OpenVPN
options.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
25 /*
26  * 2004-01-28: Added Socks5 proxy support
27  * (Christof Meerwald, http://cmeerw.org)
28  */
29 
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35 #ifdef HAVE_CONFIG_VERSION_H
36 #include "config-version.h"
37 #endif
38 
39 #include "syshead.h"
40 
41 #include "buffer.h"
42 #include "error.h"
43 #include "common.h"
44 #include "run_command.h"
45 #include "shaper.h"
46 #include "crypto.h"
47 #include "ssl.h"
48 #include "options.h"
49 #include "misc.h"
50 #include "socket.h"
51 #include "packet_id.h"
52 #include "pkcs11.h"
53 #include "win32.h"
54 #include "push.h"
55 #include "pool.h"
56 #include "helper.h"
57 #include "manage.h"
58 #include "forward.h"
59 #include "ssl_verify.h"
60 #include "platform.h"
61 #include <ctype.h>
62 
63 #include "memdbg.h"
64 
65 const char title_string[] =
67 #ifdef CONFIGURE_GIT_REVISION
68  " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
69 #endif
70  " " TARGET_ALIAS
71 #if defined(ENABLE_CRYPTO_MBEDTLS)
72  " [SSL (mbed TLS)]"
73 #elif defined(ENABLE_CRYPTO_OPENSSL)
74  " [SSL (OpenSSL)]"
75 #else
76  " [SSL]"
77 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
78 #ifdef USE_COMP
79 #ifdef ENABLE_LZO
80  " [LZO]"
81 #endif
82 #ifdef ENABLE_LZ4
83  " [LZ4]"
84 #endif
85 #ifdef ENABLE_COMP_STUB
86  " [COMP_STUB]"
87 #endif
88 #endif /* USE_COMP */
89 #if EPOLL
90  " [EPOLL]"
91 #endif
92 #ifdef PRODUCT_TAP_DEBUG
93  " [TAPDBG]"
94 #endif
95 #ifdef ENABLE_PKCS11
96  " [PKCS11]"
97 #endif
98 #if ENABLE_IP_PKTINFO
99 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
100  " [MH/PKTINFO]"
101 #elif defined(IP_RECVDSTADDR)
102  " [MH/RECVDA]"
103 #endif
104 #endif
105 #ifdef HAVE_AEAD_CIPHER_MODES
106  " [AEAD]"
107 #endif
108  " built on " __DATE__
109 ;
110 
111 #ifndef ENABLE_SMALL
112 
113 static const char usage_message[] =
114  "%s\n"
115  "\n"
116  "General Options:\n"
117  "--config file : Read configuration options from file.\n"
118  "--help : Show options.\n"
119  "--version : Show copyright and version information.\n"
120  "\n"
121  "Tunnel Options:\n"
122  "--local host : Local host name or ip address. Implies --bind.\n"
123  "--remote host [port] : Remote host name or ip address.\n"
124  "--remote-random : If multiple --remote options specified, choose one randomly.\n"
125  "--remote-random-hostname : Add a random string to remote DNS name.\n"
126  "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
127  "--proto p : Use protocol p for communicating with peer.\n"
128  " p = udp (default), tcp-server, or tcp-client\n"
129  "--proto-force p : only consider protocol p in list of connection profiles.\n"
130  " p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
131  "--connect-retry n [m] : For client, number of seconds to wait between\n"
132  " connection retries (default=%d). On repeated retries\n"
133  " the wait time is exponentially increased to a maximum of m\n"
134  " (default=%d).\n"
135  "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
136  "--http-proxy s p [up] [auth] : Connect to remote host\n"
137  " through an HTTP proxy at address s and port p.\n"
138  " If proxy authentication is required,\n"
139  " up is a file containing username/password on 2 lines, or\n"
140  " 'stdin' to prompt from console. Add auth='ntlm' if\n"
141  " the proxy requires NTLM authentication.\n"
142  "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
143  " determine auth method and query for username/password\n"
144  " if needed. auto-nct disables weak proxy auth methods.\n"
145  "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
146  " Repeat to set multiple options.\n"
147  " VERSION version (default=1.0)\n"
148  " AGENT user-agent\n"
149  "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
150  " address s and port p (default port = 1080).\n"
151  " If proxy authentication is required,\n"
152  " up is a file containing username/password on 2 lines, or\n"
153  " 'stdin' to prompt for console.\n"
154  "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
155  "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
156  " resolve for n seconds before failing (disabled by default).\n"
157  " Set n=\"infinite\" to retry indefinitely.\n"
158  "--float : Allow remote to change its IP address/port, such as through\n"
159  " DHCP (this is the default if --remote is not used).\n"
160  "--ipchange cmd : Run command cmd on remote ip address initial\n"
161  " setting or change -- execute as: cmd ip-address port#\n"
162  "--port port : TCP/UDP port # for both local and remote.\n"
163  "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
164  "--rport port : TCP/UDP port # for remote (default=%s).\n"
165  "--bind : Bind to local address and port. (This is the default unless\n"
166  " --proto tcp-client"
167  " or --http-proxy"
168  " or --socks-proxy"
169  " is used).\n"
170  "--nobind : Do not bind to local address and port.\n"
171  "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
172  "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
173  " this option only if the tun/tap device used with --dev\n"
174  " does not begin with \"tun\" or \"tap\".\n"
175  "--dev-node node : Explicitly set the device node rather than using\n"
176  " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
177  "--lladdr hw : Set the link layer address of the tap device.\n"
178  "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
179 #ifdef ENABLE_IPROUTE
180  "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
181 #endif
182  "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
183  " endpoint and rn as a remote endpoint. l & rn should be\n"
184  " swapped on the other peer. l & rn must be private\n"
185  " addresses outside of the subnets used by either peer.\n"
186  " TAP: configure device to use IP address l as a local\n"
187  " endpoint and rn as a subnet mask.\n"
188  "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
189  " endpoint (as a /64) and r as remote endpoint\n"
190  "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
191  " pass --ifconfig parms by environment to scripts.\n"
192  "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
193  " connection doesn't match the remote side.\n"
194  "--route network [netmask] [gateway] [metric] :\n"
195  " Add route to routing table after connection\n"
196  " is established. Multiple routes can be specified.\n"
197  " netmask default: 255.255.255.255\n"
198  " gateway default: taken from --route-gateway or --ifconfig\n"
199  " Specify default by leaving blank or setting to \"nil\".\n"
200  "--route-ipv6 network/bits [gateway] [metric] :\n"
201  " Add IPv6 route to routing table after connection\n"
202  " is established. Multiple routes can be specified.\n"
203  " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
204  " in --ifconfig-ipv6\n"
205  "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
206  "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
207  "--route-metric m : Specify a default metric for use with --route.\n"
208  "--route-delay n [w] : Delay n seconds after connection initiation before\n"
209  " adding routes (may be 0). If not specified, routes will\n"
210  " be added immediately after tun/tap open. On Windows, wait\n"
211  " up to w seconds for TUN/TAP adapter to come up.\n"
212  "--route-up cmd : Run command cmd after routes are added.\n"
213  "--route-pre-down cmd : Run command cmd before routes are removed.\n"
214  "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
215  " --route-up script using environmental variables.\n"
216  "--route-nopull : When used with --client or --pull, accept options pushed\n"
217  " by server EXCEPT for routes and dhcp options.\n"
218  "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
219  " --ifconfig, --route, and --route-gateway.\n"
220  "--redirect-gateway [flags]: Automatically execute routing\n"
221  " commands to redirect all outgoing IP traffic through the\n"
222  " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
223  " connected via a common subnet, such as with WiFi.\n"
224  " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
225  " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
226  " flag to add a direct route to DHCP server, bypassing tunnel.\n"
227  " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
228  "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
229  " the default gateway. Useful when pushing private subnets.\n"
230  "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
231  " ICMPv6 host unreachable messages on the client.\n"
232  " (Server) Instead of forwarding IPv6 packets send\n"
233  " ICMPv6 host unreachable packets to the client.\n"
234  "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
235  "--push-peer-info : (client only) push client info to server.\n"
236  "--setenv name value : Set a custom environmental variable to pass to script.\n"
237  "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
238  " directives for future OpenVPN versions to be ignored.\n"
239  "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
240  " these options to be ignored when unknown\n"
241  "--script-security level: Where level can be:\n"
242  " 0 -- strictly no calling of external programs\n"
243  " 1 -- (default) only call built-ins such as ifconfig\n"
244  " 2 -- allow calling of built-ins and scripts\n"
245  " 3 -- allow password to be passed to scripts via env\n"
246  "--shaper n : Restrict output to peer to n bytes per second.\n"
247  "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
248  " ping once every n seconds, restart if ping not received\n"
249  " for m seconds.\n"
250  "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
251  " produces a combined in/out byte count < bytes.\n"
252  "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
253  "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
254  "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
255  " remote address.\n"
256  "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
257 #if ENABLE_IP_PKTINFO
258  "--multihome : Configure a multi-homed UDP server.\n"
259 #endif
260  "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
261  "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
262  "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
263  "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
264  "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
265  "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
266 #if PASSTOS_CAPABILITY
267  "--passtos : TOS passthrough (applies to IPv4 only).\n"
268 #endif
269  "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
270  " TCP/UDP MTU from it (default=%d).\n"
271  "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
272  " as n bytes more than the tun-mtu size on read\n"
273  " (default TUN=0 TAP=%d).\n"
274  "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
275  " from it.\n"
276  "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
277  " 'no' -- Never send DF (Don't Fragment) frames\n"
278  " 'maybe' -- Use per-route hints\n"
279  " 'yes' -- Always DF (Don't Fragment)\n"
280 #ifdef ENABLE_OCC
281  "--mtu-test : Empirically measure and report MTU.\n"
282 #endif
283 #ifdef ENABLE_FRAGMENT
284  "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
285  " datagrams are sent which are larger than max bytes.\n"
286  " Adds 4 bytes of overhead per datagram.\n"
287 #endif
288  "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
289  " or --fragment max value, whichever is lower.\n"
290  "--sndbuf size : Set the TCP/UDP send buffer size.\n"
291  "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
292 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
293  "--mark value : Mark encrypted packets being sent with value. The mark value\n"
294  " can be matched in policy routing and packetfilter rules.\n"
295 #endif
296  "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
297 #ifdef ENABLE_MEMSTATS
298  "--memstats file : Write live usage stats to memory mapped binary file.\n"
299 #endif
300  "--mlock : Disable Paging -- ensures key material and tunnel\n"
301  " data will never be written to disk.\n"
302  "--up cmd : Run command cmd after successful tun device open.\n"
303  " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
304  " ifconfig-local-ip ifconfig-remote-ip\n"
305  " (pre --user or --group UID/GID change)\n"
306  "--up-delay : Delay tun/tap open and possible --up script execution\n"
307  " until after TCP/UDP connection establishment with peer.\n"
308  "--down cmd : Run command cmd after tun device close.\n"
309  " (post --user/--group UID/GID change and/or --chroot)\n"
310  " (command parameters are same as --up option)\n"
311  "--down-pre : Run --down command before TUN/TAP close.\n"
312  "--up-restart : Run up/down commands for all restarts including those\n"
313  " caused by --ping-restart or SIGUSR1\n"
314  "--user user : Set UID to user after initialization.\n"
315  "--group group : Set GID to group after initialization.\n"
316  "--chroot dir : Chroot to this directory after initialization.\n"
317 #ifdef ENABLE_SELINUX
318  "--setcon context: Apply this SELinux context after initialization.\n"
319 #endif
320  "--cd dir : Change to this directory before initialization.\n"
321  "--daemon [name] : Become a daemon after initialization.\n"
322  " The optional 'name' parameter will be passed\n"
323  " as the program name to the system logger.\n"
324  "--syslog [name] : Output to syslog, but do not become a daemon.\n"
325  " See --daemon above for a description of the 'name' parm.\n"
326  "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
327  " See --daemon above for a description of the 'name' parm.\n"
328  "--log file : Output log to file which is created/truncated on open.\n"
329  "--log-append file : Append log to file, or create file if nonexistent.\n"
330  "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
331  "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
332  "--writepid file : Write main process ID to file.\n"
333  "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
334  "--echo [parms ...] : Echo parameters to log output.\n"
335  "--verb n : Set output verbosity to n (default=%d):\n"
336  " (Level 3 is recommended if you want a good summary\n"
337  " of what's happening without being swamped by output).\n"
338  " : 0 -- no output except fatal errors\n"
339  " : 1 -- startup info + connection initiated messages +\n"
340  " non-fatal encryption & net errors\n"
341  " : 2,3 -- show TLS negotiations & route info\n"
342  " : 4 -- show parameters\n"
343  " : 5 -- show 'RrWw' chars on console for each packet sent\n"
344  " and received from TCP/UDP (caps) or tun/tap (lc)\n"
345  " : 6 to 11 -- debug messages of increasing verbosity\n"
346  "--mute n : Log at most n consecutive messages in the same category.\n"
347  "--status file n : Write operational status to file every n seconds.\n"
348  "--status-version [n] : Choose the status file format version number.\n"
349  " Currently, n can be 1, 2, or 3 (default=1).\n"
350 #ifdef ENABLE_OCC
351  "--disable-occ : Disable options consistency check between peers.\n"
352 #endif
353 #ifdef ENABLE_DEBUG
354  "--gremlin mask : Special stress testing mode (for debugging only).\n"
355 #endif
356 #if defined(USE_COMP)
357  "--compress alg : Use compression algorithm alg\n"
358 #if defined(ENABLE_LZO)
359  "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
360  " packet for uncompressible data.\n"
361  "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
362  " is specified.\n"
363 #endif
364 #endif
365 #ifdef ENABLE_MANAGEMENT
366  "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
367  " management functions. pass is a password file\n"
368  " or 'stdin' to prompt from console.\n"
369 #if UNIX_SOCK_SUPPORT
370  " To listen on a unix domain socket, specific the pathname\n"
371  " in place of ip and use 'unix' as the port number.\n"
372 #endif
373  "--management-client : Management interface will connect as a TCP client to\n"
374  " ip/port rather than listen as a TCP server.\n"
375  "--management-query-passwords : Query management channel for private key\n"
376  " and auth-user-pass passwords.\n"
377  "--management-query-proxy : Query management channel for proxy information.\n"
378  "--management-query-remote : Query management channel for --remote directive.\n"
379  "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
380  " of the management interface explicitly starts it.\n"
381  "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
382  "--management-forget-disconnect : Forget passwords when management disconnect\n"
383  " event occurs.\n"
384  "--management-up-down : Report tunnel up/down events to management interface.\n"
385  "--management-log-cache n : Cache n lines of log file history for usage\n"
386  " by the management channel.\n"
387 #if UNIX_SOCK_SUPPORT
388  "--management-client-user u : When management interface is a unix socket, only\n"
389  " allow connections from user u.\n"
390  "--management-client-group g : When management interface is a unix socket, only\n"
391  " allow connections from group g.\n"
392 #endif
393 #ifdef MANAGEMENT_DEF_AUTH
394  "--management-client-auth : gives management interface client the responsibility\n"
395  " to authenticate clients after their client certificate\n"
396  " has been verified.\n"
397 #endif
398 #ifdef MANAGEMENT_PF
399  "--management-client-pf : management interface clients must specify a packet\n"
400  " filter file for each connecting client.\n"
401 #endif
402 #endif /* ifdef ENABLE_MANAGEMENT */
403 #ifdef ENABLE_PLUGIN
404  "--plugin m [str]: Load plug-in module m passing str as an argument\n"
405  " to its initialization function.\n"
406 #endif
407 #if P2MP
408 #if P2MP_SERVER
409  "\n"
410  "Multi-Client Server options (when --mode server is used):\n"
411  "--server network netmask : Helper option to easily configure server mode.\n"
412  "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
413  "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
414  " easily configure ethernet bridging server mode.\n"
415  "--push \"option\" : Push a config file option back to the peer for remote\n"
416  " execution. Peer must specify --pull in its config file.\n"
417  "--push-reset : Don't inherit global push list for specific\n"
418  " client instance.\n"
419  "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
420  " to be dynamically allocated to connecting clients.\n"
421  "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather \n"
422  " than /30 subnets\n in tun mode. Not compatible with\n"
423  " Windows clients.\n"
424  "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
425  " data to file, at seconds intervals (default=600).\n"
426  " If seconds=0, file will be treated as read-only.\n"
427  "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
428  " to be dynamically allocated to connecting clients.\n"
429  "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
430  " overrides --ifconfig-pool dynamic allocation.\n"
431  " Only valid in a client-specific config file.\n"
432  "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
433  " remote, overrides --ifconfig-ipv6-pool allocation.\n"
434  " Only valid in a client-specific config file.\n"
435  "--iroute network [netmask] : Route subnet to client.\n"
436  "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
437  " Sets up internal routes only.\n"
438  " Only valid in a client-specific config file.\n"
439  "--disable : Client is disabled.\n"
440  " Only valid in a client-specific config file.\n"
441  "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n"
442  " will authenticate using username/password.\n"
443  "--verify-client-cert [none|optional|require] : perform no, optional or\n"
444  " mandatory client certificate verification.\n"
445  " Default is to require the client to supply a certificate.\n"
446  "--username-as-common-name : For auth-user-pass authentication, use\n"
447  " the authenticated username as the common name,\n"
448  " rather than the common name from the client cert.\n"
449  "--auth-user-pass-verify cmd method: Query client for username/password and\n"
450  " run command cmd to verify. If method='via-env', pass\n"
451  " user/pass via environment, if method='via-file', pass\n"
452  " user/pass via temporary file.\n"
453  "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
454  " to each client, replacing the password. Usefull when\n"
455  " OTP based two-factor auth mechanisms are in use and\n"
456  " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
457  " for generated tokens can be set.\n"
458  "--opt-verify : Clients that connect with options that are incompatible\n"
459  " with those of the server will be disconnected.\n"
460  "--auth-user-pass-optional : Allow connections by clients that don't\n"
461  " specify a username/password.\n"
462  "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
463  " any printable character.\n"
464  "--client-to-client : Internally route client-to-client traffic.\n"
465  "--duplicate-cn : Allow multiple clients with the same common name to\n"
466  " concurrently connect.\n"
467  "--client-connect cmd : Run command cmd on client connection.\n"
468  "--client-disconnect cmd : Run command cmd on client disconnection.\n"
469  "--client-config-dir dir : Directory for custom client config files.\n"
470  "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
471  "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
472  "--hash-size r v : Set the size of the real address hash table to r and the\n"
473  " virtual address table to v.\n"
474  "--bcast-buffers n : Allocate n broadcast buffers.\n"
475  "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
476  "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
477  " as well as pushes it to connecting clients.\n"
478  "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
479  "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
480  "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
481  "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
482  "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
483  " older than n seconds. Run this check every t\n"
484  " seconds (defaults to n).\n"
485  "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
486  " clients. n = 1 - reconnect to same server,\n"
487  " 2 - advance to next server, default=1.\n"
488 #if PORT_SHARE
489  "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
490  " sessions to a web server at host:port. dir specifies an\n"
491  " optional directory to write origin IP:port data.\n"
492 #endif
493 #endif /* if P2MP_SERVER */
494  "\n"
495  "Client options (when connecting to a multi-client server):\n"
496  "--client : Helper option to easily configure client mode.\n"
497  "--auth-user-pass [up] : Authenticate with server using username/password.\n"
498  " up is a file containing the username on the first line,\n"
499  " and a password on the second. If either the password or both\n"
500  " the username and the password are omitted OpenVPN will prompt\n"
501  " for them from console.\n"
502  "--pull : Accept certain config file options from the peer as if they\n"
503  " were part of the local config file. Must be specified\n"
504  " when connecting to a '--mode server' remote host.\n"
505  "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
506  " server if it starts with the text t. The action flag accept,\n"
507  " ignore or reject causes the option to be allowed, removed or\n"
508  " rejected with error. May be specified multiple times, and\n"
509  " each filter is applied in the order of appearance.\n"
510  "--auth-retry t : How to handle auth failures. Set t to\n"
511  " none (default), interact, or nointeract.\n"
512  "--static-challenge t e : Enable static challenge/response protocol using\n"
513  " challenge text t, with e indicating echo flag (0|1)\n"
514  "--connect-timeout n : when polling possible remote servers to connect to\n"
515  " in a round-robin fashion, spend no more than n seconds\n"
516  " waiting for a response before trying the next server.\n"
517  "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
518  " incoming tun packets with same destination as host.\n"
519 #endif /* if P2MP */
520 #ifdef ENABLE_OCC
521  "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
522  " server/remote. n = # of retries, default=1.\n"
523 #endif
524  "\n"
525  "Data Channel Encryption Options (must be compatible between peers):\n"
526  "(These options are meaningful for both Static Key & TLS-mode)\n"
527  "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
528  " Use shared secret file f, generate with --genkey.\n"
529  " The optional d parameter controls key directionality.\n"
530  " If d is specified, use separate keys for each\n"
531  " direction, set d=0 on one side of the connection,\n"
532  " and d=1 on the other side.\n"
533  "--auth alg : Authenticate packets with HMAC using message\n"
534  " digest algorithm alg (default=%s).\n"
535  " (usually adds 16 or 20 bytes per packet)\n"
536  " Set alg=none to disable authentication.\n"
537  "--cipher alg : Encrypt packets with cipher algorithm alg\n"
538  " (default=%s).\n"
539  " Set alg=none to disable encryption.\n"
540  "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
541  "--ncp-disable : Disable cipher negotiation.\n"
542  "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
543  " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
544 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
545  "--keysize n : (DEPRECATED) Size of cipher key in bits (optional).\n"
546  " If unspecified, defaults to cipher-specific default.\n"
547 #endif
548 #ifndef ENABLE_CRYPTO_MBEDTLS
549  "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
550 #endif
551  "--no-replay : (DEPRECATED) Disable replay protection.\n"
552  "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
553  "--replay-window n [t] : Use a replay protection sliding window of size n\n"
554  " and a time window of t seconds.\n"
555  " Default n=%d t=%d\n"
556  "--replay-persist file : Persist replay-protection state across sessions\n"
557  " using file.\n"
558  "--test-crypto : Run a self-test of crypto features enabled.\n"
559  " For debugging only.\n"
560 #ifdef ENABLE_PREDICTION_RESISTANCE
561  "--use-prediction-resistance: Enable prediction resistance on the random\n"
562  " number generator.\n"
563 #endif
564  "\n"
565  "TLS Key Negotiation Options:\n"
566  "(These options are meaningful only for TLS-mode)\n"
567  "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
568  "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
569  "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
570  " number, such as 1 (default), 2, etc.\n"
571  "--ca file : Certificate authority file in .pem format containing\n"
572  " root certificate.\n"
573 #ifndef ENABLE_CRYPTO_MBEDTLS
574  "--capath dir : A directory of trusted certificates (CAs"
575  " and CRLs).\n"
576 #endif /* ENABLE_CRYPTO_MBEDTLS */
577  "--dh file : File containing Diffie Hellman parameters\n"
578  " in .pem format (for --tls-server only).\n"
579  " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
580  "--cert file : Local certificate in .pem format -- must be signed\n"
581  " by a Certificate Authority in --ca file.\n"
582  "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
583  "--key file : Local private key in .pem format.\n"
584  "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
585  " will accept from the peer. If version is unrecognized and 'or-highest'\n"
586  " is specified, require max TLS version supported by SSL implementation.\n"
587  "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
588 #ifndef ENABLE_CRYPTO_MBEDTLS
589  "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
590  " and optionally the root CA certificate.\n"
591 #endif
592 #ifdef ENABLE_X509ALTUSERNAME
593  "--x509-username-field : Field in x509 certificate containing the username.\n"
594  " Default is CN in the Subject field.\n"
595 #endif
596  "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
597  " Valid algo flags are SHA1 and SHA256. \n"
598 #ifdef _WIN32
599  "--cryptoapicert select-string : Load the certificate and private key from the\n"
600  " Windows Certificate System Store.\n"
601 #endif
602  "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
603  " : Use --show-tls to see a list of supported TLS ciphers.\n"
604  "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
605  " (default=legacy).\n"
606  "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
607  " if no ACK from remote within n seconds (default=%d).\n"
608  "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
609  "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
610  "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
611  " and at least min (defaults to 90%% of max on servers and equal\n"
612  " to max on clients).\n"
613  "--hand-window n : Data channel key exchange must finalize within n seconds\n"
614  " of handshake initiation by any peer (default=%d).\n"
615  "--tran-window n : Transition window -- old key can live this many seconds\n"
616  " after new key renegotiation begins (default=%d).\n"
617  "--single-session: Allow only one session (reset state on restart).\n"
618  "--tls-exit : Exit on TLS negotiation failure.\n"
619  "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
620  " control channel to protect against attacks on the TLS stack\n"
621  " and DoS attacks.\n"
622  " f (required) is a shared-secret key file.\n"
623  " The optional d parameter controls key directionality,\n"
624  " see --secret option for more info.\n"
625  "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
626  " of the TLS control channel to hide the TLS certificate,\n"
627  " provide basic post-quantum security and protect against\n"
628  " attacks on the TLS stack and DoS attacks.\n"
629  " key (required) provides the pre-shared key file.\n"
630  " see --secret option for more info.\n"
631  "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
632  " For servers: use key to decrypt client-specific keys. For\n"
633  " key generation (--tls-crypt-v2-genkey): use key to\n"
634  " encrypt generated client-specific key. (See --tls-crypt.)\n"
635  "--tls-crypt-v2-genkey client|server keyfile [base64 metadata]: Generate a\n"
636  " fresh tls-crypt-v2 client or server key, and store to\n"
637  " keyfile. If supplied, include metadata in wrapped key.\n"
638  "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
639  " client-supplied tls-crypt-v2 client key\n"
640  "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
641  "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
642  "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
643  "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
644  " pending TLS connection that has otherwise passed all other\n"
645  " tests of certification. cmd should return 0 to allow\n"
646  " TLS handshake to proceed, or 1 to fail. (cmd is\n"
647  " executed as 'cmd certificate_depth subject')\n"
648  "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
649  " in an openvpn temporary file in [directory]. Peer cert is \n"
650  " stored before tls-verify script execution and deleted after.\n"
651  "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
652  " DN name. The remote host must also pass all other tests\n"
653  " of verification.\n"
654  "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
655  " an explicit nsCertType designation t = 'client' | 'server'.\n"
656  "--x509-track x : Save peer X509 attribute x in environment for use by\n"
657  " plugins and management interface.\n"
658 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
659  "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
660  " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
661 #endif
662  "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
663  " explicit key usage, you can specify more than one value.\n"
664  " value should be given in hex format.\n"
665  "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
666  " explicit extended key usage. Extended key usage can be encoded\n"
667  " as an object identifier or OpenSSL string representation.\n"
668  "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
669  " key usage and extended key usage based on RFC3280 TLS rules.\n"
670  " t = 'client' | 'server'.\n"
671 #ifdef ENABLE_PKCS11
672  "\n"
673  "PKCS#11 Options:\n"
674  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
675  "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
676  " path. Set for each provider.\n"
677  "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
678  " 0 : Try to determind automatically (default).\n"
679  " 1 : Use Sign.\n"
680  " 2 : Use SignRecover.\n"
681  " 4 : Use Decrypt.\n"
682  " 8 : Use Unwrap.\n"
683  "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
684  " certificate can be accessed. Set for each provider.\n"
685  "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
686  " cache until token is removed.\n"
687  "--pkcs11-id-management : Acquire identity from management interface.\n"
688  "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
689 #endif /* ENABLE_PKCS11 */
690  "\n"
691  "SSL Library information:\n"
692  "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
693  "--show-digests : Show message digest algorithms to use with --auth option.\n"
694  "--show-engines : Show hardware crypto accelerator engines (if available).\n"
695  "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
696 #ifdef _WIN32
697  "\n"
698  "Windows Specific:\n"
699  "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
700  " from SystemRoot environment variable.\n"
701  "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
702  " IP address using method = manual, netsh, ipapi,\n"
703  " dynamic, or adaptive (default = adaptive).\n"
704  " Dynamic method allows two optional parameters:\n"
705  " offset: DHCP server address offset (> -256 and < 256).\n"
706  " If 0, use network address, if >0, take nth\n"
707  " address forward from network address, if <0,\n"
708  " take nth address backward from broadcast\n"
709  " address.\n"
710  " Default is 0.\n"
711  " lease-time: Lease time in seconds.\n"
712  " Default is one year.\n"
713  "--route-method : Which method to use for adding routes on Windows?\n"
714  " adaptive (default) -- Try ipapi then fall back to exe.\n"
715  " ipapi -- Use IP helper API.\n"
716  " exe -- Call the route.exe shell command.\n"
717  "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
718  " be used with --ip-win32 dynamic. For options\n"
719  " which allow multiple addresses,\n"
720  " --dhcp-option must be repeated.\n"
721  " DOMAIN name : Set DNS suffix\n"
722  " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
723  " NTP : Set NTP server address(es)\n"
724  " NBDD : Set NBDD server address(es)\n"
725  " WINS addr : Set WINS server address(es)\n"
726  " NBT type : Set NetBIOS over TCP/IP Node type\n"
727  " 1: B, 2: P, 4: M, 8: H\n"
728  " NBS id : Set NetBIOS scope ID\n"
729  " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
730  "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
731  "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
732  " startup.\n"
733  "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
734  " on connection initiation.\n"
735  "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
736  " attempting to set adapter properties.\n"
737  "--pause-exit : When run from a console window, pause before exiting.\n"
738  "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
739  " service, and should not be used directly by end-users.\n"
740  " ex is the name of an event object which, when\n"
741  " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
742  " optional parameter controls the initial state of ex.\n"
743  "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
744  " after TAP adapter is up and routes have been added.\n"
745 #ifdef _WIN32
746  "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
747 #endif
748  "Windows Standalone Options:\n"
749  "\n"
750  "--show-adapters : Show all TAP-Windows adapters.\n"
751  "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
752  "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
753  "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
754  " to access TAP adapter.\n"
755 #endif /* ifdef _WIN32 */
756  "\n"
757  "Generate a new key (for use with --secret, --tls-auth or --tls-crypt):\n"
758  "--genkey file : Generate a new random key and write to file.\n"
759 #ifdef ENABLE_FEATURE_TUN_PERSIST
760  "\n"
761  "Tun/tap config mode (available with linux 2.4+):\n"
762  "--mktun : Create a persistent tunnel.\n"
763  "--rmtun : Remove a persistent tunnel.\n"
764  "--dev tunX|tapX : tun/tap device\n"
765  "--dev-type dt : Device type. See tunnel options above for details.\n"
766  "--user user : User to set privilege to.\n"
767  "--group group : Group to set privilege to.\n"
768 #endif
769 #ifdef ENABLE_PKCS11
770  "\n"
771  "PKCS#11 standalone options:\n"
772 #ifdef DEFAULT_PKCS11_MODULE
773  "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
774 #else
775  "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
776 #endif
777  " --verb option can be added *BEFORE* this.\n"
778 #endif /* ENABLE_PKCS11 */
779  "\n"
780  "General Standalone Options:\n"
781 #ifdef ENABLE_DEBUG
782  "--show-gateway : Show info about default gateway.\n"
783 #endif
784 ;
785 
786 #endif /* !ENABLE_SMALL */
787 
788 /*
789  * This is where the options defaults go.
790  * Any option not explicitly set here
791  * will be set to 0.
792  */
793 void
794 init_options(struct options *o, const bool init_gc)
795 {
796  CLEAR(*o);
797  if (init_gc)
798  {
799  gc_init(&o->gc);
800  o->gc_owned = true;
801  }
803  o->topology = TOP_NET30;
804  o->ce.proto = PROTO_UDP;
805  o->ce.af = AF_UNSPEC;
806  o->ce.bind_ipv6_only = false;
807  o->ce.connect_retry_seconds = 5;
808  o->ce.connect_retry_seconds_max = 300;
809  o->ce.connect_timeout = 120;
810  o->connect_retry_max = 0;
812  o->verbosity = 1;
813  o->status_file_update_freq = 60;
814  o->status_file_version = 1;
815  o->ce.bind_local = true;
818  o->ce.mtu_discover_type = -1;
819  o->ce.mssfix = MSSFIX_DEFAULT;
820  o->route_delay_window = 30;
822  o->resolve_in_advance = false;
823  o->proto_force = -1;
824 #ifdef ENABLE_OCC
825  o->occ = true;
826 #endif
827 #ifdef ENABLE_MANAGEMENT
831 #endif
832 #ifdef ENABLE_FEATURE_TUN_PERSIST
833  o->persist_mode = 1;
834 #endif
835 #ifdef TARGET_LINUX
836  o->tuntap_options.txqueuelen = 100;
837 #endif
838 #ifdef _WIN32
839 #if 0
841 #else
843 #endif
844  o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
845  o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
847  o->block_outside_dns = false;
848 #endif
849 #if P2MP_SERVER
850  o->real_hash_size = 256;
851  o->virtual_hash_size = 256;
852  o->n_bcast_buf = 256;
853  o->tcp_queue_limit = 64;
854  o->max_clients = 1024;
855  o->max_routes_per_client = 256;
858 #endif
859 #if P2MP
861 #endif
862  o->ciphername = "BF-CBC";
863 #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
864  o->ncp_enabled = true;
865 #else
866  o->ncp_enabled = false;
867 #endif
868  o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
869  o->authname = "SHA1";
870  o->prng_hash = "SHA1";
871  o->prng_nonce_secret_len = 16;
872  o->replay = true;
876 #ifdef ENABLE_PREDICTION_RESISTANCE
877  o->use_prediction_resistance = false;
878 #endif
879  o->key_method = 2;
880  o->tls_timeout = 2;
881  o->renegotiate_bytes = -1;
882  o->renegotiate_seconds = 3600;
883  o->renegotiate_seconds_min = -1;
884  o->handshake_window = 60;
885  o->transition_window = 3600;
886  o->tls_cert_profile = NULL;
887  o->ecdh_curve = NULL;
888 #ifdef ENABLE_X509ALTUSERNAME
889  o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
890 #endif
891 #ifdef ENABLE_PKCS11
892  o->pkcs11_pin_cache_period = -1;
893 #endif /* ENABLE_PKCS11 */
894 
895 /* P2MP server context features */
896 #if P2MP_SERVER
897  o->auth_token_generate = false;
898 
899  /* Set default --tmp-dir */
900 #ifdef _WIN32
901  /* On Windows, find temp dir via enviroment variables */
902  o->tmp_dir = win_get_tempdir();
903 #else
904  /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
905  o->tmp_dir = getenv("TMPDIR");
906  if (!o->tmp_dir)
907  {
908  o->tmp_dir = "/tmp";
909  }
910 #endif /* _WIN32 */
911 #endif /* P2MP_SERVER */
912  o->allow_recursive_routing = false;
913 }
914 
915 void
917 {
918  if (o->gc_owned)
919  {
920  gc_free(&o->gc);
921  }
922 }
923 
925 {
926 #define PUF_TYPE_UNDEF 0
927 #define PUF_TYPE_ACCEPT 1
928 #define PUF_TYPE_IGNORE 2
929 #define PUF_TYPE_REJECT 3
930  int type;
931  int size;
932  char *pattern;
933  struct pull_filter *next;
934 };
935 
937 {
938  struct pull_filter *head;
939  struct pull_filter *tail;
940 };
941 
942 static const char *
944 {
945  if (type == PUF_TYPE_ACCEPT)
946  {
947  return "accept";
948  }
949  if (type == PUF_TYPE_IGNORE)
950  {
951  return "ignore";
952  }
953  if (type == PUF_TYPE_REJECT)
954  {
955  return "reject";
956  }
957  else
958  {
959  return "???";
960  }
961 }
962 
963 #ifndef ENABLE_SMALL
964 
965 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
966 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
967 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
968 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
969 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
970 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
971 
972 #endif
973 
974 static void
976  const struct connection_entry *e,
977  const int i)
978 {
979  setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
980  setenv_str_i(es, "local", e->local, i);
981  setenv_str_i(es, "local_port", e->local_port, i);
982  setenv_str_i(es, "remote", e->remote, i);
983  setenv_str_i(es, "remote_port", e->remote_port, i);
984 
985  if (e->http_proxy_options)
986  {
987  setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
988  setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
989  }
990  if (e->socks_proxy_server)
991  {
992  setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
993  setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
994  }
995 }
996 
997 void
998 setenv_settings(struct env_set *es, const struct options *o)
999 {
1000  setenv_str(es, "config", o->config);
1001  setenv_int(es, "verb", o->verbosity);
1002  setenv_int(es, "daemon", o->daemon);
1003  setenv_int(es, "daemon_log_redirect", o->log);
1004  setenv_long_long(es, "daemon_start_time", time(NULL));
1005  setenv_int(es, "daemon_pid", platform_getpid());
1006 
1007  if (o->connection_list)
1008  {
1009  int i;
1010  for (i = 0; i < o->connection_list->len; ++i)
1011  {
1013  }
1014  }
1015  else
1016  {
1017  setenv_connection_entry(es, &o->ce, 1);
1018  }
1019 }
1020 
1021 static in_addr_t
1022 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1023 {
1024  unsigned int flags = GETADDR_HOST_ORDER;
1025  bool succeeded = false;
1026  in_addr_t ret;
1027 
1028  if (msglevel & M_FATAL)
1029  {
1030  flags |= GETADDR_FATAL;
1031  }
1032 
1033  ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1034  if (!succeeded && error)
1035  {
1036  *error = true;
1037  }
1038  return ret;
1039 }
1040 
1046 static char *
1047 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1048 {
1049  const char *end = strchr(addr, '/');
1050  char *ret = NULL;
1051  if (NULL == end)
1052  {
1053  ret = string_alloc(addr, gc);
1054  }
1055  else
1056  {
1057  size_t len = end - addr;
1058  ret = gc_malloc(len + 1, true, gc);
1059  memcpy(ret, addr, len);
1060  }
1061  return ret;
1062 }
1063 
1064 static bool
1065 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1066 {
1067  struct in6_addr t_addr;
1068  unsigned int t_bits;
1069 
1070  return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1071 }
1072 
1073 static char *
1074 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1075 {
1076  char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1077  char *dest = ret;
1078  char c;
1079 
1080  do
1081  {
1082  c = *src++;
1083  if (c == from)
1084  {
1085  c = to;
1086  }
1087  *dest++ = c;
1088  }
1089  while (c);
1090  return ret;
1091 }
1092 
1093 static uint8_t *
1094 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1095 {
1096  int i;
1097  const char *cp = str;
1098  uint8_t *ret = (uint8_t *) gc_malloc(nbytes, true, gc);
1099  char term = 1;
1100  int byte;
1101  char bs[3];
1102 
1103  for (i = 0; i < nbytes; ++i)
1104  {
1105  if (strlen(cp) < 2)
1106  {
1107  msg(msglevel, "format error in hash fingerprint: %s", str);
1108  }
1109  bs[0] = *cp++;
1110  bs[1] = *cp++;
1111  bs[2] = 0;
1112  byte = 0;
1113  if (sscanf(bs, "%x", &byte) != 1)
1114  {
1115  msg(msglevel, "format error in hash fingerprint hex byte: %s", str);
1116  }
1117  ret[i] = (uint8_t)byte;
1118  term = *cp++;
1119  if (term != ':' && term != 0)
1120  {
1121  msg(msglevel, "format error in hash fingerprint delimiter: %s", str);
1122  }
1123  if (term == 0)
1124  {
1125  break;
1126  }
1127  }
1128  if (term != 0 || i != nbytes-1)
1129  {
1130  msg(msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str);
1131  }
1132  return ret;
1133 }
1134 
1135 #ifdef _WIN32
1136 
1137 #ifndef ENABLE_SMALL
1138 
1139 static void
1140 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1141 {
1142  struct gc_arena gc = gc_new();
1143  int i;
1144  for (i = 0; i < len; ++i)
1145  {
1146  msg(D_SHOW_PARMS, " %s[%d] = %s",
1147  name,
1148  i,
1149  print_in_addr_t(array[i], 0, &gc));
1150  }
1151  gc_free(&gc);
1152 }
1153 
1154 static void
1156 {
1157  SHOW_BOOL(ip_win32_defined);
1158  SHOW_INT(ip_win32_type);
1159  SHOW_INT(dhcp_masq_offset);
1160  SHOW_INT(dhcp_lease_time);
1161  SHOW_INT(tap_sleep);
1162  SHOW_BOOL(dhcp_options);
1164  SHOW_BOOL(dhcp_pre_release);
1165  SHOW_STR(domain);
1166  SHOW_STR(netbios_scope);
1167  SHOW_INT(netbios_node_type);
1168  SHOW_BOOL(disable_nbt);
1169 
1170  show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1171  show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1172  show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1173  show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1174 }
1175 
1176 #endif /* ifndef ENABLE_SMALL */
1177 #endif /* ifdef _WIN32 */
1178 
1179 #if defined(_WIN32) || defined(TARGET_ANDROID)
1180 static void
1181 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1182 {
1183  struct in6_addr addr;
1184  if (*len >= N_DHCP_ADDR)
1185  {
1186  msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1187  N_DHCP_ADDR);
1188  }
1189  else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1190  {
1191  dns6_list[(*len)++] = addr;
1192  }
1193 }
1194 static void
1195 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1196 {
1197  if (*len >= N_DHCP_ADDR)
1198  {
1199  msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1200  name,
1201  N_DHCP_ADDR,
1202  name);
1203  }
1204  else
1205  {
1206  if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1207  {
1208  bool error = false;
1209  const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1210  if (!error)
1211  {
1212  array[(*len)++] = addr;
1213  }
1214  }
1215  else
1216  {
1217  msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1218  }
1219  }
1220 }
1221 
1222 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1223 
1224 #if P2MP
1225 
1226 #ifndef ENABLE_SMALL
1227 
1228 static void
1229 show_p2mp_parms(const struct options *o)
1230 {
1231  struct gc_arena gc = gc_new();
1232 
1233 #if P2MP_SERVER
1234  msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1235  msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1236  msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1237  SHOW_INT(server_netbits_ipv6);
1238  msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1239  msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1240  msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1241  msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1242  if (o->push_list.head)
1243  {
1244  const struct push_entry *e = o->push_list.head;
1245  while (e)
1246  {
1247  if (e->enable)
1248  {
1249  msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1250  }
1251  e = e->next;
1252  }
1253  }
1254  SHOW_BOOL(ifconfig_pool_defined);
1255  msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1256  msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1257  msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1258  SHOW_STR(ifconfig_pool_persist_filename);
1259  SHOW_INT(ifconfig_pool_persist_refresh_freq);
1260  SHOW_BOOL(ifconfig_ipv6_pool_defined);
1261  msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1262  SHOW_INT(ifconfig_ipv6_pool_netbits);
1263  SHOW_INT(n_bcast_buf);
1264  SHOW_INT(tcp_queue_limit);
1265  SHOW_INT(real_hash_size);
1266  SHOW_INT(virtual_hash_size);
1267  SHOW_STR(client_connect_script);
1269  SHOW_STR(client_disconnect_script);
1270  SHOW_STR(client_config_dir);
1271  SHOW_BOOL(ccd_exclusive);
1272  SHOW_STR(tmp_dir);
1273  SHOW_BOOL(push_ifconfig_defined);
1274  msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1275  msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1276  SHOW_BOOL(push_ifconfig_ipv6_defined);
1277  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1278  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1279  SHOW_BOOL(enable_c2c);
1280  SHOW_BOOL(duplicate_cn);
1281  SHOW_INT(cf_max);
1282  SHOW_INT(cf_per);
1283  SHOW_INT(max_clients);
1284  SHOW_INT(max_routes_per_client);
1285  SHOW_STR(auth_user_pass_verify_script);
1286  SHOW_BOOL(auth_user_pass_verify_script_via_file);
1287  SHOW_BOOL(auth_token_generate);
1288  SHOW_INT(auth_token_lifetime);
1289 #if PORT_SHARE
1290  SHOW_STR(port_share_host);
1291  SHOW_STR(port_share_port);
1292 #endif
1293 #endif /* P2MP_SERVER */
1294 
1295  SHOW_BOOL(client);
1296  SHOW_BOOL(pull);
1297  SHOW_STR(auth_user_pass_file);
1298 
1299  gc_free(&gc);
1300 }
1301 
1302 #endif /* ! ENABLE_SMALL */
1303 
1304 #if P2MP_SERVER
1305 
1306 static void
1308  const char *network_str,
1309  const char *netmask_str,
1310  int msglevel)
1311 {
1312  struct iroute *ir;
1313 
1314  ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1315  ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1316  ir->netbits = -1;
1317 
1318  if (netmask_str)
1319  {
1320  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1321  if (!netmask_to_netbits(ir->network, netmask, &ir->netbits))
1322  {
1323  msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1324  network_str,
1325  netmask_str);
1326  return;
1327  }
1328  }
1329 
1330  ir->next = o->iroutes;
1331  o->iroutes = ir;
1332 }
1333 
1334 static void
1336  const char *prefix_str,
1337  int msglevel)
1338 {
1339  struct iroute_ipv6 *ir;
1340 
1341  ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1342 
1343  if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1344  {
1345  msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1346  prefix_str);
1347  return;
1348  }
1349 
1350  ir->next = o->iroutes_ipv6;
1351  o->iroutes_ipv6 = ir;
1352 }
1353 #endif /* P2MP_SERVER */
1354 #endif /* P2MP */
1355 
1356 #ifndef ENABLE_SMALL
1357 static void
1359 {
1360  int i;
1361  msg(D_SHOW_PARMS, "BEGIN http_proxy");
1362  SHOW_STR(server);
1363  SHOW_STR(port);
1364  SHOW_STR(auth_method_string);
1365  SHOW_STR(auth_file);
1366  SHOW_STR(http_version);
1367  SHOW_STR(user_agent);
1368  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1369  {
1370  if (o->custom_headers[i].content)
1371  {
1372  msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1373  o->custom_headers[i].name, o->custom_headers[i].content);
1374  }
1375  else
1376  {
1377  msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1378  o->custom_headers[i].name);
1379  }
1380  }
1381  msg(D_SHOW_PARMS, "END http_proxy");
1382 }
1383 #endif /* ifndef ENABLE_SMALL */
1384 
1385 void
1387 {
1388  gc_detach(&o->gc);
1389  o->routes = NULL;
1390  o->client_nat = NULL;
1391 #if P2MP_SERVER
1392  clone_push_list(o);
1393 #endif
1394 }
1395 
1396 void
1398 {
1399  if (!options->routes)
1400  {
1401  options->routes = new_route_option_list(&options->gc);
1402  }
1403 }
1404 
1405 static void
1407 {
1408  if (!options->routes_ipv6)
1409  {
1410  options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1411  }
1412 }
1413 
1414 static void
1416 {
1417  if (!options->client_nat)
1418  {
1419  options->client_nat = new_client_nat_list(&options->gc);
1420  }
1421 }
1422 
1423 #ifndef ENABLE_SMALL
1424 static void
1426 {
1427  msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1428  SHOW_STR(local);
1429  SHOW_STR(local_port);
1430  SHOW_STR(remote);
1431  SHOW_STR(remote_port);
1432  SHOW_BOOL(remote_float);
1433  SHOW_BOOL(bind_defined);
1435  SHOW_BOOL(bind_ipv6_only);
1436  SHOW_INT(connect_retry_seconds);
1437  SHOW_INT(connect_timeout);
1438 
1439  if (o->http_proxy_options)
1440  {
1442  }
1443  SHOW_STR(socks_proxy_server);
1444  SHOW_STR(socks_proxy_port);
1445  SHOW_INT(tun_mtu);
1446  SHOW_BOOL(tun_mtu_defined);
1447  SHOW_INT(link_mtu);
1448  SHOW_BOOL(link_mtu_defined);
1449  SHOW_INT(tun_mtu_extra);
1450  SHOW_BOOL(tun_mtu_extra_defined);
1451 
1452  SHOW_INT(mtu_discover_type);
1453 
1454 #ifdef ENABLE_FRAGMENT
1455  SHOW_INT(fragment);
1456 #endif
1457  SHOW_INT(mssfix);
1458 
1459 #ifdef ENABLE_OCC
1460  SHOW_INT(explicit_exit_notification);
1461 #endif
1462 
1463  SHOW_STR(tls_auth_file);
1464  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1465  "%s");
1466  SHOW_STR(tls_crypt_file);
1467  SHOW_STR(tls_crypt_v2_file);
1468 }
1469 
1470 
1471 static void
1473 {
1474  if (o->connection_list)
1475  {
1476  const struct connection_list *l = o->connection_list;
1477  int i;
1478  for (i = 0; i < l->len; ++i)
1479  {
1480  msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1482  }
1483  }
1484  else
1485  {
1486  msg(D_SHOW_PARMS, "Connection profiles [default]:");
1488  }
1489  msg(D_SHOW_PARMS, "Connection profiles END");
1490 }
1491 
1492 static void
1494 {
1495  struct pull_filter *f;
1496  if (!l)
1497  {
1498  return;
1499  }
1500 
1501  msg(D_SHOW_PARMS, " Pull filters:");
1502  for (f = l->head; f; f = f->next)
1503  {
1504  msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1505  }
1506 }
1507 
1508 #endif /* ifndef ENABLE_SMALL */
1509 
1510 void
1511 show_settings(const struct options *o)
1512 {
1513 #ifndef ENABLE_SMALL
1514  msg(D_SHOW_PARMS, "Current Parameter Settings:");
1515 
1516  SHOW_STR(config);
1517 
1518  SHOW_INT(mode);
1519 
1520 #ifdef ENABLE_FEATURE_TUN_PERSIST
1521  SHOW_BOOL(persist_config);
1522  SHOW_INT(persist_mode);
1523 #endif
1524 
1525  SHOW_BOOL(show_ciphers);
1526  SHOW_BOOL(show_digests);
1527  SHOW_BOOL(show_engines);
1528  SHOW_BOOL(genkey);
1529  SHOW_STR(key_pass_file);
1530  SHOW_BOOL(show_tls_ciphers);
1531 
1532  SHOW_INT(connect_retry_max);
1534 
1535  SHOW_BOOL(remote_random);
1536 
1537  SHOW_STR(ipchange);
1538  SHOW_STR(dev);
1539  SHOW_STR(dev_type);
1540  SHOW_STR(dev_node);
1541  SHOW_STR(lladdr);
1542  SHOW_INT(topology);
1543  SHOW_STR(ifconfig_local);
1544  SHOW_STR(ifconfig_remote_netmask);
1545  SHOW_BOOL(ifconfig_noexec);
1546  SHOW_BOOL(ifconfig_nowarn);
1547  SHOW_STR(ifconfig_ipv6_local);
1548  SHOW_INT(ifconfig_ipv6_netbits);
1549  SHOW_STR(ifconfig_ipv6_remote);
1550 
1551 #ifdef ENABLE_FEATURE_SHAPER
1552  SHOW_INT(shaper);
1553 #endif
1554 #ifdef ENABLE_OCC
1555  SHOW_INT(mtu_test);
1556 #endif
1557 
1558  SHOW_BOOL(mlock);
1559 
1560  SHOW_INT(keepalive_ping);
1561  SHOW_INT(keepalive_timeout);
1562  SHOW_INT(inactivity_timeout);
1563  SHOW_INT(ping_send_timeout);
1564  SHOW_INT(ping_rec_timeout);
1565  SHOW_INT(ping_rec_timeout_action);
1566  SHOW_BOOL(ping_timer_remote);
1567  SHOW_INT(remap_sigusr1);
1568  SHOW_BOOL(persist_tun);
1569  SHOW_BOOL(persist_local_ip);
1570  SHOW_BOOL(persist_remote_ip);
1571  SHOW_BOOL(persist_key);
1572 
1573 #if PASSTOS_CAPABILITY
1574  SHOW_BOOL(passtos);
1575 #endif
1576 
1577  SHOW_INT(resolve_retry_seconds);
1578  SHOW_BOOL(resolve_in_advance);
1579 
1580  SHOW_STR(username);
1581  SHOW_STR(groupname);
1582  SHOW_STR(chroot_dir);
1583  SHOW_STR(cd_dir);
1584 #ifdef ENABLE_SELINUX
1585  SHOW_STR(selinux_context);
1586 #endif
1587  SHOW_STR(writepid);
1588  SHOW_STR(up_script);
1589  SHOW_STR(down_script);
1590  SHOW_BOOL(down_pre);
1591  SHOW_BOOL(up_restart);
1592  SHOW_BOOL(up_delay);
1593  SHOW_BOOL(daemon);
1594  SHOW_INT(inetd);
1595  SHOW_BOOL(log);
1598  SHOW_INT(nice);
1599  SHOW_INT(verbosity);
1600  SHOW_INT(mute);
1601 #ifdef ENABLE_DEBUG
1602  SHOW_INT(gremlin);
1603 #endif
1604  SHOW_STR(status_file);
1605  SHOW_INT(status_file_version);
1606  SHOW_INT(status_file_update_freq);
1607 
1608 #ifdef ENABLE_OCC
1609  SHOW_BOOL(occ);
1610 #endif
1611  SHOW_INT(rcvbuf);
1612  SHOW_INT(sndbuf);
1613 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1614  SHOW_INT(mark);
1615 #endif
1616  SHOW_INT(sockflags);
1617 
1618  SHOW_BOOL(fast_io);
1619 
1620 #ifdef USE_COMP
1621  SHOW_INT(comp.alg);
1622  SHOW_INT(comp.flags);
1623 #endif
1624 
1625  SHOW_STR(route_script);
1626  SHOW_STR(route_default_gateway);
1627  SHOW_INT(route_default_metric);
1628  SHOW_BOOL(route_noexec);
1629  SHOW_INT(route_delay);
1630  SHOW_INT(route_delay_window);
1631  SHOW_BOOL(route_delay_defined);
1632  SHOW_BOOL(route_nopull);
1633  SHOW_BOOL(route_gateway_via_dhcp);
1634  SHOW_BOOL(allow_pull_fqdn);
1636 
1637  if (o->routes)
1638  {
1640  }
1641 
1642  if (o->client_nat)
1643  {
1645  }
1646 
1647 #ifdef ENABLE_MANAGEMENT
1648  SHOW_STR(management_addr);
1649  SHOW_STR(management_port);
1650  SHOW_STR(management_user_pass);
1651  SHOW_INT(management_log_history_cache);
1652  SHOW_INT(management_echo_buffer_size);
1653  SHOW_STR(management_write_peer_info_file);
1654  SHOW_STR(management_client_user);
1655  SHOW_STR(management_client_group);
1656  SHOW_INT(management_flags);
1657 #endif
1658 #ifdef ENABLE_PLUGIN
1659  if (o->plugin_list)
1660  {
1662  }
1663 #endif
1664 
1665  SHOW_STR(shared_secret_file);
1666  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1667  SHOW_STR(ciphername);
1668  SHOW_BOOL(ncp_enabled);
1669  SHOW_STR(ncp_ciphers);
1670  SHOW_STR(authname);
1671  SHOW_STR(prng_hash);
1672  SHOW_INT(prng_nonce_secret_len);
1673  SHOW_INT(keysize);
1674 #ifndef ENABLE_CRYPTO_MBEDTLS
1675  SHOW_BOOL(engine);
1676 #endif /* ENABLE_CRYPTO_MBEDTLS */
1677  SHOW_BOOL(replay);
1678  SHOW_BOOL(mute_replay_warnings);
1679  SHOW_INT(replay_window);
1680  SHOW_INT(replay_time);
1681  SHOW_STR(packet_id_file);
1683 #ifdef ENABLE_PREDICTION_RESISTANCE
1684  SHOW_BOOL(use_prediction_resistance);
1685 #endif
1686 
1687  SHOW_BOOL(tls_server);
1688  SHOW_BOOL(tls_client);
1689  SHOW_INT(key_method);
1690  SHOW_STR(ca_file);
1691  SHOW_STR(ca_path);
1692  SHOW_STR(dh_file);
1693 #ifdef ENABLE_MANAGEMENT
1695  {
1696  SHOW_PARM("cert_file","EXTERNAL_CERT","%s");
1697  }
1698  else
1699 #endif
1700  SHOW_STR(cert_file);
1701  SHOW_STR(extra_certs_file);
1702 
1703 #ifdef ENABLE_MANAGEMENT
1704  if ((o->management_flags & MF_EXTERNAL_KEY))
1705  {
1706  SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
1707  }
1708  else
1709 #endif
1710  SHOW_STR(priv_key_file);
1711 #ifndef ENABLE_CRYPTO_MBEDTLS
1712  SHOW_STR(pkcs12_file);
1713 #endif
1714 #ifdef ENABLE_CRYPTOAPI
1715  SHOW_STR(cryptoapi_cert);
1716 #endif
1717  SHOW_STR(cipher_list);
1718  SHOW_STR(cipher_list_tls13);
1719  SHOW_STR(tls_cert_profile);
1721  SHOW_STR(tls_export_cert);
1722  SHOW_INT(verify_x509_type);
1723  SHOW_STR(verify_x509_name);
1724  SHOW_STR(crl_file);
1725  SHOW_INT(ns_cert_type);
1726  {
1727  int i;
1728  for (i = 0; i<MAX_PARMS; i++)
1729  {
1730  SHOW_INT(remote_cert_ku[i]);
1731  }
1732  }
1733  SHOW_STR(remote_cert_eku);
1734  SHOW_INT(ssl_flags);
1735 
1736  SHOW_INT(tls_timeout);
1737 
1738  SHOW_INT(renegotiate_bytes);
1739  SHOW_INT(renegotiate_packets);
1740  SHOW_INT(renegotiate_seconds);
1741 
1742  SHOW_INT(handshake_window);
1743  SHOW_INT(transition_window);
1744 
1745  SHOW_BOOL(single_session);
1747  SHOW_BOOL(tls_exit);
1748 
1749  SHOW_STR(tls_crypt_v2_genkey_type);
1750  SHOW_STR(tls_crypt_v2_genkey_file);
1751  SHOW_STR(tls_crypt_v2_metadata);
1752 
1753 #ifdef ENABLE_PKCS11
1754  {
1755  int i;
1756  for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1757  {
1758  SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1759  }
1760  }
1761  {
1762  int i;
1763  for (i = 0; i<MAX_PARMS; i++)
1764  {
1765  SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1766  }
1767  }
1768  {
1769  int i;
1770  for (i = 0; i<MAX_PARMS; i++)
1771  {
1772  SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1773  }
1774  }
1775  {
1776  int i;
1777  for (i = 0; i<MAX_PARMS; i++)
1778  {
1779  SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1780  }
1781  }
1782  SHOW_INT(pkcs11_pin_cache_period);
1783  SHOW_STR(pkcs11_id);
1784  SHOW_BOOL(pkcs11_id_management);
1785 #endif /* ENABLE_PKCS11 */
1786 
1787 #if P2MP
1788  show_p2mp_parms(o);
1789 #endif
1790 
1791 #ifdef _WIN32
1792  SHOW_BOOL(show_net_up);
1793  SHOW_INT(route_method);
1794  SHOW_BOOL(block_outside_dns);
1796 #endif
1797 #endif /* ifndef ENABLE_SMALL */
1798 }
1799 
1800 #undef SHOW_PARM
1801 #undef SHOW_STR
1802 #undef SHOW_INT
1803 #undef SHOW_BOOL
1804 
1805 #ifdef ENABLE_MANAGEMENT
1806 
1807 static struct http_proxy_options *
1809  const char *port,
1810  const char *flags,
1811  const int msglevel,
1812  struct gc_arena *gc)
1813 {
1814  if (server && port)
1815  {
1816  struct http_proxy_options *ho;
1817  ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
1818  ho->server = string_alloc(server, gc);
1819  ho->port = port;
1820  if (flags && !strcmp(flags, "nct"))
1821  {
1822  ho->auth_retry = PAR_NCT;
1823  }
1824  else
1825  {
1826  ho->auth_retry = PAR_ALL;
1827  }
1828  ho->http_version = "1.0";
1829  ho->user_agent = "OpenVPN-Autoproxy/1.0";
1830  return ho;
1831  }
1832  else
1833  {
1834  return NULL;
1835  }
1836 }
1837 
1838 static void
1840 {
1841  const struct connection_list *l = o->connection_list;
1842  int i;
1843  bool succeed = false;
1844  for (i = 0; i < l->len; ++i)
1845  {
1846  struct connection_entry *ce = l->array[i];
1847  if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
1848  {
1850  succeed = true;
1851  }
1852  }
1853  if (succeed)
1854  {
1855  for (i = 0; i < l->len; ++i)
1856  {
1857  struct connection_entry *ce = l->array[i];
1858  if (ce->proto == PROTO_UDP)
1859  {
1860  ce->flags |= CE_DISABLED;
1861  }
1862  }
1863  }
1864  else
1865  {
1866  msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
1867  }
1868 }
1869 
1870 #endif /* ifdef ENABLE_MANAGEMENT */
1871 
1872 static struct connection_list *
1874 {
1875  if (!options->connection_list)
1876  {
1877  ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
1878  }
1879  return options->connection_list;
1880 }
1881 
1882 static struct connection_entry *
1883 alloc_connection_entry(struct options *options, const int msglevel)
1884 {
1885  struct connection_list *l = alloc_connection_list_if_undef(options);
1886  struct connection_entry *e;
1887 
1888  if (l->len >= CONNECTION_LIST_SIZE)
1889  {
1890  msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
1891  return NULL;
1892  }
1893  ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
1894  l->array[l->len++] = e;
1895  return e;
1896 }
1897 
1898 static struct remote_list *
1900 {
1901  if (!options->remote_list)
1902  {
1903  ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
1904  }
1905  return options->remote_list;
1906 }
1907 
1908 static struct remote_entry *
1909 alloc_remote_entry(struct options *options, const int msglevel)
1910 {
1911  struct remote_list *l = alloc_remote_list_if_undef(options);
1912  struct remote_entry *e;
1913 
1914  if (l->len >= CONNECTION_LIST_SIZE)
1915  {
1916  msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
1917  return NULL;
1918  }
1919  ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
1920  l->array[l->len++] = e;
1921  return e;
1922 }
1923 
1924 static struct pull_filter_list *
1926 {
1927  if (!o->pull_filter_list)
1928  {
1930  }
1931  return o->pull_filter_list;
1932 }
1933 
1934 static struct pull_filter *
1935 alloc_pull_filter(struct options *o, const int msglevel)
1936 {
1938  struct pull_filter *f;
1939 
1940  ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
1941  if (l->head)
1942  {
1943  ASSERT(l->tail);
1944  l->tail->next = f;
1945  }
1946  else
1947  {
1948  ASSERT(!l->tail);
1949  l->head = f;
1950  }
1951  l->tail = f;
1952  return f;
1953 }
1954 
1955 static void
1957 {
1958  if (re->remote)
1959  {
1960  ce->remote = re->remote;
1961  }
1962  if (re->remote_port)
1963  {
1964  ce->remote_port = re->remote_port;
1965  }
1966  if (re->proto >= 0)
1967  {
1968  ce->proto = re->proto;
1969  }
1970  if (re->af > 0)
1971  {
1972  ce->af = re->af;
1973  }
1974 }
1975 
1976 static void
1978 {
1979  struct options defaults;
1980  int dev = DEV_TYPE_UNDEF;
1981  bool pull = false;
1982 
1983  init_options(&defaults, true);
1984 
1985  if (options->test_crypto)
1986  {
1987  notnull(options->shared_secret_file, "key file (--secret)");
1988  }
1989  else
1990  {
1991  notnull(options->dev, "TUN/TAP device (--dev)");
1992  }
1993 
1994  /*
1995  * Get tun/tap/null device type
1996  */
1997  dev = dev_type_enum(options->dev, options->dev_type);
1998 
1999  /*
2000  * If "proto tcp" is specified, make sure we know whether it is
2001  * tcp-client or tcp-server.
2002  */
2003  if (ce->proto == PROTO_TCP)
2004  {
2005  msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
2006  }
2007 
2008  /*
2009  * Sanity check on daemon/inetd modes
2010  */
2011 
2012  if (options->daemon && options->inetd)
2013  {
2014  msg(M_USAGE, "only one of --daemon or --inetd may be specified");
2015  }
2016 
2017  if (options->inetd && (ce->local || ce->remote))
2018  {
2019  msg(M_USAGE, "--local or --remote cannot be used with --inetd");
2020  }
2021 
2022  if (options->inetd && ce->proto == PROTO_TCP_CLIENT)
2023  {
2024  msg(M_USAGE, "--proto tcp-client cannot be used with --inetd");
2025  }
2026 
2027  if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER)
2028  {
2029  msg(M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
2030  }
2031 
2032  if (options->inetd == INETD_NOWAIT
2033  && !(options->tls_server || options->tls_client))
2034  {
2035  msg(M_USAGE, "--inetd nowait can only be used in TLS mode");
2036  }
2037 
2038  if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
2039  {
2040  msg(M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
2041  }
2042 
2043 
2044  if (options->lladdr && dev != DEV_TYPE_TAP)
2045  {
2046  msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2047  }
2048 
2049  /*
2050  * Sanity check on MTU parameters
2051  */
2052  if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2053  {
2054  msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
2055  }
2056 
2057 #ifdef ENABLE_OCC
2058  if (!proto_is_udp(ce->proto) && options->mtu_test)
2059  {
2060  msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2061  }
2062 #endif
2063 
2064  /* will we be pulling options from server? */
2065 #if P2MP
2066  pull = options->pull;
2067 #endif
2068 
2069  /*
2070  * Sanity check on --local, --remote, and --ifconfig
2071  */
2072 
2073  if (proto_is_net(ce->proto)
2074  && string_defined_equal(ce->local, ce->remote)
2076  {
2077  msg(M_USAGE, "--remote and --local addresses are the same");
2078  }
2079 
2080  if (string_defined_equal(ce->remote, options->ifconfig_local)
2082  {
2083  msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses");
2084  }
2085 
2086  if (string_defined_equal(ce->local, options->ifconfig_local)
2088  {
2089  msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2090  }
2091 
2093  {
2094  msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
2095  }
2096 
2097  if (ce->bind_defined && !ce->bind_local)
2098  {
2099  msg(M_USAGE, "--bind and --nobind can't be used together");
2100  }
2101 
2102  if (ce->local && !ce->bind_local)
2103  {
2104  msg(M_USAGE, "--local and --nobind don't make sense when used together");
2105  }
2106 
2107  if (ce->local_port_defined && !ce->bind_local)
2108  {
2109  msg(M_USAGE, "--lport and --nobind don't make sense when used together");
2110  }
2111 
2112  if (!ce->remote && !ce->bind_local)
2113  {
2114  msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2115  }
2116 
2117  /*
2118  * Check for consistency of management options
2119  */
2120 #ifdef ENABLE_MANAGEMENT
2121  if (!options->management_addr
2122  && (options->management_flags
2125  {
2126  msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2127  }
2128 
2129  if ((options->management_client_user || options->management_client_group)
2130  && !(options->management_flags & MF_UNIX_SOCK))
2131  {
2132  msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2133  }
2134 
2135  if (options->management_addr
2136  && !(options->management_flags & MF_UNIX_SOCK)
2137  && (!options->management_user_pass))
2138  {
2139  msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2140  "passwords is STRONGLY discouraged and considered insecure");
2141  }
2142 
2143 #endif /* ifdef ENABLE_MANAGEMENT */
2144 
2145  /*
2146  * Windows-specific options.
2147  */
2148 
2149 #ifdef _WIN32
2150  if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2151  {
2152  msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2153  }
2154 
2155  if ((options->tuntap_options.ip_win32_defined)
2156  && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2157  {
2158  msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2159  }
2160 
2161  if (options->tuntap_options.dhcp_options
2164  {
2165  msg(M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive");
2166  }
2167 #endif
2168 
2169  /*
2170  * Check that protocol options make sense.
2171  */
2172 
2173 #ifdef ENABLE_FRAGMENT
2174  if (!proto_is_udp(ce->proto) && ce->fragment)
2175  {
2176  msg(M_USAGE, "--fragment can only be used with --proto udp");
2177  }
2178 #endif
2179 
2180 #ifdef ENABLE_OCC
2182  {
2183  msg(M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
2184  }
2185 #endif
2186 
2187  if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2188  {
2189  msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2190  }
2191 
2192  if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2193  {
2194  msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
2195  }
2196  if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2197  {
2198  msg(M_USAGE, "--http-proxy not specified but other http proxy options present");
2199  }
2200 
2201  if (ce->http_proxy_options && ce->socks_proxy_server)
2202  {
2203  msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy");
2204  }
2205 
2206  if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2207  {
2208  msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2209  }
2210 
2211  if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2212  {
2213  msg(M_USAGE, "TCP server mode allows at most one --remote address");
2214  }
2215 
2216 #if P2MP_SERVER
2217 
2218  /*
2219  * Check consistency of --mode server options.
2220  */
2221  if (options->mode == MODE_SERVER)
2222  {
2223  if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2224  {
2225  msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2226  }
2227  if (options->pull)
2228  {
2229  msg(M_USAGE, "--pull cannot be used with --mode server");
2230  }
2231  if (options->pull_filter_list)
2232  {
2233  msg(M_USAGE, "--pull-filter cannot be used with --mode server");
2234  }
2235  if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2236  {
2237  msg(M_USAGE, "--mode server currently only supports "
2238  "--proto udp or --proto tcp-server or proto tcp6-server");
2239  }
2240 #if PORT_SHARE
2241  if ((options->port_share_host || options->port_share_port)
2242  && (ce->proto != PROTO_TCP_SERVER))
2243  {
2244  msg(M_USAGE, "--port-share only works in TCP server mode "
2245  "(--proto tcp-server or tcp6-server)");
2246  }
2247 #endif
2248  if (!options->tls_server)
2249  {
2250  msg(M_USAGE, "--mode server requires --tls-server");
2251  }
2252  if (ce->remote)
2253  {
2254  msg(M_USAGE, "--remote cannot be used with --mode server");
2255  }
2256  if (!ce->bind_local)
2257  {
2258  msg(M_USAGE, "--nobind cannot be used with --mode server");
2259  }
2260  if (ce->http_proxy_options)
2261  {
2262  msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2263  }
2264  if (ce->socks_proxy_server)
2265  {
2266  msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2267  }
2268  /* <connection> blocks force to have a remote embedded, so we check for the
2269  * --remote and bail out if it is present */
2270  if (options->connection_list->len >1
2271  || options->connection_list->array[0]->remote)
2272  {
2273  msg(M_USAGE, "<connection> cannot be used with --mode server");
2274  }
2275 
2276  if (options->shaper)
2277  {
2278  msg(M_USAGE, "--shaper cannot be used with --mode server");
2279  }
2280  if (options->inetd)
2281  {
2282  msg(M_USAGE, "--inetd cannot be used with --mode server");
2283  }
2284  if (options->ipchange)
2285  {
2286  msg(M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)");
2287  }
2288  if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2289  {
2290  msg(M_USAGE, "--mode server currently only supports "
2291  "--proto udp or --proto tcp-server or --proto tcp6-server");
2292  }
2293  if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2294  {
2295  msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2296  }
2297  if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2298  {
2299  msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2300  }
2301  if (options->routes && (options->routes->flags & RG_ENABLE))
2302  {
2303  msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2304  }
2305  if (options->route_delay_defined)
2306  {
2307  msg(M_USAGE, "--route-delay cannot be used with --mode server");
2308  }
2309  if (options->up_delay)
2310  {
2311  msg(M_USAGE, "--up-delay cannot be used with --mode server");
2312  }
2313  if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
2314  {
2315  msg(M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
2316  }
2317  if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2318  {
2319  msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2320  }
2321  if (options->allow_recursive_routing)
2322  {
2323  msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2324  }
2325  if (options->auth_user_pass_file)
2326  {
2327  msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2328  }
2329  if (options->ccd_exclusive && !options->client_config_dir)
2330  {
2331  msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2332  }
2333  if (options->key_method != 2)
2334  {
2335  msg(M_USAGE, "--mode server requires --key-method 2");
2336  }
2337 
2338  {
2339  const bool ccnr = (options->auth_user_pass_verify_script
2340  || PLUGIN_OPTION_LIST(options)
2341  || MAN_CLIENT_AUTH_ENABLED(options));
2342  const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2344  {
2345  msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2346  }
2347  if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2348  {
2349  msg(M_USAGE, "--username-as-common-name %s", postfix);
2350  }
2351  if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2352  {
2353  msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2354  }
2355  }
2356  }
2357  else
2358  {
2359  /*
2360  * When not in server mode, err if parameters are
2361  * specified which require --mode server.
2362  */
2363  if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2364  {
2365  msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2366  }
2367  if (options->ifconfig_ipv6_pool_defined)
2368  {
2369  msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2370  }
2371  if (options->real_hash_size != defaults.real_hash_size
2372  || options->virtual_hash_size != defaults.virtual_hash_size)
2373  {
2374  msg(M_USAGE, "--hash-size requires --mode server");
2375  }
2376  if (options->learn_address_script)
2377  {
2378  msg(M_USAGE, "--learn-address requires --mode server");
2379  }
2380  if (options->client_connect_script)
2381  {
2382  msg(M_USAGE, "--client-connect requires --mode server");
2383  }
2384  if (options->client_disconnect_script)
2385  {
2386  msg(M_USAGE, "--client-disconnect requires --mode server");
2387  }
2388  if (options->client_config_dir || options->ccd_exclusive)
2389  {
2390  msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2391  }
2392  if (options->enable_c2c)
2393  {
2394  msg(M_USAGE, "--client-to-client requires --mode server");
2395  }
2396  if (options->duplicate_cn)
2397  {
2398  msg(M_USAGE, "--duplicate-cn requires --mode server");
2399  }
2400  if (options->cf_max || options->cf_per)
2401  {
2402  msg(M_USAGE, "--connect-freq requires --mode server");
2403  }
2405  {
2406  msg(M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server");
2407  }
2408  if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2409  {
2410  msg(M_USAGE, "--username-as-common-name requires --mode server");
2411  }
2412  if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2413  {
2414  msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2415  }
2416  if (options->ssl_flags & SSLF_OPT_VERIFY)
2417  {
2418  msg(M_USAGE, "--opt-verify requires --mode server");
2419  }
2420  if (options->server_flags & SF_TCP_NODELAY_HELPER)
2421  {
2422  msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2423  "affect the server. To have TCP_NODELAY in both direction use "
2424  "tcp-nodelay in the server configuration instead.");
2425  }
2426  if (options->auth_user_pass_verify_script)
2427  {
2428  msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2429  }
2430  if (options->auth_token_generate)
2431  {
2432  msg(M_USAGE, "--auth-gen-token requires --mode server");
2433  }
2434 #if PORT_SHARE
2435  if (options->port_share_host || options->port_share_port)
2436  {
2437  msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2438  }
2439 #endif
2440 
2441  if (options->stale_routes_check_interval)
2442  {
2443  msg(M_USAGE, "--stale-routes-check requires --mode server");
2444  }
2445  }
2446 #endif /* P2MP_SERVER */
2447 
2448  if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers))
2449  {
2450  msg(M_USAGE, "NCP cipher list contains unsupported ciphers.");
2451  }
2452 
2453  if (options->keysize)
2454  {
2455  msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6");
2456  }
2457 
2458  /*
2459  * Check consistency of replay options
2460  */
2461  if (!options->replay
2462  && (options->replay_window != defaults.replay_window
2463  || options->replay_time != defaults.replay_time))
2464  {
2465  msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2466  }
2467 
2468  /*
2469  * SSL/TLS mode sanity checks.
2470  */
2471  if (options->tls_server + options->tls_client
2472  +(options->shared_secret_file != NULL) > 1)
2473  {
2474  msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2475  }
2476 
2478  {
2479  msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2480  "--verify-client-cert none|optional (or --client-cert-not-required) "
2481  "may accept clients which do not present a certificate");
2482  }
2483 
2484  if (options->key_method == 1)
2485  {
2486  msg(M_WARN, "WARNING: --key-method 1 is deprecated and will be removed "
2487  "in OpenVPN 2.5. By default --key-method 2 will be used if not set "
2488  "in the configuration file, which is the recommended approach.");
2489  }
2490 
2491  const int tls_version_max =
2494  const int tls_version_min =
2497 
2498  if (tls_version_max > 0 && tls_version_max < tls_version_min)
2499  {
2500  msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2501  }
2502 
2503  if (options->tls_server || options->tls_client)
2504  {
2505 #ifdef ENABLE_PKCS11
2506  if (options->pkcs11_providers[0])
2507  {
2508  notnull(options->ca_file, "CA file (--ca)");
2509 
2510  if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2511  {
2512  msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2513  }
2514  if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2515  {
2516  msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2517  }
2518  if (options->cert_file)
2519  {
2520  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2521  }
2522  if (options->priv_key_file)
2523  {
2524  msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2525  }
2526 #ifdef ENABLE_MANAGEMENT
2527  if (options->management_flags & MF_EXTERNAL_KEY)
2528  {
2529  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2530  }
2531  if (options->management_flags & MF_EXTERNAL_CERT)
2532  {
2533  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2534  }
2535 #endif
2536  if (options->pkcs12_file)
2537  {
2538  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2539  }
2540 #ifdef ENABLE_CRYPTOAPI
2541  if (options->cryptoapi_cert)
2542  {
2543  msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2544  }
2545 #endif
2546  }
2547  else
2548 #endif /* ifdef ENABLE_PKCS11 */
2549 #ifdef ENABLE_MANAGEMENT
2550  if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2551  {
2552  msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2553  }
2554  else if ((options->management_flags & MF_EXTERNAL_CERT))
2555  {
2556  if (options->cert_file)
2557  {
2558  msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2559  }
2560  else if (!(options->management_flags & MF_EXTERNAL_KEY))
2561  {
2562  msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2563  }
2564  }
2565  else
2566 #endif
2567 #ifdef ENABLE_CRYPTOAPI
2568  if (options->cryptoapi_cert)
2569  {
2570  if ((!(options->ca_file)) && (!(options->ca_path)))
2571  {
2572  msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2573  }
2574  if (options->cert_file)
2575  {
2576  msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2577  }
2578  if (options->priv_key_file)
2579  {
2580  msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2581  }
2582  if (options->pkcs12_file)
2583  {
2584  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2585  }
2586 #ifdef ENABLE_MANAGEMENT
2587  if (options->management_flags & MF_EXTERNAL_KEY)
2588  {
2589  msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2590  }
2591  if (options->management_flags & MF_EXTERNAL_CERT)
2592  {
2593  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2594  }
2595 #endif
2596  }
2597  else
2598 #endif /* ifdef ENABLE_CRYPTOAPI */
2599  if (options->pkcs12_file)
2600  {
2601 #ifdef ENABLE_CRYPTO_MBEDTLS
2602  msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2603 #else
2604  if (options->ca_path)
2605  {
2606  msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2607  }
2608  if (options->cert_file)
2609  {
2610  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2611  }
2612  if (options->priv_key_file)
2613  {
2614  msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2615  }
2616 #ifdef ENABLE_MANAGEMENT
2617  if (options->management_flags & MF_EXTERNAL_KEY)
2618  {
2619  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2620  }
2621  if (options->management_flags & MF_EXTERNAL_CERT)
2622  {
2623  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2624  }
2625 #endif
2626 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2627  }
2628  else
2629  {
2630 #ifdef ENABLE_CRYPTO_MBEDTLS
2631  if (!(options->ca_file))
2632  {
2633  msg(M_USAGE, "You must define CA file (--ca)");
2634  }
2635  if (options->ca_path)
2636  {
2637  msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2638  }
2639 #else /* ifdef ENABLE_CRYPTO_MBEDTLS */
2640  if ((!(options->ca_file)) && (!(options->ca_path)))
2641  {
2642  msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2643  }
2644 #endif
2645  if (pull)
2646  {
2647 
2648  const int sum =
2649 #ifdef ENABLE_MANAGEMENT
2650  ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2651  +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2652 #else
2653  (options->cert_file != NULL) + (options->priv_key_file != NULL);
2654 #endif
2655 
2656  if (sum == 0)
2657  {
2658 #if P2MP
2659  if (!options->auth_user_pass_file)
2660 #endif
2661  msg(M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
2662  }
2663  else if (sum == 2)
2664  {
2665  }
2666  else
2667  {
2668  msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2669  }
2670  }
2671  else
2672  {
2673 #ifdef ENABLE_MANAGEMENT
2674  if (!(options->management_flags & MF_EXTERNAL_CERT))
2675 #endif
2676  notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2677 #ifdef ENABLE_MANAGEMENT
2678  if (!(options->management_flags & MF_EXTERNAL_KEY))
2679 #endif
2680  notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2681  }
2682  }
2683  if (ce->tls_auth_file && ce->tls_crypt_file)
2684  {
2685  msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2686  }
2687  if (options->tls_client && ce->tls_crypt_v2_file
2688  && (ce->tls_auth_file || ce->tls_crypt_file))
2689  {
2690  msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2691  }
2692  if (options->genkey && options->tls_crypt_v2_genkey_type)
2693  {
2694  msg(M_USAGE, "--genkey and --tls-crypt-v2-genkey are mutually exclusive");
2695  }
2696  }
2697  else
2698  {
2699  /*
2700  * Make sure user doesn't specify any TLS options
2701  * when in non-TLS mode.
2702  */
2703 
2704 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
2705 }
2706 
2707  const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2708 
2714 #ifndef ENABLE_CRYPTO_MBEDTLS
2716 #endif
2740 #ifdef ENABLE_PKCS11
2741  MUST_BE_UNDEF(pkcs11_providers[0]);
2742  MUST_BE_UNDEF(pkcs11_private_mode[0]);
2743  MUST_BE_UNDEF(pkcs11_id);
2744  MUST_BE_UNDEF(pkcs11_id_management);
2745 #endif
2746 
2747  if (pull)
2748  {
2749  msg(M_USAGE, err, "--pull");
2750  }
2751  }
2752 #undef MUST_BE_UNDEF
2753 
2754 #if P2MP
2755  if (options->auth_user_pass_file && !options->pull)
2756  {
2757  msg(M_USAGE, "--auth-user-pass requires --pull");
2758  }
2759 #endif
2760 
2761  uninit_options(&defaults);
2762 }
2763 
2764 static void
2766 {
2767  const int dev = dev_type_enum(o->dev, o->dev_type);
2768 
2769 #if P2MP_SERVER
2771  {
2772  if (ce->proto == PROTO_TCP)
2773  {
2774  ce->proto = PROTO_TCP_SERVER;
2775  }
2776  }
2777 #endif
2778 #if P2MP
2779  if (o->client)
2780  {
2781  if (ce->proto == PROTO_TCP)
2782  {
2783  ce->proto = PROTO_TCP_CLIENT;
2784  }
2785  }
2786 #endif
2787 
2788  if (ce->proto == PROTO_TCP_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2789  {
2790  ce->bind_local = false;
2791  }
2792 
2793  if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2794  {
2795  ce->bind_local = false;
2796  }
2797 
2798  if (!ce->bind_local)
2799  {
2800  ce->local_port = NULL;
2801  }
2802 
2803  /* if protocol forcing is enabled, disable all protocols except for the forced one */
2804  if (o->proto_force >= 0 && o->proto_force != ce->proto)
2805  {
2806  ce->flags |= CE_DISABLED;
2807  }
2808 
2809  /*
2810  * If --mssfix is supplied without a parameter, default
2811  * it to --fragment value, if --fragment is specified.
2812  */
2813  if (o->ce.mssfix_default)
2814  {
2815 #ifdef ENABLE_FRAGMENT
2816  if (ce->fragment)
2817  {
2818  ce->mssfix = ce->fragment;
2819  }
2820 #else
2821  msg(M_USAGE, "--mssfix must specify a parameter");
2822 #endif
2823  }
2824 
2825  /*
2826  * Set MTU defaults
2827  */
2828  {
2829  if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
2830  {
2831  ce->tun_mtu_defined = true;
2832  }
2833  if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
2834  {
2835  ce->tun_mtu_extra_defined = true;
2837  }
2838  }
2839 
2840  /*
2841  * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
2842  *
2843  * At the end only one of these will be really set because the parser
2844  * logic prevents configurations where more are set.
2845  */
2846  if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
2847  {
2848  ce->tls_auth_file = o->tls_auth_file;
2850  ce->key_direction = o->key_direction;
2851 
2852  ce->tls_crypt_file = o->tls_crypt_file;
2854 
2857  }
2858 
2859  /* pre-cache tls-auth/crypt key file if persist-key was specified and keys
2860  * were not already embedded in the config file
2861  */
2862  if (o->persist_key)
2863  {
2864  if (ce->tls_auth_file && !ce->tls_auth_file_inline)
2865  {
2866  struct buffer in = buffer_read_from_file(o->tls_auth_file, &o->gc);
2867  if (!buf_valid(&in))
2868  {
2869  msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)",
2870  o->tls_auth_file);
2871  }
2872 
2874  ce->tls_auth_file_inline = (char *)in.data;
2875  }
2876 
2877  if (ce->tls_crypt_file && !ce->tls_crypt_inline)
2878  {
2879  struct buffer in = buffer_read_from_file(o->tls_crypt_file, &o->gc);
2880  if (!buf_valid(&in))
2881  {
2882  msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)",
2883  o->tls_auth_file);
2884  }
2885 
2887  ce->tls_crypt_inline = (char *)in.data;
2888  }
2889  }
2890 }
2891 
2892 #ifdef _WIN32
2893 /* If iservice is in use, we need def1 method for redirect-gateway */
2894 static void
2896 {
2897  if (opt->routes
2899  && opt->routes->flags & RG_REROUTE_GW
2900  && !(opt->routes->flags & RG_DEF1))
2901  {
2902  msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
2903  opt->routes->flags |= RG_DEF1;
2904  }
2905 }
2906 #endif
2907 
2908 static void
2910 {
2911 #ifdef _WIN32
2912  const int dev = dev_type_enum(options->dev, options->dev_type);
2913 #endif
2914 
2915  /*
2916  * In forking TCP server mode, you don't need to ifconfig
2917  * the tap device (the assumption is that it will be bridged).
2918  */
2919  if (options->inetd == INETD_NOWAIT)
2920  {
2921  options->ifconfig_noexec = true;
2922  }
2923 
2924 #ifdef _WIN32
2925  if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
2926  {
2927  if (options->mode == MODE_POINT_TO_POINT)
2928  {
2929  options->route_delay_defined = true;
2930  options->route_delay = 5; /* Vista sometimes has a race without this */
2931  }
2932  }
2933 
2934  if (options->ifconfig_noexec)
2935  {
2937  options->ifconfig_noexec = false;
2938  }
2939 
2941 #endif
2942 
2943 #if P2MP_SERVER
2944  /*
2945  * Check consistency of --mode server options.
2946  */
2947  if (options->mode == MODE_SERVER)
2948  {
2949 #ifdef _WIN32
2950  /*
2951  * We need to explicitly set --tap-sleep because
2952  * we do not schedule event timers in the top-level context.
2953  */
2954  options->tuntap_options.tap_sleep = 10;
2955  if (options->route_delay_defined && options->route_delay)
2956  {
2957  options->tuntap_options.tap_sleep = options->route_delay;
2958  }
2959  options->route_delay_defined = false;
2960 #endif
2961  }
2962 #endif
2963 
2964 #ifdef DEFAULT_PKCS11_MODULE
2965  /* If p11-kit is present on the system then load its p11-kit-proxy.so
2966  * by default if the user asks for PKCS#11 without otherwise specifying
2967  * the module to use. */
2968  if (!options->pkcs11_providers[0]
2969  && (options->pkcs11_id || options->pkcs11_id_management))
2970  {
2971  options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
2972  }
2973 #endif
2974 }
2975 
2976 static void
2978 {
2979  if (o->connection_list)
2980  {
2981  int i;
2982  for (i = 0; i < o->connection_list->len; ++i)
2983  {
2985  }
2986  }
2987  else
2988  {
2990  }
2991 }
2992 
2993 static void
2995 {
2996  int i;
2997  /*
2998  * Process helper-type options which map to other, more complex
2999  * sequences of options.
3000  */
3002  helper_keepalive(o);
3003  helper_tcp_nodelay(o);
3004 
3006 
3007  if (o->remote_list && !o->connection_list)
3008  {
3009  /*
3010  * Convert remotes into connection list
3011  */
3012  const struct remote_list *rl = o->remote_list;
3013  for (i = 0; i < rl->len; ++i)
3014  {
3015  const struct remote_entry *re = rl->array[i];
3016  struct connection_entry ce = o->ce;
3017  struct connection_entry *ace;
3018 
3019  ASSERT(re->remote);
3020  connection_entry_load_re(&ce, re);
3021  ace = alloc_connection_entry(o, M_USAGE);
3022  ASSERT(ace);
3023  *ace = ce;
3024  }
3025  }
3026  else if (!o->remote_list && !o->connection_list)
3027  {
3028  struct connection_entry *ace;
3029  ace = alloc_connection_entry(o, M_USAGE);
3030  ASSERT(ace);
3031  *ace = o->ce;
3032  }
3033 
3034  ASSERT(o->connection_list);
3035  for (i = 0; i < o->connection_list->len; ++i)
3036  {
3038  }
3039 
3040  if (o->tls_server)
3041  {
3042  /* Check that DH file is specified, or explicitly disabled */
3043  notnull(o->dh_file, "DH file (--dh)");
3044  if (streq(o->dh_file, "none"))
3045  {
3046  o->dh_file = NULL;
3047  }
3048  }
3049  else if (o->dh_file)
3050  {
3051  /* DH file is only meaningful in a tls-server context. */
3052  msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3053  "include this in your server configuration");
3054  o->dh_file = NULL;
3055  }
3056 
3057  /* cipher negotiation (NCP) currently assumes --pull or --mode server */
3058  if (o->ncp_enabled
3059  && !(o->pull || o->mode == MODE_SERVER) )
3060  {
3061  msg( M_WARN, "disabling NCP mode (--ncp-disable) because not "
3062  "in P2MP client or server mode" );
3063  o->ncp_enabled = false;
3064  }
3065 
3066 #if ENABLE_MANAGEMENT
3067  if (o->http_proxy_override)
3068  {
3070  }
3071 #endif
3072 
3073 #if P2MP
3074  /*
3075  * Save certain parms before modifying options via --pull
3076  */
3077  pre_pull_save(o);
3078 #endif
3079 }
3080 
3081 /*
3082  * Check file/directory sanity
3083  *
3084  */
3085 #ifndef ENABLE_SMALL
3087 #define CHKACC_FILE (1<<0)
3088 #define CHKACC_DIRPATH (1<<1)
3089 #define CHKACC_FILEXSTWR (1<<2)
3090 #define CHKACC_INLINE (1<<3)
3091 #define CHKACC_ACPTSTDIN (1<<4)
3092 #define CHKACC_PRIVATE (1<<5)
3094 static bool
3095 check_file_access(const int type, const char *file, const int mode, const char *opt)
3096 {
3097  int errcode = 0;
3098 
3099  /* If no file configured, no errors to look for */
3100  if (!file)
3101  {
3102  return false;
3103  }
3104 
3105  /* If this may be an inline file, and the proper inline "filename" is set - no issues */
3106  if ((type & CHKACC_INLINE) && streq(file, INLINE_FILE_TAG) )
3107  {
3108  return false;
3109  }
3110 
3111  /* If stdin is allowed and the file name is 'stdin', then do no
3112  * further checks as stdin is always available
3113  */
3114  if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3115  {
3116  return false;
3117  }
3118 
3119  /* Is the directory path leading to the given file accessible? */
3120  if (type & CHKACC_DIRPATH)
3121  {
3122  char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementaion may modify its arguments */
3123  char *dirpath = dirname(fullpath);
3124 
3125  if (platform_access(dirpath, mode|X_OK) != 0)
3126  {
3127  errcode = errno;
3128  }
3129  free(fullpath);
3130  }
3131 
3132  /* Is the file itself accessible? */
3133  if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3134  {
3135  errcode = errno;
3136  }
3137 
3138  /* If the file exists and is accessible, is it writable? */
3139  if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3140  {
3141  if (platform_access(file, W_OK) != 0)
3142  {
3143  errcode = errno;
3144  }
3145  }
3146 
3147  /* Warn if a given private file is group/others accessible. */
3148  if (type & CHKACC_PRIVATE)
3149  {
3150  platform_stat_t st;
3151  if (platform_stat(file, &st))
3152  {
3153  msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3154  }
3155 #ifndef _WIN32
3156  else
3157  {
3158  if (st.st_mode & (S_IRWXG|S_IRWXO))
3159  {
3160  msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3161  }
3162  }
3163 #endif
3164  }
3165 
3166  /* Scream if an error is found */
3167  if (errcode > 0)
3168  {
3169  msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3170  }
3171 
3172  /* Return true if an error occured */
3173  return (errcode != 0 ? true : false);
3174 }
3175 
3176 /* A wrapper for check_file_access() which also takes a chroot directory.
3177  * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3178  * otherwise it will look for the file inside the given chroot directory instead.
3179  */
3180 static bool
3181 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3182 {
3183  bool ret = false;
3184 
3185  /* If no file configured, no errors to look for */
3186  if (!file)
3187  {
3188  return false;
3189  }
3190 
3191  /* If chroot is set, look for the file/directory inside the chroot */
3192  if (chroot)
3193  {
3194  struct gc_arena gc = gc_new();
3195  struct buffer chroot_file;
3196  int len = 0;
3197 
3198  /* Build up a new full path including chroot directory */
3199  len = strlen(chroot) + strlen(PATH_SEPARATOR_STR) + strlen(file) + 1;
3200  chroot_file = alloc_buf_gc(len, &gc);
3201  buf_printf(&chroot_file, "%s%s%s", chroot, PATH_SEPARATOR_STR, file);
3202  ASSERT(chroot_file.len > 0);
3203 
3204  ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3205  gc_free(&gc);
3206  }
3207  else
3208  {
3209  /* No chroot in play, just call core file check function */
3210  ret = check_file_access(type, file, mode, opt);
3211  }
3212  return ret;
3213 }
3214 
3215 
3216 /*
3217  * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3218  * valid file with appropriate permissions.
3219  *
3220  * "command" consists of a path, optionally followed by a space, which may be
3221  * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3222  * performed.
3223  *
3224  * The path and arguments in "command" may be single- or double-quoted or escaped.
3225  *
3226  * The path is extracted from "command", then check_file_access() is called to check it. The
3227  * arguments, if any, are ignored.
3228  *
3229  * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3230  * check_file_access() arguments.
3231  */
3232 static bool
3233 check_cmd_access(const char *command, const char *opt, const char *chroot)
3234 {
3235  struct argv argv;
3236  bool return_code;
3237 
3238  /* If no command was set, there are no errors to look for */
3239  if (!command)
3240  {
3241  return false;
3242  }
3243 
3244  /* Extract executable path and arguments */
3245  argv = argv_new();
3246  argv_parse_cmd(&argv, command);
3247 
3248  /* if an executable is specified then check it; otherwise, complain */
3249  if (argv.argv[0])
3250  {
3251  /* Scripts requires R_OK as well, but that might fail on binaries which
3252  * only requires X_OK to function on Unix - a scenario not unlikely to
3253  * be seen on suid binaries.
3254  */
3255  return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
3256  }
3257  else
3258  {
3259  msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
3260  opt, command);
3261  return_code = true;
3262  }
3263 
3264  argv_reset(&argv);
3265 
3266  return return_code;
3267 }
3268 
3269 /*
3270  * Sanity check of all file/dir options. Checks that file/dir
3271  * is accessible by OpenVPN
3272  */
3273 static void
3275 {
3276  bool errs = false;
3277 
3278  /* ** SSL/TLS/crypto related files ** */
3279  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
3280  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");
3281  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath");
3282  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert");
3284  "--extra-certs");
3285 #ifdef ENABLE_MANAGEMENT
3286  if (!(options->management_flags & MF_EXTERNAL_KEY))
3287 #endif
3288  {
3290  options->priv_key_file, R_OK, "--key");
3291  }
3293  options->pkcs12_file, R_OK, "--pkcs12");
3294 
3295  if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
3296  {
3297  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK,
3298  "--crl-verify directory");
3299  }
3300  else
3301  {
3303  options->crl_file, R_OK, "--crl-verify");
3304  }
3305 
3306  ASSERT(options->connection_list);
3307  for (int i = 0; i < options->connection_list->len; ++i)
3308  {
3309  struct connection_entry *ce = options->connection_list->array[i];
3310 
3312  ce->tls_auth_file, R_OK, "--tls-auth");
3313 
3315  ce->tls_crypt_file, R_OK, "--tls-crypt");
3316 
3318  ce->tls_crypt_v2_file, R_OK,
3319  "--tls-crypt-v2");
3320  }
3321 
3323  options->tls_crypt_v2_genkey_file, R_OK,
3324  "--tls-crypt-v2-genkey");
3326  options->shared_secret_file, R_OK, "--secret");
3327 
3329  options->packet_id_file, R_OK|W_OK, "--replay-persist");
3330 
3331  /* ** Password files ** */
3333  options->key_pass_file, R_OK, "--askpass");
3334 #ifdef ENABLE_MANAGEMENT
3336  options->management_user_pass, R_OK,
3337  "--management user/password file");
3338 #endif /* ENABLE_MANAGEMENT */
3339 #if P2MP
3341  options->auth_user_pass_file, R_OK,
3342  "--auth-user-pass");
3343 #endif /* P2MP */
3344 
3345  /* ** System related ** */
3346  errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
3347  R_OK|X_OK, "--chroot directory");
3349  R_OK|W_OK, "--writepid");
3350 
3351  /* ** Log related ** */
3353  R_OK|W_OK, "--status");
3354 
3355  /* ** Config related ** */
3356  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
3357  R_OK|W_OK|X_OK, "--tls-export-cert");
3358 #if P2MP_SERVER
3360  R_OK|X_OK, "--client-config-dir");
3361  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
3362  R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
3363 
3364 #endif /* P2MP_SERVER */
3365 
3366  if (errs)
3367  {
3368  msg(M_USAGE, "Please correct these errors.");
3369  }
3370 }
3371 #endif /* !ENABLE_SMALL */
3372 
3373 /*
3374  * Sanity check on options.
3375  * Also set some options based on other
3376  * options.
3377  */
3378 void
3380 {
3381  options_postprocess_mutate(options);
3382  options_postprocess_verify(options);
3383 #ifndef ENABLE_SMALL
3385 #endif /* !ENABLE_SMALL */
3386 }
3387 
3388 #if P2MP
3389 
3390 /*
3391  * Save/Restore certain option defaults before --pull is applied.
3392  */
3393 
3394 void
3396 {
3397  if (o->pull)
3398  {
3401  o->pre_pull->tuntap_options_defined = true;
3403  if (o->routes)
3404  {
3406  o->pre_pull->routes_defined = true;
3407  }
3408  if (o->routes_ipv6)
3409  {
3411  o->pre_pull->routes_ipv6_defined = true;
3412  }
3413  if (o->client_nat)
3414  {
3416  o->pre_pull->client_nat_defined = true;
3417  }
3418  }
3419 }
3420 
3421 void
3422 pre_pull_restore(struct options *o, struct gc_arena *gc)
3423 {
3424  const struct options_pre_pull *pp = o->pre_pull;
3425  if (pp)
3426  {
3427  CLEAR(o->tuntap_options);
3428  if (pp->tuntap_options_defined)
3429  {
3430  o->tuntap_options = pp->tuntap_options;
3431  }
3432 
3433  if (pp->routes_defined)
3434  {
3435  rol_check_alloc(o);
3436  copy_route_option_list(o->routes, pp->routes, gc);
3437  }
3438  else
3439  {
3440  o->routes = NULL;
3441  }
3442 
3443  if (pp->routes_ipv6_defined)
3444  {
3445  rol6_check_alloc(o);
3447  }
3448  else
3449  {
3450  o->routes_ipv6 = NULL;
3451  }
3452 
3453  if (pp->client_nat_defined)
3454  {
3455  cnol_check_alloc(o);
3457  }
3458  else
3459  {
3460  o->client_nat = NULL;
3461  }
3462 
3464  }
3465 
3466  o->push_continuation = 0;
3467  o->push_option_types_found = 0;
3468 }
3469 
3470 #endif /* if P2MP */
3471 
3472 #ifdef ENABLE_OCC
3473 
3481 static size_t
3482 calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
3483 {
3484  size_t link_mtu = EXPANDED_SIZE(frame);
3485 
3486  if (o->pull || o->mode == MODE_SERVER)
3487  {
3488  struct frame fake_frame = *frame;
3489  struct key_type fake_kt;
3490  init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true,
3491  false);
3493  crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
3494  cipher_kt_mode_ofb_cfb(fake_kt.cipher));
3495  frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
3496  o->ce.tun_mtu_defined, o->ce.tun_mtu);
3497  msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu,
3498  EXPANDED_SIZE(&fake_frame));
3499  link_mtu = EXPANDED_SIZE(&fake_frame);
3500  }
3501  return link_mtu;
3502 }
3503 
3504 /*
3505  * Build an options string to represent data channel encryption options.
3506  * This string must match exactly between peers. The keysize is checked
3507  * separately by read_key().
3508  *
3509  * The following options must match on both peers:
3510  *
3511  * Tunnel options:
3512  *
3513  * --dev tun|tap [unit number need not match]
3514  * --dev-type tun|tap
3515  * --link-mtu
3516  * --udp-mtu
3517  * --tun-mtu
3518  * --proto udp
3519  * --proto tcp-client [matched with --proto tcp-server
3520  * on the other end of the connection]
3521  * --proto tcp-server [matched with --proto tcp-client on
3522  * the other end of the connection]
3523  * --tun-ipv6
3524  * --ifconfig x y [matched with --ifconfig y x on
3525  * the other end of the connection]
3526  *
3527  * --comp-lzo
3528  * --compress alg
3529  * --fragment
3530  *
3531  * Crypto Options:
3532  *
3533  * --cipher
3534  * --auth
3535  * --keysize
3536  * --secret
3537  * --no-replay
3538  *
3539  * SSL Options:
3540  *
3541  * --tls-auth
3542  * --tls-client [matched with --tls-server on
3543  * the other end of the connection]
3544  * --tls-server [matched with --tls-client on
3545  * the other end of the connection]
3546  */
3547 char *
3548 options_string(const struct options *o,
3549  const struct frame *frame,
3550  struct tuntap *tt,
3551  bool remote,
3552  struct gc_arena *gc)
3553 {
3554  struct buffer out = alloc_buf(OPTION_LINE_SIZE);
3555  bool tt_local = false;
3556 
3557  buf_printf(&out, "V4");
3558 
3559  /*
3560  * Tunnel Options
3561  */
3562 
3563  buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
3564  buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame));
3565  buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame));
3566  buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
3567 
3568  /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
3569  * is usually pushed by the server, triggering a non-helpful warning
3570  */
3572  {
3573  buf_printf(&out, ",tun-ipv6");
3574  }
3575 
3576  /*
3577  * Try to get ifconfig parameters into the options string.
3578  * If tt is undefined, make a temporary instantiation.
3579  */
3580  if (!tt)
3581  {
3582  tt = init_tun(o->dev,
3583  o->dev_type,
3584  o->topology,
3585  o->ifconfig_local,
3590  NULL,
3591  NULL,
3592  false,
3593  NULL);
3594  if (tt)
3595  {
3596  tt_local = true;
3597  }
3598  }
3599 
3600  if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
3601  {
3602  const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
3603  if (ios && strlen(ios))
3604  {
3605  buf_printf(&out, ",ifconfig %s", ios);
3606  }
3607  }
3608  if (tt_local)
3609  {
3610  free(tt);
3611  tt = NULL;
3612  }
3613 
3614 #ifdef USE_COMP
3615  if (o->comp.alg != COMP_ALG_UNDEF)
3616  {
3617  buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
3618  }
3619 #endif
3620 
3621 #ifdef ENABLE_FRAGMENT
3622  if (o->ce.fragment)
3623  {
3624  buf_printf(&out, ",mtu-dynamic");
3625  }
3626 #endif
3627 
3628 #define TLS_CLIENT (o->tls_client)
3629 #define TLS_SERVER (o->tls_server)
3630 
3631  /*
3632  * Key direction
3633  */
3634  {
3635  const char *kd = keydirection2ascii(o->key_direction, remote, false);
3636  if (kd)
3637  {
3638  buf_printf(&out, ",keydir %s", kd);
3639  }
3640  }
3641 
3642  /*
3643  * Crypto Options
3644  */
3646  {
3647  struct key_type kt;
3648 
3649  ASSERT((o->shared_secret_file != NULL)
3650  + (TLS_CLIENT == true)
3651  + (TLS_SERVER == true)
3652  <= 1);
3653 
3654  init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
3655  false);
3656 
3657  buf_printf(&out, ",cipher %s",
3659  buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
3660  buf_printf(&out, ",keysize %d", kt.cipher_length * 8);
3661  if (o->shared_secret_file)
3662  {
3663  buf_printf(&out, ",secret");
3664  }
3665  if (!o->replay)
3666  {
3667  buf_printf(&out, ",no-replay");
3668  }
3669 
3670 #ifdef ENABLE_PREDICTION_RESISTANCE
3671  if (o->use_prediction_resistance)
3672  {
3673  buf_printf(&out, ",use-prediction-resistance");
3674  }
3675 #endif
3676  }
3677 
3678  /*
3679  * SSL Options
3680  */
3681  {
3682  if (TLS_CLIENT || TLS_SERVER)
3683  {
3684  if (o->ce.tls_auth_file)
3685  {
3686  buf_printf(&out, ",tls-auth");
3687  }
3688  /* Not adding tls-crypt here, because we won't reach this code if
3689  * tls-auth/tls-crypt does not match. Removing tls-auth here would
3690  * break stuff, so leaving that in place. */
3691 
3692  if (o->key_method > 1)
3693  {
3694  buf_printf(&out, ",key-method %d", o->key_method);
3695  }
3696  }
3697 
3698  if (remote)
3699  {
3700  if (TLS_CLIENT)
3701  {
3702  buf_printf(&out, ",tls-server");
3703  }
3704  else if (TLS_SERVER)
3705  {
3706  buf_printf(&out, ",tls-client");
3707  }
3708  }
3709  else
3710  {
3711  if (TLS_CLIENT)
3712  {
3713  buf_printf(&out, ",tls-client");
3714  }
3715  else if (TLS_SERVER)
3716  {
3717  buf_printf(&out, ",tls-server");
3718  }
3719  }
3720  }
3721 
3722 #undef TLS_CLIENT
3723 #undef TLS_SERVER
3724 
3725  return BSTR(&out);
3726 }
3727 
3728 /*
3729  * Compare option strings for equality.
3730  * If the first two chars of the strings differ, it means that
3731  * we are looking at different versions of the options string,
3732  * therefore don't compare them and return true.
3733  */
3734 
3735 bool
3736 options_cmp_equal(char *actual, const char *expected)
3737 {
3738  return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
3739 }
3740 
3741 void
3742 options_warning(char *actual, const char *expected)
3743 {
3744  options_warning_safe(actual, expected, strlen(actual) + 1);
3745 }
3746 
3747 static const char *
3748 options_warning_extract_parm1(const char *option_string,
3749  struct gc_arena *gc_ret)
3750 {
3751  struct gc_arena gc = gc_new();
3752  struct buffer b = string_alloc_buf(option_string, &gc);
3753  char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
3754  const char *ret;
3755 
3756  buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
3757  ret = string_alloc(p, gc_ret);
3758  gc_free(&gc);
3759  return ret;
3760 }
3761 
3762 static void
3763 options_warning_safe_scan2(const int msglevel,
3764  const int delim,
3765  const bool report_inconsistent,
3766  const char *p1,
3767  const struct buffer *b2_src,
3768  const char *b1_name,
3769  const char *b2_name)
3770 {
3771  /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
3772  * OCC in a future version (because it's not useful). To reduce questions
3773  * when interoperating, we no longer printing a warning about it.
3774  */
3775  if (strprefix(p1, "key-method ")
3776  || strprefix(p1, "keydir ")
3777  || strprefix(p1, "proto ")
3778  || strprefix(p1, "tls-auth ")
3779  || strprefix(p1, "tun-ipv6"))
3780  {
3781  return;
3782  }
3783 
3784  if (strlen(p1) > 0)
3785  {
3786  struct gc_arena gc = gc_new();
3787  struct buffer b2 = *b2_src;
3788  const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
3789  char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
3790 
3791  while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
3792  {
3793  if (strlen(p2))
3794  {
3795  const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
3796 
3797  if (!strcmp(p1, p2))
3798  {
3799  goto done;
3800  }
3801  if (!strcmp(p1_prefix, p2_prefix))
3802  {
3803  if (report_inconsistent)
3804  {
3805  msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
3806  safe_print(p1_prefix, &gc),
3807  b1_name,
3808  safe_print(p1, &gc),
3809  b2_name,
3810  safe_print(p2, &gc));
3811  }
3812  goto done;
3813  }
3814  }
3815  }
3816 
3817  msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
3818  safe_print(p1_prefix, &gc),
3819  b1_name,
3820  b2_name,
3821  b1_name,
3822  safe_print(p1, &gc));
3823 
3824 done:
3825  gc_free(&gc);
3826  }
3827 }
3828 
3829 static void
3830 options_warning_safe_scan1(const int msglevel,
3831  const int delim,
3832  const bool report_inconsistent,
3833  const struct buffer *b1_src,
3834  const struct buffer *b2_src,
3835  const char *b1_name,
3836  const char *b2_name)
3837 {
3838  struct gc_arena gc = gc_new();
3839  struct buffer b = *b1_src;
3840  char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
3841 
3842  while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
3843  {
3844  options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
3845  }
3846 
3847  gc_free(&gc);
3848 }
3849 
3850 static void
3851 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
3852 {
3853  struct gc_arena gc = gc_new();
3854 
3855  if (actual_n > 0)
3856  {
3857  struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
3858  struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
3859  actual[actual_n - 1] = 0;
3860 
3861  buf_printf(&local, "version %s", expected);
3862  buf_printf(&remote, "version %s", actual);
3863 
3864  options_warning_safe_scan1(msglevel, ',', true,
3865  &local, &remote,
3866  "local", "remote");
3867 
3868  options_warning_safe_scan1(msglevel, ',', false,
3869  &remote, &local,
3870  "remote", "local");
3871  }
3872 
3873  gc_free(&gc);
3874 }
3875 
3876 bool
3877 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
3878 {
3879  struct gc_arena gc = gc_new();
3880  bool ret = true;
3881 
3882  if (actual_n > 0)
3883  {
3884  actual[actual_n - 1] = 0;
3885 #ifndef ENABLE_STRICT_OPTIONS_CHECK
3886  if (strncmp(actual, expected, 2))
3887  {
3888  msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
3889  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
3890  }
3891  else
3892 #endif
3893  ret = !strcmp(actual, expected);
3894  }
3895  gc_free(&gc);
3896  return ret;
3897 }
3898 
3899 void
3900 options_warning_safe(char *actual, const char *expected, size_t actual_n)
3901 {
3902  options_warning_safe_ml(M_WARN, actual, expected, actual_n);
3903 }
3904 
3905 const char *
3906 options_string_version(const char *s, struct gc_arena *gc)
3907 {
3908  struct buffer out = alloc_buf_gc(4, gc);
3909  strncpynt((char *) BPTR(&out), s, 3);
3910  return BSTR(&out);
3911 }
3912 
3913 #endif /* ENABLE_OCC */
3914 
3915 char *
3916 options_string_extract_option(const char *options_string,const char *opt_name,
3917  struct gc_arena *gc)
3918 {
3919  char *ret = NULL;
3920  const size_t opt_name_len = strlen(opt_name);
3921 
3922  const char *p = options_string;
3923  while (p)
3924  {
3925  if (0 == strncmp(p, opt_name, opt_name_len)
3926  && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
3927  {
3928  /* option found, extract value */
3929  const char *start = &p[opt_name_len+1];
3930  const char *end = strchr(p, ',');
3931  size_t val_len = end ? end - start : strlen(start);
3932  ret = gc_malloc(val_len+1, true, gc);
3933  memcpy(ret, start, val_len);
3934  break;
3935  }
3936  p = strchr(p, ',');
3937  if (p)
3938  {
3939  p++; /* skip delimiter */
3940  }
3941  }
3942  return ret;
3943 }
3944 
3945 static void
3946 foreign_option(struct options *o, char *argv[], int len, struct env_set *es)
3947 {
3948  if (len > 0)
3949  {
3950  struct gc_arena gc = gc_new();
3951  struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3952  struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3953  int i;
3954  bool first = true;
3955  bool good = true;
3956 
3957  good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
3958  ++o->foreign_option_index;
3959  for (i = 0; i < len; ++i)
3960  {
3961  if (argv[i])
3962  {
3963  if (!first)
3964  {
3965  good &= buf_printf(&value, " ");
3966  }
3967  good &= buf_printf(&value, "%s", argv[i]);
3968  first = false;
3969  }
3970  }
3971  if (good)
3972  {
3973  setenv_str(es, BSTR(&name), BSTR(&value));
3974  }
3975  else
3976  {
3977  msg(M_WARN, "foreign_option: name/value overflow");
3978  }
3979  gc_free(&gc);
3980  }
3981 }
3982 
3983 /*
3984  * parse/print topology coding
3985  */
3986 
3987 int
3988 parse_topology(const char *str, const int msglevel)
3989 {
3990  if (streq(str, "net30"))
3991  {
3992  return TOP_NET30;
3993  }
3994  else if (streq(str, "p2p"))
3995  {
3996  return TOP_P2P;
3997  }
3998  else if (streq(str, "subnet"))
3999  {
4000  return TOP_SUBNET;
4001  }
4002  else
4003  {
4004  msg(msglevel, "--topology must be net30, p2p, or subnet");
4005  return TOP_UNDEF;
4006  }
4007 }
4008 
4009 const char *
4010 print_topology(const int topology)
4011 {
4012  switch (topology)
4013  {
4014  case TOP_UNDEF:
4015  return "undef";
4016 
4017  case TOP_NET30:
4018  return "net30";
4019 
4020  case TOP_P2P:
4021  return "p2p";
4022 
4023  case TOP_SUBNET:
4024  return "subnet";
4025 
4026  default:
4027  return "unknown";
4028  }
4029 }
4030 
4031 #if P2MP
4032 
4033 /*
4034  * Manage auth-retry variable
4035  */
4036 
4037 static int global_auth_retry; /* GLOBAL */
4038 
4039 int
4041 {
4042  return global_auth_retry;
4043 }
4044 
4045 bool
4046 auth_retry_set(const int msglevel, const char *option)
4047 {
4048  if (streq(option, "interact"))
4049  {
4051  }
4052  else if (streq(option, "nointeract"))
4053  {
4055  }
4056  else if (streq(option, "none"))
4057  {
4059  }
4060  else
4061  {
4062  msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4063  return false;
4064  }
4065  return true;
4066 }
4067 
4068 const char *
4070 {
4071  switch (global_auth_retry)
4072  {
4073  case AR_NONE:
4074  return "none";
4075 
4076  case AR_NOINTERACT:
4077  return "nointeract";
4078 
4079  case AR_INTERACT:
4080  return "interact";
4081 
4082  default:
4083  return "???";
4084  }
4085 }
4086 
4087 #endif /* if P2MP */
4088 
4089 /*
4090  * Print the help message.
4091  */
4092 static void
4093 usage(void)
4094 {
4095  FILE *fp = msg_fp(0);
4096 
4097 #ifdef ENABLE_SMALL
4098 
4099  fprintf(fp, "Usage message not available\n");
4100 
4101 #else
4102 
4103  struct options o;
4104  init_options(&o, true);
4105 
4106  fprintf(fp, usage_message,
4107  title_string,
4110  o.ce.local_port, o.ce.remote_port,
4112  o.verbosity,
4113  o.authname, o.ciphername,
4117  fflush(fp);
4118 
4119 #endif /* ENABLE_SMALL */
4120 
4121  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4122 }
4123 
4124 void
4126 {
4127  msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4128  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4129 }
4130 
4131 #ifdef _WIN32
4132 void
4133 show_windows_version(const unsigned int flags)
4134 {
4135  struct gc_arena gc = gc_new();
4136  msg(flags, "Windows version %s", win32_version_string(&gc, true));
4137  gc_free(&gc);
4138 }
4139 #endif
4140 
4141 void
4142 show_library_versions(const unsigned int flags)
4143 {
4144 #ifdef ENABLE_LZO
4145 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4146 #else
4147 #define LZO_LIB_VER_STR "", ""
4148 #endif
4149 
4150  msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4151  LZO_LIB_VER_STR);
4152 
4153 #undef LZO_LIB_VER_STR
4154 }
4155 
4156 static void
4158 {
4161 #ifdef _WIN32
4163 #endif
4164  msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4165  msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>");
4166 #ifndef ENABLE_SMALL
4167 #ifdef CONFIGURE_DEFINES
4168  msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4169 #endif
4170 #ifdef CONFIGURE_SPECIAL_BUILD
4171  msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4172 #endif
4173 #endif
4174  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4175 }
4176 
4177 void
4178 notnull(const char *arg, const char *description)
4179 {
4180  if (!arg)
4181  {
4182  msg(M_USAGE, "You must define %s", description);
4183  }
4184 }
4185 
4186 bool
4187 string_defined_equal(const char *s1, const char *s2)
4188 {
4189  if (s1 && s2)
4190  {
4191  return !strcmp(s1, s2);
4192  }
4193  else
4194  {
4195  return false;
4196  }
4197 }
4198 
4199 #if 0
4200 static void
4201 ping_rec_err(int msglevel)
4202 {
4203  msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4204 }
4205 #endif
4206 
4207 static int
4208 positive_atoi(const char *str)
4209 {
4210  const int i = atoi(str);
4211  return i < 0 ? 0 : i;
4212 }
4213 
4214 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4215 static unsigned int
4216 atou(const char *str)
4217 {
4218  unsigned int val = 0;
4219  sscanf(str, "%u", &val);
4220  return val;
4221 }
4222 #endif
4223 
4224 static inline bool
4225 space(unsigned char c)
4226 {
4227  return c == '\0' || isspace(c);
4228 }
4229 
4230 int
4231 parse_line(const char *line,
4232  char *p[],
4233  const int n,
4234  const char *file,
4235  const int line_num,
4236  int msglevel,
4237  struct gc_arena *gc)
4238 {
4239  const int STATE_INITIAL = 0;
4240  const int STATE_READING_QUOTED_PARM = 1;
4241  const int STATE_READING_UNQUOTED_PARM = 2;
4242  const int STATE_DONE = 3;
4243  const int STATE_READING_SQUOTED_PARM = 4;
4244 
4245  const char *error_prefix = "";
4246 
4247  int ret = 0;
4248  const char *c = line;
4249  int state = STATE_INITIAL;
4250  bool backslash = false;
4251  char in, out;
4252 
4253  char parm[OPTION_PARM_SIZE];
4254  unsigned int parm_len = 0;
4255 
4256  msglevel &= ~M_OPTERR;
4257 
4258  if (msglevel & M_MSG_VIRT_OUT)
4259  {
4260  error_prefix = "ERROR: ";
4261  }
4262 
4263  do
4264  {
4265  in = *c;
4266  out = 0;
4267 
4268  if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4269  {
4270  backslash = true;
4271  }
4272  else
4273  {
4274  if (state == STATE_INITIAL)
4275  {
4276  if (!space(in))
4277  {
4278  if (in == ';' || in == '#') /* comment */
4279  {
4280  break;
4281  }
4282  if (!backslash && in == '\"')
4283  {
4284  state = STATE_READING_QUOTED_PARM;
4285  }
4286  else if (!backslash && in == '\'')
4287  {
4288  state = STATE_READING_SQUOTED_PARM;
4289  }
4290  else
4291  {
4292  out = in;
4293  state = STATE_READING_UNQUOTED_PARM;
4294  }
4295  }
4296  }
4297  else if (state == STATE_READING_UNQUOTED_PARM)
4298  {
4299  if (!backslash && space(in))
4300  {
4301  state = STATE_DONE;
4302  }
4303  else
4304  {
4305  out = in;
4306  }
4307  }
4308  else if (state == STATE_READING_QUOTED_PARM)
4309  {
4310  if (!backslash && in == '\"')
4311  {
4312  state = STATE_DONE;
4313  }
4314  else
4315  {
4316  out = in;
4317  }
4318  }
4319  else if (state == STATE_READING_SQUOTED_PARM)
4320  {
4321  if (in == '\'')
4322  {
4323  state = STATE_DONE;
4324  }
4325  else
4326  {
4327  out = in;
4328  }
4329  }
4330  if (state == STATE_DONE)
4331  {
4332  /* ASSERT (parm_len > 0); */
4333  p[ret] = gc_malloc(parm_len + 1, true, gc);
4334  memcpy(p[ret], parm, parm_len);
4335  p[ret][parm_len] = '\0';
4336  state = STATE_INITIAL;
4337  parm_len = 0;
4338  ++ret;
4339  }
4340 
4341  if (backslash && out)
4342  {
4343  if (!(out == '\\' || out == '\"' || space(out)))
4344  {
4345 #ifdef ENABLE_SMALL
4346  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
4347 #else
4348  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
4349 #endif
4350  return 0;
4351  }
4352  }
4353  backslash = false;
4354  }
4355 
4356  /* store parameter character */
4357  if (out)
4358  {
4359  if (parm_len >= SIZE(parm))
4360  {
4361  parm[SIZE(parm) - 1] = 0;
4362  msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
4363  error_prefix, file, line_num, (int) SIZE(parm), parm);
4364  return 0;
4365  }
4366  parm[parm_len++] = out;
4367  }
4368 
4369  /* avoid overflow if too many parms in one config file line */
4370  if (ret >= n)
4371  {
4372  break;
4373  }
4374 
4375  } while (*c++ != '\0');
4376 
4377  if (state == STATE_READING_QUOTED_PARM)
4378  {
4379  msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
4380  return 0;
4381  }
4382  if (state == STATE_READING_SQUOTED_PARM)
4383  {
4384  msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
4385  return 0;
4386  }
4387  if (state != STATE_INITIAL)
4388  {
4389  msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
4390  return 0;
4391  }
4392 #if 0
4393  {
4394  int i;
4395  for (i = 0; i < ret; ++i)
4396  {
4397  msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
4398  }
4399  }
4400 #endif
4401  return ret;
4402 }
4403 
4404 static void
4406 {
4407  if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
4408  {
4409  *p += 2;
4410  }
4411 }
4412 
4413 struct in_src {
4414 #define IS_TYPE_FP 1
4415 #define IS_TYPE_BUF 2
4416  int type;
4417  union {
4418  FILE *fp;
4420  } u;
4421 };
4422 
4423 static bool
4424 in_src_get(const struct in_src *is, char *line, const int size)
4425 {
4426  if (is->type == IS_TYPE_FP)
4427  {
4428  return BOOL_CAST(fgets(line, size, is->u.fp));
4429  }
4430  else if (is->type == IS_TYPE_BUF)
4431  {
4432  bool status = buf_parse(is->u.multiline, '\n', line, size);
4433  if ((int) strlen(line) + 1 < size)
4434  {
4435  strcat(line, "\n");
4436  }
4437  return status;
4438  }
4439  else
4440  {
4441  ASSERT(0);
4442  return false;
4443  }
4444 }
4445 
4446 static char *
4447 read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc)
4448 {
4449  char line[OPTION_LINE_SIZE];
4450  struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
4451  char *ret;
4452  bool endtagfound = false;
4453 
4454  while (in_src_get(is, line, sizeof(line)))
4455  {
4456  char *line_ptr = line;
4457  /* Remove leading spaces */
4458  while (isspace(*line_ptr))
4459  {
4460  line_ptr++;
4461  }
4462  if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
4463  {
4464  endtagfound = true;
4465  break;
4466  }
4467  if (!buf_safe(&buf, strlen(line)+1))
4468  {
4469  /* Increase buffer size */
4470  struct buffer buf2 = alloc_buf(buf.capacity * 2);
4471  ASSERT(buf_copy(&buf2, &buf));
4472  buf_clear(&buf);
4473  free_buf(&buf);
4474  buf = buf2;
4475  }
4476  buf_printf(&buf, "%s", line);
4477  }
4478  if (!endtagfound)
4479  {
4480  msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
4481  }
4482  ret = string_alloc(BSTR(&buf), gc);
4483  buf_clear(&buf);
4484  free_buf(&buf);
4485  secure_memzero(line, sizeof(line));
4486  return ret;
4487 }
4488 
4489 static bool
4490 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
4491 {
4492  bool ret = false;
4493  if (p[0] && !p[1])
4494  {
4495  char *arg = p[0];
4496  if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
4497  {
4498  struct buffer close_tag;
4499  arg[strlen(arg)-1] = '\0';
4500  p[0] = string_alloc(arg+1, gc);
4501  p[1] = string_alloc(INLINE_FILE_TAG, gc);
4502  close_tag = alloc_buf(strlen(p[0]) + 4);
4503  buf_printf(&close_tag, "</%s>", p[0]);
4504  p[2] = read_inline_file(is, BSTR(&close_tag), gc);
4505  p[3] = NULL;
4506  free_buf(&close_tag);
4507  ret = true;
4508  }
4509  }
4510  return ret;
4511 }
4512 
4513 static bool
4514 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
4515 {
4516  struct in_src is;
4517  is.type = IS_TYPE_FP;
4518  is.u.fp = fp;
4519  return check_inline_file(&is, p, gc);
4520 }
4521 
4522 static bool
4523 check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
4524 {
4525  struct in_src is;
4526  is.type = IS_TYPE_BUF;
4527  is.u.multiline = multiline;
4528  return check_inline_file(&is, p, gc);
4529 }
4530 
4531 static void
4532 add_option(struct options *options,
4533  char *p[],
4534  const char *file,
4535  int line,
4536  const int level,
4537  const int msglevel,
4538  const unsigned int permission_mask,
4539  unsigned int *option_types_found,
4540  struct env_set *es);
4541 
4542 static void
4543 read_config_file(struct options *options,
4544  const char *file,
4545  int level,
4546  const char *top_file,
4547  const int top_line,
4548  const int msglevel,
4549  const unsigned int permission_mask,
4550  unsigned int *option_types_found,
4551  struct env_set *es)
4552 {
4553  const int max_recursive_levels = 10;
4554  FILE *fp;
4555  int line_num;
4556  char line[OPTION_LINE_SIZE+1];
4557  char *p[MAX_PARMS+1];
4558 
4559  ++level;
4560  if (level <= max_recursive_levels)
4561  {
4562  if (streq(file, "stdin"))
4563  {
4564  fp = stdin;
4565  }
4566  else
4567  {
4568  fp = platform_fopen(file, "r");
4569  }
4570  if (fp)
4571  {
4572  line_num = 0;
4573  while (fgets(line, sizeof(line), fp))
4574  {
4575  int offset = 0;
4576  CLEAR(p);
4577  ++line_num;
4578  if (strlen(line) == OPTION_LINE_SIZE)
4579  {
4580  msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
4581  file, line_num, OPTION_LINE_SIZE, line);
4582  }
4583 
4584  /* Ignore UTF-8 BOM at start of stream */
4585  if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
4586  {
4587  offset = 3;
4588  }
4589  if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
4590  {
4591  bypass_doubledash(&p[0]);
4592  check_inline_file_via_fp(fp, p, &options->gc);
4593  add_option(options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
4594  }
4595  }
4596  if (fp != stdin)
4597  {
4598  fclose(fp);
4599  }
4600  }
4601  else
4602  {
4603  msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
4604  }
4605  }
4606  else
4607  {
4608  msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
4609  }
4610  secure_memzero(line, sizeof(line));
4611  CLEAR(p);
4612 }
4613 
4614 static void
4615 read_config_string(const char *prefix,
4616  struct options *options,
4617  const char *config,
4618  const int msglevel,
4619  const unsigned int permission_mask,
4620  unsigned int *option_types_found,
4621  struct env_set *es)
4622 {
4623  char line[OPTION_LINE_SIZE];
4624  struct buffer multiline;
4625  int line_num = 0;
4626 
4627  buf_set_read(&multiline, (uint8_t *)config, strlen(config));
4628 
4629  while (buf_parse(&multiline, '\n', line, sizeof(line)))
4630  {
4631  char *p[MAX_PARMS+1];
4632  CLEAR(p);
4633  ++line_num;
4634  if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
4635  {
4636  bypass_doubledash(&p[0]);
4637  check_inline_file_via_buf(&multiline, p, &options->gc);
4638  add_option(options, p, prefix, line_num, 0, msglevel, permission_mask, option_types_found, es);
4639  }
4640  CLEAR(p);
4641  }
4642  secure_memzero(line, sizeof(line));
4643 }
4644 
4645 void
4646 parse_argv(struct options *options,
4647  const int argc,
4648  char *argv[],
4649  const int msglevel,
4650  const unsigned int permission_mask,
4651  unsigned int *option_types_found,
4652  struct env_set *es)
4653 {
4654  int i, j;
4655 
4656  /* usage message */
4657  if (argc <= 1)
4658  {
4659  usage();
4660  }
4661 
4662  /* config filename specified only? */
4663  if (argc == 2 && strncmp(argv[1], "--", 2))
4664  {
4665  char *p[MAX_PARMS];
4666  CLEAR(p);
4667  p[0] = "config";
4668  p[1] = argv[1];
4669  add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
4670  }
4671  else
4672  {
4673  /* parse command line */
4674  for (i = 1; i < argc; ++i)
4675  {
4676  char *p[MAX_PARMS];
4677  CLEAR(p);
4678  p[0] = argv[i];
4679  if (strncmp(p[0], "--", 2))
4680  {
4681  msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
4682  }
4683  else
4684  {
4685  p[0] += 2;
4686  }
4687 
4688  for (j = 1; j < MAX_PARMS; ++j)
4689  {
4690  if (i + j < argc)
4691  {
4692  char *arg = argv[i + j];
4693  if (strncmp(arg, "--", 2))
4694  {
4695  p[j] = arg;
4696  }
4697  else
4698  {
4699  break;
4700  }
4701  }
4702  }
4703  add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
4704  i += j - 1;
4705  }
4706  }
4707 }
4708 
4717 static bool
4718 apply_pull_filter(const struct options *o, char *line)
4719 {
4720  struct pull_filter *f;
4721 
4722  if (!o->pull_filter_list)
4723  {
4724  return true;
4725  }
4726 
4727  for (f = o->pull_filter_list->head; f; f = f->next)
4728  {
4729  if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
4730  {
4731  msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
4732  return true;
4733  }
4734  else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
4735  {
4736  msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
4737  *line = '\0';
4738  return true;
4739  }
4740  else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
4741  {
4742  msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
4743  *line = '\0';
4744  throw_signal_soft(SIGUSR1, "Offending option received from server");
4745  return false;
4746  }
4747  }
4748  return true;
4749 }
4750 
4751 bool
4752 apply_push_options(struct options *options,
4753  struct buffer *buf,
4754  unsigned int permission_mask,
4755  unsigned int *option_types_found,
4756  struct env_set *es)
4757 {
4758  char line[OPTION_PARM_SIZE];
4759  int line_num = 0;
4760  const char *file = "[PUSH-OPTIONS]";
4761  const int msglevel = D_PUSH_ERRORS|M_OPTERR;
4762 
4763  while (buf_parse(buf, ',', line, sizeof(line)))
4764  {
4765  char *p[MAX_PARMS+1];
4766  CLEAR(p);
4767  ++line_num;
4768  if (!apply_pull_filter(options, line))
4769  {
4770  return false; /* Cause push/pull error and stop push processing */
4771  }
4772  if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
4773  {
4774  add_option(options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
4775  }
4776  }
4777  return true;
4778 }
4779 
4780 void
4781 options_server_import(struct options *o,
4782  const char *filename,
4783  int msglevel,
4784  unsigned int permission_mask,
4785  unsigned int *option_types_found,
4786  struct env_set *es)
4787 {
4788  msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
4789  read_config_file(o,
4790  filename,
4791  0,
4792  filename,
4793  0,
4794  msglevel,
4795  permission_mask,
4796  option_types_found,
4797  es);
4798 }
4799 
4800 void
4801 options_string_import(struct options *options,
4802  const char *config,
4803  const int msglevel,
4804  const unsigned int permission_mask,
4805  unsigned int *option_types_found,
4806  struct env_set *es)
4807 {
4808  read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
4809 }
4810 
4811 #if P2MP
4812 
4813 #define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, msglevel, options)) {goto err;}}
4814 
4815 static bool
4816 verify_permission(const char *name,
4817  const char *file,
4818  int line,
4819  const unsigned int type,
4820  const unsigned int allowed,
4821  unsigned int *found,
4822  const int msglevel,
4823  struct options *options)
4824 {
4825  if (!(type & allowed))
4826  {
4827  msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
4828  return false;
4829  }
4830 
4831  if (found)
4832  {
4833  *found |= type;
4834  }
4835 
4836 #ifndef ENABLE_SMALL
4837  /* Check if this options is allowed in connection block,
4838  * but we are currently not in a connection block
4839  * unless this is a pushed option.
4840  * Parsing a connection block uses a temporary options struct without
4841  * connection_list
4842  */
4843 
4844  if ((type & OPT_P_CONNECTION) && options->connection_list
4845  && !(allowed & OPT_P_PULL_MODE))
4846  {
4847  if (file)
4848  {
4849  msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
4850  }
4851  else
4852  {
4853  msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
4854  }
4855  }
4856 #endif
4857  return true;
4858 }
4859 
4860 #else /* if P2MP */
4861 
4862 #define VERIFY_PERMISSION(mask)
4863 
4864 #endif /* if P2MP */
4865 
4866 /*
4867  * Check that an option doesn't have too
4868  * many parameters.
4869  */
4870 
4871 #define NM_QUOTE_HINT (1<<0)
4872 
4873 static bool
4874 no_more_than_n_args(const int msglevel,
4875  char *p[],
4876  const int max,
4877  const unsigned int flags)
4878 {
4879  const int len = string_array_len((const char **)p);
4880 
4881  if (!len)
4882  {
4883  return false;
4884  }
4885 
4886  if (len > max)
4887  {
4888  msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
4889  p[0],
4890  max - 1,
4891  max >= 3 ? "s" : "",
4892  (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
4893  return false;
4894  }
4895  else
4896  {
4897  return true;
4898  }
4899 }
4900 
4901 static inline int
4902 msglevel_forward_compatible(struct options *options, const int msglevel)
4903 {
4904  return options->forward_compatible ? M_WARN : msglevel;
4905 }
4906 
4907 static void
4908 set_user_script(struct options *options,
4909  const char **script,
4910  const char *new_script,
4911  const char *type,
4912  bool in_chroot)
4913 {
4914  if (*script)
4915  {
4916  msg(M_WARN, "Multiple --%s scripts defined. "
4917  "The previously configured script is overridden.", type);
4918  }
4919  *script = new_script;
4920  options->user_script_used = true;
4921 
4922 #ifndef ENABLE_SMALL
4923  {
4924  char script_name[100];
4925  openvpn_snprintf(script_name, sizeof(script_name),
4926  "--%s script", type);
4927 
4928  if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
4929  {
4930  msg(M_USAGE, "Please correct this error.");
4931  }
4932 
4933  }
4934 #endif
4935 }
4936 
4937 
4938 static void
4939 add_option(struct options *options,
4940  char *p[],
4941  const char *file,
4942  int line,
4943  const int level,
4944  const int msglevel,
4945  const unsigned int permission_mask,
4946  unsigned int *option_types_found,
4947  struct env_set *es)
4948 {
4949  struct gc_arena gc = gc_new();
4950  const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
4951  int msglevel_fc = msglevel_forward_compatible(options, msglevel);
4952 
4953  ASSERT(MAX_PARMS >= 7);
4954 
4955  /*
4956  * If directive begins with "setenv opt" prefix, don't raise an error if
4957  * directive is unrecognized.
4958  */
4959  if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
4960  {
4961  if (!p[2])
4962  {
4963  p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
4964  }
4965  p += 2;
4966  msglevel_fc = M_WARN;
4967  }
4968 
4969  if (!file)
4970  {
4971  file = "[CMD-LINE]";
4972  line = 1;
4973  }
4974  if (streq(p[0], "help"))
4975  {
4977  usage();
4978  if (p[1])
4979  {
4980  msg(msglevel, "--help does not accept any parameters");
4981  goto err;
4982  }
4983  }
4984  if (streq(p[0], "version") && !p[1])
4985  {
4987  usage_version();
4988  }
4989  else if (streq(p[0], "config") && p[1] && !p[2])
4990  {
4992 
4993  /* save first config file only in options */
4994  if (!options->config)
4995  {
4996  options->config = p[1];
4997  }
4998 
4999  read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5000  }
5001 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5002  else if (streq(p[0], "show-gateway") && !p[2])
5003  {
5004  struct route_gateway_info rgi;
5005  struct route_ipv6_gateway_info rgi6;
5006  struct in6_addr remote = IN6ADDR_ANY_INIT;
5008  if (p[1])
5009  {
5010  get_ipv6_addr(p[1], &remote, NULL, M_WARN);
5011  }
5012  get_default_gateway(&rgi);
5013  get_default_gateway_ipv6(&rgi6, &remote);
5014  print_default_gateway(M_INFO, &rgi, &rgi6);
5015  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5016  }
5017 #endif
5018 #if 0
5019  else if (streq(p[0], "foreign-option") && p[1])
5020  {
5022  foreign_option(options, p, 3, es);
5023  }
5024 #endif
5025  else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5026  {
5027  struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5028  int j;
5029  bool good = true;
5030 
5032 
5033  for (j = 1; j < MAX_PARMS; ++j)
5034  {
5035  if (!p[j])
5036  {
5037  break;
5038  }
5039  if (j > 1)
5040  {
5041  good &= buf_printf(&string, " ");
5042  }
5043  good &= buf_printf(&string, "%s", p[j]);
5044  }
5045  if (good)
5046  {
5047 #if 0
5048  /* removed for now since ECHO can potentially include
5049  * security-sensitive strings */
5050  msg(M_INFO, "%s:%s",
5051  pull_mode ? "ECHO-PULL" : "ECHO",
5052  BSTR(&string));
5053 #endif
5054 #ifdef ENABLE_MANAGEMENT
5055  if (management)
5056  {
5057  management_echo(management, BSTR(&string), pull_mode);
5058  }
5059 #endif
5060  }
5061  else
5062  {
5063  msg(M_WARN, "echo/parameter option overflow");
5064  }
5065  }
5066 #ifdef ENABLE_MANAGEMENT
5067  else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5068  {
5070  if (streq(p[2], "unix"))
5071  {
5072 #if UNIX_SOCK_SUPPORT
5073  options->management_flags |= MF_UNIX_SOCK;
5074 #else
5075  msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5076  goto err;
5077 #endif
5078  }
5079 
5080  options->management_addr = p[1];
5081  options->management_port = p[2];
5082  if (p[3])
5083  {
5084  options->management_user_pass = p[3];
5085  }
5086  }
5087  else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5088  {
5090  options->management_client_user = p[1];
5091  }
5092  else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5093  {
5095  options->management_client_group = p[1];
5096  }
5097  else if (streq(p[0], "management-query-passwords") && !p[1])
5098  {
5101  }
5102  else if (streq(p[0], "management-query-remote") && !p[1])
5103  {
5105  options->management_flags |= MF_QUERY_REMOTE;
5106  }
5107  else if (streq(p[0], "management-query-proxy") && !p[1])
5108  {
5110  options->management_flags |= MF_QUERY_PROXY;
5111  }
5112  else if (streq(p[0], "management-hold") && !p[1])
5113  {
5115  options->management_flags |= MF_HOLD;
5116  }
5117  else if (streq(p[0], "management-signal") && !p[1])
5118  {
5120  options->management_flags |= MF_SIGNAL;
5121  }
5122  else if (streq(p[0], "management-forget-disconnect") && !p[1])
5123  {
5126  }
5127  else if (streq(p[0], "management-up-down") && !p[1])
5128  {
5130  options->management_flags |= MF_UP_DOWN;
5131  }
5132  else if (streq(p[0], "management-client") && !p[2])
5133  {
5136  options->management_write_peer_info_file = p[1];
5137  }
5138 #ifdef ENABLE_MANAGEMENT
5139  else if (streq(p[0], "management-external-key") && !p[1])
5140  {
5142  options->management_flags |= MF_EXTERNAL_KEY;
5143  }
5144  else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5145  {
5147  options->management_flags |= MF_EXTERNAL_CERT;
5148  options->management_certificate = p[1];
5149  }
5150 #endif
5151 #ifdef MANAGEMENT_DEF_AUTH
5152  else if (streq(p[0], "management-client-auth") && !p[1])
5153  {
5155  options->management_flags |= MF_CLIENT_AUTH;
5156  }
5157 #endif
5158 #ifdef MANAGEMENT_PF
5159  else if (streq(p[0], "management-client-pf") && !p[1])
5160  {
5162  options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
5163  }
5164 #endif
5165  else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5166  {
5167  int cache;
5168 
5170  cache = atoi(p[1]);
5171  if (cache < 1)
5172  {
5173  msg(msglevel, "--management-log-cache parameter is out of range");
5174  goto err;
5175  }
5176  options->management_log_history_cache = cache;
5177  }
5178 #endif /* ifdef ENABLE_MANAGEMENT */
5179 #ifdef ENABLE_PLUGIN
5180  else if (streq(p[0], "plugin") && p[1])
5181  {
5183  if (!options->plugin_list)
5184  {
5185  options->plugin_list = plugin_option_list_new(&options->gc);
5186  }
5187  if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5188  {
5189  msg(msglevel, "plugin add failed: %s", p[1]);
5190  goto err;
5191  }
5192  }
5193 #endif
5194  else if (streq(p[0], "mode") && p[1] && !p[2])
5195  {
5197  if (streq(p[1], "p2p"))
5198  {
5199  options->mode = MODE_POINT_TO_POINT;
5200  }
5201 #if P2MP_SERVER
5202  else if (streq(p[1], "server"))
5203  {
5204  options->mode = MODE_SERVER;
5205  }
5206 #endif
5207  else
5208  {
5209  msg(msglevel, "Bad --mode parameter: %s", p[1]);
5210  goto err;
5211  }
5212  }
5213  else if (streq(p[0], "dev") && p[1] && !p[2])
5214  {
5216  options->dev = p[1];
5217  }
5218  else if (streq(p[0], "dev-type") && p[1] && !p[2])
5219  {
5221  options->dev_type = p[1];
5222  }
5223  else if (streq(p[0], "dev-node") && p[1] && !p[2])
5224  {
5226  options->dev_node = p[1];
5227  }
5228  else if (streq(p[0], "lladdr") && p[1] && !p[2])
5229  {
5231  if (mac_addr_safe(p[1])) /* MAC address only */
5232  {
5233  options->lladdr = p[1];
5234  }
5235  else
5236  {
5237  msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5238  goto err;
5239  }
5240  }
5241  else if (streq(p[0], "topology") && p[1] && !p[2])
5242  {
5244  options->topology = parse_topology(p[1], msglevel);
5245  }
5246  else if (streq(p[0], "tun-ipv6") && !p[1])
5247  {
5248  if (!pull_mode)
5249  {
5250  msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5251  }
5252  }
5253 #ifdef ENABLE_IPROUTE
5254  else if (streq(p[0], "iproute") && p[1] && !p[2])
5255  {
5257  iproute_path = p[1];
5258  }
5259 #endif
5260  else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5261  {
5263  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5264  {
5265  options->ifconfig_local = p[1];
5266  options->ifconfig_remote_netmask = p[2];
5267  }
5268  else
5269  {
5270  msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5271  goto err;
5272  }
5273  }
5274  else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
5275  {
5276  unsigned int netbits;
5277 
5279  if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
5280  && ipv6_addr_safe( p[2] ) )
5281  {
5282  if (netbits < 64 || netbits > 124)
5283  {
5284  msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
5285  goto err;
5286  }
5287 
5288  options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
5289  options->ifconfig_ipv6_netbits = netbits;
5290  options->ifconfig_ipv6_remote = p[2];
5291  }
5292  else
5293  {
5294  msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5295  goto err;
5296  }
5297  }
5298  else if (streq(p[0], "ifconfig-noexec") && !p[1])
5299  {
5301  options->ifconfig_noexec = true;
5302  }
5303  else if (streq(p[0], "ifconfig-nowarn") && !p[1])
5304  {
5306  options->ifconfig_nowarn = true;
5307  }
5308  else if (streq(p[0], "local") && p[1] && !p[2])
5309  {
5311  options->ce.local = p[1];
5312  }
5313  else if (streq(p[0], "remote-random") && !p[1])
5314  {
5316  options->remote_random = true;
5317  }
5318  else if (streq(p[0], "connection") && p[1] && !p[3])
5319  {
5321  if (streq(p[1], INLINE_FILE_TAG) && p[2])
5322  {
5323  struct options sub;
5324  struct connection_entry *e;
5325 
5326  init_options(&sub, true);
5327  sub.ce = options->ce;
5328  read_config_string("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es);
5329  if (!sub.ce.remote)
5330  {
5331  msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
5332  uninit_options(&sub);
5333  goto err;
5334  }
5335 
5336  e = alloc_connection_entry(options, msglevel);
5337  if (!e)
5338  {
5339  uninit_options(&sub);
5340  goto err;
5341  }
5342  *e = sub.ce;
5343  gc_transfer(&options->gc, &sub.gc);
5344  uninit_options(&sub);
5345  }
5346  }
5347  else if (streq(p[0], "ignore-unknown-option") && p[1])
5348  {
5349  int i;
5350  int j;
5351  int numignored = 0;
5352  const char **ignore;
5353 
5355  /* Find out how many options to be ignored */
5356  for (i = 1; p[i]; i++)
5357  {
5358  numignored++;
5359  }
5360 
5361  /* add number of options already ignored */
5362  for (i = 0; options->ignore_unknown_option
5363  && options->ignore_unknown_option[i]; i++)
5364  {
5365  numignored++;
5366  }
5367 
5368  /* Allocate array */
5369  ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
5370  for (i = 0; options->ignore_unknown_option
5371  && options->ignore_unknown_option[i]; i++)
5372  {
5373  ignore[i] = options->ignore_unknown_option[i];
5374  }
5375 
5376  options->ignore_unknown_option = ignore;
5377 
5378  for (j = 1; p[j]; j++)
5379  {
5380  /* Allow the user to specify ignore-unknown-option --opt too */
5381  if (p[j][0]=='-' && p[j][1]=='-')
5382  {
5383  options->ignore_unknown_option[i] = (p[j]+2);
5384  }
5385  else
5386  {
5387  options->ignore_unknown_option[i] = p[j];
5388  }
5389  i++;
5390  }
5391 
5392  options->ignore_unknown_option[i] = NULL;
5393  }
5394 #if ENABLE_MANAGEMENT
5395  else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
5396  {
5398  options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
5399  if (!options->http_proxy_override)
5400  {
5401  goto err;
5402  }
5403  }
5404 #endif
5405  else if (streq(p[0], "remote") && p[1] && !p[4])
5406  {
5407  struct remote_entry re;
5408  re.remote = re.remote_port = NULL;
5409  re.proto = -1;
5410  re.af = 0;
5411 
5413  re.remote = p[1];
5414  if (p[2])
5415  {
5416  re.remote_port = p[2];
5417  if (p[3])
5418  {
5419  const int proto = ascii2proto(p[3]);
5420  const sa_family_t af = ascii2af(p[3]);
5421  if (proto < 0)
5422  {
5423  msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
5424  goto err;
5425  }
5426  re.proto = proto;
5427  re.af = af;
5428  }
5429  }
5430  if (permission_mask & OPT_P_GENERAL)
5431  {
5432  struct remote_entry *e = alloc_remote_entry(options, msglevel);
5433  if (!e)
5434  {
5435  goto err;
5436  }
5437  *e = re;
5438  }
5439  else if (permission_mask & OPT_P_CONNECTION)
5440  {
5441  connection_entry_load_re(&options->ce, &re);
5442  }
5443  }
5444  else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
5445  {
5447  if (streq(p[1], "infinite"))
5448  {
5450  }
5451  else
5452  {
5453  options->resolve_retry_seconds = positive_atoi(p[1]);
5454  }
5455  }
5456  else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
5457  {
5459  options->resolve_in_advance = true;
5460  /* Note the ip-remote-hint and the argument p[1] are for
5461  * backward compatibility */
5462  if (p[1])
5463  {
5464  options->ip_remote_hint = p[1];
5465  }
5466  }
5467  else if (streq(p[0], "connect-retry") && p[1] && !p[3])
5468  {
5470  options->ce.connect_retry_seconds = positive_atoi(p[1]);
5471  /*
5472  * Limit the base value of retry wait interval to 16 bits to avoid
5473  * overflow when scaled up for exponential backoff
5474  */
5475  if (options->ce.connect_retry_seconds > 0xFFFF)
5476  {
5477  options->ce.connect_retry_seconds = 0xFFFF;
5478  msg(M_WARN, "connect retry wait interval truncated to %d",
5479  options->ce.connect_retry_seconds);
5480  }
5481 
5482  if (p[2])
5483  {
5484  options->ce.connect_retry_seconds_max =
5485  max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
5486  }
5487  }
5488  else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
5489  && p[1] && !p[2])
5490  {
5492  options->ce.connect_timeout = positive_atoi(p[1]);
5493  }
5494  else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
5495  {
5497  options->connect_retry_max = positive_atoi(p[1]);
5498  }
5499  else if (streq(p[0], "ipchange") && p[1])
5500  {
5502  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5503  {
5504  goto err;
5505  }
5506  set_user_script(options,
5507  &options->ipchange,
5508  string_substitute(p[1], ',', ' ', &options->gc),
5509  "ipchange", true);
5510  }
5511  else if (streq(p[0], "float") && !p[1])
5512  {
5514  options->ce.remote_float = true;
5515  }
5516 #ifdef ENABLE_DEBUG
5517  else if (streq(p[0], "gremlin") && p[1] && !p[2])
5518  {
5520  options->gremlin = positive_atoi(p[1]);
5521  }
5522 #endif
5523  else if (streq(p[0], "chroot") && p[1] && !p[2])
5524  {
5526  options->chroot_dir = p[1];
5527  }
5528  else if (streq(p[0], "cd") && p[1] && !p[2])
5529  {
5531  if (platform_chdir(p[1]))
5532  {
5533  msg(M_ERR, "cd to '%s' failed", p[1]);
5534  goto err;
5535  }
5536  options->cd_dir = p[1];
5537  }
5538 #ifdef ENABLE_SELINUX
5539  else if (streq(p[0], "setcon") && p[1] && !p[2])
5540  {
5542  options->selinux_context = p[1];
5543  }
5544 #endif
5545  else if (streq(p[0], "writepid") && p[1] && !p[2])
5546  {
5548  options->writepid = p[1];
5549  }
5550  else if (streq(p[0], "up") && p[1])
5551  {
5553  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5554  {
5555  goto err;
5556  }
5557  set_user_script(options, &options->up_script, p[1], "up", false);
5558  }
5559  else if (streq(p[0], "down") && p[1])
5560  {
5562  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5563  {
5564  goto err;
5565  }
5566  set_user_script(options, &options->down_script, p[1], "down", true);
5567  }
5568  else if (streq(p[0], "down-pre") && !p[1])
5569  {
5571  options->down_pre = true;
5572  }
5573  else if (streq(p[0], "up-delay") && !p[1])
5574  {
5576  options->up_delay = true;
5577  }
5578  else if (streq(p[0], "up-restart") && !p[1])
5579  {
5581  options->up_restart = true;
5582  }
5583  else if (streq(p[0], "syslog") && !p[2])
5584  {
5586  open_syslog(p[1], false);
5587  }
5588  else if (streq(p[0], "daemon") && !p[2])
5589  {
5590  bool didit = false;
5592  if (!options->daemon)
5593  {
5594  options->daemon = didit = true;
5595  open_syslog(p[1], false);
5596  }
5597  if (p[1])
5598  {
5599  if (!didit)
5600  {
5601  msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
5602  goto err;
5603  }
5604  }
5605  }
5606  else if (streq(p[0], "inetd") && !p[3])
5607  {
5609  if (!options->inetd)
5610  {
5611  int z;
5612  const char *name = NULL;
5613  const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
5614 
5615  options->inetd = -1;
5616 
5617  for (z = 1; z <= 2; ++z)
5618  {
5619  if (p[z])
5620  {
5621  if (streq(p[z], "wait"))
5622  {
5623  if (options->inetd != -1)
5624  {
5625  msg(msglevel, "%s", opterr);
5626  goto err;
5627  }
5628  else
5629  {
5630  options->inetd = INETD_WAIT;
5631  }
5632  }
5633  else if (streq(p[z], "nowait"))
5634  {
5635  if (options->inetd != -1)
5636  {
5637  msg(msglevel, "%s", opterr);
5638  goto err;
5639  }
5640  else
5641  {
5642  options->inetd = INETD_NOWAIT;
5643  }
5644  }
5645  else
5646  {
5647  if (name != NULL)
5648  {
5649  msg(msglevel, "%s", opterr);
5650  goto err;
5651  }
5652  name = p[z];
5653  }
5654  }
5655  }
5656 
5657  /* default */
5658  if (options->inetd == -1)
5659  {
5660  options->inetd = INETD_WAIT;
5661  }
5662 
5664  open_syslog(name, true);
5665  }
5666  }
5667  else if (streq(p[0], "log") && p[1] && !p[2])
5668  {
5670  options->log = true;
5671  redirect_stdout_stderr(p[1], false);
5672  }
5673  else if (streq(p[0], "suppress-timestamps") && !p[1])
5674  {
5676  options->suppress_timestamps = true;
5678  }
5679  else if (streq(p[0], "machine-readable-output") && !p[1])
5680  {
5682  options->machine_readable_output = true;
5684  }
5685  else if (streq(p[0], "log-append") && p[1] && !p[2])
5686  {
5688  options->log = true;
5689  redirect_stdout_stderr(p[1], true);
5690  }
5691 #ifdef ENABLE_MEMSTATS
5692  else if (streq(p[0], "memstats") && p[1] && !p[2])
5693  {
5695  options->memstats_fn = p[1];
5696  }
5697 #endif
5698  else if (