OpenVPN
options.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2008-2024 David Sommerseth <dazo@eurephia.org>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
25 /*
26  * 2004-01-28: Added Socks5 proxy support
27  * (Christof Meerwald, http://cmeerw.org)
28  */
29 
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #endif
33 #ifdef HAVE_CONFIG_VERSION_H
34 #include "config-version.h"
35 #endif
36 
37 #include "syshead.h"
38 
39 #include "buffer.h"
40 #include "error.h"
41 #include "common.h"
42 #include "run_command.h"
43 #include "shaper.h"
44 #include "crypto.h"
45 #include "ssl.h"
46 #include "ssl_ncp.h"
47 #include "options.h"
48 #include "misc.h"
49 #include "socket.h"
50 #include "packet_id.h"
51 #include "pkcs11.h"
52 #include "win32.h"
53 #include "push.h"
54 #include "pool.h"
55 #include "proto.h"
56 #include "helper.h"
57 #include "manage.h"
58 #include "forward.h"
59 #include "ssl_verify.h"
60 #include "platform.h"
61 #include "xkey_common.h"
62 #include "dco.h"
63 #include <ctype.h>
64 
65 #include "memdbg.h"
66 
67 const char title_string[] =
68  PACKAGE_STRING
69 #ifdef CONFIGURE_GIT_REVISION
70  " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
71 #endif
72  " " TARGET_ALIAS
73 #if defined(ENABLE_CRYPTO_MBEDTLS)
74  " [SSL (mbed TLS)]"
75 #elif defined(ENABLE_CRYPTO_OPENSSL)
76  " [SSL (OpenSSL)]"
77 #else
78  " [SSL]"
79 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
80 #ifdef USE_COMP
81 #ifdef ENABLE_LZO
82  " [LZO]"
83 #endif
84 #ifdef ENABLE_LZ4
85  " [LZ4]"
86 #endif
87 #ifdef ENABLE_COMP_STUB
88  " [COMP_STUB]"
89 #endif
90 #endif /* USE_COMP */
91 #if EPOLL
92  " [EPOLL]"
93 #endif
94 #ifdef PRODUCT_TAP_DEBUG
95  " [TAPDBG]"
96 #endif
97 #ifdef ENABLE_PKCS11
98  " [PKCS11]"
99 #endif
100 #if ENABLE_IP_PKTINFO
101 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
102  " [MH/PKTINFO]"
103 #elif defined(IP_RECVDSTADDR)
104  " [MH/RECVDA]"
105 #endif
106 #endif
107  " [AEAD]"
108 #ifdef ENABLE_DCO
109  " [DCO]"
110 #endif
111 #ifdef CONFIGURE_GIT_REVISION
112  " built on " __DATE__
113 #endif
114 ;
115 
116 #ifndef ENABLE_SMALL
117 
118 static const char usage_message[] =
119  "%s\n"
120  "\n"
121  "General Options:\n"
122  "--config file : Read configuration options from file.\n"
123  "--help : Show options.\n"
124  "--version : Show copyright and version information.\n"
125  "\n"
126  "Tunnel Options:\n"
127  "--local host : Local host name or ip address. Implies --bind.\n"
128  "--remote host [port] : Remote host name or ip address.\n"
129  "--remote-random : If multiple --remote options specified, choose one randomly.\n"
130  "--remote-random-hostname : Add a random string to remote DNS name.\n"
131  "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
132  "--proto p : Use protocol p for communicating with peer.\n"
133  " p = udp (default), tcp-server, tcp-client\n"
134  " udp4, tcp4-server, tcp4-client\n"
135  " udp6, tcp6-server, tcp6-client\n"
136  "--proto-force p : only consider protocol p in list of connection profiles.\n"
137  " p = udp or tcp\n"
138  "--connect-retry n [m] : For client, number of seconds to wait between\n"
139  " connection retries (default=%d). On repeated retries\n"
140  " the wait time is exponentially increased to a maximum of m\n"
141  " (default=%d).\n"
142  "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
143  "--http-proxy s p [up] [auth] : Connect to remote host\n"
144  " through an HTTP proxy at address s and port p.\n"
145  " If proxy authentication is required,\n"
146  " up is a file containing username/password on 2 lines, or\n"
147  " 'stdin' to prompt from console. Add auth='ntlm2' if\n"
148  " the proxy requires NTLM authentication.\n"
149  "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
150  " determine auth method and query for username/password\n"
151  " if needed. auto-nct disables weak proxy auth methods.\n"
152  "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
153  " Repeat to set multiple options.\n"
154  " VERSION version (default=1.0)\n"
155  " AGENT user-agent\n"
156  "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
157  " address s and port p (default port = 1080).\n"
158  " If proxy authentication is required,\n"
159  " up is a file containing username/password on 2 lines, or\n"
160  " 'stdin' to prompt for console.\n"
161  "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
162  "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
163  " resolve for n seconds before failing (disabled by default).\n"
164  " Set n=\"infinite\" to retry indefinitely.\n"
165  "--float : Allow remote to change its IP address/port, such as through\n"
166  " DHCP (this is the default if --remote is not used).\n"
167  "--ipchange cmd : Run command cmd on remote ip address initial\n"
168  " setting or change -- execute as: cmd ip-address port#\n"
169  "--port port : TCP/UDP port # for both local and remote.\n"
170  "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
171  "--rport port : TCP/UDP port # for remote (default=%s).\n"
172  "--bind : Bind to local address and port. (This is the default unless\n"
173  " --proto tcp-client"
174  " or --http-proxy"
175  " or --socks-proxy"
176  " is used).\n"
177  "--nobind : Do not bind to local address and port.\n"
178  "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
179  "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
180  " this option only if the tun/tap device used with --dev\n"
181  " does not begin with \"tun\" or \"tap\".\n"
182  "--dev-node node : Explicitly set the device node rather than using\n"
183  " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
184 #if defined(ENABLE_DCO)
185  "--disable-dco : Do not attempt using Data Channel Offload.\n"
186 #endif
187  "--lladdr hw : Set the link layer address of the tap device.\n"
188  "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
189 #ifdef ENABLE_IPROUTE
190  "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
191 #endif
192  "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
193  " endpoint and rn as a remote endpoint. l & rn should be\n"
194  " swapped on the other peer. l & rn must be private\n"
195  " addresses outside of the subnets used by either peer.\n"
196  " TAP: configure device to use IP address l as a local\n"
197  " endpoint and rn as a subnet mask.\n"
198  "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
199  " endpoint (as a /64) and r as remote endpoint\n"
200  "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
201  " pass --ifconfig parms by environment to scripts.\n"
202  "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
203  " connection doesn't match the remote side.\n"
204  "--route network [netmask] [gateway] [metric] :\n"
205  " Add route to routing table after connection\n"
206  " is established. Multiple routes can be specified.\n"
207  " netmask default: 255.255.255.255\n"
208  " gateway default: taken from --route-gateway or --ifconfig\n"
209  " Specify default by leaving blank or setting to \"default\".\n"
210  "--route-ipv6 network/bits [gateway] [metric] :\n"
211  " Add IPv6 route to routing table after connection\n"
212  " is established. Multiple routes can be specified.\n"
213  " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
214  " in --ifconfig-ipv6\n"
215  "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
216  "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
217  "--route-metric m : Specify a default metric for use with --route.\n"
218  "--route-delay n [w] : Delay n seconds after connection initiation before\n"
219  " adding routes (may be 0). If not specified, routes will\n"
220  " be added immediately after tun/tap open. On Windows, wait\n"
221  " up to w seconds for TUN/TAP adapter to come up.\n"
222  "--route-up cmd : Run command cmd after routes are added.\n"
223  "--route-pre-down cmd : Run command cmd before routes are removed.\n"
224  "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
225  " --route-up script using environmental variables.\n"
226  "--route-nopull : When used with --client or --pull, accept options pushed\n"
227  " by server EXCEPT for routes, dns, and dhcp options.\n"
228  "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
229  " --ifconfig, --route, and --route-gateway.\n"
230  "--redirect-gateway [flags]: Automatically execute routing\n"
231  " commands to redirect all outgoing IP traffic through the\n"
232  " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
233  " connected via a common subnet, such as with WiFi.\n"
234  " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
235  " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
236  " flag to add a direct route to DHCP server, bypassing tunnel.\n"
237  " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
238  "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
239  " the default gateway. Useful when pushing private subnets.\n"
240  "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
241  " ICMPv6 host unreachable messages on the client.\n"
242  " (Server) Instead of forwarding IPv6 packets send\n"
243  " ICMPv6 host unreachable packets to the client.\n"
244  "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
245  "--push-peer-info : (client only) push client info to server.\n"
246  "--setenv name value : Set a custom environmental variable to pass to script.\n"
247  "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
248  " directives for future OpenVPN versions to be ignored.\n"
249  "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
250  " these options to be ignored when unknown\n"
251  "--script-security level: Where level can be:\n"
252  " 0 -- strictly no calling of external programs\n"
253  " 1 -- (default) only call built-ins such as ifconfig\n"
254  " 2 -- allow calling of built-ins and scripts\n"
255  " 3 -- allow password to be passed to scripts via env\n"
256  "--shaper n : Restrict output to peer to n bytes per second.\n"
257  "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
258  " ping once every n seconds, restart if ping not received\n"
259  " for m seconds.\n"
260  "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
261  " produces a combined in/out byte count < bytes.\n"
262  "--session-timeout n: Limit connection time to n seconds.\n"
263  "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
264  "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
265  "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
266  " remote address.\n"
267  "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
268 #if ENABLE_IP_PKTINFO
269  "--multihome : Configure a multi-homed UDP server.\n"
270 #endif
271  "--fast-io : Optimize TUN/TAP/UDP writes.\n"
272  "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
273  "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
274  "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
275  "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
276 #if PASSTOS_CAPABILITY
277  "--passtos : TOS passthrough (applies to IPv4 only).\n"
278 #endif
279  "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
280  " TCP/UDP MTU from it (default=%d).\n"
281  "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
282  " as n bytes more than the tun-mtu size on read\n"
283  " (default TUN=0 TAP=%d).\n"
284  "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
285  " from it.\n"
286  "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
287  " 'no' -- Never send DF (Don't Fragment) frames\n"
288  " 'maybe' -- Use per-route hints\n"
289  " 'yes' -- Always DF (Don't Fragment)\n"
290  "--mtu-test : Empirically measure and report MTU.\n"
291 #ifdef ENABLE_FRAGMENT
292  "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
293  " datagrams are sent which are larger than max bytes.\n"
294  " Adds 4 bytes of overhead per datagram.\n"
295 #endif
296  "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
297  " or --fragment max value, whichever is lower.\n"
298  "--sndbuf size : Set the TCP/UDP send buffer size.\n"
299  "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
300 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
301  "--mark value : Mark encrypted packets being sent with value. The mark value\n"
302  " can be matched in policy routing and packetfilter rules.\n"
303  "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
304  " listening for connections. This allows sending encrypted packets\n"
305  " via a VRF present on the system.\n"
306 #endif
307  "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
308 #ifdef ENABLE_MEMSTATS
309  "--memstats file : Write live usage stats to memory mapped binary file.\n"
310 #endif
311  "--mlock : Disable Paging -- ensures key material and tunnel\n"
312  " data will never be written to disk.\n"
313  "--up cmd : Run command cmd after successful tun device open.\n"
314  " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
315  " ifconfig-local-ip ifconfig-remote-ip\n"
316  " (pre --user or --group UID/GID change)\n"
317  "--up-delay : Delay tun/tap open and possible --up script execution\n"
318  " until after TCP/UDP connection establishment with peer.\n"
319  "--down cmd : Run command cmd after tun device close.\n"
320  " (post --user/--group UID/GID change and/or --chroot)\n"
321  " (command parameters are same as --up option)\n"
322  "--down-pre : Run --down command before TUN/TAP close.\n"
323  "--up-restart : Run up/down commands for all restarts including those\n"
324  " caused by --ping-restart or SIGUSR1\n"
325  "--user user : Set UID to user after initialization.\n"
326  "--group group : Set GID to group after initialization.\n"
327  "--chroot dir : Chroot to this directory after initialization.\n"
328 #ifdef ENABLE_SELINUX
329  "--setcon context: Apply this SELinux context after initialization.\n"
330 #endif
331  "--cd dir : Change to this directory before initialization.\n"
332  "--daemon [name] : Become a daemon after initialization.\n"
333  " The optional 'name' parameter will be passed\n"
334  " as the program name to the system logger.\n"
335  "--syslog [name] : Output to syslog, but do not become a daemon.\n"
336  " See --daemon above for a description of the 'name' parm.\n"
337  "--log file : Output log to file which is created/truncated on open.\n"
338  "--log-append file : Append log to file, or create file if nonexistent.\n"
339  "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
340  "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
341  "--writepid file : Write main process ID to file.\n"
342  "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
343  "--echo [parms ...] : Echo parameters to log output.\n"
344  "--verb n : Set output verbosity to n (default=%d):\n"
345  " (Level 3 is recommended if you want a good summary\n"
346  " of what's happening without being swamped by output).\n"
347  " : 0 -- no output except fatal errors\n"
348  " : 1 -- startup info + connection initiated messages +\n"
349  " non-fatal encryption & net errors\n"
350  " : 2,3 -- show TLS negotiations & route info\n"
351  " : 4 -- show parameters\n"
352  " : 5 -- show 'RrWw' chars on console for each packet sent\n"
353  " and received from TCP/UDP (caps) or tun/tap (lc)\n"
354  " : 6 to 11 -- debug messages of increasing verbosity\n"
355  "--mute n : Log at most n consecutive messages in the same category.\n"
356  "--status file [n] : Write operational status to file every n seconds.\n"
357  "--status-version [n] : Choose the status file format version number.\n"
358  " Currently, n can be 1, 2, or 3 (default=1).\n"
359  "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
360 #ifdef ENABLE_DEBUG
361  "--gremlin mask : Special stress testing mode (for debugging only).\n"
362 #endif
363 #if defined(USE_COMP)
364  "--compress alg : Use compression algorithm alg\n"
365  "--allow-compression: Specify whether compression should be allowed\n"
366 #if defined(ENABLE_LZO)
367  "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
368  " packet for incompressible data.\n"
369  "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
370  " is specified.\n"
371 #endif
372 #endif
373 #ifdef ENABLE_MANAGEMENT
374  "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
375  " management functions. pass is a password file\n"
376  " or 'stdin' to prompt from console.\n"
377 #if UNIX_SOCK_SUPPORT
378  " To listen on a unix domain socket, specific the pathname\n"
379  " in place of ip and use 'unix' as the port number.\n"
380 #endif
381  "--management-client : Management interface will connect as a TCP client to\n"
382  " ip/port rather than listen as a TCP server.\n"
383  "--management-query-passwords : Query management channel for private key\n"
384  " and auth-user-pass passwords.\n"
385  "--management-query-proxy : Query management channel for proxy information.\n"
386  "--management-query-remote : Query management channel for --remote directive.\n"
387  "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
388  " of the management interface explicitly starts it.\n"
389  "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
390  "--management-forget-disconnect : Forget passwords when management disconnect\n"
391  " event occurs.\n"
392  "--management-up-down : Report tunnel up/down events to management interface.\n"
393  "--management-log-cache n : Cache n lines of log file history for usage\n"
394  " by the management channel.\n"
395 #if UNIX_SOCK_SUPPORT
396  "--management-client-user u : When management interface is a unix socket, only\n"
397  " allow connections from user u.\n"
398  "--management-client-group g : When management interface is a unix socket, only\n"
399  " allow connections from group g.\n"
400 #endif
401  "--management-client-auth : gives management interface client the responsibility\n"
402  " to authenticate clients after their client certificate\n"
403  " has been verified.\n"
404 #endif /* ifdef ENABLE_MANAGEMENT */
405 #ifdef ENABLE_PLUGIN
406  "--plugin m [str]: Load plug-in module m passing str as an argument\n"
407  " to its initialization function.\n"
408 #endif
409  "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
410  "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
411  "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
412  "\n"
413  "Multi-Client Server options (when --mode server is used):\n"
414  "--server network netmask : Helper option to easily configure server mode.\n"
415  "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
416  "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
417  " easily configure ethernet bridging server mode.\n"
418  "--push \"option\" : Push a config file option back to the peer for remote\n"
419  " execution. Peer must specify --pull in its config file.\n"
420  "--push-reset : Don't inherit global push list for specific\n"
421  " client instance.\n"
422  "--push-remove opt : Remove options matching 'opt' from the push list for\n"
423  " a specific client instance.\n"
424  "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
425  " to be dynamically allocated to connecting clients.\n"
426  "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
427  " data to file, at seconds intervals (default=600).\n"
428  " If seconds=0, file will be treated as read-only.\n"
429  "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
430  " to be dynamically allocated to connecting clients.\n"
431  "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
432  " overrides --ifconfig-pool dynamic allocation.\n"
433  " Only valid in a client-specific config file.\n"
434  "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
435  " remote, overrides --ifconfig-ipv6-pool allocation.\n"
436  " Only valid in a client-specific config file.\n"
437  "--iroute network [netmask] : Route subnet to client.\n"
438  "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
439  " Sets up internal routes only.\n"
440  " Only valid in a client-specific config file.\n"
441  "--disable : Client is disabled.\n"
442  " Only valid in a client-specific config file.\n"
443  "--verify-client-cert [none|optional|require] : perform no, optional or\n"
444  " mandatory client certificate verification.\n"
445  " Default is to require the client to supply a certificate.\n"
446  "--username-as-common-name : For auth-user-pass authentication, use\n"
447  " the authenticated username as the common name,\n"
448  " rather than the common name from the client cert.\n"
449  "--auth-user-pass-verify cmd method: Query client for username/password and\n"
450  " run command cmd to verify. If method='via-env', pass\n"
451  " user/pass via environment, if method='via-file', pass\n"
452  " user/pass via temporary file.\n"
453  "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
454  " to each client, replacing the password. Useful when\n"
455  " OTP based two-factor auth mechanisms are in use and\n"
456  " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
457  " for generated tokens can be set.\n"
458  "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
459  " with those of the server will be disconnected.\n"
460  "--auth-user-pass-optional : Allow connections by clients that don't\n"
461  " specify a username/password.\n"
462  "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
463  " any printable character.\n"
464  "--client-to-client : Internally route client-to-client traffic.\n"
465  "--duplicate-cn : Allow multiple clients with the same common name to\n"
466  " concurrently connect.\n"
467  "--client-connect cmd : Run command cmd on client connection.\n"
468  "--client-disconnect cmd : Run command cmd on client disconnection.\n"
469  "--client-config-dir dir : Directory for custom client config files.\n"
470  "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
471  "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
472  "--hash-size r v : Set the size of the real address hash table to r and the\n"
473  " virtual address table to v.\n"
474  "--bcast-buffers n : Allocate n broadcast buffers.\n"
475  "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
476  "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
477  " as well as pushes it to connecting clients.\n"
478  "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
479  "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
480  "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
481  "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
482  "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
483  "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
484  " older than n seconds. Run this check every t\n"
485  " seconds (defaults to n).\n"
486  "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
487  " clients. n = 1 - reconnect to same server,\n"
488  " 2 - advance to next server, default=1.\n"
489 #if PORT_SHARE
490  "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
491  " sessions to a web server at host:port. dir specifies an\n"
492  " optional directory to write origin IP:port data.\n"
493 #endif
494  "\n"
495  "Client options (when connecting to a multi-client server):\n"
496  "--client : Helper option to easily configure client mode.\n"
497  "--auth-user-pass [up] : Authenticate with server using username/password.\n"
498  " up is a file containing the username on the first line,\n"
499  " and a password on the second. If either the password or both\n"
500  " the username and the password are omitted OpenVPN will prompt\n"
501  " for them from console.\n"
502  "--pull : Accept certain config file options from the peer as if they\n"
503  " were part of the local config file. Must be specified\n"
504  " when connecting to a '--mode server' remote host.\n"
505  "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
506  " server if it starts with the text t. The action flag accept,\n"
507  " ignore or reject causes the option to be allowed, removed or\n"
508  " rejected with error. May be specified multiple times, and\n"
509  " each filter is applied in the order of appearance.\n"
510  "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
511  " Valid options are :\n"
512  " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
513  " resolve-domains <domain> [domain ...] : split domains\n"
514  " dnssec <yes|no|optional> : option to use DNSSEC\n"
515  " type <DoH|DoT> : query server over HTTPS / TLS\n"
516  " sni <domain> : DNS server name indication\n"
517  "--dns search-domains <domain> [domain ...]:\n"
518  " Add domains to DNS domain search list\n"
519  "--auth-retry t : How to handle auth failures. Set t to\n"
520  " none (default), interact, or nointeract.\n"
521  "--static-challenge t e : Enable static challenge/response protocol using\n"
522  " challenge text t, with e indicating echo flag (0|1)\n"
523  "--connect-timeout n : when polling possible remote servers to connect to\n"
524  " in a round-robin fashion, spend no more than n seconds\n"
525  " waiting for a response before trying the next server.\n"
526  "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
527  " incoming tun packets with same destination as host.\n"
528  "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
529  " server/remote. n = # of retries, default=1.\n"
530  "\n"
531  "Data Channel Encryption Options (must be compatible between peers):\n"
532  "(These options are meaningful for both Static Key & TLS-mode)\n"
533  "--auth alg : Authenticate packets with HMAC using message\n"
534  " digest algorithm alg (default=%s).\n"
535  " (usually adds 16 or 20 bytes per packet)\n"
536  " Set alg=none to disable authentication.\n"
537  "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
538  " You should usually use --data-ciphers instead.\n"
539  " Set alg=none to disable encryption.\n"
540  "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
541 #ifndef ENABLE_CRYPTO_MBEDTLS
542  "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
543 #endif
544  "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
545  "--replay-window n [t] : Use a replay protection sliding window of size n\n"
546  " and a time window of t seconds.\n"
547  " Default n=%d t=%d\n"
548  "--replay-persist file : Persist replay-protection state across sessions\n"
549  " using file.\n"
550  "--test-crypto : Run a self-test of crypto features enabled.\n"
551  " For debugging only.\n"
552 #ifdef ENABLE_PREDICTION_RESISTANCE
553  "--use-prediction-resistance: Enable prediction resistance on the random\n"
554  " number generator.\n"
555 #endif
556  "\n"
557  "TLS Key Negotiation Options:\n"
558  "(These options are meaningful only for TLS-mode)\n"
559  "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
560  "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
561  "--ca file : Certificate authority file in .pem format containing\n"
562  " root certificate.\n"
563 #ifndef ENABLE_CRYPTO_MBEDTLS
564  "--capath dir : A directory of trusted certificates (CAs"
565  " and CRLs).\n"
566 #endif /* ENABLE_CRYPTO_MBEDTLS */
567  "--dh file : File containing Diffie Hellman parameters\n"
568  " in .pem format (for --tls-server only).\n"
569  " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
570  "--cert file : Local certificate in .pem format -- must be signed\n"
571  " by a Certificate Authority in --ca file.\n"
572  "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
573  "--key file : Local private key in .pem format.\n"
574  "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
575  " will accept from the peer. If version is unrecognized and 'or-highest'\n"
576  " is specified, require max TLS version supported by SSL implementation.\n"
577  "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
578 #ifndef ENABLE_CRYPTO_MBEDTLS
579  "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
580  " and optionally the root CA certificate.\n"
581 #endif
582 #ifdef ENABLE_X509ALTUSERNAME
583  "--x509-username-field : Field in x509 certificate containing the username.\n"
584  " Default is CN in the Subject field.\n"
585 #endif
586  "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
587  " Valid algo flags are SHA1 and SHA256. \n"
588 #ifdef _WIN32
589  "--cryptoapicert select-string : Load the certificate and private key from the\n"
590  " Windows Certificate System Store.\n"
591 #endif
592  "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
593  "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
594  " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
595  "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
596  " (default=legacy).\n"
597  "--providers l : A list l of OpenSSL providers to load.\n"
598  "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
599  " if no ACK from remote within n seconds (default=%d).\n"
600  "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
601  "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
602  "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
603  " and at least min (defaults to 90%% of max on servers and equal\n"
604  " to max on clients).\n"
605  "--hand-window n : Data channel key exchange must finalize within n seconds\n"
606  " of handshake initiation by any peer (default=%d).\n"
607  "--tran-window n : Transition window -- old key can live this many seconds\n"
608  " after new key renegotiation begins (default=%d).\n"
609  "--single-session: Allow only one session (reset state on restart).\n"
610  "--tls-exit : Exit on TLS negotiation failure.\n"
611  "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
612  " control channel to protect against attacks on the TLS stack\n"
613  " and DoS attacks.\n"
614  " f (required) is a shared-secret key file.\n"
615  " The optional d parameter controls key directionality.\n"
616  "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
617  " of the TLS control channel to hide the TLS certificate,\n"
618  " provide basic post-quantum security and protect against\n"
619  " attacks on the TLS stack and DoS attacks.\n"
620  " key (required) provides the pre-shared key file.\n"
621  "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
622  " For servers: use key to decrypt client-specific keys. For\n"
623  " key generation (--genkey tls-crypt-v2-client): use key to\n"
624  " encrypt generated client-specific key. (See --tls-crypt.)\n"
625  "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
626  " fresh tls-crypt-v2 client key, and store to\n"
627  " keyfile. If supplied, include metadata in wrapped key.\n"
628  "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
629  " fresh tls-crypt-v2 server key, and store to keyfile\n"
630  "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
631  " client-supplied tls-crypt-v2 client key\n"
632  "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
633  "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
634  "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
635  "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
636  " pending TLS connection that has otherwise passed all other\n"
637  " tests of certification. cmd should return 0 to allow\n"
638  " TLS handshake to proceed, or 1 to fail. (cmd is\n"
639  " executed as 'cmd certificate_depth subject')\n"
640  "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
641  " DN name. The remote host must also pass all other tests\n"
642  " of verification.\n"
643 #ifndef ENABLE_CRYPTO_MBEDTLS
644  "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
645  " an explicit nsCertType designation t = 'client' | 'server'.\n"
646 #endif
647  "--x509-track x : Save peer X509 attribute x in environment for use by\n"
648  " plugins and management interface.\n"
649 #ifdef HAVE_EXPORT_KEYING_MATERIAL
650  "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
651  " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
652 #endif
653  "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
654  " explicit key usage, you can specify more than one value.\n"
655  " value should be given in hex format.\n"
656  "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
657  " explicit extended key usage. Extended key usage can be encoded\n"
658  " as an object identifier or OpenSSL string representation.\n"
659  "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
660  " key usage and extended key usage based on RFC3280 TLS rules.\n"
661  " t = 'client' | 'server'.\n"
662 #ifdef ENABLE_PKCS11
663  "\n"
664  "PKCS#11 Options:\n"
665  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
666  "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
667  " path. Set for each provider.\n"
668  "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
669  " 0 : Try to determine automatically (default).\n"
670  " 1 : Use Sign.\n"
671  " 2 : Use SignRecover.\n"
672  " 4 : Use Decrypt.\n"
673  " 8 : Use Unwrap.\n"
674  "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
675  " certificate can be accessed. Set for each provider.\n"
676  "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
677  " cache until token is removed.\n"
678  "--pkcs11-id-management : Acquire identity from management interface.\n"
679  "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
680 #endif /* ENABLE_PKCS11 */
681  "\n"
682  "SSL Library information:\n"
683  "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
684  "--show-digests : Show message digest algorithms to use with --auth option.\n"
685  "--show-engines : Show hardware crypto accelerator engines (if available).\n"
686  "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
687 #ifdef _WIN32
688  "\n"
689  "Windows Specific:\n"
690  "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
691  " from SystemRoot environment variable.\n"
692  "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
693  " IP address using method = manual, netsh, ipapi,\n"
694  " dynamic, or adaptive (default = adaptive).\n"
695  " Dynamic method allows two optional parameters:\n"
696  " offset: DHCP server address offset (> -256 and < 256).\n"
697  " If 0, use network address, if >0, take nth\n"
698  " address forward from network address, if <0,\n"
699  " take nth address backward from broadcast\n"
700  " address.\n"
701  " Default is 0.\n"
702  " lease-time: Lease time in seconds.\n"
703  " Default is one year.\n"
704  "--route-method : Which method to use for adding routes on Windows?\n"
705  " adaptive (default) -- Try ipapi then fall back to exe.\n"
706  " ipapi -- Use IP helper API.\n"
707  " exe -- Call the route.exe shell command.\n"
708  "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
709  " be used with --ip-win32 dynamic. For options\n"
710  " which allow multiple addresses,\n"
711  " --dhcp-option must be repeated.\n"
712  " DOMAIN name : Set DNS suffix\n"
713  " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
714  " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
715  " NTP : Set NTP server address(es)\n"
716  " NBDD : Set NBDD server address(es)\n"
717  " WINS addr : Set WINS server address(es)\n"
718  " NBT type : Set NetBIOS over TCP/IP Node type\n"
719  " 1: B, 2: P, 4: M, 8: H\n"
720  " NBS id : Set NetBIOS scope ID\n"
721  " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
722  "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
723  "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
724  " startup.\n"
725  "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
726  " on connection initiation.\n"
727  "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
728  " attempting to set adapter properties.\n"
729  "--pause-exit : When run from a console window, pause before exiting.\n"
730  "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
731  " service, and should not be used directly by end-users.\n"
732  " ex is the name of an event object which, when\n"
733  " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
734  " optional parameter controls the initial state of ex.\n"
735  "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
736  " after TAP adapter is up and routes have been added.\n"
737  "--windows-driver : Which tun driver to use?\n"
738  " ovpn-dco (default)\n"
739  " tap-windows6\n"
740  " wintun\n"
741  "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
742  "Windows Standalone Options:\n"
743  "\n"
744  "--show-adapters : Show all TAP-Windows adapters.\n"
745  "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
746  "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
747  "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
748  " to access TAP adapter.\n"
749 #endif /* ifdef _WIN32 */
750  "\n"
751  "Generate a new key :\n"
752  "--genkey tls-auth file : Generate a new random key of type and write to file\n"
753  " (for use with --tls-auth or --tls-crypt)."
754 #ifdef ENABLE_FEATURE_TUN_PERSIST
755  "\n"
756  "Tun/tap config mode (available with linux 2.4+):\n"
757  "--mktun : Create a persistent tunnel.\n"
758  "--rmtun : Remove a persistent tunnel.\n"
759  "--dev tunX|tapX : tun/tap device\n"
760  "--dev-type dt : Device type. See tunnel options above for details.\n"
761  "--user user : User to set privilege to.\n"
762  "--group group : Group to set privilege to.\n"
763 #endif
764 #ifdef ENABLE_PKCS11
765  "\n"
766  "PKCS#11 standalone options:\n"
767 #ifdef DEFAULT_PKCS11_MODULE
768  "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
769 #else
770  "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
771 #endif
772  " --verb option can be added *BEFORE* this.\n"
773 #endif /* ENABLE_PKCS11 */
774  "\n"
775  "General Standalone Options:\n"
776 #ifdef ENABLE_DEBUG
777  "--show-gateway : Show info about default gateway.\n"
778 #endif
779 ;
780 
781 #endif /* !ENABLE_SMALL */
782 
783 /*
784  * This is where the options defaults go.
785  * Any option not explicitly set here
786  * will be set to 0.
787  */
788 void
789 init_options(struct options *o, const bool init_gc)
790 {
791  CLEAR(*o);
792  if (init_gc)
793  {
794  gc_init(&o->gc);
795  gc_init(&o->dns_options.gc);
796  o->gc_owned = true;
797  }
798  o->mode = MODE_POINT_TO_POINT;
799  o->topology = TOP_UNDEF;
800  o->ce.proto = PROTO_UDP;
801  o->ce.af = AF_UNSPEC;
802  o->ce.bind_ipv6_only = false;
803  o->ce.connect_retry_seconds = 1;
804  o->ce.connect_retry_seconds_max = 300;
805  o->ce.connect_timeout = 120;
806  o->connect_retry_max = 0;
807  o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
808  o->verbosity = 1;
809  o->status_file_update_freq = 60;
810  o->status_file_version = 1;
811  o->ce.bind_local = true;
812  o->ce.tun_mtu = TUN_MTU_DEFAULT;
813  o->ce.occ_mtu = 0;
814  o->ce.link_mtu = LINK_MTU_DEFAULT;
815  o->ce.tls_mtu = TLS_MTU_DEFAULT;
816  o->ce.mtu_discover_type = -1;
817  o->ce.mssfix = 0;
818  o->ce.mssfix_default = true;
819  o->ce.mssfix_encap = true;
820  o->route_delay_window = 30;
821  o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
822  o->resolve_in_advance = false;
823  o->proto_force = -1;
824  o->occ = true;
825 #ifdef ENABLE_MANAGEMENT
826  o->management_log_history_cache = 250;
827  o->management_echo_buffer_size = 100;
828  o->management_state_buffer_size = 100;
829 #endif
830 #ifdef ENABLE_FEATURE_TUN_PERSIST
831  o->persist_mode = 1;
832 #endif
833 #ifdef _WIN32
834 #if 0
835  o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
836 #else
837  o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
838 #endif
839  o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
840  o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
841  o->route_method = ROUTE_METHOD_ADAPTIVE;
842  o->block_outside_dns = false;
843  o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
844 #endif
845  o->vlan_accept = VLAN_ALL;
846  o->vlan_pvid = 1;
847  o->real_hash_size = 256;
848  o->virtual_hash_size = 256;
849  o->n_bcast_buf = 256;
850  o->tcp_queue_limit = 64;
851  o->max_clients = 1024;
852  o->cf_initial_per = 10;
853  o->cf_initial_max = 100;
854  o->max_routes_per_client = 256;
855  o->stale_routes_check_interval = 0;
856  o->ifconfig_pool_persist_refresh_freq = 600;
857  o->scheduled_exit_interval = 5;
858  o->authname = "SHA1";
859  o->replay_window = DEFAULT_SEQ_BACKTRACK;
860  o->replay_time = DEFAULT_TIME_BACKTRACK;
861  o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
862 #ifdef ENABLE_PREDICTION_RESISTANCE
863  o->use_prediction_resistance = false;
864 #endif
865  o->tls_timeout = 2;
866  o->renegotiate_bytes = -1;
867  o->renegotiate_seconds = 3600;
868  o->renegotiate_seconds_min = -1;
869  o->handshake_window = 60;
870  o->transition_window = 3600;
871  o->tls_cert_profile = NULL;
872  o->ecdh_curve = NULL;
873 #ifdef ENABLE_X509ALTUSERNAME
874  o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
875 #endif
876 #ifdef ENABLE_PKCS11
877  o->pkcs11_pin_cache_period = -1;
878 #endif /* ENABLE_PKCS11 */
879 
880 /* P2MP server context features */
881  o->auth_token_generate = false;
882 
883  /* Set default --tmp-dir */
884 #ifdef _WIN32
885  /* On Windows, find temp dir via environment variables */
886  o->tmp_dir = win_get_tempdir();
887 
888  if (!o->tmp_dir)
889  {
890  /* Error out if we can't find a valid temporary directory, which should
891  * be very unlikely. */
892  msg(M_USAGE, "Could not find a suitable temporary directory."
893  " (GetTempPath() failed). Consider using --tmp-dir");
894  }
895 #else /* ifdef _WIN32 */
896  /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
897  o->tmp_dir = getenv("TMPDIR");
898  if (!o->tmp_dir)
899  {
900  o->tmp_dir = "/tmp";
901  }
902 #endif /* _WIN32 */
903  o->allow_recursive_routing = false;
904 
905 #ifndef ENABLE_DCO
906  o->tuntap_options.disable_dco = true;
907 #endif /* ENABLE_DCO */
908 }
909 
910 void
911 uninit_options(struct options *o)
912 {
913  if (o->connection_list)
914  {
915  CLEAR(*o->connection_list);
916  }
917  if (o->remote_list)
918  {
919  CLEAR(*o->remote_list);
920  }
921  if (o->gc_owned)
922  {
923  gc_free(&o->gc);
924  gc_free(&o->dns_options.gc);
925  }
926 }
927 
928 struct pull_filter
929 {
930 #define PUF_TYPE_UNDEF 0
931 #define PUF_TYPE_ACCEPT 1
932 #define PUF_TYPE_IGNORE 2
933 #define PUF_TYPE_REJECT 3
934  int type;
935  int size;
936  char *pattern;
937  struct pull_filter *next;
938 };
939 
940 struct pull_filter_list
941 {
942  struct pull_filter *head;
943  struct pull_filter *tail;
944 };
945 
946 #ifndef ENABLE_SMALL
947 
948 static const char *
949 pull_filter_type_name(int type)
950 {
951  if (type == PUF_TYPE_ACCEPT)
952  {
953  return "accept";
954  }
955  if (type == PUF_TYPE_IGNORE)
956  {
957  return "ignore";
958  }
959  if (type == PUF_TYPE_REJECT)
960  {
961  return "reject";
962  }
963  else
964  {
965  return "???";
966  }
967 }
968 
969 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
970 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
971 #define SHOW_STR_INLINE(var) SHOW_PARM(var, \
972  o->var ## _inline ? "[INLINE]" : \
973  (o->var ? o->var : "[UNDEF]"), \
974  "'%s'")
975 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
976 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
977 #define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
978 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
979 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
980 
981 #endif /* ifndef ENABLE_SMALL */
982 
983 static void
984 setenv_connection_entry(struct env_set *es,
985  const struct connection_entry *e,
986  const int i)
987 {
988  setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
989  setenv_str_i(es, "local", e->local, i);
990  setenv_str_i(es, "local_port", e->local_port, i);
991  setenv_str_i(es, "remote", e->remote, i);
992  setenv_str_i(es, "remote_port", e->remote_port, i);
993 
994  if (e->http_proxy_options)
995  {
996  setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
997  setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
998  }
999  if (e->socks_proxy_server)
1000  {
1001  setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
1002  setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
1003  }
1004 }
1005 
1006 void
1007 setenv_settings(struct env_set *es, const struct options *o)
1008 {
1009  setenv_str(es, "config", o->config);
1010  setenv_int(es, "verb", o->verbosity);
1011  setenv_int(es, "daemon", o->daemon);
1012  setenv_int(es, "daemon_log_redirect", o->log);
1013  setenv_long_long(es, "daemon_start_time", time(NULL));
1014  setenv_int(es, "daemon_pid", platform_getpid());
1015 
1016  if (o->connection_list)
1017  {
1018  int i;
1019  for (i = 0; i < o->connection_list->len; ++i)
1020  {
1021  setenv_connection_entry(es, o->connection_list->array[i], i+1);
1022  }
1023  }
1024  else
1025  {
1026  setenv_connection_entry(es, &o->ce, 1);
1027  }
1028 
1029  if (!o->pull)
1030  {
1031  setenv_dns_options(&o->dns_options, es);
1032  }
1033 }
1034 
1035 #ifndef _WIN32
1036 static void
1037 setenv_foreign_option(struct options *o, const char *argv[], int len, struct env_set *es)
1038 {
1039  if (len > 0)
1040  {
1041  struct gc_arena gc = gc_new();
1042  struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1043  struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1044  int i;
1045  bool first = true;
1046  bool good = true;
1047 
1048  good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
1049  ++o->foreign_option_index;
1050  for (i = 0; i < len; ++i)
1051  {
1052  if (argv[i])
1053  {
1054  if (!first)
1055  {
1056  good &= buf_printf(&value, " ");
1057  }
1058  good &= buf_printf(&value, "%s", argv[i]);
1059  first = false;
1060  }
1061  }
1062  if (good)
1063  {
1064  setenv_str(es, BSTR(&name), BSTR(&value));
1065  }
1066  else
1067  {
1068  msg(M_WARN, "foreign_option: name/value overflow");
1069  }
1070  gc_free(&gc);
1071  }
1072 }
1073 #endif /* ifndef _WIN32 */
1074 
1075 static in_addr_t
1076 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1077 {
1078  unsigned int flags = GETADDR_HOST_ORDER;
1079  bool succeeded = false;
1080  in_addr_t ret;
1081 
1082  if (msglevel & M_FATAL)
1083  {
1084  flags |= GETADDR_FATAL;
1085  }
1086 
1087  ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1088  if (!succeeded && error)
1089  {
1090  *error = true;
1091  }
1092  return ret;
1093 }
1094 
1100 static char *
1101 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1102 {
1103  const char *end = strchr(addr, '/');
1104  char *ret = NULL;
1105  if (NULL == end)
1106  {
1107  ret = string_alloc(addr, gc);
1108  }
1109  else
1110  {
1111  size_t len = end - addr;
1112  ret = gc_malloc(len + 1, true, gc);
1113  memcpy(ret, addr, len);
1114  }
1115  return ret;
1116 }
1117 
1118 static bool
1119 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1120 {
1121  struct in6_addr t_addr;
1122  unsigned int t_bits;
1123 
1124  return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1125 }
1126 
1127 static char *
1128 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1129 {
1130  char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1131  char *dest = ret;
1132  char c;
1133 
1134  do
1135  {
1136  c = *src++;
1137  if (c == from)
1138  {
1139  c = to;
1140  }
1141  *dest++ = c;
1142  }
1143  while (c);
1144  return ret;
1145 }
1146 
1156 static struct verify_hash_list *
1157 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1158 {
1159  int i = 0;
1160  const char *cp = str;
1161 
1162  struct verify_hash_list *ret;
1163  ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1164 
1165  char term = 0;
1166  unsigned int byte;
1167 
1168  while (*cp && i < nbytes)
1169  {
1170  /* valid segments consist of exactly two hex digits, then ':' or EOS */
1171  if (!isxdigit(cp[0])
1172  || !isxdigit(cp[1])
1173  || (cp[2] != ':' && cp[2] != '\0')
1174  || sscanf(cp, "%x", &byte) != 1)
1175  {
1176  msg(msglevel, "format error in hash fingerprint: %s", str);
1177  break;
1178  }
1179 
1180  ret->hash[i++] = (uint8_t)byte;
1181 
1182  term = cp[2];
1183  if (term == '\0')
1184  {
1185  break;
1186  }
1187  cp += 3;
1188  }
1189  if (i < nbytes)
1190  {
1191  msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1192  }
1193  else if (term != '\0')
1194  {
1195  msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1196  }
1197  return ret;
1198 }
1199 
1210 static struct verify_hash_list *
1211 parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1212  struct gc_arena *gc)
1213 {
1214  struct gc_arena gc_temp = gc_new();
1215  char *lines = string_alloc(str, &gc_temp);
1216 
1217  struct verify_hash_list *ret = NULL;
1218 
1219  const char *line;
1220  while ((line = strsep(&lines, "\n")))
1221  {
1222  /* ignore leading whitespace */
1223  while (isspace(*line))
1224  {
1225  line++;
1226  }
1227  /* skip empty lines and comment lines */
1228  if (strlen(line) == 0 || *line == '#' || *line == ';')
1229  {
1230  continue;
1231  }
1232 
1233  struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1234  msglevel, gc);
1235 
1236  if (!hash)
1237  {
1238  gc_free(&gc_temp);
1239  return NULL;
1240  }
1241 
1242  hash->next = ret;
1243  ret = hash;
1244  }
1245  gc_free(&gc_temp);
1246 
1247  return ret;
1248 }
1249 #ifdef _WIN32
1250 
1251 #ifndef ENABLE_SMALL
1252 
1253 static void
1254 show_dhcp_option_list(const char *name, const char *const *array, int len)
1255 {
1256  int i;
1257  for (i = 0; i < len; ++i)
1258  {
1259  msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1260  }
1261 }
1262 
1263 static void
1264 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1265 {
1266  struct gc_arena gc = gc_new();
1267  int i;
1268  for (i = 0; i < len; ++i)
1269  {
1270  msg(D_SHOW_PARMS, " %s[%d] = %s",
1271  name,
1272  i,
1273  print_in_addr_t(array[i], 0, &gc));
1274  }
1275  gc_free(&gc);
1276 }
1277 
1278 static void
1279 show_tuntap_options(const struct tuntap_options *o)
1280 {
1281  SHOW_BOOL(ip_win32_defined);
1282  SHOW_INT(ip_win32_type);
1283  SHOW_INT(dhcp_masq_offset);
1284  SHOW_INT(dhcp_lease_time);
1285  SHOW_INT(tap_sleep);
1286  SHOW_UNSIGNED(dhcp_options);
1287  SHOW_BOOL(dhcp_renew);
1288  SHOW_BOOL(dhcp_pre_release);
1289  SHOW_STR(domain);
1290  SHOW_STR(netbios_scope);
1291  SHOW_INT(netbios_node_type);
1292  SHOW_BOOL(disable_nbt);
1293 
1294  show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1295  show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1296  show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1297  show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1298  show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1299 }
1300 
1301 #endif /* ifndef ENABLE_SMALL */
1302 #endif /* ifdef _WIN32 */
1303 
1304 #if defined(_WIN32) || defined(TARGET_ANDROID)
1305 static void
1306 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1307 {
1308  struct in6_addr addr;
1309  if (*len >= N_DHCP_ADDR)
1310  {
1311  msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1312  N_DHCP_ADDR);
1313  }
1314  else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1315  {
1316  dns6_list[(*len)++] = addr;
1317  }
1318 }
1319 static void
1320 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1321 {
1322  if (*len >= N_DHCP_ADDR)
1323  {
1324  msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1325  name,
1326  N_DHCP_ADDR,
1327  name);
1328  }
1329  else
1330  {
1331  if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1332  {
1333  bool error = false;
1334  const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1335  if (!error)
1336  {
1337  array[(*len)++] = addr;
1338  }
1339  }
1340  else
1341  {
1342  msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1343  }
1344  }
1345 }
1346 
1347 /*
1348  * If DNS options are set use these for TUN/TAP options as well.
1349  * Applies to DNS, DNS6 and DOMAIN-SEARCH.
1350  * Existing options will be discarded.
1351  */
1352 static void
1353 tuntap_options_copy_dns(struct options *o)
1354 {
1355  struct tuntap_options *tt = &o->tuntap_options;
1356  struct dns_options *dns = &o->dns_options;
1357 
1358  if (dns->search_domains)
1359  {
1360  tt->domain_search_list_len = 0;
1361  const struct dns_domain *domain = dns->search_domains;
1362  while (domain && tt->domain_search_list_len < N_SEARCH_LIST_LEN)
1363  {
1364  tt->domain_search_list[tt->domain_search_list_len++] = domain->name;
1365  domain = domain->next;
1366  }
1367  if (domain)
1368  {
1369  msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to --dhcp-option");
1370  }
1371  tt->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
1372  }
1373 
1374  if (dns->servers)
1375  {
1376  tt->dns_len = 0;
1377  tt->dns6_len = 0;
1378  bool overflow = false;
1379  const struct dns_server *server = dns->servers;
1380  while (server)
1381  {
1382  for (int i = 0; i < server->addr_count; ++i)
1383  {
1384  if (server->addr[i].family == AF_INET)
1385  {
1386  if (tt->dns_len >= N_DHCP_ADDR)
1387  {
1388  overflow = true;
1389  continue;
1390  }
1391  tt->dns[tt->dns_len++] = server->addr[i].in.a4.s_addr;
1392  }
1393  else
1394  {
1395  if (tt->dns6_len >= N_DHCP_ADDR)
1396  {
1397  overflow = true;
1398  continue;
1399  }
1400  tt->dns6[tt->dns6_len++] = server->addr[i].in.a6;
1401  }
1402  }
1403  server = server->next;
1404  }
1405  if (overflow)
1406  {
1407  msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to --dhcp-option");
1408  }
1409  tt->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
1410  }
1411 }
1412 #else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1413 static void
1414 foreign_options_copy_dns(struct options *o, struct env_set *es)
1415 {
1416  const struct dns_domain *domain = o->dns_options.search_domains;
1417  const struct dns_server *server = o->dns_options.servers;
1418  if (!domain && !server)
1419  {
1420  return;
1421  }
1422 
1423  /* reset the index since we're starting all over again */
1424  int opt_max = o->foreign_option_index;
1425  o->foreign_option_index = 0;
1426 
1427  for (int i = 1; i <= opt_max; ++i)
1428  {
1429  char name[32];
1430  snprintf(name, sizeof(name), "foreign_option_%d", i);
1431 
1432  const char *env_str = env_set_get(es, name);
1433  const char *value = strchr(env_str, '=') + 1;
1434  if ((domain && strstr(value, "dhcp-option DOMAIN-SEARCH") == value)
1435  || (server && strstr(value, "dhcp-option DNS") == value))
1436  {
1437  setenv_del(es, name);
1438  }
1439  else
1440  {
1441  setenv_foreign_option(o, &value, 1, es);
1442  }
1443  }
1444 
1445  struct gc_arena gc = gc_new();
1446 
1447  while (server)
1448  {
1449  for (int i = 0; i < server->addr_count; ++i)
1450  {
1451  if (server->addr[i].family == AF_INET)
1452  {
1453  const char *argv[] = {
1454  "dhcp-option",
1455  "DNS",
1456  print_in_addr_t(server->addr[i].in.a4.s_addr, 0, &gc)
1457  };
1458  setenv_foreign_option(o, argv, 3, es);
1459  }
1460  else
1461  {
1462  const char *argv[] = {
1463  "dhcp-option",
1464  "DNS6",
1465  print_in6_addr(server->addr[i].in.a6, 0, &gc)
1466  };
1467  setenv_foreign_option(o, argv, 3, es);
1468  }
1469  }
1470  server = server->next;
1471  }
1472  while (domain)
1473  {
1474  const char *argv[] = { "dhcp-option", "DOMAIN-SEARCH", domain->name };
1475  setenv_foreign_option(o, argv, 3, es);
1476  domain = domain->next;
1477  }
1478 
1479  gc_free(&gc);
1480 
1481  /* remove old leftover entries */
1482  while (o->foreign_option_index < opt_max)
1483  {
1484  char name[32];
1485  snprintf(name, sizeof(name), "foreign_option_%d", opt_max--);
1486  setenv_del(es, name);
1487  }
1488 }
1489 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1490 
1491 #ifndef ENABLE_SMALL
1492 static const char *
1493 print_vlan_accept(enum vlan_acceptable_frames mode)
1494 {
1495  switch (mode)
1496  {
1497  case VLAN_ONLY_TAGGED:
1498  return "tagged";
1499 
1500  case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1501  return "untagged";
1502 
1503  case VLAN_ALL:
1504  return "all";
1505  }
1506  return NULL;
1507 }
1508 
1509 static void
1510 show_p2mp_parms(const struct options *o)
1511 {
1512  struct gc_arena gc = gc_new();
1513 
1514  msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1515  msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1516  msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1517  SHOW_INT(server_netbits_ipv6);
1518  msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1519  msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1520  msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1521  msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1522  if (o->push_list.head)
1523  {
1524  const struct push_entry *e = o->push_list.head;
1525  while (e)
1526  {
1527  if (e->enable)
1528  {
1529  msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1530  }
1531  e = e->next;
1532  }
1533  }
1534  SHOW_BOOL(ifconfig_pool_defined);
1535  msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1536  msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1537  msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1538  SHOW_STR(ifconfig_pool_persist_filename);
1539  SHOW_INT(ifconfig_pool_persist_refresh_freq);
1540  SHOW_BOOL(ifconfig_ipv6_pool_defined);
1541  msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1542  SHOW_INT(ifconfig_ipv6_pool_netbits);
1543  SHOW_INT(n_bcast_buf);
1544  SHOW_INT(tcp_queue_limit);
1545  SHOW_INT(real_hash_size);
1546  SHOW_INT(virtual_hash_size);
1547  SHOW_STR(client_connect_script);
1548  SHOW_STR(learn_address_script);
1549  SHOW_STR(client_disconnect_script);
1550  SHOW_STR(client_crresponse_script);
1551  SHOW_STR(client_config_dir);
1552  SHOW_BOOL(ccd_exclusive);
1553  SHOW_STR(tmp_dir);
1554  SHOW_BOOL(push_ifconfig_defined);
1555  msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1556  msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1557  SHOW_BOOL(push_ifconfig_ipv6_defined);
1558  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1559  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1560  SHOW_BOOL(enable_c2c);
1561  SHOW_BOOL(duplicate_cn);
1562  SHOW_INT(cf_max);
1563  SHOW_INT(cf_per);
1564  SHOW_INT(cf_initial_max);
1565  SHOW_INT(cf_initial_per);
1566  SHOW_INT(max_clients);
1567  SHOW_INT(max_routes_per_client);
1568  SHOW_STR(auth_user_pass_verify_script);
1569  SHOW_BOOL(auth_user_pass_verify_script_via_file);
1570  SHOW_BOOL(auth_token_generate);
1571  SHOW_BOOL(force_key_material_export);
1572  SHOW_INT(auth_token_lifetime);
1573  SHOW_STR_INLINE(auth_token_secret_file);
1574 #if PORT_SHARE
1575  SHOW_STR(port_share_host);
1576  SHOW_STR(port_share_port);
1577 #endif
1578  SHOW_BOOL(vlan_tagging);
1579  msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1580  SHOW_INT(vlan_pvid);
1581 
1582  SHOW_BOOL(client);
1583  SHOW_BOOL(pull);
1584  SHOW_STR_INLINE(auth_user_pass_file);
1585 
1586  gc_free(&gc);
1587 }
1588 
1589 #endif /* ! ENABLE_SMALL */
1590 
1591 static void
1592 option_iroute(struct options *o,
1593  const char *network_str,
1594  const char *netmask_str,
1595  int msglevel)
1596 {
1597  struct iroute *ir;
1598 
1599  ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1600  ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1601  ir->netbits = 32; /* host route if no netmask given */
1602 
1603  if (netmask_str)
1604  {
1605  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1606  ir->netbits = netmask_to_netbits2(netmask);
1607 
1608  if (ir->netbits < 0)
1609  {
1610  msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1611  network_str,
1612  netmask_str);
1613  return;
1614  }
1615  }
1616 
1617  ir->next = o->iroutes;
1618  o->iroutes = ir;
1619 }
1620 
1621 static void
1622 option_iroute_ipv6(struct options *o,
1623  const char *prefix_str,
1624  int msglevel)
1625 {
1626  struct iroute_ipv6 *ir;
1627 
1628  ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1629 
1630  if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1631  {
1632  msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1633  prefix_str);
1634  return;
1635  }
1636 
1637  ir->next = o->iroutes_ipv6;
1638  o->iroutes_ipv6 = ir;
1639 }
1640 
1641 #ifndef ENABLE_SMALL
1642 static void
1643 show_http_proxy_options(const struct http_proxy_options *o)
1644 {
1645  int i;
1646  msg(D_SHOW_PARMS, "BEGIN http_proxy");
1647  SHOW_STR(server);
1648  SHOW_STR(port);
1649  SHOW_STR(auth_method_string);
1650  SHOW_STR(auth_file);
1651  SHOW_STR(auth_file_up);
1652  SHOW_BOOL(inline_creds);
1653  SHOW_BOOL(nocache);
1654  SHOW_STR(http_version);
1655  SHOW_STR(user_agent);
1656  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1657  {
1658  if (o->custom_headers[i].content)
1659  {
1660  msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1661  o->custom_headers[i].name, o->custom_headers[i].content);
1662  }
1663  else
1664  {
1665  msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1666  o->custom_headers[i].name);
1667  }
1668  }
1669  msg(D_SHOW_PARMS, "END http_proxy");
1670 }
1671 #endif /* ifndef ENABLE_SMALL */
1672 
1673 void
1674 options_detach(struct options *o)
1675 {
1676  gc_detach(&o->gc);
1677  o->routes = NULL;
1678  o->client_nat = NULL;
1679  clone_push_list(o);
1680 }
1681 
1682 void
1683 rol_check_alloc(struct options *options)
1684 {
1685  if (!options->routes)
1686  {
1687  options->routes = new_route_option_list(&options->gc);
1688  }
1689 }
1690 
1691 static void
1692 rol6_check_alloc(struct options *options)
1693 {
1694  if (!options->routes_ipv6)
1695  {
1696  options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1697  }
1698 }
1699 
1700 static void
1701 cnol_check_alloc(struct options *options)
1702 {
1703  if (!options->client_nat)
1704  {
1705  options->client_nat = new_client_nat_list(&options->gc);
1706  }
1707 }
1708 
1709 #ifndef ENABLE_SMALL
1710 static void
1711 show_connection_entry(const struct connection_entry *o)
1712 {
1713  msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1714  SHOW_STR(local);
1715  SHOW_STR(local_port);
1716  SHOW_STR(remote);
1717  SHOW_STR(remote_port);
1718  SHOW_BOOL(remote_float);
1719  SHOW_BOOL(bind_defined);
1720  SHOW_BOOL(bind_local);
1721  SHOW_BOOL(bind_ipv6_only);
1722  SHOW_INT(connect_retry_seconds);
1723  SHOW_INT(connect_timeout);
1724 
1725  if (o->http_proxy_options)
1726  {
1727  show_http_proxy_options(o->http_proxy_options);
1728  }
1729  SHOW_STR(socks_proxy_server);
1730  SHOW_STR(socks_proxy_port);
1731  SHOW_INT(tun_mtu);
1732  SHOW_BOOL(tun_mtu_defined);
1733  SHOW_INT(link_mtu);
1734  SHOW_BOOL(link_mtu_defined);
1735  SHOW_INT(tun_mtu_extra);
1736  SHOW_BOOL(tun_mtu_extra_defined);
1737  SHOW_INT(tls_mtu);
1738 
1739  SHOW_INT(mtu_discover_type);
1740 
1741 #ifdef ENABLE_FRAGMENT
1742  SHOW_INT(fragment);
1743 #endif
1744  SHOW_INT(mssfix);
1745  SHOW_BOOL(mssfix_encap);
1746  SHOW_BOOL(mssfix_fixed);
1747 
1748  SHOW_INT(explicit_exit_notification);
1749 
1750  SHOW_STR_INLINE(tls_auth_file);
1751  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1752  "%s");
1753  SHOW_STR_INLINE(tls_crypt_file);
1754  SHOW_STR_INLINE(tls_crypt_v2_file);
1755 }
1756 
1757 
1758 static void
1759 show_connection_entries(const struct options *o)
1760 {
1761  if (o->connection_list)
1762  {
1763  const struct connection_list *l = o->connection_list;
1764  int i;
1765  for (i = 0; i < l->len; ++i)
1766  {
1767  msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1768  show_connection_entry(l->array[i]);
1769  }
1770  }
1771  else
1772  {
1773  msg(D_SHOW_PARMS, "Connection profiles [default]:");
1774  show_connection_entry(&o->ce);
1775  }
1776  msg(D_SHOW_PARMS, "Connection profiles END");
1777 }
1778 
1779 static void
1780 show_pull_filter_list(const struct pull_filter_list *l)
1781 {
1782  struct pull_filter *f;
1783  if (!l)
1784  {
1785  return;
1786  }
1787 
1788  msg(D_SHOW_PARMS, " Pull filters:");
1789  for (f = l->head; f; f = f->next)
1790  {
1791  msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1792  }
1793 }
1794 
1795 #endif /* ifndef ENABLE_SMALL */
1796 
1797 void
1798 show_settings(const struct options *o)
1799 {
1800 #ifndef ENABLE_SMALL
1801  msg(D_SHOW_PARMS, "Current Parameter Settings:");
1802 
1803  SHOW_STR(config);
1804 
1805  SHOW_INT(mode);
1806 
1807 #ifdef ENABLE_FEATURE_TUN_PERSIST
1808  SHOW_BOOL(persist_config);
1809  SHOW_INT(persist_mode);
1810 #endif
1811 
1812  SHOW_BOOL(show_ciphers);
1813  SHOW_BOOL(show_digests);
1814  SHOW_BOOL(show_engines);
1815  SHOW_BOOL(genkey);
1816  SHOW_STR(genkey_filename);
1817  SHOW_STR(key_pass_file);
1818  SHOW_BOOL(show_tls_ciphers);
1819 
1820  SHOW_INT(connect_retry_max);
1821  show_connection_entries(o);
1822 
1823  SHOW_BOOL(remote_random);
1824 
1825  SHOW_STR(ipchange);
1826  SHOW_STR(dev);
1827  SHOW_STR(dev_type);
1828  SHOW_STR(dev_node);
1829 #if defined(ENABLE_DCO)
1830  SHOW_BOOL(tuntap_options.disable_dco);
1831 #endif
1832  SHOW_STR(lladdr);
1833  SHOW_INT(topology);
1834  SHOW_STR(ifconfig_local);
1835  SHOW_STR(ifconfig_remote_netmask);
1836  SHOW_BOOL(ifconfig_noexec);
1837  SHOW_BOOL(ifconfig_nowarn);
1838  SHOW_STR(ifconfig_ipv6_local);
1839  SHOW_INT(ifconfig_ipv6_netbits);
1840  SHOW_STR(ifconfig_ipv6_remote);
1841 
1842  SHOW_INT(shaper);
1843  SHOW_INT(mtu_test);
1844 
1845  SHOW_BOOL(mlock);
1846 
1847  SHOW_INT(keepalive_ping);
1848  SHOW_INT(keepalive_timeout);
1849  SHOW_INT(inactivity_timeout);
1850  SHOW_INT(session_timeout);
1851  SHOW_INT64(inactivity_minimum_bytes);
1852  SHOW_INT(ping_send_timeout);
1853  SHOW_INT(ping_rec_timeout);
1854  SHOW_INT(ping_rec_timeout_action);
1855  SHOW_BOOL(ping_timer_remote);
1856  SHOW_INT(remap_sigusr1);
1857  SHOW_BOOL(persist_tun);
1858  SHOW_BOOL(persist_local_ip);
1859  SHOW_BOOL(persist_remote_ip);
1860 
1861 #if PASSTOS_CAPABILITY
1862  SHOW_BOOL(passtos);
1863 #endif
1864 
1865  SHOW_INT(resolve_retry_seconds);
1866  SHOW_BOOL(resolve_in_advance);
1867 
1868  SHOW_STR(username);
1869  SHOW_STR(groupname);
1870  SHOW_STR(chroot_dir);
1871  SHOW_STR(cd_dir);
1872 #ifdef ENABLE_SELINUX
1873  SHOW_STR(selinux_context);
1874 #endif
1875  SHOW_STR(writepid);
1876  SHOW_STR(up_script);
1877  SHOW_STR(down_script);
1878  SHOW_BOOL(down_pre);
1879  SHOW_BOOL(up_restart);
1880  SHOW_BOOL(up_delay);
1881  SHOW_BOOL(daemon);
1882  SHOW_BOOL(log);
1883  SHOW_BOOL(suppress_timestamps);
1884  SHOW_BOOL(machine_readable_output);
1885  SHOW_INT(nice);
1886  SHOW_INT(verbosity);
1887  SHOW_INT(mute);
1888 #ifdef ENABLE_DEBUG
1889  SHOW_INT(gremlin);
1890 #endif
1891  SHOW_STR(status_file);
1892  SHOW_INT(status_file_version);
1893  SHOW_INT(status_file_update_freq);
1894 
1895  SHOW_BOOL(occ);
1896  SHOW_INT(rcvbuf);
1897  SHOW_INT(sndbuf);
1898 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1899  SHOW_INT(mark);
1900 #endif
1901  SHOW_INT(sockflags);
1902 
1903  SHOW_BOOL(fast_io);
1904 
1905  SHOW_INT(comp.alg);
1906  SHOW_INT(comp.flags);
1907 
1908  SHOW_STR(route_script);
1909  SHOW_STR(route_default_gateway);
1910  SHOW_INT(route_default_metric);
1911  SHOW_BOOL(route_noexec);
1912  SHOW_INT(route_delay);
1913  SHOW_INT(route_delay_window);
1914  SHOW_BOOL(route_delay_defined);
1915  SHOW_BOOL(route_nopull);
1916  SHOW_BOOL(route_gateway_via_dhcp);
1917  SHOW_BOOL(allow_pull_fqdn);
1918  show_pull_filter_list(o->pull_filter_list);
1919 
1920  if (o->routes)
1921  {
1922  print_route_options(o->routes, D_SHOW_PARMS);
1923  }
1924 
1925  if (o->client_nat)
1926  {
1927  print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1928  }
1929 
1930  show_dns_options(&o->dns_options);
1931 
1932 #ifdef ENABLE_MANAGEMENT
1933  SHOW_STR(management_addr);
1934  SHOW_STR(management_port);
1935  SHOW_STR(management_user_pass);
1936  SHOW_INT(management_log_history_cache);
1937  SHOW_INT(management_echo_buffer_size);
1938  SHOW_STR(management_client_user);
1939  SHOW_STR(management_client_group);
1940  SHOW_INT(management_flags);
1941 #endif
1942 #ifdef ENABLE_PLUGIN
1943  if (o->plugin_list)
1944  {
1945  plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1946  }
1947 #endif
1948 
1949  SHOW_STR_INLINE(shared_secret_file);
1950  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1951  SHOW_STR(ciphername);
1952  SHOW_STR(ncp_ciphers);
1953  SHOW_STR(authname);
1954 #ifndef ENABLE_CRYPTO_MBEDTLS
1955  SHOW_BOOL(engine);
1956 #endif /* ENABLE_CRYPTO_MBEDTLS */
1957  SHOW_BOOL(mute_replay_warnings);
1958  SHOW_INT(replay_window);
1959  SHOW_INT(replay_time);
1960  SHOW_STR(packet_id_file);
1961  SHOW_BOOL(test_crypto);
1962 #ifdef ENABLE_PREDICTION_RESISTANCE
1963  SHOW_BOOL(use_prediction_resistance);
1964 #endif
1965 
1966  SHOW_BOOL(tls_server);
1967  SHOW_BOOL(tls_client);
1968  SHOW_STR_INLINE(ca_file);
1969  SHOW_STR(ca_path);
1970  SHOW_STR_INLINE(dh_file);
1971  if ((o->management_flags & MF_EXTERNAL_CERT))
1972  {
1973  SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1974  }
1975  else
1976  {
1977  SHOW_STR_INLINE(cert_file);
1978  }
1979  SHOW_STR_INLINE(extra_certs_file);
1980 
1981  if ((o->management_flags & MF_EXTERNAL_KEY))
1982  {
1983  SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1984  }
1985  else
1986  {
1987  SHOW_STR_INLINE(priv_key_file);
1988  }
1989 #ifndef ENABLE_CRYPTO_MBEDTLS
1990  SHOW_STR_INLINE(pkcs12_file);
1991 #endif
1992 #ifdef ENABLE_CRYPTOAPI
1993  SHOW_STR(cryptoapi_cert);
1994 #endif
1995  SHOW_STR(cipher_list);
1996  SHOW_STR(cipher_list_tls13);
1997  SHOW_STR(tls_cert_profile);
1998  SHOW_STR(tls_verify);
1999  SHOW_STR(tls_export_peer_cert_dir);
2000  SHOW_INT(verify_x509_type);
2001  SHOW_STR(verify_x509_name);
2002  SHOW_STR_INLINE(crl_file);
2003  SHOW_INT(ns_cert_type);
2004  {
2005  int i;
2006  for (i = 0; i<MAX_PARMS; i++)
2007  {
2008  SHOW_INT(remote_cert_ku[i]);
2009  }
2010  }
2011  SHOW_STR(remote_cert_eku);
2012  if (o->verify_hash)
2013  {
2014  SHOW_INT(verify_hash_algo);
2015  SHOW_INT(verify_hash_depth);
2016  struct gc_arena gc = gc_new();
2017  struct verify_hash_list *hl = o->verify_hash;
2018  int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
2019  SHA256_DIGEST_LENGTH;
2020  while (hl)
2021  {
2022  char *s = format_hex_ex(hl->hash, digest_len, 0,
2023  1, ":", &gc);
2024  SHOW_PARM(verify_hash, s, "%s");
2025  hl = hl->next;
2026  }
2027  gc_free(&gc);
2028  }
2029  SHOW_INT(ssl_flags);
2030 
2031  SHOW_INT(tls_timeout);
2032 
2033  SHOW_INT(renegotiate_bytes);
2034  SHOW_INT(renegotiate_packets);
2035  SHOW_INT(renegotiate_seconds);
2036 
2037  SHOW_INT(handshake_window);
2038  SHOW_INT(transition_window);
2039 
2040  SHOW_BOOL(single_session);
2041  SHOW_BOOL(push_peer_info);
2042  SHOW_BOOL(tls_exit);
2043 
2044  SHOW_STR(tls_crypt_v2_metadata);
2045 
2046 #ifdef ENABLE_PKCS11
2047  {
2048  int i;
2049  for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
2050  {
2051  SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
2052  }
2053  }
2054  {
2055  int i;
2056  for (i = 0; i<MAX_PARMS; i++)
2057  {
2058  SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
2059  }
2060  }
2061  {
2062  int i;
2063  for (i = 0; i<MAX_PARMS; i++)
2064  {
2065  SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
2066  }
2067  }
2068  {
2069  int i;
2070  for (i = 0; i<MAX_PARMS; i++)
2071  {
2072  SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
2073  }
2074  }
2075  SHOW_INT(pkcs11_pin_cache_period);
2076  SHOW_STR(pkcs11_id);
2077  SHOW_BOOL(pkcs11_id_management);
2078 #endif /* ENABLE_PKCS11 */
2079 
2080  show_p2mp_parms(o);
2081 
2082 #ifdef _WIN32
2083  SHOW_BOOL(show_net_up);
2084  SHOW_INT(route_method);
2085  SHOW_BOOL(block_outside_dns);
2086  show_tuntap_options(&o->tuntap_options);
2087 #endif
2088 #endif /* ifndef ENABLE_SMALL */
2089 }
2090 
2091 #undef SHOW_PARM
2092 #undef SHOW_STR
2093 #undef SHOW_INT
2094 #undef SHOW_BOOL
2095 
2096 #ifdef ENABLE_MANAGEMENT
2097 
2098 static struct http_proxy_options *
2099 parse_http_proxy_override(const char *server,
2100  const char *port,
2101  const char *flags,
2102  const int msglevel,
2103  struct gc_arena *gc)
2104 {
2105  if (server && port)
2106  {
2107  struct http_proxy_options *ho;
2108  ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
2109  ho->server = string_alloc(server, gc);
2110  ho->port = port;
2111  if (flags && !strcmp(flags, "nct"))
2112  {
2113  ho->auth_retry = PAR_NCT;
2114  }
2115  else
2116  {
2117  ho->auth_retry = PAR_ALL;
2118  }
2119  ho->http_version = "1.0";
2120  ho->user_agent = "OpenVPN-Autoproxy/1.0";
2121  return ho;
2122  }
2123  else
2124  {
2125  return NULL;
2126  }
2127 }
2128 
2129 static void
2130 options_postprocess_http_proxy_override(struct options *o)
2131 {
2132  const struct connection_list *l = o->connection_list;
2133  int i;
2134  bool succeed = false;
2135  for (i = 0; i < l->len; ++i)
2136  {
2137  struct connection_entry *ce = l->array[i];
2138  if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2139  {
2140  ce->http_proxy_options = o->http_proxy_override;
2141  succeed = true;
2142  }
2143  }
2144  if (succeed)
2145  {
2146  for (i = 0; i < l->len; ++i)
2147  {
2148  struct connection_entry *ce = l->array[i];
2149  if (ce->proto == PROTO_UDP)
2150  {
2151  ce->flags |= CE_DISABLED;
2152  }
2153  }
2154  }
2155  else
2156  {
2157  msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2158  }
2159 }
2160 
2161 #endif /* ifdef ENABLE_MANAGEMENT */
2162 
2163 static struct connection_list *
2164 alloc_connection_list_if_undef(struct options *options)
2165 {
2166  if (!options->connection_list)
2167  {
2168  ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
2169  }
2170  return options->connection_list;
2171 }
2172 
2173 static struct connection_entry *
2174 alloc_connection_entry(struct options *options, const int msglevel)
2175 {
2176  struct connection_list *l = alloc_connection_list_if_undef(options);
2177  struct connection_entry *e;
2178 
2179  if (l->len == l->capacity)
2180  {
2181  int capacity = l->capacity + CONNECTION_LIST_SIZE;
2182  struct connection_entry **ce = gc_realloc(l->array, capacity*sizeof(struct connection_entry *), &options->gc);
2183  if (ce == NULL)
2184  {
2185  msg(msglevel, "Unable to process more connection options: out of memory. Number of entries = %d", l->len);
2186  return NULL;
2187  }
2188  l->array = ce;
2189  l->capacity = capacity;
2190  }
2191  ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2192  l->array[l->len++] = e;
2193  return e;
2194 }
2195 
2196 static struct remote_list *
2197 alloc_remote_list_if_undef(struct options *options)
2198 {
2199  if (!options->remote_list)
2200  {
2201  ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2202  }
2203  return options->remote_list;
2204 }
2205 
2206 static struct remote_entry *
2207 alloc_remote_entry(struct options *options, const int msglevel)
2208 {
2209  struct remote_list *l = alloc_remote_list_if_undef(options);
2210  struct remote_entry *e;
2211 
2212  if (l->len == l->capacity)
2213  {
2214  int capacity = l->capacity + CONNECTION_LIST_SIZE;
2215  struct remote_entry **re = gc_realloc(l->array, capacity*sizeof(struct remote_entry *), &options->gc);
2216  if (re == NULL)
2217  {
2218  msg(msglevel, "Unable to process more remote options: out of memory. Number of entries = %d", l->len);
2219  return NULL;
2220  }
2221  l->array = re;
2222  l->capacity = capacity;
2223  }
2224  ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2225  l->array[l->len++] = e;
2226  return e;
2227 }
2228 
2229 static struct pull_filter_list *
2230 alloc_pull_filter_list(struct options *o)
2231 {
2232  if (!o->pull_filter_list)
2233  {
2234  ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2235  }
2236  return o->pull_filter_list;
2237 }
2238 
2239 static struct pull_filter *
2240 alloc_pull_filter(struct options *o, const int msglevel)
2241 {
2242  struct pull_filter_list *l = alloc_pull_filter_list(o);
2243  struct pull_filter *f;
2244 
2245  ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2246  if (l->head)
2247  {
2248  ASSERT(l->tail);
2249  l->tail->next = f;
2250  }
2251  else
2252  {
2253  ASSERT(!l->tail);
2254  l->head = f;
2255  }
2256  l->tail = f;
2257  return f;
2258 }
2259 
2260 static void
2261 connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2262 {
2263  if (re->remote)
2264  {
2265  ce->remote = re->remote;
2266  }
2267  if (re->remote_port)
2268  {
2269  ce->remote_port = re->remote_port;
2270  }
2271  if (re->proto >= 0)
2272  {
2273  ce->proto = re->proto;
2274  }
2275  if (re->af > 0)
2276  {
2277  ce->af = re->af;
2278  }
2279 }
2280 
2281 static void
2282 connection_entry_preload_key(const char **key_file, bool *key_inline,
2283  struct gc_arena *gc)
2284 {
2285  if (key_file && *key_file && !(*key_inline))
2286  {
2287  struct buffer in = buffer_read_from_file(*key_file, gc);
2288  if (!buf_valid(&in))
2289  {
2290  msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2291  }
2292 
2293  *key_file = (const char *) in.data;
2294  *key_inline = true;
2295  }
2296 }
2297 
2298 static void
2299 check_ca_required(const struct options *options)
2300 {
2301  if (options->verify_hash_no_ca
2302  || options->pkcs12_file
2303  || options->ca_file
2304 #ifndef ENABLE_CRYPTO_MBEDTLS
2305  || options->ca_path
2306 #endif
2307  )
2308  {
2309  return;
2310  }
2311 
2312  const char *const str = "You must define CA file (--ca)"
2313 #ifndef ENABLE_CRYPTO_MBEDTLS
2314  " or CA path (--capath)"
2315 #endif
2316  " and/or peer fingerprint verification (--peer-fingerprint)";
2317  msg(M_USAGE, "%s", str);
2318 }
2319 
2320 static void
2321 options_postprocess_verify_ce(const struct options *options,
2322  const struct connection_entry *ce)
2323 {
2324  struct options defaults;
2325  int dev = DEV_TYPE_UNDEF;
2326  bool pull = false;
2327 
2328  init_options(&defaults, true);
2329 
2330  if (options->test_crypto)
2331  {
2332  notnull(options->shared_secret_file, "key file (--secret)");
2333  }
2334  else
2335  {
2336  notnull(options->dev, "TUN/TAP device (--dev)");
2337  }
2338 
2339  /*
2340  * Get tun/tap/null device type
2341  */
2342  dev = dev_type_enum(options->dev, options->dev_type);
2343 
2344  /*
2345  * If "proto tcp" is specified, make sure we know whether it is
2346  * tcp-client or tcp-server.
2347  */
2348  if (ce->proto == PROTO_TCP)
2349  {
2350  msg(M_USAGE,
2351  "--proto tcp is ambiguous in this context. Please specify "
2352  "--proto tcp-server or --proto tcp-client");
2353  }
2354 
2355  if (options->lladdr && dev != DEV_TYPE_TAP)
2356  {
2357  msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2358  }
2359 
2360  /*
2361  * Sanity check on MTU parameters
2362  */
2363  if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2364  {
2365  msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2366  }
2367 
2368  if (!proto_is_udp(ce->proto) && options->mtu_test)
2369  {
2370  msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2371  }
2372 
2373  /* will we be pulling options from server? */
2374  pull = options->pull;
2375 
2376  /*
2377  * Sanity check on --local, --remote, and --ifconfig
2378  */
2379 
2380  if (proto_is_net(ce->proto)
2381  && string_defined_equal(ce->local, ce->remote)
2382  && string_defined_equal(ce->local_port, ce->remote_port))
2383  {
2384  msg(M_USAGE, "--remote and --local addresses are the same");
2385  }
2386 
2387  if (string_defined_equal(ce->remote, options->ifconfig_local)
2388  || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2389  {
2390  msg(M_USAGE,
2391  "--local and --remote addresses must be distinct from --ifconfig "
2392  "addresses");
2393  }
2394 
2395  if (string_defined_equal(ce->local, options->ifconfig_local)
2396  || string_defined_equal(ce->local, options->ifconfig_remote_netmask))
2397  {
2398  msg(M_USAGE,
2399  "--local addresses must be distinct from --ifconfig addresses");
2400  }
2401 
2402  if (string_defined_equal(options->ifconfig_local,
2403  options->ifconfig_remote_netmask))
2404  {
2405  msg(M_USAGE,
2406  "local and remote/netmask --ifconfig addresses must be different");
2407  }
2408 
2409  if (ce->bind_defined && !ce->bind_local)
2410  {
2411  msg(M_USAGE, "--bind and --nobind can't be used together");
2412  }
2413 
2414  if (ce->local && !ce->bind_local)
2415  {
2416  msg(M_USAGE,
2417  "--local and --nobind don't make sense when used together");
2418  }
2419 
2420  if (ce->local_port_defined && !ce->bind_local)
2421  {
2422  msg(M_USAGE,
2423  "--lport and --nobind don't make sense when used together");
2424  }
2425 
2426  if (!ce->remote && !ce->bind_local)
2427  {
2428  msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2429  }
2430 
2431  /*
2432  * Check for consistency of management options
2433  */
2434 #ifdef ENABLE_MANAGEMENT
2435  if (!options->management_addr
2436  && (options->management_flags
2437  || options->management_log_history_cache != defaults.management_log_history_cache))
2438  {
2439  msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2440  }
2441 
2442  if ((options->management_client_user || options->management_client_group)
2443  && !(options->management_flags & MF_UNIX_SOCK))
2444  {
2445  msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2446  }
2447 
2448  if (options->management_addr
2449  && !(options->management_flags & MF_UNIX_SOCK)
2450  && (!options->management_user_pass))
2451  {
2452  msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2453  "passwords is STRONGLY discouraged and considered insecure");
2454  }
2455 
2456 #endif /* ifdef ENABLE_MANAGEMENT */
2457 
2458 #if !defined(HAVE_XKEY_PROVIDER)
2459  if ((tls_version_max() >= TLS_VER_1_3)
2460  && (options->management_flags & MF_EXTERNAL_KEY)
2461  && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2462  )
2463  {
2464  msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2465  "nopadding argument/support");
2466  }
2467 #endif
2468  /*
2469  * Windows-specific options.
2470  */
2471 
2472 #ifdef _WIN32
2473  if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2474  {
2475  msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2476  }
2477 
2478  if ((options->tuntap_options.ip_win32_defined)
2479  && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2480  {
2481  msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2482  }
2483 
2484  if (options->tuntap_options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
2485  {
2486  const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
2487  if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
2488  {
2489  msg(M_USAGE, "%s, which is not supported by the selected %s driver",
2490  prefix, print_windows_driver(options->windows_driver));
2491  }
2492  else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2493  && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2494  {
2495  msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive",
2496  prefix);
2497  }
2498  }
2499 
2500  if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
2501  {
2502  msg(M_USAGE, "--windows-driver wintun requires --dev tun");
2503  }
2504 #endif /* ifdef _WIN32 */
2505 
2506  /*
2507  * Check that protocol options make sense.
2508  */
2509 
2510 #ifdef ENABLE_FRAGMENT
2511  if (!proto_is_udp(ce->proto) && ce->fragment)
2512  {
2513  msg(M_USAGE, "--fragment can only be used with --proto udp");
2514  }
2515 #endif
2516 
2517  if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2518  {
2519  msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2520  }
2521 
2522  if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2523  {
2524  msg(M_USAGE,
2525  "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2526  "tcp-client)");
2527  }
2528 
2529  if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2530  {
2531  msg(M_USAGE,
2532  "--http-proxy not specified but other http proxy options present");
2533  }
2534 
2535  if (ce->http_proxy_options && ce->socks_proxy_server)
2536  {
2537  msg(M_USAGE,
2538  "--http-proxy can not be used together with --socks-proxy");
2539  }
2540 
2541  if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2542  {
2543  msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2544  }
2545 
2546  if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2547  {
2548  msg(M_USAGE, "TCP server mode allows at most one --remote address");
2549  }
2550 
2551  /*
2552  * Check consistency of --mode server options.
2553  */
2554  if (options->mode == MODE_SERVER)
2555  {
2556 #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
2557  "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2558 #ifdef TARGET_ANDROID
2559  msg(M_FATAL, "--mode server not supported on Android");
2560 #endif
2561  if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2562  {
2563  msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2564  }
2565  if (options->pull)
2566  {
2567  msg(M_USAGE, "--pull cannot be used with --mode server");
2568  }
2569  if (options->pull_filter_list)
2570  {
2571  msg(M_WARN, "--pull-filter ignored for --mode server");
2572  }
2573  if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2574  {
2575  msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2576  }
2577 #if PORT_SHARE
2578  if ((options->port_share_host || options->port_share_port)
2579  && (ce->proto != PROTO_TCP_SERVER))
2580  {
2581  msg(M_USAGE, "--port-share only works in TCP server mode "
2582  "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2583  }
2584 #endif
2585  if (!options->tls_server)
2586  {
2587  msg(M_USAGE, "--mode server requires --tls-server");
2588  }
2589  if (ce->remote)
2590  {
2591  msg(M_USAGE, "--remote cannot be used with --mode server");
2592  }
2593  if (!ce->bind_local)
2594  {
2595  msg(M_USAGE, "--nobind cannot be used with --mode server");
2596  }
2597  if (ce->http_proxy_options)
2598  {
2599  msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2600  }
2601  if (ce->socks_proxy_server)
2602  {
2603  msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2604  }
2605  /* <connection> blocks force to have a remote embedded, so we check
2606  * for the --remote and bail out if it is present
2607  */
2608  if (options->connection_list->len >1
2609  || options->connection_list->array[0]->remote)
2610  {
2611  msg(M_USAGE, "<connection> cannot be used with --mode server");
2612  }
2613 
2614  if (options->shaper)
2615  {
2616  msg(M_USAGE, "--shaper cannot be used with --mode server");
2617  }
2618  if (options->ipchange)
2619  {
2620  msg(M_USAGE,
2621  "--ipchange cannot be used with --mode server (use "
2622  "--client-connect instead)");
2623  }
2624  if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2625  {
2626  msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2627  }
2628  if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2629  {
2630  msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2631  }
2632  if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2633  {
2634  msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2635  }
2636  if (options->routes && (options->routes->flags & RG_ENABLE))
2637  {
2638  msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2639  }
2640  if (options->route_delay_defined)
2641  {
2642  msg(M_USAGE, "--route-delay cannot be used with --mode server");
2643  }
2644  if (options->up_delay)
2645  {
2646  msg(M_USAGE, "--up-delay cannot be used with --mode server");
2647  }
2648  if (!options->ifconfig_pool_defined
2649  && !options->ifconfig_ipv6_pool_defined
2650  && options->ifconfig_pool_persist_filename)
2651  {
2652  msg(M_USAGE,
2653  "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2654  }
2655  if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2656  {
2657  msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2658  }
2659  if (options->allow_recursive_routing)
2660  {
2661  msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2662  }
2663  if (options->auth_user_pass_file)
2664  {
2665  msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2666  }
2667  if (options->ccd_exclusive && !options->client_config_dir)
2668  {
2669  msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2670  }
2671  if (options->auth_token_generate && !options->renegotiate_seconds)
2672  {
2673  msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2674  "--renegotiate_seconds setting");
2675  }
2676  if (options->auth_token_generate && options->auth_token_renewal
2677  && options->auth_token_renewal < 2 * options->handshake_window)
2678  {
2679  msg(M_USAGE, "--auth-gen-token renewal time needs to be at least "
2680  " two times --hand-window (%d).",
2681  options->handshake_window);
2682 
2683  }
2684  {
2685  const bool ccnr = (options->auth_user_pass_verify_script
2686  || PLUGIN_OPTION_LIST(options)
2687  || MAN_CLIENT_AUTH_ENABLED(options));
2688  const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2689  if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
2690  {
2691  msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2692  }
2693  if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2694  {
2695  msg(M_USAGE, "--username-as-common-name %s", postfix);
2696  }
2697  if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2698  {
2699  msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2700  }
2701  }
2702 
2703  if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2704  {
2705  msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2706  }
2707  if (!options->vlan_tagging)
2708  {
2709  if (options->vlan_accept != defaults.vlan_accept)
2710  {
2711  msg(M_USAGE, "--vlan-accept requires --vlan-tagging");
2712  }
2713  if (options->vlan_pvid != defaults.vlan_pvid)
2714  {
2715  msg(M_USAGE, "--vlan-pvid requires --vlan-tagging");
2716  }
2717  }
2718  }
2719  else
2720  {
2721  /*
2722  * When not in server mode, err if parameters are
2723  * specified which require --mode server.
2724  */
2725  if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2726  {
2727  msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2728  }
2729  if (options->ifconfig_ipv6_pool_defined)
2730  {
2731  msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2732  }
2733  if (options->real_hash_size != defaults.real_hash_size
2734  || options->virtual_hash_size != defaults.virtual_hash_size)
2735  {
2736  msg(M_USAGE, "--hash-size requires --mode server");
2737  }
2738  if (options->learn_address_script)
2739  {
2740  msg(M_USAGE, "--learn-address requires --mode server");
2741  }
2742  if (options->client_connect_script)
2743  {
2744  msg(M_USAGE, "--client-connect requires --mode server");
2745  }
2746  if (options->client_crresponse_script)
2747  {
2748  msg(M_USAGE, "--client-crresponse requires --mode server");
2749  }
2750  if (options->client_disconnect_script)
2751  {
2752  msg(M_USAGE, "--client-disconnect requires --mode server");
2753  }
2754  if (options->client_config_dir || options->ccd_exclusive)
2755  {
2756  msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2757  }
2758  if (options->enable_c2c)
2759  {
2760  msg(M_USAGE, "--client-to-client requires --mode server");
2761  }
2762  if (options->duplicate_cn)
2763  {
2764  msg(M_USAGE, "--duplicate-cn requires --mode server");
2765  }
2766  if (options->cf_max || options->cf_per)
2767  {
2768  msg(M_USAGE, "--connect-freq requires --mode server");
2769  }
2770  if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2771  {
2772  msg(M_USAGE, "--verify-client-cert requires --mode server");
2773  }
2774  if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2775  {
2776  msg(M_USAGE, "--username-as-common-name requires --mode server");
2777  }
2778  if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2779  {
2780  msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2781  }
2782  if (options->ssl_flags & SSLF_OPT_VERIFY)
2783  {
2784  msg(M_USAGE, "--opt-verify requires --mode server");
2785  }
2786  if (options->server_flags & SF_TCP_NODELAY_HELPER)
2787  {
2788  msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2789  "affect the server. To have TCP_NODELAY in both direction use "
2790  "tcp-nodelay in the server configuration instead.");
2791  }
2792  if (options->auth_user_pass_verify_script)
2793  {
2794  msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2795  }
2796  if (options->auth_token_generate)
2797  {
2798  msg(M_USAGE, "--auth-gen-token requires --mode server");
2799  }
2800 #if PORT_SHARE
2801  if (options->port_share_host || options->port_share_port)
2802  {
2803  msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2804  }
2805 #endif
2806 
2807  if (options->stale_routes_check_interval)
2808  {
2809  msg(M_USAGE, "--stale-routes-check requires --mode server");
2810  }
2811 
2812  if (options->vlan_tagging)
2813  {
2814  msg(M_USAGE, "--vlan-tagging requires --mode server");
2815  }
2816 
2817  if (options->force_key_material_export)
2818  {
2819  msg(M_USAGE, "--force-tls-key-material-export requires --mode server");
2820  }
2821  }
2822 
2823  /*
2824  * SSL/TLS mode sanity checks.
2825  */
2826  if (options->tls_server + options->tls_client
2827  +(options->shared_secret_file != NULL) > 1)
2828  {
2829  msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2830  }
2831 
2832  if (!options->tls_server && !options->tls_client)
2833  {
2834  int msglevel = M_USAGE;
2835  if (options->allow_deprecated_insecure_static_crypto)
2836  {
2837  msglevel = M_INFO;
2838  }
2839 
2840  msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
2841  "configuration detected. OpenVPN 2.8 will remove the "
2842  "functionality to run a VPN without TLS. "
2843  "See the examples section in the manual page for "
2844  "examples of a similar quick setup with peer-fingerprint."
2845  "OpenVPN 2.7 allows using this configuration when using "
2846  "--allow-deprecated-insecure-static-crypto but you should move"
2847  "to a proper configuration using TLS as soon as possible."
2848  );
2849  }
2850 
2851  if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2852  {
2853  msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2854  "--verify-client-cert none|optional "
2855  "may accept clients which do not present a certificate");
2856  }
2857 
2858  const int tls_version_max =
2859  (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
2860  & SSLF_TLS_VERSION_MAX_MASK;
2861  const int tls_version_min =
2862  (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
2863  & SSLF_TLS_VERSION_MIN_MASK;
2864 
2865  if (tls_version_max > 0 && tls_version_max < tls_version_min)
2866  {
2867  msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2868  }
2869 
2870  if (options->tls_server || options->tls_client)
2871  {
2872  check_ca_required(options);
2873 #ifdef ENABLE_PKCS11
2874  if (!options->pkcs11_providers[0] && options->pkcs11_id)
2875  {
2876  msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2877  }
2878  else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2879  {
2880  msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2881  }
2882 
2883  if (options->pkcs11_providers[0])
2884  {
2885  if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2886  {
2887  msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2888  }
2889  if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2890  {
2891  msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2892  }
2893  if (options->cert_file)
2894  {
2895  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2896  }
2897  if (options->priv_key_file)
2898  {
2899  msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2900  }
2901  if (options->management_flags & MF_EXTERNAL_KEY)
2902  {
2903  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2904  }
2905  if (options->management_flags & MF_EXTERNAL_CERT)
2906  {
2907  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2908  }
2909  if (options->pkcs12_file)
2910  {
2911  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2912  }
2913 #ifdef ENABLE_CRYPTOAPI
2914  if (options->cryptoapi_cert)
2915  {
2916  msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2917  }
2918 #endif
2919  }
2920  else
2921 #endif /* ifdef ENABLE_PKCS11 */
2922  if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2923  {
2924  msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2925  }
2926  else if ((options->management_flags & MF_EXTERNAL_CERT))
2927  {
2928  if (options->cert_file)
2929  {
2930  msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2931  }
2932  else if (!(options->management_flags & MF_EXTERNAL_KEY))
2933  {
2934  msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2935  }
2936  }
2937  else
2938 #ifdef ENABLE_CRYPTOAPI
2939  if (options->cryptoapi_cert)
2940  {
2941  if (options->cert_file)
2942  {
2943  msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2944  }
2945  if (options->priv_key_file)
2946  {
2947  msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2948  }
2949  if (options->pkcs12_file)
2950  {
2951  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2952  }
2953  if (options->management_flags & MF_EXTERNAL_KEY)
2954  {
2955  msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2956  }
2957  if (options->management_flags & MF_EXTERNAL_CERT)
2958  {
2959  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2960  }
2961  }
2962  else
2963 #endif /* ifdef ENABLE_CRYPTOAPI */
2964  if (options->pkcs12_file)
2965  {
2966 #ifdef ENABLE_CRYPTO_MBEDTLS
2967  msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2968 #else
2969  if (options->ca_path)
2970  {
2971  msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2972  }
2973  if (options->cert_file)
2974  {
2975  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2976  }
2977  if (options->priv_key_file)
2978  {
2979  msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2980  }
2981  if (options->management_flags & MF_EXTERNAL_KEY)
2982  {
2983  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2984  }
2985  if (options->management_flags & MF_EXTERNAL_CERT)
2986  {
2987  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2988  }
2989 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2990  }
2991  else
2992  {
2993 #ifdef ENABLE_CRYPTO_MBEDTLS
2994  if (options->ca_path)
2995  {
2996  msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2997  }
2998 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2999  if (pull)
3000  {
3001 
3002  const int sum =
3003  ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
3004  + ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
3005 
3006  if (sum == 0)
3007  {
3008  if (!options->auth_user_pass_file)
3009  {
3010  msg(M_USAGE, "No client-side authentication method is "
3011  "specified. You must use either "
3012  "--cert/--key, --pkcs12, or "
3013  "--auth-user-pass");
3014  }
3015  }
3016  else if (sum != 2)
3017  {
3018  msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
3019  }
3020  }
3021  else
3022  {
3023  if (!(options->management_flags & MF_EXTERNAL_CERT))
3024  {
3025  notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
3026  }
3027  if (!(options->management_flags & MF_EXTERNAL_KEY))
3028  {
3029  notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
3030  }
3031  }
3032  }
3033  if (ce->tls_auth_file && ce->tls_crypt_file)
3034  {
3035  msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
3036  }
3037  if (options->tls_client && ce->tls_crypt_v2_file
3038  && (ce->tls_auth_file || ce->tls_crypt_file))
3039  {
3040  msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
3041  }
3042  }
3043  else
3044  {
3045  /*
3046  * Make sure user doesn't specify any TLS options
3047  * when in non-TLS mode.
3048  */
3049 
3050 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
3051 }
3052 
3053  const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
3054 
3055  MUST_BE_UNDEF(ca_file);
3056  MUST_BE_UNDEF(ca_path);
3057  MUST_BE_UNDEF(dh_file);
3058  MUST_BE_UNDEF(cert_file);
3059  MUST_BE_UNDEF(priv_key_file);
3060 #ifndef ENABLE_CRYPTO_MBEDTLS
3061  MUST_BE_UNDEF(pkcs12_file);
3062 #endif
3063  MUST_BE_UNDEF(cipher_list);
3064  MUST_BE_UNDEF(cipher_list_tls13);
3065  MUST_BE_UNDEF(tls_cert_profile);
3066  MUST_BE_UNDEF(tls_verify);
3067  MUST_BE_UNDEF(tls_export_peer_cert_dir);
3068  MUST_BE_UNDEF(verify_x509_name);
3069  MUST_BE_UNDEF(tls_timeout);
3070  MUST_BE_UNDEF(renegotiate_bytes);
3071  MUST_BE_UNDEF(renegotiate_packets);
3072  MUST_BE_UNDEF(renegotiate_seconds);
3073  MUST_BE_UNDEF(handshake_window);
3074  MUST_BE_UNDEF(transition_window);
3075  MUST_BE_UNDEF(tls_auth_file);
3076  MUST_BE_UNDEF(tls_crypt_file);
3077  MUST_BE_UNDEF(tls_crypt_v2_file);
3078  MUST_BE_UNDEF(single_session);
3079  MUST_BE_UNDEF(push_peer_info);
3080  MUST_BE_UNDEF(tls_exit);
3081  MUST_BE_UNDEF(crl_file);
3082  MUST_BE_UNDEF(ns_cert_type);
3083  MUST_BE_UNDEF(remote_cert_ku[0]);
3084  MUST_BE_UNDEF(remote_cert_eku);
3085 #ifdef ENABLE_PKCS11
3086  MUST_BE_UNDEF(pkcs11_providers[0]);
3087  MUST_BE_UNDEF(pkcs11_private_mode[0]);
3088  MUST_BE_UNDEF(pkcs11_id);
3089  MUST_BE_UNDEF(pkcs11_id_management);
3090 #endif
3091 
3092  if (pull)
3093  {
3094  msg(M_USAGE, err, "--pull");
3095  }
3096  }
3097 #undef MUST_BE_UNDEF
3098 
3099  if (options->auth_user_pass_file && !options->pull)
3100  {
3101  msg(M_USAGE, "--auth-user-pass requires --pull");
3102  }
3103 
3104  uninit_options(&defaults);
3105 }
3106 
3107 static void
3108 options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
3109 {
3110  const int dev = dev_type_enum(o->dev, o->dev_type);
3111 
3112  if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3113  {
3114  if (ce->proto == PROTO_TCP)
3115  {
3116  ce->proto = PROTO_TCP_SERVER;
3117  }
3118  }
3119 
3120  if (o->client)
3121  {
3122  if (ce->proto == PROTO_TCP)
3123  {
3124  ce->proto = PROTO_TCP_CLIENT;
3125  }
3126  }
3127 
3128  /* an option is present that requires local bind to enabled */
3129  bool need_bind = ce->local || ce->local_port_defined || ce->bind_defined;
3130 
3131  /* socks proxy is enabled */
3132  bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
3133 
3134  /* If binding is not forced by an explicit option and we have (at least)
3135  * one of --tcp-client, --pull (or --client), or socks we do not bind
3136  * locally to have "normal" IP client behaviour of a random source port */
3137  if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
3138  {
3139  ce->bind_local = false;
3140  }
3141 
3142  if (!ce->bind_local)
3143  {
3144  ce->local_port = NULL;
3145  }
3146 
3147  /* if protocol forcing is enabled, disable all protocols
3148  * except for the forced one
3149  */
3150  if (o->proto_force >= 0 && o->proto_force != ce->proto)
3151  {
3152  ce->flags |= CE_DISABLED;
3153  }
3154 
3155  if (ce->http_proxy_options)
3156  {
3157  ce->http_proxy_options->nocache = ssl_get_auth_nocache();
3158  }
3159 
3160  /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
3161  * so fall back to IPv4-only (trac #1221)
3162  */
3163  if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
3164  {
3165  if (ce->af == AF_INET6)
3166  {
3167  msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
3168  "'--socks-proxy' today. Forcing IPv4 mode." );
3169  }
3170  else
3171  {
3172  msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
3173  "work correctly with '--socks-proxy' today. Forcing IPv4." );
3174  }
3175  ce->af = AF_INET;
3176  }
3177 
3178  /*
3179  * Set MTU defaults
3180  */
3181  {
3182  if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
3183  {
3184  ce->tun_mtu_defined = true;
3185  }
3186  if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3187  {
3188  ce->tun_mtu_extra_defined = true;
3189  ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
3190  }
3191  }
3192 
3193  /*
3194  * If --mssfix is supplied without a parameter or not specified at all,
3195  * default it to --fragment value, if --fragment is specified and otherwise
3196  * to the default if tun-mtu is 1500
3197  */
3198  if (o->ce.mssfix_default)
3199  {
3200 #ifdef ENABLE_FRAGMENT
3201  if (ce->fragment)
3202  {
3203  ce->mssfix = ce->fragment;
3204  }
3205  else
3206 #endif
3207  if (ce->tun_mtu_defined)
3208  {
3209  if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3210  {
3211  /* We want to only set mssfix default value if we use a default
3212  * MTU Size, otherwise the different size of tun should either
3213  * already solve the problem or mssfix might artifically make the
3214  * payload packets smaller without mssfix 0 */
3215  ce->mssfix = MSSFIX_DEFAULT;
3216  ce->mssfix_encap = true;
3217  }
3218  else
3219  {
3220  /* We still apply the mssfix value but only adjust it to the
3221  * size of the tun interface. */
3222  ce->mssfix = ce->tun_mtu;
3223  ce->mssfix_fixed = true;
3224  }
3225  }
3226  }
3227 
3228  /*
3229  * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3230  *
3231  * At the end only one of these will be really set because the parser
3232  * logic prevents configurations where more are set.
3233  */
3234  if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3235  {
3236  ce->tls_auth_file = o->tls_auth_file;
3237  ce->tls_auth_file_inline = o->tls_auth_file_inline;
3238  ce->key_direction = o->key_direction;
3239 
3240  ce->tls_crypt_file = o->tls_crypt_file;
3241  ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3242 
3243  ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3244  ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3245  }
3246 
3247  /* Pre-cache tls-auth/crypt(-v2) key file if
3248  * keys were not already embedded in the config file.
3249  */
3250  connection_entry_preload_key(&ce->tls_auth_file,
3251  &ce->tls_auth_file_inline, &o->gc);
3252  connection_entry_preload_key(&ce->tls_crypt_file,
3253  &ce->tls_crypt_file_inline, &o->gc);
3254  connection_entry_preload_key(&ce->tls_crypt_v2_file,
3255  &ce->tls_crypt_v2_file_inline, &o->gc);
3256 
3257 
3258  if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3259  {
3260  msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3261  ce->explicit_exit_notification = 0;
3262  }
3263 }
3264 
3265 #ifdef _WIN32
3266 /* If iservice is in use, we need def1 method for redirect-gateway */
3267 static void
3268 remap_redirect_gateway_flags(struct options *opt)
3269 {
3270  if (opt->routes
3271  && opt->route_method == ROUTE_METHOD_SERVICE
3272  && opt->routes->flags & RG_REROUTE_GW
3273  && !(opt->routes->flags & RG_DEF1))
3274  {
3275  msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3276  opt->routes->flags |= RG_DEF1;
3277  }
3278 }
3279 #endif
3280 
3281 /*
3282  * Save/Restore certain option defaults before --pull is applied.
3283  */
3284 
3285 static void
3286 pre_connect_save(struct options *o)
3287 {
3288  ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3289  o->pre_connect->tuntap_options = o->tuntap_options;
3290  o->pre_connect->tuntap_options_defined = true;
3291  o->pre_connect->foreign_option_index = o->foreign_option_index;
3292 
3293  if (o->routes)
3294  {
3295  o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3296  o->pre_connect->routes_defined = true;
3297  }
3298  if (o->routes_ipv6)
3299  {
3300  o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3301  o->pre_connect->routes_ipv6_defined = true;
3302  }
3303  if (o->client_nat)
3304  {
3305  o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3306  o->pre_connect->client_nat_defined = true;
3307  }
3308 
3309  o->pre_connect->route_default_gateway = o->route_default_gateway;
3310  o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3311 
3312  o->pre_connect->dns_options = clone_dns_options(o->dns_options, &o->gc);
3313 
3314  /* NCP related options that can be overwritten by a push */
3315  o->pre_connect->ciphername = o->ciphername;
3316  o->pre_connect->authname = o->authname;
3317 
3318  /* Ping related options should be reset to the config values on reconnect */
3319  o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3320  o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3321  o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3322 
3323  /* Miscellaneous Options */
3324  o->pre_connect->comp = o->comp;
3325 }
3326 
3327 void
3328 pre_connect_restore(struct options *o, struct gc_arena *gc)
3329 {
3330  const struct options_pre_connect *pp = o->pre_connect;
3331  if (pp)
3332  {
3333  CLEAR(o->tuntap_options);
3334  if (pp->tuntap_options_defined)
3335  {
3336  o->tuntap_options = pp->tuntap_options;
3337  }
3338 
3339  if (pp->routes_defined)
3340  {
3341  rol_check_alloc(o);
3342  copy_route_option_list(o->routes, pp->routes, gc);
3343  }
3344  else
3345  {
3346  o->routes = NULL;
3347  }
3348 
3349  if (pp->routes_ipv6_defined)
3350  {
3351  rol6_check_alloc(o);
3352  copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3353  }
3354  else
3355  {
3356  o->routes_ipv6 = NULL;
3357  }
3358 
3359  o->route_default_gateway = pp->route_default_gateway;
3360  o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3361 
3362  /* Free DNS options and reset them to pre-pull state */
3363  gc_free(&o->dns_options.gc);
3364  struct gc_arena dns_gc = gc_new();
3365  o->dns_options = clone_dns_options(pp->dns_options, &dns_gc);
3366  o->dns_options.gc = dns_gc;
3367 
3368  if (pp->client_nat_defined)
3369  {
3370  cnol_check_alloc(o);
3371  copy_client_nat_option_list(o->client_nat, pp->client_nat);
3372  }
3373  else
3374  {
3375  o->client_nat = NULL;
3376  }
3377 
3378  o->foreign_option_index = pp->foreign_option_index;
3379 
3380  o->ciphername = pp->ciphername;
3381  o->authname = pp->authname;
3382 
3383  o->ping_rec_timeout = pp->ping_rec_timeout;
3384  o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3385  o->ping_send_timeout = pp->ping_send_timeout;
3386 
3387  /* Miscellaneous Options */
3388  o->comp = pp->comp;
3389  }
3390 
3391  o->push_continuation = 0;
3392  o->push_option_types_found = 0;
3393  o->imported_protocol_flags = 0;
3394 }
3395 
3396 static void
3397 options_postprocess_mutate_invariant(struct options *options)
3398 {
3399 #ifdef _WIN32
3400  const int dev = dev_type_enum(options->dev, options->dev_type);
3401 
3402  /* when using wintun/ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3403  if ((options->windows_driver == WINDOWS_DRIVER_WINTUN
3404  || options->windows_driver == WINDOWS_DRIVER_DCO)
3405  && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3406  || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3407  {
3408  options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3409  }
3410 
3411  if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3412  {
3413  /* delay may only be necessary when we perform DHCP handshake */
3414  const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3415  || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3416  if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3417  {
3418  options->route_delay_defined = true;
3419  options->route_delay = 5; /* Vista sometimes has a race without this */
3420  }
3421  }
3422 
3423  if (options->ifconfig_noexec)
3424  {
3425  options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3426  options->ifconfig_noexec = false;
3427  }
3428 
3429  remap_redirect_gateway_flags(options);
3430 
3431  /*
3432  * Check consistency of --mode server options.
3433  */
3434  if (options->mode == MODE_SERVER)
3435  {
3436  /*
3437  * We need to explicitly set --tap-sleep because
3438  * we do not schedule event timers in the top-level context.
3439  */
3440  options->tuntap_options.tap_sleep = 10;
3441  if (options->route_delay_defined && options->route_delay)
3442  {
3443  options->tuntap_options.tap_sleep = options->route_delay;
3444  }
3445  options->route_delay_defined = false;
3446  }
3447 #endif /* ifdef _WIN32 */
3448 
3449 #ifdef DEFAULT_PKCS11_MODULE
3450  /* If p11-kit is present on the system then load its p11-kit-proxy.so
3451  * by default if the user asks for PKCS#11 without otherwise specifying
3452  * the module to use. */
3453  if (!options->pkcs11_providers[0]
3454  && (options->pkcs11_id || options->pkcs11_id_management))
3455  {
3456  options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3457  }
3458 #endif
3459 }
3460 
3461 static void
3462 options_postprocess_verify(const struct options *o)
3463 {
3464  if (o->connection_list)
3465  {
3466  int i;
3467  for (i = 0; i < o->connection_list->len; ++i)
3468  {
3469  options_postprocess_verify_ce(o, o->connection_list->array[i]);
3470  }
3471  }
3472  else
3473  {
3474  options_postprocess_verify_ce(o, &o->ce);
3475  }
3476 
3477  dns_options_verify(M_FATAL, &o->dns_options);
3478 
3479  if (dco_enabled(o) && o->enable_c2c)
3480  {
3481  msg(M_WARN, "Note: --client-to-client has no effect when using data "
3482  "channel offload: packets are always sent to the VPN "
3483  "interface and then routed based on the system routing table");
3484  }
3485 }
3486 
3487 
3493 static void
3494 options_postprocess_setdefault_ncpciphers(struct options *o)
3495 {
3496  if (o->ncp_ciphers)
3497  {
3498  /* custom --data-ciphers set, keep list */
3499  return;
3500  }
3501 
3502  /* check if crypto library supports chacha */
3503  bool can_do_chacha = cipher_valid("CHACHA20-POLY1305");
3504 
3505  if (can_do_chacha && dco_enabled(o))
3506  {
3507  /* also make sure that dco supports chacha */
3508  can_do_chacha = tls_item_in_cipher_list("CHACHA20-POLY1305", dco_get_supported_ciphers());
3509  }
3510 
3511  if (can_do_chacha)
3512  {
3513  o->ncp_ciphers = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
3514  }
3515  else
3516  {
3517  o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
3518  }
3519 }
3520 
3521 static void
3522 options_postprocess_cipher(struct options *o)
3523 {
3524  if (!o->pull && !(o->mode == MODE_SERVER))
3525  {
3526  /* If the cipher is not set, use the old default of BF-CBC. We will
3527  * warn that this is deprecated on cipher initialisation, no need
3528  * to warn here as well */
3529  if (!o->ciphername)
3530  {
3531  o->ciphername = "BF-CBC";
3532  }
3533  else
3534  {
3535  o->enable_ncp_fallback = true;
3536  }
3537  return;
3538  }
3539 
3540  /* pull or P2MP mode */
3541  if (!o->ciphername)
3542  {
3543  /* We still need to set the ciphername to BF-CBC since various other
3544  * parts of OpenVPN assert that the ciphername is set */
3545  o->ciphername = "BF-CBC";
3546 
3547  msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
3548  "defaulted to BF-CBC as fallback when cipher negotiation "
3549  "failed in this case. If you need this fallback please add "
3550  "'--data-ciphers-fallback BF-CBC' to your configuration "
3551  "and/or add BF-CBC to --data-ciphers.");
3552  }
3553  else if (!o->enable_ncp_fallback
3554  && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3555  {
3556  msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3557  "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3558  "negotiations. ",
3559  o->ciphername, o->ncp_ciphers);
3560  }
3561 }
3562 
3577 static bool
3578 need_compatibility_before(const struct options *o, unsigned int version)
3579 {
3580  return o->backwards_compatible != 0 && o->backwards_compatible < version;
3581 }
3582 
3587 static void
3588 options_set_backwards_compatible_options(struct options *o)
3589 {
3590  /* TLS min version is not set */
3591  int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
3592  & SSLF_TLS_VERSION_MIN_MASK;
3593  if (tls_ver_min == 0)
3594  {
3595  int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
3596  & SSLF_TLS_VERSION_MAX_MASK;
3597  if (need_compatibility_before(o, 20307))
3598  {
3599  /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3600  o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3601  }
3602  else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3603  {
3604  /* Use TLS 1.2 as proper default */
3605  o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3606  }
3607  else
3608  {
3609  /* Maximize the minimum version */
3610  o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3611  }
3612  }
3613 
3614  if (need_compatibility_before(o, 20400))
3615  {
3616  if (!o->ciphername)
3617  {
3618  /* If ciphername is not set default to BF-CBC when targeting these
3619  * old versions that do not have NCP */
3620  o->ciphername = "BF-CBC";
3621  }
3622  /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3623  * not have OCC strings required for "poor man's NCP" */
3624  o->enable_ncp_fallback = true;
3625  }
3626 
3627  /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3628  * Version 2.4 probably does not need it but NCP was not so
3629  * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3630  * Only do this iff --cipher is set (explicitly or by compat mode
3631  * < 2.4.0, see above). This is not 100% correct backwards compatible
3632  * behaviour but 2.5 already behaved like this */
3633  if (o->ciphername && need_compatibility_before(o, 20500)
3634  && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3635  {
3636  append_cipher_to_ncp_list(o, o->ciphername);
3637  }
3638 
3639 #ifdef USE_COMP
3640  /* Compression is deprecated and we do not want to announce support for it
3641  * by default anymore, additionally DCO breaks with compression.
3642  *
3643  * Disable compression by default starting with 2.6.0 if no other
3644  * compression related option has been explicitly set */
3645  if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
3646  {
3647  if (!comp_non_stub_enabled(&o->comp))
3648  {
3649  o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
3650  }
3651  }
3652 #else /* ifdef USE_COMP */
3653  o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;
3654 #endif
3655 }
3656 
3657 static void
3658 options_process_mutate_prf(struct options *o)
3659 {
3660  if (!check_tls_prf_working())
3661  {
3662  msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
3663  "supported by the TLS library. Your system does not support this "
3664  "calculation anymore or your security policy (e.g. FIPS 140-2) "
3665  "forbids it. Connections will only work with peers running "
3666  "OpenVPN 2.6.0 or higher)");
3667 #ifndef HAVE_EXPORT_KEYING_MATERIAL
3668  msg(M_FATAL, "Keying Material Exporters (RFC 5705) not available either. "
3669  "No way to generate data channel keys left.");
3670 #endif
3671  if (o->mode == MODE_SERVER)
3672  {
3673  msg(M_WARN, "Automatically enabling option "
3674  "--force-tls-key-material-export");
3675  o->force_key_material_export = true;
3676  }
3677 
3678  }
3679 }
3680 
3681 static void
3682 options_postprocess_mutate(struct options *o, struct env_set *es)
3683 {
3684  int i;
3685  /*
3686  * Process helper-type options which map to other, more complex
3687  * sequences of options.
3688  */
3689  helper_client_server(o);
3690  /* must be called after helpers that might set --mode */
3691  helper_setdefault_topology(o);
3692  helper_keepalive(o);
3693  helper_tcp_nodelay(o);
3694 
3695  options_postprocess_setdefault_ncpciphers(o);
3696  options_set_backwards_compatible_options(o);
3697  options_process_mutate_prf(o);
3698 
3699  options_postprocess_cipher(o);
3700  o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3701  if (o->ncp_ciphers == NULL)
3702  {
3703  msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3704  }
3705 
3706  if (o->remote_list && !o->connection_list)
3707  {
3708  /*
3709  * Convert remotes into connection list
3710  */
3711  const struct remote_list *rl = o->remote_list;
3712  for (i = 0; i < rl->len; ++i)
3713  {
3714  const struct remote_entry *re = rl->array[i];
3715  struct connection_entry ce = o->ce;
3716  struct connection_entry *ace;
3717 
3718  ASSERT(re->remote);
3719  connection_entry_load_re(&ce, re);
3720  ace = alloc_connection_entry(o, M_USAGE);
3721  ASSERT(ace);
3722  *ace = ce;
3723  }
3724  }
3725  else if (!o->remote_list && !o->connection_list)
3726  {
3727  struct connection_entry *ace;
3728  ace = alloc_connection_entry(o, M_USAGE);
3729  ASSERT(ace);
3730  *ace = o->ce;
3731  }
3732 
3733  ASSERT(o->connection_list);
3734  for (i = 0; i < o->connection_list->len; ++i)
3735  {
3736  options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3737  }
3738 
3739  if (o->tls_server)
3740  {
3741  /* Check that DH file is specified, or explicitly disabled */
3742  notnull(o->dh_file, "DH file (--dh)");
3743  if (streq(o->dh_file, "none"))
3744  {
3745  o->dh_file = NULL;
3746  }
3747  }
3748  else if (o->dh_file)
3749  {
3750  /* DH file is only meaningful in a tls-server context. */
3751  msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3752  "include this in your server configuration");
3753  o->dh_file = NULL;
3754  }
3755 #if ENABLE_MANAGEMENT
3756  if (o->http_proxy_override)
3757  {
3758  options_postprocess_http_proxy_override(o);
3759  }
3760 #endif
3761  if (!o->ca_file && !o->ca_path && o->verify_hash
3762  && o->verify_hash_depth == 0)
3763  {
3764  msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3765  "option set). ");
3766  o->verify_hash_no_ca = true;
3767  }
3768 
3769  if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3770  {
3771  msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3772  "incompatible with each other.");
3773  }
3774 
3775  if (dco_enabled(o))
3776  {
3777  /* check if any option should force disabling DCO */
3778  o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o)
3779  || !dco_check_startup_option(D_DCO, o);
3780  }
3781 #ifdef USE_COMP
3782  if (dco_enabled(o))
3783  {
3784  o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY;
3785  }
3786 #endif
3787 
3788 #ifdef _WIN32
3789  if (dco_enabled(o))
3790  {
3791  o->windows_driver = WINDOWS_DRIVER_DCO;
3792  }
3793  else
3794  {
3795  if (o->windows_driver == WINDOWS_DRIVER_DCO)
3796  {
3797  msg(M_WARN, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3798  o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3799  }
3800  else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED)
3801  {
3802  o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3803  }
3804  }
3805 #else /* _WIN32 */
3806  if (dco_enabled(o) && o->dev_node)
3807  {
3808  msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3809  "data channel offload");
3810  o->dev_node = NULL;
3811  }
3812 #endif /* _WIN32 */
3813 
3814  /* this depends on o->windows_driver, which is set above */
3815  options_postprocess_mutate_invariant(o);
3816 
3817  /* check that compression settings in the options are okay */
3818  check_compression_settings_valid(&o->comp, M_USAGE);
3819 
3820  /*
3821  * Save certain parms before modifying options during connect, especially
3822  * when using --pull
3823  */
3824  if (o->pull)
3825  {
3826  dns_options_preprocess_pull(&o->dns_options);
3827  }
3828  else
3829  {
3830 #if defined(_WIN32) || defined(TARGET_ANDROID)
3831  tuntap_options_copy_dns(o);
3832 #else
3833  foreign_options_copy_dns(o, es);
3834 #endif
3835  }
3836  if (o->auth_token_generate && !o->auth_token_renewal)
3837  {
3838  o->auth_token_renewal = o->renegotiate_seconds;
3839  }
3840  pre_connect_save(o);
3841 }
3842 
3843 /*
3844  * Check file/directory sanity
3845  *
3846  */
3847 #ifndef ENABLE_SMALL
3849 #define CHKACC_FILE (1<<0)
3850 #define CHKACC_DIRPATH (1<<1)
3851 #define CHKACC_FILEXSTWR (1<<2)
3852 #define CHKACC_ACPTSTDIN (1<<3)
3853 #define CHKACC_PRIVATE (1<<4)
3855 static bool
3856 check_file_access(const int type, const char *file, const int mode, const char *opt)
3857 {
3858  int errcode = 0;
3859 
3860  /* If no file configured, no errors to look for */
3861  if (!file)
3862  {
3863  return false;
3864  }
3865 
3866  /* If stdin is allowed and the file name is 'stdin', then do no
3867  * further checks as stdin is always available
3868  */
3869  if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3870  {
3871  return false;
3872  }
3873 
3874  /* Is the directory path leading to the given file accessible? */
3875  if (type & CHKACC_DIRPATH)
3876  {
3877  char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3878  char *dirpath = dirname(fullpath);
3879 
3880  if (platform_access(dirpath, mode|X_OK) != 0)
3881  {
3882  errcode = errno;
3883  }
3884  free(fullpath);
3885  }
3886 
3887  /* Is the file itself accessible? */
3888  if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3889  {
3890  errcode = errno;
3891  }
3892 
3893  /* If the file exists and is accessible, is it writable? */
3894  if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3895  {
3896  if (platform_access(file, W_OK) != 0)
3897  {
3898  errcode = errno;
3899  }
3900  }
3901 
3902  /* Warn if a given private file is group/others accessible. */
3903  if (type & CHKACC_PRIVATE)
3904  {
3905  platform_stat_t st;
3906  if (platform_stat(file, &st))
3907  {
3908  msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3909  }
3910 #ifndef _WIN32
3911  else
3912  {
3913  if (st.st_mode & (S_IRWXG|S_IRWXO))
3914  {
3915  msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3916  }
3917  }
3918 #endif
3919  }
3920 
3921  /* Scream if an error is found */
3922  if (errcode > 0)
3923  {
3924  msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3925  }
3926 
3927  /* Return true if an error occurred */
3928  return (errcode != 0 ? true : false);
3929 }
3930 
3931 /* A wrapper for check_file_access() which also takes a chroot directory.
3932  * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3933  * otherwise it will look for the file inside the given chroot directory instead.
3934  */
3935 static bool
3936 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3937 {
3938  bool ret = false;
3939 
3940  /* If no file configured, no errors to look for */
3941  if (!file)
3942  {
3943  return false;
3944  }
3945 
3946  /* If chroot is set, look for the file/directory inside the chroot */
3947  if (chroot)
3948  {
3949  struct gc_arena gc = gc_new();
3950  struct buffer chroot_file;
3951 
3952  chroot_file = prepend_dir(chroot, file, &gc);
3953  ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3954  gc_free(&gc);
3955  }
3956  else
3957  {
3958  /* No chroot in play, just call core file check function */
3959  ret = check_file_access(type, file, mode, opt);
3960  }
3961  return ret;
3962 }
3963 
3968 static bool
3969 check_file_access_chroot_inline(bool is_inline, const char *chroot,
3970  const int type, const char *file,
3971  const int mode, const char *opt)
3972 {
3973  if (is_inline)
3974  {
3975  return false;
3976  }
3977 
3978  return check_file_access_chroot(chroot, type, file, mode, opt);
3979 }
3980 
3985 static bool
3986 check_file_access_inline(bool is_inline, const int type, const char *file,
3987  const int mode, const char *opt)
3988 {
3989  if (is_inline)
3990  {
3991  return false;
3992  }
3993 
3994  return check_file_access(type, file, mode, opt);
3995 }
3996 
3997 /*
3998  * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3999  * valid file with appropriate permissions.
4000  *
4001  * "command" consists of a path, optionally followed by a space, which may be
4002  * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
4003  * performed.
4004  *
4005  * The path and arguments in "command" may be single- or double-quoted or escaped.
4006  *
4007  * The path is extracted from "command", then check_file_access() is called to check it. The
4008  * arguments, if any, are ignored.
4009  *
4010  * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
4011  * check_file_access() arguments.
4012  */
4013 static bool
4014 check_cmd_access(const char *command, const char *opt, const char *chroot)
4015 {
4016  struct argv argv;
4017  bool return_code;
4018 
4019  /* If no command was set, there are no errors to look for */
4020  if (!command)
4021  {
4022  return false;
4023  }
4024 
4025  /* Extract executable path and arguments */
4026  argv = argv_new();
4027  argv_parse_cmd(&argv, command);
4028 
4029  /* if an executable is specified then check it; otherwise, complain */
4030  if (argv.argv[0])
4031  {
4032  /* Scripts requires R_OK as well, but that might fail on binaries which
4033  * only requires X_OK to function on Unix - a scenario not unlikely to
4034  * be seen on suid binaries.
4035  */
4036  return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
4037  }
4038  else
4039  {
4040  msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
4041  opt, command);
4042  return_code = true;
4043  }
4044 
4045  argv_free(&argv);
4046 
4047  return return_code;
4048 }
4049 
4050 /*
4051  * Sanity check of all file/dir options. Checks that file/dir
4052  * is accessible by OpenVPN
4053  */
4054 static void
4055 options_postprocess_filechecks(struct options *options)
4056 {
4057  bool errs = false;
4058 
4059  /* ** SSL/TLS/crypto related files ** */
4060  errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
4061  options->dh_file, R_OK, "--dh");
4062 
4063  if (!options->verify_hash_no_ca)
4064  {
4065  errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
4066  options->ca_file, R_OK, "--ca");
4067  }
4068 
4069  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4070  options->ca_path, R_OK, "--capath");
4071 
4072  errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE,
4073  options->cert_file, R_OK, "--cert");
4074 
4075  errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
4076  options->extra_certs_file, R_OK,
4077  "--extra-certs");
4078 
4079  if (!(options->management_flags & MF_EXTERNAL_KEY))
4080  {
4081  errs |= check_file_access_inline(options->priv_key_file_inline,
4082  CHKACC_FILE|CHKACC_PRIVATE,
4083  options->priv_key_file, R_OK, "--key");
4084  }
4085 
4086  errs |= check_file_access_inline(options->pkcs12_file_inline,
4087  CHKACC_FILE|CHKACC_PRIVATE,
4088  options->pkcs12_file, R_OK, "--pkcs12");
4089 
4090  if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
4091  {
4092  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4093  options->crl_file, R_OK|X_OK,
4094  "--crl-verify directory");
4095  }
4096  else
4097  {
4098  errs |= check_file_access_chroot_inline(options->crl_file_inline,
4099  options->chroot_dir,
4100  CHKACC_FILE, options->crl_file,
4101  R_OK, "--crl-verify");
4102  }
4103 
4104  if (options->tls_export_peer_cert_dir)
4105  {
4106  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4107  options->tls_export_peer_cert_dir,
4108  W_OK, "--tls-export-cert");
4109  }
4110 
4111  ASSERT(options->connection_list);
4112  for (int i = 0; i < options->connection_list->len; ++i)
4113  {
4114  struct connection_entry *ce = options->connection_list->array[i];
4115 
4116  errs |= check_file_access_inline(ce->tls_auth_file_inline,
4117  CHKACC_FILE|CHKACC_PRIVATE,
4118  ce->tls_auth_file, R_OK,
4119  "--tls-auth");
4120  errs |= check_file_access_inline(ce->tls_crypt_file_inline,
4121  CHKACC_FILE|CHKACC_PRIVATE,
4122  ce->tls_crypt_file, R_OK,
4123  "--tls-crypt");
4124  errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline,
4125  CHKACC_FILE|CHKACC_PRIVATE,
4126  ce->tls_crypt_v2_file, R_OK,
4127  "--tls-crypt-v2");
4128  }
4129 
4130  errs |= check_file_access_inline(options->shared_secret_file_inline,
4131  CHKACC_FILE|CHKACC_PRIVATE,
4132  options->shared_secret_file, R_OK,
4133  "--secret");
4134 
4135  errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
4136  options->packet_id_file, R_OK|W_OK, "--replay-persist");
4137 
4138  /* ** Password files ** */
4139  errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4140  options->key_pass_file, R_OK, "--askpass");
4141 #ifdef ENABLE_MANAGEMENT
4142  errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4143  options->management_user_pass, R_OK,
4144  "--management user/password file");
4145 #endif /* ENABLE_MANAGEMENT */
4146  errs |= check_file_access_inline(options->auth_user_pass_file_inline,
4147  CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4148  options->auth_user_pass_file, R_OK,
4149  "--auth-user-pass");
4150  /* ** System related ** */
4151  errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
4152  R_OK|X_OK, "--chroot directory");
4153  errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
4154  R_OK|W_OK, "--writepid");
4155 
4156  /* ** Log related ** */
4157  errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
4158  R_OK|W_OK, "--status");
4159 
4160  /* ** Config related ** */
4161  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4162  R_OK|X_OK, "--client-config-dir");
4163  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4164  R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
4165 
4166  if (errs)
4167  {
4168  msg(M_USAGE, "Please correct these errors.");
4169  }
4170 }
4171 #endif /* !ENABLE_SMALL */
4172 
4173 /*
4174  * Sanity check on options.
4175  * Also set some options based on other
4176  * options.
4177  */
4178 void
4179 options_postprocess(struct options *options, struct env_set *es)
4180 {
4181  options_postprocess_mutate(options, es);
4182  options_postprocess_verify(options);
4183 #ifndef ENABLE_SMALL
4184  options_postprocess_filechecks(options);
4185 #endif /* !ENABLE_SMALL */
4186 }
4187 
4188 /*
4189  * Sanity check on options after more options were pulled from server.
4190  * Also time to modify some options based on other options.
4191  */
4192 bool
4193 options_postprocess_pull(struct options *o, struct env_set *es)
4194 {
4195  bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4196  if (success)
4197  {
4198  dns_options_postprocess_pull(&o->dns_options);
4199  setenv_dns_options(&o->dns_options, es);
4200 #if defined(_WIN32) || defined(TARGET_ANDROID)
4201  tuntap_options_copy_dns(o);
4202 #else
4203  foreign_options_copy_dns(o, es);
4204 #endif
4205  }
4206  return success;
4207 }
4208 
4209 /*
4210  * Build an options string to represent data channel encryption options.
4211  * This string must match exactly between peers. The keysize is checked
4212  * separately by read_key().
4213  *
4214  * The following options must match on both peers:
4215  *
4216  * Tunnel options:
4217  *
4218  * --dev tun|tap [unit number need not match]
4219  * --dev-type tun|tap
4220  * --link-mtu
4221  * --udp-mtu
4222  * --tun-mtu
4223  * --proto udp
4224  * --proto tcp-client [matched with --proto tcp-server
4225  * on the other end of the connection]
4226  * --proto tcp-server [matched with --proto tcp-client on
4227  * the other end of the connection]
4228  * --tun-ipv6
4229  * --ifconfig x y [matched with --ifconfig y x on
4230  * the other end of the connection]
4231  *
4232  * --comp-lzo
4233  * --compress alg
4234  * --fragment
4235  *
4236  * Crypto Options:
4237  *
4238  * --cipher
4239  * --auth
4240  * --secret
4241  *
4242  * SSL Options:
4243  *
4244  * --tls-auth
4245  * --tls-client [matched with --tls-server on
4246  * the other end of the connection]
4247  * --tls-server [matched with --tls-client on
4248  * the other end of the connection]
4249  */
4250 char *
4251 options_string(const struct options *o,
4252  const struct frame *frame,
4253  struct tuntap *tt,
4254  openvpn_net_ctx_t *ctx,
4255  bool remote,
4256  struct gc_arena *gc)
4257 {
4258  struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4259  bool tt_local = false;
4260 
4261  buf_printf(&out, "V4");
4262 
4263  /*
4264  * Tunnel Options
4265  */
4266 
4267  buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4268  /* the link-mtu that we send has only a meaning if have a fixed
4269  * cipher (p2p) or have a fallback cipher configured for older non
4270  * ncp clients. But not sending it will make even 2.4 complain
4271  * about it being missing. So still send it. */
4272  buf_printf(&out, ",link-mtu %u",
4273  (unsigned int) calc_options_string_link_mtu(o, frame));
4274 
4275  if (o->ce.occ_mtu != 0)
4276  {
4277  buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4278  }
4279  else
4280  {
4281  buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4282  }
4283 
4284  buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4285 
4286  bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4287  /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4288  * is usually pushed by the server, triggering a non-helpful warning
4289  */
4290  if (o->ifconfig_ipv6_local && p2p_nopull)
4291  {
4292  buf_printf(&out, ",tun-ipv6");
4293  }
4294 
4295  /*
4296  * Try to get ifconfig parameters into the options string.
4297  * If tt is undefined, make a temporary instantiation.
4298  */
4299  if (!tt)
4300  {
4301  tt = init_tun(o->dev,
4302  o->dev_type,
4303  o->topology,
4304  o->ifconfig_local,
4305  o->ifconfig_remote_netmask,
4306  o->ifconfig_ipv6_local,
4307  o->ifconfig_ipv6_netbits,
4308  o->ifconfig_ipv6_remote,
4309  NULL,
4310  NULL,
4311  false,
4312  NULL,
4313  ctx,
4314  NULL);
4315  if (tt)
4316  {
4317  tt_local = true;
4318  }
4319  }
4320 
4321  if (tt && p2p_nopull)
4322  {
4323  const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4324  if (ios && strlen(ios))
4325  {
4326  buf_printf(&out, ",ifconfig %s", ios);
4327  }
4328  }
4329  if (tt_local)
4330  {
4331  free(tt);
4332  tt = NULL;
4333  }
4334 
4335 #ifdef USE_COMP
4336  if (o->comp.alg != COMP_ALG_UNDEF)
4337  {
4338  buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
4339  }
4340 #endif
4341 
4342 #ifdef ENABLE_FRAGMENT
4343  if (o->ce.fragment)
4344  {
4345  buf_printf(&out, ",mtu-dynamic");
4346  }
4347 #endif
4348 
4349 #define TLS_CLIENT (o->tls_client)
4350 #define TLS_SERVER (o->tls_server)
4351 
4352  /*
4353  * Key direction
4354  */
4355  {
4356  const char *kd = keydirection2ascii(o->key_direction, remote, false);
4357  if (kd)
4358  {
4359  buf_printf(&out, ",keydir %s", kd);
4360  }
4361  }
4362 
4363  /*
4364  * Crypto Options
4365  */
4366  if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4367  {
4368  struct key_type kt;
4369 
4370  ASSERT((o->shared_secret_file != NULL)
4371  + (TLS_CLIENT == true)
4372  + (TLS_SERVER == true)
4373  <= 1);
4374 
4375  /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4376  * to work here in the default configuration */
4377  const char *ciphername = o->ciphername;
4378  int keysize = 0;
4379 
4380  if (strcmp(o->ciphername, "BF-CBC") == 0)
4381  {
4382  init_key_type(&kt, "none", o->authname, true, false);
4383  keysize = 128;
4384  }
4385  else
4386  {
4387  init_key_type(&kt, o->ciphername, o->authname, true, false);
4388  ciphername = cipher_kt_name(kt.cipher);
4389  if (cipher_defined(o->ciphername))
4390  {
4391  keysize = cipher_kt_key_size(kt.cipher) * 8;
4392  }
4393  }
4394  /* Only announce the cipher to our peer if we are willing to
4395  * support it */
4396  if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4397  {
4398  buf_printf(&out, ",cipher %s", ciphername);
4399  }
4400  buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4401  buf_printf(&out, ",keysize %d", keysize);
4402  if (o->shared_secret_file)
4403  {
4404  buf_printf(&out, ",secret");
4405  }
4406 
4407 #ifdef ENABLE_PREDICTION_RESISTANCE
4408  if (o->use_prediction_resistance)
4409  {
4410  buf_printf(&out, ",use-prediction-resistance");
4411  }
4412 #endif
4413  }
4414 
4415  /*
4416  * SSL Options
4417  */
4418  {
4419  if (TLS_CLIENT || TLS_SERVER)
4420  {
4421  if (o->ce.tls_auth_file)
4422  {
4423  buf_printf(&out, ",tls-auth");
4424  }
4425  /* Not adding tls-crypt here, because we won't reach this code if
4426  * tls-auth/tls-crypt does not match. Removing tls-auth here would
4427  * break stuff, so leaving that in place. */
4428 
4429  buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4430  }
4431 
4432  if (remote)
4433  {
4434  if (TLS_CLIENT)
4435  {
4436  buf_printf(&out, ",tls-server");
4437  }
4438  else if (TLS_SERVER)
4439  {
4440  buf_printf(&out, ",tls-client");
4441  }
4442  }
4443  else
4444  {
4445  if (TLS_CLIENT)
4446  {
4447  buf_printf(&out, ",tls-client");
4448  }
4449  else if (TLS_SERVER)
4450  {
4451  buf_printf(&out, ",tls-server");
4452  }
4453  }
4454  }
4455 
4456 #undef TLS_CLIENT
4457 #undef TLS_SERVER
4458 
4459  return BSTR(&out);
4460 }
4461 
4462 /*
4463  * Compare option strings for equality.
4464  * If the first two chars of the strings differ, it means that
4465  * we are looking at different versions of the options string,
4466  * therefore don't compare them and return true.
4467  */
4468 
4469 bool
4470 options_cmp_equal(char *actual, const char *expected)
4471 {
4472  return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4473 }
4474 
4475 void
4476 options_warning(char *actual, const char *expected)
4477 {
4478  options_warning_safe(actual, expected, strlen(actual) + 1);
4479 }
4480 
4481 static const char *
4482 options_warning_extract_parm1(const char *option_string,
4483  struct gc_arena *gc_ret)
4484 {
4485  struct gc_arena gc = gc_new();
4486  struct buffer b = string_alloc_buf(option_string, &gc);
4487  char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4488  const char *ret;
4489 
4490  buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4491  ret = string_alloc(p, gc_ret);
4492  gc_free(&gc);
4493  return ret;
4494 }
4495 
4496 static void
4497 options_warning_safe_scan2(const int msglevel,
4498  const int delim,
4499  const bool report_inconsistent,
4500  const char *p1,
4501  const struct buffer *b2_src,
4502  const char *b1_name,
4503  const char *b2_name)
4504 {
4505  /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4506  * OCC in a future version (because it's not useful). To reduce questions
4507  * when interoperating, we no longer printing a warning about it.
4508  */
4509  if (strprefix(p1, "key-method ")
4510  || strprefix(p1, "keydir ")
4511  || strprefix(p1, "proto ")
4512  || streq(p1, "tls-auth")
4513  || strprefix(p1, "tun-ipv6")
4514  || strprefix(p1, "cipher "))
4515  {
4516  return;
4517  }
4518 
4519  if (strlen(p1) > 0)
4520  {
4521  struct gc_arena gc = gc_new();
4522  struct buffer b2 = *b2_src;
4523  const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4524  char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4525 
4526  while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4527  {
4528  if (strlen(p2))
4529  {
4530  const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4531 
4532  if (!strcmp(p1, p2))
4533  {
4534  goto done;
4535  }
4536  if (!strcmp(p1_prefix, p2_prefix))
4537  {
4538  if (report_inconsistent)
4539  {
4540  msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4541  safe_print(p1_prefix, &gc),
4542  b1_name,
4543  safe_print(p1, &gc),
4544  b2_name,
4545  safe_print(p2, &gc));
4546  }
4547  goto done;
4548  }
4549  }
4550  }
4551 
4552  msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4553  safe_print(p1_prefix, &gc),
4554  b1_name,
4555  b2_name,
4556  b1_name,
4557  safe_print(p1, &gc));
4558 
4559 done:
4560  gc_free(&gc);
4561  }
4562 }
4563 
4564 static void
4565 options_warning_safe_scan1(const int msglevel,
4566  const int delim,
4567  const bool report_inconsistent,
4568  const struct buffer *b1_src,
4569  const struct buffer *b2_src,
4570  const char *b1_name,
4571  const char *b2_name)
4572 {
4573  struct gc_arena gc = gc_new();
4574  struct buffer b = *b1_src;
4575  char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4576 
4577  while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4578  {
4579  options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4580  }
4581 
4582  gc_free(&gc);
4583 }
4584 
4585 static void
4586 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4587 {
4588  struct gc_arena gc = gc_new();
4589 
4590  if (actual_n > 0)
4591  {
4592  struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4593  struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4594  actual[actual_n - 1] = 0;
4595 
4596  buf_printf(&local, "version %s", expected);
4597  buf_printf(&remote, "version %s", actual);
4598 
4599  options_warning_safe_scan1(msglevel, ',', true,
4600  &local, &remote,
4601  "local", "remote");
4602 
4603  options_warning_safe_scan1(msglevel, ',', false,
4604  &remote, &local,
4605  "remote", "local");
4606  }
4607 
4608  gc_free(&gc);
4609 }
4610 
4611 bool
4612 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4613 {
4614  struct gc_arena gc = gc_new();
4615  bool ret = true;
4616 
4617  if (actual_n > 0)
4618  {
4619  actual[actual_n - 1] = 0;
4620  if (strncmp(actual, expected, 2))
4621  {
4622  msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4623  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4624  }
4625  else
4626  {
4627  ret = !strcmp(actual, expected);
4628  }
4629  }
4630  gc_free(&gc);
4631  return ret;
4632 }
4633 
4634 void
4635 options_warning_safe(char *actual, const char *expected, size_t actual_n)
4636 {
4637  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4638 }
4639 
4640 const char *
4641 options_string_version(const char *s, struct gc_arena *gc)
4642 {
4643  struct buffer out = alloc_buf_gc(4, gc);
4644  strncpynt((char *) BPTR(&out), s, 3);
4645  return BSTR(&out);
4646 }
4647 
4648 char *
4649 options_string_extract_option(const char *options_string, const char *opt_name,
4650  struct gc_arena *gc)
4651 {
4652  char *ret = NULL;
4653  const size_t opt_name_len = strlen(opt_name);
4654 
4655  const char *p = options_string;
4656  while (p)
4657  {
4658  if (0 == strncmp(p, opt_name, opt_name_len)
4659  && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4660  {
4661  /* option found, extract value */
4662  const char *start = &p[opt_name_len+1];
4663  const char *end = strchr(p, ',');
4664  size_t val_len = end ? end - start : strlen(start);
4665  ret = gc_malloc(val_len+1, true, gc);
4666  memcpy(ret, start, val_len);
4667  break;
4668  }
4669  p = strchr(p, ',');
4670  if (p)
4671  {
4672  p++; /* skip delimiter */
4673  }
4674  }
4675  return ret;
4676 }
4677 
4678 #ifdef _WIN32
4679 
4686 static enum windows_driver_type
4687 parse_windows_driver(const char *str, const int msglevel)
4688 {
4689  if (streq(str, "tap-windows6"))
4690  {
4691  return WINDOWS_DRIVER_TAP_WINDOWS6;
4692  }
4693  else if (streq(str, "wintun"))
4694  {
4695  return WINDOWS_DRIVER_WINTUN;
4696  }
4697 
4698  else if (streq(str, "ovpn-dco"))
4699  {
4700  return WINDOWS_DRIVER_DCO;
4701  }
4702  else
4703  {
4704  msg(msglevel, "--windows-driver must be tap-windows6, wintun "
4705  "or ovpn-dco");
4706  return WINDOWS_DRIVER_UNSPECIFIED;
4707  }
4708 }
4709 #endif /* ifdef _WIN32 */
4710 
4711 /*
4712  * parse/print topology coding
4713  */
4714 
4715 int
4716 parse_topology(const char *str, const int msglevel)
4717 {
4718  if (streq(str, "net30"))
4719  {
4720  return TOP_NET30;
4721  }
4722  else if (streq(str, "p2p"))
4723  {
4724  return TOP_P2P;
4725  }
4726  else if (streq(str, "subnet"))
4727  {
4728  return TOP_SUBNET;
4729  }
4730  else
4731  {
4732  msg(msglevel, "--topology must be net30, p2p, or subnet");
4733  return TOP_UNDEF;
4734  }
4735 }
4736 
4737 const char *
4738 print_topology(const int topology)
4739 {
4740  switch (topology)
4741  {
4742  case TOP_UNDEF:
4743  return "undef";
4744 
4745  case TOP_NET30:
4746  return "net30";
4747 
4748  case TOP_P2P:
4749  return "p2p";
4750 
4751  case TOP_SUBNET:
4752  return "subnet";
4753 
4754  default:
4755  return "unknown";
4756  }
4757 }
4758 
4759 /*
4760  * Manage auth-retry variable
4761  */
4762 
4763 static int global_auth_retry; /* GLOBAL */
4764 
4765 int
4766 auth_retry_get(void)
4767 {
4768  return global_auth_retry;
4769 }
4770 
4771 bool
4772 auth_retry_set(const int msglevel, const char *option)
4773 {
4774  if (streq(option, "interact"))
4775  {
4776  global_auth_retry = AR_INTERACT;
4777  }
4778  else if (streq(option, "nointeract"))
4779  {
4780  global_auth_retry = AR_NOINTERACT;
4781  }
4782  else if (streq(option, "none"))
4783  {
4784  global_auth_retry = AR_NONE;
4785  }
4786  else
4787  {
4788  msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4789  return false;
4790  }
4791  return true;
4792 }
4793 
4794 const char *
4795 auth_retry_print(void)
4796 {
4797  switch (global_auth_retry)
4798  {
4799  case AR_NONE:
4800  return "none";
4801 
4802  case AR_NOINTERACT:
4803  return "nointeract";
4804 
4805  case AR_INTERACT:
4806  return "interact";
4807 
4808  default:
4809  return "???";
4810  }
4811 }
4812 
4813 /*
4814  * Print the help message.
4815  */
4816 static void
4817 usage(void)
4818 {
4819  FILE *fp = msg_fp(0);
4820 
4821 #ifdef ENABLE_SMALL
4822 
4823  fprintf(fp, "Usage message not available\n");
4824 
4825 #else
4826 
4827  struct options o;
4828  init_options(&o, true);
4829 
4830  fprintf(fp, usage_message,
4831  title_string,
4832  o.ce.connect_retry_seconds,
4833  o.ce.connect_retry_seconds_max,
4834  o.ce.local_port, o.ce.remote_port,
4835  TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
4836  o.verbosity,
4837  o.authname,
4838  o.replay_window, o.replay_time,
4839  o.tls_timeout, o.renegotiate_seconds,
4840  o.handshake_window, o.transition_window);
4841  fflush(fp);
4842 
4843 #endif /* ENABLE_SMALL */
4844 
4845  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4846 }
4847 
4848 void
4849 usage_small(void)
4850 {
4851  msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4852  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4853 }
4854 
4855 #ifdef _WIN32
4856 void
4857 show_windows_version(const unsigned int flags)
4858 {
4859  struct gc_arena gc = gc_new();
4860  msg(flags, "Windows version %s", win32_version_string(&gc, true));
4861  gc_free(&gc);
4862 }
4863 #endif
4864 
4865 void
4866 show_dco_version(const unsigned int flags)
4867 {
4868 #ifdef ENABLE_DCO
4869  struct gc_arena gc = gc_new();
4870  msg(flags, "DCO version: %s", dco_version_string(&gc));
4871  gc_free(&gc);
4872 #endif
4873 }
4874 
4875 void
4876 show_library_versions(const unsigned int flags)
4877 {
4878 #ifdef ENABLE_LZO
4879 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4880 #else
4881 #define LZO_LIB_VER_STR "", ""
4882 #endif
4883 
4884  msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4885  LZO_LIB_VER_STR);
4886 
4887 #undef LZO_LIB_VER_STR
4888 }
4889 
4890 static void
4891 usage_version(void)
4892 {
4893  msg(M_INFO|M_NOPREFIX, "%s", title_string);
4894  show_library_versions( M_INFO|M_NOPREFIX );
4895 #ifdef _WIN32
4896  show_windows_version( M_INFO|M_NOPREFIX );
4897 #endif
4898  show_dco_version(M_INFO | M_NOPREFIX);
4899  msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4900  msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>");
4901 #ifndef ENABLE_SMALL
4902 #ifdef CONFIGURE_DEFINES
4903  msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4904 #endif
4905 #ifdef CONFIGURE_SPECIAL_BUILD
4906  msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4907 #endif
4908 #endif
4909  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4910 }
4911 
4912 void
4913 notnull(const char *arg, const char *description)
4914 {
4915  if (!arg)
4916  {
4917  msg(M_USAGE, "You must define %s", description);
4918  }
4919 }
4920 
4921 bool
4922 string_defined_equal(const char *s1, const char *s2)
4923 {
4924  if (s1 && s2)
4925  {
4926  return !strcmp(s1, s2);
4927  }
4928  else
4929  {
4930  return false;
4931  }
4932 }
4933 
4934 #if 0
4935 static void
4936 ping_rec_err(int msglevel)
4937 {
4938  msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4939 }
4940 #endif
4941 
4942 static int
4943 positive_atoi(const char *str)
4944 {
4945  const int i = atoi(str);
4946  return i < 0 ? 0 : i;
4947 }
4948 
4949 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4950 static unsigned int
4951 atou(const char *str)
4952 {
4953  unsigned int val = 0;
4954  sscanf(str, "%u", &val);
4955  return val;
4956 }
4957 #endif
4958 
4959 static inline bool
4960 space(unsigned char c)
4961 {
4962  return c == '\0' || isspace(c);
4963 }
4964 
4965 int
4966 parse_line(const char *line,
4967  char *p[],
4968  const int n,
4969  const char *file,
4970  const int line_num,
4971  int msglevel,
4972  struct gc_arena *gc)
4973 {
4974  const int STATE_INITIAL = 0;
4975  const int STATE_READING_QUOTED_PARM = 1;
4976  const int STATE_READING_UNQUOTED_PARM = 2;
4977  const int STATE_DONE = 3;
4978  const int STATE_READING_SQUOTED_PARM = 4;
4979 
4980  const char *error_prefix = "";
4981 
4982  int ret = 0;
4983  const char *c = line;
4984  int state = STATE_INITIAL;
4985  bool backslash = false;
4986  char in, out;
4987 
4988  char parm[OPTION_PARM_SIZE];
4989  unsigned int parm_len = 0;
4990 
4991  msglevel &= ~M_OPTERR;
4992 
4993  if (msglevel & M_MSG_VIRT_OUT)
4994  {
4995  error_prefix = "ERROR: ";
4996  }
4997 
4998  do
4999  {
5000  in = *c;
5001  out = 0;
5002 
5003  if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
5004  {
5005  backslash = true;
5006  }
5007  else
5008  {
5009  if (state == STATE_INITIAL)
5010  {
5011  if (!space(in))
5012  {
5013  if (in == ';' || in == '#') /* comment */
5014  {
5015  break;
5016  }
5017  if (!backslash && in == '\"')
5018  {
5019  state = STATE_READING_QUOTED_PARM;
5020  }
5021  else if (!backslash && in == '\'')
5022  {
5023  state = STATE_READING_SQUOTED_PARM;
5024  }
5025  else
5026  {
5027  out = in;
5028  state = STATE_READING_UNQUOTED_PARM;
5029  }
5030  }
5031  }
5032  else if (state == STATE_READING_UNQUOTED_PARM)
5033  {
5034  if (!backslash && space(in))
5035  {
5036  state = STATE_DONE;
5037  }
5038  else
5039  {
5040  out = in;
5041  }
5042  }
5043  else if (state == STATE_READING_QUOTED_PARM)
5044  {
5045  if (!backslash && in == '\"')
5046  {
5047  state = STATE_DONE;
5048  }
5049  else
5050  {
5051  out = in;
5052  }
5053  }
5054  else if (state == STATE_READING_SQUOTED_PARM)
5055  {
5056  if (in == '\'')
5057  {
5058  state = STATE_DONE;
5059  }
5060  else
5061  {
5062  out = in;
5063  }
5064  }
5065  if (state == STATE_DONE)
5066  {
5067  /* ASSERT (parm_len > 0); */
5068  p[ret] = gc_malloc(parm_len + 1, true, gc);
5069  memcpy(p[ret], parm, parm_len);
5070  p[ret][parm_len] = '\0';
5071  state = STATE_INITIAL;
5072  parm_len = 0;
5073  ++ret;
5074  }
5075 
5076  if (backslash && out)
5077  {
5078  if (!(out == '\\' || out == '\"' || space(out)))
5079  {
5080 #ifdef ENABLE_SMALL
5081  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
5082 #else
5083  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
5084 #endif
5085  return 0;
5086  }
5087  }
5088  backslash = false;
5089  }
5090 
5091  /* store parameter character */
5092  if (out)
5093  {
5094  if (parm_len >= SIZE(parm))
5095  {
5096  parm[SIZE(parm) - 1] = 0;
5097  msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5098  error_prefix, file, line_num, (int) SIZE(parm), parm);
5099  return 0;
5100  }
5101  parm[parm_len++] = out;
5102  }
5103 
5104  /* avoid overflow if too many parms in one config file line */
5105  if (ret >= n)
5106  {
5107  break;
5108  }
5109 
5110  } while (*c++ != '\0');
5111 
5112  if (state == STATE_READING_QUOTED_PARM)
5113  {
5114  msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
5115  return 0;
5116  }
5117  if (state == STATE_READING_SQUOTED_PARM)
5118  {
5119  msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
5120  return 0;
5121  }
5122  if (state != STATE_INITIAL)
5123  {
5124  msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
5125  return 0;
5126  }
5127 #if 0
5128  {
5129  int i;
5130  for (i = 0; i < ret; ++i)
5131  {
5132  msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
5133  }
5134  }
5135 #endif
5136  return ret;
5137 }
5138 
5139 static void
5140 bypass_doubledash(char **p)
5141 {
5142  if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
5143  {
5144  *p += 2;
5145  }
5146 }
5147 
5148 struct in_src {
5149 #define IS_TYPE_FP 1
5150 #define IS_TYPE_BUF 2
5151  int type;
5152  union {
5153  FILE *fp;
5154  struct buffer *multiline;
5155  } u;
5156 };
5157 
5158 static bool
5159 in_src_get(const struct in_src *is, char *line, const int size)
5160 {
5161  if (is->type == IS_TYPE_FP)
5162  {
5163  return BOOL_CAST(fgets(line, size, is->u.fp));
5164  }
5165  else if (is->type == IS_TYPE_BUF)
5166  {
5167  bool status = buf_parse(is->u.multiline, '\n', line, size);
5168  if ((int) strlen(line) + 1 < size)
5169  {
5170  strcat(line, "\n");
5171  }
5172  return status;
5173  }
5174  else
5175  {
5176  ASSERT(0);
5177  return false;
5178  }
5179 }
5180 
5181 static char *
5182 read_inline_file(struct in_src *is, const char *close_tag,
5183  int *num_lines, struct gc_arena *gc)
5184 {
5185  char line[OPTION_LINE_SIZE];
5186  struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
5187  char *ret;
5188  bool endtagfound = false;
5189 
5190  while (in_src_get(is, line, sizeof(line)))
5191  {
5192  (*num_lines)++;
5193  char *line_ptr = line;
5194  /* Remove leading spaces */
5195  while (isspace(*line_ptr))
5196  {
5197  line_ptr++;
5198  }
5199  if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
5200  {
5201  endtagfound = true;
5202  break;
5203  }
5204  if (!buf_safe(&buf, strlen(line)+1))
5205  {
5206  /* Increase buffer size */
5207  struct buffer buf2 = alloc_buf(buf.capacity * 2);
5208  ASSERT(buf_copy(&buf2, &buf));
5209  buf_clear(&buf);
5210  free_buf(&buf);
5211  buf = buf2;
5212  }
5213  buf_printf(&buf, "%s", line);
5214  }
5215  if (!endtagfound)
5216  {
5217  msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
5218  }
5219  ret = string_alloc(BSTR(&buf), gc);
5220  buf_clear(&buf);
5221  free_buf(&buf);
5222  secure_memzero(line, sizeof(line));
5223  return ret;
5224 }
5225 
5226 static int
5227 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
5228 {
5229  int num_inline_lines = 0;
5230 
5231  if (p[0] && !p[1])
5232  {
5233  char *arg = p[0];
5234  if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
5235  {
5236  struct buffer close_tag;
5237 
5238  arg[strlen(arg) - 1] = '\0';
5239  p[0] = string_alloc(arg + 1, gc);
5240  close_tag = alloc_buf(strlen(p[0]) + 4);
5241  buf_printf(&close_tag, "</%s>", p[0]);
5242  p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
5243  p[2] = NULL;
5244  free_buf(&close_tag);
5245  }
5246  }
5247  return num_inline_lines;
5248 }
5249 
5250 static int
5251 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
5252 {
5253  struct in_src is;
5254  is.type = IS_TYPE_FP;
5255  is.u.fp = fp;
5256  return check_inline_file(&is, p, gc);
5257 }
5258 
5259 static int
5260 check_inline_file_via_buf(struct buffer *multiline, char *p[],
5261  struct gc_arena *gc)
5262 {
5263  struct in_src is;
5264  is.type = IS_TYPE_BUF;
5265  is.u.multiline = multiline;
5266  return check_inline_file(&is, p, gc);
5267 }
5268 
5269 static void
5270 add_option(struct options *options,
5271  char *p[],
5272  bool is_inline,
5273  const char *file,
5274  int line,
5275  const int level,
5276  const int msglevel,
5277  const unsigned int permission_mask,
5278  unsigned int *option_types_found,
5279  struct env_set *es);
5280 
5281 static void
5282 read_config_file(struct options *options,
5283  const char *file,
5284  int level,
5285  const char *top_file,
5286  const int top_line,
5287  const int msglevel,
5288  const unsigned int permission_mask,
5289  unsigned int *option_types_found,
5290  struct env_set *es)
5291 {
5292  const int max_recursive_levels = 10;
5293  FILE *fp;
5294  int line_num;
5295  char line[OPTION_LINE_SIZE+1];
5296  char *p[MAX_PARMS+1];
5297 
5298  ++level;
5299  if (level <= max_recursive_levels)
5300  {
5301  if (streq(file, "stdin"))
5302  {
5303  fp = stdin;
5304  }
5305  else
5306  {
5307  fp = platform_fopen(file, "r");
5308  }
5309  if (fp)
5310  {
5311  line_num = 0;
5312  while (fgets(line, sizeof(line), fp))
5313  {
5314  int offset = 0;
5315  CLEAR(p);
5316  ++line_num;
5317  if (strlen(line) == OPTION_LINE_SIZE)
5318  {
5319  msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5320  file, line_num, OPTION_LINE_SIZE, line);
5321  }
5322 
5323  /* Ignore UTF-8 BOM at start of stream */
5324  if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
5325  {
5326  offset = 3;
5327  }
5328  if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5329  {
5330  bypass_doubledash(&p[0]);
5331  int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
5332  add_option(options, p, lines_inline, file, line_num, level,
5333  msglevel, permission_mask, option_types_found,
5334  es);
5335  line_num += lines_inline;
5336  }
5337  }
5338  if (fp != stdin)
5339  {
5340  fclose(fp);
5341  }
5342  }
5343  else
5344  {
5345  msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
5346  }
5347  }
5348  else
5349  {
5350  msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
5351  }
5352  secure_memzero(line, sizeof(line));
5353  CLEAR(p);
5354 }
5355 
5356 static void
5357 read_config_string(const char *prefix,
5358  struct options *options,
5359  const char *config,
5360  const int msglevel,
5361  const unsigned int permission_mask,
5362  unsigned int *option_types_found,
5363  struct env_set *es)
5364 {
5365  char line[OPTION_LINE_SIZE];
5366  struct buffer multiline;
5367  int line_num = 0;
5368 
5369  buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5370 
5371  while (buf_parse(&multiline, '\n', line, sizeof(line)))
5372  {
5373  char *p[MAX_PARMS+1];
5374  CLEAR(p);
5375  ++line_num;
5376  if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
5377  {
5378  bypass_doubledash(&p[0]);
5379  int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
5380  add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
5381  permission_mask, option_types_found, es);
5382  line_num += lines_inline;
5383  }
5384  CLEAR(p);
5385  }
5386  secure_memzero(line, sizeof(line));
5387 }
5388 
5389 void
5390 parse_argv(struct options *options,
5391  const int argc,
5392  char *argv[],
5393  const int msglevel,
5394  const unsigned int permission_mask,
5395  unsigned int *option_types_found,
5396  struct env_set *es)
5397 {
5398  /* usage message */
5399  if (argc <= 1)
5400  {
5401  usage();
5402  }
5403 
5404  /* config filename specified only? */
5405  if (argc == 2 && strncmp(argv[1], "--", 2))
5406  {
5407  char *p[MAX_PARMS+1];
5408  CLEAR(p);
5409  p[0] = "config";
5410  p[1] = argv[1];
5411  add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5412  option_types_found, es);
5413  }
5414  else
5415  {
5416  /* parse command line */
5417  for (int i = 1; i < argc; ++i)
5418  {
5419  char *p[MAX_PARMS+1];
5420  CLEAR(p);
5421  p[0] = argv[i];
5422  if (strncmp(p[0], "--", 2))
5423  {
5424  msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
5425  }
5426  else
5427  {
5428  p[0] += 2;
5429  }
5430 
5431  int j;
5432  for (j = 1; j < MAX_PARMS; ++j)
5433  {
5434  if (i + j < argc)
5435  {
5436  char *arg = argv[i + j];
5437  if (strncmp(arg, "--", 2))
5438  {
5439  p[j] = arg;
5440  }
5441  else
5442  {
5443  break;
5444  }
5445  }
5446  }
5447  add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5448  option_types_found, es);
5449  i += j - 1;
5450  }
5451  }
5452 }
5453 
5462 static bool
5463 apply_pull_filter(const struct options *o, char *line)
5464 {
5465  struct pull_filter *f;
5466 
5467  if (!o->pull_filter_list)
5468  {
5469  return true;
5470  }
5471 
5472  /* skip leading spaces matching the behaviour of parse_line */
5473  while (isspace(*line))
5474  {
5475  line++;
5476  }
5477 
5478  for (f = o->pull_filter_list->head; f; f = f->next)
5479  {
5480  if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5481  {
5482  msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5483  return true;
5484  }
5485  else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5486  {
5487  msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5488  *line = '\0';
5489  return true;
5490  }
5491  else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5492  {
5493  msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5494  *line = '\0';
5495  throw_signal_soft(SIGUSR1, "Offending option received from server");
5496  return false;
5497  }
5498  }
5499  return true;
5500 }
5501 
5502 bool
5503 apply_push_options(struct options *options,
5504  struct buffer *buf,
5505  unsigned int permission_mask,
5506  unsigned int *option_types_found,
5507  struct env_set *es)
5508 {
5509  char line[OPTION_PARM_SIZE];
5510  int line_num = 0;
5511  const char *file = "[PUSH-OPTIONS]";
5512  const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5513 
5514  while (buf_parse(buf, ',', line, sizeof(line)))
5515  {
5516  char *p[MAX_PARMS+1];
5517  CLEAR(p);
5518  ++line_num;
5519  if (!apply_pull_filter(options, line))
5520  {
5521  return false; /* Cause push/pull error and stop push processing */
5522  }
5523  if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5524  {
5525  add_option(options, p, false, file, line_num, 0, msglevel,
5526  permission_mask, option_types_found, es);
5527  }
5528  }
5529  return true;
5530 }
5531 
5532 void
5533 options_server_import(struct options *o,
5534  const char *filename,
5535  int msglevel,
5536  unsigned int permission_mask,
5537  unsigned int *option_types_found,
5538  struct env_set *es)
5539 {
5540  msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5541  read_config_file(o,
5542  filename,
5543  0,
5544  filename,
5545  0,
5546  msglevel,
5547  permission_mask,
5548  option_types_found,
5549  es);
5550 }
5551 
5552 void
5553 options_string_import(struct options *options,
5554  const char *config,
5555  const int msglevel,
5556  const unsigned int permission_mask,
5557  unsigned int *option_types_found,
5558  struct env_set *es)
5559 {
5560  read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5561 }
5562 
5563 #define VERIFY_PERMISSION(mask) { \
5564  if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5565  option_types_found, msglevel, options, is_inline)) \
5566  { \
5567  goto err; \
5568  } \
5569 }
5570 
5571 static bool
5572 verify_permission(const char *name,
5573  const char *file,
5574  int line,
5575  const unsigned int type,
5576  const unsigned int allowed,
5577  unsigned int *found,
5578  const int msglevel,
5579  struct options *options,
5580  bool is_inline)
5581 {
5582  if (!(type & allowed))
5583  {
5584  msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5585  return false;
5586  }
5587 
5588  if (is_inline && !(type & OPT_P_INLINE))
5589  {
5590  msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5591  file, line);
5592  return false;
5593  }
5594 
5595  if (found)
5596  {
5597  *found |= type;
5598  }
5599 
5600 #ifndef ENABLE_SMALL
5601  /* Check if this options is allowed in connection block,
5602  * but we are currently not in a connection block
5603  * unless this is a pushed option.
5604  * Parsing a connection block uses a temporary options struct without
5605  * connection_list
5606  */
5607 
5608  if ((type & OPT_P_CONNECTION) && options->connection_list
5609  && !(allowed & OPT_P_PULL_MODE))
5610  {
5611  if (file)
5612  {
5613  msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5614  }
5615  else
5616  {
5617  msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5618  }
5619  }
5620 #endif
5621  return true;
5622 }
5623 
5624 /*
5625  * Check that an option doesn't have too
5626  * many parameters.
5627  */
5628 
5629 #define NM_QUOTE_HINT (1<<0)
5630 
5631 static bool
5632 no_more_than_n_args(const int msglevel,
5633  char *p[],
5634  const int max,
5635  const unsigned int flags)
5636 {
5637  const int len = string_array_len((const char **)p);
5638 
5639  if (!len)
5640  {
5641  return false;
5642  }
5643 
5644  if (len > max)
5645  {
5646  msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5647  p[0],
5648  max - 1,
5649  max >= 3 ? "s" : "",
5650  (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5651  return false;
5652  }
5653  else
5654  {
5655  return true;
5656  }
5657 }
5658 
5659 static inline int
5660 msglevel_forward_compatible(struct options *options, const int msglevel)
5661 {
5662  return options->forward_compatible ? M_WARN : msglevel;
5663 }
5664 
5665 static void
5666 set_user_script(struct options *options,
5667  const char **script,
5668  const char *new_script,
5669  const char *type,
5670  bool in_chroot)
5671 {
5672  if (*script)
5673  {
5674  msg(M_WARN, "Multiple --%s scripts defined. "
5675  "The previously configured script is overridden.", type);
5676  }
5677  *script = new_script;
5678  options->user_script_used = true;
5679 
5680 #ifndef ENABLE_SMALL
5681  {
5682  char script_name[100];
5683  snprintf(script_name, sizeof(script_name),
5684  "--%s script", type);
5685 
5686  if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5687  {
5688  msg(M_USAGE, "Please correct this error.");
5689  }
5690 
5691  }
5692 #endif
5693 }
5694 
5695 static void
5696 show_compression_warning(struct compress_options *info)
5697 {
5698  if (comp_non_stub_enabled(info))
5699  {
5700  /*
5701  * Check if already displayed the strong warning and enabled full
5702  * compression
5703  */
5704  if (!(info->flags & COMP_F_ALLOW_COMPRESS))
5705  {
5706  msg(M_WARN, "WARNING: Compression for receiving enabled. "
5707  "Compression has been used in the past to break encryption. "
5708  "Sent packets are not compressed unless \"allow-compression yes\" "
5709  "is also set.");
5710  }
5711  }
5712 }
5713 
5714 bool
5715 key_is_external(const struct options *options)
5716 {
5717  bool ret = false;
5718  ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5719 #ifdef ENABLE_PKCS11
5720  ret = ret || (options->pkcs11_providers[0] != NULL);
5721 #endif
5722 #ifdef ENABLE_CRYPTOAPI
5723  ret = ret || options->cryptoapi_cert;
5724 #endif
5725 
5726  return ret;
5727 }
5728 
5729 static void
5730 add_option(struct options *options,
5731  char *p[],
5732  bool is_inline,
5733  const char *file,
5734  int line,
5735  const int level,
5736  const int msglevel,
5737  const unsigned int permission_mask,
5738  unsigned int *option_types_found,
5739  struct env_set *es)
5740 {
5741  struct gc_arena gc = gc_new();
5742  const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5743  int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5744 
5745  ASSERT(MAX_PARMS >= 7);
5746 
5747  /*
5748  * If directive begins with "setenv opt" prefix, don't raise an error if
5749  * directive is unrecognized.
5750  */
5751  if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5752  {
5753  if (!p[2])
5754  {
5755  p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5756  }
5757  p += 2;
5758  msglevel_fc = M_WARN;
5759  }
5760 
5761  if (!file)
5762  {
5763  file = "[CMD-LINE]";
5764  line = 1;
5765  }
5766  if (streq(p[0], "help"))
5767  {
5768  VERIFY_PERMISSION(OPT_P_GENERAL);
5769  usage();
5770  if (p[1])
5771  {
5772  msg(msglevel, "--help does not accept any parameters");
5773  goto err;
5774  }
5775  }
5776  if (streq(p[0], "version") && !p[1])
5777  {
5778  VERIFY_PERMISSION(OPT_P_GENERAL);
5779  usage_version();
5780  }
5781  else if (streq(p[0], "config") && p[1] && !p[2])
5782  {
5783  VERIFY_PERMISSION(OPT_P_CONFIG);
5784 
5785  /* save first config file only in options */
5786  if (!options->config)
5787  {
5788  options->config = p[1];
5789  }
5790 
5791  read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5792  }
5793 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5794  else if (streq(p[0], "show-gateway") && !p[2])
5795  {
5796  struct route_gateway_info rgi;
5797  struct route_ipv6_gateway_info rgi6;
5798  struct in6_addr remote = IN6ADDR_ANY_INIT;
5799  openvpn_net_ctx_t net_ctx;
5800  VERIFY_PERMISSION(OPT_P_GENERAL);
5801  if (p[1])
5802  {
5803  get_ipv6_addr(p[1], &remote, NULL, M_WARN);
5804  }
5805  net_ctx_init(NULL, &net_ctx);
5806  get_default_gateway(&rgi, &net_ctx);
5807  get_default_gateway_ipv6(&rgi6, &remote, &net_ctx);
5808  print_default_gateway(M_INFO, &rgi, &rgi6);
5809  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5810  }
5811 #endif
5812  else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5813  {
5814  struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5815  int j;
5816  bool good = true;
5817 
5818  VERIFY_PERMISSION(OPT_P_ECHO);
5819 
5820  for (j = 1; j < MAX_PARMS; ++j)
5821  {
5822  if (!p[j])
5823  {
5824  break;
5825  }
5826  if (j > 1)
5827  {
5828  good &= buf_printf(&string, " ");
5829  }
5830  good &= buf_printf(&string, "%s", p[j]);
5831  }
5832  if (good)
5833  {
5834  /* only message-related ECHO are logged, since other ECHOs
5835  * can potentially include security-sensitive strings */
5836  if (p[1] && strncmp(p[1], "msg", 3) == 0)
5837  {
5838  msg(M_INFO, "%s:%s",
5839  pull_mode ? "ECHO-PULL" : "ECHO",
5840  BSTR(&string));
5841  }
5842 #ifdef ENABLE_MANAGEMENT
5843  if (management)
5844  {
5845  management_echo(management, BSTR(&string), pull_mode);
5846  }
5847 #endif
5848  }
5849  else
5850  {
5851  msg(M_WARN, "echo/parameter option overflow");
5852  }
5853  }
5854 #ifdef ENABLE_MANAGEMENT
5855  else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5856  {
5857  VERIFY_PERMISSION(OPT_P_GENERAL);
5858  if (streq(p[2], "unix"))
5859  {
5860 #if UNIX_SOCK_SUPPORT
5861  options->management_flags |= MF_UNIX_SOCK;
5862 #else
5863  msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5864  goto err;
5865 #endif
5866  }
5867 
5868  options->management_addr = p[1];
5869  options->management_port = p[2];
5870  if (p[3])
5871  {
5872  options->management_user_pass = p[3];
5873  }
5874  }
5875  else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5876  {
5877  VERIFY_PERMISSION(OPT_P_GENERAL);
5878  options->management_client_user = p[1];
5879  }
5880  else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5881  {
5882  VERIFY_PERMISSION(OPT_P_GENERAL);
5883  options->management_client_group = p[1];
5884  }
5885  else if (streq(p[0], "management-query-passwords") && !p[1])
5886  {
5887  VERIFY_PERMISSION(OPT_P_GENERAL);
5888  options->management_flags |= MF_QUERY_PASSWORDS;
5889  }
5890  else if (streq(p[0], "management-query-remote") && !p[1])
5891  {
5892  VERIFY_PERMISSION(OPT_P_GENERAL);
5893  options->management_flags |= MF_QUERY_REMOTE;
5894  }
5895  else if (streq(p[0], "management-query-proxy") && !p[1])
5896  {
5897  VERIFY_PERMISSION(OPT_P_GENERAL);
5898  options->management_flags |= MF_QUERY_PROXY;
5899  }
5900  else if (streq(p[0], "management-hold") && !p[1])
5901  {
5902  VERIFY_PERMISSION(OPT_P_GENERAL);
5903  options->management_flags |= MF_HOLD;
5904  }
5905  else if (streq(p[0], "management-signal") && !p[1])
5906  {
5907  VERIFY_PERMISSION(OPT_P_GENERAL);
5908  options->management_flags |= MF_SIGNAL;
5909  }
5910  else if (streq(p[0], "management-forget-disconnect") && !p[1])
5911  {
5912  VERIFY_PERMISSION(OPT_P_GENERAL);
5913  options->management_flags |= MF_FORGET_DISCONNECT;
5914  }
5915  else if (streq(p[0], "management-up-down") && !p[1])
5916  {
5917  VERIFY_PERMISSION(OPT_P_GENERAL);
5918  options->management_flags |= MF_UP_DOWN;
5919  }
5920  else if (streq(p[0], "management-client") && !p[1])
5921  {
5922  VERIFY_PERMISSION(OPT_P_GENERAL);
5923  options->management_flags |= MF_CONNECT_AS_CLIENT;
5924  }
5925  else if (streq(p[0], "management-external-key"))
5926  {
5927  VERIFY_PERMISSION(OPT_P_GENERAL);
5928  for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5929  {
5930  if (streq(p[j], "nopadding"))
5931  {
5932  options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
5933  }
5934  else if (streq(p[j], "pkcs1"))
5935  {
5936  options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5937  }
5938  else if (streq(p[j], "pss"))
5939  {
5940  options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
5941  }
5942  else if (streq(p[j], "digest"))
5943  {
5944  options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
5945  }
5946  else
5947  {
5948  msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5949  }
5950  }
5951  /*
5952  * When no option is present, assume that only PKCS1
5953  * padding is supported
5954  */
5955  if (!(options->management_flags
5956  &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
5957  {
5958  options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5959  }
5960  options->management_flags |= MF_EXTERNAL_KEY;
5961  }
5962  else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5963  {
5964  VERIFY_PERMISSION(OPT_P_GENERAL);
5965  options->management_flags |= MF_EXTERNAL_CERT;
5966  options->management_certificate = p[1];
5967  }
5968  else if (streq(p[0], "management-client-auth") && !p[1])
5969  {
5970  VERIFY_PERMISSION(OPT_P_GENERAL);
5971  options->management_flags |= MF_CLIENT_AUTH;
5972  }
5973  else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5974  {
5975  int cache;
5976 
5977  VERIFY_PERMISSION(OPT_P_GENERAL);
5978  cache = atoi(p[1]);
5979  if (cache < 1)
5980  {
5981  msg(msglevel, "--management-log-cache parameter is out of range");
5982  goto err;
5983  }
5984  options->management_log_history_cache = cache;
5985  }
5986 #endif /* ifdef ENABLE_MANAGEMENT */
5987 #ifdef ENABLE_PLUGIN
5988  else if (streq(p[0], "plugin") && p[1])
5989  {
5990  VERIFY_PERMISSION(OPT_P_PLUGIN);
5991  if (!options->plugin_list)
5992  {
5993  options->plugin_list = plugin_option_list_new(&options->gc);
5994  }
5995  if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5996  {
5997  msg(msglevel, "plugin add failed: %s", p[1]);
5998  goto err;
5999  }
6000  }
6001 #endif
6002  else if (streq(p[0], "mode") && p[1] && !p[2])
6003  {
6004  VERIFY_PERMISSION(OPT_P_GENERAL);
6005  if (streq(p[1], "p2p"))
6006  {
6007  options->mode = MODE_POINT_TO_POINT;
6008  }
6009  else if (streq(p[1], "server"))
6010  {
6011  options->mode = MODE_SERVER;
6012  }
6013  else
6014  {
6015  msg(msglevel, "Bad --mode parameter: %s", p[1]);
6016  goto err;
6017  }
6018  }
6019  else if (streq(p[0], "dev") && p[1] && !p[2])
6020  {
6021  VERIFY_PERMISSION(OPT_P_GENERAL);
6022  options->dev = p[1];
6023  }
6024  else if (streq(p[0], "dev-type") && p[1] && !p[2])
6025  {
6026  VERIFY_PERMISSION(OPT_P_GENERAL);
6027  options->dev_type = p[1];
6028  }
6029 #ifdef _WIN32
6030  else if (streq(p[0], "windows-driver") && p[1] && !p[2])
6031  {
6032  VERIFY_PERMISSION(OPT_P_GENERAL);
6033  options->windows_driver = parse_windows_driver(p[1], M_FATAL);
6034  }
6035 #endif
6036  else if (streq(p[0], "disable-dco"))
6037  {
6038  options->tuntap_options.disable_dco = true;
6039  }
6040  else if (streq(p[0], "dev-node") && p[1] && !p[2])
6041  {
6042  VERIFY_PERMISSION(OPT_P_GENERAL);
6043  options->dev_node = p[1];
6044  }
6045  else if (streq(p[0], "lladdr") && p[1] && !p[2])
6046  {
6047  VERIFY_PERMISSION(OPT_P_UP);
6048  if (mac_addr_safe(p[1])) /* MAC address only */
6049  {
6050  options->lladdr = p[1];
6051  }
6052  else
6053  {
6054  msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
6055  goto err;
6056  }
6057  }
6058  else if (streq(p[0], "topology") && p[1] && !p[2])
6059  {
6060  VERIFY_PERMISSION(OPT_P_UP);
6061  options->topology = parse_topology(p[1], msglevel);
6062  }
6063  else if (streq(p[0], "tun-ipv6") && !p[1])
6064  {
6065  if (!pull_mode)
6066  {
6067  msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
6068  }
6069  }
6070 #ifdef ENABLE_IPROUTE
6071  else if (streq(p[0], "iproute") && p[1] && !p[2])
6072  {
6073  VERIFY_PERMISSION(OPT_P_GENERAL);
6074  iproute_path = p[1];
6075  }
6076 #endif
6077  else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
6078  {
6079  VERIFY_PERMISSION(OPT_P_UP);
6080  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
6081  {
6082  options->ifconfig_local = p[1];
6083  options->ifconfig_remote_netmask = p[2];
6084  }
6085  else
6086  {
6087  msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6088  goto err;
6089  }
6090  }
6091  else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
6092  {
6093  unsigned int netbits;
6094 
6095  VERIFY_PERMISSION(OPT_P_UP);
6096  if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
6097  && ipv6_addr_safe( p[2] ) )
6098  {
6099  if (netbits < 64 || netbits > 124)
6100  {
6101  msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
6102  goto err;
6103  }
6104 
6105  options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
6106  options->ifconfig_ipv6_netbits = netbits;
6107  options->ifconfig_ipv6_remote = p[2];
6108  }
6109  else
6110  {
6111  msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6112  goto err;
6113  }
6114  }
6115  else if (streq(p[0], "ifconfig-noexec") && !p[1])
6116  {
6117  VERIFY_PERMISSION(OPT_P_UP);
6118  options->ifconfig_noexec = true;
6119  }
6120  else if (streq(p[0], "ifconfig-nowarn") && !p[1])
6121  {
6122  VERIFY_PERMISSION(OPT_P_UP);
6123  options->ifconfig_nowarn = true;
6124  }
6125  else if (streq(p[0], "local") && p[1] && !p[2])
6126  {
6127  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6128  options->ce.local = p[1];
6129  }
6130  else if (streq(p[0], "remote-random") && !p[1])
6131  {
6132  VERIFY_PERMISSION(OPT_P_GENERAL);
6133  options->remote_random = true;
6134  }
6135  else if (streq(p[0], "connection") && p[1] && !p[3])
6136  {
6137  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6138  if (is_inline)
6139  {
6140  struct options sub;
6141  struct connection_entry *e;
6142 
6143  init_options(&sub, true);
6144  sub.ce = options->ce;
6145  read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
6146  OPT_P_CONNECTION, option_types_found, es);
6147  if (!sub.ce.remote)
6148  {
6149  msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
6150  uninit_options(&sub);
6151  goto err;
6152  }
6153 
6154  e = alloc_connection_entry(options, msglevel);
6155  if (!e)
6156  {
6157  uninit_options(&sub);
6158  goto err;
6159  }
6160  *e = sub.ce;
6161  gc_transfer(&options->gc, &sub.gc);
6162  uninit_options(&sub);
6163  }
6164  }
6165  else if (streq(p[0], "ignore-unknown-option") && p[1])
6166  {
6167  int i;
6168  int j;
6169  int numignored = 0;
6170  const char **ignore;
6171 
6172  VERIFY_PERMISSION(OPT_P_GENERAL);
6173  /* Find out how many options to be ignored */
6174  for (i = 1; p[i]; i++)
6175  {
6176  numignored++;
6177  }
6178 
6179  /* add number of options already ignored */
6180  for (i = 0; options->ignore_unknown_option
6181  && options->ignore_unknown_option[i]; i++)
6182  {
6183  numignored++;
6184  }
6185 
6186  /* Allocate array */
6187  ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
6188  for (i = 0; options->ignore_unknown_option
6189  && options->ignore_unknown_option[i]; i++)
6190  {
6191  ignore[i] = options->ignore_unknown_option[i];
6192  }
6193 
6194  options->ignore_unknown_option = ignore;
6195 
6196  for (j = 1; p[j]; j++)
6197  {
6198  /* Allow the user to specify ignore-unknown-option --opt too */
6199  if (p[j][0]=='-' && p[j][1]=='-')
6200  {
6201  options->ignore_unknown_option[i] = (p[j]+2);
6202  }
6203  else
6204  {
6205  options->ignore_unknown_option[i] = p[j];
6206  }
6207  i++;
6208  }
6209 
6210  options->ignore_unknown_option[i] = NULL;
6211  }
6212 #if ENABLE_MANAGEMENT
6213  else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6214  {
6215  VERIFY_PERMISSION(OPT_P_GENERAL);
6216  options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
6217  if (!options->http_proxy_override)
6218  {
6219  goto err;
6220  }
6221  }
6222 #endif
6223  else if (streq(p[0], "remote") && p[1] && !p[4])
6224  {
6225  struct remote_entry re;
6226  re.remote = re.remote_port = NULL;
6227  re.proto = -1;
6228  re.af = 0;
6229 
6230  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6231  re.remote = p[1];
6232  if (p[2])
6233  {
6234  re.remote_port = p[2];
6235  if (p[3])
6236  {
6237  const int proto = ascii2proto(p[3]);
6238  const sa_family_t af = ascii2af(p[3]);
6239  if (proto < 0)
6240  {
6241  msg(msglevel,
6242  "remote: bad protocol associated with host %s: '%s'",
6243  p[1], p[3]);
6244  goto err;
6245  }
6246  re.proto = proto;
6247  re.af = af;
6248  }
6249  }
6250  if (permission_mask & OPT_P_GENERAL)
6251  {
6252  struct remote_entry *e = alloc_remote_entry(options, msglevel);
6253  if (!e)
6254  {
6255  goto err;
6256  }
6257  *e = re;
6258  }
6259  else if (permission_mask & OPT_P_CONNECTION)
6260  {
6261  connection_entry_load_re(&options->ce, &re);
6262  }
6263  }
6264  else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6265  {
6266  VERIFY_PERMISSION(OPT_P_GENERAL);
6267  if (streq(p[1], "infinite"))
6268  {
6269  options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6270  }
6271  else
6272  {
6273  options->resolve_retry_seconds = positive_atoi(p[1]);
6274  }
6275  }
6276  else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6277  {
6278  VERIFY_PERMISSION(OPT_P_GENERAL);
6279  options->resolve_in_advance = true;
6280  /* Note the ip-remote-hint and the argument p[1] are for
6281  * backward compatibility */
6282  if (p[1])
6283  {
6284  options->ip_remote_hint = p[1];
6285  }
6286  }
6287  else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6288  {
6289  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6290  options->ce.connect_retry_seconds = positive_atoi(p[1]);
6291  /*
6292  * Limit the base value of retry wait interval to 16 bits to avoid
6293  * overflow when scaled up for exponential backoff
6294  */
6295  if (options->ce.connect_retry_seconds > 0xFFFF)
6296  {
6297  options->ce.connect_retry_seconds = 0xFFFF;
6298  msg(M_WARN, "connect retry wait interval truncated to %d",
6299  options->ce.connect_retry_seconds);
6300  }
6301 
6302  if (p[2])
6303  {
6304  options->ce.connect_retry_seconds_max =
6305  max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
6306  }
6307  }
6308  else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
6309  && p[1] && !p[2])
6310  {
6311  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6312  options->ce.connect_timeout = positive_atoi(p[1]);
6313  }
6314  else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6315  {
6316  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6317  options->connect_retry_max = positive_atoi(p[1]);
6318  }
6319  else if (streq(p[0], "ipchange") && p[1])
6320  {
6321  VERIFY_PERMISSION(OPT_P_SCRIPT);
6322  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6323  {
6324  goto err;
6325  }
6326  set_user_script(options,
6327  &options->ipchange,
6328  string_substitute(p[1], ',', ' ', &options->gc),
6329  "ipchange", true);
6330  }
6331  else if (streq(p[0], "float") && !p[1])
6332  {
6333  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6334  options->ce.remote_float = true;
6335  }
6336 #ifdef ENABLE_DEBUG
6337  else if (streq(p[0], "gremlin") && p[1] && !p[2])
6338  {
6339  VERIFY_PERMISSION(OPT_P_GENERAL);
6340  options->gremlin = positive_atoi(p[1]);
6341  }
6342 #endif
6343  else if (streq(p[0], "chroot") && p[1] && !p[2])
6344  {
6345  VERIFY_PERMISSION(OPT_P_GENERAL);
6346  options->chroot_dir = p[1];
6347  }
6348  else if (streq(p[0], "cd") && p[1] && !p[2])
6349  {
6350  VERIFY_PERMISSION(OPT_P_GENERAL);
6351  if (platform_chdir(p[1]))
6352  {
6353  msg(M_ERR, "cd to '%s' failed", p[1]);
6354  goto err;
6355  }
6356  options->cd_dir = p[1];
6357  }
6358 #ifdef ENABLE_SELINUX
6359  else if (streq(p[0], "setcon") && p[1] && !p[2])
6360  {
6361  VERIFY_PERMISSION(OPT_P_GENERAL);
6362  options->selinux_context = p[1];
6363  }
6364 #endif
6365  else if (streq(p[0], "writepid") && p[1] && !p[2])
6366  {
6367  VERIFY_PERMISSION(OPT_P_GENERAL);
6368  options->writepid = p[1];
6369  }
6370  else if (streq(p[0], "up") && p[1])
6371  {
6372  VERIFY_PERMISSION(OPT_P_SCRIPT);
6373  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6374  {
6375  goto err;
6376  }
6377  set_user_script(options, &options->up_script, p[1], "up", false);
6378  }
6379  else if (streq(p[0], "down") && p[1])
6380  {
6381  VERIFY_PERMISSION(OPT_P_SCRIPT);
6382  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6383  {
6384  goto err;
6385  }
6386  set_user_script(options, &options->down_script, p[1], "down", true);
6387  }
6388  else if (streq(p[0], "down-pre") && !p[1])
6389  {
6390  VERIFY_PERMISSION(OPT_P_GENERAL);
6391  options->down_pre = true;
6392  }
6393  else if (streq(p[0], "up-delay") && !p[1])
6394  {
6395  VERIFY_PERMISSION(OPT_P_GENERAL);
6396  options->up_delay = true;
6397  }
6398  else if (streq(p[0], "up-restart") && !p[1])
6399  {
6400  VERIFY_PERMISSION(OPT_P_GENERAL);
6401  options->up_restart = true;
6402  }
6403  else if (streq(p[0], "syslog") && !p[2])
6404  {
6405  VERIFY_PERMISSION(OPT_P_GENERAL);
6406  open_syslog(p[1], false);
6407  }
6408  else if (streq(p[0], "daemon") && !p[2])
6409  {
6410  bool didit = false;
6411  VERIFY_PERMISSION(OPT_P_GENERAL);
6412  if (!options->daemon)
6413  {
6414  options->daemon = didit = true;
6415  open_syslog(p[1], false);
6416  }
6417  if (p[1])
6418  {
6419  if (!didit)
6420  {
6421  msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
6422  goto err;
6423  }
6424  }
6425  }
6426  else if (streq(p[0], "log") && p[1] && !p[2])
6427  {
6428  VERIFY_PERMISSION(OPT_P_GENERAL);
6429  options->log = true;
6430  redirect_stdout_stderr(p[1], false);
6431  }
6432  else if (streq(p[0], "suppress-timestamps") && !p[1])
6433  {
6434  VERIFY_PERMISSION(OPT_P_GENERAL);
6435  options->suppress_timestamps = true;
6436  set_suppress_timestamps(true);
6437  }
6438  else if (streq(p[0], "machine-readable-output") && !p[1])
6439  {
6440  VERIFY_PERMISSION(OPT_P_GENERAL);
6441  options->machine_readable_output = true;
6442  set_machine_readable_output(true);
6443  }
6444  else if (streq(p[0], "log-append") && p[1] && !p[2])
6445  {
6446  VERIFY_PERMISSION(OPT_P_GENERAL);
6447  options->log = true;
6448  redirect_stdout_stderr(p[1], true);
6449  }
6450 #ifdef ENABLE_MEMSTATS
6451  else if (streq(p[0], "memstats") && p[1] && !p[2])
6452  {
6453  VERIFY_PERMISSION(OPT_P_GENERAL);
6454  options->memstats_fn = p[1];
6455  }
6456 #endif
6457  else if (streq(p[0], "mlock") && !p[1])
6458  {
6459  VERIFY_PERMISSION(OPT_P_GENERAL);
6460  options->mlock = true;
6461  }
6462 #if ENABLE_IP_PKTINFO
6463  else if (streq(p[0], "multihome") && !p[1])
6464  {
6465  VERIFY_PERMISSION(OPT_P_GENERAL);
6466  options->sockflags |= SF_USE_IP_PKTINFO;
6467  }
6468 #endif
6469  else if (streq(p[0], "verb") && p[1] && !p[2])
6470  {
6471  VERIFY_PERMISSION(OPT_P_MESSAGES);
6472  options->verbosity = positive_atoi(p[1]);
6473  if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6474  {
6475  /* We pass this flag to the SSL library to avoid
6476  * mbed TLS always generating debug level logging */
6477  options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6478  }
6479 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6480  /* Warn when a debug verbosity is supplied when built without debug support */
6481  if (options->verbosity >= 7)
6482  {
6483  msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6484  options->verbosity);
6485  }
6486 #endif
6487  }
6488  else if (streq(p[0], "mute") && p[1] && !p[2])
6489  {
6490  VERIFY_PERMISSION(OPT_P_MESSAGES);
6491  options->mute = positive_atoi(p[1]);
6492  }
6493  else if (streq(p[0], "errors-to-stderr") && !p[1])
6494  {
6495  VERIFY_PERMISSION(OPT_P_MESSAGES);
6496  errors_to_stderr();
6497  }
6498  else if (streq(p[0], "status") && p[1] && !p[3])
6499  {
6500  VERIFY_PERMISSION(OPT_P_GENERAL);
6501  options->status_file = p[1];
6502  if (p[2])
6503  {
6504  options->status_file_update_freq = positive_atoi(p[2]);
6505  }
6506  }
6507  else if (streq(p[0], "status-version") && p[1] && !p[2])
6508  {
6509  int version;
6510 
6511  VERIFY_PERMISSION(OPT_P_GENERAL);
6512  version = atoi(p[1]);
6513  if (version < 1 || version > 3)
6514  {
6515  msg(msglevel, "--status-version must be 1 to 3");
6516  goto err;
6517  }
6518  options->status_file_version = version;
6519  }
6520  else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6521  {
6522  VERIFY_PERMISSION(OPT_P_GENERAL);
6523  if (streq(p[1], "SIGHUP"))
6524  {
6525  options->remap_sigusr1 = SIGHUP;
6526  }
6527  else if (streq(p[1], "SIGTERM"))
6528  {
6529  options->remap_sigusr1 = SIGTERM;
6530  }
6531  else
6532  {
6533  msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6534  goto err;
6535  }
6536  }
6537  else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6538  {
6539  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6540  options->ce.link_mtu = positive_atoi(p[1]);
6541  options->ce.link_mtu_defined = true;
6542  }
6543  else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6544  {
6545  VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
6546  options->ce.tun_mtu = positive_atoi(p[1]);
6547  options->ce.tun_mtu_defined = true;
6548  if (p[2])
6549  {
6550  options->ce.occ_mtu = positive_atoi(p[2]);
6551  }
6552  else
6553  {
6554  options->ce.occ_mtu = 0;
6555  }
6556  }
6557  else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3])
6558  {
6559  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6560  int max_mtu = positive_atoi(p[1]);
6561  if (max_mtu < 68 || max_mtu > 65536)
6562  {
6563  msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
6564  }
6565  else
6566  {
6567  options->ce.tun_mtu_max = max_mtu;
6568  }
6569  }
6570  else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6571  {
6572  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6573  options->ce.tun_mtu_extra = positive_atoi(p[1]);
6574  options->ce.tun_mtu_extra_defined = true;
6575  }
6576  else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
6577  {
6578  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6579  int maxmtu = positive_atoi(p[1]);
6580  options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
6581 
6582  if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
6583  {
6584  msg(M_WARN, "Note: max-packet-size value outside of allowed "
6585  "control channel packet size (%d to %d), will use %d "
6586  "instead.", TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE,
6587  options->ce.tls_mtu);
6588  }
6589 
6590  /* also set mssfix maxmtu mtu */
6591  options->ce.mssfix = maxmtu;
6592  options->ce.mssfix_default = false;
6593  options->ce.mssfix_encap = true;
6594  }
6595 #ifdef ENABLE_FRAGMENT
6596  else if (streq(p[0], "mtu-dynamic"))
6597  {
6598  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6599  msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6600  goto err;
6601  }
6602  else if (streq(p[0], "fragment") && p[1] && !p[3])
6603  {
6604  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6605  options->ce.fragment = positive_atoi(p[1]);
6606 
6607  if (options->ce.fragment < 68)
6608  {
6609  msg(msglevel, "--fragment needs to be at least 68");
6610  goto err;
6611  }
6612 
6613  if (p[2] && streq(p[2], "mtu"))
6614  {
6615  options->ce.fragment_encap = true;
6616  }
6617  else if (p[2])
6618  {
6619  msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6620  }
6621  }
6622 #endif /* ifdef ENABLE_FRAGMENT */
6623  else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6624  {
6625  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6626  options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6627  }
6628  else if (streq(p[0], "mtu-test") && !p[1])
6629  {
6630  VERIFY_PERMISSION(OPT_P_GENERAL);
6631  options->mtu_test = true;
6632  }
6633  else if (streq(p[0], "nice") && p[1] && !p[2])
6634  {
6635  VERIFY_PERMISSION(OPT_P_NICE);
6636  options->nice = atoi(p[1]);
6637  }
6638  else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6639  {
6640  VERIFY_PERMISSION(OPT_P_SOCKBUF);
6641  options->rcvbuf = positive_atoi(p[1]);
6642  }
6643  else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6644  {
6645  VERIFY_PERMISSION(OPT_P_SOCKBUF);
6646  options->sndbuf = positive_atoi(p[1]);
6647  }
6648  else if (streq(p[0], "mark") && p[1] && !p[2])
6649  {
6650 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
6651  VERIFY_PERMISSION(OPT_P_GENERAL);
6652  options->mark = atoi(p[1]);
6653 #endif
6654  }
6655  else if (streq(p[0], "socket-flags"))
6656  {
6657  int j;
6658  VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6659  for (j = 1; j < MAX_PARMS && p[j]; ++j)
6660  {
6661  if (streq(p[j], "TCP_NODELAY"))
6662  {
6663  options->sockflags |= SF_TCP_NODELAY;
6664  }
6665  else
6666  {
6667  msg(msglevel, "unknown socket flag: %s", p[j]);
6668  }
6669  }
6670  }
6671 #ifdef TARGET_LINUX
6672  else if (streq(p[0], "bind-dev") && p[1])
6673  {
6674  VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6675  options->bind_dev = p[1];
6676  }
6677 #endif
6678  else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6679  {
6680  VERIFY_PERMISSION(OPT_P_GENERAL);
6681 #ifdef TARGET_LINUX
6682  options->tuntap_options.txqueuelen = positive_atoi(p[1]);
6683 #else
6684  msg(msglevel, "--txqueuelen not supported on this OS");
6685  goto err;
6686 #endif
6687  }
6688  else if (streq(p[0], "shaper") && p[1] && !p[2])
6689  {
6690  int shaper;
6691 
6692  VERIFY_PERMISSION(OPT_P_SHAPER);
6693  shaper = atoi(p[1]);
6694  if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
6695  {
6696  msg(msglevel, "Bad shaper value, must be between %d and %d",
6697  SHAPER_MIN, SHAPER_MAX);
6698  goto err;
6699  }
6700  options->shaper = shaper;
6701  }
6702  else if (streq(p[0], "port") && p[1] && !p[2])
6703  {
6704  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6705  options->ce.local_port = options->ce.remote_port = p[1];
6706  }
6707  else if (streq(p[0], "lport") && p[1] && !p[2])
6708  {
6709  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6710  options->ce.local_port_defined = true;
6711  options->ce.local_port = p[1];
6712  }
6713  else if (streq(p[0], "rport") && p[1] && !p[2])
6714  {
6715  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6716  options->ce.remote_port = p[1];
6717  }
6718  else if (streq(p[0], "bind") && !p[2])
6719  {
6720  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6721  options->ce.bind_defined = true;
6722  if (p[1] && streq(p[1], "ipv6only"))
6723  {
6724  options->ce.bind_ipv6_only = true;
6725  }
6726 
6727  }
6728  else if (streq(p[0], "nobind") && !p[1])
6729  {
6730  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6731  options->ce.bind_local = false;
6732  }
6733  else if (streq(p[0], "fast-io") && !p[1])
6734  {
6735  VERIFY_PERMISSION(OPT_P_GENERAL);
6736  options->fast_io = true;
6737  }
6738  else if (streq(p[0], "inactive") && p[1] && !p[3])
6739  {
6740  VERIFY_PERMISSION(OPT_P_TIMER);
6741  options->inactivity_timeout = positive_atoi(p[1]);
6742  if (p[2])
6743  {
6744  int64_t val = atoll(p[2]);
6745  options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
6746  if (options->inactivity_minimum_bytes > INT_MAX)
6747  {
6748  msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
6749  " >2 Gbyte was silently ignored in older versions. If "
6750  " your VPN exits unexpectedly with 'Inactivity timeout'"
6751  " in %d seconds, revisit this value.",
6752  options->inactivity_timeout );
6753  }
6754  }
6755  }
6756  else if (streq(p[0], "session-timeout") && p[1] && !p[2])
6757  {
6758  VERIFY_PERMISSION(OPT_P_TIMER);
6759  options->session_timeout = positive_atoi(p[1]);
6760  }
6761  else if (streq(p[0], "proto") && p[1] && !p[2])
6762  {
6763  int proto;
6764  sa_family_t af;
6765  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6766  proto = ascii2proto(p[1]);
6767  af = ascii2af(p[1]);
6768  if (proto < 0)
6769  {
6770  msg(msglevel,
6771  "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
6772  p[1],
6773  proto2ascii_all(&gc));
6774  goto err;
6775  }
6776  options->ce.proto = proto;
6777  options->ce.af = af;
6778  }
6779  else if (streq(p[0], "proto-force") && p[1] && !p[2])
6780  {
6781  int proto_force;
6782  VERIFY_PERMISSION(OPT_P_GENERAL);
6783  proto_force = ascii2proto(p[1]);
6784  if (proto_force < 0)
6785  {
6786  msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6787  goto err;
6788  }
6789  options->proto_force = proto_force;
6790  }
6791  else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6792  {
6793  struct http_proxy_options *ho;
6794 
6795  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6796 
6797  {
6798  if (!p[2])
6799  {
6800  msg(msglevel, "http-proxy port number not defined");
6801  goto err;
6802  }
6803 
6804  ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6805 
6806  ho->server = p[1];
6807  ho->port = p[2];
6808  }
6809 
6810  if (p[3])
6811  {
6812  /* auto -- try to figure out proxy addr, port, and type automatically */
6813  /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6814  if (streq(p[3], "auto"))
6815  {
6816  ho->auth_retry = PAR_ALL;
6817  }
6818  else if (streq(p[3], "auto-nct"))
6819  {
6820  ho->auth_retry = PAR_NCT;
6821  }
6822  else
6823  {
6824  ho->auth_method_string = "basic";
6825  ho->auth_file = p[3];
6826 
6827  if (p[4])
6828  {
6829  ho->auth_method_string = p[4];
6830  }
6831  }
6832  }
6833  else
6834  {
6835  ho->auth_method_string = "none";
6836  }
6837  }
6838  else if (streq(p[0], "http-proxy-user-pass") && p[1])
6839  {
6840  struct http_proxy_options *ho;
6841  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6842  ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6843  ho->auth_file_up = p[1];
6844  ho->inline_creds = is_inline;
6845  }
6846  else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
6847  {
6848  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6849  msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6850  "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6851  "Use connect-retry-max 1 to get a similar behavior as before.");
6852  }
6853  else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
6854  {
6855  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6856  msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6857  "server is established is managed with a single timeout set by connect-timeout");
6858  }
6859  else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6860  {
6861  struct http_proxy_options *ho;
6862 
6863  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6864  ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6865 
6866  if (streq(p[1], "VERSION") && p[2] && !p[3])
6867  {
6868  ho->http_version = p[2];
6869  }
6870  else if (streq(p[1], "AGENT") && p[2] && !p[3])
6871  {
6872  ho->user_agent = p[2];
6873  }
6874  else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6875  && p[2])
6876  {
6877  /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6878  * with either two argument or one */
6879 
6880  struct http_custom_header *custom_header = NULL;
6881  int i;
6882  /* Find the first free header */
6883  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6884  {
6885  if (!ho->custom_headers[i].name)
6886  {
6887  custom_header = &ho->custom_headers[i];
6888  break;
6889  }
6890  }
6891  if (!custom_header)
6892  {
6893  msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
6894  }
6895  else
6896  {
6897  /* We will save p[2] and p[3], the proxy code will detect if
6898  * p[3] is NULL */
6899  custom_header->name = p[2];
6900  custom_header->content = p[3];
6901  }
6902  }
6903  else
6904  {
6905  msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6906  }
6907  }
6908  else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6909  {
6910  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6911 
6912  if (p[2])
6913  {
6914  options->ce.socks_proxy_port = p[2];
6915  }
6916  else
6917  {
6918  options->ce.socks_proxy_port = "1080";
6919  }
6920  options->ce.socks_proxy_server = p[1];
6921  options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
6922  }
6923  else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
6924  {
6925  VERIFY_PERMISSION(OPT_P_GENERAL);
6926  options->keepalive_ping = atoi(p[1]);
6927  options->keepalive_timeout = atoi(p[2]);
6928  }
6929  else if (streq(p[0], "ping") && p[1] && !p[2])
6930  {
6931  VERIFY_PERMISSION(OPT_P_TIMER);
6932  options->ping_send_timeout = positive_atoi(p[1]);
6933  }
6934  else if (streq(p[0], "ping-exit") && p[1] && !p[2])
6935  {
6936  VERIFY_PERMISSION(OPT_P_TIMER);
6937  options->ping_rec_timeout = positive_atoi(p[1]);
6938  options->ping_rec_timeout_action = PING_EXIT;
6939  }
6940  else if (streq(p[0], "ping-restart") && p[1] && !p[2])
6941  {
6942  VERIFY_PERMISSION(OPT_P_TIMER);
6943  options->ping_rec_timeout = positive_atoi(p[1]);
6944  options->ping_rec_timeout_action = PING_RESTART;
6945  }
6946  else if (streq(p[0], "ping-timer-rem") && !p[1])
6947  {
6948  VERIFY_PERMISSION(OPT_P_TIMER);
6949  options->ping_timer_remote = true;
6950  }
6951  else if (streq(p[0], "explicit-exit-notify") && !p[2])
6952  {
6953  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
6954  if (p[1])
6955  {
6956  options->ce.explicit_exit_notification = positive_atoi(p[1]);
6957  }
6958  else
6959  {
6960  options->ce.explicit_exit_notification = 1;
6961  }
6962  }
6963  else if (streq(p[0], "persist-tun") && !p[1])
6964  {
6965  VERIFY_PERMISSION(OPT_P_PERSIST);
6966  options->persist_tun = true;
6967  }
6968  else if (streq(p[0], "persist-key") && !p[1])
6969  {
6970  VERIFY_PERMISSION(OPT_P_PERSIST);
6971  msg(M_WARN, "DEPRECATED: --persist-key option ignored. "
6972  "Keys are now always persisted across restarts. ");
6973  }
6974  else if (streq(p[0], "persist-local-ip") && !p[1])
6975  {
6976  VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6977  options->persist_local_ip = true;
6978  }
6979  else if (streq(p[0], "persist-remote-ip") && !p[1])
6980  {
6981  VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6982  options->persist_remote_ip = true;
6983  }
6984  else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
6985  {
6986  VERIFY_PERMISSION(OPT_P_ROUTE);
6987  cnol_check_alloc(options);
6988  add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
6989  }
6990  else if (streq(p[0], "route") && p[1] && !p[5])
6991  {
6992  VERIFY_PERMISSION(OPT_P_ROUTE);
6993  rol_check_alloc(options);
6994  if (pull_mode)
6995  {
6996  if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
6997  {
6998  msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
6999  goto err;
7000  }
7001  if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
7002  {
7003  msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
7004  goto err;
7005  }
7006  if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
7007  {
7008  msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
7009  goto err;
7010  }
7011  }
7012  add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
7013  }
7014  else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
7015  {
7016  VERIFY_PERMISSION(OPT_P_ROUTE);
7017  rol6_check_alloc(options);
7018  if (pull_mode)
7019  {
7020  if (!ipv6_addr_safe_hexplusbits(p[1]))
7021  {
7022  msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
7023  goto err;
7024  }
7025  if (p[2] && !ipv6_addr_safe(p[2]))
7026  {
7027  msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
7028  goto err;
7029  }
7030  /* p[3] is metric, if present */
7031  }
7032  add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]);
7033  }
7034  else if (streq(p[0], "max-routes") && !p[2])
7035  {
7036  msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
7037  "The number of routes is unlimited as of OpenVPN 2.4. "
7038  "This option will be removed in a future version, "
7039  "please remove it from your configuration.");
7040  }
7041  else if (streq(p[0], "route-gateway") && p[1] && !p[2])
7042  {
7043  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7044  if (streq(p[1], "dhcp"))
7045  {
7046  options->route_gateway_via_dhcp = true;
7047  }
7048  else
7049  {
7050  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
7051  {
7052  options->route_default_gateway = p[1];
7053  }
7054  else
7055  {
7056  msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
7057  goto err;
7058  }
7059  }
7060  }
7061  else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
7062  {
7063  if (ipv6_addr_safe(p[1]))
7064  {
7065  options->route_ipv6_default_gateway = p[1];
7066  }
7067  else
7068  {
7069  msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
7070  goto err;
7071  }
7072  }
7073  else if (streq(p[0], "route-metric") && p[1] && !p[2])
7074  {
7075  VERIFY_PERMISSION(OPT_P_ROUTE);
7076  options->route_default_metric = positive_atoi(p[1]);
7077  }
7078  else if (streq(p[0], "route-delay") && !p[3])
7079  {
7080  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7081  options->route_delay_defined = true;
7082  if (p[1])
7083  {
7084  options->route_delay = positive_atoi(p[1]);
7085  if (p[2])
7086  {
7087  options->route_delay_window = positive_atoi(p[2]);
7088  }
7089  }
7090  else
7091  {
7092  options->route_delay = 0;
7093  }
7094  }
7095  else if (streq(p[0], "route-up") && p[1])
7096  {
7097  VERIFY_PERMISSION(OPT_P_SCRIPT);
7098  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7099  {
7100  goto err;
7101  }
7102  set_user_script(options, &options->route_script, p[1], "route-up", false);
7103  }
7104  else if (streq(p[0], "route-pre-down") && p[1])
7105  {
7106  VERIFY_PERMISSION(OPT_P_SCRIPT);
7107  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7108  {
7109  goto err;
7110  }
7111  set_user_script(options,
7112  &options->route_predown_script,
7113  p[1],
7114  "route-pre-down", true);
7115  }
7116  else if (streq(p[0], "route-noexec") && !p[1])
7117  {
7118  VERIFY_PERMISSION(OPT_P_SCRIPT);
7119  options->route_noexec = true;
7120  }
7121  else if (streq(p[0], "route-nopull") && !p[1])
7122  {
7123  VERIFY_PERMISSION(OPT_P_GENERAL);
7124  options->route_nopull = true;
7125  }
7126  else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
7127  {
7128  struct pull_filter *f;
7129  VERIFY_PERMISSION(OPT_P_GENERAL)
7130  f = alloc_pull_filter(options, msglevel);
7131 
7132  if (strcmp("accept", p[1]) == 0)
7133  {
7134  f->type = PUF_TYPE_ACCEPT;
7135  }
7136  else if (strcmp("ignore", p[1]) == 0)
7137  {
7138  f->type = PUF_TYPE_IGNORE;
7139  }
7140  else if (strcmp("reject", p[1]) == 0)
7141  {
7142  f->type = PUF_TYPE_REJECT;
7143  }
7144  else
7145  {
7146  msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
7147  goto err;
7148  }
7149  f->pattern = p[2];
7150  f->size = strlen(p[2]);
7151  }
7152  else if (streq(p[0], "allow-pull-fqdn") && !p[1])
7153  {
7154  VERIFY_PERMISSION(OPT_P_GENERAL);
7155  options->allow_pull_fqdn = true;
7156  }
7157  else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7158  {
7159  int j;
7160  VERIFY_PERMISSION(OPT_P_ROUTE);
7161  rol_check_alloc(options);
7162 
7163  if (options->routes->flags & RG_ENABLE)
7164  {
7165  msg(M_WARN,
7166  "WARNING: You have specified redirect-gateway and "
7167  "redirect-private at the same time (or the same option "
7168  "multiple times). This is not well supported and may lead to "
7169  "unexpected results");
7170  }
7171 
7172  options->routes->flags |= RG_ENABLE;
7173 
7174  if (streq(p[0], "redirect-gateway"))
7175  {
7176  options->routes->flags |= RG_REROUTE_GW;
7177  }
7178  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7179  {
7180  if (streq(p[j], "local"))
7181  {
7182  options->routes->flags |= RG_LOCAL;
7183  }
7184  else if (streq(p[j], "autolocal"))
7185  {
7186  options->routes->flags |= RG_AUTO_LOCAL;
7187  }
7188  else if (streq(p[j], "def1"))
7189  {
7190  options->routes->flags |= RG_DEF1;
7191  }
7192  else if (streq(p[j], "bypass-dhcp"))
7193  {
7194  options->routes->flags |= RG_BYPASS_DHCP;
7195  }
7196  else if (streq(p[j], "bypass-dns"))
7197  {
7198  options->routes->flags |= RG_BYPASS_DNS;
7199  }
7200  else if (streq(p[j], "block-local"))
7201  {
7202  options->routes->flags |= RG_BLOCK_LOCAL;
7203  }
7204  else if (streq(p[j], "ipv6"))
7205  {
7206  rol6_check_alloc(options);
7207  options->routes_ipv6->flags |= RG_REROUTE_GW;
7208  }
7209  else if (streq(p[j], "!ipv4"))
7210  {
7211  options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7212  }
7213  else
7214  {
7215  msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7216  goto err;
7217  }
7218  }
7219 #ifdef _WIN32
7220  /* we need this here to handle pushed --redirect-gateway */
7221  remap_redirect_gateway_flags(options);
7222 #endif
7223  }
7224  else if (streq(p[0], "block-ipv6") && !p[1])
7225  {
7226  VERIFY_PERMISSION(OPT_P_ROUTE);
7227  options->block_ipv6 = true;
7228  }
7229  else if (streq(p[0], "remote-random-hostname") && !p[1])
7230  {
7231  VERIFY_PERMISSION(OPT_P_GENERAL);
7232  options->sockflags |= SF_HOST_RANDOMIZE;
7233  }
7234  else if (streq(p[0], "setenv") && p[1] && !p[3])
7235  {
7236  VERIFY_PERMISSION(OPT_P_GENERAL);
7237  if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7238  {
7239  options->sockflags |= SF_HOST_RANDOMIZE;
7240  }
7241  else if (streq(p[1], "GENERIC_CONFIG"))
7242  {
7243  msg(msglevel, "this is a generic configuration and cannot directly be used");
7244  goto err;
7245  }
7246  else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7247  {
7248  options->push_peer_info = true;
7249  }
7250  else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7251  {
7252  options->ce.connect_timeout = positive_atoi(p[2]);
7253  }
7254  else
7255  {
7256  if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7257  {
7258  options->forward_compatible = true;
7259  msglevel_fc = msglevel_forward_compatible(options, msglevel);
7260  }
7261  setenv_str(es, p[1], p[2] ? p[2] : "");
7262  }
7263  }
7264  else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7265  {
7266  unsigned int major, minor, patch;
7267  if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7268  {
7269  msg(msglevel, "cannot parse version number for --compat-mode: %s",
7270  p[1]);
7271  goto err;
7272  }
7273 
7274  options->backwards_compatible = major * 10000 + minor * 100 + patch;
7275  }
7276  else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7277  {
7278  VERIFY_PERMISSION(OPT_P_SETENV);
7279  setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7280  }
7281  else if (streq(p[0], "script-security") && p[1] && !p[2])
7282  {
7283  VERIFY_PERMISSION(OPT_P_GENERAL);
7284  script_security_set(atoi(p[1]));
7285  }
7286  else if (streq(p[0], "mssfix") && !p[3])
7287  {
7288  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
7289  if (p[1])
7290  {
7291  int mssfix = positive_atoi(p[1]);
7292  /* can be 0, but otherwise it needs to be high enough so we can
7293  * substract room for headers. */
7294  if (mssfix != 0
7295  && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
7296  {
7297  msg(msglevel, "--mssfix value '%s' is invalid", p[1]);
7298  goto err;
7299  }
7300 
7301  /* value specified, assume encapsulation is not
7302  * included unless "mtu" follows later */
7303  options->ce.mssfix = mssfix;
7304  options->ce.mssfix_encap = false;
7305  options->ce.mssfix_default = false;
7306  }
7307  else
7308  {
7309  /* Set MTU to default values */
7310  options->ce.mssfix_default = true;
7311  options->ce.mssfix_encap = true;
7312  options->ce.mssfix_fixed = false;
7313  }
7314 
7315  if (p[2] && streq(p[2], "mtu"))
7316  {
7317  options->ce.mssfix_encap = true;
7318  }
7319  else if (p[2] && streq(p[2], "fixed"))
7320  {
7321  options->ce.mssfix_fixed = true;
7322  }
7323  else if (p[2])
7324  {
7325  msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7326  }
7327  }
7328  else if (streq(p[0], "disable-occ") && !p[1])
7329  {
7330  VERIFY_PERMISSION(OPT_P_GENERAL);
7331  options->occ = false;
7332  }
7333  else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7334  {
7335  const int lev = M_WARN;
7336  bool error = false;
7337  in_addr_t network, netmask;
7338 
7339  VERIFY_PERMISSION(OPT_P_GENERAL);
7340  network = get_ip_addr(p[1], lev, &error);
7341  netmask = get_ip_addr(p[2], lev, &error);
7342  if (error || !network || !netmask)
7343  {
7344  msg(msglevel, "error parsing --server parameters");
7345  goto err;
7346  }
7347  options->server_defined = true;
7348  options->server_network = network;
7349  options->server_netmask = netmask;
7350 
7351  if (p[3])
7352  {
7353  if (streq(p[3], "nopool"))
7354  {
7355  options->server_flags |= SF_NOPOOL;
7356  }
7357  else
7358  {
7359  msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7360  goto err;
7361  }
7362  }
7363  }
7364  else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7365  {
7366  const int lev = M_WARN;
7367  struct in6_addr network;
7368  unsigned int netbits = 0;
7369 
7370  VERIFY_PERMISSION(OPT_P_GENERAL);
7371  if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
7372  {
7373  msg(msglevel, "error parsing --server-ipv6 parameter");
7374  goto err;
7375  }
7376  if (netbits < 64 || netbits > 124)
7377  {
7378  msg(msglevel,
7379  "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7380  netbits);
7381 
7382  goto err;
7383  }
7384  options->server_ipv6_defined = true;
7385  options->server_network_ipv6 = network;
7386  options->server_netbits_ipv6 = netbits;
7387  }
7388  else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7389  {
7390  const int lev = M_WARN;
7391  bool error = false;
7392  in_addr_t ip, netmask, pool_start, pool_end;
7393 
7394  VERIFY_PERMISSION(OPT_P_GENERAL);
7395  ip = get_ip_addr(p[1], lev, &error);
7396  netmask = get_ip_addr(p[2], lev, &error);
7397  pool_start = get_ip_addr(p[3], lev, &error);
7398  pool_end = get_ip_addr(p[4], lev, &error);
7399  if (error || !ip || !netmask || !pool_start || !pool_end)
7400  {
7401  msg(msglevel, "error parsing --server-bridge parameters");
7402  goto err;
7403  }
7404  options->server_bridge_defined = true;
7405  options->server_bridge_ip = ip;
7406  options->server_bridge_netmask = netmask;
7407  options->server_bridge_pool_start = pool_start;
7408  options->server_bridge_pool_end = pool_end;
7409  }
7410  else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7411  {
7412  VERIFY_PERMISSION(OPT_P_GENERAL);
7413  options->server_bridge_proxy_dhcp = true;
7414  options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7415  }
7416  else if (streq(p[0], "server-bridge") && !p[1])
7417  {
7418  VERIFY_PERMISSION(OPT_P_GENERAL);
7419  options->server_bridge_proxy_dhcp = true;
7420  }
7421  else if (streq(p[0], "push") && p[1] && !p[2])
7422  {
7423  VERIFY_PERMISSION(OPT_P_PUSH);
7424  push_options(options, &p[1], msglevel, &options->gc);
7425  }
7426  else if (streq(p[0], "push-reset") && !p[1])
7427  {
7428  VERIFY_PERMISSION(OPT_P_INSTANCE);
7429  push_reset(options);
7430  }
7431  else if (streq(p[0], "push-remove") && p[1] && !p[2])
7432  {
7433  VERIFY_PERMISSION(OPT_P_INSTANCE);
7434  msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7435  push_remove_option(options, p[1]);
7436  }
7437  else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7438  {
7439  const int lev = M_WARN;
7440  bool error = false;
7441  in_addr_t start, end, netmask = 0;
7442 
7443  VERIFY_PERMISSION(OPT_P_GENERAL);
7444  start = get_ip_addr(p[1], lev, &error);
7445  end = get_ip_addr(p[2], lev, &error);
7446  if (p[3])
7447  {
7448  netmask = get_ip_addr(p[3], lev, &error);
7449  }
7450  if (error)
7451  {
7452  msg(msglevel, "error parsing --ifconfig-pool parameters");
7453  goto err;
7454  }
7455  if (!ifconfig_pool_verify_range(msglevel, start, end))
7456  {
7457  goto err;
7458  }
7459 
7460  options->ifconfig_pool_defined = true;
7461  options->ifconfig_pool_start = start;
7462  options->ifconfig_pool_end = end;
7463  if (netmask)
7464  {
7465  options->ifconfig_pool_netmask = netmask;
7466  }
7467  }
7468  else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7469  {
7470  VERIFY_PERMISSION(OPT_P_GENERAL);
7471  options->ifconfig_pool_persist_filename = p[1];
7472  if (p[2])
7473  {
7474  options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2]);
7475  }
7476  }
7477  else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7478  {
7479  const int lev = M_WARN;
7480  struct in6_addr network;
7481  unsigned int netbits = 0;
7482 
7483  VERIFY_PERMISSION(OPT_P_GENERAL);
7484  if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
7485  {
7486  msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7487  goto err;
7488  }
7489  if (netbits < 64 || netbits > 124)
7490  {
7491  msg(msglevel,
7492  "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7493  netbits);
7494  goto err;
7495  }
7496 
7497  options->ifconfig_ipv6_pool_defined = true;
7498  options->ifconfig_ipv6_pool_base = network;
7499  options->ifconfig_ipv6_pool_netbits = netbits;
7500  }
7501  else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7502  {
7503  int real, virtual;
7504 
7505  VERIFY_PERMISSION(OPT_P_GENERAL);
7506  real = atoi(p[1]);
7507  virtual = atoi(p[2]);
7508  if (real < 1 || virtual < 1)
7509  {
7510  msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
7511  goto err;
7512  }
7513  options->real_hash_size = real;
7514  options->virtual_hash_size = real;
7515  }
7516  else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7517  {
7518  int cf_max, cf_per;
7519 
7520  VERIFY_PERMISSION(OPT_P_GENERAL);
7521  cf_max = atoi(p[1]);
7522  cf_per = atoi(p[2]);
7523  if (cf_max < 0 || cf_per < 0)
7524  {
7525  msg(msglevel, "--connect-freq parms must be > 0");
7526  goto err;
7527  }
7528  options->cf_max = cf_max;
7529  options->cf_per = cf_per;
7530  }
7531  else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7532  {
7533  long cf_max, cf_per;
7534 
7535  VERIFY_PERMISSION(OPT_P_GENERAL);
7536  char *e1, *e2;
7537  cf_max = strtol(p[1], &e1, 10);
7538  cf_per = strtol(p[2], &e2, 10);
7539  if (cf_max < 0 || cf_per < 0 || *e1 != '\0' || *e2 != '\0')
7540  {
7541  msg(msglevel, "--connect-freq-initial parameters must be integers and >= 0");
7542  goto err;
7543  }
7544  options->cf_initial_max = cf_max;
7545  options->cf_initial_per = cf_per;
7546  }
7547  else if (streq(p[0], "max-clients") && p[1] && !p[2])
7548  {
7549  int max_clients;
7550 
7551  VERIFY_PERMISSION(OPT_P_GENERAL);
7552  max_clients = atoi(p[1]);
7553  if (max_clients < 0)
7554  {
7555  msg(msglevel, "--max-clients must be at least 1");
7556  goto err;
7557  }
7558  if (max_clients >= MAX_PEER_ID) /* max peer-id value */
7559  {
7560  msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
7561  goto err;
7562  }
7563  options->max_clients = max_clients;
7564  }
7565  else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7566  {
7567  VERIFY_PERMISSION(OPT_P_INHERIT);
7568  options->max_routes_per_client = max_int(atoi(p[1]), 1);
7569  }
7570  else if (streq(p[0], "client-cert-not-required") && !p[1])
7571  {
7572  VERIFY_PERMISSION(OPT_P_GENERAL);
7573  msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7574  }
7575  else if (streq(p[0], "verify-client-cert") && !p[2])
7576  {
7577  VERIFY_PERMISSION(OPT_P_GENERAL);
7578 
7579  /* Reset any existing flags */
7580  options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7581  options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7582  if (p[1])
7583  {
7584  if (streq(p[1], "none"))
7585  {
7586  options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
7587  }
7588  else if (streq(p[1], "optional"))
7589  {
7590  options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7591  }
7592  else if (!streq(p[1], "require"))
7593  {
7594  msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7595  goto err;
7596  }
7597  }
7598  }
7599  else if (streq(p[0], "username-as-common-name") && !p[1])
7600  {
7601  VERIFY_PERMISSION(OPT_P_GENERAL);
7602  options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7603  }
7604  else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7605  {
7606  VERIFY_PERMISSION(OPT_P_GENERAL);
7607  options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7608  }
7609  else if (streq(p[0], "opt-verify") && !p[1])
7610  {
7611  VERIFY_PERMISSION(OPT_P_GENERAL);
7612  msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
7613  "in OpenVPN 2.7");
7614  options->ssl_flags |= SSLF_OPT_VERIFY;
7615  }
7616  else if (streq(p[0], "auth-user-pass-verify") && p[1])
7617  {
7618  VERIFY_PERMISSION(OPT_P_SCRIPT);
7619  if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7620  {
7621  goto err;
7622  }
7623  if (p[2])
7624  {
7625  if (streq(p[2], "via-env"))
7626  {
7627  options->auth_user_pass_verify_script_via_file = false;
7628  }
7629  else if (streq(p[2], "via-file"))
7630  {
7631  options->auth_user_pass_verify_script_via_file = true;
7632  }
7633  else
7634  {
7635  msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7636  goto err;
7637  }
7638  }
7639  else
7640  {
7641  msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7642  goto err;
7643  }
7644  set_user_script(options,
7645  &options->auth_user_pass_verify_script,
7646  p[1], "auth-user-pass-verify", true);
7647  }
7648  else if (streq(p[0], "auth-gen-token"))
7649  {
7650  VERIFY_PERMISSION(OPT_P_GENERAL);
7651  options->auth_token_generate = true;
7652  options->auth_token_lifetime = p[1] ? positive_atoi(p[1]) : 0;
7653 
7654  for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
7655  {
7656  /* the second parameter can be the renewal time */
7657  if (i == 2 && positive_atoi(p[i]))
7658  {
7659  options->auth_token_renewal = positive_atoi(p[i]);
7660  }
7661  else if (streq(p[i], "external-auth"))
7662  {
7663  options->auth_token_call_auth = true;
7664  }
7665  else
7666  {
7667  msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
7668  }
7669  }
7670 
7671  }
7672  else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7673  {
7674  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7675  options->auth_token_secret_file = p[1];
7676  options->auth_token_secret_file_inline = is_inline;
7677 
7678  }
7679  else if (streq(p[0], "client-connect") && p[1])
7680  {
7681  VERIFY_PERMISSION(OPT_P_SCRIPT);
7682  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7683  {
7684  goto err;
7685  }
7686  set_user_script(options, &options->client_connect_script,
7687  p[1], "client-connect", true);
7688  }
7689  else if (streq(p[0], "client-crresponse") && p[1])
7690  {
7691  VERIFY_PERMISSION(OPT_P_SCRIPT);
7692  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7693  {
7694  goto err;
7695  }
7696  set_user_script(options, &options->client_crresponse_script,
7697  p[1], "client-crresponse", true);
7698  }
7699  else if (streq(p[0], "client-disconnect") && p[1])
7700  {
7701  VERIFY_PERMISSION(OPT_P_SCRIPT);
7702  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7703  {
7704  goto err;
7705  }
7706  set_user_script(options, &options->client_disconnect_script,
7707  p[1], "client-disconnect", true);
7708  }
7709  else if (streq(p[0], "learn-address") && p[1])
7710  {
7711  VERIFY_PERMISSION(OPT_P_SCRIPT);
7712  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7713  {
7714  goto err;
7715  }
7716  set_user_script(options, &options->learn_address_script,
7717  p[1], "learn-address", true);
7718  }
7719  else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7720  {
7721  VERIFY_PERMISSION(OPT_P_GENERAL);
7722  options->tmp_dir = p[1];
7723  }
7724  else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7725  {
7726  VERIFY_PERMISSION(OPT_P_GENERAL);
7727  options->client_config_dir = p[1];
7728  }
7729  else if (streq(p[0], "ccd-exclusive") && !p[1])
7730  {
7731  VERIFY_PERMISSION(OPT_P_GENERAL);
7732  options->ccd_exclusive = true;
7733  }
7734  else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7735  {
7736  int n_bcast_buf;
7737 
7738  VERIFY_PERMISSION(OPT_P_GENERAL);
7739  n_bcast_buf = atoi(p[1]);
7740  if (n_bcast_buf < 1)
7741  {
7742  msg(msglevel, "--bcast-buffers parameter must be > 0");
7743  }
7744  options->n_bcast_buf = n_bcast_buf;
7745  }
7746  else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7747  {
7748  int tcp_queue_limit;
7749 
7750  VERIFY_PERMISSION(OPT_P_GENERAL);
7751  tcp_queue_limit = atoi(p[1]);
7752  if (tcp_queue_limit < 1)
7753  {
7754  msg(msglevel, "--tcp-queue-limit parameter must be > 0");
7755  }
7756  options->tcp_queue_limit = tcp_queue_limit;
7757  }
7758 #if PORT_SHARE
7759  else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7760  {
7761  VERIFY_PERMISSION(OPT_P_GENERAL);
7762  options->port_share_host = p[1];
7763  options->port_share_port = p[2];
7764  options->port_share_journal_dir = p[3];
7765  }
7766 #endif
7767  else if (streq(p[0], "client-to-client") && !p[1])
7768  {
7769  VERIFY_PERMISSION(OPT_P_GENERAL);
7770  options->enable_c2c = true;
7771  }
7772  else if (streq(p[0], "duplicate-cn") && !p[1])
7773  {
7774  VERIFY_PERMISSION(OPT_P_GENERAL);
7775  options->duplicate_cn = true;
7776  }
7777  else if (streq(p[0], "iroute") && p[1] && !p[3])
7778  {
7779  VERIFY_PERMISSION(OPT_P_INSTANCE);
7780  option_iroute(options, p[1], p[2], msglevel);
7781  }
7782  else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7783  {
7784  VERIFY_PERMISSION(OPT_P_INSTANCE);
7785  option_iroute_ipv6(options, p[1], msglevel);
7786  }
7787  else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7788  {
7789  in_addr_t local, remote_netmask;
7790 
7791  VERIFY_PERMISSION(OPT_P_INSTANCE);
7792  local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7793  remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7794  if (local && remote_netmask)
7795  {
7796  options->push_ifconfig_defined = true;
7797  options->push_ifconfig_local = local;
7798  options->push_ifconfig_remote_netmask = remote_netmask;
7799  if (p[3])
7800  {
7801  options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7802  }
7803  }
7804  else
7805  {
7806  msg(msglevel, "cannot parse --ifconfig-push addresses");
7807  goto err;
7808  }
7809  }
7810  else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7811  {
7812  in_addr_t network, netmask;
7813 
7814  VERIFY_PERMISSION(OPT_P_GENERAL);
7815  network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7816  netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7817  if (network && netmask)
7818  {
7819  options->push_ifconfig_constraint_defined = true;
7820  options->push_ifconfig_constraint_network = network;
7821  options->push_ifconfig_constraint_netmask = netmask;
7822  }
7823  else
7824  {
7825  msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7826  goto err;
7827  }
7828  }
7829  else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7830  {
7831  struct in6_addr local, remote;
7832  unsigned int netbits;
7833 
7834  VERIFY_PERMISSION(OPT_P_INSTANCE);
7835 
7836  if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
7837  {
7838  msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7839  goto err;
7840  }
7841 
7842  if (p[2])
7843  {
7844  if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
7845  {
7846  msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7847  goto err;
7848  }
7849  }
7850  else
7851  {
7852  if (!options->ifconfig_ipv6_local
7853  || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
7854  NULL, msglevel ) )
7855  {
7856  msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7857  goto err;
7858  }
7859  }
7860 
7861  options->push_ifconfig_ipv6_defined = true;
7862  options->push_ifconfig_ipv6_local = local;
7863  options->push_ifconfig_ipv6_netbits = netbits;
7864  options->push_ifconfig_ipv6_remote = remote;
7865  options->push_ifconfig_ipv6_blocked = false;
7866  }
7867  else if (streq(p[0], "disable") && !p[1])
7868  {
7869  VERIFY_PERMISSION(OPT_P_INSTANCE);
7870  options->disable = true;
7871  }
7872  else if (streq(p[0], "tcp-nodelay") && !p[1])
7873  {
7874  VERIFY_PERMISSION(OPT_P_GENERAL);
7875  options->server_flags |= SF_TCP_NODELAY_HELPER;
7876  }
7877  else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7878  {
7879  int ageing_time, check_interval;
7880 
7881  VERIFY_PERMISSION(OPT_P_GENERAL);
7882  ageing_time = atoi(p[1]);
7883  if (p[2])
7884  {
7885  check_interval = atoi(p[2]);
7886  }
7887  else
7888  {
7889  check_interval = ageing_time;
7890  }
7891 
7892  if (ageing_time < 1 || check_interval < 1)
7893  {
7894  msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
7895  goto err;
7896  }
7897  options->stale_routes_ageing_time = ageing_time;
7898  options->stale_routes_check_interval = check_interval;
7899  }
7900 
7901  else if (streq(p[0], "client") && !p[1])
7902  {
7903  VERIFY_PERMISSION(OPT_P_GENERAL);
7904  options->client = true;
7905  }
7906  else if (streq(p[0], "pull") && !p[1])
7907  {
7908  VERIFY_PERMISSION(OPT_P_GENERAL);
7909  options->pull = true;
7910  }
7911  else if (streq(p[0], "push-continuation") && p[1] && !p[2])
7912  {
7913  VERIFY_PERMISSION(OPT_P_PULL_MODE);
7914  options->push_continuation = atoi(p[1]);
7915  }
7916  else if (streq(p[0], "auth-user-pass") && !p[2])
7917  {
7918  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7919  if (p[1])
7920  {
7921  options->auth_user_pass_file = p[1];
7922  options->auth_user_pass_file_inline = is_inline;
7923  }
7924  else
7925  {
7926  options->auth_user_pass_file = "stdin";
7927  }
7928  }
7929  else if (streq(p[0], "auth-retry") && p[1] && !p[2])
7930  {
7931  VERIFY_PERMISSION(OPT_P_GENERAL);
7932  auth_retry_set(msglevel, p[1]);
7933  }
7934 #ifdef ENABLE_MANAGEMENT
7935  else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3])
7936  {
7937  VERIFY_PERMISSION(OPT_P_GENERAL);
7938  options->sc_info.challenge_text = p[1];
7939  if (atoi(p[2]))
7940  {
7941  options->sc_info.flags |= SC_ECHO;
7942  }
7943  }
7944 #endif
7945  else if (streq(p[0], "msg-channel") && p[1])
7946  {
7947 #ifdef _WIN32
7948  VERIFY_PERMISSION(OPT_P_GENERAL);
7949  HANDLE process = GetCurrentProcess();
7950  HANDLE handle = (HANDLE) ((intptr_t) atoll(p[1]));
7951  if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
7952  FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
7953  {
7954  msg(msglevel, "could not duplicate service pipe handle");
7955  goto err;
7956  }
7957  options->route_method = ROUTE_METHOD_SERVICE;
7958 #else /* ifdef _WIN32 */
7959  msg(msglevel, "--msg-channel is only supported on Windows");
7960  goto err;
7961 #endif
7962  }
7963 #ifdef _WIN32
7964  else if (streq(p[0], "win-sys") && p[1] && !p[2])
7965  {
7966  VERIFY_PERMISSION(OPT_P_GENERAL);
7967  if (streq(p[1], "env"))
7968  {
7969  msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
7970  "This entry will now be ignored. "
7971  "Please remove this entry from your configuration file.");
7972  }
7973  else
7974  {
7975  set_win_sys_path(p[1], es);
7976  }
7977  }
7978  else if (streq(p[0], "route-method") && p[1] && !p[2])
7979  {
7980  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7981  if (streq(p[1], "adaptive"))
7982  {
7983  options->route_method = ROUTE_METHOD_ADAPTIVE;
7984  }
7985  else if (streq(p[1], "ipapi"))
7986  {
7987  options->route_method = ROUTE_METHOD_IPAPI;
7988  }
7989  else if (streq(p[1], "exe"))
7990  {
7991  options->route_method = ROUTE_METHOD_EXE;
7992  }
7993  else
7994  {
7995  msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
7996  goto err;
7997  }
7998  }
7999  else if (streq(p[0], "ip-win32") && p[1] && !p[4])
8000  {
8001  const int index = ascii2ipset(p[1]);
8002  struct tuntap_options *to = &options->tuntap_options;
8003 
8004  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8005 
8006  if (index < 0)
8007  {
8008  msg(msglevel,
8009  "Bad --ip-win32 method: '%s'. Allowed methods: %s",
8010  p[1],
8011  ipset2ascii_all(&gc));
8012  goto err;
8013  }
8014 
8015  if (index == IPW32_SET_ADAPTIVE)
8016  {
8017  options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
8018  }
8019 
8020  if (index == IPW32_SET_DHCP_MASQ)
8021  {
8022  if (p[2])
8023  {
8024  if (!streq(p[2], "default"))
8025  {
8026  int offset = atoi(p[2]);
8027 
8028  if (!(offset > -256 && offset < 256))
8029  {
8030  msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
8031  goto err;
8032  }
8033 
8034  to->dhcp_masq_custom_offset = true;
8035  to->dhcp_masq_offset = offset;
8036  }
8037 
8038  if (p[3])
8039  {
8040  const int min_lease = 30;
8041  int lease_time;
8042  lease_time = atoi(p[3]);
8043  if (lease_time < min_lease)
8044  {
8045  msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
8046  goto err;
8047  }
8048  to->dhcp_lease_time = lease_time;
8049  }
8050  }
8051  }
8052  to->ip_win32_type = index;
8053  to->ip_win32_defined = true;
8054  }
8055 #endif /* ifdef _WIN32 */
8056  else if (streq(p[0], "dns") && p[1])
8057  {
8058  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8059 
8060  if (streq(p[1], "search-domains") && p[2])
8061  {
8062  dns_domain_list_append(&options->dns_options.search_domains, &p[2], &options->dns_options.gc);
8063  }
8064  else if (streq(p[1], "server") && p[2] && p[3] && p[4])
8065  {
8066  long priority;
8067  if (!dns_server_priority_parse(&priority, p[2], pull_mode))
8068  {
8069  msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
8070  goto err;
8071  }
8072 
8073  struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
8074 
8075  if (streq(p[3], "address") && p[4])
8076  {
8077  for (int i = 4; p[i]; ++i)
8078  {
8079  if (!dns_server_addr_parse(server, p[i]))
8080  {
8081  msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]);
8082  goto err;
8083  }
8084  }
8085  }
8086  else if (streq(p[3], "resolve-domains"))
8087  {
8088  dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
8089  }
8090  else if (streq(p[3], "dnssec") && !p[5])
8091  {
8092  if (streq(p[4], "yes"))
8093  {
8094  server->dnssec = DNS_SECURITY_YES;
8095  }
8096  else if (streq(p[4], "no"))
8097  {
8098  server->dnssec = DNS_SECURITY_NO;
8099  }
8100  else if (streq(p[4], "optional"))
8101  {
8102  server->dnssec = DNS_SECURITY_OPTIONAL;
8103  }
8104  else
8105  {
8106  msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
8107  goto err;
8108  }
8109  }
8110  else if (streq(p[3], "transport") && !p[5])
8111  {
8112  if (streq(p[4], "plain"))
8113  {
8114  server->transport = DNS_TRANSPORT_PLAIN;
8115  }
8116  else if (streq(p[4], "DoH"))
8117  {
8118  server->transport = DNS_TRANSPORT_HTTPS;
8119  }
8120  else if (streq(p[4], "DoT"))
8121  {
8122  server->transport = DNS_TRANSPORT_TLS;
8123  }
8124  else
8125  {
8126  msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
8127  goto err;
8128  }
8129  }
8130  else if (streq(p[3], "sni") && !p[5])
8131  {
8132  server->sni = p[4];
8133  }
8134  else
8135  {
8136  msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]);
8137  goto err;
8138  }
8139  }
8140  else
8141  {
8142  msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
8143  goto err;
8144  }
8145  }
8146 #if defined(_WIN32) || defined(TARGET_ANDROID)
8147  else if (streq(p[0], "dhcp-option") && p[1])
8148  {
8149  struct tuntap_options *o = &options->tuntap_options;
8150  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8151 
8152  if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX"))
8153  && p[2] && !p[3])
8154  {
8155  o->domain = p[2];
8156  o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8157  }
8158  else if (streq(p[1], "NBS") && p[2] && !p[3])
8159  {
8160  o->netbios_scope = p[2];
8161  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8162  }
8163  else if (streq(p[1], "NBT") && p[2] && !p[3])
8164  {
8165  int t;
8166  t = atoi(p[2]);
8167  if (!(t == 1 || t == 2 || t == 4 || t == 8))
8168  {
8169  msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8170  goto err;
8171  }
8172  o->netbios_node_type = t;
8173  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8174  }
8175  else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
8176  && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
8177  {
8178  if (strstr(p[2], ":"))
8179  {
8180  dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
8181  }
8182  else
8183  {
8184  dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel);
8185  o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8186  }
8187  }
8188  else if (streq(p[1], "WINS") && p[2] && !p[3])
8189  {
8190  dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8191  o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8192  }
8193  else if (streq(p[1], "NTP") && p[2] && !p[3])
8194  {
8195  dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8196  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8197  }
8198  else if (streq(p[1], "NBDD") && p[2] && !p[3])
8199  {
8200  dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8201  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8202  }
8203  else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
8204  {
8205  if (o->domain_search_list_len < N_SEARCH_LIST_LEN)
8206  {
8207  o->domain_search_list[o->domain_search_list_len++] = p[2];
8208  }
8209  else
8210  {
8211  msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
8212  p[1], N_SEARCH_LIST_LEN);
8213  }
8214  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8215  }
8216  else if (streq(p[1], "DISABLE-NBT") && !p[2])
8217  {
8218  o->disable_nbt = 1;
8219  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8220  }
8221 #if defined(TARGET_ANDROID)
8222  else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8223  {
8224  o->http_proxy_port = atoi(p[3]);
8225  o->http_proxy = p[2];
8226  }
8227 #endif
8228  else
8229  {
8230  msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
8231  goto err;
8232  }
8233  }
8234 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8235 #ifdef _WIN32
8236  else if (streq(p[0], "show-adapters") && !p[1])
8237  {
8238  VERIFY_PERMISSION(OPT_P_GENERAL);
8239  show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
8240  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8241  }
8242  else if (streq(p[0], "show-net") && !p[1])
8243  {
8244  VERIFY_PERMISSION(OPT_P_GENERAL);
8245  show_routes(M_INFO|M_NOPREFIX);
8246  show_adapters(M_INFO|M_NOPREFIX);
8247  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8248  }
8249  else if (streq(p[0], "show-net-up") && !p[1])
8250  {
8251  VERIFY_PERMISSION(OPT_P_UP);
8252  options->show_net_up = true;
8253  }
8254  else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8255  {
8256  int s;
8257  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8258  s = atoi(p[1]);
8259  if (s < 0 || s >= 256)
8260  {
8261  msg(msglevel, "--tap-sleep parameter must be between 0 and 255");
8262  goto err;
8263  }
8264  options->tuntap_options.tap_sleep = s;
8265  }
8266  else if (streq(p[0], "dhcp-renew") && !p[1])
8267  {
8268  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8269  options->tuntap_options.dhcp_renew = true;
8270  }
8271  else if (streq(p[0], "dhcp-pre-release") && !p[1])
8272  {
8273  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8274  options->tuntap_options.dhcp_pre_release = true;
8275  options->tuntap_options.dhcp_renew = true;
8276  }
8277  else if (streq(p[0], "dhcp-release") && !p[1])
8278  {
8279  msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8280  }
8281  else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8282  {
8283  unsigned int adapter_index;
8284  VERIFY_PERMISSION(OPT_P_GENERAL);
8285  set_debug_level(options->verbosity, SDL_CONSTRAIN);
8286  adapter_index = atou(p[1]);
8287  sleep(options->tuntap_options.tap_sleep);
8288  if (options->tuntap_options.dhcp_pre_release)
8289  {
8290  dhcp_release_by_adapter_index(adapter_index);
8291  }
8292  if (options->tuntap_options.dhcp_renew)
8293  {
8294  dhcp_renew_by_adapter_index(adapter_index);
8295  }
8296  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8297  }
8298  else if (streq(p[0], "register-dns") && !p[1])
8299  {
8300  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8301  options->tuntap_options.register_dns = true;
8302  }
8303  else if (streq(p[0], "block-outside-dns") && !p[1])
8304  {
8305  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8306  options->block_outside_dns = true;
8307  }
8308  else if (streq(p[0], "rdns-internal") && !p[1])
8309  /* standalone method for internal use
8310  *
8311  * (if --register-dns is set, openvpn needs to call itself in a
8312  * sub-process to execute the required functions in a non-blocking
8313  * way, and uses --rdns-internal to signal that to itself)
8314  */
8315  {
8316  VERIFY_PERMISSION(OPT_P_GENERAL);
8317  set_debug_level(options->verbosity, SDL_CONSTRAIN);
8318  if (options->tuntap_options.register_dns)
8319  {
8320  ipconfig_register_dns(NULL);
8321  }
8322  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8323  }
8324  else if (streq(p[0], "show-valid-subnets") && !p[1])
8325  {
8326  VERIFY_PERMISSION(OPT_P_GENERAL);
8327  show_valid_win32_tun_subnets();
8328  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8329  }
8330  else if (streq(p[0], "pause-exit") && !p[1])
8331  {
8332  VERIFY_PERMISSION(OPT_P_GENERAL);
8333  set_pause_exit_win32();
8334  }
8335  else if (streq(p[0], "service") && p[1] && !p[3])
8336  {
8337  VERIFY_PERMISSION(OPT_P_GENERAL);
8338  options->exit_event_name = p[1];
8339  if (p[2])
8340  {
8341  options->exit_event_initial_state = (atoi(p[2]) != 0);
8342  }
8343  }
8344  else if (streq(p[0], "allow-nonadmin") && !p[2])
8345  {
8346  VERIFY_PERMISSION(OPT_P_GENERAL);
8347  tap_allow_nonadmin_access(p[1]);
8348  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8349  }
8350  else if (streq(p[0], "user") && p[1] && !p[2])
8351  {
8352  VERIFY_PERMISSION(OPT_P_GENERAL);
8353  msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8354  }
8355  else if (streq(p[0], "group") && p[1] && !p[2])
8356  {
8357  VERIFY_PERMISSION(OPT_P_GENERAL);
8358  msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8359  }
8360 #else /* ifdef _WIN32 */
8361  else if (streq(p[0], "user") && p[1] && !p[2])
8362  {
8363  VERIFY_PERMISSION(OPT_P_GENERAL);
8364  options->username = p[1];
8365  }
8366  else if (streq(p[0], "group") && p[1] && !p[2])
8367  {
8368  VERIFY_PERMISSION(OPT_P_GENERAL);
8369  options->groupname = p[1];
8370  }
8371  else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8372  {
8373  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8374  setenv_foreign_option(options, (const char **)p, 3, es);
8375  }
8376  else if (streq(p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
8377  {
8378  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8379  }
8380 #endif /* ifdef _WIN32 */
8381 #if PASSTOS_CAPABILITY
8382  else if (streq(p[0], "passtos") && !p[1])
8383  {
8384  VERIFY_PERMISSION(OPT_P_GENERAL);
8385  options->passtos = true;
8386  }
8387 #endif
8388  else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8389  {
8390  VERIFY_PERMISSION(OPT_P_GENERAL);
8391 
8392  if (streq(p[1], "no"))
8393  {
8394  options->comp.flags =
8395  COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
8396  if (comp_non_stub_enabled(&options->comp))
8397  {
8398  msg(msglevel, "'--allow-compression no' conflicts with "
8399  " enabling compression");
8400  }
8401  }
8402  else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8403  {
8404  /* Also printed on a push to hint at configuration problems */
8405  msg(msglevel, "Cannot set allow-compression to '%s' "
8406  "after set to 'no'", p[1]);
8407  goto err;
8408  }
8409  else if (streq(p[1], "asym"))
8410  {
8411  options->comp.flags &= ~COMP_F_ALLOW_COMPRESS;
8412  options->comp.flags |= COMP_F_ALLOW_ASYM;
8413  }
8414  else if (streq(p[1], "yes"))
8415  {
8416  msg(M_WARN, "WARNING: Compression for sending and receiving enabled. Compression has "
8417  "been used in the past to break encryption. Allowing compression allows "
8418  "attacks that break encryption. Using \"--allow-compression yes\" is "
8419  "strongly discouraged for common usage. See --compress in the manual "
8420  "page for more information ");
8421 
8422  options->comp.flags |= COMP_F_ALLOW_COMPRESS;
8423  }
8424  else
8425  {
8426  msg(msglevel, "bad allow-compression option: %s -- "
8427  "must be 'yes', 'no', or 'asym'", p[1]);
8428  goto err;
8429  }
8430  }
8431  else if (streq(p[0], "comp-lzo") && !p[2])
8432  {
8433  VERIFY_PERMISSION(OPT_P_COMP);
8434 
8435  /* All lzo variants do not use swap */
8436  options->comp.flags &= ~COMP_F_SWAP;
8437 
8438  if (p[1] && streq(p[1], "no"))
8439  {
8440  options->comp.alg = COMP_ALG_STUB;
8441  options->comp.flags &= ~COMP_F_ADAPTIVE;
8442  }
8443  else if (p[1])
8444  {
8445  if (streq(p[1], "yes"))
8446  {
8447  options->comp.alg = COMP_ALG_LZO;
8448  options->comp.flags &= ~COMP_F_ADAPTIVE;
8449  }
8450  else if (streq(p[1], "adaptive"))
8451  {
8452  options->comp.alg = COMP_ALG_LZO;
8453  options->comp.flags |= COMP_F_ADAPTIVE;
8454  }
8455  else
8456  {
8457  msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
8458  goto err;
8459  }
8460  }
8461  else
8462  {
8463  options->comp.alg = COMP_ALG_LZO;
8464  options->comp.flags |= COMP_F_ADAPTIVE;
8465  }
8466  show_compression_warning(&options->comp);
8467  }
8468  else if (streq(p[0], "comp-noadapt") && !p[1])
8469  {
8470  /*
8471  * We do not need to check here if we allow compression since
8472  * it only modifies a flag if compression is enabled
8473  */
8474  VERIFY_PERMISSION(OPT_P_COMP);
8475  options->comp.flags &= ~COMP_F_ADAPTIVE;
8476  }
8477  else if (streq(p[0], "compress") && !p[2])
8478  {
8479  VERIFY_PERMISSION(OPT_P_COMP);
8480  const char *alg = "stub";
8481  if (p[1])
8482  {
8483  alg = p[1];
8484  }
8485 
8486  if (streq(alg, "stub"))
8487  {
8488  options->comp.alg = COMP_ALG_STUB;
8489  options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
8490  }
8491  else if (streq(alg, "stub-v2"))
8492  {
8493  options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8494  options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8495  }
8496  else if (streq(alg, "migrate"))
8497  {
8498  options->comp.alg = COMP_ALG_UNDEF;
8499  options->comp.flags = COMP_F_MIGRATE;
8500  }
8501  else if (streq(alg, "lzo"))
8502  {
8503  options->comp.alg = COMP_ALG_LZO;
8504  options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP);
8505  }
8506  else if (streq(alg, "lz4"))
8507  {
8508  options->comp.alg = COMP_ALG_LZ4;
8509  options->comp.flags |= COMP_F_SWAP;
8510  }
8511  else if (streq(alg, "lz4-v2"))
8512  {
8513  options->comp.alg = COMP_ALGV2_LZ4;
8514  }
8515  else
8516  {
8517  msg(msglevel, "bad comp option: %s", alg);
8518  goto err;
8519  }
8520 
8521  show_compression_warning(&options->comp);
8522  }
8523  else if (streq(p[0], "show-ciphers") && !p[1])
8524  {
8525  VERIFY_PERMISSION(OPT_P_GENERAL);
8526  options->show_ciphers = true;
8527  }
8528  else if (streq(p[0], "show-digests") && !p[1])
8529  {
8530  VERIFY_PERMISSION(OPT_P_GENERAL);
8531  options->show_digests = true;
8532  }
8533  else if (streq(p[0], "show-engines") && !p[1])
8534  {
8535  VERIFY_PERMISSION(OPT_P_GENERAL);
8536  options->show_engines = true;
8537  }
8538  else if (streq(p[0], "key-direction") && p[1] && !p[2])
8539  {
8540  int key_direction;
8541 
8542  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
8543 
8544  key_direction = ascii2keydirection(msglevel, p[1]);
8545  if (key_direction >= 0)
8546  {
8547  if (permission_mask & OPT_P_GENERAL)
8548  {
8549  options->key_direction = key_direction;
8550  }
8551  else if (permission_mask & OPT_P_CONNECTION)
8552  {
8553  options->ce.key_direction = key_direction;
8554  }
8555  }
8556  else
8557  {
8558  goto err;
8559  }
8560  }
8561  else if (streq(p[0], "secret") && p[1] && !p[3])
8562  {
8563  msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8564  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8565  options->shared_secret_file = p[1];
8566  options->shared_secret_file_inline = is_inline;
8567  if (!is_inline && p[2])
8568  {
8569  int key_direction;
8570 
8571  key_direction = ascii2keydirection(msglevel, p[2]);
8572  if (key_direction >= 0)
8573  {
8574  options->key_direction = key_direction;
8575  }
8576  else
8577  {
8578  goto err;
8579  }
8580  }
8581  }
8582  else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
8583  {
8584  VERIFY_PERMISSION(OPT_P_GENERAL);
8585  options->allow_deprecated_insecure_static_crypto = true;
8586 
8587  }
8588  else if (streq(p[0], "genkey") && !p[4])
8589  {
8590  VERIFY_PERMISSION(OPT_P_GENERAL);
8591  options->genkey = true;
8592  if (!p[1])
8593  {
8594  options->genkey_type = GENKEY_SECRET;
8595  }
8596  else
8597  {
8598  if (streq(p[1], "secret") || streq(p[1], "tls-auth")
8599  || streq(p[1], "tls-crypt"))
8600  {
8601  options->genkey_type = GENKEY_SECRET;
8602  }
8603  else if (streq(p[1], "tls-crypt-v2-server"))
8604  {
8605  options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
8606  }
8607  else if (streq(p[1], "tls-crypt-v2-client"))
8608  {
8609  options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
8610  if (p[3])
8611  {
8612  options->genkey_extra_data = p[3];
8613  }
8614  }
8615  else if (streq(p[1], "auth-token"))
8616  {
8617  options->genkey_type = GENKEY_AUTH_TOKEN;
8618  }
8619  else
8620  {
8621  msg(msglevel, "unknown --genkey type: %s", p[1]);
8622  }
8623 
8624  }
8625  if (p[2])
8626  {
8627  options->genkey_filename = p[2];
8628  }
8629  }
8630  else if (streq(p[0], "auth") && p[1] && !p[2])
8631  {
8632  VERIFY_PERMISSION(OPT_P_GENERAL);
8633  options->authname = p[1];
8634  }
8635  else if (streq(p[0], "cipher") && p[1] && !p[2])
8636  {
8637  VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
8638  options->ciphername = p[1];
8639  }
8640  else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8641  {
8642  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8643  options->ciphername = p[1];
8644  options->enable_ncp_fallback = true;
8645  }
8646  else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
8647  && p[1] && !p[2])
8648  {
8649  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8650  if (streq(p[0], "ncp-ciphers"))
8651  {
8652  msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8653  " '--data-ciphers' (renamed in OpenVPN 2.5).");
8654  }
8655  options->ncp_ciphers = p[1];
8656  }
8657  else if (streq(p[0], "key-derivation") && p[1])
8658  {
8659  /* NCP only option that is pushed by the server to enable EKM,
8660  * should not be used by normal users in config files*/
8661  VERIFY_PERMISSION(OPT_P_NCP)
8662 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8663  if (streq(p[1], "tls-ekm"))
8664  {
8665  options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8666  }
8667  else
8668 #endif
8669  {
8670  msg(msglevel, "Unknown key-derivation method %s", p[1]);
8671  }
8672  }
8673  else if (streq(p[0], "protocol-flags") && p[1])
8674  {
8675  /* NCP only option that is pushed by the server to enable protocol
8676  * features that are negotiated, should not be used by normal users
8677  * in config files */
8678  VERIFY_PERMISSION(OPT_P_NCP)
8679  for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8680  {
8681  if (streq(p[j], "cc-exit"))
8682  {
8683  options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
8684  }
8685 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8686  else if (streq(p[j], "tls-ekm"))
8687  {
8688  options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8689  }
8690  else if (streq(p[j], "dyn-tls-crypt"))
8691  {
8692  options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
8693  }
8694 #endif
8695  else
8696  {
8697  msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
8698  }
8699  }
8700  }
8701  else if (streq(p[0], "force-tls-key-material-export"))
8702  {
8703  VERIFY_PERMISSION(OPT_P_GENERAL);
8704  options->force_key_material_export = true;
8705  }
8706  else if (streq(p[0], "prng") && p[1] && !p[3])
8707  {
8708  msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8709  }
8710  else if (streq(p[0], "no-replay") && !p[1])
8711  {
8712  VERIFY_PERMISSION(OPT_P_GENERAL);
8713  /* always error out, this breaks the connection */
8714  msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
8715  "Update your configuration.");
8716  }
8717  else if (streq(p[0], "replay-window") && !p[3])
8718  {
8719  VERIFY_PERMISSION(OPT_P_GENERAL);
8720  if (p[1])
8721  {
8722  int replay_window;
8723 
8724  replay_window = atoi(p[1]);
8725  if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
8726  {
8727  msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
8728  replay_window,
8729  MIN_SEQ_BACKTRACK,
8730  MAX_SEQ_BACKTRACK);
8731  goto err;
8732  }
8733  options->replay_window = replay_window;
8734 
8735  if (p[2])
8736  {
8737  int replay_time;
8738 
8739  replay_time = atoi(p[2]);
8740  if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
8741  {
8742  msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
8743  replay_time,
8744  MIN_TIME_BACKTRACK,
8745  MAX_TIME_BACKTRACK);
8746  goto err;
8747  }
8748  options->replay_time = replay_time;
8749  }
8750  }
8751  else
8752  {
8753  msg(msglevel, "replay-window option is missing window size parameter");
8754  goto err;
8755  }
8756  }
8757  else if (streq(p[0], "mute-replay-warnings") && !p[1])
8758  {
8759  VERIFY_PERMISSION(OPT_P_GENERAL);
8760  options->mute_replay_warnings = true;
8761  }
8762  else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8763  {
8764  VERIFY_PERMISSION(OPT_P_GENERAL);
8765  options->packet_id_file = p[1];
8766  }
8767  else if (streq(p[0], "test-crypto") && !p[1])
8768  {
8769  VERIFY_PERMISSION(OPT_P_GENERAL);
8770  options->test_crypto = true;
8771  }
8772 #ifndef ENABLE_CRYPTO_MBEDTLS
8773  else if (streq(p[0], "engine") && !p[2])
8774  {
8775  VERIFY_PERMISSION(OPT_P_GENERAL);
8776  if (p[1])
8777  {
8778  options->engine = p[1];
8779  }
8780  else
8781  {
8782  options->engine = "auto";
8783  }
8784  }
8785 #endif /* ENABLE_CRYPTO_MBEDTLS */
8786  else if (streq(p[0], "providers") && p[1])
8787  {
8788  for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8789  {
8790  options->providers.names[j] = p[j];
8791  }
8792  }
8793 #ifdef ENABLE_PREDICTION_RESISTANCE
8794  else if (streq(p[0], "use-prediction-resistance") && !p[1])
8795  {
8796  VERIFY_PERMISSION(OPT_P_GENERAL);
8797  options->use_prediction_resistance = true;
8798  }
8799 #endif
8800  else if (streq(p[0], "show-tls") && !p[1])
8801  {
8802  VERIFY_PERMISSION(OPT_P_GENERAL);
8803  options->show_tls_ciphers = true;
8804  }
8805  else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8806  {
8807  VERIFY_PERMISSION(OPT_P_GENERAL);
8808  options->show_curves = true;
8809  }
8810  else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8811  {
8812  VERIFY_PERMISSION(OPT_P_GENERAL);
8813  msg(M_WARN, "Consider setting groups/curves preference with "
8814  "tls-groups instead of forcing a specific curve with "
8815  "ecdh-curve.");
8816  options->ecdh_curve = p[1];
8817  }
8818  else if (streq(p[0], "tls-server") && !p[1])
8819  {
8820  VERIFY_PERMISSION(OPT_P_GENERAL);
8821  options->tls_server = true;
8822  }
8823  else if (streq(p[0], "tls-client") && !p[1])
8824  {
8825  VERIFY_PERMISSION(OPT_P_GENERAL);
8826  options->tls_client = true;
8827  }
8828  else if (streq(p[0], "ca") && p[1] && !p[2])
8829  {
8830  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8831  options->ca_file = p[1];
8832  options->ca_file_inline = is_inline;
8833  }
8834 #ifndef ENABLE_CRYPTO_MBEDTLS
8835  else if (streq(p[0], "capath") && p[1] && !p[2])
8836  {
8837  VERIFY_PERMISSION(OPT_P_GENERAL);
8838  options->ca_path = p[1];
8839  }
8840 #endif /* ENABLE_CRYPTO_MBEDTLS */
8841  else if (streq(p[0], "dh") && p[1] && !p[2])
8842  {
8843  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8844  options->dh_file = p[1];
8845  options->dh_file_inline = is_inline;
8846  }
8847  else if (streq(p[0], "cert") && p[1] && !p[2])
8848  {
8849  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8850  options->cert_file = p[1];
8851  options->cert_file_inline = is_inline;
8852  }
8853  else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8854  {
8855  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8856  options->extra_certs_file = p[1];
8857  options->extra_certs_file_inline = is_inline;
8858  }
8859  else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8860  || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8861  {
8862  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8863 
8864  int verify_hash_depth = 0;
8865  if (streq(p[0], "verify-hash"))
8866  {
8867  msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8868  "You should switch to the either use the level 1 certificate as "
8869  "--ca option, use --tls-verify or use --peer-fingerprint");
8870  /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8871  verify_hash_depth = 1;
8872  }
8873 
8874  options->verify_hash_algo = MD_SHA256;
8875 
8876  int digest_len = SHA256_DIGEST_LENGTH;
8877 
8878  if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
8879  {
8880  msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
8881  " --peer-fingerprint are mutually exclusive", p[0]);
8882  goto err;
8883  }
8884 
8885  if (streq(p[0], "verify-hash"))
8886  {
8887  if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
8888  {
8889  options->verify_hash_algo = MD_SHA1;
8890  digest_len = SHA_DIGEST_LENGTH;
8891  }
8892  else if (p[2] && !streq(p[2], "SHA256"))
8893  {
8894  msg(msglevel, "invalid or unsupported hashing algorithm: %s "
8895  "(only SHA1 and SHA256 are supported)", p[2]);
8896  goto err;
8897  }
8898  }
8899 
8900  struct verify_hash_list *newlist;
8901  newlist = parse_hash_fingerprint_multiline(p[1], digest_len,
8902  msglevel, &options->gc);
8903 
8904  /* Append the new list to the end of our current list */
8905  if (!options->verify_hash)
8906  {
8907  options->verify_hash = newlist;
8908  options->verify_hash_depth = verify_hash_depth;
8909  }
8910  else
8911  {
8912  /* since both the old and new list can have multiple entries
8913  * we need to go to the end of one of them to concatenate them */
8914  struct verify_hash_list *listend = options->verify_hash;
8915  while (listend->next)
8916  {
8917  listend = listend->next;
8918  }
8919  listend->next = newlist;
8920  }
8921  }
8922 #if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
8923  else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
8924  {
8925  VERIFY_PERMISSION(OPT_P_GENERAL);
8926  options->cryptoapi_cert = p[1];
8927  }
8928 #endif
8929  else if (streq(p[0], "key") && p[1] && !p[2])
8930  {
8931  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8932  options->priv_key_file = p[1];
8933  options->priv_key_file_inline = is_inline;
8934  }
8935  else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
8936  {
8937  int ver;
8938  VERIFY_PERMISSION(OPT_P_GENERAL);
8939  ver = tls_version_parse(p[1], p[2]);
8940  if (ver == TLS_VER_BAD)
8941  {
8942  msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
8943  goto err;
8944  }
8945  options->ssl_flags &=
8946  ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
8947  options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
8948  }
8949  else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
8950  {
8951  int ver;
8952  VERIFY_PERMISSION(OPT_P_GENERAL);
8953  ver = tls_version_parse(p[1], NULL);
8954  if (ver == TLS_VER_BAD)
8955  {
8956  msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
8957  goto err;
8958  }
8959  options->ssl_flags &=
8960  ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
8961  options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
8962  }
8963 #ifndef ENABLE_CRYPTO_MBEDTLS
8964  else if (streq(p[0], "pkcs12") && p[1] && !p[2])
8965  {
8966  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8967  options->pkcs12_file = p[1];
8968  options->pkcs12_file_inline = is_inline;
8969  }
8970 #endif /* ENABLE_CRYPTO_MBEDTLS */
8971  else if (streq(p[0], "askpass") && !p[2])
8972  {
8973  VERIFY_PERMISSION(OPT_P_GENERAL);
8974  if (p[1])
8975  {
8976  options->key_pass_file = p[1];
8977  }
8978  else
8979  {
8980  options->key_pass_file = "stdin";
8981  }
8982  }
8983  else if (streq(p[0], "auth-nocache") && !p[1])
8984  {
8985  VERIFY_PERMISSION(OPT_P_GENERAL);
8986  ssl_set_auth_nocache();
8987  }
8988  else if (streq(p[0], "auth-token") && p[1] && !p[2])
8989  {
8990  VERIFY_PERMISSION(OPT_P_ECHO);
8991  ssl_set_auth_token(p[1]);
8992 #ifdef ENABLE_MANAGEMENT
8993  if (management)
8994  {
8995  management_auth_token(management, p[1]);
8996  }
8997 #endif
8998  }
8999  else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
9000  {
9001  VERIFY_PERMISSION(OPT_P_ECHO);
9002  ssl_set_auth_token_user(p[1]);
9003  }
9004  else if (streq(p[0], "single-session") && !p[1])
9005  {
9006  VERIFY_PERMISSION(OPT_P_GENERAL);
9007  options->single_session = true;
9008  }
9009  else if (streq(p[0], "push-peer-info") && !p[1])
9010  {
9011  VERIFY_PERMISSION(OPT_P_GENERAL);
9012  options->push_peer_info = true;
9013  }
9014  else if (streq(p[0], "tls-exit") && !p[1])
9015  {
9016  VERIFY_PERMISSION(OPT_P_GENERAL);
9017  options->tls_exit = true;
9018  }
9019  else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
9020  {
9021  VERIFY_PERMISSION(OPT_P_GENERAL);
9022  options->cipher_list = p[1];
9023  }
9024  else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
9025  {
9026  VERIFY_PERMISSION(OPT_P_GENERAL);
9027  options->tls_cert_profile = p[1];
9028  }
9029  else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
9030  {
9031  VERIFY_PERMISSION(OPT_P_GENERAL);
9032  options->cipher_list_tls13 = p[1];
9033  }
9034  else if (streq(p[0], "tls-groups") && p[1] && !p[2])
9035  {
9036  VERIFY_PERMISSION(OPT_P_GENERAL);
9037  options->tls_groups = p[1];
9038  }
9039  else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
9040  || !p[2]))
9041  {
9042  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
9043  if (p[2] && streq(p[2], "dir"))
9044  {
9045  options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
9046  }
9047  options->crl_file = p[1];
9048  options->crl_file_inline = is_inline;
9049  }
9050  else if (streq(p[0], "tls-verify") && p[1])
9051  {
9052  VERIFY_PERMISSION(OPT_P_SCRIPT);
9053  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
9054  {
9055  goto err;
9056  }
9057  set_user_script(options, &options->tls_verify,
9058  string_substitute(p[1], ',', ' ', &options->gc),
9059  "tls-verify", true);
9060  }
9061  else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
9062  {
9063  VERIFY_PERMISSION(OPT_P_SCRIPT);
9064  options->tls_export_peer_cert_dir = p[1];
9065  }
9066  else if (streq(p[0], "compat-names"))
9067  {
9068  VERIFY_PERMISSION(OPT_P_GENERAL);
9069  msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
9070  "Update your configuration.");
9071  goto err;
9072  }
9073  else if (streq(p[0], "no-name-remapping") && !p[1])
9074  {
9075  VERIFY_PERMISSION(OPT_P_GENERAL);
9076  msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
9077  "Update your configuration.");
9078  goto err;
9079  }
9080  else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
9081  {
9082  int type = VERIFY_X509_SUBJECT_DN;
9083  VERIFY_PERMISSION(OPT_P_GENERAL);
9084  if (p[2])
9085  {
9086  if (streq(p[2], "subject"))
9087  {
9088  type = VERIFY_X509_SUBJECT_DN;
9089  }
9090  else if (streq(p[2], "name"))
9091  {
9092  type = VERIFY_X509_SUBJECT_RDN;
9093  }
9094  else if (streq(p[2], "name-prefix"))
9095  {
9096  type = VERIFY_X509_SUBJECT_RDN_PREFIX;
9097  }
9098  else
9099  {
9100  msg(msglevel, "unknown X.509 name type: %s", p[2]);
9101  goto err;
9102  }
9103  }
9104  options->verify_x509_type = type;
9105  options->verify_x509_name = p[1];
9106  }
9107  else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
9108  {
9109 #ifdef ENABLE_CRYPTO_MBEDTLS
9110  msg(msglevel, "--ns-cert-type is not available with mbedtls.");
9111  goto err;
9112 #else
9113  VERIFY_PERMISSION(OPT_P_GENERAL);
9114  if (streq(p[1], "server"))
9115  {
9116  options->ns_cert_type = NS_CERT_CHECK_SERVER;
9117  }
9118  else if (streq(p[1], "client"))
9119  {
9120  options->ns_cert_type = NS_CERT_CHECK_CLIENT;
9121  }
9122  else
9123  {
9124  msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
9125  goto err;
9126  }
9127 #endif /* ENABLE_CRYPTO_MBEDTLS */
9128  }
9129  else if (streq(p[0], "remote-cert-ku"))
9130  {
9131  VERIFY_PERMISSION(OPT_P_GENERAL);
9132 
9133  size_t j;
9134  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9135  {
9136  sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
9137  }
9138  if (j == 1)
9139  {
9140  /* No specific KU required, but require KU to be present */
9141  options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9142  }
9143  }
9144  else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
9145  {
9146  VERIFY_PERMISSION(OPT_P_GENERAL);
9147  options->remote_cert_eku = p[1];
9148  }
9149  else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
9150  {
9151  VERIFY_PERMISSION(OPT_P_GENERAL);
9152 
9153  if (streq(p[1], "server"))
9154  {
9155  options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9156  options->remote_cert_eku = "TLS Web Server Authentication";
9157  }
9158  else if (streq(p[1], "client"))
9159  {
9160  options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9161  options->remote_cert_eku = "TLS Web Client Authentication";
9162  }
9163  else
9164  {
9165  msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
9166  goto err;
9167  }
9168  }
9169  else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
9170  {
9171  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9172  options->tls_timeout = positive_atoi(p[1]);
9173  }
9174  else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
9175  {
9176  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9177  options->renegotiate_bytes = positive_atoi(p[1]);
9178  }
9179  else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
9180  {
9181  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9182  options->renegotiate_packets = positive_atoi(p[1]);
9183  }
9184  else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
9185  {
9186  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9187  options->renegotiate_seconds = positive_atoi(p[1]);
9188  if (p[2])
9189  {
9190  options->renegotiate_seconds_min = positive_atoi(p[2]);
9191  }
9192  }
9193  else if (streq(p[0], "hand-window") && p[1] && !p[2])
9194  {
9195  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9196  options->handshake_window = positive_atoi(p[1]);
9197  }
9198  else if (streq(p[0], "tran-window") && p[1] && !p[2])
9199  {
9200  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9201  options->transition_window = positive_atoi(p[1]);
9202  }
9203  else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9204  {
9205  int key_direction = -1;
9206 
9207  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9208 
9209  if (permission_mask & OPT_P_GENERAL)
9210  {
9211  options->tls_auth_file = p[1];
9212  options->tls_auth_file_inline = is_inline;
9213 
9214  if (!is_inline && p[2])
9215  {
9216  key_direction = ascii2keydirection(msglevel, p[2]);
9217  if (key_direction < 0)
9218  {
9219  goto err;
9220  }
9221  options->key_direction = key_direction;
9222  }
9223 
9224  }
9225  else if (permission_mask & OPT_P_CONNECTION)
9226  {
9227  options->ce.tls_auth_file = p[1];
9228  options->ce.tls_auth_file_inline = is_inline;
9229  options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
9230 
9231  if (!is_inline && p[2])
9232  {
9233  key_direction = ascii2keydirection(msglevel, p[2]);
9234  if (key_direction < 0)
9235  {
9236  goto err;
9237  }
9238  options->ce.key_direction = key_direction;
9239  }
9240  }
9241  }
9242  else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9243  {
9244  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9245  if (permission_mask & OPT_P_GENERAL)
9246  {
9247  options->tls_crypt_file = p[1];
9248  options->tls_crypt_file_inline = is_inline;
9249  }
9250  else if (permission_mask & OPT_P_CONNECTION)
9251  {
9252  options->ce.tls_crypt_file = p[1];
9253  options->ce.tls_crypt_file_inline = is_inline;
9254  }
9255  }
9256  else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9257  {
9258  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9259  if (permission_mask & OPT_P_GENERAL)
9260  {
9261  options->tls_crypt_v2_file = p[1];
9262  options->tls_crypt_v2_file_inline = is_inline;
9263  }
9264  else if (permission_mask & OPT_P_CONNECTION)
9265  {
9266  options->ce.tls_crypt_v2_file = p[1];
9267  options->ce.tls_crypt_v2_file_inline = is_inline;
9268  }
9269 
9270  if (p[2] && streq(p[2], "force-cookie"))
9271  {
9272  options->ce.tls_crypt_v2_force_cookie = true;
9273  }
9274  else if (p[2] && streq(p[2], "allow-noncookie"))
9275  {
9276  options->ce.tls_crypt_v2_force_cookie = false;
9277  }
9278  else if (p[2])
9279  {
9280  msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9281  }
9282  }
9283  else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9284  {
9285  VERIFY_PERMISSION(OPT_P_GENERAL);
9286  options->tls_crypt_v2_verify_script = p[1];
9287  }
9288  else if (streq(p[0], "x509-track") && p[1] && !p[2])
9289  {
9290  VERIFY_PERMISSION(OPT_P_GENERAL);
9291  x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9292  }
9293 #ifdef ENABLE_X509ALTUSERNAME
9294  else if (streq(p[0], "x509-username-field") && p[1])
9295  {
9296  /* This option used to automatically upcase the fieldnames passed as the
9297  * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is
9298  * fine-tuned by only upcasing Subject field attribute names which consist
9299  * of all lower-case characters. Mixed-case attributes such as
9300  * "emailAddress" are left as-is. An option parameter having the "ext:"
9301  * prefix for matching X.509v3 extended fields will also remain unchanged.
9302  */
9303  VERIFY_PERMISSION(OPT_P_GENERAL);
9304  for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9305  {
9306  char *s = p[j];
9307 
9308  if (strncmp("ext:", s, 4) != 0)
9309  {
9310  size_t i = 0;
9311  while (s[i] && !isupper(s[i]))
9312  {
9313  i++;
9314  }
9315  if (strlen(s) == i)
9316  {
9317  while ((*s = toupper(*s)) != '\0')
9318  {
9319  s++;
9320  }
9321  msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
9322  "--x509-username-field parameter to '%s'; please update your"
9323  "configuration", p[j]);
9324  }
9325  }
9326  else if (!x509_username_field_ext_supported(s+4))
9327  {
9328  msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9329  }
9330  options->x509_username_field[j-1] = p[j];
9331  }
9332  }
9333 #endif /* ENABLE_X509ALTUSERNAME */
9334 #ifdef ENABLE_PKCS11
9335  else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9336  {
9337  char *provider = p[1];
9338  bool cert_private = (p[2] == NULL ? false : ( atoi(p[2]) != 0 ));
9339 
9340 #ifdef DEFAULT_PKCS11_MODULE
9341  if (!provider)
9342  {
9343  provider = DEFAULT_PKCS11_MODULE;
9344  }
9345  else if (!p[2])
9346  {
9347  char *endp = NULL;
9348  int i = strtol(provider, &endp, 10);
9349 
9350  if (*endp == 0)
9351  {
9352  /* There was one argument, and it was purely numeric.
9353  * Interpret it as the cert_private argument */
9354  provider = DEFAULT_PKCS11_MODULE;
9355  cert_private = i;
9356  }
9357  }
9358 #else /* ifdef DEFAULT_PKCS11_MODULE */
9359  if (!provider)
9360  {
9361  msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9362  goto err;
9363  }
9364 #endif /* ifdef DEFAULT_PKCS11_MODULE */
9365  VERIFY_PERMISSION(OPT_P_GENERAL);
9366 
9367  set_debug_level(options->verbosity, SDL_CONSTRAIN);
9368  show_pkcs11_ids(provider, cert_private);
9369  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9370  }
9371  else if (streq(p[0], "pkcs11-providers") && p[1])
9372  {
9373  int j;
9374 
9375  VERIFY_PERMISSION(OPT_P_GENERAL);
9376 
9377  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9378  {
9379  options->pkcs11_providers[j-1] = p[j];
9380  }
9381  }
9382  else if (streq(p[0], "pkcs11-protected-authentication"))
9383  {
9384  int j;
9385 
9386  VERIFY_PERMISSION(OPT_P_GENERAL);
9387 
9388  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9389  {
9390  options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9391  }
9392  }
9393  else if (streq(p[0], "pkcs11-private-mode") && p[1])
9394  {
9395  int j;
9396 
9397  VERIFY_PERMISSION(OPT_P_GENERAL);
9398 
9399  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9400  {
9401  sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
9402  }
9403  }
9404  else if (streq(p[0], "pkcs11-cert-private"))
9405  {
9406  int j;
9407 
9408  VERIFY_PERMISSION(OPT_P_GENERAL);
9409 
9410  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9411  {
9412  options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
9413  }
9414  }
9415  else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9416  {
9417  VERIFY_PERMISSION(OPT_P_GENERAL);
9418  options->pkcs11_pin_cache_period = atoi(p[1]);
9419  }
9420  else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9421  {
9422  VERIFY_PERMISSION(OPT_P_GENERAL);
9423  options->pkcs11_id = p[1];
9424  }
9425  else if (streq(p[0], "pkcs11-id-management") && !p[1])
9426  {
9427  VERIFY_PERMISSION(OPT_P_GENERAL);
9428  options->pkcs11_id_management = true;
9429  }
9430 #endif /* ifdef ENABLE_PKCS11 */
9431  else if (streq(p[0], "rmtun") && !p[1])
9432  {
9433  VERIFY_PERMISSION(OPT_P_GENERAL);
9434  options->persist_config = true;
9435  options->persist_mode = 0;
9436  }
9437  else if (streq(p[0], "mktun") && !p[1])
9438  {
9439  VERIFY_PERMISSION(OPT_P_GENERAL);
9440  options->persist_config = true;
9441  options->persist_mode = 1;
9442  }
9443  else if (streq(p[0], "peer-id") && p[1] && !p[2])
9444  {
9445  VERIFY_PERMISSION(OPT_P_PEER_ID);
9446  options->use_peer_id = true;
9447  options->peer_id = atoi(p[1]);
9448  }
9449 #ifdef HAVE_EXPORT_KEYING_MATERIAL
9450  else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9451  {
9452  int ekm_length = positive_atoi(p[2]);
9453 
9454  VERIFY_PERMISSION(OPT_P_GENERAL);
9455 
9456  if (strncmp(p[1], "EXPORTER", 8))
9457  {
9458  msg(msglevel, "Keying material exporter label must begin with "
9459  "\"EXPORTER\"");
9460  goto err;
9461  }
9462  if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9463  {
9464  msg(msglevel, "Keying material exporter label must not be '"
9465  EXPORT_KEY_DATA_LABEL "'.");
9466  }
9467  if (ekm_length < 16 || ekm_length > 4095)
9468  {
9469  msg(msglevel, "Invalid keying material exporter length");
9470  goto err;
9471  }
9472 
9473  options->keying_material_exporter_label = p[1];
9474  options->keying_material_exporter_length = ekm_length;
9475  }
9476 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
9477  else if (streq(p[0], "allow-recursive-routing") && !p[1])
9478  {
9479  VERIFY_PERMISSION(OPT_P_GENERAL);
9480  options->allow_recursive_routing = true;
9481  }
9482  else if (streq(p[0], "vlan-tagging") && !p[1])
9483  {
9484  VERIFY_PERMISSION(OPT_P_GENERAL);
9485  options->vlan_tagging = true;
9486  }
9487  else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9488  {
9489  VERIFY_PERMISSION(OPT_P_GENERAL);
9490  if (streq(p[1], "tagged"))
9491  {
9492  options->vlan_accept = VLAN_ONLY_TAGGED;
9493  }
9494  else if (streq(p[1], "untagged"))
9495  {
9496  options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9497  }
9498  else if (streq(p[1], "all"))
9499  {
9500  options->vlan_accept = VLAN_ALL;
9501  }
9502  else
9503  {
9504  msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9505  goto err;
9506  }
9507  }
9508  else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9509  {
9510  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
9511  options->vlan_pvid = positive_atoi(p[1]);
9512  if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
9513  || options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
9514  {
9515  msg(msglevel,
9516  "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9517  OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
9518  goto err;
9519  }
9520  }
9521  else
9522  {
9523  int i;
9524  int msglevel_unknown = msglevel_fc;
9525  /* Check if an option is in --ignore-unknown-option and
9526  * set warning level to non fatal */
9527  for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9528  {
9529  if (streq(p[0], options->ignore_unknown_option[i]))
9530  {
9531  msglevel_unknown = M_WARN;
9532  break;
9533  }
9534  }
9535  if (file)
9536  {
9537  msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
9538  }
9539  else
9540  {
9541  msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
9542  }
9543  }
9544 err:
9545  gc_free(&gc);
9546 }
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:160
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:328
SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition: ssl_common.h:413
options::server_network_ipv6
struct in6_addr server_network_ipv6
Definition: options.h:455
set_win_sys_path
void set_win_sys_path(const char *newpath, struct env_set *es)
Definition: win32.c:1120
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition: tun.c:808
alloc_connection_list_if_undef
static struct connection_list * alloc_connection_list_if_undef(struct options *options)
Definition: options.c:2164
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition: buffer.h:525
MSSFIX_DEFAULT
#define MSSFIX_DEFAULT
Definition: mtu.h:80
option_iroute
static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, int msglevel)
Definition: options.c:1592
copy_route_option_list
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:173
buffer_read_from_file
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
Definition: buffer.c:1376
OPT_P_PUSH
#define OPT_P_PUSH
Definition: options.h:728
options::replay_time
int replay_time
Definition: options.h:565
options_pre_connect::dns_options
struct dns_options dns_options
Definition: options.h:80
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition: options.h:224
print_vlan_accept
static const char * print_vlan_accept(enum vlan_acceptable_frames mode)
Definition: options.c:1493
options::genkey_type
enum genkey_type genkey_type
Definition: options.h:269
CHKACC_FILEXSTWR
#define CHKACC_FILEXSTWR
Definition: options.c:3851
dhcp_renew_by_adapter_index
bool dhcp_renew_by_adapter_index(const DWORD adapter_index)
Definition: tun.c:5286
options::vlan_tagging
bool vlan_tagging
Definition: options.h:693
tuntap_options::dhcp_masq_custom_offset
bool dhcp_masq_custom_offset
Definition: tun.h:88
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition: ssl.c:1863
options::show_engines
bool show_engines
Definition: options.h:265
tuntap_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition: tun.h:108
MF_EXTERNAL_KEY_PSSPAD
#define MF_EXTERNAL_KEY_PSSPAD
Definition: manage.h:44
dco_check_option
static bool dco_check_option(int msglevel, const struct options *o)
Definition: dco.h:269
comp_non_stub_enabled
static bool comp_non_stub_enabled(const struct compress_options *info)
Definition: comp.h:71
string_defined_equal
bool string_defined_equal(const char *s1, const char *s2)
Definition: options.c:4922
cipher_valid
static bool cipher_valid(const char *ciphername)
Returns if the cipher is valid, based on the given cipher name.
Definition: crypto_backend.h:204
helper_setdefault_topology
void helper_setdefault_topology(struct options *o)
Set –topology default depending on –mode.
Definition: helper.c:144
options::ssl_flags
unsigned int ssl_flags
Definition: options.h:607
options_warning_safe_scan1
static void options_warning_safe_scan1(const int msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition: options.c:4565
SHOW_INT64
#define SHOW_INT64(var)
Definition: options.c:977
options::verbosity
int verbosity
Definition: options.h:381
iroute
Definition: route.h:234
connection_entry::mtu_discover_type
int mtu_discover_type
Definition: options.h:130
tuntap_options::domain_search_list
const char * domain_search_list[N_SEARCH_LIST_LEN]
Definition: tun.h:126
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition: options.c:4470
options::verify_hash
struct verify_hash_list * verify_hash
Definition: options.h:603
connection_entry::mssfix_encap
bool mssfix_encap
Definition: options.h:137
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2766
http_proxy_options::auth_file
const char * auth_file
Definition: proxy.h:54
M_INFO
#define M_INFO
Definition: errlevel.h:55
connection_entry::mssfix
int mssfix
Definition: options.h:135
management_auth_token
void management_auth_token(struct management *man, const char *token)
Definition: manage.c:3093
helper_client_server
void helper_client_server(struct options *o)
Definition: helper.c:172
compress_options
Definition: comp.h:64
compress_options::alg
int alg
Definition: comp.h:66
tuntap_options::dhcp_renew
bool dhcp_renew
Definition: tun.h:132
options::show_digests
bool show_digests
Definition: options.h:264
pull_filter_list
Definition: options.c:940
connection_entry::link_mtu
int link_mtu
Definition: options.h:125
route_ipv6_option_list::flags
unsigned int flags
Definition: route.h:107
MF_EXTERNAL_KEY_PKCS1PAD
#define MF_EXTERNAL_KEY_PKCS1PAD
Definition: manage.h:39
RG_BLOCK_LOCAL
#define RG_BLOCK_LOCAL
Definition: route.h:91
WINDOWS_DRIVER_UNSPECIFIED
@ WINDOWS_DRIVER_UNSPECIFIED
Definition: tun.h:50
push_list::head
struct push_entry * head
Definition: pushlist.h:36
options::use_peer_id
bool use_peer_id
Definition: options.h:682
error.h
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4913
is_special_addr
bool is_special_addr(const char *addr_str)
Definition: route.c:306
M_OPTERR
#define M_OPTERR
Definition: error.h:100
options::sc_info
struct static_challenge_info sc_info
Definition: options.h:549
options::client_connect_script
const char * client_connect_script
Definition: options.h:485
SHOW_STR
#define SHOW_STR(var)
Definition: options.c:970
MF_EXTERNAL_KEY_NOPADDING
#define MF_EXTERNAL_KEY_NOPADDING
Definition: manage.h:38
options::tcp_queue_limit
int tcp_queue_limit
Definition: options.h:493
dhcp_option_address_parse
static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
Definition: options.c:1320
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:557
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:528
KEY_DIRECTION_BIDIRECTIONAL
#define KEY_DIRECTION_BIDIRECTIONAL
Definition: crypto.h:171
SF_NO_PUSH_ROUTE_GATEWAY
#define SF_NO_PUSH_ROUTE_GATEWAY
Definition: options.h:460
pull_filter::pattern
char * pattern
Definition: options.c:936
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1030
clone_route_ipv6_option_list
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:164
GENKEY_SECRET
@ GENKEY_SECRET
Definition: options.h:221
VLAN_ONLY_UNTAGGED_OR_PRIORITY
@ VLAN_ONLY_UNTAGGED_OR_PRIORITY
Definition: options.h:208
options::nice
int nice
Definition: options.h:380
options::cf_initial_per
int cf_initial_per
Definition: options.h:516
string_array_len
int string_array_len(const char **array)
Definition: buffer.c:721
run_command.h
M_ERRNO
#define M_ERRNO
Definition: error.h:94
SF_TCP_NODELAY_HELPER
#define SF_TCP_NODELAY_HELPER
Definition: options.h:459
dco_get_supported_ciphers
const char * dco_get_supported_ciphers()
Definition: dco_win.c:469
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:37
push_remove_option
void push_remove_option(struct options *o, const char *p)
Definition: push.c:923
VERIFY_X509_SUBJECT_RDN_PREFIX
#define VERIFY_X509_SUBJECT_RDN_PREFIX
Definition: ssl_verify.h:66
SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MAX_MASK
Definition: ssl_common.h:416
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:110
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:141
VERIFY_X509_SUBJECT_DN
#define VERIFY_X509_SUBJECT_DN
Definition: ssl_verify.h:64
CHKACC_ACPTSTDIN
#define CHKACC_ACPTSTDIN
Definition: options.c:3852
forward.h
tuntap_options::register_dns
bool register_dns
Definition: tun.h:135
options::route_gateway_via_dhcp
bool route_gateway_via_dhcp
Definition: options.h:422
ipv6_addr_safe
bool ipv6_addr_safe(const char *ipv6_text_addr)
Definition: socket.c:736
http_proxy_options::http_version
const char * http_version
Definition: proxy.h:56
PACKAGE_NAME
#define PACKAGE_NAME
Definition: config.h:492
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition: ssl.c:356
read_config_file
static void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5282
options_server_import
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5533
options::up_script
const char * up_script
Definition: options.h:367
usage_small
void usage_small(void)
Definition: options.c:4849
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition: options.h:742
proto2ascii_all
const char * proto2ascii_all(struct gc_arena *gc)
Definition: socket.c:3150
tuntap_options::nbdd
in_addr_t nbdd[N_DHCP_ADDR]
Definition: tun.h:120
options::keepalive_ping
int keepalive_ping
Definition: options.h:327
options::push_list
struct push_list push_list
Definition: options.h:471
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:114
dns_options_postprocess_pull
void dns_options_postprocess_pull(struct dns_options *o)
Merges pulled DNS servers with static ones into an ordered list.
Definition: dns.c:269
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition: misc.c:773
dns_domain::next
struct dns_domain * next
Definition: dns.h:45
M_FATAL
#define M_FATAL
Definition: error.h:89
options_pre_connect::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition: options.h:75
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:207
tuntap_options::tap_sleep
int tap_sleep
Definition: tun.h:93
win32.h
SHA_DIGEST_LENGTH
#define SHA_DIGEST_LENGTH
Definition: crypto_mbedtls.h:76
cipher_defined
static bool cipher_defined(const char *ciphername)
Checks if the cipher is defined and is not the null (none) cipher.
Definition: crypto_backend.h:218
MAX_SEQ_BACKTRACK
#define MAX_SEQ_BACKTRACK
Definition: packet_id.h:99
options::server_flags
unsigned int server_flags
Definition: options.h:461
http_custom_header::name
const char * name
Definition: proxy.h:39
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:529
DNS_SECURITY_OPTIONAL
@ DNS_SECURITY_OPTIONAL
Definition: dns.h:34
setenv_str_i
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i)
Definition: env_set.c:404
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:4251
options::ipchange
const char * ipchange
Definition: options.h:302
push_entry
Definition: pushlist.h:29
pull_filter_type_name
static const char * pull_filter_type_name(int type)
Definition: options.c:949
route_gateway_info
Definition: route.h:146
options::show_ciphers
bool show_ciphers
Definition: options.h:263
dco_version_string
const char * dco_version_string(struct gc_arena *gc)
Definition: dco_win.c:387
argv
Definition: argv.h:35
tuntap_options::domain_search_list_len
int domain_search_list_len
Definition: tun.h:127
options::enable_c2c
bool enable_c2c
Definition: options.h:509
options_cmp_equal_safe
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition: options.c:4612
options::duplicate_cn
bool duplicate_cn
Definition: options.h:510
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:161
streq
#define streq(x, y)
Definition: options.h:707
DHCP_OPTIONS_DHCP_REQUIRED
#define DHCP_OPTIONS_DHCP_REQUIRED
Definition: tun.h:67
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3128
options::server_network
in_addr_t server_network
Definition: options.h:452
ascii2ipset
int ascii2ipset(const char *name)
Definition: tun.c:7098
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition: options.h:331
manage.h
ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_SERVICE
Definition: route.h:43
options::ca_path
const char * ca_path
Definition: options.h:577
show_pull_filter_list
static void show_pull_filter_list(const struct pull_filter_list *l)
Definition: options.c:1780
connection_entry::remote_port
const char * remote_port
Definition: options.h:103
script_security_set
void script_security_set(int level)
Definition: run_command.c:49
VERIFY_X509_SUBJECT_RDN
#define VERIFY_X509_SUBJECT_RDN
Definition: ssl_verify.h:65
options::forward_compatible
bool forward_compatible
Definition: options.h:250
RG_BYPASS_DNS
#define RG_BYPASS_DNS
Definition: route.h:88
parse_hash_fingerprint
static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a hexstring and checks if the string has the correct length.
Definition: options.c:1157
dhcp_renew
static bool dhcp_renew(const struct tuntap *tt)
Definition: tun.c:5312
show_dhcp_option_addrs
static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
Definition: options.c:1264
clone_route_option_list
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:155
options::cert_file
const char * cert_file
Definition: options.h:580
es
struct env_set * es
Definition: test_pkcs11.c:133
hash
Definition: list.h:56
options::route_nopull
bool route_nopull
Definition: options.h:421
options::server_bridge_ip
in_addr_t server_bridge_ip
Definition: options.h:466
http_proxy_options::auth_file_up
const char * auth_file_up
Definition: proxy.h:55
options_set_backwards_compatible_options
static void options_set_backwards_compatible_options(struct options *o)
Changes default values so that OpenVPN can be compatible with the user specified version.
Definition: options.c:3588
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:122
tuntap_options::netbios_node_type
int netbios_node_type
Definition: tun.h:103
options::key_direction
int key_direction
Definition: options.h:555
options::topology
int topology
Definition: options.h:307
verify_hash_list::next
struct verify_hash_list * next
Definition: options.h:232
BSTR
#define BSTR(buf)
Definition: buffer.h:129
options::authname
const char * authname
Definition: options.h:560
options::dev_type
const char * dev_type
Definition: options.h:304
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition: ssl_common.h:409
dns_server_get
struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc)
Find or create DNS server with priority in a linked list.
Definition: dns.c:175
AR_NONE
#define AR_NONE
Definition: options.h:884
MAX_TIME_BACKTRACK
#define MAX_TIME_BACKTRACK
Definition: packet_id.h:108
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition: ssl_openssl.c:2409
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:333
options::iroutes
struct iroute * iroutes
Definition: options.h:494
proto_remote
const char * proto_remote(int proto, bool remote)
Definition: socket.c:3191
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:390
COMP_F_ALLOW_COMPRESS
#define COMP_F_ALLOW_COMPRESS
Definition: comp.h:36
push_options
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition: push.c:891
http_proxy_options::auth_method_string
const char * auth_method_string
Definition: proxy.h:53
options::tls_client
bool tls_client
Definition: options.h:574
OPENVPN_EXIT_STATUS_GOOD
#define OPENVPN_EXIT_STATUS_GOOD
Definition: error.h:53
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:552
in_src::u
union in_src::@7 u
keydirection2ascii
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
Definition: crypto.c:1449
dns_domain_list_append
void dns_domain_list_append(struct dns_domain **entry, char **domains, struct gc_arena *gc)
Appends DNS domain parameters to a linked list.
Definition: dns.c:141
buffer::capacity
int capacity
Size in bytes of memory allocated by malloc().
Definition: buffer.h:62
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition: options.h:583
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition: options.h:169
ip_addr_dotted_quad_safe
bool ip_addr_dotted_quad_safe(const char *dotted_quad)
Definition: socket.c:686
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
connection_entry::connect_timeout
int connect_timeout
Definition: options.h:112
TARGET_ALIAS
#define TARGET_ALIAS
Definition: config.h:558
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:102
options::server_defined
bool server_defined
Definition: options.h:451
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:110
windows_driver_type
windows_driver_type
Definition: tun.h:49
route_ipv6_gateway_info
Definition: route.h:179
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition: error.c:105
dns_options_verify
bool dns_options_verify(int msglevel, const struct dns_options *o)
Checks validity of DNS options.
Definition: dns.c:197
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition: options.h:222
get_ipv6_addr_no_netbits
static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
Returns newly allocated string containing address part without "/nn".
Definition: options.c:1101
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition: common.h:82
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:736
pull_filter_list::head
struct pull_filter * head
Definition: options.c:942
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition: tun.c:457
options::cipher_list
const char * cipher_list
Definition: options.h:588
TAP_MTU_EXTRA_DEFAULT
#define TAP_MTU_EXTRA_DEFAULT
Definition: mtu.h:75
vlan_acceptable_frames
vlan_acceptable_frames
Definition: options.h:205
options::mode
int mode
Definition: options.h:247
options::session_timeout
int session_timeout
Definition: options.h:333
read_config_string
static void read_config_string(const char *prefix, struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5357
tap_allow_nonadmin_access
void tap_allow_nonadmin_access(const char *dev_node)
Definition: tun.c:5144
options_postprocess_mutate
static void options_postprocess_mutate(struct options *o, struct env_set *es)
Definition: options.c:3682
mutate_ncp_cipher_list
char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
Check whether the ciphers in the supplied list are supported.
Definition: ssl_ncp.c:95
LINK_MTU_DEFAULT
#define LINK_MTU_DEFAULT
Definition: mtu.h:65
xkey_common.h
bind_local
static void bind_local(struct link_socket *sock, const sa_family_t ai_family)
Definition: socket.c:1086
options::mute
int mute
Definition: options.h:382
safe_print
const char * safe_print(const char *str, struct gc_arena *gc)
Definition: misc.c:537
VLAN_ONLY_TAGGED
@ VLAN_ONLY_TAGGED
Definition: options.h:207
parse_line
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition: options.c:4966
MF_HOLD
#define MF_HOLD
Definition: manage.h:30
PACKAGE_VERSION
#define PACKAGE_VERSION
Definition: config.h:504
MAX_PARMS
#define MAX_PARMS
Definition: options.h:52
buf_clear
void buf_clear(struct buffer *buf)
Definition: buffer.c:162
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:126
fragment
Structure for reassembling one incoming fragmented packet.
Definition: fragment.h:65
tls_verify
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
Definition: keyingmaterialexporter.c:166
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:505
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:93
options_warning_safe
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition: options.c:4635
tuntap_options::netbios_scope
const char * netbios_scope
Definition: tun.h:101
in_src::type
int type
Definition: options.c:5151
options::ce
struct connection_entry ce
Definition: options.h:275
options::msg_channel
HANDLE msg_channel
Definition: options.h:673
dns_server::dnssec
enum dns_security dnssec
Definition: dns.h:65
new_route_option_list
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition: route.c:130
tuntap_options::ntp_len
int ntp_len
Definition: tun.h:117
ip_or_dns_addr_safe
bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn)
Definition: socket.c:772
MF_QUERY_REMOTE
#define MF_QUERY_REMOTE
Definition: manage.h:41
read_inline_file
static char * read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
Definition: options.c:5182
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:717
format_hex_ex
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:501
iroute::netbits
int netbits
Definition: route.h:236
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition: ssl_common.h:410
ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_IPAPI
Definition: route.h:41
options::n_bcast_buf
int n_bcast_buf
Definition: options.h:492
ascii2keydirection
int ascii2keydirection(int msglevel, const char *str)
Definition: crypto.c:1426
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition: options.h:479
verify_hash_list
Definition: options.h:227
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition: options.h:604
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:28
D_LOW
#define D_LOW
Definition: errlevel.h:97
dns_server::transport
enum dns_server_transport transport
Definition: dns.h:66
PACKAGE
#define PACKAGE
Definition: config.h:486
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:271
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:97
SF_TCP_NODELAY
#define SF_TCP_NODELAY
Definition: socket.h:205
TOP_SUBNET
#define TOP_SUBNET
Definition: proto.h:45
M_DEBUG_LEVEL
#define M_DEBUG_LEVEL
Definition: error.h:87
remote_entry::remote
const char * remote
Definition: options.h:174
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:483
options_pre_connect::foreign_option_index
int foreign_option_index
Definition: options.h:89
connection_list::capacity
int capacity
Definition: options.h:184
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:584
atou
static unsigned int atou(const char *str)
Definition: options.c:4951
options_pre_connect::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:87
options_postprocess_mutate_ce
static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
Definition: options.c:3108
pull_filter_list::tail
struct pull_filter * tail
Definition: options.c:943
options::shaper
int shaper
Definition: options.h:315
options.h
cnol_check_alloc
static void cnol_check_alloc(struct options *options)
Definition: options.c:1701
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition: crypto_openssl.c:659
IPROUTE_PATH
#define IPROUTE_PATH
Definition: config.h:468
clone_client_nat_option_list
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition: clinat.c:83
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition: options.h:594
dns_options::gc
struct gc_arena gc
Definition: dns.h:74
TLS_VER_1_0
#define TLS_VER_1_0
Definition: ssl_backend.h:105
options::cd_dir
const char * cd_dir
Definition: options.h:362
MODE_SERVER
#define MODE_SERVER
Definition: options.h:246
netmask_to_netbits2
int netmask_to_netbits2(in_addr_t netmask)
Definition: route.c:3959
print_client_nat_list
void print_client_nat_list(const struct client_nat_option_list *list, int msglevel)
Definition: clinat.c:52
options::remote_random
bool remote_random
Definition: options.h:301
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:313
frame
Packet geometry parameters.
Definition: mtu.h:98
options::push_continuation
int push_continuation
Definition: options.h:540
options_postprocess_filechecks
static void options_postprocess_filechecks(struct options *options)
Definition: options.c:4055
push_entry::option
const char * option
Definition: pushlist.h:32
MAX_PEER_ID
#define MAX_PEER_ID
Definition: openvpn.h:549
MF_CLIENT_AUTH
#define MF_CLIENT_AUTH
Definition: manage.h:34
plugin_option_list_print
void plugin_option_list_print(const struct plugin_option_list *list, int msglevel)
Definition: plugin.c:189
PROTO_TCP_SERVER
@ PROTO_TCP_SERVER
Definition: socket.h:557
connection_entry::fragment_encap
bool fragment_encap
Definition: options.h:133
options::allow_deprecated_insecure_static_crypto
bool allow_deprecated_insecure_static_crypto
Definition: options.h:554
options::tls_server
bool tls_server
Definition: options.h:573
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:267
parse_hash_fingerprint_multiline
static struct verify_hash_list * parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a string consisting of multiple lines of hexstrings and checks if each string has the correct ...
Definition: options.c:1211
options::auth_token_renewal
int auth_token_renewal
Definition: options.h:528
options_pre_connect::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:72
connection_entry::bind_local
bool bind_local
Definition: options.h:109
http_custom_header
Definition: proxy.h:38
provider_list::names
const char * names[MAX_PARMS]
Definition: options.h:200
shaper.h
throw_signal_soft
void throw_signal_soft(const int signum, const char *signal_text)
Throw a soft global signal.
Definition: sig.c:206
dns_options::servers
struct dns_server * servers
Definition: dns.h:73
connection_entry
Definition: options.h:97
remote_entry::af
sa_family_t af
Definition: options.h:177
N_SEARCH_LIST_LEN
#define N_SEARCH_LIST_LEN
Definition: tun.h:123
iroute_ipv6::network
struct in6_addr network
Definition: route.h:241
push_reset
void push_reset(struct options *o)
Definition: push.c:917
usage_message
static const char usage_message[]
Definition: options.c:118
SHOW_INT
#define SHOW_INT(var)
Definition: options.c:975
http_proxy_options::inline_creds
bool inline_creds
Definition: proxy.h:59
options::allow_recursive_routing
bool allow_recursive_routing
Definition: options.h:701
net_ctx_init
static int net_ctx_init(struct context *c, openvpn_net_ctx_t *ctx)
Definition: networking.h:48
translate_mtu_discover_type_name
int translate_mtu_discover_type_name(const char *name)
Definition: mtu.c:261
sleep
#define sleep(x)
Definition: syshead.h:43
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:419
add_route_to_option_list
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric)
Definition: route.c:510
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:717
iroute::next
struct iroute * next
Definition: route.h:237
options::tls_exit
bool tls_exit
Definition: options.h:665
SHOW_UNSIGNED
#define SHOW_UNSIGNED(var)
Definition: options.c:978
options::route_noexec
bool route_noexec
Definition: options.h:414
MF_QUERY_PROXY
#define MF_QUERY_PROXY
Definition: manage.h:42
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:591
management_echo
void management_echo(struct management *man, const char *string, const bool pull)
Definition: manage.c:3015
ROUTE_METHOD_EXE
#define ROUTE_METHOD_EXE
Definition: route.h:42
KEY_METHOD_2
#define KEY_METHOD_2
Definition: ssl.h:112
sa_family_t
unsigned short sa_family_t
Definition: syshead.h:385
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:628
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition: ssl.c:415
PING_RESTART
#define PING_RESTART
Definition: options.h:341
RG_AUTO_LOCAL
#define RG_AUTO_LOCAL
Definition: route.h:90
RG_LOCAL
#define RG_LOCAL
Definition: route.h:85
connection_entry_load_re
static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
Definition: options.c:2261
options::persist_local_ip
bool persist_local_ip
Definition: options.h:345
MD_SHA256
@ MD_SHA256
Definition: crypto_backend.h:53
http_proxy_options::nocache
bool nocache
Definition: proxy.h:61
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:999
CLEAR
#define CLEAR(x)
Definition: basic.h:33
DNS_TRANSPORT_HTTPS
@ DNS_TRANSPORT_HTTPS
Definition: dns.h:40
options::verify_hash_depth
int verify_hash_depth
Definition: options.h:605
options::ignore_unknown_option
const char ** ignore_unknown_option
Definition: options.h:256
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:737
dns_server::priority
long priority
Definition: dns.h:61
options::ecdh_curve
const char * ecdh_curve
Definition: options.h:592
iroute::network
in_addr_t network
Definition: route.h:235
ipconfig_register_dns
void ipconfig_register_dns(const struct env_set *es)
Definition: tun.c:5352
pull_filter::size
int size
Definition: options.c:935
options::show_curves
bool show_curves
Definition: options.h:267
connection_list::len
int len
Definition: options.h:185
SF_NOPOOL
#define SF_NOPOOL
Definition: options.h:458
options::http_proxy_override
struct http_proxy_options * http_proxy_override
Definition: options.h:294
options::cipher_list_tls13
const char * cipher_list_tls13
Definition: options.h:589
PUF_TYPE_IGNORE
#define PUF_TYPE_IGNORE
Definition: options.c:932
options_postprocess_pull
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition: options.c:4193
N_DHCP_ADDR
#define N_DHCP_ADDR
Definition: tun.h:105
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:180
options::up_delay
bool up_delay
Definition: options.h:371
options::writepid
const char * writepid
Definition: options.h:366
options_pre_connect::tuntap_options_defined
bool tuntap_options_defined
Definition: options.h:65
tuntap_options::ip_win32_defined
bool ip_win32_defined
Definition: tun.h:71
options_pre_connect::ciphername
const char * ciphername
Definition: options.h:82
show_connection_entries
static void show_connection_entries(const struct options *o)
Definition: options.c:1759
options::max_clients
int max_clients
Definition: options.h:518
platform_stat_t
struct _stat platform_stat_t
Definition: platform.h:146
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:667
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:414
options::disable
bool disable
Definition: options.h:491
SC_ECHO
#define SC_ECHO
Definition: misc.h:93
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:115
options::dh_file
const char * dh_file
Definition: options.h:578
options::resolve_in_advance
bool resolve_in_advance
Definition: options.h:353
IS_TYPE_FP
#define IS_TYPE_FP
Definition: options.c:5149
ssl_verify.h
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition: options.h:314
options::dev
const char * dev
Definition: options.h:303
ASSERT
#define ASSERT(x)
Definition: error.h:195
options::management_port
const char * management_port
Definition: options.h:431
helper_tcp_nodelay
void helper_tcp_nodelay(struct options *o)
Definition: helper.c:600
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2924
OPENVPN_PORT
#define OPENVPN_PORT
Definition: socket.h:42
options::groupname
const char * groupname
Definition: options.h:360
D_SHOW_OCC
#define D_SHOW_OCC
Definition: errlevel.h:151
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition: options.h:111
iroute_ipv6::netbits
unsigned int netbits
Definition: route.h:242
print_topology
const char * print_topology(const int topology)
Definition: options.c:4738
show_tuntap_options
static void show_tuntap_options(const struct tuntap_options *o)
Definition: options.c:1279
options::ip_remote_hint
const char * ip_remote_hint
Definition: options.h:354
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition: socket.h:558
mac_addr_safe
bool mac_addr_safe(const char *mac_addr)
Definition: socket.c:789
options::single_session
bool single_session
Definition: options.h:661
options::dns_options
struct dns_options dns_options
Definition: options.h:299
options::auth_user_pass_file
const char * auth_user_pass_file
Definition: options.h:542
show_dhcp_option_list
static void show_dhcp_option_list(const char *name, const char *const *array, int len)
Definition: options.c:1254
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:746
options::client_nat
struct client_nat_option_list * client_nat
Definition: options.h:424
OPTION_PARM_SIZE
#define OPTION_PARM_SIZE
Definition: options.h:57
ssl_get_auth_nocache
bool ssl_get_auth_nocache(void)
Definition: ssl.c:341
set_machine_readable_output
void set_machine_readable_output(bool parsable)
Definition: error.c:155
D_DCO
#define D_DCO
Definition: errlevel.h:94
options_pre_connect::routes
struct route_option_list * routes
Definition: options.h:69
options::server_netmask
in_addr_t server_netmask
Definition: options.h:453
bypass_doubledash
static void bypass_doubledash(char **p)
Definition: options.c:5140
option_iroute_ipv6
static void option_iroute_ipv6(struct options *o, const char *prefix_str, int msglevel)
Definition: options.c:1622
connection_list
Definition: options.h:182
set_suppress_timestamps
void set_suppress_timestamps(bool suppressed)
Definition: error.c:149
SSLF_TLS_VERSION_MIN_MASK
#define SSLF_TLS_VERSION_MIN_MASK
Definition: ssl_common.h:414
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition: route.h:89
options::cf_initial_max
int cf_initial_max
Definition: options.h:515
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition: crypto_openssl.c:1070
options::ping_send_timeout
int ping_send_timeout
Definition: options.h:335
argv::argv
char ** argv
Definition: argv.h:39
remote_entry::remote_port
const char * remote_port
Definition: options.h:175
dns_server_addr_parse
bool dns_server_addr_parse(struct dns_server *server, const char *addr)
Parses a string IPv4 or IPv6 address and optional colon separated port, into a in_addr or in6_addr re...
Definition: dns.c:55
MAX_CUSTOM_HTTP_HEADER
#define MAX_CUSTOM_HTTP_HEADER
Definition: proxy.h:43
http_proxy_options::user_agent
const char * user_agent
Definition: proxy.h:57
ROUTE_METHOD_ADAPTIVE
#define ROUTE_METHOD_ADAPTIVE
Definition: route.h:40
ipv6_addr_safe_hexplusbits
static bool ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
Definition: options.c:1119
options::x509_track
const struct x509_track * x509_track
Definition: options.h:667
options::windows_driver
enum windows_driver_type windows_driver
Definition: options.h:679
options::client
bool client
Definition: options.h:538
need_compatibility_before
static bool need_compatibility_before(const struct options *o, unsigned int version)
The option –compat-mode is used to set up default settings to values used on the specified openvpn ve...
Definition: options.c:3578
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
WINDOWS_DRIVER_DCO
@ WINDOWS_DRIVER_DCO
Definition: tun.h:53
MF_EXTERNAL_KEY_DIGEST
#define MF_EXTERNAL_KEY_DIGEST
Definition: manage.h:45
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition: options.h:553
options::pre_connect
struct options_pre_connect * pre_connect
Definition: options.h:544
TLS_MTU_DEFAULT
#define TLS_MTU_DEFAULT
Definition: mtu.h:85
tuntap_options::ip_win32_type
int ip_win32_type
Definition: tun.h:81
connection_entry::bind_defined
bool bind_defined
Definition: options.h:107
options::management_client_group
const char * management_client_group
Definition: options.h:438
COMP_ALG_LZ4
#define COMP_ALG_LZ4
Definition: comp.h:49
verify_permission
static bool verify_permission(const char *name, const char *file, int line, const unsigned int type, const unsigned int allowed, unsigned int *found, const int msglevel, struct options *options, bool is_inline)
Definition: options.c:5572
packet_id.h
options::test_crypto
bool test_crypto
Definition: options.h:567
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: options.h:606
COMP_F_MIGRATE
#define COMP_F_MIGRATE
Definition: comp.h:40
msglevel_forward_compatible
static int msglevel_forward_compatible(struct options *options, const int msglevel)
Definition: options.c:5660
options::block_outside_dns
bool block_outside_dns
Definition: options.h:678
options_pre_connect::route_default_gateway
const char * route_default_gateway
Definition: options.h:74
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition: options.h:723
remap_redirect_gateway_flags
static void remap_redirect_gateway_flags(struct options *opt)
Definition: options.c:3268
proto.h
SSLF_OPT_VERIFY
#define SSLF_OPT_VERIFY
Definition: ssl_common.h:411
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:311
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:559
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: options.h:504
options::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:648
connection_entry::mssfix_fixed
bool mssfix_fixed
Definition: options.h:139
OPTION_LINE_SIZE
#define OPTION_LINE_SIZE
Definition: options.h:58
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition: options.h:735
SSLF_TLS_DEBUG_ENABLED
#define SSLF_TLS_DEBUG_ENABLED
Definition: ssl_common.h:417
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition: options.h:715
key_type::digest
const char * digest
Message digest static parameters.
Definition: crypto.h:142
RESOLV_RETRY_INFINITE
#define RESOLV_RETRY_INFINITE
Definition: socket.h:48
dns_domain::name
const char * name
Definition: dns.h:46
options::comp
struct compress_options comp
Definition: options.h:395
options::persist_config
bool persist_config
Definition: options.h:259
options_pre_connect::routes_ipv6_defined
bool routes_ipv6_defined
Definition: options.h:71
clone_push_list
void clone_push_list(struct options *o)
Definition: push.c:875
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition: options.h:704
dns_server_addr::in
union dns_server_addr::@0 in
options_postprocess_cipher
static void options_postprocess_cipher(struct options *o)
Definition: options.c:3522
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition: options.h:724
options::auth_token_lifetime
int auth_token_lifetime
Definition: options.h:527
ascii2proto
int ascii2proto(const char *proto_name)
Definition: socket.c:3100
OPT_P_INLINE
#define OPT_P_INLINE
Definition: options.h:741
print_route_options
void print_route_options(const struct route_option_list *rol, int level)
Definition: route.c:1317
show_compression_warning
static void show_compression_warning(struct compress_options *info)
Definition: options.c:5696
calc_options_string_link_mtu
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition: mtu.c:152
options::push_peer_info
bool push_peer_info
Definition: options.h:663
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition: ssl_common.h:412
dns_server
Definition: dns.h:59
OPT_P_TLS_PARMS
#define OPT_P_TLS_PARMS
Definition: options.h:725
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition: options.c:4649
string_substitute
static char * string_substitute(const char *src, int from, int to, struct gc_arena *gc)
Definition: options.c:1128
OPENVPN_8021Q_MAX_VID
#define OPENVPN_8021Q_MAX_VID
Definition: proto.h:326
options::allow_pull_fqdn
bool allow_pull_fqdn
Definition: options.h:423
MF_QUERY_PASSWORDS
#define MF_QUERY_PASSWORDS
Definition: manage.h:29
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition: options.h:653
COMP_F_ADVERTISE_STUBS_ONLY
#define COMP_F_ADVERTISE_STUBS_ONLY
Definition: comp.h:38
misc.h
options::push_ifconfig_ipv6_blocked
bool push_ifconfig_ipv6_blocked
Definition: options.h:508
RG_BYPASS_DHCP
#define RG_BYPASS_DHCP
Definition: route.h:87
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition: ssl.c:350
push.h
in_src
Definition: options.c:5148
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:435
M_WARN
#define M_WARN
Definition: error.h:91
dns_options_preprocess_pull
void dns_options_preprocess_pull(struct dns_options *o)
Saves and resets the server options, so that pulled ones don't mix in.
Definition: dns.c:262
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition: options.h:496
options::persist_tun
bool persist_tun
Definition: options.h:344
PACKAGE_STRING
#define PACKAGE_STRING
Definition: config.h:495
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition: comp.h:45
connection_entry::tls_auth_file
const char * tls_auth_file
Definition: options.h:155
options::backwards_compatible
unsigned int backwards_compatible
What version we should try to be compatible with as major * 10000 + minor * 100 + patch,...
Definition: options.h:253
CONFIGURE_DEFINES
#define CONFIGURE_DEFINES
Definition: config.h:5
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition: options.h:718
WINDOWS_DRIVER_WINTUN
@ WINDOWS_DRIVER_WINTUN
Definition: tun.h:52
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:654
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1102
options::proto_force
int proto_force
Definition: options.h:317
check_inline_file_via_buf
static int check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
Definition: options.c:5260
VERIFY_PERMISSION
#define VERIFY_PERMISSION(mask)
Definition: options.c:5563
msg_fp
FILE * msg_fp(const unsigned int flags)
Definition: error.c:194
options::tls_auth_file
const char * tls_auth_file
Definition: options.h:644
in_src::multiline
struct buffer * multiline
Definition: options.c:5154
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:166
options::route_predown_script
const char * route_predown_script
Definition: options.h:410
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition: ssl_openssl.c:200
COMP_ALGV2_UNCOMPRESSED
#define COMP_ALGV2_UNCOMPRESSED
Definition: comp.h:53
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition: options.h:500
OPT_P_INSTANCE
#define OPT_P_INSTANCE
allowed in ccd, client-connect etc
Definition: options.h:729
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition: options.h:156
plugin_option_list_new
struct plugin_option_list * plugin_option_list_new(struct gc_arena *gc)
Definition: plugin.c:160
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition: options.h:530
options_postprocess_setdefault_ncpciphers
static void options_postprocess_setdefault_ncpciphers(struct options *o)
Checks for availibility of Chacha20-Poly1305 and sets the ncp_cipher to either AES-256-GCM:AES-128-GC...
Definition: options.c:3494
options::server_netbits_ipv6
unsigned int server_netbits_ipv6
Definition: options.h:456
NM_QUOTE_HINT
#define NM_QUOTE_HINT
Definition: options.c:5629
CHKACC_FILE
#define CHKACC_FILE
Expect people using the stripped down version to know what they do.
Definition: options.c:3849
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition: options.h:165
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition: options.h:587
space
static bool space(unsigned char c)
Definition: options.c:4960
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::verify_x509_type
int verify_x509_type
Definition: options.h:595
options
Definition: options.h:236
pool.h
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition: options.h:543
RG_ENABLE
#define RG_ENABLE
Definition: route.h:84
connection_entry::key_direction
int key_direction
Definition: options.h:157
options::providers
struct provider_list providers
Definition: options.h:562
crypto.h
dns_server::domains
struct dns_domain * domains
Definition: dns.h:64
IPW32_SET_NETSH
#define IPW32_SET_NETSH
Definition: tun.h:76
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition: socket.h:504
options::log
bool log
Definition: options.h:377
alloc_remote_entry
static struct remote_entry * alloc_remote_entry(struct options *options, const int msglevel)
Definition: options.c:2207
show_valid_win32_tun_subnets
void show_valid_win32_tun_subnets(void)
Definition: tun.c:4207
TLS_CLIENT
#define TLS_CLIENT
static_challenge_info::flags
unsigned int flags
Definition: misc.h:94
options::gc
struct gc_arena gc
Definition: options.h:238
OPT_P_COMP
#define OPT_P_COMP
Definition: options.h:722
DNS_SECURITY_NO
@ DNS_SECURITY_NO
Definition: dns.h:32
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5553
options::mlock
bool mlock
Definition: options.h:325
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition: manage.h:37
options_pre_connect::ping_send_timeout
int ping_send_timeout
Definition: options.h:85
M_ERR
#define M_ERR
Definition: error.h:105
options::tls_timeout
int tls_timeout
Definition: options.h:623
options::management_addr
const char * management_addr
Definition: options.h:430
options::tls_verify
const char * tls_verify
Definition: options.h:593
COMP_F_SWAP
#define COMP_F_SWAP
Definition: comp.h:37
options::down_script
const char * down_script
Definition: options.h:368
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition: options.h:123
SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition: ssl_common.h:407
OPENVPN_EXIT_STATUS_USAGE
#define OPENVPN_EXIT_STATUS_USAGE
Definition: error.h:55
check_ca_required
static void check_ca_required(const struct options *options)
Definition: options.c:2299
gc_transfer
void gc_transfer(struct gc_arena *dest, struct gc_arena *src)
Definition: buffer.c:478
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:177
options_warning_safe_scan2
static void options_warning_safe_scan2(const int msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition: options.c:4497
buf_valid
static bool buf_valid(const struct buffer *buf)
Definition: buffer.h:234
helper_keepalive
void helper_keepalive(struct options *o)
Definition: helper.c:541
dns_domain
Definition: dns.h:44
tuntap_options
Definition: tun.h:69
gc_detach
static void gc_detach(struct gc_arena *a)
Definition: buffer.h:1024
MF_FORGET_DISCONNECT
#define MF_FORGET_DISCONNECT
Definition: manage.h:32
ipset2ascii_all
const char * ipset2ascii_all(struct gc_arena *gc)
Definition: tun.c:7127
options::virtual_hash_size
int virtual_hash_size
Definition: options.h:484
auth_retry_get
int auth_retry_get(void)
Definition: options.c:4766
add_option
static void add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5730
options_postprocess
void options_postprocess(struct options *options, struct env_set *es)
Definition: options.c:4179
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition: options.h:475
dns_options::search_domains
struct dns_domain * search_domains
Definition: dns.h:71
dns_server::addr_count
size_t addr_count
Definition: dns.h:62
DNS_TRANSPORT_PLAIN
@ DNS_TRANSPORT_PLAIN
Definition: dns.h:39
copy_client_nat_option_list
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition: clinat.c:92
ifconfig_options_string
const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc)
Definition: tun.c:665
options::server_ipv6_defined
bool server_ipv6_defined
Definition: options.h:454
set_pause_exit_win32
void set_pause_exit_win32(void)
Definition: win32.c:146
compress_options::flags
unsigned int flags
Definition: comp.h:67
connection_entry::local_port_defined
bool local_port_defined
Definition: options.h:102
options::show_tls_ciphers
bool show_tls_ciphers
Definition: options.h:266
parse_topology
int parse_topology(const char *str, const int msglevel)
Definition: options.c:4716
check_file_access_chroot
static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
Definition: options.c:3936
TOP_UNDEF
#define TOP_UNDEF
Definition: proto.h:42
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: options.h:506
tuntap_options_copy_dns
static void tuntap_options_copy_dns(struct options *o)
Definition: options.c:1353
options::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:649
OPT_P_ECHO
#define OPT_P_ECHO
Definition: options.h:732
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:629
static_challenge_info::challenge_text
const char * challenge_text
Definition: misc.h:96
dns_server::addr
struct dns_server_addr addr[8]
Definition: dns.h:63
open_syslog
void open_syslog(const char *pgmname, bool stdio_to_null)
Definition: error.c:467
alloc_remote_list_if_undef
static struct remote_list * alloc_remote_list_if_undef(struct options *options)
Definition: options.c:2197
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition: proto.h:38
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:346
options::ccd_exclusive
bool ccd_exclusive
Definition: options.h:490
options::stale_routes_check_interval
int stale_routes_check_interval
Definition: options.h:520
options::scheduled_exit_interval
int scheduled_exit_interval
Definition: options.h:546
options_pre_connect::client_nat
struct client_nat_option_list * client_nat
Definition: options.h:78
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:336
options::pkcs12_file
const char * pkcs12_file
Definition: options.h:586
OPT_P_PERSIST_IP
#define OPT_P_PERSIST_IP
Definition: options.h:721
options::client_crresponse_script
const char * client_crresponse_script
Definition: options.h:488
IPW32_SET_ADAPTIVE
#define IPW32_SET_ADAPTIVE
Definition: tun.h:79
SIZE
#define SIZE(x)
Definition: basic.h:30
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition: options.h:223
errors_to_stderr
void errors_to_stderr(void)
Definition: error.c:185
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:573
options::genkey
bool genkey
Definition: options.h:268
options::verify_x509_name
const char * verify_x509_name
Definition: options.h:596
options::replay_window
int replay_window
Definition: options.h:564
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
SHAPER_MIN
#define SHAPER_MIN
Definition: shaper.h:40
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition: options.h:412
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition: errlevel.h:67
options::foreign_option_index
int foreign_option_index
Definition: options.h:670
http_proxy_options::server
const char * server
Definition: proxy.h:45
global_auth_retry
static int global_auth_retry
Definition: options.c:4763
options::exit_event_name
const char * exit_event_name
Definition: options.h:674
openvpn_exit
void openvpn_exit(const int status)
Definition: error.c:735
connection_entry_preload_key
static void connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
Definition: options.c:2282
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:507
options::management_certificate
const char * management_certificate
Definition: options.h:440
show_windows_version
void show_windows_version(const unsigned int flags)
Definition: options.c:4857
options_pre_connect::comp
struct compress_options comp
Definition: options.h:90
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition: crypto.h:278
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
set_user_script
static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot)
Definition: options.c:5666
options::route_delay_defined
bool route_delay_defined
Definition: options.h:417
key_type
Definition: crypto.h:139
new_route_ipv6_option_list
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition: route.c:139
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2904
options::handshake_window
int handshake_window
Definition: options.h:633
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition: options.h:601
suppress_timestamps
static bool suppress_timestamps
Definition: error.c:81
options_postprocess_http_proxy_override
static void options_postprocess_http_proxy_override(struct options *o)
Definition: options.c:2130
connection_entry::occ_mtu
int occ_mtu
Definition: options.h:119
options::ping_timer_remote
bool ping_timer_remote
Definition: options.h:337
options::crl_file_inline
bool crl_file_inline
Definition: options.h:598
options::status_file_version
int status_file_version
Definition: options.h:389
MAN_CLIENT_AUTH_ENABLED
#define MAN_CLIENT_AUTH_ENABLED(opt)
Definition: options.h:772
TLS_VER_1_2
#define TLS_VER_1_2
Definition: ssl_backend.h:107
verify_hash_list::hash
uint8_t hash[SHA256_DIGEST_LENGTH]
Definition: options.h:231
options::route_default_metric
int route_default_metric
Definition: options.h:413
ssl.h
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition: options.h:720
show_tap_win_adapters
void show_tap_win_adapters(int msglev, int warnlev)
Definition: tun.c:4240
options::sndbuf
int sndbuf
Definition: options.h:399
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:46
options::block_ipv6
bool block_ipv6
Definition: options.h:420
show_adapters
void show_adapters(int msglev)
Definition: tun.c:5095
buffer.h
check_inline_file_via_fp
static int check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
Definition: options.c:5251
options::fast_io
bool fast_io
Definition: options.h:393
options::force_key_material_export
bool force_key_material_export
Definition: options.h:691
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:463
OPT_P_GENERAL
#define OPT_P_GENERAL
Definition: options.h:712
tuntap_options::wins_len
int wins_len
Definition: tun.h:113
syshead.h
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition: platform.c:514
COMP_F_ADAPTIVE
#define COMP_F_ADAPTIVE
Definition: comp.h:35
options::dh_file_inline
bool dh_file_inline
Definition: options.h:579
BPTR
#define BPTR(buf)
Definition: buffer.h:124
pkcs11.h
options::management_flags
unsigned int management_flags
Definition: options.h:443
options::route_method
int route_method
Definition: options.h:677
no_more_than_n_args
static bool no_more_than_n_args(const int msglevel, char *p[], const int max, const unsigned int flags)
Definition: options.c:5632
auth_retry_print
const char * auth_retry_print(void)
Definition: options.c:4795
options::cert_file_inline
bool cert_file_inline
Definition: options.h:581
platform.h
options::server_bridge_pool_start
in_addr_t server_bridge_pool_start
Definition: options.h:468
options::management_echo_buffer_size
int management_echo_buffer_size
Definition: options.h:434
proto_is_net
static bool proto_is_net(int proto)
Definition: socket.h:563
connection_list::array
struct connection_entry ** array
Definition: options.h:187
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition: options.h:714
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
shaper
Definition: shaper.h:47
show_routes
void show_routes(int msglev)
Definition: route.c:3209
PUF_TYPE_REJECT
#define PUF_TYPE_REJECT
Definition: options.c:933
options::client_config_dir
const char * client_config_dir
Definition: options.h:489
in_src_get
static bool in_src_get(const struct in_src *is, char *line, const int size)
Definition: options.c:5159
dco_check_startup_option
static bool dco_check_startup_option(int msglevel, const struct options *o)
Definition: dco.h:275
SSLF_TLS_VERSION_MAX_SHIFT
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition: ssl_common.h:415
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
add_client_nat_to_option_list
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, int msglevel)
Definition: clinat.c:106
options::status_file
const char * status_file
Definition: options.h:388
options::genkey_filename
const char * genkey_filename
Definition: options.h:270
COMP_F_ALLOW_NOCOMP_ONLY
#define COMP_F_ALLOW_NOCOMP_ONLY
Definition: comp.h:42
iroute_ipv6::next
struct iroute_ipv6 * next
Definition: route.h:243
key_is_external
bool key_is_external(const struct options *options)
Definition: options.c:5715
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:283
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition: options.h:245
tuntap_options::nbdd_len
int nbdd_len
Definition: tun.h:121
alloc_pull_filter
static struct pull_filter * alloc_pull_filter(struct options *o, const int msglevel)
Definition: options.c:2240
check_file_access_inline
static bool check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access() that returns false immediately if the file is inline (and therefore...
Definition: options.c:3986
DNS_TRANSPORT_TLS
@ DNS_TRANSPORT_TLS
Definition: dns.h:41
key_type::cipher
const char * cipher
const name of the cipher
Definition: crypto.h:141
daemon
int daemon(int nochdir, int noclose)
Definition: compat-daemon.c:51
pull_filter
Definition: options.c:928
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:526
remote_list::array
struct remote_entry ** array
Definition: options.h:194
PUF_TYPE_ACCEPT
#define PUF_TYPE_ACCEPT
Definition: options.c:931
options::vlan_pvid
uint16_t vlan_pvid
Definition: options.h:695
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:352
LZO_LIB_VER_STR
#define LZO_LIB_VER_STR
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition: comp.c:163
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition: options.h:113
options::ca_file
const char * ca_file
Definition: options.h:575
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition: ssl_backend.h:390
check_file_access_chroot_inline
static bool check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access_chroot() that returns false immediately if the file is inline (and th...
Definition: options.c:3969
show_library_versions
void show_library_versions(const unsigned int flags)
Definition: options.c:4876
tuntap_options::dhcp_masq_offset
int dhcp_masq_offset
Definition: tun.h:89
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:361
MUST_BE_UNDEF
#define MUST_BE_UNDEF(parm)
win32_version_string
const char * win32_version_string(struct gc_arena *gc, bool add_name)
Definition: win32.c:1424
env_set
Definition: env_set.h:42
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx)
Definition: route.c:2680
plugin_option_list_add
bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
Definition: plugin.c:168
OPT_P_TIMER
#define OPT_P_TIMER
Definition: options.h:719
options_process_mutate_prf
static void options_process_mutate_prf(struct options *o)
Definition: options.c:3658
options::server_bridge_netmask
in_addr_t server_bridge_netmask
Definition: options.h:467
copy_route_ipv6_option_list
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:180
OPT_P_CONNECTION
#define OPT_P_CONNECTION
Definition: options.h:739
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition: platform.c:540
MIN_TIME_BACKTRACK
#define MIN_TIME_BACKTRACK
Definition: packet_id.h:107
MF_SIGNAL
#define MF_SIGNAL
Definition: manage.h:31
options::config
const char * config
Definition: options.h:242
usage
static void usage(void)
Definition: options.c:4817
new_client_nat_list
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition: clinat.c:75
cipher_kt_key_size
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
Definition: crypto_openssl.c:679
options::plugin_list
struct plugin_option_list * plugin_list
Definition: options.h:446
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:88
options::priv_key_file_inline
bool priv_key_file_inline
Definition: options.h:585
clone_dns_options
struct dns_options clone_dns_options(const struct dns_options o, struct gc_arena *gc)
Makes a deep copy of the passed DNS options.
Definition: dns.c:251
TOP_P2P
#define TOP_P2P
Definition: proto.h:44
SHAPER_MAX
#define SHAPER_MAX
Definition: shaper.h:41
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:907
pull_filter::type
int type
Definition: options.c:934
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:183
connection_entry::flags
unsigned int flags
Definition: options.h:152
tuntap_options::disable_nbt
bool disable_nbt
Definition: tun.h:130
uninit_options
void uninit_options(struct options *o)
Definition: options.c:911
tuntap_options::dns6_len
int dns6_len
Definition: tun.h:138
dco.h
common.h
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition: ssl.c:331
options::connect_retry_max
int connect_retry_max
Definition: options.h:274
PING_EXIT
#define PING_EXIT
Definition: options.h:340
options::tls_auth_file_inline
bool tls_auth_file_inline
Definition: options.h:645
strprefix
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition: buffer.h:982
machine_readable_output
static bool machine_readable_output
Definition: error.c:78
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:433
show_dco_version
void show_dco_version(const unsigned int flags)
Definition: options.c:4866
D_SHOW_PARMS
#define D_SHOW_PARMS
Definition: errlevel.h:96
options_detach
void options_detach(struct options *o)
Definition: options.c:1674
DNS_SECURITY_YES
@ DNS_SECURITY_YES
Definition: dns.h:33
rol_check_alloc
void rol_check_alloc(struct options *options)
Definition: options.c:1683
tuntap_options::disable_dco
bool disable_dco
Definition: tun.h:73
redirect_stdout_stderr
void redirect_stdout_stderr(const char *file, bool append)
Definition: error.c:515
options::daemon
bool daemon
Definition: options.h:373
parse_http_proxy_override
static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, const int msglevel, struct gc_arena *gc)
Definition: options.c:2099
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition: socket.c:211
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition: options.h:116
options_pre_connect::routes_defined
bool routes_defined
Definition: options.h:68
VLAN_ALL
@ VLAN_ALL
Definition: options.h:209
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition: options.h:474
COMP_ALG_STUB
#define COMP_ALG_STUB
Definition: comp.h:46
options::tls_groups
const char * tls_groups
Definition: options.h:590
options::gc_owned
bool gc_owned
Definition: options.h:239
CHKACC_DIRPATH
#define CHKACC_DIRPATH
Definition: options.c:3850
options::rcvbuf
int rcvbuf
Definition: options.h:398
alloc_connection_entry
static struct connection_entry * alloc_connection_entry(struct options *options, const int msglevel)
Definition: options.c:2174
check_cmd_access
static bool check_cmd_access(const char *command, const char *opt, const char *chroot)
Definition: options.c:4014
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition: socket.h:506
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:375
dns_server_addr::family
sa_family_t family
Definition: dns.h:55
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:675
tuntap_options::dhcp_pre_release
bool dhcp_pre_release
Definition: tun.h:133
options_pre_connect::client_nat_defined
bool client_nat_defined
Definition: options.h:77
in_src::fp
FILE * fp
Definition: options.c:5153
PLUGIN_OPTION_LIST
#define PLUGIN_OPTION_LIST(opt)
Definition: options.h:766
rol6_check_alloc
static void rol6_check_alloc(struct options *options)
Definition: options.c:1692
options::peer_id
uint32_t peer_id
Definition: options.h:683
options_pre_connect
Definition: options.h:63
tuntap_options::wins
in_addr_t wins[N_DHCP_ADDR]
Definition: tun.h:112
setenv_dns_options
void setenv_dns_options(const struct dns_options *o, struct env_set *es)
Puts the DNS options into an environment set.
Definition: dns.c:368
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition: crypto_mbedtls.h:77
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition: options.h:472
MF_CONNECT_AS_CLIENT
#define MF_CONNECT_AS_CLIENT
Definition: manage.h:33
ascii2af
sa_family_t ascii2af(const char *proto_name)
Definition: socket.c:3114
get_ip_addr
static in_addr_t get_ip_addr(const char *ip_string, int msglevel, bool *error)
Definition: options.c:1076
IPW32_SET_DHCP_MASQ
#define IPW32_SET_DHCP_MASQ
Definition: tun.h:78
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:354
max_int
static int max_int(int x, int y)
Definition: integer.h:76
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition: errlevel.h:157
connection_entry::remote_float
bool remote_float
Definition: options.h:106
connection_entry::remote
const char * remote
Definition: options.h:105
init_options
void init_options(struct options *o, const bool init_gc)
Definition: options.c:789
options::machine_readable_output
bool machine_readable_output
Definition: options.h:379
MF_UNIX_SOCK
#define MF_UNIX_SOCK
Definition: manage.h:36
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: options.h:658
options::key_pass_file
const char * key_pass_file
Definition: options.h:262
iroute_ipv6
Definition: route.h:240
IPW32_SET_ADAPTIVE_DELAY_WINDOW
#define IPW32_SET_ADAPTIVE_DELAY_WINDOW
Definition: tun.h:62
DHCP_OPTIONS_DHCP_OPTIONAL
#define DHCP_OPTIONS_DHCP_OPTIONAL
Definition: tun.h:66
show_http_proxy_options
static void show_http_proxy_options(const struct http_proxy_options *o)
Definition: options.c:1643
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition: options.h:738
usage_version
static void usage_version(void)
Definition: options.c:4891
status
static SERVICE_STATUS status
Definition: interactive.c:53
show_connection_entry
static void show_connection_entry(const struct connection_entry *o)
Definition: options.c:1711
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition: options.h:124
options::ns_cert_type
int ns_cert_type
Definition: options.h:600
OPT_P_INHERIT
#define OPT_P_INHERIT
Definition: options.h:733
options::packet_id_file
const char * packet_id_file
Definition: options.h:566
remote_entry::proto
int proto
Definition: options.h:176
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:498
management
Definition: manage.h:335
show_settings
void show_settings(const struct options *o)
Definition: options.c:1798
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1038
tuntap_options::dns6
struct in6_addr dns6[N_DHCP_ADDR]
Definition: tun.h:137
show_dns_options
void show_dns_options(const struct dns_options *o)
Prints configured DNS options.
Definition: dns.c:430
dns_options
Definition: dns.h:70
dirname
char * dirname(char *path)
Definition: compat-dirname.c:62
tuntap_options::domain
const char * domain
Definition: tun.h:99
options::renegotiate_packets
int renegotiate_packets
Definition: options.h:627
alloc_pull_filter_list
static struct pull_filter_list * alloc_pull_filter_list(struct options *o)
Definition: options.c:2230
CHKACC_PRIVATE
#define CHKACC_PRIVATE
Definition: options.c:3853
options::connection_list
struct connection_list * connection_list
Definition: options.h:276
options::cf_per
int cf_per
Definition: options.h:513
win_get_tempdir
const char * win_get_tempdir(void)
Definition: win32-util.c:152
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition: options.h:309
string_alloc_buf
struct buffer string_alloc_buf(const char *str, struct gc_arena *gc)
Definition: buffer.c:770
options::routes
struct route_option_list * routes
Definition: options.h:418
options::chroot_dir
const char * chroot_dir
Definition: options.h:361
options::down_pre
bool down_pre
Definition: options.h:370
tuntap
Definition: tun.h:171
TLS_VER_1_3
#define TLS_VER_1_3
Definition: ssl_backend.h:108
socket.h
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition: options.h:481
options::mark
int mark
Definition: options.h:402
options::max_routes_per_client
int max_routes_per_client
Definition: options.h:519
options::cryptoapi_cert
const char * cryptoapi_cert
Definition: options.h:620
tuntap_options::dhcp_lease_time
int dhcp_lease_time
Definition: tun.h:90
show_p2mp_parms
static void show_p2mp_parms(const struct options *o)
Definition: options.c:1510
M_MSG_VIRT_OUT
#define M_MSG_VIRT_OUT
Definition: error.h:99
OPT_P_SCRIPT
#define OPT_P_SCRIPT
Definition: options.h:716
options::server_bridge_pool_end
in_addr_t server_bridge_pool_end
Definition: options.h:469
options::sockflags
unsigned int sockflags
Definition: options.h:406
options::username
const char * username
Definition: options.h:359
connection_entry::mssfix_default
bool mssfix_default
Definition: options.h:136
WINDOWS_DRIVER_TAP_WINDOWS6
@ WINDOWS_DRIVER_TAP_WINDOWS6
Definition: tun.h:51
dns_server::sni
const char * sni
Definition: dns.h:67
append_cipher_to_ncp_list
void append_cipher_to_ncp_list(struct options *o, const char *ciphername)
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
Definition: ssl_ncp.c:195
connection_entry::local
const char * local
Definition: options.h:104
strsep
char * strsep(char **stringp, const char *delim)
Definition: compat-strsep.c:36
options_warning_extract_parm1
static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
Definition: options.c:4482
platform_chdir
int platform_chdir(const char *dir)
Definition: platform.c:393
AR_INTERACT
#define AR_INTERACT
Definition: options.h:885
OPT_P_NICE
#define OPT_P_NICE
Definition: options.h:727
IS_TYPE_BUF
#define IS_TYPE_BUF
Definition: options.c:5150
TOP_NET30
#define TOP_NET30
Definition: proto.h:43
config.h
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition: options.h:473
setenv_settings
void setenv_settings(struct env_set *es, const struct options *o)
Definition: options.c:1007
USAGE_VALID_SERVER_PROTOS
#define USAGE_VALID_SERVER_PROTOS
http_proxy_options
Definition: proxy.h:44
DEFAULT_SEQ_BACKTRACK
#define DEFAULT_SEQ_BACKTRACK
Definition: packet_id.h:100
options::extra_certs_file
const char * extra_certs_file
Definition: options.h:582
ssl_ncp.h
connection_entry::bind_ipv6_only
bool bind_ipv6_only
Definition: options.h:108
dns_server::next
struct dns_server * next
Definition: dns.h:60
check_inline_file
static int check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
Definition: options.c:5227
connection_entry::fragment
int fragment
Definition: options.h:132
tuntap_options::dns_len
int dns_len
Definition: tun.h:109
setenv_connection_entry
static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
Definition: options.c:984
options::up_restart
bool up_restart
Definition: options.h:372
MD_SHA1
@ MD_SHA1
Definition: crypto_backend.h:52
positive_atoi
static int positive_atoi(const char *str)
Definition: options.c:4943
check_file_access
static bool check_file_access(const int type, const char *file, const int mode, const char *opt)
Definition: options.c:3856
gc_init
static void gc_init(struct gc_arena *a)
Definition: buffer.h:1017
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:476
options_postprocess_verify_ce
static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
Definition: options.c:2321
connection_entry::tls_mtu
int tls_mtu
Definition: options.h:127
OPENVPN_8021Q_MIN_VID
#define OPENVPN_8021Q_MIN_VID
Definition: proto.h:325
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: options.h:524
route_option_list::flags
unsigned int flags
Definition: route.h:94
options::transition_window
int transition_window
Definition: options.h:641
SHOW_STR_INLINE
#define SHOW_STR_INLINE(var)
Definition: options.c:971
parse_argv
void parse_argv(struct options *options, const int argc, char *argv[], const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5390
tuntap_options::dhcp_options
int dhcp_options
Definition: tun.h:97
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition: options.c:4641
connection_entry::proto
int proto
Definition: options.h:99
dns_server_addr::a6
struct in6_addr a6
Definition: dns.h:53
SHOW_PARM
#define SHOW_PARM(name, value, format)
Definition: options.c:969
parse_windows_driver
static enum windows_driver_type parse_windows_driver(const char *str, const int msglevel)
Parses –windows-driver config option.
Definition: options.c:4687
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:563
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:480
options::auth_token_generate
bool auth_token_generate
Definition: options.h:525
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition: options.h:310
OPT_P_CONFIG
#define OPT_P_CONFIG
Definition: options.h:730
options::engine
const char * engine
Definition: options.h:561
push_entry::next
struct push_entry * next
Definition: pushlist.h:30
options::real_hash_size
int real_hash_size
Definition: options.h:483
options::priv_key_file
const char * priv_key_file
Definition: options.h:584
AR_NOINTERACT
#define AR_NOINTERACT
Definition: options.h:886
OPT_P_UP
#define OPT_P_UP
Definition: options.h:713
options::client_disconnect_script
const char * client_disconnect_script
Definition: options.h:486
remote_entry
Definition: options.h:172
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:744
options::push_option_types_found
unsigned int push_option_types_found
Definition: options.h:541
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition: options.c:3328
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition: options.h:521
options::show_net_up
bool show_net_up
Definition: options.h:676
RG_DEF1
#define RG_DEF1
Definition: route.h:86
options::tmp_dir
const char * tmp_dir
Definition: options.h:450
options::cf_max
int cf_max
Definition: options.h:512
options::crl_file
const char * crl_file
Definition: options.h:597
apply_push_options
bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5503
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:495
helper.h
options_pre_connect::authname
const char * authname
Definition: options.h:83
remote_list::len
int len
Definition: options.h:193
constrain_int
static int constrain_int(int x, int min, int max)
Definition: integer.h:102
SF_HOST_RANDOMIZE
#define SF_HOST_RANDOMIZE
Definition: socket.h:207
COMP_F_ALLOW_ASYM
#define COMP_F_ALLOW_ASYM
Definition: comp.h:41
apply_pull_filter
static bool apply_pull_filter(const struct options *o, char *line)
Filter an option line by all pull filters.
Definition: options.c:5463
options::route_delay_window
int route_delay_window
Definition: options.h:416
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
dhcp_release_by_adapter_index
bool dhcp_release_by_adapter_index(const DWORD adapter_index)
Definition: tun.c:5246
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition: options.h:734
CE_DISABLED
#define CE_DISABLED
Definition: options.h:143
SF_USE_IP_PKTINFO
#define SF_USE_IP_PKTINFO
Definition: socket.h:204
platform_access
int platform_access(const char *path, int mode)
Definition: platform.c:458
options::occ
bool occ
Definition: options.h:427
options::persist_mode
int persist_mode
Definition: options.h:260
options_postprocess_verify
static void options_postprocess_verify(const struct options *o)
Definition: options.c:3462
options::remote_list
struct remote_list * remote_list
Definition: options.h:278
OPENVPN_KU_REQUIRED
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
Definition: ssl_verify.h:234
options_pre_connect::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:66
options::pull_filter_list
struct pull_filter_list * pull_filter_list
Definition: options.h:697
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: options.h:499
connection_entry::af
sa_family_t af
Definition: options.h:100
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition: options.h:501
http_custom_header::content
const char * content
Definition: proxy.h:40
dns_server_addr::a4
struct in_addr a4
Definition: dns.h:52
COMP_ALG_LZO
#define COMP_ALG_LZO
Definition: comp.h:47
MIN_SEQ_BACKTRACK
#define MIN_SEQ_BACKTRACK
Definition: packet_id.h:98
IPW32_SET_MANUAL
#define IPW32_SET_MANUAL
Definition: tun.h:75
options::route_script
const char * route_script
Definition: options.h:409
x509_track_add
void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
Definition: ssl_verify_openssl.c:423
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:262
ifconfig_pool_verify_range
bool ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_addr_t end)
Definition: pool.c:121
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:356
TUN_MTU_DEFAULT
#define TUN_MTU_DEFAULT
Definition: mtu.h:70
options_postprocess_mutate_invariant
static void options_postprocess_mutate_invariant(struct options *options)
Definition: options.c:3397
options::vlan_accept
enum vlan_acceptable_frames vlan_accept
Definition: options.h:694
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:62
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition: ssl_backend.h:103
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:328
options::route_delay
int route_delay
Definition: options.h:415
options::ifconfig_local
const char * ifconfig_local
Definition: options.h:308
connection_entry::tun_mtu
int tun_mtu
Definition: options.h:118
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: options.h:497
memdbg.h
dns_server_priority_parse
bool dns_server_priority_parse(long *priority, const char *str, bool pulled)
Parses a string DNS server priority and validates it.
Definition: dns.c:160
options::user_script_used
bool user_script_used
Definition: options.h:369
options::learn_address_script
const char * learn_address_script
Definition: options.h:487
connection_entry::tun_mtu_max
int tun_mtu_max
Definition: options.h:120
print_windows_driver
const char * print_windows_driver(enum windows_driver_type windows_driver)
Definition: tun.c:7145
DEFAULT_TIME_BACKTRACK
#define DEFAULT_TIME_BACKTRACK
Definition: packet_id.h:109
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:342
auth_retry_set
bool auth_retry_set(const int msglevel, const char *option)
Definition: options.c:4772
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition: proto.h:35
options::bind_dev
char * bind_dev
Definition: options.h:403
options::mtu_test
bool mtu_test
Definition: options.h:319
options::management_client_user
const char * management_client_user
Definition: options.h:437
options::ciphername
const char * ciphername
Definition: options.h:556
options::inactivity_timeout
int inactivity_timeout
Definition: options.h:330
options::suppress_timestamps
bool suppress_timestamps
Definition: options.h:378
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition: options.h:731
title_string
const char title_string[]
Definition: options.c:67
COMP_ALGV2_LZ4
#define COMP_ALGV2_LZ4
Definition: comp.h:54
connection_entry::local_port
const char * local_port
Definition: options.h:101
M_USAGE
#define M_USAGE
Definition: error.h:106
setenv_str_safe
void setenv_str_safe(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:289
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition: crypto.h:274
options::dev_node
const char * dev_node
Definition: options.h:305
msg
#define msg(flags,...)
Definition: error.h:144
env_set_get
const char * env_set_get(const struct env_set *es, const char *name)
Definition: env_set.c:201
pkcs11_id_management
static bool pkcs11_id_management
Definition: test_pkcs11.c:128
OPT_P_MTU
#define OPT_P_MTU
Definition: options.h:726
http_proxy_options::custom_headers
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
Definition: proxy.h:58
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: options.h:523
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition: options.h:740
gc_realloc
void * gc_realloc(void *ptr, size_t size, struct gc_arena *a)
allows to realloc a pointer previously allocated by gc_malloc or gc_realloc
Definition: buffer.c:388
push_entry::enable
bool enable
Definition: pushlist.h:31
pull_filter::next
struct pull_filter * next
Definition: options.c:937
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition: mtu.h:131
options_pre_connect::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:86
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:477
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:275
SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_OPTIONAL
Definition: ssl_common.h:408
remote_list
Definition: options.h:190
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition: options.h:312
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition: manage.h:43
http-client.f
string f
Definition: http-client.py:6
options::renegotiate_bytes
int renegotiate_bytes
Definition: options.h:626
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition: common.h:69
MF_UP_DOWN
#define MF_UP_DOWN
Definition: manage.h:40
options::lladdr
const char * lladdr
Definition: options.h:306
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
options::server_bridge_defined
bool server_bridge_defined
Definition: options.h:465
dhcp
Definition: dhcp.h:53
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition: buffer.h:1076
remote_list::capacity
int capacity
Definition: options.h:192
SHOW_BOOL
#define SHOW_BOOL(var)
Definition: options.c:979
pre_connect_save
static void pre_connect_save(struct options *o)
Definition: options.c:3286
CONNECTION_LIST_SIZE
#define CONNECTION_LIST_SIZE
Definition: options.h:180
BOOL_CAST
#define BOOL_CAST(x)
Definition: basic.h:27
buf_set_read
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition: buffer.h:348
options_warning
void options_warning(char *actual, const char *expected)
Definition: options.c:4476
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1097
options::ca_file_inline
bool ca_file_inline
Definition: options.h:576
options::management_user_pass
const char * management_user_pass
Definition: options.h:432
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:229
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:502
options::remote_cert_eku
const char * remote_cert_eku
Definition: options.h:602
options::pull
bool pull
Definition: options.h:539
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1333
NS_CERT_CHECK_CLIENT
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:231
PROTO_UDP
@ PROTO_UDP
Definition: socket.h:555
TLS_SERVER
#define TLS_SERVER
GETADDR_FATAL
#define GETADDR_FATAL
Definition: socket.h:505
PROTO_TCP
@ PROTO_TCP
Definition: socket.h:556
tuntap_options::ntp
in_addr_t ntp[N_DHCP_ADDR]
Definition: tun.h:116
COMP_F_ALLOW_STUB_ONLY
#define COMP_F_ALLOW_STUB_ONLY
Definition: comp.h:39
options_warning_safe_ml
static void options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
Definition: options.c:4586
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:436
dhcp_option_dns6_parse
static void dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
Definition: options.c:1306
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition: buffer.c:843
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:411
check_tls_prf_working
bool check_tls_prf_working(void)
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS K...
Definition: crypto.c:1795
Generated by   doxygen 1.8.17