OpenVPN
options.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2008-2021 David Sommerseth <dazo@eurephia.org>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
25 /*
26  * 2004-01-28: Added Socks5 proxy support
27  * (Christof Meerwald, http://cmeerw.org)
28  */
29 
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35 #ifdef HAVE_CONFIG_VERSION_H
36 #include "config-version.h"
37 #endif
38 
39 #include "syshead.h"
40 
41 #include "buffer.h"
42 #include "error.h"
43 #include "common.h"
44 #include "run_command.h"
45 #include "shaper.h"
46 #include "crypto.h"
47 #include "ssl.h"
48 #include "ssl_ncp.h"
49 #include "options.h"
50 #include "misc.h"
51 #include "socket.h"
52 #include "packet_id.h"
53 #include "pkcs11.h"
54 #include "win32.h"
55 #include "push.h"
56 #include "pool.h"
57 #include "proto.h"
58 #include "helper.h"
59 #include "manage.h"
60 #include "forward.h"
61 #include "ssl_verify.h"
62 #include "platform.h"
63 #include <ctype.h>
64 
65 #include "memdbg.h"
66 
67 const char title_string[] =
69 #ifdef CONFIGURE_GIT_REVISION
70  " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
71 #endif
72  " " TARGET_ALIAS
73 #if defined(ENABLE_CRYPTO_MBEDTLS)
74  " [SSL (mbed TLS)]"
75 #elif defined(ENABLE_CRYPTO_OPENSSL)
76  " [SSL (OpenSSL)]"
77 #else
78  " [SSL]"
79 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
80 #ifdef USE_COMP
81 #ifdef ENABLE_LZO
82  " [LZO]"
83 #endif
84 #ifdef ENABLE_LZ4
85  " [LZ4]"
86 #endif
87 #ifdef ENABLE_COMP_STUB
88  " [COMP_STUB]"
89 #endif
90 #endif /* USE_COMP */
91 #if EPOLL
92  " [EPOLL]"
93 #endif
94 #ifdef PRODUCT_TAP_DEBUG
95  " [TAPDBG]"
96 #endif
97 #ifdef ENABLE_PKCS11
98  " [PKCS11]"
99 #endif
100 #if ENABLE_IP_PKTINFO
101 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
102  " [MH/PKTINFO]"
103 #elif defined(IP_RECVDSTADDR)
104  " [MH/RECVDA]"
105 #endif
106 #endif
107  " [AEAD]"
108  " built on " __DATE__
109 ;
110 
111 #ifndef ENABLE_SMALL
112 
113 static const char usage_message[] =
114  "%s\n"
115  "\n"
116  "General Options:\n"
117  "--config file : Read configuration options from file.\n"
118  "--help : Show options.\n"
119  "--version : Show copyright and version information.\n"
120  "\n"
121  "Tunnel Options:\n"
122  "--local host : Local host name or ip address. Implies --bind.\n"
123  "--remote host [port] : Remote host name or ip address.\n"
124  "--remote-random : If multiple --remote options specified, choose one randomly.\n"
125  "--remote-random-hostname : Add a random string to remote DNS name.\n"
126  "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
127  "--proto p : Use protocol p for communicating with peer.\n"
128  " p = udp (default), tcp-server, or tcp-client\n"
129  "--proto-force p : only consider protocol p in list of connection profiles.\n"
130  " p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
131  "--connect-retry n [m] : For client, number of seconds to wait between\n"
132  " connection retries (default=%d). On repeated retries\n"
133  " the wait time is exponentially increased to a maximum of m\n"
134  " (default=%d).\n"
135  "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
136  "--http-proxy s p [up] [auth] : Connect to remote host\n"
137  " through an HTTP proxy at address s and port p.\n"
138  " If proxy authentication is required,\n"
139  " up is a file containing username/password on 2 lines, or\n"
140  " 'stdin' to prompt from console. Add auth='ntlm' if\n"
141  " the proxy requires NTLM authentication.\n"
142  "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
143  " determine auth method and query for username/password\n"
144  " if needed. auto-nct disables weak proxy auth methods.\n"
145  "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
146  " Repeat to set multiple options.\n"
147  " VERSION version (default=1.0)\n"
148  " AGENT user-agent\n"
149  "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
150  " address s and port p (default port = 1080).\n"
151  " If proxy authentication is required,\n"
152  " up is a file containing username/password on 2 lines, or\n"
153  " 'stdin' to prompt for console.\n"
154  "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
155  "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
156  " resolve for n seconds before failing (disabled by default).\n"
157  " Set n=\"infinite\" to retry indefinitely.\n"
158  "--float : Allow remote to change its IP address/port, such as through\n"
159  " DHCP (this is the default if --remote is not used).\n"
160  "--ipchange cmd : Run command cmd on remote ip address initial\n"
161  " setting or change -- execute as: cmd ip-address port#\n"
162  "--port port : TCP/UDP port # for both local and remote.\n"
163  "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
164  "--rport port : TCP/UDP port # for remote (default=%s).\n"
165  "--bind : Bind to local address and port. (This is the default unless\n"
166  " --proto tcp-client"
167  " or --http-proxy"
168  " or --socks-proxy"
169  " is used).\n"
170  "--nobind : Do not bind to local address and port.\n"
171  "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
172  "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
173  " this option only if the tun/tap device used with --dev\n"
174  " does not begin with \"tun\" or \"tap\".\n"
175  "--dev-node node : Explicitly set the device node rather than using\n"
176  " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
177  "--lladdr hw : Set the link layer address of the tap device.\n"
178  "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
179 #ifdef ENABLE_IPROUTE
180  "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
181 #endif
182  "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
183  " endpoint and rn as a remote endpoint. l & rn should be\n"
184  " swapped on the other peer. l & rn must be private\n"
185  " addresses outside of the subnets used by either peer.\n"
186  " TAP: configure device to use IP address l as a local\n"
187  " endpoint and rn as a subnet mask.\n"
188  "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
189  " endpoint (as a /64) and r as remote endpoint\n"
190  "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
191  " pass --ifconfig parms by environment to scripts.\n"
192  "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
193  " connection doesn't match the remote side.\n"
194  "--route network [netmask] [gateway] [metric] :\n"
195  " Add route to routing table after connection\n"
196  " is established. Multiple routes can be specified.\n"
197  " netmask default: 255.255.255.255\n"
198  " gateway default: taken from --route-gateway or --ifconfig\n"
199  " Specify default by leaving blank or setting to \"nil\".\n"
200  "--route-ipv6 network/bits [gateway] [metric] :\n"
201  " Add IPv6 route to routing table after connection\n"
202  " is established. Multiple routes can be specified.\n"
203  " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
204  " in --ifconfig-ipv6\n"
205  "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
206  "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
207  "--route-metric m : Specify a default metric for use with --route.\n"
208  "--route-delay n [w] : Delay n seconds after connection initiation before\n"
209  " adding routes (may be 0). If not specified, routes will\n"
210  " be added immediately after tun/tap open. On Windows, wait\n"
211  " up to w seconds for TUN/TAP adapter to come up.\n"
212  "--route-up cmd : Run command cmd after routes are added.\n"
213  "--route-pre-down cmd : Run command cmd before routes are removed.\n"
214  "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
215  " --route-up script using environmental variables.\n"
216  "--route-nopull : When used with --client or --pull, accept options pushed\n"
217  " by server EXCEPT for routes and dhcp options.\n"
218  "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
219  " --ifconfig, --route, and --route-gateway.\n"
220  "--redirect-gateway [flags]: Automatically execute routing\n"
221  " commands to redirect all outgoing IP traffic through the\n"
222  " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
223  " connected via a common subnet, such as with WiFi.\n"
224  " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
225  " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
226  " flag to add a direct route to DHCP server, bypassing tunnel.\n"
227  " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
228  "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
229  " the default gateway. Useful when pushing private subnets.\n"
230  "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
231  " ICMPv6 host unreachable messages on the client.\n"
232  " (Server) Instead of forwarding IPv6 packets send\n"
233  " ICMPv6 host unreachable packets to the client.\n"
234  "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
235  "--push-peer-info : (client only) push client info to server.\n"
236  "--setenv name value : Set a custom environmental variable to pass to script.\n"
237  "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
238  " directives for future OpenVPN versions to be ignored.\n"
239  "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
240  " these options to be ignored when unknown\n"
241  "--script-security level: Where level can be:\n"
242  " 0 -- strictly no calling of external programs\n"
243  " 1 -- (default) only call built-ins such as ifconfig\n"
244  " 2 -- allow calling of built-ins and scripts\n"
245  " 3 -- allow password to be passed to scripts via env\n"
246  "--shaper n : Restrict output to peer to n bytes per second.\n"
247  "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
248  " ping once every n seconds, restart if ping not received\n"
249  " for m seconds.\n"
250  "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
251  " produces a combined in/out byte count < bytes.\n"
252  "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
253  "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
254  "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
255  " remote address.\n"
256  "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
257 #if ENABLE_IP_PKTINFO
258  "--multihome : Configure a multi-homed UDP server.\n"
259 #endif
260  "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
261  "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
262  "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
263  "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
264  "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
265  "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
266 #if PASSTOS_CAPABILITY
267  "--passtos : TOS passthrough (applies to IPv4 only).\n"
268 #endif
269  "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
270  " TCP/UDP MTU from it (default=%d).\n"
271  "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
272  " as n bytes more than the tun-mtu size on read\n"
273  " (default TUN=0 TAP=%d).\n"
274  "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
275  " from it.\n"
276  "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
277  " 'no' -- Never send DF (Don't Fragment) frames\n"
278  " 'maybe' -- Use per-route hints\n"
279  " 'yes' -- Always DF (Don't Fragment)\n"
280  "--mtu-test : Empirically measure and report MTU.\n"
281 #ifdef ENABLE_FRAGMENT
282  "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
283  " datagrams are sent which are larger than max bytes.\n"
284  " Adds 4 bytes of overhead per datagram.\n"
285 #endif
286  "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
287  " or --fragment max value, whichever is lower.\n"
288  "--sndbuf size : Set the TCP/UDP send buffer size.\n"
289  "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
290 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
291  "--mark value : Mark encrypted packets being sent with value. The mark value\n"
292  " can be matched in policy routing and packetfilter rules.\n"
293  "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
294  " listening for connections. This allows sending encrypted packets\n"
295  " via a VRF present on the system.\n"
296 #endif
297  "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
298 #ifdef ENABLE_MEMSTATS
299  "--memstats file : Write live usage stats to memory mapped binary file.\n"
300 #endif
301  "--mlock : Disable Paging -- ensures key material and tunnel\n"
302  " data will never be written to disk.\n"
303  "--up cmd : Run command cmd after successful tun device open.\n"
304  " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
305  " ifconfig-local-ip ifconfig-remote-ip\n"
306  " (pre --user or --group UID/GID change)\n"
307  "--up-delay : Delay tun/tap open and possible --up script execution\n"
308  " until after TCP/UDP connection establishment with peer.\n"
309  "--down cmd : Run command cmd after tun device close.\n"
310  " (post --user/--group UID/GID change and/or --chroot)\n"
311  " (command parameters are same as --up option)\n"
312  "--down-pre : Run --down command before TUN/TAP close.\n"
313  "--up-restart : Run up/down commands for all restarts including those\n"
314  " caused by --ping-restart or SIGUSR1\n"
315  "--user user : Set UID to user after initialization.\n"
316  "--group group : Set GID to group after initialization.\n"
317  "--chroot dir : Chroot to this directory after initialization.\n"
318 #ifdef ENABLE_SELINUX
319  "--setcon context: Apply this SELinux context after initialization.\n"
320 #endif
321  "--cd dir : Change to this directory before initialization.\n"
322  "--daemon [name] : Become a daemon after initialization.\n"
323  " The optional 'name' parameter will be passed\n"
324  " as the program name to the system logger.\n"
325  "--syslog [name] : Output to syslog, but do not become a daemon.\n"
326  " See --daemon above for a description of the 'name' parm.\n"
327  "--log file : Output log to file which is created/truncated on open.\n"
328  "--log-append file : Append log to file, or create file if nonexistent.\n"
329  "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
330  "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
331  "--writepid file : Write main process ID to file.\n"
332  "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
333  "--echo [parms ...] : Echo parameters to log output.\n"
334  "--verb n : Set output verbosity to n (default=%d):\n"
335  " (Level 3 is recommended if you want a good summary\n"
336  " of what's happening without being swamped by output).\n"
337  " : 0 -- no output except fatal errors\n"
338  " : 1 -- startup info + connection initiated messages +\n"
339  " non-fatal encryption & net errors\n"
340  " : 2,3 -- show TLS negotiations & route info\n"
341  " : 4 -- show parameters\n"
342  " : 5 -- show 'RrWw' chars on console for each packet sent\n"
343  " and received from TCP/UDP (caps) or tun/tap (lc)\n"
344  " : 6 to 11 -- debug messages of increasing verbosity\n"
345  "--mute n : Log at most n consecutive messages in the same category.\n"
346  "--status file n : Write operational status to file every n seconds.\n"
347  "--status-version [n] : Choose the status file format version number.\n"
348  " Currently, n can be 1, 2, or 3 (default=1).\n"
349  "--disable-occ : Disable options consistency check between peers.\n"
350 #ifdef ENABLE_DEBUG
351  "--gremlin mask : Special stress testing mode (for debugging only).\n"
352 #endif
353 #if defined(USE_COMP)
354  "--compress alg : Use compression algorithm alg\n"
355  "--allow-compression: Specify whether compression should be allowed\n"
356 #if defined(ENABLE_LZO)
357  "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
358  " packet for incompressible data.\n"
359  "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
360  " is specified.\n"
361 #endif
362 #endif
363 #ifdef ENABLE_MANAGEMENT
364  "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
365  " management functions. pass is a password file\n"
366  " or 'stdin' to prompt from console.\n"
367 #if UNIX_SOCK_SUPPORT
368  " To listen on a unix domain socket, specific the pathname\n"
369  " in place of ip and use 'unix' as the port number.\n"
370 #endif
371  "--management-client : Management interface will connect as a TCP client to\n"
372  " ip/port rather than listen as a TCP server.\n"
373  "--management-query-passwords : Query management channel for private key\n"
374  " and auth-user-pass passwords.\n"
375  "--management-query-proxy : Query management channel for proxy information.\n"
376  "--management-query-remote : Query management channel for --remote directive.\n"
377  "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
378  " of the management interface explicitly starts it.\n"
379  "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
380  "--management-forget-disconnect : Forget passwords when management disconnect\n"
381  " event occurs.\n"
382  "--management-up-down : Report tunnel up/down events to management interface.\n"
383  "--management-log-cache n : Cache n lines of log file history for usage\n"
384  " by the management channel.\n"
385 #if UNIX_SOCK_SUPPORT
386  "--management-client-user u : When management interface is a unix socket, only\n"
387  " allow connections from user u.\n"
388  "--management-client-group g : When management interface is a unix socket, only\n"
389  " allow connections from group g.\n"
390 #endif
391  "--management-client-auth : gives management interface client the responsibility\n"
392  " to authenticate clients after their client certificate\n"
393  " has been verified.\n"
394 #endif /* ifdef ENABLE_MANAGEMENT */
395 #ifdef ENABLE_PLUGIN
396  "--plugin m [str]: Load plug-in module m passing str as an argument\n"
397  " to its initialization function.\n"
398 #endif
399  "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
400  "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
401  "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
402  "\n"
403  "Multi-Client Server options (when --mode server is used):\n"
404  "--server network netmask : Helper option to easily configure server mode.\n"
405  "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
406  "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
407  " easily configure ethernet bridging server mode.\n"
408  "--push \"option\" : Push a config file option back to the peer for remote\n"
409  " execution. Peer must specify --pull in its config file.\n"
410  "--push-reset : Don't inherit global push list for specific\n"
411  " client instance.\n"
412  "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
413  " to be dynamically allocated to connecting clients.\n"
414  "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
415  " data to file, at seconds intervals (default=600).\n"
416  " If seconds=0, file will be treated as read-only.\n"
417  "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
418  " to be dynamically allocated to connecting clients.\n"
419  "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
420  " overrides --ifconfig-pool dynamic allocation.\n"
421  " Only valid in a client-specific config file.\n"
422  "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
423  " remote, overrides --ifconfig-ipv6-pool allocation.\n"
424  " Only valid in a client-specific config file.\n"
425  "--iroute network [netmask] : Route subnet to client.\n"
426  "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
427  " Sets up internal routes only.\n"
428  " Only valid in a client-specific config file.\n"
429  "--disable : Client is disabled.\n"
430  " Only valid in a client-specific config file.\n"
431  "--verify-client-cert [none|optional|require] : perform no, optional or\n"
432  " mandatory client certificate verification.\n"
433  " Default is to require the client to supply a certificate.\n"
434  "--username-as-common-name : For auth-user-pass authentication, use\n"
435  " the authenticated username as the common name,\n"
436  " rather than the common name from the client cert.\n"
437  "--auth-user-pass-verify cmd method: Query client for username/password and\n"
438  " run command cmd to verify. If method='via-env', pass\n"
439  " user/pass via environment, if method='via-file', pass\n"
440  " user/pass via temporary file.\n"
441  "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
442  " to each client, replacing the password. Useful when\n"
443  " OTP based two-factor auth mechanisms are in use and\n"
444  " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
445  " for generated tokens can be set.\n"
446  "--opt-verify : Clients that connect with options that are incompatible\n"
447  " with those of the server will be disconnected.\n"
448  "--auth-user-pass-optional : Allow connections by clients that don't\n"
449  " specify a username/password.\n"
450  "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
451  " any printable character.\n"
452  "--client-to-client : Internally route client-to-client traffic.\n"
453  "--duplicate-cn : Allow multiple clients with the same common name to\n"
454  " concurrently connect.\n"
455  "--client-connect cmd : Run command cmd on client connection.\n"
456  "--client-disconnect cmd : Run command cmd on client disconnection.\n"
457  "--client-config-dir dir : Directory for custom client config files.\n"
458  "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
459  "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
460  "--hash-size r v : Set the size of the real address hash table to r and the\n"
461  " virtual address table to v.\n"
462  "--bcast-buffers n : Allocate n broadcast buffers.\n"
463  "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
464  "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
465  " as well as pushes it to connecting clients.\n"
466  "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
467  "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
468  "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
469  "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
470  "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
471  " older than n seconds. Run this check every t\n"
472  " seconds (defaults to n).\n"
473  "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
474  " clients. n = 1 - reconnect to same server,\n"
475  " 2 - advance to next server, default=1.\n"
476 #if PORT_SHARE
477  "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
478  " sessions to a web server at host:port. dir specifies an\n"
479  " optional directory to write origin IP:port data.\n"
480 #endif
481  "\n"
482  "Client options (when connecting to a multi-client server):\n"
483  "--client : Helper option to easily configure client mode.\n"
484  "--auth-user-pass [up] : Authenticate with server using username/password.\n"
485  " up is a file containing the username on the first line,\n"
486  " and a password on the second. If either the password or both\n"
487  " the username and the password are omitted OpenVPN will prompt\n"
488  " for them from console.\n"
489  "--pull : Accept certain config file options from the peer as if they\n"
490  " were part of the local config file. Must be specified\n"
491  " when connecting to a '--mode server' remote host.\n"
492  "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
493  " server if it starts with the text t. The action flag accept,\n"
494  " ignore or reject causes the option to be allowed, removed or\n"
495  " rejected with error. May be specified multiple times, and\n"
496  " each filter is applied in the order of appearance.\n"
497  "--auth-retry t : How to handle auth failures. Set t to\n"
498  " none (default), interact, or nointeract.\n"
499  "--static-challenge t e : Enable static challenge/response protocol using\n"
500  " challenge text t, with e indicating echo flag (0|1)\n"
501  "--connect-timeout n : when polling possible remote servers to connect to\n"
502  " in a round-robin fashion, spend no more than n seconds\n"
503  " waiting for a response before trying the next server.\n"
504  "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
505  " incoming tun packets with same destination as host.\n"
506  "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
507  " server/remote. n = # of retries, default=1.\n"
508  "\n"
509  "Data Channel Encryption Options (must be compatible between peers):\n"
510  "(These options are meaningful for both Static Key & TLS-mode)\n"
511  "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
512  " Use shared secret file f, generate with --genkey.\n"
513  " The optional d parameter controls key directionality.\n"
514  " If d is specified, use separate keys for each\n"
515  " direction, set d=0 on one side of the connection,\n"
516  " and d=1 on the other side.\n"
517  "--auth alg : Authenticate packets with HMAC using message\n"
518  " digest algorithm alg (default=%s).\n"
519  " (usually adds 16 or 20 bytes per packet)\n"
520  " Set alg=none to disable authentication.\n"
521  "--cipher alg : Encrypt packets with cipher algorithm alg\n"
522  " (default=%s).\n"
523  " Set alg=none to disable encryption.\n"
524  "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
525  "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
526  " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
527 #ifndef ENABLE_CRYPTO_MBEDTLS
528  "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
529 #endif
530  "--no-replay : (DEPRECATED) Disable replay protection.\n"
531  "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
532  "--replay-window n [t] : Use a replay protection sliding window of size n\n"
533  " and a time window of t seconds.\n"
534  " Default n=%d t=%d\n"
535  "--replay-persist file : Persist replay-protection state across sessions\n"
536  " using file.\n"
537  "--test-crypto : Run a self-test of crypto features enabled.\n"
538  " For debugging only.\n"
539 #ifdef ENABLE_PREDICTION_RESISTANCE
540  "--use-prediction-resistance: Enable prediction resistance on the random\n"
541  " number generator.\n"
542 #endif
543  "\n"
544  "TLS Key Negotiation Options:\n"
545  "(These options are meaningful only for TLS-mode)\n"
546  "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
547  "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
548  "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
549  " number, such as 1 (default), 2, etc.\n"
550  "--ca file : Certificate authority file in .pem format containing\n"
551  " root certificate.\n"
552 #ifndef ENABLE_CRYPTO_MBEDTLS
553  "--capath dir : A directory of trusted certificates (CAs"
554  " and CRLs).\n"
555 #endif /* ENABLE_CRYPTO_MBEDTLS */
556  "--dh file : File containing Diffie Hellman parameters\n"
557  " in .pem format (for --tls-server only).\n"
558  " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
559  "--cert file : Local certificate in .pem format -- must be signed\n"
560  " by a Certificate Authority in --ca file.\n"
561  "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
562  "--key file : Local private key in .pem format.\n"
563  "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
564  " will accept from the peer. If version is unrecognized and 'or-highest'\n"
565  " is specified, require max TLS version supported by SSL implementation.\n"
566  "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
567 #ifndef ENABLE_CRYPTO_MBEDTLS
568  "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
569  " and optionally the root CA certificate.\n"
570 #endif
571 #ifdef ENABLE_X509ALTUSERNAME
572  "--x509-username-field : Field in x509 certificate containing the username.\n"
573  " Default is CN in the Subject field.\n"
574 #endif
575  "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
576  " Valid algo flags are SHA1 and SHA256. \n"
577 #ifdef _WIN32
578  "--cryptoapicert select-string : Load the certificate and private key from the\n"
579  " Windows Certificate System Store.\n"
580 #endif
581  "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
582  "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
583  " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
584  "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
585  " (default=legacy).\n"
586  "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
587  " if no ACK from remote within n seconds (default=%d).\n"
588  "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
589  "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
590  "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
591  " and at least min (defaults to 90%% of max on servers and equal\n"
592  " to max on clients).\n"
593  "--hand-window n : Data channel key exchange must finalize within n seconds\n"
594  " of handshake initiation by any peer (default=%d).\n"
595  "--tran-window n : Transition window -- old key can live this many seconds\n"
596  " after new key renegotiation begins (default=%d).\n"
597  "--single-session: Allow only one session (reset state on restart).\n"
598  "--tls-exit : Exit on TLS negotiation failure.\n"
599  "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
600  " control channel to protect against attacks on the TLS stack\n"
601  " and DoS attacks.\n"
602  " f (required) is a shared-secret key file.\n"
603  " The optional d parameter controls key directionality,\n"
604  " see --secret option for more info.\n"
605  "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
606  " of the TLS control channel to hide the TLS certificate,\n"
607  " provide basic post-quantum security and protect against\n"
608  " attacks on the TLS stack and DoS attacks.\n"
609  " key (required) provides the pre-shared key file.\n"
610  " see --secret option for more info.\n"
611  "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
612  " For servers: use key to decrypt client-specific keys. For\n"
613  " key generation (--genkey tls-crypt-v2-client): use key to\n"
614  " encrypt generated client-specific key. (See --tls-crypt.)\n"
615  "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
616  " fresh tls-crypt-v2 client key, and store to\n"
617  " keyfile. If supplied, include metadata in wrapped key.\n"
618  "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
619  " fresh tls-crypt-v2 server key, and store to keyfile\n"
620  "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
621  " client-supplied tls-crypt-v2 client key\n"
622  "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
623  "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
624  "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
625  "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
626  " pending TLS connection that has otherwise passed all other\n"
627  " tests of certification. cmd should return 0 to allow\n"
628  " TLS handshake to proceed, or 1 to fail. (cmd is\n"
629  " executed as 'cmd certificate_depth subject')\n"
630  "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
631  " in an openvpn temporary file in [directory]. Peer cert is \n"
632  " stored before tls-verify script execution and deleted after.\n"
633  "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
634  " DN name. The remote host must also pass all other tests\n"
635  " of verification.\n"
636  "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
637  " an explicit nsCertType designation t = 'client' | 'server'.\n"
638  "--x509-track x : Save peer X509 attribute x in environment for use by\n"
639  " plugins and management interface.\n"
640 #ifdef HAVE_EXPORT_KEYING_MATERIAL
641  "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
642  " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
643 #endif
644  "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
645  " explicit key usage, you can specify more than one value.\n"
646  " value should be given in hex format.\n"
647  "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
648  " explicit extended key usage. Extended key usage can be encoded\n"
649  " as an object identifier or OpenSSL string representation.\n"
650  "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
651  " key usage and extended key usage based on RFC3280 TLS rules.\n"
652  " t = 'client' | 'server'.\n"
653 #ifdef ENABLE_PKCS11
654  "\n"
655  "PKCS#11 Options:\n"
656  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
657  "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
658  " path. Set for each provider.\n"
659  "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
660  " 0 : Try to determine automatically (default).\n"
661  " 1 : Use Sign.\n"
662  " 2 : Use SignRecover.\n"
663  " 4 : Use Decrypt.\n"
664  " 8 : Use Unwrap.\n"
665  "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
666  " certificate can be accessed. Set for each provider.\n"
667  "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
668  " cache until token is removed.\n"
669  "--pkcs11-id-management : Acquire identity from management interface.\n"
670  "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
671 #endif /* ENABLE_PKCS11 */
672  "\n"
673  "SSL Library information:\n"
674  "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
675  "--show-digests : Show message digest algorithms to use with --auth option.\n"
676  "--show-engines : Show hardware crypto accelerator engines (if available).\n"
677  "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
678 #ifdef _WIN32
679  "\n"
680  "Windows Specific:\n"
681  "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
682  " from SystemRoot environment variable.\n"
683  "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
684  " IP address using method = manual, netsh, ipapi,\n"
685  " dynamic, or adaptive (default = adaptive).\n"
686  " Dynamic method allows two optional parameters:\n"
687  " offset: DHCP server address offset (> -256 and < 256).\n"
688  " If 0, use network address, if >0, take nth\n"
689  " address forward from network address, if <0,\n"
690  " take nth address backward from broadcast\n"
691  " address.\n"
692  " Default is 0.\n"
693  " lease-time: Lease time in seconds.\n"
694  " Default is one year.\n"
695  "--route-method : Which method to use for adding routes on Windows?\n"
696  " adaptive (default) -- Try ipapi then fall back to exe.\n"
697  " ipapi -- Use IP helper API.\n"
698  " exe -- Call the route.exe shell command.\n"
699  "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
700  " be used with --ip-win32 dynamic. For options\n"
701  " which allow multiple addresses,\n"
702  " --dhcp-option must be repeated.\n"
703  " DOMAIN name : Set DNS suffix\n"
704  " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
705  " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
706  " NTP : Set NTP server address(es)\n"
707  " NBDD : Set NBDD server address(es)\n"
708  " WINS addr : Set WINS server address(es)\n"
709  " NBT type : Set NetBIOS over TCP/IP Node type\n"
710  " 1: B, 2: P, 4: M, 8: H\n"
711  " NBS id : Set NetBIOS scope ID\n"
712  " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
713  "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
714  "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
715  " startup.\n"
716  "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
717  " on connection initiation.\n"
718  "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
719  " attempting to set adapter properties.\n"
720  "--pause-exit : When run from a console window, pause before exiting.\n"
721  "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
722  " service, and should not be used directly by end-users.\n"
723  " ex is the name of an event object which, when\n"
724  " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
725  " optional parameter controls the initial state of ex.\n"
726  "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
727  " after TAP adapter is up and routes have been added.\n"
728  "--windows-driver : Which tun driver to use?\n"
729  " tap-windows6 (default)\n"
730  " wintun\n"
731  "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
732  "Windows Standalone Options:\n"
733  "\n"
734  "--show-adapters : Show all TAP-Windows adapters.\n"
735  "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
736  "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
737  "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
738  " to access TAP adapter.\n"
739 #endif /* ifdef _WIN32 */
740  "\n"
741  "Generate a new key :\n"
742  "--genkey secret file : Generate a new random key of type and write to file\n"
743  " (for use with --secret, --tls-auth or --tls-crypt)."
744 #ifdef ENABLE_FEATURE_TUN_PERSIST
745  "\n"
746  "Tun/tap config mode (available with linux 2.4+):\n"
747  "--mktun : Create a persistent tunnel.\n"
748  "--rmtun : Remove a persistent tunnel.\n"
749  "--dev tunX|tapX : tun/tap device\n"
750  "--dev-type dt : Device type. See tunnel options above for details.\n"
751  "--user user : User to set privilege to.\n"
752  "--group group : Group to set privilege to.\n"
753 #endif
754 #ifdef ENABLE_PKCS11
755  "\n"
756  "PKCS#11 standalone options:\n"
757 #ifdef DEFAULT_PKCS11_MODULE
758  "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
759 #else
760  "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
761 #endif
762  " --verb option can be added *BEFORE* this.\n"
763 #endif /* ENABLE_PKCS11 */
764  "\n"
765  "General Standalone Options:\n"
766 #ifdef ENABLE_DEBUG
767  "--show-gateway : Show info about default gateway.\n"
768 #endif
769 ;
770 
771 #endif /* !ENABLE_SMALL */
772 
773 /*
774  * This is where the options defaults go.
775  * Any option not explicitly set here
776  * will be set to 0.
777  */
778 void
779 init_options(struct options *o, const bool init_gc)
780 {
781  CLEAR(*o);
782  if (init_gc)
783  {
784  gc_init(&o->gc);
785  o->gc_owned = true;
786  }
788  o->topology = TOP_NET30;
789  o->ce.proto = PROTO_UDP;
790  o->ce.af = AF_UNSPEC;
791  o->ce.bind_ipv6_only = false;
792  o->ce.connect_retry_seconds = 5;
793  o->ce.connect_retry_seconds_max = 300;
794  o->ce.connect_timeout = 120;
795  o->connect_retry_max = 0;
797  o->verbosity = 1;
798  o->status_file_update_freq = 60;
799  o->status_file_version = 1;
800  o->ce.bind_local = true;
803  o->ce.mtu_discover_type = -1;
804  o->ce.mssfix = MSSFIX_DEFAULT;
805  o->route_delay_window = 30;
807  o->resolve_in_advance = false;
808  o->proto_force = -1;
809  o->occ = true;
810 #ifdef ENABLE_MANAGEMENT
814 #endif
815 #ifdef ENABLE_FEATURE_TUN_PERSIST
816  o->persist_mode = 1;
817 #endif
818 #ifdef _WIN32
819 #if 0
821 #else
823 #endif
824  o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
825  o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
827  o->block_outside_dns = false;
829 #endif
830  o->vlan_accept = VLAN_ALL;
831  o->vlan_pvid = 1;
832  o->real_hash_size = 256;
833  o->virtual_hash_size = 256;
834  o->n_bcast_buf = 256;
835  o->tcp_queue_limit = 64;
836  o->max_clients = 1024;
837  o->max_routes_per_client = 256;
841  o->authname = "SHA1";
842  o->prng_hash = "SHA1";
843  o->prng_nonce_secret_len = 16;
844  o->replay = true;
848 #ifdef ENABLE_PREDICTION_RESISTANCE
849  o->use_prediction_resistance = false;
850 #endif
851  o->tls_timeout = 2;
852  o->renegotiate_bytes = -1;
853  o->renegotiate_seconds = 3600;
854  o->renegotiate_seconds_min = -1;
855  o->handshake_window = 60;
856  o->transition_window = 3600;
857  o->tls_cert_profile = NULL;
858  o->ecdh_curve = NULL;
859 #ifdef ENABLE_X509ALTUSERNAME
860  o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
861 #endif
862 #ifdef ENABLE_PKCS11
863  o->pkcs11_pin_cache_period = -1;
864 #endif /* ENABLE_PKCS11 */
865 
866 /* P2MP server context features */
867  o->auth_token_generate = false;
868 
869  /* Set default --tmp-dir */
870 #ifdef _WIN32
871  /* On Windows, find temp dir via environment variables */
872  o->tmp_dir = win_get_tempdir();
873 #else
874  /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
875  o->tmp_dir = getenv("TMPDIR");
876  if (!o->tmp_dir)
877  {
878  o->tmp_dir = "/tmp";
879  }
880 #endif /* _WIN32 */
881  o->allow_recursive_routing = false;
882 }
883 
884 void
886 {
887  if (o->gc_owned)
888  {
889  gc_free(&o->gc);
890  }
891 }
892 
894 {
895 #define PUF_TYPE_UNDEF 0
896 #define PUF_TYPE_ACCEPT 1
897 #define PUF_TYPE_IGNORE 2
898 #define PUF_TYPE_REJECT 3
899  int type;
900  int size;
901  char *pattern;
902  struct pull_filter *next;
903 };
904 
906 {
907  struct pull_filter *head;
908  struct pull_filter *tail;
909 };
910 
911 static const char *
913 {
914  if (type == PUF_TYPE_ACCEPT)
915  {
916  return "accept";
917  }
918  if (type == PUF_TYPE_IGNORE)
919  {
920  return "ignore";
921  }
922  if (type == PUF_TYPE_REJECT)
923  {
924  return "reject";
925  }
926  else
927  {
928  return "???";
929  }
930 }
931 
932 #ifndef ENABLE_SMALL
933 
934 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
935 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
936 #define SHOW_STR_INLINE(var) SHOW_PARM(var, \
937  o->var ## _inline ? "[INLINE]" : \
938  (o->var ? o->var : "[UNDEF]"), \
939  "'%s'")
940 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
941 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
942 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
943 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
944 
945 #endif
946 
947 static void
949  const struct connection_entry *e,
950  const int i)
951 {
952  setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
953  setenv_str_i(es, "local", e->local, i);
954  setenv_str_i(es, "local_port", e->local_port, i);
955  setenv_str_i(es, "remote", e->remote, i);
956  setenv_str_i(es, "remote_port", e->remote_port, i);
957 
958  if (e->http_proxy_options)
959  {
960  setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
961  setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
962  }
963  if (e->socks_proxy_server)
964  {
965  setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
966  setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
967  }
968 }
969 
970 void
971 setenv_settings(struct env_set *es, const struct options *o)
972 {
973  setenv_str(es, "config", o->config);
974  setenv_int(es, "verb", o->verbosity);
975  setenv_int(es, "daemon", o->daemon);
976  setenv_int(es, "daemon_log_redirect", o->log);
977  setenv_long_long(es, "daemon_start_time", time(NULL));
978  setenv_int(es, "daemon_pid", platform_getpid());
979 
980  if (o->connection_list)
981  {
982  int i;
983  for (i = 0; i < o->connection_list->len; ++i)
984  {
986  }
987  }
988  else
989  {
990  setenv_connection_entry(es, &o->ce, 1);
991  }
992 }
993 
994 static in_addr_t
995 get_ip_addr(const char *ip_string, int msglevel, bool *error)
996 {
997  unsigned int flags = GETADDR_HOST_ORDER;
998  bool succeeded = false;
999  in_addr_t ret;
1000 
1001  if (msglevel & M_FATAL)
1002  {
1003  flags |= GETADDR_FATAL;
1004  }
1005 
1006  ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1007  if (!succeeded && error)
1008  {
1009  *error = true;
1010  }
1011  return ret;
1012 }
1013 
1019 static char *
1020 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1021 {
1022  const char *end = strchr(addr, '/');
1023  char *ret = NULL;
1024  if (NULL == end)
1025  {
1026  ret = string_alloc(addr, gc);
1027  }
1028  else
1029  {
1030  size_t len = end - addr;
1031  ret = gc_malloc(len + 1, true, gc);
1032  memcpy(ret, addr, len);
1033  }
1034  return ret;
1035 }
1036 
1037 static bool
1038 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1039 {
1040  struct in6_addr t_addr;
1041  unsigned int t_bits;
1042 
1043  return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1044 }
1045 
1046 static char *
1047 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1048 {
1049  char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1050  char *dest = ret;
1051  char c;
1052 
1053  do
1054  {
1055  c = *src++;
1056  if (c == from)
1057  {
1058  c = to;
1059  }
1060  *dest++ = c;
1061  }
1062  while (c);
1063  return ret;
1064 }
1065 
1075 static struct verify_hash_list *
1076 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1077 {
1078  int i = 0;
1079  const char *cp = str;
1080 
1081  struct verify_hash_list *ret;
1082  ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1083 
1084  char term = 0;
1085  int byte;
1086 
1087  while (*cp && i < nbytes)
1088  {
1089  /* valid segments consist of exactly two hex digits, then ':' or EOS */
1090  if (!isxdigit(cp[0])
1091  || !isxdigit(cp[1])
1092  || (cp[2] != ':' && cp[2] != '\0')
1093  || sscanf(cp, "%x", &byte) != 1)
1094  {
1095  msg(msglevel, "format error in hash fingerprint: %s", str);
1096  break;
1097  }
1098 
1099  ret->hash[i++] = (uint8_t)byte;
1100 
1101  term = cp[2];
1102  if (term == '\0')
1103  {
1104  break;
1105  }
1106  cp += 3;
1107  }
1108  if (i < nbytes)
1109  {
1110  msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1111  }
1112  else if (term != '\0')
1113  {
1114  msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1115  }
1116  return ret;
1117 }
1118 
1129 static struct verify_hash_list *
1130 parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1131  struct gc_arena *gc)
1132 {
1133  struct gc_arena gc_temp = gc_new();
1134  char *lines = string_alloc(str, &gc_temp);
1135 
1136  struct verify_hash_list *ret = NULL;
1137 
1138  const char *line;
1139  while ((line = strsep(&lines, "\n")))
1140  {
1141  /* ignore leading whitespace */
1142  while(isspace(*line))
1143  {
1144  line++;
1145  }
1146  /* skip empty lines and comment lines */
1147  if (strlen(line) == 0 || *line == '#' || *line == ';')
1148  {
1149  continue;
1150  }
1151 
1152  struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1153  msglevel, gc);
1154 
1155  if (!hash)
1156  {
1157  gc_free(&gc_temp);
1158  return NULL;
1159  }
1160 
1161  hash->next = ret;
1162  ret = hash;
1163  }
1164  gc_free(&gc_temp);
1165 
1166  return ret;
1167 }
1168 #ifdef _WIN32
1169 
1170 #ifndef ENABLE_SMALL
1171 
1172 static void
1173 show_dhcp_option_list(const char *name, const char * const*array, int len)
1174 {
1175  int i;
1176  for (i = 0; i < len; ++i)
1177  {
1178  msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1179  }
1180 }
1181 
1182 static void
1183 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1184 {
1185  struct gc_arena gc = gc_new();
1186  int i;
1187  for (i = 0; i < len; ++i)
1188  {
1189  msg(D_SHOW_PARMS, " %s[%d] = %s",
1190  name,
1191  i,
1192  print_in_addr_t(array[i], 0, &gc));
1193  }
1194  gc_free(&gc);
1195 }
1196 
1197 static void
1199 {
1200  SHOW_BOOL(ip_win32_defined);
1201  SHOW_INT(ip_win32_type);
1202  SHOW_INT(dhcp_masq_offset);
1203  SHOW_INT(dhcp_lease_time);
1204  SHOW_INT(tap_sleep);
1205  SHOW_BOOL(dhcp_options);
1207  SHOW_BOOL(dhcp_pre_release);
1208  SHOW_STR(domain);
1209  SHOW_STR(netbios_scope);
1210  SHOW_INT(netbios_node_type);
1211  SHOW_BOOL(disable_nbt);
1212 
1213  show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1214  show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1215  show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1216  show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1218 }
1219 
1220 #endif /* ifndef ENABLE_SMALL */
1221 #endif /* ifdef _WIN32 */
1222 
1223 #if defined(_WIN32) || defined(TARGET_ANDROID)
1224 static void
1225 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1226 {
1227  struct in6_addr addr;
1228  if (*len >= N_DHCP_ADDR)
1229  {
1230  msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1231  N_DHCP_ADDR);
1232  }
1233  else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1234  {
1235  dns6_list[(*len)++] = addr;
1236  }
1237 }
1238 static void
1239 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1240 {
1241  if (*len >= N_DHCP_ADDR)
1242  {
1243  msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1244  name,
1245  N_DHCP_ADDR,
1246  name);
1247  }
1248  else
1249  {
1250  if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1251  {
1252  bool error = false;
1253  const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1254  if (!error)
1255  {
1256  array[(*len)++] = addr;
1257  }
1258  }
1259  else
1260  {
1261  msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1262  }
1263  }
1264 }
1265 
1266 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1267 
1268 static const char *
1270 {
1271  switch (mode)
1272  {
1273  case VLAN_ONLY_TAGGED:
1274  return "tagged";
1275 
1277  return "untagged";
1278 
1279  case VLAN_ALL:
1280  return "all";
1281  }
1282  return NULL;
1283 }
1284 
1285 #ifndef ENABLE_SMALL
1286 
1287 static void
1288 show_p2mp_parms(const struct options *o)
1289 {
1290  struct gc_arena gc = gc_new();
1291 
1292  msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1293  msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1294  msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1295  SHOW_INT(server_netbits_ipv6);
1296  msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1297  msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1298  msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1299  msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1300  if (o->push_list.head)
1301  {
1302  const struct push_entry *e = o->push_list.head;
1303  while (e)
1304  {
1305  if (e->enable)
1306  {
1307  msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1308  }
1309  e = e->next;
1310  }
1311  }
1312  SHOW_BOOL(ifconfig_pool_defined);
1313  msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1314  msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1315  msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1316  SHOW_STR(ifconfig_pool_persist_filename);
1317  SHOW_INT(ifconfig_pool_persist_refresh_freq);
1318  SHOW_BOOL(ifconfig_ipv6_pool_defined);
1319  msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1320  SHOW_INT(ifconfig_ipv6_pool_netbits);
1321  SHOW_INT(n_bcast_buf);
1322  SHOW_INT(tcp_queue_limit);
1323  SHOW_INT(real_hash_size);
1324  SHOW_INT(virtual_hash_size);
1325  SHOW_STR(client_connect_script);
1327  SHOW_STR(client_disconnect_script);
1328  SHOW_STR(client_config_dir);
1329  SHOW_BOOL(ccd_exclusive);
1330  SHOW_STR(tmp_dir);
1331  SHOW_BOOL(push_ifconfig_defined);
1332  msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1333  msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1334  SHOW_BOOL(push_ifconfig_ipv6_defined);
1335  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1336  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1337  SHOW_BOOL(enable_c2c);
1338  SHOW_BOOL(duplicate_cn);
1339  SHOW_INT(cf_max);
1340  SHOW_INT(cf_per);
1341  SHOW_INT(max_clients);
1342  SHOW_INT(max_routes_per_client);
1343  SHOW_STR(auth_user_pass_verify_script);
1344  SHOW_BOOL(auth_user_pass_verify_script_via_file);
1345  SHOW_BOOL(auth_token_generate);
1346  SHOW_INT(auth_token_lifetime);
1347  SHOW_STR_INLINE(auth_token_secret_file);
1348 #if PORT_SHARE
1349  SHOW_STR(port_share_host);
1350  SHOW_STR(port_share_port);
1351 #endif
1352  SHOW_BOOL(vlan_tagging);
1353  msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1354  SHOW_INT(vlan_pvid);
1355 
1356  SHOW_BOOL(client);
1357  SHOW_BOOL(pull);
1358  SHOW_STR(auth_user_pass_file);
1359 
1360  gc_free(&gc);
1361 }
1362 
1363 #endif /* ! ENABLE_SMALL */
1364 
1365 static void
1367  const char *network_str,
1368  const char *netmask_str,
1369  int msglevel)
1370 {
1371  struct iroute *ir;
1372 
1373  ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1374  ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1375  ir->netbits = -1;
1376 
1377  if (netmask_str)
1378  {
1379  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1380  if (!netmask_to_netbits(ir->network, netmask, &ir->netbits))
1381  {
1382  msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1383  network_str,
1384  netmask_str);
1385  return;
1386  }
1387  }
1388 
1389  ir->next = o->iroutes;
1390  o->iroutes = ir;
1391 }
1392 
1393 static void
1395  const char *prefix_str,
1396  int msglevel)
1397 {
1398  struct iroute_ipv6 *ir;
1399 
1400  ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1401 
1402  if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1403  {
1404  msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1405  prefix_str);
1406  return;
1407  }
1408 
1409  ir->next = o->iroutes_ipv6;
1410  o->iroutes_ipv6 = ir;
1411 }
1412 
1413 #ifndef ENABLE_SMALL
1414 static void
1416 {
1417  int i;
1418  msg(D_SHOW_PARMS, "BEGIN http_proxy");
1419  SHOW_STR(server);
1420  SHOW_STR(port);
1421  SHOW_STR(auth_method_string);
1422  SHOW_STR(auth_file);
1423  SHOW_STR(http_version);
1424  SHOW_STR(user_agent);
1425  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1426  {
1427  if (o->custom_headers[i].content)
1428  {
1429  msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1430  o->custom_headers[i].name, o->custom_headers[i].content);
1431  }
1432  else
1433  {
1434  msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1435  o->custom_headers[i].name);
1436  }
1437  }
1438  msg(D_SHOW_PARMS, "END http_proxy");
1439 }
1440 #endif /* ifndef ENABLE_SMALL */
1441 
1442 void
1444 {
1445  gc_detach(&o->gc);
1446  o->routes = NULL;
1447  o->client_nat = NULL;
1448  clone_push_list(o);
1449 }
1450 
1451 void
1453 {
1454  if (!options->routes)
1455  {
1456  options->routes = new_route_option_list(&options->gc);
1457  }
1458 }
1459 
1460 static void
1462 {
1463  if (!options->routes_ipv6)
1464  {
1465  options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1466  }
1467 }
1468 
1469 static void
1471 {
1472  if (!options->client_nat)
1473  {
1474  options->client_nat = new_client_nat_list(&options->gc);
1475  }
1476 }
1477 
1478 #ifndef ENABLE_SMALL
1479 static void
1481 {
1482  msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1483  SHOW_STR(local);
1484  SHOW_STR(local_port);
1485  SHOW_STR(remote);
1486  SHOW_STR(remote_port);
1487  SHOW_BOOL(remote_float);
1488  SHOW_BOOL(bind_defined);
1490  SHOW_BOOL(bind_ipv6_only);
1491  SHOW_INT(connect_retry_seconds);
1492  SHOW_INT(connect_timeout);
1493 
1494  if (o->http_proxy_options)
1495  {
1497  }
1498  SHOW_STR(socks_proxy_server);
1499  SHOW_STR(socks_proxy_port);
1500  SHOW_INT(tun_mtu);
1501  SHOW_BOOL(tun_mtu_defined);
1502  SHOW_INT(link_mtu);
1503  SHOW_BOOL(link_mtu_defined);
1504  SHOW_INT(tun_mtu_extra);
1505  SHOW_BOOL(tun_mtu_extra_defined);
1506 
1507  SHOW_INT(mtu_discover_type);
1508 
1509 #ifdef ENABLE_FRAGMENT
1510  SHOW_INT(fragment);
1511 #endif
1512  SHOW_INT(mssfix);
1513 
1514  SHOW_INT(explicit_exit_notification);
1515 
1516  SHOW_STR_INLINE(tls_auth_file);
1517  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1518  "%s");
1519  SHOW_STR_INLINE(tls_crypt_file);
1520  SHOW_STR_INLINE(tls_crypt_v2_file);
1521 }
1522 
1523 
1524 static void
1526 {
1527  if (o->connection_list)
1528  {
1529  const struct connection_list *l = o->connection_list;
1530  int i;
1531  for (i = 0; i < l->len; ++i)
1532  {
1533  msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1535  }
1536  }
1537  else
1538  {
1539  msg(D_SHOW_PARMS, "Connection profiles [default]:");
1541  }
1542  msg(D_SHOW_PARMS, "Connection profiles END");
1543 }
1544 
1545 static void
1547 {
1548  struct pull_filter *f;
1549  if (!l)
1550  {
1551  return;
1552  }
1553 
1554  msg(D_SHOW_PARMS, " Pull filters:");
1555  for (f = l->head; f; f = f->next)
1556  {
1557  msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1558  }
1559 }
1560 
1561 #endif /* ifndef ENABLE_SMALL */
1562 
1563 void
1564 show_settings(const struct options *o)
1565 {
1566 #ifndef ENABLE_SMALL
1567  msg(D_SHOW_PARMS, "Current Parameter Settings:");
1568 
1569  SHOW_STR(config);
1570 
1571  SHOW_INT(mode);
1572 
1573 #ifdef ENABLE_FEATURE_TUN_PERSIST
1574  SHOW_BOOL(persist_config);
1575  SHOW_INT(persist_mode);
1576 #endif
1577 
1578  SHOW_BOOL(show_ciphers);
1579  SHOW_BOOL(show_digests);
1580  SHOW_BOOL(show_engines);
1581  SHOW_BOOL(genkey);
1582  SHOW_STR(genkey_filename);
1583  SHOW_STR(key_pass_file);
1584  SHOW_BOOL(show_tls_ciphers);
1585 
1586  SHOW_INT(connect_retry_max);
1588 
1589  SHOW_BOOL(remote_random);
1590 
1591  SHOW_STR(ipchange);
1592  SHOW_STR(dev);
1593  SHOW_STR(dev_type);
1594  SHOW_STR(dev_node);
1595  SHOW_STR(lladdr);
1596  SHOW_INT(topology);
1597  SHOW_STR(ifconfig_local);
1598  SHOW_STR(ifconfig_remote_netmask);
1599  SHOW_BOOL(ifconfig_noexec);
1600  SHOW_BOOL(ifconfig_nowarn);
1601  SHOW_STR(ifconfig_ipv6_local);
1602  SHOW_INT(ifconfig_ipv6_netbits);
1603  SHOW_STR(ifconfig_ipv6_remote);
1604 
1605  SHOW_INT(shaper);
1606  SHOW_INT(mtu_test);
1607 
1608  SHOW_BOOL(mlock);
1609 
1610  SHOW_INT(keepalive_ping);
1611  SHOW_INT(keepalive_timeout);
1612  SHOW_INT(inactivity_timeout);
1613  SHOW_INT(ping_send_timeout);
1614  SHOW_INT(ping_rec_timeout);
1615  SHOW_INT(ping_rec_timeout_action);
1616  SHOW_BOOL(ping_timer_remote);
1617  SHOW_INT(remap_sigusr1);
1618  SHOW_BOOL(persist_tun);
1619  SHOW_BOOL(persist_local_ip);
1620  SHOW_BOOL(persist_remote_ip);
1621  SHOW_BOOL(persist_key);
1622 
1623 #if PASSTOS_CAPABILITY
1624  SHOW_BOOL(passtos);
1625 #endif
1626 
1627  SHOW_INT(resolve_retry_seconds);
1628  SHOW_BOOL(resolve_in_advance);
1629 
1630  SHOW_STR(username);
1631  SHOW_STR(groupname);
1632  SHOW_STR(chroot_dir);
1633  SHOW_STR(cd_dir);
1634 #ifdef ENABLE_SELINUX
1635  SHOW_STR(selinux_context);
1636 #endif
1637  SHOW_STR(writepid);
1638  SHOW_STR(up_script);
1639  SHOW_STR(down_script);
1640  SHOW_BOOL(down_pre);
1641  SHOW_BOOL(up_restart);
1642  SHOW_BOOL(up_delay);
1643  SHOW_BOOL(daemon);
1644  SHOW_BOOL(log);
1647  SHOW_INT(nice);
1648  SHOW_INT(verbosity);
1649  SHOW_INT(mute);
1650 #ifdef ENABLE_DEBUG
1651  SHOW_INT(gremlin);
1652 #endif
1653  SHOW_STR(status_file);
1654  SHOW_INT(status_file_version);
1655  SHOW_INT(status_file_update_freq);
1656 
1657  SHOW_BOOL(occ);
1658  SHOW_INT(rcvbuf);
1659  SHOW_INT(sndbuf);
1660 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1661  SHOW_INT(mark);
1662 #endif
1663  SHOW_INT(sockflags);
1664 
1665  SHOW_BOOL(fast_io);
1666 
1667 #ifdef USE_COMP
1668  SHOW_INT(comp.alg);
1669  SHOW_INT(comp.flags);
1670 #endif
1671 
1672  SHOW_STR(route_script);
1673  SHOW_STR(route_default_gateway);
1674  SHOW_INT(route_default_metric);
1675  SHOW_BOOL(route_noexec);
1676  SHOW_INT(route_delay);
1677  SHOW_INT(route_delay_window);
1678  SHOW_BOOL(route_delay_defined);
1679  SHOW_BOOL(route_nopull);
1680  SHOW_BOOL(route_gateway_via_dhcp);
1681  SHOW_BOOL(allow_pull_fqdn);
1683 
1684  if (o->routes)
1685  {
1687  }
1688 
1689  if (o->client_nat)
1690  {
1692  }
1693 
1694 #ifdef ENABLE_MANAGEMENT
1695  SHOW_STR(management_addr);
1696  SHOW_STR(management_port);
1697  SHOW_STR(management_user_pass);
1698  SHOW_INT(management_log_history_cache);
1699  SHOW_INT(management_echo_buffer_size);
1700  SHOW_STR(management_write_peer_info_file);
1701  SHOW_STR(management_client_user);
1702  SHOW_STR(management_client_group);
1703  SHOW_INT(management_flags);
1704 #endif
1705 #ifdef ENABLE_PLUGIN
1706  if (o->plugin_list)
1707  {
1709  }
1710 #endif
1711 
1712  SHOW_STR_INLINE(shared_secret_file);
1713  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1714  SHOW_STR(ciphername);
1715  SHOW_STR(ncp_ciphers);
1716  SHOW_STR(authname);
1717  SHOW_STR(prng_hash);
1718  SHOW_INT(prng_nonce_secret_len);
1719 #ifndef ENABLE_CRYPTO_MBEDTLS
1720  SHOW_BOOL(engine);
1721 #endif /* ENABLE_CRYPTO_MBEDTLS */
1722  SHOW_BOOL(replay);
1723  SHOW_BOOL(mute_replay_warnings);
1724  SHOW_INT(replay_window);
1725  SHOW_INT(replay_time);
1726  SHOW_STR(packet_id_file);
1728 #ifdef ENABLE_PREDICTION_RESISTANCE
1729  SHOW_BOOL(use_prediction_resistance);
1730 #endif
1731 
1732  SHOW_BOOL(tls_server);
1733  SHOW_BOOL(tls_client);
1734  SHOW_STR_INLINE(ca_file);
1735  SHOW_STR(ca_path);
1736  SHOW_STR_INLINE(dh_file);
1737 #ifdef ENABLE_MANAGEMENT
1739  {
1740  SHOW_PARM("cert_file","EXTERNAL_CERT","%s");
1741  }
1742  else
1743 #endif
1744  SHOW_STR_INLINE(cert_file);
1745  SHOW_STR_INLINE(extra_certs_file);
1746 
1747 #ifdef ENABLE_MANAGEMENT
1748  if ((o->management_flags & MF_EXTERNAL_KEY))
1749  {
1750  SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
1751  }
1752  else
1753 #endif
1754  SHOW_STR_INLINE(priv_key_file);
1755 #ifndef ENABLE_CRYPTO_MBEDTLS
1756  SHOW_STR_INLINE(pkcs12_file);
1757 #endif
1758 #ifdef ENABLE_CRYPTOAPI
1759  SHOW_STR(cryptoapi_cert);
1760 #endif
1761  SHOW_STR(cipher_list);
1762  SHOW_STR(cipher_list_tls13);
1763  SHOW_STR(tls_cert_profile);
1765  SHOW_STR(tls_export_cert);
1766  SHOW_INT(verify_x509_type);
1767  SHOW_STR(verify_x509_name);
1768  SHOW_STR_INLINE(crl_file);
1769  SHOW_INT(ns_cert_type);
1770  {
1771  int i;
1772  for (i = 0; i<MAX_PARMS; i++)
1773  {
1774  SHOW_INT(remote_cert_ku[i]);
1775  }
1776  }
1777  SHOW_STR(remote_cert_eku);
1778  if (o->verify_hash)
1779  {
1780  SHOW_INT(verify_hash_algo);
1781  SHOW_INT(verify_hash_depth);
1782  struct gc_arena gc = gc_new();
1783  struct verify_hash_list *hl = o->verify_hash;
1784  int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
1786  while (hl)
1787  {
1788  char *s = format_hex_ex(hl->hash, digest_len, 0,
1789  1, ":", &gc);
1790  SHOW_PARM(verify_hash, s, "%s");
1791  hl = hl->next;
1792  }
1793  gc_free(&gc);
1794  }
1795  SHOW_INT(ssl_flags);
1796 
1797  SHOW_INT(tls_timeout);
1798 
1799  SHOW_INT(renegotiate_bytes);
1800  SHOW_INT(renegotiate_packets);
1801  SHOW_INT(renegotiate_seconds);
1802 
1803  SHOW_INT(handshake_window);
1804  SHOW_INT(transition_window);
1805 
1806  SHOW_BOOL(single_session);
1808  SHOW_BOOL(tls_exit);
1809 
1810  SHOW_STR(tls_crypt_v2_metadata);
1811 
1812 #ifdef ENABLE_PKCS11
1813  {
1814  int i;
1815  for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1816  {
1817  SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1818  }
1819  }
1820  {
1821  int i;
1822  for (i = 0; i<MAX_PARMS; i++)
1823  {
1824  SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1825  }
1826  }
1827  {
1828  int i;
1829  for (i = 0; i<MAX_PARMS; i++)
1830  {
1831  SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1832  }
1833  }
1834  {
1835  int i;
1836  for (i = 0; i<MAX_PARMS; i++)
1837  {
1838  SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1839  }
1840  }
1841  SHOW_INT(pkcs11_pin_cache_period);
1842  SHOW_STR(pkcs11_id);
1843  SHOW_BOOL(pkcs11_id_management);
1844 #endif /* ENABLE_PKCS11 */
1845 
1846  show_p2mp_parms(o);
1847 
1848 #ifdef _WIN32
1849  SHOW_BOOL(show_net_up);
1850  SHOW_INT(route_method);
1851  SHOW_BOOL(block_outside_dns);
1853 #endif
1854 #endif /* ifndef ENABLE_SMALL */
1855 }
1856 
1857 #undef SHOW_PARM
1858 #undef SHOW_STR
1859 #undef SHOW_INT
1860 #undef SHOW_BOOL
1861 
1862 #ifdef ENABLE_MANAGEMENT
1863 
1864 static struct http_proxy_options *
1866  const char *port,
1867  const char *flags,
1868  const int msglevel,
1869  struct gc_arena *gc)
1870 {
1871  if (server && port)
1872  {
1873  struct http_proxy_options *ho;
1874  ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
1875  ho->server = string_alloc(server, gc);
1876  ho->port = port;
1877  if (flags && !strcmp(flags, "nct"))
1878  {
1879  ho->auth_retry = PAR_NCT;
1880  }
1881  else
1882  {
1883  ho->auth_retry = PAR_ALL;
1884  }
1885  ho->http_version = "1.0";
1886  ho->user_agent = "OpenVPN-Autoproxy/1.0";
1887  return ho;
1888  }
1889  else
1890  {
1891  return NULL;
1892  }
1893 }
1894 
1895 static void
1897 {
1898  const struct connection_list *l = o->connection_list;
1899  int i;
1900  bool succeed = false;
1901  for (i = 0; i < l->len; ++i)
1902  {
1903  struct connection_entry *ce = l->array[i];
1904  if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
1905  {
1907  succeed = true;
1908  }
1909  }
1910  if (succeed)
1911  {
1912  for (i = 0; i < l->len; ++i)
1913  {
1914  struct connection_entry *ce = l->array[i];
1915  if (ce->proto == PROTO_UDP)
1916  {
1917  ce->flags |= CE_DISABLED;
1918  }
1919  }
1920  }
1921  else
1922  {
1923  msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
1924  }
1925 }
1926 
1927 #endif /* ifdef ENABLE_MANAGEMENT */
1928 
1929 static struct connection_list *
1931 {
1932  if (!options->connection_list)
1933  {
1934  ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
1935  }
1936  return options->connection_list;
1937 }
1938 
1939 static struct connection_entry *
1940 alloc_connection_entry(struct options *options, const int msglevel)
1941 {
1942  struct connection_list *l = alloc_connection_list_if_undef(options);
1943  struct connection_entry *e;
1944 
1945  if (l->len >= CONNECTION_LIST_SIZE)
1946  {
1947  msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
1948  return NULL;
1949  }
1950  ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
1951  l->array[l->len++] = e;
1952  return e;
1953 }
1954 
1955 static struct remote_list *
1957 {
1958  if (!options->remote_list)
1959  {
1960  ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
1961  }
1962  return options->remote_list;
1963 }
1964 
1965 static struct remote_entry *
1966 alloc_remote_entry(struct options *options, const int msglevel)
1967 {
1968  struct remote_list *l = alloc_remote_list_if_undef(options);
1969  struct remote_entry *e;
1970 
1971  if (l->len >= CONNECTION_LIST_SIZE)
1972  {
1973  msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
1974  return NULL;
1975  }
1976  ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
1977  l->array[l->len++] = e;
1978  return e;
1979 }
1980 
1981 static struct pull_filter_list *
1983 {
1984  if (!o->pull_filter_list)
1985  {
1987  }
1988  return o->pull_filter_list;
1989 }
1990 
1991 static struct pull_filter *
1992 alloc_pull_filter(struct options *o, const int msglevel)
1993 {
1995  struct pull_filter *f;
1996 
1997  ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
1998  if (l->head)
1999  {
2000  ASSERT(l->tail);
2001  l->tail->next = f;
2002  }
2003  else
2004  {
2005  ASSERT(!l->tail);
2006  l->head = f;
2007  }
2008  l->tail = f;
2009  return f;
2010 }
2011 
2012 static void
2014 {
2015  if (re->remote)
2016  {
2017  ce->remote = re->remote;
2018  }
2019  if (re->remote_port)
2020  {
2021  ce->remote_port = re->remote_port;
2022  }
2023  if (re->proto >= 0)
2024  {
2025  ce->proto = re->proto;
2026  }
2027  if (re->af > 0)
2028  {
2029  ce->af = re->af;
2030  }
2031 }
2032 
2033 static void
2034 connection_entry_preload_key(const char **key_file, bool *key_inline,
2035  struct gc_arena *gc)
2036 {
2037  if (key_file && *key_file && !(*key_inline))
2038  {
2039  struct buffer in = buffer_read_from_file(*key_file, gc);
2040  if (!buf_valid(&in))
2041  {
2042  msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2043  }
2044 
2045  *key_file = (const char *) in.data;
2046  *key_inline = true;
2047  }
2048 }
2049 
2050 static void
2052 {
2053  if (options->verify_hash_no_ca
2054  || options->pkcs12_file
2055  || options->ca_file
2056 #ifndef ENABLE_CRYPTO_MBEDTLS
2057  || options->ca_path
2058 #endif
2059  )
2060  {
2061  return;
2062  }
2063 
2064  const char* const str = "You must define CA file (--ca)"
2065 #ifndef ENABLE_CRYPTO_MBEDTLS
2066  " or CA path (--capath)"
2067 #endif
2068  " and/or peer fingerprint verification (--peer-fingerprint)";
2069  msg(M_USAGE, str);
2070 }
2071 
2072 static void
2074  const struct connection_entry *ce)
2075 {
2076  struct options defaults;
2077  int dev = DEV_TYPE_UNDEF;
2078  bool pull = false;
2079 
2080  init_options(&defaults, true);
2081 
2082  if (options->test_crypto)
2083  {
2084  notnull(options->shared_secret_file, "key file (--secret)");
2085  }
2086  else
2087  {
2088  notnull(options->dev, "TUN/TAP device (--dev)");
2089  }
2090 
2091  /*
2092  * Get tun/tap/null device type
2093  */
2094  dev = dev_type_enum(options->dev, options->dev_type);
2095 
2096  /*
2097  * If "proto tcp" is specified, make sure we know whether it is
2098  * tcp-client or tcp-server.
2099  */
2100  if (ce->proto == PROTO_TCP)
2101  {
2102  msg(M_USAGE,
2103  "--proto tcp is ambiguous in this context. Please specify "
2104  "--proto tcp-server or --proto tcp-client");
2105  }
2106 
2107  if (options->lladdr && dev != DEV_TYPE_TAP)
2108  {
2109  msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2110  }
2111 
2112  /*
2113  * Sanity check on MTU parameters
2114  */
2115  if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2116  {
2117  msg(M_USAGE,
2118  "only one of --tun-mtu or --link-mtu may be defined (note that "
2119  "--ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
2120  }
2121 
2122  if (!proto_is_udp(ce->proto) && options->mtu_test)
2123  {
2124  msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2125  }
2126 
2127  /* will we be pulling options from server? */
2128  pull = options->pull;
2129 
2130  /*
2131  * Sanity check on --local, --remote, and --ifconfig
2132  */
2133 
2134  if (proto_is_net(ce->proto)
2135  && string_defined_equal(ce->local, ce->remote)
2137  {
2138  msg(M_USAGE, "--remote and --local addresses are the same");
2139  }
2140 
2141  if (string_defined_equal(ce->remote, options->ifconfig_local)
2143  {
2144  msg(M_USAGE,
2145  "--local and --remote addresses must be distinct from --ifconfig "
2146  "addresses");
2147  }
2148 
2149  if (string_defined_equal(ce->local, options->ifconfig_local)
2151  {
2152  msg(M_USAGE,
2153  "--local addresses must be distinct from --ifconfig addresses");
2154  }
2155 
2156  if (string_defined_equal(options->ifconfig_local,
2157  options->ifconfig_remote_netmask))
2158  {
2159  msg(M_USAGE,
2160  "local and remote/netmask --ifconfig addresses must be different");
2161  }
2162 
2163  if (ce->bind_defined && !ce->bind_local)
2164  {
2165  msg(M_USAGE, "--bind and --nobind can't be used together");
2166  }
2167 
2168  if (ce->local && !ce->bind_local)
2169  {
2170  msg(M_USAGE,
2171  "--local and --nobind don't make sense when used together");
2172  }
2173 
2174  if (ce->local_port_defined && !ce->bind_local)
2175  {
2176  msg(M_USAGE,
2177  "--lport and --nobind don't make sense when used together");
2178  }
2179 
2180  if (!ce->remote && !ce->bind_local)
2181  {
2182  msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2183  }
2184 
2185  /*
2186  * Check for consistency of management options
2187  */
2188 #ifdef ENABLE_MANAGEMENT
2189  if (!options->management_addr
2190  && (options->management_flags
2193  {
2194  msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2195  }
2196 
2197  if ((options->management_client_user || options->management_client_group)
2198  && !(options->management_flags & MF_UNIX_SOCK))
2199  {
2200  msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2201  }
2202 
2203  if (options->management_addr
2204  && !(options->management_flags & MF_UNIX_SOCK)
2205  && (!options->management_user_pass))
2206  {
2207  msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2208  "passwords is STRONGLY discouraged and considered insecure");
2209  }
2210 
2211 #endif /* ifdef ENABLE_MANAGEMENT */
2212 
2213 #if defined(ENABLE_MANAGEMENT)
2214  if ((tls_version_max() >= TLS_VER_1_3)
2215  && (options->management_flags & MF_EXTERNAL_KEY)
2216  && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2217  )
2218  {
2219  msg(M_ERR, "management-external-key with OpenSSL 1.1.1 requires "
2220  "the nopadding argument/support");
2221  }
2222 #endif
2223  /*
2224  * Windows-specific options.
2225  */
2226 
2227 #ifdef _WIN32
2228  if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2229  {
2230  msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2231  }
2232 
2233  if ((options->tuntap_options.ip_win32_defined)
2234  && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2235  {
2236  msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2237  }
2238 
2239  if (options->tuntap_options.dhcp_options
2240  && options->windows_driver != WINDOWS_DRIVER_WINTUN
2243  {
2244  msg(M_USAGE, "--dhcp-option requires --ip-win32 dynamic or adaptive");
2245  }
2246 
2247  if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
2248  {
2249  msg(M_USAGE, "--windows-driver wintun requires --dev tun");
2250  }
2251 #endif /* ifdef _WIN32 */
2252 
2253  /*
2254  * Check that protocol options make sense.
2255  */
2256 
2257 #ifdef ENABLE_FRAGMENT
2258  if (!proto_is_udp(ce->proto) && ce->fragment)
2259  {
2260  msg(M_USAGE, "--fragment can only be used with --proto udp");
2261  }
2262 #endif
2263 
2264  if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2265  {
2266  msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2267  }
2268 
2269  if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2270  {
2271  msg(M_USAGE,
2272  "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2273  "tcp-client)");
2274  }
2275 
2276  if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2277  {
2278  msg(M_USAGE,
2279  "--http-proxy not specified but other http proxy options present");
2280  }
2281 
2282  if (ce->http_proxy_options && ce->socks_proxy_server)
2283  {
2284  msg(M_USAGE,
2285  "--http-proxy can not be used together with --socks-proxy");
2286  }
2287 
2288  if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2289  {
2290  msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2291  }
2292 
2293  if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2294  {
2295  msg(M_USAGE, "TCP server mode allows at most one --remote address");
2296  }
2297 
2298  /*
2299  * Check consistency of --mode server options.
2300  */
2301  if (options->mode == MODE_SERVER)
2302  {
2303 #ifdef TARGET_ANDROID
2304  msg(M_FATAL, "--mode server not supported on Android");
2305 #endif
2306  if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2307  {
2308  msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2309  }
2310  if (options->pull)
2311  {
2312  msg(M_USAGE, "--pull cannot be used with --mode server");
2313  }
2314  if (options->pull_filter_list)
2315  {
2316  msg(M_WARN, "--pull-filter ignored for --mode server");
2317  }
2318  if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2319  {
2320  msg(M_USAGE, "--mode server currently only supports "
2321  "--proto udp or --proto tcp-server or proto tcp6-server");
2322  }
2323 #if PORT_SHARE
2324  if ((options->port_share_host || options->port_share_port)
2325  && (ce->proto != PROTO_TCP_SERVER))
2326  {
2327  msg(M_USAGE, "--port-share only works in TCP server mode "
2328  "(--proto tcp-server or tcp6-server)");
2329  }
2330 #endif
2331  if (!options->tls_server)
2332  {
2333  msg(M_USAGE, "--mode server requires --tls-server");
2334  }
2335  if (ce->remote)
2336  {
2337  msg(M_USAGE, "--remote cannot be used with --mode server");
2338  }
2339  if (!ce->bind_local)
2340  {
2341  msg(M_USAGE, "--nobind cannot be used with --mode server");
2342  }
2343  if (ce->http_proxy_options)
2344  {
2345  msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2346  }
2347  if (ce->socks_proxy_server)
2348  {
2349  msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2350  }
2351  /* <connection> blocks force to have a remote embedded, so we check
2352  * for the --remote and bail out if it is present
2353  */
2354  if (options->connection_list->len >1
2355  || options->connection_list->array[0]->remote)
2356  {
2357  msg(M_USAGE, "<connection> cannot be used with --mode server");
2358  }
2359 
2360  if (options->shaper)
2361  {
2362  msg(M_USAGE, "--shaper cannot be used with --mode server");
2363  }
2364  if (options->ipchange)
2365  {
2366  msg(M_USAGE,
2367  "--ipchange cannot be used with --mode server (use "
2368  "--client-connect instead)");
2369  }
2370  if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2371  {
2372  msg(M_USAGE,
2373  "--mode server currently only supports --proto udp or --proto "
2374  "tcp-server or --proto tcp6-server");
2375  }
2376  if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2377  {
2378  msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2379  }
2380  if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2381  {
2382  msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2383  }
2384  if (options->routes && (options->routes->flags & RG_ENABLE))
2385  {
2386  msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2387  }
2388  if (options->route_delay_defined)
2389  {
2390  msg(M_USAGE, "--route-delay cannot be used with --mode server");
2391  }
2392  if (options->up_delay)
2393  {
2394  msg(M_USAGE, "--up-delay cannot be used with --mode server");
2395  }
2396  if (!options->ifconfig_pool_defined
2397  && !options->ifconfig_ipv6_pool_defined
2398  && options->ifconfig_pool_persist_filename)
2399  {
2400  msg(M_USAGE,
2401  "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2402  }
2403  if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2404  {
2405  msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2406  }
2407  if (options->allow_recursive_routing)
2408  {
2409  msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2410  }
2411  if (options->auth_user_pass_file)
2412  {
2413  msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2414  }
2415  if (options->ccd_exclusive && !options->client_config_dir)
2416  {
2417  msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2418  }
2419  if (options->auth_token_generate && !options->renegotiate_seconds)
2420  {
2421  msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2422  "--renegotiate_seconds setting");
2423  }
2424  {
2425  const bool ccnr = (options->auth_user_pass_verify_script
2426  || PLUGIN_OPTION_LIST(options)
2427  || MAN_CLIENT_AUTH_ENABLED(options));
2428  const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2430  {
2431  msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2432  }
2433  if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2434  {
2435  msg(M_USAGE, "--username-as-common-name %s", postfix);
2436  }
2437  if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2438  {
2439  msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2440  }
2441  }
2442 
2443  if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2444  {
2445  msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2446  }
2447  if (!options->vlan_tagging)
2448  {
2449  if (options->vlan_accept != defaults.vlan_accept)
2450  {
2451  msg(M_USAGE, "--vlan-accept requires --vlan-tagging");
2452  }
2453  if (options->vlan_pvid != defaults.vlan_pvid)
2454  {
2455  msg(M_USAGE, "--vlan-pvid requires --vlan-tagging");
2456  }
2457  }
2458  }
2459  else
2460  {
2461  /*
2462  * When not in server mode, err if parameters are
2463  * specified which require --mode server.
2464  */
2465  if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2466  {
2467  msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2468  }
2469  if (options->ifconfig_ipv6_pool_defined)
2470  {
2471  msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2472  }
2473  if (options->real_hash_size != defaults.real_hash_size
2474  || options->virtual_hash_size != defaults.virtual_hash_size)
2475  {
2476  msg(M_USAGE, "--hash-size requires --mode server");
2477  }
2478  if (options->learn_address_script)
2479  {
2480  msg(M_USAGE, "--learn-address requires --mode server");
2481  }
2482  if (options->client_connect_script)
2483  {
2484  msg(M_USAGE, "--client-connect requires --mode server");
2485  }
2486  if (options->client_disconnect_script)
2487  {
2488  msg(M_USAGE, "--client-disconnect requires --mode server");
2489  }
2490  if (options->client_config_dir || options->ccd_exclusive)
2491  {
2492  msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2493  }
2494  if (options->enable_c2c)
2495  {
2496  msg(M_USAGE, "--client-to-client requires --mode server");
2497  }
2498  if (options->duplicate_cn)
2499  {
2500  msg(M_USAGE, "--duplicate-cn requires --mode server");
2501  }
2502  if (options->cf_max || options->cf_per)
2503  {
2504  msg(M_USAGE, "--connect-freq requires --mode server");
2505  }
2507  {
2508  msg(M_USAGE, "--verify-client-cert requires --mode server");
2509  }
2510  if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2511  {
2512  msg(M_USAGE, "--username-as-common-name requires --mode server");
2513  }
2514  if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2515  {
2516  msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2517  }
2518  if (options->ssl_flags & SSLF_OPT_VERIFY)
2519  {
2520  msg(M_USAGE, "--opt-verify requires --mode server");
2521  }
2522  if (options->server_flags & SF_TCP_NODELAY_HELPER)
2523  {
2524  msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2525  "affect the server. To have TCP_NODELAY in both direction use "
2526  "tcp-nodelay in the server configuration instead.");
2527  }
2528  if (options->auth_user_pass_verify_script)
2529  {
2530  msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2531  }
2532  if (options->auth_token_generate)
2533  {
2534  msg(M_USAGE, "--auth-gen-token requires --mode server");
2535  }
2536 #if PORT_SHARE
2537  if (options->port_share_host || options->port_share_port)
2538  {
2539  msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2540  }
2541 #endif
2542 
2543  if (options->stale_routes_check_interval)
2544  {
2545  msg(M_USAGE, "--stale-routes-check requires --mode server");
2546  }
2547 
2548  if (options->vlan_tagging)
2549  {
2550  msg(M_USAGE, "--vlan-tagging requires --mode server");
2551  }
2552  }
2553 
2554  /*
2555  * Check consistency of replay options
2556  */
2557  if (!options->replay
2558  && (options->replay_window != defaults.replay_window
2559  || options->replay_time != defaults.replay_time))
2560  {
2561  msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2562  }
2563 
2564  /*
2565  * SSL/TLS mode sanity checks.
2566  */
2567  if (options->tls_server + options->tls_client
2568  +(options->shared_secret_file != NULL) > 1)
2569  {
2570  msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2571  }
2572 
2573  if (!options->tls_server && !options->tls_client)
2574  {
2575  msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in "
2576  "configuration detected. OpenVPN 2.7 will remove the "
2577  "functionality to run a VPN without TLS. "
2578  "See the examples section in the manual page for "
2579  "examples of a similar quick setup with peer-fingerprint.");
2580  }
2581 
2583  {
2584  msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2585  "--verify-client-cert none|optional "
2586  "may accept clients which do not present a certificate");
2587  }
2588 
2589  const int tls_version_max =
2592  const int tls_version_min =
2595 
2596  if (tls_version_max > 0 && tls_version_max < tls_version_min)
2597  {
2598  msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2599  }
2600 
2601  if (options->tls_server || options->tls_client)
2602  {
2603  check_ca_required(options);
2604 #ifdef ENABLE_PKCS11
2605  if (options->pkcs11_providers[0])
2606  {
2607  if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2608  {
2609  msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2610  }
2611  if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2612  {
2613  msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2614  }
2615  if (options->cert_file)
2616  {
2617  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2618  }
2619  if (options->priv_key_file)
2620  {
2621  msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2622  }
2623 #ifdef ENABLE_MANAGEMENT
2624  if (options->management_flags & MF_EXTERNAL_KEY)
2625  {
2626  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2627  }
2628  if (options->management_flags & MF_EXTERNAL_CERT)
2629  {
2630  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2631  }
2632 #endif
2633  if (options->pkcs12_file)
2634  {
2635  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2636  }
2637 #ifdef ENABLE_CRYPTOAPI
2638  if (options->cryptoapi_cert)
2639  {
2640  msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2641  }
2642 #endif
2643  }
2644  else
2645 #endif /* ifdef ENABLE_PKCS11 */
2646 #ifdef ENABLE_MANAGEMENT
2647  if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2648  {
2649  msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2650  }
2651  else if ((options->management_flags & MF_EXTERNAL_CERT))
2652  {
2653  if (options->cert_file)
2654  {
2655  msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2656  }
2657  else if (!(options->management_flags & MF_EXTERNAL_KEY))
2658  {
2659  msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2660  }
2661  }
2662  else
2663 #endif
2664 #ifdef ENABLE_CRYPTOAPI
2665  if (options->cryptoapi_cert)
2666  {
2667  if (options->cert_file)
2668  {
2669  msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2670  }
2671  if (options->priv_key_file)
2672  {
2673  msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2674  }
2675  if (options->pkcs12_file)
2676  {
2677  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2678  }
2679 #ifdef ENABLE_MANAGEMENT
2680  if (options->management_flags & MF_EXTERNAL_KEY)
2681  {
2682  msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2683  }
2684  if (options->management_flags & MF_EXTERNAL_CERT)
2685  {
2686  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2687  }
2688 #endif
2689  }
2690  else
2691 #endif /* ifdef ENABLE_CRYPTOAPI */
2692  if (options->pkcs12_file)
2693  {
2694 #ifdef ENABLE_CRYPTO_MBEDTLS
2695  msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2696 #else
2697  if (options->ca_path)
2698  {
2699  msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2700  }
2701  if (options->cert_file)
2702  {
2703  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2704  }
2705  if (options->priv_key_file)
2706  {
2707  msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2708  }
2709 #ifdef ENABLE_MANAGEMENT
2710  if (options->management_flags & MF_EXTERNAL_KEY)
2711  {
2712  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2713  }
2714  if (options->management_flags & MF_EXTERNAL_CERT)
2715  {
2716  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2717  }
2718 #endif
2719 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2720  }
2721  else
2722  {
2723 #ifdef ENABLE_CRYPTO_MBEDTLS
2724  if (options->ca_path)
2725  {
2726  msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2727  }
2728 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2729  if (pull)
2730  {
2731 
2732  const int sum =
2733 #ifdef ENABLE_MANAGEMENT
2734  ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2735  +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2736 #else
2737  (options->cert_file != NULL) + (options->priv_key_file != NULL);
2738 #endif
2739 
2740  if (sum == 0)
2741  {
2742  if (!options->auth_user_pass_file)
2743  {
2744  msg(M_USAGE, "No client-side authentication method is "
2745  "specified. You must use either "
2746  "--cert/--key, --pkcs12, or "
2747  "--auth-user-pass");
2748  }
2749  }
2750  else if (sum == 2)
2751  {
2752  }
2753  else
2754  {
2755  msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2756  }
2757  }
2758  else
2759  {
2760 #ifdef ENABLE_MANAGEMENT
2761  if (!(options->management_flags & MF_EXTERNAL_CERT))
2762 #endif
2763  notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2764 #ifdef ENABLE_MANAGEMENT
2765  if (!(options->management_flags & MF_EXTERNAL_KEY))
2766 #endif
2767  notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2768  }
2769  }
2770  if (ce->tls_auth_file && ce->tls_crypt_file)
2771  {
2772  msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2773  }
2774  if (options->tls_client && ce->tls_crypt_v2_file
2775  && (ce->tls_auth_file || ce->tls_crypt_file))
2776  {
2777  msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2778  }
2779  }
2780  else
2781  {
2782  /*
2783  * Make sure user doesn't specify any TLS options
2784  * when in non-TLS mode.
2785  */
2786 
2787 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
2788 }
2789 
2790  const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2791 
2797 #ifndef ENABLE_CRYPTO_MBEDTLS
2799 #endif
2822 #ifdef ENABLE_PKCS11
2823  MUST_BE_UNDEF(pkcs11_providers[0]);
2824  MUST_BE_UNDEF(pkcs11_private_mode[0]);
2825  MUST_BE_UNDEF(pkcs11_id);
2826  MUST_BE_UNDEF(pkcs11_id_management);
2827 #endif
2828 
2829  if (pull)
2830  {
2831  msg(M_USAGE, err, "--pull");
2832  }
2833  }
2834 #undef MUST_BE_UNDEF
2835 
2836  if (options->auth_user_pass_file && !options->pull)
2837  {
2838  msg(M_USAGE, "--auth-user-pass requires --pull");
2839  }
2840 
2841  uninit_options(&defaults);
2842 }
2843 
2844 static void
2846 {
2847  const int dev = dev_type_enum(o->dev, o->dev_type);
2848 
2850  {
2851  if (ce->proto == PROTO_TCP)
2852  {
2853  ce->proto = PROTO_TCP_SERVER;
2854  }
2855  }
2856 
2857  if (o->client)
2858  {
2859  if (ce->proto == PROTO_TCP)
2860  {
2861  ce->proto = PROTO_TCP_CLIENT;
2862  }
2863  }
2864 
2865  if (ce->proto == PROTO_TCP_CLIENT && !ce->local
2866  && !ce->local_port_defined && !ce->bind_defined)
2867  {
2868  ce->bind_local = false;
2869  }
2870 
2871  if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local
2872  && !ce->local_port_defined && !ce->bind_defined)
2873  {
2874  ce->bind_local = false;
2875  }
2876 
2877  if (!ce->bind_local)
2878  {
2879  ce->local_port = NULL;
2880  }
2881 
2882  /* if protocol forcing is enabled, disable all protocols
2883  * except for the forced one
2884  */
2885  if (o->proto_force >= 0 && o->proto_force != ce->proto)
2886  {
2887  ce->flags |= CE_DISABLED;
2888  }
2889 
2890  /*
2891  * If --mssfix is supplied without a parameter, default
2892  * it to --fragment value, if --fragment is specified.
2893  */
2894  if (o->ce.mssfix_default)
2895  {
2896 #ifdef ENABLE_FRAGMENT
2897  if (ce->fragment)
2898  {
2899  ce->mssfix = ce->fragment;
2900  }
2901 #else
2902  msg(M_USAGE, "--mssfix must specify a parameter");
2903 #endif
2904  }
2905 
2906  /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
2907  * so fall back to IPv4-only (trac #1221)
2908  */
2909  if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
2910  {
2911  if (ce->af == AF_INET6)
2912  {
2913  msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
2914  "'--socks-proxy' today. Forcing IPv4 mode." );
2915  }
2916  else
2917  {
2918  msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
2919  "work correctly with '--socks-proxy' today. Forcing IPv4." );
2920  }
2921  ce->af = AF_INET;
2922  }
2923 
2924  /*
2925  * Set MTU defaults
2926  */
2927  {
2928  if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
2929  {
2930  ce->tun_mtu_defined = true;
2931  }
2932  if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
2933  {
2934  ce->tun_mtu_extra_defined = true;
2936  }
2937  }
2938 
2939  /*
2940  * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
2941  *
2942  * At the end only one of these will be really set because the parser
2943  * logic prevents configurations where more are set.
2944  */
2945  if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
2946  {
2947  ce->tls_auth_file = o->tls_auth_file;
2949  ce->key_direction = o->key_direction;
2950 
2951  ce->tls_crypt_file = o->tls_crypt_file;
2953 
2956  }
2957 
2958  /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
2959  * keys were not already embedded in the config file.
2960  */
2961  if (o->persist_key)
2962  {
2964  &ce->tls_auth_file_inline, &o->gc);
2966  &ce->tls_crypt_file_inline, &o->gc);
2968  &ce->tls_crypt_v2_file_inline, &o->gc);
2969  }
2970 
2972  {
2973  msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
2975  }
2976 
2977 }
2978 
2979 #ifdef _WIN32
2980 /* If iservice is in use, we need def1 method for redirect-gateway */
2981 static void
2983 {
2984  if (opt->routes
2986  && opt->routes->flags & RG_REROUTE_GW
2987  && !(opt->routes->flags & RG_DEF1))
2988  {
2989  msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
2990  opt->routes->flags |= RG_DEF1;
2991  }
2992 }
2993 #endif
2994 
2995 static void
2997 {
2998 #ifdef _WIN32
2999  const int dev = dev_type_enum(options->dev, options->dev_type);
3000 
3001  /* when using wintun, kernel doesn't send DHCP requests, so don't use it */
3002  if (options->windows_driver == WINDOWS_DRIVER_WINTUN
3004  {
3006  }
3007 
3008  if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3009  {
3010  /* delay may only be necessary when we perform DHCP handshake */
3011  const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3013  if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3014  {
3015  options->route_delay_defined = true;
3016  options->route_delay = 5; /* Vista sometimes has a race without this */
3017  }
3018  }
3019 
3020  if (options->ifconfig_noexec)
3021  {
3023  options->ifconfig_noexec = false;
3024  }
3025 
3027 
3028  /*
3029  * Check consistency of --mode server options.
3030  */
3031  if (options->mode == MODE_SERVER)
3032  {
3033  /*
3034  * We need to explicitly set --tap-sleep because
3035  * we do not schedule event timers in the top-level context.
3036  */
3037  options->tuntap_options.tap_sleep = 10;
3038  if (options->route_delay_defined && options->route_delay)
3039  {
3040  options->tuntap_options.tap_sleep = options->route_delay;
3041  }
3042  options->route_delay_defined = false;
3043  }
3044 #endif /* ifdef _WIN32 */
3045 
3046 #ifdef DEFAULT_PKCS11_MODULE
3047  /* If p11-kit is present on the system then load its p11-kit-proxy.so
3048  * by default if the user asks for PKCS#11 without otherwise specifying
3049  * the module to use. */
3050  if (!options->pkcs11_providers[0]
3051  && (options->pkcs11_id || options->pkcs11_id_management))
3052  {
3053  options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3054  }
3055 #endif
3056 }
3057 
3058 static void
3060 {
3061  if (o->connection_list)
3062  {
3063  int i;
3064  for (i = 0; i < o->connection_list->len; ++i)
3065  {
3067  }
3068  }
3069  else
3070  {
3072  }
3073 }
3074 
3080 static void
3082 {
3083  if (o->ncp_ciphers)
3084  {
3085  /* custom --data-ciphers set, keep list */
3086  return;
3087  }
3088  else if (cipher_kt_get("CHACHA20-POLY1305"))
3089  {
3090  o->ncp_ciphers = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
3091  }
3092  else
3093  {
3094  o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
3095  }
3096 }
3097 
3098 static void
3100 {
3101  if (!o->pull && !(o->mode == MODE_SERVER))
3102  {
3103  /* If the cipher is not set, use the old default of BF-CBC. We will
3104  * warn that this is deprecated on cipher initialisation, no need
3105  * to warn here as well */
3106  if (!o->ciphername)
3107  {
3108  o->ciphername = "BF-CBC";
3109  }
3110  else
3111  {
3112  o->enable_ncp_fallback = true;
3113  }
3114  return;
3115  }
3116 
3117  /* pull or P2MP mode */
3118  if (!o->ciphername)
3119  {
3120  /* We still need to set the ciphername to BF-CBC since various other
3121  * parts of OpenVPN assert that the ciphername is set */
3122  o->ciphername = "BF-CBC";
3123 
3124  msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.6 "
3125  "defaulted to BF-CBC as fallback when cipher negotiation "
3126  "failed in this case. If you need this fallback please add "
3127  "'--data-ciphers-fallback 'BF-CBC' to your configuration "
3128  "and/or add BF-CBC to --data-ciphers.");
3129  }
3130  else if (!o->enable_ncp_fallback
3132  {
3133  msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3134  "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3135  "negotiations. ",
3136  o->ciphername, o->ncp_ciphers);
3137  }
3138 }
3139 
3154 static bool
3155 need_compatibility_before(const struct options *o, unsigned int version)
3156 {
3157  return o->backwards_compatible != 0 && o->backwards_compatible < version;
3158 }
3159 
3164 static void
3166 {
3167  /* TLS min version is not set */
3168  if ((o->ssl_flags & SSLF_TLS_VERSION_MIN_MASK) == 0)
3169  {
3170  if (need_compatibility_before(o, 20307))
3171  {
3172  /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3174  }
3175  else
3176  {
3177  /* Use TLS 1.2 as proper default */
3179  }
3180  }
3181 
3182  /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3183  * Version 2.4 might probably does not need it but NCP was not so
3184  * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3185  * Only do this iif --cipher is not explicitly (BF-CBC). This is not
3186  * 100% correct backwards compatible behaviour but 2.5 already behaved like
3187  * this */
3188  if (o->ciphername && need_compatibility_before(o, 20500)
3190  {
3192  }
3193 
3194  /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3195  * not have OCC strings required for "poor man's NCP" */
3196  if (o->ciphername && need_compatibility_before(o, 20400))
3197  {
3198  o->enable_ncp_fallback = true;
3199  }
3200 
3201  /* Compression is deprecated and we do not want to announce support for it
3202  * by default anymore, additionally DCO breaks with compression.
3203  *
3204  * Disable compression by default starting with 2.6.0 if no other
3205  * compression related option has been explicitly set */
3206  if (!comp_non_stub_enabled(&o->comp) && !need_compatibility_before(o, 20600)
3207  && (o->comp.flags == 0))
3208  {
3209  o->comp.flags = COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
3210  }
3211 }
3212 
3213 static void
3215 {
3216  int i;
3217  /*
3218  * Process helper-type options which map to other, more complex
3219  * sequences of options.
3220  */
3222  helper_keepalive(o);
3223  helper_tcp_nodelay(o);
3224 
3227 
3230 
3232  if (o->ncp_ciphers == NULL)
3233  {
3234  msg(M_USAGE, "NCP cipher list contains unsupported ciphers or is too long.");
3235  }
3236 
3237  if (o->remote_list && !o->connection_list)
3238  {
3239  /*
3240  * Convert remotes into connection list
3241  */
3242  const struct remote_list *rl = o->remote_list;
3243  for (i = 0; i < rl->len; ++i)
3244  {
3245  const struct remote_entry *re = rl->array[i];
3246  struct connection_entry ce = o->ce;
3247  struct connection_entry *ace;
3248 
3249  ASSERT(re->remote);
3250  connection_entry_load_re(&ce, re);
3251  ace = alloc_connection_entry(o, M_USAGE);
3252  ASSERT(ace);
3253  *ace = ce;
3254  }
3255  }
3256  else if (!o->remote_list && !o->connection_list)
3257  {
3258  struct connection_entry *ace;
3259  ace = alloc_connection_entry(o, M_USAGE);
3260  ASSERT(ace);
3261  *ace = o->ce;
3262  }
3263 
3264  ASSERT(o->connection_list);
3265  for (i = 0; i < o->connection_list->len; ++i)
3266  {
3268  }
3269 
3270  if (o->tls_server)
3271  {
3272  /* Check that DH file is specified, or explicitly disabled */
3273  notnull(o->dh_file, "DH file (--dh)");
3274  if (streq(o->dh_file, "none"))
3275  {
3276  o->dh_file = NULL;
3277  }
3278  }
3279  else if (o->dh_file)
3280  {
3281  /* DH file is only meaningful in a tls-server context. */
3282  msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3283  "include this in your server configuration");
3284  o->dh_file = NULL;
3285  }
3286 #if ENABLE_MANAGEMENT
3287  if (o->http_proxy_override)
3288  {
3290  }
3291 #endif
3292  if (!o->ca_file && !o->ca_path && o->verify_hash
3293  && o->verify_hash_depth == 0)
3294  {
3295  msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3296  "option set). ");
3297  o->verify_hash_no_ca = true;
3298  }
3299 
3300  /*
3301  * Save certain parms before modifying options during connect, especially
3302  * when using --pull
3303  */
3304  pre_connect_save(o);
3305 }
3306 
3307 /*
3308  * Check file/directory sanity
3309  *
3310  */
3311 #ifndef ENABLE_SMALL
3313 #define CHKACC_FILE (1<<0)
3314 #define CHKACC_DIRPATH (1<<1)
3315 #define CHKACC_FILEXSTWR (1<<2)
3316 #define CHKACC_ACPTSTDIN (1<<3)
3317 #define CHKACC_PRIVATE (1<<4)
3319 static bool
3320 check_file_access(const int type, const char *file, const int mode, const char *opt)
3321 {
3322  int errcode = 0;
3323 
3324  /* If no file configured, no errors to look for */
3325  if (!file)
3326  {
3327  return false;
3328  }
3329 
3330  /* If stdin is allowed and the file name is 'stdin', then do no
3331  * further checks as stdin is always available
3332  */
3333  if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3334  {
3335  return false;
3336  }
3337 
3338  /* Is the directory path leading to the given file accessible? */
3339  if (type & CHKACC_DIRPATH)
3340  {
3341  char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3342  char *dirpath = dirname(fullpath);
3343 
3344  if (platform_access(dirpath, mode|X_OK) != 0)
3345  {
3346  errcode = errno;
3347  }
3348  free(fullpath);
3349  }
3350 
3351  /* Is the file itself accessible? */
3352  if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3353  {
3354  errcode = errno;
3355  }
3356 
3357  /* If the file exists and is accessible, is it writable? */
3358  if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3359  {
3360  if (platform_access(file, W_OK) != 0)
3361  {
3362  errcode = errno;
3363  }
3364  }
3365 
3366  /* Warn if a given private file is group/others accessible. */
3367  if (type & CHKACC_PRIVATE)
3368  {
3369  platform_stat_t st;
3370  if (platform_stat(file, &st))
3371  {
3372  msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3373  }
3374 #ifndef _WIN32
3375  else
3376  {
3377  if (st.st_mode & (S_IRWXG|S_IRWXO))
3378  {
3379  msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3380  }
3381  }
3382 #endif
3383  }
3384 
3385  /* Scream if an error is found */
3386  if (errcode > 0)
3387  {
3388  msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3389  }
3390 
3391  /* Return true if an error occurred */
3392  return (errcode != 0 ? true : false);
3393 }
3394 
3395 /* A wrapper for check_file_access() which also takes a chroot directory.
3396  * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3397  * otherwise it will look for the file inside the given chroot directory instead.
3398  */
3399 static bool
3400 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3401 {
3402  bool ret = false;
3403 
3404  /* If no file configured, no errors to look for */
3405  if (!file)
3406  {
3407  return false;
3408  }
3409 
3410  /* If chroot is set, look for the file/directory inside the chroot */
3411  if (chroot)
3412  {
3413  struct gc_arena gc = gc_new();
3414  struct buffer chroot_file;
3415 
3416  chroot_file = prepend_dir(chroot, file, &gc);
3417  ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3418  gc_free(&gc);
3419  }
3420  else
3421  {
3422  /* No chroot in play, just call core file check function */
3423  ret = check_file_access(type, file, mode, opt);
3424  }
3425  return ret;
3426 }
3427 
3432 static bool
3433 check_file_access_chroot_inline(bool is_inline, const char *chroot,
3434  const int type, const char *file,
3435  const int mode, const char *opt)
3436 {
3437  if (is_inline)
3438  {
3439  return false;
3440  }
3441 
3442  return check_file_access_chroot(chroot, type, file, mode, opt);
3443 }
3444 
3449 static bool
3450 check_file_access_inline(bool is_inline, const int type, const char *file,
3451  const int mode, const char *opt)
3452 {
3453  if (is_inline)
3454  {
3455  return false;
3456  }
3457 
3458  return check_file_access(type, file, mode, opt);
3459 }
3460 
3461 /*
3462  * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3463  * valid file with appropriate permissions.
3464  *
3465  * "command" consists of a path, optionally followed by a space, which may be
3466  * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3467  * performed.
3468  *
3469  * The path and arguments in "command" may be single- or double-quoted or escaped.
3470  *
3471  * The path is extracted from "command", then check_file_access() is called to check it. The
3472  * arguments, if any, are ignored.
3473  *
3474  * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3475  * check_file_access() arguments.
3476  */
3477 static bool
3478 check_cmd_access(const char *command, const char *opt, const char *chroot)
3479 {
3480  struct argv argv;
3481  bool return_code;
3482 
3483  /* If no command was set, there are no errors to look for */
3484  if (!command)
3485  {
3486  return false;
3487  }
3488 
3489  /* Extract executable path and arguments */
3490  argv = argv_new();
3491  argv_parse_cmd(&argv, command);
3492 
3493  /* if an executable is specified then check it; otherwise, complain */
3494  if (argv.argv[0])
3495  {
3496  /* Scripts requires R_OK as well, but that might fail on binaries which
3497  * only requires X_OK to function on Unix - a scenario not unlikely to
3498  * be seen on suid binaries.
3499  */
3500  return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
3501  }
3502  else
3503  {
3504  msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
3505  opt, command);
3506  return_code = true;
3507  }
3508 
3509  argv_free(&argv);
3510 
3511  return return_code;
3512 }
3513 
3514 /*
3515  * Sanity check of all file/dir options. Checks that file/dir
3516  * is accessible by OpenVPN
3517  */
3518 static void
3520 {
3521  bool errs = false;
3522 
3523  /* ** SSL/TLS/crypto related files ** */
3525  options->dh_file, R_OK, "--dh");
3526 
3527  if (!options->verify_hash_no_ca)
3528  {
3530  options->ca_file, R_OK, "--ca");
3531  }
3532 
3534  options->ca_path, R_OK, "--capath");
3535 
3537  options->cert_file, R_OK, "--cert");
3538 
3540  options->extra_certs_file, R_OK,
3541  "--extra-certs");
3542 
3543 #ifdef ENABLE_MANAGMENT
3544  if (!(options->management_flags & MF_EXTERNAL_KEY))
3545 #endif
3546  {
3549  options->priv_key_file, R_OK, "--key");
3550  }
3551 
3554  options->pkcs12_file, R_OK, "--pkcs12");
3555 
3556  if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
3557  {
3559  options->crl_file, R_OK|X_OK,
3560  "--crl-verify directory");
3561  }
3562  else
3563  {
3565  options->chroot_dir,
3566  CHKACC_FILE, options->crl_file,
3567  R_OK, "--crl-verify");
3568  }
3569 
3570  ASSERT(options->connection_list);
3571  for (int i = 0; i < options->connection_list->len; ++i)
3572  {
3573  struct connection_entry *ce = options->connection_list->array[i];
3574 
3577  ce->tls_auth_file, R_OK,
3578  "--tls-auth");
3581  ce->tls_crypt_file, R_OK,
3582  "--tls-crypt");
3585  ce->tls_crypt_v2_file, R_OK,
3586  "--tls-crypt-v2");
3587  }
3588 
3591  options->shared_secret_file, R_OK,
3592  "--secret");
3593 
3595  options->packet_id_file, R_OK|W_OK, "--replay-persist");
3596 
3597  /* ** Password files ** */
3599  options->key_pass_file, R_OK, "--askpass");
3600 #ifdef ENABLE_MANAGEMENT
3602  options->management_user_pass, R_OK,
3603  "--management user/password file");
3604 #endif /* ENABLE_MANAGEMENT */
3606  options->auth_user_pass_file, R_OK,
3607  "--auth-user-pass");
3608  /* ** System related ** */
3609  errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
3610  R_OK|X_OK, "--chroot directory");
3612  R_OK|W_OK, "--writepid");
3613 
3614  /* ** Log related ** */
3616  R_OK|W_OK, "--status");
3617 
3618  /* ** Config related ** */
3619  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
3620  R_OK|W_OK|X_OK, "--tls-export-cert");
3622  R_OK|X_OK, "--client-config-dir");
3623  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
3624  R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
3625 
3626  if (errs)
3627  {
3628  msg(M_USAGE, "Please correct these errors.");
3629  }
3630 }
3631 #endif /* !ENABLE_SMALL */
3632 
3633 /*
3634  * Sanity check on options.
3635  * Also set some options based on other
3636  * options.
3637  */
3638 void
3640 {
3641  options_postprocess_mutate(options);
3642  options_postprocess_verify(options);
3643 #ifndef ENABLE_SMALL
3645 #endif /* !ENABLE_SMALL */
3646 }
3647 
3648 /*
3649  * Save/Restore certain option defaults before --pull is applied.
3650  */
3651 
3652 void
3654 {
3659 
3660  if (o->routes)
3661  {
3663  o->pre_connect->routes_defined = true;
3664  }
3665  if (o->routes_ipv6)
3666  {
3668  o->pre_connect->routes_ipv6_defined = true;
3669  }
3670  if (o->client_nat)
3671  {
3673  o->pre_connect->client_nat_defined = true;
3674  }
3675 
3678 
3679  /* NCP related options that can be overwritten by a push */
3681  o->pre_connect->authname = o->authname;
3682 
3683  /* Ping related options should be reset to the config values on reconnect */
3687 
3688  /* Miscellaneous Options */
3689 #ifdef USE_COMP
3690  o->pre_connect->comp = o->comp;
3691 #endif
3692 }
3693 
3694 void
3695 pre_connect_restore(struct options *o, struct gc_arena *gc)
3696 {
3697  const struct options_pre_connect *pp = o->pre_connect;
3698  if (pp)
3699  {
3700  CLEAR(o->tuntap_options);
3701  if (pp->tuntap_options_defined)
3702  {
3703  o->tuntap_options = pp->tuntap_options;
3704  }
3705 
3706  if (pp->routes_defined)
3707  {
3708  rol_check_alloc(o);
3709  copy_route_option_list(o->routes, pp->routes, gc);
3710  }
3711  else
3712  {
3713  o->routes = NULL;
3714  }
3715 
3716  if (pp->routes_ipv6_defined)
3717  {
3718  rol6_check_alloc(o);
3720  }
3721  else
3722  {
3723  o->routes_ipv6 = NULL;
3724  }
3725 
3728 
3729  if (pp->client_nat_defined)
3730  {
3731  cnol_check_alloc(o);
3733  }
3734  else
3735  {
3736  o->client_nat = NULL;
3737  }
3738 
3740 
3741  o->ciphername = pp->ciphername;
3742  o->authname = pp->authname;
3743 
3747 
3748  /* Miscellaneous Options */
3749 #ifdef USE_COMP
3750  o->comp = pp->comp;
3751 #endif
3752  }
3753 
3754  o->push_continuation = 0;
3755  o->push_option_types_found = 0;
3757 }
3758 
3766 static size_t
3767 calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
3768 {
3769  size_t link_mtu = EXPANDED_SIZE(frame);
3770 
3771  if (o->pull || o->mode == MODE_SERVER)
3772  {
3773  struct frame fake_frame = *frame;
3774  struct key_type fake_kt;
3775 
3777 
3778 
3779  /* o->ciphername might be BF-CBC even though the underlying SSL library
3780  * does not support it. For this reason we workaround this corner case
3781  * by pretending to have no encryption enabled and by manually adding
3782  * the required packet overhead to the MTU computation.
3783  */
3784  const char* ciphername = o->ciphername;
3785 
3786  if (strcmp(o->ciphername, "BF-CBC") == 0)
3787  {
3788  /* none has no overhead, so use this to later add only --auth
3789  * overhead */
3790 
3791  /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
3792  frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
3793  }
3794 
3795  init_key_type(&fake_kt, ciphername, o->authname, true, false);
3796 
3797  crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
3798  cipher_kt_mode_ofb_cfb(fake_kt.cipher));
3799  frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
3800  o->ce.tun_mtu_defined, o->ce.tun_mtu);
3801  msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu,
3802  EXPANDED_SIZE(&fake_frame));
3803  link_mtu = EXPANDED_SIZE(&fake_frame);
3804  }
3805  return link_mtu;
3806 }
3807 /*
3808  * Build an options string to represent data channel encryption options.
3809  * This string must match exactly between peers. The keysize is checked
3810  * separately by read_key().
3811  *
3812  * The following options must match on both peers:
3813  *
3814  * Tunnel options:
3815  *
3816  * --dev tun|tap [unit number need not match]
3817  * --dev-type tun|tap
3818  * --link-mtu
3819  * --udp-mtu
3820  * --tun-mtu
3821  * --proto udp
3822  * --proto tcp-client [matched with --proto tcp-server
3823  * on the other end of the connection]
3824  * --proto tcp-server [matched with --proto tcp-client on
3825  * the other end of the connection]
3826  * --tun-ipv6
3827  * --ifconfig x y [matched with --ifconfig y x on
3828  * the other end of the connection]
3829  *
3830  * --comp-lzo
3831  * --compress alg
3832  * --fragment
3833  *
3834  * Crypto Options:
3835  *
3836  * --cipher
3837  * --auth
3838  * --keysize
3839  * --secret
3840  * --no-replay
3841  *
3842  * SSL Options:
3843  *
3844  * --tls-auth
3845  * --tls-client [matched with --tls-server on
3846  * the other end of the connection]
3847  * --tls-server [matched with --tls-client on
3848  * the other end of the connection]
3849  */
3850 char *
3851 options_string(const struct options *o,
3852  const struct frame *frame,
3853  struct tuntap *tt,
3854  openvpn_net_ctx_t *ctx,
3855  bool remote,
3856  struct gc_arena *gc)
3857 {
3858  struct buffer out = alloc_buf(OPTION_LINE_SIZE);
3859  bool tt_local = false;
3860 
3861  buf_printf(&out, "V4");
3862 
3863  /*
3864  * Tunnel Options
3865  */
3866 
3867  buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
3868  /* the link-mtu that we send has only a meaning if have a fixed
3869  * cipher (p2p) or have a fallback cipher configured for older non
3870  * ncp clients. But not sending it will make even 2.4 complain
3871  * about it being missing. So still send it. */
3872  buf_printf(&out, ",link-mtu %u",
3873  (unsigned int) calc_options_string_link_mtu(o, frame));
3874 
3875  buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame));
3876  buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
3877 
3878  bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
3879  /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
3880  * is usually pushed by the server, triggering a non-helpful warning
3881  */
3882  if (o->ifconfig_ipv6_local && p2p_nopull)
3883  {
3884  buf_printf(&out, ",tun-ipv6");
3885  }
3886 
3887  /*
3888  * Try to get ifconfig parameters into the options string.
3889  * If tt is undefined, make a temporary instantiation.
3890  */
3891  if (!tt)
3892  {
3893  tt = init_tun(o->dev,
3894  o->dev_type,
3895  o->topology,
3896  o->ifconfig_local,
3901  NULL,
3902  NULL,
3903  false,
3904  NULL,
3905  ctx);
3906  if (tt)
3907  {
3908  tt_local = true;
3909  }
3910  }
3911 
3912  if (tt && p2p_nopull)
3913  {
3914  const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
3915  if (ios && strlen(ios))
3916  {
3917  buf_printf(&out, ",ifconfig %s", ios);
3918  }
3919  }
3920  if (tt_local)
3921  {
3922  free(tt);
3923  tt = NULL;
3924  }
3925 
3926 #ifdef USE_COMP
3927  if (o->comp.alg != COMP_ALG_UNDEF)
3928  {
3929  buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
3930  }
3931 #endif
3932 
3933 #ifdef ENABLE_FRAGMENT
3934  if (o->ce.fragment)
3935  {
3936  buf_printf(&out, ",mtu-dynamic");
3937  }
3938 #endif
3939 
3940 #define TLS_CLIENT (o->tls_client)
3941 #define TLS_SERVER (o->tls_server)
3942 
3943  /*
3944  * Key direction
3945  */
3946  {
3947  const char *kd = keydirection2ascii(o->key_direction, remote, false);
3948  if (kd)
3949  {
3950  buf_printf(&out, ",keydir %s", kd);
3951  }
3952  }
3953 
3954  /*
3955  * Crypto Options
3956  */
3958  {
3959  struct key_type kt;
3960 
3961  ASSERT((o->shared_secret_file != NULL)
3962  + (TLS_CLIENT == true)
3963  + (TLS_SERVER == true)
3964  <= 1);
3965 
3966  /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
3967  * to work here in the default configuration */
3968  const char *ciphername = o->ciphername;
3969  int keysize;
3970 
3971  if (strcmp(o->ciphername, "BF-CBC") == 0)
3972  {
3973  init_key_type(&kt, "none", o->authname, true, false);
3974  keysize = 128;
3975  }
3976  else
3977  {
3978  init_key_type(&kt, o->ciphername, o->authname, true, false);
3979  ciphername = cipher_kt_name(kt.cipher);
3980  keysize = kt.cipher_length * 8;
3981  }
3982  /* Only announce the cipher to our peer if we are willing to
3983  * support it */
3984  if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
3985  {
3986  buf_printf(&out, ",cipher %s", ciphername);
3987  }
3988  buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
3989  buf_printf(&out, ",keysize %d", keysize);
3990  if (o->shared_secret_file)
3991  {
3992  buf_printf(&out, ",secret");
3993  }
3994  if (!o->replay)
3995  {
3996  buf_printf(&out, ",no-replay");
3997  }
3998 
3999 #ifdef ENABLE_PREDICTION_RESISTANCE
4000  if (o->use_prediction_resistance)
4001  {
4002  buf_printf(&out, ",use-prediction-resistance");
4003  }
4004 #endif
4005  }
4006 
4007  /*
4008  * SSL Options
4009  */
4010  {
4011  if (TLS_CLIENT || TLS_SERVER)
4012  {
4013  if (o->ce.tls_auth_file)
4014  {
4015  buf_printf(&out, ",tls-auth");
4016  }
4017  /* Not adding tls-crypt here, because we won't reach this code if
4018  * tls-auth/tls-crypt does not match. Removing tls-auth here would
4019  * break stuff, so leaving that in place. */
4020 
4021  buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4022  }
4023 
4024  if (remote)
4025  {
4026  if (TLS_CLIENT)
4027  {
4028  buf_printf(&out, ",tls-server");
4029  }
4030  else if (TLS_SERVER)
4031  {
4032  buf_printf(&out, ",tls-client");
4033  }
4034  }
4035  else
4036  {
4037  if (TLS_CLIENT)
4038  {
4039  buf_printf(&out, ",tls-client");
4040  }
4041  else if (TLS_SERVER)
4042  {
4043  buf_printf(&out, ",tls-server");
4044  }
4045  }
4046  }
4047 
4048 #undef TLS_CLIENT
4049 #undef TLS_SERVER
4050 
4051  return BSTR(&out);
4052 }
4053 
4054 /*
4055  * Compare option strings for equality.
4056  * If the first two chars of the strings differ, it means that
4057  * we are looking at different versions of the options string,
4058  * therefore don't compare them and return true.
4059  */
4060 
4061 bool
4062 options_cmp_equal(char *actual, const char *expected)
4063 {
4064  return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4065 }
4066 
4067 void
4068 options_warning(char *actual, const char *expected)
4069 {
4070  options_warning_safe(actual, expected, strlen(actual) + 1);
4071 }
4072 
4073 static const char *
4074 options_warning_extract_parm1(const char *option_string,
4075  struct gc_arena *gc_ret)
4076 {
4077  struct gc_arena gc = gc_new();
4078  struct buffer b = string_alloc_buf(option_string, &gc);
4079  char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4080  const char *ret;
4081 
4082  buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4083  ret = string_alloc(p, gc_ret);
4084  gc_free(&gc);
4085  return ret;
4086 }
4087 
4088 static void
4089 options_warning_safe_scan2(const int msglevel,
4090  const int delim,
4091  const bool report_inconsistent,
4092  const char *p1,
4093  const struct buffer *b2_src,
4094  const char *b1_name,
4095  const char *b2_name)
4096 {
4097  /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4098  * OCC in a future version (because it's not useful). To reduce questions
4099  * when interoperating, we no longer printing a warning about it.
4100  */
4101  if (strprefix(p1, "key-method ")
4102  || strprefix(p1, "keydir ")
4103  || strprefix(p1, "proto ")
4104  || streq(p1, "tls-auth")
4105  || strprefix(p1, "tun-ipv6")
4106  || strprefix(p1, "cipher "))
4107  {
4108  return;
4109  }
4110 
4111  if (strlen(p1) > 0)
4112  {
4113  struct gc_arena gc = gc_new();
4114  struct buffer b2 = *b2_src;
4115  const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4116  char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4117 
4118  while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4119  {
4120  if (strlen(p2))
4121  {
4122  const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4123 
4124  if (!strcmp(p1, p2))
4125  {
4126  goto done;
4127  }
4128  if (!strcmp(p1_prefix, p2_prefix))
4129  {
4130  if (report_inconsistent)
4131  {
4132  msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4133  safe_print(p1_prefix, &gc),
4134  b1_name,
4135  safe_print(p1, &gc),
4136  b2_name,
4137  safe_print(p2, &gc));
4138  }
4139  goto done;
4140  }
4141  }
4142  }
4143 
4144  msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4145  safe_print(p1_prefix, &gc),
4146  b1_name,
4147  b2_name,
4148  b1_name,
4149  safe_print(p1, &gc));
4150 
4151 done:
4152  gc_free(&gc);
4153  }
4154 }
4155 
4156 static void
4157 options_warning_safe_scan1(const int msglevel,
4158  const int delim,
4159  const bool report_inconsistent,
4160  const struct buffer *b1_src,
4161  const struct buffer *b2_src,
4162  const char *b1_name,
4163  const char *b2_name)
4164 {
4165  struct gc_arena gc = gc_new();
4166  struct buffer b = *b1_src;
4167  char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4168 
4169  while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4170  {
4171  options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4172  }
4173 
4174  gc_free(&gc);
4175 }
4176 
4177 static void
4178 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4179 {
4180  struct gc_arena gc = gc_new();
4181 
4182  if (actual_n > 0)
4183  {
4184  struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4185  struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4186  actual[actual_n - 1] = 0;
4187 
4188  buf_printf(&local, "version %s", expected);
4189  buf_printf(&remote, "version %s", actual);
4190 
4191  options_warning_safe_scan1(msglevel, ',', true,
4192  &local, &remote,
4193  "local", "remote");
4194 
4195  options_warning_safe_scan1(msglevel, ',', false,
4196  &remote, &local,
4197  "remote", "local");
4198  }
4199 
4200  gc_free(&gc);
4201 }
4202 
4203 bool
4204 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4205 {
4206  struct gc_arena gc = gc_new();
4207  bool ret = true;
4208 
4209  if (actual_n > 0)
4210  {
4211  actual[actual_n - 1] = 0;
4212 #ifndef ENABLE_STRICT_OPTIONS_CHECK
4213  if (strncmp(actual, expected, 2))
4214  {
4215  msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4216  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4217  }
4218  else
4219 #endif
4220  ret = !strcmp(actual, expected);
4221  }
4222  gc_free(&gc);
4223  return ret;
4224 }
4225 
4226 void
4227 options_warning_safe(char *actual, const char *expected, size_t actual_n)
4228 {
4229  options_warning_safe_ml(M_WARN, actual, expected, actual_n);
4230 }
4231 
4232 const char *
4233 options_string_version(const char *s, struct gc_arena *gc)
4234 {
4235  struct buffer out = alloc_buf_gc(4, gc);
4236  strncpynt((char *) BPTR(&out), s, 3);
4237  return BSTR(&out);
4238 }
4239 
4240 char *
4241 options_string_extract_option(const char *options_string,const char *opt_name,
4242  struct gc_arena *gc)
4243 {
4244  char *ret = NULL;
4245  const size_t opt_name_len = strlen(opt_name);
4246 
4247  const char *p = options_string;
4248  while (p)
4249  {
4250  if (0 == strncmp(p, opt_name, opt_name_len)
4251  && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4252  {
4253  /* option found, extract value */
4254  const char *start = &p[opt_name_len+1];
4255  const char *end = strchr(p, ',');
4256  size_t val_len = end ? end - start : strlen(start);
4257  ret = gc_malloc(val_len+1, true, gc);
4258  memcpy(ret, start, val_len);
4259  break;
4260  }
4261  p = strchr(p, ',');
4262  if (p)
4263  {
4264  p++; /* skip delimiter */
4265  }
4266  }
4267  return ret;
4268 }
4269 
4270 static void
4271 foreign_option(struct options *o, char *argv[], int len, struct env_set *es)
4272 {
4273  if (len > 0)
4274  {
4275  struct gc_arena gc = gc_new();
4276  struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
4277  struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
4278  int i;
4279  bool first = true;
4280  bool good = true;
4281 
4282  good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
4283  ++o->foreign_option_index;
4284  for (i = 0; i < len; ++i)
4285  {
4286  if (argv[i])
4287  {
4288  if (!first)
4289  {
4290  good &= buf_printf(&value, " ");
4291  }
4292  good &= buf_printf(&value, "%s", argv[i]);
4293  first = false;
4294  }
4295  }
4296  if (good)
4297  {
4298  setenv_str(es, BSTR(&name), BSTR(&value));
4299  }
4300  else
4301  {
4302  msg(M_WARN, "foreign_option: name/value overflow");
4303  }
4304  gc_free(&gc);
4305  }
4306 }
4307 
4308 #ifdef _WIN32
4309 
4316 static enum windows_driver_type
4317 parse_windows_driver(const char *str, const int msglevel)
4318 {
4319  if (streq(str, "tap-windows6"))
4320  {
4322  }
4323  else if (streq(str, "wintun"))
4324  {
4325  return WINDOWS_DRIVER_WINTUN;
4326  }
4327  else
4328  {
4329  msg(msglevel, "--windows-driver must be tap-windows6 or wintun");
4331  }
4332 }
4333 #endif
4334 
4335 /*
4336  * parse/print topology coding
4337  */
4338 
4339 int
4340 parse_topology(const char *str, const int msglevel)
4341 {
4342  if (streq(str, "net30"))
4343  {
4344  return TOP_NET30;
4345  }
4346  else if (streq(str, "p2p"))
4347  {
4348  return TOP_P2P;
4349  }
4350  else if (streq(str, "subnet"))
4351  {
4352  return TOP_SUBNET;
4353  }
4354  else
4355  {
4356  msg(msglevel, "--topology must be net30, p2p, or subnet");
4357  return TOP_UNDEF;
4358  }
4359 }
4360 
4361 const char *
4362 print_topology(const int topology)
4363 {
4364  switch (topology)
4365  {
4366  case TOP_UNDEF:
4367  return "undef";
4368 
4369  case TOP_NET30:
4370  return "net30";
4371 
4372  case TOP_P2P:
4373  return "p2p";
4374 
4375  case TOP_SUBNET:
4376  return "subnet";
4377 
4378  default:
4379  return "unknown";
4380  }
4381 }
4382 
4383 /*
4384  * Manage auth-retry variable
4385  */
4386 
4387 static int global_auth_retry; /* GLOBAL */
4388 
4389 int
4391 {
4392  return global_auth_retry;
4393 }
4394 
4395 bool
4396 auth_retry_set(const int msglevel, const char *option)
4397 {
4398  if (streq(option, "interact"))
4399  {
4401  }
4402  else if (streq(option, "nointeract"))
4403  {
4405  }
4406  else if (streq(option, "none"))
4407  {
4409  }
4410  else
4411  {
4412  msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4413  return false;
4414  }
4415  return true;
4416 }
4417 
4418 const char *
4420 {
4421  switch (global_auth_retry)
4422  {
4423  case AR_NONE:
4424  return "none";
4425 
4426  case AR_NOINTERACT:
4427  return "nointeract";
4428 
4429  case AR_INTERACT:
4430  return "interact";
4431 
4432  default:
4433  return "???";
4434  }
4435 }
4436 
4437 /*
4438  * Print the help message.
4439  */
4440 static void
4441 usage(void)
4442 {
4443  FILE *fp = msg_fp(0);
4444 
4445 #ifdef ENABLE_SMALL
4446 
4447  fprintf(fp, "Usage message not available\n");
4448 
4449 #else
4450 
4451  struct options o;
4452  init_options(&o, true);
4453 
4454  fprintf(fp, usage_message,
4455  title_string,
4458  o.ce.local_port, o.ce.remote_port,
4460  o.verbosity,
4461  o.authname, o.ciphername,
4465  fflush(fp);
4466 
4467 #endif /* ENABLE_SMALL */
4468 
4469  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4470 }
4471 
4472 void
4474 {
4475  msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4476  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4477 }
4478 
4479 #ifdef _WIN32
4480 void
4481 show_windows_version(const unsigned int flags)
4482 {
4483  struct gc_arena gc = gc_new();
4484  msg(flags, "Windows version %s", win32_version_string(&gc, true));
4485  gc_free(&gc);
4486 }
4487 #endif
4488 
4489 void
4490 show_library_versions(const unsigned int flags)
4491 {
4492 #ifdef ENABLE_LZO
4493 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4494 #else
4495 #define LZO_LIB_VER_STR "", ""
4496 #endif
4497 
4498  msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4499  LZO_LIB_VER_STR);
4500 
4501 #undef LZO_LIB_VER_STR
4502 }
4503 
4504 static void
4506 {
4509 #ifdef _WIN32
4511 #endif
4512  msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4513  msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>");
4514 #ifndef ENABLE_SMALL
4515 #ifdef CONFIGURE_DEFINES
4516  msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4517 #endif
4518 #ifdef CONFIGURE_SPECIAL_BUILD
4519  msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4520 #endif
4521 #endif
4523 }
4524 
4525 void
4526 notnull(const char *arg, const char *description)
4527 {
4528  if (!arg)
4529  {
4530  msg(M_USAGE, "You must define %s", description);
4531  }
4532 }
4533 
4534 bool
4535 string_defined_equal(const char *s1, const char *s2)
4536 {
4537  if (s1 && s2)
4538  {
4539  return !strcmp(s1, s2);
4540  }
4541  else
4542  {
4543  return false;
4544  }
4545 }
4546 
4547 #if 0
4548 static void
4549 ping_rec_err(int msglevel)
4550 {
4551  msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4552 }
4553 #endif
4554 
4555 static int
4556 positive_atoi(const char *str)
4557 {
4558  const int i = atoi(str);
4559  return i < 0 ? 0 : i;
4560 }
4561 
4562 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4563 static unsigned int
4564 atou(const char *str)
4565 {
4566  unsigned int val = 0;
4567  sscanf(str, "%u", &val);
4568  return val;
4569 }
4570 #endif
4571 
4572 static inline bool
4573 space(unsigned char c)
4574 {
4575  return c == '\0' || isspace(c);
4576 }
4577 
4578 int
4579 parse_line(const char *line,
4580  char *p[],
4581  const int n,
4582  const char *file,
4583  const int line_num,
4584  int msglevel,
4585  struct gc_arena *gc)
4586 {
4587  const int STATE_INITIAL = 0;
4588  const int STATE_READING_QUOTED_PARM = 1;
4589  const int STATE_READING_UNQUOTED_PARM = 2;
4590  const int STATE_DONE = 3;
4591  const int STATE_READING_SQUOTED_PARM = 4;
4592 
4593  const char *error_prefix = "";
4594 
4595  int ret = 0;
4596  const char *c = line;
4597  int state = STATE_INITIAL;
4598  bool backslash = false;
4599  char in, out;
4600 
4601  char parm[OPTION_PARM_SIZE];
4602  unsigned int parm_len = 0;
4603 
4604  msglevel &= ~M_OPTERR;
4605 
4606  if (msglevel & M_MSG_VIRT_OUT)
4607  {
4608  error_prefix = "ERROR: ";
4609  }
4610 
4611  do
4612  {
4613  in = *c;
4614  out = 0;
4615 
4616  if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4617  {
4618  backslash = true;
4619  }
4620  else
4621  {
4622  if (state == STATE_INITIAL)
4623  {
4624  if (!space(in))
4625  {
4626  if (in == ';' || in == '#') /* comment */
4627  {
4628  break;
4629  }
4630  if (!backslash && in == '\"')
4631  {
4632  state = STATE_READING_QUOTED_PARM;
4633  }
4634  else if (!backslash && in == '\'')
4635  {
4636  state = STATE_READING_SQUOTED_PARM;
4637  }
4638  else
4639  {
4640  out = in;
4641  state = STATE_READING_UNQUOTED_PARM;
4642  }
4643  }
4644  }
4645  else if (state == STATE_READING_UNQUOTED_PARM)
4646  {
4647  if (!backslash && space(in))
4648  {
4649  state = STATE_DONE;
4650  }
4651  else
4652  {
4653  out = in;
4654  }
4655  }
4656  else if (state == STATE_READING_QUOTED_PARM)
4657  {
4658  if (!backslash && in == '\"')
4659  {
4660  state = STATE_DONE;
4661  }
4662  else
4663  {
4664  out = in;
4665  }
4666  }
4667  else if (state == STATE_READING_SQUOTED_PARM)
4668  {
4669  if (in == '\'')
4670  {
4671  state = STATE_DONE;
4672  }
4673  else
4674  {
4675  out = in;
4676  }
4677  }
4678  if (state == STATE_DONE)
4679  {
4680  /* ASSERT (parm_len > 0); */
4681  p[ret] = gc_malloc(parm_len + 1, true, gc);
4682  memcpy(p[ret], parm, parm_len);
4683  p[ret][parm_len] = '\0';
4684  state = STATE_INITIAL;
4685  parm_len = 0;
4686  ++ret;
4687  }
4688 
4689  if (backslash && out)
4690  {
4691  if (!(out == '\\' || out == '\"' || space(out)))
4692  {
4693 #ifdef ENABLE_SMALL
4694  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
4695 #else
4696  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
4697 #endif
4698  return 0;
4699  }
4700  }
4701  backslash = false;
4702  }
4703 
4704  /* store parameter character */
4705  if (out)
4706  {
4707  if (parm_len >= SIZE(parm))
4708  {
4709  parm[SIZE(parm) - 1] = 0;
4710  msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
4711  error_prefix, file, line_num, (int) SIZE(parm), parm);
4712  return 0;
4713  }
4714  parm[parm_len++] = out;
4715  }
4716 
4717  /* avoid overflow if too many parms in one config file line */
4718  if (ret >= n)
4719  {
4720  break;
4721  }
4722 
4723  } while (*c++ != '\0');
4724 
4725  if (state == STATE_READING_QUOTED_PARM)
4726  {
4727  msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
4728  return 0;
4729  }
4730  if (state == STATE_READING_SQUOTED_PARM)
4731  {
4732  msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
4733  return 0;
4734  }
4735  if (state != STATE_INITIAL)
4736  {
4737  msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
4738  return 0;
4739  }
4740 #if 0
4741  {
4742  int i;
4743  for (i = 0; i < ret; ++i)
4744  {
4745  msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
4746  }
4747  }
4748 #endif
4749  return ret;
4750 }
4751 
4752 static void
4754 {
4755  if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
4756  {
4757  *p += 2;
4758  }
4759 }
4760 
4761 struct in_src {
4762 #define IS_TYPE_FP 1
4763 #define IS_TYPE_BUF 2
4764  int type;
4765  union {
4766  FILE *fp;
4768  } u;
4769 };
4770 
4771 static bool
4772 in_src_get(const struct in_src *is, char *line, const int size)
4773 {
4774  if (is->type == IS_TYPE_FP)
4775  {
4776  return BOOL_CAST(fgets(line, size, is->u.fp));
4777  }
4778  else if (is->type == IS_TYPE_BUF)
4779  {
4780  bool status = buf_parse(is->u.multiline, '\n', line, size);
4781  if ((int) strlen(line) + 1 < size)
4782  {
4783  strcat(line, "\n");
4784  }
4785  return status;
4786  }
4787  else
4788  {
4789  ASSERT(0);
4790  return false;
4791  }
4792 }
4793 
4794 static char *
4795 read_inline_file(struct in_src *is, const char *close_tag,
4796  int *num_lines, struct gc_arena *gc)
4797 {
4798  char line[OPTION_LINE_SIZE];
4799  struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
4800  char *ret;
4801  bool endtagfound = false;
4802 
4803  while (in_src_get(is, line, sizeof(line)))
4804  {
4805  (*num_lines)++;
4806  char *line_ptr = line;
4807  /* Remove leading spaces */
4808  while (isspace(*line_ptr))
4809  {
4810  line_ptr++;
4811  }
4812  if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
4813  {
4814  endtagfound = true;
4815  break;
4816  }
4817  if (!buf_safe(&buf, strlen(line)+1))
4818  {
4819  /* Increase buffer size */
4820  struct buffer buf2 = alloc_buf(buf.capacity * 2);
4821  ASSERT(buf_copy(&buf2, &buf));
4822  buf_clear(&buf);
4823  free_buf(&buf);
4824  buf = buf2;
4825  }
4826  buf_printf(&buf, "%s", line);
4827  }
4828  if (!endtagfound)
4829  {
4830  msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
4831  }
4832  ret = string_alloc(BSTR(&buf), gc);
4833  buf_clear(&buf);
4834  free_buf(&buf);
4835  secure_memzero(line, sizeof(line));
4836  return ret;
4837 }
4838 
4839 static int
4840 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
4841 {
4842  int num_inline_lines = 0;
4843 
4844  if (p[0] && !p[1])
4845  {
4846  char *arg = p[0];
4847  if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
4848  {
4849  struct buffer close_tag;
4850 
4851  arg[strlen(arg) - 1] = '\0';
4852  p[0] = string_alloc(arg + 1, gc);
4853  close_tag = alloc_buf(strlen(p[0]) + 4);
4854  buf_printf(&close_tag, "</%s>", p[0]);
4855  p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
4856  p[2] = NULL;
4857  free_buf(&close_tag);
4858  }
4859  }
4860  return num_inline_lines;
4861 }
4862 
4863 static int
4864 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
4865 {
4866  struct in_src is;
4867  is.type = IS_TYPE_FP;
4868  is.u.fp = fp;
4869  return check_inline_file(&is, p, gc);
4870 }
4871 
4872 static int
4874  struct gc_arena *gc)
4875 {
4876  struct in_src is;
4877  is.type = IS_TYPE_BUF;
4878  is.u.multiline = multiline;
4879  return check_inline_file(&is, p, gc);
4880 }
4881 
4882 static void
4883 add_option(struct options *options,
4884  char *p[],
4885  bool is_inline,
4886  const char *file,
4887  int line,
4888  const int level,
4889  const int msglevel,
4890  const unsigned int permission_mask,
4891  unsigned int *option_types_found,
4892  struct env_set *es);
4893 
4894 static void
4895 read_config_file(struct options *options,
4896  const char *file,
4897  int level,
4898  const char *top_file,
4899  const int top_line,
4900  const int msglevel,
4901  const unsigned int permission_mask,
4902  unsigned int *option_types_found,
4903  struct env_set *es)
4904 {
4905  const int max_recursive_levels = 10;
4906  FILE *fp;
4907  int line_num;
4908  char line[OPTION_LINE_SIZE+1];
4909  char *p[MAX_PARMS+1];
4910 
4911  ++level;
4912  if (level <= max_recursive_levels)
4913  {
4914  if (streq(file, "stdin"))
4915  {
4916  fp = stdin;
4917  }
4918  else
4919  {
4920  fp = platform_fopen(file, "r");
4921  }
4922  if (fp)
4923  {
4924  line_num = 0;
4925  while (fgets(line, sizeof(line), fp))
4926  {
4927  int offset = 0;
4928  CLEAR(p);
4929  ++line_num;
4930  if (strlen(line) == OPTION_LINE_SIZE)
4931  {
4932  msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
4933  file, line_num, OPTION_LINE_SIZE, line);
4934  }
4935 
4936  /* Ignore UTF-8 BOM at start of stream */
4937  if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
4938  {
4939  offset = 3;
4940  }
4941  if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
4942  {
4943  bypass_doubledash(&p[0]);
4944  int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
4945  add_option(options, p, lines_inline, file, line_num, level,
4946  msglevel, permission_mask, option_types_found,
4947  es);
4948  line_num += lines_inline;
4949  }
4950  }
4951  if (fp != stdin)
4952  {
4953  fclose(fp);
4954  }
4955  }
4956  else
4957  {
4958  msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
4959  }
4960  }
4961  else
4962  {
4963  msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
4964  }
4965  secure_memzero(line, sizeof(line));
4966  CLEAR(p);
4967 }
4968 
4969 static void
4970 read_config_string(const char *prefix,
4971  struct options *options,
4972  const char *config,
4973  const int msglevel,
4974  const unsigned int permission_mask,
4975  unsigned int *option_types_found,
4976  struct env_set *es)
4977 {
4978  char line[OPTION_LINE_SIZE];
4979  struct buffer multiline;
4980  int line_num = 0;
4981 
4982  buf_set_read(&multiline, (uint8_t *)config, strlen(config));
4983 
4984  while (buf_parse(&multiline, '\n', line, sizeof(line)))
4985  {
4986  char *p[MAX_PARMS+1];
4987  CLEAR(p);
4988  ++line_num;
4989  if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
4990  {
4991  bypass_doubledash(&p[0]);
4992  int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
4993  add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
4994  permission_mask, option_types_found, es);
4995  line_num += lines_inline;
4996  }
4997  CLEAR(p);
4998  }
4999  secure_memzero(line, sizeof(line));
5000 }
5001 
5002 void
5003 parse_argv(struct options *options,
5004  const int argc,
5005  char *argv[],
5006  const int msglevel,
5007  const unsigned int permission_mask,
5008  unsigned int *option_types_found,
5009  struct env_set *es)
5010 {
5011  int i, j;
5012 
5013  /* usage message */
5014  if (argc <= 1)
5015  {
5016  usage();
5017  }
5018 
5019  /* config filename specified only? */
5020  if (argc == 2 && strncmp(argv[1], "--", 2))
5021  {
5022  char *p[MAX_PARMS];
5023  CLEAR(p);
5024  p[0] = "config";
5025  p[1] = argv[1];
5026  add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5027  option_types_found, es);
5028  }
5029  else
5030  {
5031  /* parse command line */
5032  for (i = 1; i < argc; ++i)
5033  {
5034  char *p[MAX_PARMS];
5035  CLEAR(p);
5036  p[0] = argv[i];
5037  if (strncmp(p[0], "--", 2))
5038  {
5039  msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
5040  }
5041  else
5042  {
5043  p[0] += 2;
5044  }
5045 
5046  for (j = 1; j < MAX_PARMS; ++j)
5047  {
5048  if (i + j < argc)
5049  {
5050  char *arg = argv[i + j];
5051  if (strncmp(arg, "--", 2))
5052  {
5053  p[j] = arg;
5054  }
5055  else
5056  {
5057  break;
5058  }
5059  }
5060  }
5061  add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5062  option_types_found, es);
5063  i += j - 1;
5064  }
5065  }
5066 }
5067 
5076 static bool
5077 apply_pull_filter(const struct options *o, char *line)
5078 {
5079  struct pull_filter *f;
5080 
5081  if (!o->pull_filter_list)
5082  {
5083  return true;
5084  }
5085 
5086  for (f = o->pull_filter_list->head; f; f = f->next)
5087  {
5088  if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5089  {
5090  msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5091  return true;
5092  }
5093  else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5094  {
5095  msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5096  *line = '\0';
5097  return true;
5098  }
5099  else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5100  {
5101  msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5102  *line = '\0';
5103  throw_signal_soft(SIGUSR1, "Offending option received from server");
5104  return false;
5105  }
5106  }
5107  return true;
5108 }
5109 
5110 bool
5111 apply_push_options(struct options *options,
5112  struct buffer *buf,
5113  unsigned int permission_mask,
5114  unsigned int *option_types_found,
5115  struct env_set *es)
5116 {
5117  char line[OPTION_PARM_SIZE];
5118  int line_num = 0;
5119  const char *file = "[PUSH-OPTIONS]";
5120  const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5121 
5122  while (buf_parse(buf, ',', line, sizeof(line)))
5123  {
5124  char *p[MAX_PARMS+1];
5125  CLEAR(p);
5126  ++line_num;
5127  if (!apply_pull_filter(options, line))
5128  {
5129  return false; /* Cause push/pull error and stop push processing */
5130  }
5131  if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5132  {
5133  add_option(options, p, false, file, line_num, 0, msglevel,
5134  permission_mask, option_types_found, es);
5135  }
5136  }
5137  return true;
5138 }
5139 
5140 void
5141 options_server_import(struct options *o,
5142  const char *filename,
5143  int msglevel,
5144  unsigned int permission_mask,
5145  unsigned int *option_types_found,
5146  struct env_set *es)
5147 {
5148  msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5149  read_config_file(o,
5150  filename,
5151  0,
5152  filename,
5153  0,
5154  msglevel,
5155  permission_mask,
5156  option_types_found,
5157  es);
5158 }
5159 
5160 void
5161 options_string_import(struct options *options,
5162  const char *config,
5163  const int msglevel,
5164  const unsigned int permission_mask,
5165  unsigned int *option_types_found,
5166  struct env_set *es)
5167 {
5168  read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5169 }
5170 
5171 #define VERIFY_PERMISSION(mask) { \
5172  if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5173  option_types_found, msglevel, options, is_inline)) \
5174  { \
5175  goto err; \
5176  } \
5177 }
5178 
5179 static bool
5180 verify_permission(const char *name,
5181  const char *file,
5182  int line,
5183  const unsigned int type,
5184  const unsigned int allowed,
5185  unsigned int *found,
5186  const int msglevel,
5187  struct options *options,
5188  bool is_inline)
5189 {
5190  if (!(type & allowed))
5191  {
5192  msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5193  return false;
5194  }
5195 
5196  if (is_inline && !(type & OPT_P_INLINE))
5197  {
5198  msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5199  file, line);
5200  return false;
5201  }
5202 
5203  if (found)
5204  {
5205  *found |= type;
5206  }
5207 
5208 #ifndef ENABLE_SMALL
5209  /* Check if this options is allowed in connection block,
5210  * but we are currently not in a connection block
5211  * unless this is a pushed option.
5212  * Parsing a connection block uses a temporary options struct without
5213  * connection_list
5214  */
5215 
5216  if ((type & OPT_P_CONNECTION) && options->connection_list
5217  && !(allowed & OPT_P_PULL_MODE))
5218  {
5219  if (file)
5220  {
5221  msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5222  }
5223  else
5224  {
5225  msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5226  }
5227  }
5228 #endif
5229  return true;
5230 }
5231 
5232 /*
5233  * Check that an option doesn't have too
5234  * many parameters.
5235  */
5236 
5237 #define NM_QUOTE_HINT (1<<0)
5238 
5239 static bool
5240 no_more_than_n_args(const int msglevel,
5241  char *p[],
5242  const int max,
5243  const unsigned int flags)
5244 {
5245  const int len = string_array_len((const char **)p);
5246 
5247  if (!len)
5248  {
5249  return false;
5250  }
5251 
5252  if (len > max)
5253  {
5254  msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5255  p[0],
5256  max - 1,
5257  max >= 3 ? "s" : "",
5258  (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5259  return false;
5260  }
5261  else
5262  {
5263  return true;
5264  }
5265 }
5266 
5267 static inline int
5268 msglevel_forward_compatible(struct options *options, const int msglevel)
5269 {
5270  return options->forward_compatible ? M_WARN : msglevel;
5271 }
5272 
5273 static void
5274 set_user_script(struct options *options,
5275  const char **script,
5276  const char *new_script,
5277  const char *type,
5278  bool in_chroot)
5279 {
5280  if (*script)
5281  {
5282  msg(M_WARN, "Multiple --%s scripts defined. "
5283  "The previously configured script is overridden.", type);
5284  }
5285  *script = new_script;
5286  options->user_script_used = true;
5287 
5288 #ifndef ENABLE_SMALL
5289  {
5290  char script_name[100];
5291  openvpn_snprintf(script_name, sizeof(script_name),
5292  "--%s script", type);
5293 
5294  if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5295  {
5296  msg(M_USAGE, "Please correct this error.");
5297  }
5298 
5299  }
5300 #endif
5301 }
5302 
5303 #ifdef USE_COMP
5304 static void
5305 show_compression_warning(struct compress_options *info)
5306 {
5307  if (comp_non_stub_enabled(info))
5308  {
5309  /*
5310  * Check if already displayed the strong warning and enabled full
5311  * compression
5312  */
5313  if (!(info->flags & COMP_F_ALLOW_COMPRESS))
5314  {
5315  msg(M_WARN, "WARNING: Compression for receiving enabled. "
5316  "Compression has been used in the past to break encryption. "
5317  "Sent packets are not compressed unless \"allow-compression yes\" "
5318  "is also set.");
5319  }
5320  }
5321 }
5322 #endif
5323 
5324 static void
5325 add_option(struct options *options,
5326  char *p[],
5327  bool is_inline,
5328  const char *file,
5329  int line,
5330  const int level,
5331  const int msglevel,
5332  const unsigned int permission_mask,
5333  unsigned int *option_types_found,
5334  struct env_set *es)
5335 {
5336  struct gc_arena gc = gc_new();
5337  const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5338  int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5339 
5340  ASSERT(MAX_PARMS >= 7);
5341 
5342  /*
5343  * If directive begins with "setenv opt" prefix, don't raise an error if
5344  * directive is unrecognized.
5345  */
5346  if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5347  {
5348  if (!p[2])
5349  {
5350  p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5351  }
5352  p += 2;
5353  msglevel_fc = M_WARN;
5354  }
5355 
5356  if (!file)
5357  {
5358  file = "[CMD-LINE]";
5359  line = 1;
5360  }
5361  if (streq(p[0], "help"))
5362  {
5364  usage();
5365  if (p[1])
5366  {
5367  msg(msglevel, "--help does not accept any parameters");
5368  goto err;
5369  }
5370  }
5371  if (streq(p[0], "version") && !p[1])
5372  {
5374  usage_version();
5375  }
5376  else if (streq(p[0], "config") && p[1] && !p[2])
5377  {
5379 
5380  /* save first config file only in options */
5381  if (!options->config)
5382  {
5383  options->config = p[1];
5384  }
5385 
5386  read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5387  }
5388 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5389  else if (streq(p[0], "show-gateway") && !p[2])
5390  {
5391  struct route_gateway_info rgi;
5392  struct route_ipv6_gateway_info rgi6;
5393  struct in6_addr remote = IN6ADDR_ANY_INIT;
5394  openvpn_net_ctx_t net_ctx;
5396  if (p[1])
5397  {
5398  get_ipv6_addr(p[1], &remote, NULL, M_WARN);
5399  }
5400  net_ctx_init(NULL, &net_ctx);
5401  get_default_gateway(&rgi, &net_ctx);
5402  get_default_gateway_ipv6(&rgi6, &remote, &net_ctx);
5403  print_default_gateway(M_INFO, &rgi, &rgi6);
5404  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5405  }
5406 #endif
5407 #if 0
5408  else if (streq(p[0], "foreign-option") && p[1])
5409  {
5411  foreign_option(options, p, 3, es);
5412  }
5413 #endif
5414  else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5415  {
5416  struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5417  int j;
5418  bool good = true;
5419 
5421 
5422  for (j = 1; j < MAX_PARMS; ++j)
5423  {
5424  if (!p[j])
5425  {
5426  break;
5427  }
5428  if (j > 1)
5429  {
5430  good &= buf_printf(&string, " ");
5431  }
5432  good &= buf_printf(&string, "%s", p[j]);
5433  }
5434  if (good)
5435  {
5436  /* only message-related ECHO are logged, since other ECHOs
5437  * can potentially include security-sensitive strings */
5438  if (p[1] && strncmp(p[1], "msg", 3) == 0)
5439  {
5440  msg(M_INFO, "%s:%s",
5441  pull_mode ? "ECHO-PULL" : "ECHO",
5442  BSTR(&string));
5443  }
5444 #ifdef ENABLE_MANAGEMENT
5445  if (management)
5446  {
5447  management_echo(management, BSTR(&string), pull_mode);
5448  }
5449 #endif
5450  }
5451  else
5452  {
5453  msg(M_WARN, "echo/parameter option overflow");
5454  }
5455  }
5456 #ifdef ENABLE_MANAGEMENT
5457  else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5458  {
5460  if (streq(p[2], "unix"))
5461  {
5462 #if UNIX_SOCK_SUPPORT
5463  options->management_flags |= MF_UNIX_SOCK;
5464 #else
5465  msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5466  goto err;
5467 #endif
5468  }
5469 
5470  options->management_addr = p[1];
5471  options->management_port = p[2];
5472  if (p[3])
5473  {
5474  options->management_user_pass = p[3];
5475  }
5476  }
5477  else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5478  {
5480  options->management_client_user = p[1];
5481  }
5482  else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5483  {
5485  options->management_client_group = p[1];
5486  }
5487  else if (streq(p[0], "management-query-passwords") && !p[1])
5488  {
5491  }
5492  else if (streq(p[0], "management-query-remote") && !p[1])
5493  {
5495  options->management_flags |= MF_QUERY_REMOTE;
5496  }
5497  else if (streq(p[0], "management-query-proxy") && !p[1])
5498  {
5500  options->management_flags |= MF_QUERY_PROXY;
5501  }
5502  else if (streq(p[0], "management-hold") && !p[1])
5503  {
5505  options->management_flags |= MF_HOLD;
5506  }
5507  else if (streq(p[0], "management-signal") && !p[1])
5508  {
5510  options->management_flags |= MF_SIGNAL;
5511  }
5512  else if (streq(p[0], "management-forget-disconnect") && !p[1])
5513  {
5516  }
5517  else if (streq(p[0], "management-up-down") && !p[1])
5518  {
5520  options->management_flags |= MF_UP_DOWN;
5521  }
5522  else if (streq(p[0], "management-client") && !p[2])
5523  {
5526  options->management_write_peer_info_file = p[1];
5527  }
5528 #ifdef ENABLE_MANAGEMENT
5529  else if (streq(p[0], "management-external-key"))
5530  {
5532  for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5533  {
5534  if (streq(p[j], "nopadding"))
5535  {
5537  }
5538  else if (streq(p[j], "pkcs1"))
5539  {
5541  }
5542  else
5543  {
5544  msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5545  }
5546  }
5547  /*
5548  * When no option is present, assume that only PKCS1
5549  * padding is supported
5550  */
5551  if (!(options->management_flags
5553  {
5555  }
5556  options->management_flags |= MF_EXTERNAL_KEY;
5557  }
5558  else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5559  {
5561  options->management_flags |= MF_EXTERNAL_CERT;
5562  options->management_certificate = p[1];
5563  }
5564  else if (streq(p[0], "management-client-auth") && !p[1])
5565  {
5567  options->management_flags |= MF_CLIENT_AUTH;
5568  }
5569 #endif /* ifdef ENABLE_MANAGEMENT */
5570  else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5571  {
5572  int cache;
5573 
5575  cache = atoi(p[1]);
5576  if (cache < 1)
5577  {
5578  msg(msglevel, "--management-log-cache parameter is out of range");
5579  goto err;
5580  }
5581  options->management_log_history_cache = cache;
5582  }
5583 #endif /* ifdef ENABLE_MANAGEMENT */
5584 #ifdef ENABLE_PLUGIN
5585  else if (streq(p[0], "plugin") && p[1])
5586  {
5588  if (!options->plugin_list)
5589  {
5590  options->plugin_list = plugin_option_list_new(&options->gc);
5591  }
5592  if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5593  {
5594  msg(msglevel, "plugin add failed: %s", p[1]);
5595  goto err;
5596  }
5597  }
5598 #endif
5599  else if (streq(p[0], "mode") && p[1] && !p[2])
5600  {
5602  if (streq(p[1], "p2p"))
5603  {
5604  options->mode = MODE_POINT_TO_POINT;
5605  }
5606  else if (streq(p[1], "server"))
5607  {
5608  options->mode = MODE_SERVER;
5609  }
5610  else
5611  {
5612  msg(msglevel, "Bad --mode parameter: %s", p[1]);
5613  goto err;
5614  }
5615  }
5616  else if (streq(p[0], "dev") && p[1] && !p[2])
5617  {
5619  options->dev = p[1];
5620  }
5621  else if (streq(p[0], "dev-type") && p[1] && !p[2])
5622  {
5624  options->dev_type = p[1];
5625  }
5626 #ifdef _WIN32
5627  else if (streq(p[0], "windows-driver") && p[1] && !p[2])
5628  {
5630  options->windows_driver = parse_windows_driver(p[1], M_FATAL);
5631  }
5632 #endif
5633  else if (streq(p[0], "dev-node") && p[1] && !p[2])
5634  {
5636  options->dev_node = p[1];
5637  }
5638  else if (streq(p[0], "lladdr") && p[1] && !p[2])
5639  {
5641  if (mac_addr_safe(p[1])) /* MAC address only */
5642  {
5643  options->lladdr = p[1];
5644  }
5645  else
5646  {
5647  msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5648  goto err;
5649  }
5650  }
5651  else if (streq(p[0], "topology") && p[1] && !p[2])
5652  {
5654  options->topology = parse_topology(p[1], msglevel);
5655  }
5656  else if (streq(p[0], "tun-ipv6") && !p[1])
5657  {
5658  if (!pull_mode)
5659  {
5660  msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5661  }
5662  }
5663 #ifdef ENABLE_IPROUTE
5664  else if (streq(p[0], "iproute") && p[1] && !p[2])
5665  {
5667  iproute_path = p[1];
5668  }
5669 #endif
5670  else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5671  {
5673  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5674  {
5675  options->ifconfig_local = p[1];
5676  options->ifconfig_remote_netmask = p[2];
5677  }
5678  else
5679  {
5680  msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5681  goto err;
5682  }
5683  }
5684  else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
5685  {
5686  unsigned int netbits;
5687 
5689  if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
5690  && ipv6_addr_safe( p[2] ) )
5691  {
5692  if (netbits < 64 || netbits > 124)
5693  {
5694  msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
5695  goto err;
5696  }
5697 
5698  options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
5699  options->ifconfig_ipv6_netbits = netbits;
5700  options->ifconfig_ipv6_remote = p[2];
5701  }
5702  else
5703  {
5704  msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5705  goto err;
5706  }
5707  }
5708  else if (streq(p[0], "ifconfig-noexec") && !p[1])
5709  {
5711  options->ifconfig_noexec = true;
5712  }
5713  else if (streq(p[0], "ifconfig-nowarn") && !p[1])
5714  {
5716  options->ifconfig_nowarn = true;
5717  }
5718  else if (streq(p[0], "local") && p[1] && !p[2])
5719  {
5721  options->ce.local = p[1];
5722  }
5723  else if (streq(p[0], "remote-random") && !p[1])
5724  {
5726  options->remote_random = true;
5727  }
5728  else if (streq(p[0], "connection") && p[1] && !p[3])
5729  {
5731  if (is_inline)
5732  {
5733  struct options sub;
5734  struct connection_entry *e;
5735 
5736  init_options(&sub, true);
5737  sub.ce = options->ce;
5738  read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
5739