OpenVPN
options.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
25 /*
26  * 2004-01-28: Added Socks5 proxy support
27  * (Christof Meerwald, http://cmeerw.org)
28  */
29 
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35 #ifdef HAVE_CONFIG_VERSION_H
36 #include "config-version.h"
37 #endif
38 
39 #include "syshead.h"
40 
41 #include "buffer.h"
42 #include "error.h"
43 #include "common.h"
44 #include "run_command.h"
45 #include "shaper.h"
46 #include "crypto.h"
47 #include "ssl.h"
48 #include "options.h"
49 #include "misc.h"
50 #include "socket.h"
51 #include "packet_id.h"
52 #include "pkcs11.h"
53 #include "win32.h"
54 #include "push.h"
55 #include "pool.h"
56 #include "helper.h"
57 #include "manage.h"
58 #include "forward.h"
59 #include "ssl_verify.h"
60 #include "platform.h"
61 #include <ctype.h>
62 
63 #include "memdbg.h"
64 
65 const char title_string[] =
67 #ifdef CONFIGURE_GIT_REVISION
68  " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
69 #endif
70  " " TARGET_ALIAS
71 #if defined(ENABLE_CRYPTO_MBEDTLS)
72  " [SSL (mbed TLS)]"
73 #elif defined(ENABLE_CRYPTO_OPENSSL)
74  " [SSL (OpenSSL)]"
75 #else
76  " [SSL]"
77 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
78 #ifdef USE_COMP
79 #ifdef ENABLE_LZO
80  " [LZO]"
81 #endif
82 #ifdef ENABLE_LZ4
83  " [LZ4]"
84 #endif
85 #ifdef ENABLE_COMP_STUB
86  " [COMP_STUB]"
87 #endif
88 #endif /* USE_COMP */
89 #if EPOLL
90  " [EPOLL]"
91 #endif
92 #ifdef PRODUCT_TAP_DEBUG
93  " [TAPDBG]"
94 #endif
95 #ifdef ENABLE_PKCS11
96  " [PKCS11]"
97 #endif
98 #if ENABLE_IP_PKTINFO
99 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
100  " [MH/PKTINFO]"
101 #elif defined(IP_RECVDSTADDR)
102  " [MH/RECVDA]"
103 #endif
104 #endif
105 #ifdef HAVE_AEAD_CIPHER_MODES
106  " [AEAD]"
107 #endif
108  " built on " __DATE__
109 ;
110 
111 #ifndef ENABLE_SMALL
112 
113 static const char usage_message[] =
114  "%s\n"
115  "\n"
116  "General Options:\n"
117  "--config file : Read configuration options from file.\n"
118  "--help : Show options.\n"
119  "--version : Show copyright and version information.\n"
120  "\n"
121  "Tunnel Options:\n"
122  "--local host : Local host name or ip address. Implies --bind.\n"
123  "--remote host [port] : Remote host name or ip address.\n"
124  "--remote-random : If multiple --remote options specified, choose one randomly.\n"
125  "--remote-random-hostname : Add a random string to remote DNS name.\n"
126  "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
127  "--proto p : Use protocol p for communicating with peer.\n"
128  " p = udp (default), tcp-server, or tcp-client\n"
129  "--proto-force p : only consider protocol p in list of connection profiles.\n"
130  " p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
131  "--connect-retry n [m] : For client, number of seconds to wait between\n"
132  " connection retries (default=%d). On repeated retries\n"
133  " the wait time is exponentially increased to a maximum of m\n"
134  " (default=%d).\n"
135  "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
136  "--http-proxy s p [up] [auth] : Connect to remote host\n"
137  " through an HTTP proxy at address s and port p.\n"
138  " If proxy authentication is required,\n"
139  " up is a file containing username/password on 2 lines, or\n"
140  " 'stdin' to prompt from console. Add auth='ntlm' if\n"
141  " the proxy requires NTLM authentication.\n"
142  "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
143  " determine auth method and query for username/password\n"
144  " if needed. auto-nct disables weak proxy auth methods.\n"
145  "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
146  " Repeat to set multiple options.\n"
147  " VERSION version (default=1.0)\n"
148  " AGENT user-agent\n"
149  "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
150  " address s and port p (default port = 1080).\n"
151  " If proxy authentication is required,\n"
152  " up is a file containing username/password on 2 lines, or\n"
153  " 'stdin' to prompt for console.\n"
154  "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
155  "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
156  " resolve for n seconds before failing (disabled by default).\n"
157  " Set n=\"infinite\" to retry indefinitely.\n"
158  "--float : Allow remote to change its IP address/port, such as through\n"
159  " DHCP (this is the default if --remote is not used).\n"
160  "--ipchange cmd : Run command cmd on remote ip address initial\n"
161  " setting or change -- execute as: cmd ip-address port#\n"
162  "--port port : TCP/UDP port # for both local and remote.\n"
163  "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
164  "--rport port : TCP/UDP port # for remote (default=%s).\n"
165  "--bind : Bind to local address and port. (This is the default unless\n"
166  " --proto tcp-client"
167  " or --http-proxy"
168  " or --socks-proxy"
169  " is used).\n"
170  "--nobind : Do not bind to local address and port.\n"
171  "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
172  "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
173  " this option only if the tun/tap device used with --dev\n"
174  " does not begin with \"tun\" or \"tap\".\n"
175  "--dev-node node : Explicitly set the device node rather than using\n"
176  " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
177  "--lladdr hw : Set the link layer address of the tap device.\n"
178  "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
179 #ifdef ENABLE_IPROUTE
180  "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
181 #endif
182  "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
183  " endpoint and rn as a remote endpoint. l & rn should be\n"
184  " swapped on the other peer. l & rn must be private\n"
185  " addresses outside of the subnets used by either peer.\n"
186  " TAP: configure device to use IP address l as a local\n"
187  " endpoint and rn as a subnet mask.\n"
188  "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
189  " endpoint (as a /64) and r as remote endpoint\n"
190  "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
191  " pass --ifconfig parms by environment to scripts.\n"
192  "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
193  " connection doesn't match the remote side.\n"
194  "--route network [netmask] [gateway] [metric] :\n"
195  " Add route to routing table after connection\n"
196  " is established. Multiple routes can be specified.\n"
197  " netmask default: 255.255.255.255\n"
198  " gateway default: taken from --route-gateway or --ifconfig\n"
199  " Specify default by leaving blank or setting to \"nil\".\n"
200  "--route-ipv6 network/bits [gateway] [metric] :\n"
201  " Add IPv6 route to routing table after connection\n"
202  " is established. Multiple routes can be specified.\n"
203  " gateway default: taken from 'remote' in --ifconfig-ipv6\n"
204  "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
205  "--route-metric m : Specify a default metric for use with --route.\n"
206  "--route-delay n [w] : Delay n seconds after connection initiation before\n"
207  " adding routes (may be 0). If not specified, routes will\n"
208  " be added immediately after tun/tap open. On Windows, wait\n"
209  " up to w seconds for TUN/TAP adapter to come up.\n"
210  "--route-up cmd : Run command cmd after routes are added.\n"
211  "--route-pre-down cmd : Run command cmd before routes are removed.\n"
212  "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
213  " --route-up script using environmental variables.\n"
214  "--route-nopull : When used with --client or --pull, accept options pushed\n"
215  " by server EXCEPT for routes and dhcp options.\n"
216  "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
217  " --ifconfig, --route, and --route-gateway.\n"
218  "--redirect-gateway [flags]: Automatically execute routing\n"
219  " commands to redirect all outgoing IP traffic through the\n"
220  " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
221  " connected via a common subnet, such as with WiFi.\n"
222  " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
223  " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
224  " flag to add a direct route to DHCP server, bypassing tunnel.\n"
225  " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
226  "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
227  " the default gateway. Useful when pushing private subnets.\n"
228  "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
229  "--push-peer-info : (client only) push client info to server.\n"
230  "--setenv name value : Set a custom environmental variable to pass to script.\n"
231  "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
232  " directives for future OpenVPN versions to be ignored.\n"
233  "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
234  " these options to be ignored when unknown\n"
235  "--script-security level: Where level can be:\n"
236  " 0 -- strictly no calling of external programs\n"
237  " 1 -- (default) only call built-ins such as ifconfig\n"
238  " 2 -- allow calling of built-ins and scripts\n"
239  " 3 -- allow password to be passed to scripts via env\n"
240  "--shaper n : Restrict output to peer to n bytes per second.\n"
241  "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
242  " ping once every n seconds, restart if ping not received\n"
243  " for m seconds.\n"
244  "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
245  " produces a combined in/out byte count < bytes.\n"
246  "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
247  "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
248  "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
249  " remote address.\n"
250  "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
251 #if ENABLE_IP_PKTINFO
252  "--multihome : Configure a multi-homed UDP server.\n"
253 #endif
254  "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
255  "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
256  "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
257  "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
258  "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
259  "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
260 #if PASSTOS_CAPABILITY
261  "--passtos : TOS passthrough (applies to IPv4 only).\n"
262 #endif
263  "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
264  " TCP/UDP MTU from it (default=%d).\n"
265  "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
266  " as n bytes more than the tun-mtu size on read\n"
267  " (default TUN=0 TAP=%d).\n"
268  "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
269  " from it.\n"
270  "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
271  " 'no' -- Never send DF (Don't Fragment) frames\n"
272  " 'maybe' -- Use per-route hints\n"
273  " 'yes' -- Always DF (Don't Fragment)\n"
274 #ifdef ENABLE_OCC
275  "--mtu-test : Empirically measure and report MTU.\n"
276 #endif
277 #ifdef ENABLE_FRAGMENT
278  "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
279  " datagrams are sent which are larger than max bytes.\n"
280  " Adds 4 bytes of overhead per datagram.\n"
281 #endif
282  "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
283  " or --fragment max value, whichever is lower.\n"
284  "--sndbuf size : Set the TCP/UDP send buffer size.\n"
285  "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
286 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
287  "--mark value : Mark encrypted packets being sent with value. The mark value\n"
288  " can be matched in policy routing and packetfilter rules.\n"
289 #endif
290  "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
291 #ifdef ENABLE_MEMSTATS
292  "--memstats file : Write live usage stats to memory mapped binary file.\n"
293 #endif
294  "--mlock : Disable Paging -- ensures key material and tunnel\n"
295  " data will never be written to disk.\n"
296  "--up cmd : Run command cmd after successful tun device open.\n"
297  " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
298  " ifconfig-local-ip ifconfig-remote-ip\n"
299  " (pre --user or --group UID/GID change)\n"
300  "--up-delay : Delay tun/tap open and possible --up script execution\n"
301  " until after TCP/UDP connection establishment with peer.\n"
302  "--down cmd : Run command cmd after tun device close.\n"
303  " (post --user/--group UID/GID change and/or --chroot)\n"
304  " (command parameters are same as --up option)\n"
305  "--down-pre : Run --down command before TUN/TAP close.\n"
306  "--up-restart : Run up/down commands for all restarts including those\n"
307  " caused by --ping-restart or SIGUSR1\n"
308  "--user user : Set UID to user after initialization.\n"
309  "--group group : Set GID to group after initialization.\n"
310  "--chroot dir : Chroot to this directory after initialization.\n"
311 #ifdef ENABLE_SELINUX
312  "--setcon context: Apply this SELinux context after initialization.\n"
313 #endif
314  "--cd dir : Change to this directory before initialization.\n"
315  "--daemon [name] : Become a daemon after initialization.\n"
316  " The optional 'name' parameter will be passed\n"
317  " as the program name to the system logger.\n"
318  "--syslog [name] : Output to syslog, but do not become a daemon.\n"
319  " See --daemon above for a description of the 'name' parm.\n"
320  "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
321  " See --daemon above for a description of the 'name' parm.\n"
322  "--log file : Output log to file which is created/truncated on open.\n"
323  "--log-append file : Append log to file, or create file if nonexistent.\n"
324  "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
325  "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
326  "--writepid file : Write main process ID to file.\n"
327  "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
328  "--echo [parms ...] : Echo parameters to log output.\n"
329  "--verb n : Set output verbosity to n (default=%d):\n"
330  " (Level 3 is recommended if you want a good summary\n"
331  " of what's happening without being swamped by output).\n"
332  " : 0 -- no output except fatal errors\n"
333  " : 1 -- startup info + connection initiated messages +\n"
334  " non-fatal encryption & net errors\n"
335  " : 2,3 -- show TLS negotiations & route info\n"
336  " : 4 -- show parameters\n"
337  " : 5 -- show 'RrWw' chars on console for each packet sent\n"
338  " and received from TCP/UDP (caps) or tun/tap (lc)\n"
339  " : 6 to 11 -- debug messages of increasing verbosity\n"
340  "--mute n : Log at most n consecutive messages in the same category.\n"
341  "--status file n : Write operational status to file every n seconds.\n"
342  "--status-version [n] : Choose the status file format version number.\n"
343  " Currently, n can be 1, 2, or 3 (default=1).\n"
344 #ifdef ENABLE_OCC
345  "--disable-occ : Disable options consistency check between peers.\n"
346 #endif
347 #ifdef ENABLE_DEBUG
348  "--gremlin mask : Special stress testing mode (for debugging only).\n"
349 #endif
350 #if defined(USE_COMP)
351  "--compress alg : Use compression algorithm alg\n"
352 #if defined(ENABLE_LZO)
353  "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
354  " packet for uncompressible data.\n"
355  "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
356  " is specified.\n"
357 #endif
358 #endif
359 #ifdef ENABLE_MANAGEMENT
360  "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
361  " management functions. pass is a password file\n"
362  " or 'stdin' to prompt from console.\n"
363 #if UNIX_SOCK_SUPPORT
364  " To listen on a unix domain socket, specific the pathname\n"
365  " in place of ip and use 'unix' as the port number.\n"
366 #endif
367  "--management-client : Management interface will connect as a TCP client to\n"
368  " ip/port rather than listen as a TCP server.\n"
369  "--management-query-passwords : Query management channel for private key\n"
370  " and auth-user-pass passwords.\n"
371  "--management-query-proxy : Query management channel for proxy information.\n"
372  "--management-query-remote : Query management channel for --remote directive.\n"
373  "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
374  " of the management interface explicitly starts it.\n"
375  "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
376  "--management-forget-disconnect : Forget passwords when management disconnect\n"
377  " event occurs.\n"
378  "--management-up-down : Report tunnel up/down events to management interface.\n"
379  "--management-log-cache n : Cache n lines of log file history for usage\n"
380  " by the management channel.\n"
381 #if UNIX_SOCK_SUPPORT
382  "--management-client-user u : When management interface is a unix socket, only\n"
383  " allow connections from user u.\n"
384  "--management-client-group g : When management interface is a unix socket, only\n"
385  " allow connections from group g.\n"
386 #endif
387 #ifdef MANAGEMENT_DEF_AUTH
388  "--management-client-auth : gives management interface client the responsibility\n"
389  " to authenticate clients after their client certificate\n"
390  " has been verified.\n"
391 #endif
392 #ifdef MANAGEMENT_PF
393  "--management-client-pf : management interface clients must specify a packet\n"
394  " filter file for each connecting client.\n"
395 #endif
396 #endif /* ifdef ENABLE_MANAGEMENT */
397 #ifdef ENABLE_PLUGIN
398  "--plugin m [str]: Load plug-in module m passing str as an argument\n"
399  " to its initialization function.\n"
400 #endif
401 #if P2MP
402 #if P2MP_SERVER
403  "\n"
404  "Multi-Client Server options (when --mode server is used):\n"
405  "--server network netmask : Helper option to easily configure server mode.\n"
406  "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
407  "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
408  " easily configure ethernet bridging server mode.\n"
409  "--push \"option\" : Push a config file option back to the peer for remote\n"
410  " execution. Peer must specify --pull in its config file.\n"
411  "--push-reset : Don't inherit global push list for specific\n"
412  " client instance.\n"
413  "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
414  " to be dynamically allocated to connecting clients.\n"
415  "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather \n"
416  " than /30 subnets\n in tun mode. Not compatible with\n"
417  " Windows clients.\n"
418  "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
419  " data to file, at seconds intervals (default=600).\n"
420  " If seconds=0, file will be treated as read-only.\n"
421  "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
422  " to be dynamically allocated to connecting clients.\n"
423  "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
424  " overrides --ifconfig-pool dynamic allocation.\n"
425  " Only valid in a client-specific config file.\n"
426  "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
427  " remote, overrides --ifconfig-ipv6-pool allocation.\n"
428  " Only valid in a client-specific config file.\n"
429  "--iroute network [netmask] : Route subnet to client.\n"
430  "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
431  " Sets up internal routes only.\n"
432  " Only valid in a client-specific config file.\n"
433  "--disable : Client is disabled.\n"
434  " Only valid in a client-specific config file.\n"
435  "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n"
436  " will authenticate using username/password.\n"
437  "--verify-client-cert [none|optional|require] : perform no, optional or\n"
438  " mandatory client certificate verification.\n"
439  " Default is to require the client to supply a certificate.\n"
440  "--username-as-common-name : For auth-user-pass authentication, use\n"
441  " the authenticated username as the common name,\n"
442  " rather than the common name from the client cert.\n"
443  "--auth-user-pass-verify cmd method: Query client for username/password and\n"
444  " run command cmd to verify. If method='via-env', pass\n"
445  " user/pass via environment, if method='via-file', pass\n"
446  " user/pass via temporary file.\n"
447  "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
448  " to each client, replacing the password. Usefull when\n"
449  " OTP based two-factor auth mechanisms are in use and\n"
450  " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
451  " for generated tokens can be set.\n"
452  "--opt-verify : Clients that connect with options that are incompatible\n"
453  " with those of the server will be disconnected.\n"
454  "--auth-user-pass-optional : Allow connections by clients that don't\n"
455  " specify a username/password.\n"
456  "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
457  " any printable character.\n"
458  "--client-to-client : Internally route client-to-client traffic.\n"
459  "--duplicate-cn : Allow multiple clients with the same common name to\n"
460  " concurrently connect.\n"
461  "--client-connect cmd : Run command cmd on client connection.\n"
462  "--client-disconnect cmd : Run command cmd on client disconnection.\n"
463  "--client-config-dir dir : Directory for custom client config files.\n"
464  "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
465  "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
466  "--hash-size r v : Set the size of the real address hash table to r and the\n"
467  " virtual address table to v.\n"
468  "--bcast-buffers n : Allocate n broadcast buffers.\n"
469  "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
470  "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
471  " as well as pushes it to connecting clients.\n"
472  "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
473  "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
474  "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
475  "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
476  "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
477  " older than n seconds. Run this check every t\n"
478  " seconds (defaults to n).\n"
479  "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
480  " clients. n = 1 - reconnect to same server,\n"
481  " 2 - advance to next server, default=1.\n"
482 #if PORT_SHARE
483  "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
484  " sessions to a web server at host:port. dir specifies an\n"
485  " optional directory to write origin IP:port data.\n"
486 #endif
487 #endif /* if P2MP_SERVER */
488  "\n"
489  "Client options (when connecting to a multi-client server):\n"
490  "--client : Helper option to easily configure client mode.\n"
491  "--auth-user-pass [up] : Authenticate with server using username/password.\n"
492  " up is a file containing the username on the first line,\n"
493  " and a password on the second. If either the password or both\n"
494  " the username and the password are omitted OpenVPN will prompt\n"
495  " for them from console.\n"
496  "--pull : Accept certain config file options from the peer as if they\n"
497  " were part of the local config file. Must be specified\n"
498  " when connecting to a '--mode server' remote host.\n"
499  "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
500  " server if it starts with the text t. The action flag accept,\n"
501  " ignore or reject causes the option to be allowed, removed or\n"
502  " rejected with error. May be specified multiple times, and\n"
503  " each filter is applied in the order of appearance.\n"
504  "--auth-retry t : How to handle auth failures. Set t to\n"
505  " none (default), interact, or nointeract.\n"
506  "--static-challenge t e : Enable static challenge/response protocol using\n"
507  " challenge text t, with e indicating echo flag (0|1)\n"
508  "--connect-timeout n : when polling possible remote servers to connect to\n"
509  " in a round-robin fashion, spend no more than n seconds\n"
510  " waiting for a response before trying the next server.\n"
511  "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
512  " incoming tun packets with same destination as host.\n"
513 #endif /* if P2MP */
514 #ifdef ENABLE_OCC
515  "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
516  " server/remote. n = # of retries, default=1.\n"
517 #endif
518  "\n"
519  "Data Channel Encryption Options (must be compatible between peers):\n"
520  "(These options are meaningful for both Static Key & TLS-mode)\n"
521  "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
522  " Use shared secret file f, generate with --genkey.\n"
523  " The optional d parameter controls key directionality.\n"
524  " If d is specified, use separate keys for each\n"
525  " direction, set d=0 on one side of the connection,\n"
526  " and d=1 on the other side.\n"
527  "--auth alg : Authenticate packets with HMAC using message\n"
528  " digest algorithm alg (default=%s).\n"
529  " (usually adds 16 or 20 bytes per packet)\n"
530  " Set alg=none to disable authentication.\n"
531  "--cipher alg : Encrypt packets with cipher algorithm alg\n"
532  " (default=%s).\n"
533  " Set alg=none to disable encryption.\n"
534  "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
535  "--ncp-disable : Disable cipher negotiation.\n"
536  "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
537  " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
538 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
539  "--keysize n : (DEPRECATED) Size of cipher key in bits (optional).\n"
540  " If unspecified, defaults to cipher-specific default.\n"
541 #endif
542 #ifndef ENABLE_CRYPTO_MBEDTLS
543  "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
544 #endif
545  "--no-replay : (DEPRECATED) Disable replay protection.\n"
546  "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
547  "--replay-window n [t] : Use a replay protection sliding window of size n\n"
548  " and a time window of t seconds.\n"
549  " Default n=%d t=%d\n"
550  "--replay-persist file : Persist replay-protection state across sessions\n"
551  " using file.\n"
552  "--test-crypto : Run a self-test of crypto features enabled.\n"
553  " For debugging only.\n"
554 #ifdef ENABLE_PREDICTION_RESISTANCE
555  "--use-prediction-resistance: Enable prediction resistance on the random\n"
556  " number generator.\n"
557 #endif
558  "\n"
559  "TLS Key Negotiation Options:\n"
560  "(These options are meaningful only for TLS-mode)\n"
561  "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
562  "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
563  "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
564  " number, such as 1 (default), 2, etc.\n"
565  "--ca file : Certificate authority file in .pem format containing\n"
566  " root certificate.\n"
567 #ifndef ENABLE_CRYPTO_MBEDTLS
568  "--capath dir : A directory of trusted certificates (CAs"
569  " and CRLs).\n"
570 #endif /* ENABLE_CRYPTO_MBEDTLS */
571  "--dh file : File containing Diffie Hellman parameters\n"
572  " in .pem format (for --tls-server only).\n"
573  " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
574  "--cert file : Local certificate in .pem format -- must be signed\n"
575  " by a Certificate Authority in --ca file.\n"
576  "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
577  "--key file : Local private key in .pem format.\n"
578  "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
579  " will accept from the peer. If version is unrecognized and 'or-highest'\n"
580  " is specified, require max TLS version supported by SSL implementation.\n"
581  "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
582 #ifndef ENABLE_CRYPTO_MBEDTLS
583  "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
584  " and optionally the root CA certificate.\n"
585 #endif
586 #ifdef ENABLE_X509ALTUSERNAME
587  "--x509-username-field : Field in x509 certificate containing the username.\n"
588  " Default is CN in the Subject field.\n"
589 #endif
590  "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
591  " Valid algo flags are SHA1 and SHA256. \n"
592 #ifdef _WIN32
593  "--cryptoapicert select-string : Load the certificate and private key from the\n"
594  " Windows Certificate System Store.\n"
595 #endif
596  "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
597  " : Use --show-tls to see a list of supported TLS ciphers.\n"
598  "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
599  " (default=legacy).\n"
600  "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
601  " if no ACK from remote within n seconds (default=%d).\n"
602  "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
603  "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
604  "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
605  " and at least min (defaults to 90%% of max on servers and equal\n"
606  " to max on clients).\n"
607  "--hand-window n : Data channel key exchange must finalize within n seconds\n"
608  " of handshake initiation by any peer (default=%d).\n"
609  "--tran-window n : Transition window -- old key can live this many seconds\n"
610  " after new key renegotiation begins (default=%d).\n"
611  "--single-session: Allow only one session (reset state on restart).\n"
612  "--tls-exit : Exit on TLS negotiation failure.\n"
613  "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
614  " control channel to protect against attacks on the TLS stack\n"
615  " and DoS attacks.\n"
616  " f (required) is a shared-secret key file.\n"
617  " The optional d parameter controls key directionality,\n"
618  " see --secret option for more info.\n"
619  "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
620  " of the TLS control channel to hide the TLS certificate,\n"
621  " provide basic post-quantum security and protect against\n"
622  " attacks on the TLS stack and DoS attacks.\n"
623  " key (required) provides the pre-shared key file.\n"
624  " see --secret option for more info.\n"
625  "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
626  "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
627  "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
628  "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
629  " pending TLS connection that has otherwise passed all other\n"
630  " tests of certification. cmd should return 0 to allow\n"
631  " TLS handshake to proceed, or 1 to fail. (cmd is\n"
632  " executed as 'cmd certificate_depth subject')\n"
633  "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
634  " in an openvpn temporary file in [directory]. Peer cert is \n"
635  " stored before tls-verify script execution and deleted after.\n"
636  "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
637  " DN name. The remote host must also pass all other tests\n"
638  " of verification.\n"
639  "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
640  " an explicit nsCertType designation t = 'client' | 'server'.\n"
641  "--x509-track x : Save peer X509 attribute x in environment for use by\n"
642  " plugins and management interface.\n"
643 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
644  "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
645  " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
646 #endif
647  "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
648  " explicit key usage, you can specify more than one value.\n"
649  " value should be given in hex format.\n"
650  "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
651  " explicit extended key usage. Extended key usage can be encoded\n"
652  " as an object identifier or OpenSSL string representation.\n"
653  "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
654  " key usage and extended key usage based on RFC3280 TLS rules.\n"
655  " t = 'client' | 'server'.\n"
656 #ifdef ENABLE_PKCS11
657  "\n"
658  "PKCS#11 Options:\n"
659  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
660  "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
661  " path. Set for each provider.\n"
662  "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
663  " 0 : Try to determind automatically (default).\n"
664  " 1 : Use Sign.\n"
665  " 2 : Use SignRecover.\n"
666  " 4 : Use Decrypt.\n"
667  " 8 : Use Unwrap.\n"
668  "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
669  " certificate can be accessed. Set for each provider.\n"
670  "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
671  " cache until token is removed.\n"
672  "--pkcs11-id-management : Acquire identity from management interface.\n"
673  "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
674 #endif /* ENABLE_PKCS11 */
675  "\n"
676  "SSL Library information:\n"
677  "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
678  "--show-digests : Show message digest algorithms to use with --auth option.\n"
679  "--show-engines : Show hardware crypto accelerator engines (if available).\n"
680  "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
681 #ifdef _WIN32
682  "\n"
683  "Windows Specific:\n"
684  "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
685  " from SystemRoot environment variable.\n"
686  "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
687  " IP address using method = manual, netsh, ipapi,\n"
688  " dynamic, or adaptive (default = adaptive).\n"
689  " Dynamic method allows two optional parameters:\n"
690  " offset: DHCP server address offset (> -256 and < 256).\n"
691  " If 0, use network address, if >0, take nth\n"
692  " address forward from network address, if <0,\n"
693  " take nth address backward from broadcast\n"
694  " address.\n"
695  " Default is 0.\n"
696  " lease-time: Lease time in seconds.\n"
697  " Default is one year.\n"
698  "--route-method : Which method to use for adding routes on Windows?\n"
699  " adaptive (default) -- Try ipapi then fall back to exe.\n"
700  " ipapi -- Use IP helper API.\n"
701  " exe -- Call the route.exe shell command.\n"
702  "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
703  " be used with --ip-win32 dynamic. For options\n"
704  " which allow multiple addresses,\n"
705  " --dhcp-option must be repeated.\n"
706  " DOMAIN name : Set DNS suffix\n"
707  " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
708  " NTP : Set NTP server address(es)\n"
709  " NBDD : Set NBDD server address(es)\n"
710  " WINS addr : Set WINS server address(es)\n"
711  " NBT type : Set NetBIOS over TCP/IP Node type\n"
712  " 1: B, 2: P, 4: M, 8: H\n"
713  " NBS id : Set NetBIOS scope ID\n"
714  " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
715  "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
716  "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
717  " startup.\n"
718  "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
719  " on connection initiation.\n"
720  "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
721  " attempting to set adapter properties.\n"
722  "--pause-exit : When run from a console window, pause before exiting.\n"
723  "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
724  " service, and should not be used directly by end-users.\n"
725  " ex is the name of an event object which, when\n"
726  " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
727  " optional parameter controls the initial state of ex.\n"
728  "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
729  " after TAP adapter is up and routes have been added.\n"
730 #ifdef _WIN32
731  "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
732 #endif
733  "Windows Standalone Options:\n"
734  "\n"
735  "--show-adapters : Show all TAP-Windows adapters.\n"
736  "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
737  "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
738  "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
739  " to access TAP adapter.\n"
740 #endif /* ifdef _WIN32 */
741  "\n"
742  "Generate a random key (only for non-TLS static key encryption mode):\n"
743  "--genkey : Generate a random key to be used as a shared secret,\n"
744  " for use with the --secret option.\n"
745  "--secret file : Write key to file.\n"
746 #ifdef ENABLE_FEATURE_TUN_PERSIST
747  "\n"
748  "Tun/tap config mode (available with linux 2.4+):\n"
749  "--mktun : Create a persistent tunnel.\n"
750  "--rmtun : Remove a persistent tunnel.\n"
751  "--dev tunX|tapX : tun/tap device\n"
752  "--dev-type dt : Device type. See tunnel options above for details.\n"
753  "--user user : User to set privilege to.\n"
754  "--group group : Group to set privilege to.\n"
755 #endif
756 #ifdef ENABLE_PKCS11
757  "\n"
758  "PKCS#11 standalone options:\n"
759 #ifdef DEFAULT_PKCS11_MODULE
760  "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
761 #else
762  "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
763 #endif
764  " --verb option can be added *BEFORE* this.\n"
765 #endif /* ENABLE_PKCS11 */
766  "\n"
767  "General Standalone Options:\n"
768 #ifdef ENABLE_DEBUG
769  "--show-gateway : Show info about default gateway.\n"
770 #endif
771 ;
772 
773 #endif /* !ENABLE_SMALL */
774 
775 /*
776  * This is where the options defaults go.
777  * Any option not explicitly set here
778  * will be set to 0.
779  */
780 void
781 init_options(struct options *o, const bool init_gc)
782 {
783  CLEAR(*o);
784  if (init_gc)
785  {
786  gc_init(&o->gc);
787  o->gc_owned = true;
788  }
790  o->topology = TOP_NET30;
791  o->ce.proto = PROTO_UDP;
792  o->ce.af = AF_UNSPEC;
793  o->ce.bind_ipv6_only = false;
794  o->ce.connect_retry_seconds = 5;
795  o->ce.connect_retry_seconds_max = 300;
796  o->ce.connect_timeout = 120;
797  o->connect_retry_max = 0;
799  o->verbosity = 1;
800  o->status_file_update_freq = 60;
801  o->status_file_version = 1;
802  o->ce.bind_local = true;
805  o->ce.mtu_discover_type = -1;
806  o->ce.mssfix = MSSFIX_DEFAULT;
807  o->route_delay_window = 30;
809  o->resolve_in_advance = false;
810  o->proto_force = -1;
811 #ifdef ENABLE_OCC
812  o->occ = true;
813 #endif
814 #ifdef ENABLE_MANAGEMENT
818 #endif
819 #ifdef ENABLE_FEATURE_TUN_PERSIST
820  o->persist_mode = 1;
821 #endif
822 #ifdef TARGET_LINUX
823  o->tuntap_options.txqueuelen = 100;
824 #endif
825 #ifdef _WIN32
826 #if 0
828 #else
830 #endif
831  o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
832  o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
834  o->block_outside_dns = false;
835 #endif
836 #if P2MP_SERVER
837  o->real_hash_size = 256;
838  o->virtual_hash_size = 256;
839  o->n_bcast_buf = 256;
840  o->tcp_queue_limit = 64;
841  o->max_clients = 1024;
842  o->max_routes_per_client = 256;
845 #endif
846 #if P2MP
848 #endif
849  o->ciphername = "BF-CBC";
850 #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
851  o->ncp_enabled = true;
852 #else
853  o->ncp_enabled = false;
854 #endif
855  o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
856  o->authname = "SHA1";
857  o->prng_hash = "SHA1";
858  o->prng_nonce_secret_len = 16;
859  o->replay = true;
863 #ifdef ENABLE_PREDICTION_RESISTANCE
864  o->use_prediction_resistance = false;
865 #endif
866  o->key_method = 2;
867  o->tls_timeout = 2;
868  o->renegotiate_bytes = -1;
869  o->renegotiate_seconds = 3600;
870  o->renegotiate_seconds_min = -1;
871  o->handshake_window = 60;
872  o->transition_window = 3600;
873  o->tls_cert_profile = NULL;
874  o->ecdh_curve = NULL;
875 #ifdef ENABLE_X509ALTUSERNAME
876  o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
877 #endif
878 #ifdef ENABLE_PKCS11
879  o->pkcs11_pin_cache_period = -1;
880 #endif /* ENABLE_PKCS11 */
881 
882 /* P2MP server context features */
883 #if P2MP_SERVER
884  o->auth_token_generate = false;
885 
886  /* Set default --tmp-dir */
887 #ifdef _WIN32
888  /* On Windows, find temp dir via enviroment variables */
889  o->tmp_dir = win_get_tempdir();
890 #else
891  /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
892  o->tmp_dir = getenv("TMPDIR");
893  if (!o->tmp_dir)
894  {
895  o->tmp_dir = "/tmp";
896  }
897 #endif /* _WIN32 */
898 #endif /* P2MP_SERVER */
899  o->allow_recursive_routing = false;
900 }
901 
902 void
904 {
905  if (o->gc_owned)
906  {
907  gc_free(&o->gc);
908  }
909 }
910 
912 {
913 #define PUF_TYPE_UNDEF 0
914 #define PUF_TYPE_ACCEPT 1
915 #define PUF_TYPE_IGNORE 2
916 #define PUF_TYPE_REJECT 3
917  int type;
918  int size;
919  char *pattern;
920  struct pull_filter *next;
921 };
922 
924 {
925  struct pull_filter *head;
926  struct pull_filter *tail;
927 };
928 
929 static const char *
931 {
932  if (type == PUF_TYPE_ACCEPT)
933  {
934  return "accept";
935  }
936  if (type == PUF_TYPE_IGNORE)
937  {
938  return "ignore";
939  }
940  if (type == PUF_TYPE_REJECT)
941  {
942  return "reject";
943  }
944  else
945  {
946  return "???";
947  }
948 }
949 
950 #ifndef ENABLE_SMALL
951 
952 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
953 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
954 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
955 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
956 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
957 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
958 
959 #endif
960 
961 static void
963  const struct connection_entry *e,
964  const int i)
965 {
966  setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
967  setenv_str_i(es, "local", e->local, i);
968  setenv_str_i(es, "local_port", e->local_port, i);
969  setenv_str_i(es, "remote", e->remote, i);
970  setenv_str_i(es, "remote_port", e->remote_port, i);
971 
972  if (e->http_proxy_options)
973  {
974  setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
975  setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
976  }
977  if (e->socks_proxy_server)
978  {
979  setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
980  setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
981  }
982 }
983 
984 void
985 setenv_settings(struct env_set *es, const struct options *o)
986 {
987  setenv_str(es, "config", o->config);
988  setenv_int(es, "verb", o->verbosity);
989  setenv_int(es, "daemon", o->daemon);
990  setenv_int(es, "daemon_log_redirect", o->log);
991  setenv_long_long(es, "daemon_start_time", time(NULL));
992  setenv_int(es, "daemon_pid", platform_getpid());
993 
994  if (o->connection_list)
995  {
996  int i;
997  for (i = 0; i < o->connection_list->len; ++i)
998  {
1000  }
1001  }
1002  else
1003  {
1004  setenv_connection_entry(es, &o->ce, 1);
1005  }
1006 }
1007 
1008 static in_addr_t
1009 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1010 {
1011  unsigned int flags = GETADDR_HOST_ORDER;
1012  bool succeeded = false;
1013  in_addr_t ret;
1014 
1015  if (msglevel & M_FATAL)
1016  {
1017  flags |= GETADDR_FATAL;
1018  }
1019 
1020  ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1021  if (!succeeded && error)
1022  {
1023  *error = true;
1024  }
1025  return ret;
1026 }
1027 
1028 /* helper: parse a text string containing an IPv6 address + netbits
1029  * in "standard format" (2001:dba::/32)
1030  * "/nn" is optional, default to /64 if missing
1031  *
1032  * return true if parsing succeeded, modify *network and *netbits
1033  */
1034 bool
1035 get_ipv6_addr( const char *prefix_str, struct in6_addr *network,
1036  unsigned int *netbits, int msglevel)
1037 {
1038  char *sep, *endp;
1039  int bits;
1040  struct in6_addr t_network;
1041 
1042  sep = strchr( prefix_str, '/' );
1043  if (sep == NULL)
1044  {
1045  bits = 64;
1046  }
1047  else
1048  {
1049  bits = strtol( sep+1, &endp, 10 );
1050  if (*endp != '\0' || bits < 0 || bits > 128)
1051  {
1052  msg(msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str);
1053  return false;
1054  }
1055  }
1056 
1057  /* temporary replace '/' in caller-provided string with '\0', otherwise
1058  * inet_pton() will refuse prefix string
1059  * (alternative would be to strncpy() the prefix to temporary buffer)
1060  */
1061 
1062  if (sep != NULL)
1063  {
1064  *sep = '\0';
1065  }
1066 
1067  if (inet_pton( AF_INET6, prefix_str, &t_network ) != 1)
1068  {
1069  msg(msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str);
1070  return false;
1071  }
1072 
1073  if (sep != NULL)
1074  {
1075  *sep = '/';
1076  }
1077 
1078  if (netbits != NULL)
1079  {
1080  *netbits = bits;
1081  }
1082  if (network != NULL)
1083  {
1084  *network = t_network;
1085  }
1086  return true; /* parsing OK, values set */
1087 }
1088 
1094 static char *
1095 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1096 {
1097  const char *end = strchr(addr, '/');
1098  char *ret = NULL;
1099  if (NULL == end)
1100  {
1101  ret = string_alloc(addr, gc);
1102  }
1103  else
1104  {
1105  size_t len = end - addr;
1106  ret = gc_malloc(len + 1, true, gc);
1107  memcpy(ret, addr, len);
1108  }
1109  return ret;
1110 }
1111 
1112 static bool
1113 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1114 {
1115  struct in6_addr t_addr;
1116  unsigned int t_bits;
1117 
1118  return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1119 }
1120 
1121 static char *
1122 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1123 {
1124  char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1125  char *dest = ret;
1126  char c;
1127 
1128  do
1129  {
1130  c = *src++;
1131  if (c == from)
1132  {
1133  c = to;
1134  }
1135  *dest++ = c;
1136  }
1137  while (c);
1138  return ret;
1139 }
1140 
1141 static uint8_t *
1142 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1143 {
1144  int i;
1145  const char *cp = str;
1146  uint8_t *ret = (uint8_t *) gc_malloc(nbytes, true, gc);
1147  char term = 1;
1148  int byte;
1149  char bs[3];
1150 
1151  for (i = 0; i < nbytes; ++i)
1152  {
1153  if (strlen(cp) < 2)
1154  {
1155  msg(msglevel, "format error in hash fingerprint: %s", str);
1156  }
1157  bs[0] = *cp++;
1158  bs[1] = *cp++;
1159  bs[2] = 0;
1160  byte = 0;
1161  if (sscanf(bs, "%x", &byte) != 1)
1162  {
1163  msg(msglevel, "format error in hash fingerprint hex byte: %s", str);
1164  }
1165  ret[i] = (uint8_t)byte;
1166  term = *cp++;
1167  if (term != ':' && term != 0)
1168  {
1169  msg(msglevel, "format error in hash fingerprint delimiter: %s", str);
1170  }
1171  if (term == 0)
1172  {
1173  break;
1174  }
1175  }
1176  if (term != 0 || i != nbytes-1)
1177  {
1178  msg(msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str);
1179  }
1180  return ret;
1181 }
1182 
1183 #ifdef _WIN32
1184 
1185 #ifndef ENABLE_SMALL
1186 
1187 static void
1188 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1189 {
1190  struct gc_arena gc = gc_new();
1191  int i;
1192  for (i = 0; i < len; ++i)
1193  {
1194  msg(D_SHOW_PARMS, " %s[%d] = %s",
1195  name,
1196  i,
1197  print_in_addr_t(array[i], 0, &gc));
1198  }
1199  gc_free(&gc);
1200 }
1201 
1202 static void
1204 {
1205  SHOW_BOOL(ip_win32_defined);
1206  SHOW_INT(ip_win32_type);
1207  SHOW_INT(dhcp_masq_offset);
1208  SHOW_INT(dhcp_lease_time);
1209  SHOW_INT(tap_sleep);
1210  SHOW_BOOL(dhcp_options);
1212  SHOW_BOOL(dhcp_pre_release);
1213  SHOW_STR(domain);
1214  SHOW_STR(netbios_scope);
1215  SHOW_INT(netbios_node_type);
1216  SHOW_BOOL(disable_nbt);
1217 
1218  show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1219  show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1220  show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1221  show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1222 }
1223 
1224 #endif /* ifndef ENABLE_SMALL */
1225 #endif /* ifdef _WIN32 */
1226 
1227 #if defined(_WIN32) || defined(TARGET_ANDROID)
1228 static void
1229 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1230 {
1231  struct in6_addr addr;
1232  if (*len >= N_DHCP_ADDR)
1233  {
1234  msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1235  N_DHCP_ADDR);
1236  }
1237  else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1238  {
1239  dns6_list[(*len)++] = addr;
1240  }
1241 }
1242 static void
1243 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1244 {
1245  if (*len >= N_DHCP_ADDR)
1246  {
1247  msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1248  name,
1249  N_DHCP_ADDR,
1250  name);
1251  }
1252  else
1253  {
1254  if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1255  {
1256  bool error = false;
1257  const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1258  if (!error)
1259  {
1260  array[(*len)++] = addr;
1261  }
1262  }
1263  else
1264  {
1265  msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1266  }
1267  }
1268 }
1269 
1270 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1271 
1272 #if P2MP
1273 
1274 #ifndef ENABLE_SMALL
1275 
1276 static void
1277 show_p2mp_parms(const struct options *o)
1278 {
1279  struct gc_arena gc = gc_new();
1280 
1281 #if P2MP_SERVER
1282  msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1283  msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1284  msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1285  SHOW_INT(server_netbits_ipv6);
1286  msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1287  msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1288  msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1289  msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1290  if (o->push_list.head)
1291  {
1292  const struct push_entry *e = o->push_list.head;
1293  while (e)
1294  {
1295  if (e->enable)
1296  {
1297  msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1298  }
1299  e = e->next;
1300  }
1301  }
1302  SHOW_BOOL(ifconfig_pool_defined);
1303  msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1304  msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1305  msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1306  SHOW_STR(ifconfig_pool_persist_filename);
1307  SHOW_INT(ifconfig_pool_persist_refresh_freq);
1308  SHOW_BOOL(ifconfig_ipv6_pool_defined);
1309  msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1310  SHOW_INT(ifconfig_ipv6_pool_netbits);
1311  SHOW_INT(n_bcast_buf);
1312  SHOW_INT(tcp_queue_limit);
1313  SHOW_INT(real_hash_size);
1314  SHOW_INT(virtual_hash_size);
1315  SHOW_STR(client_connect_script);
1317  SHOW_STR(client_disconnect_script);
1318  SHOW_STR(client_config_dir);
1319  SHOW_BOOL(ccd_exclusive);
1320  SHOW_STR(tmp_dir);
1321  SHOW_BOOL(push_ifconfig_defined);
1322  msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1323  msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1324  SHOW_BOOL(push_ifconfig_ipv6_defined);
1325  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1326  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1327  SHOW_BOOL(enable_c2c);
1328  SHOW_BOOL(duplicate_cn);
1329  SHOW_INT(cf_max);
1330  SHOW_INT(cf_per);
1331  SHOW_INT(max_clients);
1332  SHOW_INT(max_routes_per_client);
1333  SHOW_STR(auth_user_pass_verify_script);
1334  SHOW_BOOL(auth_user_pass_verify_script_via_file);
1335  SHOW_BOOL(auth_token_generate);
1336  SHOW_INT(auth_token_lifetime);
1337 #if PORT_SHARE
1338  SHOW_STR(port_share_host);
1339  SHOW_STR(port_share_port);
1340 #endif
1341 #endif /* P2MP_SERVER */
1342 
1343  SHOW_BOOL(client);
1344  SHOW_BOOL(pull);
1345  SHOW_STR(auth_user_pass_file);
1346 
1347  gc_free(&gc);
1348 }
1349 
1350 #endif /* ! ENABLE_SMALL */
1351 
1352 #if P2MP_SERVER
1353 
1354 static void
1356  const char *network_str,
1357  const char *netmask_str,
1358  int msglevel)
1359 {
1360  struct iroute *ir;
1361 
1362  ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1363  ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1364  ir->netbits = -1;
1365 
1366  if (netmask_str)
1367  {
1368  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1369  if (!netmask_to_netbits(ir->network, netmask, &ir->netbits))
1370  {
1371  msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1372  network_str,
1373  netmask_str);
1374  return;
1375  }
1376  }
1377 
1378  ir->next = o->iroutes;
1379  o->iroutes = ir;
1380 }
1381 
1382 static void
1384  const char *prefix_str,
1385  int msglevel)
1386 {
1387  struct iroute_ipv6 *ir;
1388 
1389  ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1390 
1391  if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1392  {
1393  msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1394  prefix_str);
1395  return;
1396  }
1397 
1398  ir->next = o->iroutes_ipv6;
1399  o->iroutes_ipv6 = ir;
1400 }
1401 #endif /* P2MP_SERVER */
1402 #endif /* P2MP */
1403 
1404 #ifndef ENABLE_SMALL
1405 static void
1407 {
1408  int i;
1409  msg(D_SHOW_PARMS, "BEGIN http_proxy");
1410  SHOW_STR(server);
1411  SHOW_STR(port);
1412  SHOW_STR(auth_method_string);
1413  SHOW_STR(auth_file);
1414  SHOW_STR(http_version);
1415  SHOW_STR(user_agent);
1416  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1417  {
1418  if (o->custom_headers[i].content)
1419  {
1420  msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1421  o->custom_headers[i].name, o->custom_headers[i].content);
1422  }
1423  else
1424  {
1425  msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1426  o->custom_headers[i].name);
1427  }
1428  }
1429  msg(D_SHOW_PARMS, "END http_proxy");
1430 }
1431 #endif /* ifndef ENABLE_SMALL */
1432 
1433 void
1435 {
1436  gc_detach(&o->gc);
1437  o->routes = NULL;
1438  o->client_nat = NULL;
1439 #if P2MP_SERVER
1440  clone_push_list(o);
1441 #endif
1442 }
1443 
1444 void
1446 {
1447  if (!options->routes)
1448  {
1449  options->routes = new_route_option_list(&options->gc);
1450  }
1451 }
1452 
1453 static void
1455 {
1456  if (!options->routes_ipv6)
1457  {
1458  options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1459  }
1460 }
1461 
1462 static void
1464 {
1465  if (!options->client_nat)
1466  {
1467  options->client_nat = new_client_nat_list(&options->gc);
1468  }
1469 }
1470 
1471 #ifndef ENABLE_SMALL
1472 static void
1474 {
1475  msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1476  SHOW_STR(local);
1477  SHOW_STR(local_port);
1478  SHOW_STR(remote);
1479  SHOW_STR(remote_port);
1480  SHOW_BOOL(remote_float);
1481  SHOW_BOOL(bind_defined);
1483  SHOW_BOOL(bind_ipv6_only);
1484  SHOW_INT(connect_retry_seconds);
1485  SHOW_INT(connect_timeout);
1486 
1487  if (o->http_proxy_options)
1488  {
1490  }
1491  SHOW_STR(socks_proxy_server);
1492  SHOW_STR(socks_proxy_port);
1493  SHOW_INT(tun_mtu);
1494  SHOW_BOOL(tun_mtu_defined);
1495  SHOW_INT(link_mtu);
1496  SHOW_BOOL(link_mtu_defined);
1497  SHOW_INT(tun_mtu_extra);
1498  SHOW_BOOL(tun_mtu_extra_defined);
1499 
1500  SHOW_INT(mtu_discover_type);
1501 
1502 #ifdef ENABLE_FRAGMENT
1503  SHOW_INT(fragment);
1504 #endif
1505  SHOW_INT(mssfix);
1506 
1507 #ifdef ENABLE_OCC
1508  SHOW_INT(explicit_exit_notification);
1509 #endif
1510 
1511  SHOW_STR(tls_auth_file);
1512  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1513  "%s");
1514  SHOW_STR(tls_crypt_file);
1515 }
1516 
1517 
1518 static void
1520 {
1521  if (o->connection_list)
1522  {
1523  const struct connection_list *l = o->connection_list;
1524  int i;
1525  for (i = 0; i < l->len; ++i)
1526  {
1527  msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1529  }
1530  }
1531  else
1532  {
1533  msg(D_SHOW_PARMS, "Connection profiles [default]:");
1535  }
1536  msg(D_SHOW_PARMS, "Connection profiles END");
1537 }
1538 
1539 static void
1541 {
1542  struct pull_filter *f;
1543  if (!l)
1544  {
1545  return;
1546  }
1547 
1548  msg(D_SHOW_PARMS, " Pull filters:");
1549  for (f = l->head; f; f = f->next)
1550  {
1551  msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1552  }
1553 }
1554 
1555 #endif /* ifndef ENABLE_SMALL */
1556 
1557 void
1558 show_settings(const struct options *o)
1559 {
1560 #ifndef ENABLE_SMALL
1561  msg(D_SHOW_PARMS, "Current Parameter Settings:");
1562 
1563  SHOW_STR(config);
1564 
1565  SHOW_INT(mode);
1566 
1567 #ifdef ENABLE_FEATURE_TUN_PERSIST
1568  SHOW_BOOL(persist_config);
1569  SHOW_INT(persist_mode);
1570 #endif
1571 
1572  SHOW_BOOL(show_ciphers);
1573  SHOW_BOOL(show_digests);
1574  SHOW_BOOL(show_engines);
1575  SHOW_BOOL(genkey);
1576  SHOW_STR(key_pass_file);
1577  SHOW_BOOL(show_tls_ciphers);
1578 
1579  SHOW_INT(connect_retry_max);
1581 
1582  SHOW_BOOL(remote_random);
1583 
1584  SHOW_STR(ipchange);
1585  SHOW_STR(dev);
1586  SHOW_STR(dev_type);
1587  SHOW_STR(dev_node);
1588  SHOW_STR(lladdr);
1589  SHOW_INT(topology);
1590  SHOW_STR(ifconfig_local);
1591  SHOW_STR(ifconfig_remote_netmask);
1592  SHOW_BOOL(ifconfig_noexec);
1593  SHOW_BOOL(ifconfig_nowarn);
1594  SHOW_STR(ifconfig_ipv6_local);
1595  SHOW_INT(ifconfig_ipv6_netbits);
1596  SHOW_STR(ifconfig_ipv6_remote);
1597 
1598 #ifdef ENABLE_FEATURE_SHAPER
1599  SHOW_INT(shaper);
1600 #endif
1601 #ifdef ENABLE_OCC
1602  SHOW_INT(mtu_test);
1603 #endif
1604 
1605  SHOW_BOOL(mlock);
1606 
1607  SHOW_INT(keepalive_ping);
1608  SHOW_INT(keepalive_timeout);
1609  SHOW_INT(inactivity_timeout);
1610  SHOW_INT(ping_send_timeout);
1611  SHOW_INT(ping_rec_timeout);
1612  SHOW_INT(ping_rec_timeout_action);
1613  SHOW_BOOL(ping_timer_remote);
1614  SHOW_INT(remap_sigusr1);
1615  SHOW_BOOL(persist_tun);
1616  SHOW_BOOL(persist_local_ip);
1617  SHOW_BOOL(persist_remote_ip);
1618  SHOW_BOOL(persist_key);
1619 
1620 #if PASSTOS_CAPABILITY
1621  SHOW_BOOL(passtos);
1622 #endif
1623 
1624  SHOW_INT(resolve_retry_seconds);
1625  SHOW_BOOL(resolve_in_advance);
1626 
1627  SHOW_STR(username);
1628  SHOW_STR(groupname);
1629  SHOW_STR(chroot_dir);
1630  SHOW_STR(cd_dir);
1631 #ifdef ENABLE_SELINUX
1632  SHOW_STR(selinux_context);
1633 #endif
1634  SHOW_STR(writepid);
1635  SHOW_STR(up_script);
1636  SHOW_STR(down_script);
1637  SHOW_BOOL(down_pre);
1638  SHOW_BOOL(up_restart);
1639  SHOW_BOOL(up_delay);
1640  SHOW_BOOL(daemon);
1641  SHOW_INT(inetd);
1642  SHOW_BOOL(log);
1645  SHOW_INT(nice);
1646  SHOW_INT(verbosity);
1647  SHOW_INT(mute);
1648 #ifdef ENABLE_DEBUG
1649  SHOW_INT(gremlin);
1650 #endif
1651  SHOW_STR(status_file);
1652  SHOW_INT(status_file_version);
1653  SHOW_INT(status_file_update_freq);
1654 
1655 #ifdef ENABLE_OCC
1656  SHOW_BOOL(occ);
1657 #endif
1658  SHOW_INT(rcvbuf);
1659  SHOW_INT(sndbuf);
1660 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1661  SHOW_INT(mark);
1662 #endif
1663  SHOW_INT(sockflags);
1664 
1665  SHOW_BOOL(fast_io);
1666 
1667 #ifdef USE_COMP
1668  SHOW_INT(comp.alg);
1669  SHOW_INT(comp.flags);
1670 #endif
1671 
1672  SHOW_STR(route_script);
1673  SHOW_STR(route_default_gateway);
1674  SHOW_INT(route_default_metric);
1675  SHOW_BOOL(route_noexec);
1676  SHOW_INT(route_delay);
1677  SHOW_INT(route_delay_window);
1678  SHOW_BOOL(route_delay_defined);
1679  SHOW_BOOL(route_nopull);
1680  SHOW_BOOL(route_gateway_via_dhcp);
1681  SHOW_BOOL(allow_pull_fqdn);
1683 
1684  if (o->routes)
1685  {
1687  }
1688 
1689  if (o->client_nat)
1690  {
1692  }
1693 
1694 #ifdef ENABLE_MANAGEMENT
1695  SHOW_STR(management_addr);
1696  SHOW_STR(management_port);
1697  SHOW_STR(management_user_pass);
1698  SHOW_INT(management_log_history_cache);
1699  SHOW_INT(management_echo_buffer_size);
1700  SHOW_STR(management_write_peer_info_file);
1701  SHOW_STR(management_client_user);
1702  SHOW_STR(management_client_group);
1703  SHOW_INT(management_flags);
1704 #endif
1705 #ifdef ENABLE_PLUGIN
1706  if (o->plugin_list)
1707  {
1709  }
1710 #endif
1711 
1712  SHOW_STR(shared_secret_file);
1713  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1714  SHOW_STR(ciphername);
1715  SHOW_BOOL(ncp_enabled);
1716  SHOW_STR(ncp_ciphers);
1717  SHOW_STR(authname);
1718  SHOW_STR(prng_hash);
1719  SHOW_INT(prng_nonce_secret_len);
1720  SHOW_INT(keysize);
1721 #ifndef ENABLE_CRYPTO_MBEDTLS
1722  SHOW_BOOL(engine);
1723 #endif /* ENABLE_CRYPTO_MBEDTLS */
1724  SHOW_BOOL(replay);
1725  SHOW_BOOL(mute_replay_warnings);
1726  SHOW_INT(replay_window);
1727  SHOW_INT(replay_time);
1728  SHOW_STR(packet_id_file);
1730 #ifdef ENABLE_PREDICTION_RESISTANCE
1731  SHOW_BOOL(use_prediction_resistance);
1732 #endif
1733 
1734  SHOW_BOOL(tls_server);
1735  SHOW_BOOL(tls_client);
1736  SHOW_INT(key_method);
1737  SHOW_STR(ca_file);
1738  SHOW_STR(ca_path);
1739  SHOW_STR(dh_file);
1740 #ifdef MANAGMENT_EXTERNAL_KEY
1742  {
1743  SHOW_PARM("cert_file","EXTERNAL_CERT","%s");
1744  }
1745  else
1746 #endif
1747  SHOW_STR(cert_file);
1748  SHOW_STR(extra_certs_file);
1749 
1750 #ifdef MANAGMENT_EXTERNAL_KEY
1751  if ((o->management_flags & MF_EXTERNAL_KEY))
1752  {
1753  SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
1754  }
1755  else
1756 #endif
1757  SHOW_STR(priv_key_file);
1758 #ifndef ENABLE_CRYPTO_MBEDTLS
1759  SHOW_STR(pkcs12_file);
1760 #endif
1761 #ifdef ENABLE_CRYPTOAPI
1762  SHOW_STR(cryptoapi_cert);
1763 #endif
1764  SHOW_STR(cipher_list);
1765  SHOW_STR(tls_cert_profile);
1767  SHOW_STR(tls_export_cert);
1768  SHOW_INT(verify_x509_type);
1769  SHOW_STR(verify_x509_name);
1770  SHOW_STR(crl_file);
1771  SHOW_INT(ns_cert_type);
1772  {
1773  int i;
1774  for (i = 0; i<MAX_PARMS; i++)
1775  {
1776  SHOW_INT(remote_cert_ku[i]);
1777  }
1778  }
1779  SHOW_STR(remote_cert_eku);
1780  SHOW_INT(ssl_flags);
1781 
1782  SHOW_INT(tls_timeout);
1783 
1784  SHOW_INT(renegotiate_bytes);
1785  SHOW_INT(renegotiate_packets);
1786  SHOW_INT(renegotiate_seconds);
1787 
1788  SHOW_INT(handshake_window);
1789  SHOW_INT(transition_window);
1790 
1791  SHOW_BOOL(single_session);
1793  SHOW_BOOL(tls_exit);
1794 
1795 #ifdef ENABLE_PKCS11
1796  {
1797  int i;
1798  for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1799  {
1800  SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1801  }
1802  }
1803  {
1804  int i;
1805  for (i = 0; i<MAX_PARMS; i++)
1806  {
1807  SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1808  }
1809  }
1810  {
1811  int i;
1812  for (i = 0; i<MAX_PARMS; i++)
1813  {
1814  SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1815  }
1816  }
1817  {
1818  int i;
1819  for (i = 0; i<MAX_PARMS; i++)
1820  {
1821  SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1822  }
1823  }
1824  SHOW_INT(pkcs11_pin_cache_period);
1825  SHOW_STR(pkcs11_id);
1826  SHOW_BOOL(pkcs11_id_management);
1827 #endif /* ENABLE_PKCS11 */
1828 
1829 #if P2MP
1830  show_p2mp_parms(o);
1831 #endif
1832 
1833 #ifdef _WIN32
1834  SHOW_BOOL(show_net_up);
1835  SHOW_INT(route_method);
1836  SHOW_BOOL(block_outside_dns);
1838 #endif
1839 #endif /* ifndef ENABLE_SMALL */
1840 }
1841 
1842 #undef SHOW_PARM
1843 #undef SHOW_STR
1844 #undef SHOW_INT
1845 #undef SHOW_BOOL
1846 
1847 #ifdef ENABLE_MANAGEMENT
1848 
1849 static struct http_proxy_options *
1851  const char *port,
1852  const char *flags,
1853  const int msglevel,
1854  struct gc_arena *gc)
1855 {
1856  if (server && port)
1857  {
1858  struct http_proxy_options *ho;
1859  ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
1860  ho->server = string_alloc(server, gc);
1861  ho->port = port;
1862  if (flags && !strcmp(flags, "nct"))
1863  {
1864  ho->auth_retry = PAR_NCT;
1865  }
1866  else
1867  {
1868  ho->auth_retry = PAR_ALL;
1869  }
1870  ho->http_version = "1.0";
1871  ho->user_agent = "OpenVPN-Autoproxy/1.0";
1872  return ho;
1873  }
1874  else
1875  {
1876  return NULL;
1877  }
1878 }
1879 
1880 static void
1882 {
1883  const struct connection_list *l = o->connection_list;
1884  int i;
1885  bool succeed = false;
1886  for (i = 0; i < l->len; ++i)
1887  {
1888  struct connection_entry *ce = l->array[i];
1889  if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
1890  {
1892  succeed = true;
1893  }
1894  }
1895  if (succeed)
1896  {
1897  for (i = 0; i < l->len; ++i)
1898  {
1899  struct connection_entry *ce = l->array[i];
1900  if (ce->proto == PROTO_UDP)
1901  {
1902  ce->flags |= CE_DISABLED;
1903  }
1904  }
1905  }
1906  else
1907  {
1908  msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
1909  }
1910 }
1911 
1912 #endif /* ifdef ENABLE_MANAGEMENT */
1913 
1914 static struct connection_list *
1916 {
1917  if (!options->connection_list)
1918  {
1919  ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
1920  }
1921  return options->connection_list;
1922 }
1923 
1924 static struct connection_entry *
1925 alloc_connection_entry(struct options *options, const int msglevel)
1926 {
1927  struct connection_list *l = alloc_connection_list_if_undef(options);
1928  struct connection_entry *e;
1929 
1930  if (l->len >= CONNECTION_LIST_SIZE)
1931  {
1932  msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
1933  return NULL;
1934  }
1935  ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
1936  l->array[l->len++] = e;
1937  return e;
1938 }
1939 
1940 static struct remote_list *
1942 {
1943  if (!options->remote_list)
1944  {
1945  ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
1946  }
1947  return options->remote_list;
1948 }
1949 
1950 static struct remote_entry *
1951 alloc_remote_entry(struct options *options, const int msglevel)
1952 {
1953  struct remote_list *l = alloc_remote_list_if_undef(options);
1954  struct remote_entry *e;
1955 
1956  if (l->len >= CONNECTION_LIST_SIZE)
1957  {
1958  msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
1959  return NULL;
1960  }
1961  ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
1962  l->array[l->len++] = e;
1963  return e;
1964 }
1965 
1966 static struct pull_filter_list *
1968 {
1969  if (!o->pull_filter_list)
1970  {
1972  }
1973  return o->pull_filter_list;
1974 }
1975 
1976 static struct pull_filter *
1977 alloc_pull_filter(struct options *o, const int msglevel)
1978 {
1980  struct pull_filter *f;
1981 
1982  ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
1983  if (l->head)
1984  {
1985  ASSERT(l->tail);
1986  l->tail->next = f;
1987  }
1988  else
1989  {
1990  ASSERT(!l->tail);
1991  l->head = f;
1992  }
1993  l->tail = f;
1994  return f;
1995 }
1996 
1997 static void
1999 {
2000  if (re->remote)
2001  {
2002  ce->remote = re->remote;
2003  }
2004  if (re->remote_port)
2005  {
2006  ce->remote_port = re->remote_port;
2007  }
2008  if (re->proto >= 0)
2009  {
2010  ce->proto = re->proto;
2011  }
2012  if (re->af > 0)
2013  {
2014  ce->af = re->af;
2015  }
2016 }
2017 
2018 static void
2020 {
2021  struct options defaults;
2022  int dev = DEV_TYPE_UNDEF;
2023  bool pull = false;
2024 
2025  init_options(&defaults, true);
2026 
2027  if (options->test_crypto)
2028  {
2029  notnull(options->shared_secret_file, "key file (--secret)");
2030  }
2031  else
2032  {
2033  notnull(options->dev, "TUN/TAP device (--dev)");
2034  }
2035 
2036  /*
2037  * Get tun/tap/null device type
2038  */
2039  dev = dev_type_enum(options->dev, options->dev_type);
2040 
2041  /*
2042  * If "proto tcp" is specified, make sure we know whether it is
2043  * tcp-client or tcp-server.
2044  */
2045  if (ce->proto == PROTO_TCP)
2046  {
2047  msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
2048  }
2049 
2050  /*
2051  * Sanity check on daemon/inetd modes
2052  */
2053 
2054  if (options->daemon && options->inetd)
2055  {
2056  msg(M_USAGE, "only one of --daemon or --inetd may be specified");
2057  }
2058 
2059  if (options->inetd && (ce->local || ce->remote))
2060  {
2061  msg(M_USAGE, "--local or --remote cannot be used with --inetd");
2062  }
2063 
2064  if (options->inetd && ce->proto == PROTO_TCP_CLIENT)
2065  {
2066  msg(M_USAGE, "--proto tcp-client cannot be used with --inetd");
2067  }
2068 
2069  if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER)
2070  {
2071  msg(M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
2072  }
2073 
2074  if (options->inetd == INETD_NOWAIT
2075  && !(options->tls_server || options->tls_client))
2076  {
2077  msg(M_USAGE, "--inetd nowait can only be used in TLS mode");
2078  }
2079 
2080  if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
2081  {
2082  msg(M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
2083  }
2084 
2085 
2086  if (options->lladdr && dev != DEV_TYPE_TAP)
2087  {
2088  msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2089  }
2090 
2091  /*
2092  * Sanity check on MTU parameters
2093  */
2094  if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2095  {
2096  msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
2097  }
2098 
2099 #ifdef ENABLE_OCC
2100  if (!proto_is_udp(ce->proto) && options->mtu_test)
2101  {
2102  msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2103  }
2104 #endif
2105 
2106  /* will we be pulling options from server? */
2107 #if P2MP
2108  pull = options->pull;
2109 #endif
2110 
2111  /*
2112  * Sanity check on --local, --remote, and --ifconfig
2113  */
2114 
2115  if (proto_is_net(ce->proto)
2116  && string_defined_equal(ce->local, ce->remote)
2118  {
2119  msg(M_USAGE, "--remote and --local addresses are the same");
2120  }
2121 
2122  if (string_defined_equal(ce->remote, options->ifconfig_local)
2124  {
2125  msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses");
2126  }
2127 
2128  if (string_defined_equal(ce->local, options->ifconfig_local)
2130  {
2131  msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2132  }
2133 
2135  {
2136  msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
2137  }
2138 
2139  if (ce->bind_defined && !ce->bind_local)
2140  {
2141  msg(M_USAGE, "--bind and --nobind can't be used together");
2142  }
2143 
2144  if (ce->local && !ce->bind_local)
2145  {
2146  msg(M_USAGE, "--local and --nobind don't make sense when used together");
2147  }
2148 
2149  if (ce->local_port_defined && !ce->bind_local)
2150  {
2151  msg(M_USAGE, "--lport and --nobind don't make sense when used together");
2152  }
2153 
2154  if (!ce->remote && !ce->bind_local)
2155  {
2156  msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2157  }
2158 
2159  /*
2160  * Check for consistency of management options
2161  */
2162 #ifdef ENABLE_MANAGEMENT
2163  if (!options->management_addr
2164  && (options->management_flags
2167  {
2168  msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2169  }
2170 
2171  if ((options->management_client_user || options->management_client_group)
2172  && !(options->management_flags & MF_UNIX_SOCK))
2173  {
2174  msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2175  }
2176 
2177  if (options->management_addr
2178  && !(options->management_flags & MF_UNIX_SOCK)
2179  && (!options->management_user_pass))
2180  {
2181  msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2182  "passwords is STRONGLY discouraged and considered insecure");
2183  }
2184 
2185 #endif
2186 
2187  /*
2188  * Windows-specific options.
2189  */
2190 
2191 #ifdef _WIN32
2192  if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2193  {
2194  msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2195  }
2196 
2197  if ((options->tuntap_options.ip_win32_defined)
2198  && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2199  {
2200  msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2201  }
2202 
2203  if (options->tuntap_options.dhcp_options
2206  {
2207  msg(M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive");
2208  }
2209 #endif
2210 
2211  /*
2212  * Check that protocol options make sense.
2213  */
2214 
2215 #ifdef ENABLE_FRAGMENT
2216  if (!proto_is_udp(ce->proto) && ce->fragment)
2217  {
2218  msg(M_USAGE, "--fragment can only be used with --proto udp");
2219  }
2220 #endif
2221 
2222 #ifdef ENABLE_OCC
2224  {
2225  msg(M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
2226  }
2227 #endif
2228 
2229  if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2230  {
2231  msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2232  }
2233 
2234  if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2235  {
2236  msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
2237  }
2238  if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2239  {
2240  msg(M_USAGE, "--http-proxy not specified but other http proxy options present");
2241  }
2242 
2243  if (ce->http_proxy_options && ce->socks_proxy_server)
2244  {
2245  msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy");
2246  }
2247 
2248  if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2249  {
2250  msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2251  }
2252 
2253  if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2254  {
2255  msg(M_USAGE, "TCP server mode allows at most one --remote address");
2256  }
2257 
2258 #if P2MP_SERVER
2259 
2260  /*
2261  * Check consistency of --mode server options.
2262  */
2263  if (options->mode == MODE_SERVER)
2264  {
2265  if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2266  {
2267  msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2268  }
2269  if (options->pull)
2270  {
2271  msg(M_USAGE, "--pull cannot be used with --mode server");
2272  }
2273  if (options->pull_filter_list)
2274  {
2275  msg(M_USAGE, "--pull-filter cannot be used with --mode server");
2276  }
2277  if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2278  {
2279  msg(M_USAGE, "--mode server currently only supports "
2280  "--proto udp or --proto tcp-server or proto tcp6-server");
2281  }
2282 #if PORT_SHARE
2283  if ((options->port_share_host || options->port_share_port)
2284  && (ce->proto != PROTO_TCP_SERVER))
2285  {
2286  msg(M_USAGE, "--port-share only works in TCP server mode "
2287  "(--proto tcp-server or tcp6-server)");
2288  }
2289 #endif
2290  if (!options->tls_server)
2291  {
2292  msg(M_USAGE, "--mode server requires --tls-server");
2293  }
2294  if (ce->remote)
2295  {
2296  msg(M_USAGE, "--remote cannot be used with --mode server");
2297  }
2298  if (!ce->bind_local)
2299  {
2300  msg(M_USAGE, "--nobind cannot be used with --mode server");
2301  }
2302  if (ce->http_proxy_options)
2303  {
2304  msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2305  }
2306  if (ce->socks_proxy_server)
2307  {
2308  msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2309  }
2310  /* <connection> blocks force to have a remote embedded, so we check for the
2311  * --remote and bail out if it is present */
2312  if (options->connection_list->len >1
2313  || options->connection_list->array[0]->remote)
2314  {
2315  msg(M_USAGE, "<connection> cannot be used with --mode server");
2316  }
2317 
2318  if (options->shaper)
2319  {
2320  msg(M_USAGE, "--shaper cannot be used with --mode server");
2321  }
2322  if (options->inetd)
2323  {
2324  msg(M_USAGE, "--inetd cannot be used with --mode server");
2325  }
2326  if (options->ipchange)
2327  {
2328  msg(M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)");
2329  }
2330  if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2331  {
2332  msg(M_USAGE, "--mode server currently only supports "
2333  "--proto udp or --proto tcp-server or --proto tcp6-server");
2334  }
2335  if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2336  {
2337  msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2338  }
2339  if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2340  {
2341  msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2342  }
2343  if (options->routes && (options->routes->flags & RG_ENABLE))
2344  {
2345  msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2346  }
2347  if (options->route_delay_defined)
2348  {
2349  msg(M_USAGE, "--route-delay cannot be used with --mode server");
2350  }
2351  if (options->up_delay)
2352  {
2353  msg(M_USAGE, "--up-delay cannot be used with --mode server");
2354  }
2355  if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
2356  {
2357  msg(M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
2358  }
2359  if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2360  {
2361  msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2362  }
2363  if (options->allow_recursive_routing)
2364  {
2365  msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2366  }
2367  if (options->auth_user_pass_file)
2368  {
2369  msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2370  }
2371  if (options->ccd_exclusive && !options->client_config_dir)
2372  {
2373  msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2374  }
2375  if (options->key_method != 2)
2376  {
2377  msg(M_USAGE, "--mode server requires --key-method 2");
2378  }
2379 
2380  {
2381  const bool ccnr = (options->auth_user_pass_verify_script
2382  || PLUGIN_OPTION_LIST(options)
2383  || MAN_CLIENT_AUTH_ENABLED(options));
2384  const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2386  {
2387  msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2388  }
2389  if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2390  {
2391  msg(M_USAGE, "--username-as-common-name %s", postfix);
2392  }
2393  if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2394  {
2395  msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2396  }
2397  }
2398  }
2399  else
2400  {
2401  /*
2402  * When not in server mode, err if parameters are
2403  * specified which require --mode server.
2404  */
2405  if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2406  {
2407  msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2408  }
2409  if (options->ifconfig_ipv6_pool_defined)
2410  {
2411  msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2412  }
2413  if (options->real_hash_size != defaults.real_hash_size
2414  || options->virtual_hash_size != defaults.virtual_hash_size)
2415  {
2416  msg(M_USAGE, "--hash-size requires --mode server");
2417  }
2418  if (options->learn_address_script)
2419  {
2420  msg(M_USAGE, "--learn-address requires --mode server");
2421  }
2422  if (options->client_connect_script)
2423  {
2424  msg(M_USAGE, "--client-connect requires --mode server");
2425  }
2426  if (options->client_disconnect_script)
2427  {
2428  msg(M_USAGE, "--client-disconnect requires --mode server");
2429  }
2430  if (options->client_config_dir || options->ccd_exclusive)
2431  {
2432  msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2433  }
2434  if (options->enable_c2c)
2435  {
2436  msg(M_USAGE, "--client-to-client requires --mode server");
2437  }
2438  if (options->duplicate_cn)
2439  {
2440  msg(M_USAGE, "--duplicate-cn requires --mode server");
2441  }
2442  if (options->cf_max || options->cf_per)
2443  {
2444  msg(M_USAGE, "--connect-freq requires --mode server");
2445  }
2447  {
2448  msg(M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server");
2449  }
2450  if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2451  {
2452  msg(M_USAGE, "--username-as-common-name requires --mode server");
2453  }
2454  if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2455  {
2456  msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2457  }
2458  if (options->ssl_flags & SSLF_OPT_VERIFY)
2459  {
2460  msg(M_USAGE, "--opt-verify requires --mode server");
2461  }
2462  if (options->server_flags & SF_TCP_NODELAY_HELPER)
2463  {
2464  msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2465  "affect the server. To have TCP_NODELAY in both direction use "
2466  "tcp-nodelay in the server configuration instead.");
2467  }
2468  if (options->auth_user_pass_verify_script)
2469  {
2470  msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2471  }
2472  if (options->auth_token_generate)
2473  {
2474  msg(M_USAGE, "--auth-gen-token requires --mode server");
2475  }
2476 #if PORT_SHARE
2477  if (options->port_share_host || options->port_share_port)
2478  {
2479  msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2480  }
2481 #endif
2482 
2483  if (options->stale_routes_check_interval)
2484  {
2485  msg(M_USAGE, "--stale-routes-check requires --mode server");
2486  }
2488  {
2489  msg(M_USAGE, "--compat-x509-names no-remapping requires --mode server");
2490  }
2491  }
2492 #endif /* P2MP_SERVER */
2493 
2494  if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers))
2495  {
2496  msg(M_USAGE, "NCP cipher list contains unsupported ciphers.");
2497  }
2498 
2499  if (options->keysize)
2500  {
2501  msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6");
2502  }
2503 
2504  /*
2505  * Check consistency of replay options
2506  */
2507  if (!options->replay
2508  && (options->replay_window != defaults.replay_window
2509  || options->replay_time != defaults.replay_time))
2510  {
2511  msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2512  }
2513 
2514  /*
2515  * SSL/TLS mode sanity checks.
2516  */
2517  if (options->tls_server + options->tls_client
2518  +(options->shared_secret_file != NULL) > 1)
2519  {
2520  msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2521  }
2522 
2524  {
2525  msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2526  "--verify-client-cert none|optional (or --client-cert-not-required) "
2527  "may accept clients which do not present a certificate");
2528  }
2529 
2530  if (options->key_method == 1)
2531  {
2532  msg(M_WARN, "WARNING: --key-method 1 is deprecated and will be removed "
2533  "in OpenVPN 2.5. By default --key-method 2 will be used if not set "
2534  "in the configuration file, which is the recommended approach.");
2535  }
2536 
2537  const int tls_version_max =
2540  const int tls_version_min =
2543 
2544  if (tls_version_max > 0 && tls_version_max < tls_version_min)
2545  {
2546  msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2547  }
2548 
2549  if (options->tls_server || options->tls_client)
2550  {
2551 #ifdef ENABLE_PKCS11
2552  if (options->pkcs11_providers[0])
2553  {
2554  notnull(options->ca_file, "CA file (--ca)");
2555 
2556  if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2557  {
2558  msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2559  }
2560  if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2561  {
2562  msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2563  }
2564  if (options->cert_file)
2565  {
2566  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2567  }
2568  if (options->priv_key_file)
2569  {
2570  msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2571  }
2572 #ifdef MANAGMENT_EXTERNAL_KEY
2573  if (options->management_flags & MF_EXTERNAL_KEY)
2574  {
2575  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2576  }
2577  if (options->management_flags & MF_EXTERNAL_CERT)
2578  {
2579  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2580  }
2581 #endif
2582  if (options->pkcs12_file)
2583  {
2584  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2585  }
2586 #ifdef ENABLE_CRYPTOAPI
2587  if (options->cryptoapi_cert)
2588  {
2589  msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2590  }
2591 #endif
2592  }
2593  else
2594 #endif /* ifdef ENABLE_PKCS11 */
2595 #ifdef MANAGMENT_EXTERNAL_KEY
2596  if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2597  {
2598  msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2599  }
2600  else if ((options->management_flags & MF_EXTERNAL_CERT))
2601  {
2602  if (options->cert_file)
2603  {
2604  msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2605  }
2606  else if (!(options->management_flags & MF_EXTERNAL_KEY))
2607  {
2608  msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2609  }
2610  }
2611  else
2612 #endif
2613 #ifdef ENABLE_CRYPTOAPI
2614  if (options->cryptoapi_cert)
2615  {
2616  if ((!(options->ca_file)) && (!(options->ca_path)))
2617  {
2618  msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2619  }
2620  if (options->cert_file)
2621  {
2622  msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2623  }
2624  if (options->priv_key_file)
2625  {
2626  msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2627  }
2628  if (options->pkcs12_file)
2629  {
2630  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2631  }
2632 #ifdef MANAGMENT_EXTERNAL_KEY
2633  if (options->management_flags & MF_EXTERNAL_KEY)
2634  {
2635  msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2636  }
2637  if (options->management_flags & MF_EXTERNAL_CERT)
2638  {
2639  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2640  }
2641 #endif
2642  }
2643  else
2644 #endif /* ifdef ENABLE_CRYPTOAPI */
2645  if (options->pkcs12_file)
2646  {
2647 #ifdef ENABLE_CRYPTO_MBEDTLS
2648  msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2649 #else
2650  if (options->ca_path)
2651  {
2652  msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2653  }
2654  if (options->cert_file)
2655  {
2656  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2657  }
2658  if (options->priv_key_file)
2659  {
2660  msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2661  }
2662 #ifdef MANAGMENT_EXTERNAL_KEY
2663  if (options->management_flags & MF_EXTERNAL_KEY)
2664  {
2665  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2666  }
2667  if (options->management_flags & MF_EXTERNAL_CERT)
2668  {
2669  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2670  }
2671 #endif
2672 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2673  }
2674  else
2675  {
2676 #ifdef ENABLE_CRYPTO_MBEDTLS
2677  if (!(options->ca_file))
2678  {
2679  msg(M_USAGE, "You must define CA file (--ca)");
2680  }
2681  if (options->ca_path)
2682  {
2683  msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2684  }
2685 #else /* ifdef ENABLE_CRYPTO_MBEDTLS */
2686  if ((!(options->ca_file)) && (!(options->ca_path)))
2687  {
2688  msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2689  }
2690 #endif
2691  if (pull)
2692  {
2693 
2694  const int sum =
2695 #ifdef MANAGMENT_EXTERNAL_KEY
2696  ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2697  +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2698 #else
2699  (options->cert_file != NULL) + (options->priv_key_file != NULL);
2700 #endif
2701 
2702  if (sum == 0)
2703  {
2704 #if P2MP
2705  if (!options->auth_user_pass_file)
2706 #endif
2707  msg(M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
2708  }
2709  else if (sum == 2)
2710  {
2711  }
2712  else
2713  {
2714  msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2715  }
2716  }
2717  else
2718  {
2719 #ifdef MANAGMENT_EXTERNAL_KEY
2720  if (!(options->management_flags & MF_EXTERNAL_CERT))
2721 #endif
2722  notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2723 #ifdef MANAGMENT_EXTERNAL_KEY
2724  if (!(options->management_flags & MF_EXTERNAL_KEY))
2725 #endif
2726  notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2727  }
2728  }
2729  if (ce->tls_auth_file && ce->tls_crypt_file)
2730  {
2731  msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2732  }
2733  }
2734  else
2735  {
2736  /*
2737  * Make sure user doesn't specify any TLS options
2738  * when in non-TLS mode.
2739  */
2740 
2741 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
2742 }
2743 
2744  const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2745 
2751 #ifndef ENABLE_CRYPTO_MBEDTLS
2753 #endif
2775 #ifdef ENABLE_PKCS11
2776  MUST_BE_UNDEF(pkcs11_providers[0]);
2777  MUST_BE_UNDEF(pkcs11_private_mode[0]);
2778  MUST_BE_UNDEF(pkcs11_id);
2779  MUST_BE_UNDEF(pkcs11_id_management);
2780 #endif
2781 
2782  if (pull)
2783  {
2784  msg(M_USAGE, err, "--pull");
2785  }
2786  }
2787 #undef MUST_BE_UNDEF
2788 
2789 #if P2MP
2790  if (options->auth_user_pass_file && !options->pull)
2791  {
2792  msg(M_USAGE, "--auth-user-pass requires --pull");
2793  }
2794 #endif
2795 
2796  uninit_options(&defaults);
2797 }
2798 
2799 static void
2801 {
2802  const int dev = dev_type_enum(o->dev, o->dev_type);
2803 
2804 #if P2MP_SERVER
2806  {
2807  if (ce->proto == PROTO_TCP)
2808  {
2809  ce->proto = PROTO_TCP_SERVER;
2810  }
2811  }
2812 #endif
2813 #if P2MP
2814  if (o->client)
2815  {
2816  if (ce->proto == PROTO_TCP)
2817  {
2818  ce->proto = PROTO_TCP_CLIENT;
2819  }
2820  }
2821 #endif
2822 
2823  if (ce->proto == PROTO_TCP_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2824  {
2825  ce->bind_local = false;
2826  }
2827 
2828  if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2829  {
2830  ce->bind_local = false;
2831  }
2832 
2833  if (!ce->bind_local)
2834  {
2835  ce->local_port = NULL;
2836  }
2837 
2838  /* if protocol forcing is enabled, disable all protocols except for the forced one */
2839  if (o->proto_force >= 0 && o->proto_force != ce->proto)
2840  {
2841  ce->flags |= CE_DISABLED;
2842  }
2843 
2844  /*
2845  * If --mssfix is supplied without a parameter, default
2846  * it to --fragment value, if --fragment is specified.
2847  */
2848  if (o->ce.mssfix_default)
2849  {
2850 #ifdef ENABLE_FRAGMENT
2851  if (ce->fragment)
2852  {
2853  ce->mssfix = ce->fragment;
2854  }
2855 #else
2856  msg(M_USAGE, "--mssfix must specify a parameter");
2857 #endif
2858  }
2859 
2860  /*
2861  * Set MTU defaults
2862  */
2863  {
2864  if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
2865  {
2866  ce->tun_mtu_defined = true;
2867  }
2868  if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
2869  {
2870  ce->tun_mtu_extra_defined = true;
2872  }
2873  }
2874 
2875  /*
2876  * Set per-connection block tls-auth/crypt fields if undefined.
2877  *
2878  * At the end only one of the two will be really set because the parser
2879  * logic prevents configurations where both are set.
2880  */
2881  if (!ce->tls_auth_file && !ce->tls_crypt_file)
2882  {
2883  ce->tls_auth_file = o->tls_auth_file;
2885  ce->key_direction = o->key_direction;
2886 
2887  ce->tls_crypt_file = o->tls_crypt_file;
2889  }
2890 
2891  /* pre-cache tls-auth/crypt key file if persist-key was specified and keys
2892  * were not already embedded in the config file
2893  */
2894  if (o->persist_key)
2895  {
2896  if (ce->tls_auth_file && !ce->tls_auth_file_inline)
2897  {
2898  struct buffer in = buffer_read_from_file(o->tls_auth_file, &o->gc);
2899  if (!buf_valid(&in))
2900  msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)",
2901  o->tls_auth_file);
2902 
2904  ce->tls_auth_file_inline = (char *)in.data;
2905  }
2906 
2907  if (ce->tls_crypt_file && !ce->tls_crypt_inline)
2908  {
2909  struct buffer in = buffer_read_from_file(o->tls_crypt_file, &o->gc);
2910  if (!buf_valid(&in))
2911  msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)",
2912  o->tls_auth_file);
2913 
2915  ce->tls_crypt_inline = (char *)in.data;
2916  }
2917  }
2918 }
2919 
2920 #ifdef _WIN32
2921 /* If iservice is in use, we need def1 method for redirect-gateway */
2922 static void
2924 {
2925  if (opt->routes
2927  && opt->routes->flags & RG_REROUTE_GW
2928  && !(opt->routes->flags & RG_DEF1))
2929  {
2930  msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
2931  opt->routes->flags |= RG_DEF1;
2932  }
2933 }
2934 #endif
2935 
2936 static void
2938 {
2939 #ifdef _WIN32
2940  const int dev = dev_type_enum(options->dev, options->dev_type);
2941 #endif
2942 
2943  /*
2944  * In forking TCP server mode, you don't need to ifconfig
2945  * the tap device (the assumption is that it will be bridged).
2946  */
2947  if (options->inetd == INETD_NOWAIT)
2948  {
2949  options->ifconfig_noexec = true;
2950  }
2951 
2952 #ifdef _WIN32
2953  if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
2954  {
2955  if (options->mode == MODE_POINT_TO_POINT)
2956  {
2957  options->route_delay_defined = true;
2958  options->route_delay = 5; /* Vista sometimes has a race without this */
2959  }
2960  }
2961 
2962  if (options->ifconfig_noexec)
2963  {
2965  options->ifconfig_noexec = false;
2966  }
2967 
2969 #endif
2970 
2971 #if P2MP_SERVER
2972  /*
2973  * Check consistency of --mode server options.
2974  */
2975  if (options->mode == MODE_SERVER)
2976  {
2977 #ifdef _WIN32
2978  /*
2979  * We need to explicitly set --tap-sleep because
2980  * we do not schedule event timers in the top-level context.
2981  */
2982  options->tuntap_options.tap_sleep = 10;
2983  if (options->route_delay_defined && options->route_delay)
2984  {
2985  options->tuntap_options.tap_sleep = options->route_delay;
2986  }
2987  options->route_delay_defined = false;
2988 #endif
2989  }
2990 #endif
2991 
2992 #ifdef DEFAULT_PKCS11_MODULE
2993  /* If p11-kit is present on the system then load its p11-kit-proxy.so
2994  * by default if the user asks for PKCS#11 without otherwise specifying
2995  * the module to use. */
2996  if (!options->pkcs11_providers[0]
2997  && (options->pkcs11_id || options->pkcs11_id_management))
2998  {
2999  options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3000  }
3001 #endif
3002 }
3003 
3004 static void
3006 {
3007  if (o->connection_list)
3008  {
3009  int i;
3010  for (i = 0; i < o->connection_list->len; ++i)
3011  {
3013  }
3014  }
3015  else
3016  {
3018  }
3019 }
3020 
3021 static void
3023 {
3024  int i;
3025  /*
3026  * Process helper-type options which map to other, more complex
3027  * sequences of options.
3028  */
3030  helper_keepalive(o);
3031  helper_tcp_nodelay(o);
3032 
3034 
3035  if (o->remote_list && !o->connection_list)
3036  {
3037  /*
3038  * Convert remotes into connection list
3039  */
3040  const struct remote_list *rl = o->remote_list;
3041  for (i = 0; i < rl->len; ++i)
3042  {
3043  const struct remote_entry *re = rl->array[i];
3044  struct connection_entry ce = o->ce;
3045  struct connection_entry *ace;
3046 
3047  ASSERT(re->remote);
3048  connection_entry_load_re(&ce, re);
3049  ace = alloc_connection_entry(o, M_USAGE);
3050  ASSERT(ace);
3051  *ace = ce;
3052  }
3053  }
3054  else if (!o->remote_list && !o->connection_list)
3055  {
3056  struct connection_entry *ace;
3057  ace = alloc_connection_entry(o, M_USAGE);
3058  ASSERT(ace);
3059  *ace = o->ce;
3060  }
3061 
3062  ASSERT(o->connection_list);
3063  for (i = 0; i < o->connection_list->len; ++i)
3064  {
3066  }
3067 
3068  if (o->tls_server)
3069  {
3070  /* Check that DH file is specified, or explicitly disabled */
3071  notnull(o->dh_file, "DH file (--dh)");
3072  if (streq(o->dh_file, "none"))
3073  {
3074  o->dh_file = NULL;
3075  }
3076  }
3077  else if (o->dh_file)
3078  {
3079  /* DH file is only meaningful in a tls-server context. */
3080  msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3081  "include this in your server configuration");
3082  o->dh_file = NULL;
3083  }
3084 
3085  /* cipher negotiation (NCP) currently assumes --pull or --mode server */
3086  if (o->ncp_enabled
3087  && !(o->pull || o->mode == MODE_SERVER) )
3088  {
3089  msg( M_WARN, "disabling NCP mode (--ncp-disable) because not "
3090  "in P2MP client or server mode" );
3091  o->ncp_enabled = false;
3092  }
3093 
3094 #if ENABLE_MANAGEMENT
3095  if (o->http_proxy_override)
3096  {
3098  }
3099 #endif
3100 
3101 #if P2MP
3102  /*
3103  * Save certain parms before modifying options via --pull
3104  */
3105  pre_pull_save(o);
3106 #endif
3107 }
3108 
3109 /*
3110  * Check file/directory sanity
3111  *
3112  */
3113 #ifndef ENABLE_SMALL
3115 #define CHKACC_FILE (1<<0)
3116 #define CHKACC_DIRPATH (1<<1)
3117 #define CHKACC_FILEXSTWR (1<<2)
3118 #define CHKACC_INLINE (1<<3)
3119 #define CHKACC_ACPTSTDIN (1<<4)
3120 #define CHKACC_PRIVATE (1<<5)
3122 static bool
3123 check_file_access(const int type, const char *file, const int mode, const char *opt)
3124 {
3125  int errcode = 0;
3126 
3127  /* If no file configured, no errors to look for */
3128  if (!file)
3129  {
3130  return false;
3131  }
3132 
3133  /* If this may be an inline file, and the proper inline "filename" is set - no issues */
3134  if ((type & CHKACC_INLINE) && streq(file, INLINE_FILE_TAG) )
3135  {
3136  return false;
3137  }
3138 
3139  /* If stdin is allowed and the file name is 'stdin', then do no
3140  * further checks as stdin is always available
3141  */
3142  if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3143  {
3144  return false;
3145  }
3146 
3147  /* Is the directory path leading to the given file accessible? */
3148  if (type & CHKACC_DIRPATH)
3149  {
3150  char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementaion may modify its arguments */
3151  char *dirpath = dirname(fullpath);
3152 
3153  if (platform_access(dirpath, mode|X_OK) != 0)
3154  {
3155  errcode = errno;
3156  }
3157  free(fullpath);
3158  }
3159 
3160  /* Is the file itself accessible? */
3161  if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3162  {
3163  errcode = errno;
3164  }
3165 
3166  /* If the file exists and is accessible, is it writable? */
3167  if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3168  {
3169  if (platform_access(file, W_OK) != 0)
3170  {
3171  errcode = errno;
3172  }
3173  }
3174 
3175  /* Warn if a given private file is group/others accessible. */
3176  if (type & CHKACC_PRIVATE)
3177  {
3178  platform_stat_t st;
3179  if (platform_stat(file, &st))
3180  {
3181  msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3182  }
3183 #ifndef _WIN32
3184  else
3185  {
3186  if (st.st_mode & (S_IRWXG|S_IRWXO))
3187  {
3188  msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3189  }
3190  }
3191 #endif
3192  }
3193 
3194  /* Scream if an error is found */
3195  if (errcode > 0)
3196  {
3197  msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3198  }
3199 
3200  /* Return true if an error occured */
3201  return (errcode != 0 ? true : false);
3202 }
3203 
3204 /* A wrapper for check_file_access() which also takes a chroot directory.
3205  * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3206  * otherwise it will look for the file inside the given chroot directory instead.
3207  */
3208 static bool
3209 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3210 {
3211  bool ret = false;
3212 
3213  /* If no file configured, no errors to look for */
3214  if (!file)
3215  {
3216  return false;
3217  }
3218 
3219  /* If chroot is set, look for the file/directory inside the chroot */
3220  if (chroot)
3221  {
3222  struct gc_arena gc = gc_new();
3223  struct buffer chroot_file;
3224  int len = 0;
3225 
3226  /* Build up a new full path including chroot directory */
3227  len = strlen(chroot) + strlen(PATH_SEPARATOR_STR) + strlen(file) + 1;
3228  chroot_file = alloc_buf_gc(len, &gc);
3229  buf_printf(&chroot_file, "%s%s%s", chroot, PATH_SEPARATOR_STR, file);
3230  ASSERT(chroot_file.len > 0);
3231 
3232  ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3233  gc_free(&gc);
3234  }
3235  else
3236  {
3237  /* No chroot in play, just call core file check function */
3238  ret = check_file_access(type, file, mode, opt);
3239  }
3240  return ret;
3241 }
3242 
3243 
3244 /*
3245  * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3246  * valid file with appropriate permissions.
3247  *
3248  * "command" consists of a path, optionally followed by a space, which may be
3249  * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3250  * performed.
3251  *
3252  * The path and arguments in "command" may be single- or double-quoted or escaped.
3253  *
3254  * The path is extracted from "command", then check_file_access() is called to check it. The
3255  * arguments, if any, are ignored.
3256  *
3257  * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3258  * check_file_access() arguments.
3259  */
3260 static bool
3261 check_cmd_access(const char *command, const char *opt, const char *chroot)
3262 {
3263  struct argv argv;
3264  bool return_code;
3265 
3266  /* If no command was set, there are no errors to look for */
3267  if (!command)
3268  {
3269  return false;
3270  }
3271 
3272  /* Extract executable path and arguments */
3273  argv = argv_new();
3274  argv_parse_cmd(&argv, command);
3275 
3276  /* if an executable is specified then check it; otherwise, complain */
3277  if (argv.argv[0])
3278  {
3279  /* Scripts requires R_OK as well, but that might fail on binaries which
3280  * only requires X_OK to function on Unix - a scenario not unlikely to
3281  * be seen on suid binaries.
3282  */
3283  return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
3284  }
3285  else
3286  {
3287  msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
3288  opt, command);
3289  return_code = true;
3290  }
3291 
3292  argv_reset(&argv);
3293 
3294  return return_code;
3295 }
3296 
3297 /*
3298  * Sanity check of all file/dir options. Checks that file/dir
3299  * is accessible by OpenVPN
3300  */
3301 static void
3303 {
3304  bool errs = false;
3305 
3306  /* ** SSL/TLS/crypto related files ** */
3307  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
3308  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");
3309  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath");
3310  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert");
3312  "--extra-certs");
3313 #ifdef MANAGMENT_EXTERNAL_KEY
3314  if (!(options->management_flags & MF_EXTERNAL_KEY))
3315 #endif
3316  {
3318  options->priv_key_file, R_OK, "--key");
3319  }
3321  options->pkcs12_file, R_OK, "--pkcs12");
3322 
3323  if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
3324  {
3325  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK,
3326  "--crl-verify directory");
3327  }
3328  else
3329  {
3331  options->crl_file, R_OK, "--crl-verify");
3332  }
3333 
3334  ASSERT(options->connection_list);
3335  for (int i = 0; i < options->connection_list->len; ++i)
3336  {
3337  struct connection_entry *ce = options->connection_list->array[i];
3338 
3340  ce->tls_auth_file, R_OK, "--tls-auth");
3341 
3343  ce->tls_crypt_file, R_OK, "--tls-crypt");
3344 
3345  }
3346 
3348  options->shared_secret_file, R_OK, "--secret");
3349 
3351  options->packet_id_file, R_OK|W_OK, "--replay-persist");
3352 
3353  /* ** Password files ** */
3355  options->key_pass_file, R_OK, "--askpass");
3356 #ifdef ENABLE_MANAGEMENT
3358  options->management_user_pass, R_OK,
3359  "--management user/password file");
3360 #endif /* ENABLE_MANAGEMENT */
3361 #if P2MP
3363  options->auth_user_pass_file, R_OK,
3364  "--auth-user-pass");
3365 #endif /* P2MP */
3366 
3367  /* ** System related ** */
3368  errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
3369  R_OK|X_OK, "--chroot directory");
3371  R_OK|W_OK, "--writepid");
3372 
3373  /* ** Log related ** */
3375  R_OK|W_OK, "--status");
3376 
3377  /* ** Config related ** */
3378  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
3379  R_OK|W_OK|X_OK, "--tls-export-cert");
3380 #if P2MP_SERVER
3382  R_OK|X_OK, "--client-config-dir");
3383  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
3384  R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
3385 
3386 #endif /* P2MP_SERVER */
3387 
3388  if (errs)
3389  {
3390  msg(M_USAGE, "Please correct these errors.");
3391  }
3392 }
3393 #endif /* !ENABLE_SMALL */
3394 
3395 /*
3396  * Sanity check on options.
3397  * Also set some options based on other
3398  * options.
3399  */
3400 void
3402 {
3403  options_postprocess_mutate(options);
3404  options_postprocess_verify(options);
3405 #ifndef ENABLE_SMALL
3407 #endif /* !ENABLE_SMALL */
3408 }
3409 
3410 #if P2MP
3411 
3412 /*
3413  * Save/Restore certain option defaults before --pull is applied.
3414  */
3415 
3416 void
3418 {
3419  if (o->pull)
3420  {
3423  o->pre_pull->tuntap_options_defined = true;
3425  if (o->routes)
3426  {
3428  o->pre_pull->routes_defined = true;
3429  }
3430  if (o->routes_ipv6)
3431  {
3433  o->pre_pull->routes_ipv6_defined = true;
3434  }
3435  if (o->client_nat)
3436  {
3438  o->pre_pull->client_nat_defined = true;
3439  }
3440  }
3441 }
3442 
3443 void
3444 pre_pull_restore(struct options *o, struct gc_arena *gc)
3445 {
3446  const struct options_pre_pull *pp = o->pre_pull;
3447  if (pp)
3448  {
3449  CLEAR(o->tuntap_options);
3450  if (pp->tuntap_options_defined)
3451  {
3452  o->tuntap_options = pp->tuntap_options;
3453  }
3454 
3455  if (pp->routes_defined)
3456  {
3457  rol_check_alloc(o);
3458  copy_route_option_list(o->routes, pp->routes, gc);
3459  }
3460  else
3461  {
3462  o->routes = NULL;
3463  }
3464 
3465  if (pp->routes_ipv6_defined)
3466  {
3467  rol6_check_alloc(o);
3469  }
3470  else
3471  {
3472  o->routes_ipv6 = NULL;
3473  }
3474 
3475  if (pp->client_nat_defined)
3476  {
3477  cnol_check_alloc(o);
3479  }
3480  else
3481  {
3482  o->client_nat = NULL;
3483  }
3484 
3486  }
3487 
3488  o->push_continuation = 0;
3489  o->push_option_types_found = 0;
3490 }
3491 
3492 #endif /* if P2MP */
3493 
3494 #ifdef ENABLE_OCC
3495 
3503 static size_t
3504 calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
3505 {
3506  size_t link_mtu = EXPANDED_SIZE(frame);
3507 
3508  if (o->pull || o->mode == MODE_SERVER)
3509  {
3510  struct frame fake_frame = *frame;
3511  struct key_type fake_kt;
3512  init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true,
3513  false);
3514  frame_add_to_extra_frame(&fake_frame, -(crypto_max_overhead()));
3515  crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
3516  cipher_kt_mode_ofb_cfb(fake_kt.cipher));
3517  frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
3518  o->ce.tun_mtu_defined, o->ce.tun_mtu);
3519  msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu,
3520  EXPANDED_SIZE(&fake_frame));
3521  link_mtu = EXPANDED_SIZE(&fake_frame);
3522  }
3523  return link_mtu;
3524 }
3525 
3526 /*
3527  * Build an options string to represent data channel encryption options.
3528  * This string must match exactly between peers. The keysize is checked
3529  * separately by read_key().
3530  *
3531  * The following options must match on both peers:
3532  *
3533  * Tunnel options:
3534  *
3535  * --dev tun|tap [unit number need not match]
3536  * --dev-type tun|tap
3537  * --link-mtu
3538  * --udp-mtu
3539  * --tun-mtu
3540  * --proto udp
3541  * --proto tcp-client [matched with --proto tcp-server
3542  * on the other end of the connection]
3543  * --proto tcp-server [matched with --proto tcp-client on
3544  * the other end of the connection]
3545  * --tun-ipv6
3546  * --ifconfig x y [matched with --ifconfig y x on
3547  * the other end of the connection]
3548  *
3549  * --comp-lzo
3550  * --compress alg
3551  * --fragment
3552  *
3553  * Crypto Options:
3554  *
3555  * --cipher
3556  * --auth
3557  * --keysize
3558  * --secret
3559  * --no-replay
3560  *
3561  * SSL Options:
3562  *
3563  * --tls-auth
3564  * --tls-client [matched with --tls-server on
3565  * the other end of the connection]
3566  * --tls-server [matched with --tls-client on
3567  * the other end of the connection]
3568  */
3569 char *
3570 options_string(const struct options *o,
3571  const struct frame *frame,
3572  struct tuntap *tt,
3573  bool remote,
3574  struct gc_arena *gc)
3575 {
3576  struct buffer out = alloc_buf(OPTION_LINE_SIZE);
3577  bool tt_local = false;
3578 
3579  buf_printf(&out, "V4");
3580 
3581  /*
3582  * Tunnel Options
3583  */
3584 
3585  buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
3586  buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame));
3587  buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame));
3588  buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
3589 
3590  /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
3591  * is usually pushed by the server, triggering a non-helpful warning
3592  */
3594  {
3595  buf_printf(&out, ",tun-ipv6");
3596  }
3597 
3598  /*
3599  * Try to get ifconfig parameters into the options string.
3600  * If tt is undefined, make a temporary instantiation.
3601  */
3602  if (!tt)
3603  {
3604  tt = init_tun(o->dev,
3605  o->dev_type,
3606  o->topology,
3607  o->ifconfig_local,
3612  NULL,
3613  NULL,
3614  false,
3615  NULL);
3616  if (tt)
3617  {
3618  tt_local = true;
3619  }
3620  }
3621 
3622  if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
3623  {
3624  const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
3625  if (ios && strlen(ios))
3626  {
3627  buf_printf(&out, ",ifconfig %s", ios);
3628  }
3629  }
3630  if (tt_local)
3631  {
3632  free(tt);
3633  tt = NULL;
3634  }
3635 
3636 #ifdef USE_COMP
3637  if (o->comp.alg != COMP_ALG_UNDEF)
3638  {
3639  buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
3640  }
3641 #endif
3642 
3643 #ifdef ENABLE_FRAGMENT
3644  if (o->ce.fragment)
3645  {
3646  buf_printf(&out, ",mtu-dynamic");
3647  }
3648 #endif
3649 
3650 #define TLS_CLIENT (o->tls_client)
3651 #define TLS_SERVER (o->tls_server)
3652 
3653  /*
3654  * Key direction
3655  */
3656  {
3657  const char *kd = keydirection2ascii(o->key_direction, remote, false);
3658  if (kd)
3659  {
3660  buf_printf(&out, ",keydir %s", kd);
3661  }
3662  }
3663 
3664  /*
3665  * Crypto Options
3666  */
3668  {
3669  struct key_type kt;
3670 
3671  ASSERT((o->shared_secret_file != NULL)
3672  + (TLS_CLIENT == true)
3673  + (TLS_SERVER == true)
3674  <= 1);
3675 
3676  init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
3677  false);
3678 
3679  buf_printf(&out, ",cipher %s",
3681  buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
3682  buf_printf(&out, ",keysize %d", kt.cipher_length * 8);
3683  if (o->shared_secret_file)
3684  {
3685  buf_printf(&out, ",secret");
3686  }
3687  if (!o->replay)
3688  {
3689  buf_printf(&out, ",no-replay");
3690  }
3691 
3692 #ifdef ENABLE_PREDICTION_RESISTANCE
3693  if (o->use_prediction_resistance)
3694  {
3695  buf_printf(&out, ",use-prediction-resistance");
3696  }
3697 #endif
3698  }
3699 
3700  /*
3701  * SSL Options
3702  */
3703  {
3704  if (TLS_CLIENT || TLS_SERVER)
3705  {
3706  if (o->ce.tls_auth_file)
3707  {
3708  buf_printf(&out, ",tls-auth");
3709  }
3710  /* Not adding tls-crypt here, because we won't reach this code if
3711  * tls-auth/tls-crypt does not match. Removing tls-auth here would
3712  * break stuff, so leaving that in place. */
3713 
3714  if (o->key_method > 1)
3715  {
3716  buf_printf(&out, ",key-method %d", o->key_method);
3717  }
3718  }
3719 
3720  if (remote)
3721  {
3722  if (TLS_CLIENT)
3723  {
3724  buf_printf(&out, ",tls-server");
3725  }
3726  else if (TLS_SERVER)
3727  {
3728  buf_printf(&out, ",tls-client");
3729  }
3730  }
3731  else
3732  {
3733  if (TLS_CLIENT)
3734  {
3735  buf_printf(&out, ",tls-client");
3736  }
3737  else if (TLS_SERVER)
3738  {
3739  buf_printf(&out, ",tls-server");
3740  }
3741  }
3742  }
3743 
3744 #undef TLS_CLIENT
3745 #undef TLS_SERVER
3746 
3747  return BSTR(&out);
3748 }
3749 
3750 /*
3751  * Compare option strings for equality.
3752  * If the first two chars of the strings differ, it means that
3753  * we are looking at different versions of the options string,
3754  * therefore don't compare them and return true.
3755  */
3756 
3757 bool
3758 options_cmp_equal(char *actual, const char *expected)
3759 {
3760  return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
3761 }
3762 
3763 void
3764 options_warning(char *actual, const char *expected)
3765 {
3766  options_warning_safe(actual, expected, strlen(actual) + 1);
3767 }
3768 
3769 static const char *
3770 options_warning_extract_parm1(const char *option_string,
3771  struct gc_arena *gc_ret)
3772 {
3773  struct gc_arena gc = gc_new();
3774  struct buffer b = string_alloc_buf(option_string, &gc);
3775  char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
3776  const char *ret;
3777 
3778  buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
3779  ret = string_alloc(p, gc_ret);
3780  gc_free(&gc);
3781  return ret;
3782 }
3783 
3784 static void
3785 options_warning_safe_scan2(const int msglevel,
3786  const int delim,
3787  const bool report_inconsistent,
3788  const char *p1,
3789  const struct buffer *b2_src,
3790  const char *b1_name,
3791  const char *b2_name)
3792 {
3793  /* we will stop sending 'proto xxx' in OCC in a future version
3794  * (because it's not useful), and to reduce questions when
3795  * interoperating, we start not-printing a warning about it today
3796  */
3797  if (strncmp(p1, "proto ", 6) == 0)
3798  {
3799  return;
3800  }
3801 
3802  if (strlen(p1) > 0)
3803  {
3804  struct gc_arena gc = gc_new();
3805  struct buffer b2 = *b2_src;
3806  const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
3807  char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
3808 
3809  while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
3810  {
3811  if (strlen(p2))
3812  {
3813  const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
3814 
3815  if (!strcmp(p1, p2))
3816  {
3817  goto done;
3818  }
3819  if (!strcmp(p1_prefix, p2_prefix))
3820  {
3821  if (report_inconsistent)
3822  {
3823  msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
3824  safe_print(p1_prefix, &gc),
3825  b1_name,
3826  safe_print(p1, &gc),
3827  b2_name,
3828  safe_print(p2, &gc));
3829  }
3830  goto done;
3831  }
3832  }
3833  }
3834 
3835  msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
3836  safe_print(p1_prefix, &gc),
3837  b1_name,
3838  b2_name,
3839  b1_name,
3840  safe_print(p1, &gc));
3841 
3842 done:
3843  gc_free(&gc);
3844  }
3845 }
3846 
3847 static void
3848 options_warning_safe_scan1(const int msglevel,
3849  const int delim,
3850  const bool report_inconsistent,
3851  const struct buffer *b1_src,
3852  const struct buffer *b2_src,
3853  const char *b1_name,
3854  const char *b2_name)
3855 {
3856  struct gc_arena gc = gc_new();
3857  struct buffer b = *b1_src;
3858  char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
3859 
3860  while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
3861  {
3862  options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
3863  }
3864 
3865  gc_free(&gc);
3866 }
3867 
3868 static void
3869 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
3870 {
3871  struct gc_arena gc = gc_new();
3872 
3873  if (actual_n > 0)
3874  {
3875  struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
3876  struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
3877  actual[actual_n - 1] = 0;
3878 
3879  buf_printf(&local, "version %s", expected);
3880  buf_printf(&remote, "version %s", actual);
3881 
3882  options_warning_safe_scan1(msglevel, ',', true,
3883  &local, &remote,
3884  "local", "remote");
3885 
3886  options_warning_safe_scan1(msglevel, ',', false,
3887  &remote, &local,
3888  "remote", "local");
3889  }
3890 
3891  gc_free(&gc);
3892 }
3893 
3894 bool
3895 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
3896 {
3897  struct gc_arena gc = gc_new();
3898  bool ret = true;
3899 
3900  if (actual_n > 0)
3901  {
3902  actual[actual_n - 1] = 0;
3903 #ifndef ENABLE_STRICT_OPTIONS_CHECK
3904  if (strncmp(actual, expected, 2))
3905  {
3906  msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
3907  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
3908  }
3909  else
3910 #endif
3911  ret = !strcmp(actual, expected);
3912  }
3913  gc_free(&gc);
3914  return ret;
3915 }
3916 
3917 void
3918 options_warning_safe(char *actual, const char *expected, size_t actual_n)
3919 {
3920  options_warning_safe_ml(M_WARN, actual, expected, actual_n);
3921 }
3922 
3923 const char *
3924 options_string_version(const char *s, struct gc_arena *gc)
3925 {
3926  struct buffer out = alloc_buf_gc(4, gc);
3927  strncpynt((char *) BPTR(&out), s, 3);
3928  return BSTR(&out);
3929 }
3930 
3931 #endif /* ENABLE_OCC */
3932 
3933 char *
3934 options_string_extract_option(const char *options_string,const char *opt_name,
3935  struct gc_arena *gc)
3936 {
3937  char *ret = NULL;
3938  const size_t opt_name_len = strlen(opt_name);
3939 
3940  const char *p = options_string;
3941  while (p)
3942  {
3943  if (0 == strncmp(p, opt_name, opt_name_len)
3944  && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
3945  {
3946  /* option found, extract value */
3947  const char *start = &p[opt_name_len+1];
3948  const char *end = strchr(p, ',');
3949  size_t val_len = end ? end - start : strlen(start);
3950  ret = gc_malloc(val_len+1, true, gc);
3951  memcpy(ret, start, val_len);
3952  break;
3953  }
3954  p = strchr(p, ',');
3955  if (p)
3956  {
3957  p++; /* skip delimiter */
3958  }
3959  }
3960  return ret;
3961 }
3962 
3963 static void
3964 foreign_option(struct options *o, char *argv[], int len, struct env_set *es)
3965 {
3966  if (len > 0)
3967  {
3968  struct gc_arena gc = gc_new();
3969  struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3970  struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3971  int i;
3972  bool first = true;
3973  bool good = true;
3974 
3975  good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
3976  ++o->foreign_option_index;
3977  for (i = 0; i < len; ++i)
3978  {
3979  if (argv[i])
3980  {
3981  if (!first)
3982  {
3983  good &= buf_printf(&value, " ");
3984  }
3985  good &= buf_printf(&value, "%s", argv[i]);
3986  first = false;
3987  }
3988  }
3989  if (good)
3990  {
3991  setenv_str(es, BSTR(&name), BSTR(&value));
3992  }
3993  else
3994  {
3995  msg(M_WARN, "foreign_option: name/value overflow");
3996  }
3997  gc_free(&gc);
3998  }
3999 }
4000 
4001 /*
4002  * parse/print topology coding
4003  */
4004 
4005 int
4006 parse_topology(const char *str, const int msglevel)
4007 {
4008  if (streq(str, "net30"))
4009  {
4010  return TOP_NET30;
4011  }
4012  else if (streq(str, "p2p"))
4013  {
4014  return TOP_P2P;
4015  }
4016  else if (streq(str, "subnet"))
4017  {
4018  return TOP_SUBNET;
4019  }
4020  else
4021  {
4022  msg(msglevel, "--topology must be net30, p2p, or subnet");
4023  return TOP_UNDEF;
4024  }
4025 }
4026 
4027 const char *
4028 print_topology(const int topology)
4029 {
4030  switch (topology)
4031  {
4032  case TOP_UNDEF:
4033  return "undef";
4034 
4035  case TOP_NET30:
4036  return "net30";
4037 
4038  case TOP_P2P:
4039  return "p2p";
4040 
4041  case TOP_SUBNET:
4042  return "subnet";
4043 
4044  default:
4045  return "unknown";
4046  }
4047 }
4048 
4049 #if P2MP
4050 
4051 /*
4052  * Manage auth-retry variable
4053  */
4054 
4055 static int global_auth_retry; /* GLOBAL */
4056 
4057 int
4059 {
4060  return global_auth_retry;
4061 }
4062 
4063 bool
4064 auth_retry_set(const int msglevel, const char *option)
4065 {
4066  if (streq(option, "interact"))
4067  {
4069  }
4070  else if (streq(option, "nointeract"))
4071  {
4073  }
4074  else if (streq(option, "none"))
4075  {
4077  }
4078  else
4079  {
4080  msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4081  return false;
4082  }
4083  return true;
4084 }
4085 
4086 const char *
4088 {
4089  switch (global_auth_retry)
4090  {
4091  case AR_NONE:
4092  return "none";
4093 
4094  case AR_NOINTERACT:
4095  return "nointeract";
4096 
4097  case AR_INTERACT:
4098  return "interact";
4099 
4100  default:
4101  return "???";
4102  }
4103 }
4104 
4105 #endif /* if P2MP */
4106 
4107 /*
4108  * Print the help message.
4109  */
4110 static void
4111 usage(void)
4112 {
4113  FILE *fp = msg_fp(0);
4114 
4115 #ifdef ENABLE_SMALL
4116 
4117  fprintf(fp, "Usage message not available\n");
4118 
4119 #else
4120 
4121  struct options o;
4122  init_options(&o, true);
4123 
4124  fprintf(fp, usage_message,
4125  title_string,
4128  o.ce.local_port, o.ce.remote_port,
4130  o.verbosity,
4131  o.authname, o.ciphername,
4135  fflush(fp);
4136 
4137 #endif /* ENABLE_SMALL */
4138 
4139  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4140 }
4141 
4142 void
4144 {
4145  msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4146  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4147 }
4148 
4149 #ifdef _WIN32
4150 void
4151 show_windows_version(const unsigned int flags)
4152 {
4153  struct gc_arena gc = gc_new();
4154  msg(flags, "Windows version %s", win32_version_string(&gc, true));
4155  gc_free(&gc);
4156 }
4157 #endif
4158 
4159 void
4160 show_library_versions(const unsigned int flags)
4161 {
4162 #ifdef ENABLE_LZO
4163 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4164 #else
4165 #define LZO_LIB_VER_STR "", ""
4166 #endif
4167 
4168  msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4169  LZO_LIB_VER_STR);
4170 
4171 #undef LZO_LIB_VER_STR
4172 }
4173 
4174 static void
4176 {
4179 #ifdef _WIN32
4181 #endif
4182  msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4183  msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>");
4184 #ifndef ENABLE_SMALL
4185 #ifdef CONFIGURE_DEFINES
4186  msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4187 #endif
4188 #ifdef CONFIGURE_SPECIAL_BUILD
4189  msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4190 #endif
4191 #endif
4192  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4193 }
4194 
4195 void
4196 notnull(const char *arg, const char *description)
4197 {
4198  if (!arg)
4199  {
4200  msg(M_USAGE, "You must define %s", description);
4201  }
4202 }
4203 
4204 bool
4205 string_defined_equal(const char *s1, const char *s2)
4206 {
4207  if (s1 && s2)
4208  {
4209  return !strcmp(s1, s2);
4210  }
4211  else
4212  {
4213  return false;
4214  }
4215 }
4216 
4217 #if 0
4218 static void
4219 ping_rec_err(int msglevel)
4220 {
4221  msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4222 }
4223 #endif
4224 
4225 static int
4226 positive_atoi(const char *str)
4227 {
4228  const int i = atoi(str);
4229  return i < 0 ? 0 : i;
4230 }
4231 
4232 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4233 static unsigned int
4234 atou(const char *str)
4235 {
4236  unsigned int val = 0;
4237  sscanf(str, "%u", &val);
4238  return val;
4239 }
4240 #endif
4241 
4242 static inline bool
4243 space(unsigned char c)
4244 {
4245  return c == '\0' || isspace(c);
4246 }
4247 
4248 int
4249 parse_line(const char *line,
4250  char *p[],
4251  const int n,
4252  const char *file,
4253  const int line_num,
4254  int msglevel,
4255  struct gc_arena *gc)
4256 {
4257  const int STATE_INITIAL = 0;
4258  const int STATE_READING_QUOTED_PARM = 1;
4259  const int STATE_READING_UNQUOTED_PARM = 2;
4260  const int STATE_DONE = 3;
4261  const int STATE_READING_SQUOTED_PARM = 4;
4262 
4263  const char *error_prefix = "";
4264 
4265  int ret = 0;
4266  const char *c = line;
4267  int state = STATE_INITIAL;
4268  bool backslash = false;
4269  char in, out;
4270 
4271  char parm[OPTION_PARM_SIZE];
4272  unsigned int parm_len = 0;
4273 
4274  msglevel &= ~M_OPTERR;
4275 
4276  if (msglevel & M_MSG_VIRT_OUT)
4277  {
4278  error_prefix = "ERROR: ";
4279  }
4280 
4281  do
4282  {
4283  in = *c;
4284  out = 0;
4285 
4286  if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4287  {
4288  backslash = true;
4289  }
4290  else
4291  {
4292  if (state == STATE_INITIAL)
4293  {
4294  if (!space(in))
4295  {
4296  if (in == ';' || in == '#') /* comment */
4297  {
4298  break;
4299  }
4300  if (!backslash && in == '\"')
4301  {
4302  state = STATE_READING_QUOTED_PARM;
4303  }
4304  else if (!backslash && in == '\'')
4305  {
4306  state = STATE_READING_SQUOTED_PARM;
4307  }
4308  else
4309  {
4310  out = in;
4311  state = STATE_READING_UNQUOTED_PARM;
4312  }
4313  }
4314  }
4315  else if (state == STATE_READING_UNQUOTED_PARM)
4316  {
4317  if (!backslash && space(in))
4318  {
4319  state = STATE_DONE;
4320  }
4321  else
4322  {
4323  out = in;
4324  }
4325  }
4326  else if (state == STATE_READING_QUOTED_PARM)
4327  {
4328  if (!backslash && in == '\"')
4329  {
4330  state = STATE_DONE;
4331  }
4332  else
4333  {
4334  out = in;
4335  }
4336  }
4337  else if (state == STATE_READING_SQUOTED_PARM)
4338  {
4339  if (in == '\'')
4340  {
4341  state = STATE_DONE;
4342  }
4343  else
4344  {
4345  out = in;
4346  }
4347  }
4348  if (state == STATE_DONE)
4349  {
4350  /* ASSERT (parm_len > 0); */
4351  p[ret] = gc_malloc(parm_len + 1, true, gc);
4352  memcpy(p[ret], parm, parm_len);
4353  p[ret][parm_len] = '\0';
4354  state = STATE_INITIAL;
4355  parm_len = 0;
4356  ++ret;
4357  }
4358 
4359  if (backslash && out)
4360  {
4361  if (!(out == '\\' || out == '\"' || space(out)))
4362  {
4363 #ifdef ENABLE_SMALL
4364  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
4365 #else
4366  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
4367 #endif
4368  return 0;
4369  }
4370  }
4371  backslash = false;
4372  }
4373 
4374  /* store parameter character */
4375  if (out)
4376  {
4377  if (parm_len >= SIZE(parm))
4378  {
4379  parm[SIZE(parm) - 1] = 0;
4380  msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
4381  error_prefix, file, line_num, (int) SIZE(parm), parm);
4382  return 0;
4383  }
4384  parm[parm_len++] = out;
4385  }
4386 
4387  /* avoid overflow if too many parms in one config file line */
4388  if (ret >= n)
4389  {
4390  break;
4391  }
4392 
4393  } while (*c++ != '\0');
4394 
4395  if (state == STATE_READING_QUOTED_PARM)
4396  {
4397  msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
4398  return 0;
4399  }
4400  if (state == STATE_READING_SQUOTED_PARM)
4401  {
4402  msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
4403  return 0;
4404  }
4405  if (state != STATE_INITIAL)
4406  {
4407  msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
4408  return 0;
4409  }
4410 #if 0
4411  {
4412  int i;
4413  for (i = 0; i < ret; ++i)
4414  {
4415  msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
4416  }
4417  }
4418 #endif
4419  return ret;
4420 }
4421 
4422 static void
4424 {
4425  if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
4426  {
4427  *p += 2;
4428  }
4429 }
4430 
4431 struct in_src {
4432 #define IS_TYPE_FP 1
4433 #define IS_TYPE_BUF 2
4434  int type;
4435  union {
4436  FILE *fp;
4438  } u;
4439 };
4440 
4441 static bool
4442 in_src_get(const struct in_src *is, char *line, const int size)
4443 {
4444  if (is->type == IS_TYPE_FP)
4445  {
4446  return BOOL_CAST(fgets(line, size, is->u.fp));
4447  }
4448  else if (is->type == IS_TYPE_BUF)
4449  {
4450  bool status = buf_parse(is->u.multiline, '\n', line, size);
4451  if ((int) strlen(line) + 1 < size)
4452  {
4453  strcat(line, "\n");
4454  }
4455  return status;
4456  }
4457  else
4458  {
4459  ASSERT(0);
4460  return false;
4461  }
4462 }
4463 
4464 static char *
4465 read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc)
4466 {
4467  char line[OPTION_LINE_SIZE];
4468  struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
4469  char *ret;
4470  bool endtagfound = false;
4471 
4472  while (in_src_get(is, line, sizeof(line)))
4473  {
4474  char *line_ptr = line;
4475  /* Remove leading spaces */
4476  while (isspace(*line_ptr))
4477  {
4478  line_ptr++;
4479  }
4480  if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
4481  {
4482  endtagfound = true;
4483  break;
4484  }
4485  if (!buf_safe(&buf, strlen(line)+1))
4486  {
4487  /* Increase buffer size */
4488  struct buffer buf2 = alloc_buf(buf.capacity * 2);
4489  ASSERT(buf_copy(&buf2, &buf));
4490  buf_clear(&buf);
4491  free_buf(&buf);
4492  buf = buf2;
4493  }
4494  buf_printf(&buf, "%s", line);
4495  }
4496  if (!endtagfound)
4497  {
4498  msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
4499  }
4500  ret = string_alloc(BSTR(&buf), gc);
4501  buf_clear(&buf);
4502  free_buf(&buf);
4503  secure_memzero(line, sizeof(line));
4504  return ret;
4505 }
4506 
4507 static bool
4508 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
4509 {
4510  bool ret = false;
4511  if (p[0] && !p[1])
4512  {
4513  char *arg = p[0];
4514  if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
4515  {
4516  struct buffer close_tag;
4517  arg[strlen(arg)-1] = '\0';
4518  p[0] = string_alloc(arg+1, gc);
4519  p[1] = string_alloc(INLINE_FILE_TAG, gc);
4520  close_tag = alloc_buf(strlen(p[0]) + 4);
4521  buf_printf(&close_tag, "</%s>", p[0]);
4522  p[2] = read_inline_file(is, BSTR(&close_tag), gc);
4523  p[3] = NULL;
4524  free_buf(&close_tag);
4525  ret = true;
4526  }
4527  }
4528  return ret;
4529 }
4530 
4531 static bool
4532 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
4533 {
4534  struct in_src is;
4535  is.type = IS_TYPE_FP;
4536  is.u.fp = fp;
4537  return check_inline_file(&is, p, gc);
4538 }
4539 
4540 static bool
4541 check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
4542 {
4543  struct in_src is;
4544  is.type = IS_TYPE_BUF;
4545  is.u.multiline = multiline;
4546  return check_inline_file(&is, p, gc);
4547 }
4548 
4549 static void
4550 add_option(struct options *options,
4551  char *p[],
4552  const char *file,
4553  int line,
4554  const int level,
4555  const int msglevel,
4556  const unsigned int permission_mask,
4557  unsigned int *option_types_found,
4558  struct env_set *es);
4559 
4560 static void
4561 read_config_file(struct options *options,
4562  const char *file,
4563  int level,
4564  const char *top_file,
4565  const int top_line,
4566  const int msglevel,
4567  const unsigned int permission_mask,
4568  unsigned int *option_types_found,
4569  struct env_set *es)
4570 {
4571  const int max_recursive_levels = 10;
4572  FILE *fp;
4573  int line_num;
4574  char line[OPTION_LINE_SIZE+1];
4575  char *p[MAX_PARMS+1];
4576 
4577  ++level;
4578  if (level <= max_recursive_levels)
4579  {
4580  if (streq(file, "stdin"))
4581  {
4582  fp = stdin;
4583  }
4584  else
4585  {
4586  fp = platform_fopen(file, "r");
4587  }
4588  if (fp)
4589  {
4590  line_num = 0;
4591  while (fgets(line, sizeof(line), fp))
4592  {
4593  int offset = 0;
4594  CLEAR(p);
4595  ++line_num;
4596  if (strlen(line) == OPTION_LINE_SIZE)
4597  {
4598  msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
4599  file, line_num, OPTION_LINE_SIZE, line);
4600  }
4601 
4602  /* Ignore UTF-8 BOM at start of stream */
4603  if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
4604  {
4605  offset = 3;
4606  }
4607  if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
4608  {
4609  bypass_doubledash(&p[0]);
4610  check_inline_file_via_fp(fp, p, &options->gc);
4611  add_option(options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
4612  }
4613  }
4614  if (fp != stdin)
4615  {
4616  fclose(fp);
4617  }
4618  }
4619  else
4620  {
4621  msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
4622  }
4623  }
4624  else
4625  {
4626  msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
4627  }
4628  secure_memzero(line, sizeof(line));
4629  CLEAR(p);
4630 }
4631 
4632 static void
4633 read_config_string(const char *prefix,
4634  struct options *options,
4635  const char *config,
4636  const int msglevel,
4637  const unsigned int permission_mask,
4638  unsigned int *option_types_found,
4639  struct env_set *es)
4640 {
4641  char line[OPTION_LINE_SIZE];
4642  struct buffer multiline;
4643  int line_num = 0;
4644 
4645  buf_set_read(&multiline, (uint8_t *)config, strlen(config));
4646 
4647  while (buf_parse(&multiline, '\n', line, sizeof(line)))
4648  {
4649  char *p[MAX_PARMS+1];
4650  CLEAR(p);
4651  ++line_num;
4652  if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
4653  {
4654  bypass_doubledash(&p[0]);
4655  check_inline_file_via_buf(&multiline, p, &options->gc);
4656  add_option(options, p, prefix, line_num, 0, msglevel, permission_mask, option_types_found, es);
4657  }
4658  CLEAR(p);
4659  }
4660  secure_memzero(line, sizeof(line));
4661 }
4662 
4663 void
4664 parse_argv(struct options *options,
4665  const int argc,
4666  char *argv[],
4667  const int msglevel,
4668  const unsigned int permission_mask,
4669  unsigned int *option_types_found,
4670  struct env_set *es)
4671 {
4672  int i, j;
4673 
4674  /* usage message */
4675  if (argc <= 1)
4676  {
4677  usage();
4678  }
4679 
4680  /* config filename specified only? */
4681  if (argc == 2 && strncmp(argv[1], "--", 2))
4682  {
4683  char *p[MAX_PARMS];
4684  CLEAR(p);
4685  p[0] = "config";
4686  p[1] = argv[1];
4687  add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
4688  }
4689  else
4690  {
4691  /* parse command line */
4692  for (i = 1; i < argc; ++i)
4693  {
4694  char *p[MAX_PARMS];
4695  CLEAR(p);
4696  p[0] = argv[i];
4697  if (strncmp(p[0], "--", 2))
4698  {
4699  msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
4700  }
4701  else
4702  {
4703  p[0] += 2;
4704  }
4705 
4706  for (j = 1; j < MAX_PARMS; ++j)
4707  {
4708  if (i + j < argc)
4709  {
4710  char *arg = argv[i + j];
4711  if (strncmp(arg, "--", 2))
4712  {
4713  p[j] = arg;
4714  }
4715  else
4716  {
4717  break;
4718  }
4719  }
4720  }
4721  add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
4722  i += j - 1;
4723  }
4724  }
4725 }
4726 
4735 static bool
4736 apply_pull_filter(const struct options *o, char *line)
4737 {
4738  struct pull_filter *f;
4739 
4740  if (!o->pull_filter_list)
4741  {
4742  return true;
4743  }
4744 
4745  for (f = o->pull_filter_list->head; f; f = f->next)
4746  {
4747  if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
4748  {
4749  msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
4750  return true;
4751  }
4752  else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
4753  {
4754  msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
4755  *line = '\0';
4756  return true;
4757  }
4758  else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
4759  {
4760  msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
4761  *line = '\0';
4762  throw_signal_soft(SIGUSR1, "Offending option received from server");
4763  return false;
4764  }
4765  }
4766  return true;
4767 }
4768 
4769 bool
4770 apply_push_options(struct options *options,
4771  struct buffer *buf,
4772  unsigned int permission_mask,
4773  unsigned int *option_types_found,
4774  struct env_set *es)
4775 {
4776  char line[OPTION_PARM_SIZE];
4777  int line_num = 0;
4778  const char *file = "[PUSH-OPTIONS]";
4779  const int msglevel = D_PUSH_ERRORS|M_OPTERR;
4780 
4781  while (buf_parse(buf, ',', line, sizeof(line)))
4782  {
4783  char *p[MAX_PARMS+1];
4784  CLEAR(p);
4785  ++line_num;
4786  if (!apply_pull_filter(options, line))
4787  {
4788  return false; /* Cause push/pull error and stop push processing */
4789  }
4790  if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
4791  {
4792  add_option(options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
4793  }
4794  }
4795  return true;
4796 }
4797 
4798 void
4799 options_server_import(struct options *o,
4800  const char *filename,
4801  int msglevel,
4802  unsigned int permission_mask,
4803  unsigned int *option_types_found,
4804  struct env_set *es)
4805 {
4806  msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
4807  read_config_file(o,
4808  filename,
4809  0,
4810  filename,
4811  0,
4812  msglevel,
4813  permission_mask,
4814  option_types_found,
4815  es);
4816 }
4817 
4818 void
4819 options_string_import(struct options *options,
4820  const char *config,
4821  const int msglevel,
4822  const unsigned int permission_mask,
4823  unsigned int *option_types_found,
4824  struct env_set *es)
4825 {
4826  read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
4827 }
4828 
4829 #if P2MP
4830 
4831 #define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, msglevel, options)) {goto err;}}
4832 
4833 static bool
4834 verify_permission(const char *name,
4835  const char *file,
4836  int line,
4837  const unsigned int type,
4838  const unsigned int allowed,
4839  unsigned int *found,
4840  const int msglevel,
4841  struct options *options)
4842 {
4843  if (!(type & allowed))
4844  {
4845  msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
4846  return false;
4847  }
4848 
4849  if (found)
4850  {
4851  *found |= type;
4852  }
4853 
4854 #ifndef ENABLE_SMALL
4855  /* Check if this options is allowed in connection block,
4856  * but we are currently not in a connection block
4857  * unless this is a pushed option.
4858  * Parsing a connection block uses a temporary options struct without
4859  * connection_list
4860  */
4861 
4862  if ((type & OPT_P_CONNECTION) && options->connection_list
4863  && !(allowed & OPT_P_PULL_MODE))
4864  {
4865  if (file)
4866  {
4867  msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
4868  }
4869  else
4870  {
4871  msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
4872  }
4873  }
4874 #endif
4875  return true;
4876 }
4877 
4878 #else /* if P2MP */
4879 
4880 #define VERIFY_PERMISSION(mask)
4881 
4882 #endif /* if P2MP */
4883 
4884 /*
4885  * Check that an option doesn't have too
4886  * many parameters.
4887  */
4888 
4889 #define NM_QUOTE_HINT (1<<0)
4890 
4891 static bool
4892 no_more_than_n_args(const int msglevel,
4893  char *p[],
4894  const int max,
4895  const unsigned int flags)
4896 {
4897  const int len = string_array_len((const char **)p);
4898 
4899  if (!len)
4900  {
4901  return false;
4902  }
4903 
4904  if (len > max)
4905  {
4906  msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
4907  p[0],
4908  max - 1,
4909  max >= 3 ? "s" : "",
4910  (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
4911  return false;
4912  }
4913  else
4914  {
4915  return true;
4916  }
4917 }
4918 
4919 static inline int
4920 msglevel_forward_compatible(struct options *options, const int msglevel)
4921 {
4922  return options->forward_compatible ? M_WARN : msglevel;
4923 }
4924 
4925 static void
4926 set_user_script(struct options *options,
4927  const char **script,
4928  const char *new_script,
4929  const char *type,
4930  bool in_chroot)
4931 {
4932  if (*script)
4933  {
4934  msg(M_WARN, "Multiple --%s scripts defined. "
4935  "The previously configured script is overridden.", type);
4936  }
4937  *script = new_script;
4938  options->user_script_used = true;
4939 
4940 #ifndef ENABLE_SMALL
4941  {
4942  char script_name[100];
4943  openvpn_snprintf(script_name, sizeof(script_name),
4944  "--%s script", type);
4945 
4946  if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
4947  {
4948  msg(M_USAGE, "Please correct this error.");
4949  }
4950 
4951  }
4952 #endif
4953 }
4954 
4955 
4956 static void
4957 add_option(struct options *options,
4958  char *p[],
4959  const char *file,
4960  int line,
4961  const int level,
4962  const int msglevel,
4963  const unsigned int permission_mask,
4964  unsigned int *option_types_found,
4965  struct env_set *es)
4966 {
4967  struct gc_arena gc = gc_new();
4968  const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
4969  int msglevel_fc = msglevel_forward_compatible(options, msglevel);
4970 
4971  ASSERT(MAX_PARMS >= 7);
4972 
4973  /*
4974  * If directive begins with "setenv opt" prefix, don't raise an error if
4975  * directive is unrecognized.
4976  */
4977  if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
4978  {
4979  if (!p[2])
4980  {
4981  p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
4982  }
4983  p += 2;
4984  msglevel_fc = M_WARN;
4985  }
4986 
4987  if (!file)
4988  {
4989  file = "[CMD-LINE]";
4990  line = 1;
4991  }
4992  if (streq(p[0], "help"))
4993  {
4995  usage();
4996  if (p[1])
4997  {
4998  msg(msglevel, "--help does not accept any parameters");
4999  goto err;
5000  }
5001  }
5002  if (streq(p[0], "version") && !p[1])
5003  {
5005  usage_version();
5006  }
5007  else if (streq(p[0], "config") && p[1] && !p[2])
5008  {
5010 
5011  /* save first config file only in options */
5012  if (!options->config)
5013  {
5014  options->config = p[1];
5015  }
5016 
5017  read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5018  }
5019 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5020  else if (streq(p[0], "show-gateway") && !p[2])
5021  {
5022  struct route_gateway_info rgi;
5023  struct route_ipv6_gateway_info rgi6;
5024  struct in6_addr remote = IN6ADDR_ANY_INIT;
5026  if (p[1])
5027  {
5028  get_ipv6_addr(p[1], &remote, NULL, M_WARN);
5029  }
5030  get_default_gateway(&rgi);
5031  get_default_gateway_ipv6(&rgi6, &remote);
5032  print_default_gateway(M_INFO, &rgi, &rgi6);
5033  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5034  }
5035 #endif
5036 #if 0
5037  else if (streq(p[0], "foreign-option") && p[1])
5038  {
5040  foreign_option(options, p, 3, es);
5041  }
5042 #endif
5043  else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5044  {
5045  struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5046  int j;
5047  bool good = true;
5048 
5050 
5051  for (j = 1; j < MAX_PARMS; ++j)
5052  {
5053  if (!p[j])
5054  {
5055  break;
5056  }
5057  if (j > 1)
5058  {
5059  good &= buf_printf(&string, " ");
5060  }
5061  good &= buf_printf(&string, "%s", p[j]);
5062  }
5063  if (good)
5064  {
5065 #if 0
5066  /* removed for now since ECHO can potentially include
5067  * security-sensitive strings */
5068  msg(M_INFO, "%s:%s",
5069  pull_mode ? "ECHO-PULL" : "ECHO",
5070  BSTR(&string));
5071 #endif
5072 #ifdef ENABLE_MANAGEMENT
5073  if (management)
5074  {
5075  management_echo(management, BSTR(&string), pull_mode);
5076  }
5077 #endif
5078  }
5079  else
5080  {
5081  msg(M_WARN, "echo/parameter option overflow");
5082  }
5083  }
5084 #ifdef ENABLE_MANAGEMENT
5085  else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5086  {
5088  if (streq(p[2], "unix"))
5089  {
5090 #if UNIX_SOCK_SUPPORT
5091  options->management_flags |= MF_UNIX_SOCK;
5092 #else
5093  msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5094  goto err;
5095 #endif
5096  }
5097 
5098  options->management_addr = p[1];
5099  options->management_port = p[2];
5100  if (p[3])
5101  {
5102  options->management_user_pass = p[3];
5103  }
5104  }
5105  else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5106  {
5108  options->management_client_user = p[1];
5109  }
5110  else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5111  {
5113  options->management_client_group = p[1];
5114  }
5115  else if (streq(p[0], "management-query-passwords") && !p[1])
5116  {
5119  }
5120  else if (streq(p[0], "management-query-remote") && !p[1])
5121  {
5123  options->management_flags |= MF_QUERY_REMOTE;
5124  }
5125  else if (streq(p[0], "management-query-proxy") && !p[1])
5126  {
5128  options->management_flags |= MF_QUERY_PROXY;
5129  }
5130  else if (streq(p[0], "management-hold") && !p[1])
5131  {
5133  options->management_flags |= MF_HOLD;
5134  }
5135  else if (streq(p[0], "management-signal") && !p[1])
5136  {
5138  options->management_flags |= MF_SIGNAL;
5139  }
5140  else if (streq(p[0], "management-forget-disconnect") && !p[1])
5141  {
5144  }
5145  else if (streq(p[0], "management-up-down") && !p[1])
5146  {
5148  options->management_flags |= MF_UP_DOWN;
5149  }
5150  else if (streq(p[0], "management-client") && !p[2])
5151  {
5154  options->management_write_peer_info_file = p[1];
5155  }
5156 #ifdef MANAGMENT_EXTERNAL_KEY
5157  else if (streq(p[0], "management-external-key") && !p[1])
5158  {
5160  options->management_flags |= MF_EXTERNAL_KEY;
5161  }
5162  else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5163  {
5165  options->management_flags |= MF_EXTERNAL_CERT;
5166  options->management_certificate = p[1];
5167  }
5168 #endif
5169 #ifdef MANAGEMENT_DEF_AUTH
5170  else if (streq(p[0], "management-client-auth") && !p[1])
5171  {
5173  options->management_flags |= MF_CLIENT_AUTH;
5174  }
5175 #endif
5176 #ifdef MANAGEMENT_PF
5177  else if (streq(p[0], "management-client-pf") && !p[1])
5178  {
5180  options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
5181  }
5182 #endif
5183  else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5184  {
5185  int cache;
5186 
5188  cache = atoi(p[1]);
5189  if (cache < 1)
5190  {
5191  msg(msglevel, "--management-log-cache parameter is out of range");
5192  goto err;
5193  }
5194  options->management_log_history_cache = cache;
5195  }
5196 #endif /* ifdef ENABLE_MANAGEMENT */
5197 #ifdef ENABLE_PLUGIN
5198  else if (streq(p[0], "plugin") && p[1])
5199  {
5201  if (!options->plugin_list)
5202  {
5203  options->plugin_list = plugin_option_list_new(&options->gc);
5204  }
5205  if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5206  {
5207  msg(msglevel, "plugin add failed: %s", p[1]);
5208  goto err;
5209  }
5210  }
5211 #endif
5212  else if (streq(p[0], "mode") && p[1] && !p[2])
5213  {
5215  if (streq(p[1], "p2p"))
5216  {
5217  options->mode = MODE_POINT_TO_POINT;
5218  }
5219 #if P2MP_SERVER
5220  else if (streq(p[1], "server"))
5221  {
5222  options->mode = MODE_SERVER;
5223  }
5224 #endif
5225  else
5226  {
5227  msg(msglevel, "Bad --mode parameter: %s", p[1]);
5228  goto err;
5229  }
5230  }
5231  else if (streq(p[0], "dev") && p[1] && !p[2])
5232  {
5234  options->dev = p[1];
5235  }
5236  else if (streq(p[0], "dev-type") && p[1] && !p[2])
5237  {
5239  options->dev_type = p[1];
5240  }
5241  else if (streq(p[0], "dev-node") && p[1] && !p[2])
5242  {
5244  options->dev_node = p[1];
5245  }
5246  else if (streq(p[0], "lladdr") && p[1] && !p[2])
5247  {
5249  if (mac_addr_safe(p[1])) /* MAC address only */
5250  {
5251  options->lladdr = p[1];
5252  }
5253  else
5254  {
5255  msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5256  goto err;
5257  }
5258  }
5259  else if (streq(p[0], "topology") && p[1] && !p[2])
5260  {
5262  options->topology = parse_topology(p[1], msglevel);
5263  }
5264  else if (streq(p[0], "tun-ipv6") && !p[1])
5265  {
5266  if (!pull_mode)
5267  {
5268  msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5269  }
5270  }
5271 #ifdef ENABLE_IPROUTE
5272  else if (streq(p[0], "iproute") && p[1] && !p[2])
5273  {
5275  iproute_path = p[1];
5276  }
5277 #endif
5278  else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5279  {
5281  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5282  {
5283  options->ifconfig_local = p[1];
5284  options->ifconfig_remote_netmask = p[2];
5285  }
5286  else
5287  {
5288  msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5289  goto err;
5290  }
5291  }
5292  else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
5293  {
5294  unsigned int netbits;
5295 
5297  if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
5298  && ipv6_addr_safe( p[2] ) )
5299  {
5300  if (netbits < 64 || netbits > 124)
5301  {
5302  msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
5303  goto err;
5304  }
5305 
5306  options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
5307  options->ifconfig_ipv6_netbits = netbits;
5308  options->ifconfig_ipv6_remote = p[2];
5309  }
5310  else
5311  {
5312  msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5313  goto err;
5314  }
5315  }
5316  else if (streq(p[0], "ifconfig-noexec") && !p[1])
5317  {
5319  options->ifconfig_noexec = true;
5320  }
5321  else if (streq(p[0], "ifconfig-nowarn") && !p[1])
5322  {
5324  options->ifconfig_nowarn = true;
5325  }
5326  else if (streq(p[0], "local") && p[1] && !p[2])
5327  {
5329  options->ce.local = p[1];
5330  }
5331  else if (streq(p[0], "remote-random") && !p[1])
5332  {
5334  options->remote_random = true;
5335  }
5336  else if (streq(p[0], "connection") && p[1] && !p[3])
5337  {
5339  if (streq(p[1], INLINE_FILE_TAG) && p[2])
5340  {
5341  struct options sub;
5342  struct connection_entry *e;
5343 
5344  init_options(&sub, true);
5345  sub.ce = options->ce;
5346  read_config_string("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es);
5347  if (!sub.ce.remote)
5348  {
5349  msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
5350  uninit_options(&sub);
5351  goto err;
5352  }
5353 
5354  e = alloc_connection_entry(options, msglevel);
5355  if (!e)
5356  {
5357  uninit_options(&sub);
5358  goto err;
5359  }
5360  *e = sub.ce;
5361  gc_transfer(&options->gc, &sub.gc);
5362  uninit_options(&sub);
5363  }
5364  }
5365  else if (streq(p[0], "ignore-unknown-option") && p[1])
5366  {
5367  int i;
5368  int j;
5369  int numignored = 0;
5370  const char **ignore;
5371 
5373  /* Find out how many options to be ignored */
5374  for (i = 1; p[i]; i++)
5375  {
5376  numignored++;
5377  }
5378 
5379  /* add number of options already ignored */
5380  for (i = 0; options->ignore_unknown_option
5381  && options->ignore_unknown_option[i]; i++)
5382  {
5383  numignored++;
5384  }
5385 
5386  /* Allocate array */
5387  ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
5388  for (i = 0; options->ignore_unknown_option
5389  && options->ignore_unknown_option[i]; i++)
5390  {
5391  ignore[i] = options->ignore_unknown_option[i];
5392  }
5393 
5394  options->ignore_unknown_option = ignore;
5395 
5396  for (j = 1; p[j]; j++)
5397  {
5398  /* Allow the user to specify ignore-unknown-option --opt too */
5399  if (p[j][0]=='-' && p[j][1]=='-')
5400  {
5401  options->ignore_unknown_option[i] = (p[j]+2);
5402  }
5403  else
5404  {
5405  options->ignore_unknown_option[i] = p[j];
5406  }
5407  i++;
5408  }
5409 
5410  options->ignore_unknown_option[i] = NULL;
5411  }
5412 #if ENABLE_MANAGEMENT
5413  else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
5414  {
5416  options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
5417  if (!options->http_proxy_override)
5418  {
5419  goto err;
5420  }
5421  }
5422 #endif
5423  else if (streq(p[0], "remote") && p[1] && !p[4])
5424  {
5425  struct remote_entry re;
5426  re.remote = re.remote_port = NULL;
5427  re.proto = -1;
5428  re.af = 0;
5429 
5431  re.remote = p[1];
5432  if (p[2])
5433  {
5434  re.remote_port = p[2];
5435  if (p[3])
5436  {
5437  const int proto = ascii2proto(p[3]);
5438  const sa_family_t af = ascii2af(p[3]);
5439  if (proto < 0)
5440  {
5441  msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
5442  goto err;
5443  }
5444  re.proto = proto;
5445  re.af = af;
5446  }
5447  }
5448  if (permission_mask & OPT_P_GENERAL)
5449  {
5450  struct remote_entry *e = alloc_remote_entry(options, msglevel);
5451  if (!e)
5452  {
5453  goto err;
5454  }
5455  *e = re;
5456  }
5457  else if (permission_mask & OPT_P_CONNECTION)
5458  {
5459  connection_entry_load_re(&options->ce, &re);
5460  }
5461  }
5462  else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
5463  {
5465  if (streq(p[1], "infinite"))
5466  {
5468  }
5469  else
5470  {
5471  options->resolve_retry_seconds = positive_atoi(p[1]);
5472  }
5473  }
5474  else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
5475  {
5477  options->resolve_in_advance = true;
5478  /* Note the ip-remote-hint and the argument p[1] are for
5479  * backward compatibility */
5480  if (p[1])
5481  {
5482  options->ip_remote_hint = p[1];
5483  }
5484  }
5485  else if (streq(p[0], "connect-retry") && p[1] && !p[3])
5486  {
5488  options->ce.connect_retry_seconds = positive_atoi(p[1]);
5489  /*
5490  * Limit the base value of retry wait interval to 16 bits to avoid
5491  * overflow when scaled up for exponential backoff
5492  */
5493  if (options->ce.connect_retry_seconds > 0xFFFF)
5494  {
5495  options->ce.connect_retry_seconds = 0xFFFF;
5496  msg(M_WARN, "connect retry wait interval truncated to %d",
5497  options->ce.connect_retry_seconds);
5498  }
5499 
5500  if (p[2])
5501  {
5502  options->ce.connect_retry_seconds_max =
5503  max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
5504  }
5505  }
5506  else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
5507  && p[1] && !p[2])
5508  {
5510  options->ce.connect_timeout = positive_atoi(p[1]);
5511  }
5512  else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
5513  {
5515  options->connect_retry_max = positive_atoi(p[1]);
5516  }
5517  else if (streq(p[0], "ipchange") && p[1])
5518  {
5520  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5521  {
5522  goto err;
5523  }
5524  set_user_script(options,
5525  &options->ipchange,
5526  string_substitute(p[1], ',', ' ', &options->gc),
5527  "ipchange", true);
5528  }
5529  else if (streq(p[0], "float") && !p[1])
5530  {
5532  options->ce.remote_float = true;
5533  }
5534 #ifdef ENABLE_DEBUG
5535  else if (streq(p[0], "gremlin") && p[1] && !p[2])
5536  {
5538  options->gremlin = positive_atoi(p[1]);
5539  }
5540 #endif
5541  else if (streq(p[0], "chroot") && p[1] && !p[2])
5542  {
5544  options->chroot_dir = p[1];
5545  }
5546  else if (streq(p[0], "cd") && p[1] && !p[2])
5547  {
5549  if (platform_chdir(p[1]))
5550  {
5551  msg(M_ERR, "cd to '%s' failed", p[1]);
5552  goto err;
5553  }
5554  options->cd_dir = p[1];
5555  }
5556 #ifdef ENABLE_SELINUX
5557  else if (streq(p[0], "setcon") && p[1] && !p[2])
5558  {
5560  options->selinux_context = p[1];
5561  }
5562 #endif
5563  else if (streq(p[0], "writepid") && p[1] && !p[2])
5564  {
5566  options->writepid = p[1];
5567  }
5568  else if (streq(p[0], "up") && p[1])
5569  {
5571  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5572  {
5573  goto err;
5574  }
5575  set_user_script(options, &options->up_script, p[1], "up", false);
5576  }
5577  else if (streq(p[0], "down") && p[1])
5578  {
5580  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5581  {
5582  goto err;
5583  }
5584  set_user_script(options, &options->down_script, p[1], "down", true);
5585  }
5586  else if (streq(p[0], "down-pre") && !p[1])
5587  {
5589  options->down_pre = true;
5590  }
5591  else if (streq(p[0], "up-delay") && !p[1])
5592  {
5594  options->up_delay = true;
5595  }
5596  else if (streq(p[0], "up-restart") && !p[1])
5597  {
5599  options->up_restart = true;
5600  }
5601  else if (streq(p[0], "syslog") && !p[2])
5602  {
5604  open_syslog(p[1], false);
5605  }
5606  else if (streq(p[0], "daemon") && !p[2])
5607  {
5608  bool didit = false;
5610  if (!options->daemon)
5611  {
5612  options->daemon = didit = true;
5613  open_syslog(p[1], false);
5614  }
5615  if (p[1])
5616  {
5617  if (!didit)
5618  {
5619  msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
5620  goto err;
5621  }
5622  }
5623  }
5624  else if (streq(p[0], "inetd") && !p[3])
5625  {
5627  if (!options->inetd)
5628  {
5629  int z;
5630  const char *name = NULL;
5631  const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
5632 
5633  options->inetd = -1;
5634 
5635  for (z = 1; z <= 2; ++z)
5636  {
5637  if (p[z])
5638  {
5639  if (streq(p[z], "wait"))
5640  {
5641  if (options->inetd != -1)
5642  {
5643  msg(msglevel, "%s", opterr);
5644  goto err;
5645  }
5646  else
5647  {
5648  options->inetd = INETD_WAIT;
5649  }
5650  }
5651  else if (streq(p[z], "nowait"))
5652  {
5653  if (options->inetd != -1)
5654  {
5655  msg(msglevel, "%s", opterr);
5656  goto err;
5657  }
5658  else
5659  {
5660  options->inetd = INETD_NOWAIT;
5661  }
5662  }
5663  else
5664  {
5665  if (name != NULL)
5666  {
5667  msg(msglevel, "%s", opterr);
5668  goto err;
5669  }
5670  name = p[z];
5671  }
5672  }
5673  }
5674 
5675  /* default */
5676  if (options->inetd == -1)
5677  {
5678  options->inetd = INETD_WAIT;
5679  }
5680 
5682  open_syslog(name, true);
5683  }
5684  }
5685  else if (streq(p[0], "log") && p[1] && !p[2])
5686  {
5688  options->log = true;
5689  redirect_stdout_stderr(p[1], false);
5690  }
5691  else if (streq(p[0], "suppress-timestamps") && !p[1])
5692  {
5694  options->suppress_timestamps = true;
5696  }
5697  else if (streq(p[0], "machine-readable-output") && !p[1])
5698  {
5700  options->machine_readable_output = true;
5702  }
5703  else if (streq(p[0], "log-append") && p[1] && !p[2])
5704  {
5706  options->log = true;
5707  redirect_stdout_stderr(p[1], true);
5708  }
5709 #ifdef ENABLE_MEMSTATS
5710  else if (streq(p[0], "memstats") && p[1] && !p[2])
5711  {
5713  options->memstats_fn = p[1];
5714  }
5715 #endif
5716  else if (streq(p[0], "mlock") && !p[1])
5717  {
5719  options->mlock = true;
5720  }
5721 #if ENABLE_IP_PKTINFO
5722  else if (streq(p[0], "multihome") && !p[1])
5723  {
5725  options->sockflags |= SF_USE_IP_PKTINFO;
5726  }
5727 #endif
5728  else