptoapicert select-string : Load the certificate and private key from the\n"
598  " Windows Certificate System Store.\n"
599 #endif
600  "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
601  " : Use --show-tls to see a list of supported TLS ciphers.\n"
602  "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
603  " if no ACK from remote within n seconds (default=%d).\n"
604  "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
605  "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
606  "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
607  "--hand-window n : Data channel key exchange must finalize within n seconds\n"
608  " of handshake initiation by any peer (default=%d).\n"
609  "--tran-window n : Transition window -- old key can live this many seconds\n"
610  " after new key renegotiation begins (default=%d).\n"
611  "--single-session: Allow only one session (reset state on restart).\n"
612  "--tls-exit : Exit on TLS negotiation failure.\n"
613  "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
614  " control channel to protect against attacks on the TLS stack\n"
615  " and DoS attacks.\n"
616  " f (required) is a shared-secret key file.\n"
617  " The optional d parameter controls key directionality,\n"
618  " see --secret option for more info.\n"
619  "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
620  " of the TLS control channel to hide the TLS certificate,\n"
621  " provide basic post-quantum security and protect against\n"
622  " attacks on the TLS stack and DoS attacks.\n"
623  " key (required) provides the pre-shared key file.\n"
624  " see --secret option for more info.\n"
625  "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
626  "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
627  "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
628  "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
629  " pending TLS connection that has otherwise passed all other\n"
630  " tests of certification. cmd should return 0 to allow\n"
631  " TLS handshake to proceed, or 1 to fail. (cmd is\n"
632  " executed as 'cmd certificate_depth subject')\n"
633  "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
634  " in an openvpn temporary file in [directory]. Peer cert is \n"
635  " stored before tls-verify script execution and deleted after.\n"
636  "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
637  " DN name. The remote host must also pass all other tests\n"
638  " of verification.\n"
639  "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
640  " an explicit nsCertType designation t = 'client' | 'server'.\n"
641  "--x509-track x : Save peer X509 attribute x in environment for use by\n"
642  " plugins and management interface.\n"
643 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
644  "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
645  " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
646 #endif
647  "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
648  " explicit key usage, you can specify more than one value.\n"
649  " value should be given in hex format.\n"
650  "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
651  " explicit extended key usage. Extended key usage can be encoded\n"
652  " as an object identifier or OpenSSL string representation.\n"
653  "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
654  " key usage and extended key usage based on RFC3280 TLS rules.\n"
655  " t = 'client' | 'server'.\n"
656 #ifdef ENABLE_PKCS11
657  "\n"
658  "PKCS#11 Options:\n"
659  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
660  "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
661  " path. Set for each provider.\n"
662  "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
663  " 0 : Try to determind automatically (default).\n"
664  " 1 : Use Sign.\n"
665  " 2 : Use SignRecover.\n"
666  " 4 : Use Decrypt.\n"
667  " 8 : Use Unwrap.\n"
668  "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
669  " certificate can be accessed. Set for each provider.\n"
670  "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
671  " cache until token is removed.\n"
672  "--pkcs11-id-management : Acquire identity from management interface.\n"
673  "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
674 #endif /* ENABLE_PKCS11 */
675  "\n"
676  "SSL Library information:\n"
677  "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
678  "--show-digests : Show message digest algorithms to use with --auth option.\n"
679  "--show-engines : Show hardware crypto accelerator engines (if available).\n"
680  "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
681 #ifdef _WIN32
682  "\n"
683  "Windows Specific:\n"
684  "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
685  " from SystemRoot environment variable.\n"
686  "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
687  " IP address using method = manual, netsh, ipapi,\n"
688  " dynamic, or adaptive (default = adaptive).\n"
689  " Dynamic method allows two optional parameters:\n"
690  " offset: DHCP server address offset (> -256 and < 256).\n"
691  " If 0, use network address, if >0, take nth\n"
692  " address forward from network address, if <0,\n"
693  " take nth address backward from broadcast\n"
694  " address.\n"
695  " Default is 0.\n"
696  " lease-time: Lease time in seconds.\n"
697  " Default is one year.\n"
698  "--route-method : Which method to use for adding routes on Windows?\n"
699  " adaptive (default) -- Try ipapi then fall back to exe.\n"
700  " ipapi -- Use IP helper API.\n"
701  " exe -- Call the route.exe shell command.\n"
702  "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
703  " be used with --ip-win32 dynamic. For options\n"
704  " which allow multiple addresses,\n"
705  " --dhcp-option must be repeated.\n"
706  " DOMAIN name : Set DNS suffix\n"
707  " DNS addr : Set domain name server address(es) (IPv4)\n"
708  " DNS6 addr : Set domain name server address(es) (IPv6)\n"
709  " NTP : Set NTP server address(es)\n"
710  " NBDD : Set NBDD server address(es)\n"
711  " WINS addr : Set WINS server address(es)\n"
712  " NBT type : Set NetBIOS over TCP/IP Node type\n"
713  " 1: B, 2: P, 4: M, 8: H\n"
714  " NBS id : Set NetBIOS scope ID\n"
715  " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
716  "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
717  "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
718  " startup.\n"
719  "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
720  " on connection initiation.\n"
721  "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
722  " attempting to set adapter properties.\n"
723  "--pause-exit : When run from a console window, pause before exiting.\n"
724  "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
725  " service, and should not be used directly by end-users.\n"
726  " ex is the name of an event object which, when\n"
727  " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
728  " optional parameter controls the initial state of ex.\n"
729  "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
730  " after TAP adapter is up and routes have been added.\n"
731 #ifdef _WIN32
732  "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
733 #endif
734  "Windows Standalone Options:\n"
735  "\n"
736  "--show-adapters : Show all TAP-Windows adapters.\n"
737  "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
738  "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
739  "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
740  " to access TAP adapter.\n"
741 #endif /* ifdef _WIN32 */
742  "\n"
743  "Generate a random key (only for non-TLS static key encryption mode):\n"
744  "--genkey : Generate a random key to be used as a shared secret,\n"
745  " for use with the --secret option.\n"
746  "--secret file : Write key to file.\n"
747 #endif /* ENABLE_CRYPTO */
748 #ifdef ENABLE_FEATURE_TUN_PERSIST
749  "\n"
750  "Tun/tap config mode (available with linux 2.4+):\n"
751  "--mktun : Create a persistent tunnel.\n"
752  "--rmtun : Remove a persistent tunnel.\n"
753  "--dev tunX|tapX : tun/tap device\n"
754  "--dev-type dt : Device type. See tunnel options above for details.\n"
755  "--user user : User to set privilege to.\n"
756  "--group group : Group to set privilege to.\n"
757 #endif
758 #ifdef ENABLE_PKCS11
759  "\n"
760  "PKCS#11 standalone options:\n"
761 #ifdef DEFAULT_PKCS11_MODULE
762  "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
763 #else
764  "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
765 #endif
766  " --verb option can be added *BEFORE* this.\n"
767 #endif /* ENABLE_PKCS11 */
768  "\n"
769  "General Standalone Options:\n"
770 #ifdef ENABLE_DEBUG
771  "--show-gateway : Show info about default gateway.\n"
772 #endif
773 ;
774 
775 #endif /* !ENABLE_SMALL */
776 
777 /*
778  * This is where the options defaults go.
779  * Any option not explicitly set here
780  * will be set to 0.
781  */
782 void
783 init_options(struct options *o, const bool init_gc)
784 {
785  CLEAR(*o);
786  if (init_gc)
787  {
788  gc_init(&o->gc);
789  o->gc_owned = true;
790  }
792  o->topology = TOP_NET30;
793  o->ce.proto = PROTO_UDP;
794  o->ce.af = AF_UNSPEC;
795  o->ce.bind_ipv6_only = false;
796  o->ce.connect_retry_seconds = 5;
797  o->ce.connect_retry_seconds_max = 300;
798  o->ce.connect_timeout = 120;
799  o->connect_retry_max = 0;
801  o->verbosity = 1;
802  o->status_file_update_freq = 60;
803  o->status_file_version = 1;
804  o->ce.bind_local = true;
807  o->ce.mtu_discover_type = -1;
808  o->ce.mssfix = MSSFIX_DEFAULT;
809  o->route_delay_window = 30;
811  o->resolve_in_advance = false;
812  o->proto_force = -1;
813 #ifdef ENABLE_OCC
814  o->occ = true;
815 #endif
816 #ifdef ENABLE_MANAGEMENT
820 #endif
821 #ifdef ENABLE_FEATURE_TUN_PERSIST
822  o->persist_mode = 1;
823 #endif
824 #ifdef TARGET_LINUX
825  o->tuntap_options.txqueuelen = 100;
826 #endif
827 #ifdef _WIN32
828 #if 0
830 #else
832 #endif
833  o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
834  o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
836  o->block_outside_dns = false;
837 #endif
838 #if P2MP_SERVER
839  o->real_hash_size = 256;
840  o->virtual_hash_size = 256;
841  o->n_bcast_buf = 256;
842  o->tcp_queue_limit = 64;
843  o->max_clients = 1024;
844  o->max_routes_per_client = 256;
847 #endif
848 #if P2MP
850 #endif
851 #ifdef ENABLE_CRYPTO
852  o->ciphername = "BF-CBC";
853 #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
854  o->ncp_enabled = true;
855 #else
856  o->ncp_enabled = false;
857 #endif
858  o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
859  o->authname = "SHA1";
860  o->prng_hash = "SHA1";
861  o->prng_nonce_secret_len = 16;
862  o->replay = true;
866 #ifdef ENABLE_PREDICTION_RESISTANCE
867  o->use_prediction_resistance = false;
868 #endif
869  o->key_method = 2;
870  o->tls_timeout = 2;
871  o->renegotiate_bytes = -1;
872  o->renegotiate_seconds = 3600;
873  o->handshake_window = 60;
874  o->transition_window = 3600;
875  o->ecdh_curve = NULL;
876 #ifdef ENABLE_X509ALTUSERNAME
877  o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
878 #endif
879 #endif /* ENABLE_CRYPTO */
880 #ifdef ENABLE_PKCS11
881  o->pkcs11_pin_cache_period = -1;
882 #endif /* ENABLE_PKCS11 */
883 
884 /* P2MP server context features */
885 #if P2MP_SERVER
886  o->auth_token_generate = false;
887 
888  /* Set default --tmp-dir */
889 #ifdef _WIN32
890  /* On Windows, find temp dir via enviroment variables */
891  o->tmp_dir = win_get_tempdir();
892 #else
893  /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
894  o->tmp_dir = getenv("TMPDIR");
895  if (!o->tmp_dir)
896  {
897  o->tmp_dir = "/tmp";
898  }
899 #endif /* _WIN32 */
900 #endif /* P2MP_SERVER */
901  o->allow_recursive_routing = false;
902 }
903 
904 void
906 {
907  if (o->gc_owned)
908  {
909  gc_free(&o->gc);
910  }
911 }
912 
914 {
915 #define PUF_TYPE_UNDEF 0
916 #define PUF_TYPE_ACCEPT 1
917 #define PUF_TYPE_IGNORE 2
918 #define PUF_TYPE_REJECT 3
919  int type;
920  int size;
921  char *pattern;
922  struct pull_filter *next;
923 };
924 
926 {
927  struct pull_filter *head;
928  struct pull_filter *tail;
929 };
930 
931 static const char *
933 {
934  if (type == PUF_TYPE_ACCEPT)
935  {
936  return "accept";
937  }
938  if (type == PUF_TYPE_IGNORE)
939  {
940  return "ignore";
941  }
942  if (type == PUF_TYPE_REJECT)
943  {
944  return "reject";
945  }
946  else
947  {
948  return "???";
949  }
950 }
951 
952 #ifndef ENABLE_SMALL
953 
954 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
955 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
956 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
957 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
958 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
959 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
960 
961 #endif
962 
963 static void
965  const struct connection_entry *e,
966  const int i)
967 {
968  setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
969  setenv_str_i(es, "local", e->local, i);
970  setenv_str_i(es, "local_port", e->local_port, i);
971  setenv_str_i(es, "remote", e->remote, i);
972  setenv_str_i(es, "remote_port", e->remote_port, i);
973 
974  if (e->http_proxy_options)
975  {
976  setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
977  setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
978  }
979  if (e->socks_proxy_server)
980  {
981  setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
982  setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
983  }
984 }
985 
986 void
987 setenv_settings(struct env_set *es, const struct options *o)
988 {
989  setenv_str(es, "config", o->config);
990  setenv_int(es, "verb", o->verbosity);
991  setenv_int(es, "daemon", o->daemon);
992  setenv_int(es, "daemon_log_redirect", o->log);
993  setenv_unsigned(es, "daemon_start_time", time(NULL));
994  setenv_int(es, "daemon_pid", platform_getpid());
995 
996  if (o->connection_list)
997  {
998  int i;
999  for (i = 0; i < o->connection_list->len; ++i)
1000  {
1002  }
1003  }
1004  else
1005  {
1006  setenv_connection_entry(es, &o->ce, 1);
1007  }
1008 }
1009 
1010 static in_addr_t
1011 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1012 {
1013  unsigned int flags = GETADDR_HOST_ORDER;
1014  bool succeeded = false;
1015  in_addr_t ret;
1016 
1017  if (msglevel & M_FATAL)
1018  {
1019  flags |= GETADDR_FATAL;
1020  }
1021 
1022  ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1023  if (!succeeded && error)
1024  {
1025  *error = true;
1026  }
1027  return ret;
1028 }
1029 
1030 /* helper: parse a text string containing an IPv6 address + netbits
1031  * in "standard format" (2001:dba::/32)
1032  * "/nn" is optional, default to /64 if missing
1033  *
1034  * return true if parsing succeeded, modify *network and *netbits
1035  */
1036 bool
1037 get_ipv6_addr( const char *prefix_str, struct in6_addr *network,
1038  unsigned int *netbits, int msglevel)
1039 {
1040  char *sep, *endp;
1041  int bits;
1042  struct in6_addr t_network;
1043 
1044  sep = strchr( prefix_str, '/' );
1045  if (sep == NULL)
1046  {
1047  bits = 64;
1048  }
1049  else
1050  {
1051  bits = strtol( sep+1, &endp, 10 );
1052  if (*endp != '\0' || bits < 0 || bits > 128)
1053  {
1054  msg(msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str);
1055  return false;
1056  }
1057  }
1058 
1059  /* temporary replace '/' in caller-provided string with '\0', otherwise
1060  * inet_pton() will refuse prefix string
1061  * (alternative would be to strncpy() the prefix to temporary buffer)
1062  */
1063 
1064  if (sep != NULL)
1065  {
1066  *sep = '\0';
1067  }
1068 
1069  if (inet_pton( AF_INET6, prefix_str, &t_network ) != 1)
1070  {
1071  msg(msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str);
1072  return false;
1073  }
1074 
1075  if (sep != NULL)
1076  {
1077  *sep = '/';
1078  }
1079 
1080  if (netbits != NULL)
1081  {
1082  *netbits = bits;
1083  }
1084  if (network != NULL)
1085  {
1086  *network = t_network;
1087  }
1088  return true; /* parsing OK, values set */
1089 }
1090 
1096 static char *
1097 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1098 {
1099  const char *end = strchr(addr, '/');
1100  char *ret = NULL;
1101  if (NULL == end)
1102  {
1103  ret = string_alloc(addr, gc);
1104  }
1105  else
1106  {
1107  size_t len = end - addr;
1108  ret = gc_malloc(len + 1, true, gc);
1109  memcpy(ret, addr, len);
1110  }
1111  return ret;
1112 }
1113 
1114 static bool
1115 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1116 {
1117  struct in6_addr t_addr;
1118  unsigned int t_bits;
1119 
1120  return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1121 }
1122 
1123 static char *
1124 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1125 {
1126  char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1127  char *dest = ret;
1128  char c;
1129 
1130  do
1131  {
1132  c = *src++;
1133  if (c == from)
1134  {
1135  c = to;
1136  }
1137  *dest++ = c;
1138  }
1139  while (c);
1140  return ret;
1141 }
1142 
1143 #ifdef ENABLE_CRYPTO
1144 static uint8_t *
1145 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1146 {
1147  int i;
1148  const char *cp = str;
1149  uint8_t *ret = (uint8_t *) gc_malloc(nbytes, true, gc);
1150  char term = 1;
1151  int byte;
1152  char bs[3];
1153 
1154  for (i = 0; i < nbytes; ++i)
1155  {
1156  if (strlen(cp) < 2)
1157  {
1158  msg(msglevel, "format error in hash fingerprint: %s", str);
1159  }
1160  bs[0] = *cp++;
1161  bs[1] = *cp++;
1162  bs[2] = 0;
1163  byte = 0;
1164  if (sscanf(bs, "%x", &byte) != 1)
1165  {
1166  msg(msglevel, "format error in hash fingerprint hex byte: %s", str);
1167  }
1168  ret[i] = (uint8_t)byte;
1169  term = *cp++;
1170  if (term != ':' && term != 0)
1171  {
1172  msg(msglevel, "format error in hash fingerprint delimiter: %s", str);
1173  }
1174  if (term == 0)
1175  {
1176  break;
1177  }
1178  }
1179  if (term != 0 || i != nbytes-1)
1180  {
1181  msg(msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str);
1182  }
1183  return ret;
1184 }
1185 #endif /* ifdef ENABLE_CRYPTO */
1186 
1187 #ifdef _WIN32
1188 
1189 #ifndef ENABLE_SMALL
1190 
1191 static void
1192 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1193 {
1194  struct gc_arena gc = gc_new();
1195  int i;
1196  for (i = 0; i < len; ++i)
1197  {
1198  msg(D_SHOW_PARMS, " %s[%d] = %s",
1199  name,
1200  i,
1201  print_in_addr_t(array[i], 0, &gc));
1202  }
1203  gc_free(&gc);
1204 }
1205 
1206 static void
1208 {
1209  SHOW_BOOL(ip_win32_defined);
1210  SHOW_INT(ip_win32_type);
1211  SHOW_INT(dhcp_masq_offset);
1212  SHOW_INT(dhcp_lease_time);
1213  SHOW_INT(tap_sleep);
1214  SHOW_BOOL(dhcp_options);
1216  SHOW_BOOL(dhcp_pre_release);
1217  SHOW_STR(domain);
1218  SHOW_STR(netbios_scope);
1219  SHOW_INT(netbios_node_type);
1220  SHOW_BOOL(disable_nbt);
1221 
1222  show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1223  show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1224  show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1225  show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1226 }
1227 
1228 #endif /* ifndef ENABLE_SMALL */
1229 #endif /* ifdef _WIN32 */
1230 
1231 #if defined(_WIN32) || defined(TARGET_ANDROID)
1232 static void
1233 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1234 {
1235  if (*len >= N_DHCP_ADDR)
1236  {
1237  msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1238  name,
1239  N_DHCP_ADDR,
1240  name);
1241  }
1242  else
1243  {
1244  if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1245  {
1246  bool error = false;
1247  const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1248  if (!error)
1249  {
1250  array[(*len)++] = addr;
1251  }
1252  }
1253  else
1254  {
1255  msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1256  }
1257  }
1258 }
1259 
1260 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1261 
1262 #if P2MP
1263 
1264 #ifndef ENABLE_SMALL
1265 
1266 static void
1267 show_p2mp_parms(const struct options *o)
1268 {
1269  struct gc_arena gc = gc_new();
1270 
1271 #if P2MP_SERVER
1272  msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1273  msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1274  msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1275  SHOW_INT(server_netbits_ipv6);
1276  msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1277  msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1278  msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1279  msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1280  if (o->push_list.head)
1281  {
1282  const struct push_entry *e = o->push_list.head;
1283  while (e)
1284  {
1285  if (e->enable)
1286  {
1287  msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1288  }
1289  e = e->next;
1290  }
1291  }
1292  SHOW_BOOL(ifconfig_pool_defined);
1293  msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1294  msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1295  msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1296  SHOW_STR(ifconfig_pool_persist_filename);
1297  SHOW_INT(ifconfig_pool_persist_refresh_freq);
1298  SHOW_BOOL(ifconfig_ipv6_pool_defined);
1299  msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1300  SHOW_INT(ifconfig_ipv6_pool_netbits);
1301  SHOW_INT(n_bcast_buf);
1302  SHOW_INT(tcp_queue_limit);
1303  SHOW_INT(real_hash_size);
1304  SHOW_INT(virtual_hash_size);
1305  SHOW_STR(client_connect_script);
1307  SHOW_STR(client_disconnect_script);
1308  SHOW_STR(client_config_dir);
1309  SHOW_BOOL(ccd_exclusive);
1310  SHOW_STR(tmp_dir);
1311  SHOW_BOOL(push_ifconfig_defined);
1312  msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1313  msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1314  SHOW_BOOL(push_ifconfig_ipv6_defined);
1315  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1316  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1317  SHOW_BOOL(enable_c2c);
1318  SHOW_BOOL(duplicate_cn);
1319  SHOW_INT(cf_max);
1320  SHOW_INT(cf_per);
1321  SHOW_INT(max_clients);
1322  SHOW_INT(max_routes_per_client);
1323  SHOW_STR(auth_user_pass_verify_script);
1324  SHOW_BOOL(auth_user_pass_verify_script_via_file);
1325  SHOW_BOOL(auth_token_generate);
1326  SHOW_INT(auth_token_lifetime);
1327 #if PORT_SHARE
1328  SHOW_STR(port_share_host);
1329  SHOW_STR(port_share_port);
1330 #endif
1331 #endif /* P2MP_SERVER */
1332 
1333  SHOW_BOOL(client);
1334  SHOW_BOOL(pull);
1335  SHOW_STR(auth_user_pass_file);
1336 
1337  gc_free(&gc);
1338 }
1339 
1340 #endif /* ! ENABLE_SMALL */
1341 
1342 #if P2MP_SERVER
1343 
1344 static void
1346  const char *network_str,
1347  const char *netmask_str,
1348  int msglevel)
1349 {
1350  struct iroute *ir;
1351 
1352  ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1353  ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1354  ir->netbits = -1;
1355 
1356  if (netmask_str)
1357  {
1358  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1359  if (!netmask_to_netbits(ir->network, netmask, &ir->netbits))
1360  {
1361  msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1362  network_str,
1363  netmask_str);
1364  return;
1365  }
1366  }
1367 
1368  ir->next = o->iroutes;
1369  o->iroutes = ir;
1370 }
1371 
1372 static void
1374  const char *prefix_str,
1375  int msglevel)
1376 {
1377  struct iroute_ipv6 *ir;
1378 
1379  ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1380 
1381  if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1382  {
1383  msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1384  prefix_str);
1385  return;
1386  }
1387 
1388  ir->next = o->iroutes_ipv6;
1389  o->iroutes_ipv6 = ir;
1390 }
1391 #endif /* P2MP_SERVER */
1392 #endif /* P2MP */
1393 
1394 #ifndef ENABLE_SMALL
1395 static void
1397 {
1398  int i;
1399  msg(D_SHOW_PARMS, "BEGIN http_proxy");
1400  SHOW_STR(server);
1401  SHOW_STR(port);
1402  SHOW_STR(auth_method_string);
1403  SHOW_STR(auth_file);
1404  SHOW_STR(http_version);
1405  SHOW_STR(user_agent);
1406  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1407  {
1408  if (o->custom_headers[i].content)
1409  {
1410  msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1411  o->custom_headers[i].name, o->custom_headers[i].content);
1412  }
1413  else
1414  {
1415  msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1416  o->custom_headers[i].name);
1417  }
1418  }
1419  msg(D_SHOW_PARMS, "END http_proxy");
1420 }
1421 #endif /* ifndef ENABLE_SMALL */
1422 
1423 void
1425 {
1426  gc_detach(&o->gc);
1427  o->routes = NULL;
1428  o->client_nat = NULL;
1429 #if P2MP_SERVER
1430  clone_push_list(o);
1431 #endif
1432 }
1433 
1434 void
1436 {
1437  if (!options->routes)
1438  {
1439  options->routes = new_route_option_list(&options->gc);
1440  }
1441 }
1442 
1443 static void
1445 {
1446  if (!options->routes_ipv6)
1447  {
1448  options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1449  }
1450 }
1451 
1452 static void
1454 {
1455  if (!options->client_nat)
1456  {
1457  options->client_nat = new_client_nat_list(&options->gc);
1458  }
1459 }
1460 
1461 #ifndef ENABLE_SMALL
1462 static void
1464 {
1465  msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1466  SHOW_STR(local);
1467  SHOW_STR(local_port);
1468  SHOW_STR(remote);
1469  SHOW_STR(remote_port);
1470  SHOW_BOOL(remote_float);
1471  SHOW_BOOL(bind_defined);
1473  SHOW_BOOL(bind_ipv6_only);
1474  SHOW_INT(connect_retry_seconds);
1475  SHOW_INT(connect_timeout);
1476 
1477  if (o->http_proxy_options)
1478  {
1480  }
1481  SHOW_STR(socks_proxy_server);
1482  SHOW_STR(socks_proxy_port);
1483  SHOW_INT(tun_mtu);
1484  SHOW_BOOL(tun_mtu_defined);
1485  SHOW_INT(link_mtu);
1486  SHOW_BOOL(link_mtu_defined);
1487  SHOW_INT(tun_mtu_extra);
1488  SHOW_BOOL(tun_mtu_extra_defined);
1489 
1490  SHOW_INT(mtu_discover_type);
1491 
1492 #ifdef ENABLE_FRAGMENT
1493  SHOW_INT(fragment);
1494 #endif
1495  SHOW_INT(mssfix);
1496 
1497 #ifdef ENABLE_OCC
1498  SHOW_INT(explicit_exit_notification);
1499 #endif
1500 }
1501 
1502 
1503 static void
1505 {
1506  if (o->connection_list)
1507  {
1508  const struct connection_list *l = o->connection_list;
1509  int i;
1510  for (i = 0; i < l->len; ++i)
1511  {
1512  msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1514  }
1515  }
1516  else
1517  {
1518  msg(D_SHOW_PARMS, "Connection profiles [default]:");
1520  }
1521  msg(D_SHOW_PARMS, "Connection profiles END");
1522 }
1523 
1524 static void
1526 {
1527  struct pull_filter *f;
1528  if (!l)
1529  {
1530  return;
1531  }
1532 
1533  msg(D_SHOW_PARMS, " Pull filters:");
1534  for (f = l->head; f; f = f->next)
1535  {
1536  msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1537  }
1538 }
1539 
1540 #endif /* ifndef ENABLE_SMALL */
1541 
1542 void
1543 show_settings(const struct options *o)
1544 {
1545 #ifndef ENABLE_SMALL
1546  msg(D_SHOW_PARMS, "Current Parameter Settings:");
1547 
1548  SHOW_STR(config);
1549 
1550  SHOW_INT(mode);
1551 
1552 #ifdef ENABLE_FEATURE_TUN_PERSIST
1553  SHOW_BOOL(persist_config);
1554  SHOW_INT(persist_mode);
1555 #endif
1556 
1557 #ifdef ENABLE_CRYPTO
1558  SHOW_BOOL(show_ciphers);
1559  SHOW_BOOL(show_digests);
1560  SHOW_BOOL(show_engines);
1561  SHOW_BOOL(genkey);
1562  SHOW_STR(key_pass_file);
1563  SHOW_BOOL(show_tls_ciphers);
1564 #endif
1565 
1566  SHOW_INT(connect_retry_max);
1568 
1569  SHOW_BOOL(remote_random);
1570 
1571  SHOW_STR(ipchange);
1572  SHOW_STR(dev);
1573  SHOW_STR(dev_type);
1574  SHOW_STR(dev_node);
1575  SHOW_STR(lladdr);
1576  SHOW_INT(topology);
1577  SHOW_STR(ifconfig_local);
1578  SHOW_STR(ifconfig_remote_netmask);
1579  SHOW_BOOL(ifconfig_noexec);
1580  SHOW_BOOL(ifconfig_nowarn);
1581  SHOW_STR(ifconfig_ipv6_local);
1582  SHOW_INT(ifconfig_ipv6_netbits);
1583  SHOW_STR(ifconfig_ipv6_remote);
1584 
1585 #ifdef ENABLE_FEATURE_SHAPER
1586  SHOW_INT(shaper);
1587 #endif
1588 #ifdef ENABLE_OCC
1589  SHOW_INT(mtu_test);
1590 #endif
1591 
1592  SHOW_BOOL(mlock);
1593 
1594  SHOW_INT(keepalive_ping);
1595  SHOW_INT(keepalive_timeout);
1596  SHOW_INT(inactivity_timeout);
1597  SHOW_INT(ping_send_timeout);
1598  SHOW_INT(ping_rec_timeout);
1599  SHOW_INT(ping_rec_timeout_action);
1600  SHOW_BOOL(ping_timer_remote);
1601  SHOW_INT(remap_sigusr1);
1602  SHOW_BOOL(persist_tun);
1603  SHOW_BOOL(persist_local_ip);
1604  SHOW_BOOL(persist_remote_ip);
1605  SHOW_BOOL(persist_key);
1606 
1607 #if PASSTOS_CAPABILITY
1608  SHOW_BOOL(passtos);
1609 #endif
1610 
1611  SHOW_INT(resolve_retry_seconds);
1612  SHOW_BOOL(resolve_in_advance);
1613 
1614  SHOW_STR(username);
1615  SHOW_STR(groupname);
1616  SHOW_STR(chroot_dir);
1617  SHOW_STR(cd_dir);
1618 #ifdef ENABLE_SELINUX
1619  SHOW_STR(selinux_context);
1620 #endif
1621  SHOW_STR(writepid);
1622  SHOW_STR(up_script);
1623  SHOW_STR(down_script);
1624  SHOW_BOOL(down_pre);
1625  SHOW_BOOL(up_restart);
1626  SHOW_BOOL(up_delay);
1627  SHOW_BOOL(daemon);
1628  SHOW_INT(inetd);
1629  SHOW_BOOL(log);
1632  SHOW_INT(nice);
1633  SHOW_INT(verbosity);
1634  SHOW_INT(mute);
1635 #ifdef ENABLE_DEBUG
1636  SHOW_INT(gremlin);
1637 #endif
1638  SHOW_STR(status_file);
1639  SHOW_INT(status_file_version);
1640  SHOW_INT(status_file_update_freq);
1641 
1642 #ifdef ENABLE_OCC
1643  SHOW_BOOL(occ);
1644 #endif
1645  SHOW_INT(rcvbuf);
1646  SHOW_INT(sndbuf);
1647 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1648  SHOW_INT(mark);
1649 #endif
1650  SHOW_INT(sockflags);
1651 
1652  SHOW_BOOL(fast_io);
1653 
1654 #ifdef USE_COMP
1655  SHOW_INT(comp.alg);
1656  SHOW_INT(comp.flags);
1657 #endif
1658 
1659  SHOW_STR(route_script);
1660  SHOW_STR(route_default_gateway);
1661  SHOW_INT(route_default_metric);
1662  SHOW_BOOL(route_noexec);
1663  SHOW_INT(route_delay);
1664  SHOW_INT(route_delay_window);
1665  SHOW_BOOL(route_delay_defined);
1666  SHOW_BOOL(route_nopull);
1667  SHOW_BOOL(route_gateway_via_dhcp);
1668  SHOW_BOOL(allow_pull_fqdn);
1670 
1671  if (o->routes)
1672  {
1674  }
1675 
1676  if (o->client_nat)
1677  {
1679  }
1680 
1681 #ifdef ENABLE_MANAGEMENT
1682  SHOW_STR(management_addr);
1683  SHOW_STR(management_port);
1684  SHOW_STR(management_user_pass);
1685  SHOW_INT(management_log_history_cache);
1686  SHOW_INT(management_echo_buffer_size);
1687  SHOW_STR(management_write_peer_info_file);
1688  SHOW_STR(management_client_user);
1689  SHOW_STR(management_client_group);
1690  SHOW_INT(management_flags);
1691 #endif
1692 #ifdef ENABLE_PLUGIN
1693  if (o->plugin_list)
1694  {
1696  }
1697 #endif
1698 
1699 #ifdef ENABLE_CRYPTO
1700  SHOW_STR(shared_secret_file);
1701  SHOW_INT(key_direction);
1702  SHOW_STR(ciphername);
1703  SHOW_BOOL(ncp_enabled);
1704  SHOW_STR(ncp_ciphers);
1705  SHOW_STR(authname);
1706  SHOW_STR(prng_hash);
1707  SHOW_INT(prng_nonce_secret_len);
1708  SHOW_INT(keysize);
1709 #ifndef ENABLE_CRYPTO_MBEDTLS
1710  SHOW_BOOL(engine);
1711 #endif /* ENABLE_CRYPTO_MBEDTLS */
1712  SHOW_BOOL(replay);
1713  SHOW_BOOL(mute_replay_warnings);
1714  SHOW_INT(replay_window);
1715  SHOW_INT(replay_time);
1716  SHOW_STR(packet_id_file);
1718 #ifdef ENABLE_PREDICTION_RESISTANCE
1719  SHOW_BOOL(use_prediction_resistance);
1720 #endif
1721 
1722  SHOW_BOOL(tls_server);
1723  SHOW_BOOL(tls_client);
1724  SHOW_INT(key_method);
1725  SHOW_STR(ca_file);
1726  SHOW_STR(ca_path);
1727  SHOW_STR(dh_file);
1728 #ifdef MANAGMENT_EXTERNAL_KEY
1730  {
1731  SHOW_PARM("cert_file","EXTERNAL_CERT","%s");
1732  }
1733  else
1734 #endif
1735  SHOW_STR(cert_file);
1736  SHOW_STR(extra_certs_file);
1737 
1738 #ifdef MANAGMENT_EXTERNAL_KEY
1739  if ((o->management_flags & MF_EXTERNAL_KEY))
1740  {
1741  SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
1742  }
1743  else
1744 #endif
1745  SHOW_STR(priv_key_file);
1746 #ifndef ENABLE_CRYPTO_MBEDTLS
1747  SHOW_STR(pkcs12_file);
1748 #endif
1749 #ifdef ENABLE_CRYPTOAPI
1750  SHOW_STR(cryptoapi_cert);
1751 #endif
1752  SHOW_STR(cipher_list);
1754  SHOW_STR(tls_export_cert);
1755  SHOW_INT(verify_x509_type);
1756  SHOW_STR(verify_x509_name);
1757  SHOW_STR(crl_file);
1758  SHOW_INT(ns_cert_type);
1759  {
1760  int i;
1761  for (i = 0; i<MAX_PARMS; i++)
1762  {
1763  SHOW_INT(remote_cert_ku[i]);
1764  }
1765  }
1766  SHOW_STR(remote_cert_eku);
1767  SHOW_INT(ssl_flags);
1768 
1769  SHOW_INT(tls_timeout);
1770 
1771  SHOW_INT(renegotiate_bytes);
1772  SHOW_INT(renegotiate_packets);
1773  SHOW_INT(renegotiate_seconds);
1774 
1775  SHOW_INT(handshake_window);
1776  SHOW_INT(transition_window);
1777 
1778  SHOW_BOOL(single_session);
1779 #ifdef ENABLE_PUSH_PEER_INFO
1781 #endif
1782  SHOW_BOOL(tls_exit);
1783 
1784  SHOW_STR(tls_auth_file);
1785  SHOW_STR(tls_crypt_file);
1786 #endif /* ENABLE_CRYPTO */
1787 
1788 #ifdef ENABLE_PKCS11
1789  {
1790  int i;
1791  for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1792  {
1793  SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1794  }
1795  }
1796  {
1797  int i;
1798  for (i = 0; i<MAX_PARMS; i++)
1799  {
1800  SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1801  }
1802  }
1803  {
1804  int i;
1805  for (i = 0; i<MAX_PARMS; i++)
1806  {
1807  SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1808  }
1809  }
1810  {
1811  int i;
1812  for (i = 0; i<MAX_PARMS; i++)
1813  {
1814  SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1815  }
1816  }
1817  SHOW_INT(pkcs11_pin_cache_period);
1818  SHOW_STR(pkcs11_id);
1819  SHOW_BOOL(pkcs11_id_management);
1820 #endif /* ENABLE_PKCS11 */
1821 
1822 #if P2MP
1823  show_p2mp_parms(o);
1824 #endif
1825 
1826 #ifdef _WIN32
1827  SHOW_BOOL(show_net_up);
1828  SHOW_INT(route_method);
1829  SHOW_BOOL(block_outside_dns);
1831 #endif
1832 #endif /* ifndef ENABLE_SMALL */
1833 }
1834 
1835 #undef SHOW_PARM
1836 #undef SHOW_STR
1837 #undef SHOW_INT
1838 #undef SHOW_BOOL
1839 
1840 #ifdef ENABLE_MANAGEMENT
1841 
1842 static struct http_proxy_options *
1844  const char *port,
1845  const char *flags,
1846  const int msglevel,
1847  struct gc_arena *gc)
1848 {
1849  if (server && port)
1850  {
1851  struct http_proxy_options *ho;
1852  ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
1853  ho->server = string_alloc(server, gc);
1854  ho->port = port;
1855  if (flags && !strcmp(flags, "nct"))
1856  {
1857  ho->auth_retry = PAR_NCT;
1858  }
1859  else
1860  {
1861  ho->auth_retry = PAR_ALL;
1862  }
1863  ho->http_version = "1.0";
1864  ho->user_agent = "OpenVPN-Autoproxy/1.0";
1865  return ho;
1866  }
1867  else
1868  {
1869  return NULL;
1870  }
1871 }
1872 
1873 static void
1875 {
1876  const struct connection_list *l = o->connection_list;
1877  int i;
1878  bool succeed = false;
1879  for (i = 0; i < l->len; ++i)
1880  {
1881  struct connection_entry *ce = l->array[i];
1882  if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
1883  {
1885  succeed = true;
1886  }
1887  }
1888  if (succeed)
1889  {
1890  for (i = 0; i < l->len; ++i)
1891  {
1892  struct connection_entry *ce = l->array[i];
1893  if (ce->proto == PROTO_UDP)
1894  {
1895  ce->flags |= CE_DISABLED;
1896  }
1897  }
1898  }
1899  else
1900  {
1901  msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
1902  }
1903 }
1904 
1905 #endif /* ifdef ENABLE_MANAGEMENT */
1906 
1907 static struct connection_list *
1909 {
1910  if (!options->connection_list)
1911  {
1912  ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
1913  }
1914  return options->connection_list;
1915 }
1916 
1917 static struct connection_entry *
1918 alloc_connection_entry(struct options *options, const int msglevel)
1919 {
1920  struct connection_list *l = alloc_connection_list_if_undef(options);
1921  struct connection_entry *e;
1922 
1923  if (l->len >= CONNECTION_LIST_SIZE)
1924  {
1925  msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
1926  return NULL;
1927  }
1928  ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
1929  l->array[l->len++] = e;
1930  return e;
1931 }
1932 
1933 static struct remote_list *
1935 {
1936  if (!options->remote_list)
1937  {
1938  ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
1939  }
1940  return options->remote_list;
1941 }
1942 
1943 static struct remote_entry *
1944 alloc_remote_entry(struct options *options, const int msglevel)
1945 {
1946  struct remote_list *l = alloc_remote_list_if_undef(options);
1947  struct remote_entry *e;
1948 
1949  if (l->len >= CONNECTION_LIST_SIZE)
1950  {
1951  msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
1952  return NULL;
1953  }
1954  ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
1955  l->array[l->len++] = e;
1956  return e;
1957 }
1958 
1959 static struct pull_filter_list *
1961 {
1962  if (!o->pull_filter_list)
1963  {
1965  }
1966  return o->pull_filter_list;
1967 }
1968 
1969 static struct pull_filter *
1970 alloc_pull_filter(struct options *o, const int msglevel)
1971 {
1973  struct pull_filter *f;
1974 
1975  ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
1976  if (l->head)
1977  {
1978  ASSERT(l->tail);
1979  l->tail->next = f;
1980  }
1981  else
1982  {
1983  ASSERT(!l->tail);
1984  l->head = f;
1985  }
1986  l->tail = f;
1987  return f;
1988 }
1989 
1990 static void
1992 {
1993  if (re->remote)
1994  {
1995  ce->remote = re->remote;
1996  }
1997  if (re->remote_port)
1998  {
1999  ce->remote_port = re->remote_port;
2000  }
2001  if (re->proto >= 0)
2002  {
2003  ce->proto = re->proto;
2004  }
2005  if (re->af > 0)
2006  {
2007  ce->af = re->af;
2008  }
2009 }
2010 
2011 static void
2013 {
2014  struct options defaults;
2015  int dev = DEV_TYPE_UNDEF;
2016  bool pull = false;
2017 
2018  init_options(&defaults, true);
2019 
2020 #ifdef ENABLE_CRYPTO
2021  if (options->test_crypto)
2022  {
2023  notnull(options->shared_secret_file, "key file (--secret)");
2024  }
2025  else
2026 #endif
2027  notnull(options->dev, "TUN/TAP device (--dev)");
2028 
2029  /*
2030  * Get tun/tap/null device type
2031  */
2032  dev = dev_type_enum(options->dev, options->dev_type);
2033 
2034  /*
2035  * If "proto tcp" is specified, make sure we know whether it is
2036  * tcp-client or tcp-server.
2037  */
2038  if (ce->proto == PROTO_TCP)
2039  {
2040  msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
2041  }
2042 
2043  /*
2044  * Sanity check on daemon/inetd modes
2045  */
2046 
2047  if (options->daemon && options->inetd)
2048  {
2049  msg(M_USAGE, "only one of --daemon or --inetd may be specified");
2050  }
2051 
2052  if (options->inetd && (ce->local || ce->remote))
2053  {
2054  msg(M_USAGE, "--local or --remote cannot be used with --inetd");
2055  }
2056 
2057  if (options->inetd && ce->proto == PROTO_TCP_CLIENT)
2058  {
2059  msg(M_USAGE, "--proto tcp-client cannot be used with --inetd");
2060  }
2061 
2062  if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER)
2063  {
2064  msg(M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
2065  }
2066 
2067  if (options->inetd == INETD_NOWAIT
2068 #ifdef ENABLE_CRYPTO
2069  && !(options->tls_server || options->tls_client)
2070 #endif
2071  )
2072  {
2073  msg(M_USAGE, "--inetd nowait can only be used in TLS mode");
2074  }
2075 
2076  if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
2077  {
2078  msg(M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
2079  }
2080 
2081 
2082  if (options->lladdr && dev != DEV_TYPE_TAP)
2083  {
2084  msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2085  }
2086 
2087  /*
2088  * Sanity check on MTU parameters
2089  */
2090  if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2091  {
2092  msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
2093  }
2094 
2095 #ifdef ENABLE_OCC
2096  if (!proto_is_udp(ce->proto) && options->mtu_test)
2097  {
2098  msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2099  }
2100 #endif
2101 
2102  /* will we be pulling options from server? */
2103 #if P2MP
2104  pull = options->pull;
2105 #endif
2106 
2107  /*
2108  * Sanity check on --local, --remote, and --ifconfig
2109  */
2110 
2111  if (proto_is_net(ce->proto)
2112  && string_defined_equal(ce->local, ce->remote)
2114  {
2115  msg(M_USAGE, "--remote and --local addresses are the same");
2116  }
2117 
2118  if (string_defined_equal(ce->remote, options->ifconfig_local)
2120  {
2121  msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses");
2122  }
2123 
2124  if (string_defined_equal(ce->local, options->ifconfig_local)
2126  {
2127  msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2128  }
2129 
2131  {
2132  msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
2133  }
2134 
2135  if (ce->bind_defined && !ce->bind_local)
2136  {
2137  msg(M_USAGE, "--bind and --nobind can't be used together");
2138  }
2139 
2140  if (ce->local && !ce->bind_local)
2141  {
2142  msg(M_USAGE, "--local and --nobind don't make sense when used together");
2143  }
2144 
2145  if (ce->local_port_defined && !ce->bind_local)
2146  {
2147  msg(M_USAGE, "--lport and --nobind don't make sense when used together");
2148  }
2149 
2150  if (!ce->remote && !ce->bind_local)
2151  {
2152  msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2153  }
2154 
2155  /*
2156  * Check for consistency of management options
2157  */
2158 #ifdef ENABLE_MANAGEMENT
2159  if (!options->management_addr
2160  && (options->management_flags
2163  {
2164  msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2165  }
2166 
2167  if ((options->management_client_user || options->management_client_group)
2168  && !(options->management_flags & MF_UNIX_SOCK))
2169  {
2170  msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2171  }
2172 #endif
2173 
2174  /*
2175  * Windows-specific options.
2176  */
2177 
2178 #ifdef _WIN32
2179  if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2180  {
2181  msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2182  }
2183 
2184  if ((options->tuntap_options.ip_win32_defined)
2185  && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2186  {
2187  msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2188  }
2189 
2190  if (options->tuntap_options.dhcp_options
2193  {
2194  msg(M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive");
2195  }
2196 #endif
2197 
2198  /*
2199  * Check that protocol options make sense.
2200  */
2201 
2202 #ifdef ENABLE_FRAGMENT
2203  if (!proto_is_udp(ce->proto) && ce->fragment)
2204  {
2205  msg(M_USAGE, "--fragment can only be used with --proto udp");
2206  }
2207 #endif
2208 
2209 #ifdef ENABLE_OCC
2211  {
2212  msg(M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
2213  }
2214 #endif
2215 
2216  if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2217  {
2218  msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2219  }
2220 
2221  if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2222  {
2223  msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
2224  }
2225  if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2226  {
2227  msg(M_USAGE, "--http-proxy not specified but other http proxy options present");
2228  }
2229 
2230  if (ce->http_proxy_options && ce->socks_proxy_server)
2231  {
2232  msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy");
2233  }
2234 
2235  if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2236  {
2237  msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2238  }
2239 
2240  if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2241  {
2242  msg(M_USAGE, "TCP server mode allows at most one --remote address");
2243  }
2244 
2245 #if P2MP_SERVER
2246 
2247  /*
2248  * Check consistency of --mode server options.
2249  */
2250  if (options->mode == MODE_SERVER)
2251  {
2252  if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2253  {
2254  msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2255  }
2256  if (options->pull)
2257  {
2258  msg(M_USAGE, "--pull cannot be used with --mode server");
2259  }
2260  if (options->pull_filter_list)
2261  {
2262  msg(M_USAGE, "--pull-filter cannot be used with --mode server");
2263  }
2264  if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2265  {
2266  msg(M_USAGE, "--mode server currently only supports "
2267  "--proto udp or --proto tcp-server or proto tcp6-server");
2268  }
2269 #if PORT_SHARE
2270  if ((options->port_share_host || options->port_share_port)
2271  && (ce->proto != PROTO_TCP_SERVER))
2272  {
2273  msg(M_USAGE, "--port-share only works in TCP server mode "
2274  "(--proto tcp-server or tcp6-server)");
2275  }
2276 #endif
2277  if (!options->tls_server)
2278  {
2279  msg(M_USAGE, "--mode server requires --tls-server");
2280  }
2281  if (ce->remote)
2282  {
2283  msg(M_USAGE, "--remote cannot be used with --mode server");
2284  }
2285  if (!ce->bind_local)
2286  {
2287  msg(M_USAGE, "--nobind cannot be used with --mode server");
2288  }
2289  if (ce->http_proxy_options)
2290  {
2291  msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2292  }
2293  if (ce->socks_proxy_server)
2294  {
2295  msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2296  }
2297  /* <connection> blocks force to have a remote embedded, so we check for the
2298  * --remote and bail out if it is present */
2299  if (options->connection_list->len >1
2300  || options->connection_list->array[0]->remote)
2301  {
2302  msg(M_USAGE, "<connection> cannot be used with --mode server");
2303  }
2304 
2305  if (options->shaper)
2306  {
2307  msg(M_USAGE, "--shaper cannot be used with --mode server");
2308  }
2309  if (options->inetd)
2310  {
2311  msg(M_USAGE, "--inetd cannot be used with --mode server");
2312  }
2313  if (options->ipchange)
2314  {
2315  msg(M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)");
2316  }
2317  if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2318  {
2319  msg(M_USAGE, "--mode server currently only supports "
2320  "--proto udp or --proto tcp-server or --proto tcp6-server");
2321  }
2322  if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2323  {
2324  msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2325  }
2326  if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2327  {
2328  msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2329  }
2330  if (options->routes && (options->routes->flags & RG_ENABLE))
2331  {
2332  msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2333  }
2334  if (options->route_delay_defined)
2335  {
2336  msg(M_USAGE, "--route-delay cannot be used with --mode server");
2337  }
2338  if (options->up_delay)
2339  {
2340  msg(M_USAGE, "--up-delay cannot be used with --mode server");
2341  }
2342  if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
2343  {
2344  msg(M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
2345  }
2346  if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2347  {
2348  msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2349  }
2350  if (options->allow_recursive_routing)
2351  {
2352  msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2353  }
2354  if (options->auth_user_pass_file)
2355  {
2356  msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2357  }
2358  if (options->ccd_exclusive && !options->client_config_dir)
2359  {
2360  msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2361  }
2362  if (options->key_method != 2)
2363  {
2364  msg(M_USAGE, "--mode server requires --key-method 2");
2365  }
2366 
2367  {
2368  const bool ccnr = (options->auth_user_pass_verify_script
2369  || PLUGIN_OPTION_LIST(options)
2370  || MAN_CLIENT_AUTH_ENABLED(options));
2371  const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2373  {
2374  msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2375  }
2376  if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2377  {
2378  msg(M_USAGE, "--username-as-common-name %s", postfix);
2379  }
2380  if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2381  {
2382  msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2383  }
2384  }
2385  }
2386  else
2387  {
2388  /*
2389  * When not in server mode, err if parameters are
2390  * specified which require --mode server.
2391  */
2392  if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2393  {
2394  msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2395  }
2396  if (options->ifconfig_ipv6_pool_defined)
2397  {
2398  msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2399  }
2400  if (options->real_hash_size != defaults.real_hash_size
2401  || options->virtual_hash_size != defaults.virtual_hash_size)
2402  {
2403  msg(M_USAGE, "--hash-size requires --mode server");
2404  }
2405  if (options->learn_address_script)
2406  {
2407  msg(M_USAGE, "--learn-address requires --mode server");
2408  }
2409  if (options->client_connect_script)
2410  {
2411  msg(M_USAGE, "--client-connect requires --mode server");
2412  }
2413  if (options->client_disconnect_script)
2414  {
2415  msg(M_USAGE, "--client-disconnect requires --mode server");
2416  }
2417  if (options->client_config_dir || options->ccd_exclusive)
2418  {
2419  msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2420  }
2421  if (options->enable_c2c)
2422  {
2423  msg(M_USAGE, "--client-to-client requires --mode server");
2424  }
2425  if (options->duplicate_cn)
2426  {
2427  msg(M_USAGE, "--duplicate-cn requires --mode server");
2428  }
2429  if (options->cf_max || options->cf_per)
2430  {
2431  msg(M_USAGE, "--connect-freq requires --mode server");
2432  }
2434  {
2435  msg(M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server");
2436  }
2437  if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2438  {
2439  msg(M_USAGE, "--username-as-common-name requires --mode server");
2440  }
2441  if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2442  {
2443  msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2444  }
2445  if (options->ssl_flags & SSLF_OPT_VERIFY)
2446  {
2447  msg(M_USAGE, "--opt-verify requires --mode server");
2448  }
2449  if (options->server_flags & SF_TCP_NODELAY_HELPER)
2450  {
2451  msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2452  "affect the server. To have TCP_NODELAY in both direction use "
2453  "tcp-nodelay in the server configuration instead.");
2454  }
2455  if (options->auth_user_pass_verify_script)
2456  {
2457  msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2458  }
2459  if (options->auth_token_generate)
2460  {
2461  msg(M_USAGE, "--auth-gen-token requires --mode server");
2462  }
2463 #if PORT_SHARE
2464  if (options->port_share_host || options->port_share_port)
2465  {
2466  msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2467  }
2468 #endif
2469 
2470  if (options->stale_routes_check_interval)
2471  {
2472  msg(M_USAGE, "--stale-routes-check requires --mode server");
2473  }
2475  {
2476  msg(M_USAGE, "--compat-x509-names no-remapping requires --mode server");
2477  }
2478  }
2479 #endif /* P2MP_SERVER */
2480 
2481 #ifdef ENABLE_CRYPTO
2482 
2483  if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers))
2484  {
2485  msg(M_USAGE, "NCP cipher list contains unsupported ciphers.");
2486  }
2487 
2488  if (options->keysize)
2489  {
2490  msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6");
2491  }
2492 
2493  /*
2494  * Check consistency of replay options
2495  */
2496  if (!options->replay
2497  && (options->replay_window != defaults.replay_window
2498  || options->replay_time != defaults.replay_time))
2499  {
2500  msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2501  }
2502 
2503  /*
2504  * SSL/TLS mode sanity checks.
2505  */
2506  if (options->tls_server + options->tls_client
2507  +(options->shared_secret_file != NULL) > 1)
2508  {
2509  msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2510  }
2511 
2513  {
2514  msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2515  "--verify-client-cert none|optional (or --client-cert-not-required) "
2516  "may accept clients which do not present a certificate");
2517  }
2518 
2519  if (options->key_method == 1)
2520  {
2521  msg(M_WARN, "WARNING: --key-method 1 is deprecated and will be removed "
2522  "in OpenVPN 2.5. By default --key-method 2 will be used if not set "
2523  "in the configuration file, which is the recommended approach.");
2524  }
2525 
2526  if (options->tls_server || options->tls_client)
2527  {
2528 #ifdef ENABLE_PKCS11
2529  if (options->pkcs11_providers[0])
2530  {
2531  notnull(options->ca_file, "CA file (--ca)");
2532 
2533  if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2534  {
2535  msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2536  }
2537  if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2538  {
2539  msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2540  }
2541  if (options->cert_file)
2542  {
2543  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2544  }
2545  if (options->priv_key_file)
2546  {
2547  msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2548  }
2549 #ifdef MANAGMENT_EXTERNAL_KEY
2550  if (options->management_flags & MF_EXTERNAL_KEY)
2551  {
2552  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2553  }
2554  if (options->management_flags & MF_EXTERNAL_CERT)
2555  {
2556  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2557  }
2558 #endif
2559  if (options->pkcs12_file)
2560  {
2561  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2562  }
2563 #ifdef ENABLE_CRYPTOAPI
2564  if (options->cryptoapi_cert)
2565  {
2566  msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2567  }
2568 #endif
2569  }
2570  else
2571 #endif /* ifdef ENABLE_PKCS11 */
2572 #ifdef MANAGMENT_EXTERNAL_KEY
2573  if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2574  {
2575  msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2576  }
2577  else if ((options->management_flags & MF_EXTERNAL_CERT))
2578  {
2579  if (options->cert_file)
2580  {
2581  msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2582  }
2583  else if (!(options->management_flags & MF_EXTERNAL_KEY))
2584  {
2585  msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2586  }
2587  }
2588  else
2589 #endif
2590 #ifdef ENABLE_CRYPTOAPI
2591  if (options->cryptoapi_cert)
2592  {
2593  if ((!(options->ca_file)) && (!(options->ca_path)))
2594  {
2595  msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2596  }
2597  if (options->cert_file)
2598  {
2599  msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2600  }
2601  if (options->priv_key_file)
2602  {
2603  msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2604  }
2605  if (options->pkcs12_file)
2606  {
2607  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2608  }
2609 #ifdef MANAGMENT_EXTERNAL_KEY
2610  if (options->management_flags & MF_EXTERNAL_KEY)
2611  {
2612  msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2613  }
2614  if (options->management_flags & MF_EXTERNAL_CERT)
2615  {
2616  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2617  }
2618 #endif
2619  }
2620  else
2621 #endif /* ifdef ENABLE_CRYPTOAPI */
2622  if (options->pkcs12_file)
2623  {
2624 #ifdef ENABLE_CRYPTO_MBEDTLS
2625  msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2626 #else
2627  if (options->ca_path)
2628  {
2629  msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2630  }
2631  if (options->cert_file)
2632  {
2633  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2634  }
2635  if (options->priv_key_file)
2636  {
2637  msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2638  }
2639 #ifdef MANAGMENT_EXTERNAL_KEY
2640  if (options->management_flags & MF_EXTERNAL_KEY)
2641  {
2642  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2643  }
2644  if (options->management_flags & MF_EXTERNAL_CERT)
2645  {
2646  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2647  }
2648 #endif
2649 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2650  }
2651  else
2652  {
2653 #ifdef ENABLE_CRYPTO_MBEDTLS
2654  if (!(options->ca_file))
2655  {
2656  msg(M_USAGE, "You must define CA file (--ca)");
2657  }
2658  if (options->ca_path)
2659  {
2660  msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2661  }
2662 #else /* ifdef ENABLE_CRYPTO_MBEDTLS */
2663  if ((!(options->ca_file)) && (!(options->ca_path)))
2664  {
2665  msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2666  }
2667 #endif
2668  if (pull)
2669  {
2670 
2671  const int sum =
2672 #ifdef MANAGMENT_EXTERNAL_KEY
2673  ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2674  +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2675 #else
2676  (options->cert_file != NULL) + (options->priv_key_file != NULL);
2677 #endif
2678 
2679  if (sum == 0)
2680  {
2681 #if P2MP
2682  if (!options->auth_user_pass_file)
2683 #endif
2684  msg(M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
2685  }
2686  else if (sum == 2)
2687  {
2688  }
2689  else
2690  {
2691  msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2692  }
2693  }
2694  else
2695  {
2696 #ifdef MANAGMENT_EXTERNAL_KEY
2697  if (!(options->management_flags & MF_EXTERNAL_CERT))
2698 #endif
2699  notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2700 #ifdef MANAGMENT_EXTERNAL_KEY
2701  if (!(options->management_flags & MF_EXTERNAL_KEY))
2702 #endif
2703  notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2704  }
2705  }
2706  if (options->tls_auth_file && options->tls_crypt_file)
2707  {
2708  msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2709  }
2710  }
2711  else
2712  {
2713  /*
2714  * Make sure user doesn't specify any TLS options
2715  * when in non-TLS mode.
2716  */
2717 
2718 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
2719 }
2720 
2721  const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2722 
2728 #ifndef ENABLE_CRYPTO_MBEDTLS
2730 #endif
2744 #ifdef ENABLE_PUSH_PEER_INFO
2746 #endif
2753 #ifdef ENABLE_PKCS11
2754  MUST_BE_UNDEF(pkcs11_providers[0]);
2755  MUST_BE_UNDEF(pkcs11_private_mode[0]);
2756  MUST_BE_UNDEF(pkcs11_id);
2757  MUST_BE_UNDEF(pkcs11_id_management);
2758 #endif
2759 
2760  if (pull)
2761  {
2762  msg(M_USAGE, err, "--pull");
2763  }
2764  }
2765 #undef MUST_BE_UNDEF
2766 #endif /* ENABLE_CRYPTO */
2767 
2768 #if P2MP
2769  if (options->auth_user_pass_file && !options->pull)
2770  {
2771  msg(M_USAGE, "--auth-user-pass requires --pull");
2772  }
2773 #endif
2774 
2775  uninit_options(&defaults);
2776 }
2777 
2778 static void
2780 {
2781  const int dev = dev_type_enum(o->dev, o->dev_type);
2782 
2783 #if P2MP_SERVER
2785  {
2786  if (ce->proto == PROTO_TCP)
2787  {
2788  ce->proto = PROTO_TCP_SERVER;
2789  }
2790  }
2791 #endif
2792 #if P2MP
2793  if (o->client)
2794  {
2795  if (ce->proto == PROTO_TCP)
2796  {
2797  ce->proto = PROTO_TCP_CLIENT;
2798  }
2799  }
2800 #endif
2801 
2802  if (ce->proto == PROTO_TCP_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2803  {
2804  ce->bind_local = false;
2805  }
2806 
2807  if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2808  {
2809  ce->bind_local = false;
2810  }
2811 
2812  if (!ce->bind_local)
2813  {
2814  ce->local_port = NULL;
2815  }
2816 
2817  /* if protocol forcing is enabled, disable all protocols except for the forced one */
2818  if (o->proto_force >= 0 && o->proto_force != ce->proto)
2819  {
2820  ce->flags |= CE_DISABLED;
2821  }
2822 
2823  /*
2824  * If --mssfix is supplied without a parameter, default
2825  * it to --fragment value, if --fragment is specified.
2826  */
2827  if (o->ce.mssfix_default)
2828  {
2829 #ifdef ENABLE_FRAGMENT
2830  if (ce->fragment)
2831  {
2832  ce->mssfix = ce->fragment;
2833  }
2834 #else
2835  msg(M_USAGE, "--mssfix must specify a parameter");
2836 #endif
2837  }
2838 
2839  /*
2840  * Set MTU defaults
2841  */
2842  {
2843  if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
2844  {
2845  ce->tun_mtu_defined = true;
2846  }
2847  if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
2848  {
2849  ce->tun_mtu_extra_defined = true;
2851  }
2852  }
2853 
2854 }
2855 
2856 #ifdef _WIN32
2857 /* If iservice is in use, we need def1 method for redirect-gateway */
2858 static void
2860 {
2861  if (opt->routes
2863  && opt->routes->flags & RG_REROUTE_GW
2864  && !(opt->routes->flags & RG_DEF1))
2865  {
2866  msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
2867  opt->routes->flags |= RG_DEF1;
2868  }
2869 }
2870 #endif
2871 
2872 static void
2874 {
2875 #ifdef _WIN32
2876  const int dev = dev_type_enum(options->dev, options->dev_type);
2877 #endif
2878 
2879  /*
2880  * In forking TCP server mode, you don't need to ifconfig
2881  * the tap device (the assumption is that it will be bridged).
2882  */
2883  if (options->inetd == INETD_NOWAIT)
2884  {
2885  options->ifconfig_noexec = true;
2886  }
2887 
2888 #ifdef _WIN32
2889  if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
2890  {
2891  if (options->mode == MODE_POINT_TO_POINT)
2892  {
2893  options->route_delay_defined = true;
2894  options->route_delay = 5; /* Vista sometimes has a race without this */
2895  }
2896  }
2897 
2898  if (options->ifconfig_noexec)
2899  {
2901  options->ifconfig_noexec = false;
2902  }
2903 
2905 #endif
2906 
2907 #if P2MP_SERVER
2908  /*
2909  * Check consistency of --mode server options.
2910  */
2911  if (options->mode == MODE_SERVER)
2912  {
2913 #ifdef _WIN32
2914  /*
2915  * We need to explicitly set --tap-sleep because
2916  * we do not schedule event timers in the top-level context.
2917  */
2918  options->tuntap_options.tap_sleep = 10;
2919  if (options->route_delay_defined && options->route_delay)
2920  {
2921  options->tuntap_options.tap_sleep = options->route_delay;
2922  }
2923  options->route_delay_defined = false;
2924 #endif
2925  }
2926 #endif
2927 
2928 #ifdef DEFAULT_PKCS11_MODULE
2929  /* If p11-kit is present on the system then load its p11-kit-proxy.so
2930  * by default if the user asks for PKCS#11 without otherwise specifying
2931  * the module to use. */
2932  if (!options->pkcs11_providers[0]
2933  && (options->pkcs11_id || options->pkcs11_id_management))
2934  {
2935  options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
2936  }
2937 #endif
2938 }
2939 
2940 static void
2942 {
2943  if (o->connection_list)
2944  {
2945  int i;
2946  for (i = 0; i < o->connection_list->len; ++i)
2947  {
2949  }
2950  }
2951  else
2952  {
2954  }
2955 }
2956 
2957 static void
2959 {
2960  int i;
2961  /*
2962  * Process helper-type options which map to other, more complex
2963  * sequences of options.
2964  */
2966  helper_keepalive(o);
2967  helper_tcp_nodelay(o);
2968 
2970 
2971  if (o->remote_list && !o->connection_list)
2972  {
2973  /*
2974  * Convert remotes into connection list
2975  */
2976  const struct remote_list *rl = o->remote_list;
2977  for (i = 0; i < rl->len; ++i)
2978  {
2979  const struct remote_entry *re = rl->array[i];
2980  struct connection_entry ce = o->ce;
2981  struct connection_entry *ace;
2982 
2983  ASSERT(re->remote);
2984  connection_entry_load_re(&ce, re);
2985  ace = alloc_connection_entry(o, M_USAGE);
2986  ASSERT(ace);
2987  *ace = ce;
2988  }
2989  }
2990  else if (!o->remote_list && !o->connection_list)
2991  {
2992  struct connection_entry *ace;
2993  ace = alloc_connection_entry(o, M_USAGE);
2994  ASSERT(ace);
2995  *ace = o->ce;
2996  }
2997 
2998  ASSERT(o->connection_list);
2999  for (i = 0; i < o->connection_list->len; ++i)
3000  {
3002  }
3003 
3004 #ifdef ENABLE_CRYPTO
3005  if (o->tls_server)
3006  {
3007  /* Check that DH file is specified, or explicitly disabled */
3008  notnull(o->dh_file, "DH file (--dh)");
3009  if (streq(o->dh_file, "none"))
3010  {
3011  o->dh_file = NULL;
3012  }
3013  }
3014  else if (o->dh_file)
3015  {
3016  /* DH file is only meaningful in a tls-server context. */
3017  msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3018  "include this in your server configuration");
3019  o->dh_file = NULL;
3020  }
3021 
3022  /* cipher negotiation (NCP) currently assumes --pull or --mode server */
3023  if (o->ncp_enabled
3024  && !(o->pull || o->mode == MODE_SERVER) )
3025  {
3026  msg( M_WARN, "disabling NCP mode (--ncp-disable) because not "
3027  "in P2MP client or server mode" );
3028  o->ncp_enabled = false;
3029  }
3030 #endif
3031 
3032 #if ENABLE_MANAGEMENT
3033  if (o->http_proxy_override)
3034  {
3036  }
3037 #endif
3038 
3039 #ifdef ENABLE_CRYPTOAPI
3040  if (o->cryptoapi_cert)
3041  {
3042  const int tls_version_max =
3045 
3046  if (tls_version_max == TLS_VER_UNSPEC || tls_version_max > TLS_VER_1_1)
3047  {
3048  msg(M_WARN, "Warning: cryptapicert used, setting maximum TLS "
3049  "version to 1.1.");
3053  }
3054  }
3055 #endif /* ENABLE_CRYPTOAPI */
3056 
3057 #if P2MP
3058  /*
3059  * Save certain parms before modifying options via --pull
3060  */
3061  pre_pull_save(o);
3062 #endif
3063 }
3064 
3065 /*
3066  * Check file/directory sanity
3067  *
3068  */
3069 #ifndef ENABLE_SMALL
3071 #define CHKACC_FILE (1<<0)
3072 #define CHKACC_DIRPATH (1<<1)
3073 #define CHKACC_FILEXSTWR (1<<2)
3074 #define CHKACC_INLINE (1<<3)
3075 #define CHKACC_ACPTSTDIN (1<<4)
3076 #define CHKACC_PRIVATE (1<<5)
3078 static bool
3079 check_file_access(const int type, const char *file, const int mode, const char *opt)
3080 {
3081  int errcode = 0;
3082 
3083  /* If no file configured, no errors to look for */
3084  if (!file)
3085  {
3086  return false;
3087  }
3088 
3089  /* If this may be an inline file, and the proper inline "filename" is set - no issues */
3090  if ((type & CHKACC_INLINE) && streq(file, INLINE_FILE_TAG) )
3091  {
3092  return false;
3093  }
3094 
3095  /* If stdin is allowed and the file name is 'stdin', then do no
3096  * further checks as stdin is always available
3097  */
3098  if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3099  {
3100  return false;
3101  }
3102 
3103  /* Is the directory path leading to the given file accessible? */
3104  if (type & CHKACC_DIRPATH)
3105  {
3106  char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementaion may modify its arguments */
3107  char *dirpath = dirname(fullpath);
3108 
3109  if (platform_access(dirpath, mode|X_OK) != 0)
3110  {
3111  errcode = errno;
3112  }
3113  free(fullpath);
3114  }
3115 
3116  /* Is the file itself accessible? */
3117  if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3118  {
3119  errcode = errno;
3120  }
3121 
3122  /* If the file exists and is accessible, is it writable? */
3123  if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3124  {
3125  if (platform_access(file, W_OK) != 0)
3126  {
3127  errcode = errno;
3128  }
3129  }
3130 
3131  /* Warn if a given private file is group/others accessible. */
3132  if (type & CHKACC_PRIVATE)
3133  {
3134  platform_stat_t st;
3135  if (platform_stat(file, &st))
3136  {
3137  msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3138  }
3139 #ifndef _WIN32
3140  else
3141  {
3142  if (st.st_mode & (S_IRWXG|S_IRWXO))
3143  {
3144  msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3145  }
3146  }
3147 #endif
3148  }
3149 
3150  /* Scream if an error is found */
3151  if (errcode > 0)
3152  {
3153  msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3154  }
3155 
3156  /* Return true if an error occured */
3157  return (errcode != 0 ? true : false);
3158 }
3159 
3160 /* A wrapper for check_file_access() which also takes a chroot directory.
3161  * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3162  * otherwise it will look for the file inside the given chroot directory instead.
3163  */
3164 static bool
3165 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3166 {
3167  bool ret = false;
3168 
3169  /* If no file configured, no errors to look for */
3170  if (!file)
3171  {
3172  return false;
3173  }
3174 
3175  /* If chroot is set, look for the file/directory inside the chroot */
3176  if (chroot)
3177  {
3178  struct gc_arena gc = gc_new();
3179  struct buffer chroot_file;
3180  int len = 0;
3181 
3182  /* Build up a new full path including chroot directory */
3183  len = strlen(chroot) + strlen(PATH_SEPARATOR_STR) + strlen(file) + 1;
3184  chroot_file = alloc_buf_gc(len, &gc);
3185  buf_printf(&chroot_file, "%s%s%s", chroot, PATH_SEPARATOR_STR, file);
3186  ASSERT(chroot_file.len > 0);
3187 
3188  ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3189  gc_free(&gc);
3190  }
3191  else
3192  {
3193  /* No chroot in play, just call core file check function */
3194  ret = check_file_access(type, file, mode, opt);
3195  }
3196  return ret;
3197 }
3198 
3199 
3200 /*
3201  * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3202  * valid file with appropriate permissions.
3203  *
3204  * "command" consists of a path, optionally followed by a space, which may be
3205  * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3206  * performed.
3207  *
3208  * The path and arguments in "command" may be single- or double-quoted or escaped.
3209  *
3210  * The path is extracted from "command", then check_file_access() is called to check it. The
3211  * arguments, if any, are ignored.
3212  *
3213  * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3214  * check_file_access() arguments.
3215  */
3216 static bool
3217 check_cmd_access(const char *command, const char *opt, const char *chroot)
3218 {
3219  struct argv argv;
3220  bool return_code;
3221 
3222  /* If no command was set, there are no errors to look for */
3223  if (!command)
3224  {
3225  return false;
3226  }
3227 
3228  /* Extract executable path and arguments */
3229  argv = argv_new();
3230  argv_parse_cmd(&argv, command);
3231 
3232  /* if an executable is specified then check it; otherwise, complain */
3233  if (argv.argv[0])
3234  {
3235  /* Scripts requires R_OK as well, but that might fail on binaries which
3236  * only requires X_OK to function on Unix - a scenario not unlikely to
3237  * be seen on suid binaries.
3238  */
3239  return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
3240  }
3241  else
3242  {
3243  msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
3244  opt, command);
3245  return_code = true;
3246  }
3247 
3248  argv_reset(&argv);
3249 
3250  return return_code;
3251 }
3252 
3253 /*
3254  * Sanity check of all file/dir options. Checks that file/dir
3255  * is accessible by OpenVPN
3256  */
3257 static void
3259 {
3260  bool errs = false;
3261 
3262 #ifdef ENABLE_CRYPTO
3263  /* ** SSL/TLS/crypto related files ** */
3264  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
3265  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");
3266  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath");
3267  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert");
3269  "--extra-certs");
3270 #ifdef MANAGMENT_EXTERNAL_KEY
3271  if (!(options->management_flags & MF_EXTERNAL_KEY))
3272 #endif
3273  {
3275  options->priv_key_file, R_OK, "--key");
3276  }
3278  options->pkcs12_file, R_OK, "--pkcs12");
3279 
3280  if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
3281  {
3282  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK,
3283  "--crl-verify directory");
3284  }
3285  else
3286  {
3288  options->crl_file, R_OK, "--crl-verify");
3289  }
3290 
3292  options->tls_auth_file, R_OK, "--tls-auth");
3294  options->tls_crypt_file, R_OK, "--tls-crypt");
3296  options->shared_secret_file, R_OK, "--secret");
3298  options->packet_id_file, R_OK|W_OK, "--replay-persist");
3299 
3300  /* ** Password files ** */
3302  options->key_pass_file, R_OK, "--askpass");
3303 #endif /* ENABLE_CRYPTO */
3304 #ifdef ENABLE_MANAGEMENT
3306  options->management_user_pass, R_OK,
3307  "--management user/password file");
3308 #endif /* ENABLE_MANAGEMENT */
3309 #if P2MP
3311  options->auth_user_pass_file, R_OK,
3312  "--auth-user-pass");
3313 #endif /* P2MP */
3314 
3315  /* ** System related ** */
3316  errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
3317  R_OK|X_OK, "--chroot directory");
3319  R_OK|W_OK, "--writepid");
3320 
3321  /* ** Log related ** */
3323  R_OK|W_OK, "--status");
3324 
3325  /* ** Config related ** */
3326 #ifdef ENABLE_CRYPTO
3327  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
3328  R_OK|W_OK|X_OK, "--tls-export-cert");
3329 #endif /* ENABLE_CRYPTO */
3330 #if P2MP_SERVER
3332  R_OK|X_OK, "--client-config-dir");
3333  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
3334  R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
3335 
3336 #endif /* P2MP_SERVER */
3337 
3338  if (errs)
3339  {
3340  msg(M_USAGE, "Please correct these errors.");
3341  }
3342 }
3343 #endif /* !ENABLE_SMALL */
3344 
3345 /*
3346  * Sanity check on options.
3347  * Also set some options based on other
3348  * options.
3349  */
3350 void
3352 {
3353  options_postprocess_mutate(options);
3354  options_postprocess_verify(options);
3355 #ifndef ENABLE_SMALL
3357 #endif /* !ENABLE_SMALL */
3358 }
3359 
3360 #if P2MP
3361 
3362 /*
3363  * Save/Restore certain option defaults before --pull is applied.
3364  */
3365 
3366 void
3368 {
3369  if (o->pull)
3370  {
3373  o->pre_pull->tuntap_options_defined = true;
3375  if (o->routes)
3376  {
3378  o->pre_pull->routes_defined = true;
3379  }
3380  if (o->routes_ipv6)
3381  {
3383  o->pre_pull->routes_ipv6_defined = true;
3384  }
3385  if (o->client_nat)
3386  {
3388  o->pre_pull->client_nat_defined = true;
3389  }
3390  }
3391 }
3392 
3393 void
3394 pre_pull_restore(struct options *o, struct gc_arena *gc)
3395 {
3396  const struct options_pre_pull *pp = o->pre_pull;
3397  if (pp)
3398  {
3399  CLEAR(o->tuntap_options);
3400  if (pp->tuntap_options_defined)
3401  {
3402  o->tuntap_options = pp->tuntap_options;
3403  }
3404 
3405  if (pp->routes_defined)
3406  {
3407  rol_check_alloc(o);
3408  copy_route_option_list(o->routes, pp->routes, gc);
3409  }
3410  else
3411  {
3412  o->routes = NULL;
3413  }
3414 
3415  if (pp->routes_ipv6_defined)
3416  {
3417  rol6_check_alloc(o);
3419  }
3420  else
3421  {
3422  o->routes_ipv6 = NULL;
3423  }
3424 
3425  if (pp->client_nat_defined)
3426  {
3427  cnol_check_alloc(o);
3429  }
3430  else
3431  {
3432  o->client_nat = NULL;
3433  }
3434 
3436  }
3437 
3438  o->push_continuation = 0;
3439  o->push_option_types_found = 0;
3440 }
3441 
3442 #endif /* if P2MP */
3443 
3444 #ifdef ENABLE_OCC
3445 
3453 static size_t
3454 calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
3455 {
3456  size_t link_mtu = EXPANDED_SIZE(frame);
3457 #ifdef ENABLE_CRYPTO
3458  if (o->pull || o->mode == MODE_SERVER)
3459  {
3460  struct frame fake_frame = *frame;
3461  struct key_type fake_kt;
3462  init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true,
3463  false);
3464  frame_add_to_extra_frame(&fake_frame, -(crypto_max_overhead()));
3465  crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
3466  cipher_kt_mode_ofb_cfb(fake_kt.cipher));
3467  frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
3468  o->ce.tun_mtu_defined, o->ce.tun_mtu);
3469  msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu,
3470  EXPANDED_SIZE(&fake_frame));
3471  link_mtu = EXPANDED_SIZE(&fake_frame);
3472  }
3473 #endif
3474  return link_mtu;
3475 }
3476 
3477 /*
3478  * Build an options string to represent data channel encryption options.
3479  * This string must match exactly between peers. The keysize is checked
3480  * separately by read_key().
3481  *
3482  * The following options must match on both peers:
3483  *
3484  * Tunnel options:
3485  *
3486  * --dev tun|tap [unit number need not match]
3487  * --dev-type tun|tap
3488  * --link-mtu
3489  * --udp-mtu
3490  * --tun-mtu
3491  * --proto udp
3492  * --proto tcp-client [matched with --proto tcp-server
3493  * on the other end of the connection]
3494  * --proto tcp-server [matched with --proto tcp-client on
3495  * the other end of the connection]
3496  * --tun-ipv6
3497  * --ifconfig x y [matched with --ifconfig y x on
3498  * the other end of the connection]
3499  *
3500  * --comp-lzo
3501  * --compress alg
3502  * --fragment
3503  *
3504  * Crypto Options:
3505  *
3506  * --cipher
3507  * --auth
3508  * --keysize
3509  * --secret
3510  * --no-replay
3511  *
3512  * SSL Options:
3513  *
3514  * --tls-auth
3515  * --tls-client [matched with --tls-server on
3516  * the other end of the connection]
3517  * --tls-server [matched with --tls-client on
3518  * the other end of the connection]
3519  */
3520 char *
3521 options_string(const struct options *o,
3522  const struct frame *frame,
3523  struct tuntap *tt,
3524  bool remote,
3525  struct gc_arena *gc)
3526 {
3527  struct buffer out = alloc_buf(OPTION_LINE_SIZE);
3528  bool tt_local = false;
3529 
3530  buf_printf(&out, "V4");
3531 
3532  /*
3533  * Tunnel Options
3534  */
3535 
3536  buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
3537  buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame));
3538  buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame));
3539  buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
3540 
3541  /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
3542  * is usually pushed by the server, triggering a non-helpful warning
3543  */
3545  {
3546  buf_printf(&out, ",tun-ipv6");
3547  }
3548 
3549  /*
3550  * Try to get ifconfig parameters into the options string.
3551  * If tt is undefined, make a temporary instantiation.
3552  */
3553  if (!tt)
3554  {
3555  tt = init_tun(o->dev,
3556  o->dev_type,
3557  o->topology,
3558  o->ifconfig_local,
3563  NULL,
3564  NULL,
3565  false,
3566  NULL);
3567  if (tt)
3568  {
3569  tt_local = true;
3570  }
3571  }
3572 
3573  if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
3574  {
3575  const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
3576  if (ios && strlen(ios))
3577  {
3578  buf_printf(&out, ",ifconfig %s", ios);
3579  }
3580  }
3581  if (tt_local)
3582  {
3583  free(tt);
3584  tt = NULL;
3585  }
3586 
3587 #ifdef USE_COMP
3588  if (o->comp.alg != COMP_ALG_UNDEF)
3589  {
3590  buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
3591  }
3592 #endif
3593 
3594 #ifdef ENABLE_FRAGMENT
3595  if (o->ce.fragment)
3596  {
3597  buf_printf(&out, ",mtu-dynamic");
3598  }
3599 #endif
3600 
3601 #ifdef ENABLE_CRYPTO
3602 
3603 #define TLS_CLIENT (o->tls_client)
3604 #define TLS_SERVER (o->tls_server)
3605 
3606  /*
3607  * Key direction
3608  */
3609  {
3610  const char *kd = keydirection2ascii(o->key_direction, remote);
3611  if (kd)
3612  {
3613  buf_printf(&out, ",keydir %s", kd);
3614  }
3615  }
3616 
3617  /*
3618  * Crypto Options
3619  */
3621  {
3622  struct key_type kt;
3623 
3624  ASSERT((o->shared_secret_file != NULL)
3625  + (TLS_CLIENT == true)
3626  + (TLS_SERVER == true)
3627  <= 1);
3628 
3629  init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
3630  false);
3631 
3632  buf_printf(&out, ",cipher %s",
3634  buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
3635  buf_printf(&out, ",keysize %d", kt.cipher_length * 8);
3636  if (o->shared_secret_file)
3637  {
3638  buf_printf(&out, ",secret");
3639  }
3640  if (!o->replay)
3641  {
3642  buf_printf(&out, ",no-replay");
3643  }
3644 
3645 #ifdef ENABLE_PREDICTION_RESISTANCE
3646  if (o->use_prediction_resistance)
3647  {
3648  buf_printf(&out, ",use-prediction-resistance");
3649  }
3650 #endif
3651  }
3652 
3653  /*
3654  * SSL Options
3655  */
3656  {
3657  if (TLS_CLIENT || TLS_SERVER)
3658  {
3659  if (o->tls_auth_file)
3660  {
3661  buf_printf(&out, ",tls-auth");
3662  }
3663  /* Not adding tls-crypt here, because we won't reach this code if
3664  * tls-auth/tls-crypt does not match. Removing tls-auth here would
3665  * break stuff, so leaving that in place. */
3666 
3667  if (o->key_method > 1)
3668  {
3669  buf_printf(&out, ",key-method %d", o->key_method);
3670  }
3671  }
3672 
3673  if (remote)
3674  {
3675  if (TLS_CLIENT)
3676  {
3677  buf_printf(&out, ",tls-server");
3678  }
3679  else if (TLS_SERVER)
3680  {
3681  buf_printf(&out, ",tls-client");
3682  }
3683  }
3684  else
3685  {
3686  if (TLS_CLIENT)
3687  {
3688  buf_printf(&out, ",tls-client");
3689  }
3690  else if (TLS_SERVER)
3691  {
3692  buf_printf(&out, ",tls-server");
3693  }
3694  }
3695  }
3696 
3697 #undef TLS_CLIENT
3698 #undef TLS_SERVER
3699 
3700 #endif /* ENABLE_CRYPTO */
3701 
3702  return BSTR(&out);
3703 }
3704 
3705 /*
3706  * Compare option strings for equality.
3707  * If the first two chars of the strings differ, it means that
3708  * we are looking at different versions of the options string,
3709  * therefore don't compare them and return true.
3710  */
3711 
3712 bool
3713 options_cmp_equal(char *actual, const char *expected)
3714 {
3715  return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
3716 }
3717 
3718 void
3719 options_warning(char *actual, const char *expected)
3720 {
3721  options_warning_safe(actual, expected, strlen(actual) + 1);
3722 }
3723 
3724 static const char *
3725 options_warning_extract_parm1(const char *option_string,
3726  struct gc_arena *gc_ret)
3727 {
3728  struct gc_arena gc = gc_new();
3729  struct buffer b = string_alloc_buf(option_string, &gc);
3730  char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
3731  const char *ret;
3732 
3733  buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
3734  ret = string_alloc(p, gc_ret);
3735  gc_free(&gc);
3736  return ret;
3737 }
3738 
3739 static void
3740 options_warning_safe_scan2(const int msglevel,
3741  const int delim,
3742  const bool report_inconsistent,
3743  const char *p1,
3744  const struct buffer *b2_src,
3745  const char *b1_name,
3746  const char *b2_name)
3747 {
3748  /* we will stop sending 'proto xxx' in OCC in a future version
3749  * (because it's not useful), and to reduce questions when
3750  * interoperating, we start not-printing a warning about it today
3751  */
3752  if (strncmp(p1, "proto ", 6) == 0)
3753  {
3754  return;
3755  }
3756 
3757  if (strlen(p1) > 0)
3758  {
3759  struct gc_arena gc = gc_new();
3760  struct buffer b2 = *b2_src;
3761  const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
3762  char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
3763 
3764  while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
3765  {
3766  if (strlen(p2))
3767  {
3768  const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
3769 
3770  if (!strcmp(p1, p2))
3771  {
3772  goto done;
3773  }
3774  if (!strcmp(p1_prefix, p2_prefix))
3775  {
3776  if (report_inconsistent)
3777  {
3778  msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
3779  safe_print(p1_prefix, &gc),
3780  b1_name,
3781  safe_print(p1, &gc),
3782  b2_name,
3783  safe_print(p2, &gc));
3784  }
3785  goto done;
3786  }
3787  }
3788  }
3789 
3790  msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
3791  safe_print(p1_prefix, &gc),
3792  b1_name,
3793  b2_name,
3794  b1_name,
3795  safe_print(p1, &gc));
3796 
3797 done:
3798  gc_free(&gc);
3799  }
3800 }
3801 
3802 static void
3803 options_warning_safe_scan1(const int msglevel,
3804  const int delim,
3805  const bool report_inconsistent,
3806  const struct buffer *b1_src,
3807  const struct buffer *b2_src,
3808  const char *b1_name,
3809  const char *b2_name)
3810 {
3811  struct gc_arena gc = gc_new();
3812  struct buffer b = *b1_src;
3813  char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
3814 
3815  while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
3816  {
3817  options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
3818  }
3819 
3820  gc_free(&gc);
3821 }
3822 
3823 static void
3824 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
3825 {
3826  struct gc_arena gc = gc_new();
3827 
3828  if (actual_n > 0)
3829  {
3830  struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
3831  struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
3832  actual[actual_n - 1] = 0;
3833 
3834  buf_printf(&local, "version %s", expected);
3835  buf_printf(&remote, "version %s", actual);
3836 
3837  options_warning_safe_scan1(msglevel, ',', true,
3838  &local, &remote,
3839  "local", "remote");
3840 
3841  options_warning_safe_scan1(msglevel, ',', false,
3842  &remote, &local,
3843  "remote", "local");
3844  }
3845 
3846  gc_free(&gc);
3847 }
3848 
3849 bool
3850 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
3851 {
3852  struct gc_arena gc = gc_new();
3853  bool ret = true;
3854 
3855  if (actual_n > 0)
3856  {
3857  actual[actual_n - 1] = 0;
3858 #ifndef ENABLE_STRICT_OPTIONS_CHECK
3859  if (strncmp(actual, expected, 2))
3860  {
3861  msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
3862  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
3863  }
3864  else
3865 #endif
3866  ret = !strcmp(actual, expected);
3867  }
3868  gc_free(&gc);
3869  return ret;
3870 }
3871 
3872 void
3873 options_warning_safe(char *actual, const char *expected, size_t actual_n)
3874 {
3875  options_warning_safe_ml(M_WARN, actual, expected, actual_n);
3876 }
3877 
3878 const char *
3879 options_string_version(const char *s, struct gc_arena *gc)
3880 {
3881  struct buffer out = alloc_buf_gc(4, gc);
3882  strncpynt((char *) BPTR(&out), s, 3);
3883  return BSTR(&out);
3884 }
3885 
3886 #endif /* ENABLE_OCC */
3887 
3888 char *
3889 options_string_extract_option(const char *options_string,const char *opt_name,
3890  struct gc_arena *gc)
3891 {
3892  char *ret = NULL;
3893  const size_t opt_name_len = strlen(opt_name);
3894 
3895  const char *p = options_string;
3896  while (p)
3897  {
3898  if (0 == strncmp(p, opt_name, opt_name_len)
3899  && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
3900  {
3901  /* option found, extract value */
3902  const char *start = &p[opt_name_len+1];
3903  const char *end = strchr(p, ',');
3904  size_t val_len = end ? end - start : strlen(start);
3905  ret = gc_malloc(val_len+1, true, gc);
3906  memcpy(ret, start, val_len);
3907  break;
3908  }
3909  p = strchr(p, ',');
3910  if (p)
3911  {
3912  p++; /* skip delimiter */
3913  }
3914  }
3915  return ret;
3916 }
3917 
3918 static void
3919 foreign_option(struct options *o, char *argv[], int len, struct env_set *es)
3920 {
3921  if (len > 0)
3922  {
3923  struct gc_arena gc = gc_new();
3924  struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3925  struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3926  int i;
3927  bool first = true;
3928  bool good = true;
3929 
3930  good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
3931  ++o->foreign_option_index;
3932  for (i = 0; i < len; ++i)
3933  {
3934  if (argv[i])
3935  {
3936  if (!first)
3937  {
3938  good &= buf_printf(&value, " ");
3939  }
3940  good &= buf_printf(&value, "%s", argv[i]);
3941  first = false;
3942  }
3943  }
3944  if (good)
3945  {
3946  setenv_str(es, BSTR(&name), BSTR(&value));
3947  }
3948  else
3949  {
3950  msg(M_WARN, "foreign_option: name/value overflow");
3951  }
3952  gc_free(&gc);
3953  }
3954 }
3955 
3956 /*
3957  * parse/print topology coding
3958  */
3959 
3960 int
3961 parse_topology(const char *str, const int msglevel)
3962 {
3963  if (streq(str, "net30"))
3964  {
3965  return TOP_NET30;
3966  }
3967  else if (streq(str, "p2p"))
3968  {
3969  return TOP_P2P;
3970  }
3971  else if (streq(str, "subnet"))
3972  {
3973  return TOP_SUBNET;
3974  }
3975  else
3976  {
3977  msg(msglevel, "--topology must be net30, p2p, or subnet");
3978  return TOP_UNDEF;
3979  }
3980 }
3981 
3982 const char *
3983 print_topology(const int topology)
3984 {
3985  switch (topology)
3986  {
3987  case TOP_UNDEF:
3988  return "undef";
3989 
3990  case TOP_NET30:
3991  return "net30";
3992 
3993  case TOP_P2P:
3994  return "p2p";
3995 
3996  case TOP_SUBNET:
3997  return "subnet";
3998 
3999  default:
4000  return "unknown";
4001  }
4002 }
4003 
4004 #if P2MP
4005 
4006 /*
4007  * Manage auth-retry variable
4008  */
4009 
4010 static int global_auth_retry; /* GLOBAL */
4011 
4012 int
4014 {
4015  return global_auth_retry;
4016 }
4017 
4018 bool
4019 auth_retry_set(const int msglevel, const char *option)
4020 {
4021  if (streq(option, "interact"))
4022  {
4024  }
4025  else if (streq(option, "nointeract"))
4026  {
4028  }
4029  else if (streq(option, "none"))
4030  {
4032  }
4033  else
4034  {
4035  msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4036  return false;
4037  }
4038  return true;
4039 }
4040 
4041 const char *
4043 {
4044  switch (global_auth_retry)
4045  {
4046  case AR_NONE:
4047  return "none";
4048 
4049  case AR_NOINTERACT:
4050  return "nointeract";
4051 
4052  case AR_INTERACT:
4053  return "interact";
4054 
4055  default:
4056  return "???";
4057  }
4058 }
4059 
4060 #endif /* if P2MP */
4061 
4062 /*
4063  * Print the help message.
4064  */
4065 static void
4066 usage(void)
4067 {
4068  FILE *fp = msg_fp(0);
4069 
4070 #ifdef ENABLE_SMALL
4071 
4072  fprintf(fp, "Usage message not available\n");
4073 
4074 #else
4075 
4076  struct options o;
4077  init_options(&o, true);
4078 
4079 #ifdef ENABLE_CRYPTO
4080  fprintf(fp, usage_message,
4081  title_string,
4084  o.ce.local_port, o.ce.remote_port,
4086  o.verbosity,
4087  o.authname, o.ciphername,
4091 #else /* ifdef ENABLE_CRYPTO */
4092  fprintf(fp, usage_message,
4093  title_string,
4096  o.ce.local_port, o.ce.remote_port,
4098  o.verbosity);
4099 #endif
4100  fflush(fp);
4101 
4102 #endif /* ENABLE_SMALL */
4103 
4104  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4105 }
4106 
4107 void
4109 {
4110  msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4111  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4112 }
4113 
4114 #ifdef _WIN32
4115 void
4116 show_windows_version(const unsigned int flags)
4117 {
4118  struct gc_arena gc = gc_new();
4119  msg(flags, "Windows version %s", win32_version_string(&gc, true));
4120  gc_free(&gc);
4121 }
4122 #endif
4123 
4124 void
4125 show_library_versions(const unsigned int flags)
4126 {
4127 #ifdef ENABLE_CRYPTO
4128 #define SSL_LIB_VER_STR get_ssl_library_version()
4129 #else
4130 #define SSL_LIB_VER_STR ""
4131 #endif
4132 #ifdef ENABLE_LZO
4133 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4134 #else
4135 #define LZO_LIB_VER_STR "", ""
4136 #endif
4137 
4138  msg(flags, "library versions: %s%s%s", SSL_LIB_VER_STR, LZO_LIB_VER_STR);
4139 
4140 #undef SSL_LIB_VER_STR
4141 #undef LZO_LIB_VER_STR
4142 }
4143 
4144 static void
4146 {
4149 #ifdef _WIN32
4151 #endif
4152  msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4153  msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>");
4154 #ifndef ENABLE_SMALL
4155 #ifdef CONFIGURE_DEFINES
4156  msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4157 #endif
4158 #ifdef CONFIGURE_SPECIAL_BUILD
4159  msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4160 #endif
4161 #endif
4162  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4163 }
4164 
4165 void
4166 notnull(const char *arg, const char *description)
4167 {
4168  if (!arg)
4169  {
4170  msg(M_USAGE, "You must define %s", description);
4171  }
4172 }
4173 
4174 bool
4175 string_defined_equal(const char *s1, const char *s2)
4176 {
4177  if (s1 && s2)
4178  {
4179  return !strcmp(s1, s2);
4180  }
4181  else
4182  {
4183  return false;
4184  }
4185 }
4186 
4187 #if 0
4188 static void
4189 ping_rec_err(int msglevel)
4190 {
4191  msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4192 }
4193 #endif
4194 
4195 static int
4196 positive_atoi(const char *str)
4197 {
4198  const int i = atoi(str);
4199  return i < 0 ? 0 : i;
4200 }
4201 
4202 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4203 static unsigned int
4204 atou(const char *str)
4205 {
4206  unsigned int val = 0;
4207  sscanf(str, "%u", &val);
4208  return val;
4209 }
4210 #endif
4211 
4212 static inline bool
4213 space(unsigned char c)
4214 {
4215  return c == '\0' || isspace(c);
4216 }
4217 
4218 int
4219 parse_line(const char *line,
4220  char *p[],
4221  const int n,
4222  const char *file,
4223  const int line_num,
4224  int msglevel,
4225  struct gc_arena *gc)
4226 {
4227  const int STATE_INITIAL = 0;
4228  const int STATE_READING_QUOTED_PARM = 1;
4229  const int STATE_READING_UNQUOTED_PARM = 2;
4230  const int STATE_DONE = 3;
4231  const int STATE_READING_SQUOTED_PARM = 4;
4232 
4233  const char *error_prefix = "";
4234 
4235  int ret = 0;
4236  const char *c = line;
4237  int state = STATE_INITIAL;
4238  bool backslash = false;
4239  char in, out;
4240 
4241  char parm[OPTION_PARM_SIZE];
4242  unsigned int parm_len = 0;
4243 
4244  msglevel &= ~M_OPTERR;
4245 
4246  if (msglevel & M_MSG_VIRT_OUT)
4247  {
4248  error_prefix = "ERROR: ";
4249  }
4250 
4251  do
4252  {
4253  in = *c;
4254  out = 0;
4255 
4256  if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4257  {
4258  backslash = true;
4259  }
4260  else
4261  {
4262  if (state == STATE_INITIAL)
4263  {
4264  if (!space(in))
4265  {
4266  if (in == ';' || in == '#') /* comment */
4267  {
4268  break;
4269  }
4270  if (!backslash && in == '\"')
4271  {
4272  state = STATE_READING_QUOTED_PARM;
4273  }
4274  else if (!backslash && in == '\'')
4275  {
4276  state = STATE_READING_SQUOTED_PARM;
4277  }
4278  else
4279  {
4280  out = in;
4281  state = STATE_READING_UNQUOTED_PARM;
4282  }
4283  }
4284  }
4285  else if (state == STATE_READING_UNQUOTED_PARM)
4286  {
4287  if (!backslash && space(in))
4288  {
4289  state = STATE_DONE;
4290  }
4291  else
4292  {
4293  out = in;
4294  }
4295  }
4296  else if (state == STATE_READING_QUOTED_PARM)
4297  {
4298  if (!backslash && in == '\"')
4299  {
4300  state = STATE_DONE;
4301  }
4302  else
4303  {
4304  out = in;
4305  }
4306  }
4307  else if (state == STATE_READING_SQUOTED_PARM)
4308  {
4309  if (in == '\'')
4310  {
4311  state = STATE_DONE;
4312  }
4313  else
4314  {
4315  out = in;
4316  }
4317  }
4318  if (state == STATE_DONE)
4319  {
4320  /* ASSERT (parm_len > 0); */
4321  p[ret] = gc_malloc(parm_len + 1, true, gc);
4322  memcpy(p[ret], parm, parm_len);
4323  p[ret][parm_len] = '\0';
4324  state = STATE_INITIAL;
4325  parm_len = 0;
4326  ++ret;
4327  }
4328 
4329  if (backslash && out)
4330  {
4331  if (!(out == '\\' || out == '\"' || space(out)))
4332  {
4333 #ifdef ENABLE_SMALL
4334  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
4335 #else
4336  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
4337 #endif
4338  return 0;
4339  }
4340  }
4341  backslash = false;
4342  }
4343 
4344  /* store parameter character */
4345  if (out)
4346  {
4347  if (parm_len >= SIZE(parm))
4348  {
4349  parm[SIZE(parm) - 1] = 0;
4350  msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
4351  error_prefix, file, line_num, (int) SIZE(parm), parm);
4352  return 0;
4353  }
4354  parm[parm_len++] = out;
4355  }
4356 
4357  /* avoid overflow if too many parms in one config file line */
4358  if (ret >= n)
4359  {
4360  break;
4361  }
4362 
4363  } while (*c++ != '\0');
4364 
4365  if (state == STATE_READING_QUOTED_PARM)
4366  {
4367  msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
4368  return 0;
4369  }
4370  if (state == STATE_READING_SQUOTED_PARM)
4371  {
4372  msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
4373  return 0;
4374  }
4375  if (state != STATE_INITIAL)
4376  {
4377  msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
4378  return 0;
4379  }
4380 #if 0
4381  {
4382  int i;
4383  for (i = 0; i < ret; ++i)
4384  {
4385  msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
4386  }
4387  }
4388 #endif
4389  return ret;
4390 }
4391 
4392 static void
4394 {
4395  if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
4396  {
4397  *p += 2;
4398  }
4399 }
4400 
4401 struct in_src {
4402 #define IS_TYPE_FP 1
4403 #define IS_TYPE_BUF 2
4404  int type;
4405  union {
4406  FILE *fp;
4408  } u;
4409 };
4410 
4411 static bool
4412 in_src_get(const struct in_src *is, char *line, const int size)
4413 {
4414  if (is->type == IS_TYPE_FP)
4415  {
4416  return BOOL_CAST(fgets(line, size, is->u.fp));
4417  }
4418  else if (is->type == IS_TYPE_BUF)
4419  {
4420  bool status = buf_parse(is->u.multiline, '\n', line, size);
4421  if ((int) strlen(line) + 1 < size)
4422  {
4423  strcat(line, "\n");
4424  }
4425  return status;
4426  }
4427  else
4428  {
4429  ASSERT(0);
4430  return false;
4431  }
4432 }
4433 
4434 static char *
4435 read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc)
4436 {
4437  char line[OPTION_LINE_SIZE];
4438  struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
4439  char *ret;
4440  bool endtagfound = false;
4441 
4442  while (in_src_get(is, line, sizeof(line)))
4443  {
4444  char *line_ptr = line;
4445  /* Remove leading spaces */
4446  while (isspace(*line_ptr))
4447  {
4448  line_ptr++;
4449  }
4450  if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
4451  {
4452  endtagfound = true;
4453  break;
4454  }
4455  if (!buf_safe(&buf, strlen(line)+1))
4456  {
4457  /* Increase buffer size */
4458  struct buffer buf2 = alloc_buf(buf.capacity * 2);
4459  ASSERT(buf_copy(&buf2, &buf));
4460  buf_clear(&buf);
4461  free_buf(&buf);
4462  buf = buf2;
4463  }
4464  buf_printf(&buf, "%s", line);
4465  }
4466  if (!endtagfound)
4467  {
4468  msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
4469  }
4470  ret = string_alloc(BSTR(&buf), gc);
4471  buf_clear(&buf);
4472  free_buf(&buf);
4473  secure_memzero(line, sizeof(line));
4474  return ret;
4475 }
4476 
4477 static bool
4478 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
4479 {
4480  bool ret = false;
4481  if (p[0] && !p[1])
4482  {
4483  char *arg = p[0];
4484  if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
4485  {
4486  struct buffer close_tag;
4487  arg[strlen(arg)-1] = '\0';
4488  p[0] = string_alloc(arg+1, gc);
4489  p[1] = string_alloc(INLINE_FILE_TAG, gc);
4490  close_tag = alloc_buf(strlen(p[0]) + 4);
4491  buf_printf(&close_tag, "</%s>", p[0]);
4492  p[2] = read_inline_file(is, BSTR(&close_tag), gc);
4493  p[3] = NULL;
4494  free_buf(&close_tag);
4495  ret = true;
4496  }
4497  }
4498  return ret;
4499 }
4500 
4501 static bool
4502 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
4503 {
4504  struct in_src is;
4505  is.type = IS_TYPE_FP;
4506  is.u.fp = fp;
4507  return check_inline_file(&is, p, gc);
4508 }
4509 
4510 static bool
4511 check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
4512 {
4513  struct in_src is;
4514  is.type = IS_TYPE_BUF;
4515  is.u.multiline = multiline;
4516  return check_inline_file(&is, p, gc);
4517 }
4518 
4519 static void
4520 add_option(struct options *options,
4521  char *p[],
4522  const char *file,
4523  int line,
4524  const int level,
4525  const int msglevel,
4526  const unsigned int permission_mask,
4527  unsigned int *option_types_found,
4528  struct env_set *es);
4529 
4530 static void
4531 read_config_file(struct options *options,
4532  const char *file,
4533  int level,
4534  const char *top_file,
4535  const int top_line,
4536  const int msglevel,
4537  const unsigned int permission_mask,
4538  unsigned int *option_types_found,
4539  struct env_set *es)
4540 {
4541  const int max_recursive_levels = 10;
4542  FILE *fp;
4543  int line_num;
4544  char line[OPTION_LINE_SIZE+1];
4545  char *p[MAX_PARMS+1];
4546 
4547  ++level;
4548  if (level <= max_recursive_levels)
4549  {
4550  if (streq(file, "stdin"))
4551  {
4552  fp = stdin;
4553  }
4554  else
4555  {
4556  fp = platform_fopen(file, "r");
4557  }
4558  if (fp)
4559  {
4560  line_num = 0;
4561  while (fgets(line, sizeof(line), fp))
4562  {
4563  int offset = 0;
4564  CLEAR(p);
4565  ++line_num;
4566  if (strlen(line) == OPTION_LINE_SIZE)
4567  {
4568  msg(msglevel, "In %s:%d: Maximum optione line length (%d) exceeded, line starts with %s",
4569  file, line_num, OPTION_LINE_SIZE, line);
4570  }
4571 
4572  /* Ignore UTF-8 BOM at start of stream */
4573  if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
4574  {
4575  offset = 3;
4576  }
4577  if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
4578  {
4579  bypass_doubledash(&p[0]);
4580  check_inline_file_via_fp(fp, p, &options->gc);
4581  add_option(options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
4582  }
4583  }
4584  if (fp != stdin)
4585  {
4586  fclose(fp);
4587  }
4588  }
4589  else
4590  {
4591  msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
4592  }
4593  }
4594  else
4595  {
4596  msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
4597  }
4598  secure_memzero(line, sizeof(line));
4599  CLEAR(p);
4600 }
4601 
4602 static void
4603 read_config_string(const char *prefix,
4604  struct options *options,
4605  const char *config,
4606  const int msglevel,
4607  const unsigned int permission_mask,
4608  unsigned int *option_types_found,
4609  struct env_set *es)
4610 {
4611  char line[OPTION_LINE_SIZE];
4612  struct buffer multiline;
4613  int line_num = 0;
4614 
4615  buf_set_read(&multiline, (uint8_t *)config, strlen(config));
4616 
4617  while (buf_parse(&multiline, '\n', line, sizeof(line)))
4618  {
4619  char *p[MAX_PARMS+1];
4620  CLEAR(p);
4621  ++line_num;
4622  if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
4623  {
4624  bypass_doubledash(&p[0]);
4625  check_inline_file_via_buf(&multiline, p, &options->gc);
4626  add_option(options, p, prefix, line_num, 0, msglevel, permission_mask, option_types_found, es);
4627  }
4628  CLEAR(p);
4629  }
4630  secure_memzero(line, sizeof(line));
4631 }
4632 
4633 void
4634 parse_argv(struct options *options,
4635  const int argc,
4636  char *argv[],
4637  const int msglevel,
4638  const unsigned int permission_mask,
4639  unsigned int *option_types_found,
4640  struct env_set *es)
4641 {
4642  int i, j;
4643 
4644  /* usage message */
4645  if (argc <= 1)
4646  {
4647  usage();
4648  }
4649 
4650  /* config filename specified only? */
4651  if (argc == 2 && strncmp(argv[1], "--", 2))
4652  {
4653  char *p[MAX_PARMS];
4654  CLEAR(p);
4655  p[0] = "config";
4656  p[1] = argv[1];
4657  add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
4658  }
4659  else
4660  {
4661  /* parse command line */
4662  for (i = 1; i < argc; ++i)
4663  {
4664  char *p[MAX_PARMS];
4665  CLEAR(p);
4666  p[0] = argv[i];
4667  if (strncmp(p[0], "--", 2))
4668  {
4669  msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
4670  }
4671  else
4672  {
4673  p[0] += 2;
4674  }
4675 
4676  for (j = 1; j < MAX_PARMS; ++j)
4677  {
4678  if (i + j < argc)
4679  {
4680  char *arg = argv[i + j];
4681  if (strncmp(arg, "--", 2))
4682  {
4683  p[j] = arg;
4684  }
4685  else
4686  {
4687  break;
4688  }
4689  }
4690  }
4691  add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
4692  i += j - 1;
4693  }
4694  }
4695 }
4696 
4705 static bool
4706 apply_pull_filter(const struct options *o, char *line)
4707 {
4708  struct pull_filter *f;
4709 
4710  if (!o->pull_filter_list)
4711  {
4712  return true;
4713  }
4714 
4715  for (f = o->pull_filter_list->head; f; f = f->next)
4716  {
4717  if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
4718  {
4719  msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
4720  return true;
4721  }
4722  else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
4723  {
4724  msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
4725  *line = '\0';
4726  return true;
4727  }
4728  else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
4729  {
4730  msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
4731  *line = '\0';
4732  throw_signal_soft(SIGUSR1, "Offending option received from server");
4733  return false;
4734  }
4735  }
4736  return true;
4737 }
4738 
4739 bool
4740 apply_push_options(struct options *options,
4741  struct buffer *buf,
4742  unsigned int permission_mask,
4743  unsigned int *option_types_found,
4744  struct env_set *es)
4745 {
4746  char line[OPTION_PARM_SIZE];
4747  int line_num = 0;
4748  const char *file = "[PUSH-OPTIONS]";
4749  const int msglevel = D_PUSH_ERRORS|M_OPTERR;
4750 
4751  while (buf_parse(buf, ',', line, sizeof(line)))
4752  {
4753  char *p[MAX_PARMS+1];
4754  CLEAR(p);
4755  ++line_num;
4756  if (!apply_pull_filter(options, line))
4757  {
4758  return false; /* Cause push/pull error and stop push processing */
4759  }
4760  if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
4761  {
4762  add_option(options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
4763  }
4764  }
4765  return true;
4766 }
4767 
4768 void
4769 options_server_import(struct options *o,
4770  const char *filename,
4771  int msglevel,
4772  unsigned int permission_mask,
4773  unsigned int *option_types_found,
4774  struct env_set *es)
4775 {
4776  msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
4777  read_config_file(o,
4778  filename,
4779  0,
4780  filename,
4781  0,
4782  msglevel,
4783  permission_mask,
4784  option_types_found,
4785  es);
4786 }
4787 
4788 void
4789 options_string_import(struct options *options,
4790  const char *config,
4791  const int msglevel,
4792  const unsigned int permission_mask,
4793  unsigned int *option_types_found,
4794  struct env_set *es)
4795 {
4796  read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
4797 }
4798 
4799 #if P2MP
4800 
4801 #define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, msglevel, options)) {goto err;}}
4802 
4803 static bool
4804 verify_permission(const char *name,
4805  const char *file,
4806  int line,
4807  const unsigned int type,
4808  const unsigned int allowed,
4809  unsigned int *found,
4810  const int msglevel,
4811  struct options *options)
4812 {
4813  if (!(type & allowed))
4814  {
4815  msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
4816  return false;
4817  }
4818 
4819  if (found)
4820  {
4821  *found |= type;
4822  }
4823 
4824 #ifndef ENABLE_SMALL
4825  /* Check if this options is allowed in connection block,
4826  * but we are currently not in a connection block
4827  * unless this is a pushed option.
4828  * Parsing a connection block uses a temporary options struct without
4829  * connection_list
4830  */
4831 
4832  if ((type & OPT_P_CONNECTION) && options->connection_list
4833  && !(allowed & OPT_P_PULL_MODE))
4834  {
4835  if (file)
4836  {
4837  msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
4838  }
4839  else
4840  {
4841  msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
4842  }
4843  }
4844 #endif
4845  return true;
4846 }
4847 
4848 #else /* if P2MP */
4849 
4850 #define VERIFY_PERMISSION(mask)
4851 
4852 #endif /* if P2MP */
4853 
4854 /*
4855  * Check that an option doesn't have too
4856  * many parameters.
4857  */
4858 
4859 #define NM_QUOTE_HINT (1<<0)
4860 
4861 static bool
4862 no_more_than_n_args(const int msglevel,
4863  char *p[],
4864  const int max,
4865  const unsigned int flags)
4866 {
4867  const int len = string_array_len((const char **)p);
4868 
4869  if (!len)
4870  {
4871  return false;
4872  }
4873 
4874  if (len > max)
4875  {
4876  msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
4877  p[0],
4878  max - 1,
4879  max >= 3 ? "s" : "",
4880  (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
4881  return false;
4882  }
4883  else
4884  {
4885  return true;
4886  }
4887 }
4888 
4889 static inline int
4890 msglevel_forward_compatible(struct options *options, const int msglevel)
4891 {
4892  return options->forward_compatible ? M_WARN : msglevel;
4893 }
4894 
4895 static void
4896 set_user_script(struct options *options,
4897  const char **script,
4898  const char *new_script,
4899  const char *type,
4900  bool in_chroot)
4901 {
4902  if (*script)
4903  {
4904  msg(M_WARN, "Multiple --%s scripts defined. "
4905  "The previously configured script is overridden.", type);
4906  }
4907  *script = new_script;
4908  options->user_script_used = true;
4909 
4910 #ifndef ENABLE_SMALL
4911  {
4912  char script_name[100];
4913  openvpn_snprintf(script_name, sizeof(script_name),
4914  "--%s script", type);
4915 
4916  if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
4917  {
4918  msg(M_USAGE, "Please correct this error.");
4919  }
4920 
4921  }
4922 #endif
4923 }
4924 
4925 
4926 static void
4927 add_option(struct options *options,
4928  char *p[],
4929  const char *file,
4930  int line,
4931  const int level,
4932  const int msglevel,
4933  const unsigned int permission_mask,
4934  unsigned int *option_types_found,
4935  struct env_set *es)
4936 {
4937  struct gc_arena gc = gc_new();
4938  const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
4939  int msglevel_fc = msglevel_forward_compatible(options, msglevel);
4940 
4941  ASSERT(MAX_PARMS >= 7);
4942 
4943  /*
4944  * If directive begins with "setenv opt" prefix, don't raise an error if
4945  * directive is unrecognized.
4946  */
4947  if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
4948  {
4949  if (!p[2])
4950  {
4951  p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
4952  }
4953  p += 2;
4954  msglevel_fc = M_WARN;
4955  }
4956 
4957  if (!file)
4958  {
4959  file = "[CMD-LINE]";
4960  line = 1;
4961  }
4962  if (streq(p[0], "help"))
4963  {
4965  usage();
4966  if (p[1])
4967  {
4968  msg(msglevel, "--help does not accept any parameters");
4969  goto err;
4970  }
4971  }
4972  if (streq(p[0], "version") && !p[1])
4973  {
4975  usage_version();
4976  }
4977  else if (streq(p[0], "config") && p[1] && !p[2])
4978  {
4980 
4981  /* save first config file only in options */
4982  if (!options->config)
4983  {
4984  options->config = p[1];
4985  }
4986 
4987  read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
4988  }
4989 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
4990  else if (streq(p[0], "show-gateway") && !p[2])
4991  {
4992  struct route_gateway_info rgi;
4993  struct route_ipv6_gateway_info rgi6;
4994  struct in6_addr remote = IN6ADDR_ANY_INIT;
4996  if (p[1])
4997  {
4998  get_ipv6_addr(p[1], &remote, NULL, M_WARN);
4999  }
5000  get_default_gateway(&rgi);
5001  get_default_gateway_ipv6(&rgi6, &remote);
5002  print_default_gateway(M_INFO, &rgi, &rgi6);
5003  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5004  }
5005 #endif
5006 #if 0
5007  else if (streq(p[0], "foreign-option") && p[1])
5008  {
5010  foreign_option(options, p, 3, es);
5011  }
5012 #endif
5013  else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5014  {
5015  struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5016  int j;
5017  bool good = true;
5018 
5020 
5021  for (j = 1; j < MAX_PARMS; ++j)
5022  {
5023  if (!p[j])
5024  {
5025  break;
5026  }
5027  if (j > 1)
5028  {
5029  good &= buf_printf(&string, " ");
5030  }
5031  good &= buf_printf(&string, "%s", p[j]);
5032  }
5033  if (good)
5034  {
5035 #if 0
5036  /* removed for now since ECHO can potentially include
5037  * security-sensitive strings */
5038  msg(M_INFO, "%s:%s",
5039  pull_mode ? "ECHO-PULL" : "ECHO",
5040  BSTR(&string));
5041 #endif
5042 #ifdef ENABLE_MANAGEMENT
5043  if (management)
5044  {
5045  management_echo(management, BSTR(&string), pull_mode);
5046  }
5047 #endif
5048  }
5049  else
5050  {
5051  msg(M_WARN, "echo/parameter option overflow");
5052  }
5053  }
5054 #ifdef ENABLE_MANAGEMENT
5055  else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5056  {
5058  if (streq(p[2], "unix"))
5059  {
5060 #if UNIX_SOCK_SUPPORT
5061  options->management_flags |= MF_UNIX_SOCK;
5062 #else
5063  msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5064  goto err;
5065 #endif
5066  }
5067 
5068  options->management_addr = p[1];
5069  options->management_port = p[2];
5070  if (p[3])
5071  {
5072  options->management_user_pass = p[3];
5073  }
5074  }
5075  else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5076  {
5078  options->management_client_user = p[1];
5079  }
5080  else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5081  {
5083  options->management_client_group = p[1];
5084  }
5085  else if (streq(p[0], "management-query-passwords") && !p[1])
5086  {
5089  }
5090  else if (streq(p[0], "management-query-remote") && !p[1])
5091  {
5093  options->management_flags |= MF_QUERY_REMOTE;
5094  }
5095  else if (streq(p[0], "management-query-proxy") && !p[1])
5096  {
5098  options->management_flags |= MF_QUERY_PROXY;
5099  }
5100  else if (streq(p[0], "management-hold") && !p[1])
5101  {
5103  options->management_flags |= MF_HOLD;
5104  }
5105  else if (streq(p[0], "management-signal") && !p[1])
5106  {
5108  options->management_flags |= MF_SIGNAL;
5109  }
5110  else if (streq(p[0], "management-forget-disconnect") && !p[1])
5111  {
5114  }
5115  else if (streq(p[0], "management-up-down") && !p[1])
5116  {
5118  options->management_flags |= MF_UP_DOWN;
5119  }
5120  else if (streq(p[0], "management-client") && !p[2])
5121  {
5124  options->management_write_peer_info_file = p[1];
5125  }
5126 #ifdef MANAGMENT_EXTERNAL_KEY
5127  else if (streq(p[0], "management-external-key") && !p[1])
5128  {
5130  options->management_flags |= MF_EXTERNAL_KEY;
5131  }
5132  else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5133  {
5135  options->management_flags |= MF_EXTERNAL_CERT;
5136  options->management_certificate = p[1];
5137  }
5138 #endif
5139 #ifdef MANAGEMENT_DEF_AUTH
5140  else if (streq(p[0], "management-client-auth") && !p[1])
5141  {
5143  options->management_flags |= MF_CLIENT_AUTH;
5144  }
5145 #endif
5146 #ifdef MANAGEMENT_PF
5147  else if (streq(p[0], "management-client-pf") && !p[1])
5148  {
5150  options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
5151  }
5152 #endif
5153  else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5154  {
5155  int cache;
5156 
5158  cache = atoi(p[1]);
5159  if (cache < 1)
5160  {
5161  msg(msglevel, "--management-log-cache parameter is out of range");
5162  goto err;
5163  }
5164  options->management_log_history_cache = cache;
5165  }
5166 #endif /* ifdef ENABLE_MANAGEMENT */
5167 #ifdef ENABLE_PLUGIN
5168  else if (streq(p[0], "plugin") && p[1])
5169  {
5171  if (!options->plugin_list)
5172  {
5173  options->plugin_list = plugin_option_list_new(&options->gc);
5174  }
5175  if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5176  {
5177  msg(msglevel, "plugin add failed: %s", p[1]);
5178  goto err;
5179  }
5180  }
5181 #endif
5182  else if (streq(p[0], "mode") && p[1] && !p[2])
5183  {
5185  if (streq(p[1], "p2p"))
5186  {
5187  options->mode = MODE_POINT_TO_POINT;
5188  }
5189 #if P2MP_SERVER
5190  else if (streq(p[1], "server"))
5191  {
5192  options->mode = MODE_SERVER;
5193  }
5194 #endif
5195  else
5196  {
5197  msg(msglevel, "Bad --mode parameter: %s", p[1]);
5198  goto err;
5199  }
5200  }
5201  else if (streq(p[0], "dev") && p[1] && !p[2])
5202  {
5204  options->dev = p[1];
5205  }
5206  else if (streq(p[0], "dev-type") && p[1] && !p[2])
5207  {
5209  options->dev_type = p[1];
5210  }
5211  else if (streq(p[0], "dev-node") && p[1] && !p[2])
5212  {
5214  options->dev_node = p[1];
5215  }
5216  else if (streq(p[0], "lladdr") && p[1] && !p[2])
5217  {
5219  if (mac_addr_safe(p[1])) /* MAC address only */
5220  {
5221  options->lladdr = p[1];
5222  }
5223  else
5224  {
5225  msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5226  goto err;
5227  }
5228  }
5229  else if (streq(p[0], "topology") && p[1] && !p[2])
5230  {
5232  options->topology = parse_topology(p[1], msglevel);
5233  }
5234  else if (streq(p[0], "tun-ipv6") && !p[1])
5235  {
5237  msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5238  }
5239 #ifdef ENABLE_IPROUTE
5240  else if (streq(p[0], "iproute") && p[1] && !p[2])
5241  {
5243  iproute_path = p[1];
5244  }
5245 #endif
5246  else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5247  {
5249  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5250  {
5251  options->ifconfig_local = p[1];
5252  options->ifconfig_remote_netmask = p[2];
5253  }
5254  else
5255  {
5256  msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5257  goto err;
5258  }
5259  }
5260  else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
5261  {
5262  unsigned int netbits;
5263 
5265  if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
5266  && ipv6_addr_safe( p[2] ) )
5267  {
5268  if (netbits < 64 || netbits > 124)
5269  {
5270  msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
5271  goto err;
5272  }
5273 
5274  options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
5275  options->ifconfig_ipv6_netbits = netbits;
5276  options->ifconfig_ipv6_remote = p[2];
5277  }
5278  else
5279  {
5280  msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5281  goto err;
5282  }
5283  }
5284  else if (streq(p[0], "ifconfig-noexec") && !p[1])
5285  {
5287  options->ifconfig_noexec = true;
5288  }
5289  else if (streq(p[0], "ifconfig-nowarn") && !p[1])
5290  {
5292  options->ifconfig_nowarn = true;
5293  }
5294  else if (streq(p[0], "local") && p[1] && !p[2])
5295  {
5297  options->ce.local = p[1];
5298  }
5299  else if (streq(p[0], "remote-random") && !p[1])
5300  {
5302  options->remote_random = true;
5303  }
5304  else if (streq(p[0], "connection") && p[1] && !p[3])
5305  {
5307  if (streq(p[1], INLINE_FILE_TAG) && p[2])
5308  {
5309  struct options sub;
5310  struct connection_entry *e;
5311 
5312  init_options(&sub, true);
5313  sub.ce = options->ce;
5314  read_config_string("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es);
5315  if (!sub.ce.remote)
5316  {
5317  msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
5318  uninit_options(&sub);
5319  goto err;
5320  }
5321 
5322  e = alloc_connection_entry(options, msglevel);
5323  if (!e)
5324  {
5325  uninit_options(&sub);
5326  goto err;
5327  }
5328  *e = sub.ce;
5329  gc_transfer(&options->gc, &sub.gc);
5330  uninit_options(&sub);
5331  }
5332  }
5333  else if (streq(p[0], "ignore-unknown-option") && p[1])
5334  {
5335  int i;
5336  int j;
5337  int numignored = 0;
5338  const char **ignore;
5339 
5341  /* Find out how many options to be ignored */
5342  for (i = 1; p[i]; i++)
5343  {
5344  numignored++;
5345  }
5346 
5347  /* add number of options already ignored */
5348  for (i = 0; options->ignore_unknown_option
5349  && options->ignore_unknown_option[i]; i++)
5350  {
5351  numignored++;
5352  }
5353 
5354  /* Allocate array */
5355  ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
5356  for (i = 0; options->ignore_unknown_option
5357  && options->ignore_unknown_option[i]; i++)
5358  {
5359  ignore[i] = options->ignore_unknown_option[i];
5360  }
5361 
5362  options->ignore_unknown_option = ignore;
5363 
5364  for (j = 1; p[j]; j++)
5365  {
5366  /* Allow the user to specify ignore-unknown-option --opt too */
5367  if (p[j][0]=='-' && p[j][1]=='-')
5368  {
5369  options->ignore_unknown_option[i] = (p[j]+2);
5370  }
5371  else
5372  {
5373  options->ignore_unknown_option[i] = p[j];
5374  }
5375  i++;
5376  }
5377 
5378  options->ignore_unknown_option[i] = NULL;
5379  }
5380 #if ENABLE_MANAGEMENT
5381  else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
5382  {
5384  options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
5385  if (!options->http_proxy_override)
5386  {
5387  goto err;
5388  }
5389  }
5390 #endif
5391  else if (streq(p[0], "remote") && p[1] && !p[4])
5392  {
5393  struct remote_entry re;
5394  re.remote = re.remote_port = NULL;
5395  re.proto = -1;
5396  re.af = 0;
5397 
5399  re.remote = p[1];
5400  if (p[2])
5401  {
5402  re.remote_port = p[2];
5403  if (p[3])
5404  {
5405  const int proto = ascii2proto(p[3]);
5406  const sa_family_t af = ascii2af(p[3]);
5407  if (proto < 0)
5408  {
5409  msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
5410  goto err;
5411  }
5412  re.proto = proto;
5413  re.af = af;
5414  }
5415  }
5416  if (permission_mask & OPT_P_GENERAL)
5417  {
5418  struct remote_entry *e = alloc_remote_entry(options, msglevel);
5419  if (!e)
5420  {
5421  goto err;
5422  }
5423  *e = re;
5424  }
5425  else if (permission_mask & OPT_P_CONNECTION)
5426  {
5427  connection_entry_load_re(&options->ce, &re);
5428  }
5429  }
5430  else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
5431  {
5433  if (streq(p[1], "infinite"))
5434  {
5436  }
5437  else
5438  {
5439  options->resolve_retry_seconds = positive_atoi(p[1]);
5440  }
5441  }
5442  else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
5443  {
5445  options->resolve_in_advance = true;
5446  /* Note the ip-remote-hint and the argument p[1] are for
5447  * backward compatibility */
5448  if (p[1])
5449  {
5450  options->ip_remote_hint = p[1];
5451  }
5452  }
5453  else if (streq(p[0], "connect-retry") && p[1] && !p[3])
5454  {
5456  options->ce.connect_retry_seconds = positive_atoi(p[1]);
5457  /*
5458  * Limit the base value of retry wait interval to 16 bits to avoid
5459  * overflow when scaled up for exponential backoff
5460  */
5461  if (options->ce.connect_retry_seconds > 0xFFFF)
5462  {
5463  options->ce.connect_retry_seconds = 0xFFFF;
5464  msg(M_WARN, "connect retry wait interval truncated to %d",
5465  options->ce.connect_retry_seconds);
5466  }
5467 
5468  if (p[2])
5469  {
5470  options->ce.connect_retry_seconds_max =
5471  max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
5472  }
5473  }
5474  else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
5475  && p[1] && !p[2])
5476  {
5478  options->ce.connect_timeout = positive_atoi(p[1]);
5479  }
5480  else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
5481  {
5483  options->connect_retry_max = positive_atoi(p[1]);
5484  }
5485  else if (streq(p[0], "ipchange") && p[1])
5486  {
5488  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5489  {
5490  goto err;
5491  }
5492  set_user_script(options,
5493  &options->ipchange,
5494  string_substitute(p[1], ',', ' ', &options->gc),
5495  "ipchange", true);
5496  }
5497  else if (streq(p[0], "float") && !p[1])
5498  {
5500  options->ce.remote_float = true;
5501  }
5502 #ifdef ENABLE_DEBUG
5503  else if (streq(p[0], "gremlin") && p[1] && !p[2])
5504  {
5506  options->gremlin = positive_atoi(p[1]);
5507  }
5508 #endif
5509  else if (streq(p[0], "chroot") && p[1] && !p[2])
5510  {
5512  options->chroot_dir = p[1];
5513  }
5514  else if (streq(p[0], "cd") && p[1] && !p[2])
5515  {
5517  if (platform_chdir(p[1]))
5518  {
5519  msg(M_ERR, "cd to '%s' failed", p[1]);
5520  goto err;
5521  }
5522  options->cd_dir = p[1];
5523  }
5524 #ifdef ENABLE_SELINUX
5525  else if (streq(p[0], "setcon") && p[1] && !p[2])
5526  {
5528  options->selinux_context = p[1];
5529  }
5530 #endif
5531  else if (streq(p[0], "writepid") && p[1] && !p[2])
5532  {
5534  options->writepid = p[1];
5535  }
5536  else if (streq(p[0], "up") && p[1])
5537  {
5539  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5540  {
5541  goto err;
5542  }
5543  set_user_script(options, &options->up_script, p[1], "up", false);
5544  }
5545  else if (streq(p[0], "down") && p[1])
5546  {
5548  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5549  {
5550  goto err;
5551  }
5552  set_user_script(options, &options->down_script, p[1], "down", true);
5553  }
5554  else if (streq(p[0], "down-pre") && !p[1])
5555  {
5557  options->down_pre = true;
5558  }
5559  else if (streq(p[0], "up-delay") && !p[1])
5560  {
5562  options->up_delay = true;
5563  }
5564  else if (streq(p[0], "up-restart") && !p[1])
5565  {
5567  options->up_restart = true;
5568  }
5569  else if (streq(p[0], "syslog") && !p[2])
5570  {
5572  open_syslog(p[1], false);
5573  }
5574  else if (streq(p[0], "daemon") && !p[2])
5575  {
5576  bool didit = false;
5578  if (!options->daemon)
5579  {
5580  options->daemon = didit = true;
5581  open_syslog(p[1], false);
5582  }
5583  if (p[1])
5584  {
5585  if (!didit)
5586  {
5587  msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
5588  goto err;
5589  }
5590  }
5591  }
5592  else if (streq(p[0], "inetd") && !p[3])
5593  {
5595  if (!options->inetd)
5596  {
5597  int z;
5598  const char *name = NULL;
5599  const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
5600 
5601  options->inetd = -1;
5602 
5603  for (z = 1; z <= 2; ++z)
5604  {
5605  if (p[z])
5606  {
5607  if (streq(p[z], "wait"))
5608  {
5609  if (options->inetd != -1)
5610  {
5611  msg(msglevel, "%s", opterr);
5612  goto err;
5613  }
5614  else
5615  {
5616  options->inetd = INETD_WAIT;
5617  }
5618  }
5619  else if (streq(p[z], "nowait"))
5620  {
5621  if (options->inetd != -1)
5622  {
5623  msg(msglevel, "%s", opterr);
5624  goto err;
5625  }
5626  else
5627  {
5628  options->inetd = INETD_NOWAIT;
5629  }
5630  }
5631  else
5632  {
5633  if (name != NULL)
5634  {
5635  msg(msglevel, "%s", opterr);
5636  goto err;
5637  }
5638  name = p[z];
5639  }
5640  }
5641  }
5642 
5643  /* default */
5644  if (options->inetd == -1)
5645  {
5646  options->inetd = INETD_WAIT;
5647  }
5648 
5650  open_syslog(name, true);
5651  }
5652  }
5653  else if (streq(p[0], "log") && p[1] && !p[2])
5654  {
5656  options->log = true;
5657  redirect_stdout_stderr(p[1], false);
5658  }
5659  else if (streq(p[0], "suppress-timestamps") && !p[1])
5660  {
5662  options->suppress_timestamps = true;
5664  }
5665  else if (streq(p[0], "machine-readable-output") && !p[1])
5666  {
5668  options->machine_readable_output = true;
5670  }
5671  else if (streq(p[0], "log-append") && p[1] && !p[2])
5672  {
5674  options->log = true;
5675  redirect_stdout_stderr(p[1], true);
5676  }
5677 #ifdef ENABLE_MEMSTATS
5678  else if (streq(p[0], "memstats") && p[1] && !p[2])
5679  {
5681  options->memstats_fn = p[1];
5682  }
5683 #endif
5684  else if (streq(p[0], "mlock") && !p[1])
5685  {
5687  options->mlock = true;
5688  }
5689 #if ENABLE_IP_PKTINFO
5690  else if (streq(p[0], "multihome") && !p[1])
5691  {
5693  options->sockflags |= SF_USE_IP_PKTINFO;
5694  }
5695 #endif
5696  else if (streq(p[0], "verb") && p[1] && !p[2])
5697  {
5699  options->verbosity = positive_atoi(p[1]);
5700 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5701  /* Warn when a debug verbosity is supplied when built without debug support */
5702  if (options->verbosity >= 7)
5703  {
5704  msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
5705  options->verbosity);
5706  }
5707 #endif
5708  }
5709  else if (streq(p[0], "mute") && p[1] && !p[2])
5710  {
5712  options->mute = positive_atoi(p[1]);
5713  }
5714  else if (streq(p[0], "errors-to-stderr") && !p[1])
5715  {
5717  errors_to_stderr();
5718  }
5719  else if (streq(p[0], "status") && p[1] && !p[3])
5720  {
5722  options->status_file = p[1];
5723  if (p[2])
5724  {
5725  options->status_file_update_freq = positive_atoi(p[2]);
5726  }
5727  }
5728  else if (streq(p[0], "status-version") && p[1] && !p[2])
5729  {
5730  int version;
5731 
5733  version = atoi(p[1]);
5734  if (version < 1 || version > 3)
5735  {
5736  msg(msglevel, "--status-version must be 1 to 3");
5737  goto err;
5738  }
5739  options->status_file_version = version;
5740  }
5741  else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
5742  {
5744  if (