OpenVPN
options.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
25 /*
26  * 2004-01-28: Added Socks5 proxy support
27  * (Christof Meerwald, http://cmeerw.org)
28  */
29 
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35 #ifdef HAVE_CONFIG_VERSION_H
36 #include "config-version.h"
37 #endif
38 
39 #include "syshead.h"
40 
41 #include "buffer.h"
42 #include "error.h"
43 #include "common.h"
44 #include "run_command.h"
45 #include "shaper.h"
46 #include "crypto.h"
47 #include "ssl.h"
48 #include "options.h"
49 #include "misc.h"
50 #include "socket.h"
51 #include "packet_id.h"
52 #include "pkcs11.h"
53 #include "win32.h"
54 #include "push.h"
55 #include "pool.h"
56 #include "helper.h"
57 #include "manage.h"
58 #include "forward.h"
59 #include "ssl_verify.h"
60 #include "platform.h"
61 #include <ctype.h>
62 
63 #include "memdbg.h"
64 
65 const char title_string[] =
67 #ifdef CONFIGURE_GIT_REVISION
68  " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
69 #endif
70  " " TARGET_ALIAS
71 #if defined(ENABLE_CRYPTO_MBEDTLS)
72  " [SSL (mbed TLS)]"
73 #elif defined(ENABLE_CRYPTO_OPENSSL)
74  " [SSL (OpenSSL)]"
75 #else
76  " [SSL]"
77 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
78 #ifdef USE_COMP
79 #ifdef ENABLE_LZO
80  " [LZO]"
81 #endif
82 #ifdef ENABLE_LZ4
83  " [LZ4]"
84 #endif
85 #ifdef ENABLE_COMP_STUB
86  " [COMP_STUB]"
87 #endif
88 #endif /* USE_COMP */
89 #if EPOLL
90  " [EPOLL]"
91 #endif
92 #ifdef PRODUCT_TAP_DEBUG
93  " [TAPDBG]"
94 #endif
95 #ifdef ENABLE_PKCS11
96  " [PKCS11]"
97 #endif
98 #if ENABLE_IP_PKTINFO
99 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
100  " [MH/PKTINFO]"
101 #elif defined(IP_RECVDSTADDR)
102  " [MH/RECVDA]"
103 #endif
104 #endif
105 #ifdef HAVE_AEAD_CIPHER_MODES
106  " [AEAD]"
107 #endif
108  " built on " __DATE__
109 ;
110 
111 #ifndef ENABLE_SMALL
112 
113 static const char usage_message[] =
114  "%s\n"
115  "\n"
116  "General Options:\n"
117  "--config file : Read configuration options from file.\n"
118  "--help : Show options.\n"
119  "--version : Show copyright and version information.\n"
120  "\n"
121  "Tunnel Options:\n"
122  "--local host : Local host name or ip address. Implies --bind.\n"
123  "--remote host [port] : Remote host name or ip address.\n"
124  "--remote-random : If multiple --remote options specified, choose one randomly.\n"
125  "--remote-random-hostname : Add a random string to remote DNS name.\n"
126  "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
127  "--proto p : Use protocol p for communicating with peer.\n"
128  " p = udp (default), tcp-server, or tcp-client\n"
129  "--proto-force p : only consider protocol p in list of connection profiles.\n"
130  " p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
131  "--connect-retry n [m] : For client, number of seconds to wait between\n"
132  " connection retries (default=%d). On repeated retries\n"
133  " the wait time is exponentially increased to a maximum of m\n"
134  " (default=%d).\n"
135  "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
136  "--http-proxy s p [up] [auth] : Connect to remote host\n"
137  " through an HTTP proxy at address s and port p.\n"
138  " If proxy authentication is required,\n"
139  " up is a file containing username/password on 2 lines, or\n"
140  " 'stdin' to prompt from console. Add auth='ntlm' if\n"
141  " the proxy requires NTLM authentication.\n"
142  "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
143  " determine auth method and query for username/password\n"
144  " if needed. auto-nct disables weak proxy auth methods.\n"
145  "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
146  " Repeat to set multiple options.\n"
147  " VERSION version (default=1.0)\n"
148  " AGENT user-agent\n"
149  "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
150  " address s and port p (default port = 1080).\n"
151  " If proxy authentication is required,\n"
152  " up is a file containing username/password on 2 lines, or\n"
153  " 'stdin' to prompt for console.\n"
154  "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
155  "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
156  " resolve for n seconds before failing (disabled by default).\n"
157  " Set n=\"infinite\" to retry indefinitely.\n"
158  "--float : Allow remote to change its IP address/port, such as through\n"
159  " DHCP (this is the default if --remote is not used).\n"
160  "--ipchange cmd : Run command cmd on remote ip address initial\n"
161  " setting or change -- execute as: cmd ip-address port#\n"
162  "--port port : TCP/UDP port # for both local and remote.\n"
163  "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
164  "--rport port : TCP/UDP port # for remote (default=%s).\n"
165  "--bind : Bind to local address and port. (This is the default unless\n"
166  " --proto tcp-client"
167  " or --http-proxy"
168  " or --socks-proxy"
169  " is used).\n"
170  "--nobind : Do not bind to local address and port.\n"
171  "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
172  "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
173  " this option only if the tun/tap device used with --dev\n"
174  " does not begin with \"tun\" or \"tap\".\n"
175  "--dev-node node : Explicitly set the device node rather than using\n"
176  " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
177  "--lladdr hw : Set the link layer address of the tap device.\n"
178  "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
179 #ifdef ENABLE_IPROUTE
180  "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
181 #endif
182  "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
183  " endpoint and rn as a remote endpoint. l & rn should be\n"
184  " swapped on the other peer. l & rn must be private\n"
185  " addresses outside of the subnets used by either peer.\n"
186  " TAP: configure device to use IP address l as a local\n"
187  " endpoint and rn as a subnet mask.\n"
188  "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
189  " endpoint (as a /64) and r as remote endpoint\n"
190  "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
191  " pass --ifconfig parms by environment to scripts.\n"
192  "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
193  " connection doesn't match the remote side.\n"
194  "--route network [netmask] [gateway] [metric] :\n"
195  " Add route to routing table after connection\n"
196  " is established. Multiple routes can be specified.\n"
197  " netmask default: 255.255.255.255\n"
198  " gateway default: taken from --route-gateway or --ifconfig\n"
199  " Specify default by leaving blank or setting to \"nil\".\n"
200  "--route-ipv6 network/bits [gateway] [metric] :\n"
201  " Add IPv6 route to routing table after connection\n"
202  " is established. Multiple routes can be specified.\n"
203  " gateway default: taken from 'remote' in --ifconfig-ipv6\n"
204  "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
205  "--route-metric m : Specify a default metric for use with --route.\n"
206  "--route-delay n [w] : Delay n seconds after connection initiation before\n"
207  " adding routes (may be 0). If not specified, routes will\n"
208  " be added immediately after tun/tap open. On Windows, wait\n"
209  " up to w seconds for TUN/TAP adapter to come up.\n"
210  "--route-up cmd : Run command cmd after routes are added.\n"
211  "--route-pre-down cmd : Run command cmd before routes are removed.\n"
212  "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
213  " --route-up script using environmental variables.\n"
214  "--route-nopull : When used with --client or --pull, accept options pushed\n"
215  " by server EXCEPT for routes and dhcp options.\n"
216  "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
217  " --ifconfig, --route, and --route-gateway.\n"
218  "--redirect-gateway [flags]: Automatically execute routing\n"
219  " commands to redirect all outgoing IP traffic through the\n"
220  " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
221  " connected via a common subnet, such as with WiFi.\n"
222  " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
223  " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
224  " flag to add a direct route to DHCP server, bypassing tunnel.\n"
225  " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
226  "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
227  " the default gateway. Useful when pushing private subnets.\n"
228  "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
229  "--push-peer-info : (client only) push client info to server.\n"
230  "--setenv name value : Set a custom environmental variable to pass to script.\n"
231  "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
232  " directives for future OpenVPN versions to be ignored.\n"
233  "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
234  " these options to be ignored when unknown\n"
235  "--script-security level: Where level can be:\n"
236  " 0 -- strictly no calling of external programs\n"
237  " 1 -- (default) only call built-ins such as ifconfig\n"
238  " 2 -- allow calling of built-ins and scripts\n"
239  " 3 -- allow password to be passed to scripts via env\n"
240  "--shaper n : Restrict output to peer to n bytes per second.\n"
241  "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
242  " ping once every n seconds, restart if ping not received\n"
243  " for m seconds.\n"
244  "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
245  " produces a combined in/out byte count < bytes.\n"
246  "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
247  "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
248  "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
249  " remote address.\n"
250  "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
251 #if ENABLE_IP_PKTINFO
252  "--multihome : Configure a multi-homed UDP server.\n"
253 #endif
254  "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
255  "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
256  "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
257  "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
258  "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
259  "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
260 #if PASSTOS_CAPABILITY
261  "--passtos : TOS passthrough (applies to IPv4 only).\n"
262 #endif
263  "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
264  " TCP/UDP MTU from it (default=%d).\n"
265  "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
266  " as n bytes more than the tun-mtu size on read\n"
267  " (default TUN=0 TAP=%d).\n"
268  "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
269  " from it.\n"
270  "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
271  " 'no' -- Never send DF (Don't Fragment) frames\n"
272  " 'maybe' -- Use per-route hints\n"
273  " 'yes' -- Always DF (Don't Fragment)\n"
274 #ifdef ENABLE_OCC
275  "--mtu-test : Empirically measure and report MTU.\n"
276 #endif
277 #ifdef ENABLE_FRAGMENT
278  "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
279  " datagrams are sent which are larger than max bytes.\n"
280  " Adds 4 bytes of overhead per datagram.\n"
281 #endif
282  "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
283  " or --fragment max value, whichever is lower.\n"
284  "--sndbuf size : Set the TCP/UDP send buffer size.\n"
285  "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
286 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
287  "--mark value : Mark encrypted packets being sent with value. The mark value\n"
288  " can be matched in policy routing and packetfilter rules.\n"
289 #endif
290  "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
291 #ifdef ENABLE_MEMSTATS
292  "--memstats file : Write live usage stats to memory mapped binary file.\n"
293 #endif
294  "--mlock : Disable Paging -- ensures key material and tunnel\n"
295  " data will never be written to disk.\n"
296  "--up cmd : Run command cmd after successful tun device open.\n"
297  " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
298  " ifconfig-local-ip ifconfig-remote-ip\n"
299  " (pre --user or --group UID/GID change)\n"
300  "--up-delay : Delay tun/tap open and possible --up script execution\n"
301  " until after TCP/UDP connection establishment with peer.\n"
302  "--down cmd : Run command cmd after tun device close.\n"
303  " (post --user/--group UID/GID change and/or --chroot)\n"
304  " (command parameters are same as --up option)\n"
305  "--down-pre : Run --down command before TUN/TAP close.\n"
306  "--up-restart : Run up/down commands for all restarts including those\n"
307  " caused by --ping-restart or SIGUSR1\n"
308  "--user user : Set UID to user after initialization.\n"
309  "--group group : Set GID to group after initialization.\n"
310  "--chroot dir : Chroot to this directory after initialization.\n"
311 #ifdef ENABLE_SELINUX
312  "--setcon context: Apply this SELinux context after initialization.\n"
313 #endif
314  "--cd dir : Change to this directory before initialization.\n"
315  "--daemon [name] : Become a daemon after initialization.\n"
316  " The optional 'name' parameter will be passed\n"
317  " as the program name to the system logger.\n"
318  "--syslog [name] : Output to syslog, but do not become a daemon.\n"
319  " See --daemon above for a description of the 'name' parm.\n"
320  "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
321  " See --daemon above for a description of the 'name' parm.\n"
322  "--log file : Output log to file which is created/truncated on open.\n"
323  "--log-append file : Append log to file, or create file if nonexistent.\n"
324  "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
325  "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
326  "--writepid file : Write main process ID to file.\n"
327  "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
328  "--echo [parms ...] : Echo parameters to log output.\n"
329  "--verb n : Set output verbosity to n (default=%d):\n"
330  " (Level 3 is recommended if you want a good summary\n"
331  " of what's happening without being swamped by output).\n"
332  " : 0 -- no output except fatal errors\n"
333  " : 1 -- startup info + connection initiated messages +\n"
334  " non-fatal encryption & net errors\n"
335  " : 2,3 -- show TLS negotiations & route info\n"
336  " : 4 -- show parameters\n"
337  " : 5 -- show 'RrWw' chars on console for each packet sent\n"
338  " and received from TCP/UDP (caps) or tun/tap (lc)\n"
339  " : 6 to 11 -- debug messages of increasing verbosity\n"
340  "--mute n : Log at most n consecutive messages in the same category.\n"
341  "--status file n : Write operational status to file every n seconds.\n"
342  "--status-version [n] : Choose the status file format version number.\n"
343  " Currently, n can be 1, 2, or 3 (default=1).\n"
344 #ifdef ENABLE_OCC
345  "--disable-occ : Disable options consistency check between peers.\n"
346 #endif
347 #ifdef ENABLE_DEBUG
348  "--gremlin mask : Special stress testing mode (for debugging only).\n"
349 #endif
350 #if defined(USE_COMP)
351  "--compress alg : Use compression algorithm alg\n"
352 #if defined(ENABLE_LZO)
353  "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
354  " packet for uncompressible data.\n"
355  "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
356  " is specified.\n"
357 #endif
358 #endif
359 #ifdef ENABLE_MANAGEMENT
360  "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
361  " management functions. pass is a password file\n"
362  " or 'stdin' to prompt from console.\n"
363 #if UNIX_SOCK_SUPPORT
364  " To listen on a unix domain socket, specific the pathname\n"
365  " in place of ip and use 'unix' as the port number.\n"
366 #endif
367  "--management-client : Management interface will connect as a TCP client to\n"
368  " ip/port rather than listen as a TCP server.\n"
369  "--management-query-passwords : Query management channel for private key\n"
370  " and auth-user-pass passwords.\n"
371  "--management-query-proxy : Query management channel for proxy information.\n"
372  "--management-query-remote : Query management channel for --remote directive.\n"
373  "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
374  " of the management interface explicitly starts it.\n"
375  "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
376  "--management-forget-disconnect : Forget passwords when management disconnect\n"
377  " event occurs.\n"
378  "--management-up-down : Report tunnel up/down events to management interface.\n"
379  "--management-log-cache n : Cache n lines of log file history for usage\n"
380  " by the management channel.\n"
381 #if UNIX_SOCK_SUPPORT
382  "--management-client-user u : When management interface is a unix socket, only\n"
383  " allow connections from user u.\n"
384  "--management-client-group g : When management interface is a unix socket, only\n"
385  " allow connections from group g.\n"
386 #endif
387 #ifdef MANAGEMENT_DEF_AUTH
388  "--management-client-auth : gives management interface client the responsibility\n"
389  " to authenticate clients after their client certificate\n"
390  " has been verified.\n"
391 #endif
392 #ifdef MANAGEMENT_PF
393  "--management-client-pf : management interface clients must specify a packet\n"
394  " filter file for each connecting client.\n"
395 #endif
396 #endif /* ifdef ENABLE_MANAGEMENT */
397 #ifdef ENABLE_PLUGIN
398  "--plugin m [str]: Load plug-in module m passing str as an argument\n"
399  " to its initialization function.\n"
400 #endif
401 #if P2MP
402 #if P2MP_SERVER
403  "\n"
404  "Multi-Client Server options (when --mode server is used):\n"
405  "--server network netmask : Helper option to easily configure server mode.\n"
406  "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
407  "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
408  " easily configure ethernet bridging server mode.\n"
409  "--push \"option\" : Push a config file option back to the peer for remote\n"
410  " execution. Peer must specify --pull in its config file.\n"
411  "--push-reset : Don't inherit global push list for specific\n"
412  " client instance.\n"
413  "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
414  " to be dynamically allocated to connecting clients.\n"
415  "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather \n"
416  " than /30 subnets\n in tun mode. Not compatible with\n"
417  " Windows clients.\n"
418  "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
419  " data to file, at seconds intervals (default=600).\n"
420  " If seconds=0, file will be treated as read-only.\n"
421  "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
422  " to be dynamically allocated to connecting clients.\n"
423  "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
424  " overrides --ifconfig-pool dynamic allocation.\n"
425  " Only valid in a client-specific config file.\n"
426  "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
427  " remote, overrides --ifconfig-ipv6-pool allocation.\n"
428  " Only valid in a client-specific config file.\n"
429  "--iroute network [netmask] : Route subnet to client.\n"
430  "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
431  " Sets up internal routes only.\n"
432  " Only valid in a client-specific config file.\n"
433  "--disable : Client is disabled.\n"
434  " Only valid in a client-specific config file.\n"
435  "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n"
436  " will authenticate using username/password.\n"
437  "--verify-client-cert [none|optional|require] : perform no, optional or\n"
438  " mandatory client certificate verification.\n"
439  " Default is to require the client to supply a certificate.\n"
440  "--username-as-common-name : For auth-user-pass authentication, use\n"
441  " the authenticated username as the common name,\n"
442  " rather than the common name from the client cert.\n"
443  "--auth-user-pass-verify cmd method: Query client for username/password and\n"
444  " run command cmd to verify. If method='via-env', pass\n"
445  " user/pass via environment, if method='via-file', pass\n"
446  " user/pass via temporary file.\n"
447  "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
448  " to each client, replacing the password. Usefull when\n"
449  " OTP based two-factor auth mechanisms are in use and\n"
450  " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
451  " for generated tokens can be set.\n"
452  "--opt-verify : Clients that connect with options that are incompatible\n"
453  " with those of the server will be disconnected.\n"
454  "--auth-user-pass-optional : Allow connections by clients that don't\n"
455  " specify a username/password.\n"
456  "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
457  " any printable character.\n"
458  "--client-to-client : Internally route client-to-client traffic.\n"
459  "--duplicate-cn : Allow multiple clients with the same common name to\n"
460  " concurrently connect.\n"
461  "--client-connect cmd : Run command cmd on client connection.\n"
462  "--client-disconnect cmd : Run command cmd on client disconnection.\n"
463  "--client-config-dir dir : Directory for custom client config files.\n"
464  "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
465  "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
466  "--hash-size r v : Set the size of the real address hash table to r and the\n"
467  " virtual address table to v.\n"
468  "--bcast-buffers n : Allocate n broadcast buffers.\n"
469  "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
470  "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
471  " as well as pushes it to connecting clients.\n"
472  "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
473  "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
474  "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
475  "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
476  "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
477  " older than n seconds. Run this check every t\n"
478  " seconds (defaults to n).\n"
479  "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
480  " clients. n = 1 - reconnect to same server,\n"
481  " 2 - advance to next server, default=1.\n"
482 #if PORT_SHARE
483  "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
484  " sessions to a web server at host:port. dir specifies an\n"
485  " optional directory to write origin IP:port data.\n"
486 #endif
487 #endif /* if P2MP_SERVER */
488  "\n"
489  "Client options (when connecting to a multi-client server):\n"
490  "--client : Helper option to easily configure client mode.\n"
491  "--auth-user-pass [up] : Authenticate with server using username/password.\n"
492  " up is a file containing the username on the first line,\n"
493  " and a password on the second. If either the password or both\n"
494  " the username and the password are omitted OpenVPN will prompt\n"
495  " for them from console.\n"
496  "--pull : Accept certain config file options from the peer as if they\n"
497  " were part of the local config file. Must be specified\n"
498  " when connecting to a '--mode server' remote host.\n"
499  "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
500  " server if it starts with the text t. The action flag accept,\n"
501  " ignore or reject causes the option to be allowed, removed or\n"
502  " rejected with error. May be specified multiple times, and\n"
503  " each filter is applied in the order of appearance.\n"
504  "--auth-retry t : How to handle auth failures. Set t to\n"
505  " none (default), interact, or nointeract.\n"
506  "--static-challenge t e : Enable static challenge/response protocol using\n"
507  " challenge text t, with e indicating echo flag (0|1)\n"
508  "--connect-timeout n : when polling possible remote servers to connect to\n"
509  " in a round-robin fashion, spend no more than n seconds\n"
510  " waiting for a response before trying the next server.\n"
511  "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
512  " incoming tun packets with same destination as host.\n"
513 #endif /* if P2MP */
514 #ifdef ENABLE_OCC
515  "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
516  " server/remote. n = # of retries, default=1.\n"
517 #endif
518  "\n"
519  "Data Channel Encryption Options (must be compatible between peers):\n"
520  "(These options are meaningful for both Static Key & TLS-mode)\n"
521  "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
522  " Use shared secret file f, generate with --genkey.\n"
523  " The optional d parameter controls key directionality.\n"
524  " If d is specified, use separate keys for each\n"
525  " direction, set d=0 on one side of the connection,\n"
526  " and d=1 on the other side.\n"
527  "--auth alg : Authenticate packets with HMAC using message\n"
528  " digest algorithm alg (default=%s).\n"
529  " (usually adds 16 or 20 bytes per packet)\n"
530  " Set alg=none to disable authentication.\n"
531  "--cipher alg : Encrypt packets with cipher algorithm alg\n"
532  " (default=%s).\n"
533  " Set alg=none to disable encryption.\n"
534  "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
535  "--ncp-disable : Disable cipher negotiation.\n"
536  "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
537  " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
538 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
539  "--keysize n : (DEPRECATED) Size of cipher key in bits (optional).\n"
540  " If unspecified, defaults to cipher-specific default.\n"
541 #endif
542 #ifndef ENABLE_CRYPTO_MBEDTLS
543  "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
544 #endif
545  "--no-replay : (DEPRECATED) Disable replay protection.\n"
546  "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
547  "--replay-window n [t] : Use a replay protection sliding window of size n\n"
548  " and a time window of t seconds.\n"
549  " Default n=%d t=%d\n"
550  "--replay-persist file : Persist replay-protection state across sessions\n"
551  " using file.\n"
552  "--test-crypto : Run a self-test of crypto features enabled.\n"
553  " For debugging only.\n"
554 #ifdef ENABLE_PREDICTION_RESISTANCE
555  "--use-prediction-resistance: Enable prediction resistance on the random\n"
556  " number generator.\n"
557 #endif
558  "\n"
559  "TLS Key Negotiation Options:\n"
560  "(These options are meaningful only for TLS-mode)\n"
561  "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
562  "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
563  "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
564  " number, such as 1 (default), 2, etc.\n"
565  "--ca file : Certificate authority file in .pem format containing\n"
566  " root certificate.\n"
567 #ifndef ENABLE_CRYPTO_MBEDTLS
568  "--capath dir : A directory of trusted certificates (CAs"
569  " and CRLs).\n"
570 #endif /* ENABLE_CRYPTO_MBEDTLS */
571  "--dh file : File containing Diffie Hellman parameters\n"
572  " in .pem format (for --tls-server only).\n"
573  " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
574  "--cert file : Local certificate in .pem format -- must be signed\n"
575  " by a Certificate Authority in --ca file.\n"
576  "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
577  "--key file : Local private key in .pem format.\n"
578  "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
579  " will accept from the peer. If version is unrecognized and 'or-highest'\n"
580  " is specified, require max TLS version supported by SSL implementation.\n"
581  "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
582 #ifndef ENABLE_CRYPTO_MBEDTLS
583  "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
584  " and optionally the root CA certificate.\n"
585 #endif
586 #ifdef ENABLE_X509ALTUSERNAME
587  "--x509-username-field : Field in x509 certificate containing the username.\n"
588  " Default is CN in the Subject field.\n"
589 #endif
590  "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
591  " Valid algo flags are SHA1 and SHA256. \n"
592 #ifdef _WIN32
593  "--cryptoapicert select-string : Load the certificate and private key from the\n"
594  " Windows Certificate System Store.\n"
595 #endif
596  "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
597  " : Use --show-tls to see a list of supported TLS ciphers.\n"
598  "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
599  " (default=legacy).\n"
600  "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
601  " if no ACK from remote within n seconds (default=%d).\n"
602  "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
603  "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
604  "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
605  " and at least min (defaults to 90%% of max on servers and equal\n"
606  " to max on clients).\n"
607  "--hand-window n : Data channel key exchange must finalize within n seconds\n"
608  " of handshake initiation by any peer (default=%d).\n"
609  "--tran-window n : Transition window -- old key can live this many seconds\n"
610  " after new key renegotiation begins (default=%d).\n"
611  "--single-session: Allow only one session (reset state on restart).\n"
612  "--tls-exit : Exit on TLS negotiation failure.\n"
613  "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
614  " control channel to protect against attacks on the TLS stack\n"
615  " and DoS attacks.\n"
616  " f (required) is a shared-secret key file.\n"
617  " The optional d parameter controls key directionality,\n"
618  " see --secret option for more info.\n"
619  "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
620  " of the TLS control channel to hide the TLS certificate,\n"
621  " provide basic post-quantum security and protect against\n"
622  " attacks on the TLS stack and DoS attacks.\n"
623  " key (required) provides the pre-shared key file.\n"
624  " see --secret option for more info.\n"
625  "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
626  "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
627  "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
628  "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
629  " pending TLS connection that has otherwise passed all other\n"
630  " tests of certification. cmd should return 0 to allow\n"
631  " TLS handshake to proceed, or 1 to fail. (cmd is\n"
632  " executed as 'cmd certificate_depth subject')\n"
633  "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
634  " in an openvpn temporary file in [directory]. Peer cert is \n"
635  " stored before tls-verify script execution and deleted after.\n"
636  "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
637  " DN name. The remote host must also pass all other tests\n"
638  " of verification.\n"
639  "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
640  " an explicit nsCertType designation t = 'client' | 'server'.\n"
641  "--x509-track x : Save peer X509 attribute x in environment for use by\n"
642  " plugins and management interface.\n"
643 #if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
644  "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
645  " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
646 #endif
647  "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
648  " explicit key usage, you can specify more than one value.\n"
649  " value should be given in hex format.\n"
650  "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
651  " explicit extended key usage. Extended key usage can be encoded\n"
652  " as an object identifier or OpenSSL string representation.\n"
653  "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
654  " key usage and extended key usage based on RFC3280 TLS rules.\n"
655  " t = 'client' | 'server'.\n"
656 #ifdef ENABLE_PKCS11
657  "\n"
658  "PKCS#11 Options:\n"
659  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
660  "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
661  " path. Set for each provider.\n"
662  "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
663  " 0 : Try to determind automatically (default).\n"
664  " 1 : Use Sign.\n"
665  " 2 : Use SignRecover.\n"
666  " 4 : Use Decrypt.\n"
667  " 8 : Use Unwrap.\n"
668  "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
669  " certificate can be accessed. Set for each provider.\n"
670  "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
671  " cache until token is removed.\n"
672  "--pkcs11-id-management : Acquire identity from management interface.\n"
673  "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
674 #endif /* ENABLE_PKCS11 */
675  "\n"
676  "SSL Library information:\n"
677  "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
678  "--show-digests : Show message digest algorithms to use with --auth option.\n"
679  "--show-engines : Show hardware crypto accelerator engines (if available).\n"
680  "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
681 #ifdef _WIN32
682  "\n"
683  "Windows Specific:\n"
684  "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
685  " from SystemRoot environment variable.\n"
686  "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
687  " IP address using method = manual, netsh, ipapi,\n"
688  " dynamic, or adaptive (default = adaptive).\n"
689  " Dynamic method allows two optional parameters:\n"
690  " offset: DHCP server address offset (> -256 and < 256).\n"
691  " If 0, use network address, if >0, take nth\n"
692  " address forward from network address, if <0,\n"
693  " take nth address backward from broadcast\n"
694  " address.\n"
695  " Default is 0.\n"
696  " lease-time: Lease time in seconds.\n"
697  " Default is one year.\n"
698  "--route-method : Which method to use for adding routes on Windows?\n"
699  " adaptive (default) -- Try ipapi then fall back to exe.\n"
700  " ipapi -- Use IP helper API.\n"
701  " exe -- Call the route.exe shell command.\n"
702  "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
703  " be used with --ip-win32 dynamic. For options\n"
704  " which allow multiple addresses,\n"
705  " --dhcp-option must be repeated.\n"
706  " DOMAIN name : Set DNS suffix\n"
707  " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
708  " NTP : Set NTP server address(es)\n"
709  " NBDD : Set NBDD server address(es)\n"
710  " WINS addr : Set WINS server address(es)\n"
711  " NBT type : Set NetBIOS over TCP/IP Node type\n"
712  " 1: B, 2: P, 4: M, 8: H\n"
713  " NBS id : Set NetBIOS scope ID\n"
714  " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
715  "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
716  "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
717  " startup.\n"
718  "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
719  " on connection initiation.\n"
720  "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
721  " attempting to set adapter properties.\n"
722  "--pause-exit : When run from a console window, pause before exiting.\n"
723  "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
724  " service, and should not be used directly by end-users.\n"
725  " ex is the name of an event object which, when\n"
726  " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
727  " optional parameter controls the initial state of ex.\n"
728  "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
729  " after TAP adapter is up and routes have been added.\n"
730 #ifdef _WIN32
731  "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
732 #endif
733  "Windows Standalone Options:\n"
734  "\n"
735  "--show-adapters : Show all TAP-Windows adapters.\n"
736  "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
737  "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
738  "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
739  " to access TAP adapter.\n"
740 #endif /* ifdef _WIN32 */
741  "\n"
742  "Generate a new key (for use with --secret, --tls-auth or --tls-crypt):\n"
743  "--genkey file : Generate a new random key and write to file.\n"
744 #ifdef ENABLE_FEATURE_TUN_PERSIST
745  "\n"
746  "Tun/tap config mode (available with linux 2.4+):\n"
747  "--mktun : Create a persistent tunnel.\n"
748  "--rmtun : Remove a persistent tunnel.\n"
749  "--dev tunX|tapX : tun/tap device\n"
750  "--dev-type dt : Device type. See tunnel options above for details.\n"
751  "--user user : User to set privilege to.\n"
752  "--group group : Group to set privilege to.\n"
753 #endif
754 #ifdef ENABLE_PKCS11
755  "\n"
756  "PKCS#11 standalone options:\n"
757 #ifdef DEFAULT_PKCS11_MODULE
758  "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
759 #else
760  "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
761 #endif
762  " --verb option can be added *BEFORE* this.\n"
763 #endif /* ENABLE_PKCS11 */
764  "\n"
765  "General Standalone Options:\n"
766 #ifdef ENABLE_DEBUG
767  "--show-gateway : Show info about default gateway.\n"
768 #endif
769 ;
770 
771 #endif /* !ENABLE_SMALL */
772 
773 /*
774  * This is where the options defaults go.
775  * Any option not explicitly set here
776  * will be set to 0.
777  */
778 void
779 init_options(struct options *o, const bool init_gc)
780 {
781  CLEAR(*o);
782  if (init_gc)
783  {
784  gc_init(&o->gc);
785  o->gc_owned = true;
786  }
788  o->topology = TOP_NET30;
789  o->ce.proto = PROTO_UDP;
790  o->ce.af = AF_UNSPEC;
791  o->ce.bind_ipv6_only = false;
792  o->ce.connect_retry_seconds = 5;
793  o->ce.connect_retry_seconds_max = 300;
794  o->ce.connect_timeout = 120;
795  o->connect_retry_max = 0;
797  o->verbosity = 1;
798  o->status_file_update_freq = 60;
799  o->status_file_version = 1;
800  o->ce.bind_local = true;
803  o->ce.mtu_discover_type = -1;
804  o->ce.mssfix = MSSFIX_DEFAULT;
805  o->route_delay_window = 30;
807  o->resolve_in_advance = false;
808  o->proto_force = -1;
809 #ifdef ENABLE_OCC
810  o->occ = true;
811 #endif
812 #ifdef ENABLE_MANAGEMENT
816 #endif
817 #ifdef ENABLE_FEATURE_TUN_PERSIST
818  o->persist_mode = 1;
819 #endif
820 #ifdef TARGET_LINUX
821  o->tuntap_options.txqueuelen = 100;
822 #endif
823 #ifdef _WIN32
824 #if 0
826 #else
828 #endif
829  o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
830  o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
832  o->block_outside_dns = false;
833 #endif
834 #if P2MP_SERVER
835  o->real_hash_size = 256;
836  o->virtual_hash_size = 256;
837  o->n_bcast_buf = 256;
838  o->tcp_queue_limit = 64;
839  o->max_clients = 1024;
840  o->max_routes_per_client = 256;
843 #endif
844 #if P2MP
846 #endif
847  o->ciphername = "BF-CBC";
848 #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
849  o->ncp_enabled = true;
850 #else
851  o->ncp_enabled = false;
852 #endif
853  o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
854  o->authname = "SHA1";
855  o->prng_hash = "SHA1";
856  o->prng_nonce_secret_len = 16;
857  o->replay = true;
861 #ifdef ENABLE_PREDICTION_RESISTANCE
862  o->use_prediction_resistance = false;
863 #endif
864  o->key_method = 2;
865  o->tls_timeout = 2;
866  o->renegotiate_bytes = -1;
867  o->renegotiate_seconds = 3600;
868  o->renegotiate_seconds_min = -1;
869  o->handshake_window = 60;
870  o->transition_window = 3600;
871  o->tls_cert_profile = NULL;
872  o->ecdh_curve = NULL;
873 #ifdef ENABLE_X509ALTUSERNAME
874  o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
875 #endif
876 #ifdef ENABLE_PKCS11
877  o->pkcs11_pin_cache_period = -1;
878 #endif /* ENABLE_PKCS11 */
879 
880 /* P2MP server context features */
881 #if P2MP_SERVER
882  o->auth_token_generate = false;
883 
884  /* Set default --tmp-dir */
885 #ifdef _WIN32
886  /* On Windows, find temp dir via enviroment variables */
887  o->tmp_dir = win_get_tempdir();
888 #else
889  /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
890  o->tmp_dir = getenv("TMPDIR");
891  if (!o->tmp_dir)
892  {
893  o->tmp_dir = "/tmp";
894  }
895 #endif /* _WIN32 */
896 #endif /* P2MP_SERVER */
897  o->allow_recursive_routing = false;
898 }
899 
900 void
902 {
903  if (o->gc_owned)
904  {
905  gc_free(&o->gc);
906  }
907 }
908 
910 {
911 #define PUF_TYPE_UNDEF 0
912 #define PUF_TYPE_ACCEPT 1
913 #define PUF_TYPE_IGNORE 2
914 #define PUF_TYPE_REJECT 3
915  int type;
916  int size;
917  char *pattern;
918  struct pull_filter *next;
919 };
920 
922 {
923  struct pull_filter *head;
924  struct pull_filter *tail;
925 };
926 
927 static const char *
929 {
930  if (type == PUF_TYPE_ACCEPT)
931  {
932  return "accept";
933  }
934  if (type == PUF_TYPE_IGNORE)
935  {
936  return "ignore";
937  }
938  if (type == PUF_TYPE_REJECT)
939  {
940  return "reject";
941  }
942  else
943  {
944  return "???";
945  }
946 }
947 
948 #ifndef ENABLE_SMALL
949 
950 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
951 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
952 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
953 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
954 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
955 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
956 
957 #endif
958 
959 static void
961  const struct connection_entry *e,
962  const int i)
963 {
964  setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
965  setenv_str_i(es, "local", e->local, i);
966  setenv_str_i(es, "local_port", e->local_port, i);
967  setenv_str_i(es, "remote", e->remote, i);
968  setenv_str_i(es, "remote_port", e->remote_port, i);
969 
970  if (e->http_proxy_options)
971  {
972  setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
973  setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
974  }
975  if (e->socks_proxy_server)
976  {
977  setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
978  setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
979  }
980 }
981 
982 void
983 setenv_settings(struct env_set *es, const struct options *o)
984 {
985  setenv_str(es, "config", o->config);
986  setenv_int(es, "verb", o->verbosity);
987  setenv_int(es, "daemon", o->daemon);
988  setenv_int(es, "daemon_log_redirect", o->log);
989  setenv_long_long(es, "daemon_start_time", time(NULL));
990  setenv_int(es, "daemon_pid", platform_getpid());
991 
992  if (o->connection_list)
993  {
994  int i;
995  for (i = 0; i < o->connection_list->len; ++i)
996  {
998  }
999  }
1000  else
1001  {
1002  setenv_connection_entry(es, &o->ce, 1);
1003  }
1004 }
1005 
1006 static in_addr_t
1007 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1008 {
1009  unsigned int flags = GETADDR_HOST_ORDER;
1010  bool succeeded = false;
1011  in_addr_t ret;
1012 
1013  if (msglevel & M_FATAL)
1014  {
1015  flags |= GETADDR_FATAL;
1016  }
1017 
1018  ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1019  if (!succeeded && error)
1020  {
1021  *error = true;
1022  }
1023  return ret;
1024 }
1025 
1031 static char *
1032 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1033 {
1034  const char *end = strchr(addr, '/');
1035  char *ret = NULL;
1036  if (NULL == end)
1037  {
1038  ret = string_alloc(addr, gc);
1039  }
1040  else
1041  {
1042  size_t len = end - addr;
1043  ret = gc_malloc(len + 1, true, gc);
1044  memcpy(ret, addr, len);
1045  }
1046  return ret;
1047 }
1048 
1049 static bool
1050 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1051 {
1052  struct in6_addr t_addr;
1053  unsigned int t_bits;
1054 
1055  return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1056 }
1057 
1058 static char *
1059 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1060 {
1061  char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1062  char *dest = ret;
1063  char c;
1064 
1065  do
1066  {
1067  c = *src++;
1068  if (c == from)
1069  {
1070  c = to;
1071  }
1072  *dest++ = c;
1073  }
1074  while (c);
1075  return ret;
1076 }
1077 
1078 static uint8_t *
1079 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1080 {
1081  int i;
1082  const char *cp = str;
1083  uint8_t *ret = (uint8_t *) gc_malloc(nbytes, true, gc);
1084  char term = 1;
1085  int byte;
1086  char bs[3];
1087 
1088  for (i = 0; i < nbytes; ++i)
1089  {
1090  if (strlen(cp) < 2)
1091  {
1092  msg(msglevel, "format error in hash fingerprint: %s", str);
1093  }
1094  bs[0] = *cp++;
1095  bs[1] = *cp++;
1096  bs[2] = 0;
1097  byte = 0;
1098  if (sscanf(bs, "%x", &byte) != 1)
1099  {
1100  msg(msglevel, "format error in hash fingerprint hex byte: %s", str);
1101  }
1102  ret[i] = (uint8_t)byte;
1103  term = *cp++;
1104  if (term != ':' && term != 0)
1105  {
1106  msg(msglevel, "format error in hash fingerprint delimiter: %s", str);
1107  }
1108  if (term == 0)
1109  {
1110  break;
1111  }
1112  }
1113  if (term != 0 || i != nbytes-1)
1114  {
1115  msg(msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str);
1116  }
1117  return ret;
1118 }
1119 
1120 #ifdef _WIN32
1121 
1122 #ifndef ENABLE_SMALL
1123 
1124 static void
1125 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1126 {
1127  struct gc_arena gc = gc_new();
1128  int i;
1129  for (i = 0; i < len; ++i)
1130  {
1131  msg(D_SHOW_PARMS, " %s[%d] = %s",
1132  name,
1133  i,
1134  print_in_addr_t(array[i], 0, &gc));
1135  }
1136  gc_free(&gc);
1137 }
1138 
1139 static void
1141 {
1142  SHOW_BOOL(ip_win32_defined);
1143  SHOW_INT(ip_win32_type);
1144  SHOW_INT(dhcp_masq_offset);
1145  SHOW_INT(dhcp_lease_time);
1146  SHOW_INT(tap_sleep);
1147  SHOW_BOOL(dhcp_options);
1149  SHOW_BOOL(dhcp_pre_release);
1150  SHOW_STR(domain);
1151  SHOW_STR(netbios_scope);
1152  SHOW_INT(netbios_node_type);
1153  SHOW_BOOL(disable_nbt);
1154 
1155  show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1156  show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1157  show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1158  show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1159 }
1160 
1161 #endif /* ifndef ENABLE_SMALL */
1162 #endif /* ifdef _WIN32 */
1163 
1164 #if defined(_WIN32) || defined(TARGET_ANDROID)
1165 static void
1166 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1167 {
1168  struct in6_addr addr;
1169  if (*len >= N_DHCP_ADDR)
1170  {
1171  msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1172  N_DHCP_ADDR);
1173  }
1174  else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1175  {
1176  dns6_list[(*len)++] = addr;
1177  }
1178 }
1179 static void
1180 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1181 {
1182  if (*len >= N_DHCP_ADDR)
1183  {
1184  msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1185  name,
1186  N_DHCP_ADDR,
1187  name);
1188  }
1189  else
1190  {
1191  if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1192  {
1193  bool error = false;
1194  const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1195  if (!error)
1196  {
1197  array[(*len)++] = addr;
1198  }
1199  }
1200  else
1201  {
1202  msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1203  }
1204  }
1205 }
1206 
1207 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1208 
1209 #if P2MP
1210 
1211 #ifndef ENABLE_SMALL
1212 
1213 static void
1214 show_p2mp_parms(const struct options *o)
1215 {
1216  struct gc_arena gc = gc_new();
1217 
1218 #if P2MP_SERVER
1219  msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1220  msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1221  msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1222  SHOW_INT(server_netbits_ipv6);
1223  msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1224  msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1225  msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1226  msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1227  if (o->push_list.head)
1228  {
1229  const struct push_entry *e = o->push_list.head;
1230  while (e)
1231  {
1232  if (e->enable)
1233  {
1234  msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1235  }
1236  e = e->next;
1237  }
1238  }
1239  SHOW_BOOL(ifconfig_pool_defined);
1240  msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1241  msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1242  msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1243  SHOW_STR(ifconfig_pool_persist_filename);
1244  SHOW_INT(ifconfig_pool_persist_refresh_freq);
1245  SHOW_BOOL(ifconfig_ipv6_pool_defined);
1246  msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1247  SHOW_INT(ifconfig_ipv6_pool_netbits);
1248  SHOW_INT(n_bcast_buf);
1249  SHOW_INT(tcp_queue_limit);
1250  SHOW_INT(real_hash_size);
1251  SHOW_INT(virtual_hash_size);
1252  SHOW_STR(client_connect_script);
1254  SHOW_STR(client_disconnect_script);
1255  SHOW_STR(client_config_dir);
1256  SHOW_BOOL(ccd_exclusive);
1257  SHOW_STR(tmp_dir);
1258  SHOW_BOOL(push_ifconfig_defined);
1259  msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1260  msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1261  SHOW_BOOL(push_ifconfig_ipv6_defined);
1262  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1263  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1264  SHOW_BOOL(enable_c2c);
1265  SHOW_BOOL(duplicate_cn);
1266  SHOW_INT(cf_max);
1267  SHOW_INT(cf_per);
1268  SHOW_INT(max_clients);
1269  SHOW_INT(max_routes_per_client);
1270  SHOW_STR(auth_user_pass_verify_script);
1271  SHOW_BOOL(auth_user_pass_verify_script_via_file);
1272  SHOW_BOOL(auth_token_generate);
1273  SHOW_INT(auth_token_lifetime);
1274 #if PORT_SHARE
1275  SHOW_STR(port_share_host);
1276  SHOW_STR(port_share_port);
1277 #endif
1278 #endif /* P2MP_SERVER */
1279 
1280  SHOW_BOOL(client);
1281  SHOW_BOOL(pull);
1282  SHOW_STR(auth_user_pass_file);
1283 
1284  gc_free(&gc);
1285 }
1286 
1287 #endif /* ! ENABLE_SMALL */
1288 
1289 #if P2MP_SERVER
1290 
1291 static void
1293  const char *network_str,
1294  const char *netmask_str,
1295  int msglevel)
1296 {
1297  struct iroute *ir;
1298 
1299  ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1300  ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1301  ir->netbits = -1;
1302 
1303  if (netmask_str)
1304  {
1305  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1306  if (!netmask_to_netbits(ir->network, netmask, &ir->netbits))
1307  {
1308  msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1309  network_str,
1310  netmask_str);
1311  return;
1312  }
1313  }
1314 
1315  ir->next = o->iroutes;
1316  o->iroutes = ir;
1317 }
1318 
1319 static void
1321  const char *prefix_str,
1322  int msglevel)
1323 {
1324  struct iroute_ipv6 *ir;
1325 
1326  ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1327 
1328  if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1329  {
1330  msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1331  prefix_str);
1332  return;
1333  }
1334 
1335  ir->next = o->iroutes_ipv6;
1336  o->iroutes_ipv6 = ir;
1337 }
1338 #endif /* P2MP_SERVER */
1339 #endif /* P2MP */
1340 
1341 #ifndef ENABLE_SMALL
1342 static void
1344 {
1345  int i;
1346  msg(D_SHOW_PARMS, "BEGIN http_proxy");
1347  SHOW_STR(server);
1348  SHOW_STR(port);
1349  SHOW_STR(auth_method_string);
1350  SHOW_STR(auth_file);
1351  SHOW_STR(http_version);
1352  SHOW_STR(user_agent);
1353  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1354  {
1355  if (o->custom_headers[i].content)
1356  {
1357  msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1358  o->custom_headers[i].name, o->custom_headers[i].content);
1359  }
1360  else
1361  {
1362  msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1363  o->custom_headers[i].name);
1364  }
1365  }
1366  msg(D_SHOW_PARMS, "END http_proxy");
1367 }
1368 #endif /* ifndef ENABLE_SMALL */
1369 
1370 void
1372 {
1373  gc_detach(&o->gc);
1374  o->routes = NULL;
1375  o->client_nat = NULL;
1376 #if P2MP_SERVER
1377  clone_push_list(o);
1378 #endif
1379 }
1380 
1381 void
1383 {
1384  if (!options->routes)
1385  {
1386  options->routes = new_route_option_list(&options->gc);
1387  }
1388 }
1389 
1390 static void
1392 {
1393  if (!options->routes_ipv6)
1394  {
1395  options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1396  }
1397 }
1398 
1399 static void
1401 {
1402  if (!options->client_nat)
1403  {
1404  options->client_nat = new_client_nat_list(&options->gc);
1405  }
1406 }
1407 
1408 #ifndef ENABLE_SMALL
1409 static void
1411 {
1412  msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1413  SHOW_STR(local);
1414  SHOW_STR(local_port);
1415  SHOW_STR(remote);
1416  SHOW_STR(remote_port);
1417  SHOW_BOOL(remote_float);
1418  SHOW_BOOL(bind_defined);
1420  SHOW_BOOL(bind_ipv6_only);
1421  SHOW_INT(connect_retry_seconds);
1422  SHOW_INT(connect_timeout);
1423 
1424  if (o->http_proxy_options)
1425  {
1427  }
1428  SHOW_STR(socks_proxy_server);
1429  SHOW_STR(socks_proxy_port);
1430  SHOW_INT(tun_mtu);
1431  SHOW_BOOL(tun_mtu_defined);
1432  SHOW_INT(link_mtu);
1433  SHOW_BOOL(link_mtu_defined);
1434  SHOW_INT(tun_mtu_extra);
1435  SHOW_BOOL(tun_mtu_extra_defined);
1436 
1437  SHOW_INT(mtu_discover_type);
1438 
1439 #ifdef ENABLE_FRAGMENT
1440  SHOW_INT(fragment);
1441 #endif
1442  SHOW_INT(mssfix);
1443 
1444 #ifdef ENABLE_OCC
1445  SHOW_INT(explicit_exit_notification);
1446 #endif
1447 
1448  SHOW_STR(tls_auth_file);
1449  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1450  "%s");
1451  SHOW_STR(tls_crypt_file);
1452 }
1453 
1454 
1455 static void
1457 {
1458  if (o->connection_list)
1459  {
1460  const struct connection_list *l = o->connection_list;
1461  int i;
1462  for (i = 0; i < l->len; ++i)
1463  {
1464  msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1466  }
1467  }
1468  else
1469  {
1470  msg(D_SHOW_PARMS, "Connection profiles [default]:");
1472  }
1473  msg(D_SHOW_PARMS, "Connection profiles END");
1474 }
1475 
1476 static void
1478 {
1479  struct pull_filter *f;
1480  if (!l)
1481  {
1482  return;
1483  }
1484 
1485  msg(D_SHOW_PARMS, " Pull filters:");
1486  for (f = l->head; f; f = f->next)
1487  {
1488  msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1489  }
1490 }
1491 
1492 #endif /* ifndef ENABLE_SMALL */
1493 
1494 void
1495 show_settings(const struct options *o)
1496 {
1497 #ifndef ENABLE_SMALL
1498  msg(D_SHOW_PARMS, "Current Parameter Settings:");
1499 
1500  SHOW_STR(config);
1501 
1502  SHOW_INT(mode);
1503 
1504 #ifdef ENABLE_FEATURE_TUN_PERSIST
1505  SHOW_BOOL(persist_config);
1506  SHOW_INT(persist_mode);
1507 #endif
1508 
1509  SHOW_BOOL(show_ciphers);
1510  SHOW_BOOL(show_digests);
1511  SHOW_BOOL(show_engines);
1512  SHOW_BOOL(genkey);
1513  SHOW_STR(key_pass_file);
1514  SHOW_BOOL(show_tls_ciphers);
1515 
1516  SHOW_INT(connect_retry_max);
1518 
1519  SHOW_BOOL(remote_random);
1520 
1521  SHOW_STR(ipchange);
1522  SHOW_STR(dev);
1523  SHOW_STR(dev_type);
1524  SHOW_STR(dev_node);
1525  SHOW_STR(lladdr);
1526  SHOW_INT(topology);
1527  SHOW_STR(ifconfig_local);
1528  SHOW_STR(ifconfig_remote_netmask);
1529  SHOW_BOOL(ifconfig_noexec);
1530  SHOW_BOOL(ifconfig_nowarn);
1531  SHOW_STR(ifconfig_ipv6_local);
1532  SHOW_INT(ifconfig_ipv6_netbits);
1533  SHOW_STR(ifconfig_ipv6_remote);
1534 
1535 #ifdef ENABLE_FEATURE_SHAPER
1536  SHOW_INT(shaper);
1537 #endif
1538 #ifdef ENABLE_OCC
1539  SHOW_INT(mtu_test);
1540 #endif
1541 
1542  SHOW_BOOL(mlock);
1543 
1544  SHOW_INT(keepalive_ping);
1545  SHOW_INT(keepalive_timeout);
1546  SHOW_INT(inactivity_timeout);
1547  SHOW_INT(ping_send_timeout);
1548  SHOW_INT(ping_rec_timeout);
1549  SHOW_INT(ping_rec_timeout_action);
1550  SHOW_BOOL(ping_timer_remote);
1551  SHOW_INT(remap_sigusr1);
1552  SHOW_BOOL(persist_tun);
1553  SHOW_BOOL(persist_local_ip);
1554  SHOW_BOOL(persist_remote_ip);
1555  SHOW_BOOL(persist_key);
1556 
1557 #if PASSTOS_CAPABILITY
1558  SHOW_BOOL(passtos);
1559 #endif
1560 
1561  SHOW_INT(resolve_retry_seconds);
1562  SHOW_BOOL(resolve_in_advance);
1563 
1564  SHOW_STR(username);
1565  SHOW_STR(groupname);
1566  SHOW_STR(chroot_dir);
1567  SHOW_STR(cd_dir);
1568 #ifdef ENABLE_SELINUX
1569  SHOW_STR(selinux_context);
1570 #endif
1571  SHOW_STR(writepid);
1572  SHOW_STR(up_script);
1573  SHOW_STR(down_script);
1574  SHOW_BOOL(down_pre);
1575  SHOW_BOOL(up_restart);
1576  SHOW_BOOL(up_delay);
1577  SHOW_BOOL(daemon);
1578  SHOW_INT(inetd);
1579  SHOW_BOOL(log);
1582  SHOW_INT(nice);
1583  SHOW_INT(verbosity);
1584  SHOW_INT(mute);
1585 #ifdef ENABLE_DEBUG
1586  SHOW_INT(gremlin);
1587 #endif
1588  SHOW_STR(status_file);
1589  SHOW_INT(status_file_version);
1590  SHOW_INT(status_file_update_freq);
1591 
1592 #ifdef ENABLE_OCC
1593  SHOW_BOOL(occ);
1594 #endif
1595  SHOW_INT(rcvbuf);
1596  SHOW_INT(sndbuf);
1597 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1598  SHOW_INT(mark);
1599 #endif
1600  SHOW_INT(sockflags);
1601 
1602  SHOW_BOOL(fast_io);
1603 
1604 #ifdef USE_COMP
1605  SHOW_INT(comp.alg);
1606  SHOW_INT(comp.flags);
1607 #endif
1608 
1609  SHOW_STR(route_script);
1610  SHOW_STR(route_default_gateway);
1611  SHOW_INT(route_default_metric);
1612  SHOW_BOOL(route_noexec);
1613  SHOW_INT(route_delay);
1614  SHOW_INT(route_delay_window);
1615  SHOW_BOOL(route_delay_defined);
1616  SHOW_BOOL(route_nopull);
1617  SHOW_BOOL(route_gateway_via_dhcp);
1618  SHOW_BOOL(allow_pull_fqdn);
1620 
1621  if (o->routes)
1622  {
1624  }
1625 
1626  if (o->client_nat)
1627  {
1629  }
1630 
1631 #ifdef ENABLE_MANAGEMENT
1632  SHOW_STR(management_addr);
1633  SHOW_STR(management_port);
1634  SHOW_STR(management_user_pass);
1635  SHOW_INT(management_log_history_cache);
1636  SHOW_INT(management_echo_buffer_size);
1637  SHOW_STR(management_write_peer_info_file);
1638  SHOW_STR(management_client_user);
1639  SHOW_STR(management_client_group);
1640  SHOW_INT(management_flags);
1641 #endif
1642 #ifdef ENABLE_PLUGIN
1643  if (o->plugin_list)
1644  {
1646  }
1647 #endif
1648 
1649  SHOW_STR(shared_secret_file);
1650  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1651  SHOW_STR(ciphername);
1652  SHOW_BOOL(ncp_enabled);
1653  SHOW_STR(ncp_ciphers);
1654  SHOW_STR(authname);
1655  SHOW_STR(prng_hash);
1656  SHOW_INT(prng_nonce_secret_len);
1657  SHOW_INT(keysize);
1658 #ifndef ENABLE_CRYPTO_MBEDTLS
1659  SHOW_BOOL(engine);
1660 #endif /* ENABLE_CRYPTO_MBEDTLS */
1661  SHOW_BOOL(replay);
1662  SHOW_BOOL(mute_replay_warnings);
1663  SHOW_INT(replay_window);
1664  SHOW_INT(replay_time);
1665  SHOW_STR(packet_id_file);
1667 #ifdef ENABLE_PREDICTION_RESISTANCE
1668  SHOW_BOOL(use_prediction_resistance);
1669 #endif
1670 
1671  SHOW_BOOL(tls_server);
1672  SHOW_BOOL(tls_client);
1673  SHOW_INT(key_method);
1674  SHOW_STR(ca_file);
1675  SHOW_STR(ca_path);
1676  SHOW_STR(dh_file);
1677 #ifdef ENABLE_MANAGEMENT
1679  {
1680  SHOW_PARM("cert_file","EXTERNAL_CERT","%s");
1681  }
1682  else
1683 #endif
1684  SHOW_STR(cert_file);
1685  SHOW_STR(extra_certs_file);
1686 
1687 #ifdef ENABLE_MANAGEMENT
1688  if ((o->management_flags & MF_EXTERNAL_KEY))
1689  {
1690  SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
1691  }
1692  else
1693 #endif
1694  SHOW_STR(priv_key_file);
1695 #ifndef ENABLE_CRYPTO_MBEDTLS
1696  SHOW_STR(pkcs12_file);
1697 #endif
1698 #ifdef ENABLE_CRYPTOAPI
1699  SHOW_STR(cryptoapi_cert);
1700 #endif
1701  SHOW_STR(cipher_list);
1702  SHOW_STR(cipher_list_tls13);
1703  SHOW_STR(tls_cert_profile);
1705  SHOW_STR(tls_export_cert);
1706  SHOW_INT(verify_x509_type);
1707  SHOW_STR(verify_x509_name);
1708  SHOW_STR(crl_file);
1709  SHOW_INT(ns_cert_type);
1710  {
1711  int i;
1712  for (i = 0; i<MAX_PARMS; i++)
1713  {
1714  SHOW_INT(remote_cert_ku[i]);
1715  }
1716  }
1717  SHOW_STR(remote_cert_eku);
1718  SHOW_INT(ssl_flags);
1719 
1720  SHOW_INT(tls_timeout);
1721 
1722  SHOW_INT(renegotiate_bytes);
1723  SHOW_INT(renegotiate_packets);
1724  SHOW_INT(renegotiate_seconds);
1725 
1726  SHOW_INT(handshake_window);
1727  SHOW_INT(transition_window);
1728 
1729  SHOW_BOOL(single_session);
1731  SHOW_BOOL(tls_exit);
1732 
1733 #ifdef ENABLE_PKCS11
1734  {
1735  int i;
1736  for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1737  {
1738  SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1739  }
1740  }
1741  {
1742  int i;
1743  for (i = 0; i<MAX_PARMS; i++)
1744  {
1745  SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1746  }
1747  }
1748  {
1749  int i;
1750  for (i = 0; i<MAX_PARMS; i++)
1751  {
1752  SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1753  }
1754  }
1755  {
1756  int i;
1757  for (i = 0; i<MAX_PARMS; i++)
1758  {
1759  SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1760  }
1761  }
1762  SHOW_INT(pkcs11_pin_cache_period);
1763  SHOW_STR(pkcs11_id);
1764  SHOW_BOOL(pkcs11_id_management);
1765 #endif /* ENABLE_PKCS11 */
1766 
1767 #if P2MP
1768  show_p2mp_parms(o);
1769 #endif
1770 
1771 #ifdef _WIN32
1772  SHOW_BOOL(show_net_up);
1773  SHOW_INT(route_method);
1774  SHOW_BOOL(block_outside_dns);
1776 #endif
1777 #endif /* ifndef ENABLE_SMALL */
1778 }
1779 
1780 #undef SHOW_PARM
1781 #undef SHOW_STR
1782 #undef SHOW_INT
1783 #undef SHOW_BOOL
1784 
1785 #ifdef ENABLE_MANAGEMENT
1786 
1787 static struct http_proxy_options *
1789  const char *port,
1790  const char *flags,
1791  const int msglevel,
1792  struct gc_arena *gc)
1793 {
1794  if (server && port)
1795  {
1796  struct http_proxy_options *ho;
1797  ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
1798  ho->server = string_alloc(server, gc);
1799  ho->port = port;
1800  if (flags && !strcmp(flags, "nct"))
1801  {
1802  ho->auth_retry = PAR_NCT;
1803  }
1804  else
1805  {
1806  ho->auth_retry = PAR_ALL;
1807  }
1808  ho->http_version = "1.0";
1809  ho->user_agent = "OpenVPN-Autoproxy/1.0";
1810  return ho;
1811  }
1812  else
1813  {
1814  return NULL;
1815  }
1816 }
1817 
1818 static void
1820 {
1821  const struct connection_list *l = o->connection_list;
1822  int i;
1823  bool succeed = false;
1824  for (i = 0; i < l->len; ++i)
1825  {
1826  struct connection_entry *ce = l->array[i];
1827  if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
1828  {
1830  succeed = true;
1831  }
1832  }
1833  if (succeed)
1834  {
1835  for (i = 0; i < l->len; ++i)
1836  {
1837  struct connection_entry *ce = l->array[i];
1838  if (ce->proto == PROTO_UDP)
1839  {
1840  ce->flags |= CE_DISABLED;
1841  }
1842  }
1843  }
1844  else
1845  {
1846  msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
1847  }
1848 }
1849 
1850 #endif /* ifdef ENABLE_MANAGEMENT */
1851 
1852 static struct connection_list *
1854 {
1855  if (!options->connection_list)
1856  {
1857  ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
1858  }
1859  return options->connection_list;
1860 }
1861 
1862 static struct connection_entry *
1863 alloc_connection_entry(struct options *options, const int msglevel)
1864 {
1865  struct connection_list *l = alloc_connection_list_if_undef(options);
1866  struct connection_entry *e;
1867 
1868  if (l->len >= CONNECTION_LIST_SIZE)
1869  {
1870  msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
1871  return NULL;
1872  }
1873  ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
1874  l->array[l->len++] = e;
1875  return e;
1876 }
1877 
1878 static struct remote_list *
1880 {
1881  if (!options->remote_list)
1882  {
1883  ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
1884  }
1885  return options->remote_list;
1886 }
1887 
1888 static struct remote_entry *
1889 alloc_remote_entry(struct options *options, const int msglevel)
1890 {
1891  struct remote_list *l = alloc_remote_list_if_undef(options);
1892  struct remote_entry *e;
1893 
1894  if (l->len >= CONNECTION_LIST_SIZE)
1895  {
1896  msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
1897  return NULL;
1898  }
1899  ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
1900  l->array[l->len++] = e;
1901  return e;
1902 }
1903 
1904 static struct pull_filter_list *
1906 {
1907  if (!o->pull_filter_list)
1908  {
1910  }
1911  return o->pull_filter_list;
1912 }
1913 
1914 static struct pull_filter *
1915 alloc_pull_filter(struct options *o, const int msglevel)
1916 {
1918  struct pull_filter *f;
1919 
1920  ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
1921  if (l->head)
1922  {
1923  ASSERT(l->tail);
1924  l->tail->next = f;
1925  }
1926  else
1927  {
1928  ASSERT(!l->tail);
1929  l->head = f;
1930  }
1931  l->tail = f;
1932  return f;
1933 }
1934 
1935 static void
1937 {
1938  if (re->remote)
1939  {
1940  ce->remote = re->remote;
1941  }
1942  if (re->remote_port)
1943  {
1944  ce->remote_port = re->remote_port;
1945  }
1946  if (re->proto >= 0)
1947  {
1948  ce->proto = re->proto;
1949  }
1950  if (re->af > 0)
1951  {
1952  ce->af = re->af;
1953  }
1954 }
1955 
1956 static void
1958 {
1959  struct options defaults;
1960  int dev = DEV_TYPE_UNDEF;
1961  bool pull = false;
1962 
1963  init_options(&defaults, true);
1964 
1965  if (options->test_crypto)
1966  {
1967  notnull(options->shared_secret_file, "key file (--secret)");
1968  }
1969  else
1970  {
1971  notnull(options->dev, "TUN/TAP device (--dev)");
1972  }
1973 
1974  /*
1975  * Get tun/tap/null device type
1976  */
1977  dev = dev_type_enum(options->dev, options->dev_type);
1978 
1979  /*
1980  * If "proto tcp" is specified, make sure we know whether it is
1981  * tcp-client or tcp-server.
1982  */
1983  if (ce->proto == PROTO_TCP)
1984  {
1985  msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
1986  }
1987 
1988  /*
1989  * Sanity check on daemon/inetd modes
1990  */
1991 
1992  if (options->daemon && options->inetd)
1993  {
1994  msg(M_USAGE, "only one of --daemon or --inetd may be specified");
1995  }
1996 
1997  if (options->inetd && (ce->local || ce->remote))
1998  {
1999  msg(M_USAGE, "--local or --remote cannot be used with --inetd");
2000  }
2001 
2002  if (options->inetd && ce->proto == PROTO_TCP_CLIENT)
2003  {
2004  msg(M_USAGE, "--proto tcp-client cannot be used with --inetd");
2005  }
2006 
2007  if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER)
2008  {
2009  msg(M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
2010  }
2011 
2012  if (options->inetd == INETD_NOWAIT
2013  && !(options->tls_server || options->tls_client))
2014  {
2015  msg(M_USAGE, "--inetd nowait can only be used in TLS mode");
2016  }
2017 
2018  if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
2019  {
2020  msg(M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
2021  }
2022 
2023 
2024  if (options->lladdr && dev != DEV_TYPE_TAP)
2025  {
2026  msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2027  }
2028 
2029  /*
2030  * Sanity check on MTU parameters
2031  */
2032  if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2033  {
2034  msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
2035  }
2036 
2037 #ifdef ENABLE_OCC
2038  if (!proto_is_udp(ce->proto) && options->mtu_test)
2039  {
2040  msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2041  }
2042 #endif
2043 
2044  /* will we be pulling options from server? */
2045 #if P2MP
2046  pull = options->pull;
2047 #endif
2048 
2049  /*
2050  * Sanity check on --local, --remote, and --ifconfig
2051  */
2052 
2053  if (proto_is_net(ce->proto)
2054  && string_defined_equal(ce->local, ce->remote)
2056  {
2057  msg(M_USAGE, "--remote and --local addresses are the same");
2058  }
2059 
2060  if (string_defined_equal(ce->remote, options->ifconfig_local)
2062  {
2063  msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses");
2064  }
2065 
2066  if (string_defined_equal(ce->local, options->ifconfig_local)
2068  {
2069  msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2070  }
2071 
2073  {
2074  msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
2075  }
2076 
2077  if (ce->bind_defined && !ce->bind_local)
2078  {
2079  msg(M_USAGE, "--bind and --nobind can't be used together");
2080  }
2081 
2082  if (ce->local && !ce->bind_local)
2083  {
2084  msg(M_USAGE, "--local and --nobind don't make sense when used together");
2085  }
2086 
2087  if (ce->local_port_defined && !ce->bind_local)
2088  {
2089  msg(M_USAGE, "--lport and --nobind don't make sense when used together");
2090  }
2091 
2092  if (!ce->remote && !ce->bind_local)
2093  {
2094  msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2095  }
2096 
2097  /*
2098  * Check for consistency of management options
2099  */
2100 #ifdef ENABLE_MANAGEMENT
2101  if (!options->management_addr
2102  && (options->management_flags
2105  {
2106  msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2107  }
2108 
2109  if ((options->management_client_user || options->management_client_group)
2110  && !(options->management_flags & MF_UNIX_SOCK))
2111  {
2112  msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2113  }
2114 
2115  if (options->management_addr
2116  && !(options->management_flags & MF_UNIX_SOCK)
2117  && (!options->management_user_pass))
2118  {
2119  msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2120  "passwords is STRONGLY discouraged and considered insecure");
2121  }
2122 
2123 #endif
2124 
2125  /*
2126  * Windows-specific options.
2127  */
2128 
2129 #ifdef _WIN32
2130  if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2131  {
2132  msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2133  }
2134 
2135  if ((options->tuntap_options.ip_win32_defined)
2136  && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2137  {
2138  msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2139  }
2140 
2141  if (options->tuntap_options.dhcp_options
2144  {
2145  msg(M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive");
2146  }
2147 #endif
2148 
2149  /*
2150  * Check that protocol options make sense.
2151  */
2152 
2153 #ifdef ENABLE_FRAGMENT
2154  if (!proto_is_udp(ce->proto) && ce->fragment)
2155  {
2156  msg(M_USAGE, "--fragment can only be used with --proto udp");
2157  }
2158 #endif
2159 
2160 #ifdef ENABLE_OCC
2162  {
2163  msg(M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
2164  }
2165 #endif
2166 
2167  if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2168  {
2169  msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2170  }
2171 
2172  if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2173  {
2174  msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
2175  }
2176  if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2177  {
2178  msg(M_USAGE, "--http-proxy not specified but other http proxy options present");
2179  }
2180 
2181  if (ce->http_proxy_options && ce->socks_proxy_server)
2182  {
2183  msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy");
2184  }
2185 
2186  if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2187  {
2188  msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2189  }
2190 
2191  if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2192  {
2193  msg(M_USAGE, "TCP server mode allows at most one --remote address");
2194  }
2195 
2196 #if P2MP_SERVER
2197 
2198  /*
2199  * Check consistency of --mode server options.
2200  */
2201  if (options->mode == MODE_SERVER)
2202  {
2203  if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2204  {
2205  msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2206  }
2207  if (options->pull)
2208  {
2209  msg(M_USAGE, "--pull cannot be used with --mode server");
2210  }
2211  if (options->pull_filter_list)
2212  {
2213  msg(M_USAGE, "--pull-filter cannot be used with --mode server");
2214  }
2215  if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2216  {
2217  msg(M_USAGE, "--mode server currently only supports "
2218  "--proto udp or --proto tcp-server or proto tcp6-server");
2219  }
2220 #if PORT_SHARE
2221  if ((options->port_share_host || options->port_share_port)
2222  && (ce->proto != PROTO_TCP_SERVER))
2223  {
2224  msg(M_USAGE, "--port-share only works in TCP server mode "
2225  "(--proto tcp-server or tcp6-server)");
2226  }
2227 #endif
2228  if (!options->tls_server)
2229  {
2230  msg(M_USAGE, "--mode server requires --tls-server");
2231  }
2232  if (ce->remote)
2233  {
2234  msg(M_USAGE, "--remote cannot be used with --mode server");
2235  }
2236  if (!ce->bind_local)
2237  {
2238  msg(M_USAGE, "--nobind cannot be used with --mode server");
2239  }
2240  if (ce->http_proxy_options)
2241  {
2242  msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2243  }
2244  if (ce->socks_proxy_server)
2245  {
2246  msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2247  }
2248  /* <connection> blocks force to have a remote embedded, so we check for the
2249  * --remote and bail out if it is present */
2250  if (options->connection_list->len >1
2251  || options->connection_list->array[0]->remote)
2252  {
2253  msg(M_USAGE, "<connection> cannot be used with --mode server");
2254  }
2255 
2256  if (options->shaper)
2257  {
2258  msg(M_USAGE, "--shaper cannot be used with --mode server");
2259  }
2260  if (options->inetd)
2261  {
2262  msg(M_USAGE, "--inetd cannot be used with --mode server");
2263  }
2264  if (options->ipchange)
2265  {
2266  msg(M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)");
2267  }
2268  if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2269  {
2270  msg(M_USAGE, "--mode server currently only supports "
2271  "--proto udp or --proto tcp-server or --proto tcp6-server");
2272  }
2273  if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2274  {
2275  msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2276  }
2277  if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2278  {
2279  msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2280  }
2281  if (options->routes && (options->routes->flags & RG_ENABLE))
2282  {
2283  msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2284  }
2285  if (options->route_delay_defined)
2286  {
2287  msg(M_USAGE, "--route-delay cannot be used with --mode server");
2288  }
2289  if (options->up_delay)
2290  {
2291  msg(M_USAGE, "--up-delay cannot be used with --mode server");
2292  }
2293  if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
2294  {
2295  msg(M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
2296  }
2297  if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2298  {
2299  msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2300  }
2301  if (options->allow_recursive_routing)
2302  {
2303  msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2304  }
2305  if (options->auth_user_pass_file)
2306  {
2307  msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2308  }
2309  if (options->ccd_exclusive && !options->client_config_dir)
2310  {
2311  msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2312  }
2313  if (options->key_method != 2)
2314  {
2315  msg(M_USAGE, "--mode server requires --key-method 2");
2316  }
2317 
2318  {
2319  const bool ccnr = (options->auth_user_pass_verify_script
2320  || PLUGIN_OPTION_LIST(options)
2321  || MAN_CLIENT_AUTH_ENABLED(options));
2322  const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2324  {
2325  msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2326  }
2327  if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2328  {
2329  msg(M_USAGE, "--username-as-common-name %s", postfix);
2330  }
2331  if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2332  {
2333  msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2334  }
2335  }
2336  }
2337  else
2338  {
2339  /*
2340  * When not in server mode, err if parameters are
2341  * specified which require --mode server.
2342  */
2343  if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2344  {
2345  msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2346  }
2347  if (options->ifconfig_ipv6_pool_defined)
2348  {
2349  msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2350  }
2351  if (options->real_hash_size != defaults.real_hash_size
2352  || options->virtual_hash_size != defaults.virtual_hash_size)
2353  {
2354  msg(M_USAGE, "--hash-size requires --mode server");
2355  }
2356  if (options->learn_address_script)
2357  {
2358  msg(M_USAGE, "--learn-address requires --mode server");
2359  }
2360  if (options->client_connect_script)
2361  {
2362  msg(M_USAGE, "--client-connect requires --mode server");
2363  }
2364  if (options->client_disconnect_script)
2365  {
2366  msg(M_USAGE, "--client-disconnect requires --mode server");
2367  }
2368  if (options->client_config_dir || options->ccd_exclusive)
2369  {
2370  msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2371  }
2372  if (options->enable_c2c)
2373  {
2374  msg(M_USAGE, "--client-to-client requires --mode server");
2375  }
2376  if (options->duplicate_cn)
2377  {
2378  msg(M_USAGE, "--duplicate-cn requires --mode server");
2379  }
2380  if (options->cf_max || options->cf_per)
2381  {
2382  msg(M_USAGE, "--connect-freq requires --mode server");
2383  }
2385  {
2386  msg(M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server");
2387  }
2388  if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2389  {
2390  msg(M_USAGE, "--username-as-common-name requires --mode server");
2391  }
2392  if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2393  {
2394  msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2395  }
2396  if (options->ssl_flags & SSLF_OPT_VERIFY)
2397  {
2398  msg(M_USAGE, "--opt-verify requires --mode server");
2399  }
2400  if (options->server_flags & SF_TCP_NODELAY_HELPER)
2401  {
2402  msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2403  "affect the server. To have TCP_NODELAY in both direction use "
2404  "tcp-nodelay in the server configuration instead.");
2405  }
2406  if (options->auth_user_pass_verify_script)
2407  {
2408  msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2409  }
2410  if (options->auth_token_generate)
2411  {
2412  msg(M_USAGE, "--auth-gen-token requires --mode server");
2413  }
2414 #if PORT_SHARE
2415  if (options->port_share_host || options->port_share_port)
2416  {
2417  msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2418  }
2419 #endif
2420 
2421  if (options->stale_routes_check_interval)
2422  {
2423  msg(M_USAGE, "--stale-routes-check requires --mode server");
2424  }
2426  {
2427  msg(M_USAGE, "--compat-x509-names no-remapping requires --mode server");
2428  }
2429  }
2430 #endif /* P2MP_SERVER */
2431 
2432  if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers))
2433  {
2434  msg(M_USAGE, "NCP cipher list contains unsupported ciphers.");
2435  }
2436 
2437  if (options->keysize)
2438  {
2439  msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6");
2440  }
2441 
2442  /*
2443  * Check consistency of replay options
2444  */
2445  if (!options->replay
2446  && (options->replay_window != defaults.replay_window
2447  || options->replay_time != defaults.replay_time))
2448  {
2449  msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2450  }
2451 
2452  /*
2453  * SSL/TLS mode sanity checks.
2454  */
2455  if (options->tls_server + options->tls_client
2456  +(options->shared_secret_file != NULL) > 1)
2457  {
2458  msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2459  }
2460 
2462  {
2463  msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2464  "--verify-client-cert none|optional (or --client-cert-not-required) "
2465  "may accept clients which do not present a certificate");
2466  }
2467 
2468  if (options->key_method == 1)
2469  {
2470  msg(M_WARN, "WARNING: --key-method 1 is deprecated and will be removed "
2471  "in OpenVPN 2.5. By default --key-method 2 will be used if not set "
2472  "in the configuration file, which is the recommended approach.");
2473  }
2474 
2475  const int tls_version_max =
2478  const int tls_version_min =
2481 
2482  if (tls_version_max > 0 && tls_version_max < tls_version_min)
2483  {
2484  msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2485  }
2486 
2487  if (options->tls_server || options->tls_client)
2488  {
2489 #ifdef ENABLE_PKCS11
2490  if (options->pkcs11_providers[0])
2491  {
2492  notnull(options->ca_file, "CA file (--ca)");
2493 
2494  if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2495  {
2496  msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2497  }
2498  if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2499  {
2500  msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2501  }
2502  if (options->cert_file)
2503  {
2504  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2505  }
2506  if (options->priv_key_file)
2507  {
2508  msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2509  }
2510 #ifdef ENABLE_MANAGEMENT
2511  if (options->management_flags & MF_EXTERNAL_KEY)
2512  {
2513  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2514  }
2515  if (options->management_flags & MF_EXTERNAL_CERT)
2516  {
2517  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2518  }
2519 #endif
2520  if (options->pkcs12_file)
2521  {
2522  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2523  }
2524 #ifdef ENABLE_CRYPTOAPI
2525  if (options->cryptoapi_cert)
2526  {
2527  msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2528  }
2529 #endif
2530  }
2531  else
2532 #endif /* ifdef ENABLE_PKCS11 */
2533 #ifdef ENABLE_MANAGEMENT
2534  if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2535  {
2536  msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2537  }
2538  else if ((options->management_flags & MF_EXTERNAL_CERT))
2539  {
2540  if (options->cert_file)
2541  {
2542  msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2543  }
2544  else if (!(options->management_flags & MF_EXTERNAL_KEY))
2545  {
2546  msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2547  }
2548  }
2549  else
2550 #endif
2551 #ifdef ENABLE_CRYPTOAPI
2552  if (options->cryptoapi_cert)
2553  {
2554  if ((!(options->ca_file)) && (!(options->ca_path)))
2555  {
2556  msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2557  }
2558  if (options->cert_file)
2559  {
2560  msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2561  }
2562  if (options->priv_key_file)
2563  {
2564  msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2565  }
2566  if (options->pkcs12_file)
2567  {
2568  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2569  }
2570 #ifdef ENABLE_MANAGEMENT
2571  if (options->management_flags & MF_EXTERNAL_KEY)
2572  {
2573  msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2574  }
2575  if (options->management_flags & MF_EXTERNAL_CERT)
2576  {
2577  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2578  }
2579 #endif
2580  }
2581  else
2582 #endif /* ifdef ENABLE_CRYPTOAPI */
2583  if (options->pkcs12_file)
2584  {
2585 #ifdef ENABLE_CRYPTO_MBEDTLS
2586  msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2587 #else
2588  if (options->ca_path)
2589  {
2590  msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2591  }
2592  if (options->cert_file)
2593  {
2594  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2595  }
2596  if (options->priv_key_file)
2597  {
2598  msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2599  }
2600 #ifdef ENABLE_MANAGEMENT
2601  if (options->management_flags & MF_EXTERNAL_KEY)
2602  {
2603  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2604  }
2605  if (options->management_flags & MF_EXTERNAL_CERT)
2606  {
2607  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2608  }
2609 #endif
2610 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2611  }
2612  else
2613  {
2614 #ifdef ENABLE_CRYPTO_MBEDTLS
2615  if (!(options->ca_file))
2616  {
2617  msg(M_USAGE, "You must define CA file (--ca)");
2618  }
2619  if (options->ca_path)
2620  {
2621  msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2622  }
2623 #else /* ifdef ENABLE_CRYPTO_MBEDTLS */
2624  if ((!(options->ca_file)) && (!(options->ca_path)))
2625  {
2626  msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2627  }
2628 #endif
2629  if (pull)
2630  {
2631 
2632  const int sum =
2633 #ifdef ENABLE_MANAGEMENT
2634  ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2635  +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2636 #else
2637  (options->cert_file != NULL) + (options->priv_key_file != NULL);
2638 #endif
2639 
2640  if (sum == 0)
2641  {
2642 #if P2MP
2643  if (!options->auth_user_pass_file)
2644 #endif
2645  msg(M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
2646  }
2647  else if (sum == 2)
2648  {
2649  }
2650  else
2651  {
2652  msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2653  }
2654  }
2655  else
2656  {
2657 #ifdef ENABLE_MANAGEMENT
2658  if (!(options->management_flags & MF_EXTERNAL_CERT))
2659 #endif
2660  notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2661 #ifdef ENABLE_MANAGEMENT
2662  if (!(options->management_flags & MF_EXTERNAL_KEY))
2663 #endif
2664  notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2665  }
2666  }
2667  if (ce->tls_auth_file && ce->tls_crypt_file)
2668  {
2669  msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2670  }
2671  }
2672  else
2673  {
2674  /*
2675  * Make sure user doesn't specify any TLS options
2676  * when in non-TLS mode.
2677  */
2678 
2679 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
2680 }
2681 
2682  const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2683 
2689 #ifndef ENABLE_CRYPTO_MBEDTLS
2691 #endif
2714 #ifdef ENABLE_PKCS11
2715  MUST_BE_UNDEF(pkcs11_providers[0]);
2716  MUST_BE_UNDEF(pkcs11_private_mode[0]);
2717  MUST_BE_UNDEF(pkcs11_id);
2718  MUST_BE_UNDEF(pkcs11_id_management);
2719 #endif
2720 
2721  if (pull)
2722  {
2723  msg(M_USAGE, err, "--pull");
2724  }
2725  }
2726 #undef MUST_BE_UNDEF
2727 
2728 #if P2MP
2729  if (options->auth_user_pass_file && !options->pull)
2730  {
2731  msg(M_USAGE, "--auth-user-pass requires --pull");
2732  }
2733 #endif
2734 
2735  uninit_options(&defaults);
2736 }
2737 
2738 static void
2740 {
2741  const int dev = dev_type_enum(o->dev, o->dev_type);
2742 
2743 #if P2MP_SERVER
2745  {
2746  if (ce->proto == PROTO_TCP)
2747  {
2748  ce->proto = PROTO_TCP_SERVER;
2749  }
2750  }
2751 #endif
2752 #if P2MP
2753  if (o->client)
2754  {
2755  if (ce->proto == PROTO_TCP)
2756  {
2757  ce->proto = PROTO_TCP_CLIENT;
2758  }
2759  }
2760 #endif
2761 
2762  if (ce->proto == PROTO_TCP_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2763  {
2764  ce->bind_local = false;
2765  }
2766 
2767  if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2768  {
2769  ce->bind_local = false;
2770  }
2771 
2772  if (!ce->bind_local)
2773  {
2774  ce->local_port = NULL;
2775  }
2776 
2777  /* if protocol forcing is enabled, disable all protocols except for the forced one */
2778  if (o->proto_force >= 0 && o->proto_force != ce->proto)
2779  {
2780  ce->flags |= CE_DISABLED;
2781  }
2782 
2783  /*
2784  * If --mssfix is supplied without a parameter, default
2785  * it to --fragment value, if --fragment is specified.
2786  */
2787  if (o->ce.mssfix_default)
2788  {
2789 #ifdef ENABLE_FRAGMENT
2790  if (ce->fragment)
2791  {
2792  ce->mssfix = ce->fragment;
2793  }
2794 #else
2795  msg(M_USAGE, "--mssfix must specify a parameter");
2796 #endif
2797  }
2798 
2799  /*
2800  * Set MTU defaults
2801  */
2802  {
2803  if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
2804  {
2805  ce->tun_mtu_defined = true;
2806  }
2807  if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
2808  {
2809  ce->tun_mtu_extra_defined = true;
2811  }
2812  }
2813 
2814  /*
2815  * Set per-connection block tls-auth/crypt fields if undefined.
2816  *
2817  * At the end only one of the two will be really set because the parser
2818  * logic prevents configurations where both are set.
2819  */
2820  if (!ce->tls_auth_file && !ce->tls_crypt_file)
2821  {
2822  ce->tls_auth_file = o->tls_auth_file;
2824  ce->key_direction = o->key_direction;
2825 
2826  ce->tls_crypt_file = o->tls_crypt_file;
2828  }
2829 
2830  /* pre-cache tls-auth/crypt key file if persist-key was specified and keys
2831  * were not already embedded in the config file
2832  */
2833  if (o->persist_key)
2834  {
2835  if (ce->tls_auth_file && !ce->tls_auth_file_inline)
2836  {
2837  struct buffer in = buffer_read_from_file(o->tls_auth_file, &o->gc);
2838  if (!buf_valid(&in))
2839  msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)",
2840  o->tls_auth_file);
2841 
2843  ce->tls_auth_file_inline = (char *)in.data;
2844  }
2845 
2846  if (ce->tls_crypt_file && !ce->tls_crypt_inline)
2847  {
2848  struct buffer in = buffer_read_from_file(o->tls_crypt_file, &o->gc);
2849  if (!buf_valid(&in))
2850  msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)",
2851  o->tls_auth_file);
2852 
2854  ce->tls_crypt_inline = (char *)in.data;
2855  }
2856  }
2857 }
2858 
2859 #ifdef _WIN32
2860 /* If iservice is in use, we need def1 method for redirect-gateway */
2861 static void
2863 {
2864  if (opt->routes
2866  && opt->routes->flags & RG_REROUTE_GW
2867  && !(opt->routes->flags & RG_DEF1))
2868  {
2869  msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
2870  opt->routes->flags |= RG_DEF1;
2871  }
2872 }
2873 #endif
2874 
2875 static void
2877 {
2878 #ifdef _WIN32
2879  const int dev = dev_type_enum(options->dev, options->dev_type);
2880 #endif
2881 
2882  /*
2883  * In forking TCP server mode, you don't need to ifconfig
2884  * the tap device (the assumption is that it will be bridged).
2885  */
2886  if (options->inetd == INETD_NOWAIT)
2887  {
2888  options->ifconfig_noexec = true;
2889  }
2890 
2891 #ifdef _WIN32
2892  if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
2893  {
2894  if (options->mode == MODE_POINT_TO_POINT)
2895  {
2896  options->route_delay_defined = true;
2897  options->route_delay = 5; /* Vista sometimes has a race without this */
2898  }
2899  }
2900 
2901  if (options->ifconfig_noexec)
2902  {
2904  options->ifconfig_noexec = false;
2905  }
2906 
2908 #endif
2909 
2910 #if P2MP_SERVER
2911  /*
2912  * Check consistency of --mode server options.
2913  */
2914  if (options->mode == MODE_SERVER)
2915  {
2916 #ifdef _WIN32
2917  /*
2918  * We need to explicitly set --tap-sleep because
2919  * we do not schedule event timers in the top-level context.
2920  */
2921  options->tuntap_options.tap_sleep = 10;
2922  if (options->route_delay_defined && options->route_delay)
2923  {
2924  options->tuntap_options.tap_sleep = options->route_delay;
2925  }
2926  options->route_delay_defined = false;
2927 #endif
2928  }
2929 #endif
2930 
2931 #ifdef DEFAULT_PKCS11_MODULE
2932  /* If p11-kit is present on the system then load its p11-kit-proxy.so
2933  * by default if the user asks for PKCS#11 without otherwise specifying
2934  * the module to use. */
2935  if (!options->pkcs11_providers[0]
2936  && (options->pkcs11_id || options->pkcs11_id_management))
2937  {
2938  options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
2939  }
2940 #endif
2941 }
2942 
2943 static void
2945 {
2946  if (o->connection_list)
2947  {
2948  int i;
2949  for (i = 0; i < o->connection_list->len; ++i)
2950  {
2952  }
2953  }
2954  else
2955  {
2957  }
2958 }
2959 
2960 static void
2962 {
2963  int i;
2964  /*
2965  * Process helper-type options which map to other, more complex
2966  * sequences of options.
2967  */
2969  helper_keepalive(o);
2970  helper_tcp_nodelay(o);
2971 
2973 
2974  if (o->remote_list && !o->connection_list)
2975  {
2976  /*
2977  * Convert remotes into connection list
2978  */
2979  const struct remote_list *rl = o->remote_list;
2980  for (i = 0; i < rl->len; ++i)
2981  {
2982  const struct remote_entry *re = rl->array[i];
2983  struct connection_entry ce = o->ce;
2984  struct connection_entry *ace;
2985 
2986  ASSERT(re->remote);
2987  connection_entry_load_re(&ce, re);
2988  ace = alloc_connection_entry(o, M_USAGE);
2989  ASSERT(ace);
2990  *ace = ce;
2991  }
2992  }
2993  else if (!o->remote_list && !o->connection_list)
2994  {
2995  struct connection_entry *ace;
2996  ace = alloc_connection_entry(o, M_USAGE);
2997  ASSERT(ace);
2998  *ace = o->ce;
2999  }
3000 
3001  ASSERT(o->connection_list);
3002  for (i = 0; i < o->connection_list->len; ++i)
3003  {
3005  }
3006 
3007  if (o->tls_server)
3008  {
3009  /* Check that DH file is specified, or explicitly disabled */
3010  notnull(o->dh_file, "DH file (--dh)");
3011  if (streq(o->dh_file, "none"))
3012  {
3013  o->dh_file = NULL;
3014  }
3015  }
3016  else if (o->dh_file)
3017  {
3018  /* DH file is only meaningful in a tls-server context. */
3019  msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3020  "include this in your server configuration");
3021  o->dh_file = NULL;
3022  }
3023 
3024  /* cipher negotiation (NCP) currently assumes --pull or --mode server */
3025  if (o->ncp_enabled
3026  && !(o->pull || o->mode == MODE_SERVER) )
3027  {
3028  msg( M_WARN, "disabling NCP mode (--ncp-disable) because not "
3029  "in P2MP client or server mode" );
3030  o->ncp_enabled = false;
3031  }
3032 
3033 #if ENABLE_MANAGEMENT
3034  if (o->http_proxy_override)
3035  {
3037  }
3038 #endif
3039 
3040 #if P2MP
3041  /*
3042  * Save certain parms before modifying options via --pull
3043  */
3044  pre_pull_save(o);
3045 #endif
3046 }
3047 
3048 /*
3049  * Check file/directory sanity
3050  *
3051  */
3052 #ifndef ENABLE_SMALL
3054 #define CHKACC_FILE (1<<0)
3055 #define CHKACC_DIRPATH (1<<1)
3056 #define CHKACC_FILEXSTWR (1<<2)
3057 #define CHKACC_INLINE (1<<3)
3058 #define CHKACC_ACPTSTDIN (1<<4)
3059 #define CHKACC_PRIVATE (1<<5)
3061 static bool
3062 check_file_access(const int type, const char *file, const int mode, const char *opt)
3063 {
3064  int errcode = 0;
3065 
3066  /* If no file configured, no errors to look for */
3067  if (!file)
3068  {
3069  return false;
3070  }
3071 
3072  /* If this may be an inline file, and the proper inline "filename" is set - no issues */
3073  if ((type & CHKACC_INLINE) && streq(file, INLINE_FILE_TAG) )
3074  {
3075  return false;
3076  }
3077 
3078  /* If stdin is allowed and the file name is 'stdin', then do no
3079  * further checks as stdin is always available
3080  */
3081  if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3082  {
3083  return false;
3084  }
3085 
3086  /* Is the directory path leading to the given file accessible? */
3087  if (type & CHKACC_DIRPATH)
3088  {
3089  char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementaion may modify its arguments */
3090  char *dirpath = dirname(fullpath);
3091 
3092  if (platform_access(dirpath, mode|X_OK) != 0)
3093  {
3094  errcode = errno;
3095  }
3096  free(fullpath);
3097  }
3098 
3099  /* Is the file itself accessible? */
3100  if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3101  {
3102  errcode = errno;
3103  }
3104 
3105  /* If the file exists and is accessible, is it writable? */
3106  if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3107  {
3108  if (platform_access(file, W_OK) != 0)
3109  {
3110  errcode = errno;
3111  }
3112  }
3113 
3114  /* Warn if a given private file is group/others accessible. */
3115  if (type & CHKACC_PRIVATE)
3116  {
3117  platform_stat_t st;
3118  if (platform_stat(file, &st))
3119  {
3120  msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3121  }
3122 #ifndef _WIN32
3123  else
3124  {
3125  if (st.st_mode & (S_IRWXG|S_IRWXO))
3126  {
3127  msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3128  }
3129  }
3130 #endif
3131  }
3132 
3133  /* Scream if an error is found */
3134  if (errcode > 0)
3135  {
3136  msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3137  }
3138 
3139  /* Return true if an error occured */
3140  return (errcode != 0 ? true : false);
3141 }
3142 
3143 /* A wrapper for check_file_access() which also takes a chroot directory.
3144  * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3145  * otherwise it will look for the file inside the given chroot directory instead.
3146  */
3147 static bool
3148 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3149 {
3150  bool ret = false;
3151 
3152  /* If no file configured, no errors to look for */
3153  if (!file)
3154  {
3155  return false;
3156  }
3157 
3158  /* If chroot is set, look for the file/directory inside the chroot */
3159  if (chroot)
3160  {
3161  struct gc_arena gc = gc_new();
3162  struct buffer chroot_file;
3163  int len = 0;
3164 
3165  /* Build up a new full path including chroot directory */
3166  len = strlen(chroot) + strlen(PATH_SEPARATOR_STR) + strlen(file) + 1;
3167  chroot_file = alloc_buf_gc(len, &gc);
3168  buf_printf(&chroot_file, "%s%s%s", chroot, PATH_SEPARATOR_STR, file);
3169  ASSERT(chroot_file.len > 0);
3170 
3171  ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3172  gc_free(&gc);
3173  }
3174  else
3175  {
3176  /* No chroot in play, just call core file check function */
3177  ret = check_file_access(type, file, mode, opt);
3178  }
3179  return ret;
3180 }
3181 
3182 
3183 /*
3184  * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3185  * valid file with appropriate permissions.
3186  *
3187  * "command" consists of a path, optionally followed by a space, which may be
3188  * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3189  * performed.
3190  *
3191  * The path and arguments in "command" may be single- or double-quoted or escaped.
3192  *
3193  * The path is extracted from "command", then check_file_access() is called to check it. The
3194  * arguments, if any, are ignored.
3195  *
3196  * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3197  * check_file_access() arguments.
3198  */
3199 static bool
3200 check_cmd_access(const char *command, const char *opt, const char *chroot)
3201 {
3202  struct argv argv;
3203  bool return_code;
3204 
3205  /* If no command was set, there are no errors to look for */
3206  if (!command)
3207  {
3208  return false;
3209  }
3210 
3211  /* Extract executable path and arguments */
3212  argv = argv_new();
3213  argv_parse_cmd(&argv, command);
3214 
3215  /* if an executable is specified then check it; otherwise, complain */
3216  if (argv.argv[0])
3217  {
3218  /* Scripts requires R_OK as well, but that might fail on binaries which
3219  * only requires X_OK to function on Unix - a scenario not unlikely to
3220  * be seen on suid binaries.
3221  */
3222  return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
3223  }
3224  else
3225  {
3226  msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
3227  opt, command);
3228  return_code = true;
3229  }
3230 
3231  argv_reset(&argv);
3232 
3233  return return_code;
3234 }
3235 
3236 /*
3237  * Sanity check of all file/dir options. Checks that file/dir
3238  * is accessible by OpenVPN
3239  */
3240 static void
3242 {
3243  bool errs = false;
3244 
3245  /* ** SSL/TLS/crypto related files ** */
3246  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
3247  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");
3248  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath");
3249  errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert");
3251  "--extra-certs");
3252 #ifdef ENABLE_MANAGEMENT
3253  if (!(options->management_flags & MF_EXTERNAL_KEY))
3254 #endif
3255  {
3257  options->priv_key_file, R_OK, "--key");
3258  }
3260  options->pkcs12_file, R_OK, "--pkcs12");
3261 
3262  if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
3263  {
3264  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK,
3265  "--crl-verify directory");
3266  }
3267  else
3268  {
3270  options->crl_file, R_OK, "--crl-verify");
3271  }
3272 
3273  ASSERT(options->connection_list);
3274  for (int i = 0; i < options->connection_list->len; ++i)
3275  {
3276  struct connection_entry *ce = options->connection_list->array[i];
3277 
3279  ce->tls_auth_file, R_OK, "--tls-auth");
3280 
3282  ce->tls_crypt_file, R_OK, "--tls-crypt");
3283 
3284  }
3285 
3287  options->shared_secret_file, R_OK, "--secret");
3288 
3290  options->packet_id_file, R_OK|W_OK, "--replay-persist");
3291 
3292  /* ** Password files ** */
3294  options->key_pass_file, R_OK, "--askpass");
3295 #ifdef ENABLE_MANAGEMENT
3297  options->management_user_pass, R_OK,
3298  "--management user/password file");
3299 #endif /* ENABLE_MANAGEMENT */
3300 #if P2MP
3302  options->auth_user_pass_file, R_OK,
3303  "--auth-user-pass");
3304 #endif /* P2MP */
3305 
3306  /* ** System related ** */
3307  errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
3308  R_OK|X_OK, "--chroot directory");
3310  R_OK|W_OK, "--writepid");
3311 
3312  /* ** Log related ** */
3314  R_OK|W_OK, "--status");
3315 
3316  /* ** Config related ** */
3317  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
3318  R_OK|W_OK|X_OK, "--tls-export-cert");
3319 #if P2MP_SERVER
3321  R_OK|X_OK, "--client-config-dir");
3322  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
3323  R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
3324 
3325 #endif /* P2MP_SERVER */
3326 
3327  if (errs)
3328  {
3329  msg(M_USAGE, "Please correct these errors.");
3330  }
3331 }
3332 #endif /* !ENABLE_SMALL */
3333 
3334 /*
3335  * Sanity check on options.
3336  * Also set some options based on other
3337  * options.
3338  */
3339 void
3341 {
3342  options_postprocess_mutate(options);
3343  options_postprocess_verify(options);
3344 #ifndef ENABLE_SMALL
3346 #endif /* !ENABLE_SMALL */
3347 }
3348 
3349 #if P2MP
3350 
3351 /*
3352  * Save/Restore certain option defaults before --pull is applied.
3353  */
3354 
3355 void
3357 {
3358  if (o->pull)
3359  {
3362  o->pre_pull->tuntap_options_defined = true;
3364  if (o->routes)
3365  {
3367  o->pre_pull->routes_defined = true;
3368  }
3369  if (o->routes_ipv6)
3370  {
3372  o->pre_pull->routes_ipv6_defined = true;
3373  }
3374  if (o->client_nat)
3375  {
3377  o->pre_pull->client_nat_defined = true;
3378  }
3379  }
3380 }
3381 
3382 void
3383 pre_pull_restore(struct options *o, struct gc_arena *gc)
3384 {
3385  const struct options_pre_pull *pp = o->pre_pull;
3386  if (pp)
3387  {
3388  CLEAR(o->tuntap_options);
3389  if (pp->tuntap_options_defined)
3390  {
3391  o->tuntap_options = pp->tuntap_options;
3392  }
3393 
3394  if (pp->routes_defined)
3395  {
3396  rol_check_alloc(o);
3397  copy_route_option_list(o->routes, pp->routes, gc);
3398  }
3399  else
3400  {
3401  o->routes = NULL;
3402  }
3403 
3404  if (pp->routes_ipv6_defined)
3405  {
3406  rol6_check_alloc(o);
3408  }
3409  else
3410  {
3411  o->routes_ipv6 = NULL;
3412  }
3413 
3414  if (pp->client_nat_defined)
3415  {
3416  cnol_check_alloc(o);
3418  }
3419  else
3420  {
3421  o->client_nat = NULL;
3422  }
3423 
3425  }
3426 
3427  o->push_continuation = 0;
3428  o->push_option_types_found = 0;
3429 }
3430 
3431 #endif /* if P2MP */
3432 
3433 #ifdef ENABLE_OCC
3434 
3442 static size_t
3443 calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
3444 {
3445  size_t link_mtu = EXPANDED_SIZE(frame);
3446 
3447  if (o->pull || o->mode == MODE_SERVER)
3448  {
3449  struct frame fake_frame = *frame;
3450  struct key_type fake_kt;
3451  init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true,
3452  false);
3454  crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
3455  cipher_kt_mode_ofb_cfb(fake_kt.cipher));
3456  frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
3457  o->ce.tun_mtu_defined, o->ce.tun_mtu);
3458  msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu,
3459  EXPANDED_SIZE(&fake_frame));
3460  link_mtu = EXPANDED_SIZE(&fake_frame);
3461  }
3462  return link_mtu;
3463 }
3464 
3465 /*
3466  * Build an options string to represent data channel encryption options.
3467  * This string must match exactly between peers. The keysize is checked
3468  * separately by read_key().
3469  *
3470  * The following options must match on both peers:
3471  *
3472  * Tunnel options:
3473  *
3474  * --dev tun|tap [unit number need not match]
3475  * --dev-type tun|tap
3476  * --link-mtu
3477  * --udp-mtu
3478  * --tun-mtu
3479  * --proto udp
3480  * --proto tcp-client [matched with --proto tcp-server
3481  * on the other end of the connection]
3482  * --proto tcp-server [matched with --proto tcp-client on
3483  * the other end of the connection]
3484  * --tun-ipv6
3485  * --ifconfig x y [matched with --ifconfig y x on
3486  * the other end of the connection]
3487  *
3488  * --comp-lzo
3489  * --compress alg
3490  * --fragment
3491  *
3492  * Crypto Options:
3493  *
3494  * --cipher
3495  * --auth
3496  * --keysize
3497  * --secret
3498  * --no-replay
3499  *
3500  * SSL Options:
3501  *
3502  * --tls-auth
3503  * --tls-client [matched with --tls-server on
3504  * the other end of the connection]
3505  * --tls-server [matched with --tls-client on
3506  * the other end of the connection]
3507  */
3508 char *
3509 options_string(const struct options *o,
3510  const struct frame *frame,
3511  struct tuntap *tt,
3512  bool remote,
3513  struct gc_arena *gc)
3514 {
3515  struct buffer out = alloc_buf(OPTION_LINE_SIZE);
3516  bool tt_local = false;
3517 
3518  buf_printf(&out, "V4");
3519 
3520  /*
3521  * Tunnel Options
3522  */
3523 
3524  buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
3525  buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame));
3526  buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame));
3527  buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
3528 
3529  /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
3530  * is usually pushed by the server, triggering a non-helpful warning
3531  */
3533  {
3534  buf_printf(&out, ",tun-ipv6");
3535  }
3536 
3537  /*
3538  * Try to get ifconfig parameters into the options string.
3539  * If tt is undefined, make a temporary instantiation.
3540  */
3541  if (!tt)
3542  {
3543  tt = init_tun(o->dev,
3544  o->dev_type,
3545  o->topology,
3546  o->ifconfig_local,
3551  NULL,
3552  NULL,
3553  false,
3554  NULL);
3555  if (tt)
3556  {
3557  tt_local = true;
3558  }
3559  }
3560 
3561  if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
3562  {
3563  const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
3564  if (ios && strlen(ios))
3565  {
3566  buf_printf(&out, ",ifconfig %s", ios);
3567  }
3568  }
3569  if (tt_local)
3570  {
3571  free(tt);
3572  tt = NULL;
3573  }
3574 
3575 #ifdef USE_COMP
3576  if (o->comp.alg != COMP_ALG_UNDEF)
3577  {
3578  buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
3579  }
3580 #endif
3581 
3582 #ifdef ENABLE_FRAGMENT
3583  if (o->ce.fragment)
3584  {
3585  buf_printf(&out, ",mtu-dynamic");
3586  }
3587 #endif
3588 
3589 #define TLS_CLIENT (o->tls_client)
3590 #define TLS_SERVER (o->tls_server)
3591 
3592  /*
3593  * Key direction
3594  */
3595  {
3596  const char *kd = keydirection2ascii(o->key_direction, remote, false);
3597  if (kd)
3598  {
3599  buf_printf(&out, ",keydir %s", kd);
3600  }
3601  }
3602 
3603  /*
3604  * Crypto Options
3605  */
3607  {
3608  struct key_type kt;
3609 
3610  ASSERT((o->shared_secret_file != NULL)
3611  + (TLS_CLIENT == true)
3612  + (TLS_SERVER == true)
3613  <= 1);
3614 
3615  init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
3616  false);
3617 
3618  buf_printf(&out, ",cipher %s",
3620  buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
3621  buf_printf(&out, ",keysize %d", kt.cipher_length * 8);
3622  if (o->shared_secret_file)
3623  {
3624  buf_printf(&out, ",secret");
3625  }
3626  if (!o->replay)
3627  {
3628  buf_printf(&out, ",no-replay");
3629  }
3630 
3631 #ifdef ENABLE_PREDICTION_RESISTANCE
3632  if (o->use_prediction_resistance)
3633  {
3634  buf_printf(&out, ",use-prediction-resistance");
3635  }
3636 #endif
3637  }
3638 
3639  /*
3640  * SSL Options
3641  */
3642  {
3643  if (TLS_CLIENT || TLS_SERVER)
3644  {
3645  if (o->ce.tls_auth_file)
3646  {
3647  buf_printf(&out, ",tls-auth");
3648  }
3649  /* Not adding tls-crypt here, because we won't reach this code if
3650  * tls-auth/tls-crypt does not match. Removing tls-auth here would
3651  * break stuff, so leaving that in place. */
3652 
3653  if (o->key_method > 1)
3654  {
3655  buf_printf(&out, ",key-method %d", o->key_method);
3656  }
3657  }
3658 
3659  if (remote)
3660  {
3661  if (TLS_CLIENT)
3662  {
3663  buf_printf(&out, ",tls-server");
3664  }
3665  else if (TLS_SERVER)
3666  {
3667  buf_printf(&out, ",tls-client");
3668  }
3669  }
3670  else
3671  {
3672  if (TLS_CLIENT)
3673  {
3674  buf_printf(&out, ",tls-client");
3675  }
3676  else if (TLS_SERVER)
3677  {
3678  buf_printf(&out, ",tls-server");
3679  }
3680  }
3681  }
3682 
3683 #undef TLS_CLIENT
3684 #undef TLS_SERVER
3685 
3686  return BSTR(&out);
3687 }
3688 
3689 /*
3690  * Compare option strings for equality.
3691  * If the first two chars of the strings differ, it means that
3692  * we are looking at different versions of the options string,
3693  * therefore don't compare them and return true.
3694  */
3695 
3696 bool
3697 options_cmp_equal(char *actual, const char *expected)
3698 {
3699  return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
3700 }
3701 
3702 void
3703 options_warning(char *actual, const char *expected)
3704 {
3705  options_warning_safe(actual, expected, strlen(actual) + 1);
3706 }
3707 
3708 static const char *
3709 options_warning_extract_parm1(const char *option_string,
3710  struct gc_arena *gc_ret)
3711 {
3712  struct gc_arena gc = gc_new();
3713  struct buffer b = string_alloc_buf(option_string, &gc);
3714  char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
3715  const char *ret;
3716 
3717  buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
3718  ret = string_alloc(p, gc_ret);
3719  gc_free(&gc);
3720  return ret;
3721 }
3722 
3723 static void
3724 options_warning_safe_scan2(const int msglevel,
3725  const int delim,
3726  const bool report_inconsistent,
3727  const char *p1,
3728  const struct buffer *b2_src,
3729  const char *b1_name,
3730  const char *b2_name)
3731 {
3732  /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
3733  * OCC in a future version (because it's not useful). To reduce questions
3734  * when interoperating, we no longer printing a warning about it.
3735  */
3736  if (strprefix(p1, "key-method ")
3737  || strprefix(p1, "keydir ")
3738  || strprefix(p1, "proto ")
3739  || strprefix(p1, "tls-auth ")
3740  || strprefix(p1, "tun-ipv6"))
3741  {
3742  return;
3743  }
3744 
3745  if (strlen(p1) > 0)
3746  {
3747  struct gc_arena gc = gc_new();
3748  struct buffer b2 = *b2_src;
3749  const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
3750  char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
3751 
3752  while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
3753  {
3754  if (strlen(p2))
3755  {
3756  const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
3757 
3758  if (!strcmp(p1, p2))
3759  {
3760  goto done;
3761  }
3762  if (!strcmp(p1_prefix, p2_prefix))
3763  {
3764  if (report_inconsistent)
3765  {
3766  msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
3767  safe_print(p1_prefix, &gc),
3768  b1_name,
3769  safe_print(p1, &gc),
3770  b2_name,
3771  safe_print(p2, &gc));
3772  }
3773  goto done;
3774  }
3775  }
3776  }
3777 
3778  msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
3779  safe_print(p1_prefix, &gc),
3780  b1_name,
3781  b2_name,
3782  b1_name,
3783  safe_print(p1, &gc));
3784 
3785 done:
3786  gc_free(&gc);
3787  }
3788 }
3789 
3790 static void
3791 options_warning_safe_scan1(const int msglevel,
3792  const int delim,
3793  const bool report_inconsistent,
3794  const struct buffer *b1_src,
3795  const struct buffer *b2_src,
3796  const char *b1_name,
3797  const char *b2_name)
3798 {
3799  struct gc_arena gc = gc_new();
3800  struct buffer b = *b1_src;
3801  char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
3802 
3803  while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
3804  {
3805  options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
3806  }
3807 
3808  gc_free(&gc);
3809 }
3810 
3811 static void
3812 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
3813 {
3814  struct gc_arena gc = gc_new();
3815 
3816  if (actual_n > 0)
3817  {
3818  struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
3819  struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
3820  actual[actual_n - 1] = 0;
3821 
3822  buf_printf(&local, "version %s", expected);
3823  buf_printf(&remote, "version %s", actual);
3824 
3825  options_warning_safe_scan1(msglevel, ',', true,
3826  &local, &remote,
3827  "local", "remote");
3828 
3829  options_warning_safe_scan1(msglevel, ',', false,
3830  &remote, &local,
3831  "remote", "local");
3832  }
3833 
3834  gc_free(&gc);
3835 }
3836 
3837 bool
3838 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
3839 {
3840  struct gc_arena gc = gc_new();
3841  bool ret = true;
3842 
3843  if (actual_n > 0)
3844  {
3845  actual[actual_n - 1] = 0;
3846 #ifndef ENABLE_STRICT_OPTIONS_CHECK
3847  if (strncmp(actual, expected, 2))
3848  {
3849  msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
3850  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
3851  }
3852  else
3853 #endif
3854  ret = !strcmp(actual, expected);
3855  }
3856  gc_free(&gc);
3857  return ret;
3858 }
3859 
3860 void
3861 options_warning_safe(char *actual, const char *expected, size_t actual_n)
3862 {
3863  options_warning_safe_ml(M_WARN, actual, expected, actual_n);
3864 }
3865 
3866 const char *
3867 options_string_version(const char *s, struct gc_arena *gc)
3868 {
3869  struct buffer out = alloc_buf_gc(4, gc);
3870  strncpynt((char *) BPTR(&out), s, 3);
3871  return BSTR(&out);
3872 }
3873 
3874 #endif /* ENABLE_OCC */
3875 
3876 char *
3877 options_string_extract_option(const char *options_string,const char *opt_name,
3878  struct gc_arena *gc)
3879 {
3880  char *ret = NULL;
3881  const size_t opt_name_len = strlen(opt_name);
3882 
3883  const char *p = options_string;
3884  while (p)
3885  {
3886  if (0 == strncmp(p, opt_name, opt_name_len)
3887  && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
3888  {
3889  /* option found, extract value */
3890  const char *start = &p[opt_name_len+1];
3891  const char *end = strchr(p, ',');
3892  size_t val_len = end ? end - start : strlen(start);
3893  ret = gc_malloc(val_len+1, true, gc);
3894  memcpy(ret, start, val_len);
3895  break;
3896  }
3897  p = strchr(p, ',');
3898  if (p)
3899  {
3900  p++; /* skip delimiter */
3901  }
3902  }
3903  return ret;
3904 }
3905 
3906 static void
3907 foreign_option(struct options *o, char *argv[], int len, struct env_set *es)
3908 {
3909  if (len > 0)
3910  {
3911  struct gc_arena gc = gc_new();
3912  struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3913  struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3914  int i;
3915  bool first = true;
3916  bool good = true;
3917 
3918  good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
3919  ++o->foreign_option_index;
3920  for (i = 0; i < len; ++i)
3921  {
3922  if (argv[i])
3923  {
3924  if (!first)
3925  {
3926  good &= buf_printf(&value, " ");
3927  }
3928  good &= buf_printf(&value, "%s", argv[i]);
3929  first = false;
3930  }
3931  }
3932  if (good)
3933  {
3934  setenv_str(es, BSTR(&name), BSTR(&value));
3935  }
3936  else
3937  {
3938  msg(M_WARN, "foreign_option: name/value overflow");
3939  }
3940  gc_free(&gc);
3941  }
3942 }
3943 
3944 /*
3945  * parse/print topology coding
3946  */
3947 
3948 int
3949 parse_topology(const char *str, const int msglevel)
3950 {
3951  if (streq(str, "net30"))
3952  {
3953  return TOP_NET30;
3954  }
3955  else if (streq(str, "p2p"))
3956  {
3957  return TOP_P2P;
3958  }
3959  else if (streq(str, "subnet"))
3960  {
3961  return TOP_SUBNET;
3962  }
3963  else
3964  {
3965  msg(msglevel, "--topology must be net30, p2p, or subnet");
3966  return TOP_UNDEF;
3967  }
3968 }
3969 
3970 const char *
3971 print_topology(const int topology)
3972 {
3973  switch (topology)
3974  {
3975  case TOP_UNDEF:
3976  return "undef";
3977 
3978  case TOP_NET30:
3979  return "net30";
3980 
3981  case TOP_P2P:
3982  return "p2p";
3983 
3984  case TOP_SUBNET:
3985  return "subnet";
3986 
3987  default:
3988  return "unknown";
3989  }
3990 }
3991 
3992 #if P2MP
3993 
3994 /*
3995  * Manage auth-retry variable
3996  */
3997 
3998 static int global_auth_retry; /* GLOBAL */
3999 
4000 int
4002 {
4003  return global_auth_retry;
4004 }
4005 
4006 bool
4007 auth_retry_set(const int msglevel, const char *option)
4008 {
4009  if (streq(option, "interact"))
4010  {
4012  }
4013  else if (streq(option, "nointeract"))
4014  {
4016  }
4017  else if (streq(option, "none"))
4018  {
4020  }
4021  else
4022  {
4023  msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4024  return false;
4025  }
4026  return true;
4027 }
4028 
4029 const char *
4031 {
4032  switch (global_auth_retry)
4033  {
4034  case AR_NONE:
4035  return "none";
4036 
4037  case AR_NOINTERACT:
4038  return "nointeract";
4039 
4040  case AR_INTERACT:
4041  return "interact";
4042 
4043  default:
4044  return "???";
4045  }
4046 }
4047 
4048 #endif /* if P2MP */
4049 
4050 /*
4051  * Print the help message.
4052  */
4053 static void
4054 usage(void)
4055 {
4056  FILE *fp = msg_fp(0);
4057 
4058 #ifdef ENABLE_SMALL
4059 
4060  fprintf(fp, "Usage message not available\n");
4061 
4062 #else
4063 
4064  struct options o;
4065  init_options(&o, true);
4066 
4067  fprintf(fp, usage_message,
4068  title_string,
4071  o.ce.local_port, o.ce.remote_port,
4073  o.verbosity,
4074  o.authname, o.ciphername,
4078  fflush(fp);
4079 
4080 #endif /* ENABLE_SMALL */
4081 
4082  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4083 }
4084 
4085 void
4087 {
4088  msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4089  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4090 }
4091 
4092 #ifdef _WIN32
4093 void
4094 show_windows_version(const unsigned int flags)
4095 {
4096  struct gc_arena gc = gc_new();
4097  msg(flags, "Windows version %s", win32_version_string(&gc, true));
4098  gc_free(&gc);
4099 }
4100 #endif
4101 
4102 void
4103 show_library_versions(const unsigned int flags)
4104 {
4105 #ifdef ENABLE_LZO
4106 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4107 #else
4108 #define LZO_LIB_VER_STR "", ""
4109 #endif
4110 
4111  msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4112  LZO_LIB_VER_STR);
4113 
4114 #undef LZO_LIB_VER_STR
4115 }
4116 
4117 static void
4119 {
4122 #ifdef _WIN32
4124 #endif
4125  msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4126  msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>");
4127 #ifndef ENABLE_SMALL
4128 #ifdef CONFIGURE_DEFINES
4129  msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4130 #endif
4131 #ifdef CONFIGURE_SPECIAL_BUILD
4132  msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4133 #endif
4134 #endif
4135  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4136 }
4137 
4138 void
4139 notnull(const char *arg, const char *description)
4140 {
4141  if (!arg)
4142  {
4143  msg(M_USAGE, "You must define %s", description);
4144  }
4145 }
4146 
4147 bool
4148 string_defined_equal(const char *s1, const char *s2)
4149 {
4150  if (s1 && s2)
4151  {
4152  return !strcmp(s1, s2);
4153  }
4154  else
4155  {
4156  return false;
4157  }
4158 }
4159 
4160 #if 0
4161 static void
4162 ping_rec_err(int msglevel)
4163 {
4164  msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4165 }
4166 #endif
4167 
4168 static int
4169 positive_atoi(const char *str)
4170 {
4171  const int i = atoi(str);
4172  return i < 0 ? 0 : i;
4173 }
4174 
4175 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4176 static unsigned int
4177 atou(const char *str)
4178 {
4179  unsigned int val = 0;
4180  sscanf(str, "%u", &val);
4181  return val;
4182 }
4183 #endif
4184 
4185 static inline bool
4186 space(unsigned char c)
4187 {
4188  return c == '\0' || isspace(c);
4189 }
4190 
4191 int
4192 parse_line(const char *line,
4193  char *p[],
4194  const int n,
4195  const char *file,
4196  const int line_num,
4197  int msglevel,
4198  struct gc_arena *gc)
4199 {
4200  const int STATE_INITIAL = 0;
4201  const int STATE_READING_QUOTED_PARM = 1;
4202  const int STATE_READING_UNQUOTED_PARM = 2;
4203  const int STATE_DONE = 3;
4204  const int STATE_READING_SQUOTED_PARM = 4;
4205 
4206  const char *error_prefix = "";
4207 
4208  int ret = 0;
4209  const char *c = line;
4210  int state = STATE_INITIAL;
4211  bool backslash = false;
4212  char in, out;
4213 
4214  char parm[OPTION_PARM_SIZE];
4215  unsigned int parm_len = 0;
4216 
4217  msglevel &= ~M_OPTERR;
4218 
4219  if (msglevel & M_MSG_VIRT_OUT)
4220  {
4221  error_prefix = "ERROR: ";
4222  }
4223 
4224  do
4225  {
4226  in = *c;
4227  out = 0;
4228 
4229  if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4230  {
4231  backslash = true;
4232  }
4233  else
4234  {
4235  if (state == STATE_INITIAL)
4236  {
4237  if (!space(in))
4238  {
4239  if (in == ';' || in == '#') /* comment */
4240  {
4241  break;
4242  }
4243  if (!backslash && in == '\"')
4244  {
4245  state = STATE_READING_QUOTED_PARM;
4246  }
4247  else if (!backslash && in == '\'')
4248  {
4249  state = STATE_READING_SQUOTED_PARM;
4250  }
4251  else
4252  {
4253  out = in;
4254  state = STATE_READING_UNQUOTED_PARM;
4255  }
4256  }
4257  }
4258  else if (state == STATE_READING_UNQUOTED_PARM)
4259  {
4260  if (!backslash && space(in))
4261  {
4262  state = STATE_DONE;
4263  }
4264  else
4265  {
4266  out = in;
4267  }
4268  }
4269  else if (state == STATE_READING_QUOTED_PARM)
4270  {
4271  if (!backslash && in == '\"')
4272  {
4273  state = STATE_DONE;
4274  }
4275  else
4276  {
4277  out = in;
4278  }
4279  }
4280  else if (state == STATE_READING_SQUOTED_PARM)
4281  {
4282  if (in == '\'')
4283  {
4284  state = STATE_DONE;
4285  }
4286  else
4287  {
4288  out = in;
4289  }
4290  }
4291  if (state == STATE_DONE)
4292  {
4293  /* ASSERT (parm_len > 0); */
4294  p[ret] = gc_malloc(parm_len + 1, true, gc);
4295  memcpy(p[ret], parm, parm_len);
4296  p[ret][parm_len] = '\0';
4297  state = STATE_INITIAL;
4298  parm_len = 0;
4299  ++ret;
4300  }
4301 
4302  if (backslash && out)
4303  {
4304  if (!(out == '\\' || out == '\"' || space(out)))
4305  {
4306 #ifdef ENABLE_SMALL
4307  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
4308 #else
4309  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
4310 #endif
4311  return 0;
4312  }
4313  }
4314  backslash = false;
4315  }
4316 
4317  /* store parameter character */
4318  if (out)
4319  {
4320  if (parm_len >= SIZE(parm))
4321  {
4322  parm[SIZE(parm) - 1] = 0;
4323  msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
4324  error_prefix, file, line_num, (int) SIZE(parm), parm);
4325  return 0;
4326  }
4327  parm[parm_len++] = out;
4328  }
4329 
4330  /* avoid overflow if too many parms in one config file line */
4331  if (ret >= n)
4332  {
4333  break;
4334  }
4335 
4336  } while (*c++ != '\0');
4337 
4338  if (state == STATE_READING_QUOTED_PARM)
4339  {
4340  msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
4341  return 0;
4342  }
4343  if (state == STATE_READING_SQUOTED_PARM)
4344  {
4345  msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
4346  return 0;
4347  }
4348  if (state != STATE_INITIAL)
4349  {
4350  msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
4351  return 0;
4352  }
4353 #if 0
4354  {
4355  int i;
4356  for (i = 0; i < ret; ++i)
4357  {
4358  msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
4359  }
4360  }
4361 #endif
4362  return ret;
4363 }
4364 
4365 static void
4367 {
4368  if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
4369  {
4370  *p += 2;
4371  }
4372 }
4373 
4374 struct in_src {
4375 #define IS_TYPE_FP 1
4376 #define IS_TYPE_BUF 2
4377  int type;
4378  union {
4379  FILE *fp;
4381  } u;
4382 };
4383 
4384 static bool
4385 in_src_get(const struct in_src *is, char *line, const int size)
4386 {
4387  if (is->type == IS_TYPE_FP)
4388  {
4389  return BOOL_CAST(fgets(line, size, is->u.fp));
4390  }
4391  else if (is->type == IS_TYPE_BUF)
4392  {
4393  bool status = buf_parse(is->u.multiline, '\n', line, size);
4394  if ((int) strlen(line) + 1 < size)
4395  {
4396  strcat(line, "\n");
4397  }
4398  return status;
4399  }
4400  else
4401  {
4402  ASSERT(0);
4403  return false;
4404  }
4405 }
4406 
4407 static char *
4408 read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc)
4409 {
4410  char line[OPTION_LINE_SIZE];
4411  struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
4412  char *ret;
4413  bool endtagfound = false;
4414 
4415  while (in_src_get(is, line, sizeof(line)))
4416  {
4417  char *line_ptr = line;
4418  /* Remove leading spaces */
4419  while (isspace(*line_ptr))
4420  {
4421  line_ptr++;
4422  }
4423  if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
4424  {
4425  endtagfound = true;
4426  break;
4427  }
4428  if (!buf_safe(&buf, strlen(line)+1))
4429  {
4430  /* Increase buffer size */
4431  struct buffer buf2 = alloc_buf(buf.capacity * 2);
4432  ASSERT(buf_copy(&buf2, &buf));
4433  buf_clear(&buf);
4434  free_buf(&buf);
4435  buf = buf2;
4436  }
4437  buf_printf(&buf, "%s", line);
4438  }
4439  if (!endtagfound)
4440  {
4441  msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
4442  }
4443  ret = string_alloc(BSTR(&buf), gc);
4444  buf_clear(&buf);
4445  free_buf(&buf);
4446  secure_memzero(line, sizeof(line));
4447  return ret;
4448 }
4449 
4450 static bool
4451 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
4452 {
4453  bool ret = false;
4454  if (p[0] && !p[1])
4455  {
4456  char *arg = p[0];
4457  if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
4458  {
4459  struct buffer close_tag;
4460  arg[strlen(arg)-1] = '\0';
4461  p[0] = string_alloc(arg+1, gc);
4462  p[1] = string_alloc(INLINE_FILE_TAG, gc);
4463  close_tag = alloc_buf(strlen(p[0]) + 4);
4464  buf_printf(&close_tag, "</%s>", p[0]);
4465  p[2] = read_inline_file(is, BSTR(&close_tag), gc);
4466  p[3] = NULL;
4467  free_buf(&close_tag);
4468  ret = true;
4469  }
4470  }
4471  return ret;
4472 }
4473 
4474 static bool
4475 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
4476 {
4477  struct in_src is;
4478  is.type = IS_TYPE_FP;
4479  is.u.fp = fp;
4480  return check_inline_file(&is, p, gc);
4481 }
4482 
4483 static bool
4484 check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
4485 {
4486  struct in_src is;
4487  is.type = IS_TYPE_BUF;
4488  is.u.multiline = multiline;
4489  return check_inline_file(&is, p, gc);
4490 }
4491 
4492 static void
4493 add_option(struct options *options,
4494  char *p[],
4495  const char *file,
4496  int line,
4497  const int level,
4498  const int msglevel,
4499  const unsigned int permission_mask,
4500  unsigned int *option_types_found,
4501  struct env_set *es);
4502 
4503 static void
4504 read_config_file(struct options *options,
4505  const char *file,
4506  int level,
4507  const char *top_file,
4508  const int top_line,
4509  const int msglevel,
4510  const unsigned int permission_mask,
4511  unsigned int *option_types_found,
4512  struct env_set *es)
4513 {
4514  const int max_recursive_levels = 10;
4515  FILE *fp;
4516  int line_num;
4517  char line[OPTION_LINE_SIZE+1];
4518  char *p[MAX_PARMS+1];
4519 
4520  ++level;
4521  if (level <= max_recursive_levels)
4522  {
4523  if (streq(file, "stdin"))
4524  {
4525  fp = stdin;
4526  }
4527  else
4528  {
4529  fp = platform_fopen(file, "r");
4530  }
4531  if (fp)
4532  {
4533  line_num = 0;
4534  while (fgets(line, sizeof(line), fp))
4535  {
4536  int offset = 0;
4537  CLEAR(p);
4538  ++line_num;
4539  if (strlen(line) == OPTION_LINE_SIZE)
4540  {
4541  msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
4542  file, line_num, OPTION_LINE_SIZE, line);
4543  }
4544 
4545  /* Ignore UTF-8 BOM at start of stream */
4546  if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
4547  {
4548  offset = 3;
4549  }
4550  if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
4551  {
4552  bypass_doubledash(&p[0]);
4553  check_inline_file_via_fp(fp, p, &options->gc);
4554  add_option(options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
4555  }
4556  }
4557  if (fp != stdin)
4558  {
4559  fclose(fp);
4560  }
4561  }
4562  else
4563  {
4564  msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
4565  }
4566  }
4567  else
4568  {
4569  msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
4570  }
4571  secure_memzero(line, sizeof(line));
4572  CLEAR(p);
4573 }
4574 
4575 static void
4576 read_config_string(const char *prefix,
4577  struct options *options,
4578  const char *config,
4579  const int msglevel,
4580  const unsigned int permission_mask,
4581  unsigned int *option_types_found,
4582  struct env_set *es)
4583 {
4584  char line[OPTION_LINE_SIZE];
4585  struct buffer multiline;
4586  int line_num = 0;
4587 
4588  buf_set_read(&multiline, (uint8_t *)config, strlen(config));
4589 
4590  while (buf_parse(&multiline, '\n', line, sizeof(line)))
4591  {
4592  char *p[MAX_PARMS+1];
4593  CLEAR(p);
4594  ++line_num;
4595  if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
4596  {
4597  bypass_doubledash(&p[0]);
4598  check_inline_file_via_buf(&multiline, p, &options->gc);
4599  add_option(options, p, prefix, line_num, 0, msglevel, permission_mask, option_types_found, es);
4600  }
4601  CLEAR(p);
4602  }
4603  secure_memzero(line, sizeof(line));
4604 }
4605 
4606 void
4607 parse_argv(struct options *options,
4608  const int argc,
4609  char *argv[],
4610  const int msglevel,
4611  const unsigned int permission_mask,
4612  unsigned int *option_types_found,
4613  struct env_set *es)
4614 {
4615  int i, j;
4616 
4617  /* usage message */
4618  if (argc <= 1)
4619  {
4620  usage();
4621  }
4622 
4623  /* config filename specified only? */
4624  if (argc == 2 && strncmp(argv[1], "--", 2))
4625  {
4626  char *p[MAX_PARMS];
4627  CLEAR(p);
4628  p[0] = "config";
4629  p[1] = argv[1];
4630  add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
4631  }
4632  else
4633  {
4634  /* parse command line */
4635  for (i = 1; i < argc; ++i)
4636  {
4637  char *p[MAX_PARMS];
4638  CLEAR(p);
4639  p[0] = argv[i];
4640  if (strncmp(p[0], "--", 2))
4641  {
4642  msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
4643  }
4644  else
4645  {
4646  p[0] += 2;
4647  }
4648 
4649  for (j = 1; j < MAX_PARMS; ++j)
4650  {
4651  if (i + j < argc)
4652  {
4653  char *arg = argv[i + j];
4654  if (strncmp(arg, "--", 2))
4655  {
4656  p[j] = arg;
4657  }
4658  else
4659  {
4660  break;
4661  }
4662  }
4663  }
4664  add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
4665  i += j - 1;
4666  }
4667  }
4668 }
4669 
4678 static bool
4679 apply_pull_filter(const struct options *o, char *line)
4680 {
4681  struct pull_filter *f;
4682 
4683  if (!o->pull_filter_list)
4684  {
4685  return true;
4686  }
4687 
4688  for (f = o->pull_filter_list->head; f; f = f->next)
4689  {
4690  if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
4691  {
4692  msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
4693  return true;
4694  }
4695  else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
4696  {
4697  msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
4698  *line = '\0';
4699  return true;
4700  }
4701  else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
4702  {
4703  msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
4704  *line = '\0';
4705  throw_signal_soft(SIGUSR1, "Offending option received from server");
4706  return false;
4707  }
4708  }
4709  return true;
4710 }
4711 
4712 bool
4713 apply_push_options(struct options *options,
4714  struct buffer *buf,
4715  unsigned int permission_mask,
4716  unsigned int *option_types_found,
4717  struct env_set *es)
4718 {
4719  char line[OPTION_PARM_SIZE];
4720  int line_num = 0;
4721  const char *file = "[PUSH-OPTIONS]";
4722  const int msglevel = D_PUSH_ERRORS|M_OPTERR;
4723 
4724  while (buf_parse(buf, ',', line, sizeof(line)))
4725  {
4726  char *p[MAX_PARMS+1];
4727  CLEAR(p);
4728  ++line_num;
4729  if (!apply_pull_filter(options, line))
4730  {
4731  return false; /* Cause push/pull error and stop push processing */
4732  }
4733  if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
4734  {
4735  add_option(options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
4736  }
4737  }
4738  return true;
4739 }
4740 
4741 void
4742 options_server_import(struct options *o,
4743  const char *filename,
4744  int msglevel,
4745  unsigned int permission_mask,
4746  unsigned int *option_types_found,
4747  struct env_set *es)
4748 {
4749  msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
4750  read_config_file(o,
4751  filename,
4752  0,
4753  filename,
4754  0,
4755  msglevel,
4756  permission_mask,
4757  option_types_found,
4758  es);
4759 }
4760 
4761 void
4762 options_string_import(struct options *options,
4763  const char *config,
4764  const int msglevel,
4765  const unsigned int permission_mask,
4766  unsigned int *option_types_found,
4767  struct env_set *es)
4768 {
4769  read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
4770 }
4771 
4772 #if P2MP
4773 
4774 #define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, msglevel, options)) {goto err;}}
4775 
4776 static bool
4777 verify_permission(const char *name,
4778  const char *file,
4779  int line,
4780  const unsigned int type,
4781  const unsigned int allowed,
4782  unsigned int *found,
4783  const int msglevel,
4784  struct options *options)
4785 {
4786  if (!(type & allowed))
4787  {
4788  msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
4789  return false;
4790  }
4791 
4792  if (found)
4793  {
4794  *found |= type;
4795  }
4796 
4797 #ifndef ENABLE_SMALL
4798  /* Check if this options is allowed in connection block,
4799  * but we are currently not in a connection block
4800  * unless this is a pushed option.
4801  * Parsing a connection block uses a temporary options struct without
4802  * connection_list
4803  */
4804 
4805  if ((type & OPT_P_CONNECTION) && options->connection_list
4806  && !(allowed & OPT_P_PULL_MODE))
4807  {
4808  if (file)
4809  {
4810  msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
4811  }
4812  else
4813  {
4814  msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
4815  }
4816  }
4817 #endif
4818  return true;
4819 }
4820 
4821 #else /* if P2MP */
4822 
4823 #define VERIFY_PERMISSION(mask)
4824 
4825 #endif /* if P2MP */
4826 
4827 /*
4828  * Check that an option doesn't have too
4829  * many parameters.
4830  */
4831 
4832 #define NM_QUOTE_HINT (1<<0)
4833 
4834 static bool
4835 no_more_than_n_args(const int msglevel,
4836  char *p[],
4837  const int max,
4838  const unsigned int flags)
4839 {
4840  const int len = string_array_len((const char **)p);
4841 
4842  if (!len)
4843  {
4844  return false;
4845  }
4846 
4847  if (len > max)
4848  {
4849  msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
4850  p[0],
4851  max - 1,
4852  max >= 3 ? "s" : "",
4853  (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
4854  return false;
4855  }
4856  else
4857  {
4858  return true;
4859  }
4860 }
4861 
4862 static inline int
4863 msglevel_forward_compatible(struct options *options, const int msglevel)
4864 {
4865  return options->forward_compatible ? M_WARN : msglevel;
4866 }
4867 
4868 static void
4869 set_user_script(struct options *options,
4870  const char **script,
4871  const char *new_script,
4872  const char *type,
4873  bool in_chroot)
4874 {
4875  if (*script)
4876  {
4877  msg(M_WARN, "Multiple --%s scripts defined. "
4878  "The previously configured script is overridden.", type);
4879  }
4880  *script = new_script;
4881  options->user_script_used = true;
4882 
4883 #ifndef ENABLE_SMALL
4884  {
4885  char script_name[100];
4886  openvpn_snprintf(script_name, sizeof(script_name),
4887  "--%s script", type);
4888 
4889  if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
4890  {
4891  msg(M_USAGE, "Please correct this error.");
4892  }
4893 
4894  }
4895 #endif
4896 }
4897 
4898 
4899 static void
4900 add_option(struct options *options,
4901  char *p[],
4902  const char *file,
4903  int line,
4904  const int level,
4905  const int msglevel,
4906  const unsigned int permission_mask,
4907  unsigned int *option_types_found,
4908  struct env_set *es)
4909 {
4910  struct gc_arena gc = gc_new();
4911  const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
4912  int msglevel_fc = msglevel_forward_compatible(options, msglevel);
4913 
4914  ASSERT(MAX_PARMS >= 7);
4915 
4916  /*
4917  * If directive begins with "setenv opt" prefix, don't raise an error if
4918  * directive is unrecognized.
4919  */
4920  if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
4921  {
4922  if (!p[2])
4923  {
4924  p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
4925  }
4926  p += 2;
4927  msglevel_fc = M_WARN;
4928  }
4929 
4930  if (!file)
4931  {
4932  file = "[CMD-LINE]";
4933  line = 1;
4934  }
4935  if (streq(p[0], "help"))
4936  {
4938  usage();
4939  if (p[1])
4940  {
4941  msg(msglevel, "--help does not accept any parameters");
4942  goto err;
4943  }
4944  }
4945  if (streq(p[0], "version") && !p[1])
4946  {
4948  usage_version();
4949  }
4950  else if (streq(p[0], "config") && p[1] && !p[2])
4951  {
4953 
4954  /* save first config file only in options */
4955  if (!options->config)
4956  {
4957  options->config = p[1];
4958  }
4959 
4960  read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
4961  }
4962 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
4963  else if (streq(p[0], "show-gateway") && !p[2])
4964  {
4965  struct route_gateway_info rgi;
4966  struct route_ipv6_gateway_info rgi6;
4967  struct in6_addr remote = IN6ADDR_ANY_INIT;
4969  if (p[1])
4970  {
4971  get_ipv6_addr(p[1], &remote, NULL, M_WARN);
4972  }
4973  get_default_gateway(&rgi);
4974  get_default_gateway_ipv6(&rgi6, &remote);
4975  print_default_gateway(M_INFO, &rgi, &rgi6);
4976  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
4977  }
4978 #endif
4979 #if 0
4980  else if (streq(p[0], "foreign-option") && p[1])
4981  {
4983  foreign_option(options, p, 3, es);
4984  }
4985 #endif
4986  else if (streq(p[0], "echo") || streq(p[0], "parameter"))
4987  {
4988  struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
4989  int j;
4990  bool good = true;
4991 
4993 
4994  for (j = 1; j < MAX_PARMS; ++j)
4995  {
4996  if (!p[j])
4997  {
4998  break;
4999  }
5000  if (j > 1)
5001  {
5002  good &= buf_printf(&string, " ");
5003  }
5004  good &= buf_printf(&string, "%s", p[j]);
5005  }
5006  if (good)
5007  {
5008 #if 0
5009  /* removed for now since ECHO can potentially include
5010  * security-sensitive strings */
5011  msg(M_INFO, "%s:%s",
5012  pull_mode ? "ECHO-PULL" : "ECHO",
5013  BSTR(&string));
5014 #endif
5015 #ifdef ENABLE_MANAGEMENT
5016  if (management)
5017  {
5018  management_echo(management, BSTR(&string), pull_mode);
5019  }
5020 #endif
5021  }
5022  else
5023  {
5024  msg(M_WARN, "echo/parameter option overflow");
5025  }
5026  }
5027 #ifdef ENABLE_MANAGEMENT
5028  else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5029  {
5031  if (streq(p[2], "unix"))
5032  {
5033 #if UNIX_SOCK_SUPPORT
5034  options->management_flags |= MF_UNIX_SOCK;
5035 #else
5036  msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5037  goto err;
5038 #endif
5039  }
5040 
5041  options->management_addr = p[1];
5042  options->management_port = p[2];
5043  if (p[3])
5044  {
5045  options->management_user_pass = p[3];
5046  }
5047  }
5048  else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5049  {
5051  options->management_client_user = p[1];
5052  }
5053  else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5054  {
5056  options->management_client_group = p[1];
5057  }
5058  else if (streq(p[0], "management-query-passwords") && !p[1])
5059  {
5062  }
5063  else if (streq(p[0], "management-query-remote") && !p[1])
5064  {
5066  options->management_flags |= MF_QUERY_REMOTE;
5067  }
5068  else if (streq(p[0], "management-query-proxy") && !p[1])
5069  {
5071  options->management_flags |= MF_QUERY_PROXY;
5072  }
5073  else if (streq(p[0], "management-hold") && !p[1])
5074  {
5076  options->management_flags |= MF_HOLD;
5077  }
5078  else if (streq(p[0], "management-signal") && !p[1])
5079  {
5081  options->management_flags |= MF_SIGNAL;
5082  }
5083  else if (streq(p[0], "management-forget-disconnect") && !p[1])
5084  {
5087  }
5088  else if (streq(p[0], "management-up-down") && !p[1])
5089  {
5091  options->management_flags |= MF_UP_DOWN;
5092  }
5093  else if (streq(p[0], "management-client") && !p[2])
5094  {
5097  options->management_write_peer_info_file = p[1];
5098  }
5099 #ifdef ENABLE_MANAGEMENT
5100  else if (streq(p[0], "management-external-key") && !p[1])
5101  {
5103  options->management_flags |= MF_EXTERNAL_KEY;
5104  }
5105  else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5106  {
5108  options->management_flags |= MF_EXTERNAL_CERT;
5109  options->management_certificate = p[1];
5110  }
5111 #endif
5112 #ifdef MANAGEMENT_DEF_AUTH
5113  else if (streq(p[0], "management-client-auth") && !p[1])
5114  {
5116  options->management_flags |= MF_CLIENT_AUTH;
5117  }
5118 #endif
5119 #ifdef MANAGEMENT_PF
5120  else if (streq(p[0], "management-client-pf") && !p[1])
5121  {
5123  options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
5124  }
5125 #endif
5126  else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5127  {
5128  int cache;
5129 
5131  cache = atoi(p[1]);
5132  if (cache < 1)
5133  {
5134  msg(msglevel, "--management-log-cache parameter is out of range");
5135  goto err;
5136  }
5137  options->management_log_history_cache = cache;
5138  }
5139 #endif /* ifdef ENABLE_MANAGEMENT */
5140 #ifdef ENABLE_PLUGIN
5141  else if (streq(p[0], "plugin") && p[1])
5142  {
5144  if (!options->plugin_list)
5145  {
5146  options->plugin_list = plugin_option_list_new(&options->gc);
5147  }
5148  if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5149  {
5150  msg(msglevel, "plugin add failed: %s", p[1]);
5151  goto err;
5152  }
5153  }
5154 #endif
5155  else if (streq(p[0], "mode") && p[1] && !p[2])
5156  {
5158  if (streq(p[1], "p2p"))
5159  {
5160  options->mode = MODE_POINT_TO_POINT;
5161  }
5162 #if P2MP_SERVER
5163  else if (streq(p[1], "server"))
5164  {
5165  options->mode = MODE_SERVER;
5166  }
5167 #endif
5168  else
5169  {
5170  msg(msglevel, "Bad --mode parameter: %s", p[1]);
5171  goto err;
5172  }
5173  }
5174  else if (streq(p[0], "dev") && p[1] && !p[2])
5175  {
5177  options->dev = p[1];
5178  }
5179  else if (streq(p[0], "dev-type") && p[1] && !p[2])
5180  {
5182  options->dev_type = p[1];
5183  }
5184  else if (streq(p[0], "dev-node") && p[1] && !p[2])
5185  {
5187  options->dev_node = p[1];
5188  }
5189  else if (streq(p[0], "lladdr") && p[1] && !p[2])
5190  {
5192  if (mac_addr_safe(p[1])) /* MAC address only */
5193  {
5194  options->lladdr = p[1];
5195  }
5196  else
5197  {
5198  msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5199  goto err;
5200  }
5201  }
5202  else if (streq(p[0], "topology") && p[1] && !p[2])
5203  {
5205  options->topology = parse_topology(p[1], msglevel);
5206  }
5207  else if (streq(p[0], "tun-ipv6") && !p[1])
5208  {
5209  if (!pull_mode)
5210  {
5211  msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5212  }
5213  }
5214 #ifdef ENABLE_IPROUTE
5215  else if (streq(p[0], "iproute") && p[1] && !p[2])
5216  {
5218  iproute_path = p[1];
5219  }
5220 #endif
5221  else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5222  {
5224  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5225  {
5226  options->ifconfig_local = p[1];
5227  options->ifconfig_remote_netmask = p[2];
5228  }
5229  else
5230  {
5231  msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5232  goto err;
5233  }
5234  }
5235  else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
5236  {
5237  unsigned int netbits;
5238 
5240  if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
5241  && ipv6_addr_safe( p[2] ) )
5242  {
5243  if (netbits < 64 || netbits > 124)
5244  {
5245  msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
5246  goto err;
5247  }
5248 
5249  options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
5250  options->ifconfig_ipv6_netbits = netbits;
5251  options->ifconfig_ipv6_remote = p[2];
5252  }
5253  else
5254  {
5255  msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5256  goto err;
5257  }
5258  }
5259  else if (streq(p[0], "ifconfig-noexec") && !p[1])
5260  {
5262  options->ifconfig_noexec = true;
5263  }
5264  else if (streq(p[0], "ifconfig-nowarn") && !p[1])
5265  {
5267  options->ifconfig_nowarn = true;
5268  }
5269  else if (streq(p[0], "local") && p[1] && !p[2])
5270  {
5272  options->ce.local = p[1];
5273  }
5274  else if (streq(p[0], "remote-random") && !p[1])
5275  {
5277  options->remote_random = true;
5278  }
5279  else if (streq(p[0], "connection") && p[1] && !p[3])
5280  {
5282  if (streq(p[1], INLINE_FILE_TAG) && p[2])
5283  {
5284  struct options sub;
5285  struct connection_entry *e;
5286 
5287  init_options(&sub, true);
5288  sub.ce = options->ce;
5289  read_config_string("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es);
5290  if (!sub.ce.remote)
5291  {
5292  msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
5293  uninit_options(&sub);
5294  goto err;
5295  }
5296 
5297  e = alloc_connection_entry(options, msglevel);
5298  if (!e)
5299  {
5300  uninit_options(&sub);
5301  goto err;
5302  }
5303  *e = sub.ce;
5304  gc_transfer(&options->gc, &sub.gc);
5305  uninit_options(&sub);
5306  }
5307  }
5308  else if (streq(p[0], "ignore-unknown-option") && p[1])
5309  {
5310  int i;
5311  int j;
5312  int numignored = 0;
5313  const char **ignore;
5314 
5316  /* Find out how many options to be ignored */
5317  for (i = 1; p[i]; i++)
5318  {
5319  numignored++;
5320  }
5321 
5322  /* add number of options already ignored */
5323  for (i = 0; options->ignore_unknown_option
5324  && options->ignore_unknown_option[i]; i++)
5325  {
5326  numignored++;
5327  }
5328 
5329  /* Allocate array */
5330  ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
5331  for (i = 0; options->ignore_unknown_option
5332  && options->ignore_unknown_option[i]; i++)
5333  {
5334  ignore[i] = options->ignore_unknown_option[i];
5335  }
5336 
5337  options->ignore_unknown_option = ignore;
5338 
5339  for (j = 1; p[j]; j++)
5340  {
5341  /* Allow the user to specify ignore-unknown-option --opt too */
5342  if (p[j][0]=='-' && p[j][1]=='-')
5343  {
5344  options->ignore_unknown_option[i] = (p[j]+2);
5345  }
5346  else
5347  {
5348  options->ignore_unknown_option[i] = p[j];
5349  }
5350  i++;
5351  }
5352 
5353  options->ignore_unknown_option[i] = NULL;
5354  }
5355 #if ENABLE_MANAGEMENT
5356  else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
5357  {
5359  options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
5360  if (!options->http_proxy_override)
5361  {
5362  goto err;
5363  }
5364  }
5365 #endif
5366  else if (streq(p[0], "remote") && p[1] && !p[4])
5367  {
5368  struct remote_entry re;
5369  re.remote = re.remote_port = NULL;
5370  re.proto = -1;
5371  re.af = 0;
5372 
5374  re.remote = p[1];
5375  if (p[2])
5376  {
5377  re.remote_port = p[2];
5378  if (p[3])
5379  {
5380  const int proto = ascii2proto(p[3]);
5381  const sa_family_t af = ascii2af(p[3]);
5382  if (proto < 0)
5383  {
5384  msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
5385  goto err;
5386  }
5387  re.proto = proto;
5388  re.af = af;
5389  }
5390  }
5391  if (permission_mask & OPT_P_GENERAL)
5392  {
5393  struct remote_entry *e = alloc_remote_entry(options, msglevel);
5394  if (!e)
5395  {
5396  goto err;
5397  }
5398  *e = re;
5399  }
5400  else if (permission_mask & OPT_P_CONNECTION)
5401  {
5402  connection_entry_load_re(&options->ce, &re);
5403  }
5404  }
5405  else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
5406  {
5408  if (streq(p[1], "infinite"))
5409  {
5411  }
5412  else
5413  {
5414  options->resolve_retry_seconds = positive_atoi(p[1]);
5415  }
5416  }
5417  else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
5418  {
5420  options->resolve_in_advance = true;
5421  /* Note the ip-remote-hint and the argument p[1] are for
5422  * backward compatibility */
5423  if (p[1])
5424  {
5425  options->ip_remote_hint = p[1];
5426  }
5427  }
5428  else if (streq(p[0], "connect-retry") && p[1] && !p[3])
5429  {
5431  options->ce.connect_retry_seconds = positive_atoi(p[1]);
5432  /*
5433  * Limit the base value of retry wait interval to 16 bits to avoid
5434  * overflow when scaled up for exponential backoff
5435  */
5436  if (options->ce.connect_retry_seconds > 0xFFFF)
5437  {
5438  options->ce.connect_retry_seconds = 0xFFFF;
5439  msg(M_WARN, "connect retry wait interval truncated to %d",
5440  options->ce.connect_retry_seconds);
5441  }
5442 
5443  if (p[2])
5444  {
5445  options->ce.connect_retry_seconds_max =
5446  max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
5447  }
5448  }
5449  else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
5450  && p[1] && !p[2])
5451  {
5453  options->ce.connect_timeout = positive_atoi(p[1]);
5454  }
5455  else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
5456  {
5458  options->connect_retry_max = positive_atoi(p[1]);
5459  }
5460  else if (streq(p[0], "ipchange") && p[1])
5461  {
5463  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5464  {
5465  goto err;
5466  }
5467  set_user_script(options,
5468  &options->ipchange,
5469  string_substitute(p[1], ',', ' ', &options->gc),
5470  "ipchange", true);
5471  }
5472  else if (streq(p[0], "float") && !p[1])
5473  {
5475  options->ce.remote_float = true;
5476  }
5477 #ifdef ENABLE_DEBUG
5478  else if (streq(p[0], "gremlin") && p[1] && !p[2])
5479  {
5481  options->gremlin = positive_atoi(p[1]);
5482  }
5483 #endif
5484  else if (streq(p[0], "chroot") && p[1] && !p[2])
5485  {
5487  options->chroot_dir = p[1];
5488  }
5489  else if (streq(p[0], "cd") && p[1] && !p[2])
5490  {
5492  if (platform_chdir(p[1]))
5493  {
5494  msg(M_ERR, "cd to '%s' failed", p[1]);
5495  goto err;
5496  }
5497  options->cd_dir = p[1];
5498  }
5499 #ifdef ENABLE_SELINUX
5500  else if (streq(p[0], "setcon") && p[1] && !p[2])
5501  {
5503  options->selinux_context = p[1];
5504  }
5505 #endif
5506  else if (streq(p[0], "writepid") && p[1] && !p[2])
5507  {
5509  options->writepid = p[1];
5510  }
5511  else if (streq(p[0], "up") && p[1])
5512  {
5514  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5515  {
5516  goto err;
5517  }
5518  set_user_script(options, &options->up_script, p[1], "up", false);
5519  }
5520  else if (streq(p[0], "down") && p[1])
5521  {
5523  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5524  {
5525  goto err;
5526  }
5527  set_user_script(options, &options->down_script, p[1], "down", true);
5528  }
5529  else if (streq(p[0], "down-pre") && !p[1])
5530  {
5532  options->down_pre = true;
5533  }
5534  else if (streq(p[0], "up-delay") && !p[1])
5535  {
5537  options->up_delay = true;
5538  }
5539  else if (streq(p[0], "up-restart") && !p[1])
5540  {
5542  options->up_restart = true;
5543  }
5544  else if (streq(p[0], "syslog") && !p[2])
5545  {
5547  open_syslog(p[1], false);
5548  }
5549  else if (streq(p[0], "daemon") && !p[2])
5550  {
5551  bool didit = false;
5553  if (!options->daemon)
5554  {
5555  options->daemon = didit = true;
5556  open_syslog(p[1], false);
5557  }
5558  if (p[1])
5559  {
5560  if (!didit)
5561  {
5562  msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
5563  goto err;
5564  }
5565  }
5566  }
5567  else if (streq(p[0], "inetd") && !p[3])
5568  {
5570  if (!options->inetd)
5571  {
5572  int z;
5573  const char *name = NULL;
5574  const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
5575 
5576  options->inetd = -1;
5577 
5578  for (z = 1; z <= 2; ++z)
5579  {
5580  if (p[z])
5581  {
5582  if (streq(p[z], "wait"))
5583  {
5584  if (options->inetd != -1)
5585  {
5586  msg(msglevel, "%s", opterr);
5587  goto err;
5588  }
5589  else
5590  {
5591  options->inetd = INETD_WAIT;
5592  }
5593  }
5594  else if (streq(p[z], "nowait"))
5595  {
5596  if (options->inetd != -1)
5597  {
5598  msg(msglevel, "%s", opterr);
5599  goto err;
5600  }
5601  else
5602  {
5603  options->inetd = INETD_NOWAIT;
5604  }
5605  }
5606  else
5607  {
5608  if (name != NULL)
5609  {
5610  msg(msglevel, "%s", opterr);
5611  goto err;
5612  }
5613  name = p[z];
5614  }
5615  }
5616  }
5617 
5618  /* default */
5619  if (options->inetd == -1)
5620  {
5621  options->inetd = INETD_WAIT;
5622  }
5623 
5625  open_syslog(name, true);
5626  }
5627  }
5628  else if (streq(p[0], "log") && p[1] && !p[2])
5629  {
5631  options->log = true;
5632  redirect_stdout_stderr(p[1], false);
5633  }
5634  else if (streq(p[0], "suppress-timestamps") && !p[1])
5635  {
5637  options->suppress_timestamps = true;
5639  }
5640  else if (streq(p[0], "machine-readable-output") && !p[1])
5641  {
5643  options->machine_readable_output = true;
5645  }
5646  else if (streq(p[0], "log-append") && p[1] && !p[2])
5647  {
5649  options->log = true;
5650  redirect_stdout_stderr(p[1], true);
5651  }
5652 #ifdef ENABLE_MEMSTATS
5653  else if (streq(p[0], "memstats") && p[1] && !p[2])
5654  {
5656  options->memstats_fn = p[1];
5657  }
5658 #endif
5659  else if (streq(p[0], "mlock") && !p[1])
5660  {
5662  options->mlock = true;
5663  }
5664 #if ENABLE_IP_PKTINFO
5665  else if (streq(p[0], "multihome") && !p[1])
5666  {
5668  options->sockflags |= SF_USE_IP_PKTINFO;
5669  }
5670 #endif
5671  else if (streq(p[0], "verb") && p[1] && !p[2])
5672  {
5674  options->verbosity = positive_atoi(p[1]);
5675 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5676  /* Warn when a debug verbosity is supplied when built without debug support */
5677  if (options->verbosity >= 7)
5678  {
5679  msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
5680  options->verbosity);
5681  }
5682 #endif
5683  }
5684  else if (streq(p[0], "mute") && p[1] && !p[2])
5685  {
5687  options->mute = positive_atoi(p[1]);
5688  }
5689  else if (streq(p[0], "errors-to-stderr") && !p[1])
5690  {
5692  errors_to_stderr();
5693  }
5694  else if (streq(p[0], "status") && p[1] && !p[3])
5695  {
5697  options->status_file = p[1];
5698  if (p[2])
5699  {
5700  options->status_file_update_freq = positive_atoi(p[2]);
5701  }
5702  }
5703  else if (streq(p[0],