OpenVPN
options.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2008-2023 David Sommerseth <dazo@eurephia.org>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
25 /*
26  * 2004-01-28: Added Socks5 proxy support
27  * (Christof Meerwald, http://cmeerw.org)
28  */
29 
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #endif
33 #ifdef HAVE_CONFIG_VERSION_H
34 #include "config-version.h"
35 #endif
36 
37 #include "syshead.h"
38 
39 #include "buffer.h"
40 #include "error.h"
41 #include "common.h"
42 #include "run_command.h"
43 #include "shaper.h"
44 #include "crypto.h"
45 #include "ssl.h"
46 #include "ssl_ncp.h"
47 #include "options.h"
48 #include "misc.h"
49 #include "socket.h"
50 #include "packet_id.h"
51 #include "pkcs11.h"
52 #include "win32.h"
53 #include "push.h"
54 #include "pool.h"
55 #include "proto.h"
56 #include "helper.h"
57 #include "manage.h"
58 #include "forward.h"
59 #include "ssl_verify.h"
60 #include "platform.h"
61 #include "xkey_common.h"
62 #include "dco.h"
63 #include <ctype.h>
64 
65 #include "memdbg.h"
66 
67 const char title_string[] =
68  PACKAGE_STRING
69 #ifdef CONFIGURE_GIT_REVISION
70  " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
71 #endif
72  " " TARGET_ALIAS
73 #if defined(ENABLE_CRYPTO_MBEDTLS)
74  " [SSL (mbed TLS)]"
75 #elif defined(ENABLE_CRYPTO_OPENSSL)
76  " [SSL (OpenSSL)]"
77 #else
78  " [SSL]"
79 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
80 #ifdef USE_COMP
81 #ifdef ENABLE_LZO
82  " [LZO]"
83 #endif
84 #ifdef ENABLE_LZ4
85  " [LZ4]"
86 #endif
87 #ifdef ENABLE_COMP_STUB
88  " [COMP_STUB]"
89 #endif
90 #endif /* USE_COMP */
91 #if EPOLL
92  " [EPOLL]"
93 #endif
94 #ifdef PRODUCT_TAP_DEBUG
95  " [TAPDBG]"
96 #endif
97 #ifdef ENABLE_PKCS11
98  " [PKCS11]"
99 #endif
100 #if ENABLE_IP_PKTINFO
101 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
102  " [MH/PKTINFO]"
103 #elif defined(IP_RECVDSTADDR)
104  " [MH/RECVDA]"
105 #endif
106 #endif
107  " [AEAD]"
108 #ifdef ENABLE_DCO
109  " [DCO]"
110 #endif
111 #ifdef CONFIGURE_GIT_REVISION
112  " built on " __DATE__
113 #endif
114 ;
115 
116 #ifndef ENABLE_SMALL
117 
118 static const char usage_message[] =
119  "%s\n"
120  "\n"
121  "General Options:\n"
122  "--config file : Read configuration options from file.\n"
123  "--help : Show options.\n"
124  "--version : Show copyright and version information.\n"
125  "\n"
126  "Tunnel Options:\n"
127  "--local host : Local host name or ip address. Implies --bind.\n"
128  "--remote host [port] : Remote host name or ip address.\n"
129  "--remote-random : If multiple --remote options specified, choose one randomly.\n"
130  "--remote-random-hostname : Add a random string to remote DNS name.\n"
131  "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
132  "--proto p : Use protocol p for communicating with peer.\n"
133  " p = udp (default), tcp-server, tcp-client\n"
134  " udp4, tcp4-server, tcp4-client\n"
135  " udp6, tcp6-server, tcp6-client\n"
136  "--proto-force p : only consider protocol p in list of connection profiles.\n"
137  " p = udp or tcp\n"
138  "--connect-retry n [m] : For client, number of seconds to wait between\n"
139  " connection retries (default=%d). On repeated retries\n"
140  " the wait time is exponentially increased to a maximum of m\n"
141  " (default=%d).\n"
142  "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
143  "--http-proxy s p [up] [auth] : Connect to remote host\n"
144  " through an HTTP proxy at address s and port p.\n"
145  " If proxy authentication is required,\n"
146  " up is a file containing username/password on 2 lines, or\n"
147  " 'stdin' to prompt from console. Add auth='ntlm2' if\n"
148  " the proxy requires NTLM authentication.\n"
149  "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
150  " determine auth method and query for username/password\n"
151  " if needed. auto-nct disables weak proxy auth methods.\n"
152  "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
153  " Repeat to set multiple options.\n"
154  " VERSION version (default=1.0)\n"
155  " AGENT user-agent\n"
156  "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
157  " address s and port p (default port = 1080).\n"
158  " If proxy authentication is required,\n"
159  " up is a file containing username/password on 2 lines, or\n"
160  " 'stdin' to prompt for console.\n"
161  "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
162  "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
163  " resolve for n seconds before failing (disabled by default).\n"
164  " Set n=\"infinite\" to retry indefinitely.\n"
165  "--float : Allow remote to change its IP address/port, such as through\n"
166  " DHCP (this is the default if --remote is not used).\n"
167  "--ipchange cmd : Run command cmd on remote ip address initial\n"
168  " setting or change -- execute as: cmd ip-address port#\n"
169  "--port port : TCP/UDP port # for both local and remote.\n"
170  "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
171  "--rport port : TCP/UDP port # for remote (default=%s).\n"
172  "--bind : Bind to local address and port. (This is the default unless\n"
173  " --proto tcp-client"
174  " or --http-proxy"
175  " or --socks-proxy"
176  " is used).\n"
177  "--nobind : Do not bind to local address and port.\n"
178  "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
179  "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
180  " this option only if the tun/tap device used with --dev\n"
181  " does not begin with \"tun\" or \"tap\".\n"
182  "--dev-node node : Explicitly set the device node rather than using\n"
183  " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
184 #if defined(ENABLE_DCO)
185  "--disable-dco : Do not attempt using Data Channel Offload.\n"
186 #endif
187  "--lladdr hw : Set the link layer address of the tap device.\n"
188  "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
189 #ifdef ENABLE_IPROUTE
190  "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
191 #endif
192  "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
193  " endpoint and rn as a remote endpoint. l & rn should be\n"
194  " swapped on the other peer. l & rn must be private\n"
195  " addresses outside of the subnets used by either peer.\n"
196  " TAP: configure device to use IP address l as a local\n"
197  " endpoint and rn as a subnet mask.\n"
198  "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
199  " endpoint (as a /64) and r as remote endpoint\n"
200  "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
201  " pass --ifconfig parms by environment to scripts.\n"
202  "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
203  " connection doesn't match the remote side.\n"
204  "--route network [netmask] [gateway] [metric] :\n"
205  " Add route to routing table after connection\n"
206  " is established. Multiple routes can be specified.\n"
207  " netmask default: 255.255.255.255\n"
208  " gateway default: taken from --route-gateway or --ifconfig\n"
209  " Specify default by leaving blank or setting to \"default\".\n"
210  "--route-ipv6 network/bits [gateway] [metric] :\n"
211  " Add IPv6 route to routing table after connection\n"
212  " is established. Multiple routes can be specified.\n"
213  " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
214  " in --ifconfig-ipv6\n"
215  "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
216  "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
217  "--route-metric m : Specify a default metric for use with --route.\n"
218  "--route-delay n [w] : Delay n seconds after connection initiation before\n"
219  " adding routes (may be 0). If not specified, routes will\n"
220  " be added immediately after tun/tap open. On Windows, wait\n"
221  " up to w seconds for TUN/TAP adapter to come up.\n"
222  "--route-up cmd : Run command cmd after routes are added.\n"
223  "--route-pre-down cmd : Run command cmd before routes are removed.\n"
224  "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
225  " --route-up script using environmental variables.\n"
226  "--route-nopull : When used with --client or --pull, accept options pushed\n"
227  " by server EXCEPT for routes, dns, and dhcp options.\n"
228  "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
229  " --ifconfig, --route, and --route-gateway.\n"
230  "--redirect-gateway [flags]: Automatically execute routing\n"
231  " commands to redirect all outgoing IP traffic through the\n"
232  " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
233  " connected via a common subnet, such as with WiFi.\n"
234  " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
235  " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
236  " flag to add a direct route to DHCP server, bypassing tunnel.\n"
237  " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
238  "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
239  " the default gateway. Useful when pushing private subnets.\n"
240  "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
241  " ICMPv6 host unreachable messages on the client.\n"
242  " (Server) Instead of forwarding IPv6 packets send\n"
243  " ICMPv6 host unreachable packets to the client.\n"
244  "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
245  "--push-peer-info : (client only) push client info to server.\n"
246  "--setenv name value : Set a custom environmental variable to pass to script.\n"
247  "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
248  " directives for future OpenVPN versions to be ignored.\n"
249  "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
250  " these options to be ignored when unknown\n"
251  "--script-security level: Where level can be:\n"
252  " 0 -- strictly no calling of external programs\n"
253  " 1 -- (default) only call built-ins such as ifconfig\n"
254  " 2 -- allow calling of built-ins and scripts\n"
255  " 3 -- allow password to be passed to scripts via env\n"
256  "--shaper n : Restrict output to peer to n bytes per second.\n"
257  "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
258  " ping once every n seconds, restart if ping not received\n"
259  " for m seconds.\n"
260  "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
261  " produces a combined in/out byte count < bytes.\n"
262  "--session-timeout n: Limit connection time to n seconds.\n"
263  "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
264  "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
265  "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
266  " remote address.\n"
267  "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
268 #if ENABLE_IP_PKTINFO
269  "--multihome : Configure a multi-homed UDP server.\n"
270 #endif
271  "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
272  "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
273  "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
274  "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
275  "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
276  "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
277 #if PASSTOS_CAPABILITY
278  "--passtos : TOS passthrough (applies to IPv4 only).\n"
279 #endif
280  "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
281  " TCP/UDP MTU from it (default=%d).\n"
282  "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
283  " as n bytes more than the tun-mtu size on read\n"
284  " (default TUN=0 TAP=%d).\n"
285  "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
286  " from it.\n"
287  "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
288  " 'no' -- Never send DF (Don't Fragment) frames\n"
289  " 'maybe' -- Use per-route hints\n"
290  " 'yes' -- Always DF (Don't Fragment)\n"
291  "--mtu-test : Empirically measure and report MTU.\n"
292 #ifdef ENABLE_FRAGMENT
293  "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
294  " datagrams are sent which are larger than max bytes.\n"
295  " Adds 4 bytes of overhead per datagram.\n"
296 #endif
297  "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
298  " or --fragment max value, whichever is lower.\n"
299  "--sndbuf size : Set the TCP/UDP send buffer size.\n"
300  "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
301 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
302  "--mark value : Mark encrypted packets being sent with value. The mark value\n"
303  " can be matched in policy routing and packetfilter rules.\n"
304  "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
305  " listening for connections. This allows sending encrypted packets\n"
306  " via a VRF present on the system.\n"
307 #endif
308  "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
309 #ifdef ENABLE_MEMSTATS
310  "--memstats file : Write live usage stats to memory mapped binary file.\n"
311 #endif
312  "--mlock : Disable Paging -- ensures key material and tunnel\n"
313  " data will never be written to disk.\n"
314  "--up cmd : Run command cmd after successful tun device open.\n"
315  " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
316  " ifconfig-local-ip ifconfig-remote-ip\n"
317  " (pre --user or --group UID/GID change)\n"
318  "--up-delay : Delay tun/tap open and possible --up script execution\n"
319  " until after TCP/UDP connection establishment with peer.\n"
320  "--down cmd : Run command cmd after tun device close.\n"
321  " (post --user/--group UID/GID change and/or --chroot)\n"
322  " (command parameters are same as --up option)\n"
323  "--down-pre : Run --down command before TUN/TAP close.\n"
324  "--up-restart : Run up/down commands for all restarts including those\n"
325  " caused by --ping-restart or SIGUSR1\n"
326  "--user user : Set UID to user after initialization.\n"
327  "--group group : Set GID to group after initialization.\n"
328  "--chroot dir : Chroot to this directory after initialization.\n"
329 #ifdef ENABLE_SELINUX
330  "--setcon context: Apply this SELinux context after initialization.\n"
331 #endif
332  "--cd dir : Change to this directory before initialization.\n"
333  "--daemon [name] : Become a daemon after initialization.\n"
334  " The optional 'name' parameter will be passed\n"
335  " as the program name to the system logger.\n"
336  "--syslog [name] : Output to syslog, but do not become a daemon.\n"
337  " See --daemon above for a description of the 'name' parm.\n"
338  "--log file : Output log to file which is created/truncated on open.\n"
339  "--log-append file : Append log to file, or create file if nonexistent.\n"
340  "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
341  "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
342  "--writepid file : Write main process ID to file.\n"
343  "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
344  "--echo [parms ...] : Echo parameters to log output.\n"
345  "--verb n : Set output verbosity to n (default=%d):\n"
346  " (Level 3 is recommended if you want a good summary\n"
347  " of what's happening without being swamped by output).\n"
348  " : 0 -- no output except fatal errors\n"
349  " : 1 -- startup info + connection initiated messages +\n"
350  " non-fatal encryption & net errors\n"
351  " : 2,3 -- show TLS negotiations & route info\n"
352  " : 4 -- show parameters\n"
353  " : 5 -- show 'RrWw' chars on console for each packet sent\n"
354  " and received from TCP/UDP (caps) or tun/tap (lc)\n"
355  " : 6 to 11 -- debug messages of increasing verbosity\n"
356  "--mute n : Log at most n consecutive messages in the same category.\n"
357  "--status file [n] : Write operational status to file every n seconds.\n"
358  "--status-version [n] : Choose the status file format version number.\n"
359  " Currently, n can be 1, 2, or 3 (default=1).\n"
360  "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
361 #ifdef ENABLE_DEBUG
362  "--gremlin mask : Special stress testing mode (for debugging only).\n"
363 #endif
364 #if defined(USE_COMP)
365  "--compress alg : Use compression algorithm alg\n"
366  "--allow-compression: Specify whether compression should be allowed\n"
367 #if defined(ENABLE_LZO)
368  "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
369  " packet for incompressible data.\n"
370  "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
371  " is specified.\n"
372 #endif
373 #endif
374 #ifdef ENABLE_MANAGEMENT
375  "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
376  " management functions. pass is a password file\n"
377  " or 'stdin' to prompt from console.\n"
378 #if UNIX_SOCK_SUPPORT
379  " To listen on a unix domain socket, specific the pathname\n"
380  " in place of ip and use 'unix' as the port number.\n"
381 #endif
382  "--management-client : Management interface will connect as a TCP client to\n"
383  " ip/port rather than listen as a TCP server.\n"
384  "--management-query-passwords : Query management channel for private key\n"
385  " and auth-user-pass passwords.\n"
386  "--management-query-proxy : Query management channel for proxy information.\n"
387  "--management-query-remote : Query management channel for --remote directive.\n"
388  "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
389  " of the management interface explicitly starts it.\n"
390  "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
391  "--management-forget-disconnect : Forget passwords when management disconnect\n"
392  " event occurs.\n"
393  "--management-up-down : Report tunnel up/down events to management interface.\n"
394  "--management-log-cache n : Cache n lines of log file history for usage\n"
395  " by the management channel.\n"
396 #if UNIX_SOCK_SUPPORT
397  "--management-client-user u : When management interface is a unix socket, only\n"
398  " allow connections from user u.\n"
399  "--management-client-group g : When management interface is a unix socket, only\n"
400  " allow connections from group g.\n"
401 #endif
402  "--management-client-auth : gives management interface client the responsibility\n"
403  " to authenticate clients after their client certificate\n"
404  " has been verified.\n"
405 #endif /* ifdef ENABLE_MANAGEMENT */
406 #ifdef ENABLE_PLUGIN
407  "--plugin m [str]: Load plug-in module m passing str as an argument\n"
408  " to its initialization function.\n"
409 #endif
410  "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
411  "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
412  "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
413  "\n"
414  "Multi-Client Server options (when --mode server is used):\n"
415  "--server network netmask : Helper option to easily configure server mode.\n"
416  "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
417  "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
418  " easily configure ethernet bridging server mode.\n"
419  "--push \"option\" : Push a config file option back to the peer for remote\n"
420  " execution. Peer must specify --pull in its config file.\n"
421  "--push-reset : Don't inherit global push list for specific\n"
422  " client instance.\n"
423  "--push-remove opt : Remove options matching 'opt' from the push list for\n"
424  " a specific client instance.\n"
425  "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
426  " to be dynamically allocated to connecting clients.\n"
427  "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
428  " data to file, at seconds intervals (default=600).\n"
429  " If seconds=0, file will be treated as read-only.\n"
430  "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
431  " to be dynamically allocated to connecting clients.\n"
432  "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
433  " overrides --ifconfig-pool dynamic allocation.\n"
434  " Only valid in a client-specific config file.\n"
435  "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
436  " remote, overrides --ifconfig-ipv6-pool allocation.\n"
437  " Only valid in a client-specific config file.\n"
438  "--iroute network [netmask] : Route subnet to client.\n"
439  "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
440  " Sets up internal routes only.\n"
441  " Only valid in a client-specific config file.\n"
442  "--disable : Client is disabled.\n"
443  " Only valid in a client-specific config file.\n"
444  "--verify-client-cert [none|optional|require] : perform no, optional or\n"
445  " mandatory client certificate verification.\n"
446  " Default is to require the client to supply a certificate.\n"
447  "--username-as-common-name : For auth-user-pass authentication, use\n"
448  " the authenticated username as the common name,\n"
449  " rather than the common name from the client cert.\n"
450  "--auth-user-pass-verify cmd method: Query client for username/password and\n"
451  " run command cmd to verify. If method='via-env', pass\n"
452  " user/pass via environment, if method='via-file', pass\n"
453  " user/pass via temporary file.\n"
454  "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
455  " to each client, replacing the password. Useful when\n"
456  " OTP based two-factor auth mechanisms are in use and\n"
457  " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
458  " for generated tokens can be set.\n"
459  "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
460  " with those of the server will be disconnected.\n"
461  "--auth-user-pass-optional : Allow connections by clients that don't\n"
462  " specify a username/password.\n"
463  "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
464  " any printable character.\n"
465  "--client-to-client : Internally route client-to-client traffic.\n"
466  "--duplicate-cn : Allow multiple clients with the same common name to\n"
467  " concurrently connect.\n"
468  "--client-connect cmd : Run command cmd on client connection.\n"
469  "--client-disconnect cmd : Run command cmd on client disconnection.\n"
470  "--client-config-dir dir : Directory for custom client config files.\n"
471  "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
472  "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
473  "--hash-size r v : Set the size of the real address hash table to r and the\n"
474  " virtual address table to v.\n"
475  "--bcast-buffers n : Allocate n broadcast buffers.\n"
476  "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
477  "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
478  " as well as pushes it to connecting clients.\n"
479  "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
480  "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
481  "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
482  "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
483  "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
484  "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
485  " older than n seconds. Run this check every t\n"
486  " seconds (defaults to n).\n"
487  "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
488  " clients. n = 1 - reconnect to same server,\n"
489  " 2 - advance to next server, default=1.\n"
490 #if PORT_SHARE
491  "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
492  " sessions to a web server at host:port. dir specifies an\n"
493  " optional directory to write origin IP:port data.\n"
494 #endif
495  "\n"
496  "Client options (when connecting to a multi-client server):\n"
497  "--client : Helper option to easily configure client mode.\n"
498  "--auth-user-pass [up] : Authenticate with server using username/password.\n"
499  " up is a file containing the username on the first line,\n"
500  " and a password on the second. If either the password or both\n"
501  " the username and the password are omitted OpenVPN will prompt\n"
502  " for them from console.\n"
503  "--pull : Accept certain config file options from the peer as if they\n"
504  " were part of the local config file. Must be specified\n"
505  " when connecting to a '--mode server' remote host.\n"
506  "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
507  " server if it starts with the text t. The action flag accept,\n"
508  " ignore or reject causes the option to be allowed, removed or\n"
509  " rejected with error. May be specified multiple times, and\n"
510  " each filter is applied in the order of appearance.\n"
511  "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
512  " Valid options are :\n"
513  " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
514  " resolve-domains <domain> [domain ...] : split domains\n"
515  " dnssec <yes|no|optional> : option to use DNSSEC\n"
516  " type <DoH|DoT> : query server over HTTPS / TLS\n"
517  " sni <domain> : DNS server name indication\n"
518  "--dns search-domains <domain> [domain ...]:\n"
519  " Add domains to DNS domain search list\n"
520  "--auth-retry t : How to handle auth failures. Set t to\n"
521  " none (default), interact, or nointeract.\n"
522  "--static-challenge t e : Enable static challenge/response protocol using\n"
523  " challenge text t, with e indicating echo flag (0|1)\n"
524  "--connect-timeout n : when polling possible remote servers to connect to\n"
525  " in a round-robin fashion, spend no more than n seconds\n"
526  " waiting for a response before trying the next server.\n"
527  "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
528  " incoming tun packets with same destination as host.\n"
529  "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
530  " server/remote. n = # of retries, default=1.\n"
531  "\n"
532  "Data Channel Encryption Options (must be compatible between peers):\n"
533  "(These options are meaningful for both Static Key & TLS-mode)\n"
534  "--auth alg : Authenticate packets with HMAC using message\n"
535  " digest algorithm alg (default=%s).\n"
536  " (usually adds 16 or 20 bytes per packet)\n"
537  " Set alg=none to disable authentication.\n"
538  "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
539  " You should usually use --data-ciphers instead.\n"
540  " Set alg=none to disable encryption.\n"
541  "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
542 #ifndef ENABLE_CRYPTO_MBEDTLS
543  "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
544 #endif
545  "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
546  "--replay-window n [t] : Use a replay protection sliding window of size n\n"
547  " and a time window of t seconds.\n"
548  " Default n=%d t=%d\n"
549  "--replay-persist file : Persist replay-protection state across sessions\n"
550  " using file.\n"
551  "--test-crypto : Run a self-test of crypto features enabled.\n"
552  " For debugging only.\n"
553 #ifdef ENABLE_PREDICTION_RESISTANCE
554  "--use-prediction-resistance: Enable prediction resistance on the random\n"
555  " number generator.\n"
556 #endif
557  "\n"
558  "TLS Key Negotiation Options:\n"
559  "(These options are meaningful only for TLS-mode)\n"
560  "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
561  "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
562  "--ca file : Certificate authority file in .pem format containing\n"
563  " root certificate.\n"
564 #ifndef ENABLE_CRYPTO_MBEDTLS
565  "--capath dir : A directory of trusted certificates (CAs"
566  " and CRLs).\n"
567 #endif /* ENABLE_CRYPTO_MBEDTLS */
568  "--dh file : File containing Diffie Hellman parameters\n"
569  " in .pem format (for --tls-server only).\n"
570  " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
571  "--cert file : Local certificate in .pem format -- must be signed\n"
572  " by a Certificate Authority in --ca file.\n"
573  "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
574  "--key file : Local private key in .pem format.\n"
575  "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
576  " will accept from the peer. If version is unrecognized and 'or-highest'\n"
577  " is specified, require max TLS version supported by SSL implementation.\n"
578  "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
579 #ifndef ENABLE_CRYPTO_MBEDTLS
580  "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
581  " and optionally the root CA certificate.\n"
582 #endif
583 #ifdef ENABLE_X509ALTUSERNAME
584  "--x509-username-field : Field in x509 certificate containing the username.\n"
585  " Default is CN in the Subject field.\n"
586 #endif
587  "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
588  " Valid algo flags are SHA1 and SHA256. \n"
589 #ifdef _WIN32
590  "--cryptoapicert select-string : Load the certificate and private key from the\n"
591  " Windows Certificate System Store.\n"
592 #endif
593  "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
594  "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
595  " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
596  "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
597  " (default=legacy).\n"
598  "--providers l : A list l of OpenSSL providers to load.\n"
599  "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
600  " if no ACK from remote within n seconds (default=%d).\n"
601  "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
602  "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
603  "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
604  " and at least min (defaults to 90%% of max on servers and equal\n"
605  " to max on clients).\n"
606  "--hand-window n : Data channel key exchange must finalize within n seconds\n"
607  " of handshake initiation by any peer (default=%d).\n"
608  "--tran-window n : Transition window -- old key can live this many seconds\n"
609  " after new key renegotiation begins (default=%d).\n"
610  "--single-session: Allow only one session (reset state on restart).\n"
611  "--tls-exit : Exit on TLS negotiation failure.\n"
612  "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
613  " control channel to protect against attacks on the TLS stack\n"
614  " and DoS attacks.\n"
615  " f (required) is a shared-secret key file.\n"
616  " The optional d parameter controls key directionality.\n"
617  "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
618  " of the TLS control channel to hide the TLS certificate,\n"
619  " provide basic post-quantum security and protect against\n"
620  " attacks on the TLS stack and DoS attacks.\n"
621  " key (required) provides the pre-shared key file.\n"
622  "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
623  " For servers: use key to decrypt client-specific keys. For\n"
624  " key generation (--genkey tls-crypt-v2-client): use key to\n"
625  " encrypt generated client-specific key. (See --tls-crypt.)\n"
626  "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
627  " fresh tls-crypt-v2 client key, and store to\n"
628  " keyfile. If supplied, include metadata in wrapped key.\n"
629  "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
630  " fresh tls-crypt-v2 server key, and store to keyfile\n"
631  "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
632  " client-supplied tls-crypt-v2 client key\n"
633  "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
634  "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
635  "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
636  "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
637  " pending TLS connection that has otherwise passed all other\n"
638  " tests of certification. cmd should return 0 to allow\n"
639  " TLS handshake to proceed, or 1 to fail. (cmd is\n"
640  " executed as 'cmd certificate_depth subject')\n"
641  "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
642  " DN name. The remote host must also pass all other tests\n"
643  " of verification.\n"
644 #ifndef ENABLE_CRYPTO_MBEDTLS
645  "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
646  " an explicit nsCertType designation t = 'client' | 'server'.\n"
647 #endif
648  "--x509-track x : Save peer X509 attribute x in environment for use by\n"
649  " plugins and management interface.\n"
650 #ifdef HAVE_EXPORT_KEYING_MATERIAL
651  "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
652  " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
653 #endif
654  "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
655  " explicit key usage, you can specify more than one value.\n"
656  " value should be given in hex format.\n"
657  "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
658  " explicit extended key usage. Extended key usage can be encoded\n"
659  " as an object identifier or OpenSSL string representation.\n"
660  "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
661  " key usage and extended key usage based on RFC3280 TLS rules.\n"
662  " t = 'client' | 'server'.\n"
663 #ifdef ENABLE_PKCS11
664  "\n"
665  "PKCS#11 Options:\n"
666  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
667  "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
668  " path. Set for each provider.\n"
669  "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
670  " 0 : Try to determine automatically (default).\n"
671  " 1 : Use Sign.\n"
672  " 2 : Use SignRecover.\n"
673  " 4 : Use Decrypt.\n"
674  " 8 : Use Unwrap.\n"
675  "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
676  " certificate can be accessed. Set for each provider.\n"
677  "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
678  " cache until token is removed.\n"
679  "--pkcs11-id-management : Acquire identity from management interface.\n"
680  "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
681 #endif /* ENABLE_PKCS11 */
682  "\n"
683  "SSL Library information:\n"
684  "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
685  "--show-digests : Show message digest algorithms to use with --auth option.\n"
686  "--show-engines : Show hardware crypto accelerator engines (if available).\n"
687  "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
688 #ifdef _WIN32
689  "\n"
690  "Windows Specific:\n"
691  "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
692  " from SystemRoot environment variable.\n"
693  "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
694  " IP address using method = manual, netsh, ipapi,\n"
695  " dynamic, or adaptive (default = adaptive).\n"
696  " Dynamic method allows two optional parameters:\n"
697  " offset: DHCP server address offset (> -256 and < 256).\n"
698  " If 0, use network address, if >0, take nth\n"
699  " address forward from network address, if <0,\n"
700  " take nth address backward from broadcast\n"
701  " address.\n"
702  " Default is 0.\n"
703  " lease-time: Lease time in seconds.\n"
704  " Default is one year.\n"
705  "--route-method : Which method to use for adding routes on Windows?\n"
706  " adaptive (default) -- Try ipapi then fall back to exe.\n"
707  " ipapi -- Use IP helper API.\n"
708  " exe -- Call the route.exe shell command.\n"
709  "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
710  " be used with --ip-win32 dynamic. For options\n"
711  " which allow multiple addresses,\n"
712  " --dhcp-option must be repeated.\n"
713  " DOMAIN name : Set DNS suffix\n"
714  " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
715  " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
716  " NTP : Set NTP server address(es)\n"
717  " NBDD : Set NBDD server address(es)\n"
718  " WINS addr : Set WINS server address(es)\n"
719  " NBT type : Set NetBIOS over TCP/IP Node type\n"
720  " 1: B, 2: P, 4: M, 8: H\n"
721  " NBS id : Set NetBIOS scope ID\n"
722  " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
723  "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
724  "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
725  " startup.\n"
726  "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
727  " on connection initiation.\n"
728  "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
729  " attempting to set adapter properties.\n"
730  "--pause-exit : When run from a console window, pause before exiting.\n"
731  "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
732  " service, and should not be used directly by end-users.\n"
733  " ex is the name of an event object which, when\n"
734  " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
735  " optional parameter controls the initial state of ex.\n"
736  "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
737  " after TAP adapter is up and routes have been added.\n"
738  "--windows-driver : Which tun driver to use?\n"
739  " ovpn-dco (default)\n"
740  " tap-windows6\n"
741  " wintun\n"
742  "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
743  "Windows Standalone Options:\n"
744  "\n"
745  "--show-adapters : Show all TAP-Windows adapters.\n"
746  "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
747  "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
748  "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
749  " to access TAP adapter.\n"
750 #endif /* ifdef _WIN32 */
751  "\n"
752  "Generate a new key :\n"
753  "--genkey tls-auth file : Generate a new random key of type and write to file\n"
754  " (for use with --tls-auth or --tls-crypt)."
755 #ifdef ENABLE_FEATURE_TUN_PERSIST
756  "\n"
757  "Tun/tap config mode (available with linux 2.4+):\n"
758  "--mktun : Create a persistent tunnel.\n"
759  "--rmtun : Remove a persistent tunnel.\n"
760  "--dev tunX|tapX : tun/tap device\n"
761  "--dev-type dt : Device type. See tunnel options above for details.\n"
762  "--user user : User to set privilege to.\n"
763  "--group group : Group to set privilege to.\n"
764 #endif
765 #ifdef ENABLE_PKCS11
766  "\n"
767  "PKCS#11 standalone options:\n"
768 #ifdef DEFAULT_PKCS11_MODULE
769  "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
770 #else
771  "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
772 #endif
773  " --verb option can be added *BEFORE* this.\n"
774 #endif /* ENABLE_PKCS11 */
775  "\n"
776  "General Standalone Options:\n"
777 #ifdef ENABLE_DEBUG
778  "--show-gateway : Show info about default gateway.\n"
779 #endif
780 ;
781 
782 #endif /* !ENABLE_SMALL */
783 
784 /*
785  * This is where the options defaults go.
786  * Any option not explicitly set here
787  * will be set to 0.
788  */
789 void
790 init_options(struct options *o, const bool init_gc)
791 {
792  CLEAR(*o);
793  if (init_gc)
794  {
795  gc_init(&o->gc);
796  gc_init(&o->dns_options.gc);
797  o->gc_owned = true;
798  }
799  o->mode = MODE_POINT_TO_POINT;
800  o->topology = TOP_NET30;
801  o->ce.proto = PROTO_UDP;
802  o->ce.af = AF_UNSPEC;
803  o->ce.bind_ipv6_only = false;
804  o->ce.connect_retry_seconds = 1;
805  o->ce.connect_retry_seconds_max = 300;
806  o->ce.connect_timeout = 120;
807  o->connect_retry_max = 0;
808  o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
809  o->verbosity = 1;
810  o->status_file_update_freq = 60;
811  o->status_file_version = 1;
812  o->ce.bind_local = true;
813  o->ce.tun_mtu = TUN_MTU_DEFAULT;
814  o->ce.occ_mtu = 0;
815  o->ce.link_mtu = LINK_MTU_DEFAULT;
816  o->ce.tls_mtu = TLS_MTU_DEFAULT;
817  o->ce.mtu_discover_type = -1;
818  o->ce.mssfix = 0;
819  o->ce.mssfix_default = true;
820  o->ce.mssfix_encap = true;
821  o->route_delay_window = 30;
822  o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
823  o->resolve_in_advance = false;
824  o->proto_force = -1;
825  o->occ = true;
826 #ifdef ENABLE_MANAGEMENT
827  o->management_log_history_cache = 250;
828  o->management_echo_buffer_size = 100;
829  o->management_state_buffer_size = 100;
830 #endif
831 #ifdef ENABLE_FEATURE_TUN_PERSIST
832  o->persist_mode = 1;
833 #endif
834 #ifdef _WIN32
835 #if 0
836  o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
837 #else
838  o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
839 #endif
840  o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
841  o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
842  o->route_method = ROUTE_METHOD_ADAPTIVE;
843  o->block_outside_dns = false;
844  o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
845 #endif
846  o->vlan_accept = VLAN_ALL;
847  o->vlan_pvid = 1;
848  o->real_hash_size = 256;
849  o->virtual_hash_size = 256;
850  o->n_bcast_buf = 256;
851  o->tcp_queue_limit = 64;
852  o->max_clients = 1024;
853  o->cf_initial_per = 10;
854  o->cf_initial_max = 100;
855  o->max_routes_per_client = 256;
856  o->stale_routes_check_interval = 0;
857  o->ifconfig_pool_persist_refresh_freq = 600;
858  o->scheduled_exit_interval = 5;
859  o->authname = "SHA1";
860  o->replay_window = DEFAULT_SEQ_BACKTRACK;
861  o->replay_time = DEFAULT_TIME_BACKTRACK;
862  o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
863 #ifdef ENABLE_PREDICTION_RESISTANCE
864  o->use_prediction_resistance = false;
865 #endif
866  o->tls_timeout = 2;
867  o->renegotiate_bytes = -1;
868  o->renegotiate_seconds = 3600;
869  o->renegotiate_seconds_min = -1;
870  o->handshake_window = 60;
871  o->transition_window = 3600;
872  o->tls_cert_profile = NULL;
873  o->ecdh_curve = NULL;
874 #ifdef ENABLE_X509ALTUSERNAME
875  o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
876 #endif
877 #ifdef ENABLE_PKCS11
878  o->pkcs11_pin_cache_period = -1;
879 #endif /* ENABLE_PKCS11 */
880 
881 /* P2MP server context features */
882  o->auth_token_generate = false;
883 
884  /* Set default --tmp-dir */
885 #ifdef _WIN32
886  /* On Windows, find temp dir via environment variables */
887  o->tmp_dir = win_get_tempdir();
888 
889  if (!o->tmp_dir)
890  {
891  /* Error out if we can't find a valid temporary directory, which should
892  * be very unlikely. */
893  msg(M_USAGE, "Could not find a suitable temporary directory."
894  " (GetTempPath() failed). Consider using --tmp-dir");
895  }
896 #else /* ifdef _WIN32 */
897  /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
898  o->tmp_dir = getenv("TMPDIR");
899  if (!o->tmp_dir)
900  {
901  o->tmp_dir = "/tmp";
902  }
903 #endif /* _WIN32 */
904  o->allow_recursive_routing = false;
905 
906 #ifndef ENABLE_DCO
907  o->tuntap_options.disable_dco = true;
908 #endif /* ENABLE_DCO */
909 }
910 
911 void
912 uninit_options(struct options *o)
913 {
914  if (o->connection_list)
915  {
916  CLEAR(*o->connection_list);
917  }
918  if (o->remote_list)
919  {
920  CLEAR(*o->remote_list);
921  }
922  if (o->gc_owned)
923  {
924  gc_free(&o->gc);
925  gc_free(&o->dns_options.gc);
926  }
927 }
928 
929 struct pull_filter
930 {
931 #define PUF_TYPE_UNDEF 0
932 #define PUF_TYPE_ACCEPT 1
933 #define PUF_TYPE_IGNORE 2
934 #define PUF_TYPE_REJECT 3
935  int type;
936  int size;
937  char *pattern;
938  struct pull_filter *next;
939 };
940 
941 struct pull_filter_list
942 {
943  struct pull_filter *head;
944  struct pull_filter *tail;
945 };
946 
947 #ifndef ENABLE_SMALL
948 
949 static const char *
950 pull_filter_type_name(int type)
951 {
952  if (type == PUF_TYPE_ACCEPT)
953  {
954  return "accept";
955  }
956  if (type == PUF_TYPE_IGNORE)
957  {
958  return "ignore";
959  }
960  if (type == PUF_TYPE_REJECT)
961  {
962  return "reject";
963  }
964  else
965  {
966  return "???";
967  }
968 }
969 
970 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
971 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
972 #define SHOW_STR_INLINE(var) SHOW_PARM(var, \
973  o->var ## _inline ? "[INLINE]" : \
974  (o->var ? o->var : "[UNDEF]"), \
975  "'%s'")
976 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
977 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
978 #define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
979 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
980 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
981 
982 #endif /* ifndef ENABLE_SMALL */
983 
984 static void
985 setenv_connection_entry(struct env_set *es,
986  const struct connection_entry *e,
987  const int i)
988 {
989  setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
990  setenv_str_i(es, "local", e->local, i);
991  setenv_str_i(es, "local_port", e->local_port, i);
992  setenv_str_i(es, "remote", e->remote, i);
993  setenv_str_i(es, "remote_port", e->remote_port, i);
994 
995  if (e->http_proxy_options)
996  {
997  setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
998  setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
999  }
1000  if (e->socks_proxy_server)
1001  {
1002  setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
1003  setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
1004  }
1005 }
1006 
1007 void
1008 setenv_settings(struct env_set *es, const struct options *o)
1009 {
1010  setenv_str(es, "config", o->config);
1011  setenv_int(es, "verb", o->verbosity);
1012  setenv_int(es, "daemon", o->daemon);
1013  setenv_int(es, "daemon_log_redirect", o->log);
1014  setenv_long_long(es, "daemon_start_time", time(NULL));
1015  setenv_int(es, "daemon_pid", platform_getpid());
1016 
1017  if (o->connection_list)
1018  {
1019  int i;
1020  for (i = 0; i < o->connection_list->len; ++i)
1021  {
1022  setenv_connection_entry(es, o->connection_list->array[i], i+1);
1023  }
1024  }
1025  else
1026  {
1027  setenv_connection_entry(es, &o->ce, 1);
1028  }
1029 
1030  if (!o->pull)
1031  {
1032  setenv_dns_options(&o->dns_options, es);
1033  }
1034 }
1035 
1036 #ifndef _WIN32
1037 static void
1038 setenv_foreign_option(struct options *o, const char *argv[], int len, struct env_set *es)
1039 {
1040  if (len > 0)
1041  {
1042  struct gc_arena gc = gc_new();
1043  struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1044  struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1045  int i;
1046  bool first = true;
1047  bool good = true;
1048 
1049  good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
1050  ++o->foreign_option_index;
1051  for (i = 0; i < len; ++i)
1052  {
1053  if (argv[i])
1054  {
1055  if (!first)
1056  {
1057  good &= buf_printf(&value, " ");
1058  }
1059  good &= buf_printf(&value, "%s", argv[i]);
1060  first = false;
1061  }
1062  }
1063  if (good)
1064  {
1065  setenv_str(es, BSTR(&name), BSTR(&value));
1066  }
1067  else
1068  {
1069  msg(M_WARN, "foreign_option: name/value overflow");
1070  }
1071  gc_free(&gc);
1072  }
1073 }
1074 #endif /* ifndef _WIN32 */
1075 
1076 static in_addr_t
1077 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1078 {
1079  unsigned int flags = GETADDR_HOST_ORDER;
1080  bool succeeded = false;
1081  in_addr_t ret;
1082 
1083  if (msglevel & M_FATAL)
1084  {
1085  flags |= GETADDR_FATAL;
1086  }
1087 
1088  ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1089  if (!succeeded && error)
1090  {
1091  *error = true;
1092  }
1093  return ret;
1094 }
1095 
1101 static char *
1102 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1103 {
1104  const char *end = strchr(addr, '/');
1105  char *ret = NULL;
1106  if (NULL == end)
1107  {
1108  ret = string_alloc(addr, gc);
1109  }
1110  else
1111  {
1112  size_t len = end - addr;
1113  ret = gc_malloc(len + 1, true, gc);
1114  memcpy(ret, addr, len);
1115  }
1116  return ret;
1117 }
1118 
1119 static bool
1120 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1121 {
1122  struct in6_addr t_addr;
1123  unsigned int t_bits;
1124 
1125  return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1126 }
1127 
1128 static char *
1129 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1130 {
1131  char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1132  char *dest = ret;
1133  char c;
1134 
1135  do
1136  {
1137  c = *src++;
1138  if (c == from)
1139  {
1140  c = to;
1141  }
1142  *dest++ = c;
1143  }
1144  while (c);
1145  return ret;
1146 }
1147 
1157 static struct verify_hash_list *
1158 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1159 {
1160  int i = 0;
1161  const char *cp = str;
1162 
1163  struct verify_hash_list *ret;
1164  ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1165 
1166  char term = 0;
1167  unsigned int byte;
1168 
1169  while (*cp && i < nbytes)
1170  {
1171  /* valid segments consist of exactly two hex digits, then ':' or EOS */
1172  if (!isxdigit(cp[0])
1173  || !isxdigit(cp[1])
1174  || (cp[2] != ':' && cp[2] != '\0')
1175  || sscanf(cp, "%x", &byte) != 1)
1176  {
1177  msg(msglevel, "format error in hash fingerprint: %s", str);
1178  break;
1179  }
1180 
1181  ret->hash[i++] = (uint8_t)byte;
1182 
1183  term = cp[2];
1184  if (term == '\0')
1185  {
1186  break;
1187  }
1188  cp += 3;
1189  }
1190  if (i < nbytes)
1191  {
1192  msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1193  }
1194  else if (term != '\0')
1195  {
1196  msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1197  }
1198  return ret;
1199 }
1200 
1211 static struct verify_hash_list *
1212 parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1213  struct gc_arena *gc)
1214 {
1215  struct gc_arena gc_temp = gc_new();
1216  char *lines = string_alloc(str, &gc_temp);
1217 
1218  struct verify_hash_list *ret = NULL;
1219 
1220  const char *line;
1221  while ((line = strsep(&lines, "\n")))
1222  {
1223  /* ignore leading whitespace */
1224  while (isspace(*line))
1225  {
1226  line++;
1227  }
1228  /* skip empty lines and comment lines */
1229  if (strlen(line) == 0 || *line == '#' || *line == ';')
1230  {
1231  continue;
1232  }
1233 
1234  struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1235  msglevel, gc);
1236 
1237  if (!hash)
1238  {
1239  gc_free(&gc_temp);
1240  return NULL;
1241  }
1242 
1243  hash->next = ret;
1244  ret = hash;
1245  }
1246  gc_free(&gc_temp);
1247 
1248  return ret;
1249 }
1250 #ifdef _WIN32
1251 
1252 #ifndef ENABLE_SMALL
1253 
1254 static void
1255 show_dhcp_option_list(const char *name, const char *const *array, int len)
1256 {
1257  int i;
1258  for (i = 0; i < len; ++i)
1259  {
1260  msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1261  }
1262 }
1263 
1264 static void
1265 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1266 {
1267  struct gc_arena gc = gc_new();
1268  int i;
1269  for (i = 0; i < len; ++i)
1270  {
1271  msg(D_SHOW_PARMS, " %s[%d] = %s",
1272  name,
1273  i,
1274  print_in_addr_t(array[i], 0, &gc));
1275  }
1276  gc_free(&gc);
1277 }
1278 
1279 static void
1280 show_tuntap_options(const struct tuntap_options *o)
1281 {
1282  SHOW_BOOL(ip_win32_defined);
1283  SHOW_INT(ip_win32_type);
1284  SHOW_INT(dhcp_masq_offset);
1285  SHOW_INT(dhcp_lease_time);
1286  SHOW_INT(tap_sleep);
1287  SHOW_UNSIGNED(dhcp_options);
1288  SHOW_BOOL(dhcp_renew);
1289  SHOW_BOOL(dhcp_pre_release);
1290  SHOW_STR(domain);
1291  SHOW_STR(netbios_scope);
1292  SHOW_INT(netbios_node_type);
1293  SHOW_BOOL(disable_nbt);
1294 
1295  show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1296  show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1297  show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1298  show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1299  show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1300 }
1301 
1302 #endif /* ifndef ENABLE_SMALL */
1303 #endif /* ifdef _WIN32 */
1304 
1305 #if defined(_WIN32) || defined(TARGET_ANDROID)
1306 static void
1307 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1308 {
1309  struct in6_addr addr;
1310  if (*len >= N_DHCP_ADDR)
1311  {
1312  msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1313  N_DHCP_ADDR);
1314  }
1315  else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1316  {
1317  dns6_list[(*len)++] = addr;
1318  }
1319 }
1320 static void
1321 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1322 {
1323  if (*len >= N_DHCP_ADDR)
1324  {
1325  msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1326  name,
1327  N_DHCP_ADDR,
1328  name);
1329  }
1330  else
1331  {
1332  if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1333  {
1334  bool error = false;
1335  const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1336  if (!error)
1337  {
1338  array[(*len)++] = addr;
1339  }
1340  }
1341  else
1342  {
1343  msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1344  }
1345  }
1346 }
1347 
1348 /*
1349  * If DNS options are set use these for TUN/TAP options as well.
1350  * Applies to DNS, DNS6 and DOMAIN-SEARCH.
1351  * Existing options will be discarded.
1352  */
1353 static void
1354 tuntap_options_copy_dns(struct options *o)
1355 {
1356  struct tuntap_options *tt = &o->tuntap_options;
1357  struct dns_options *dns = &o->dns_options;
1358 
1359  if (dns->search_domains)
1360  {
1361  tt->domain_search_list_len = 0;
1362  const struct dns_domain *domain = dns->search_domains;
1363  while (domain && tt->domain_search_list_len < N_SEARCH_LIST_LEN)
1364  {
1365  tt->domain_search_list[tt->domain_search_list_len++] = domain->name;
1366  domain = domain->next;
1367  }
1368  if (domain)
1369  {
1370  msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to --dhcp-option");
1371  }
1372  tt->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
1373  }
1374 
1375  if (dns->servers)
1376  {
1377  tt->dns_len = 0;
1378  tt->dns6_len = 0;
1379  bool overflow = false;
1380  const struct dns_server *server = dns->servers;
1381  while (server)
1382  {
1383  for (int i = 0; i < server->addr_count; ++i)
1384  {
1385  if (server->addr[i].family == AF_INET)
1386  {
1387  if (tt->dns_len >= N_DHCP_ADDR)
1388  {
1389  overflow = true;
1390  continue;
1391  }
1392  tt->dns[tt->dns_len++] = server->addr[i].in.a4.s_addr;
1393  }
1394  else
1395  {
1396  if (tt->dns6_len >= N_DHCP_ADDR)
1397  {
1398  overflow = true;
1399  continue;
1400  }
1401  tt->dns6[tt->dns6_len++] = server->addr[i].in.a6;
1402  }
1403  }
1404  server = server->next;
1405  }
1406  if (overflow)
1407  {
1408  msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to --dhcp-option");
1409  }
1410  tt->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
1411  }
1412 }
1413 #else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1414 static void
1415 foreign_options_copy_dns(struct options *o, struct env_set *es)
1416 {
1417  const struct dns_domain *domain = o->dns_options.search_domains;
1418  const struct dns_server *server = o->dns_options.servers;
1419  if (!domain && !server)
1420  {
1421  return;
1422  }
1423 
1424  /* reset the index since we're starting all over again */
1425  int opt_max = o->foreign_option_index;
1426  o->foreign_option_index = 0;
1427 
1428  for (int i = 1; i <= opt_max; ++i)
1429  {
1430  char name[32];
1431  openvpn_snprintf(name, sizeof(name), "foreign_option_%d", i);
1432 
1433  const char *env_str = env_set_get(es, name);
1434  const char *value = strchr(env_str, '=') + 1;
1435  if ((domain && strstr(value, "dhcp-option DOMAIN-SEARCH") == value)
1436  || (server && strstr(value, "dhcp-option DNS") == value))
1437  {
1438  setenv_del(es, name);
1439  }
1440  else
1441  {
1442  setenv_foreign_option(o, &value, 1, es);
1443  }
1444  }
1445 
1446  struct gc_arena gc = gc_new();
1447 
1448  while (server)
1449  {
1450  for (int i = 0; i < server->addr_count; ++i)
1451  {
1452  if (server->addr[i].family == AF_INET)
1453  {
1454  const char *argv[] = {
1455  "dhcp-option",
1456  "DNS",
1457  print_in_addr_t(server->addr[i].in.a4.s_addr, 0, &gc)
1458  };
1459  setenv_foreign_option(o, argv, 3, es);
1460  }
1461  else
1462  {
1463  const char *argv[] = {
1464  "dhcp-option",
1465  "DNS6",
1466  print_in6_addr(server->addr[i].in.a6, 0, &gc)
1467  };
1468  setenv_foreign_option(o, argv, 3, es);
1469  }
1470  }
1471  server = server->next;
1472  }
1473  while (domain)
1474  {
1475  const char *argv[] = { "dhcp-option", "DOMAIN-SEARCH", domain->name };
1476  setenv_foreign_option(o, argv, 3, es);
1477  domain = domain->next;
1478  }
1479 
1480  gc_free(&gc);
1481 
1482  /* remove old leftover entries */
1483  while (o->foreign_option_index < opt_max)
1484  {
1485  char name[32];
1486  openvpn_snprintf(name, sizeof(name), "foreign_option_%d", opt_max--);
1487  setenv_del(es, name);
1488  }
1489 }
1490 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1491 
1492 #ifndef ENABLE_SMALL
1493 static const char *
1494 print_vlan_accept(enum vlan_acceptable_frames mode)
1495 {
1496  switch (mode)
1497  {
1498  case VLAN_ONLY_TAGGED:
1499  return "tagged";
1500 
1501  case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1502  return "untagged";
1503 
1504  case VLAN_ALL:
1505  return "all";
1506  }
1507  return NULL;
1508 }
1509 
1510 static void
1511 show_p2mp_parms(const struct options *o)
1512 {
1513  struct gc_arena gc = gc_new();
1514 
1515  msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1516  msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1517  msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1518  SHOW_INT(server_netbits_ipv6);
1519  msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1520  msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1521  msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1522  msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1523  if (o->push_list.head)
1524  {
1525  const struct push_entry *e = o->push_list.head;
1526  while (e)
1527  {
1528  if (e->enable)
1529  {
1530  msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1531  }
1532  e = e->next;
1533  }
1534  }
1535  SHOW_BOOL(ifconfig_pool_defined);
1536  msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1537  msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1538  msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1539  SHOW_STR(ifconfig_pool_persist_filename);
1540  SHOW_INT(ifconfig_pool_persist_refresh_freq);
1541  SHOW_BOOL(ifconfig_ipv6_pool_defined);
1542  msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1543  SHOW_INT(ifconfig_ipv6_pool_netbits);
1544  SHOW_INT(n_bcast_buf);
1545  SHOW_INT(tcp_queue_limit);
1546  SHOW_INT(real_hash_size);
1547  SHOW_INT(virtual_hash_size);
1548  SHOW_STR(client_connect_script);
1549  SHOW_STR(learn_address_script);
1550  SHOW_STR(client_disconnect_script);
1551  SHOW_STR(client_crresponse_script);
1552  SHOW_STR(client_config_dir);
1553  SHOW_BOOL(ccd_exclusive);
1554  SHOW_STR(tmp_dir);
1555  SHOW_BOOL(push_ifconfig_defined);
1556  msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1557  msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1558  SHOW_BOOL(push_ifconfig_ipv6_defined);
1559  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1560  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1561  SHOW_BOOL(enable_c2c);
1562  SHOW_BOOL(duplicate_cn);
1563  SHOW_INT(cf_max);
1564  SHOW_INT(cf_per);
1565  SHOW_INT(cf_initial_max);
1566  SHOW_INT(cf_initial_per);
1567  SHOW_INT(max_clients);
1568  SHOW_INT(max_routes_per_client);
1569  SHOW_STR(auth_user_pass_verify_script);
1570  SHOW_BOOL(auth_user_pass_verify_script_via_file);
1571  SHOW_BOOL(auth_token_generate);
1572  SHOW_BOOL(force_key_material_export);
1573  SHOW_INT(auth_token_lifetime);
1574  SHOW_STR_INLINE(auth_token_secret_file);
1575 #if PORT_SHARE
1576  SHOW_STR(port_share_host);
1577  SHOW_STR(port_share_port);
1578 #endif
1579  SHOW_BOOL(vlan_tagging);
1580  msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1581  SHOW_INT(vlan_pvid);
1582 
1583  SHOW_BOOL(client);
1584  SHOW_BOOL(pull);
1585  SHOW_STR_INLINE(auth_user_pass_file);
1586 
1587  gc_free(&gc);
1588 }
1589 
1590 #endif /* ! ENABLE_SMALL */
1591 
1592 static void
1593 option_iroute(struct options *o,
1594  const char *network_str,
1595  const char *netmask_str,
1596  int msglevel)
1597 {
1598  struct iroute *ir;
1599 
1600  ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1601  ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1602  ir->netbits = 32; /* host route if no netmask given */
1603 
1604  if (netmask_str)
1605  {
1606  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1607  ir->netbits = netmask_to_netbits2(netmask);
1608 
1609  if (ir->netbits < 0)
1610  {
1611  msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1612  network_str,
1613  netmask_str);
1614  return;
1615  }
1616  }
1617 
1618  ir->next = o->iroutes;
1619  o->iroutes = ir;
1620 }
1621 
1622 static void
1623 option_iroute_ipv6(struct options *o,
1624  const char *prefix_str,
1625  int msglevel)
1626 {
1627  struct iroute_ipv6 *ir;
1628 
1629  ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1630 
1631  if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1632  {
1633  msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1634  prefix_str);
1635  return;
1636  }
1637 
1638  ir->next = o->iroutes_ipv6;
1639  o->iroutes_ipv6 = ir;
1640 }
1641 
1642 #ifndef ENABLE_SMALL
1643 static void
1644 show_http_proxy_options(const struct http_proxy_options *o)
1645 {
1646  int i;
1647  msg(D_SHOW_PARMS, "BEGIN http_proxy");
1648  SHOW_STR(server);
1649  SHOW_STR(port);
1650  SHOW_STR(auth_method_string);
1651  SHOW_STR(auth_file);
1652  SHOW_STR(auth_file_up);
1653  SHOW_BOOL(inline_creds);
1654  SHOW_STR(http_version);
1655  SHOW_STR(user_agent);
1656  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1657  {
1658  if (o->custom_headers[i].content)
1659  {
1660  msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1661  o->custom_headers[i].name, o->custom_headers[i].content);
1662  }
1663  else
1664  {
1665  msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1666  o->custom_headers[i].name);
1667  }
1668  }
1669  msg(D_SHOW_PARMS, "END http_proxy");
1670 }
1671 #endif /* ifndef ENABLE_SMALL */
1672 
1673 void
1674 options_detach(struct options *o)
1675 {
1676  gc_detach(&o->gc);
1677  o->routes = NULL;
1678  o->client_nat = NULL;
1679  clone_push_list(o);
1680 }
1681 
1682 void
1683 rol_check_alloc(struct options *options)
1684 {
1685  if (!options->routes)
1686  {
1687  options->routes = new_route_option_list(&options->gc);
1688  }
1689 }
1690 
1691 static void
1692 rol6_check_alloc(struct options *options)
1693 {
1694  if (!options->routes_ipv6)
1695  {
1696  options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1697  }
1698 }
1699 
1700 static void
1701 cnol_check_alloc(struct options *options)
1702 {
1703  if (!options->client_nat)
1704  {
1705  options->client_nat = new_client_nat_list(&options->gc);
1706  }
1707 }
1708 
1709 #ifndef ENABLE_SMALL
1710 static void
1711 show_connection_entry(const struct connection_entry *o)
1712 {
1713  msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1714  SHOW_STR(local);
1715  SHOW_STR(local_port);
1716  SHOW_STR(remote);
1717  SHOW_STR(remote_port);
1718  SHOW_BOOL(remote_float);
1719  SHOW_BOOL(bind_defined);
1720  SHOW_BOOL(bind_local);
1721  SHOW_BOOL(bind_ipv6_only);
1722  SHOW_INT(connect_retry_seconds);
1723  SHOW_INT(connect_timeout);
1724 
1725  if (o->http_proxy_options)
1726  {
1727  show_http_proxy_options(o->http_proxy_options);
1728  }
1729  SHOW_STR(socks_proxy_server);
1730  SHOW_STR(socks_proxy_port);
1731  SHOW_INT(tun_mtu);
1732  SHOW_BOOL(tun_mtu_defined);
1733  SHOW_INT(link_mtu);
1734  SHOW_BOOL(link_mtu_defined);
1735  SHOW_INT(tun_mtu_extra);
1736  SHOW_BOOL(tun_mtu_extra_defined);
1737  SHOW_INT(tls_mtu);
1738 
1739  SHOW_INT(mtu_discover_type);
1740 
1741 #ifdef ENABLE_FRAGMENT
1742  SHOW_INT(fragment);
1743 #endif
1744  SHOW_INT(mssfix);
1745  SHOW_BOOL(mssfix_encap);
1746  SHOW_BOOL(mssfix_fixed);
1747 
1748  SHOW_INT(explicit_exit_notification);
1749 
1750  SHOW_STR_INLINE(tls_auth_file);
1751  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1752  "%s");
1753  SHOW_STR_INLINE(tls_crypt_file);
1754  SHOW_STR_INLINE(tls_crypt_v2_file);
1755 }
1756 
1757 
1758 static void
1759 show_connection_entries(const struct options *o)
1760 {
1761  if (o->connection_list)
1762  {
1763  const struct connection_list *l = o->connection_list;
1764  int i;
1765  for (i = 0; i < l->len; ++i)
1766  {
1767  msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1768  show_connection_entry(l->array[i]);
1769  }
1770  }
1771  else
1772  {
1773  msg(D_SHOW_PARMS, "Connection profiles [default]:");
1774  show_connection_entry(&o->ce);
1775  }
1776  msg(D_SHOW_PARMS, "Connection profiles END");
1777 }
1778 
1779 static void
1780 show_pull_filter_list(const struct pull_filter_list *l)
1781 {
1782  struct pull_filter *f;
1783  if (!l)
1784  {
1785  return;
1786  }
1787 
1788  msg(D_SHOW_PARMS, " Pull filters:");
1789  for (f = l->head; f; f = f->next)
1790  {
1791  msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1792  }
1793 }
1794 
1795 #endif /* ifndef ENABLE_SMALL */
1796 
1797 void
1798 show_settings(const struct options *o)
1799 {
1800 #ifndef ENABLE_SMALL
1801  msg(D_SHOW_PARMS, "Current Parameter Settings:");
1802 
1803  SHOW_STR(config);
1804 
1805  SHOW_INT(mode);
1806 
1807 #ifdef ENABLE_FEATURE_TUN_PERSIST
1808  SHOW_BOOL(persist_config);
1809  SHOW_INT(persist_mode);
1810 #endif
1811 
1812  SHOW_BOOL(show_ciphers);
1813  SHOW_BOOL(show_digests);
1814  SHOW_BOOL(show_engines);
1815  SHOW_BOOL(genkey);
1816  SHOW_STR(genkey_filename);
1817  SHOW_STR(key_pass_file);
1818  SHOW_BOOL(show_tls_ciphers);
1819 
1820  SHOW_INT(connect_retry_max);
1821  show_connection_entries(o);
1822 
1823  SHOW_BOOL(remote_random);
1824 
1825  SHOW_STR(ipchange);
1826  SHOW_STR(dev);
1827  SHOW_STR(dev_type);
1828  SHOW_STR(dev_node);
1829 #if defined(ENABLE_DCO)
1830  SHOW_BOOL(tuntap_options.disable_dco);
1831 #endif
1832  SHOW_STR(lladdr);
1833  SHOW_INT(topology);
1834  SHOW_STR(ifconfig_local);
1835  SHOW_STR(ifconfig_remote_netmask);
1836  SHOW_BOOL(ifconfig_noexec);
1837  SHOW_BOOL(ifconfig_nowarn);
1838  SHOW_STR(ifconfig_ipv6_local);
1839  SHOW_INT(ifconfig_ipv6_netbits);
1840  SHOW_STR(ifconfig_ipv6_remote);
1841 
1842  SHOW_INT(shaper);
1843  SHOW_INT(mtu_test);
1844 
1845  SHOW_BOOL(mlock);
1846 
1847  SHOW_INT(keepalive_ping);
1848  SHOW_INT(keepalive_timeout);
1849  SHOW_INT(inactivity_timeout);
1850  SHOW_INT(session_timeout);
1851  SHOW_INT64(inactivity_minimum_bytes);
1852  SHOW_INT(ping_send_timeout);
1853  SHOW_INT(ping_rec_timeout);
1854  SHOW_INT(ping_rec_timeout_action);
1855  SHOW_BOOL(ping_timer_remote);
1856  SHOW_INT(remap_sigusr1);
1857  SHOW_BOOL(persist_tun);
1858  SHOW_BOOL(persist_local_ip);
1859  SHOW_BOOL(persist_remote_ip);
1860  SHOW_BOOL(persist_key);
1861 
1862 #if PASSTOS_CAPABILITY
1863  SHOW_BOOL(passtos);
1864 #endif
1865 
1866  SHOW_INT(resolve_retry_seconds);
1867  SHOW_BOOL(resolve_in_advance);
1868 
1869  SHOW_STR(username);
1870  SHOW_STR(groupname);
1871  SHOW_STR(chroot_dir);
1872  SHOW_STR(cd_dir);
1873 #ifdef ENABLE_SELINUX
1874  SHOW_STR(selinux_context);
1875 #endif
1876  SHOW_STR(writepid);
1877  SHOW_STR(up_script);
1878  SHOW_STR(down_script);
1879  SHOW_BOOL(down_pre);
1880  SHOW_BOOL(up_restart);
1881  SHOW_BOOL(up_delay);
1882  SHOW_BOOL(daemon);
1883  SHOW_BOOL(log);
1884  SHOW_BOOL(suppress_timestamps);
1885  SHOW_BOOL(machine_readable_output);
1886  SHOW_INT(nice);
1887  SHOW_INT(verbosity);
1888  SHOW_INT(mute);
1889 #ifdef ENABLE_DEBUG
1890  SHOW_INT(gremlin);
1891 #endif
1892  SHOW_STR(status_file);
1893  SHOW_INT(status_file_version);
1894  SHOW_INT(status_file_update_freq);
1895 
1896  SHOW_BOOL(occ);
1897  SHOW_INT(rcvbuf);
1898  SHOW_INT(sndbuf);
1899 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1900  SHOW_INT(mark);
1901 #endif
1902  SHOW_INT(sockflags);
1903 
1904  SHOW_BOOL(fast_io);
1905 
1906  SHOW_INT(comp.alg);
1907  SHOW_INT(comp.flags);
1908 
1909  SHOW_STR(route_script);
1910  SHOW_STR(route_default_gateway);
1911  SHOW_INT(route_default_metric);
1912  SHOW_BOOL(route_noexec);
1913  SHOW_INT(route_delay);
1914  SHOW_INT(route_delay_window);
1915  SHOW_BOOL(route_delay_defined);
1916  SHOW_BOOL(route_nopull);
1917  SHOW_BOOL(route_gateway_via_dhcp);
1918  SHOW_BOOL(allow_pull_fqdn);
1919  show_pull_filter_list(o->pull_filter_list);
1920 
1921  if (o->routes)
1922  {
1923  print_route_options(o->routes, D_SHOW_PARMS);
1924  }
1925 
1926  if (o->client_nat)
1927  {
1928  print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1929  }
1930 
1931  show_dns_options(&o->dns_options);
1932 
1933 #ifdef ENABLE_MANAGEMENT
1934  SHOW_STR(management_addr);
1935  SHOW_STR(management_port);
1936  SHOW_STR(management_user_pass);
1937  SHOW_INT(management_log_history_cache);
1938  SHOW_INT(management_echo_buffer_size);
1939  SHOW_STR(management_client_user);
1940  SHOW_STR(management_client_group);
1941  SHOW_INT(management_flags);
1942 #endif
1943 #ifdef ENABLE_PLUGIN
1944  if (o->plugin_list)
1945  {
1946  plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1947  }
1948 #endif
1949 
1950  SHOW_STR_INLINE(shared_secret_file);
1951  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1952  SHOW_STR(ciphername);
1953  SHOW_STR(ncp_ciphers);
1954  SHOW_STR(authname);
1955 #ifndef ENABLE_CRYPTO_MBEDTLS
1956  SHOW_BOOL(engine);
1957 #endif /* ENABLE_CRYPTO_MBEDTLS */
1958  SHOW_BOOL(mute_replay_warnings);
1959  SHOW_INT(replay_window);
1960  SHOW_INT(replay_time);
1961  SHOW_STR(packet_id_file);
1962  SHOW_BOOL(test_crypto);
1963 #ifdef ENABLE_PREDICTION_RESISTANCE
1964  SHOW_BOOL(use_prediction_resistance);
1965 #endif
1966 
1967  SHOW_BOOL(tls_server);
1968  SHOW_BOOL(tls_client);
1969  SHOW_STR_INLINE(ca_file);
1970  SHOW_STR(ca_path);
1971  SHOW_STR_INLINE(dh_file);
1972  if ((o->management_flags & MF_EXTERNAL_CERT))
1973  {
1974  SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1975  }
1976  else
1977  {
1978  SHOW_STR_INLINE(cert_file);
1979  }
1980  SHOW_STR_INLINE(extra_certs_file);
1981 
1982  if ((o->management_flags & MF_EXTERNAL_KEY))
1983  {
1984  SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1985  }
1986  else
1987  {
1988  SHOW_STR_INLINE(priv_key_file);
1989  }
1990 #ifndef ENABLE_CRYPTO_MBEDTLS
1991  SHOW_STR_INLINE(pkcs12_file);
1992 #endif
1993 #ifdef ENABLE_CRYPTOAPI
1994  SHOW_STR(cryptoapi_cert);
1995 #endif
1996  SHOW_STR(cipher_list);
1997  SHOW_STR(cipher_list_tls13);
1998  SHOW_STR(tls_cert_profile);
1999  SHOW_STR(tls_verify);
2000  SHOW_STR(tls_export_peer_cert_dir);
2001  SHOW_INT(verify_x509_type);
2002  SHOW_STR(verify_x509_name);
2003  SHOW_STR_INLINE(crl_file);
2004  SHOW_INT(ns_cert_type);
2005  {
2006  int i;
2007  for (i = 0; i<MAX_PARMS; i++)
2008  {
2009  SHOW_INT(remote_cert_ku[i]);
2010  }
2011  }
2012  SHOW_STR(remote_cert_eku);
2013  if (o->verify_hash)
2014  {
2015  SHOW_INT(verify_hash_algo);
2016  SHOW_INT(verify_hash_depth);
2017  struct gc_arena gc = gc_new();
2018  struct verify_hash_list *hl = o->verify_hash;
2019  int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
2020  SHA256_DIGEST_LENGTH;
2021  while (hl)
2022  {
2023  char *s = format_hex_ex(hl->hash, digest_len, 0,
2024  1, ":", &gc);
2025  SHOW_PARM(verify_hash, s, "%s");
2026  hl = hl->next;
2027  }
2028  gc_free(&gc);
2029  }
2030  SHOW_INT(ssl_flags);
2031 
2032  SHOW_INT(tls_timeout);
2033 
2034  SHOW_INT(renegotiate_bytes);
2035  SHOW_INT(renegotiate_packets);
2036  SHOW_INT(renegotiate_seconds);
2037 
2038  SHOW_INT(handshake_window);
2039  SHOW_INT(transition_window);
2040 
2041  SHOW_BOOL(single_session);
2042  SHOW_BOOL(push_peer_info);
2043  SHOW_BOOL(tls_exit);
2044 
2045  SHOW_STR(tls_crypt_v2_metadata);
2046 
2047 #ifdef ENABLE_PKCS11
2048  {
2049  int i;
2050  for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
2051  {
2052  SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
2053  }
2054  }
2055  {
2056  int i;
2057  for (i = 0; i<MAX_PARMS; i++)
2058  {
2059  SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
2060  }
2061  }
2062  {
2063  int i;
2064  for (i = 0; i<MAX_PARMS; i++)
2065  {
2066  SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
2067  }
2068  }
2069  {
2070  int i;
2071  for (i = 0; i<MAX_PARMS; i++)
2072  {
2073  SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
2074  }
2075  }
2076  SHOW_INT(pkcs11_pin_cache_period);
2077  SHOW_STR(pkcs11_id);
2078  SHOW_BOOL(pkcs11_id_management);
2079 #endif /* ENABLE_PKCS11 */
2080 
2081  show_p2mp_parms(o);
2082 
2083 #ifdef _WIN32
2084  SHOW_BOOL(show_net_up);
2085  SHOW_INT(route_method);
2086  SHOW_BOOL(block_outside_dns);
2087  show_tuntap_options(&o->tuntap_options);
2088 #endif
2089 #endif /* ifndef ENABLE_SMALL */
2090 }
2091 
2092 #undef SHOW_PARM
2093 #undef SHOW_STR
2094 #undef SHOW_INT
2095 #undef SHOW_BOOL
2096 
2097 #ifdef ENABLE_MANAGEMENT
2098 
2099 static struct http_proxy_options *
2100 parse_http_proxy_override(const char *server,
2101  const char *port,
2102  const char *flags,
2103  const int msglevel,
2104  struct gc_arena *gc)
2105 {
2106  if (server && port)
2107  {
2108  struct http_proxy_options *ho;
2109  ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
2110  ho->server = string_alloc(server, gc);
2111  ho->port = port;
2112  if (flags && !strcmp(flags, "nct"))
2113  {
2114  ho->auth_retry = PAR_NCT;
2115  }
2116  else
2117  {
2118  ho->auth_retry = PAR_ALL;
2119  }
2120  ho->http_version = "1.0";
2121  ho->user_agent = "OpenVPN-Autoproxy/1.0";
2122  return ho;
2123  }
2124  else
2125  {
2126  return NULL;
2127  }
2128 }
2129 
2130 static void
2131 options_postprocess_http_proxy_override(struct options *o)
2132 {
2133  const struct connection_list *l = o->connection_list;
2134  int i;
2135  bool succeed = false;
2136  for (i = 0; i < l->len; ++i)
2137  {
2138  struct connection_entry *ce = l->array[i];
2139  if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2140  {
2141  ce->http_proxy_options = o->http_proxy_override;
2142  succeed = true;
2143  }
2144  }
2145  if (succeed)
2146  {
2147  for (i = 0; i < l->len; ++i)
2148  {
2149  struct connection_entry *ce = l->array[i];
2150  if (ce->proto == PROTO_UDP)
2151  {
2152  ce->flags |= CE_DISABLED;
2153  }
2154  }
2155  }
2156  else
2157  {
2158  msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2159  }
2160 }
2161 
2162 #endif /* ifdef ENABLE_MANAGEMENT */
2163 
2164 static struct connection_list *
2165 alloc_connection_list_if_undef(struct options *options)
2166 {
2167  if (!options->connection_list)
2168  {
2169  ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
2170  }
2171  return options->connection_list;
2172 }
2173 
2174 static struct connection_entry *
2175 alloc_connection_entry(struct options *options, const int msglevel)
2176 {
2177  struct connection_list *l = alloc_connection_list_if_undef(options);
2178  struct connection_entry *e;
2179 
2180  if (l->len == l->capacity)
2181  {
2182  int capacity = l->capacity + CONNECTION_LIST_SIZE;
2183  struct connection_entry **ce = gc_realloc(l->array, capacity*sizeof(struct connection_entry *), &options->gc);
2184  if (ce == NULL)
2185  {
2186  msg(msglevel, "Unable to process more connection options: out of memory. Number of entries = %d", l->len);
2187  return NULL;
2188  }
2189  l->array = ce;
2190  l->capacity = capacity;
2191  }
2192  ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2193  l->array[l->len++] = e;
2194  return e;
2195 }
2196 
2197 static struct remote_list *
2198 alloc_remote_list_if_undef(struct options *options)
2199 {
2200  if (!options->remote_list)
2201  {
2202  ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2203  }
2204  return options->remote_list;
2205 }
2206 
2207 static struct remote_entry *
2208 alloc_remote_entry(struct options *options, const int msglevel)
2209 {
2210  struct remote_list *l = alloc_remote_list_if_undef(options);
2211  struct remote_entry *e;
2212 
2213  if (l->len == l->capacity)
2214  {
2215  int capacity = l->capacity + CONNECTION_LIST_SIZE;
2216  struct remote_entry **re = gc_realloc(l->array, capacity*sizeof(struct remote_entry *), &options->gc);
2217  if (re == NULL)
2218  {
2219  msg(msglevel, "Unable to process more remote options: out of memory. Number of entries = %d", l->len);
2220  return NULL;
2221  }
2222  l->array = re;
2223  l->capacity = capacity;
2224  }
2225  ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2226  l->array[l->len++] = e;
2227  return e;
2228 }
2229 
2230 static struct pull_filter_list *
2231 alloc_pull_filter_list(struct options *o)
2232 {
2233  if (!o->pull_filter_list)
2234  {
2235  ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2236  }
2237  return o->pull_filter_list;
2238 }
2239 
2240 static struct pull_filter *
2241 alloc_pull_filter(struct options *o, const int msglevel)
2242 {
2243  struct pull_filter_list *l = alloc_pull_filter_list(o);
2244  struct pull_filter *f;
2245 
2246  ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2247  if (l->head)
2248  {
2249  ASSERT(l->tail);
2250  l->tail->next = f;
2251  }
2252  else
2253  {
2254  ASSERT(!l->tail);
2255  l->head = f;
2256  }
2257  l->tail = f;
2258  return f;
2259 }
2260 
2261 static void
2262 connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2263 {
2264  if (re->remote)
2265  {
2266  ce->remote = re->remote;
2267  }
2268  if (re->remote_port)
2269  {
2270  ce->remote_port = re->remote_port;
2271  }
2272  if (re->proto >= 0)
2273  {
2274  ce->proto = re->proto;
2275  }
2276  if (re->af > 0)
2277  {
2278  ce->af = re->af;
2279  }
2280 }
2281 
2282 static void
2283 connection_entry_preload_key(const char **key_file, bool *key_inline,
2284  struct gc_arena *gc)
2285 {
2286  if (key_file && *key_file && !(*key_inline))
2287  {
2288  struct buffer in = buffer_read_from_file(*key_file, gc);
2289  if (!buf_valid(&in))
2290  {
2291  msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2292  }
2293 
2294  *key_file = (const char *) in.data;
2295  *key_inline = true;
2296  }
2297 }
2298 
2299 static void
2300 check_ca_required(const struct options *options)
2301 {
2302  if (options->verify_hash_no_ca
2303  || options->pkcs12_file
2304  || options->ca_file
2305 #ifndef ENABLE_CRYPTO_MBEDTLS
2306  || options->ca_path
2307 #endif
2308  )
2309  {
2310  return;
2311  }
2312 
2313  const char *const str = "You must define CA file (--ca)"
2314 #ifndef ENABLE_CRYPTO_MBEDTLS
2315  " or CA path (--capath)"
2316 #endif
2317  " and/or peer fingerprint verification (--peer-fingerprint)";
2318  msg(M_USAGE, "%s", str);
2319 }
2320 
2321 static void
2322 options_postprocess_verify_ce(const struct options *options,
2323  const struct connection_entry *ce)
2324 {
2325  struct options defaults;
2326  int dev = DEV_TYPE_UNDEF;
2327  bool pull = false;
2328 
2329  init_options(&defaults, true);
2330 
2331  if (options->test_crypto)
2332  {
2333  notnull(options->shared_secret_file, "key file (--secret)");
2334  }
2335  else
2336  {
2337  notnull(options->dev, "TUN/TAP device (--dev)");
2338  }
2339 
2340  /*
2341  * Get tun/tap/null device type
2342  */
2343  dev = dev_type_enum(options->dev, options->dev_type);
2344 
2345  /*
2346  * If "proto tcp" is specified, make sure we know whether it is
2347  * tcp-client or tcp-server.
2348  */
2349  if (ce->proto == PROTO_TCP)
2350  {
2351  msg(M_USAGE,
2352  "--proto tcp is ambiguous in this context. Please specify "
2353  "--proto tcp-server or --proto tcp-client");
2354  }
2355 
2356  if (options->lladdr && dev != DEV_TYPE_TAP)
2357  {
2358  msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2359  }
2360 
2361  /*
2362  * Sanity check on MTU parameters
2363  */
2364  if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2365  {
2366  msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2367  }
2368 
2369  if (!proto_is_udp(ce->proto) && options->mtu_test)
2370  {
2371  msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2372  }
2373 
2374  /* will we be pulling options from server? */
2375  pull = options->pull;
2376 
2377  /*
2378  * Sanity check on --local, --remote, and --ifconfig
2379  */
2380 
2381  if (proto_is_net(ce->proto)
2382  && string_defined_equal(ce->local, ce->remote)
2383  && string_defined_equal(ce->local_port, ce->remote_port))
2384  {
2385  msg(M_USAGE, "--remote and --local addresses are the same");
2386  }
2387 
2388  if (string_defined_equal(ce->remote, options->ifconfig_local)
2389  || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2390  {
2391  msg(M_USAGE,
2392  "--local and --remote addresses must be distinct from --ifconfig "
2393  "addresses");
2394  }
2395 
2396  if (string_defined_equal(ce->local, options->ifconfig_local)
2397  || string_defined_equal(ce->local, options->ifconfig_remote_netmask))
2398  {
2399  msg(M_USAGE,
2400  "--local addresses must be distinct from --ifconfig addresses");
2401  }
2402 
2403  if (string_defined_equal(options->ifconfig_local,
2404  options->ifconfig_remote_netmask))
2405  {
2406  msg(M_USAGE,
2407  "local and remote/netmask --ifconfig addresses must be different");
2408  }
2409 
2410  if (ce->bind_defined && !ce->bind_local)
2411  {
2412  msg(M_USAGE, "--bind and --nobind can't be used together");
2413  }
2414 
2415  if (ce->local && !ce->bind_local)
2416  {
2417  msg(M_USAGE,
2418  "--local and --nobind don't make sense when used together");
2419  }
2420 
2421  if (ce->local_port_defined && !ce->bind_local)
2422  {
2423  msg(M_USAGE,
2424  "--lport and --nobind don't make sense when used together");
2425  }
2426 
2427  if (!ce->remote && !ce->bind_local)
2428  {
2429  msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2430  }
2431 
2432  /*
2433  * Check for consistency of management options
2434  */
2435 #ifdef ENABLE_MANAGEMENT
2436  if (!options->management_addr
2437  && (options->management_flags
2438  || options->management_log_history_cache != defaults.management_log_history_cache))
2439  {
2440  msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2441  }
2442 
2443  if ((options->management_client_user || options->management_client_group)
2444  && !(options->management_flags & MF_UNIX_SOCK))
2445  {
2446  msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2447  }
2448 
2449  if (options->management_addr
2450  && !(options->management_flags & MF_UNIX_SOCK)
2451  && (!options->management_user_pass))
2452  {
2453  msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2454  "passwords is STRONGLY discouraged and considered insecure");
2455  }
2456 
2457 #endif /* ifdef ENABLE_MANAGEMENT */
2458 
2459 #if !defined(HAVE_XKEY_PROVIDER)
2460  if ((tls_version_max() >= TLS_VER_1_3)
2461  && (options->management_flags & MF_EXTERNAL_KEY)
2462  && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2463  )
2464  {
2465  msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2466  "nopadding argument/support");
2467  }
2468 #endif
2469  /*
2470  * Windows-specific options.
2471  */
2472 
2473 #ifdef _WIN32
2474  if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2475  {
2476  msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2477  }
2478 
2479  if ((options->tuntap_options.ip_win32_defined)
2480  && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2481  {
2482  msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2483  }
2484 
2485  if (options->tuntap_options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
2486  {
2487  const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
2488  if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
2489  {
2490  msg(M_USAGE, "%s, which is not supported by the selected %s driver",
2491  prefix, print_windows_driver(options->windows_driver));
2492  }
2493  else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2494  && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2495  {
2496  msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive",
2497  prefix);
2498  }
2499  }
2500 
2501  if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
2502  {
2503  msg(M_USAGE, "--windows-driver wintun requires --dev tun");
2504  }
2505 #endif /* ifdef _WIN32 */
2506 
2507  /*
2508  * Check that protocol options make sense.
2509  */
2510 
2511 #ifdef ENABLE_FRAGMENT
2512  if (!proto_is_udp(ce->proto) && ce->fragment)
2513  {
2514  msg(M_USAGE, "--fragment can only be used with --proto udp");
2515  }
2516 #endif
2517 
2518  if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2519  {
2520  msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2521  }
2522 
2523  if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2524  {
2525  msg(M_USAGE,
2526  "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2527  "tcp-client)");
2528  }
2529 
2530  if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2531  {
2532  msg(M_USAGE,
2533  "--http-proxy not specified but other http proxy options present");
2534  }
2535 
2536  if (ce->http_proxy_options && ce->socks_proxy_server)
2537  {
2538  msg(M_USAGE,
2539  "--http-proxy can not be used together with --socks-proxy");
2540  }
2541 
2542  if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2543  {
2544  msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2545  }
2546 
2547  if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2548  {
2549  msg(M_USAGE, "TCP server mode allows at most one --remote address");
2550  }
2551 
2552  /*
2553  * Check consistency of --mode server options.
2554  */
2555  if (options->mode == MODE_SERVER)
2556  {
2557 #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
2558  "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2559 #ifdef TARGET_ANDROID
2560  msg(M_FATAL, "--mode server not supported on Android");
2561 #endif
2562  if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2563  {
2564  msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2565  }
2566  if (options->pull)
2567  {
2568  msg(M_USAGE, "--pull cannot be used with --mode server");
2569  }
2570  if (options->pull_filter_list)
2571  {
2572  msg(M_WARN, "--pull-filter ignored for --mode server");
2573  }
2574  if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2575  {
2576  msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2577  }
2578 #if PORT_SHARE
2579  if ((options->port_share_host || options->port_share_port)
2580  && (ce->proto != PROTO_TCP_SERVER))
2581  {
2582  msg(M_USAGE, "--port-share only works in TCP server mode "
2583  "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2584  }
2585 #endif
2586  if (!options->tls_server)
2587  {
2588  msg(M_USAGE, "--mode server requires --tls-server");
2589  }
2590  if (ce->remote)
2591  {
2592  msg(M_USAGE, "--remote cannot be used with --mode server");
2593  }
2594  if (!ce->bind_local)
2595  {
2596  msg(M_USAGE, "--nobind cannot be used with --mode server");
2597  }
2598  if (ce->http_proxy_options)
2599  {
2600  msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2601  }
2602  if (ce->socks_proxy_server)
2603  {
2604  msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2605  }
2606  /* <connection> blocks force to have a remote embedded, so we check
2607  * for the --remote and bail out if it is present
2608  */
2609  if (options->connection_list->len >1
2610  || options->connection_list->array[0]->remote)
2611  {
2612  msg(M_USAGE, "<connection> cannot be used with --mode server");
2613  }
2614 
2615  if (options->shaper)
2616  {
2617  msg(M_USAGE, "--shaper cannot be used with --mode server");
2618  }
2619  if (options->ipchange)
2620  {
2621  msg(M_USAGE,
2622  "--ipchange cannot be used with --mode server (use "
2623  "--client-connect instead)");
2624  }
2625  if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2626  {
2627  msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2628  }
2629  if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2630  {
2631  msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2632  }
2633  if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2634  {
2635  msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2636  }
2637  if (options->routes && (options->routes->flags & RG_ENABLE))
2638  {
2639  msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2640  }
2641  if (options->route_delay_defined)
2642  {
2643  msg(M_USAGE, "--route-delay cannot be used with --mode server");
2644  }
2645  if (options->up_delay)
2646  {
2647  msg(M_USAGE, "--up-delay cannot be used with --mode server");
2648  }
2649  if (!options->ifconfig_pool_defined
2650  && !options->ifconfig_ipv6_pool_defined
2651  && options->ifconfig_pool_persist_filename)
2652  {
2653  msg(M_USAGE,
2654  "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2655  }
2656  if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2657  {
2658  msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2659  }
2660  if (options->allow_recursive_routing)
2661  {
2662  msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2663  }
2664  if (options->auth_user_pass_file)
2665  {
2666  msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2667  }
2668  if (options->ccd_exclusive && !options->client_config_dir)
2669  {
2670  msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2671  }
2672  if (options->auth_token_generate && !options->renegotiate_seconds)
2673  {
2674  msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2675  "--renegotiate_seconds setting");
2676  }
2677  if (options->auth_token_generate && options->auth_token_renewal
2678  && options->auth_token_renewal < 2 * options->handshake_window)
2679  {
2680  msg(M_USAGE, "--auth-gen-token renewal time needs to be at least "
2681  " two times --hand-window (%d).",
2682  options->handshake_window);
2683 
2684  }
2685  {
2686  const bool ccnr = (options->auth_user_pass_verify_script
2687  || PLUGIN_OPTION_LIST(options)
2688  || MAN_CLIENT_AUTH_ENABLED(options));
2689  const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2690  if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
2691  {
2692  msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2693  }
2694  if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2695  {
2696  msg(M_USAGE, "--username-as-common-name %s", postfix);
2697  }
2698  if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2699  {
2700  msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2701  }
2702  }
2703 
2704  if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2705  {
2706  msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2707  }
2708  if (!options->vlan_tagging)
2709  {
2710  if (options->vlan_accept != defaults.vlan_accept)
2711  {
2712  msg(M_USAGE, "--vlan-accept requires --vlan-tagging");
2713  }
2714  if (options->vlan_pvid != defaults.vlan_pvid)
2715  {
2716  msg(M_USAGE, "--vlan-pvid requires --vlan-tagging");
2717  }
2718  }
2719  }
2720  else
2721  {
2722  /*
2723  * When not in server mode, err if parameters are
2724  * specified which require --mode server.
2725  */
2726  if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2727  {
2728  msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2729  }
2730  if (options->ifconfig_ipv6_pool_defined)
2731  {
2732  msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2733  }
2734  if (options->real_hash_size != defaults.real_hash_size
2735  || options->virtual_hash_size != defaults.virtual_hash_size)
2736  {
2737  msg(M_USAGE, "--hash-size requires --mode server");
2738  }
2739  if (options->learn_address_script)
2740  {
2741  msg(M_USAGE, "--learn-address requires --mode server");
2742  }
2743  if (options->client_connect_script)
2744  {
2745  msg(M_USAGE, "--client-connect requires --mode server");
2746  }
2747  if (options->client_crresponse_script)
2748  {
2749  msg(M_USAGE, "--client-crresponse requires --mode server");
2750  }
2751  if (options->client_disconnect_script)
2752  {
2753  msg(M_USAGE, "--client-disconnect requires --mode server");
2754  }
2755  if (options->client_config_dir || options->ccd_exclusive)
2756  {
2757  msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2758  }
2759  if (options->enable_c2c)
2760  {
2761  msg(M_USAGE, "--client-to-client requires --mode server");
2762  }
2763  if (options->duplicate_cn)
2764  {
2765  msg(M_USAGE, "--duplicate-cn requires --mode server");
2766  }
2767  if (options->cf_max || options->cf_per)
2768  {
2769  msg(M_USAGE, "--connect-freq requires --mode server");
2770  }
2771  if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2772  {
2773  msg(M_USAGE, "--verify-client-cert requires --mode server");
2774  }
2775  if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2776  {
2777  msg(M_USAGE, "--username-as-common-name requires --mode server");
2778  }
2779  if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2780  {
2781  msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2782  }
2783  if (options->ssl_flags & SSLF_OPT_VERIFY)
2784  {
2785  msg(M_USAGE, "--opt-verify requires --mode server");
2786  }
2787  if (options->server_flags & SF_TCP_NODELAY_HELPER)
2788  {
2789  msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2790  "affect the server. To have TCP_NODELAY in both direction use "
2791  "tcp-nodelay in the server configuration instead.");
2792  }
2793  if (options->auth_user_pass_verify_script)
2794  {
2795  msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2796  }
2797  if (options->auth_token_generate)
2798  {
2799  msg(M_USAGE, "--auth-gen-token requires --mode server");
2800  }
2801 #if PORT_SHARE
2802  if (options->port_share_host || options->port_share_port)
2803  {
2804  msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2805  }
2806 #endif
2807 
2808  if (options->stale_routes_check_interval)
2809  {
2810  msg(M_USAGE, "--stale-routes-check requires --mode server");
2811  }
2812 
2813  if (options->vlan_tagging)
2814  {
2815  msg(M_USAGE, "--vlan-tagging requires --mode server");
2816  }
2817 
2818  if (options->force_key_material_export)
2819  {
2820  msg(M_USAGE, "--force-tls-key-material-export requires --mode server");
2821  }
2822  }
2823 
2824  /*
2825  * SSL/TLS mode sanity checks.
2826  */
2827  if (options->tls_server + options->tls_client
2828  +(options->shared_secret_file != NULL) > 1)
2829  {
2830  msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2831  }
2832 
2833  if (!options->tls_server && !options->tls_client)
2834  {
2835  int msglevel = M_USAGE;
2836  if (options->allow_deprecated_insecure_static_crypto)
2837  {
2838  msglevel = M_INFO;
2839  }
2840 
2841  msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
2842  "configuration detected. OpenVPN 2.8 will remove the "
2843  "functionality to run a VPN without TLS. "
2844  "See the examples section in the manual page for "
2845  "examples of a similar quick setup with peer-fingerprint."
2846  "OpenVPN 2.7 allows using this configuration when using "
2847  "--allow-deprecated-insecure-static-crypto but you should move"
2848  "to a proper configuration using TLS as soon as possible."
2849  );
2850  }
2851 
2852  if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2853  {
2854  msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2855  "--verify-client-cert none|optional "
2856  "may accept clients which do not present a certificate");
2857  }
2858 
2859  const int tls_version_max =
2860  (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
2861  & SSLF_TLS_VERSION_MAX_MASK;
2862  const int tls_version_min =
2863  (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
2864  & SSLF_TLS_VERSION_MIN_MASK;
2865 
2866  if (tls_version_max > 0 && tls_version_max < tls_version_min)
2867  {
2868  msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2869  }
2870 
2871  if (options->tls_server || options->tls_client)
2872  {
2873  check_ca_required(options);
2874 #ifdef ENABLE_PKCS11
2875  if (!options->pkcs11_providers[0] && options->pkcs11_id)
2876  {
2877  msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2878  }
2879  else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2880  {
2881  msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2882  }
2883 
2884  if (options->pkcs11_providers[0])
2885  {
2886  if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2887  {
2888  msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2889  }
2890  if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2891  {
2892  msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2893  }
2894  if (options->cert_file)
2895  {
2896  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2897  }
2898  if (options->priv_key_file)
2899  {
2900  msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2901  }
2902  if (options->management_flags & MF_EXTERNAL_KEY)
2903  {
2904  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2905  }
2906  if (options->management_flags & MF_EXTERNAL_CERT)
2907  {
2908  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2909  }
2910  if (options->pkcs12_file)
2911  {
2912  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2913  }
2914 #ifdef ENABLE_CRYPTOAPI
2915  if (options->cryptoapi_cert)
2916  {
2917  msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2918  }
2919 #endif
2920  }
2921  else
2922 #endif /* ifdef ENABLE_PKCS11 */
2923  if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2924  {
2925  msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2926  }
2927  else if ((options->management_flags & MF_EXTERNAL_CERT))
2928  {
2929  if (options->cert_file)
2930  {
2931  msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2932  }
2933  else if (!(options->management_flags & MF_EXTERNAL_KEY))
2934  {
2935  msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2936  }
2937  }
2938  else
2939 #ifdef ENABLE_CRYPTOAPI
2940  if (options->cryptoapi_cert)
2941  {
2942  if (options->cert_file)
2943  {
2944  msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2945  }
2946  if (options->priv_key_file)
2947  {
2948  msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2949  }
2950  if (options->pkcs12_file)
2951  {
2952  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2953  }
2954  if (options->management_flags & MF_EXTERNAL_KEY)
2955  {
2956  msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2957  }
2958  if (options->management_flags & MF_EXTERNAL_CERT)
2959  {
2960  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2961  }
2962  }
2963  else
2964 #endif /* ifdef ENABLE_CRYPTOAPI */
2965  if (options->pkcs12_file)
2966  {
2967 #ifdef ENABLE_CRYPTO_MBEDTLS
2968  msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2969 #else
2970  if (options->ca_path)
2971  {
2972  msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2973  }
2974  if (options->cert_file)
2975  {
2976  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2977  }
2978  if (options->priv_key_file)
2979  {
2980  msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2981  }
2982  if (options->management_flags & MF_EXTERNAL_KEY)
2983  {
2984  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2985  }
2986  if (options->management_flags & MF_EXTERNAL_CERT)
2987  {
2988  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2989  }
2990 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2991  }
2992  else
2993  {
2994 #ifdef ENABLE_CRYPTO_MBEDTLS
2995  if (options->ca_path)
2996  {
2997  msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2998  }
2999 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
3000  if (pull)
3001  {
3002 
3003  const int sum =
3004  ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
3005  + ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
3006 
3007  if (sum == 0)
3008  {
3009  if (!options->auth_user_pass_file)
3010  {
3011  msg(M_USAGE, "No client-side authentication method is "
3012  "specified. You must use either "
3013  "--cert/--key, --pkcs12, or "
3014  "--auth-user-pass");
3015  }
3016  }
3017  else if (sum != 2)
3018  {
3019  msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
3020  }
3021  }
3022  else
3023  {
3024  if (!(options->management_flags & MF_EXTERNAL_CERT))
3025  {
3026  notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
3027  }
3028  if (!(options->management_flags & MF_EXTERNAL_KEY))
3029  {
3030  notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
3031  }
3032  }
3033  }
3034  if (ce->tls_auth_file && ce->tls_crypt_file)
3035  {
3036  msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
3037  }
3038  if (options->tls_client && ce->tls_crypt_v2_file
3039  && (ce->tls_auth_file || ce->tls_crypt_file))
3040  {
3041  msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
3042  }
3043  }
3044  else
3045  {
3046  /*
3047  * Make sure user doesn't specify any TLS options
3048  * when in non-TLS mode.
3049  */
3050 
3051 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
3052 }
3053 
3054  const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
3055 
3056  MUST_BE_UNDEF(ca_file);
3057  MUST_BE_UNDEF(ca_path);
3058  MUST_BE_UNDEF(dh_file);
3059  MUST_BE_UNDEF(cert_file);
3060  MUST_BE_UNDEF(priv_key_file);
3061 #ifndef ENABLE_CRYPTO_MBEDTLS
3062  MUST_BE_UNDEF(pkcs12_file);
3063 #endif
3064  MUST_BE_UNDEF(cipher_list);
3065  MUST_BE_UNDEF(cipher_list_tls13);
3066  MUST_BE_UNDEF(tls_cert_profile);
3067  MUST_BE_UNDEF(tls_verify);
3068  MUST_BE_UNDEF(tls_export_peer_cert_dir);
3069  MUST_BE_UNDEF(verify_x509_name);
3070  MUST_BE_UNDEF(tls_timeout);
3071  MUST_BE_UNDEF(renegotiate_bytes);
3072  MUST_BE_UNDEF(renegotiate_packets);
3073  MUST_BE_UNDEF(renegotiate_seconds);
3074  MUST_BE_UNDEF(handshake_window);
3075  MUST_BE_UNDEF(transition_window);
3076  MUST_BE_UNDEF(tls_auth_file);
3077  MUST_BE_UNDEF(tls_crypt_file);
3078  MUST_BE_UNDEF(tls_crypt_v2_file);
3079  MUST_BE_UNDEF(single_session);
3080  MUST_BE_UNDEF(push_peer_info);
3081  MUST_BE_UNDEF(tls_exit);
3082  MUST_BE_UNDEF(crl_file);
3083  MUST_BE_UNDEF(ns_cert_type);
3084  MUST_BE_UNDEF(remote_cert_ku[0]);
3085  MUST_BE_UNDEF(remote_cert_eku);
3086 #ifdef ENABLE_PKCS11
3087  MUST_BE_UNDEF(pkcs11_providers[0]);
3088  MUST_BE_UNDEF(pkcs11_private_mode[0]);
3089  MUST_BE_UNDEF(pkcs11_id);
3090  MUST_BE_UNDEF(pkcs11_id_management);
3091 #endif
3092 
3093  if (pull)
3094  {
3095  msg(M_USAGE, err, "--pull");
3096  }
3097  }
3098 #undef MUST_BE_UNDEF
3099 
3100  if (options->auth_user_pass_file && !options->pull)
3101  {
3102  msg(M_USAGE, "--auth-user-pass requires --pull");
3103  }
3104 
3105  uninit_options(&defaults);
3106 }
3107 
3108 static void
3109 options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
3110 {
3111  const int dev = dev_type_enum(o->dev, o->dev_type);
3112 
3113  if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3114  {
3115  if (ce->proto == PROTO_TCP)
3116  {
3117  ce->proto = PROTO_TCP_SERVER;
3118  }
3119  }
3120 
3121  if (o->client)
3122  {
3123  if (ce->proto == PROTO_TCP)
3124  {
3125  ce->proto = PROTO_TCP_CLIENT;
3126  }
3127  }
3128 
3129  /* an option is present that requires local bind to enabled */
3130  bool need_bind = ce->local || ce->local_port_defined || ce->bind_defined;
3131 
3132  /* socks proxy is enabled */
3133  bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
3134 
3135  /* If binding is not forced by an explicit option and we have (at least)
3136  * one of --tcp-client, --pull (or --client), or socks we do not bind
3137  * locally to have "normal" IP client behaviour of a random source port */
3138  if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
3139  {
3140  ce->bind_local = false;
3141  }
3142 
3143  if (!ce->bind_local)
3144  {
3145  ce->local_port = NULL;
3146  }
3147 
3148  /* if protocol forcing is enabled, disable all protocols
3149  * except for the forced one
3150  */
3151  if (o->proto_force >= 0 && o->proto_force != ce->proto)
3152  {
3153  ce->flags |= CE_DISABLED;
3154  }
3155 
3156  /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
3157  * so fall back to IPv4-only (trac #1221)
3158  */
3159  if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
3160  {
3161  if (ce->af == AF_INET6)
3162  {
3163  msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
3164  "'--socks-proxy' today. Forcing IPv4 mode." );
3165  }
3166  else
3167  {
3168  msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
3169  "work correctly with '--socks-proxy' today. Forcing IPv4." );
3170  }
3171  ce->af = AF_INET;
3172  }
3173 
3174  /*
3175  * Set MTU defaults
3176  */
3177  {
3178  if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
3179  {
3180  ce->tun_mtu_defined = true;
3181  }
3182  if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3183  {
3184  ce->tun_mtu_extra_defined = true;
3185  ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
3186  }
3187  }
3188 
3189  /*
3190  * If --mssfix is supplied without a parameter or not specified at all,
3191  * default it to --fragment value, if --fragment is specified and otherwise
3192  * to the default if tun-mtu is 1500
3193  */
3194  if (o->ce.mssfix_default)
3195  {
3196 #ifdef ENABLE_FRAGMENT
3197  if (ce->fragment)
3198  {
3199  ce->mssfix = ce->fragment;
3200  }
3201  else
3202 #endif
3203  if (ce->tun_mtu_defined)
3204  {
3205  if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3206  {
3207  /* We want to only set mssfix default value if we use a default
3208  * MTU Size, otherwise the different size of tun should either
3209  * already solve the problem or mssfix might artifically make the
3210  * payload packets smaller without mssfix 0 */
3211  ce->mssfix = MSSFIX_DEFAULT;
3212  ce->mssfix_encap = true;
3213  }
3214  else
3215  {
3216  /* We still apply the mssfix value but only adjust it to the
3217  * size of the tun interface. */
3218  ce->mssfix = ce->tun_mtu;
3219  ce->mssfix_fixed = true;
3220  }
3221  }
3222  }
3223 
3224  /*
3225  * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3226  *
3227  * At the end only one of these will be really set because the parser
3228  * logic prevents configurations where more are set.
3229  */
3230  if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3231  {
3232  ce->tls_auth_file = o->tls_auth_file;
3233  ce->tls_auth_file_inline = o->tls_auth_file_inline;
3234  ce->key_direction = o->key_direction;
3235 
3236  ce->tls_crypt_file = o->tls_crypt_file;
3237  ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3238 
3239  ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3240  ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3241  }
3242 
3243  /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
3244  * keys were not already embedded in the config file.
3245  */
3246  if (o->persist_key)
3247  {
3248  connection_entry_preload_key(&ce->tls_auth_file,
3249  &ce->tls_auth_file_inline, &o->gc);
3250  connection_entry_preload_key(&ce->tls_crypt_file,
3251  &ce->tls_crypt_file_inline, &o->gc);
3252  connection_entry_preload_key(&ce->tls_crypt_v2_file,
3253  &ce->tls_crypt_v2_file_inline, &o->gc);
3254  }
3255 
3256  if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3257  {
3258  msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3259  ce->explicit_exit_notification = 0;
3260  }
3261 }
3262 
3263 #ifdef _WIN32
3264 /* If iservice is in use, we need def1 method for redirect-gateway */
3265 static void
3266 remap_redirect_gateway_flags(struct options *opt)
3267 {
3268  if (opt->routes
3269  && opt->route_method == ROUTE_METHOD_SERVICE
3270  && opt->routes->flags & RG_REROUTE_GW
3271  && !(opt->routes->flags & RG_DEF1))
3272  {
3273  msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3274  opt->routes->flags |= RG_DEF1;
3275  }
3276 }
3277 #endif
3278 
3279 /*
3280  * Save/Restore certain option defaults before --pull is applied.
3281  */
3282 
3283 static void
3284 pre_connect_save(struct options *o)
3285 {
3286  ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3287  o->pre_connect->tuntap_options = o->tuntap_options;
3288  o->pre_connect->tuntap_options_defined = true;
3289  o->pre_connect->foreign_option_index = o->foreign_option_index;
3290 
3291  if (o->routes)
3292  {
3293  o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3294  o->pre_connect->routes_defined = true;
3295  }
3296  if (o->routes_ipv6)
3297  {
3298  o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3299  o->pre_connect->routes_ipv6_defined = true;
3300  }
3301  if (o->client_nat)
3302  {
3303  o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3304  o->pre_connect->client_nat_defined = true;
3305  }
3306 
3307  o->pre_connect->route_default_gateway = o->route_default_gateway;
3308  o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3309 
3310  o->pre_connect->dns_options = clone_dns_options(o->dns_options, &o->gc);
3311 
3312  /* NCP related options that can be overwritten by a push */
3313  o->pre_connect->ciphername = o->ciphername;
3314  o->pre_connect->authname = o->authname;
3315 
3316  /* Ping related options should be reset to the config values on reconnect */
3317  o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3318  o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3319  o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3320 
3321  /* Miscellaneous Options */
3322  o->pre_connect->comp = o->comp;
3323 }
3324 
3325 void
3326 pre_connect_restore(struct options *o, struct gc_arena *gc)
3327 {
3328  const struct options_pre_connect *pp = o->pre_connect;
3329  if (pp)
3330  {
3331  CLEAR(o->tuntap_options);
3332  if (pp->tuntap_options_defined)
3333  {
3334  o->tuntap_options = pp->tuntap_options;
3335  }
3336 
3337  if (pp->routes_defined)
3338  {
3339  rol_check_alloc(o);
3340  copy_route_option_list(o->routes, pp->routes, gc);
3341  }
3342  else
3343  {
3344  o->routes = NULL;
3345  }
3346 
3347  if (pp->routes_ipv6_defined)
3348  {
3349  rol6_check_alloc(o);
3350  copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3351  }
3352  else
3353  {
3354  o->routes_ipv6 = NULL;
3355  }
3356 
3357  o->route_default_gateway = pp->route_default_gateway;
3358  o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3359 
3360  /* Free DNS options and reset them to pre-pull state */
3361  gc_free(&o->dns_options.gc);
3362  struct gc_arena dns_gc = gc_new();
3363  o->dns_options = clone_dns_options(pp->dns_options, &dns_gc);
3364  o->dns_options.gc = dns_gc;
3365 
3366  if (pp->client_nat_defined)
3367  {
3368  cnol_check_alloc(o);
3369  copy_client_nat_option_list(o->client_nat, pp->client_nat);
3370  }
3371  else
3372  {
3373  o->client_nat = NULL;
3374  }
3375 
3376  o->foreign_option_index = pp->foreign_option_index;
3377 
3378  o->ciphername = pp->ciphername;
3379  o->authname = pp->authname;
3380 
3381  o->ping_rec_timeout = pp->ping_rec_timeout;
3382  o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3383  o->ping_send_timeout = pp->ping_send_timeout;
3384 
3385  /* Miscellaneous Options */
3386  o->comp = pp->comp;
3387  }
3388 
3389  o->push_continuation = 0;
3390  o->push_option_types_found = 0;
3391  o->imported_protocol_flags = 0;
3392 }
3393 
3394 static void
3395 options_postprocess_mutate_invariant(struct options *options)
3396 {
3397 #ifdef _WIN32
3398  const int dev = dev_type_enum(options->dev, options->dev_type);
3399 
3400  /* when using wintun/ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3401  if ((options->windows_driver == WINDOWS_DRIVER_WINTUN
3402  || options->windows_driver == WINDOWS_DRIVER_DCO)
3403  && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3404  || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3405  {
3406  options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3407  }
3408 
3409  if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3410  {
3411  /* delay may only be necessary when we perform DHCP handshake */
3412  const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3413  || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3414  if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3415  {
3416  options->route_delay_defined = true;
3417  options->route_delay = 5; /* Vista sometimes has a race without this */
3418  }
3419  }
3420 
3421  if (options->ifconfig_noexec)
3422  {
3423  options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3424  options->ifconfig_noexec = false;
3425  }
3426 
3427  remap_redirect_gateway_flags(options);
3428 
3429  /*
3430  * Check consistency of --mode server options.
3431  */
3432  if (options->mode == MODE_SERVER)
3433  {
3434  /*
3435  * We need to explicitly set --tap-sleep because
3436  * we do not schedule event timers in the top-level context.
3437  */
3438  options->tuntap_options.tap_sleep = 10;
3439  if (options->route_delay_defined && options->route_delay)
3440  {
3441  options->tuntap_options.tap_sleep = options->route_delay;
3442  }
3443  options->route_delay_defined = false;
3444  }
3445 #endif /* ifdef _WIN32 */
3446 
3447 #ifdef DEFAULT_PKCS11_MODULE
3448  /* If p11-kit is present on the system then load its p11-kit-proxy.so
3449  * by default if the user asks for PKCS#11 without otherwise specifying
3450  * the module to use. */
3451  if (!options->pkcs11_providers[0]
3452  && (options->pkcs11_id || options->pkcs11_id_management))
3453  {
3454  options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3455  }
3456 #endif
3457 }
3458 
3459 static void
3460 options_postprocess_verify(const struct options *o)
3461 {
3462  if (o->connection_list)
3463  {
3464  int i;
3465  for (i = 0; i < o->connection_list->len; ++i)
3466  {
3467  options_postprocess_verify_ce(o, o->connection_list->array[i]);
3468  }
3469  }
3470  else
3471  {
3472  options_postprocess_verify_ce(o, &o->ce);
3473  }
3474 
3475  dns_options_verify(M_FATAL, &o->dns_options);
3476 
3477  if (dco_enabled(o) && o->enable_c2c)
3478  {
3479  msg(M_WARN, "Note: --client-to-client has no effect when using data "
3480  "channel offload: packets are always sent to the VPN "
3481  "interface and then routed based on the system routing table");
3482  }
3483 }
3484 
3490 static void
3491 options_postprocess_setdefault_ncpciphers(struct options *o)
3492 {
3493  if (o->ncp_ciphers)
3494  {
3495  /* custom --data-ciphers set, keep list */
3496  return;
3497  }
3498 
3499  /* check if crypto library supports chacha */
3500  bool can_do_chacha = cipher_valid("CHACHA20-POLY1305");
3501 
3502  if (can_do_chacha && dco_enabled(o))
3503  {
3504  /* also make sure that dco supports chacha */
3505  can_do_chacha = tls_item_in_cipher_list("CHACHA20-POLY1305", dco_get_supported_ciphers());
3506  }
3507 
3508  if (can_do_chacha)
3509  {
3510  o->ncp_ciphers = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
3511  }
3512  else
3513  {
3514  o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
3515  }
3516 }
3517 
3518 static void
3519 options_postprocess_cipher(struct options *o)
3520 {
3521  if (!o->pull && !(o->mode == MODE_SERVER))
3522  {
3523  /* If the cipher is not set, use the old default of BF-CBC. We will
3524  * warn that this is deprecated on cipher initialisation, no need
3525  * to warn here as well */
3526  if (!o->ciphername)
3527  {
3528  o->ciphername = "BF-CBC";
3529  }
3530  else
3531  {
3532  o->enable_ncp_fallback = true;
3533  }
3534  return;
3535  }
3536 
3537  /* pull or P2MP mode */
3538  if (!o->ciphername)
3539  {
3540  /* We still need to set the ciphername to BF-CBC since various other
3541  * parts of OpenVPN assert that the ciphername is set */
3542  o->ciphername = "BF-CBC";
3543 
3544  msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
3545  "defaulted to BF-CBC as fallback when cipher negotiation "
3546  "failed in this case. If you need this fallback please add "
3547  "'--data-ciphers-fallback BF-CBC' to your configuration "
3548  "and/or add BF-CBC to --data-ciphers.");
3549  }
3550  else if (!o->enable_ncp_fallback
3551  && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3552  {
3553  msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3554  "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3555  "negotiations. ",
3556  o->ciphername, o->ncp_ciphers);
3557  }
3558 }
3559 
3574 static bool
3575 need_compatibility_before(const struct options *o, unsigned int version)
3576 {
3577  return o->backwards_compatible != 0 && o->backwards_compatible < version;
3578 }
3579 
3584 static void
3585 options_set_backwards_compatible_options(struct options *o)
3586 {
3587  /* TLS min version is not set */
3588  int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
3589  & SSLF_TLS_VERSION_MIN_MASK;
3590  if (tls_ver_min == 0)
3591  {
3592  int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
3593  & SSLF_TLS_VERSION_MAX_MASK;
3594  if (need_compatibility_before(o, 20307))
3595  {
3596  /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3597  o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3598  }
3599  else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3600  {
3601  /* Use TLS 1.2 as proper default */
3602  o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3603  }
3604  else
3605  {
3606  /* Maximize the minimum version */
3607  o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3608  }
3609  }
3610 
3611  if (need_compatibility_before(o, 20400))
3612  {
3613  if (!o->ciphername)
3614  {
3615  /* If ciphername is not set default to BF-CBC when targeting these
3616  * old versions that do not have NCP */
3617  o->ciphername = "BF-CBC";
3618  }
3619  /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3620  * not have OCC strings required for "poor man's NCP" */
3621  o->enable_ncp_fallback = true;
3622  }
3623 
3624  /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3625  * Version 2.4 probably does not need it but NCP was not so
3626  * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3627  * Only do this iff --cipher is set (explicitly or by compat mode
3628  * < 2.4.0, see above). This is not 100% correct backwards compatible
3629  * behaviour but 2.5 already behaved like this */
3630  if (o->ciphername && need_compatibility_before(o, 20500)
3631  && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3632  {
3633  append_cipher_to_ncp_list(o, o->ciphername);
3634  }
3635 
3636 #ifdef USE_COMP
3637  /* Compression is deprecated and we do not want to announce support for it
3638  * by default anymore, additionally DCO breaks with compression.
3639  *
3640  * Disable compression by default starting with 2.6.0 if no other
3641  * compression related option has been explicitly set */
3642  if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
3643  {
3644  if (!comp_non_stub_enabled(&o->comp))
3645  {
3646  o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
3647  }
3648  }
3649 #else /* ifdef USE_COMP */
3650  o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;
3651 #endif
3652 }
3653 
3654 static void
3655 options_process_mutate_prf(struct options *o)
3656 {
3657  if (!check_tls_prf_working())
3658  {
3659  msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
3660  "supported by the TLS library. Your system does not support this "
3661  "calculation anymore or your security policy (e.g. FIPS 140-2) "
3662  "forbids it. Connections will only work with peers running "
3663  "OpenVPN 2.6.0 or higher)");
3664 #ifndef HAVE_EXPORT_KEYING_MATERIAL
3665  msg(M_FATAL, "Keying Material Exporters (RFC 5705) not available either. "
3666  "No way to generate data channel keys left.");
3667 #endif
3668  if (o->mode == MODE_SERVER)
3669  {
3670  msg(M_WARN, "Automatically enabling option "
3671  "--force-tls-key-material-export");
3672  o->force_key_material_export = true;
3673  }
3674 
3675  }
3676 }
3677 
3678 static void
3679 options_postprocess_mutate(struct options *o, struct env_set *es)
3680 {
3681  int i;
3682  /*
3683  * Process helper-type options which map to other, more complex
3684  * sequences of options.
3685  */
3686  helper_client_server(o);
3687  helper_keepalive(o);
3688  helper_tcp_nodelay(o);
3689 
3690  options_postprocess_setdefault_ncpciphers(o);
3691  options_set_backwards_compatible_options(o);
3692  options_process_mutate_prf(o);
3693 
3694  options_postprocess_cipher(o);
3695  o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3696  if (o->ncp_ciphers == NULL)
3697  {
3698  msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3699  }
3700 
3701  if (o->remote_list && !o->connection_list)
3702  {
3703  /*
3704  * Convert remotes into connection list
3705  */
3706  const struct remote_list *rl = o->remote_list;
3707  for (i = 0; i < rl->len; ++i)
3708  {
3709  const struct remote_entry *re = rl->array[i];
3710  struct connection_entry ce = o->ce;
3711  struct connection_entry *ace;
3712 
3713  ASSERT(re->remote);
3714  connection_entry_load_re(&ce, re);
3715  ace = alloc_connection_entry(o, M_USAGE);
3716  ASSERT(ace);
3717  *ace = ce;
3718  }
3719  }
3720  else if (!o->remote_list && !o->connection_list)
3721  {
3722  struct connection_entry *ace;
3723  ace = alloc_connection_entry(o, M_USAGE);
3724  ASSERT(ace);
3725  *ace = o->ce;
3726  }
3727 
3728  ASSERT(o->connection_list);
3729  for (i = 0; i < o->connection_list->len; ++i)
3730  {
3731  options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3732  }
3733 
3734  if (o->tls_server)
3735  {
3736  /* Check that DH file is specified, or explicitly disabled */
3737  notnull(o->dh_file, "DH file (--dh)");
3738  if (streq(o->dh_file, "none"))
3739  {
3740  o->dh_file = NULL;
3741  }
3742  }
3743  else if (o->dh_file)
3744  {
3745  /* DH file is only meaningful in a tls-server context. */
3746  msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3747  "include this in your server configuration");
3748  o->dh_file = NULL;
3749  }
3750 #if ENABLE_MANAGEMENT
3751  if (o->http_proxy_override)
3752  {
3753  options_postprocess_http_proxy_override(o);
3754  }
3755 #endif
3756  if (!o->ca_file && !o->ca_path && o->verify_hash
3757  && o->verify_hash_depth == 0)
3758  {
3759  msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3760  "option set). ");
3761  o->verify_hash_no_ca = true;
3762  }
3763 
3764  if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3765  {
3766  msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3767  "incompatible with each other.");
3768  }
3769 
3770  if (dco_enabled(o))
3771  {
3772  /* check if any option should force disabling DCO */
3773  o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o)
3774  || !dco_check_startup_option(D_DCO, o);
3775  }
3776 #ifdef USE_COMP
3777  if (dco_enabled(o))
3778  {
3779  o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY;
3780  }
3781 #endif
3782 
3783 #ifdef _WIN32
3784  if (dco_enabled(o))
3785  {
3786  o->windows_driver = WINDOWS_DRIVER_DCO;
3787  }
3788  else
3789  {
3790  if (o->windows_driver == WINDOWS_DRIVER_DCO)
3791  {
3792  msg(M_WARN, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3793  o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3794  }
3795  else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED)
3796  {
3797  o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3798  }
3799  }
3800 #else /* _WIN32 */
3801  if (dco_enabled(o) && o->dev_node)
3802  {
3803  msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3804  "data channel offload");
3805  o->dev_node = NULL;
3806  }
3807 #endif /* _WIN32 */
3808 
3809  /* this depends on o->windows_driver, which is set above */
3810  options_postprocess_mutate_invariant(o);
3811 
3812  /* check that compression settings in the options are okay */
3813  check_compression_settings_valid(&o->comp, M_USAGE);
3814 
3815  /*
3816  * Save certain parms before modifying options during connect, especially
3817  * when using --pull
3818  */
3819  if (o->pull)
3820  {
3821  dns_options_preprocess_pull(&o->dns_options);
3822  }
3823  else
3824  {
3825 #if defined(_WIN32) || defined(TARGET_ANDROID)
3826  tuntap_options_copy_dns(o);
3827 #else
3828  foreign_options_copy_dns(o, es);
3829 #endif
3830  }
3831  if (o->auth_token_generate && !o->auth_token_renewal)
3832  {
3833  o->auth_token_renewal = o->renegotiate_seconds;
3834  }
3835  pre_connect_save(o);
3836 }
3837 
3838 /*
3839  * Check file/directory sanity
3840  *
3841  */
3842 #ifndef ENABLE_SMALL
3844 #define CHKACC_FILE (1<<0)
3845 #define CHKACC_DIRPATH (1<<1)
3846 #define CHKACC_FILEXSTWR (1<<2)
3847 #define CHKACC_ACPTSTDIN (1<<3)
3848 #define CHKACC_PRIVATE (1<<4)
3850 static bool
3851 check_file_access(const int type, const char *file, const int mode, const char *opt)
3852 {
3853  int errcode = 0;
3854 
3855  /* If no file configured, no errors to look for */
3856  if (!file)
3857  {
3858  return false;
3859  }
3860 
3861  /* If stdin is allowed and the file name is 'stdin', then do no
3862  * further checks as stdin is always available
3863  */
3864  if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3865  {
3866  return false;
3867  }
3868 
3869  /* Is the directory path leading to the given file accessible? */
3870  if (type & CHKACC_DIRPATH)
3871  {
3872  char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3873  char *dirpath = dirname(fullpath);
3874 
3875  if (platform_access(dirpath, mode|X_OK) != 0)
3876  {
3877  errcode = errno;
3878  }
3879  free(fullpath);
3880  }
3881 
3882  /* Is the file itself accessible? */
3883  if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3884  {
3885  errcode = errno;
3886  }
3887 
3888  /* If the file exists and is accessible, is it writable? */
3889  if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3890  {
3891  if (platform_access(file, W_OK) != 0)
3892  {
3893  errcode = errno;
3894  }
3895  }
3896 
3897  /* Warn if a given private file is group/others accessible. */
3898  if (type & CHKACC_PRIVATE)
3899  {
3900  platform_stat_t st;
3901  if (platform_stat(file, &st))
3902  {
3903  msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3904  }
3905 #ifndef _WIN32
3906  else
3907  {
3908  if (st.st_mode & (S_IRWXG|S_IRWXO))
3909  {
3910  msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3911  }
3912  }
3913 #endif
3914  }
3915 
3916  /* Scream if an error is found */
3917  if (errcode > 0)
3918  {
3919  msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3920  }
3921 
3922  /* Return true if an error occurred */
3923  return (errcode != 0 ? true : false);
3924 }
3925 
3926 /* A wrapper for check_file_access() which also takes a chroot directory.
3927  * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3928  * otherwise it will look for the file inside the given chroot directory instead.
3929  */
3930 static bool
3931 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3932 {
3933  bool ret = false;
3934 
3935  /* If no file configured, no errors to look for */
3936  if (!file)
3937  {
3938  return false;
3939  }
3940 
3941  /* If chroot is set, look for the file/directory inside the chroot */
3942  if (chroot)
3943  {
3944  struct gc_arena gc = gc_new();
3945  struct buffer chroot_file;
3946 
3947  chroot_file = prepend_dir(chroot, file, &gc);
3948  ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3949  gc_free(&gc);
3950  }
3951  else
3952  {
3953  /* No chroot in play, just call core file check function */
3954  ret = check_file_access(type, file, mode, opt);
3955  }
3956  return ret;
3957 }
3958 
3963 static bool
3964 check_file_access_chroot_inline(bool is_inline, const char *chroot,
3965  const int type, const char *file,
3966  const int mode, const char *opt)
3967 {
3968  if (is_inline)
3969  {
3970  return false;
3971  }
3972 
3973  return check_file_access_chroot(chroot, type, file, mode, opt);
3974 }
3975 
3980 static bool
3981 check_file_access_inline(bool is_inline, const int type, const char *file,
3982  const int mode, const char *opt)
3983 {
3984  if (is_inline)
3985  {
3986  return false;
3987  }
3988 
3989  return check_file_access(type, file, mode, opt);
3990 }
3991 
3992 /*
3993  * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3994  * valid file with appropriate permissions.
3995  *
3996  * "command" consists of a path, optionally followed by a space, which may be
3997  * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3998  * performed.
3999  *
4000  * The path and arguments in "command" may be single- or double-quoted or escaped.
4001  *
4002  * The path is extracted from "command", then check_file_access() is called to check it. The
4003  * arguments, if any, are ignored.
4004  *
4005  * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
4006  * check_file_access() arguments.
4007  */
4008 static bool
4009 check_cmd_access(const char *command, const char *opt, const char *chroot)
4010 {
4011  struct argv argv;
4012  bool return_code;
4013 
4014  /* If no command was set, there are no errors to look for */
4015  if (!command)
4016  {
4017  return false;
4018  }
4019 
4020  /* Extract executable path and arguments */
4021  argv = argv_new();
4022  argv_parse_cmd(&argv, command);
4023 
4024  /* if an executable is specified then check it; otherwise, complain */
4025  if (argv.argv[0])
4026  {
4027  /* Scripts requires R_OK as well, but that might fail on binaries which
4028  * only requires X_OK to function on Unix - a scenario not unlikely to
4029  * be seen on suid binaries.
4030  */
4031  return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
4032  }
4033  else
4034  {
4035  msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
4036  opt, command);
4037  return_code = true;
4038  }
4039 
4040  argv_free(&argv);
4041 
4042  return return_code;
4043 }
4044 
4045 /*
4046  * Sanity check of all file/dir options. Checks that file/dir
4047  * is accessible by OpenVPN
4048  */
4049 static void
4050 options_postprocess_filechecks(struct options *options)
4051 {
4052  bool errs = false;
4053 
4054  /* ** SSL/TLS/crypto related files ** */
4055  errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
4056  options->dh_file, R_OK, "--dh");
4057 
4058  if (!options->verify_hash_no_ca)
4059  {
4060  errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
4061  options->ca_file, R_OK, "--ca");
4062  }
4063 
4064  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4065  options->ca_path, R_OK, "--capath");
4066 
4067  errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE,
4068  options->cert_file, R_OK, "--cert");
4069 
4070  errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
4071  options->extra_certs_file, R_OK,
4072  "--extra-certs");
4073 
4074  if (!(options->management_flags & MF_EXTERNAL_KEY))
4075  {
4076  errs |= check_file_access_inline(options->priv_key_file_inline,
4077  CHKACC_FILE|CHKACC_PRIVATE,
4078  options->priv_key_file, R_OK, "--key");
4079  }
4080 
4081  errs |= check_file_access_inline(options->pkcs12_file_inline,
4082  CHKACC_FILE|CHKACC_PRIVATE,
4083  options->pkcs12_file, R_OK, "--pkcs12");
4084 
4085  if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
4086  {
4087  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4088  options->crl_file, R_OK|X_OK,
4089  "--crl-verify directory");
4090  }
4091  else
4092  {
4093  errs |= check_file_access_chroot_inline(options->crl_file_inline,
4094  options->chroot_dir,
4095  CHKACC_FILE, options->crl_file,
4096  R_OK, "--crl-verify");
4097  }
4098 
4099  if (options->tls_export_peer_cert_dir)
4100  {
4101  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4102  options->tls_export_peer_cert_dir,
4103  W_OK, "--tls-export-cert");
4104  }
4105 
4106  ASSERT(options->connection_list);
4107  for (int i = 0; i < options->connection_list->len; ++i)
4108  {
4109  struct connection_entry *ce = options->connection_list->array[i];
4110 
4111  errs |= check_file_access_inline(ce->tls_auth_file_inline,
4112  CHKACC_FILE|CHKACC_PRIVATE,
4113  ce->tls_auth_file, R_OK,
4114  "--tls-auth");
4115  errs |= check_file_access_inline(ce->tls_crypt_file_inline,
4116  CHKACC_FILE|CHKACC_PRIVATE,
4117  ce->tls_crypt_file, R_OK,
4118  "--tls-crypt");
4119  errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline,
4120  CHKACC_FILE|CHKACC_PRIVATE,
4121  ce->tls_crypt_v2_file, R_OK,
4122  "--tls-crypt-v2");
4123  }
4124 
4125  errs |= check_file_access_inline(options->shared_secret_file_inline,
4126  CHKACC_FILE|CHKACC_PRIVATE,
4127  options->shared_secret_file, R_OK,
4128  "--secret");
4129 
4130  errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
4131  options->packet_id_file, R_OK|W_OK, "--replay-persist");
4132 
4133  /* ** Password files ** */
4134  errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4135  options->key_pass_file, R_OK, "--askpass");
4136 #ifdef ENABLE_MANAGEMENT
4137  errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4138  options->management_user_pass, R_OK,
4139  "--management user/password file");
4140 #endif /* ENABLE_MANAGEMENT */
4141  errs |= check_file_access_inline(options->auth_user_pass_file_inline,
4142  CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4143  options->auth_user_pass_file, R_OK,
4144  "--auth-user-pass");
4145  /* ** System related ** */
4146  errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
4147  R_OK|X_OK, "--chroot directory");
4148  errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
4149  R_OK|W_OK, "--writepid");
4150 
4151  /* ** Log related ** */
4152  errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
4153  R_OK|W_OK, "--status");
4154 
4155  /* ** Config related ** */
4156  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4157  R_OK|X_OK, "--client-config-dir");
4158  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4159  R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
4160 
4161  if (errs)
4162  {
4163  msg(M_USAGE, "Please correct these errors.");
4164  }
4165 }
4166 #endif /* !ENABLE_SMALL */
4167 
4168 /*
4169  * Sanity check on options.
4170  * Also set some options based on other
4171  * options.
4172  */
4173 void
4174 options_postprocess(struct options *options, struct env_set *es)
4175 {
4176  options_postprocess_mutate(options, es);
4177  options_postprocess_verify(options);
4178 #ifndef ENABLE_SMALL
4179  options_postprocess_filechecks(options);
4180 #endif /* !ENABLE_SMALL */
4181 }
4182 
4183 /*
4184  * Sanity check on options after more options were pulled from server.
4185  * Also time to modify some options based on other options.
4186  */
4187 bool
4188 options_postprocess_pull(struct options *o, struct env_set *es)
4189 {
4190  bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4191  if (success)
4192  {
4193  dns_options_postprocess_pull(&o->dns_options);
4194  setenv_dns_options(&o->dns_options, es);
4195 #if defined(_WIN32) || defined(TARGET_ANDROID)
4196  tuntap_options_copy_dns(o);
4197 #else
4198  foreign_options_copy_dns(o, es);
4199 #endif
4200  }
4201  return success;
4202 }
4203 
4204 /*
4205  * Build an options string to represent data channel encryption options.
4206  * This string must match exactly between peers. The keysize is checked
4207  * separately by read_key().
4208  *
4209  * The following options must match on both peers:
4210  *
4211  * Tunnel options:
4212  *
4213  * --dev tun|tap [unit number need not match]
4214  * --dev-type tun|tap
4215  * --link-mtu
4216  * --udp-mtu
4217  * --tun-mtu
4218  * --proto udp
4219  * --proto tcp-client [matched with --proto tcp-server
4220  * on the other end of the connection]
4221  * --proto tcp-server [matched with --proto tcp-client on
4222  * the other end of the connection]
4223  * --tun-ipv6
4224  * --ifconfig x y [matched with --ifconfig y x on
4225  * the other end of the connection]
4226  *
4227  * --comp-lzo
4228  * --compress alg
4229  * --fragment
4230  *
4231  * Crypto Options:
4232  *
4233  * --cipher
4234  * --auth
4235  * --secret
4236  *
4237  * SSL Options:
4238  *
4239  * --tls-auth
4240  * --tls-client [matched with --tls-server on
4241  * the other end of the connection]
4242  * --tls-server [matched with --tls-client on
4243  * the other end of the connection]
4244  */
4245 char *
4246 options_string(const struct options *o,
4247  const struct frame *frame,
4248  struct tuntap *tt,
4249  openvpn_net_ctx_t *ctx,
4250  bool remote,
4251  struct gc_arena *gc)
4252 {
4253  struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4254  bool tt_local = false;
4255 
4256  buf_printf(&out, "V4");
4257 
4258  /*
4259  * Tunnel Options
4260  */
4261 
4262  buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4263  /* the link-mtu that we send has only a meaning if have a fixed
4264  * cipher (p2p) or have a fallback cipher configured for older non
4265  * ncp clients. But not sending it will make even 2.4 complain
4266  * about it being missing. So still send it. */
4267  buf_printf(&out, ",link-mtu %u",
4268  (unsigned int) calc_options_string_link_mtu(o, frame));
4269 
4270  if (o->ce.occ_mtu != 0)
4271  {
4272  buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4273  }
4274  else
4275  {
4276  buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4277  }
4278 
4279  buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4280 
4281  bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4282  /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4283  * is usually pushed by the server, triggering a non-helpful warning
4284  */
4285  if (o->ifconfig_ipv6_local && p2p_nopull)
4286  {
4287  buf_printf(&out, ",tun-ipv6");
4288  }
4289 
4290  /*
4291  * Try to get ifconfig parameters into the options string.
4292  * If tt is undefined, make a temporary instantiation.
4293  */
4294  if (!tt)
4295  {
4296  tt = init_tun(o->dev,
4297  o->dev_type,
4298  o->topology,
4299  o->ifconfig_local,
4300  o->ifconfig_remote_netmask,
4301  o->ifconfig_ipv6_local,
4302  o->ifconfig_ipv6_netbits,
4303  o->ifconfig_ipv6_remote,
4304  NULL,
4305  NULL,
4306  false,
4307  NULL,
4308  ctx,
4309  NULL);
4310  if (tt)
4311  {
4312  tt_local = true;
4313  }
4314  }
4315 
4316  if (tt && p2p_nopull)
4317  {
4318  const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4319  if (ios && strlen(ios))
4320  {
4321  buf_printf(&out, ",ifconfig %s", ios);
4322  }
4323  }
4324  if (tt_local)
4325  {
4326  free(tt);
4327  tt = NULL;
4328  }
4329 
4330 #ifdef USE_COMP
4331  if (o->comp.alg != COMP_ALG_UNDEF)
4332  {
4333  buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
4334  }
4335 #endif
4336 
4337 #ifdef ENABLE_FRAGMENT
4338  if (o->ce.fragment)
4339  {
4340  buf_printf(&out, ",mtu-dynamic");
4341  }
4342 #endif
4343 
4344 #define TLS_CLIENT (o->tls_client)
4345 #define TLS_SERVER (o->tls_server)
4346 
4347  /*
4348  * Key direction
4349  */
4350  {
4351  const char *kd = keydirection2ascii(o->key_direction, remote, false);
4352  if (kd)
4353  {
4354  buf_printf(&out, ",keydir %s", kd);
4355  }
4356  }
4357 
4358  /*
4359  * Crypto Options
4360  */
4361  if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4362  {
4363  struct key_type kt;
4364 
4365  ASSERT((o->shared_secret_file != NULL)
4366  + (TLS_CLIENT == true)
4367  + (TLS_SERVER == true)
4368  <= 1);
4369 
4370  /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4371  * to work here in the default configuration */
4372  const char *ciphername = o->ciphername;
4373  int keysize = 0;
4374 
4375  if (strcmp(o->ciphername, "BF-CBC") == 0)
4376  {
4377  init_key_type(&kt, "none", o->authname, true, false);
4378  keysize = 128;
4379  }
4380  else
4381  {
4382  init_key_type(&kt, o->ciphername, o->authname, true, false);
4383  ciphername = cipher_kt_name(kt.cipher);
4384  if (cipher_defined(o->ciphername))
4385  {
4386  keysize = cipher_kt_key_size(kt.cipher) * 8;
4387  }
4388  }
4389  /* Only announce the cipher to our peer if we are willing to
4390  * support it */
4391  if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4392  {
4393  buf_printf(&out, ",cipher %s", ciphername);
4394  }
4395  buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4396  buf_printf(&out, ",keysize %d", keysize);
4397  if (o->shared_secret_file)
4398  {
4399  buf_printf(&out, ",secret");
4400  }
4401 
4402 #ifdef ENABLE_PREDICTION_RESISTANCE
4403  if (o->use_prediction_resistance)
4404  {
4405  buf_printf(&out, ",use-prediction-resistance");
4406  }
4407 #endif
4408  }
4409 
4410  /*
4411  * SSL Options
4412  */
4413  {
4414  if (TLS_CLIENT || TLS_SERVER)
4415  {
4416  if (o->ce.tls_auth_file)
4417  {
4418  buf_printf(&out, ",tls-auth");
4419  }
4420  /* Not adding tls-crypt here, because we won't reach this code if
4421  * tls-auth/tls-crypt does not match. Removing tls-auth here would
4422  * break stuff, so leaving that in place. */
4423 
4424  buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4425  }
4426 
4427  if (remote)
4428  {
4429  if (TLS_CLIENT)
4430  {
4431  buf_printf(&out, ",tls-server");
4432  }
4433  else if (TLS_SERVER)
4434  {
4435  buf_printf(&out, ",tls-client");
4436  }
4437  }
4438  else
4439  {
4440  if (TLS_CLIENT)
4441  {
4442  buf_printf(&out, ",tls-client");
4443  }
4444  else if (TLS_SERVER)
4445  {
4446  buf_printf(&out, ",tls-server");
4447  }
4448  }
4449  }
4450 
4451 #undef TLS_CLIENT
4452 #undef TLS_SERVER
4453 
4454  return BSTR(&out);
4455 }
4456 
4457 /*
4458  * Compare option strings for equality.
4459  * If the first two chars of the strings differ, it means that
4460  * we are looking at different versions of the options string,
4461  * therefore don't compare them and return true.
4462  */
4463 
4464 bool
4465 options_cmp_equal(char *actual, const char *expected)
4466 {
4467  return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4468 }
4469 
4470 void
4471 options_warning(char *actual, const char *expected)
4472 {
4473  options_warning_safe(actual, expected, strlen(actual) + 1);
4474 }
4475 
4476 static const char *
4477 options_warning_extract_parm1(const char *option_string,
4478  struct gc_arena *gc_ret)
4479 {
4480  struct gc_arena gc = gc_new();
4481  struct buffer b = string_alloc_buf(option_string, &gc);
4482  char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4483  const char *ret;
4484 
4485  buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4486  ret = string_alloc(p, gc_ret);
4487  gc_free(&gc);
4488  return ret;
4489 }
4490 
4491 static void
4492 options_warning_safe_scan2(const int msglevel,
4493  const int delim,
4494  const bool report_inconsistent,
4495  const char *p1,
4496  const struct buffer *b2_src,
4497  const char *b1_name,
4498  const char *b2_name)
4499 {
4500  /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4501  * OCC in a future version (because it's not useful). To reduce questions
4502  * when interoperating, we no longer printing a warning about it.
4503  */
4504  if (strprefix(p1, "key-method ")
4505  || strprefix(p1, "keydir ")
4506  || strprefix(p1, "proto ")
4507  || streq(p1, "tls-auth")
4508  || strprefix(p1, "tun-ipv6")
4509  || strprefix(p1, "cipher "))
4510  {
4511  return;
4512  }
4513 
4514  if (strlen(p1) > 0)
4515  {
4516  struct gc_arena gc = gc_new();
4517  struct buffer b2 = *b2_src;
4518  const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4519  char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4520 
4521  while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4522  {
4523  if (strlen(p2))
4524  {
4525  const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4526 
4527  if (!strcmp(p1, p2))
4528  {
4529  goto done;
4530  }
4531  if (!strcmp(p1_prefix, p2_prefix))
4532  {
4533  if (report_inconsistent)
4534  {
4535  msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4536  safe_print(p1_prefix, &gc),
4537  b1_name,
4538  safe_print(p1, &gc),
4539  b2_name,
4540  safe_print(p2, &gc));
4541  }
4542  goto done;
4543  }
4544  }
4545  }
4546 
4547  msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4548  safe_print(p1_prefix, &gc),
4549  b1_name,
4550  b2_name,
4551  b1_name,
4552  safe_print(p1, &gc));
4553 
4554 done:
4555  gc_free(&gc);
4556  }
4557 }
4558 
4559 static void
4560 options_warning_safe_scan1(const int msglevel,
4561  const int delim,
4562  const bool report_inconsistent,
4563  const struct buffer *b1_src,
4564  const struct buffer *b2_src,
4565  const char *b1_name,
4566  const char *b2_name)
4567 {
4568  struct gc_arena gc = gc_new();
4569  struct buffer b = *b1_src;
4570  char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4571 
4572  while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4573  {
4574  options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4575  }
4576 
4577  gc_free(&gc);
4578 }
4579 
4580 static void
4581 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4582 {
4583  struct gc_arena gc = gc_new();
4584 
4585  if (actual_n > 0)
4586  {
4587  struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4588  struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4589  actual[actual_n - 1] = 0;
4590 
4591  buf_printf(&local, "version %s", expected);
4592  buf_printf(&remote, "version %s", actual);
4593 
4594  options_warning_safe_scan1(msglevel, ',', true,
4595  &local, &remote,
4596  "local", "remote");
4597 
4598  options_warning_safe_scan1(msglevel, ',', false,
4599  &remote, &local,
4600  "remote", "local");
4601  }
4602 
4603  gc_free(&gc);
4604 }
4605 
4606 bool
4607 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4608 {
4609  struct gc_arena gc = gc_new();
4610  bool ret = true;
4611 
4612  if (actual_n > 0)
4613  {
4614  actual[actual_n - 1] = 0;
4615  if (strncmp(actual, expected, 2))
4616  {
4617  msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4618  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4619  }
4620  else
4621  {
4622  ret = !strcmp(actual, expected);
4623  }
4624  }
4625  gc_free(&gc);
4626  return ret;
4627 }
4628 
4629 void
4630 options_warning_safe(char *actual, const char *expected, size_t actual_n)
4631 {
4632  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4633 }
4634 
4635 const char *
4636 options_string_version(const char *s, struct gc_arena *gc)
4637 {
4638  struct buffer out = alloc_buf_gc(4, gc);
4639  strncpynt((char *) BPTR(&out), s, 3);
4640  return BSTR(&out);
4641 }
4642 
4643 char *
4644 options_string_extract_option(const char *options_string, const char *opt_name,
4645  struct gc_arena *gc)
4646 {
4647  char *ret = NULL;
4648  const size_t opt_name_len = strlen(opt_name);
4649 
4650  const char *p = options_string;
4651  while (p)
4652  {
4653  if (0 == strncmp(p, opt_name, opt_name_len)
4654  && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4655  {
4656  /* option found, extract value */
4657  const char *start = &p[opt_name_len+1];
4658  const char *end = strchr(p, ',');
4659  size_t val_len = end ? end - start : strlen(start);
4660  ret = gc_malloc(val_len+1, true, gc);
4661  memcpy(ret, start, val_len);
4662  break;
4663  }
4664  p = strchr(p, ',');
4665  if (p)
4666  {
4667  p++; /* skip delimiter */
4668  }
4669  }
4670  return ret;
4671 }
4672 
4673 #ifdef _WIN32
4674 
4681 static enum windows_driver_type
4682 parse_windows_driver(const char *str, const int msglevel)
4683 {
4684  if (streq(str, "tap-windows6"))
4685  {
4686  return WINDOWS_DRIVER_TAP_WINDOWS6;
4687  }
4688  else if (streq(str, "wintun"))
4689  {
4690  return WINDOWS_DRIVER_WINTUN;
4691  }
4692 
4693  else if (streq(str, "ovpn-dco"))
4694  {
4695  return WINDOWS_DRIVER_DCO;
4696  }
4697  else
4698  {
4699  msg(msglevel, "--windows-driver must be tap-windows6, wintun "
4700  "or ovpn-dco");
4701  return WINDOWS_DRIVER_UNSPECIFIED;
4702  }
4703 }
4704 #endif /* ifdef _WIN32 */
4705 
4706 /*
4707  * parse/print topology coding
4708  */
4709 
4710 int
4711 parse_topology(const char *str, const int msglevel)
4712 {
4713  if (streq(str, "net30"))
4714  {
4715  return TOP_NET30;
4716  }
4717  else if (streq(str, "p2p"))
4718  {
4719  return TOP_P2P;
4720  }
4721  else if (streq(str, "subnet"))
4722  {
4723  return TOP_SUBNET;
4724  }
4725  else
4726  {
4727  msg(msglevel, "--topology must be net30, p2p, or subnet");
4728  return TOP_UNDEF;
4729  }
4730 }
4731 
4732 const char *
4733 print_topology(const int topology)
4734 {
4735  switch (topology)
4736  {
4737  case TOP_UNDEF:
4738  return "undef";
4739 
4740  case TOP_NET30:
4741  return "net30";
4742 
4743  case TOP_P2P:
4744  return "p2p";
4745 
4746  case TOP_SUBNET:
4747  return "subnet";
4748 
4749  default:
4750  return "unknown";
4751  }
4752 }
4753 
4754 /*
4755  * Manage auth-retry variable
4756  */
4757 
4758 static int global_auth_retry; /* GLOBAL */
4759 
4760 int
4761 auth_retry_get(void)
4762 {
4763  return global_auth_retry;
4764 }
4765 
4766 bool
4767 auth_retry_set(const int msglevel, const char *option)
4768 {
4769  if (streq(option, "interact"))
4770  {
4771  global_auth_retry = AR_INTERACT;
4772  }
4773  else if (streq(option, "nointeract"))
4774  {
4775  global_auth_retry = AR_NOINTERACT;
4776  }
4777  else if (streq(option, "none"))
4778  {
4779  global_auth_retry = AR_NONE;
4780  }
4781  else
4782  {
4783  msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4784  return false;
4785  }
4786  return true;
4787 }
4788 
4789 const char *
4790 auth_retry_print(void)
4791 {
4792  switch (global_auth_retry)
4793  {
4794  case AR_NONE:
4795  return "none";
4796 
4797  case AR_NOINTERACT:
4798  return "nointeract";
4799 
4800  case AR_INTERACT:
4801  return "interact";
4802 
4803  default:
4804  return "???";
4805  }
4806 }
4807 
4808 /*
4809  * Print the help message.
4810  */
4811 static void
4812 usage(void)
4813 {
4814  FILE *fp = msg_fp(0);
4815 
4816 #ifdef ENABLE_SMALL
4817 
4818  fprintf(fp, "Usage message not available\n");
4819 
4820 #else
4821 
4822  struct options o;
4823  init_options(&o, true);
4824 
4825  fprintf(fp, usage_message,
4826  title_string,
4827  o.ce.connect_retry_seconds,
4828  o.ce.connect_retry_seconds_max,
4829  o.ce.local_port, o.ce.remote_port,
4830  TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
4831  o.verbosity,
4832  o.authname,
4833  o.replay_window, o.replay_time,
4834  o.tls_timeout, o.renegotiate_seconds,
4835  o.handshake_window, o.transition_window);
4836  fflush(fp);
4837 
4838 #endif /* ENABLE_SMALL */
4839 
4840  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4841 }
4842 
4843 void
4844 usage_small(void)
4845 {
4846  msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4847  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4848 }
4849 
4850 #ifdef _WIN32
4851 void
4852 show_windows_version(const unsigned int flags)
4853 {
4854  struct gc_arena gc = gc_new();
4855  msg(flags, "Windows version %s", win32_version_string(&gc, true));
4856  gc_free(&gc);
4857 }
4858 #endif
4859 
4860 void
4861 show_dco_version(const unsigned int flags)
4862 {
4863 #ifdef ENABLE_DCO
4864  struct gc_arena gc = gc_new();
4865  msg(flags, "DCO version: %s", dco_version_string(&gc));
4866  gc_free(&gc);
4867 #endif
4868 }
4869 
4870 void
4871 show_library_versions(const unsigned int flags)
4872 {
4873 #ifdef ENABLE_LZO
4874 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4875 #else
4876 #define LZO_LIB_VER_STR "", ""
4877 #endif
4878 
4879  msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4880  LZO_LIB_VER_STR);
4881 
4882 #undef LZO_LIB_VER_STR
4883 }
4884 
4885 static void
4886 usage_version(void)
4887 {
4888  msg(M_INFO|M_NOPREFIX, "%s", title_string);
4889  show_library_versions( M_INFO|M_NOPREFIX );
4890 #ifdef _WIN32
4891  show_windows_version( M_INFO|M_NOPREFIX );
4892 #endif
4893  show_dco_version(M_INFO | M_NOPREFIX);
4894  msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4895  msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>");
4896 #ifndef ENABLE_SMALL
4897 #ifdef CONFIGURE_DEFINES
4898  msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4899 #endif
4900 #ifdef CONFIGURE_SPECIAL_BUILD
4901  msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4902 #endif
4903 #endif
4904  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4905 }
4906 
4907 void
4908 notnull(const char *arg, const char *description)
4909 {
4910  if (!arg)
4911  {
4912  msg(M_USAGE, "You must define %s", description);
4913  }
4914 }
4915 
4916 bool
4917 string_defined_equal(const char *s1, const char *s2)
4918 {
4919  if (s1 && s2)
4920  {
4921  return !strcmp(s1, s2);
4922  }
4923  else
4924  {
4925  return false;
4926  }
4927 }
4928 
4929 #if 0
4930 static void
4931 ping_rec_err(int msglevel)
4932 {
4933  msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4934 }
4935 #endif
4936 
4937 static int
4938 positive_atoi(const char *str)
4939 {
4940  const int i = atoi(str);
4941  return i < 0 ? 0 : i;
4942 }
4943 
4944 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4945 static unsigned int
4946 atou(const char *str)
4947 {
4948  unsigned int val = 0;
4949  sscanf(str, "%u", &val);
4950  return val;
4951 }
4952 #endif
4953 
4954 static inline bool
4955 space(unsigned char c)
4956 {
4957  return c == '\0' || isspace(c);
4958 }
4959 
4960 int
4961 parse_line(const char *line,
4962  char *p[],
4963  const int n,
4964  const char *file,
4965  const int line_num,
4966  int msglevel,
4967  struct gc_arena *gc)
4968 {
4969  const int STATE_INITIAL = 0;
4970  const int STATE_READING_QUOTED_PARM = 1;
4971  const int STATE_READING_UNQUOTED_PARM = 2;
4972  const int STATE_DONE = 3;
4973  const int STATE_READING_SQUOTED_PARM = 4;
4974 
4975  const char *error_prefix = "";
4976 
4977  int ret = 0;
4978  const char *c = line;
4979  int state = STATE_INITIAL;
4980  bool backslash = false;
4981  char in, out;
4982 
4983  char parm[OPTION_PARM_SIZE];
4984  unsigned int parm_len = 0;
4985 
4986  msglevel &= ~M_OPTERR;
4987 
4988  if (msglevel & M_MSG_VIRT_OUT)
4989  {
4990  error_prefix = "ERROR: ";
4991  }
4992 
4993  do
4994  {
4995  in = *c;
4996  out = 0;
4997 
4998  if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4999  {
5000  backslash = true;
5001  }
5002  else
5003  {
5004  if (state == STATE_INITIAL)
5005  {
5006  if (!space(in))
5007  {
5008  if (in == ';' || in == '#') /* comment */
5009  {
5010  break;
5011  }
5012  if (!backslash && in == '\"')
5013  {
5014  state = STATE_READING_QUOTED_PARM;
5015  }
5016  else if (!backslash && in == '\'')
5017  {
5018  state = STATE_READING_SQUOTED_PARM;
5019  }
5020  else
5021  {
5022  out = in;
5023  state = STATE_READING_UNQUOTED_PARM;
5024  }
5025  }
5026  }
5027  else if (state == STATE_READING_UNQUOTED_PARM)
5028  {
5029  if (!backslash && space(in))
5030  {
5031  state = STATE_DONE;
5032  }
5033  else
5034  {
5035  out = in;
5036  }
5037  }
5038  else if (state == STATE_READING_QUOTED_PARM)
5039  {
5040  if (!backslash && in == '\"')
5041  {
5042  state = STATE_DONE;
5043  }
5044  else
5045  {
5046  out = in;
5047  }
5048  }
5049  else if (state == STATE_READING_SQUOTED_PARM)
5050  {
5051  if (in == '\'')
5052  {
5053  state = STATE_DONE;
5054  }
5055  else
5056  {
5057  out = in;
5058  }
5059  }
5060  if (state == STATE_DONE)
5061  {
5062  /* ASSERT (parm_len > 0); */
5063  p[ret] = gc_malloc(parm_len + 1, true, gc);
5064  memcpy(p[ret], parm, parm_len);
5065  p[ret][parm_len] = '\0';
5066  state = STATE_INITIAL;
5067  parm_len = 0;
5068  ++ret;
5069  }
5070 
5071  if (backslash && out)
5072  {
5073  if (!(out == '\\' || out == '\"' || space(out)))
5074  {
5075 #ifdef ENABLE_SMALL
5076  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
5077 #else
5078  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
5079 #endif
5080  return 0;
5081  }
5082  }
5083  backslash = false;
5084  }
5085 
5086  /* store parameter character */
5087  if (out)
5088  {
5089  if (parm_len >= SIZE(parm))
5090  {
5091  parm[SIZE(parm) - 1] = 0;
5092  msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5093  error_prefix, file, line_num, (int) SIZE(parm), parm);
5094  return 0;
5095  }
5096  parm[parm_len++] = out;
5097  }
5098 
5099  /* avoid overflow if too many parms in one config file line */
5100  if (ret >= n)
5101  {
5102  break;
5103  }
5104 
5105  } while (*c++ != '\0');
5106 
5107  if (state == STATE_READING_QUOTED_PARM)
5108  {
5109  msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
5110  return 0;
5111  }
5112  if (state == STATE_READING_SQUOTED_PARM)
5113  {
5114  msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
5115  return 0;
5116  }
5117  if (state != STATE_INITIAL)
5118  {
5119  msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
5120  return 0;
5121  }
5122 #if 0
5123  {
5124  int i;
5125  for (i = 0; i < ret; ++i)
5126  {
5127  msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
5128  }
5129  }
5130 #endif
5131  return ret;
5132 }
5133 
5134 static void
5135 bypass_doubledash(char **p)
5136 {
5137  if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
5138  {
5139  *p += 2;
5140  }
5141 }
5142 
5143 struct in_src {
5144 #define IS_TYPE_FP 1
5145 #define IS_TYPE_BUF 2
5146  int type;
5147  union {
5148  FILE *fp;
5149  struct buffer *multiline;
5150  } u;
5151 };
5152 
5153 static bool
5154 in_src_get(const struct in_src *is, char *line, const int size)
5155 {
5156  if (is->type == IS_TYPE_FP)
5157  {
5158  return BOOL_CAST(fgets(line, size, is->u.fp));
5159  }
5160  else if (is->type == IS_TYPE_BUF)
5161  {
5162  bool status = buf_parse(is->u.multiline, '\n', line, size);
5163  if ((int) strlen(line) + 1 < size)
5164  {
5165  strcat(line, "\n");
5166  }
5167  return status;
5168  }
5169  else
5170  {
5171  ASSERT(0);
5172  return false;
5173  }
5174 }
5175 
5176 static char *
5177 read_inline_file(struct in_src *is, const char *close_tag,
5178  int *num_lines, struct gc_arena *gc)
5179 {
5180  char line[OPTION_LINE_SIZE];
5181  struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
5182  char *ret;
5183  bool endtagfound = false;
5184 
5185  while (in_src_get(is, line, sizeof(line)))
5186  {
5187  (*num_lines)++;
5188  char *line_ptr = line;
5189  /* Remove leading spaces */
5190  while (isspace(*line_ptr))
5191  {
5192  line_ptr++;
5193  }
5194  if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
5195  {
5196  endtagfound = true;
5197  break;
5198  }
5199  if (!buf_safe(&buf, strlen(line)+1))
5200  {
5201  /* Increase buffer size */
5202  struct buffer buf2 = alloc_buf(buf.capacity * 2);
5203  ASSERT(buf_copy(&buf2, &buf));
5204  buf_clear(&buf);
5205  free_buf(&buf);
5206  buf = buf2;
5207  }
5208  buf_printf(&buf, "%s", line);
5209  }
5210  if (!endtagfound)
5211  {
5212  msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
5213  }
5214  ret = string_alloc(BSTR(&buf), gc);
5215  buf_clear(&buf);
5216  free_buf(&buf);
5217  secure_memzero(line, sizeof(line));
5218  return ret;
5219 }
5220 
5221 static int
5222 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
5223 {
5224  int num_inline_lines = 0;
5225 
5226  if (p[0] && !p[1])
5227  {
5228  char *arg = p[0];
5229  if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
5230  {
5231  struct buffer close_tag;
5232 
5233  arg[strlen(arg) - 1] = '\0';
5234  p[0] = string_alloc(arg + 1, gc);
5235  close_tag = alloc_buf(strlen(p[0]) + 4);
5236  buf_printf(&close_tag, "</%s>", p[0]);
5237  p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
5238  p[2] = NULL;
5239  free_buf(&close_tag);
5240  }
5241  }
5242  return num_inline_lines;
5243 }
5244 
5245 static int
5246 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
5247 {
5248  struct in_src is;
5249  is.type = IS_TYPE_FP;
5250  is.u.fp = fp;
5251  return check_inline_file(&is, p, gc);
5252 }
5253 
5254 static int
5255 check_inline_file_via_buf(struct buffer *multiline, char *p[],
5256  struct gc_arena *gc)
5257 {
5258  struct in_src is;
5259  is.type = IS_TYPE_BUF;
5260  is.u.multiline = multiline;
5261  return check_inline_file(&is, p, gc);
5262 }
5263 
5264 static void
5265 add_option(struct options *options,
5266  char *p[],
5267  bool is_inline,
5268  const char *file,
5269  int line,
5270  const int level,
5271  const int msglevel,
5272  const unsigned int permission_mask,
5273  unsigned int *option_types_found,
5274  struct env_set *es);
5275 
5276 static void
5277 read_config_file(struct options *options,
5278  const char *file,
5279  int level,
5280  const char *top_file,
5281  const int top_line,
5282  const int msglevel,
5283  const unsigned int permission_mask,
5284  unsigned int *option_types_found,
5285  struct env_set *es)
5286 {
5287  const int max_recursive_levels = 10;
5288  FILE *fp;
5289  int line_num;
5290  char line[OPTION_LINE_SIZE+1];
5291  char *p[MAX_PARMS+1];
5292 
5293  ++level;
5294  if (level <= max_recursive_levels)
5295  {
5296  if (streq(file, "stdin"))
5297  {
5298  fp = stdin;
5299  }
5300  else
5301  {
5302  fp = platform_fopen(file, "r");
5303  }
5304  if (fp)
5305  {
5306  line_num = 0;
5307  while (fgets(line, sizeof(line), fp))
5308  {
5309  int offset = 0;
5310  CLEAR(p);
5311  ++line_num;
5312  if (strlen(line) == OPTION_LINE_SIZE)
5313  {
5314  msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5315  file, line_num, OPTION_LINE_SIZE, line);
5316  }
5317 
5318  /* Ignore UTF-8 BOM at start of stream */
5319  if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
5320  {
5321  offset = 3;
5322  }
5323  if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5324  {
5325  bypass_doubledash(&p[0]);
5326  int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
5327  add_option(options, p, lines_inline, file, line_num, level,
5328  msglevel, permission_mask, option_types_found,
5329  es);
5330  line_num += lines_inline;
5331  }
5332  }
5333  if (fp != stdin)
5334  {
5335  fclose(fp);
5336  }
5337  }
5338  else
5339  {
5340  msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
5341  }
5342  }
5343  else
5344  {
5345  msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
5346  }
5347  secure_memzero(line, sizeof(line));
5348  CLEAR(p);
5349 }
5350 
5351 static void
5352 read_config_string(const char *prefix,
5353  struct options *options,
5354  const char *config,
5355  const int msglevel,
5356  const unsigned int permission_mask,
5357  unsigned int *option_types_found,
5358  struct env_set *es)
5359 {
5360  char line[OPTION_LINE_SIZE];
5361  struct buffer multiline;
5362  int line_num = 0;
5363 
5364  buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5365 
5366  while (buf_parse(&multiline, '\n', line, sizeof(line)))
5367  {
5368  char *p[MAX_PARMS+1];
5369  CLEAR(p);
5370  ++line_num;
5371  if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
5372  {
5373  bypass_doubledash(&p[0]);
5374  int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
5375  add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
5376  permission_mask, option_types_found, es);
5377  line_num += lines_inline;
5378  }
5379  CLEAR(p);
5380  }
5381  secure_memzero(line, sizeof(line));
5382 }
5383 
5384 void
5385 parse_argv(struct options *options,
5386  const int argc,
5387  char *argv[],
5388  const int msglevel,
5389  const unsigned int permission_mask,
5390  unsigned int *option_types_found,
5391  struct env_set *es)
5392 {
5393  /* usage message */
5394  if (argc <= 1)
5395  {
5396  usage();
5397  }
5398 
5399  /* config filename specified only? */
5400  if (argc == 2 && strncmp(argv[1], "--", 2))
5401  {
5402  char *p[MAX_PARMS+1];
5403  CLEAR(p);
5404  p[0] = "config";
5405  p[1] = argv[1];
5406  add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5407  option_types_found, es);
5408  }
5409  else
5410  {
5411  /* parse command line */
5412  for (int i = 1; i < argc; ++i)
5413  {
5414  char *p[MAX_PARMS+1];
5415  CLEAR(p);
5416  p[0] = argv[i];
5417  if (strncmp(p[0], "--", 2))
5418  {
5419  msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
5420  }
5421  else
5422  {
5423  p[0] += 2;
5424  }
5425 
5426  int j;
5427  for (j = 1; j < MAX_PARMS; ++j)
5428  {
5429  if (i + j < argc)
5430  {
5431  char *arg = argv[i + j];
5432  if (strncmp(arg, "--", 2))
5433  {
5434  p[j] = arg;
5435  }
5436  else
5437  {
5438  break;
5439  }
5440  }
5441  }
5442  add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5443  option_types_found, es);
5444  i += j - 1;
5445  }
5446  }
5447 }
5448 
5457 static bool
5458 apply_pull_filter(const struct options *o, char *line)
5459 {
5460  struct pull_filter *f;
5461 
5462  if (!o->pull_filter_list)
5463  {
5464  return true;
5465  }
5466 
5467  /* skip leading spaces matching the behaviour of parse_line */
5468  while (isspace(*line))
5469  {
5470  line++;
5471  }
5472 
5473  for (f = o->pull_filter_list->head; f; f = f->next)
5474  {
5475  if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5476  {
5477  msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5478  return true;
5479  }
5480  else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5481  {
5482  msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5483  *line = '\0';
5484  return true;
5485  }
5486  else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5487  {
5488  msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5489  *line = '\0';
5490  throw_signal_soft(SIGUSR1, "Offending option received from server");
5491  return false;
5492  }
5493  }
5494  return true;
5495 }
5496 
5497 bool
5498 apply_push_options(struct options *options,
5499  struct buffer *buf,
5500  unsigned int permission_mask,
5501  unsigned int *option_types_found,
5502  struct env_set *es)
5503 {
5504  char line[OPTION_PARM_SIZE];
5505  int line_num = 0;
5506  const char *file = "[PUSH-OPTIONS]";
5507  const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5508 
5509  while (buf_parse(buf, ',', line, sizeof(line)))
5510  {
5511  char *p[MAX_PARMS+1];
5512  CLEAR(p);
5513  ++line_num;
5514  if (!apply_pull_filter(options, line))
5515  {
5516  return false; /* Cause push/pull error and stop push processing */
5517  }
5518  if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5519  {
5520  add_option(options, p, false, file, line_num, 0, msglevel,
5521  permission_mask, option_types_found, es);
5522  }
5523  }
5524  return true;
5525 }
5526 
5527 void
5528 options_server_import(struct options *o,
5529  const char *filename,
5530  int msglevel,
5531  unsigned int permission_mask,
5532  unsigned int *option_types_found,
5533  struct env_set *es)
5534 {
5535  msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5536  read_config_file(o,
5537  filename,
5538  0,
5539  filename,
5540  0,
5541  msglevel,
5542  permission_mask,
5543  option_types_found,
5544  es);
5545 }
5546 
5547 void
5548 options_string_import(struct options *options,
5549  const char *config,
5550  const int msglevel,
5551  const unsigned int permission_mask,
5552  unsigned int *option_types_found,
5553  struct env_set *es)
5554 {
5555  read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5556 }
5557 
5558 #define VERIFY_PERMISSION(mask) { \
5559  if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5560  option_types_found, msglevel, options, is_inline)) \
5561  { \
5562  goto err; \
5563  } \
5564 }
5565 
5566 static bool
5567 verify_permission(const char *name,
5568  const char *file,
5569  int line,
5570  const unsigned int type,
5571  const unsigned int allowed,
5572  unsigned int *found,
5573  const int msglevel,
5574  struct options *options,
5575  bool is_inline)
5576 {
5577  if (!(type & allowed))
5578  {
5579  msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5580  return false;
5581  }
5582 
5583  if (is_inline && !(type & OPT_P_INLINE))
5584  {
5585  msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5586  file, line);
5587  return false;
5588  }
5589 
5590  if (found)
5591  {
5592  *found |= type;
5593  }
5594 
5595 #ifndef ENABLE_SMALL
5596  /* Check if this options is allowed in connection block,
5597  * but we are currently not in a connection block
5598  * unless this is a pushed option.
5599  * Parsing a connection block uses a temporary options struct without
5600  * connection_list
5601  */
5602 
5603  if ((type & OPT_P_CONNECTION) && options->connection_list
5604  && !(allowed & OPT_P_PULL_MODE))
5605  {
5606  if (file)
5607  {
5608  msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5609  }
5610  else
5611  {
5612  msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5613  }
5614  }
5615 #endif
5616  return true;
5617 }
5618 
5619 /*
5620  * Check that an option doesn't have too
5621  * many parameters.
5622  */
5623 
5624 #define NM_QUOTE_HINT (1<<0)
5625 
5626 static bool
5627 no_more_than_n_args(const int msglevel,
5628  char *p[],
5629  const int max,
5630  const unsigned int flags)
5631 {
5632  const int len = string_array_len((const char **)p);
5633 
5634  if (!len)
5635  {
5636  return false;
5637  }
5638 
5639  if (len > max)
5640  {
5641  msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5642  p[0],
5643  max - 1,
5644  max >= 3 ? "s" : "",
5645  (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5646  return false;
5647  }
5648  else
5649  {
5650  return true;
5651  }
5652 }
5653 
5654 static inline int
5655 msglevel_forward_compatible(struct options *options, const int msglevel)
5656 {
5657  return options->forward_compatible ? M_WARN : msglevel;
5658 }
5659 
5660 static void
5661 set_user_script(struct options *options,
5662  const char **script,
5663  const char *new_script,
5664  const char *type,
5665  bool in_chroot)
5666 {
5667  if (*script)
5668  {
5669  msg(M_WARN, "Multiple --%s scripts defined. "
5670  "The previously configured script is overridden.", type);
5671  }
5672  *script = new_script;
5673  options->user_script_used = true;
5674 
5675 #ifndef ENABLE_SMALL
5676  {
5677  char script_name[100];
5678  openvpn_snprintf(script_name, sizeof(script_name),
5679  "--%s script", type);
5680 
5681  if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5682  {
5683  msg(M_USAGE, "Please correct this error.");
5684  }
5685 
5686  }
5687 #endif
5688 }
5689 
5690 static void
5691 show_compression_warning(struct compress_options *info)
5692 {
5693  if (comp_non_stub_enabled(info))
5694  {
5695  /*
5696  * Check if already displayed the strong warning and enabled full
5697  * compression
5698  */
5699  if (!(info->flags & COMP_F_ALLOW_COMPRESS))
5700  {
5701  msg(M_WARN, "WARNING: Compression for receiving enabled. "
5702  "Compression has been used in the past to break encryption. "
5703  "Sent packets are not compressed unless \"allow-compression yes\" "
5704  "is also set.");
5705  }
5706  }
5707 }
5708 
5709 bool
5710 key_is_external(const struct options *options)
5711 {
5712  bool ret = false;
5713  ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5714 #ifdef ENABLE_PKCS11
5715  ret = ret || (options->pkcs11_providers[0] != NULL);
5716 #endif
5717 #ifdef ENABLE_CRYPTOAPI
5718  ret = ret || options->cryptoapi_cert;
5719 #endif
5720 
5721  return ret;
5722 }
5723 
5724 static void
5725 add_option(struct options *options,
5726  char *p[],
5727  bool is_inline,
5728  const char *file,
5729  int line,
5730  const int level,
5731  const int msglevel,
5732  const unsigned int permission_mask,
5733  unsigned int *option_types_found,
5734  struct env_set *es)
5735 {
5736  struct gc_arena gc = gc_new();
5737  const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5738  int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5739 
5740  ASSERT(MAX_PARMS >= 7);
5741 
5742  /*
5743  * If directive begins with "setenv opt" prefix, don't raise an error if
5744  * directive is unrecognized.
5745  */
5746  if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5747  {
5748  if (!p[2])
5749  {
5750  p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5751  }
5752  p += 2;
5753  msglevel_fc = M_WARN;
5754  }
5755 
5756  if (!file)
5757  {
5758  file = "[CMD-LINE]";
5759  line = 1;
5760  }
5761  if (streq(p[0], "help"))
5762  {
5763  VERIFY_PERMISSION(OPT_P_GENERAL);
5764  usage();
5765  if (p[1])
5766  {
5767  msg(msglevel, "--help does not accept any parameters");
5768  goto err;
5769  }
5770  }
5771  if (streq(p[0], "version") && !p[1])
5772  {
5773  VERIFY_PERMISSION(OPT_P_GENERAL);
5774  usage_version();
5775  }
5776  else if (streq(p[0], "config") && p[1] && !p[2])
5777  {
5778  VERIFY_PERMISSION(OPT_P_CONFIG);
5779 
5780  /* save first config file only in options */
5781  if (!options->config)
5782  {
5783  options->config = p[1];
5784  }
5785 
5786  read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5787  }
5788 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5789  else if (streq(p[0], "show-gateway") && !p[2])
5790  {
5791  struct route_gateway_info rgi;
5792  struct route_ipv6_gateway_info rgi6;
5793  struct in6_addr remote = IN6ADDR_ANY_INIT;
5794  openvpn_net_ctx_t net_ctx;
5795  VERIFY_PERMISSION(OPT_P_GENERAL);
5796  if (p[1])
5797  {
5798  get_ipv6_addr(p[1], &remote, NULL, M_WARN);
5799  }
5800  net_ctx_init(NULL, &net_ctx);
5801  get_default_gateway(&rgi, &net_ctx);
5802  get_default_gateway_ipv6(&rgi6, &remote, &net_ctx);
5803  print_default_gateway(M_INFO, &rgi, &rgi6);
5804  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5805  }
5806 #endif
5807  else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5808  {
5809  struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5810  int j;
5811  bool good = true;
5812 
5813  VERIFY_PERMISSION(OPT_P_ECHO);
5814 
5815  for (j = 1; j < MAX_PARMS; ++j)
5816  {
5817  if (!p[j])
5818  {
5819  break;
5820  }
5821  if (j > 1)
5822  {
5823  good &= buf_printf(&string, " ");
5824  }
5825  good &= buf_printf(&string, "%s", p[j]);
5826  }
5827  if (good)
5828  {
5829  /* only message-related ECHO are logged, since other ECHOs
5830  * can potentially include security-sensitive strings */
5831  if (p[1] && strncmp(p[1], "msg", 3) == 0)
5832  {
5833  msg(M_INFO, "%s:%s",
5834  pull_mode ? "ECHO-PULL" : "ECHO",
5835  BSTR(&string));
5836  }
5837 #ifdef ENABLE_MANAGEMENT
5838  if (management)
5839  {
5840  management_echo(management, BSTR(&string), pull_mode);
5841  }
5842 #endif
5843  }
5844  else
5845  {
5846  msg(M_WARN, "echo/parameter option overflow");
5847  }
5848  }
5849 #ifdef ENABLE_MANAGEMENT
5850  else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5851  {
5852  VERIFY_PERMISSION(OPT_P_GENERAL);
5853  if (streq(p[2], "unix"))
5854  {
5855 #if UNIX_SOCK_SUPPORT
5856  options->management_flags |= MF_UNIX_SOCK;
5857 #else
5858  msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5859  goto err;
5860 #endif
5861  }
5862 
5863  options->management_addr = p[1];
5864  options->management_port = p[2];
5865  if (p[3])
5866  {
5867  options->management_user_pass = p[3];
5868  }
5869  }
5870  else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5871  {
5872  VERIFY_PERMISSION(OPT_P_GENERAL);
5873  options->management_client_user = p[1];
5874  }
5875  else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5876  {
5877  VERIFY_PERMISSION(OPT_P_GENERAL);
5878  options->management_client_group = p[1];
5879  }
5880  else if (streq(p[0], "management-query-passwords") && !p[1])
5881  {
5882  VERIFY_PERMISSION(OPT_P_GENERAL);
5883  options->management_flags |= MF_QUERY_PASSWORDS;
5884  }
5885  else if (streq(p[0], "management-query-remote") && !p[1])
5886  {
5887  VERIFY_PERMISSION(OPT_P_GENERAL);
5888  options->management_flags |= MF_QUERY_REMOTE;
5889  }
5890  else if (streq(p[0], "management-query-proxy") && !p[1])
5891  {
5892  VERIFY_PERMISSION(OPT_P_GENERAL);
5893  options->management_flags |= MF_QUERY_PROXY;
5894  }
5895  else if (streq(p[0], "management-hold") && !p[1])
5896  {
5897  VERIFY_PERMISSION(OPT_P_GENERAL);
5898  options->management_flags |= MF_HOLD;
5899  }
5900  else if (streq(p[0], "management-signal") && !p[1])
5901  {
5902  VERIFY_PERMISSION(OPT_P_GENERAL);
5903  options->management_flags |= MF_SIGNAL;
5904  }
5905  else if (streq(p[0], "management-forget-disconnect") && !p[1])
5906  {
5907  VERIFY_PERMISSION(OPT_P_GENERAL);
5908  options->management_flags |= MF_FORGET_DISCONNECT;
5909  }
5910  else if (streq(p[0], "management-up-down") && !p[1])
5911  {
5912  VERIFY_PERMISSION(OPT_P_GENERAL);
5913  options->management_flags |= MF_UP_DOWN;
5914  }
5915  else if (streq(p[0], "management-client") && !p[1])
5916  {
5917  VERIFY_PERMISSION(OPT_P_GENERAL);
5918  options->management_flags |= MF_CONNECT_AS_CLIENT;
5919  }
5920  else if (streq(p[0], "management-external-key"))
5921  {
5922  VERIFY_PERMISSION(OPT_P_GENERAL);
5923  for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5924  {
5925  if (streq(p[j], "nopadding"))
5926  {
5927  options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
5928  }
5929  else if (streq(p[j], "pkcs1"))
5930  {
5931  options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5932  }
5933  else if (streq(p[j], "pss"))
5934  {
5935  options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
5936  }
5937  else if (streq(p[j], "digest"))
5938  {
5939  options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
5940  }
5941  else
5942  {
5943  msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5944  }
5945  }
5946  /*
5947  * When no option is present, assume that only PKCS1
5948  * padding is supported
5949  */
5950  if (!(options->management_flags
5951  &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
5952  {
5953  options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5954  }
5955  options->management_flags |= MF_EXTERNAL_KEY;
5956  }
5957  else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5958  {
5959  VERIFY_PERMISSION(OPT_P_GENERAL);
5960  options->management_flags |= MF_EXTERNAL_CERT;
5961  options->management_certificate = p[1];
5962  }
5963  else if (streq(p[0], "management-client-auth") && !p[1])
5964  {
5965  VERIFY_PERMISSION(OPT_P_GENERAL);
5966  options->management_flags |= MF_CLIENT_AUTH;
5967  }
5968  else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5969  {
5970  int cache;
5971 
5972  VERIFY_PERMISSION(OPT_P_GENERAL);
5973  cache = atoi(p[1]);
5974  if (cache < 1)
5975  {
5976  msg(msglevel, "--management-log-cache parameter is out of range");
5977  goto err;
5978  }
5979  options->management_log_history_cache = cache;
5980  }
5981 #endif /* ifdef ENABLE_MANAGEMENT */
5982 #ifdef ENABLE_PLUGIN
5983  else if (streq(p[0], "plugin") && p[1])
5984  {
5985  VERIFY_PERMISSION(OPT_P_PLUGIN);
5986  if (!options->plugin_list)
5987  {
5988  options->plugin_list = plugin_option_list_new(&options->gc);
5989  }
5990  if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5991  {
5992  msg(msglevel, "plugin add failed: %s", p[1]);
5993  goto err;
5994  }
5995  }
5996 #endif
5997  else if (streq(p[0], "mode") && p[1] && !p[2])
5998  {
5999  VERIFY_PERMISSION(OPT_P_GENERAL);
6000  if (streq(p[1], "p2p"))
6001  {
6002  options->mode = MODE_POINT_TO_POINT;
6003  }
6004  else if (streq(p[1], "server"))
6005  {
6006  options->mode = MODE_SERVER;
6007  }
6008  else
6009  {
6010  msg(msglevel, "Bad --mode parameter: %s", p[1]);
6011  goto err;
6012  }
6013  }
6014  else if (streq(p[0], "dev") && p[1] && !p[2])
6015  {
6016  VERIFY_PERMISSION(OPT_P_GENERAL);
6017  options->dev = p[1];
6018  }
6019  else if (streq(p[0], "dev-type") && p[1] && !p[2])
6020  {
6021  VERIFY_PERMISSION(OPT_P_GENERAL);
6022  options->dev_type = p[1];
6023  }
6024 #ifdef _WIN32
6025  else if (streq(p[0], "windows-driver") && p[1] && !p[2])
6026  {
6027  VERIFY_PERMISSION(OPT_P_GENERAL);
6028  options->windows_driver = parse_windows_driver(p[1], M_FATAL);
6029  }
6030 #endif
6031  else if (streq(p[0], "disable-dco"))
6032  {
6033  options->tuntap_options.disable_dco = true;
6034  }
6035  else if (streq(p[0], "dev-node") && p[1] && !p[2])
6036  {
6037  VERIFY_PERMISSION(OPT_P_GENERAL);
6038  options->dev_node = p[1];
6039  }
6040  else if (streq(p[0], "lladdr") && p[1] && !p[2])
6041  {
6042  VERIFY_PERMISSION(OPT_P_UP);
6043  if (mac_addr_safe(p[1])) /* MAC address only */
6044  {
6045  options->lladdr = p[1];
6046  }
6047  else
6048  {
6049  msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
6050  goto err;
6051  }
6052  }
6053  else if (streq(p[0], "topology") && p[1] && !p[2])
6054  {
6055  VERIFY_PERMISSION(OPT_P_UP);
6056  options->topology = parse_topology(p[1], msglevel);
6057  }
6058  else if (streq(p[0], "tun-ipv6") && !p[1])
6059  {
6060  if (!pull_mode)
6061  {
6062  msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
6063  }
6064  }
6065 #ifdef ENABLE_IPROUTE
6066  else if (streq(p[0], "iproute") && p[1] && !p[2])
6067  {
6068  VERIFY_PERMISSION(OPT_P_GENERAL);
6069  iproute_path = p[1];
6070  }
6071 #endif
6072  else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
6073  {
6074  VERIFY_PERMISSION(OPT_P_UP);
6075  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
6076  {
6077  options->ifconfig_local = p[1];
6078  options->ifconfig_remote_netmask = p[2];
6079  }
6080  else
6081  {
6082  msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6083  goto err;
6084  }
6085  }
6086  else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
6087  {
6088  unsigned int netbits;
6089 
6090  VERIFY_PERMISSION(OPT_P_UP);
6091  if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
6092  && ipv6_addr_safe( p[2] ) )
6093  {
6094  if (netbits < 64 || netbits > 124)
6095  {
6096  msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
6097  goto err;
6098  }
6099 
6100  options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
6101  options->ifconfig_ipv6_netbits = netbits;
6102  options->ifconfig_ipv6_remote = p[2];
6103  }
6104  else
6105  {
6106  msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6107  goto err;
6108  }
6109  }
6110  else if (streq(p[0], "ifconfig-noexec") && !p[1])
6111  {
6112  VERIFY_PERMISSION(OPT_P_UP);
6113  options->ifconfig_noexec = true;
6114  }
6115  else if (streq(p[0], "ifconfig-nowarn") && !p[1])
6116  {
6117  VERIFY_PERMISSION(OPT_P_UP);
6118  options->ifconfig_nowarn = true;
6119  }
6120  else if (streq(p[0], "local") && p[1] && !p[2])
6121  {
6122  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6123  options->ce.local = p[1];
6124  }
6125  else if (streq(p[0], "remote-random") && !p[1])
6126  {
6127  VERIFY_PERMISSION(OPT_P_GENERAL);
6128  options->remote_random = true;
6129  }
6130  else if (streq(p[0], "connection") && p[1] && !p[3])
6131  {
6132  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6133  if (is_inline)
6134  {
6135  struct options sub;
6136  struct connection_entry *e;
6137 
6138  init_options(&sub, true);
6139  sub.ce = options->ce;
6140  read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
6141  OPT_P_CONNECTION, option_types_found, es);
6142  if (!sub.ce.remote)
6143  {
6144  msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
6145  uninit_options(&sub);
6146  goto err;
6147  }
6148 
6149  e = alloc_connection_entry(options, msglevel);
6150  if (!e)
6151  {
6152  uninit_options(&sub);
6153  goto err;
6154  }
6155  *e = sub.ce;
6156  gc_transfer(&options->gc, &sub.gc);
6157  uninit_options(&sub);
6158  }
6159  }
6160  else if (streq(p[0], "ignore-unknown-option") && p[1])
6161  {
6162  int i;
6163  int j;
6164  int numignored = 0;
6165  const char **ignore;
6166 
6167  VERIFY_PERMISSION(OPT_P_GENERAL);
6168  /* Find out how many options to be ignored */
6169  for (i = 1; p[i]; i++)
6170  {
6171  numignored++;
6172  }
6173 
6174  /* add number of options already ignored */
6175  for (i = 0; options->ignore_unknown_option
6176  && options->ignore_unknown_option[i]; i++)
6177  {
6178  numignored++;
6179  }
6180 
6181  /* Allocate array */
6182  ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
6183  for (i = 0; options->ignore_unknown_option
6184  && options->ignore_unknown_option[i]; i++)
6185  {
6186  ignore[i] = options->ignore_unknown_option[i];
6187  }
6188 
6189  options->ignore_unknown_option = ignore;
6190 
6191  for (j = 1; p[j]; j++)
6192  {
6193  /* Allow the user to specify ignore-unknown-option --opt too */
6194  if (p[j][0]=='-' && p[j][1]=='-')
6195  {
6196  options->ignore_unknown_option[i] = (p[j]+2);
6197  }
6198  else
6199  {
6200  options->ignore_unknown_option[i] = p[j];
6201  }
6202  i++;
6203  }
6204 
6205  options->ignore_unknown_option[i] = NULL;
6206  }
6207 #if ENABLE_MANAGEMENT
6208  else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6209  {
6210  VERIFY_PERMISSION(OPT_P_GENERAL);
6211  options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
6212  if (!options->http_proxy_override)
6213  {
6214  goto err;
6215  }
6216  }
6217 #endif
6218  else if (streq(p[0], "remote") && p[1] && !p[4])
6219  {
6220  struct remote_entry re;
6221  re.remote = re.remote_port = NULL;
6222  re.proto = -1;
6223  re.af = 0;
6224 
6225  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6226  re.remote = p[1];
6227  if (p[2])
6228  {
6229  re.remote_port = p[2];
6230  if (p[3])
6231  {
6232  const int proto = ascii2proto(p[3]);
6233  const sa_family_t af = ascii2af(p[3]);
6234  if (proto < 0)
6235  {
6236  msg(msglevel,
6237  "remote: bad protocol associated with host %s: '%s'",
6238  p[1], p[3]);
6239  goto err;
6240  }
6241  re.proto = proto;
6242  re.af = af;
6243  }
6244  }
6245  if (permission_mask & OPT_P_GENERAL)
6246  {
6247  struct remote_entry *e = alloc_remote_entry(options, msglevel);
6248  if (!e)
6249  {
6250  goto err;
6251  }
6252  *e = re;
6253  }
6254  else if (permission_mask & OPT_P_CONNECTION)
6255  {
6256  connection_entry_load_re(&options->ce, &re);
6257  }
6258  }
6259  else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6260  {
6261  VERIFY_PERMISSION(OPT_P_GENERAL);
6262  if (streq(p[1], "infinite"))
6263  {
6264  options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6265  }
6266  else
6267  {
6268  options->resolve_retry_seconds = positive_atoi(p[1]);
6269  }
6270  }
6271  else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6272  {
6273  VERIFY_PERMISSION(OPT_P_GENERAL);
6274  options->resolve_in_advance = true;
6275  /* Note the ip-remote-hint and the argument p[1] are for
6276  * backward compatibility */
6277  if (p[1])
6278  {
6279  options->ip_remote_hint = p[1];
6280  }
6281  }
6282  else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6283  {
6284  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6285  options->ce.connect_retry_seconds = positive_atoi(p[1]);
6286  /*
6287  * Limit the base value of retry wait interval to 16 bits to avoid
6288  * overflow when scaled up for exponential backoff
6289  */
6290  if (options->ce.connect_retry_seconds > 0xFFFF)
6291  {
6292  options->ce.connect_retry_seconds = 0xFFFF;
6293  msg(M_WARN, "connect retry wait interval truncated to %d",
6294  options->ce.connect_retry_seconds);
6295  }
6296 
6297  if (p[2])
6298  {
6299  options->ce.connect_retry_seconds_max =
6300  max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
6301  }
6302  }
6303  else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
6304  && p[1] && !p[2])
6305  {
6306  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6307  options->ce.connect_timeout = positive_atoi(p[1]);
6308  }
6309  else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6310  {
6311  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6312  options->connect_retry_max = positive_atoi(p[1]);
6313  }
6314  else if (streq(p[0], "ipchange") && p[1])
6315  {
6316  VERIFY_PERMISSION(OPT_P_SCRIPT);
6317  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6318  {
6319  goto err;
6320  }
6321  set_user_script(options,
6322  &options->ipchange,
6323  string_substitute(p[1], ',', ' ', &options->gc),
6324  "ipchange", true);
6325  }
6326  else if (streq(p[0], "float") && !p[1])
6327  {
6328  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6329  options->ce.remote_float = true;
6330  }
6331 #ifdef ENABLE_DEBUG
6332  else if (streq(p[0], "gremlin") && p[1] && !p[2])
6333  {
6334  VERIFY_PERMISSION(OPT_P_GENERAL);
6335  options->gremlin = positive_atoi(p[1]);
6336  }
6337 #endif
6338  else if (streq(p[0], "chroot") && p[1] && !p[2])
6339  {
6340  VERIFY_PERMISSION(OPT_P_GENERAL);
6341  options->chroot_dir = p[1];
6342  }
6343  else if (streq(p[0], "cd") && p[1] && !p[2])
6344  {
6345  VERIFY_PERMISSION(OPT_P_GENERAL);
6346  if (platform_chdir(p[1]))
6347  {
6348  msg(M_ERR, "cd to '%s' failed", p[1]);
6349  goto err;
6350  }
6351  options->cd_dir = p[1];
6352  }
6353 #ifdef ENABLE_SELINUX
6354  else if (streq(p[0], "setcon") && p[1] && !p[2])
6355  {
6356  VERIFY_PERMISSION(OPT_P_GENERAL);
6357  options->selinux_context = p[1];
6358  }
6359 #endif
6360  else if (streq(p[0], "writepid") && p[1] && !p[2])
6361  {
6362  VERIFY_PERMISSION(OPT_P_GENERAL);
6363  options->writepid = p[1];
6364  }
6365  else if (streq(p[0], "up") && p[1])
6366  {
6367  VERIFY_PERMISSION(OPT_P_SCRIPT);
6368  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6369  {
6370  goto err;
6371  }
6372  set_user_script(options, &options->up_script, p[1], "up", false);
6373  }
6374  else if (streq(p[0], "down") && p[1])
6375  {
6376  VERIFY_PERMISSION(OPT_P_SCRIPT);
6377  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6378  {
6379  goto err;
6380  }
6381  set_user_script(options, &options->down_script, p[1], "down", true);
6382  }
6383  else if (streq(p[0], "down-pre") && !p[1])
6384  {
6385  VERIFY_PERMISSION(OPT_P_GENERAL);
6386  options->down_pre = true;
6387  }
6388  else if (streq(p[0], "up-delay") && !p[1])
6389  {
6390  VERIFY_PERMISSION(OPT_P_GENERAL);
6391  options->up_delay = true;
6392  }
6393  else if (streq(p[0], "up-restart") && !p[1])
6394  {
6395  VERIFY_PERMISSION(OPT_P_GENERAL);
6396  options->up_restart = true;
6397  }
6398  else if (streq(p[0], "syslog") && !p[2])
6399  {
6400  VERIFY_PERMISSION(OPT_P_GENERAL);
6401  open_syslog(p[1], false);
6402  }
6403  else if (streq(p[0], "daemon") && !p[2])
6404  {
6405  bool didit = false;
6406  VERIFY_PERMISSION(OPT_P_GENERAL);
6407  if (!options->daemon)
6408  {
6409  options->daemon = didit = true;
6410  open_syslog(p[1], false);
6411  }
6412  if (p[1])
6413  {
6414  if (!didit)
6415  {
6416  msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
6417  goto err;
6418  }
6419  }
6420  }
6421  else if (streq(p[0], "log") && p[1] && !p[2])
6422  {
6423  VERIFY_PERMISSION(OPT_P_GENERAL);
6424  options->log = true;
6425  redirect_stdout_stderr(p[1], false);
6426  }
6427  else if (streq(p[0], "suppress-timestamps") && !p[1])
6428  {
6429  VERIFY_PERMISSION(OPT_P_GENERAL);
6430  options->suppress_timestamps = true;
6431  set_suppress_timestamps(true);
6432  }
6433  else if (streq(p[0], "machine-readable-output") && !p[1])
6434  {
6435  VERIFY_PERMISSION(OPT_P_GENERAL);
6436  options->machine_readable_output = true;
6437  set_machine_readable_output(true);
6438  }
6439  else if (streq(p[0], "log-append") && p[1] && !p[2])
6440  {
6441  VERIFY_PERMISSION(OPT_P_GENERAL);
6442  options->log = true;
6443  redirect_stdout_stderr(p[1], true);
6444  }
6445 #ifdef ENABLE_MEMSTATS
6446  else if (streq(p[0], "memstats") && p[1] && !p[2])
6447  {
6448  VERIFY_PERMISSION(OPT_P_GENERAL);
6449  options->memstats_fn = p[1];
6450  }
6451 #endif
6452  else if (streq(p[0], "mlock") && !p[1])
6453  {
6454  VERIFY_PERMISSION(OPT_P_GENERAL);
6455  options->mlock = true;
6456  }
6457 #if ENABLE_IP_PKTINFO
6458  else if (streq(p[0], "multihome") && !p[1])
6459  {
6460  VERIFY_PERMISSION(OPT_P_GENERAL);
6461  options->sockflags |= SF_USE_IP_PKTINFO;
6462  }
6463 #endif
6464  else if (streq(p[0], "verb") && p[1] && !p[2])
6465  {
6466  VERIFY_PERMISSION(OPT_P_MESSAGES);
6467  options->verbosity = positive_atoi(p[1]);
6468  if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6469  {
6470  /* We pass this flag to the SSL library to avoid
6471  * mbed TLS always generating debug level logging */
6472  options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6473  }
6474 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6475  /* Warn when a debug verbosity is supplied when built without debug support */
6476  if (options->verbosity >= 7)
6477  {
6478  msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6479  options->verbosity);
6480  }
6481 #endif
6482  }
6483  else if (streq(p[0], "mute") && p[1] && !p[2])
6484  {
6485  VERIFY_PERMISSION(OPT_P_MESSAGES);
6486  options->mute = positive_atoi(p[1]);
6487  }
6488  else if (streq(p[0], "errors-to-stderr") && !p[1])
6489  {
6490  VERIFY_PERMISSION(OPT_P_MESSAGES);
6491  errors_to_stderr();
6492  }
6493  else if (streq(p[0], "status") && p[1] && !p[3])
6494  {
6495  VERIFY_PERMISSION(OPT_P_GENERAL);
6496  options->status_file = p[1];
6497  if (p[2])
6498  {
6499  options->status_file_update_freq = positive_atoi(p[2]);
6500  }
6501  }
6502  else if (streq(p[0], "status-version") && p[1] && !p[2])
6503  {
6504  int version;
6505 
6506  VERIFY_PERMISSION(OPT_P_GENERAL);
6507  version = atoi(p[1]);
6508  if (version < 1 || version > 3)
6509  {
6510  msg(msglevel, "--status-version must be 1 to 3");
6511  goto err;
6512  }
6513  options->status_file_version = version;
6514  }
6515  else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6516  {
6517  VERIFY_PERMISSION(OPT_P_GENERAL);
6518  if (streq(p[1], "SIGHUP"))
6519  {
6520  options->remap_sigusr1 = SIGHUP;
6521  }
6522  else if (streq(p[1], "SIGTERM"))
6523  {
6524  options->remap_sigusr1 = SIGTERM;
6525  }
6526  else
6527  {
6528  msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6529  goto err;
6530  }
6531  }
6532  else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6533  {
6534  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6535  options->ce.link_mtu = positive_atoi(p[1]);
6536  options->ce.link_mtu_defined = true;
6537  }
6538  else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6539  {
6540  VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
6541  options->ce.tun_mtu = positive_atoi(p[1]);
6542  options->ce.tun_mtu_defined = true;
6543  if (p[2])
6544  {
6545  options->ce.occ_mtu = positive_atoi(p[2]);
6546  }
6547  else
6548  {
6549  options->ce.occ_mtu = 0;
6550  }
6551  }
6552  else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3])
6553  {
6554  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6555  int max_mtu = positive_atoi(p[1]);
6556  if (max_mtu < 68 || max_mtu > 65536)
6557  {
6558  msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
6559  }
6560  else
6561  {
6562  options->ce.tun_mtu_max = max_mtu;
6563  }
6564  }
6565  else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6566  {
6567  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6568  options->ce.tun_mtu_extra = positive_atoi(p[1]);
6569  options->ce.tun_mtu_extra_defined = true;
6570  }
6571  else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
6572  {
6573  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6574  int maxmtu = positive_atoi(p[1]);
6575  options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
6576 
6577  if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
6578  {
6579  msg(M_WARN, "Note: max-packet-size value outside of allowed "
6580  "control channel packet size (%d to %d), will use %d "
6581  "instead.", TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE,
6582  options->ce.tls_mtu);
6583  }
6584 
6585  /* also set mssfix maxmtu mtu */
6586  options->ce.mssfix = maxmtu;
6587  options->ce.mssfix_default = false;
6588  options->ce.mssfix_encap = true;
6589  }
6590 #ifdef ENABLE_FRAGMENT
6591  else if (streq(p[0], "mtu-dynamic"))
6592  {
6593  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6594  msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6595  goto err;
6596  }
6597  else if (streq(p[0], "fragment") && p[1] && !p[3])
6598  {
6599  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6600  options->ce.fragment = positive_atoi(p[1]);
6601 
6602  if (options->ce.fragment < 68)
6603  {
6604  msg(msglevel, "--fragment needs to be at least 68");
6605  goto err;
6606  }
6607 
6608  if (p[2] && streq(p[2], "mtu"))
6609  {
6610  options->ce.fragment_encap = true;
6611  }
6612  else if (p[2])
6613  {
6614  msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6615  }
6616  }
6617 #endif /* ifdef ENABLE_FRAGMENT */
6618  else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6619  {
6620  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6621  options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6622  }
6623  else if (streq(p[0], "mtu-test") && !p[1])
6624  {
6625  VERIFY_PERMISSION(OPT_P_GENERAL);
6626  options->mtu_test = true;
6627  }
6628  else if (streq(p[0], "nice") && p[1] && !p[2])
6629  {
6630  VERIFY_PERMISSION(OPT_P_NICE);
6631  options->nice = atoi(p[1]);
6632  }
6633  else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6634  {
6635  VERIFY_PERMISSION(OPT_P_SOCKBUF);
6636  options->rcvbuf = positive_atoi(p[1]);
6637  }
6638  else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6639  {
6640  VERIFY_PERMISSION(OPT_P_SOCKBUF);
6641  options->sndbuf = positive_atoi(p[1]);
6642  }
6643  else if (streq(p[0], "mark") && p[1] && !p[2])
6644  {
6645 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
6646  VERIFY_PERMISSION(OPT_P_GENERAL);
6647  options->mark = atoi(p[1]);
6648 #endif
6649  }
6650  else if (streq(p[0], "socket-flags"))
6651  {
6652  int j;
6653  VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6654  for (j = 1; j < MAX_PARMS && p[j]; ++j)
6655  {
6656  if (streq(p[j], "TCP_NODELAY"))
6657  {
6658  options->sockflags |= SF_TCP_NODELAY;
6659  }
6660  else
6661  {
6662  msg(msglevel, "unknown socket flag: %s", p[j]);
6663  }
6664  }
6665  }
6666 #ifdef TARGET_LINUX
6667  else if (streq(p[0], "bind-dev") && p[1])
6668  {
6669  VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6670  options->bind_dev = p[1];
6671  }
6672 #endif
6673  else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6674  {
6675  VERIFY_PERMISSION(OPT_P_GENERAL);
6676 #ifdef TARGET_LINUX
6677  options->tuntap_options.txqueuelen = positive_atoi(p[1]);
6678 #else
6679  msg(msglevel, "--txqueuelen not supported on this OS");
6680  goto err;
6681 #endif
6682  }
6683  else if (streq(p[0], "shaper") && p[1] && !p[2])
6684  {
6685  int shaper;
6686 
6687  VERIFY_PERMISSION(OPT_P_SHAPER);
6688  shaper = atoi(p[1]);
6689  if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
6690  {
6691  msg(msglevel, "Bad shaper value, must be between %d and %d",
6692  SHAPER_MIN, SHAPER_MAX);
6693  goto err;
6694  }
6695  options->shaper = shaper;
6696  }
6697  else if (streq(p[0], "port") && p[1] && !p[2])
6698  {
6699  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6700  options->ce.local_port = options->ce.remote_port = p[1];
6701  }
6702  else if (streq(p[0], "lport") && p[1] && !p[2])
6703  {
6704  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6705  options->ce.local_port_defined = true;
6706  options->ce.local_port = p[1];
6707  }
6708  else if (streq(p[0], "rport") && p[1] && !p[2])
6709  {
6710  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6711  options->ce.remote_port = p[1];
6712  }
6713  else if (streq(p[0], "bind") && !p[2])
6714  {
6715  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6716  options->ce.bind_defined = true;
6717  if (p[1] && streq(p[1], "ipv6only"))
6718  {
6719  options->ce.bind_ipv6_only = true;
6720  }
6721 
6722  }
6723  else if (streq(p[0], "nobind") && !p[1])
6724  {
6725  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6726  options->ce.bind_local = false;
6727  }
6728  else if (streq(p[0], "fast-io") && !p[1])
6729  {
6730  VERIFY_PERMISSION(OPT_P_GENERAL);
6731  options->fast_io = true;
6732  }
6733  else if (streq(p[0], "inactive") && p[1] && !p[3])
6734  {
6735  VERIFY_PERMISSION(OPT_P_TIMER);
6736  options->inactivity_timeout = positive_atoi(p[1]);
6737  if (p[2])
6738  {
6739  int64_t val = atoll(p[2]);
6740  options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
6741  if (options->inactivity_minimum_bytes > INT_MAX)
6742  {
6743  msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
6744  " >2 Gbyte was silently ignored in older versions. If "
6745  " your VPN exits unexpectedly with 'Inactivity timeout'"
6746  " in %d seconds, revisit this value.",
6747  options->inactivity_timeout );
6748  }
6749  }
6750  }
6751  else if (streq(p[0], "session-timeout") && p[1] && !p[2])
6752  {
6753  VERIFY_PERMISSION(OPT_P_TIMER);
6754  options->session_timeout = positive_atoi(p[1]);
6755  }
6756  else if (streq(p[0], "proto") && p[1] && !p[2])
6757  {
6758  int proto;
6759  sa_family_t af;
6760  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6761  proto = ascii2proto(p[1]);
6762  af = ascii2af(p[1]);
6763  if (proto < 0)
6764  {
6765  msg(msglevel,
6766  "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
6767  p[1],
6768  proto2ascii_all(&gc));
6769  goto err;
6770  }
6771  options->ce.proto = proto;
6772  options->ce.af = af;
6773  }
6774  else if (streq(p[0], "proto-force") && p[1] && !p[2])
6775  {
6776  int proto_force;
6777  VERIFY_PERMISSION(OPT_P_GENERAL);
6778  proto_force = ascii2proto(p[1]);
6779  if (proto_force < 0)
6780  {
6781  msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6782  goto err;
6783  }
6784  options->proto_force = proto_force;
6785  }
6786  else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6787  {
6788  struct http_proxy_options *ho;
6789 
6790  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6791 
6792  {
6793  if (!p[2])
6794  {
6795  msg(msglevel, "http-proxy port number not defined");
6796  goto err;
6797  }
6798 
6799  ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6800 
6801  ho->server = p[1];
6802  ho->port = p[2];
6803  }
6804 
6805  if (p[3])
6806  {
6807  /* auto -- try to figure out proxy addr, port, and type automatically */
6808  /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6809  if (streq(p[3], "auto"))
6810  {
6811  ho->auth_retry = PAR_ALL;
6812  }
6813  else if (streq(p[3], "auto-nct"))
6814  {
6815  ho->auth_retry = PAR_NCT;
6816  }
6817  else
6818  {
6819  ho->auth_method_string = "basic";
6820  ho->auth_file = p[3];
6821 
6822  if (p[4])
6823  {
6824  ho->auth_method_string = p[4];
6825  }
6826  }
6827  }
6828  else
6829  {
6830  ho->auth_method_string = "none";
6831  }
6832  }
6833  else if (streq(p[0], "http-proxy-user-pass") && p[1])
6834  {
6835  struct http_proxy_options *ho;
6836  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6837  ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6838  ho->auth_file_up = p[1];
6839  ho->inline_creds = is_inline;
6840  }
6841  else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
6842  {
6843  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6844  msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6845  "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6846  "Use connect-retry-max 1 to get a similar behavior as before.");
6847  }
6848  else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
6849  {
6850  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6851  msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6852  "server is established is managed with a single timeout set by connect-timeout");
6853  }
6854  else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6855  {
6856  struct http_proxy_options *ho;
6857 
6858  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6859  ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6860 
6861  if (streq(p[1], "VERSION") && p[2] && !p[3])
6862  {
6863  ho->http_version = p[2];
6864  }
6865  else if (streq(p[1], "AGENT") && p[2] && !p[3])
6866  {
6867  ho->user_agent = p[2];
6868  }
6869  else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6870  && p[2])
6871  {
6872  /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6873  * with either two argument or one */
6874 
6875  struct http_custom_header *custom_header = NULL;
6876  int i;
6877  /* Find the first free header */
6878  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6879  {
6880  if (!ho->custom_headers[i].name)
6881  {
6882  custom_header = &ho->custom_headers[i];
6883  break;
6884  }
6885  }
6886  if (!custom_header)
6887  {
6888  msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
6889  }
6890  else
6891  {
6892  /* We will save p[2] and p[3], the proxy code will detect if
6893  * p[3] is NULL */
6894  custom_header->name = p[2];
6895  custom_header->content = p[3];
6896  }
6897  }
6898  else
6899  {
6900  msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6901  }
6902  }
6903  else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6904  {
6905  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6906 
6907  if (p[2])
6908  {
6909  options->ce.socks_proxy_port = p[2];
6910  }
6911  else
6912  {
6913  options->ce.socks_proxy_port = "1080";
6914  }
6915  options->ce.socks_proxy_server = p[1];
6916  options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
6917  }
6918  else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
6919  {
6920  VERIFY_PERMISSION(OPT_P_GENERAL);
6921  options->keepalive_ping = atoi(p[1]);
6922  options->keepalive_timeout = atoi(p[2]);
6923  }
6924  else if (streq(p[0], "ping") && p[1] && !p[2])
6925  {
6926  VERIFY_PERMISSION(OPT_P_TIMER);
6927  options->ping_send_timeout = positive_atoi(p[1]);
6928  }
6929  else if (streq(p[0], "ping-exit") && p[1] && !p[2])
6930  {
6931  VERIFY_PERMISSION(OPT_P_TIMER);
6932  options->ping_rec_timeout = positive_atoi(p[1]);
6933  options->ping_rec_timeout_action = PING_EXIT;
6934  }
6935  else if (streq(p[0], "ping-restart") && p[1] && !p[2])
6936  {
6937  VERIFY_PERMISSION(OPT_P_TIMER);
6938  options->ping_rec_timeout = positive_atoi(p[1]);
6939  options->ping_rec_timeout_action = PING_RESTART;
6940  }
6941  else if (streq(p[0], "ping-timer-rem") && !p[1])
6942  {
6943  VERIFY_PERMISSION(OPT_P_TIMER);
6944  options->ping_timer_remote = true;
6945  }
6946  else if (streq(p[0], "explicit-exit-notify") && !p[2])
6947  {
6948  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
6949  if (p[1])
6950  {
6951  options->ce.explicit_exit_notification = positive_atoi(p[1]);
6952  }
6953  else
6954  {
6955  options->ce.explicit_exit_notification = 1;
6956  }
6957  }
6958  else if (streq(p[0], "persist-tun") && !p[1])
6959  {
6960  VERIFY_PERMISSION(OPT_P_PERSIST);
6961  options->persist_tun = true;
6962  }
6963  else if (streq(p[0], "persist-key") && !p[1])
6964  {
6965  VERIFY_PERMISSION(OPT_P_PERSIST);
6966  options->persist_key = true;
6967  }
6968  else if (streq(p[0], "persist-local-ip") && !p[1])
6969  {
6970  VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6971  options->persist_local_ip = true;
6972  }
6973  else if (streq(p[0], "persist-remote-ip") && !p[1])
6974  {
6975  VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6976  options->persist_remote_ip = true;
6977  }
6978  else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
6979  {
6980  VERIFY_PERMISSION(OPT_P_ROUTE);
6981  cnol_check_alloc(options);
6982  add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
6983  }
6984  else if (streq(p[0], "route") && p[1] && !p[5])
6985  {
6986  VERIFY_PERMISSION(OPT_P_ROUTE);
6987  rol_check_alloc(options);
6988  if (pull_mode)
6989  {
6990  if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
6991  {
6992  msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
6993  goto err;
6994  }
6995  if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
6996  {
6997  msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
6998  goto err;
6999  }
7000  if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
7001  {
7002  msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
7003  goto err;
7004  }
7005  }
7006  add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
7007  }
7008  else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
7009  {
7010  VERIFY_PERMISSION(OPT_P_ROUTE);
7011  rol6_check_alloc(options);
7012  if (pull_mode)
7013  {
7014  if (!ipv6_addr_safe_hexplusbits(p[1]))
7015  {
7016  msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
7017  goto err;
7018  }
7019  if (p[2] && !ipv6_addr_safe(p[2]))
7020  {
7021  msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
7022  goto err;
7023  }
7024  /* p[3] is metric, if present */
7025  }
7026  add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]);
7027  }
7028  else if (streq(p[0], "max-routes") && !p[2])
7029  {
7030  msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
7031  "The number of routes is unlimited as of OpenVPN 2.4. "
7032  "This option will be removed in a future version, "
7033  "please remove it from your configuration.");
7034  }
7035  else if (streq(p[0], "route-gateway") && p[1] && !p[2])
7036  {
7037  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7038  if (streq(p[1], "dhcp"))
7039  {
7040  options->route_gateway_via_dhcp = true;
7041  }
7042  else
7043  {
7044  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
7045  {
7046  options->route_default_gateway = p[1];
7047  }
7048  else
7049  {
7050  msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
7051  goto err;
7052  }
7053  }
7054  }
7055  else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
7056  {
7057  if (ipv6_addr_safe(p[1]))
7058  {
7059  options->route_ipv6_default_gateway = p[1];
7060  }
7061  else
7062  {
7063  msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
7064  goto err;
7065  }
7066  }
7067  else if (streq(p[0], "route-metric") && p[1] && !p[2])
7068  {
7069  VERIFY_PERMISSION(OPT_P_ROUTE);
7070  options->route_default_metric = positive_atoi(p[1]);
7071  }
7072  else if (streq(p[0], "route-delay") && !p[3])
7073  {
7074  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7075  options->route_delay_defined = true;
7076  if (p[1])
7077  {
7078  options->route_delay = positive_atoi(p[1]);
7079  if (p[2])
7080  {
7081  options->route_delay_window = positive_atoi(p[2]);
7082  }
7083  }
7084  else
7085  {
7086  options->route_delay = 0;
7087  }
7088  }
7089  else if (streq(p[0], "route-up") && p[1])
7090  {
7091  VERIFY_PERMISSION(OPT_P_SCRIPT);
7092  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7093  {
7094  goto err;
7095  }
7096  set_user_script(options, &options->route_script, p[1], "route-up", false);
7097  }
7098  else if (streq(p[0], "route-pre-down") && p[1])
7099  {
7100  VERIFY_PERMISSION(OPT_P_SCRIPT);
7101  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7102  {
7103  goto err;
7104  }
7105  set_user_script(options,
7106  &options->route_predown_script,
7107  p[1],
7108  "route-pre-down", true);
7109  }
7110  else if (streq(p[0], "route-noexec") && !p[1])
7111  {
7112  VERIFY_PERMISSION(OPT_P_SCRIPT);
7113  options->route_noexec = true;
7114  }
7115  else if (streq(p[0], "route-nopull") && !p[1])
7116  {
7117  VERIFY_PERMISSION(OPT_P_GENERAL);
7118  options->route_nopull = true;
7119  }
7120  else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
7121  {
7122  struct pull_filter *f;
7123  VERIFY_PERMISSION(OPT_P_GENERAL)
7124  f = alloc_pull_filter(options, msglevel);
7125 
7126  if (strcmp("accept", p[1]) == 0)
7127  {
7128  f->type = PUF_TYPE_ACCEPT;
7129  }
7130  else if (strcmp("ignore", p[1]) == 0)
7131  {
7132  f->type = PUF_TYPE_IGNORE;
7133  }
7134  else if (strcmp("reject", p[1]) == 0)
7135  {
7136  f->type = PUF_TYPE_REJECT;
7137  }
7138  else
7139  {
7140  msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
7141  goto err;
7142  }
7143  f->pattern = p[2];
7144  f->size = strlen(p[2]);
7145  }
7146  else if (streq(p[0], "allow-pull-fqdn") && !p[1])
7147  {
7148  VERIFY_PERMISSION(OPT_P_GENERAL);
7149  options->allow_pull_fqdn = true;
7150  }
7151  else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7152  {
7153  int j;
7154  VERIFY_PERMISSION(OPT_P_ROUTE);
7155  rol_check_alloc(options);
7156 
7157  if (options->routes->flags & RG_ENABLE)
7158  {
7159  msg(M_WARN,
7160  "WARNING: You have specified redirect-gateway and "
7161  "redirect-private at the same time (or the same option "
7162  "multiple times). This is not well supported and may lead to "
7163  "unexpected results");
7164  }
7165 
7166  options->routes->flags |= RG_ENABLE;
7167 
7168  if (streq(p[0], "redirect-gateway"))
7169  {
7170  options->routes->flags |= RG_REROUTE_GW;
7171  }
7172  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7173  {
7174  if (streq(p[j], "local"))
7175  {
7176  options->routes->flags |= RG_LOCAL;
7177  }
7178  else if (streq(p[j], "autolocal"))
7179  {
7180  options->routes->flags |= RG_AUTO_LOCAL;
7181  }
7182  else if (streq(p[j], "def1"))
7183  {
7184  options->routes->flags |= RG_DEF1;
7185  }
7186  else if (streq(p[j], "bypass-dhcp"))
7187  {
7188  options->routes->flags |= RG_BYPASS_DHCP;
7189  }
7190  else if (streq(p[j], "bypass-dns"))
7191  {
7192  options->routes->flags |= RG_BYPASS_DNS;
7193  }
7194  else if (streq(p[j], "block-local"))
7195  {
7196  options->routes->flags |= RG_BLOCK_LOCAL;
7197  }
7198  else if (streq(p[j], "ipv6"))
7199  {
7200  rol6_check_alloc(options);
7201  options->routes_ipv6->flags |= RG_REROUTE_GW;
7202  }
7203  else if (streq(p[j], "!ipv4"))
7204  {
7205  options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7206  }
7207  else
7208  {
7209  msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7210  goto err;
7211  }
7212  }
7213 #ifdef _WIN32
7214  /* we need this here to handle pushed --redirect-gateway */
7215  remap_redirect_gateway_flags(options);
7216 #endif
7217  }
7218  else if (streq(p[0], "block-ipv6") && !p[1])
7219  {
7220  VERIFY_PERMISSION(OPT_P_ROUTE);
7221  options->block_ipv6 = true;
7222  }
7223  else if (streq(p[0], "remote-random-hostname") && !p[1])
7224  {
7225  VERIFY_PERMISSION(OPT_P_GENERAL);
7226  options->sockflags |= SF_HOST_RANDOMIZE;
7227  }
7228  else if (streq(p[0], "setenv") && p[1] && !p[3])
7229  {
7230  VERIFY_PERMISSION(OPT_P_GENERAL);
7231  if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7232  {
7233  options->sockflags |= SF_HOST_RANDOMIZE;
7234  }
7235  else if (streq(p[1], "GENERIC_CONFIG"))
7236  {
7237  msg(msglevel, "this is a generic configuration and cannot directly be used");
7238  goto err;
7239  }
7240  else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7241  {
7242  options->push_peer_info = true;
7243  }
7244  else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7245  {
7246  options->ce.connect_timeout = positive_atoi(p[2]);
7247  }
7248  else
7249  {
7250  if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7251  {
7252  options->forward_compatible = true;
7253  msglevel_fc = msglevel_forward_compatible(options, msglevel);
7254  }
7255  setenv_str(es, p[1], p[2] ? p[2] : "");
7256  }
7257  }
7258  else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7259  {
7260  unsigned int major, minor, patch;
7261  if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7262  {
7263  msg(msglevel, "cannot parse version number for --compat-mode: %s",
7264  p[1]);
7265  goto err;
7266  }
7267 
7268  options->backwards_compatible = major * 10000 + minor * 100 + patch;
7269  }
7270  else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7271  {
7272  VERIFY_PERMISSION(OPT_P_SETENV);
7273  setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7274  }
7275  else if (streq(p[0], "script-security") && p[1] && !p[2])
7276  {
7277  VERIFY_PERMISSION(OPT_P_GENERAL);
7278  script_security_set(atoi(p[1]));
7279  }
7280  else if (streq(p[0], "mssfix") && !p[3])
7281  {
7282  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
7283  if (p[1])
7284  {
7285  int mssfix = positive_atoi(p[1]);
7286  /* can be 0, but otherwise it needs to be high enough so we can
7287  * substract room for headers. */
7288  if (mssfix != 0
7289  && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
7290  {
7291  msg(msglevel, "--mssfix value '%s' is invalid", p[1]);
7292  goto err;
7293  }
7294 
7295  /* value specified, assume encapsulation is not
7296  * included unless "mtu" follows later */
7297  options->ce.mssfix = mssfix;
7298  options->ce.mssfix_encap = false;
7299  options->ce.mssfix_default = false;
7300  }
7301  else
7302  {
7303  /* Set MTU to default values */
7304  options->ce.mssfix_default = true;
7305  options->ce.mssfix_encap = true;
7306  options->ce.mssfix_fixed = false;
7307  }
7308 
7309  if (p[2] && streq(p[2], "mtu"))
7310  {
7311  options->ce.mssfix_encap = true;
7312  }
7313  else if (p[2] && streq(p[2], "fixed"))
7314  {
7315  options->ce.mssfix_fixed = true;
7316  }
7317  else if (p[2])
7318  {
7319  msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7320  }
7321  }
7322  else if (streq(p[0], "disable-occ") && !p[1])
7323  {
7324  VERIFY_PERMISSION(OPT_P_GENERAL);
7325  options->occ = false;
7326  }
7327  else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7328  {
7329  const int lev = M_WARN;
7330  bool error = false;
7331  in_addr_t network, netmask;
7332 
7333  VERIFY_PERMISSION(OPT_P_GENERAL);
7334  network = get_ip_addr(p[1], lev, &error);
7335  netmask = get_ip_addr(p[2], lev, &error);
7336  if (error || !network || !netmask)
7337  {
7338  msg(msglevel, "error parsing --server parameters");
7339  goto err;
7340  }
7341  options->server_defined = true;
7342  options->server_network = network;
7343  options->server_netmask = netmask;
7344 
7345  if (p[3])
7346  {
7347  if (streq(p[3], "nopool"))
7348  {
7349  options->server_flags |= SF_NOPOOL;
7350  }
7351  else
7352  {
7353  msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7354  goto err;
7355  }
7356  }
7357  }
7358  else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7359  {
7360  const int lev = M_WARN;
7361  struct in6_addr network;
7362  unsigned int netbits = 0;
7363 
7364  VERIFY_PERMISSION(OPT_P_GENERAL);
7365  if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
7366  {
7367  msg(msglevel, "error parsing --server-ipv6 parameter");
7368  goto err;
7369  }
7370  if (netbits < 64 || netbits > 124)
7371  {
7372  msg(msglevel,
7373  "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7374  netbits);
7375 
7376  goto err;
7377  }
7378  options->server_ipv6_defined = true;
7379  options->server_network_ipv6 = network;
7380  options->server_netbits_ipv6 = netbits;
7381  }
7382  else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7383  {
7384  const int lev = M_WARN;
7385  bool error = false;
7386  in_addr_t ip, netmask, pool_start, pool_end;
7387 
7388  VERIFY_PERMISSION(OPT_P_GENERAL);
7389  ip = get_ip_addr(p[1], lev, &error);
7390  netmask = get_ip_addr(p[2], lev, &error);
7391  pool_start = get_ip_addr(p[3], lev, &error);
7392  pool_end = get_ip_addr(p[4], lev, &error);
7393  if (error || !ip || !netmask || !pool_start || !pool_end)
7394  {
7395  msg(msglevel, "error parsing --server-bridge parameters");
7396  goto err;
7397  }
7398  options->server_bridge_defined = true;
7399  options->server_bridge_ip = ip;
7400  options->server_bridge_netmask = netmask;
7401  options->server_bridge_pool_start = pool_start;
7402  options->server_bridge_pool_end = pool_end;
7403  }
7404  else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7405  {
7406  VERIFY_PERMISSION(OPT_P_GENERAL);
7407  options->server_bridge_proxy_dhcp = true;
7408  options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7409  }
7410  else if (streq(p[0], "server-bridge") && !p[1])
7411  {
7412  VERIFY_PERMISSION(OPT_P_GENERAL);
7413  options->server_bridge_proxy_dhcp = true;
7414  }
7415  else if (streq(p[0], "push") && p[1] && !p[2])
7416  {
7417  VERIFY_PERMISSION(OPT_P_PUSH);
7418  push_options(options, &p[1], msglevel, &options->gc);
7419  }
7420  else if (streq(p[0], "push-reset") && !p[1])
7421  {
7422  VERIFY_PERMISSION(OPT_P_INSTANCE);
7423  push_reset(options);
7424  }
7425  else if (streq(p[0], "push-remove") && p[1] && !p[2])
7426  {
7427  VERIFY_PERMISSION(OPT_P_INSTANCE);
7428  msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7429  push_remove_option(options, p[1]);
7430  }
7431  else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7432  {
7433  const int lev = M_WARN;
7434  bool error = false;
7435  in_addr_t start, end, netmask = 0;
7436 
7437  VERIFY_PERMISSION(OPT_P_GENERAL);
7438  start = get_ip_addr(p[1], lev, &error);
7439  end = get_ip_addr(p[2], lev, &error);
7440  if (p[3])
7441  {
7442  netmask = get_ip_addr(p[3], lev, &error);
7443  }
7444  if (error)
7445  {
7446  msg(msglevel, "error parsing --ifconfig-pool parameters");
7447  goto err;
7448  }
7449  if (!ifconfig_pool_verify_range(msglevel, start, end))
7450  {
7451  goto err;
7452  }
7453 
7454  options->ifconfig_pool_defined = true;
7455  options->ifconfig_pool_start = start;
7456  options->ifconfig_pool_end = end;
7457  if (netmask)
7458  {
7459  options->ifconfig_pool_netmask = netmask;
7460  }
7461  }
7462  else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7463  {
7464  VERIFY_PERMISSION(OPT_P_GENERAL);
7465  options->ifconfig_pool_persist_filename = p[1];
7466  if (p[2])
7467  {
7468  options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2]);
7469  }
7470  }
7471  else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7472  {
7473  const int lev = M_WARN;
7474  struct in6_addr network;
7475  unsigned int netbits = 0;
7476 
7477  VERIFY_PERMISSION(OPT_P_GENERAL);
7478  if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
7479  {
7480  msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7481  goto err;
7482  }
7483  if (netbits < 64 || netbits > 124)
7484  {
7485  msg(msglevel,
7486  "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7487  netbits);
7488  goto err;
7489  }
7490 
7491  options->ifconfig_ipv6_pool_defined = true;
7492  options->ifconfig_ipv6_pool_base = network;
7493  options->ifconfig_ipv6_pool_netbits = netbits;
7494  }
7495  else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7496  {
7497  int real, virtual;
7498 
7499  VERIFY_PERMISSION(OPT_P_GENERAL);
7500  real = atoi(p[1]);
7501  virtual = atoi(p[2]);
7502  if (real < 1 || virtual < 1)
7503  {
7504  msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
7505  goto err;
7506  }
7507  options->real_hash_size = real;
7508  options->virtual_hash_size = real;
7509  }
7510  else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7511  {
7512  int cf_max, cf_per;
7513 
7514  VERIFY_PERMISSION(OPT_P_GENERAL);
7515  cf_max = atoi(p[1]);
7516  cf_per = atoi(p[2]);
7517  if (cf_max < 0 || cf_per < 0)
7518  {
7519  msg(msglevel, "--connect-freq parms must be > 0");
7520  goto err;
7521  }
7522  options->cf_max = cf_max;
7523  options->cf_per = cf_per;
7524  }
7525  else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7526  {
7527  long cf_max, cf_per;
7528 
7529  VERIFY_PERMISSION(OPT_P_GENERAL);
7530  char *e1, *e2;
7531  cf_max = strtol(p[1], &e1, 10);
7532  cf_per = strtol(p[2], &e2, 10);
7533  if (cf_max < 0 || cf_per < 0 || *e1 != '\0' || *e2 != '\0')
7534  {
7535  msg(msglevel, "--connect-freq-initial parameters must be integers and >= 0");
7536  goto err;
7537  }
7538  options->cf_initial_max = cf_max;
7539  options->cf_initial_per = cf_per;
7540  }
7541  else if (streq(p[0], "max-clients") && p[1] && !p[2])
7542  {
7543  int max_clients;
7544 
7545  VERIFY_PERMISSION(OPT_P_GENERAL);
7546  max_clients = atoi(p[1]);
7547  if (max_clients < 0)
7548  {
7549  msg(msglevel, "--max-clients must be at least 1");
7550  goto err;
7551  }
7552  if (max_clients >= MAX_PEER_ID) /* max peer-id value */
7553  {
7554  msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
7555  goto err;
7556  }
7557  options->max_clients = max_clients;
7558  }
7559  else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7560  {
7561  VERIFY_PERMISSION(OPT_P_INHERIT);
7562  options->max_routes_per_client = max_int(atoi(p[1]), 1);
7563  }
7564  else if (streq(p[0], "client-cert-not-required") && !p[1])
7565  {
7566  VERIFY_PERMISSION(OPT_P_GENERAL);
7567  msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7568  }
7569  else if (streq(p[0], "verify-client-cert") && !p[2])
7570  {
7571  VERIFY_PERMISSION(OPT_P_GENERAL);
7572 
7573  /* Reset any existing flags */
7574  options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7575  options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7576  if (p[1])
7577  {
7578  if (streq(p[1], "none"))
7579  {
7580  options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
7581  }
7582  else if (streq(p[1], "optional"))
7583  {
7584  options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7585  }
7586  else if (!streq(p[1], "require"))
7587  {
7588  msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7589  goto err;
7590  }
7591  }
7592  }
7593  else if (streq(p[0], "username-as-common-name") && !p[1])
7594  {
7595  VERIFY_PERMISSION(OPT_P_GENERAL);
7596  options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7597  }
7598  else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7599  {
7600  VERIFY_PERMISSION(OPT_P_GENERAL);
7601  options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7602  }
7603  else if (streq(p[0], "opt-verify") && !p[1])
7604  {
7605  VERIFY_PERMISSION(OPT_P_GENERAL);
7606  msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
7607  "in OpenVPN 2.7");
7608  options->ssl_flags |= SSLF_OPT_VERIFY;
7609  }
7610  else if (streq(p[0], "auth-user-pass-verify") && p[1])
7611  {
7612  VERIFY_PERMISSION(OPT_P_SCRIPT);
7613  if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7614  {
7615  goto err;
7616  }
7617  if (p[2])
7618  {
7619  if (streq(p[2], "via-env"))
7620  {
7621  options->auth_user_pass_verify_script_via_file = false;
7622  }
7623  else if (streq(p[2], "via-file"))
7624  {
7625  options->auth_user_pass_verify_script_via_file = true;
7626  }
7627  else
7628  {
7629  msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7630  goto err;
7631  }
7632  }
7633  else
7634  {
7635  msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7636  goto err;
7637  }
7638  set_user_script(options,
7639  &options->auth_user_pass_verify_script,
7640  p[1], "auth-user-pass-verify", true);
7641  }
7642  else if (streq(p[0], "auth-gen-token"))
7643  {
7644  VERIFY_PERMISSION(OPT_P_GENERAL);
7645  options->auth_token_generate = true;
7646  options->auth_token_lifetime = p[1] ? positive_atoi(p[1]) : 0;
7647 
7648  for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
7649  {
7650  /* the second parameter can be the renewal time */
7651  if (i == 2 && positive_atoi(p[i]))
7652  {
7653  options->auth_token_renewal = positive_atoi(p[i]);
7654  }
7655  else if (streq(p[i], "external-auth"))
7656  {
7657  options->auth_token_call_auth = true;
7658  }
7659  else
7660  {
7661  msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
7662  }
7663  }
7664 
7665  }
7666  else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7667  {
7668  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7669  options->auth_token_secret_file = p[1];
7670  options->auth_token_secret_file_inline = is_inline;
7671 
7672  }
7673  else if (streq(p[0], "client-connect") && p[1])
7674  {
7675  VERIFY_PERMISSION(OPT_P_SCRIPT);
7676  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7677  {
7678  goto err;
7679  }
7680  set_user_script(options, &options->client_connect_script,
7681  p[1], "client-connect", true);
7682  }
7683  else if (streq(p[0], "client-crresponse") && p[1])
7684  {
7685  VERIFY_PERMISSION(OPT_P_SCRIPT);
7686  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7687  {
7688  goto err;
7689  }
7690  set_user_script(options, &options->client_crresponse_script,
7691  p[1], "client-crresponse", true);
7692  }
7693  else if (streq(p[0], "client-disconnect") && p[1])
7694  {
7695  VERIFY_PERMISSION(OPT_P_SCRIPT);
7696  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7697  {
7698  goto err;
7699  }
7700  set_user_script(options, &options->client_disconnect_script,
7701  p[1], "client-disconnect", true);
7702  }
7703  else if (streq(p[0], "learn-address") && p[1])
7704  {
7705  VERIFY_PERMISSION(OPT_P_SCRIPT);
7706  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7707  {
7708  goto err;
7709  }
7710  set_user_script(options, &options->learn_address_script,
7711  p[1], "learn-address", true);
7712  }
7713  else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7714  {
7715  VERIFY_PERMISSION(OPT_P_GENERAL);
7716  options->tmp_dir = p[1];
7717  }
7718  else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7719  {
7720  VERIFY_PERMISSION(OPT_P_GENERAL);
7721  options->client_config_dir = p[1];
7722  }
7723  else if (streq(p[0], "ccd-exclusive") && !p[1])
7724  {
7725  VERIFY_PERMISSION(OPT_P_GENERAL);
7726  options->ccd_exclusive = true;
7727  }
7728  else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7729  {
7730  int n_bcast_buf;
7731 
7732  VERIFY_PERMISSION(OPT_P_GENERAL);
7733  n_bcast_buf = atoi(p[1]);
7734  if (n_bcast_buf < 1)
7735  {
7736  msg(msglevel, "--bcast-buffers parameter must be > 0");
7737  }
7738  options->n_bcast_buf = n_bcast_buf;
7739  }
7740  else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7741  {
7742  int tcp_queue_limit;
7743 
7744  VERIFY_PERMISSION(OPT_P_GENERAL);
7745  tcp_queue_limit = atoi(p[1]);
7746  if (tcp_queue_limit < 1)
7747  {
7748  msg(msglevel, "--tcp-queue-limit parameter must be > 0");
7749  }
7750  options->tcp_queue_limit = tcp_queue_limit;
7751  }
7752 #if PORT_SHARE
7753  else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7754  {
7755  VERIFY_PERMISSION(OPT_P_GENERAL);
7756  options->port_share_host = p[1];
7757  options->port_share_port = p[2];
7758  options->port_share_journal_dir = p[3];
7759  }
7760 #endif
7761  else if (streq(p[0], "client-to-client") && !p[1])
7762  {
7763  VERIFY_PERMISSION(OPT_P_GENERAL);
7764  options->enable_c2c = true;
7765  }
7766  else if (streq(p[0], "duplicate-cn") && !p[1])
7767  {
7768  VERIFY_PERMISSION(OPT_P_GENERAL);
7769  options->duplicate_cn = true;
7770  }
7771  else if (streq(p[0], "iroute") && p[1] && !p[3])
7772  {
7773  VERIFY_PERMISSION(OPT_P_INSTANCE);
7774  option_iroute(options, p[1], p[2], msglevel);
7775  }
7776  else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7777  {
7778  VERIFY_PERMISSION(OPT_P_INSTANCE);
7779  option_iroute_ipv6(options, p[1], msglevel);
7780  }
7781  else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7782  {
7783  in_addr_t local, remote_netmask;
7784 
7785  VERIFY_PERMISSION(OPT_P_INSTANCE);
7786  local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7787  remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7788  if (local && remote_netmask)
7789  {
7790  options->push_ifconfig_defined = true;
7791  options->push_ifconfig_local = local;
7792  options->push_ifconfig_remote_netmask = remote_netmask;
7793  if (p[3])
7794  {
7795  options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7796  }
7797  }
7798  else
7799  {
7800  msg(msglevel, "cannot parse --ifconfig-push addresses");
7801  goto err;
7802  }
7803  }
7804  else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7805  {
7806  in_addr_t network, netmask;
7807 
7808  VERIFY_PERMISSION(OPT_P_GENERAL);
7809  network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7810  netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7811  if (network && netmask)
7812  {
7813  options->push_ifconfig_constraint_defined = true;
7814  options->push_ifconfig_constraint_network = network;
7815  options->push_ifconfig_constraint_netmask = netmask;
7816  }
7817  else
7818  {
7819  msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7820  goto err;
7821  }
7822  }
7823  else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7824  {
7825  struct in6_addr local, remote;
7826  unsigned int netbits;
7827 
7828  VERIFY_PERMISSION(OPT_P_INSTANCE);
7829 
7830  if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
7831  {
7832  msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7833  goto err;
7834  }
7835 
7836  if (p[2])
7837  {
7838  if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
7839  {
7840  msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7841  goto err;
7842  }
7843  }
7844  else
7845  {
7846  if (!options->ifconfig_ipv6_local
7847  || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
7848  NULL, msglevel ) )
7849  {
7850  msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7851  goto err;
7852  }
7853  }
7854 
7855  options->push_ifconfig_ipv6_defined = true;
7856  options->push_ifconfig_ipv6_local = local;
7857  options->push_ifconfig_ipv6_netbits = netbits;
7858  options->push_ifconfig_ipv6_remote = remote;
7859  options->push_ifconfig_ipv6_blocked = false;
7860  }
7861  else if (streq(p[0], "disable") && !p[1])
7862  {
7863  VERIFY_PERMISSION(OPT_P_INSTANCE);
7864  options->disable = true;
7865  }
7866  else if (streq(p[0], "tcp-nodelay") && !p[1])
7867  {
7868  VERIFY_PERMISSION(OPT_P_GENERAL);
7869  options->server_flags |= SF_TCP_NODELAY_HELPER;
7870  }
7871  else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7872  {
7873  int ageing_time, check_interval;
7874 
7875  VERIFY_PERMISSION(OPT_P_GENERAL);
7876  ageing_time = atoi(p[1]);
7877  if (p[2])
7878  {
7879  check_interval = atoi(p[2]);
7880  }
7881  else
7882  {
7883  check_interval = ageing_time;
7884  }
7885 
7886  if (ageing_time < 1 || check_interval < 1)
7887  {
7888  msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
7889  goto err;
7890  }
7891  options->stale_routes_ageing_time = ageing_time;
7892  options->stale_routes_check_interval = check_interval;
7893  }
7894 
7895  else if (streq(p[0], "client") && !p[1])
7896  {
7897  VERIFY_PERMISSION(OPT_P_GENERAL);
7898  options->client = true;
7899  }
7900  else if (streq(p[0], "pull") && !p[1])
7901  {
7902  VERIFY_PERMISSION(OPT_P_GENERAL);
7903  options->pull = true;
7904  }
7905  else if (streq(p[0], "push-continuation") && p[1] && !p[2])
7906  {
7907  VERIFY_PERMISSION(OPT_P_PULL_MODE);
7908  options->push_continuation = atoi(p[1]);
7909  }
7910  else if (streq(p[0], "auth-user-pass") && !p[2])
7911  {
7912  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7913  if (p[1])
7914  {
7915  options->auth_user_pass_file = p[1];
7916  options->auth_user_pass_file_inline = is_inline;
7917  }
7918  else
7919  {
7920  options->auth_user_pass_file = "stdin";
7921  }
7922  }
7923  else if (streq(p[0], "auth-retry") && p[1] && !p[2])
7924  {
7925  VERIFY_PERMISSION(OPT_P_GENERAL);
7926  auth_retry_set(msglevel, p[1]);
7927  }
7928 #ifdef ENABLE_MANAGEMENT
7929  else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3])
7930  {
7931  VERIFY_PERMISSION(OPT_P_GENERAL);
7932  options->sc_info.challenge_text = p[1];
7933  if (atoi(p[2]))
7934  {
7935  options->sc_info.flags |= SC_ECHO;
7936  }
7937  }
7938 #endif
7939  else if (streq(p[0], "msg-channel") && p[1])
7940  {
7941 #ifdef _WIN32
7942  VERIFY_PERMISSION(OPT_P_GENERAL);
7943  HANDLE process = GetCurrentProcess();
7944  HANDLE handle = (HANDLE) ((intptr_t) atoll(p[1]));
7945  if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
7946  FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
7947  {
7948  msg(msglevel, "could not duplicate service pipe handle");
7949  goto err;
7950  }
7951  options->route_method = ROUTE_METHOD_SERVICE;
7952 #else /* ifdef _WIN32 */
7953  msg(msglevel, "--msg-channel is only supported on Windows");
7954  goto err;
7955 #endif
7956  }
7957 #ifdef _WIN32
7958  else if (streq(p[0], "win-sys") && p[1] && !p[2])
7959  {
7960  VERIFY_PERMISSION(OPT_P_GENERAL);
7961  if (streq(p[1], "env"))
7962  {
7963  msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
7964  "This entry will now be ignored. "
7965  "Please remove this entry from your configuration file.");
7966  }
7967  else
7968  {
7969  set_win_sys_path(p[1], es);
7970  }
7971  }
7972  else if (streq(p[0], "route-method") && p[1] && !p[2])
7973  {
7974  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7975  if (streq(p[1], "adaptive"))
7976  {
7977  options->route_method = ROUTE_METHOD_ADAPTIVE;
7978  }
7979  else if (streq(p[1], "ipapi"))
7980  {
7981  options->route_method = ROUTE_METHOD_IPAPI;
7982  }
7983  else if (streq(p[1], "exe"))
7984  {
7985  options->route_method = ROUTE_METHOD_EXE;
7986  }
7987  else
7988  {
7989  msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
7990  goto err;
7991  }
7992  }
7993  else if (streq(p[0], "ip-win32") && p[1] && !p[4])
7994  {
7995  const int index = ascii2ipset(p[1]);
7996  struct tuntap_options *to = &options->tuntap_options;
7997 
7998  VERIFY_PERMISSION(OPT_P_DHCPDNS);
7999 
8000  if (index < 0)
8001  {
8002  msg(msglevel,
8003  "Bad --ip-win32 method: '%s'. Allowed methods: %s",
8004  p[1],
8005  ipset2ascii_all(&gc));
8006  goto err;
8007  }
8008 
8009  if (index == IPW32_SET_ADAPTIVE)
8010  {
8011  options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
8012  }
8013 
8014  if (index == IPW32_SET_DHCP_MASQ)
8015  {
8016  if (p[2])
8017  {
8018  if (!streq(p[2], "default"))
8019  {
8020  int offset = atoi(p[2]);
8021 
8022  if (!(offset > -256 && offset < 256))
8023  {
8024  msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
8025  goto err;
8026  }
8027 
8028  to->dhcp_masq_custom_offset = true;
8029  to->dhcp_masq_offset = offset;
8030  }
8031 
8032  if (p[3])
8033  {
8034  const int min_lease = 30;
8035  int lease_time;
8036  lease_time = atoi(p[3]);
8037  if (lease_time < min_lease)
8038  {
8039  msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
8040  goto err;
8041  }
8042  to->dhcp_lease_time = lease_time;
8043  }
8044  }
8045  }
8046  to->ip_win32_type = index;
8047  to->ip_win32_defined = true;
8048  }
8049 #endif /* ifdef _WIN32 */
8050  else if (streq(p[0], "dns") && p[1])
8051  {
8052  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8053 
8054  if (streq(p[1], "search-domains") && p[2])
8055  {
8056  dns_domain_list_append(&options->dns_options.search_domains, &p[2], &options->dns_options.gc);
8057  }
8058  else if (streq(p[1], "server") && p[2] && p[3] && p[4])
8059  {
8060  long priority;
8061  if (!dns_server_priority_parse(&priority, p[2], pull_mode))
8062  {
8063  msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
8064  goto err;
8065  }
8066 
8067  struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
8068 
8069  if (streq(p[3], "address") && p[4])
8070  {
8071  for (int i = 4; p[i]; ++i)
8072  {
8073  if (!dns_server_addr_parse(server, p[i]))
8074  {
8075  msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]);
8076  goto err;
8077  }
8078  }
8079  }
8080  else if (streq(p[3], "resolve-domains"))
8081  {
8082  dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
8083  }
8084  else if (streq(p[3], "dnssec") && !p[5])
8085  {
8086  if (streq(p[4], "yes"))
8087  {
8088  server->dnssec = DNS_SECURITY_YES;
8089  }
8090  else if (streq(p[4], "no"))
8091  {
8092  server->dnssec = DNS_SECURITY_NO;
8093  }
8094  else if (streq(p[4], "optional"))
8095  {
8096  server->dnssec = DNS_SECURITY_OPTIONAL;
8097  }
8098  else
8099  {
8100  msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
8101  goto err;
8102  }
8103  }
8104  else if (streq(p[3], "transport") && !p[5])
8105  {
8106  if (streq(p[4], "plain"))
8107  {
8108  server->transport = DNS_TRANSPORT_PLAIN;
8109  }
8110  else if (streq(p[4], "DoH"))
8111  {
8112  server->transport = DNS_TRANSPORT_HTTPS;
8113  }
8114  else if (streq(p[4], "DoT"))
8115  {
8116  server->transport = DNS_TRANSPORT_TLS;
8117  }
8118  else
8119  {
8120  msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
8121  goto err;
8122  }
8123  }
8124  else if (streq(p[3], "sni") && !p[5])
8125  {
8126  server->sni = p[4];
8127  }
8128  else
8129  {
8130  msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]);
8131  goto err;
8132  }
8133  }
8134  else
8135  {
8136  msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
8137  goto err;
8138  }
8139  }
8140 #if defined(_WIN32) || defined(TARGET_ANDROID)
8141  else if (streq(p[0], "dhcp-option") && p[1])
8142  {
8143  struct tuntap_options *o = &options->tuntap_options;
8144  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8145 
8146  if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX"))
8147  && p[2] && !p[3])
8148  {
8149  o->domain = p[2];
8150  o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8151  }
8152  else if (streq(p[1], "NBS") && p[2] && !p[3])
8153  {
8154  o->netbios_scope = p[2];
8155  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8156  }
8157  else if (streq(p[1], "NBT") && p[2] && !p[3])
8158  {
8159  int t;
8160  t = atoi(p[2]);
8161  if (!(t == 1 || t == 2 || t == 4 || t == 8))
8162  {
8163  msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8164  goto err;
8165  }
8166  o->netbios_node_type = t;
8167  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8168  }
8169  else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
8170  && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
8171  {
8172  if (strstr(p[2], ":"))
8173  {
8174  dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
8175  }
8176  else
8177  {
8178  dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel);
8179  o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8180  }
8181  }
8182  else if (streq(p[1], "WINS") && p[2] && !p[3])
8183  {
8184  dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8185  o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8186  }
8187  else if (streq(p[1], "NTP") && p[2] && !p[3])
8188  {
8189  dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8190  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8191  }
8192  else if (streq(p[1], "NBDD") && p[2] && !p[3])
8193  {
8194  dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8195  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8196  }
8197  else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
8198  {
8199  if (o->domain_search_list_len < N_SEARCH_LIST_LEN)
8200  {
8201  o->domain_search_list[o->domain_search_list_len++] = p[2];
8202  }
8203  else
8204  {
8205  msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
8206  p[1], N_SEARCH_LIST_LEN);
8207  }
8208  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8209  }
8210  else if (streq(p[1], "DISABLE-NBT") && !p[2])
8211  {
8212  o->disable_nbt = 1;
8213  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8214  }
8215 #if defined(TARGET_ANDROID)
8216  else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8217  {
8218  o->http_proxy_port = atoi(p[3]);
8219  o->http_proxy = p[2];
8220  }
8221 #endif
8222  else
8223  {
8224  msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
8225  goto err;
8226  }
8227  }
8228 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8229 #ifdef _WIN32
8230  else if (streq(p[0], "show-adapters") && !p[1])
8231  {
8232  VERIFY_PERMISSION(OPT_P_GENERAL);
8233  show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
8234  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8235  }
8236  else if (streq(p[0], "show-net") && !p[1])
8237  {
8238  VERIFY_PERMISSION(OPT_P_GENERAL);
8239  show_routes(M_INFO|M_NOPREFIX);
8240  show_adapters(M_INFO|M_NOPREFIX);
8241  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8242  }
8243  else if (streq(p[0], "show-net-up") && !p[1])
8244  {
8245  VERIFY_PERMISSION(OPT_P_UP);
8246  options->show_net_up = true;
8247  }
8248  else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8249  {
8250  int s;
8251  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8252  s = atoi(p[1]);
8253  if (s < 0 || s >= 256)
8254  {
8255  msg(msglevel, "--tap-sleep parameter must be between 0 and 255");
8256  goto err;
8257  }
8258  options->tuntap_options.tap_sleep = s;
8259  }
8260  else if (streq(p[0], "dhcp-renew") && !p[1])
8261  {
8262  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8263  options->tuntap_options.dhcp_renew = true;
8264  }
8265  else if (streq(p[0], "dhcp-pre-release") && !p[1])
8266  {
8267  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8268  options->tuntap_options.dhcp_pre_release = true;
8269  options->tuntap_options.dhcp_renew = true;
8270  }
8271  else if (streq(p[0], "dhcp-release") && !p[1])
8272  {
8273  msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8274  }
8275  else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8276  {
8277  unsigned int adapter_index;
8278  VERIFY_PERMISSION(OPT_P_GENERAL);
8279  set_debug_level(options->verbosity, SDL_CONSTRAIN);
8280  adapter_index = atou(p[1]);
8281  sleep(options->tuntap_options.tap_sleep);
8282  if (options->tuntap_options.dhcp_pre_release)
8283  {
8284  dhcp_release_by_adapter_index(adapter_index);
8285  }
8286  if (options->tuntap_options.dhcp_renew)
8287  {
8288  dhcp_renew_by_adapter_index(adapter_index);
8289  }
8290  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8291  }
8292  else if (streq(p[0], "register-dns") && !p[1])
8293  {
8294  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8295  options->tuntap_options.register_dns = true;
8296  }
8297  else if (streq(p[0], "block-outside-dns") && !p[1])
8298  {
8299  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8300  options->block_outside_dns = true;
8301  }
8302  else if (streq(p[0], "rdns-internal") && !p[1])
8303  /* standalone method for internal use
8304  *
8305  * (if --register-dns is set, openvpn needs to call itself in a
8306  * sub-process to execute the required functions in a non-blocking
8307  * way, and uses --rdns-internal to signal that to itself)
8308  */
8309  {
8310  VERIFY_PERMISSION(OPT_P_GENERAL);
8311  set_debug_level(options->verbosity, SDL_CONSTRAIN);
8312  if (options->tuntap_options.register_dns)
8313  {
8314  ipconfig_register_dns(NULL);
8315  }
8316  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8317  }
8318  else if (streq(p[0], "show-valid-subnets") && !p[1])
8319  {
8320  VERIFY_PERMISSION(OPT_P_GENERAL);
8321  show_valid_win32_tun_subnets();
8322  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8323  }
8324  else if (streq(p[0], "pause-exit") && !p[1])
8325  {
8326  VERIFY_PERMISSION(OPT_P_GENERAL);
8327  set_pause_exit_win32();
8328  }
8329  else if (streq(p[0], "service") && p[1] && !p[3])
8330  {
8331  VERIFY_PERMISSION(OPT_P_GENERAL);
8332  options->exit_event_name = p[1];
8333  if (p[2])
8334  {
8335  options->exit_event_initial_state = (atoi(p[2]) != 0);
8336  }
8337  }
8338  else if (streq(p[0], "allow-nonadmin") && !p[2])
8339  {
8340  VERIFY_PERMISSION(OPT_P_GENERAL);
8341  tap_allow_nonadmin_access(p[1]);
8342  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8343  }
8344  else if (streq(p[0], "user") && p[1] && !p[2])
8345  {
8346  VERIFY_PERMISSION(OPT_P_GENERAL);
8347  msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8348  }
8349  else if (streq(p[0], "group") && p[1] && !p[2])
8350  {
8351  VERIFY_PERMISSION(OPT_P_GENERAL);
8352  msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8353  }
8354 #else /* ifdef _WIN32 */
8355  else if (streq(p[0], "user") && p[1] && !p[2])
8356  {
8357  VERIFY_PERMISSION(OPT_P_GENERAL);
8358  options->username = p[1];
8359  }
8360  else if (streq(p[0], "group") && p[1] && !p[2])
8361  {
8362  VERIFY_PERMISSION(OPT_P_GENERAL);
8363  options->groupname = p[1];
8364  }
8365  else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8366  {
8367  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8368  setenv_foreign_option(options, (const char **)p, 3, es);
8369  }
8370  else if (streq(p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
8371  {
8372  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8373  }
8374 #endif /* ifdef _WIN32 */
8375 #if PASSTOS_CAPABILITY
8376  else if (streq(p[0], "passtos") && !p[1])
8377  {
8378  VERIFY_PERMISSION(OPT_P_GENERAL);
8379  options->passtos = true;
8380  }
8381 #endif
8382  else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8383  {
8384  VERIFY_PERMISSION(OPT_P_GENERAL);
8385 
8386  if (streq(p[1], "no"))
8387  {
8388  options->comp.flags =
8389  COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
8390  if (comp_non_stub_enabled(&options->comp))
8391  {
8392  msg(msglevel, "'--allow-compression no' conflicts with "
8393  " enabling compression");
8394  }
8395  }
8396  else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8397  {
8398  /* Also printed on a push to hint at configuration problems */
8399  msg(msglevel, "Cannot set allow-compression to '%s' "
8400  "after set to 'no'", p[1]);
8401  goto err;
8402  }
8403  else if (streq(p[1], "asym"))
8404  {
8405  options->comp.flags &= ~COMP_F_ALLOW_COMPRESS;
8406  options->comp.flags |= COMP_F_ALLOW_ASYM;
8407  }
8408  else if (streq(p[1], "yes"))
8409  {
8410  msg(M_WARN, "WARNING: Compression for sending and receiving enabled. Compression has "
8411  "been used in the past to break encryption. Allowing compression allows "
8412  "attacks that break encryption. Using \"--allow-compression yes\" is "
8413  "strongly discouraged for common usage. See --compress in the manual "
8414  "page for more information ");
8415 
8416  options->comp.flags |= COMP_F_ALLOW_COMPRESS;
8417  }
8418  else
8419  {
8420  msg(msglevel, "bad allow-compression option: %s -- "
8421  "must be 'yes', 'no', or 'asym'", p[1]);
8422  goto err;
8423  }
8424  }
8425  else if (streq(p[0], "comp-lzo") && !p[2])
8426  {
8427  VERIFY_PERMISSION(OPT_P_COMP);
8428 
8429  /* All lzo variants do not use swap */
8430  options->comp.flags &= ~COMP_F_SWAP;
8431 
8432  if (p[1] && streq(p[1], "no"))
8433  {
8434  options->comp.alg = COMP_ALG_STUB;
8435  options->comp.flags &= ~COMP_F_ADAPTIVE;
8436  }
8437  else if (p[1])
8438  {
8439  if (streq(p[1], "yes"))
8440  {
8441  options->comp.alg = COMP_ALG_LZO;
8442  options->comp.flags &= ~COMP_F_ADAPTIVE;
8443  }
8444  else if (streq(p[1], "adaptive"))
8445  {
8446  options->comp.alg = COMP_ALG_LZO;
8447  options->comp.flags |= COMP_F_ADAPTIVE;
8448  }
8449  else
8450  {
8451  msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
8452  goto err;
8453  }
8454  }
8455  else
8456  {
8457  options->comp.alg = COMP_ALG_LZO;
8458  options->comp.flags |= COMP_F_ADAPTIVE;
8459  }
8460  show_compression_warning(&options->comp);
8461  }
8462  else if (streq(p[0], "comp-noadapt") && !p[1])
8463  {
8464  /*
8465  * We do not need to check here if we allow compression since
8466  * it only modifies a flag if compression is enabled
8467  */
8468  VERIFY_PERMISSION(OPT_P_COMP);
8469  options->comp.flags &= ~COMP_F_ADAPTIVE;
8470  }
8471  else if (streq(p[0], "compress") && !p[2])
8472  {
8473  VERIFY_PERMISSION(OPT_P_COMP);
8474  const char *alg = "stub";
8475  if (p[1])
8476  {
8477  alg = p[1];
8478  }
8479 
8480  if (streq(alg, "stub"))
8481  {
8482  options->comp.alg = COMP_ALG_STUB;
8483  options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
8484  }
8485  else if (streq(alg, "stub-v2"))
8486  {
8487  options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8488  options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8489  }
8490  else if (streq(alg, "migrate"))
8491  {
8492  options->comp.alg = COMP_ALG_UNDEF;
8493  options->comp.flags = COMP_F_MIGRATE;
8494  }
8495  else if (streq(alg, "lzo"))
8496  {
8497  options->comp.alg = COMP_ALG_LZO;
8498  options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP);
8499  }
8500  else if (streq(alg, "lz4"))
8501  {
8502  options->comp.alg = COMP_ALG_LZ4;
8503  options->comp.flags |= COMP_F_SWAP;
8504  }
8505  else if (streq(alg, "lz4-v2"))
8506  {
8507  options->comp.alg = COMP_ALGV2_LZ4;
8508  }
8509  else
8510  {
8511  msg(msglevel, "bad comp option: %s", alg);
8512  goto err;
8513  }
8514 
8515  show_compression_warning(&options->comp);
8516  }
8517  else if (streq(p[0], "show-ciphers") && !p[1])
8518  {
8519  VERIFY_PERMISSION(OPT_P_GENERAL);
8520  options->show_ciphers = true;
8521  }
8522  else if (streq(p[0], "show-digests") && !p[1])
8523  {
8524  VERIFY_PERMISSION(OPT_P_GENERAL);
8525  options->show_digests = true;
8526  }
8527  else if (streq(p[0], "show-engines") && !p[1])
8528  {
8529  VERIFY_PERMISSION(OPT_P_GENERAL);
8530  options->show_engines = true;
8531  }
8532  else if (streq(p[0], "key-direction") && p[1] && !p[2])
8533  {
8534  int key_direction;
8535 
8536  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
8537 
8538  key_direction = ascii2keydirection(msglevel, p[1]);
8539  if (key_direction >= 0)
8540  {
8541  if (permission_mask & OPT_P_GENERAL)
8542  {
8543  options->key_direction = key_direction;
8544  }
8545  else if (permission_mask & OPT_P_CONNECTION)
8546  {
8547  options->ce.key_direction = key_direction;
8548  }
8549  }
8550  else
8551  {
8552  goto err;
8553  }
8554  }
8555  else if (streq(p[0], "secret") && p[1] && !p[3])
8556  {
8557  msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8558  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8559  options->shared_secret_file = p[1];
8560  options->shared_secret_file_inline = is_inline;
8561  if (!is_inline && p[2])
8562  {
8563  int key_direction;
8564 
8565  key_direction = ascii2keydirection(msglevel, p[2]);
8566  if (key_direction >= 0)
8567  {
8568  options->key_direction = key_direction;
8569  }
8570  else
8571  {
8572  goto err;
8573  }
8574  }
8575  }
8576  else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
8577  {
8578  VERIFY_PERMISSION(OPT_P_GENERAL);
8579  options->allow_deprecated_insecure_static_crypto = true;
8580 
8581  }
8582  else if (streq(p[0], "genkey") && !p[4])
8583  {
8584  VERIFY_PERMISSION(OPT_P_GENERAL);
8585  options->genkey = true;
8586  if (!p[1])
8587  {
8588  options->genkey_type = GENKEY_SECRET;
8589  }
8590  else
8591  {
8592  if (streq(p[1], "secret") || streq(p[1], "tls-auth")
8593  || streq(p[1], "tls-crypt"))
8594  {
8595  options->genkey_type = GENKEY_SECRET;
8596  }
8597  else if (streq(p[1], "tls-crypt-v2-server"))
8598  {
8599  options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
8600  }
8601  else if (streq(p[1], "tls-crypt-v2-client"))
8602  {
8603  options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
8604  if (p[3])
8605  {
8606  options->genkey_extra_data = p[3];
8607  }
8608  }
8609  else if (streq(p[1], "auth-token"))
8610  {
8611  options->genkey_type = GENKEY_AUTH_TOKEN;
8612  }
8613  else
8614  {
8615  msg(msglevel, "unknown --genkey type: %s", p[1]);
8616  }
8617 
8618  }
8619  if (p[2])
8620  {
8621  options->genkey_filename = p[2];
8622  }
8623  }
8624  else if (streq(p[0], "auth") && p[1] && !p[2])
8625  {
8626  VERIFY_PERMISSION(OPT_P_GENERAL);
8627  options->authname = p[1];
8628  }
8629  else if (streq(p[0], "cipher") && p[1] && !p[2])
8630  {
8631  VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
8632  options->ciphername = p[1];
8633  }
8634  else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8635  {
8636  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8637  options->ciphername = p[1];
8638  options->enable_ncp_fallback = true;
8639  }
8640  else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
8641  && p[1] && !p[2])
8642  {
8643  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8644  if (streq(p[0], "ncp-ciphers"))
8645  {
8646  msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8647  " '--data-ciphers' (renamed in OpenVPN 2.5).");
8648  }
8649  options->ncp_ciphers = p[1];
8650  }
8651  else if (streq(p[0], "key-derivation") && p[1])
8652  {
8653  /* NCP only option that is pushed by the server to enable EKM,
8654  * should not be used by normal users in config files*/
8655  VERIFY_PERMISSION(OPT_P_NCP)
8656 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8657  if (streq(p[1], "tls-ekm"))
8658  {
8659  options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8660  }
8661  else
8662 #endif
8663  {
8664  msg(msglevel, "Unknown key-derivation method %s", p[1]);
8665  }
8666  }
8667  else if (streq(p[0], "protocol-flags") && p[1])
8668  {
8669  /* NCP only option that is pushed by the server to enable protocol
8670  * features that are negotiated, should not be used by normal users
8671  * in config files */
8672  VERIFY_PERMISSION(OPT_P_NCP)
8673  for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8674  {
8675  if (streq(p[j], "cc-exit"))
8676  {
8677  options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
8678  }
8679 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8680  else if (streq(p[j], "tls-ekm"))
8681  {
8682  options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8683  }
8684  else if (streq(p[j], "dyn-tls-crypt"))
8685  {
8686  options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
8687  }
8688 #endif
8689  else
8690  {
8691  msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
8692  }
8693  }
8694  }
8695  else if (streq(p[0], "force-tls-key-material-export"))
8696  {
8697  VERIFY_PERMISSION(OPT_P_GENERAL);
8698  options->force_key_material_export = true;
8699  }
8700  else if (streq(p[0], "prng") && p[1] && !p[3])
8701  {
8702  msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8703  }
8704  else if (streq(p[0], "no-replay") && !p[1])
8705  {
8706  VERIFY_PERMISSION(OPT_P_GENERAL);
8707  /* always error out, this breaks the connection */
8708  msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
8709  "Update your configuration.");
8710  }
8711  else if (streq(p[0], "replay-window") && !p[3])
8712  {
8713  VERIFY_PERMISSION(OPT_P_GENERAL);
8714  if (p[1])
8715  {
8716  int replay_window;
8717 
8718  replay_window = atoi(p[1]);
8719  if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
8720  {
8721  msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
8722  replay_window,
8723  MIN_SEQ_BACKTRACK,
8724  MAX_SEQ_BACKTRACK);
8725  goto err;
8726  }
8727  options->replay_window = replay_window;
8728 
8729  if (p[2])
8730  {
8731  int replay_time;
8732 
8733  replay_time = atoi(p[2]);
8734  if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
8735  {
8736  msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
8737  replay_time,
8738  MIN_TIME_BACKTRACK,
8739  MAX_TIME_BACKTRACK);
8740  goto err;
8741  }
8742  options->replay_time = replay_time;
8743  }
8744  }
8745  else
8746  {
8747  msg(msglevel, "replay-window option is missing window size parameter");
8748  goto err;
8749  }
8750  }
8751  else if (streq(p[0], "mute-replay-warnings") && !p[1])
8752  {
8753  VERIFY_PERMISSION(OPT_P_GENERAL);
8754  options->mute_replay_warnings = true;
8755  }
8756  else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8757  {
8758  VERIFY_PERMISSION(OPT_P_GENERAL);
8759  options->packet_id_file = p[1];
8760  }
8761  else if (streq(p[0], "test-crypto") && !p[1])
8762  {
8763  VERIFY_PERMISSION(OPT_P_GENERAL);
8764  options->test_crypto = true;
8765  }
8766 #ifndef ENABLE_CRYPTO_MBEDTLS
8767  else if (streq(p[0], "engine") && !p[2])
8768  {
8769  VERIFY_PERMISSION(OPT_P_GENERAL);
8770  if (p[1])
8771  {
8772  options->engine = p[1];
8773  }
8774  else
8775  {
8776  options->engine = "auto";
8777  }
8778  }
8779 #endif /* ENABLE_CRYPTO_MBEDTLS */
8780  else if (streq(p[0], "providers") && p[1])
8781  {
8782  for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8783  {
8784  options->providers.names[j] = p[j];
8785  }
8786  }
8787 #ifdef ENABLE_PREDICTION_RESISTANCE
8788  else if (streq(p[0], "use-prediction-resistance") && !p[1])
8789  {
8790  VERIFY_PERMISSION(OPT_P_GENERAL);
8791  options->use_prediction_resistance = true;
8792  }
8793 #endif
8794  else if (streq(p[0], "show-tls") && !p[1])
8795  {
8796  VERIFY_PERMISSION(OPT_P_GENERAL);
8797  options->show_tls_ciphers = true;
8798  }
8799  else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8800  {
8801  VERIFY_PERMISSION(OPT_P_GENERAL);
8802  options->show_curves = true;
8803  }
8804  else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8805  {
8806  VERIFY_PERMISSION(OPT_P_GENERAL);
8807  msg(M_WARN, "Consider setting groups/curves preference with "
8808  "tls-groups instead of forcing a specific curve with "
8809  "ecdh-curve.");
8810  options->ecdh_curve = p[1];
8811  }
8812  else if (streq(p[0], "tls-server") && !p[1])
8813  {
8814  VERIFY_PERMISSION(OPT_P_GENERAL);
8815  options->tls_server = true;
8816  }
8817  else if (streq(p[0], "tls-client") && !p[1])
8818  {
8819  VERIFY_PERMISSION(OPT_P_GENERAL);
8820  options->tls_client = true;
8821  }
8822  else if (streq(p[0], "ca") && p[1] && !p[2])
8823  {
8824  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8825  options->ca_file = p[1];
8826  options->ca_file_inline = is_inline;
8827  }
8828 #ifndef ENABLE_CRYPTO_MBEDTLS
8829  else if (streq(p[0], "capath") && p[1] && !p[2])
8830  {
8831  VERIFY_PERMISSION(OPT_P_GENERAL);
8832  options->ca_path = p[1];
8833  }
8834 #endif /* ENABLE_CRYPTO_MBEDTLS */
8835  else if (streq(p[0], "dh") && p[1] && !p[2])
8836  {
8837  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8838  options->dh_file = p[1];
8839  options->dh_file_inline = is_inline;
8840  }
8841  else if (streq(p[0], "cert") && p[1] && !p[2])
8842  {
8843  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8844  options->cert_file = p[1];
8845  options->cert_file_inline = is_inline;
8846  }
8847  else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8848  {
8849  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8850  options->extra_certs_file = p[1];
8851  options->extra_certs_file_inline = is_inline;
8852  }
8853  else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8854  || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8855  {
8856  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8857 
8858  int verify_hash_depth = 0;
8859  if (streq(p[0], "verify-hash"))
8860  {
8861  msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8862  "You should switch to the either use the level 1 certificate as "
8863  "--ca option, use --tls-verify or use --peer-fingerprint");
8864  /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8865  verify_hash_depth = 1;
8866  }
8867 
8868  options->verify_hash_algo = MD_SHA256;
8869 
8870  int digest_len = SHA256_DIGEST_LENGTH;
8871 
8872  if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
8873  {
8874  msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
8875  " --peer-fingerprint are mutually exclusive", p[0]);
8876  goto err;
8877  }
8878 
8879  if (streq(p[0], "verify-hash"))
8880  {
8881  if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
8882  {
8883  options->verify_hash_algo = MD_SHA1;
8884  digest_len = SHA_DIGEST_LENGTH;
8885  }
8886  else if (p[2] && !streq(p[2], "SHA256"))
8887  {
8888  msg(msglevel, "invalid or unsupported hashing algorithm: %s "
8889  "(only SHA1 and SHA256 are supported)", p[2]);
8890  goto err;
8891  }
8892  }
8893 
8894  struct verify_hash_list *newlist;
8895  newlist = parse_hash_fingerprint_multiline(p[1], digest_len,
8896  msglevel, &options->gc);
8897 
8898  /* Append the new list to the end of our current list */
8899  if (!options->verify_hash)
8900  {
8901  options->verify_hash = newlist;
8902  options->verify_hash_depth = verify_hash_depth;
8903  }
8904  else
8905  {
8906  /* since both the old and new list can have multiple entries
8907  * we need to go to the end of one of them to concatenate them */
8908  struct verify_hash_list *listend = options->verify_hash;
8909  while (listend->next)
8910  {
8911  listend = listend->next;
8912  }
8913  listend->next = newlist;
8914  }
8915  }
8916 #if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
8917  else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
8918  {
8919  VERIFY_PERMISSION(OPT_P_GENERAL);
8920  options->cryptoapi_cert = p[1];
8921  }
8922 #endif
8923  else if (streq(p[0], "key") && p[1] && !p[2])
8924  {
8925  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8926  options->priv_key_file = p[1];
8927  options->priv_key_file_inline = is_inline;
8928  }
8929  else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
8930  {
8931  int ver;
8932  VERIFY_PERMISSION(OPT_P_GENERAL);
8933  ver = tls_version_parse(p[1], p[2]);
8934  if (ver == TLS_VER_BAD)
8935  {
8936  msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
8937  goto err;
8938  }
8939  options->ssl_flags &=
8940  ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
8941  options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
8942  }
8943  else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
8944  {
8945  int ver;
8946  VERIFY_PERMISSION(OPT_P_GENERAL);
8947  ver = tls_version_parse(p[1], NULL);
8948  if (ver == TLS_VER_BAD)
8949  {
8950  msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
8951  goto err;
8952  }
8953  options->ssl_flags &=
8954  ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
8955  options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
8956  }
8957 #ifndef ENABLE_CRYPTO_MBEDTLS
8958  else if (streq(p[0], "pkcs12") && p[1] && !p[2])
8959  {
8960  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8961  options->pkcs12_file = p[1];
8962  options->pkcs12_file_inline = is_inline;
8963  }
8964 #endif /* ENABLE_CRYPTO_MBEDTLS */
8965  else if (streq(p[0], "askpass") && !p[2])
8966  {
8967  VERIFY_PERMISSION(OPT_P_GENERAL);
8968  if (p[1])
8969  {
8970  options->key_pass_file = p[1];
8971  }
8972  else
8973  {
8974  options->key_pass_file = "stdin";
8975  }
8976  }
8977  else if (streq(p[0], "auth-nocache") && !p[1])
8978  {
8979  VERIFY_PERMISSION(OPT_P_GENERAL);
8980  ssl_set_auth_nocache();
8981  }
8982  else if (streq(p[0], "auth-token") && p[1] && !p[2])
8983  {
8984  VERIFY_PERMISSION(OPT_P_ECHO);
8985  ssl_set_auth_token(p[1]);
8986 #ifdef ENABLE_MANAGEMENT
8987  if (management)
8988  {
8989  management_auth_token(management, p[1]);
8990  }
8991 #endif
8992  }
8993  else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
8994  {
8995  VERIFY_PERMISSION(OPT_P_ECHO);
8996  ssl_set_auth_token_user(p[1]);
8997  }
8998  else if (streq(p[0], "single-session") && !p[1])
8999  {
9000  VERIFY_PERMISSION(OPT_P_GENERAL);
9001  options->single_session = true;
9002  }
9003  else if (streq(p[0], "push-peer-info") && !p[1])
9004  {
9005  VERIFY_PERMISSION(OPT_P_GENERAL);
9006  options->push_peer_info = true;
9007  }
9008  else if (streq(p[0], "tls-exit") && !p[1])
9009  {
9010  VERIFY_PERMISSION(OPT_P_GENERAL);
9011  options->tls_exit = true;
9012  }
9013  else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
9014  {
9015  VERIFY_PERMISSION(OPT_P_GENERAL);
9016  options->cipher_list = p[1];
9017  }
9018  else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
9019  {
9020  VERIFY_PERMISSION(OPT_P_GENERAL);
9021  options->tls_cert_profile = p[1];
9022  }
9023  else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
9024  {
9025  VERIFY_PERMISSION(OPT_P_GENERAL);
9026  options->cipher_list_tls13 = p[1];
9027  }
9028  else if (streq(p[0], "tls-groups") && p[1] && !p[2])
9029  {
9030  VERIFY_PERMISSION(OPT_P_GENERAL);
9031  options->tls_groups = p[1];
9032  }
9033  else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
9034  || !p[2]))
9035  {
9036  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
9037  if (p[2] && streq(p[2], "dir"))
9038  {
9039  options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
9040  }
9041  options->crl_file = p[1];
9042  options->crl_file_inline = is_inline;
9043  }
9044  else if (streq(p[0], "tls-verify") && p[1])
9045  {
9046  VERIFY_PERMISSION(OPT_P_SCRIPT);
9047  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
9048  {
9049  goto err;
9050  }
9051  set_user_script(options, &options->tls_verify,
9052  string_substitute(p[1], ',', ' ', &options->gc),
9053  "tls-verify", true);
9054  }
9055  else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
9056  {
9057  VERIFY_PERMISSION(OPT_P_SCRIPT);
9058  options->tls_export_peer_cert_dir = p[1];
9059  }
9060  else if (streq(p[0], "compat-names"))
9061  {
9062  VERIFY_PERMISSION(OPT_P_GENERAL);
9063  msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
9064  "Update your configuration.");
9065  goto err;
9066  }
9067  else if (streq(p[0], "no-name-remapping") && !p[1])
9068  {
9069  VERIFY_PERMISSION(OPT_P_GENERAL);
9070  msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
9071  "Update your configuration.");
9072  goto err;
9073  }
9074  else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
9075  {
9076  int type = VERIFY_X509_SUBJECT_DN;
9077  VERIFY_PERMISSION(OPT_P_GENERAL);
9078  if (p[2])
9079  {
9080  if (streq(p[2], "subject"))
9081  {
9082  type = VERIFY_X509_SUBJECT_DN;
9083  }
9084  else if (streq(p[2], "name"))
9085  {
9086  type = VERIFY_X509_SUBJECT_RDN;
9087  }
9088  else if (streq(p[2], "name-prefix"))
9089  {
9090  type = VERIFY_X509_SUBJECT_RDN_PREFIX;
9091  }
9092  else
9093  {
9094  msg(msglevel, "unknown X.509 name type: %s", p[2]);
9095  goto err;
9096  }
9097  }
9098  options->verify_x509_type = type;
9099  options->verify_x509_name = p[1];
9100  }
9101  else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
9102  {
9103 #ifdef ENABLE_CRYPTO_MBEDTLS
9104  msg(msglevel, "--ns-cert-type is not available with mbedtls.");
9105  goto err;
9106 #else
9107  VERIFY_PERMISSION(OPT_P_GENERAL);
9108  if (streq(p[1], "server"))
9109  {
9110  options->ns_cert_type = NS_CERT_CHECK_SERVER;
9111  }
9112  else if (streq(p[1], "client"))
9113  {
9114  options->ns_cert_type = NS_CERT_CHECK_CLIENT;
9115  }
9116  else
9117  {
9118  msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
9119  goto err;
9120  }
9121 #endif /* ENABLE_CRYPTO_MBEDTLS */
9122  }
9123  else if (streq(p[0], "remote-cert-ku"))
9124  {
9125  VERIFY_PERMISSION(OPT_P_GENERAL);
9126 
9127  size_t j;
9128  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9129  {
9130  sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
9131  }
9132  if (j == 1)
9133  {
9134  /* No specific KU required, but require KU to be present */
9135  options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9136  }
9137  }
9138  else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
9139  {
9140  VERIFY_PERMISSION(OPT_P_GENERAL);
9141  options->remote_cert_eku = p[1];
9142  }
9143  else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
9144  {
9145  VERIFY_PERMISSION(OPT_P_GENERAL);
9146 
9147  if (streq(p[1], "server"))
9148  {
9149  options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9150  options->remote_cert_eku = "TLS Web Server Authentication";
9151  }
9152  else if (streq(p[1], "client"))
9153  {
9154  options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9155  options->remote_cert_eku = "TLS Web Client Authentication";
9156  }
9157  else
9158  {
9159  msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
9160  goto err;
9161  }
9162  }
9163  else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
9164  {
9165  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9166  options->tls_timeout = positive_atoi(p[1]);
9167  }
9168  else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
9169  {
9170  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9171  options->renegotiate_bytes = positive_atoi(p[1]);
9172  }
9173  else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
9174  {
9175  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9176  options->renegotiate_packets = positive_atoi(p[1]);
9177  }
9178  else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
9179  {
9180  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9181  options->renegotiate_seconds = positive_atoi(p[1]);
9182  if (p[2])
9183  {
9184  options->renegotiate_seconds_min = positive_atoi(p[2]);
9185  }
9186  }
9187  else if (streq(p[0], "hand-window") && p[1] && !p[2])
9188  {
9189  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9190  options->handshake_window = positive_atoi(p[1]);
9191  }
9192  else if (streq(p[0], "tran-window") && p[1] && !p[2])
9193  {
9194  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9195  options->transition_window = positive_atoi(p[1]);
9196  }
9197  else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9198  {
9199  int key_direction = -1;
9200 
9201  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9202 
9203  if (permission_mask & OPT_P_GENERAL)
9204  {
9205  options->tls_auth_file = p[1];
9206  options->tls_auth_file_inline = is_inline;
9207 
9208  if (!is_inline && p[2])
9209  {
9210  key_direction = ascii2keydirection(msglevel, p[2]);
9211  if (key_direction < 0)
9212  {
9213  goto err;
9214  }
9215  options->key_direction = key_direction;
9216  }
9217 
9218  }
9219  else if (permission_mask & OPT_P_CONNECTION)
9220  {
9221  options->ce.tls_auth_file = p[1];
9222  options->ce.tls_auth_file_inline = is_inline;
9223  options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
9224 
9225  if (!is_inline && p[2])
9226  {
9227  key_direction = ascii2keydirection(msglevel, p[2]);
9228  if (key_direction < 0)
9229  {
9230  goto err;
9231  }
9232  options->ce.key_direction = key_direction;
9233  }
9234  }
9235  }
9236  else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9237  {
9238  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9239  if (permission_mask & OPT_P_GENERAL)
9240  {
9241  options->tls_crypt_file = p[1];
9242  options->tls_crypt_file_inline = is_inline;
9243  }
9244  else if (permission_mask & OPT_P_CONNECTION)
9245  {
9246  options->ce.tls_crypt_file = p[1];
9247  options->ce.tls_crypt_file_inline = is_inline;
9248  }
9249  }
9250  else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9251  {
9252  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9253  if (permission_mask & OPT_P_GENERAL)
9254  {
9255  options->tls_crypt_v2_file = p[1];
9256  options->tls_crypt_v2_file_inline = is_inline;
9257  }
9258  else if (permission_mask & OPT_P_CONNECTION)
9259  {
9260  options->ce.tls_crypt_v2_file = p[1];
9261  options->ce.tls_crypt_v2_file_inline = is_inline;
9262  }
9263 
9264  if (p[2] && streq(p[2], "force-cookie"))
9265  {
9266  options->ce.tls_crypt_v2_force_cookie = true;
9267  }
9268  else if (p[2] && streq(p[2], "allow-noncookie"))
9269  {
9270  options->ce.tls_crypt_v2_force_cookie = false;
9271  }
9272  else if (p[2])
9273  {
9274  msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9275  }
9276  }
9277  else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9278  {
9279  VERIFY_PERMISSION(OPT_P_GENERAL);
9280  options->tls_crypt_v2_verify_script = p[1];
9281  }
9282  else if (streq(p[0], "x509-track") && p[1] && !p[2])
9283  {
9284  VERIFY_PERMISSION(OPT_P_GENERAL);
9285  x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9286  }
9287 #ifdef ENABLE_X509ALTUSERNAME
9288  else if (streq(p[0], "x509-username-field") && p[1])
9289  {
9290  /* This option used to automatically upcase the fieldnames passed as the
9291  * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is
9292  * fine-tuned by only upcasing Subject field attribute names which consist
9293  * of all lower-case characters. Mixed-case attributes such as
9294  * "emailAddress" are left as-is. An option parameter having the "ext:"
9295  * prefix for matching X.509v3 extended fields will also remain unchanged.
9296  */
9297  VERIFY_PERMISSION(OPT_P_GENERAL);
9298  for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9299  {
9300  char *s = p[j];
9301 
9302  if (strncmp("ext:", s, 4) != 0)
9303  {
9304  size_t i = 0;
9305  while (s[i] && !isupper(s[i]))
9306  {
9307  i++;
9308  }
9309  if (strlen(s) == i)
9310  {
9311  while ((*s = toupper(*s)) != '\0')
9312  {
9313  s++;
9314  }
9315  msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
9316  "--x509-username-field parameter to '%s'; please update your"
9317  "configuration", p[j]);
9318  }
9319  }
9320  else if (!x509_username_field_ext_supported(s+4))
9321  {
9322  msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9323  }
9324  options->x509_username_field[j-1] = p[j];
9325  }
9326  }
9327 #endif /* ENABLE_X509ALTUSERNAME */
9328 #ifdef ENABLE_PKCS11
9329  else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9330  {
9331  char *provider = p[1];
9332  bool cert_private = (p[2] == NULL ? false : ( atoi(p[2]) != 0 ));
9333 
9334 #ifdef DEFAULT_PKCS11_MODULE
9335  if (!provider)
9336  {
9337  provider = DEFAULT_PKCS11_MODULE;
9338  }
9339  else if (!p[2])
9340  {
9341  char *endp = NULL;
9342  int i = strtol(provider, &endp, 10);
9343 
9344  if (*endp == 0)
9345  {
9346  /* There was one argument, and it was purely numeric.
9347  * Interpret it as the cert_private argument */
9348  provider = DEFAULT_PKCS11_MODULE;
9349  cert_private = i;
9350  }
9351  }
9352 #else /* ifdef DEFAULT_PKCS11_MODULE */
9353  if (!provider)
9354  {
9355  msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9356  goto err;
9357  }
9358 #endif /* ifdef DEFAULT_PKCS11_MODULE */
9359  VERIFY_PERMISSION(OPT_P_GENERAL);
9360 
9361  set_debug_level(options->verbosity, SDL_CONSTRAIN);
9362  show_pkcs11_ids(provider, cert_private);
9363  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9364  }
9365  else if (streq(p[0], "pkcs11-providers") && p[1])
9366  {
9367  int j;
9368 
9369  VERIFY_PERMISSION(OPT_P_GENERAL);
9370 
9371  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9372  {
9373  options->pkcs11_providers[j-1] = p[j];
9374  }
9375  }
9376  else if (streq(p[0], "pkcs11-protected-authentication"))
9377  {
9378  int j;
9379 
9380  VERIFY_PERMISSION(OPT_P_GENERAL);
9381 
9382  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9383  {
9384  options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9385  }
9386  }
9387  else if (streq(p[0], "pkcs11-private-mode") && p[1])
9388  {
9389  int j;
9390 
9391  VERIFY_PERMISSION(OPT_P_GENERAL);
9392 
9393  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9394  {
9395  sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
9396  }
9397  }
9398  else if (streq(p[0], "pkcs11-cert-private"))
9399  {
9400  int j;
9401 
9402  VERIFY_PERMISSION(OPT_P_GENERAL);
9403 
9404  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9405  {
9406  options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9407  }
9408  }
9409  else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9410  {
9411  VERIFY_PERMISSION(OPT_P_GENERAL);
9412  options->pkcs11_pin_cache_period = atoi(p[1]);
9413  }
9414  else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9415  {
9416  VERIFY_PERMISSION(OPT_P_GENERAL);
9417  options->pkcs11_id = p[1];
9418  }
9419  else if (streq(p[0], "pkcs11-id-management") && !p[1])
9420  {
9421  VERIFY_PERMISSION(OPT_P_GENERAL);
9422  options->pkcs11_id_management = true;
9423  }
9424 #endif /* ifdef ENABLE_PKCS11 */
9425  else if (streq(p[0], "rmtun") && !p[1])
9426  {
9427  VERIFY_PERMISSION(OPT_P_GENERAL);
9428  options->persist_config = true;
9429  options->persist_mode = 0;
9430  }
9431  else if (streq(p[0], "mktun") && !p[1])
9432  {
9433  VERIFY_PERMISSION(OPT_P_GENERAL);
9434  options->persist_config = true;
9435  options->persist_mode = 1;
9436  }
9437  else if (streq(p[0], "peer-id") && p[1] && !p[2])
9438  {
9439  VERIFY_PERMISSION(OPT_P_PEER_ID);
9440  options->use_peer_id = true;
9441  options->peer_id = atoi(p[1]);
9442  }
9443 #ifdef HAVE_EXPORT_KEYING_MATERIAL
9444  else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9445  {
9446  int ekm_length = positive_atoi(p[2]);
9447 
9448  VERIFY_PERMISSION(OPT_P_GENERAL);
9449 
9450  if (strncmp(p[1], "EXPORTER", 8))
9451  {
9452  msg(msglevel, "Keying material exporter label must begin with "
9453  "\"EXPORTER\"");
9454  goto err;
9455  }
9456  if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9457  {
9458  msg(msglevel, "Keying material exporter label must not be '"
9459  EXPORT_KEY_DATA_LABEL "'.");
9460  }
9461  if (ekm_length < 16 || ekm_length > 4095)
9462  {
9463  msg(msglevel, "Invalid keying material exporter length");
9464  goto err;
9465  }
9466 
9467  options->keying_material_exporter_label = p[1];
9468  options->keying_material_exporter_length = ekm_length;
9469  }
9470 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
9471  else if (streq(p[0], "allow-recursive-routing") && !p[1])
9472  {
9473  VERIFY_PERMISSION(OPT_P_GENERAL);
9474  options->allow_recursive_routing = true;
9475  }
9476  else if (streq(p[0], "vlan-tagging") && !p[1])
9477  {
9478  VERIFY_PERMISSION(OPT_P_GENERAL);
9479  options->vlan_tagging = true;
9480  }
9481  else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9482  {
9483  VERIFY_PERMISSION(OPT_P_GENERAL);
9484  if (streq(p[1], "tagged"))
9485  {
9486  options->vlan_accept = VLAN_ONLY_TAGGED;
9487  }
9488  else if (streq(p[1], "untagged"))
9489  {
9490  options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9491  }
9492  else if (streq(p[1], "all"))
9493  {
9494  options->vlan_accept = VLAN_ALL;
9495  }
9496  else
9497  {
9498  msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9499  goto err;
9500  }
9501  }
9502  else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9503  {
9504  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
9505  options->vlan_pvid = positive_atoi(p[1]);
9506  if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
9507  || options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
9508  {
9509  msg(msglevel,
9510  "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9511  OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
9512  goto err;
9513  }
9514  }
9515  else
9516  {
9517  int i;
9518  int msglevel_unknown = msglevel_fc;
9519  /* Check if an option is in --ignore-unknown-option and
9520  * set warning level to non fatal */
9521  for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9522  {
9523  if (streq(p[0], options->ignore_unknown_option[i]))
9524  {
9525  msglevel_unknown = M_WARN;
9526  break;
9527  }
9528  }
9529  if (file)
9530  {
9531  msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
9532  }
9533  else
9534  {
9535  msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
9536  }
9537  }
9538 err:
9539  gc_free(&gc);
9540 }
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:160
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:328
SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition: ssl_common.h:410
options::server_network_ipv6
struct in6_addr server_network_ipv6
Definition: options.h:456
set_win_sys_path
void set_win_sys_path(const char *newpath, struct env_set *es)
Definition: win32.c:1117
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition: tun.c:808
alloc_connection_list_if_undef
static struct connection_list * alloc_connection_list_if_undef(struct options *options)
Definition: options.c:2165
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition: buffer.h:538
MSSFIX_DEFAULT
#define MSSFIX_DEFAULT
Definition: mtu.h:80
option_iroute
static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, int msglevel)
Definition: options.c:1593
copy_route_option_list
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:170
buffer_read_from_file
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
Definition: buffer.c:1385
OPT_P_PUSH
#define OPT_P_PUSH
Definition: options.h:729
options::replay_time
int replay_time
Definition: options.h:566
options_pre_connect::dns_options
struct dns_options dns_options
Definition: options.h:80
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition: options.h:224
print_vlan_accept
static const char * print_vlan_accept(enum vlan_acceptable_frames mode)
Definition: options.c:1494
options::genkey_type
enum genkey_type genkey_type
Definition: options.h:269
CHKACC_FILEXSTWR
#define CHKACC_FILEXSTWR
Definition: options.c:3846
dhcp_renew_by_adapter_index
bool dhcp_renew_by_adapter_index(const DWORD adapter_index)
Definition: tun.c:5286
options::vlan_tagging
bool vlan_tagging
Definition: options.h:694
tuntap_options::dhcp_masq_custom_offset
bool dhcp_masq_custom_offset
Definition: tun.h:88
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition: ssl.c:1851
options::show_engines
bool show_engines
Definition: options.h:265
tuntap_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition: tun.h:108
MF_EXTERNAL_KEY_PSSPAD
#define MF_EXTERNAL_KEY_PSSPAD
Definition: manage.h:44
dco_check_option
static bool dco_check_option(int msglevel, const struct options *o)
Definition: dco.h:269
comp_non_stub_enabled
static bool comp_non_stub_enabled(const struct compress_options *info)
Definition: comp.h:71
string_defined_equal
bool string_defined_equal(const char *s1, const char *s2)
Definition: options.c:4917
cipher_valid
static bool cipher_valid(const char *ciphername)
Returns if the cipher is valid, based on the given cipher name.
Definition: crypto_backend.h:204
options::ssl_flags
unsigned int ssl_flags
Definition: options.h:608
options_warning_safe_scan1
static void options_warning_safe_scan1(const int msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition: options.c:4560
SHOW_INT64
#define SHOW_INT64(var)
Definition: options.c:978
options::verbosity
int verbosity
Definition: options.h:382
iroute
Definition: route.h:234
connection_entry::mtu_discover_type
int mtu_discover_type
Definition: options.h:130
tuntap_options::domain_search_list
const char * domain_search_list[N_SEARCH_LIST_LEN]
Definition: tun.h:126
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition: options.c:4465
options::verify_hash
struct verify_hash_list * verify_hash
Definition: options.h:604
connection_entry::mssfix_encap
bool mssfix_encap
Definition: options.h:137
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2760
http_proxy_options::auth_file
const char * auth_file
Definition: proxy.h:54
M_INFO
#define M_INFO
Definition: errlevel.h:55
connection_entry::mssfix
int mssfix
Definition: options.h:135
management_auth_token
void management_auth_token(struct management *man, const char *token)
Definition: manage.c:3093
helper_client_server
void helper_client_server(struct options *o)
Definition: helper.c:146
compress_options
Definition: comp.h:64
compress_options::alg
int alg
Definition: comp.h:66
tuntap_options::dhcp_renew
bool dhcp_renew
Definition: tun.h:132
options::show_digests
bool show_digests
Definition: options.h:264
pull_filter_list
Definition: options.c:941
connection_entry::link_mtu
int link_mtu
Definition: options.h:125
route_ipv6_option_list::flags
unsigned int flags
Definition: route.h:107
MF_EXTERNAL_KEY_PKCS1PAD
#define MF_EXTERNAL_KEY_PKCS1PAD
Definition: manage.h:39
RG_BLOCK_LOCAL
#define RG_BLOCK_LOCAL
Definition: route.h:91
WINDOWS_DRIVER_UNSPECIFIED
@ WINDOWS_DRIVER_UNSPECIFIED
Definition: tun.h:50
push_list::head
struct push_entry * head
Definition: pushlist.h:36
options::use_peer_id
bool use_peer_id
Definition: options.h:683
error.h
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4908
is_special_addr
bool is_special_addr(const char *addr_str)
Definition: route.c:303
M_OPTERR
#define M_OPTERR
Definition: error.h:106
options::sc_info
struct static_challenge_info sc_info
Definition: options.h:550
options::client_connect_script
const char * client_connect_script
Definition: options.h:486
SHOW_STR
#define SHOW_STR(var)
Definition: options.c:971
MF_EXTERNAL_KEY_NOPADDING
#define MF_EXTERNAL_KEY_NOPADDING
Definition: manage.h:38
options::tcp_queue_limit
int tcp_queue_limit
Definition: options.h:494
dhcp_option_address_parse
static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
Definition: options.c:1321
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:558
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:525
KEY_DIRECTION_BIDIRECTIONAL
#define KEY_DIRECTION_BIDIRECTIONAL
Definition: crypto.h:171
SF_NO_PUSH_ROUTE_GATEWAY
#define SF_NO_PUSH_ROUTE_GATEWAY
Definition: options.h:461
pull_filter::pattern
char * pattern
Definition: options.c:937
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1031
clone_route_ipv6_option_list
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:161
GENKEY_SECRET
@ GENKEY_SECRET
Definition: options.h:221
VLAN_ONLY_UNTAGGED_OR_PRIORITY
@ VLAN_ONLY_UNTAGGED_OR_PRIORITY
Definition: options.h:208
options::nice
int nice
Definition: options.h:381
options::cf_initial_per
int cf_initial_per
Definition: options.h:517
string_array_len
int string_array_len(const char **array)
Definition: buffer.c:747
run_command.h
M_ERRNO
#define M_ERRNO
Definition: error.h:100
SF_TCP_NODELAY_HELPER
#define SF_TCP_NODELAY_HELPER
Definition: options.h:460
dco_get_supported_ciphers
const char * dco_get_supported_ciphers()
Definition: dco_win.c:469
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:37
push_remove_option
void push_remove_option(struct options *o, const char *p)
Definition: push.c:921
VERIFY_X509_SUBJECT_RDN_PREFIX
#define VERIFY_X509_SUBJECT_RDN_PREFIX
Definition: ssl_verify.h:66
SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MAX_MASK
Definition: ssl_common.h:413
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:110
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:141
VERIFY_X509_SUBJECT_DN
#define VERIFY_X509_SUBJECT_DN
Definition: ssl_verify.h:64
CHKACC_ACPTSTDIN
#define CHKACC_ACPTSTDIN
Definition: options.c:3847
forward.h
tuntap_options::register_dns
bool register_dns
Definition: tun.h:135
options::route_gateway_via_dhcp
bool route_gateway_via_dhcp
Definition: options.h:423
ipv6_addr_safe
bool ipv6_addr_safe(const char *ipv6_text_addr)
Definition: socket.c:736
http_proxy_options::http_version
const char * http_version
Definition: proxy.h:56
PACKAGE_NAME
#define PACKAGE_NAME
Definition: config.h:492
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition: ssl.c:347
read_config_file
static void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5277
options_server_import
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5528
options::up_script
const char * up_script
Definition: options.h:368
usage_small
void usage_small(void)
Definition: options.c:4844
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition: options.h:743
proto2ascii_all
const char * proto2ascii_all(struct gc_arena *gc)
Definition: socket.c:3147
tuntap_options::nbdd
in_addr_t nbdd[N_DHCP_ADDR]
Definition: tun.h:120
options::keepalive_ping
int keepalive_ping
Definition: options.h:327
options::push_list
struct push_list push_list
Definition: options.h:472
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:114
dns_options_postprocess_pull
void dns_options_postprocess_pull(struct dns_options *o)
Merges pulled DNS servers with static ones into an ordered list.
Definition: dns.c:269
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition: misc.c:777
dns_domain::next
struct dns_domain * next
Definition: dns.h:45
M_FATAL
#define M_FATAL
Definition: error.h:95
options_pre_connect::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition: options.h:75
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:207
tuntap_options::tap_sleep
int tap_sleep
Definition: tun.h:93
win32.h
SHA_DIGEST_LENGTH
#define SHA_DIGEST_LENGTH
Definition: crypto_mbedtls.h:74
cipher_defined
static bool cipher_defined(const char *ciphername)
Checks if the cipher is defined and is not the null (none) cipher.
Definition: crypto_backend.h:218
MAX_SEQ_BACKTRACK
#define MAX_SEQ_BACKTRACK
Definition: packet_id.h:99
options::server_flags
unsigned int server_flags
Definition: options.h:462
http_custom_header::name
const char * name
Definition: proxy.h:39
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:530
DNS_SECURITY_OPTIONAL
@ DNS_SECURITY_OPTIONAL
Definition: dns.h:34
setenv_str_i
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i)
Definition: env_set.c:404
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:4246
options::ipchange
const char * ipchange
Definition: options.h:302
push_entry
Definition: pushlist.h:29
pull_filter_type_name
static const char * pull_filter_type_name(int type)
Definition: options.c:950
route_gateway_info
Definition: route.h:146
options::show_ciphers
bool show_ciphers
Definition: options.h:263
dco_version_string
const char * dco_version_string(struct gc_arena *gc)
Definition: dco_win.c:387
argv
Definition: argv.h:35
tuntap_options::domain_search_list_len
int domain_search_list_len
Definition: tun.h:127
options::enable_c2c
bool enable_c2c
Definition: options.h:510
options_cmp_equal_safe
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition: options.c:4607
options::duplicate_cn
bool duplicate_cn
Definition: options.h:511
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:161
streq
#define streq(x, y)
Definition: options.h:708
DHCP_OPTIONS_DHCP_REQUIRED
#define DHCP_OPTIONS_DHCP_REQUIRED
Definition: tun.h:67
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3125
options::server_network
in_addr_t server_network
Definition: options.h:453
ascii2ipset
int ascii2ipset(const char *name)
Definition: tun.c:7098
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition: options.h:331
manage.h
ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_SERVICE
Definition: route.h:43
options::ca_path
const char * ca_path
Definition: options.h:578
show_pull_filter_list
static void show_pull_filter_list(const struct pull_filter_list *l)
Definition: options.c:1780
connection_entry::remote_port
const char * remote_port
Definition: options.h:103
script_security_set
void script_security_set(int level)
Definition: run_command.c:49
VERIFY_X509_SUBJECT_RDN
#define VERIFY_X509_SUBJECT_RDN
Definition: ssl_verify.h:65
options::forward_compatible
bool forward_compatible
Definition: options.h:250
RG_BYPASS_DNS
#define RG_BYPASS_DNS
Definition: route.h:88
parse_hash_fingerprint
static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a hexstring and checks if the string has the correct length.
Definition: options.c:1158
dhcp_renew
static bool dhcp_renew(const struct tuntap *tt)
Definition: tun.c:5312
show_dhcp_option_addrs
static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
Definition: options.c:1265
clone_route_option_list
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:152
options::cert_file
const char * cert_file
Definition: options.h:581
es
struct env_set * es
Definition: test_pkcs11.c:133
hash
Definition: list.h:58
options::route_nopull
bool route_nopull
Definition: options.h:422
options::server_bridge_ip
in_addr_t server_bridge_ip
Definition: options.h:467
http_proxy_options::auth_file_up
const char * auth_file_up
Definition: proxy.h:55
options_set_backwards_compatible_options
static void options_set_backwards_compatible_options(struct options *o)
Changes default values so that OpenVPN can be compatible with the user specified version.
Definition: options.c:3585
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:122
tuntap_options::netbios_node_type
int netbios_node_type
Definition: tun.h:103
options::key_direction
int key_direction
Definition: options.h:556
options::topology
int topology
Definition: options.h:307
verify_hash_list::next
struct verify_hash_list * next
Definition: options.h:232
BSTR
#define BSTR(buf)
Definition: buffer.h:129
options::authname
const char * authname
Definition: options.h:561
options::dev_type
const char * dev_type
Definition: options.h:304
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition: ssl_common.h:406
dns_server_get
struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc)
Find or create DNS server with priority in a linked list.
Definition: dns.c:175
AR_NONE
#define AR_NONE
Definition: options.h:885
MAX_TIME_BACKTRACK
#define MAX_TIME_BACKTRACK
Definition: packet_id.h:108
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition: ssl_openssl.c:2344
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:333
options::iroutes
struct iroute * iroutes
Definition: options.h:495
proto_remote
const char * proto_remote(int proto, bool remote)
Definition: socket.c:3188
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:391
COMP_F_ALLOW_COMPRESS
#define COMP_F_ALLOW_COMPRESS
Definition: comp.h:36
push_options
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition: push.c:889
http_proxy_options::auth_method_string
const char * auth_method_string
Definition: proxy.h:53
options::tls_client
bool tls_client
Definition: options.h:575
OPENVPN_EXIT_STATUS_GOOD
#define OPENVPN_EXIT_STATUS_GOOD
Definition: error.h:59
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:553
in_src::u
union in_src::@7 u
keydirection2ascii
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
Definition: crypto.c:1449
dns_domain_list_append
void dns_domain_list_append(struct dns_domain **entry, char **domains, struct gc_arena *gc)
Appends DNS domain parameters to a linked list.
Definition: dns.c:141
buffer::capacity
int capacity
Size in bytes of memory allocated by malloc().
Definition: buffer.h:62
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition: options.h:584
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition: options.h:169
ip_addr_dotted_quad_safe
bool ip_addr_dotted_quad_safe(const char *dotted_quad)
Definition: socket.c:686
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
connection_entry::connect_timeout
int connect_timeout
Definition: options.h:112
TARGET_ALIAS
#define TARGET_ALIAS
Definition: config.h:558
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:102
options::server_defined
bool server_defined
Definition: options.h:452
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:110
windows_driver_type
windows_driver_type
Definition: tun.h:49
route_ipv6_gateway_info
Definition: route.h:179
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition: error.c:105
dns_options_verify
bool dns_options_verify(int msglevel, const struct dns_options *o)
Checks validity of DNS options.
Definition: dns.c:197
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition: options.h:222
get_ipv6_addr_no_netbits
static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
Returns newly allocated string containing address part without "/nn".
Definition: options.c:1102
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition: common.h:82
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:737
pull_filter_list::head
struct pull_filter * head
Definition: options.c:943
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition: tun.c:457
options::cipher_list
const char * cipher_list
Definition: options.h:589
TAP_MTU_EXTRA_DEFAULT
#define TAP_MTU_EXTRA_DEFAULT
Definition: mtu.h:75
vlan_acceptable_frames
vlan_acceptable_frames
Definition: options.h:205
options::mode
int mode
Definition: options.h:247
options::session_timeout
int session_timeout
Definition: options.h:333
read_config_string
static void read_config_string(const char *prefix, struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5352
tap_allow_nonadmin_access
void tap_allow_nonadmin_access(const char *dev_node)
Definition: tun.c:5144
options_postprocess_mutate
static void options_postprocess_mutate(struct options *o, struct env_set *es)
Definition: options.c:3679
mutate_ncp_cipher_list
char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
Check whether the ciphers in the supplied list are supported.
Definition: ssl_ncp.c:95
LINK_MTU_DEFAULT
#define LINK_MTU_DEFAULT
Definition: mtu.h:65
xkey_common.h
bind_local
static void bind_local(struct link_socket *sock, const sa_family_t ai_family)
Definition: socket.c:1086
options::mute
int mute
Definition: options.h:383
safe_print
const char * safe_print(const char *str, struct gc_arena *gc)
Definition: misc.c:541
VLAN_ONLY_TAGGED
@ VLAN_ONLY_TAGGED
Definition: options.h:207
parse_line
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition: options.c:4961
MF_HOLD
#define MF_HOLD
Definition: manage.h:30
PACKAGE_VERSION
#define PACKAGE_VERSION
Definition: config.h:504
MAX_PARMS
#define MAX_PARMS
Definition: options.h:52
buf_clear
void buf_clear(struct buffer *buf)
Definition: buffer.c:162
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:126
fragment
Structure for reassembling one incoming fragmented packet.
Definition: fragment.h:65
tls_verify
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
Definition: keyingmaterialexporter.c:166
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:506
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:93
options_warning_safe
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition: options.c:4630
tuntap_options::netbios_scope
const char * netbios_scope
Definition: tun.h:101
in_src::type
int type
Definition: options.c:5146
options::ce
struct connection_entry ce
Definition: options.h:275
options::msg_channel
HANDLE msg_channel
Definition: options.h:674
dns_server::dnssec
enum dns_security dnssec
Definition: dns.h:65
new_route_option_list
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition: route.c:127
tuntap_options::ntp_len
int ntp_len
Definition: tun.h:117
ip_or_dns_addr_safe
bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn)
Definition: socket.c:772
MF_QUERY_REMOTE
#define MF_QUERY_REMOTE
Definition: manage.h:41
read_inline_file
static char * read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
Definition: options.c:5177
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:730
format_hex_ex
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:527
iroute::netbits
int netbits
Definition: route.h:236
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition: ssl_common.h:407
ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_IPAPI
Definition: route.h:41
options::n_bcast_buf
int n_bcast_buf
Definition: options.h:493
ascii2keydirection
int ascii2keydirection(int msglevel, const char *str)
Definition: crypto.c:1426
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition: options.h:480
verify_hash_list
Definition: options.h:227
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition: options.h:605
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:28
D_LOW
#define D_LOW
Definition: errlevel.h:97
dns_server::transport
enum dns_server_transport transport
Definition: dns.h:66
PACKAGE
#define PACKAGE
Definition: config.h:486
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:271
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:103
SF_TCP_NODELAY
#define SF_TCP_NODELAY
Definition: socket.h:205
TOP_SUBNET
#define TOP_SUBNET
Definition: proto.h:45
M_DEBUG_LEVEL
#define M_DEBUG_LEVEL
Definition: error.h:93
remote_entry::remote
const char * remote
Definition: options.h:174
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:483
options_pre_connect::foreign_option_index
int foreign_option_index
Definition: options.h:89
connection_list::capacity
int capacity
Definition: options.h:184
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:584
atou
static unsigned int atou(const char *str)
Definition: options.c:4946
options_pre_connect::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:87
options_postprocess_mutate_ce
static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
Definition: options.c:3109
pull_filter_list::tail
struct pull_filter * tail
Definition: options.c:944
options::shaper
int shaper
Definition: options.h:315
options.h
cnol_check_alloc
static void cnol_check_alloc(struct options *options)
Definition: options.c:1701
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition: crypto_openssl.c:638
IPROUTE_PATH
#define IPROUTE_PATH
Definition: config.h:468
clone_client_nat_option_list
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition: clinat.c:83
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition: options.h:595
dns_options::gc
struct gc_arena gc
Definition: dns.h:74
TLS_VER_1_0
#define TLS_VER_1_0
Definition: ssl_backend.h:105
options::cd_dir
const char * cd_dir
Definition: options.h:363
MODE_SERVER
#define MODE_SERVER
Definition: options.h:246
netmask_to_netbits2
int netmask_to_netbits2(in_addr_t netmask)
Definition: route.c:3953
print_client_nat_list
void print_client_nat_list(const struct client_nat_option_list *list, int msglevel)
Definition: clinat.c:52
options::remote_random
bool remote_random
Definition: options.h:301
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:313
frame
Packet geometry parameters.
Definition: mtu.h:98
options::push_continuation
int push_continuation
Definition: options.h:541
options_postprocess_filechecks
static void options_postprocess_filechecks(struct options *options)
Definition: options.c:4050
push_entry::option
const char * option
Definition: pushlist.h:32
MAX_PEER_ID
#define MAX_PEER_ID
Definition: openvpn.h:549
MF_CLIENT_AUTH
#define MF_CLIENT_AUTH
Definition: manage.h:34
plugin_option_list_print
void plugin_option_list_print(const struct plugin_option_list *list, int msglevel)
Definition: plugin.c:189
PROTO_TCP_SERVER
@ PROTO_TCP_SERVER
Definition: socket.h:557
connection_entry::fragment_encap
bool fragment_encap
Definition: options.h:133
options::allow_deprecated_insecure_static_crypto
bool allow_deprecated_insecure_static_crypto
Definition: options.h:555
options::tls_server
bool tls_server
Definition: options.h:574
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:267
parse_hash_fingerprint_multiline
static struct verify_hash_list * parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a string consisting of multiple lines of hexstrings and checks if each string has the correct ...
Definition: options.c:1212
options::auth_token_renewal
int auth_token_renewal
Definition: options.h:529
options_pre_connect::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:72
connection_entry::bind_local
bool bind_local
Definition: options.h:109
http_custom_header
Definition: proxy.h:38
provider_list::names
const char * names[MAX_PARMS]
Definition: options.h:200
shaper.h
throw_signal_soft
void throw_signal_soft(const int signum, const char *signal_text)
Throw a soft global signal.
Definition: sig.c:206
dns_options::servers
struct dns_server * servers
Definition: dns.h:73
connection_entry
Definition: options.h:97
remote_entry::af
sa_family_t af
Definition: options.h:177
N_SEARCH_LIST_LEN
#define N_SEARCH_LIST_LEN
Definition: tun.h:123
iroute_ipv6::network
struct in6_addr network
Definition: route.h:241
push_reset
void push_reset(struct options *o)
Definition: push.c:915
usage_message
static const char usage_message[]
Definition: options.c:118
SHOW_INT
#define SHOW_INT(var)
Definition: options.c:976
http_proxy_options::inline_creds
bool inline_creds
Definition: proxy.h:59
options::allow_recursive_routing
bool allow_recursive_routing
Definition: options.h:702
net_ctx_init
static int net_ctx_init(struct context *c, openvpn_net_ctx_t *ctx)
Definition: networking.h:48
translate_mtu_discover_type_name
int translate_mtu_discover_type_name(const char *name)
Definition: mtu.c:261
sleep
#define sleep(x)
Definition: syshead.h:43
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:420
add_route_to_option_list
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric)
Definition: route.c:507
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:718
iroute::next
struct iroute * next
Definition: route.h:237
options::tls_exit
bool tls_exit
Definition: options.h:666
SHOW_UNSIGNED
#define SHOW_UNSIGNED(var)
Definition: options.c:979
options::route_noexec
bool route_noexec
Definition: options.h:415
MF_QUERY_PROXY
#define MF_QUERY_PROXY
Definition: manage.h:42
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:592
management_echo
void management_echo(struct management *man, const char *string, const bool pull)
Definition: manage.c:3015
ROUTE_METHOD_EXE
#define ROUTE_METHOD_EXE
Definition: route.h:42
KEY_METHOD_2
#define KEY_METHOD_2
Definition: ssl.h:112
sa_family_t
unsigned short sa_family_t
Definition: syshead.h:385
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:629
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition: ssl.c:406
PING_RESTART
#define PING_RESTART
Definition: options.h:341
RG_AUTO_LOCAL
#define RG_AUTO_LOCAL
Definition: route.h:90
RG_LOCAL
#define RG_LOCAL
Definition: route.h:85
connection_entry_load_re
static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
Definition: options.c:2262
options::persist_local_ip
bool persist_local_ip
Definition: options.h:345
MD_SHA256
@ MD_SHA256
Definition: crypto_backend.h:53
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:999
CLEAR
#define CLEAR(x)
Definition: basic.h:33
DNS_TRANSPORT_HTTPS
@ DNS_TRANSPORT_HTTPS
Definition: dns.h:40
options::verify_hash_depth
int verify_hash_depth
Definition: options.h:606
options::ignore_unknown_option
const char ** ignore_unknown_option
Definition: options.h:256
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:738
dns_server::priority
long priority
Definition: dns.h:61
options::ecdh_curve
const char * ecdh_curve
Definition: options.h:593
iroute::network
in_addr_t network
Definition: route.h:235
ipconfig_register_dns
void ipconfig_register_dns(const struct env_set *es)
Definition: tun.c:5352
pull_filter::size
int size
Definition: options.c:936
options::show_curves
bool show_curves
Definition: options.h:267
connection_list::len
int len
Definition: options.h:185
SF_NOPOOL
#define SF_NOPOOL
Definition: options.h:459
options::http_proxy_override
struct http_proxy_options * http_proxy_override
Definition: options.h:294
options::cipher_list_tls13
const char * cipher_list_tls13
Definition: options.h:590
PUF_TYPE_IGNORE
#define PUF_TYPE_IGNORE
Definition: options.c:933
options_postprocess_pull
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition: options.c:4188
N_DHCP_ADDR
#define N_DHCP_ADDR
Definition: tun.h:105
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:180
options::up_delay
bool up_delay
Definition: options.h:372
options::writepid
const char * writepid
Definition: options.h:367
options_pre_connect::tuntap_options_defined
bool tuntap_options_defined
Definition: options.h:65
tuntap_options::ip_win32_defined
bool ip_win32_defined
Definition: tun.h:71
options_pre_connect::ciphername
const char * ciphername
Definition: options.h:82
show_connection_entries
static void show_connection_entries(const struct options *o)
Definition: options.c:1759
options::max_clients
int max_clients
Definition: options.h:519
platform_stat_t
struct _stat platform_stat_t
Definition: platform.h:146
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:693
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:414
options::disable
bool disable
Definition: options.h:492
SC_ECHO
#define SC_ECHO
Definition: misc.h:93
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:115
options::dh_file
const char * dh_file
Definition: options.h:579
options::resolve_in_advance
bool resolve_in_advance
Definition: options.h:354
IS_TYPE_FP
#define IS_TYPE_FP
Definition: options.c:5144
ssl_verify.h
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition: options.h:314
options::dev
const char * dev
Definition: options.h:303
ASSERT
#define ASSERT(x)
Definition: error.h:201
options::management_port
const char * management_port
Definition: options.h:432
helper_tcp_nodelay
void helper_tcp_nodelay(struct options *o)
Definition: helper.c:573
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2921
OPENVPN_PORT
#define OPENVPN_PORT
Definition: socket.h:42
options::groupname
const char * groupname
Definition: options.h:361
D_SHOW_OCC
#define D_SHOW_OCC
Definition: errlevel.h:151
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition: options.h:111
iroute_ipv6::netbits
unsigned int netbits
Definition: route.h:242
print_topology
const char * print_topology(const int topology)
Definition: options.c:4733
show_tuntap_options
static void show_tuntap_options(const struct tuntap_options *o)
Definition: options.c:1280
options::ip_remote_hint
const char * ip_remote_hint
Definition: options.h:355
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition: socket.h:558
mac_addr_safe
bool mac_addr_safe(const char *mac_addr)
Definition: socket.c:789
options::single_session
bool single_session
Definition: options.h:662
options::dns_options
struct dns_options dns_options
Definition: options.h:299
options::auth_user_pass_file
const char * auth_user_pass_file
Definition: options.h:543
show_dhcp_option_list
static void show_dhcp_option_list(const char *name, const char *const *array, int len)
Definition: options.c:1255
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:747
options::client_nat
struct client_nat_option_list * client_nat
Definition: options.h:425
OPTION_PARM_SIZE
#define OPTION_PARM_SIZE
Definition: options.h:57
set_machine_readable_output
void set_machine_readable_output(bool parsable)
Definition: error.c:155
D_DCO
#define D_DCO
Definition: errlevel.h:94
options_pre_connect::routes
struct route_option_list * routes
Definition: options.h:69
options::server_netmask
in_addr_t server_netmask
Definition: options.h:454
bypass_doubledash
static void bypass_doubledash(char **p)
Definition: options.c:5135
option_iroute_ipv6
static void option_iroute_ipv6(struct options *o, const char *prefix_str, int msglevel)
Definition: options.c:1623
connection_list
Definition: options.h:182
set_suppress_timestamps
void set_suppress_timestamps(bool suppressed)
Definition: error.c:149
SSLF_TLS_VERSION_MIN_MASK
#define SSLF_TLS_VERSION_MIN_MASK
Definition: ssl_common.h:411
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition: route.h:89
options::cf_initial_max
int cf_initial_max
Definition: options.h:516
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition: crypto_openssl.c:1053
options::ping_send_timeout
int ping_send_timeout
Definition: options.h:335
argv::argv
char ** argv
Definition: argv.h:39
remote_entry::remote_port
const char * remote_port
Definition: options.h:175
dns_server_addr_parse
bool dns_server_addr_parse(struct dns_server *server, const char *addr)
Parses a string IPv4 or IPv6 address and optional colon separated port, into a in_addr or in6_addr re...
Definition: dns.c:55
MAX_CUSTOM_HTTP_HEADER
#define MAX_CUSTOM_HTTP_HEADER
Definition: proxy.h:43
http_proxy_options::user_agent
const char * user_agent
Definition: proxy.h:57
ROUTE_METHOD_ADAPTIVE
#define ROUTE_METHOD_ADAPTIVE
Definition: route.h:40
ipv6_addr_safe_hexplusbits
static bool ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
Definition: options.c:1120
options::x509_track
const struct x509_track * x509_track
Definition: options.h:668
options::windows_driver
enum windows_driver_type windows_driver
Definition: options.h:680
options::client
bool client
Definition: options.h:539
need_compatibility_before
static bool need_compatibility_before(const struct options *o, unsigned int version)
The option –compat-mode is used to set up default settings to values used on the specified openvpn ve...
Definition: options.c:3575
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
WINDOWS_DRIVER_DCO
@ WINDOWS_DRIVER_DCO
Definition: tun.h:53
MF_EXTERNAL_KEY_DIGEST
#define MF_EXTERNAL_KEY_DIGEST
Definition: manage.h:45
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition: options.h:554
options::pre_connect
struct options_pre_connect * pre_connect
Definition: options.h:545
TLS_MTU_DEFAULT
#define TLS_MTU_DEFAULT
Definition: mtu.h:85
tuntap_options::ip_win32_type
int ip_win32_type
Definition: tun.h:81
connection_entry::bind_defined
bool bind_defined
Definition: options.h:107
options::management_client_group
const char * management_client_group
Definition: options.h:439
COMP_ALG_LZ4
#define COMP_ALG_LZ4
Definition: comp.h:49
verify_permission
static bool verify_permission(const char *name, const char *file, int line, const unsigned int type, const unsigned int allowed, unsigned int *found, const int msglevel, struct options *options, bool is_inline)
Definition: options.c:5567
packet_id.h
options::test_crypto
bool test_crypto
Definition: options.h:568
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: options.h:607
COMP_F_MIGRATE
#define COMP_F_MIGRATE
Definition: comp.h:40
msglevel_forward_compatible
static int msglevel_forward_compatible(struct options *options, const int msglevel)
Definition: options.c:5655
options::block_outside_dns
bool block_outside_dns
Definition: options.h:679
options_pre_connect::route_default_gateway
const char * route_default_gateway
Definition: options.h:74
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition: options.h:724
remap_redirect_gateway_flags
static void remap_redirect_gateway_flags(struct options *opt)
Definition: options.c:3266
proto.h
SSLF_OPT_VERIFY
#define SSLF_OPT_VERIFY
Definition: ssl_common.h:408
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:311
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:560
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: options.h:505
options::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:649
connection_entry::mssfix_fixed
bool mssfix_fixed
Definition: options.h:139
OPTION_LINE_SIZE
#define OPTION_LINE_SIZE
Definition: options.h:58
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition: options.h:736
SSLF_TLS_DEBUG_ENABLED
#define SSLF_TLS_DEBUG_ENABLED
Definition: ssl_common.h:414
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition: options.h:716
key_type::digest
const char * digest
Message digest static parameters.
Definition: crypto.h:142
RESOLV_RETRY_INFINITE
#define RESOLV_RETRY_INFINITE
Definition: socket.h:48
dns_domain::name
const char * name
Definition: dns.h:46
options::comp
struct compress_options comp
Definition: options.h:396
options::persist_config
bool persist_config
Definition: options.h:259
options_pre_connect::routes_ipv6_defined
bool routes_ipv6_defined
Definition: options.h:71
clone_push_list
void clone_push_list(struct options *o)
Definition: push.c:873
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition: options.h:705
dns_server_addr::in
union dns_server_addr::@0 in
options_postprocess_cipher
static void options_postprocess_cipher(struct options *o)
Definition: options.c:3519
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition: options.h:725
options::auth_token_lifetime
int auth_token_lifetime
Definition: options.h:528
ascii2proto
int ascii2proto(const char *proto_name)
Definition: socket.c:3097
OPT_P_INLINE
#define OPT_P_INLINE
Definition: options.h:742
print_route_options
void print_route_options(const struct route_option_list *rol, int level)
Definition: route.c:1311
show_compression_warning
static void show_compression_warning(struct compress_options *info)
Definition: options.c:5691
calc_options_string_link_mtu
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition: mtu.c:152
options::push_peer_info
bool push_peer_info
Definition: options.h:664
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition: ssl_common.h:409
dns_server
Definition: dns.h:59
OPT_P_TLS_PARMS
#define OPT_P_TLS_PARMS
Definition: options.h:726
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition: options.c:4644
string_substitute
static char * string_substitute(const char *src, int from, int to, struct gc_arena *gc)
Definition: options.c:1129
OPENVPN_8021Q_MAX_VID
#define OPENVPN_8021Q_MAX_VID
Definition: proto.h:326
options::allow_pull_fqdn
bool allow_pull_fqdn
Definition: options.h:424
MF_QUERY_PASSWORDS
#define MF_QUERY_PASSWORDS
Definition: manage.h:29
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition: options.h:654
COMP_F_ADVERTISE_STUBS_ONLY
#define COMP_F_ADVERTISE_STUBS_ONLY
Definition: comp.h:38
misc.h
options::push_ifconfig_ipv6_blocked
bool push_ifconfig_ipv6_blocked
Definition: options.h:509
RG_BYPASS_DHCP
#define RG_BYPASS_DHCP
Definition: route.h:87
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition: ssl.c:341
push.h
in_src
Definition: options.c:5143
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:436
M_WARN
#define M_WARN
Definition: error.h:97
dns_options_preprocess_pull
void dns_options_preprocess_pull(struct dns_options *o)
Saves and resets the server options, so that pulled ones don't mix in.
Definition: dns.c:262
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition: options.h:497
options::persist_tun
bool persist_tun
Definition: options.h:344
PACKAGE_STRING
#define PACKAGE_STRING
Definition: config.h:495
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition: comp.h:45
connection_entry::tls_auth_file
const char * tls_auth_file
Definition: options.h:155
options::backwards_compatible
unsigned int backwards_compatible
What version we should try to be compatible with as major * 10000 + minor * 100 + patch,...
Definition: options.h:253
CONFIGURE_DEFINES
#define CONFIGURE_DEFINES
Definition: config.h:5
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition: options.h:719
WINDOWS_DRIVER_WINTUN
@ WINDOWS_DRIVER_WINTUN
Definition: tun.h:52
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:655
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1103
options::proto_force
int proto_force
Definition: options.h:317
check_inline_file_via_buf
static int check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
Definition: options.c:5255
VERIFY_PERMISSION
#define VERIFY_PERMISSION(mask)
Definition: options.c:5558
msg_fp
FILE * msg_fp(const unsigned int flags)
Definition: error.c:194
options::tls_auth_file
const char * tls_auth_file
Definition: options.h:645
in_src::multiline
struct buffer * multiline
Definition: options.c:5149
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:166
options::route_predown_script
const char * route_predown_script
Definition: options.h:411
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition: ssl_openssl.c:213
COMP_ALGV2_UNCOMPRESSED
#define COMP_ALGV2_UNCOMPRESSED
Definition: comp.h:53
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition: options.h:501
OPT_P_INSTANCE
#define OPT_P_INSTANCE
allowed in ccd, client-connect etc
Definition: options.h:730
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition: options.h:156
plugin_option_list_new
struct plugin_option_list * plugin_option_list_new(struct gc_arena *gc)
Definition: plugin.c:160
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition: options.h:531
options_postprocess_setdefault_ncpciphers
static void options_postprocess_setdefault_ncpciphers(struct options *o)
Checks for availibility of Chacha20-Poly1305 and sets the ncp_cipher to either AES-256-GCM:AES-128-GC...
Definition: options.c:3491
options::server_netbits_ipv6
unsigned int server_netbits_ipv6
Definition: options.h:457
NM_QUOTE_HINT
#define NM_QUOTE_HINT
Definition: options.c:5624
CHKACC_FILE
#define CHKACC_FILE
Expect people using the stripped down version to know what they do.
Definition: options.c:3844
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition: options.h:165
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition: options.h:588
space
static bool space(unsigned char c)
Definition: options.c:4955
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::verify_x509_type
int verify_x509_type
Definition: options.h:596
options
Definition: options.h:236
pool.h
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition: options.h:544
RG_ENABLE
#define RG_ENABLE
Definition: route.h:84
connection_entry::key_direction
int key_direction
Definition: options.h:157
options::providers
struct provider_list providers
Definition: options.h:563
crypto.h
dns_server::domains
struct dns_domain * domains
Definition: dns.h:64
IPW32_SET_NETSH
#define IPW32_SET_NETSH
Definition: tun.h:76
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition: socket.h:504
options::log
bool log
Definition: options.h:378
alloc_remote_entry
static struct remote_entry * alloc_remote_entry(struct options *options, const int msglevel)
Definition: options.c:2208
show_valid_win32_tun_subnets
void show_valid_win32_tun_subnets(void)
Definition: tun.c:4207
TLS_CLIENT
#define TLS_CLIENT
static_challenge_info::flags
unsigned int flags
Definition: misc.h:94
options::gc
struct gc_arena gc
Definition: options.h:238
OPT_P_COMP
#define OPT_P_COMP
Definition: options.h:723
DNS_SECURITY_NO
@ DNS_SECURITY_NO
Definition: dns.h:32
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5548
options::mlock
bool mlock
Definition: options.h:325
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition: manage.h:37
options_pre_connect::ping_send_timeout
int ping_send_timeout
Definition: options.h:85
M_ERR
#define M_ERR
Definition: error.h:111
options::tls_timeout
int tls_timeout
Definition: options.h:624
options::management_addr
const char * management_addr
Definition: options.h:431
options::tls_verify
const char * tls_verify
Definition: options.h:594
COMP_F_SWAP
#define COMP_F_SWAP
Definition: comp.h:37
options::down_script
const char * down_script
Definition: options.h:369
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition: options.h:123
SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition: ssl_common.h:404
OPENVPN_EXIT_STATUS_USAGE
#define OPENVPN_EXIT_STATUS_USAGE
Definition: error.h:61
check_ca_required
static void check_ca_required(const struct options *options)
Definition: options.c:2300
gc_transfer
void gc_transfer(struct gc_arena *dest, struct gc_arena *src)
Definition: buffer.c:504
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:183
options_warning_safe_scan2
static void options_warning_safe_scan2(const int msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition: options.c:4492
buf_valid
static bool buf_valid(const struct buffer *buf)
Definition: buffer.h:234
helper_keepalive
void helper_keepalive(struct options *o)
Definition: helper.c:514
dns_domain
Definition: dns.h:44
tuntap_options
Definition: tun.h:69
gc_detach
static void gc_detach(struct gc_arena *a)
Definition: buffer.h:1025
MF_FORGET_DISCONNECT
#define MF_FORGET_DISCONNECT
Definition: manage.h:32
ipset2ascii_all
const char * ipset2ascii_all(struct gc_arena *gc)
Definition: tun.c:7127
options::virtual_hash_size
int virtual_hash_size
Definition: options.h:485
auth_retry_get
int auth_retry_get(void)
Definition: options.c:4761
add_option
static void add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5725
options_postprocess
void options_postprocess(struct options *options, struct env_set *es)
Definition: options.c:4174
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition: options.h:476
dns_options::search_domains
struct dns_domain * search_domains
Definition: dns.h:71
dns_server::addr_count
size_t addr_count
Definition: dns.h:62
DNS_TRANSPORT_PLAIN
@ DNS_TRANSPORT_PLAIN
Definition: dns.h:39
copy_client_nat_option_list
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition: clinat.c:92
ifconfig_options_string
const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc)
Definition: tun.c:665
options::server_ipv6_defined
bool server_ipv6_defined
Definition: options.h:455
set_pause_exit_win32
void set_pause_exit_win32(void)
Definition: win32.c:143
compress_options::flags
unsigned int flags
Definition: comp.h:67
connection_entry::local_port_defined
bool local_port_defined
Definition: options.h:102
options::show_tls_ciphers
bool show_tls_ciphers
Definition: options.h:266
parse_topology
int parse_topology(const char *str, const int msglevel)
Definition: options.c:4711
check_file_access_chroot
static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
Definition: options.c:3931
TOP_UNDEF
#define TOP_UNDEF
Definition: proto.h:42
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: options.h:507
tuntap_options_copy_dns
static void tuntap_options_copy_dns(struct options *o)
Definition: options.c:1354
options::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:650
OPT_P_ECHO
#define OPT_P_ECHO
Definition: options.h:733
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:630
static_challenge_info::challenge_text
const char * challenge_text
Definition: misc.h:96
dns_server::addr
struct dns_server_addr addr[8]
Definition: dns.h:63
open_syslog
void open_syslog(const char *pgmname, bool stdio_to_null)
Definition: error.c:467
alloc_remote_list_if_undef
static struct remote_list * alloc_remote_list_if_undef(struct options *options)
Definition: options.c:2198
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition: proto.h:38
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:346
options::ccd_exclusive
bool ccd_exclusive
Definition: options.h:491
options::stale_routes_check_interval
int stale_routes_check_interval
Definition: options.h:521
options::scheduled_exit_interval
int scheduled_exit_interval
Definition: options.h:547
options_pre_connect::client_nat
struct client_nat_option_list * client_nat
Definition: options.h:78
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:336
options::pkcs12_file
const char * pkcs12_file
Definition: options.h:587
OPT_P_PERSIST_IP
#define OPT_P_PERSIST_IP
Definition: options.h:722
options::client_crresponse_script
const char * client_crresponse_script
Definition: options.h:489
IPW32_SET_ADAPTIVE
#define IPW32_SET_ADAPTIVE
Definition: tun.h:79
SIZE
#define SIZE(x)
Definition: basic.h:30
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition: options.h:223
errors_to_stderr
void errors_to_stderr(void)
Definition: error.c:185
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:573
options::genkey
bool genkey
Definition: options.h:268
options::verify_x509_name
const char * verify_x509_name
Definition: options.h:597
options::replay_window
int replay_window
Definition: options.h:565
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
SHAPER_MIN
#define SHAPER_MIN
Definition: shaper.h:40
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition: options.h:413
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition: errlevel.h:67
options::foreign_option_index
int foreign_option_index
Definition: options.h:671
http_proxy_options::server
const char * server
Definition: proxy.h:45
global_auth_retry
static int global_auth_retry
Definition: options.c:4758
options::exit_event_name
const char * exit_event_name
Definition: options.h:675
openvpn_exit
void openvpn_exit(const int status)
Definition: error.c:735
connection_entry_preload_key
static void connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
Definition: options.c:2283
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:508
options::management_certificate
const char * management_certificate
Definition: options.h:441
show_windows_version
void show_windows_version(const unsigned int flags)
Definition: options.c:4852
options_pre_connect::comp
struct compress_options comp
Definition: options.h:90
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition: crypto.h:278
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
set_user_script
static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot)
Definition: options.c:5661
options::route_delay_defined
bool route_delay_defined
Definition: options.h:418
key_type
Definition: crypto.h:139
new_route_ipv6_option_list
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition: route.c:136
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2901
options::handshake_window
int handshake_window
Definition: options.h:634
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition: options.h:602
suppress_timestamps
static bool suppress_timestamps
Definition: error.c:81
options_postprocess_http_proxy_override
static void options_postprocess_http_proxy_override(struct options *o)
Definition: options.c:2131
connection_entry::occ_mtu
int occ_mtu
Definition: options.h:119
options::ping_timer_remote
bool ping_timer_remote
Definition: options.h:337
options::crl_file_inline
bool crl_file_inline
Definition: options.h:599
options::status_file_version
int status_file_version
Definition: options.h:390
MAN_CLIENT_AUTH_ENABLED
#define MAN_CLIENT_AUTH_ENABLED(opt)
Definition: options.h:773
TLS_VER_1_2
#define TLS_VER_1_2
Definition: ssl_backend.h:107
verify_hash_list::hash
uint8_t hash[SHA256_DIGEST_LENGTH]
Definition: options.h:231
options::route_default_metric
int route_default_metric
Definition: options.h:414
ssl.h
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition: options.h:721
show_tap_win_adapters
void show_tap_win_adapters(int msglev, int warnlev)
Definition: tun.c:4240
options::sndbuf
int sndbuf
Definition: options.h:400
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:46
options::block_ipv6
bool block_ipv6
Definition: options.h:421
show_adapters
void show_adapters(int msglev)
Definition: tun.c:5095
buffer.h
check_inline_file_via_fp
static int check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
Definition: options.c:5246
options::fast_io
bool fast_io
Definition: options.h:394
options::force_key_material_export
bool force_key_material_export
Definition: options.h:692
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:464
OPT_P_GENERAL
#define OPT_P_GENERAL
Definition: options.h:713
tuntap_options::wins_len
int wins_len
Definition: tun.h:113
syshead.h
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition: platform.c:514
COMP_F_ADAPTIVE
#define COMP_F_ADAPTIVE
Definition: comp.h:35
options::dh_file_inline
bool dh_file_inline
Definition: options.h:580
BPTR
#define BPTR(buf)
Definition: buffer.h:124
pkcs11.h
options::management_flags
unsigned int management_flags
Definition: options.h:444
options::route_method
int route_method
Definition: options.h:678
no_more_than_n_args
static bool no_more_than_n_args(const int msglevel, char *p[], const int max, const unsigned int flags)
Definition: options.c:5627
auth_retry_print
const char * auth_retry_print(void)
Definition: options.c:4790
options::cert_file_inline
bool cert_file_inline
Definition: options.h:582
platform.h
options::server_bridge_pool_start
in_addr_t server_bridge_pool_start
Definition: options.h:469
options::management_echo_buffer_size
int management_echo_buffer_size
Definition: options.h:435
proto_is_net
static bool proto_is_net(int proto)
Definition: socket.h:563
connection_list::array
struct connection_entry ** array
Definition: options.h:187
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition: options.h:715
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
shaper
Definition: shaper.h:47
show_routes
void show_routes(int msglev)
Definition: route.c:3203
PUF_TYPE_REJECT
#define PUF_TYPE_REJECT
Definition: options.c:934
options::client_config_dir
const char * client_config_dir
Definition: options.h:490
in_src_get
static bool in_src_get(const struct in_src *is, char *line, const int size)
Definition: options.c:5154
dco_check_startup_option
static bool dco_check_startup_option(int msglevel, const struct options *o)
Definition: dco.h:275
SSLF_TLS_VERSION_MAX_SHIFT
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition: ssl_common.h:412
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
add_client_nat_to_option_list
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, int msglevel)
Definition: clinat.c:106
options::status_file
const char * status_file
Definition: options.h:389
options::genkey_filename
const char * genkey_filename
Definition: options.h:270
COMP_F_ALLOW_NOCOMP_ONLY
#define COMP_F_ALLOW_NOCOMP_ONLY
Definition: comp.h:42
iroute_ipv6::next
struct iroute_ipv6 * next
Definition: route.h:243
key_is_external
bool key_is_external(const struct options *options)
Definition: options.c:5710
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:283
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition: options.h:245
tuntap_options::nbdd_len
int nbdd_len
Definition: tun.h:121
alloc_pull_filter
static struct pull_filter * alloc_pull_filter(struct options *o, const int msglevel)
Definition: options.c:2241
check_file_access_inline
static bool check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access() that returns false immediately if the file is inline (and therefore...
Definition: options.c:3981
DNS_TRANSPORT_TLS
@ DNS_TRANSPORT_TLS
Definition: dns.h:41
key_type::cipher
const char * cipher
const name of the cipher
Definition: crypto.h:141
daemon
int daemon(int nochdir, int noclose)
Definition: compat-daemon.c:51
pull_filter
Definition: options.c:929
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:527
remote_list::array
struct remote_entry ** array
Definition: options.h:194
PUF_TYPE_ACCEPT
#define PUF_TYPE_ACCEPT
Definition: options.c:932
options::vlan_pvid
uint16_t vlan_pvid
Definition: options.h:696
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:353
LZO_LIB_VER_STR
#define LZO_LIB_VER_STR
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition: comp.c:163
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition: options.h:113
options::ca_file
const char * ca_file
Definition: options.h:576
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition: ssl_backend.h:383
check_file_access_chroot_inline
static bool check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access_chroot() that returns false immediately if the file is inline (and th...
Definition: options.c:3964
show_library_versions
void show_library_versions(const unsigned int flags)
Definition: options.c:4871
tuntap_options::dhcp_masq_offset
int dhcp_masq_offset
Definition: tun.h:89
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:361
MUST_BE_UNDEF
#define MUST_BE_UNDEF(parm)
win32_version_string
const char * win32_version_string(struct gc_arena *gc, bool add_name)
Definition: win32.c:1409
env_set
Definition: env_set.h:42
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx)
Definition: route.c:2674
plugin_option_list_add
bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
Definition: plugin.c:168
OPT_P_TIMER
#define OPT_P_TIMER
Definition: options.h:720
options_process_mutate_prf
static void options_process_mutate_prf(struct options *o)
Definition: options.c:3655
options::server_bridge_netmask
in_addr_t server_bridge_netmask
Definition: options.h:468
copy_route_ipv6_option_list
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:177
OPT_P_CONNECTION
#define OPT_P_CONNECTION
Definition: options.h:740
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition: platform.c:540
MIN_TIME_BACKTRACK
#define MIN_TIME_BACKTRACK
Definition: packet_id.h:107
MF_SIGNAL
#define MF_SIGNAL
Definition: manage.h:31
options::config
const char * config
Definition: options.h:242
usage
static void usage(void)
Definition: options.c:4812
new_client_nat_list
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition: clinat.c:75
cipher_kt_key_size
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
Definition: crypto_openssl.c:658
options::plugin_list
struct plugin_option_list * plugin_list
Definition: options.h:447
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:88
options::priv_key_file_inline
bool priv_key_file_inline
Definition: options.h:586
clone_dns_options
struct dns_options clone_dns_options(const struct dns_options o, struct gc_arena *gc)
Makes a deep copy of the passed DNS options.
Definition: dns.c:251
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
SHAPER_MAX
#define SHAPER_MAX
Definition: shaper.h:41
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:908
pull_filter::type
int type
Definition: options.c:935
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:183
connection_entry::flags
unsigned int flags
Definition: options.h:152
tuntap_options::disable_nbt
bool disable_nbt
Definition: tun.h:130
uninit_options
void uninit_options(struct options *o)
Definition: options.c:912
tuntap_options::dns6_len
int dns6_len
Definition: tun.h:138
dco.h
common.h
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition: ssl.c:331
options::connect_retry_max
int connect_retry_max
Definition: options.h:274
PING_EXIT
#define PING_EXIT
Definition: options.h:340
options::tls_auth_file_inline
bool tls_auth_file_inline
Definition: options.h:646
strprefix
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition: buffer.h:983
machine_readable_output
static bool machine_readable_output
Definition: error.c:78
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:434
show_dco_version
void show_dco_version(const unsigned int flags)
Definition: options.c:4861
D_SHOW_PARMS
#define D_SHOW_PARMS
Definition: errlevel.h:96
options_detach
void options_detach(struct options *o)
Definition: options.c:1674
DNS_SECURITY_YES
@ DNS_SECURITY_YES
Definition: dns.h:33
rol_check_alloc
void rol_check_alloc(struct options *options)
Definition: options.c:1683
tuntap_options::disable_dco
bool disable_dco
Definition: tun.h:73
redirect_stdout_stderr
void redirect_stdout_stderr(const char *file, bool append)
Definition: error.c:515
options::daemon
bool daemon
Definition: options.h:374
parse_http_proxy_override
static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, const int msglevel, struct gc_arena *gc)
Definition: options.c:2100
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition: socket.c:211
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition: options.h:116
options_pre_connect::routes_defined
bool routes_defined
Definition: options.h:68
VLAN_ALL
@ VLAN_ALL
Definition: options.h:209
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition: options.h:475
COMP_ALG_STUB
#define COMP_ALG_STUB
Definition: comp.h:46
options::tls_groups
const char * tls_groups
Definition: options.h:591
options::gc_owned
bool gc_owned
Definition: options.h:239
CHKACC_DIRPATH
#define CHKACC_DIRPATH
Definition: options.c:3845
options::rcvbuf
int rcvbuf
Definition: options.h:399
alloc_connection_entry
static struct connection_entry * alloc_connection_entry(struct options *options, const int msglevel)
Definition: options.c:2175
check_cmd_access
static bool check_cmd_access(const char *command, const char *opt, const char *chroot)
Definition: options.c:4009
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition: socket.h:506
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:376
dns_server_addr::family
sa_family_t family
Definition: dns.h:55
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:676
tuntap_options::dhcp_pre_release
bool dhcp_pre_release
Definition: tun.h:133
options_pre_connect::client_nat_defined
bool client_nat_defined
Definition: options.h:77
in_src::fp
FILE * fp
Definition: options.c:5148
PLUGIN_OPTION_LIST
#define PLUGIN_OPTION_LIST(opt)
Definition: options.h:767
rol6_check_alloc
static void rol6_check_alloc(struct options *options)
Definition: options.c:1692
options::peer_id
uint32_t peer_id
Definition: options.h:684
options_pre_connect
Definition: options.h:63
tuntap_options::wins
in_addr_t wins[N_DHCP_ADDR]
Definition: tun.h:112
setenv_dns_options
void setenv_dns_options(const struct dns_options *o, struct env_set *es)
Puts the DNS options into an environment set.
Definition: dns.c:368
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition: crypto_mbedtls.h:75
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition: options.h:473
MF_CONNECT_AS_CLIENT
#define MF_CONNECT_AS_CLIENT
Definition: manage.h:33
ascii2af
sa_family_t ascii2af(const char *proto_name)
Definition: socket.c:3111
get_ip_addr
static in_addr_t get_ip_addr(const char *ip_string, int msglevel, bool *error)
Definition: options.c:1077
IPW32_SET_DHCP_MASQ
#define IPW32_SET_DHCP_MASQ
Definition: tun.h:78
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:380
max_int
static int max_int(int x, int y)
Definition: integer.h:76
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition: errlevel.h:157
connection_entry::remote_float
bool remote_float
Definition: options.h:106
connection_entry::remote
const char * remote
Definition: options.h:105
init_options
void init_options(struct options *o, const bool init_gc)
Definition: options.c:790
options::machine_readable_output
bool machine_readable_output
Definition: options.h:380
MF_UNIX_SOCK
#define MF_UNIX_SOCK
Definition: manage.h:36
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: options.h:659
options::key_pass_file
const char * key_pass_file
Definition: options.h:262
iroute_ipv6
Definition: route.h:240
IPW32_SET_ADAPTIVE_DELAY_WINDOW
#define IPW32_SET_ADAPTIVE_DELAY_WINDOW
Definition: tun.h:62
DHCP_OPTIONS_DHCP_OPTIONAL
#define DHCP_OPTIONS_DHCP_OPTIONAL
Definition: tun.h:66
show_http_proxy_options
static void show_http_proxy_options(const struct http_proxy_options *o)
Definition: options.c:1644
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition: options.h:739
usage_version
static void usage_version(void)
Definition: options.c:4886
openvpn_snprintf
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
Definition: buffer.c:294
status
static SERVICE_STATUS status
Definition: interactive.c:52
show_connection_entry
static void show_connection_entry(const struct connection_entry *o)
Definition: options.c:1711
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition: options.h:124
options::ns_cert_type
int ns_cert_type
Definition: options.h:601
OPT_P_INHERIT
#define OPT_P_INHERIT
Definition: options.h:734
options::packet_id_file
const char * packet_id_file
Definition: options.h:567
remote_entry::proto
int proto
Definition: options.h:176
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:499
management
Definition: manage.h:335
show_settings
void show_settings(const struct options *o)
Definition: options.c:1798
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1039
tuntap_options::dns6
struct in6_addr dns6[N_DHCP_ADDR]
Definition: tun.h:137
show_dns_options
void show_dns_options(const struct dns_options *o)
Prints configured DNS options.
Definition: dns.c:430
dns_options
Definition: dns.h:70
dirname
char * dirname(char *path)
Definition: compat-dirname.c:62
tuntap_options::domain
const char * domain
Definition: tun.h:99
options::renegotiate_packets
int renegotiate_packets
Definition: options.h:628
alloc_pull_filter_list
static struct pull_filter_list * alloc_pull_filter_list(struct options *o)
Definition: options.c:2231
CHKACC_PRIVATE
#define CHKACC_PRIVATE
Definition: options.c:3848
options::connection_list
struct connection_list * connection_list
Definition: options.h:276
options::cf_per
int cf_per
Definition: options.h:514
win_get_tempdir
const char * win_get_tempdir(void)
Definition: win32-util.c:152
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition: options.h:309
string_alloc_buf
struct buffer string_alloc_buf(const char *str, struct gc_arena *gc)
Definition: buffer.c:796
options::routes
struct route_option_list * routes
Definition: options.h:419
options::chroot_dir
const char * chroot_dir
Definition: options.h:362
options::down_pre
bool down_pre
Definition: options.h:371
tuntap
Definition: tun.h:171
TLS_VER_1_3
#define TLS_VER_1_3
Definition: ssl_backend.h:108
socket.h
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition: options.h:482
options::mark
int mark
Definition: options.h:403
options::max_routes_per_client
int max_routes_per_client
Definition: options.h:520
options::cryptoapi_cert
const char * cryptoapi_cert
Definition: options.h:621
tuntap_options::dhcp_lease_time
int dhcp_lease_time
Definition: tun.h:90
show_p2mp_parms
static void show_p2mp_parms(const struct options *o)
Definition: options.c:1511
M_MSG_VIRT_OUT
#define M_MSG_VIRT_OUT
Definition: error.h:105
OPT_P_SCRIPT
#define OPT_P_SCRIPT
Definition: options.h:717
options::server_bridge_pool_end
in_addr_t server_bridge_pool_end
Definition: options.h:470
options::sockflags
unsigned int sockflags
Definition: options.h:407
options::username
const char * username
Definition: options.h:360
connection_entry::mssfix_default
bool mssfix_default
Definition: options.h:136
WINDOWS_DRIVER_TAP_WINDOWS6
@ WINDOWS_DRIVER_TAP_WINDOWS6
Definition: tun.h:51
dns_server::sni
const char * sni
Definition: dns.h:67
append_cipher_to_ncp_list
void append_cipher_to_ncp_list(struct options *o, const char *ciphername)
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
Definition: ssl_ncp.c:195
connection_entry::local
const char * local
Definition: options.h:104
strsep
char * strsep(char **stringp, const char *delim)
Definition: compat-strsep.c:36
options_warning_extract_parm1
static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
Definition: options.c:4477
platform_chdir
int platform_chdir(const char *dir)
Definition: platform.c:393
AR_INTERACT
#define AR_INTERACT
Definition: options.h:886
OPT_P_NICE
#define OPT_P_NICE
Definition: options.h:728
IS_TYPE_BUF
#define IS_TYPE_BUF
Definition: options.c:5145
TOP_NET30
#define TOP_NET30
Definition: proto.h:43
config.h
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition: options.h:474
setenv_settings
void setenv_settings(struct env_set *es, const struct options *o)
Definition: options.c:1008
USAGE_VALID_SERVER_PROTOS
#define USAGE_VALID_SERVER_PROTOS
http_proxy_options
Definition: proxy.h:44
DEFAULT_SEQ_BACKTRACK
#define DEFAULT_SEQ_BACKTRACK
Definition: packet_id.h:100
options::extra_certs_file
const char * extra_certs_file
Definition: options.h:583
ssl_ncp.h
connection_entry::bind_ipv6_only
bool bind_ipv6_only
Definition: options.h:108
dns_server::next
struct dns_server * next
Definition: dns.h:60
check_inline_file
static int check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
Definition: options.c:5222
connection_entry::fragment
int fragment
Definition: options.h:132
tuntap_options::dns_len
int dns_len
Definition: tun.h:109
setenv_connection_entry
static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
Definition: options.c:985
options::up_restart
bool up_restart
Definition: options.h:373
MD_SHA1
@ MD_SHA1
Definition: crypto_backend.h:52
positive_atoi
static int positive_atoi(const char *str)
Definition: options.c:4938
check_file_access
static bool check_file_access(const int type, const char *file, const int mode, const char *opt)
Definition: options.c:3851
gc_init
static void gc_init(struct gc_arena *a)
Definition: buffer.h:1018
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:477
options_postprocess_verify_ce
static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
Definition: options.c:2322
connection_entry::tls_mtu
int tls_mtu
Definition: options.h:127
OPENVPN_8021Q_MIN_VID
#define OPENVPN_8021Q_MIN_VID
Definition: proto.h:325
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: options.h:525
route_option_list::flags
unsigned int flags
Definition: route.h:94
options::transition_window
int transition_window
Definition: options.h:642
SHOW_STR_INLINE
#define SHOW_STR_INLINE(var)
Definition: options.c:972
parse_argv
void parse_argv(struct options *options, const int argc, char *argv[], const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5385
tuntap_options::dhcp_options
int dhcp_options
Definition: tun.h:97
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition: options.c:4636
connection_entry::proto
int proto
Definition: options.h:99
dns_server_addr::a6
struct in6_addr a6
Definition: dns.h:53
SHOW_PARM
#define SHOW_PARM(name, value, format)
Definition: options.c:970
parse_windows_driver
static enum windows_driver_type parse_windows_driver(const char *str, const int msglevel)
Parses –windows-driver config option.
Definition: options.c:4682
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:564
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:481
options::auth_token_generate
bool auth_token_generate
Definition: options.h:526
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition: options.h:310
OPT_P_CONFIG
#define OPT_P_CONFIG
Definition: options.h:731
options::persist_key
bool persist_key
Definition: options.h:347
options::engine
const char * engine
Definition: options.h:562
push_entry::next
struct push_entry * next
Definition: pushlist.h:30
options::real_hash_size
int real_hash_size
Definition: options.h:484
options::priv_key_file
const char * priv_key_file
Definition: options.h:585
AR_NOINTERACT
#define AR_NOINTERACT
Definition: options.h:887
OPT_P_UP
#define OPT_P_UP
Definition: options.h:714
options::client_disconnect_script
const char * client_disconnect_script
Definition: options.h:487
remote_entry
Definition: options.h:172
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:744
options::push_option_types_found
unsigned int push_option_types_found
Definition: options.h:542
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition: options.c:3326
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition: options.h:522
options::show_net_up
bool show_net_up
Definition: options.h:677
RG_DEF1
#define RG_DEF1
Definition: route.h:86
options::tmp_dir
const char * tmp_dir
Definition: options.h:451
options::cf_max
int cf_max
Definition: options.h:513
options::crl_file
const char * crl_file
Definition: options.h:598
apply_push_options
bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5498
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:496
helper.h
options_pre_connect::authname
const char * authname
Definition: options.h:83
remote_list::len
int len
Definition: options.h:193
constrain_int
static int constrain_int(int x, int min, int max)
Definition: integer.h:102
SF_HOST_RANDOMIZE
#define SF_HOST_RANDOMIZE
Definition: socket.h:207
COMP_F_ALLOW_ASYM
#define COMP_F_ALLOW_ASYM
Definition: comp.h:41
apply_pull_filter
static bool apply_pull_filter(const struct options *o, char *line)
Filter an option line by all pull filters.
Definition: options.c:5458
options::route_delay_window
int route_delay_window
Definition: options.h:417
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
dhcp_release_by_adapter_index
bool dhcp_release_by_adapter_index(const DWORD adapter_index)
Definition: tun.c:5246
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition: options.h:735
CE_DISABLED
#define CE_DISABLED
Definition: options.h:143
SF_USE_IP_PKTINFO
#define SF_USE_IP_PKTINFO
Definition: socket.h:204
platform_access
int platform_access(const char *path, int mode)
Definition: platform.c:458
options::occ
bool occ
Definition: options.h:428
options::persist_mode
int persist_mode
Definition: options.h:260
options_postprocess_verify
static void options_postprocess_verify(const struct options *o)
Definition: options.c:3460
options::remote_list
struct remote_list * remote_list
Definition: options.h:278
OPENVPN_KU_REQUIRED
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
Definition: ssl_verify.h:234
options_pre_connect::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:66
options::pull_filter_list
struct pull_filter_list * pull_filter_list
Definition: options.h:698
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: options.h:500
connection_entry::af
sa_family_t af
Definition: options.h:100
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition: options.h:502
http_custom_header::content
const char * content
Definition: proxy.h:40
dns_server_addr::a4
struct in_addr a4
Definition: dns.h:52
COMP_ALG_LZO
#define COMP_ALG_LZO
Definition: comp.h:47
MIN_SEQ_BACKTRACK
#define MIN_SEQ_BACKTRACK
Definition: packet_id.h:98
IPW32_SET_MANUAL
#define IPW32_SET_MANUAL
Definition: tun.h:75
options::route_script
const char * route_script
Definition: options.h:410
x509_track_add
void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
Definition: ssl_verify_openssl.c:423
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:262
ifconfig_pool_verify_range
bool ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_addr_t end)
Definition: pool.c:121
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:357
TUN_MTU_DEFAULT
#define TUN_MTU_DEFAULT
Definition: mtu.h:70
options_postprocess_mutate_invariant
static void options_postprocess_mutate_invariant(struct options *options)
Definition: options.c:3395
options::vlan_accept
enum vlan_acceptable_frames vlan_accept
Definition: options.h:695
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:62
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition: ssl_backend.h:103
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:328
options::route_delay
int route_delay
Definition: options.h:416
options::ifconfig_local
const char * ifconfig_local
Definition: options.h:308
connection_entry::tun_mtu
int tun_mtu
Definition: options.h:118
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: options.h:498
memdbg.h
dns_server_priority_parse
bool dns_server_priority_parse(long *priority, const char *str, bool pulled)
Parses a string DNS server priority and validates it.
Definition: dns.c:160
options::user_script_used
bool user_script_used
Definition: options.h:370
options::learn_address_script
const char * learn_address_script
Definition: options.h:488
connection_entry::tun_mtu_max
int tun_mtu_max
Definition: options.h:120
print_windows_driver
const char * print_windows_driver(enum windows_driver_type windows_driver)
Definition: tun.c:7145
DEFAULT_TIME_BACKTRACK
#define DEFAULT_TIME_BACKTRACK
Definition: packet_id.h:109
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:342
auth_retry_set
bool auth_retry_set(const int msglevel, const char *option)
Definition: options.c:4767
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition: proto.h:35
options::bind_dev
char * bind_dev
Definition: options.h:404
options::mtu_test
bool mtu_test
Definition: options.h:319
options::management_client_user
const char * management_client_user
Definition: options.h:438
options::ciphername
const char * ciphername
Definition: options.h:557
options::inactivity_timeout
int inactivity_timeout
Definition: options.h:330
options::suppress_timestamps
bool suppress_timestamps
Definition: options.h:379
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition: options.h:732
title_string
const char title_string[]
Definition: options.c:67
COMP_ALGV2_LZ4
#define COMP_ALGV2_LZ4
Definition: comp.h:54
connection_entry::local_port
const char * local_port
Definition: options.h:101
M_USAGE
#define M_USAGE
Definition: error.h:112
setenv_str_safe
void setenv_str_safe(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:289
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition: crypto.h:274
options::dev_node
const char * dev_node
Definition: options.h:305
msg
#define msg(flags,...)
Definition: error.h:150
env_set_get
const char * env_set_get(const struct env_set *es, const char *name)
Definition: env_set.c:201
pkcs11_id_management
static bool pkcs11_id_management
Definition: test_pkcs11.c:128
OPT_P_MTU
#define OPT_P_MTU
Definition: options.h:727
http_proxy_options::custom_headers
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
Definition: proxy.h:58
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: options.h:524
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition: options.h:741
gc_realloc
void * gc_realloc(void *ptr, size_t size, struct gc_arena *a)
allows to realloc a pointer previously allocated by gc_malloc or gc_realloc
Definition: buffer.c:414
push_entry::enable
bool enable
Definition: pushlist.h:31
pull_filter::next
struct pull_filter * next
Definition: options.c:938
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition: mtu.h:131
options_pre_connect::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:86
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:478
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:275
SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_OPTIONAL
Definition: ssl_common.h:405
remote_list
Definition: options.h:190
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition: options.h:312
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition: manage.h:43
http-client.f
string f
Definition: http-client.py:6
options::renegotiate_bytes
int renegotiate_bytes
Definition: options.h:627
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition: common.h:69
MF_UP_DOWN
#define MF_UP_DOWN
Definition: manage.h:40
options::lladdr
const char * lladdr
Definition: options.h:306
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
options::server_bridge_defined
bool server_bridge_defined
Definition: options.h:466
dhcp
Definition: dhcp.h:53
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition: buffer.h:1077
remote_list::capacity
int capacity
Definition: options.h:192
SHOW_BOOL
#define SHOW_BOOL(var)
Definition: options.c:980
pre_connect_save
static void pre_connect_save(struct options *o)
Definition: options.c:3284
CONNECTION_LIST_SIZE
#define CONNECTION_LIST_SIZE
Definition: options.h:180
BOOL_CAST
#define BOOL_CAST(x)
Definition: basic.h:27
buf_set_read
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition: buffer.h:348
options_warning
void options_warning(char *actual, const char *expected)
Definition: options.c:4471
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1098
options::ca_file_inline
bool ca_file_inline
Definition: options.h:577
options::management_user_pass
const char * management_user_pass
Definition: options.h:433
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:229
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:503
options::remote_cert_eku
const char * remote_cert_eku
Definition: options.h:603
options::pull
bool pull
Definition: options.h:540
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1327
NS_CERT_CHECK_CLIENT
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:231
PROTO_UDP
@ PROTO_UDP
Definition: socket.h:555
TLS_SERVER
#define TLS_SERVER
GETADDR_FATAL
#define GETADDR_FATAL
Definition: socket.h:505
PROTO_TCP
@ PROTO_TCP
Definition: socket.h:556
tuntap_options::ntp
in_addr_t ntp[N_DHCP_ADDR]
Definition: tun.h:116
COMP_F_ALLOW_STUB_ONLY
#define COMP_F_ALLOW_STUB_ONLY
Definition: comp.h:39
options_warning_safe_ml
static void options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
Definition: options.c:4581
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:436
dhcp_option_dns6_parse
static void dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
Definition: options.c:1307
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition: buffer.c:869
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:412
check_tls_prf_working
bool check_tls_prf_working(void)
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS K...
Definition: crypto.c:1795
Generated by   doxygen 1.8.17