OpenVPN
options.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2025 David Sommerseth <dazo@eurephia.org>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <https://www.gnu.org/licenses/>.
22 */
23
24/*
25 * 2004-01-28: Added Socks5 proxy support
26 * (Christof Meerwald, http://cmeerw.org)
27 */
28
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32#ifdef HAVE_CONFIG_VERSION_H
33#include "config-version.h"
34#endif
35
36#include "syshead.h"
37
38#include "buffer.h"
39#include "error.h"
40#include "common.h"
41#include "run_command.h"
42#include "shaper.h"
43#include "crypto.h"
44#include "ssl.h"
45#include "ssl_ncp.h"
46#include "options.h"
47#include "misc.h"
48#include "socket_util.h"
49#include "packet_id.h"
50#include "pkcs11.h"
51#include "win32.h"
52#include "push.h"
53#include "pool.h"
54#include "proto.h"
55#include "helper.h"
56#include "manage.h"
57#include "forward.h"
58#include "ssl_verify.h"
59#include "platform.h"
60#include "xkey_common.h"
61#include "dco.h"
62#include "options_util.h"
63#include "tun_afunix.h"
64#include "domain_helper.h"
65
66#include <ctype.h>
67
68#include "memdbg.h"
69#include "options_util.h"
70
71const char title_string[] = PACKAGE_STRING
72#ifdef CONFIGURE_GIT_REVISION
73 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
74#endif
75 " " TARGET_ALIAS
76#if defined(ENABLE_CRYPTO_MBEDTLS)
77 " [SSL (mbed TLS)]"
78#elif defined(ENABLE_CRYPTO_OPENSSL)
79 " [SSL (OpenSSL)]"
80#else
81 " [SSL]"
82#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
83#ifdef USE_COMP
84#ifdef ENABLE_LZO
85 " [LZO]"
86#endif
87#ifdef ENABLE_LZ4
88 " [LZ4]"
89#endif
90#ifdef ENABLE_COMP_STUB
91 " [COMP_STUB]"
92#endif
93#endif /* USE_COMP */
94#if EPOLL
95 " [EPOLL]"
96#endif
97#ifdef PRODUCT_TAP_DEBUG
98 " [TAPDBG]"
99#endif
100#ifdef ENABLE_PKCS11
101 " [PKCS11]"
102#endif
103#if ENABLE_IP_PKTINFO
104#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
105 " [MH/PKTINFO]"
106#elif defined(IP_RECVDSTADDR)
107 " [MH/RECVDA]"
108#endif
109#endif
110 " [AEAD]"
111#ifdef ENABLE_DCO
112 " [DCO]"
113#endif
114#ifdef CONFIGURE_GIT_REVISION
115 " built on " __DATE__
116#endif
117 ;
118
119#ifndef ENABLE_SMALL
120
121static const char usage_message[] =
122 "%s\n"
123 "\n"
124 "General Options:\n"
125 "--config file : Read configuration options from file.\n"
126 "--help : Show options.\n"
127 "--version : Show copyright and version information.\n"
128 "\n"
129 "Tunnel Options:\n"
130 "--local host|* [port]: Local host name or IP address and port for bind.\n"
131 " If specified, OpenVPN will bindto this address. If unspecified,\n"
132 " OpenVPN will bind to all interfaces. '*' can be used as hostname\n"
133 " and means 'any host' (OpenVPN will listen on what is returned by the OS).\n"
134 " On a client, or in point-to-point mode, this can only be specified once (1 socket).\n"
135 " On an OpenVPN setup running as ``--server``, this can be specified multiple times\n"
136 " to open multiple listening sockets on different addresses and/or different ports.\n"
137 " In order to specify multiple listen ports without specifying an address, use '*'\n"
138 " to signal 'use what the operating system gives you as default', for\n"
139 " 'all IPv4 addresses' use '0.0.0.0', for 'all IPv6 addresses' use '::'.\n"
140 " ``--local`` implies ``--bind``.\n"
141 "--remote host [port] : Remote host name or ip address.\n"
142 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
143 "--remote-random-hostname : Add a random string to remote DNS name.\n"
144 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
145 "--proto p : Use protocol p for communicating with peer.\n"
146 " p = udp (default), tcp-server, tcp-client\n"
147 " udp4, tcp4-server, tcp4-client\n"
148 " udp6, tcp6-server, tcp6-client\n"
149 "--proto-force p : only consider protocol p in list of connection profiles.\n"
150 " p = udp or tcp\n"
151 "--connect-retry n [m] : For client, number of seconds to wait between\n"
152 " connection retries (default=%d). On repeated retries\n"
153 " the wait time is exponentially increased to a maximum of m\n"
154 " (default=%d).\n"
155 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
156 "--http-proxy s p [up] [auth] : Connect to remote host\n"
157 " through an HTTP proxy at address s and port p.\n"
158 " If proxy authentication is required,\n"
159 " up is a file containing username/password on 2 lines, or\n"
160 " 'stdin' to prompt from console. Add auth='ntlm2' if\n"
161 " the proxy requires NTLM authentication.\n"
162 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
163 " determine auth method and query for username/password\n"
164 " if needed. auto-nct disables weak proxy auth methods.\n"
165 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
166 " Repeat to set multiple options.\n"
167 " VERSION version (default=1.0)\n"
168 " AGENT user-agent\n"
169 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
170 " address s and port p (default port = 1080).\n"
171 " If proxy authentication is required,\n"
172 " up is a file containing username/password on 2 lines, or\n"
173 " 'stdin' to prompt for console.\n"
174 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
175 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
176 " resolve for n seconds before failing (disabled by default).\n"
177 " Set n=\"infinite\" to retry indefinitely.\n"
178 "--float : Allow remote to change its IP address/port, such as through\n"
179 " DHCP (this is the default if --remote is not used).\n"
180 "--ipchange cmd : Run command cmd on remote ip address initial\n"
181 " setting or change -- execute as: cmd ip-address port#\n"
182 "--port port : TCP/UDP port # for both local and remote.\n"
183 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
184 "--rport port : TCP/UDP port # for remote (default=%s).\n"
185 "--bind : Bind to local address and port. (This is the default unless\n"
186 " --proto tcp-client"
187 " or --http-proxy"
188 " or --socks-proxy"
189 " is used).\n"
190 "--nobind : Do not bind to local address and port.\n"
191 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
192 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
193 " this option only if the tun/tap device used with --dev\n"
194 " does not begin with \"tun\" or \"tap\".\n"
195 "--dev-node node : Explicitly set the device node rather than using\n"
196 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
197#if defined(ENABLE_DCO)
198 "--disable-dco : Do not attempt using Data Channel Offload.\n"
199#endif
200 "--lladdr hw : Set the link layer address of the tap device.\n"
201 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
202#ifdef ENABLE_IPROUTE
203 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
204#endif
205 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
206 " endpoint and rn as a remote endpoint. l & rn should be\n"
207 " swapped on the other peer. l & rn must be private\n"
208 " addresses outside of the subnets used by either peer.\n"
209 " TAP: configure device to use IP address l as a local\n"
210 " endpoint and rn as a subnet mask.\n"
211 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
212 " endpoint (as a /64) and r as remote endpoint\n"
213 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
214 " pass --ifconfig parms by environment to scripts.\n"
215 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
216 " connection doesn't match the remote side.\n"
217#ifdef TARGET_LINUX
218 "--route-table table_id : Specify a custom routing table for use with --route(-ipv6).\n"
219 " If not specified, the id of the default routing table will be used.\n"
220#endif
221 "--route network [netmask] [gateway] [metric] :\n"
222 " Add route to routing table after connection\n"
223 " is established. Multiple routes can be specified.\n"
224 " netmask default: 255.255.255.255\n"
225 " gateway default: taken from --route-gateway or --ifconfig\n"
226 " Specify default by leaving blank or setting to \"default\".\n"
227 "--route-ipv6 network/bits [gateway] [metric] :\n"
228 " Add IPv6 route to routing table after connection\n"
229 " is established. Multiple routes can be specified.\n"
230 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
231 " in --ifconfig-ipv6\n"
232 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
233 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
234 "--route-metric m : Specify a default metric for use with --route.\n"
235 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
236 " adding routes (may be 0). If not specified, routes will\n"
237 " be added immediately after tun/tap open. On Windows, wait\n"
238 " up to w seconds for TUN/TAP adapter to come up.\n"
239 "--route-up cmd : Run command cmd after routes are added.\n"
240 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
241 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
242 " --route-up script using environmental variables.\n"
243 "--route-nopull : When used with --client or --pull, accept options pushed\n"
244 " by server EXCEPT for routes, dns, and dhcp options.\n"
245 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
246 " --ifconfig, --route, and --route-gateway.\n"
247 "--redirect-gateway [flags]: Automatically execute routing\n"
248 " commands to redirect all outgoing IP traffic through the\n"
249 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
250 " connected via a common subnet, such as with WiFi.\n"
251 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
252 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
253 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
254 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
255 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
256 " the default gateway. Useful when pushing private subnets.\n"
257 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
258 " ICMPv6 host unreachable messages on the client.\n"
259 " (Server) Instead of forwarding IPv6 packets send\n"
260 " ICMPv6 host unreachable packets to the client.\n"
261 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
262 "--push-peer-info : (client only) push client info to server.\n"
263 "--setenv name value : Set a custom environmental variable to pass to script.\n"
264 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
265 " directives for future OpenVPN versions to be ignored.\n"
266 "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
267 " these options to be ignored when unknown\n"
268 "--script-security level: Where level can be:\n"
269 " 0 -- strictly no calling of external programs\n"
270 " 1 -- (default) only call built-ins such as ifconfig\n"
271 " 2 -- allow calling of built-ins and scripts\n"
272 " 3 -- allow password to be passed to scripts via env\n"
273 "--shaper n : Restrict output to peer to n bytes per second.\n"
274 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
275 " ping once every n seconds, restart if ping not received\n"
276 " for m seconds.\n"
277 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
278 " produces a combined in/out byte count < bytes.\n"
279 "--session-timeout n: Limit connection time to n seconds.\n"
280 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
281 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
282 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
283 " remote address.\n"
284 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
285#if ENABLE_IP_PKTINFO
286 "--multihome : Configure a multi-homed UDP server.\n"
287#endif
288 "--fast-io : Optimize TUN/TAP/UDP writes.\n"
289 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
290 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
291 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
292 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
293#if PASSTOS_CAPABILITY
294 "--passtos : TOS passthrough (applies to IPv4 only).\n"
295#endif
296 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
297 " TCP/UDP MTU from it (default=%d).\n"
298 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
299 " as n bytes more than the tun-mtu size on read\n"
300 " (default TUN=0 TAP=%d).\n"
301 "--tun-mtu-max n : Maximum pushable MTU (default and minimum=%d).\n"
302 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
303 " from it.\n"
304 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
305 " 'no' -- Never send DF (Don't Fragment) frames\n"
306 " 'maybe' -- Use per-route hints\n"
307 " 'yes' -- Always DF (Don't Fragment)\n"
308 "--mtu-test : Empirically measure and report MTU.\n"
309#ifdef ENABLE_FRAGMENT
310 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
311 " datagrams are sent which are larger than max bytes.\n"
312 " Adds 4 bytes of overhead per datagram.\n"
313#endif
314 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
315 " or --fragment max value, whichever is lower.\n"
316 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
317 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
318#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
319 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
320 " can be matched in policy routing and packetfilter rules.\n"
321 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
322 " listening for connections. This allows sending encrypted packets\n"
323 " via a VRF present on the system.\n"
324#endif
325 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
326#ifdef ENABLE_MEMSTATS
327 "--memstats file : Write live usage stats to memory mapped binary file.\n"
328#endif
329 "--mlock : Disable Paging -- ensures key material and tunnel\n"
330 " data will never be written to disk.\n"
331 "--up cmd : Run command cmd after successful tun device open.\n"
332 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
333 " ifconfig-local-ip ifconfig-remote-ip\n"
334 " (pre --user or --group UID/GID change)\n"
335 "--up-delay : Delay tun/tap open and possible --up script execution\n"
336 " until after TCP/UDP connection establishment with peer.\n"
337 "--down cmd : Run command cmd after tun device close.\n"
338 " (post --user/--group UID/GID change and/or --chroot)\n"
339 " (command parameters are same as --up option)\n"
340 "--down-pre : Run --down command before TUN/TAP close.\n"
341 "--up-restart : Run up/down commands for all restarts including those\n"
342 " caused by --ping-restart or SIGUSR1\n"
343 "--user user : Set UID to user after initialization.\n"
344 "--group group : Set GID to group after initialization.\n"
345 "--chroot dir : Chroot to this directory after initialization.\n"
346#ifdef ENABLE_SELINUX
347 "--setcon context: Apply this SELinux context after initialization.\n"
348#endif
349 "--cd dir : Change to this directory before initialization.\n"
350 "--daemon [name] : Become a daemon after initialization.\n"
351 " The optional 'name' parameter will be passed\n"
352 " as the program name to the system logger.\n"
353 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
354 " See --daemon above for a description of the 'name' parm.\n"
355 "--log file : Output log to file which is created/truncated on open.\n"
356 "--log-append file : Append log to file, or create file if nonexistent.\n"
357 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
358 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
359 "--writepid file : Write main process ID to file.\n"
360 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
361 "--echo [parms ...] : Echo parameters to log output.\n"
362 "--verb n : Set output verbosity to n (default=%d):\n"
363 " (Level 3 is recommended if you want a good summary\n"
364 " of what's happening without being swamped by output).\n"
365 " : 0 -- no output except fatal errors\n"
366 " : 1 -- startup info + connection initiated messages +\n"
367 " non-fatal encryption & net errors\n"
368 " : 2,3 -- show TLS negotiations & route info\n"
369 " : 4 -- show parameters\n"
370 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
371 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
372 " : 6 to 11 -- debug messages of increasing verbosity\n"
373 "--mute n : Log at most n consecutive messages in the same category.\n"
374 "--status file [n] : Write operational status to file every n seconds.\n"
375 "--status-version [n] : Choose the status file format version number.\n"
376 " Currently, n can be 1, 2, or 3 (default=1).\n"
377 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
378#ifdef ENABLE_DEBUG
379 "--gremlin mask : Special stress testing mode (for debugging only).\n"
380#endif
381#if defined(USE_COMP)
382 "--compress alg : Use compression algorithm alg\n"
383 "--allow-compression: Specify whether compression should be allowed\n"
384#if defined(ENABLE_LZO)
385 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
386 " packet for incompressible data.\n"
387 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
388 " is specified.\n"
389#endif
390#endif
391#ifdef ENABLE_MANAGEMENT
392 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
393 " management functions. pass is a password file\n"
394 " or 'stdin' to prompt from console.\n"
395#if UNIX_SOCK_SUPPORT
396 " To listen on a unix domain socket, specific the pathname\n"
397 " in place of ip and use 'unix' as the port number.\n"
398#endif
399 "--management-client : Management interface will connect as a TCP client to\n"
400 " ip/port rather than listen as a TCP server.\n"
401 "--management-query-passwords : Query management channel for private key\n"
402 " and auth-user-pass passwords.\n"
403 "--management-query-proxy : Query management channel for proxy information.\n"
404 "--management-query-remote : Query management channel for --remote directive.\n"
405 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
406 " of the management interface explicitly starts it.\n"
407 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
408 "--management-forget-disconnect : Forget passwords when management disconnect\n"
409 " event occurs.\n"
410 "--management-up-down : Report tunnel up/down events to management interface.\n"
411 "--management-log-cache n : Cache n lines of log file history for usage\n"
412 " by the management channel.\n"
413#if UNIX_SOCK_SUPPORT
414 "--management-client-user u : When management interface is a unix socket, only\n"
415 " allow connections from user u.\n"
416 "--management-client-group g : When management interface is a unix socket, only\n"
417 " allow connections from group g.\n"
418#endif
419 "--management-client-auth : gives management interface client the responsibility\n"
420 " to authenticate clients after their client certificate\n"
421 " has been verified.\n"
422#endif /* ifdef ENABLE_MANAGEMENT */
423#ifdef ENABLE_PLUGIN
424 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
425 " to its initialization function.\n"
426#endif
427 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
428 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
429 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
430 "\n"
431 "Multi-Client Server options (when --mode server is used):\n"
432 "--server network netmask : Helper option to easily configure server mode.\n"
433 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
434 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
435 " easily configure ethernet bridging server mode.\n"
436 "--push \"option\" : Push a config file option back to the peer for remote\n"
437 " execution. Peer must specify --pull in its config file.\n"
438 "--push-reset : Don't inherit global push list for specific\n"
439 " client instance.\n"
440 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
441 " a specific client instance.\n"
442 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
443 " to be dynamically allocated to connecting clients.\n"
444 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
445 " data to file, at seconds intervals (default=600).\n"
446 " If seconds=0, file will be treated as read-only.\n"
447 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
448 " to be dynamically allocated to connecting clients.\n"
449 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
450 " overrides --ifconfig-pool dynamic allocation.\n"
451 " Only valid in a client-specific config file.\n"
452 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
453 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
454 " Only valid in a client-specific config file.\n"
455 "--iroute network [netmask] : Route subnet to client.\n"
456 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
457 " Sets up internal routes only.\n"
458 " Only valid in a client-specific config file.\n"
459 "--disable : Client is disabled.\n"
460 " Only valid in a client-specific config file.\n"
461 "--override-username: Overrides the client-specific username to be used.\n"
462 " Only valid in a client-specific config file.\n"
463 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
464 " mandatory client certificate verification.\n"
465 " Default is to require the client to supply a certificate.\n"
466 "--username-as-common-name : For auth-user-pass authentication, use\n"
467 " the authenticated username as the common name,\n"
468 " rather than the common name from the client cert.\n"
469 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
470 " run command cmd to verify. If method='via-env', pass\n"
471 " user/pass via environment, if method='via-file', pass\n"
472 " user/pass via temporary file.\n"
473 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
474 " to each client, replacing the password. Useful when\n"
475 " OTP based two-factor auth mechanisms are in use and\n"
476 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
477 " for generated tokens can be set.\n"
478 "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
479 " with those of the server will be disconnected.\n"
480 "--auth-user-pass-optional : Allow connections by clients that don't\n"
481 " specify a username/password.\n"
482 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
483 " any printable character.\n"
484 "--client-to-client : Internally route client-to-client traffic.\n"
485 "--duplicate-cn : Allow multiple clients with the same common name to\n"
486 " concurrently connect.\n"
487 "--client-connect cmd : Run command cmd on client connection.\n"
488 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
489 "--client-config-dir dir : Directory for custom client config files.\n"
490 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
491 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
492 "--hash-size r v : Set the size of the real address hash table to r and the\n"
493 " virtual address table to v.\n"
494 "--bcast-buffers n : Allocate n broadcast buffers.\n"
495 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
496 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
497 " as well as pushes it to connecting clients.\n"
498 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
499 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
500 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
501 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
502 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
503 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
504 " older than n seconds. Run this check every t\n"
505 " seconds (defaults to n).\n"
506 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
507 " clients. n = 1 - reconnect to same server,\n"
508 " 2 - advance to next server, default=1.\n"
509#if PORT_SHARE
510 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
511 " sessions to a web server at host:port. dir specifies an\n"
512 " optional directory to write origin IP:port data.\n"
513#endif
514 "\n"
515 "Client options (when connecting to a multi-client server):\n"
516 "--client : Helper option to easily configure client mode.\n"
517 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
518 " up is a file containing the username on the first line,\n"
519 " and a password on the second. If either the password or both\n"
520 " the username and the password are omitted OpenVPN will prompt\n"
521 " for them from console.\n"
522 "--pull : Accept certain config file options from the peer as if they\n"
523 " were part of the local config file. Must be specified\n"
524 " when connecting to a '--mode server' remote host.\n"
525 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
526 " server if it starts with the text t. The action flag accept,\n"
527 " ignore or reject causes the option to be allowed, removed or\n"
528 " rejected with error. May be specified multiple times, and\n"
529 " each filter is applied in the order of appearance.\n"
530 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
531 " Valid options are :\n"
532 " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
533 " resolve-domains <domain> [domain ...] : split domains\n"
534 " dnssec <yes|no|optional> : option to use DNSSEC\n"
535 " transport <DoH|DoT> : query server over HTTPS / TLS\n"
536 " sni <domain> : DNS server name indication\n"
537 "--dns search-domains <domain> [domain ...]:\n"
538 " Add domains to DNS domain search list\n"
539 "--dns-updown cmd|force|disable : Run cmd as user defined dns config command,\n"
540 " force running the default script or disable running it.\n"
541 "--auth-retry t : How to handle auth failures. Set t to\n"
542 " none (default), interact, or nointeract.\n"
543 "--static-challenge t e [<scrv1|concat>]: Enable static challenge/response protocol using\n"
544 " challenge text t, with e indicating echo flag (0|1)\n"
545 " and optional argument scrv1 or concat to use SCRV1 protocol or"
546 " concatenate response with password. Default is scrv1.\n"
547 "--connect-timeout n : when polling possible remote servers to connect to\n"
548 " in a round-robin fashion, spend no more than n seconds\n"
549 " waiting for a response before trying the next server.\n"
550 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
551 " incoming tun packets with same destination as host.\n"
552 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
553 " server/remote. n = # of retries, default=1.\n"
554 "\n"
555 "Data Channel Encryption Options (must be compatible between peers):\n"
556 "(These options are meaningful for both Static Key & TLS-mode)\n"
557 "--auth alg : Authenticate packets with HMAC using message\n"
558 " digest algorithm alg (default=%s).\n"
559 " (usually adds 16 or 20 bytes per packet)\n"
560 " Set alg=none to disable authentication.\n"
561 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
562 " You should usually use --data-ciphers instead.\n"
563 " Set alg=none to disable encryption.\n"
564 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
565#ifndef ENABLE_CRYPTO_MBEDTLS
566 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
567#endif
568 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
569 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
570 " and a time window of t seconds.\n"
571 " Default n=%d t=%d\n"
572 "--replay-persist file : Persist replay-protection state across sessions\n"
573 " using file.\n"
574 "--test-crypto : Run a self-test of crypto features enabled.\n"
575 " For debugging only.\n"
576#ifdef ENABLE_PREDICTION_RESISTANCE
577 "--use-prediction-resistance: Enable prediction resistance on the random\n"
578 " number generator.\n"
579#endif
580 "\n"
581 "TLS Key Negotiation Options:\n"
582 "(These options are meaningful only for TLS-mode)\n"
583 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
584 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
585 "--ca file : Certificate authority file in .pem format containing\n"
586 " root certificate.\n"
587#ifndef ENABLE_CRYPTO_MBEDTLS
588 "--capath dir : A directory of trusted certificates (CAs"
589 " and CRLs).\n"
590#endif /* ENABLE_CRYPTO_MBEDTLS */
591 "--dh file : File containing Diffie Hellman parameters\n"
592 " in .pem format (for --tls-server only).\n"
593 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
594 "--cert file : Local certificate in .pem format or a URI -- must be signed\n"
595 " by a Certificate Authority in --ca file used by the peer.\n"
596 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
597 "--key file : Local private key in .pem format or a URI.\n"
598 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
599 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
600 " is specified, require max TLS version supported by SSL implementation.\n"
601 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
602#ifndef ENABLE_CRYPTO_MBEDTLS
603 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
604 " and optionally the root CA certificate.\n"
605#endif
606#ifdef ENABLE_X509ALTUSERNAME
607 "--x509-username-field : Field in x509 certificate containing the username.\n"
608 " Default is CN in the Subject field.\n"
609#endif
610 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
611 " Valid algo flags are SHA1 and SHA256. \n"
612#ifdef _WIN32
613 "--cryptoapicert select-string : Load the certificate and private key from the\n"
614 " Windows Certificate System Store.\n"
615#endif
616 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
617 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
618 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
619 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
620 " (default=legacy).\n"
621 "--providers l : A list l of OpenSSL providers to load.\n"
622 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
623 " if no ACK from remote within n seconds (default=%d).\n"
624 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
625 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
626 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
627 " and at least min (defaults to 90%% of max on servers and equal\n"
628 " to max on clients).\n"
629 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
630 " of handshake initiation by any peer (default=%d).\n"
631 "--tran-window n : Transition window -- old key can live this many seconds\n"
632 " after new key renegotiation begins (default=%d).\n"
633 "--single-session: Allow only one session (reset state on restart).\n"
634 "--tls-exit : Exit on TLS negotiation failure.\n"
635 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
636 " control channel to protect against attacks on the TLS stack\n"
637 " and DoS attacks.\n"
638 " f (required) is a shared-secret key file.\n"
639 " The optional d parameter controls key directionality.\n"
640 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
641 " of the TLS control channel to hide the TLS certificate,\n"
642 " provide basic post-quantum security and protect against\n"
643 " attacks on the TLS stack and DoS attacks.\n"
644 " key (required) provides the pre-shared key file.\n"
645 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
646 " For servers: use key to decrypt client-specific keys. For\n"
647 " key generation (--genkey tls-crypt-v2-client): use key to\n"
648 " encrypt generated client-specific key. (See --tls-crypt.)\n"
649 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
650 " fresh tls-crypt-v2 client key, and store to\n"
651 " keyfile. If supplied, include metadata in wrapped key.\n"
652 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
653 " fresh tls-crypt-v2 server key, and store to keyfile\n"
654 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
655 " client-supplied tls-crypt-v2 client key\n"
656 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
657 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
658 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
659 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
660 " pending TLS connection that has otherwise passed all other\n"
661 " tests of certification. cmd should return 0 to allow\n"
662 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
663 " executed as 'cmd certificate_depth subject')\n"
664 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
665 " DN name. The remote host must also pass all other tests\n"
666 " of verification.\n"
667#ifndef ENABLE_CRYPTO_MBEDTLS
668 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
669 " an explicit nsCertType designation t = 'client' | 'server'.\n"
670#endif
671 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
672 " plugins and management interface.\n"
673 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
674 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
675 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
676 " explicit key usage, you can specify more than one value.\n"
677 " value should be given in hex format.\n"
678 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
679 " explicit extended key usage. Extended key usage can be encoded\n"
680 " as an object identifier or OpenSSL string representation.\n"
681 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
682 " key usage and extended key usage based on RFC3280 TLS rules.\n"
683 " t = 'client' | 'server'.\n"
684#ifdef ENABLE_PKCS11
685 "\n"
686 "PKCS#11 Options:\n"
687 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
688 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
689 " path. Set for each provider.\n"
690 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
691 " 0 : Try to determine automatically (default).\n"
692 " 1 : Use Sign.\n"
693 " 2 : Use SignRecover.\n"
694 " 4 : Use Decrypt.\n"
695 " 8 : Use Unwrap.\n"
696 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
697 " certificate can be accessed. Set for each provider.\n"
698 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
699 " cache until token is removed.\n"
700 "--pkcs11-id-management : Acquire identity from management interface.\n"
701 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
702#endif /* ENABLE_PKCS11 */
703 "\n"
704 "SSL Library information:\n"
705 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
706 "--show-digests : Show message digest algorithms to use with --auth option.\n"
707 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
708 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
709#ifdef _WIN32
710 "\n"
711 "Windows Specific:\n"
712 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
713 " from SystemRoot environment variable.\n"
714 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
715 " IP address using method = manual, netsh, ipapi,\n"
716 " dynamic, or adaptive (default = adaptive).\n"
717 " Dynamic method allows two optional parameters:\n"
718 " offset: DHCP server address offset (> -256 and < 256).\n"
719 " If 0, use network address, if >0, take nth\n"
720 " address forward from network address, if <0,\n"
721 " take nth address backward from broadcast\n"
722 " address.\n"
723 " Default is 0.\n"
724 " lease-time: Lease time in seconds.\n"
725 " Default is one year.\n"
726 "--route-method : Which method to use for adding routes on Windows?\n"
727 " adaptive (default) -- Try ipapi then fall back to exe.\n"
728 " ipapi -- Use IP helper API.\n"
729 " exe -- Call the route.exe shell command.\n"
730 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
731 " be used with --ip-win32 dynamic. For options\n"
732 " which allow multiple addresses,\n"
733 " --dhcp-option must be repeated.\n"
734 " DOMAIN name : Set DNS suffix\n"
735 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
736 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
737 " NTP : Set NTP server address(es)\n"
738 " NBDD : Set NBDD server address(es)\n"
739 " WINS addr : Set WINS server address(es)\n"
740 " NBT type : Set NetBIOS over TCP/IP Node type\n"
741 " 1: B, 2: P, 4: M, 8: H\n"
742 " NBS id : Set NetBIOS scope ID\n"
743 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
744 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
745 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
746 " startup.\n"
747 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
748 " on connection initiation.\n"
749 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
750 " attempting to set adapter properties.\n"
751 "--pause-exit : When run from a console window, pause before exiting.\n"
752 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
753 " service, and should not be used directly by end-users.\n"
754 " ex is the name of an event object which, when\n"
755 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
756 " optional parameter controls the initial state of ex.\n"
757 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
758 " after TAP adapter is up and routes have been added.\n"
759 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
760 "Windows Standalone Options:\n"
761 "\n"
762 "--show-adapters : Show all TAP-Windows adapters.\n"
763 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
764 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
765 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
766 " to access TAP adapter.\n"
767#endif /* ifdef _WIN32 */
768 "\n"
769 "Generate a new key :\n"
770 "--genkey tls-auth file : Generate a new random key of type and write to file\n"
771 " (for use with --tls-auth or --tls-crypt)."
772#ifdef ENABLE_FEATURE_TUN_PERSIST
773 "\n"
774 "Tun/tap config mode (available with linux 2.4+):\n"
775 "--mktun : Create a persistent tunnel.\n"
776 "--rmtun : Remove a persistent tunnel.\n"
777 "--dev tunX|tapX : tun/tap device\n"
778 "--dev-type dt : Device type. See tunnel options above for details.\n"
779 "--user user : User to set privilege to.\n"
780 "--group group : Group to set privilege to.\n"
781#endif
782#ifdef ENABLE_PKCS11
783 "\n"
784 "PKCS#11 standalone options:\n"
785#ifdef DEFAULT_PKCS11_MODULE
786 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
787#else
788 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
789#endif
790 " --verb option can be added *BEFORE* this.\n"
791#endif /* ENABLE_PKCS11 */
792 "\n"
793 "General Standalone Options:\n"
794#ifdef ENABLE_DEBUG
795 "--show-gateway [address]: Show info about gateway [to v4/v6 address].\n"
796#endif
797 ;
798
799#endif /* !ENABLE_SMALL */
800
801/*
802 * This is where the options defaults go.
803 * Any option not explicitly set here
804 * will be set to 0.
805 */
806void
807init_options(struct options *o, const bool init_gc)
808{
809 CLEAR(*o);
810 if (init_gc)
811 {
812 gc_init(&o->gc);
813 gc_init(&o->dns_options.gc);
814 o->gc_owned = true;
815 }
816 o->mode = MODE_POINT_TO_POINT;
817 o->topology = TOP_UNDEF;
818 o->ce.proto = PROTO_UDP;
819 o->ce.af = AF_UNSPEC;
820 o->ce.bind_ipv6_only = false;
821 o->ce.connect_retry_seconds = 1;
822 o->ce.connect_retry_seconds_max = 300;
823 o->ce.connect_timeout = 120;
824 o->connect_retry_max = 0;
825 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
826 o->verbosity = 1;
827 o->status_file_update_freq = 60;
828 o->status_file_version = 1;
829 o->ce.bind_local = true;
830 o->ce.tun_mtu = TUN_MTU_DEFAULT;
831 o->ce.occ_mtu = 0;
832 o->ce.link_mtu = LINK_MTU_DEFAULT;
833 o->ce.tls_mtu = TLS_MTU_DEFAULT;
834 o->ce.mtu_discover_type = -1;
835 o->ce.mssfix = 0;
836 o->ce.mssfix_default = true;
837 o->ce.mssfix_encap = true;
838 o->route_default_table_id = 0;
839 o->route_delay_window = 30;
840 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
841 o->resolve_in_advance = false;
842 o->proto_force = -1;
843 o->occ = true;
844#ifdef ENABLE_MANAGEMENT
845 o->management_log_history_cache = 250;
846 o->management_echo_buffer_size = 100;
847 o->management_state_buffer_size = 100;
848#endif
849#ifdef ENABLE_FEATURE_TUN_PERSIST
850 o->persist_mode = 1;
851#endif
852#ifdef _WIN32
853#if 0
854 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
855#else
856 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
857#endif
858 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
859 /* use network address as internal DHCP server address */
860 o->tuntap_options.dhcp_masq_offset = 0;
861 o->route_method = ROUTE_METHOD_ADAPTIVE;
862 o->block_outside_dns = false;
863 o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
864#endif
865 o->vlan_accept = VLAN_ALL;
866 o->vlan_pvid = 1;
867 o->real_hash_size = 256;
868 o->virtual_hash_size = 256;
869 o->n_bcast_buf = 256;
870 o->tcp_queue_limit = 64;
871 o->max_clients = 1024;
872 o->cf_initial_per = 10;
873 o->cf_initial_max = 100;
874 o->max_routes_per_client = 256;
875 o->stale_routes_check_interval = 0;
876 o->ifconfig_pool_persist_refresh_freq = 600;
877 o->scheduled_exit_interval = 5;
878 o->authname = "SHA1";
879 o->replay_window = DEFAULT_SEQ_BACKTRACK;
880 o->replay_time = DEFAULT_TIME_BACKTRACK;
881 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
882#ifdef ENABLE_PREDICTION_RESISTANCE
883 o->use_prediction_resistance = false;
884#endif
885 o->tls_timeout = 2;
886 o->renegotiate_bytes = -1;
887 o->renegotiate_seconds = 3600;
888 o->renegotiate_seconds_min = -1;
889 o->handshake_window = 60;
890 o->transition_window = 3600;
891 o->tls_cert_profile = NULL;
892 o->ecdh_curve = NULL;
893#ifdef ENABLE_X509ALTUSERNAME
894 o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
895#endif
896#ifdef ENABLE_PKCS11
897 o->pkcs11_pin_cache_period = -1;
898#endif /* ENABLE_PKCS11 */
899
900 /* P2MP server context features */
901 o->auth_token_generate = false;
902
903 /* Set default --tmp-dir */
904#ifdef _WIN32
905 /* On Windows, find temp dir via environment variables */
906 o->tmp_dir = win_get_tempdir();
907
908 if (!o->tmp_dir)
909 {
910 /* Error out if we can't find a valid temporary directory, which should
911 * be very unlikely. */
912 msg(M_USAGE, "Could not find a suitable temporary directory."
913 " (GetTempPath() failed). Consider using --tmp-dir");
914 }
915#else /* ifdef _WIN32 */
916 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
917 o->tmp_dir = getenv("TMPDIR");
918 if (!o->tmp_dir)
919 {
920 o->tmp_dir = "/tmp";
921 }
922#endif /* _WIN32 */
923 o->allow_recursive_routing = false;
924
925#ifndef ENABLE_DCO
926 o->disable_dco = true;
927#endif /* ENABLE_DCO */
928
929#ifdef ENABLE_DNS_UPDOWN_BY_DEFAULT
930 o->dns_options.updown = DEFAULT_DNS_UPDOWN;
931#endif /* ENABLE_DNS_UPDOWN_BY_DEFAULT */
932}
933
934void
935uninit_options(struct options *o)
936{
937 if (o->connection_list)
938 {
939 CLEAR(*o->connection_list);
940 }
941 if (o->remote_list)
942 {
943 CLEAR(*o->remote_list);
944 }
945 if (o->gc_owned)
946 {
947 gc_free(&o->gc);
948 gc_free(&o->dns_options.gc);
949 }
950}
951
952#ifndef ENABLE_SMALL
953
954static const char *
955pull_filter_type_name(int type)
956{
957 if (type == PUF_TYPE_ACCEPT)
958 {
959 return "accept";
960 }
961 if (type == PUF_TYPE_IGNORE)
962 {
963 return "ignore";
964 }
965 if (type == PUF_TYPE_REJECT)
966 {
967 return "reject";
968 }
969 else
970 {
971 return "???";
972 }
973}
974
975#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
976#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
977#define SHOW_STR_INLINE(var) \
978 SHOW_PARM(var, o->var##_inline ? "[INLINE]" : (o->var ? o->var : "[UNDEF]"), "'%s'")
979#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
980#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
981#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
982#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
983#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
984
985#endif /* ifndef ENABLE_SMALL */
986
987static void
988setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
989{
990 setenv_str_i(es, "remote", e->remote, i);
991 setenv_str_i(es, "remote_port", e->remote_port, i);
992
993 if (e->http_proxy_options)
994 {
995 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
996 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
997 }
998 if (e->socks_proxy_server)
999 {
1000 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
1001 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
1002 }
1003}
1004
1005static void
1006setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
1007{
1008 setenv_str_i(es, "proto", proto2ascii(e->proto, AF_UNSPEC, false), i);
1009 setenv_str_i(es, "local", e->local, i);
1010 setenv_str_i(es, "local_port", e->port, i);
1011}
1012
1013void
1014setenv_settings(struct env_set *es, const struct options *o)
1015{
1016 setenv_str(es, "config", o->config);
1017 setenv_int(es, "verb", o->verbosity);
1018 setenv_int(es, "daemon", o->daemon);
1019 setenv_int(es, "daemon_log_redirect", o->log);
1020 setenv_long_long(es, "daemon_start_time", time(NULL));
1021 setenv_int(es, "daemon_pid", platform_getpid());
1022
1023 if (o->connection_list)
1024 {
1025 int i;
1026 for (i = 0; i < o->connection_list->len; ++i)
1027 {
1028 setenv_connection_entry(es, o->connection_list->array[i], i + 1);
1029 }
1030 }
1031 else
1032 {
1033 setenv_connection_entry(es, &o->ce, 1);
1034 }
1035
1036 if (o->ce.local_list)
1037 {
1038 for (int i = 0; i < o->ce.local_list->len; i++)
1039 {
1040 setenv_local_entry(es, o->ce.local_list->array[i], i + 1);
1041 }
1042 }
1043}
1044
1045#ifndef _WIN32
1046static void
1047setenv_foreign_option(struct options *o, const char *option, const char *value, struct env_set *es)
1048{
1049 struct gc_arena gc = gc_new();
1050 struct buffer env_name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1051 struct buffer env_value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1052 bool good = true;
1053
1054 good &= buf_printf(&env_name, "foreign_option_%d", o->foreign_option_index + 1);
1055 if (value)
1056 {
1057 good &= buf_printf(&env_value, "dhcp-option %s %s", option, value);
1058 }
1059 else
1060 {
1061 good &= buf_printf(&env_value, "dhcp-option %s", option);
1062 }
1063 if (good)
1064 {
1065 setenv_str(es, BSTR(&env_name), BSTR(&env_value));
1066 ++o->foreign_option_index;
1067 }
1068 else
1069 {
1070 msg(M_WARN, "foreign_option: name/value overflow");
1071 }
1072 gc_free(&gc);
1073}
1074
1075static void
1076delete_all_dhcp_fo(struct options *o, struct env_item **list)
1077{
1078 struct env_item *current, *prev;
1079
1080 ASSERT(list);
1081
1082 for (current = *list, prev = NULL; current != NULL; current = current->next)
1083 {
1084 char *tmp_value = NULL;
1085 if (!strncmp(current->string, "foreign_option_", sizeof("foreign_option_") - 1))
1086 {
1087 tmp_value = strchr(current->string, '=');
1088 if (tmp_value && ++tmp_value)
1089 {
1090 if (!strncmp(tmp_value, "dhcp-option ", sizeof("dhcp-option ") - 1))
1091 {
1092 if (prev)
1093 {
1094 prev->next = current->next;
1095 }
1096 else
1097 {
1098 *list = current->next;
1099 }
1100 o->foreign_option_index--;
1101 }
1102 }
1103 }
1104 prev = current;
1105 }
1106}
1107
1108#endif /* ifndef _WIN32 */
1109
1110static in_addr_t
1111get_ip_addr(const char *ip_string, msglvl_t msglevel, bool *error)
1112{
1113 unsigned int flags = GETADDR_HOST_ORDER;
1114 bool succeeded = false;
1115 in_addr_t ret;
1116
1117 if (msglevel & M_FATAL)
1118 {
1119 flags |= GETADDR_FATAL;
1120 }
1121
1122 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1123 if (!succeeded && error)
1124 {
1125 *error = true;
1126 }
1127 return ret;
1128}
1129
1135static char *
1136get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1137{
1138 const char *end = strchr(addr, '/');
1139 char *ret = NULL;
1140 if (NULL == end)
1141 {
1142 ret = string_alloc(addr, gc);
1143 }
1144 else
1145 {
1146 size_t len = end - addr;
1147 ret = gc_malloc(len + 1, true, gc);
1148 memcpy(ret, addr, len);
1149 }
1150 return ret;
1151}
1152
1153static bool
1154ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
1155{
1156 struct in6_addr t_addr;
1157 unsigned int t_bits;
1158
1159 return get_ipv6_addr(ipv6_prefix_spec, &t_addr, &t_bits, M_WARN);
1160}
1161
1162#if defined(__GNUC__) || defined(__clang__)
1163#pragma GCC diagnostic push
1164#pragma GCC diagnostic ignored "-Wconversion"
1165#endif
1166
1167static char *
1168string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1169{
1170 char *ret = (char *)gc_malloc(strlen(src) + 1, true, gc);
1171 char *dest = ret;
1172 char c;
1173
1174 do
1175 {
1176 c = *src++;
1177 if (c == from)
1178 {
1179 c = to;
1180 }
1181 *dest++ = c;
1182 } while (c);
1183 return ret;
1184}
1185
1195static struct verify_hash_list *
1196parse_hash_fingerprint(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
1197{
1198 int i = 0;
1199 const char *cp = str;
1200
1201 struct verify_hash_list *ret;
1202 ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1203
1204 char term = 0;
1205 unsigned int byte;
1206
1207 while (*cp && i < nbytes)
1208 {
1209 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1210 if (!isxdigit(cp[0]) || !isxdigit(cp[1]) || (cp[2] != ':' && cp[2] != '\0')
1211 || sscanf(cp, "%x", &byte) != 1)
1212 {
1213 msg(msglevel, "format error in hash fingerprint: %s", str);
1214 break;
1215 }
1216
1217 ret->hash[i++] = (uint8_t)byte;
1218
1219 term = cp[2];
1220 if (term == '\0')
1221 {
1222 break;
1223 }
1224 cp += 3;
1225 }
1226 if (i < nbytes)
1227 {
1228 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i,
1229 str);
1230 }
1231 else if (term != '\0')
1232 {
1233 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1234 }
1235 return ret;
1236}
1237
1248static struct verify_hash_list *
1249parse_hash_fingerprint_multiline(const char *str, int nbytes, msglvl_t msglevel,
1250 struct gc_arena *gc)
1251{
1252 struct gc_arena gc_temp = gc_new();
1253 char *lines = string_alloc(str, &gc_temp);
1254
1255 struct verify_hash_list *ret = NULL;
1256
1257 const char *line;
1258 while ((line = strsep(&lines, "\n")))
1259 {
1260 /* ignore leading whitespace */
1261 while (isspace(*line))
1262 {
1263 line++;
1264 }
1265 /* skip empty lines and comment lines */
1266 if (strlen(line) == 0 || *line == '#' || *line == ';')
1267 {
1268 continue;
1269 }
1270
1271 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes, msglevel, gc);
1272
1273 if (!hash)
1274 {
1275 gc_free(&gc_temp);
1276 return NULL;
1277 }
1278
1279 hash->next = ret;
1280 ret = hash;
1281 }
1282 gc_free(&gc_temp);
1283
1284 return ret;
1285}
1286#ifdef _WIN32
1287
1288#ifndef ENABLE_SMALL
1289
1290static void
1291show_dhcp_option_list(const char *name, const char *const *array, int len)
1292{
1293 int i;
1294 for (i = 0; i < len; ++i)
1295 {
1296 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i]);
1297 }
1298}
1299
1300static void
1301show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1302{
1303 struct gc_arena gc = gc_new();
1304 int i;
1305 for (i = 0; i < len; ++i)
1306 {
1307 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, print_in_addr_t(array[i], 0, &gc));
1308 }
1309 gc_free(&gc);
1310}
1311
1312static void
1313show_tuntap_options(const struct tuntap_options *o)
1314{
1315 SHOW_BOOL(ip_win32_defined);
1316 SHOW_INT(ip_win32_type);
1317 SHOW_INT(dhcp_masq_offset);
1318 SHOW_INT(dhcp_lease_time);
1319 SHOW_INT(tap_sleep);
1320 SHOW_UNSIGNED(dhcp_options);
1321 SHOW_BOOL(dhcp_renew);
1322 SHOW_BOOL(dhcp_pre_release);
1323 SHOW_STR(domain);
1324 SHOW_STR(netbios_scope);
1325 SHOW_INT(netbios_node_type);
1326 SHOW_BOOL(disable_nbt);
1327
1328 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1329 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1330 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1331 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1332 show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1333}
1334
1335#endif /* ifndef ENABLE_SMALL */
1336#endif /* ifdef _WIN32 */
1337
1338static void
1339dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, msglvl_t msglevel)
1340{
1341 struct in6_addr addr;
1342 if (*len >= N_DHCP_ADDR)
1343 {
1344 msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1345 N_DHCP_ADDR);
1346 }
1347 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1348 {
1349 dns6_list[(*len)++] = addr;
1350 }
1351}
1352static void
1353dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len,
1354 msglvl_t msglevel)
1355{
1356 if (*len >= N_DHCP_ADDR)
1357 {
1358 msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified", name,
1359 N_DHCP_ADDR, name);
1360 }
1361 else
1362 {
1363 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1364 {
1365 bool error = false;
1366 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1367 if (!error)
1368 {
1369 array[(*len)++] = addr;
1370 }
1371 }
1372 else
1373 {
1374 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1375 }
1376 }
1377}
1378
1379#ifndef ENABLE_SMALL
1380static const char *
1381print_vlan_accept(enum vlan_acceptable_frames mode)
1382{
1383 switch (mode)
1384 {
1385 case VLAN_ONLY_TAGGED:
1386 return "tagged";
1387
1388 case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1389 return "untagged";
1390
1391 case VLAN_ALL:
1392 return "all";
1393 }
1394 return NULL;
1395}
1396
1397static void
1398show_p2mp_parms(const struct options *o)
1399{
1400 struct gc_arena gc = gc_new();
1401
1402 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1403 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1404 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc));
1405 SHOW_INT(server_netbits_ipv6);
1406 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1407 msg(D_SHOW_PARMS, " server_bridge_netmask = %s",
1408 print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1409 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s",
1410 print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1411 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s",
1412 print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1413 if (o->push_list.head)
1414 {
1415 const struct push_entry *e = o->push_list.head;
1416 while (e)
1417 {
1418 if (e->enable)
1419 {
1420 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1421 }
1422 e = e->next;
1423 }
1424 }
1425 SHOW_BOOL(ifconfig_pool_defined);
1426 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s",
1427 print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1428 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1429 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s",
1430 print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1431 SHOW_STR(ifconfig_pool_persist_filename);
1432 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1433 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1434 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s",
1435 print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1436 SHOW_INT(ifconfig_ipv6_pool_netbits);
1437 SHOW_INT(n_bcast_buf);
1438 SHOW_INT(tcp_queue_limit);
1439 SHOW_INT(real_hash_size);
1440 SHOW_INT(virtual_hash_size);
1441 SHOW_STR(client_connect_script);
1442 SHOW_STR(learn_address_script);
1443 SHOW_STR(client_disconnect_script);
1444 SHOW_STR(client_crresponse_script);
1445 SHOW_STR(client_config_dir);
1446 SHOW_BOOL(ccd_exclusive);
1447 SHOW_STR(tmp_dir);
1448 SHOW_BOOL(push_ifconfig_defined);
1449 msg(D_SHOW_PARMS, " push_ifconfig_local = %s",
1450 print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1451 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s",
1452 print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1453 SHOW_BOOL(push_ifconfig_ipv6_defined);
1454 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d",
1455 print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits);
1456 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s",
1457 print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1458 SHOW_BOOL(enable_c2c);
1459 SHOW_BOOL(duplicate_cn);
1460 SHOW_INT(cf_max);
1461 SHOW_INT(cf_per);
1462 SHOW_INT(cf_initial_max);
1463 SHOW_INT(cf_initial_per);
1464 SHOW_INT(max_clients);
1465 SHOW_INT(max_routes_per_client);
1466 SHOW_STR(auth_user_pass_verify_script);
1467 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1468 SHOW_BOOL(auth_token_generate);
1469 SHOW_BOOL(force_key_material_export);
1470 SHOW_INT(auth_token_lifetime);
1471 SHOW_STR_INLINE(auth_token_secret_file);
1472#if PORT_SHARE
1473 SHOW_STR(port_share_host);
1474 SHOW_STR(port_share_port);
1475#endif
1476 SHOW_BOOL(vlan_tagging);
1477 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1478 SHOW_INT(vlan_pvid);
1479
1480 SHOW_BOOL(client);
1481 SHOW_BOOL(pull);
1482 SHOW_STR_INLINE(auth_user_pass_file);
1483
1484 gc_free(&gc);
1485}
1486
1487#endif /* ! ENABLE_SMALL */
1488
1489static void
1490option_iroute(struct options *o, const char *network_str, const char *netmask_str,
1491 msglvl_t msglevel)
1492{
1493 struct iroute *ir;
1494
1495 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1496 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1497 ir->netbits = 32; /* host route if no netmask given */
1498
1499 if (netmask_str)
1500 {
1501 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1502 ir->netbits = netmask_to_netbits2(netmask);
1503
1504 if (ir->netbits < 0)
1505 {
1506 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification", network_str,
1507 netmask_str);
1508 return;
1509 }
1510 }
1511
1512 ir->next = o->iroutes;
1513 o->iroutes = ir;
1514}
1515
1516static void
1517option_iroute_ipv6(struct options *o, const char *prefix_str, msglvl_t msglevel)
1518{
1519 struct iroute_ipv6 *ir;
1520
1521 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1522
1523 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel))
1524 {
1525 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str);
1526 return;
1527 }
1528
1529 ir->next = o->iroutes_ipv6;
1530 o->iroutes_ipv6 = ir;
1531}
1532
1533#ifndef ENABLE_SMALL
1534static void
1535show_http_proxy_options(const struct http_proxy_options *o)
1536{
1537 int i;
1538 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1539 SHOW_STR(server);
1540 SHOW_STR(port);
1541 SHOW_STR(auth_method_string);
1542 SHOW_STR(auth_file);
1543 SHOW_STR(auth_file_up);
1544 SHOW_BOOL(inline_creds);
1545 SHOW_BOOL(nocache);
1546 SHOW_STR(http_version);
1547 SHOW_STR(user_agent);
1548 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1549 {
1550 if (o->custom_headers[i].content)
1551 {
1552 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i, o->custom_headers[i].name,
1553 o->custom_headers[i].content);
1554 }
1555 else
1556 {
1557 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i, o->custom_headers[i].name);
1558 }
1559 }
1560 msg(D_SHOW_PARMS, "END http_proxy");
1561}
1562#endif /* ifndef ENABLE_SMALL */
1563
1564void
1565options_detach(struct options *o)
1566{
1567 gc_detach(&o->gc);
1568 o->routes = NULL;
1569 o->client_nat = NULL;
1570 clone_push_list(o);
1571}
1572
1573void
1574rol_check_alloc(struct options *options)
1575{
1576 if (!options->routes)
1577 {
1578 options->routes = new_route_option_list(&options->gc);
1579 }
1580}
1581
1582static void
1590
1591static void
1592cnol_check_alloc(struct options *options)
1593{
1594 if (!options->client_nat)
1595 {
1596 options->client_nat = new_client_nat_list(&options->gc);
1597 }
1598}
1599
1600#ifndef ENABLE_SMALL
1601static void
1602show_connection_entry(const struct connection_entry *o)
1603{
1604 /* Display the global proto only in client mode or with no '--local'*/
1605 if (o->local_list->len == 1)
1606 {
1607 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1608 }
1609
1610 msg(D_SHOW_PARMS, " Local Sockets:");
1611 for (int i = 0; i < o->local_list->len; i++)
1612 {
1613 msg(D_SHOW_PARMS, " [%s]:%s-%s", o->local_list->array[i]->local,
1614 o->local_list->array[i]->port,
1615 proto2ascii(o->local_list->array[i]->proto, o->af, false));
1616 }
1617 SHOW_STR(remote);
1618 SHOW_STR(remote_port);
1619 SHOW_BOOL(remote_float);
1620 SHOW_BOOL(bind_defined);
1621 SHOW_BOOL(bind_local);
1622 SHOW_BOOL(bind_ipv6_only);
1623 SHOW_INT(connect_retry_seconds);
1624 SHOW_INT(connect_timeout);
1625
1626 if (o->http_proxy_options)
1627 {
1628 show_http_proxy_options(o->http_proxy_options);
1629 }
1630 SHOW_STR(socks_proxy_server);
1631 SHOW_STR(socks_proxy_port);
1632 SHOW_INT(tun_mtu);
1633 SHOW_BOOL(tun_mtu_defined);
1634 SHOW_INT(link_mtu);
1635 SHOW_BOOL(link_mtu_defined);
1636 SHOW_INT(tun_mtu_extra);
1637 SHOW_BOOL(tun_mtu_extra_defined);
1638 SHOW_INT(tls_mtu);
1639
1640 SHOW_INT(mtu_discover_type);
1641
1642#ifdef ENABLE_FRAGMENT
1643 SHOW_INT(fragment);
1644#endif
1645 SHOW_INT(mssfix);
1646 SHOW_BOOL(mssfix_encap);
1647 SHOW_BOOL(mssfix_fixed);
1648
1649 SHOW_INT(explicit_exit_notification);
1650
1651 SHOW_STR_INLINE(tls_auth_file);
1652 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1653 SHOW_STR_INLINE(tls_crypt_file);
1654 SHOW_STR_INLINE(tls_crypt_v2_file);
1655}
1656
1657
1658static void
1659show_connection_entries(const struct options *o)
1660{
1661 if (o->connection_list)
1662 {
1663 const struct connection_list *l = o->connection_list;
1664 int i;
1665 for (i = 0; i < l->len; ++i)
1666 {
1667 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1668 show_connection_entry(l->array[i]);
1669 }
1670 }
1671 else
1672 {
1673 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1674 show_connection_entry(&o->ce);
1675 }
1676 msg(D_SHOW_PARMS, "Connection profiles END");
1677}
1678
1679static void
1680show_pull_filter_list(const struct pull_filter_list *l)
1681{
1682 struct pull_filter *f;
1683 if (!l)
1684 {
1685 return;
1686 }
1687
1688 msg(D_SHOW_PARMS, " Pull filters:");
1689 for (f = l->head; f; f = f->next)
1690 {
1691 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1692 }
1693}
1694
1695#endif /* ifndef ENABLE_SMALL */
1696
1697void
1698show_settings(const struct options *o)
1699{
1700#ifndef ENABLE_SMALL
1701 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1702
1703 SHOW_STR(config);
1704
1705 SHOW_INT(mode);
1706
1707#ifdef ENABLE_FEATURE_TUN_PERSIST
1708 SHOW_BOOL(persist_config);
1709 SHOW_INT(persist_mode);
1710#endif
1711
1712 SHOW_BOOL(show_ciphers);
1713 SHOW_BOOL(show_digests);
1714 SHOW_BOOL(show_engines);
1715 SHOW_BOOL(genkey);
1716 SHOW_STR(genkey_filename);
1717 SHOW_STR(key_pass_file);
1718 SHOW_BOOL(show_tls_ciphers);
1719
1720 SHOW_INT(connect_retry_max);
1721 show_connection_entries(o);
1722
1723 SHOW_BOOL(remote_random);
1724
1725 SHOW_STR(ipchange);
1726 SHOW_STR(dev);
1727 SHOW_STR(dev_type);
1728 SHOW_STR(dev_node);
1729#if defined(ENABLE_DCO)
1730 SHOW_BOOL(disable_dco);
1731#endif
1732 SHOW_STR(lladdr);
1733 SHOW_INT(topology);
1734 SHOW_STR(ifconfig_local);
1735 SHOW_STR(ifconfig_remote_netmask);
1736 SHOW_BOOL(ifconfig_noexec);
1737 SHOW_BOOL(ifconfig_nowarn);
1738 SHOW_STR(ifconfig_ipv6_local);
1739 SHOW_INT(ifconfig_ipv6_netbits);
1740 SHOW_STR(ifconfig_ipv6_remote);
1741
1742 SHOW_INT(shaper);
1743 SHOW_INT(mtu_test);
1744
1745 SHOW_BOOL(mlock);
1746
1747 SHOW_INT(keepalive_ping);
1748 SHOW_INT(keepalive_timeout);
1749 SHOW_INT(inactivity_timeout);
1750 SHOW_INT(session_timeout);
1751 SHOW_INT64(inactivity_minimum_bytes);
1752 SHOW_INT(ping_send_timeout);
1753 SHOW_INT(ping_rec_timeout);
1754 SHOW_INT(ping_rec_timeout_action);
1755 SHOW_BOOL(ping_timer_remote);
1756 SHOW_INT(remap_sigusr1);
1757 SHOW_BOOL(persist_tun);
1758 SHOW_BOOL(persist_local_ip);
1759 SHOW_BOOL(persist_remote_ip);
1760
1761#if PASSTOS_CAPABILITY
1762 SHOW_BOOL(passtos);
1763#endif
1764
1765 SHOW_INT(resolve_retry_seconds);
1766 SHOW_BOOL(resolve_in_advance);
1767
1768 SHOW_STR(username);
1769 SHOW_STR(groupname);
1770 SHOW_STR(chroot_dir);
1771 SHOW_STR(cd_dir);
1772#ifdef ENABLE_SELINUX
1773 SHOW_STR(selinux_context);
1774#endif
1775 SHOW_STR(writepid);
1776 SHOW_STR(up_script);
1777 SHOW_STR(down_script);
1778 SHOW_BOOL(down_pre);
1779 SHOW_BOOL(up_restart);
1780 SHOW_BOOL(up_delay);
1781 SHOW_BOOL(daemon);
1782 SHOW_BOOL(log);
1783 SHOW_BOOL(suppress_timestamps);
1784 SHOW_BOOL(machine_readable_output);
1785 SHOW_INT(nice);
1786 SHOW_INT(verbosity);
1787 SHOW_INT(mute);
1788#ifdef ENABLE_DEBUG
1789 SHOW_INT(gremlin);
1790#endif
1791 SHOW_STR(status_file);
1792 SHOW_INT(status_file_version);
1793 SHOW_INT(status_file_update_freq);
1794
1795 SHOW_BOOL(occ);
1796 SHOW_INT(rcvbuf);
1797 SHOW_INT(sndbuf);
1798#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1799 SHOW_INT(mark);
1800#endif
1801 SHOW_INT(sockflags);
1802
1803 SHOW_BOOL(fast_io);
1804
1805 SHOW_INT(comp.alg);
1806 SHOW_INT(comp.flags);
1807
1808 SHOW_STR(route_script);
1809 SHOW_STR(route_default_gateway);
1810 SHOW_INT(route_default_metric);
1811 SHOW_INT(route_default_table_id);
1812 SHOW_BOOL(route_noexec);
1813 SHOW_INT(route_delay);
1814 SHOW_INT(route_delay_window);
1815 SHOW_BOOL(route_delay_defined);
1816 SHOW_BOOL(route_nopull);
1817 SHOW_BOOL(route_gateway_via_dhcp);
1818 SHOW_BOOL(allow_pull_fqdn);
1819 show_pull_filter_list(o->pull_filter_list);
1820
1821 if (o->routes)
1822 {
1823 print_route_options(o->routes, D_SHOW_PARMS);
1824 }
1825
1826 if (o->client_nat)
1827 {
1828 print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1829 }
1830
1831 show_dns_options(&o->dns_options);
1832
1833#ifdef ENABLE_MANAGEMENT
1834 SHOW_STR(management_addr);
1835 SHOW_STR(management_port);
1836 SHOW_STR(management_user_pass);
1837 SHOW_INT(management_log_history_cache);
1838 SHOW_INT(management_echo_buffer_size);
1839 SHOW_STR(management_client_user);
1840 SHOW_STR(management_client_group);
1841 SHOW_INT(management_flags);
1842#endif
1843#ifdef ENABLE_PLUGIN
1844 if (o->plugin_list)
1845 {
1846 plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1847 }
1848#endif
1849
1850 SHOW_STR_INLINE(shared_secret_file);
1851 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1852 SHOW_STR(ciphername);
1853 SHOW_STR(ncp_ciphers);
1854 SHOW_STR(authname);
1855#ifndef ENABLE_CRYPTO_MBEDTLS
1856 SHOW_BOOL(engine);
1857#endif /* ENABLE_CRYPTO_MBEDTLS */
1858 SHOW_BOOL(mute_replay_warnings);
1859 SHOW_INT(replay_window);
1860 SHOW_INT(replay_time);
1861 SHOW_STR(packet_id_file);
1862 SHOW_BOOL(test_crypto);
1863#ifdef ENABLE_PREDICTION_RESISTANCE
1864 SHOW_BOOL(use_prediction_resistance);
1865#endif
1866
1867 SHOW_BOOL(tls_server);
1868 SHOW_BOOL(tls_client);
1869 SHOW_STR_INLINE(ca_file);
1870 SHOW_STR(ca_path);
1871 SHOW_STR_INLINE(dh_file);
1872 if ((o->management_flags & MF_EXTERNAL_CERT))
1873 {
1874 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1875 }
1876 else
1877 {
1878 SHOW_STR_INLINE(cert_file);
1879 }
1880 SHOW_STR_INLINE(extra_certs_file);
1881
1882 if ((o->management_flags & MF_EXTERNAL_KEY))
1883 {
1884 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1885 }
1886 else
1887 {
1888 SHOW_STR_INLINE(priv_key_file);
1889 }
1890#ifndef ENABLE_CRYPTO_MBEDTLS
1891 SHOW_STR_INLINE(pkcs12_file);
1892#endif
1893#ifdef ENABLE_CRYPTOAPI
1894 SHOW_STR(cryptoapi_cert);
1895#endif
1896 SHOW_STR(cipher_list);
1897 SHOW_STR(cipher_list_tls13);
1898 SHOW_STR(tls_cert_profile);
1899 SHOW_STR(tls_verify);
1900 SHOW_STR(tls_export_peer_cert_dir);
1901 SHOW_INT(verify_x509_type);
1902 SHOW_STR(verify_x509_name);
1903 SHOW_STR_INLINE(crl_file);
1904 SHOW_INT(ns_cert_type);
1905 {
1906 int i;
1907 for (i = 0; i < MAX_PARMS; i++)
1908 {
1909 SHOW_INT(remote_cert_ku[i]);
1910 }
1911 }
1912 SHOW_STR(remote_cert_eku);
1913 if (o->verify_hash)
1914 {
1915 SHOW_INT(verify_hash_algo);
1916 SHOW_INT(verify_hash_depth);
1917 struct gc_arena gc = gc_new();
1918 struct verify_hash_list *hl = o->verify_hash;
1919 int digest_len =
1920 (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH : SHA256_DIGEST_LENGTH;
1921 while (hl)
1922 {
1923 char *s = format_hex_ex(hl->hash, digest_len, 0, 1, ":", &gc);
1924 SHOW_PARM(verify_hash, s, "%s");
1925 hl = hl->next;
1926 }
1927 gc_free(&gc);
1928 }
1929 SHOW_INT(ssl_flags);
1930
1931 SHOW_INT(tls_timeout);
1932
1933 SHOW_INT64(renegotiate_bytes);
1934 SHOW_INT64(renegotiate_packets);
1935 SHOW_INT(renegotiate_seconds);
1936
1937 SHOW_INT(handshake_window);
1938 SHOW_INT(transition_window);
1939
1940 SHOW_BOOL(single_session);
1941 SHOW_BOOL(push_peer_info);
1942 SHOW_BOOL(tls_exit);
1943
1944 SHOW_STR(tls_crypt_v2_metadata);
1945
1946#ifdef ENABLE_PKCS11
1947 {
1948 int i;
1949 for (i = 0; i < MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1950 {
1951 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1952 }
1953 }
1954 {
1955 int i;
1956 for (i = 0; i < MAX_PARMS; i++)
1957 {
1958 SHOW_PARM(pkcs11_protected_authentication,
1959 o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1960 }
1961 }
1962 {
1963 int i;
1964 for (i = 0; i < MAX_PARMS; i++)
1965 {
1966 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1967 }
1968 }
1969 {
1970 int i;
1971 for (i = 0; i < MAX_PARMS; i++)
1972 {
1973 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED",
1974 "%s");
1975 }
1976 }
1977 SHOW_INT(pkcs11_pin_cache_period);
1978 SHOW_STR(pkcs11_id);
1979 SHOW_BOOL(pkcs11_id_management);
1980#endif /* ENABLE_PKCS11 */
1981
1982 show_p2mp_parms(o);
1983
1984#ifdef _WIN32
1985 SHOW_BOOL(show_net_up);
1986 SHOW_INT(route_method);
1987 SHOW_BOOL(block_outside_dns);
1988 show_tuntap_options(&o->tuntap_options);
1989#endif
1990#endif /* ifndef ENABLE_SMALL */
1991}
1992
1993#undef SHOW_PARM
1994#undef SHOW_STR
1995#undef SHOW_INT
1996#undef SHOW_BOOL
1997
1998#ifdef ENABLE_MANAGEMENT
1999
2000static struct http_proxy_options *
2001parse_http_proxy_override(const char *server, const char *port, const char *flags,
2002 struct gc_arena *gc)
2003{
2004 if (server && port)
2005 {
2006 struct http_proxy_options *ho;
2007 ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
2008 ho->server = string_alloc(server, gc);
2009 ho->port = port;
2010 if (flags && !strcmp(flags, "nct"))
2011 {
2012 ho->auth_retry = PAR_NCT;
2013 }
2014 else
2015 {
2016 ho->auth_retry = PAR_ALL;
2017 }
2018 ho->http_version = "1.0";
2019 ho->user_agent = "OpenVPN-Autoproxy/1.0";
2020 return ho;
2021 }
2022 else
2023 {
2024 return NULL;
2025 }
2026}
2027
2028static void
2029options_postprocess_http_proxy_override(struct options *o)
2030{
2031 const struct connection_list *l = o->connection_list;
2032 int i;
2033 bool succeed = false;
2034 for (i = 0; i < l->len; ++i)
2035 {
2036 struct connection_entry *ce = l->array[i];
2037 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2038 {
2039 ce->http_proxy_options = o->http_proxy_override;
2040 succeed = true;
2041 }
2042 }
2043 if (succeed)
2044 {
2045 for (i = 0; i < l->len; ++i)
2046 {
2047 struct connection_entry *ce = l->array[i];
2048 if (ce->proto == PROTO_UDP)
2049 {
2050 ce->flags |= CE_DISABLED;
2051 }
2052 }
2053 }
2054 else
2055 {
2056 msg(M_WARN,
2057 "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2058 }
2059}
2060
2061#endif /* ifdef ENABLE_MANAGEMENT */
2062
2063static struct local_list *
2064alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
2065{
2066 if (!ce->local_list)
2067 {
2068 ALLOC_OBJ_CLEAR_GC(ce->local_list, struct local_list, gc);
2069 }
2070 return ce->local_list;
2071}
2072
2073static struct local_entry *
2074alloc_local_entry(struct connection_entry *ce, const msglvl_t msglevel, struct gc_arena *gc)
2075{
2076 struct local_list *l = alloc_local_list_if_undef(ce, gc);
2077 struct local_entry *e;
2078
2079 if (l->len >= l->capacity)
2080 {
2081 const int new_cap = l->capacity + 1;
2082 const size_t elem_size = sizeof(*l->array);
2083
2084 struct local_entry **new_array = gc_realloc(l->array, new_cap * elem_size, gc);
2085 if (!new_array)
2086 {
2087 msg(msglevel,
2088 "Unable to process more local options: out of memory. Number of entries = %d",
2089 l->len);
2090 return NULL;
2091 }
2092
2093 l->array = new_array;
2094 l->capacity = new_cap;
2095 }
2096
2097 ALLOC_OBJ_CLEAR_GC(e, struct local_entry, gc);
2098 e->proto = PROTO_NONE;
2099 l->array[l->len++] = e;
2100
2101 return e;
2102}
2103
2104static struct connection_list *
2113
2114static struct connection_entry *
2115alloc_connection_entry(struct options *options, const msglvl_t msglevel)
2116{
2117 struct connection_list *l = alloc_connection_list_if_undef(options);
2118 struct connection_entry *e;
2119
2120 if (l->len == l->capacity)
2121 {
2122 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2123 struct connection_entry **ce =
2124 gc_realloc(l->array, capacity * sizeof(struct connection_entry *), &options->gc);
2125 if (ce == NULL)
2126 {
2127 msg(msglevel,
2128 "Unable to process more connection options: out of memory. Number of entries = %d",
2129 l->len);
2130 return NULL;
2131 }
2132 l->array = ce;
2133 l->capacity = capacity;
2134 }
2135 ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2136 l->array[l->len++] = e;
2137 return e;
2138}
2139
2140static struct remote_list *
2141alloc_remote_list_if_undef(struct options *options)
2142{
2143 if (!options->remote_list)
2144 {
2145 ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2146 }
2147 return options->remote_list;
2148}
2149
2150static struct remote_entry *
2151alloc_remote_entry(struct options *options, const msglvl_t msglevel)
2152{
2153 struct remote_list *l = alloc_remote_list_if_undef(options);
2154 struct remote_entry *e;
2155
2156 if (l->len == l->capacity)
2157 {
2158 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2159 struct remote_entry **re =
2160 gc_realloc(l->array, capacity * sizeof(struct remote_entry *), &options->gc);
2161 if (re == NULL)
2162 {
2163 msg(msglevel,
2164 "Unable to process more remote options: out of memory. Number of entries = %d",
2165 l->len);
2166 return NULL;
2167 }
2168 l->array = re;
2169 l->capacity = capacity;
2170 }
2171 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2172 l->array[l->len++] = e;
2173 return e;
2174}
2175
2176static struct pull_filter_list *
2177alloc_pull_filter_list(struct options *o)
2178{
2179 if (!o->pull_filter_list)
2180 {
2181 ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2182 }
2183 return o->pull_filter_list;
2184}
2185
2186static struct pull_filter *
2187alloc_pull_filter(struct options *o)
2188{
2189 struct pull_filter_list *l = alloc_pull_filter_list(o);
2190 struct pull_filter *f;
2191
2192 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2193 if (l->head)
2194 {
2195 ASSERT(l->tail);
2196 l->tail->next = f;
2197 }
2198 else
2199 {
2200 ASSERT(!l->tail);
2201 l->head = f;
2202 }
2203 l->tail = f;
2204 return f;
2205}
2206
2207static void
2208connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2209{
2210 if (re->remote)
2211 {
2212 ce->remote = re->remote;
2213 }
2214 if (re->remote_port)
2215 {
2216 ce->remote_port = re->remote_port;
2217 }
2218 if (re->proto >= 0)
2219 {
2220 ce->proto = re->proto;
2221 }
2222 if (re->af > 0)
2223 {
2224 ce->af = re->af;
2225 }
2226}
2227
2228static void
2229connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
2230{
2231 if (key_file && *key_file && !(*key_inline))
2232 {
2233 struct buffer in = buffer_read_from_file(*key_file, gc);
2234 if (!buf_valid(&in))
2235 {
2236 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2237 }
2238
2239 *key_file = (const char *)in.data;
2240 *key_inline = true;
2241 }
2242}
2243
2244static void
2245check_ca_required(const struct options *options)
2246{
2247#ifdef ENABLE_CRYPTO_MBEDTLS
2248 if (options->ca_path)
2249 {
2250 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN.");
2251 }
2252#endif
2253
2254 if (options->verify_hash_no_ca || options->pkcs12_file || options->ca_file
2255#ifndef ENABLE_CRYPTO_MBEDTLS
2256 || options->ca_path
2257#endif
2258 )
2259 {
2260 return;
2261 }
2262
2263 const char *const str = "You must define CA file (--ca)"
2264#ifndef ENABLE_CRYPTO_MBEDTLS
2265 " or CA path (--capath)"
2266#endif
2267 " and/or peer fingerprint verification (--peer-fingerprint)";
2268 msg(M_USAGE, "%s", str);
2269}
2270
2271#define MUST_BE_UNDEF(parm, parm_name) \
2272 if (options->parm != defaults.parm) \
2273 { \
2274 msg(M_USAGE, use_err, parm_name); \
2275 }
2276#define MUST_BE_FALSE(condition, parm_name) \
2277 if (condition) \
2278 { \
2279 msg(M_USAGE, use_err, parm_name); \
2280 }
2281
2282static void
2283options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
2284{
2285 struct options defaults;
2286 int dev = DEV_TYPE_UNDEF;
2287 bool pull = false;
2288
2289 init_options(&defaults, true);
2290
2291 if (options->test_crypto)
2292 {
2293 notnull(options->shared_secret_file, "key file (--secret)");
2294 }
2295 else
2296 {
2297 notnull(options->dev, "TUN/TAP device (--dev)");
2298 }
2299
2300 /*
2301 * Get tun/tap/null device type
2302 */
2303 dev = dev_type_enum(options->dev, options->dev_type);
2304
2305 /*
2306 * If "proto tcp" is specified, make sure we know whether it is
2307 * tcp-client or tcp-server.
2308 */
2309 if (ce->proto == PROTO_TCP)
2310 {
2311 msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify "
2312 "--proto tcp-server or --proto tcp-client");
2313 }
2314
2315 /*
2316 * Sanity check on Client mode
2317 */
2318
2319 if (options->mode != MODE_SERVER && ce->local_list->len > 1)
2320 {
2321 msg(M_USAGE, "multiple --local statements only allowed in --server mode");
2322 }
2323
2324 if (options->lladdr && dev != DEV_TYPE_TAP)
2325 {
2326 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2327 }
2328
2329 /*
2330 * Sanity check on MTU parameters
2331 */
2332 if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2333 {
2334 msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2335 }
2336
2337 if (!proto_is_udp(ce->proto) && options->mtu_test)
2338 {
2339 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2340 }
2341
2342 /* will we be pulling options from server? */
2343 pull = options->pull;
2344
2345 /*
2346 * Sanity check on --local, --remote, and --ifconfig
2347 */
2348
2349 if (string_defined_equal(ce->remote, options->ifconfig_local)
2350 || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2351 {
2352 msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig "
2353 "addresses");
2354 }
2355
2356 if (string_defined_equal(options->ifconfig_local, options->ifconfig_remote_netmask))
2357 {
2358 msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
2359 }
2360
2361 if (ce->bind_defined && !ce->bind_local)
2362 {
2363 msg(M_USAGE, "--bind and --nobind can't be used together");
2364 }
2365
2366 if (ce->local_port_defined && !ce->bind_local)
2367 {
2368 msg(M_USAGE, "--lport and --nobind don't make sense when used together");
2369 }
2370
2371 if (!ce->remote && !ce->bind_local)
2372 {
2373 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2374 }
2375
2376 for (int i = 0; i < ce->local_list->len; i++)
2377 {
2378 struct local_entry *le = ce->local_list->array[i];
2379
2380 if (proto_is_net(le->proto) && string_defined_equal(le->local, ce->remote)
2381 && string_defined_equal(le->port, ce->remote_port))
2382 {
2383 msg(M_USAGE, "--remote and one of the --local addresses are the same");
2384 }
2385
2386 if (string_defined_equal(le->local, options->ifconfig_local)
2387 || string_defined_equal(le->local, options->ifconfig_remote_netmask))
2388 {
2389 msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2390 }
2391
2392 if (le->local && !ce->bind_local)
2393 {
2394 msg(M_USAGE, "--local and --nobind don't make sense when used together");
2395 }
2396 }
2397
2398 /*
2399 * Check for consistency of management options
2400 */
2401#ifdef ENABLE_MANAGEMENT
2402 if (!options->management_addr
2403 && (options->management_flags
2404 || options->management_log_history_cache != defaults.management_log_history_cache))
2405 {
2406 msg(M_USAGE,
2407 "--management is not specified, however one or more options which modify the behavior of --management were specified");
2408 }
2409
2410 if ((options->management_client_user || options->management_client_group)
2411 && !(options->management_flags & MF_UNIX_SOCK))
2412 {
2413 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2414 }
2415
2416 if (options->management_addr && !(options->management_flags & MF_UNIX_SOCK)
2417 && (!options->management_user_pass))
2418 {
2419 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2420 "passwords is STRONGLY discouraged and considered insecure");
2421 }
2422
2423#endif /* ifdef ENABLE_MANAGEMENT */
2424
2425#if !defined(HAVE_XKEY_PROVIDER)
2426 if ((tls_version_max() >= TLS_VER_1_3) && (options->management_flags & MF_EXTERNAL_KEY)
2427 && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING)))
2428 {
2429 msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2430 "nopadding argument/support");
2431 }
2432#endif
2433 /*
2434 * Windows-specific options.
2435 */
2436
2437#ifdef _WIN32
2438 if (dev == DEV_TYPE_TUN
2439 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2440 {
2441 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2442 }
2443
2444 if ((options->tuntap_options.ip_win32_defined)
2445 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2446 {
2447 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2448 }
2449
2450 if (options->tuntap_options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
2451 {
2452 const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
2453 if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
2454 {
2455 msg(M_USAGE, "%s, which is not supported by the selected %s driver", prefix,
2456 print_tun_backend_driver(options->windows_driver));
2457 }
2458 else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2459 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2460 {
2461 msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive", prefix);
2462 }
2463 }
2464#endif /* ifdef _WIN32 */
2465
2466 /*
2467 * Check that protocol options make sense.
2468 */
2469
2470#ifdef ENABLE_FRAGMENT
2471 if (!proto_is_udp(ce->proto) && ce->fragment)
2472 {
2473 msg(M_USAGE, "--fragment can only be used with --proto udp");
2474 }
2475#endif
2476
2477 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2478 {
2479 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2480 }
2481
2482 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2483 {
2484 msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2485 "tcp-client)");
2486 }
2487
2488 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2489 {
2490 msg(M_USAGE, "--http-proxy not specified but other http proxy options present");
2491 }
2492
2493 if (ce->http_proxy_options && ce->socks_proxy_server)
2494 {
2495 msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy");
2496 }
2497
2498 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2499 {
2500 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2501 }
2502
2503 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2504 {
2505 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2506 }
2507
2508 /*
2509 * Check consistency of --mode server options.
2510 */
2511 if (options->mode == MODE_SERVER)
2512 {
2513 const char use_err[] = "--%s cannot be used with --mode server.";
2514
2515#define USAGE_VALID_SERVER_PROTOS \
2516 "--mode server currently only supports " \
2517 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2518#ifdef TARGET_ANDROID
2519 msg(M_FATAL, "--mode server not supported on Android");
2520#endif
2521 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2522 {
2523 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2524 }
2525 MUST_BE_UNDEF(pull, "pull");
2526 if (options->pull_filter_list)
2527 {
2528 msg(M_WARN, "--pull-filter ignored for --mode server");
2529 }
2530 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2531 {
2532 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2533 }
2534#if PORT_SHARE
2535 if ((options->port_share_host || options->port_share_port)
2536 && (ce->proto != PROTO_TCP_SERVER))
2537 {
2538 msg(M_USAGE, "--port-share only works in TCP server mode "
2539 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2540 }
2541#endif
2542 if (!options->tls_server)
2543 {
2544 msg(M_USAGE, "--mode server requires --tls-server");
2545 }
2546 MUST_BE_FALSE(ce->remote, "remote");
2547 MUST_BE_FALSE(!ce->bind_local, "nobind");
2548 MUST_BE_FALSE(ce->http_proxy_options, "http-proxy");
2549 MUST_BE_FALSE(ce->socks_proxy_server, "socks-proxy");
2550 /* <connection> blocks force to have a remote embedded, so we check
2551 * for the --remote and bail out if it is present
2552 */
2553 if (options->connection_list->len > 1 || options->connection_list->array[0]->remote)
2554 {
2555 msg(M_USAGE, "<connection> cannot be used with --mode server");
2556 }
2557
2558 MUST_BE_UNDEF(shaper, "shaper");
2559 if (options->ipchange)
2560 {
2561 msg(M_USAGE, "--ipchange cannot be used with --mode server (use "
2562 "--client-connect instead)");
2563 }
2564 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2565 {
2566 msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2567 }
2568 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2569 {
2570 msg(M_USAGE,
2571 "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2572 }
2573 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET))
2574 && options->ifconfig_pool_netmask)
2575 {
2576 msg(M_USAGE,
2577 "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2578 }
2579 if (options->routes && (options->routes->flags & RG_ENABLE))
2580 {
2581 msg(M_USAGE,
2582 "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2583 }
2584 MUST_BE_UNDEF(route_delay_defined, "route-delay");
2585 MUST_BE_UNDEF(up_delay, "up-delay");
2586 if (!options->ifconfig_pool_defined && !options->ifconfig_ipv6_pool_defined
2587 && options->ifconfig_pool_persist_filename)
2588 {
2589 msg(M_USAGE,
2590 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2591 }
2592 if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2593 {
2594 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2595 }
2596 MUST_BE_UNDEF(allow_recursive_routing, "allow-recursive-routing");
2597 if (options->auth_user_pass_file)
2598 {
2599 msg(M_USAGE,
2600 "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2601 }
2602 if (options->ccd_exclusive && !options->client_config_dir)
2603 {
2604 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2605 }
2606 if (options->auth_token_generate && !options->renegotiate_seconds)
2607 {
2608 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2609 "--renegotiate_seconds setting");
2610 }
2611 if (options->auth_token_generate && options->auth_token_renewal
2612 && options->auth_token_renewal < 2 * options->handshake_window)
2613 {
2614 msg(M_USAGE,
2615 "--auth-gen-token renewal time needs to be at least "
2616 " two times --hand-window (%d).",
2617 options->handshake_window);
2618 }
2619 if (!options->auth_user_pass_verify_script && !PLUGIN_OPTION_LIST(options)
2620 && !MAN_CLIENT_AUTH_ENABLED(options))
2621 {
2622 const char *use_err =
2623 "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2624
2625 MUST_BE_FALSE(options->ssl_flags
2626 & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL),
2627 "verify-client-cert none|optional");
2628 MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME,
2629 "username-as-common-name");
2630 MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL,
2631 "auth-user-pass-optional");
2632 }
2633
2634 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2635 {
2636 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2637 }
2638 if (!options->vlan_tagging)
2639 {
2640 const char use_err[] = "--%s requires --vlan-tagging";
2641 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2642 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2643 }
2644 }
2645 else
2646 {
2647 const char use_err[] = "--%s requires --mode server";
2648 /*
2649 * When not in server mode, err if parameters are
2650 * specified which require --mode server.
2651 */
2652 MUST_BE_UNDEF(ifconfig_pool_defined, "ifconfig-pool");
2653 MUST_BE_UNDEF(ifconfig_pool_persist_filename, "ifconfig-pool-persist");
2654 MUST_BE_UNDEF(ifconfig_ipv6_pool_defined, "ifconfig-ipv6-pool");
2655 MUST_BE_UNDEF(real_hash_size, "hash-size");
2656 MUST_BE_UNDEF(virtual_hash_size, "hash-size");
2657 MUST_BE_UNDEF(learn_address_script, "learn-address");
2658 MUST_BE_UNDEF(client_connect_script, "client-connect");
2659 MUST_BE_UNDEF(client_crresponse_script, "client-crresponse");
2660 MUST_BE_UNDEF(client_disconnect_script, "client-disconnect");
2661 MUST_BE_UNDEF(client_config_dir, "client-config-dir");
2662 MUST_BE_UNDEF(ccd_exclusive, "ccd-exclusive");
2663 MUST_BE_UNDEF(enable_c2c, "client-to-client");
2664 MUST_BE_UNDEF(duplicate_cn, "duplicate-cn");
2665 MUST_BE_UNDEF(cf_max, "connect-freq");
2666 MUST_BE_UNDEF(cf_per, "connect-freq");
2667 MUST_BE_FALSE(options->ssl_flags
2668 & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL),
2669 "verify-client-cert");
2670 MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name");
2671 MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional");
2672 MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify");
2673 if (options->server_flags & SF_TCP_NODELAY_HELPER)
2674 {
2675 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2676 "affect the server. To have TCP_NODELAY in both direction use "
2677 "tcp-nodelay in the server configuration instead.");
2678 }
2679 MUST_BE_UNDEF(auth_user_pass_verify_script, "auth-user-pass-verify");
2680 MUST_BE_UNDEF(auth_token_generate, "auth-gen-token");
2681#if PORT_SHARE
2682 if (options->port_share_host || options->port_share_port)
2683 {
2684 msg(M_USAGE,
2685 "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2686 }
2687#endif
2688 MUST_BE_UNDEF(stale_routes_check_interval, "stale-routes-check");
2689 MUST_BE_UNDEF(vlan_tagging, "vlan-tagging");
2690 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2691 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2692 MUST_BE_UNDEF(force_key_material_export, "force-key-material-export");
2693 }
2694
2695 /*
2696 * SSL/TLS mode sanity checks.
2697 */
2698 if (options->tls_server + options->tls_client + (options->shared_secret_file != NULL) > 1)
2699 {
2700 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2701 }
2702
2703 if (!options->tls_server && !options->tls_client)
2704 {
2705 msglvl_t msglevel = M_USAGE;
2706 if (options->allow_deprecated_insecure_static_crypto)
2707 {
2708 msglevel = M_INFO;
2709 }
2710
2711 msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
2712 "configuration detected. OpenVPN 2.8 will remove the "
2713 "functionality to run a VPN without TLS. "
2714 "See the examples section in the manual page for "
2715 "examples of a similar quick setup with peer-fingerprint. "
2716 "OpenVPN 2.7 allows using this configuration when using "
2717 "--allow-deprecated-insecure-static-crypto but you should move "
2718 "to a proper configuration using TLS as soon as possible.");
2719 }
2720
2721 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED | SSLF_CLIENT_CERT_OPTIONAL))
2722 {
2723 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2724 "--verify-client-cert none|optional "
2725 "may accept clients which do not present a certificate");
2726 }
2727
2728 const unsigned int tls_version_max =
2729 (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
2730 const unsigned int tls_version_min =
2731 (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
2732
2733 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2734 {
2735 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2736 }
2737
2738 if (options->tls_server || options->tls_client)
2739 {
2740 check_ca_required(options);
2741#ifdef ENABLE_PKCS11
2742 if (!options->pkcs11_providers[0] && options->pkcs11_id)
2743 {
2744 msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2745 }
2746 else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2747 {
2748 msg(M_WARN,
2749 "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2750 }
2751
2752 if (options->pkcs11_providers[0])
2753 {
2754 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2755 {
2756 msg(M_USAGE,
2757 "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2758 }
2759 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2760 {
2761 msg(M_USAGE,
2762 "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2763 }
2764 const char use_err[] =
2765 "Parameter --%s cannot be used when --pkcs11-provider is also specified.";
2766 MUST_BE_UNDEF(cert_file, "cert");
2767 MUST_BE_UNDEF(priv_key_file, "key");
2768 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2769 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2770 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2771#ifdef ENABLE_CRYPTOAPI
2772 MUST_BE_UNDEF(cryptoapi_cert, "cryptoapicert");
2773#endif
2774 }
2775 else
2776#endif /* ifdef ENABLE_PKCS11 */
2777#ifdef ENABLE_CRYPTOAPI
2778 if (options->cryptoapi_cert)
2779 {
2780 const char use_err[] =
2781 "Parameter --%s cannot be used when --cryptoapicert is also specified.";
2782 MUST_BE_UNDEF(cert_file, "cert");
2783 MUST_BE_UNDEF(priv_key_file, "key");
2784 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2785 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2786 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2787 }
2788 else
2789#endif
2790 if (options->pkcs12_file)
2791 {
2792#ifdef ENABLE_CRYPTO_MBEDTLS
2793 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN.");
2794#else
2795 const char use_err[] = "Parameter --%s cannot be used when --pkcs12 is also specified.";
2796 MUST_BE_UNDEF(ca_path, "capath");
2797 MUST_BE_UNDEF(cert_file, "cert");
2798 MUST_BE_UNDEF(priv_key_file, "key");
2799 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2800 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2801#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2802 }
2803 else /* cert/key from none of pkcs11, pkcs12, cryptoapi */
2804 {
2805 if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2806 {
2807 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2808 }
2809 if ((options->management_flags & MF_EXTERNAL_CERT))
2810 {
2811 if (options->cert_file)
2812 {
2813 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2814 }
2815 else if (!(options->management_flags & MF_EXTERNAL_KEY))
2816 {
2817 msg(M_USAGE,
2818 "--management-external-cert must be used with --management-external-key");
2819 }
2820 }
2821 if (pull)
2822 {
2823 const int sum =
2824 ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2825 + ((options->priv_key_file != NULL)
2826 || (options->management_flags & MF_EXTERNAL_KEY));
2827
2828 if (sum == 0)
2829 {
2830 if (!options->auth_user_pass_file)
2831 {
2832 msg(M_USAGE, "No client-side authentication method is "
2833 "specified. You must use either "
2834 "--cert/--key, --pkcs12, or "
2835 "--auth-user-pass");
2836 }
2837 }
2838 else if (sum != 2)
2839 {
2840 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2841 }
2842 }
2843 else
2844 {
2845 if (!(options->management_flags & MF_EXTERNAL_CERT))
2846 {
2847 notnull(options->cert_file,
2848 "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2849 }
2850 if (!(options->management_flags & MF_EXTERNAL_KEY))
2851 {
2852 notnull(options->priv_key_file,
2853 "private key file (--key) or PKCS#12 file (--pkcs12)");
2854 }
2855 }
2856 }
2857 if (ce->tls_auth_file && ce->tls_crypt_file)
2858 {
2859 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2860 }
2861 if (options->tls_client && ce->tls_crypt_v2_file
2862 && (ce->tls_auth_file || ce->tls_crypt_file))
2863 {
2864 msg(M_USAGE,
2865 "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2866 }
2867 }
2868 else
2869 {
2870 /*
2871 * Make sure user doesn't specify any TLS options
2872 * when in non-TLS mode.
2873 */
2874
2875 const char use_err[] = "Parameter %s can only be specified in TLS-mode, "
2876 "i.e. where --tls-server or --tls-client is also specified.";
2877
2878 MUST_BE_UNDEF(ca_file, "ca");
2879 MUST_BE_UNDEF(ca_path, "capath");
2880 MUST_BE_UNDEF(dh_file, "dh");
2881 MUST_BE_UNDEF(cert_file, "cert");
2882 MUST_BE_UNDEF(priv_key_file, "key");
2883#ifndef ENABLE_CRYPTO_MBEDTLS
2884 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2885#endif
2886 MUST_BE_UNDEF(cipher_list, "tls-cipher");
2887 MUST_BE_UNDEF(cipher_list_tls13, "tls-ciphersuites");
2888 MUST_BE_UNDEF(tls_cert_profile, "tls-cert-profile");
2889 MUST_BE_UNDEF(tls_verify, "tls-verify");
2890 MUST_BE_UNDEF(tls_export_peer_cert_dir, "tls-export-cert");
2891 MUST_BE_UNDEF(verify_x509_name, "verify-x509-name");
2892 MUST_BE_UNDEF(tls_timeout, "tls-timeout");
2893 MUST_BE_UNDEF(renegotiate_bytes, "reneg-bytes");
2894 MUST_BE_UNDEF(renegotiate_packets, "reneg-pkts");
2895 MUST_BE_UNDEF(renegotiate_seconds, "reneg-sec");
2896 MUST_BE_UNDEF(handshake_window, "hand-window");
2897 MUST_BE_UNDEF(transition_window, "tran-window");
2898 MUST_BE_UNDEF(tls_auth_file, "tls-auth");
2899 MUST_BE_UNDEF(tls_crypt_file, "tls-crypt");
2900 MUST_BE_UNDEF(tls_crypt_v2_file, "tls-crypt-v2");
2901 MUST_BE_UNDEF(single_session, "single-session");
2902 MUST_BE_UNDEF(push_peer_info, "push-peer-info");
2903 MUST_BE_UNDEF(tls_exit, "tls-exit");
2904 MUST_BE_UNDEF(crl_file, "crl-verify");
2905 MUST_BE_UNDEF(ns_cert_type, "ns-cert-type");
2906 MUST_BE_UNDEF(remote_cert_ku[0], "remote-cert-ku");
2907 MUST_BE_UNDEF(remote_cert_eku, "remote-cert-eku");
2908#ifdef ENABLE_PKCS11
2909 MUST_BE_UNDEF(pkcs11_providers[0], "pkcs11-providers");
2910 MUST_BE_UNDEF(pkcs11_private_mode[0], "pkcs11-private-mode");
2911 MUST_BE_UNDEF(pkcs11_id, "pkcs11-id");
2912 MUST_BE_UNDEF(pkcs11_id_management, "pkcs11-id-management");
2913#endif
2914
2915 if (pull)
2916 {
2917 msg(M_USAGE, use_err, "--pull");
2918 }
2919 }
2920 if (options->auth_user_pass_file && !options->pull)
2921 {
2922 msg(M_USAGE, "--auth-user-pass requires --pull");
2923 }
2924
2925 uninit_options(&defaults);
2926}
2927
2928#undef MUST_BE_UNDEF
2929#undef MUST_BE_FALSE
2930
2931static void
2932options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
2933{
2934 const int dev = dev_type_enum(o->dev, o->dev_type);
2935
2936 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
2937 {
2938 if (ce->proto == PROTO_TCP)
2939 {
2940 ce->proto = PROTO_TCP_SERVER;
2941 o->ce.proto = ce->proto;
2942 }
2943 }
2944
2945 if (o->mode != MODE_SERVER)
2946 {
2947 if (ce->proto == PROTO_TCP)
2948 {
2949 ce->proto = PROTO_TCP_CLIENT;
2950 o->ce.proto = ce->proto;
2951 }
2952 }
2953
2954 /* an option is present that requires local bind to enabled */
2955 bool need_bind = ce->local_port_defined || ce->bind_defined || ce->local_list;
2956
2957 /* socks proxy is enabled */
2958 bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
2959
2960 /* If binding is not forced by an explicit option and we have (at least)
2961 * one of --tcp-client, --pull (or --client), or socks we do not bind
2962 * locally to have "normal" IP client behaviour of a random source port */
2963 if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
2964 {
2965 ce->bind_local = false;
2966 }
2967
2968 if (!ce->bind_local)
2969 {
2970 ce->local_port = NULL;
2971 }
2972
2973 /* if protocol forcing is enabled, disable all protocols
2974 * except for the forced one
2975 */
2976 if (o->proto_force >= 0 && o->proto_force != ce->proto)
2977 {
2978 ce->flags |= CE_DISABLED;
2979 }
2980
2981 if (ce->http_proxy_options)
2982 {
2983 ce->http_proxy_options->nocache = ssl_get_auth_nocache();
2984 }
2985
2986 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
2987 * so fall back to IPv4-only (trac #1221)
2988 */
2989 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
2990 {
2991 if (ce->af == AF_INET6)
2992 {
2993 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
2994 "'--socks-proxy' today. Forcing IPv4 mode.");
2995 }
2996 else
2997 {
2998 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
2999 "work correctly with '--socks-proxy' today. Forcing IPv4.");
3000 }
3001 ce->af = AF_INET;
3002 }
3003
3004 /*
3005 * Set MTU defaults
3006 */
3007 {
3008 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
3009 {
3010 ce->tun_mtu_defined = true;
3011 }
3012 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3013 {
3014 ce->tun_mtu_extra_defined = true;
3015 ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
3016 }
3017 }
3018
3019 /*
3020 * If --mssfix is supplied without a parameter or not specified at all,
3021 * default it to --fragment value, if --fragment is specified and otherwise
3022 * to the default if tun-mtu is 1500
3023 */
3024 if (o->ce.mssfix_default)
3025 {
3026#ifdef ENABLE_FRAGMENT
3027 if (ce->fragment)
3028 {
3029 ce->mssfix = ce->fragment;
3030 }
3031 else
3032#endif
3033 if (ce->tun_mtu_defined)
3034 {
3035 if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3036 {
3037 /* We want to only set mssfix default value if we use a default
3038 * MTU Size, otherwise the different size of tun should either
3039 * already solve the problem or mssfix might artifically make the
3040 * payload packets smaller without mssfix 0 */
3041 ce->mssfix = MSSFIX_DEFAULT;
3042 ce->mssfix_encap = true;
3043 }
3044 else
3045 {
3046 /* We still apply the mssfix value but only adjust it to the
3047 * size of the tun interface. */
3048 ce->mssfix = ce->tun_mtu;
3049 ce->mssfix_fixed = true;
3050 }
3051 }
3052 }
3053
3054 /*
3055 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3056 *
3057 * At the end only one of these will be really set because the parser
3058 * logic prevents configurations where more are set.
3059 */
3060 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3061 {
3062 ce->tls_auth_file = o->tls_auth_file;
3063 ce->tls_auth_file_inline = o->tls_auth_file_inline;
3064 ce->key_direction = o->key_direction;
3065
3066 ce->tls_crypt_file = o->tls_crypt_file;
3067 ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3068
3069 ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3070 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3071 }
3072
3073 /* Pre-cache tls-auth/crypt(-v2) key file if
3074 * keys were not already embedded in the config file.
3075 */
3076 connection_entry_preload_key(&ce->tls_auth_file, &ce->tls_auth_file_inline, &o->gc);
3077 connection_entry_preload_key(&ce->tls_crypt_file, &ce->tls_crypt_file_inline, &o->gc);
3078 connection_entry_preload_key(&ce->tls_crypt_v2_file, &ce->tls_crypt_v2_file_inline, &o->gc);
3079
3080
3081 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3082 {
3083 msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3084 ce->explicit_exit_notification = 0;
3085 }
3086}
3087
3088static void
3089options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
3090{
3091 /* use the global port if none is specified */
3092 if (!le->port)
3093 {
3094 le->port = ce->local_port;
3095 }
3096 /* use the global proto if none is specified and
3097 * allow proto bindings on server mode only */
3098 if (!le->proto || mode == MODE_POINT_TO_POINT)
3099 {
3100 le->proto = ce->proto;
3101 }
3102}
3103
3104#ifdef _WIN32
3105/* If iservice is in use, we need def1 method for redirect-gateway */
3106static void
3107remap_redirect_gateway_flags(struct options *opt)
3108{
3109 if (opt->routes && opt->route_method == ROUTE_METHOD_SERVICE
3110 && opt->routes->flags & RG_REROUTE_GW && !(opt->routes->flags & RG_DEF1))
3111 {
3112 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3113 opt->routes->flags |= RG_DEF1;
3114 }
3115}
3116#endif /* ifdef _WIN32 */
3117
3118/*
3119 * Save/Restore certain option defaults before --pull is applied.
3120 */
3121
3122static void
3123pre_connect_save(struct options *o)
3124{
3125 ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3126 o->pre_connect->tuntap_options = o->tuntap_options;
3127 o->pre_connect->tuntap_options_defined = true;
3128 o->pre_connect->foreign_option_index = o->foreign_option_index;
3129
3130 if (o->routes)
3131 {
3132 o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3133 o->pre_connect->routes_defined = true;
3134 }
3135 if (o->routes_ipv6)
3136 {
3137 o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3138 o->pre_connect->routes_ipv6_defined = true;
3139 }
3140 if (o->client_nat)
3141 {
3142 o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3143 o->pre_connect->client_nat_defined = true;
3144 }
3145
3146 o->pre_connect->route_default_gateway = o->route_default_gateway;
3147 o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3148
3149 o->pre_connect->dns_options = clone_dns_options(&o->dns_options, &o->gc);
3150
3151 /* NCP related options that can be overwritten by a push */
3152 o->pre_connect->ciphername = o->ciphername;
3153 o->pre_connect->authname = o->authname;
3154
3155 /* Ping related options should be reset to the config values on reconnect */
3156 o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3157 o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3158 o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3159
3160 /* Miscellaneous Options */
3161 o->pre_connect->comp = o->comp;
3162}
3163
3164void
3165pre_connect_restore(struct options *o, struct gc_arena *gc)
3166{
3167 const struct options_pre_connect *pp = o->pre_connect;
3168 if (pp)
3169 {
3170 CLEAR(o->tuntap_options);
3171 if (pp->tuntap_options_defined)
3172 {
3173 o->tuntap_options = pp->tuntap_options;
3174 }
3175
3176 if (pp->routes_defined)
3177 {
3178 rol_check_alloc(o);
3179 copy_route_option_list(o->routes, pp->routes, gc);
3180 }
3181 else
3182 {
3183 o->routes = NULL;
3184 }
3185
3186 if (pp->routes_ipv6_defined)
3187 {
3188 rol6_check_alloc(o);
3189 copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3190 }
3191 else
3192 {
3193 o->routes_ipv6 = NULL;
3194 }
3195
3196 o->route_default_gateway = pp->route_default_gateway;
3197 o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3198
3199 /* Free DNS options and reset them to pre-pull state */
3200 gc_free(&o->dns_options.gc);
3201 struct gc_arena dns_gc = gc_new();
3202 o->dns_options = clone_dns_options(&pp->dns_options, &dns_gc);
3203 o->dns_options.gc = dns_gc;
3204
3205 if (pp->client_nat_defined)
3206 {
3207 cnol_check_alloc(o);
3208 copy_client_nat_option_list(o->client_nat, pp->client_nat);
3209 }
3210 else
3211 {
3212 o->client_nat = NULL;
3213 }
3214
3215 o->foreign_option_index = pp->foreign_option_index;
3216
3217 o->ciphername = pp->ciphername;
3218 o->authname = pp->authname;
3219
3220 o->ping_rec_timeout = pp->ping_rec_timeout;
3221 o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3222 o->ping_send_timeout = pp->ping_send_timeout;
3223
3224 /* Miscellaneous Options */
3225 o->comp = pp->comp;
3226 }
3227
3228 o->push_continuation = 0;
3229 o->push_option_types_found = 0;
3230 o->imported_protocol_flags = 0;
3231}
3232
3233static void
3234options_postprocess_mutate_invariant(struct options *options)
3235{
3236#ifdef _WIN32
3237 const int dev = dev_type_enum(options->dev, options->dev_type);
3238
3239 /* when using ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3240 if ((options->windows_driver == DRIVER_DCO)
3241 && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3242 || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3243 {
3244 options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3245 }
3246
3247 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3248 {
3249 /* delay may only be necessary when we perform DHCP handshake */
3250 const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3251 || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3252 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3253 {
3254 options->route_delay_defined = true;
3255 options->route_delay = 5; /* Vista sometimes has a race without this */
3256 }
3257 }
3258
3259 if (options->ifconfig_noexec)
3260 {
3261 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3262 options->ifconfig_noexec = false;
3263 }
3264
3265 remap_redirect_gateway_flags(options);
3266
3267 /*
3268 * Check consistency of --mode server options.
3269 */
3270 if (options->mode == MODE_SERVER)
3271 {
3272 /*
3273 * We need to explicitly set --tap-sleep because
3274 * we do not schedule event timers in the top-level context.
3275 */
3276 options->tuntap_options.tap_sleep = 10;
3277 if (options->route_delay_defined && options->route_delay)
3278 {
3279 options->tuntap_options.tap_sleep = options->route_delay;
3280 }
3281 options->route_delay_defined = false;
3282 }
3283#endif /* ifdef _WIN32 */
3284
3285#ifdef DEFAULT_PKCS11_MODULE
3286 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3287 * by default if the user asks for PKCS#11 without otherwise specifying
3288 * the module to use. */
3289 if (!options->pkcs11_providers[0] && (options->pkcs11_id || options->pkcs11_id_management))
3290 {
3291 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3292 }
3293#endif
3294}
3295
3296static void
3297options_postprocess_verify(const struct options *o)
3298{
3299 if (o->connection_list)
3300 {
3301 int i;
3302 for (i = 0; i < o->connection_list->len; ++i)
3303 {
3304 options_postprocess_verify_ce(o, o->connection_list->array[i]);
3305 }
3306 }
3307 else
3308 {
3309 options_postprocess_verify_ce(o, &o->ce);
3310 }
3311
3312 dns_options_verify(M_FATAL, &o->dns_options);
3313
3314 if (dco_enabled(o) && o->enable_c2c)
3315 {
3316 msg(M_WARN, "Note: --client-to-client has no effect when using data "
3317 "channel offload: packets are always sent to the VPN "
3318 "interface and then routed based on the system routing table");
3319 }
3320}
3321
3322static void
3323options_postprocess_cipher(struct options *o)
3324{
3325 if (!o->pull && !(o->mode == MODE_SERVER))
3326 {
3327 /* If the cipher is not set, use the old default of BF-CBC. We will
3328 * warn that this is deprecated on cipher initialisation, no need
3329 * to warn here as well */
3330 if (!o->ciphername)
3331 {
3332 o->ciphername = "BF-CBC";
3333 }
3334 else
3335 {
3336 o->enable_ncp_fallback = true;
3337 }
3338 return;
3339 }
3340
3341 /* pull or P2MP mode */
3342 if (!o->ciphername)
3343 {
3344 /* We still need to set the ciphername to BF-CBC since various other
3345 * parts of OpenVPN assert that the ciphername is set */
3346 o->ciphername = "BF-CBC";
3347
3348 msg(M_INFO,
3349 "Note: --cipher is not set. OpenVPN versions before 2.5 "
3350 "defaulted to BF-CBC as fallback when cipher negotiation "
3351 "failed in this case. If you need this fallback please add "
3352 "'--data-ciphers-fallback BF-CBC' to your configuration "
3353 "and/or add BF-CBC to --data-ciphers. E.g. "
3354 "--data-ciphers %s:BF-CBC",
3355 o->ncp_ciphers_conf);
3356 }
3357 else if (!o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3358 {
3359 msg(M_WARN,
3360 "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3361 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3362 "negotiations. ",
3363 o->ciphername, o->ncp_ciphers_conf);
3364 }
3365}
3366
3382static bool
3383need_compatibility_before(const struct options *o, unsigned int version)
3384{
3385 return o->backwards_compatible != 0 && o->backwards_compatible < version;
3386}
3387
3392static void
3393options_set_backwards_compatible_options(struct options *o)
3394{
3395 /* TLS min version is not set */
3396 unsigned int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
3397 if (tls_ver_min == 0)
3398 {
3399 unsigned int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
3400 if (need_compatibility_before(o, 20307))
3401 {
3402 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3403 o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3404 }
3405 else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3406 {
3407 /* Use TLS 1.2 as proper default */
3408 o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3409 }
3410 else
3411 {
3412 /* Maximize the minimum version */
3413 o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3414 }
3415 }
3416
3417 if (need_compatibility_before(o, 20400))
3418 {
3419 if (!o->ciphername)
3420 {
3421 /* If ciphername is not set default to BF-CBC when targeting these
3422 * old versions that do not have NCP */
3423 o->ciphername = "BF-CBC";
3424 }
3425 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3426 * not have OCC strings required for "poor man's NCP" */
3427 o->enable_ncp_fallback = true;
3428 }
3429
3430 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3431 * Version 2.4 probably does not need it but NCP was not so
3432 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3433 * Only do this iff --cipher is set (explicitly or by compat mode
3434 * < 2.4.0, see above). This is not 100% correct backwards compatible
3435 * behaviour but 2.5 already behaved like this */
3436 if (o->ciphername && need_compatibility_before(o, 20500)
3437 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3438 {
3439 append_cipher_to_ncp_list(o, o->ciphername);
3440 }
3441
3442#ifdef USE_COMP
3443 /* Compression is deprecated and we do not want to announce support for it
3444 * by default anymore, additionally DCO breaks with compression.
3445 *
3446 * Disable compression by default starting with 2.6.0 if no other
3447 * compression related option has been explicitly set */
3448 if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
3449 {
3450 if (!comp_non_stub_enabled(&o->comp))
3451 {
3452 o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
3453 }
3454 }
3455#else /* ifdef USE_COMP */
3456 o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;
3457#endif
3458}
3459
3460static void
3461options_process_mutate_prf(struct options *o)
3462{
3463 if (!check_tls_prf_working())
3464 {
3465 msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
3466 "supported by the TLS library. Your system does not support this "
3467 "calculation anymore or your security policy (e.g. FIPS 140-2) "
3468 "forbids it. Connections will only work with peers running "
3469 "OpenVPN 2.6.0 or higher)");
3470 if (o->mode == MODE_SERVER)
3471 {
3472 msg(M_WARN, "Automatically enabling option "
3473 "--force-tls-key-material-export");
3474 o->force_key_material_export = true;
3475 }
3476 }
3477}
3478
3479#if defined(_WIN32) || defined(TARGET_ANDROID)
3488static void
3489tuntap_options_postprocess_dns(struct options *o)
3490{
3491 struct dns_options *dns = &o->dns_options;
3492 struct tuntap_options *tt = &o->tuntap_options;
3493 if (!dns->servers)
3494 {
3495 /* Copy --dhcp-options to tuntap_options */
3496 struct dhcp_options *dhcp = &dns->from_dhcp;
3497 ASSERT(sizeof(dhcp->dns) == sizeof(tt->dns));
3498 ASSERT(sizeof(dhcp->dns6) == sizeof(tt->dns6));
3499 ASSERT(sizeof(dhcp->domain_search_list) == sizeof(tt->domain_search_list));
3500
3501 tt->domain = dhcp->domain;
3502 tt->dns_len = dhcp->dns_len;
3503 tt->dns6_len = dhcp->dns6_len;
3504
3505 memcpy(tt->dns, dhcp->dns, sizeof(tt->dns));
3506 memcpy(tt->dns6, dhcp->dns6, sizeof(tt->dns6));
3507
3508 tt->domain_search_list_len = dhcp->domain_search_list_len;
3509 for (size_t i = 0; i < SIZE(tt->domain_search_list); ++i)
3510 {
3511 tt->domain_search_list[i] = dhcp->domain_search_list[i];
3512 }
3513
3514 return;
3515 }
3516
3517#if defined(_WIN32)
3518 if (tt->ip_win32_type != IPW32_SET_DHCP_MASQ && tt->ip_win32_type != IPW32_SET_ADAPTIVE)
3519 {
3520 return; /* Not in DHCP mode */
3521 }
3522#endif /* if defined(_WIN32) */
3523
3524 /* Copy --dns options to tuntap_options */
3525
3526 const struct dns_domain *d = dns->search_domains;
3527 if (d)
3528 {
3529 tt->domain_search_list_len = 0;
3530 }
3531
3532 while (d && tt->domain_search_list_len + 1 < N_SEARCH_LIST_LEN)
3533 {
3534 tt->domain_search_list[tt->domain_search_list_len++] = d->name;
3535 d = d->next;
3536 }
3537 if (d)
3538 {
3539 msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to TUN/TAP");
3540 }
3541
3542 tt->dns_len = 0;
3543 tt->dns6_len = 0;
3544
3545 const struct dns_server *s = dns->servers;
3546 while (s)
3547 {
3548 bool non_standard_server_port = false;
3549 for (int i = 0; i < s->addr_count; ++i)
3550 {
3551 if (s->addr[i].port && s->addr[i].port != 53)
3552 {
3553 non_standard_server_port = true;
3554 break;
3555 }
3556 }
3557 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3558 || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
3559 {
3560 /* Skip servers requiring unsupported config to be set */
3561 s = s->next;
3562 }
3563 else
3564 {
3565 bool overflow = false;
3566 for (int i = 0; i < s->addr_count; ++i)
3567 {
3568 if (s->addr[i].family == AF_INET && tt->dns_len + 1 < N_DHCP_ADDR)
3569 {
3570 tt->dns[tt->dns_len++] = ntohl(s->addr[i].in.a4.s_addr);
3571 }
3572 else if (tt->dns6_len + 1 < N_DHCP_ADDR)
3573 {
3574 tt->dns6[tt->dns6_len++] = s->addr[i].in.a6;
3575 }
3576 else
3577 {
3578 overflow = true;
3579 }
3580 }
3581 if (overflow)
3582 {
3583 msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to TUN/TAP");
3584 }
3585 tt->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
3586 return;
3587 }
3588 }
3589}
3590
3591#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3592
3603static void
3604dhcp_options_postprocess_dns(struct options *o, struct env_set *es)
3605{
3606 struct gc_arena gc = gc_new();
3607 struct dns_options *dns = &o->dns_options;
3608
3609 if (is_tun_afunix(o->dev_node))
3610 {
3611 /* Disable running dns-updown script with lwipovpn */
3612 dns->updown_flags = DNS_UPDOWN_NO_FLAGS;
3613 dns->updown = NULL;
3614 }
3615
3616 if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns))
3617 {
3618 /* Clean up env from --dhcp-option DNS config */
3619 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3620 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3621
3622 const int fo_count = o->foreign_option_index;
3623 o->foreign_option_index = 0;
3624
3625 for (int i = 1; i <= fo_count; ++i)
3626 {
3627 buf_clear(&name);
3628 buf_printf(&name, "foreign_option_%d", i);
3629 const char *env_str = env_set_get(es, BSTR(&name));
3630 const char *item_val = strchr(env_str, '=') + 1;
3631 buf_clear(&value);
3632 buf_printf(&value, "%s", item_val);
3633
3634 /* Remove foreign option item from env set */
3635 env_set_del(es, BSTR(&name));
3636
3637 item_val = BSTR(&value);
3638 if (strncmp(item_val, "dhcp-option ", 12) != 0
3639 || (strncmp(item_val + 12, "ADAPTER-DOMAIN-SUFFIX ", 22) != 0
3640 && strncmp(item_val + 12, "DOMAIN-SEARCH ", 14) != 0
3641 && strncmp(item_val + 12, "DOMAIN ", 7) != 0
3642 && strncmp(item_val + 12, "DNS6 ", 5) != 0
3643 && strncmp(item_val + 12, "DNS ", 4) != 0))
3644 {
3645 /* Re-set the item with potentially updated name */
3646 buf_clear(&name);
3647 buf_printf(&name, "foreign_option_%d", ++o->foreign_option_index);
3648 setenv_str(es, BSTR(&name), BSTR(&value));
3649 }
3650 }
3651 }
3652
3653 if (!dns->servers)
3654 {
3655 /* Copy --dhcp-options to dns_options */
3656 struct dhcp_options *dhcp = &dns->from_dhcp;
3657
3658 if (dhcp->dns_len || dhcp->dns6_len)
3659 {
3660 struct dns_domain **entry = &dns->search_domains;
3661 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3662 struct dns_domain *new = *entry;
3663 new->name = dhcp->domain;
3664 entry = &new->next;
3665
3666 for (size_t i = 0; i < dhcp->domain_search_list_len; ++i)
3667 {
3668 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3669 struct dns_domain *new = *entry;
3670 new->name = dhcp->domain_search_list[i];
3671 entry = &new->next;
3672 }
3673
3674 struct dns_server *server = dns_server_get(&dns->servers, 0, &dns->gc);
3675 const size_t max_addrs = SIZE(server->addr);
3676 for (size_t i = 0; i < dhcp->dns_len && server->addr_count < max_addrs; ++i)
3677 {
3678 server->addr[server->addr_count].in.a4.s_addr = htonl(dhcp->dns[i]);
3679 server->addr[server->addr_count].family = AF_INET;
3680 server->addr_count += 1;
3681 }
3682 for (size_t i = 0; i < dhcp->dns6_len && server->addr_count < max_addrs; ++i)
3683 {
3684 server->addr[server->addr_count].in.a6 = dhcp->dns6[i];
3685 server->addr[server->addr_count].family = AF_INET6;
3686 server->addr_count += 1;
3687 }
3688 }
3689 }
3690 else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))
3691 {
3692 /* Set foreign option env vars from --dns config */
3693 const struct dns_domain *d = dns->search_domains;
3694 while (d)
3695 {
3696 setenv_foreign_option(o, "DOMAIN", d->name, es);
3697 d = d->next;
3698 }
3699
3700 const struct dns_server *s = dns->servers;
3701 while (s)
3702 {
3703 bool non_standard_server_port = false;
3704 for (int i = 0; i < s->addr_count; ++i)
3705 {
3706 if (s->addr[i].port && s->addr[i].port != 53)
3707 {
3708 non_standard_server_port = true;
3709 break;
3710 }
3711 }
3712 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3713 || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
3714 {
3715 /* Skip servers requiring unsupported config to be set */
3716 s = s->next;
3717 }
3718 else
3719 {
3720 for (int i = 0; i < s->addr_count; ++i)
3721 {
3722 const char *option;
3723 const char *value;
3724 if (s->addr[i].family == AF_INET)
3725 {
3726 option = "DNS";
3727 value = print_in_addr_t(s->addr[i].in.a4.s_addr, IA_NET_ORDER, &gc);
3728 }
3729 else
3730 {
3731 option = "DNS6";
3732 value = print_in6_addr(s->addr[i].in.a6, 0, &gc);
3733 }
3734 setenv_foreign_option(o, option, value, es);
3735 }
3736 break;
3737 }
3738 }
3739 }
3740
3741 gc_free(&gc);
3742}
3743#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3744
3745static void
3746options_postprocess_mutate(struct options *o, struct env_set *es)
3747{
3748 int i;
3749 /*
3750 * Process helper-type options which map to other, more complex
3751 * sequences of options.
3752 */
3753 helper_client_server(o);
3754 /* must be called after helpers that might set --mode */
3755 helper_setdefault_topology(o);
3756 helper_keepalive(o);
3757 helper_tcp_nodelay(o);
3758
3759 options_postprocess_setdefault_ncpciphers(o);
3760 options_set_backwards_compatible_options(o);
3761 options_process_mutate_prf(o);
3762
3763 options_postprocess_cipher(o);
3764 o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3765 if (o->ncp_ciphers == NULL)
3766 {
3767 msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3768 }
3769
3770 if (o->remote_list && !o->connection_list)
3771 {
3772 /*
3773 * Convert remotes into connection list
3774 */
3775 const struct remote_list *rl = o->remote_list;
3776 for (i = 0; i < rl->len; ++i)
3777 {
3778 const struct remote_entry *re = rl->array[i];
3779 struct connection_entry ce = o->ce;
3780 struct connection_entry *ace;
3781
3782 ASSERT(re->remote);
3783 connection_entry_load_re(&ce, re);
3784 ace = alloc_connection_entry(o, M_USAGE);
3785 ASSERT(ace);
3786 *ace = ce;
3787 }
3788 }
3789 else if (!o->remote_list && !o->connection_list)
3790 {
3791 struct connection_entry *ace;
3792 ace = alloc_connection_entry(o, M_USAGE);
3793 ASSERT(ace);
3794 *ace = o->ce;
3795 }
3796
3797 ASSERT(o->connection_list);
3798 for (i = 0; i < o->connection_list->len; ++i)
3799 {
3800 options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3801 }
3802
3803 if (o->ce.local_list)
3804 {
3805 for (i = 0; i < o->ce.local_list->len; i++)
3806 {
3807 options_postprocess_mutate_le(&o->ce, o->ce.local_list->array[i], o->mode);
3808 }
3809
3810 for (int i = 0; i < o->ce.local_list->len; i++)
3811 {
3812 if (o->ce.local_list->array[i]->proto == PROTO_TCP)
3813 {
3814 o->ce.local_list->array[i]->proto = PROTO_TCP_SERVER;
3815 }
3816 else if (o->ce.local_list->array[i]->proto == PROTO_NONE)
3817 {
3818 o->ce.local_list->array[i]->proto = o->ce.proto;
3819 }
3820 }
3821 }
3822 else
3823 {
3824 /* if no 'local' directive was specified, convert the global port
3825 * setting to a listen entry */
3826 struct local_entry *e = alloc_local_entry(&o->ce, M_USAGE, &o->gc);
3827 ASSERT(e);
3828 e->port = o->ce.local_port;
3829 e->proto = o->ce.proto;
3830 }
3831
3832 /* use the same listen list for every outgoing connection */
3833 for (i = 0; i < o->connection_list->len; ++i)
3834 {
3835 o->connection_list->array[i]->local_list = o->ce.local_list;
3836 }
3837
3838 if (o->tls_server)
3839 {
3840 if (o->dh_file && streq(o->dh_file, "none"))
3841 {
3842 o->dh_file = NULL;
3843 }
3844 }
3845 else if (o->dh_file)
3846 {
3847 /* DH file is only meaningful in a tls-server context. */
3848 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3849 "include this in your server configuration");
3850 o->dh_file = NULL;
3851 }
3852#if ENABLE_MANAGEMENT
3853 if (o->http_proxy_override)
3854 {
3855 options_postprocess_http_proxy_override(o);
3856 }
3857#endif
3858 if (!o->ca_file && !o->ca_path && o->verify_hash && o->verify_hash_depth == 0)
3859 {
3860 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3861 "option set). ");
3862 o->verify_hash_no_ca = true;
3863 }
3864
3865 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3866 {
3867 msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3868 "incompatible with each other.");
3869 }
3870
3871 if (dco_enabled(o))
3872 {
3873 /* check if any option should force disabling DCO */
3874 o->disable_dco = !dco_check_option(D_DCO, o) || !dco_check_startup_option(D_DCO, o);
3875 }
3876#ifdef USE_COMP
3877 if (dco_enabled(o))
3878 {
3879 o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY;
3880 }
3881#endif
3882
3883#ifdef _WIN32
3884 if (dco_enabled(o))
3885 {
3886 o->windows_driver = DRIVER_DCO;
3887 }
3888 else
3889 {
3890 if (o->windows_driver == DRIVER_DCO)
3891 {
3892 msg(M_WARN,
3893 "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3894 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3895 }
3896 else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED)
3897 {
3898 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3899 }
3900 }
3901#else /* _WIN32 */
3902 if (dco_enabled(o) && o->dev_node)
3903 {
3904 msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3905 "data channel offload");
3906 o->dev_node = NULL;
3907 }
3908#endif /* _WIN32 */
3909
3910 /* this depends on o->windows_driver, which is set above */
3911 options_postprocess_mutate_invariant(o);
3912
3913 /* check that compression settings in the options are okay */
3914 check_compression_settings_valid(&o->comp, M_USAGE);
3915
3916 /*
3917 * Save certain parms before modifying options during connect, especially
3918 * when using --pull
3919 */
3920 if (o->pull)
3921 {
3922 dns_options_preprocess_pull(&o->dns_options);
3923 }
3924 else
3925 {
3926#if defined(_WIN32) || defined(TARGET_ANDROID)
3927 tuntap_options_postprocess_dns(o);
3928#else
3929 dhcp_options_postprocess_dns(o, es);
3930#endif
3931 }
3932 if (o->auth_token_generate && !o->auth_token_renewal)
3933 {
3934 o->auth_token_renewal = o->renegotiate_seconds;
3935 }
3936 pre_connect_save(o);
3937}
3938
3939/*
3940 * Check file/directory sanity
3941 *
3942 */
3943/* Expect people using the stripped down version to know what they do */
3944#ifndef ENABLE_SMALL
3945
3946#define CHKACC_FILE (1 << 0)
3947#define CHKACC_DIRPATH (1 << 1)
3948#define CHKACC_FILEXSTWR (1 << 2)
3949#define CHKACC_ACPTSTDIN (1 << 3)
3950#define CHKACC_PRIVATE (1 << 4)
3951#define CHKACC_ACCEPT_URI (1 << 5)
3953static bool
3954check_file_access(const int type, const char *file, const int mode, const char *opt)
3955{
3956 int errcode = 0;
3957
3958 /* If no file configured, no errors to look for */
3959 if (!file)
3960 {
3961 return false;
3962 }
3963
3964 /* If stdin is allowed and the file name is 'stdin', then do no
3965 * further checks as stdin is always available
3966 */
3967 if ((type & CHKACC_ACPTSTDIN) && streq(file, "stdin"))
3968 {
3969 return false;
3970 }
3971
3972 /* file name is a URI if its first segment has ":" (i.e., before any "/")
3973 * Then no checks done if CHKACC_ACCEPT_URI is set and the URI does not start with "file:"
3974 */
3975 if ((type & CHKACC_ACCEPT_URI) && strchr(file, ':'))
3976 {
3977 if (!strncmp(file, "file:", 5))
3978 {
3979 file += 5;
3980 }
3981 else if (!strchr(file, '/') || strchr(file, '/') > strchr(file, ':'))
3982 {
3983 return false;
3984 }
3985 }
3986
3987 /* Is the directory path leading to the given file accessible? */
3988 if (type & CHKACC_DIRPATH)
3989 {
3990 char *fullpath =
3991 string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3992 char *dirpath = dirname(fullpath);
3993
3994 if (platform_access(dirpath, mode | X_OK) != 0)
3995 {
3996 errcode = errno;
3997 }
3998 free(fullpath);
3999 }
4000
4001 /* Is the file itself accessible? */
4002 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0))
4003 {
4004 errcode = errno;
4005 }
4006
4007 /* If the file exists and is accessible, is it writable? */
4008 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0))
4009 {
4010 if (platform_access(file, W_OK) != 0)
4011 {
4012 errcode = errno;
4013 }
4014 }
4015
4016 /* Warn if a given private file is group/others accessible. */
4017 if (type & CHKACC_PRIVATE)
4018 {
4019 platform_stat_t st;
4020 if (platform_stat(file, &st))
4021 {
4022 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
4023 }
4024#ifndef _WIN32
4025 else
4026 {
4027 if (st.st_mode & (S_IRWXG | S_IRWXO))
4028 {
4029 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
4030 }
4031 }
4032#endif
4033 }
4034
4035 /* Scream if an error is found */
4036 if (errcode > 0)
4037 {
4038 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
4039 }
4040
4041 /* Return true if an error occurred */
4042 return (errcode != 0 ? true : false);
4043}
4044
4045/* A wrapper for check_file_access() which also takes a chroot directory.
4046 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
4047 * otherwise it will look for the file inside the given chroot directory instead.
4048 */
4049static bool
4050check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode,
4051 const char *opt)
4052{
4053 bool ret = false;
4054
4055 /* If no file configured, no errors to look for */
4056 if (!file)
4057 {
4058 return false;
4059 }
4060
4061 /* If chroot is set, look for the file/directory inside the chroot */
4062 if (chroot)
4063 {
4064 struct gc_arena gc = gc_new();
4065 struct buffer chroot_file;
4066
4067 chroot_file = prepend_dir(chroot, file, &gc);
4068 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
4069 gc_free(&gc);
4070 }
4071 else
4072 {
4073 /* No chroot in play, just call core file check function */
4074 ret = check_file_access(type, file, mode, opt);
4075 }
4076 return ret;
4077}
4078
4083static bool
4084check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type,
4085 const char *file, const int mode, const char *opt)
4086{
4087 if (is_inline)
4088 {
4089 return false;
4090 }
4091
4092 return check_file_access_chroot(chroot, type, file, mode, opt);
4093}
4094
4099static bool
4100check_file_access_inline(bool is_inline, const int type, const char *file, const int mode,
4101 const char *opt)
4102{
4103 if (is_inline)
4104 {
4105 return false;
4106 }
4107
4108 return check_file_access(type, file, mode, opt);
4109}
4110
4111/*
4112 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
4113 * valid file with appropriate permissions.
4114 *
4115 * "command" consists of a path, optionally followed by a space, which may be
4116 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
4117 * performed.
4118 *
4119 * The path and arguments in "command" may be single- or double-quoted or escaped.
4120 *
4121 * The path is extracted from "command", then check_file_access() is called to check it. The
4122 * arguments, if any, are ignored.
4123 *
4124 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
4125 * check_file_access() arguments.
4126 */
4127static bool
4128check_cmd_access(const char *command, const char *opt, const char *chroot)
4129{
4130 struct argv argv;
4131 bool return_code;
4132
4133 /* If no command was set, there are no errors to look for */
4134 if (!command)
4135 {
4136 return false;
4137 }
4138
4139 /* Extract executable path and arguments */
4140 argv = argv_new();
4141 argv_parse_cmd(&argv, command);
4142
4143 /* if an executable is specified then check it; otherwise, complain */
4144 if (argv.argv[0])
4145 {
4146 /* Scripts requires R_OK as well, but that might fail on binaries which
4147 * only requires X_OK to function on Unix - a scenario not unlikely to
4148 * be seen on suid binaries.
4149 */
4150 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
4151 }
4152 else
4153 {
4154 msg(M_NOPREFIX | M_OPTERR, "%s fails with '%s': No path to executable.", opt, command);
4155 return_code = true;
4156 }
4157
4158 argv_free(&argv);
4159
4160 return return_code;
4161}
4162
4163/*
4164 * Sanity check of all file/dir options. Checks that file/dir
4165 * is accessible by OpenVPN
4166 */
4167static void
4168options_postprocess_filechecks(struct options *options)
4169{
4170 bool errs = false;
4171
4172 /* ** SSL/TLS/crypto related files ** */
4173 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK,
4174 "--dh");
4175
4176 if (!options->verify_hash_no_ca)
4177 {
4178 errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, options->ca_file,
4179 R_OK, "--ca");
4180 }
4181
4182 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK,
4183 "--capath");
4184
4185 errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE | CHKACC_ACCEPT_URI,
4186 options->cert_file, R_OK, "--cert");
4187
4188 errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
4189 options->extra_certs_file, R_OK, "--extra-certs");
4190
4191 if (!(options->management_flags & MF_EXTERNAL_KEY))
4192 {
4193 errs |= check_file_access_inline(options->priv_key_file_inline,
4194 CHKACC_FILE | CHKACC_PRIVATE | CHKACC_ACCEPT_URI,
4195 options->priv_key_file, R_OK, "--key");
4196 }
4197
4198 errs |= check_file_access_inline(options->pkcs12_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4199 options->pkcs12_file, R_OK, "--pkcs12");
4200
4201 if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
4202 {
4203 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file,
4204 R_OK | X_OK, "--crl-verify directory");
4205 }
4206 else
4207 {
4208 errs |=
4209 check_file_access_chroot_inline(options->crl_file_inline, options->chroot_dir,
4210 CHKACC_FILE, options->crl_file, R_OK, "--crl-verify");
4211 }
4212
4213 if (options->tls_export_peer_cert_dir)
4214 {
4215 errs |=
4216 check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4217 options->tls_export_peer_cert_dir, W_OK, "--tls-export-cert");
4218 }
4219
4220 ASSERT(options->connection_list);
4221 for (int i = 0; i < options->connection_list->len; ++i)
4222 {
4223 struct connection_entry *ce = options->connection_list->array[i];
4224
4225 errs |= check_file_access_inline(ce->tls_auth_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4226 ce->tls_auth_file, R_OK, "--tls-auth");
4227 errs |= check_file_access_inline(ce->tls_crypt_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4228 ce->tls_crypt_file, R_OK, "--tls-crypt");
4229 errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4230 ce->tls_crypt_v2_file, R_OK, "--tls-crypt-v2");
4231 }
4232
4233 errs |=
4234 check_file_access_inline(options->shared_secret_file_inline, CHKACC_FILE | CHKACC_PRIVATE,
4235 options->shared_secret_file, R_OK, "--secret");
4236
4237 errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->packet_id_file,
4238 R_OK | W_OK, "--replay-persist");
4239
4240 /* ** Password files ** */
4241 errs |= check_file_access(CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
4242 options->key_pass_file, R_OK, "--askpass");
4243#ifdef ENABLE_MANAGEMENT
4244 errs |=
4245 check_file_access(CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
4246 options->management_user_pass, R_OK, "--management user/password file");
4247#endif /* ENABLE_MANAGEMENT */
4248 errs |= check_file_access_inline(options->auth_user_pass_file_inline,
4249 CHKACC_FILE | CHKACC_ACPTSTDIN | CHKACC_PRIVATE,
4250 options->auth_user_pass_file, R_OK, "--auth-user-pass");
4251 /* ** System related ** */
4252 errs |= check_file_access(CHKACC_FILE, options->chroot_dir, R_OK | X_OK, "--chroot directory");
4253 errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->writepid, R_OK | W_OK,
4254 "--writepid");
4255
4256 /* ** Log related ** */
4257 errs |= check_file_access(CHKACC_DIRPATH | CHKACC_FILEXSTWR, options->status_file, R_OK | W_OK,
4258 "--status");
4259
4260 /* ** Config related ** */
4261 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4262 R_OK | X_OK, "--client-config-dir");
4263 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4264 R_OK | W_OK | X_OK, "Temporary directory (--tmp-dir)");
4265
4266 if (errs)
4267 {
4268 msg(M_USAGE, "Please correct these errors.");
4269 }
4270}
4271#endif /* !ENABLE_SMALL */
4272
4273/*
4274 * Sanity check on options.
4275 * Also set some options based on other
4276 * options.
4277 */
4278void
4279options_postprocess(struct options *options, struct env_set *es)
4280{
4281 options_postprocess_mutate(options, es);
4282 options_postprocess_verify(options);
4283#ifndef ENABLE_SMALL
4284 options_postprocess_filechecks(options);
4285#endif /* !ENABLE_SMALL */
4286}
4287
4288/*
4289 * Sanity check on options after more options were pulled from server.
4290 * Also time to modify some options based on other options.
4291 */
4292bool
4293options_postprocess_pull(struct options *o, struct env_set *es)
4294{
4295 bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4296 if (success)
4297 {
4298 dns_options_postprocess_pull(&o->dns_options);
4299#if defined(_WIN32) || defined(TARGET_ANDROID)
4300 tuntap_options_postprocess_dns(o);
4301#else
4302 dhcp_options_postprocess_dns(o, es);
4303#endif
4304 }
4305 return success;
4306}
4307
4308/*
4309 * Build an options string to represent data channel encryption options.
4310 * This string must match exactly between peers. The keysize is checked
4311 * separately by read_key().
4312 *
4313 * The following options must match on both peers:
4314 *
4315 * Tunnel options:
4316 *
4317 * --dev tun|tap [unit number need not match]
4318 * --dev-type tun|tap
4319 * --link-mtu
4320 * --udp-mtu
4321 * --tun-mtu
4322 * --proto udp
4323 * --proto tcp-client [matched with --proto tcp-server
4324 * on the other end of the connection]
4325 * --proto tcp-server [matched with --proto tcp-client on
4326 * the other end of the connection]
4327 * --tun-ipv6
4328 * --ifconfig x y [matched with --ifconfig y x on
4329 * the other end of the connection]
4330 *
4331 * --comp-lzo
4332 * --compress alg
4333 * --fragment
4334 *
4335 * Crypto Options:
4336 *
4337 * --cipher
4338 * --auth
4339 * --secret
4340 *
4341 * SSL Options:
4342 *
4343 * --tls-auth
4344 * --tls-client [matched with --tls-server on
4345 * the other end of the connection]
4346 * --tls-server [matched with --tls-client on
4347 * the other end of the connection]
4348 */
4349char *
4350options_string(const struct options *o, const struct frame *frame, struct tuntap *tt,
4351 openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
4352{
4353 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4354 bool tt_local = false;
4355
4356 buf_printf(&out, "V4");
4357
4358 /*
4359 * Tunnel Options
4360 */
4361
4362 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4363 /* the link-mtu that we send has only a meaning if have a fixed
4364 * cipher (p2p) or have a fallback cipher configured for older non
4365 * ncp clients. But not sending it will make even 2.4 complain
4366 * about it being missing. So still send it. */
4367 buf_printf(&out, ",link-mtu %u", (unsigned int)calc_options_string_link_mtu(o, frame));
4368
4369 if (o->ce.occ_mtu != 0)
4370 {
4371 buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4372 }
4373 else
4374 {
4375 buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4376 }
4377
4378 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4379
4380 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4381 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4382 * is usually pushed by the server, triggering a non-helpful warning
4383 */
4384 if (o->ifconfig_ipv6_local && p2p_nopull)
4385 {
4386 buf_printf(&out, ",tun-ipv6");
4387 }
4388
4389 /*
4390 * Try to get ifconfig parameters into the options string.
4391 * If tt is undefined, make a temporary instantiation.
4392 */
4393 if (!tt)
4394 {
4395 tt = init_tun(o->dev, o->dev_type, o->topology, o->ifconfig_local,
4396 o->ifconfig_remote_netmask, o->ifconfig_ipv6_local, o->ifconfig_ipv6_netbits,
4397 o->ifconfig_ipv6_remote, NULL, NULL, false, NULL, ctx, NULL);
4398 if (tt)
4399 {
4400 tt_local = true;
4401 }
4402 }
4403
4404 if (tt && p2p_nopull)
4405 {
4406 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4407 if (ios && strlen(ios))
4408 {
4409 buf_printf(&out, ",ifconfig %s", ios);
4410 }
4411 }
4412 if (tt_local)
4413 {
4414 free(tt);
4415 tt = NULL;
4416 }
4417
4418#ifdef USE_COMP
4419 if (o->comp.alg != COMP_ALG_UNDEF)
4420 {
4421 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression
4422 context is active, not necessarily LZO per-se */
4423 }
4424#endif
4425
4426#ifdef ENABLE_FRAGMENT
4427 if (o->ce.fragment)
4428 {
4429 buf_printf(&out, ",mtu-dynamic");
4430 }
4431#endif
4432
4433#define TLS_CLIENT (o->tls_client)
4434#define TLS_SERVER (o->tls_server)
4435
4436 /*
4437 * Key direction
4438 */
4439 {
4440 const char *kd = keydirection2ascii(o->key_direction, remote, false);
4441 if (kd)
4442 {
4443 buf_printf(&out, ",keydir %s", kd);
4444 }
4445 }
4446
4447 /*
4448 * Crypto Options
4449 */
4450 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4451 {
4452 struct key_type kt;
4453
4454 ASSERT((o->shared_secret_file != NULL) + (TLS_CLIENT == true) + (TLS_SERVER == true) <= 1);
4455
4456 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4457 * to work here in the default configuration */
4458 const char *ciphername = o->ciphername;
4459 int keysize = 0;
4460
4461 if (strcmp(o->ciphername, "BF-CBC") == 0)
4462 {
4463 init_key_type(&kt, "none", o->authname, true, false);
4464 keysize = 128;
4465 }
4466 else
4467 {
4468 init_key_type(&kt, o->ciphername, o->authname, true, false);
4469 ciphername = cipher_kt_name(kt.cipher);
4470 if (cipher_defined(o->ciphername))
4471 {
4472 keysize = cipher_kt_key_size(kt.cipher) * 8;
4473 }
4474 }
4475 /* Only announce the cipher to our peer if we are willing to
4476 * support it */
4477 if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4478 {
4479 buf_printf(&out, ",cipher %s", ciphername);
4480 }
4481 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4482 buf_printf(&out, ",keysize %d", keysize);
4483 if (o->shared_secret_file)
4484 {
4485 buf_printf(&out, ",secret");
4486 }
4487
4488#ifdef ENABLE_PREDICTION_RESISTANCE
4489 if (o->use_prediction_resistance)
4490 {
4491 buf_printf(&out, ",use-prediction-resistance");
4492 }
4493#endif
4494 }
4495
4496 /*
4497 * SSL Options
4498 */
4499 {
4500 if (TLS_CLIENT || TLS_SERVER)
4501 {
4502 if (o->ce.tls_auth_file)
4503 {
4504 buf_printf(&out, ",tls-auth");
4505 }
4506 /* Not adding tls-crypt here, because we won't reach this code if
4507 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4508 * break stuff, so leaving that in place. */
4509
4510 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4511 }
4512
4513 if (remote)
4514 {
4515 if (TLS_CLIENT)
4516 {
4517 buf_printf(&out, ",tls-server");
4518 }
4519 else if (TLS_SERVER)
4520 {
4521 buf_printf(&out, ",tls-client");
4522 }
4523 }
4524 else
4525 {
4526 if (TLS_CLIENT)
4527 {
4528 buf_printf(&out, ",tls-client");
4529 }
4530 else if (TLS_SERVER)
4531 {
4532 buf_printf(&out, ",tls-server");
4533 }
4534 }
4535 }
4536
4537#undef TLS_CLIENT
4538#undef TLS_SERVER
4539
4540 return BSTR(&out);
4541}
4542
4543/*
4544 * Compare option strings for equality.
4545 * If the first two chars of the strings differ, it means that
4546 * we are looking at different versions of the options string,
4547 * therefore don't compare them and return true.
4548 */
4549
4550bool
4551options_cmp_equal(char *actual, const char *expected)
4552{
4553 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4554}
4555
4556void
4557options_warning(char *actual, const char *expected)
4558{
4559 options_warning_safe(actual, expected, strlen(actual) + 1);
4560}
4561
4562static const char *
4563options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
4564{
4565 struct gc_arena gc = gc_new();
4566 struct buffer b = string_alloc_buf(option_string, &gc);
4567 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4568 const char *ret;
4569
4570 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4571 ret = string_alloc(p, gc_ret);
4572 gc_free(&gc);
4573 return ret;
4574}
4575
4576static void
4577options_warning_safe_scan2(const msglvl_t msglevel, const int delim,
4578 const bool report_inconsistent, const char *p1,
4579 const struct buffer *b2_src, const char *b1_name,
4580 const char *b2_name)
4581{
4582 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4583 * OCC in a future version (because it's not useful). To reduce questions
4584 * when interoperating, we no longer printing a warning about it.
4585 */
4586 if (strprefix(p1, "key-method ") || strprefix(p1, "keydir ") || strprefix(p1, "proto ")
4587 || streq(p1, "tls-auth") || strprefix(p1, "tun-ipv6") || strprefix(p1, "cipher "))
4588 {
4589 return;
4590 }
4591
4592 if (strlen(p1) > 0)
4593 {
4594 struct gc_arena gc = gc_new();
4595 struct buffer b2 = *b2_src;
4596 const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4597 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4598
4599 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4600 {
4601 if (strlen(p2))
4602 {
4603 const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4604
4605 if (!strcmp(p1, p2))
4606 {
4607 goto done;
4608 }
4609 if (!strcmp(p1_prefix, p2_prefix))
4610 {
4611 if (report_inconsistent)
4612 {
4613 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4614 safe_print(p1_prefix, &gc), b1_name, safe_print(p1, &gc), b2_name,
4615 safe_print(p2, &gc));
4616 }
4617 goto done;
4618 }
4619 }
4620 }
4621
4622 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4623 safe_print(p1_prefix, &gc), b1_name, b2_name, b1_name, safe_print(p1, &gc));
4624
4625done:
4626 gc_free(&gc);
4627 }
4628}
4629
4630static void
4631options_warning_safe_scan1(const msglvl_t msglevel, const int delim,
4632 const bool report_inconsistent, const struct buffer *b1_src,
4633 const struct buffer *b2_src, const char *b1_name, const char *b2_name)
4634{
4635 struct gc_arena gc = gc_new();
4636 struct buffer b = *b1_src;
4637 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4638
4639 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4640 {
4641 options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name,
4642 b2_name);
4643 }
4644
4645 gc_free(&gc);
4646}
4647
4648static void
4649options_warning_safe_ml(const msglvl_t msglevel, char *actual, const char *expected, size_t actual_n)
4650{
4651 struct gc_arena gc = gc_new();
4652
4653 if (actual_n > 0)
4654 {
4655 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4656 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4657 actual[actual_n - 1] = 0;
4658
4659 buf_printf(&local, "version %s", expected);
4660 buf_printf(&remote, "version %s", actual);
4661
4662 options_warning_safe_scan1(msglevel, ',', true, &local, &remote, "local", "remote");
4663
4664 options_warning_safe_scan1(msglevel, ',', false, &remote, &local, "remote", "local");
4665 }
4666
4667 gc_free(&gc);
4668}
4669
4670bool
4671options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4672{
4673 struct gc_arena gc = gc_new();
4674 bool ret = true;
4675
4676 if (actual_n > 0)
4677 {
4678 actual[actual_n - 1] = 0;
4679 if (strncmp(actual, expected, 2))
4680 {
4681 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4682 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4683 }
4684 else
4685 {
4686 ret = !strcmp(actual, expected);
4687 }
4688 }
4689 gc_free(&gc);
4690 return ret;
4691}
4692
4693void
4694options_warning_safe(char *actual, const char *expected, size_t actual_n)
4695{
4696 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4697}
4698
4699const char *
4700options_string_version(const char *s, struct gc_arena *gc)
4701{
4702 struct buffer out = alloc_buf_gc(4, gc);
4703 strncpynt((char *)BPTR(&out), s, 3);
4704 return BSTR(&out);
4705}
4706
4707char *
4708options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
4709{
4710 char *ret = NULL;
4711 const size_t opt_name_len = strlen(opt_name);
4712
4713 const char *p = options_string;
4714 while (p)
4715 {
4716 if (0 == strncmp(p, opt_name, opt_name_len) && strlen(p) > (opt_name_len + 1)
4717 && p[opt_name_len] == ' ')
4718 {
4719 /* option found, extract value */
4720 const char *start = &p[opt_name_len + 1];
4721 const char *end = strchr(p, ',');
4722 size_t val_len = end ? end - start : strlen(start);
4723 ret = gc_malloc(val_len + 1, true, gc);
4724 memcpy(ret, start, val_len);
4725 break;
4726 }
4727 p = strchr(p, ',');
4728 if (p)
4729 {
4730 p++; /* skip delimiter */
4731 }
4732 }
4733 return ret;
4734}
4735
4736/*
4737 * parse/print topology coding
4738 */
4739
4740int
4741parse_topology(const char *str, const msglvl_t msglevel)
4742{
4743 if (streq(str, "net30"))
4744 {
4745 return TOP_NET30;
4746 }
4747 else if (streq(str, "p2p"))
4748 {
4749 return TOP_P2P;
4750 }
4751 else if (streq(str, "subnet"))
4752 {
4753 return TOP_SUBNET;
4754 }
4755 else
4756 {
4757 msg(msglevel, "--topology must be net30, p2p, or subnet");
4758 return TOP_UNDEF;
4759 }
4760}
4761
4762const char *
4763print_topology(const int topology)
4764{
4765 switch (topology)
4766 {
4767 case TOP_UNDEF:
4768 return "undef";
4769
4770 case TOP_NET30:
4771 return "net30";
4772
4773 case TOP_P2P:
4774 return "p2p";
4775
4776 case TOP_SUBNET:
4777 return "subnet";
4778
4779 default:
4780 return "unknown";
4781 }
4782}
4783
4784/*
4785 * Manage auth-retry variable
4786 */
4787
4788static int global_auth_retry; /* GLOBAL */
4789
4790int
4791auth_retry_get(void)
4792{
4793 return global_auth_retry;
4794}
4795
4796bool
4797auth_retry_set(const msglvl_t msglevel, const char *option)
4798{
4799 if (streq(option, "interact"))
4800 {
4801 global_auth_retry = AR_INTERACT;
4802 }
4803 else if (streq(option, "nointeract"))
4804 {
4805 global_auth_retry = AR_NOINTERACT;
4806 }
4807 else if (streq(option, "none"))
4808 {
4809 global_auth_retry = AR_NONE;
4810 }
4811 else
4812 {
4813 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4814 return false;
4815 }
4816 return true;
4817}
4818
4819const char *
4820auth_retry_print(void)
4821{
4822 switch (global_auth_retry)
4823 {
4824 case AR_NONE:
4825 return "none";
4826
4827 case AR_NOINTERACT:
4828 return "nointeract";
4829
4830 case AR_INTERACT:
4831 return "interact";
4832
4833 default:
4834 return "???";
4835 }
4836}
4837
4838/*
4839 * Print the help message.
4840 */
4841static void
4842usage(void)
4843{
4844 FILE *fp = msg_fp(0);
4845
4846#ifdef ENABLE_SMALL
4847
4848 fprintf(fp, "Usage message not available\n");
4849
4850#else
4851
4852 struct options o;
4853 init_options(&o, true);
4854
4855 fprintf(fp, usage_message, title_string, o.ce.connect_retry_seconds,
4856 o.ce.connect_retry_seconds_max, o.ce.local_port, o.ce.remote_port, TUN_MTU_DEFAULT,
4857 TAP_MTU_EXTRA_DEFAULT, TUN_MTU_MAX_MIN, o.verbosity, o.authname, o.replay_window,
4858 o.replay_time, o.tls_timeout, o.renegotiate_seconds, o.handshake_window,
4859 o.transition_window);
4860 fflush(fp);
4861
4862#endif /* ENABLE_SMALL */
4863
4864 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4865}
4866
4867void
4868usage_small(void)
4869{
4870 msg(M_WARN | M_NOPREFIX, "Use --help for more information.");
4871 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4872}
4873
4874#ifdef _WIN32
4875void
4876show_windows_version(const unsigned int flags)
4877{
4878 struct gc_arena gc = gc_new();
4879 msg(flags, "Windows version: %s", win32_version_string(&gc));
4880 gc_free(&gc);
4881}
4882#endif
4883
4884void
4885show_dco_version(const unsigned int flags)
4886{
4887#ifdef ENABLE_DCO
4888 struct gc_arena gc = gc_new();
4889 msg(flags, "DCO version: %s", dco_version_string(&gc));
4890 gc_free(&gc);
4891#endif
4892}
4893
4894void
4895show_library_versions(const unsigned int flags)
4896{
4897#ifdef ENABLE_LZO
4898#define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4899#else
4900#define LZO_LIB_VER_STR "", ""
4901#endif
4902
4903 msg(flags, "library versions: %s%s%s", get_ssl_library_version(), LZO_LIB_VER_STR);
4904
4905#undef LZO_LIB_VER_STR
4906}
4907
4908static void
4909usage_version(void)
4910{
4911 msg(M_INFO | M_NOPREFIX, "%s", title_string);
4912 show_library_versions(M_INFO | M_NOPREFIX);
4913#ifdef _WIN32
4914 show_windows_version(M_INFO | M_NOPREFIX);
4915#endif
4916 show_dco_version(M_INFO | M_NOPREFIX);
4917 msg(M_INFO | M_NOPREFIX, "Originally developed by James Yonan");
4918 msg(M_INFO | M_NOPREFIX, "Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>");
4919#ifndef ENABLE_SMALL
4920#ifdef CONFIGURE_DEFINES
4921 msg(M_INFO | M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4922#endif
4923#ifdef CONFIGURE_SPECIAL_BUILD
4924 msg(M_INFO | M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4925#endif
4926#endif
4927 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4928}
4929
4930void
4931notnull(const char *arg, const char *description)
4932{
4933 if (!arg)
4934 {
4935 msg(M_USAGE, "You must define %s", description);
4936 }
4937}
4938
4939bool
4940string_defined_equal(const char *s1, const char *s2)
4941{
4942 if (s1 && s2)
4943 {
4944 return !strcmp(s1, s2);
4945 }
4946 else
4947 {
4948 return false;
4949 }
4950}
4951
4952#if 0
4953static void
4954ping_rec_err(msglvl_t msglevel)
4955{
4956 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4957}
4958#endif
4959
4960#ifdef _WIN32 /* This function is only used when compiling on Windows */
4961static unsigned int
4962atou(const char *str)
4963{
4964 unsigned int val = 0;
4965 sscanf(str, "%u", &val);
4966 return val;
4967}
4968#endif
4969
4970static inline bool
4971space(char c)
4972{
4973 return c == '\0' || isspace(c);
4974}
4975
4976int
4977parse_line(const char *line, char *p[], const int n, const char *file, const int line_num,
4978 msglvl_t msglevel, struct gc_arena *gc)
4979{
4980 const int STATE_INITIAL = 0;
4981 const int STATE_READING_QUOTED_PARM = 1;
4982 const int STATE_READING_UNQUOTED_PARM = 2;
4983 const int STATE_DONE = 3;
4984 const int STATE_READING_SQUOTED_PARM = 4;
4985
4986 const char *error_prefix = "";
4987
4988 int ret = 0;
4989 const char *c = line;
4990 int state = STATE_INITIAL;
4991 bool backslash = false;
4992 char in, out;
4993
4994 char parm[OPTION_PARM_SIZE];
4995 unsigned int parm_len = 0;
4996
4997 msglevel &= ~M_OPTERR;
4998
4999 if (msglevel & M_MSG_VIRT_OUT)
5000 {
5001 error_prefix = "ERROR: ";
5002 }
5003
5004 do
5005 {
5006 in = *c;
5007 out = 0;
5008
5009 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
5010 {
5011 backslash = true;
5012 }
5013 else
5014 {
5015 if (state == STATE_INITIAL)
5016 {
5017 if (!space(in))
5018 {
5019 if (in == ';' || in == '#') /* comment */
5020 {
5021 break;
5022 }
5023 if (!backslash && in == '\"')
5024 {
5025 state = STATE_READING_QUOTED_PARM;
5026 }
5027 else if (!backslash && in == '\'')
5028 {
5029 state = STATE_READING_SQUOTED_PARM;
5030 }
5031 else
5032 {
5033 out = in;
5034 state = STATE_READING_UNQUOTED_PARM;
5035 }
5036 }
5037 }
5038 else if (state == STATE_READING_UNQUOTED_PARM)
5039 {
5040 if (!backslash && space(in))
5041 {
5042 state = STATE_DONE;
5043 }
5044 else
5045 {
5046 out = in;
5047 }
5048 }
5049 else if (state == STATE_READING_QUOTED_PARM)
5050 {
5051 if (!backslash && in == '\"')
5052 {
5053 state = STATE_DONE;
5054 }
5055 else
5056 {
5057 out = in;
5058 }
5059 }
5060 else if (state == STATE_READING_SQUOTED_PARM)
5061 {
5062 if (in == '\'')
5063 {
5064 state = STATE_DONE;
5065 }
5066 else
5067 {
5068 out = in;
5069 }
5070 }
5071 if (state == STATE_DONE)
5072 {
5073 /* ASSERT (parm_len > 0); */
5074 p[ret] = gc_malloc(parm_len + 1, true, gc);
5075 memcpy(p[ret], parm, parm_len);
5076 p[ret][parm_len] = '\0';
5077 state = STATE_INITIAL;
5078 parm_len = 0;
5079 ++ret;
5080 }
5081
5082 if (backslash && out)
5083 {
5084 if (!(out == '\\' || out == '\"' || space(out)))
5085 {
5086#ifdef ENABLE_SMALL
5087 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d",
5088 error_prefix, file, line_num);
5089#else
5090 msg(msglevel,
5091 "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE
5092 "\\\\static.key\"",
5093 error_prefix, file, line_num);
5094#endif
5095 return 0;
5096 }
5097 }
5098 backslash = false;
5099 }
5100
5101 /* store parameter character */
5102 if (out)
5103 {
5104 if (parm_len >= SIZE(parm))
5105 {
5106 parm[SIZE(parm) - 1] = 0;
5107 msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5108 error_prefix, file, line_num, (int)SIZE(parm), parm);
5109 return 0;
5110 }
5111 parm[parm_len++] = out;
5112 }
5113
5114 /* avoid overflow if too many parms in one config file line */
5115 if (ret >= n)
5116 {
5117 break;
5118 }
5119
5120 } while (*c++ != '\0');
5121
5122 if (state == STATE_READING_QUOTED_PARM)
5123 {
5124 msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file,
5125 line_num);
5126 return 0;
5127 }
5128 if (state == STATE_READING_SQUOTED_PARM)
5129 {
5130 msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix,
5131 file, line_num);
5132 return 0;
5133 }
5134 if (state != STATE_INITIAL)
5135 {
5136 msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state,
5137 file, line_num);
5138 return 0;
5139 }
5140#if 0
5141 {
5142 int i;
5143 for (i = 0; i < ret; ++i)
5144 {
5145 msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
5146 }
5147 }
5148#endif
5149 return ret;
5150}
5151
5152static void
5153bypass_doubledash(char **p)
5154{
5155 if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
5156 {
5157 *p += 2;
5158 }
5159}
5160
5161struct in_src
5162{
5163#define IS_TYPE_FP 1
5164#define IS_TYPE_BUF 2
5165 int type;
5166 union
5167 {
5168 FILE *fp;
5169 struct buffer *multiline;
5170 } u;
5171};
5172
5173static bool
5174in_src_get(const struct in_src *is, char *line, const int size)
5175{
5176 if (is->type == IS_TYPE_FP)
5177 {
5178 return BOOL_CAST(fgets(line, size, is->u.fp));
5179 }
5180 else if (is->type == IS_TYPE_BUF)
5181 {
5182 bool status = buf_parse(is->u.multiline, '\n', line, size);
5183 if ((int)strlen(line) + 1 < size)
5184 {
5185 strcat(line, "\n");
5186 }
5187 return status;
5188 }
5189 else
5190 {
5191 ASSERT(0);
5192 return false;
5193 }
5194}
5195
5196static char *
5197read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
5198{
5199 char line[OPTION_LINE_SIZE];
5200 struct buffer buf = alloc_buf(8 * OPTION_LINE_SIZE);
5201 char *ret;
5202 bool endtagfound = false;
5203
5204 while (in_src_get(is, line, sizeof(line)))
5205 {
5206 (*num_lines)++;
5207 char *line_ptr = line;
5208 /* Remove leading spaces */
5209 while (isspace(*line_ptr))
5210 {
5211 line_ptr++;
5212 }
5213 if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
5214 {
5215 endtagfound = true;
5216 break;
5217 }
5218 if (!buf_safe(&buf, strlen(line) + 1))
5219 {
5220 /* Increase buffer size */
5221 struct buffer buf2 = alloc_buf(buf.capacity * 2);
5222 ASSERT(buf_copy(&buf2, &buf));
5223 buf_clear(&buf);
5224 free_buf(&buf);
5225 buf = buf2;
5226 }
5227 buf_printf(&buf, "%s", line);
5228 }
5229 if (!endtagfound)
5230 {
5231 msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
5232 }
5233 ret = string_alloc(BSTR(&buf), gc);
5234 buf_clear(&buf);
5235 free_buf(&buf);
5236 secure_memzero(line, sizeof(line));
5237 return ret;
5238}
5239
5240static int
5241check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
5242{
5243 int num_inline_lines = 0;
5244
5245 if (p[0] && !p[1])
5246 {
5247 char *arg = p[0];
5248 if (arg[0] == '<' && arg[strlen(arg) - 1] == '>')
5249 {
5250 struct buffer close_tag;
5251
5252 arg[strlen(arg) - 1] = '\0';
5253 p[0] = string_alloc(arg + 1, gc);
5254 close_tag = alloc_buf(strlen(p[0]) + 4);
5255 buf_printf(&close_tag, "</%s>", p[0]);
5256 p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
5257 p[2] = NULL;
5258 free_buf(&close_tag);
5259 }
5260 }
5261 return num_inline_lines;
5262}
5263
5264static int
5265check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
5266{
5267 struct in_src is;
5268 is.type = IS_TYPE_FP;
5269 is.u.fp = fp;
5270 return check_inline_file(&is, p, gc);
5271}
5272
5273static int
5274check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
5275{
5276 struct in_src is;
5277 is.type = IS_TYPE_BUF;
5278 is.u.multiline = multiline;
5279 return check_inline_file(&is, p, gc);
5280}
5281
5282static void add_option(struct options *options, char *p[], bool is_inline, const char *file,
5283 int line, const int level, const msglvl_t msglevel,
5284 const unsigned int permission_mask, unsigned int *option_types_found,
5285 struct env_set *es);
5286
5287static void remove_option(struct context *c, struct options *options, char *p[], bool is_inline,
5288 const char *file, int line, const msglvl_t msglevel,
5289 const unsigned int permission_mask, unsigned int *option_types_found,
5290 struct env_set *es);
5291
5292static void update_option(struct context *c, struct options *options, char *p[], bool is_inline,
5293 const char *file, int line, const int level, const msglvl_t msglevel,
5294 const unsigned int permission_mask, unsigned int *option_types_found,
5295 struct env_set *es, unsigned int *update_options_found);
5296
5297static void
5298read_config_file(struct options *options, const char *file, int level, const char *top_file,
5299 const int top_line, const msglvl_t msglevel,
5300 const unsigned int permission_mask, unsigned int *option_types_found,
5301 struct env_set *es)
5302{
5303 const int max_recursive_levels = 10;
5304 FILE *fp;
5305 int line_num;
5306 char line[OPTION_LINE_SIZE + 1];
5307 char *p[MAX_PARMS + 1];
5308
5309 ++level;
5310 if (level <= max_recursive_levels)
5311 {
5312 if (streq(file, "stdin"))
5313 {
5314 fp = stdin;
5315 }
5316 else
5317 {
5318 fp = platform_fopen(file, "r");
5319 }
5320 if (fp)
5321 {
5322 line_num = 0;
5323 while (fgets(line, sizeof(line), fp))
5324 {
5325 int offset = 0;
5326 CLEAR(p);
5327 ++line_num;
5328 if (strlen(line) == OPTION_LINE_SIZE)
5329 {
5330 msg(msglevel,
5331 "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5332 file, line_num, OPTION_LINE_SIZE, line);
5333 }
5334
5335 /* Ignore UTF-8 BOM at start of stream */
5336 if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
5337 {
5338 offset = 3;
5339 }
5340 if (parse_line(line + offset, p, SIZE(p) - 1, file, line_num, msglevel,
5341 &options->gc))
5342 {
5343 bypass_doubledash(&p[0]);
5344 int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
5345 add_option(options, p, lines_inline, file, line_num, level, msglevel,
5346 permission_mask, option_types_found, es);
5347 line_num += lines_inline;
5348 }
5349 }
5350 if (fp != stdin)
5351 {
5352 fclose(fp);
5353 }
5354 }
5355 else
5356 {
5357 msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line,
5358 file);
5359 }
5360 }
5361 else
5362 {
5363 msg(msglevel,
5364 "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.",
5365 top_file, top_line, file);
5366 }
5367 secure_memzero(line, sizeof(line));
5368 CLEAR(p);
5369}
5370
5371static void
5372read_config_string(const char *prefix, struct options *options, const char *config,
5373 const msglvl_t msglevel, const unsigned int permission_mask,
5374 unsigned int *option_types_found, struct env_set *es)
5375{
5376 char line[OPTION_LINE_SIZE];
5377 struct buffer multiline;
5378 int line_num = 0;
5379
5380 buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5381
5382 while (buf_parse(&multiline, '\n', line, sizeof(line)))
5383 {
5384 char *p[MAX_PARMS + 1];
5385 CLEAR(p);
5386 ++line_num;
5387 if (parse_line(line, p, SIZE(p) - 1, prefix, line_num, msglevel, &options->gc))
5388 {
5389 bypass_doubledash(&p[0]);
5390 int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
5391 add_option(options, p, lines_inline, prefix, line_num, 0, msglevel, permission_mask,
5392 option_types_found, es);
5393 line_num += lines_inline;
5394 }
5395 CLEAR(p);
5396 }
5397 secure_memzero(line, sizeof(line));
5398}
5399
5400void
5401parse_argv(struct options *options, const int argc, char *argv[], const msglvl_t msglevel,
5402 const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
5403{
5404 /* usage message */
5405 if (argc <= 1)
5406 {
5407 usage();
5408 }
5409
5410 /* config filename specified only? */
5411 if (argc == 2 && strncmp(argv[1], "--", 2))
5412 {
5413 char *p[MAX_PARMS + 1];
5414 CLEAR(p);
5415 p[0] = "config";
5416 p[1] = argv[1];
5417 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask, option_types_found,
5418 es);
5419 }
5420 else
5421 {
5422 /* parse command line */
5423 for (int i = 1; i < argc; ++i)
5424 {
5425 char *p[MAX_PARMS + 1];
5426 CLEAR(p);
5427 p[0] = argv[i];
5428 if (strncmp(p[0], "--", 2))
5429 {
5430 msg(msglevel,
5431 "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'",
5432 p[0]);
5433 }
5434 else
5435 {
5436 p[0] += 2;
5437 }
5438
5439 int j;
5440 for (j = 1; j < MAX_PARMS; ++j)
5441 {
5442 if (i + j < argc)
5443 {
5444 char *arg = argv[i + j];
5445 if (strncmp(arg, "--", 2))
5446 {
5447 p[j] = arg;
5448 }
5449 else
5450 {
5451 break;
5452 }
5453 }
5454 }
5455 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask, option_types_found,
5456 es);
5457 i += j - 1;
5458 }
5459 }
5460}
5461
5462bool
5463apply_push_options(struct context *c, struct options *options, struct buffer *buf,
5464 unsigned int permission_mask, unsigned int *option_types_found,
5465 struct env_set *es, bool is_update)
5466{
5467 char line[OPTION_PARM_SIZE];
5468 int line_num = 0;
5469 const char *file = "[PUSH-OPTIONS]";
5470 const msglvl_t msglevel = D_PUSH_ERRORS | M_OPTERR;
5471 unsigned int update_options_found = 0;
5472
5473 while (buf_parse(buf, ',', line, sizeof(line)))
5474 {
5475 char *p[MAX_PARMS + 1];
5476 CLEAR(p);
5477 ++line_num;
5478 unsigned int push_update_option_flags = 0;
5479 int i = 0;
5480
5481 /* skip leading spaces matching the behaviour of parse_line */
5482 while (isspace(line[i]))
5483 {
5484 i++;
5485 }
5486
5487 /* If we are not in a 'PUSH_UPDATE' we just check `apply_pull_filter()`
5488 * otherwise we must call `check_push_update_option_flags()` first
5489 */
5490 if ((is_update && !check_push_update_option_flags(line, &i, &push_update_option_flags))
5491 || !apply_pull_filter(options, &line[i]))
5492 {
5493 /* In case we are in a `PUSH_UPDATE` and `check_push_update_option_flags()`
5494 * or `apply_pull_filter()` fail but the option is flagged by `PUSH_OPT_OPTIONAL`,
5495 * instead of restarting, we just ignore the option and we process the next one
5496 */
5497 if (push_update_option_flags & PUSH_OPT_OPTIONAL)
5498 {
5499 continue; /* Ignoring this option */
5500 }
5501 return false; /* Cause push/pull error and stop push processing */
5502 }
5503
5504 if (parse_line(&line[i], p, SIZE(p) - 1, file, line_num, msglevel, &options->gc))
5505 {
5506 if (!is_update)
5507 {
5508 add_option(options, p, false, file, line_num, 0, msglevel, permission_mask,
5509 option_types_found, es);
5510 }
5511 else if (push_update_option_flags & PUSH_OPT_TO_REMOVE)
5512 {
5513 remove_option(c, options, p, false, file, line_num, msglevel, permission_mask,
5514 option_types_found, es);
5515 }
5516 else
5517 {
5518 update_option(c, options, p, false, file, line_num, 0, msglevel, permission_mask,
5519 option_types_found, es, &update_options_found);
5520 }
5521 }
5522 }
5523 return true;
5524}
5525
5526void
5527options_server_import(struct options *o, const char *filename, msglvl_t msglevel,
5528 unsigned int permission_mask, unsigned int *option_types_found,
5529 struct env_set *es)
5530{
5531 msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5532 read_config_file(o, filename, 0, filename, 0, msglevel, permission_mask, option_types_found,
5533 es);
5534}
5535
5536void
5537options_string_import(struct options *options, const char *config, const msglvl_t msglevel,
5538 const unsigned int permission_mask, unsigned int *option_types_found,
5539 struct env_set *es)
5540{
5541 read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask,
5542 option_types_found, es);
5543}
5544
5545#define VERIFY_PERMISSION(mask) \
5546 { \
5547 if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, \
5548 msglevel, options, is_inline)) \
5549 { \
5550 goto err; \
5551 } \
5552 }
5553
5554static bool
5555verify_permission(const char *name, const char *file, int line, const unsigned int type,
5556 const unsigned int allowed, unsigned int *found, const msglvl_t msglevel,
5557 struct options *options, bool is_inline)
5558{
5559 if (!(type & allowed))
5560 {
5561 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5562 return false;
5563 }
5564
5565 if (is_inline && !(type & OPT_P_INLINE))
5566 {
5567 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name, file, line);
5568 return false;
5569 }
5570
5571 if (found)
5572 {
5573 *found |= type;
5574 }
5575
5576#ifndef ENABLE_SMALL
5577 /* Check if this options is allowed in connection block,
5578 * but we are currently not in a connection block
5579 * unless this is a pushed option.
5580 * Parsing a connection block uses a temporary options struct without
5581 * connection_list
5582 */
5583
5584 if ((type & OPT_P_CONNECTION) && options->connection_list && !(allowed & OPT_P_PULL_MODE))
5585 {
5586 if (file)
5587 {
5588 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name,
5589 file, line);
5590 }
5591 else
5592 {
5593 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5594 }
5595 }
5596#endif
5597 return true;
5598}
5599
5600/*
5601 * Check that an option doesn't have too
5602 * many parameters.
5603 */
5604
5605#define NM_QUOTE_HINT (1 << 0)
5606
5607static bool
5608no_more_than_n_args(const msglvl_t msglevel, char *p[], const int max, const unsigned int flags)
5609{
5610 const int len = string_array_len((const char **)p);
5611
5612 if (!len)
5613 {
5614 return false;
5615 }
5616
5617 if (len > max)
5618 {
5619 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s", p[0], max - 1,
5620 max >= 3 ? "s" : "",
5621 (flags & NM_QUOTE_HINT)
5622 ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")."
5623 : "");
5624 return false;
5625 }
5626 else
5627 {
5628 return true;
5629 }
5630}
5631
5632static inline msglvl_t
5633msglevel_forward_compatible(struct options *options, const msglvl_t msglevel)
5634{
5635 return options->forward_compatible ? M_WARN : msglevel;
5636}
5637
5638#define RESET_OPTION_ROUTES(option_ptr, field) \
5639 if (option_ptr) \
5640 { \
5641 option_ptr->field = NULL; \
5642 option_ptr->flags = 0; \
5643 }
5644
5665static void
5666remove_option(struct context *c, struct options *options, char *p[], bool is_inline,
5667 const char *file, int line, const msglvl_t msglevel,
5668 const unsigned int permission_mask, unsigned int *option_types_found,
5669 struct env_set *es)
5670{
5671 msglvl_t msglevel_fc = msglevel_forward_compatible(options, msglevel);
5672
5673 if (streq(p[0], "ifconfig") && !p[1])
5674 {
5675 VERIFY_PERMISSION(OPT_P_UP);
5676 options->ifconfig_local = NULL;
5677 options->ifconfig_remote_netmask = NULL;
5678 }
5679 else if (streq(p[0], "ifconfig-ipv6") && !p[1])
5680 {
5681 VERIFY_PERMISSION(OPT_P_UP);
5682 options->ifconfig_ipv6_local = NULL;
5683 options->ifconfig_ipv6_netbits = 0;
5684 options->ifconfig_ipv6_remote = NULL;
5685 }
5686 else if (streq(p[0], "route") && !p[1])
5687 {
5688 VERIFY_PERMISSION(OPT_P_ROUTE);
5689 if (c->c1.route_list)
5690 {
5691 delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options), es,
5692 &c->net_ctx);
5693 RESET_OPTION_ROUTES(options->routes, routes);
5694 }
5695 }
5696 else if (streq(p[0], "route-ipv6") && !p[1])
5697 {
5698 VERIFY_PERMISSION(OPT_P_ROUTE);
5699 if (c->c1.route_ipv6_list)
5700 {
5701 delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
5702 es, &c->net_ctx);
5703 RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6);
5704 }
5705 }
5706 else if (streq(p[0], "route-gateway") && !p[1])
5707 {
5708 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
5709 options->route_gateway_via_dhcp = false;
5710 options->route_default_gateway = NULL;
5711 }
5712 else if (streq(p[0], "route-metric") && !p[1])
5713 {
5714 VERIFY_PERMISSION(OPT_P_ROUTE);
5715 options->route_default_metric = 0;
5716 }
5717 else if (streq(p[0], "push-continuation") && !p[1])
5718 {
5719 VERIFY_PERMISSION(OPT_P_PULL_MODE);
5720 options->push_continuation = 0;
5721 }
5722 else if ((streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private")) && !p[1])
5723 {
5724 VERIFY_PERMISSION(OPT_P_ROUTE);
5725 if (options->routes)
5726 {
5727 options->routes->flags = 0;
5728 }
5729 if (options->routes_ipv6)
5730 {
5731 options->routes_ipv6->flags = 0;
5732 }
5733 env_set_del(es, "route_redirect_gateway_ipv4");
5734 env_set_del(es, "route_redirect_gateway_ipv6");
5735 }
5736 else if (streq(p[0], "dns") && !p[1])
5737 {
5738 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5739 gc_free(&options->dns_options.gc);
5740 CLEAR(options->dns_options);
5741 }
5742 else if (streq(p[0], "topology") && !p[1])
5743 {
5744 VERIFY_PERMISSION(OPT_P_UP);
5745 options->topology = TOP_UNDEF;
5746 helper_setdefault_topology(options);
5747 }
5748 else if (streq(p[0], "tun-mtu") && !p[1])
5749 {
5750 VERIFY_PERMISSION(OPT_P_PUSH_MTU | OPT_P_CONNECTION);
5751 options->ce.tun_mtu = TUN_MTU_DEFAULT;
5752 options->ce.tun_mtu_defined = false;
5753 options->ce.occ_mtu = 0;
5754 }
5755 else if (streq(p[0], "block-ipv6") && !p[1])
5756 {
5757 VERIFY_PERMISSION(OPT_P_ROUTE);
5758 options->block_ipv6 = false;
5759 }
5760#if defined(_WIN32) || defined(TARGET_ANDROID)
5761 else if (streq(p[0], "dhcp-option") && !p[1])
5762 {
5763 struct tuntap_options *o = &options->tuntap_options;
5764 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5765
5766 o->domain = NULL;
5767 o->netbios_scope = NULL;
5768 o->netbios_node_type = 0;
5769 o->dns6_len = 0;
5770 memset(o->dns6, 0, sizeof(o->dns6));
5771 o->dns_len = 0;
5772 memset(o->dns, 0, sizeof(o->dns));
5773 o->wins_len = 0;
5774 memset(o->wins, 0, sizeof(o->wins));
5775 o->ntp_len = 0;
5776 memset(o->ntp, 0, sizeof(o->ntp));
5777 o->nbdd_len = 0;
5778 memset(o->nbdd, 0, sizeof(o->nbdd));
5779 while (o->domain_search_list_len-- > 0)
5780 {
5781 o->domain_search_list[o->domain_search_list_len] = NULL;
5782 }
5783 o->disable_nbt = 0;
5784 o->dhcp_options = 0;
5785#if defined(TARGET_ANDROID)
5786 o->http_proxy_port = 0;
5787 o->http_proxy = NULL;
5788#endif
5789 }
5790#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
5791#ifdef _WIN32
5792 else if (streq(p[0], "block-outside-dns") && !p[1])
5793 {
5794 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5795 options->block_outside_dns = false;
5796 }
5797#else /* ifdef _WIN32 */
5798 else if (streq(p[0], "dhcp-option") && !p[1])
5799 {
5800 VERIFY_PERMISSION(OPT_P_DHCPDNS);
5801 delete_all_dhcp_fo(options, &es->list);
5802 }
5803#endif
5804 else
5805 {
5806 msglvl_t msglevel_unknown = msglevel_fc;
5807 /* Check if an option is in --ignore-unknown-option and
5808 * set warning level to non fatal */
5809 for (int i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
5810 {
5811 if (streq(p[0], options->ignore_unknown_option[i]))
5812 {
5813 msglevel_unknown = M_WARN;
5814 break;
5815 }
5816 }
5817 msg(msglevel_unknown,
5818 "Unrecognized option or missing or extra parameter(s) in %s:%d: -%s (%s)", file, line,
5819 p[0], PACKAGE_VERSION);
5820 }
5821 return;
5822err:
5823 msg(msglevel, "Error occurred trying to remove %s option", p[0]);
5824}
5825
5826
5827static bool
5828check_route_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5829{
5830 rol_check_alloc(options);
5831 if (pull_mode)
5832 {
5833 if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
5834 && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
5835 {
5836 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
5837 return false;
5838 }
5839 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
5840 {
5841 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
5842 return false;
5843 }
5844 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn)
5845 && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
5846 {
5847 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
5848 return false;
5849 }
5850 }
5851 return true;
5852}
5853
5854
5855static bool
5856check_route6_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5857{
5858 rol6_check_alloc(options);
5859 if (pull_mode)
5860 {
5861 if (!ipv6_addr_safe_hexplusbits(p[1]))
5862 {
5863 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
5864 return false;
5865 }
5866 if (p[2] && !ipv6_addr_safe(p[2]))
5867 {
5868 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
5869 return false;
5870 }
5871 /* p[3] is metric, if present */
5872 }
5873 return true;
5874}
5875
5876static bool
5877check_dns_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5878{
5879 if (streq(p[1], "search-domains") && p[2])
5880 {
5881 if (!dns_domain_list_append(&options->dns_options.search_domains, &p[2],
5882 &options->dns_options.gc))
5883 {
5884 msg(msglevel, "--dns %s contain invalid characters", p[1]);
5885 return false;
5886 }
5887 }
5888 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
5889 {
5890 long priority;
5891 if (!dns_server_priority_parse(&priority, p[2], pull_mode))
5892 {
5893 msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
5894 return false;
5895 }
5896
5897 struct dns_server *server =
5898 dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
5899
5900 if (streq(p[3], "address") && p[4])
5901 {
5902 for (int i = 4; p[i]; ++i)
5903 {
5904 if (!dns_server_addr_parse(server, p[i]))
5905 {
5906 msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'",
5907 priority, p[i]);
5908 return false;
5909 }
5910 }
5911 }
5912 else if (streq(p[3], "resolve-domains"))
5913 {
5914 if (!dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc))
5915 {
5916 msg(msglevel, "--dns server %ld: %s contain invalid characters", priority, p[3]);
5917 return false;
5918 }
5919 }
5920 else if (streq(p[3], "dnssec") && !p[5])
5921 {
5922 if (streq(p[4], "yes"))
5923 {
5924 server->dnssec = DNS_SECURITY_YES;
5925 }
5926 else if (streq(p[4], "no"))
5927 {
5928 server->dnssec = DNS_SECURITY_NO;
5929 }
5930 else if (streq(p[4], "optional"))
5931 {
5932 server->dnssec = DNS_SECURITY_OPTIONAL;
5933 }
5934 else
5935 {
5936 msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
5937 return false;
5938 }
5939 }
5940 else if (streq(p[3], "transport") && !p[5])
5941 {
5942 if (streq(p[4], "plain"))
5943 {
5944 server->transport = DNS_TRANSPORT_PLAIN;
5945 }
5946 else if (streq(p[4], "DoH"))
5947 {
5948 server->transport = DNS_TRANSPORT_HTTPS;
5949 }
5950 else if (streq(p[4], "DoT"))
5951 {
5952 server->transport = DNS_TRANSPORT_TLS;
5953 }
5954 else
5955 {
5956 msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
5957 return false;
5958 }
5959 }
5960 else if (streq(p[3], "sni") && !p[5])
5961 {
5962 if (!validate_domain(p[4]))
5963 {
5964 msg(msglevel, "--dns server %ld: %s contains invalid characters", priority, p[3]);
5965 return false;
5966 }
5967 server->sni = p[4];
5968 }
5969 else
5970 {
5971 msg(msglevel,
5972 "--dns server %ld: unknown option type '%s' or missing or unknown parameter",
5973 priority, p[3]);
5974 return false;
5975 }
5976 }
5977 else
5978 {
5979 msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
5980 return false;
5981 }
5982 return true;
5983}
5984
6008static void
6009update_option(struct context *c, struct options *options, char *p[], bool is_inline,
6010 const char *file, int line, const int level, const msglvl_t msglevel,
6011 const unsigned int permission_mask, unsigned int *option_types_found,
6012 struct env_set *es, unsigned int *update_options_found)
6013{
6014 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
6015 ASSERT(MAX_PARMS >= 7);
6016
6017 if (streq(p[0], "route") && p[1] && !p[5])
6018 {
6019 if (!(*update_options_found & OPT_P_U_ROUTE))
6020 {
6021 VERIFY_PERMISSION(OPT_P_ROUTE);
6022 if (!check_route_option(options, p, msglevel, pull_mode))
6023 {
6024 goto err;
6025 }
6026 if (c->c1.route_list)
6027 {
6028 delete_routes_v4(c->c1.route_list, c->c1.tuntap, ROUTE_OPTION_FLAGS(&c->options),
6029 es, &c->net_ctx);
6030 RESET_OPTION_ROUTES(options->routes, routes);
6031 }
6032 *update_options_found |= OPT_P_U_ROUTE;
6033 }
6034 }
6035 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
6036 {
6037 if (!(*update_options_found & OPT_P_U_ROUTE6))
6038 {
6039 VERIFY_PERMISSION(OPT_P_ROUTE);
6040 if (!check_route6_option(options, p, msglevel, pull_mode))
6041 {
6042 goto err;
6043 }
6044 if (c->c1.route_ipv6_list)
6045 {
6046 delete_routes_v6(c->c1.route_ipv6_list, c->c1.tuntap,
6047 ROUTE_OPTION_FLAGS(&c->options), es, &c->net_ctx);
6048 RESET_OPTION_ROUTES(options->routes_ipv6, routes_ipv6);
6049 }
6050 *update_options_found |= OPT_P_U_ROUTE6;
6051 }
6052 }
6053 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
6054 {
6055 if (!(*update_options_found & OPT_P_U_REDIR_GATEWAY))
6056 {
6057 VERIFY_PERMISSION(OPT_P_ROUTE);
6058 if (options->routes)
6059 {
6060 options->routes->flags = 0;
6061 }
6062 if (options->routes_ipv6)
6063 {
6064 options->routes_ipv6->flags = 0;
6065 }
6066 env_set_del(es, "route_redirect_gateway_ipv4");
6067 env_set_del(es, "route_redirect_gateway_ipv6");
6068 *update_options_found |= OPT_P_U_REDIR_GATEWAY;
6069 }
6070 }
6071 else if (streq(p[0], "dns") && p[1])
6072 {
6073 if (!(*update_options_found & OPT_P_U_DNS))
6074 {
6075 VERIFY_PERMISSION(OPT_P_DHCPDNS);
6076 if (!check_dns_option(options, p, msglevel, pull_mode))
6077 {
6078 goto err;
6079 }
6080 gc_free(&options->dns_options.gc);
6081 CLEAR(options->dns_options);
6082 *update_options_found |= OPT_P_U_DNS;
6083 }
6084 }
6085#if defined(_WIN32) || defined(TARGET_ANDROID)
6086 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
6087 {
6088 if (!(*update_options_found & OPT_P_U_DHCP))
6089 {
6090 struct tuntap_options *o = &options->tuntap_options;
6091 VERIFY_PERMISSION(OPT_P_DHCPDNS);
6092
6093 o->domain = NULL;
6094 o->netbios_scope = NULL;
6095 o->netbios_node_type = 0;
6096 o->dns6_len = 0;
6097 CLEAR(o->dns6);
6098 o->dns_len = 0;
6099 CLEAR(o->dns);
6100 o->wins_len = 0;
6101 CLEAR(o->wins);
6102 o->ntp_len = 0;
6103 CLEAR(o->ntp);
6104 o->nbdd_len = 0;
6105 CLEAR(o->nbdd);
6106 while (o->domain_search_list_len-- > 0)
6107 {
6108 o->domain_search_list[o->domain_search_list_len] = NULL;
6109 }
6110 o->disable_nbt = 0;
6111 o->dhcp_options = 0;
6112
6113 CLEAR(options->dns_options.from_dhcp);
6114#if defined(TARGET_ANDROID)
6115 o->http_proxy_port = 0;
6116 o->http_proxy = NULL;
6117#endif
6118 *update_options_found |= OPT_P_U_DHCP;
6119 }
6120 }
6121#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
6122 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
6123 {
6124 if (!(*update_options_found & OPT_P_U_DHCP))
6125 {
6126 VERIFY_PERMISSION(OPT_P_DHCPDNS);
6127 delete_all_dhcp_fo(options, &es->list);
6128 *update_options_found |= OPT_P_U_DHCP;
6129 }
6130 }
6131#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
6132 add_option(options, p, is_inline, file, line, level, msglevel, permission_mask,
6133 option_types_found, es);
6134 return;
6135err:
6136 msg(msglevel, "Error occurred trying to update %s option", p[0]);
6137}
6138
6139static void
6140set_user_script(struct options *options, const char **script, const char *new_script,
6141 const char *type, bool in_chroot)
6142{
6143 if (*script)
6144 {
6145 msg(M_WARN,
6146 "Multiple --%s scripts defined. "
6147 "The previously configured script is overridden.",
6148 type);
6149 }
6150 *script = new_script;
6151 options->user_script_used = true;
6152
6153#ifndef ENABLE_SMALL
6154 {
6155 char script_name[100];
6156 snprintf(script_name, sizeof(script_name), "--%s script", type);
6157
6158 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
6159 {
6160 msg(M_USAGE, "Please correct this error.");
6161 }
6162 }
6163#endif
6164}
6165
6166static void
6167show_compression_warning(struct compress_options *info)
6168{
6169 if (comp_non_stub_enabled(info))
6170 {
6171 msg(M_WARN, "WARNING: Compression for receiving enabled. "
6172 "Compression has been used in the past to break encryption. "
6173 "Compression support is deprecated and we recommend to disable "
6174 "it completely.");
6175 }
6176}
6177
6178bool
6179key_is_external(const struct options *options)
6180{
6181 bool ret = false;
6182 ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
6183#ifdef ENABLE_PKCS11
6184 ret = ret || (options->pkcs11_providers[0] != NULL);
6185#endif
6186#ifdef ENABLE_CRYPTOAPI
6187 ret = ret || options->cryptoapi_cert;
6188#endif
6189
6190 return ret;
6191}
6192
6193static void
6194add_option(struct options *options, char *p[], bool is_inline, const char *file, int line,
6195 const int level, const msglvl_t msglevel, const unsigned int permission_mask,
6196 unsigned int *option_types_found, struct env_set *es)
6197{
6198 struct gc_arena gc = gc_new();
6199 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
6200 msglvl_t msglevel_fc = msglevel_forward_compatible(options, msglevel);
6201
6202 ASSERT(MAX_PARMS >= 7);
6203
6204 /*
6205 * If directive begins with "setenv opt" prefix, don't raise an error if
6206 * directive is unrecognized.
6207 */
6208 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
6209 {
6210 if (!p[2])
6211 {
6212 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
6213 }
6214 p += 2;
6215 msglevel_fc = M_WARN;
6216 }
6217
6218 if (!file)
6219 {
6220 file = "[CMD-LINE]";
6221 line = 1;
6222 }
6223 if (streq(p[0], "help"))
6224 {
6225 VERIFY_PERMISSION(OPT_P_GENERAL);
6226 usage();
6227 if (p[1])
6228 {
6229 msg(msglevel, "--help does not accept any parameters");
6230 goto err;
6231 }
6232 }
6233 if (streq(p[0], "version") && !p[1])
6234 {
6235 VERIFY_PERMISSION(OPT_P_GENERAL);
6236 usage_version();
6237 }
6238 else if (streq(p[0], "config") && p[1] && !p[2])
6239 {
6240 VERIFY_PERMISSION(OPT_P_CONFIG);
6241
6242 /* save first config file only in options */
6243 if (!options->config)
6244 {
6245 options->config = p[1];
6246 }
6247
6248 read_config_file(options, p[1], level, file, line, msglevel, permission_mask,
6249 option_types_found, es);
6250 }
6251#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6252 else if (streq(p[0], "show-gateway") && !p[2])
6253 {
6254 struct route_gateway_info rgi;
6255 struct route_ipv6_gateway_info rgi6;
6256 in_addr_t remote_ipv4 = 0;
6257 struct in6_addr remote_ipv6 = IN6ADDR_ANY_INIT;
6258 openvpn_net_ctx_t net_ctx;
6259 VERIFY_PERMISSION(OPT_P_GENERAL);
6260 if (p[1])
6261 {
6262 /* try parsing the argument as a v4 or v6 address - if
6263 * possible, the output will show the exact route there, and
6264 * "the default route" for the other protocol
6265 */
6266 remote_ipv4 = get_ip_addr(p[1], M_WARN, NULL);
6267 get_ipv6_addr(p[1], &remote_ipv6, NULL, M_WARN);
6268 }
6269 net_ctx_init(NULL, &net_ctx);
6270 get_default_gateway(&rgi, remote_ipv4, &net_ctx);
6271 get_default_gateway_ipv6(&rgi6, &remote_ipv6, &net_ctx);
6272 print_default_gateway(M_INFO, &rgi, &rgi6);
6273 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
6274 }
6275#endif
6276 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
6277 {
6278 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
6279 int j;
6280 bool good = true;
6281
6282 VERIFY_PERMISSION(OPT_P_ECHO);
6283
6284 for (j = 1; j < MAX_PARMS; ++j)
6285 {
6286 if (!p[j])
6287 {
6288 break;
6289 }
6290 if (j > 1)
6291 {
6292 good &= buf_printf(&string, " ");
6293 }
6294 good &= buf_printf(&string, "%s", p[j]);
6295 }
6296 if (good)
6297 {
6298 /* only message-related ECHO are logged, since other ECHOs
6299 * can potentially include security-sensitive strings */
6300 if (p[1] && strncmp(p[1], "msg", 3) == 0)
6301 {
6302 msg(M_INFO, "%s:%s", pull_mode ? "ECHO-PULL" : "ECHO", BSTR(&string));
6303 }
6304#ifdef ENABLE_MANAGEMENT
6305 if (management)
6306 {
6307 management_echo(management, BSTR(&string), pull_mode);
6308 }
6309#endif
6310 }
6311 else
6312 {
6313 msg(M_WARN, "echo/parameter option overflow");
6314 }
6315 }
6316#ifdef ENABLE_MANAGEMENT
6317 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
6318 {
6319 VERIFY_PERMISSION(OPT_P_GENERAL);
6320 if (streq(p[2], "unix"))
6321 {
6322#if UNIX_SOCK_SUPPORT
6323 options->management_flags |= MF_UNIX_SOCK;
6324#else
6325 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
6326 goto err;
6327#endif
6328 }
6329
6330 options->management_addr = p[1];
6331 options->management_port = p[2];
6332 if (p[3])
6333 {
6334 options->management_user_pass = p[3];
6335 }
6336 }
6337 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
6338 {
6339 VERIFY_PERMISSION(OPT_P_GENERAL);
6340 options->management_client_user = p[1];
6341 }
6342 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
6343 {
6344 VERIFY_PERMISSION(OPT_P_GENERAL);
6345 options->management_client_group = p[1];
6346 }
6347 else if (streq(p[0], "management-query-passwords") && !p[1])
6348 {
6349 VERIFY_PERMISSION(OPT_P_GENERAL);
6350 options->management_flags |= MF_QUERY_PASSWORDS;
6351 }
6352 else if (streq(p[0], "management-query-remote") && !p[1])
6353 {
6354 VERIFY_PERMISSION(OPT_P_GENERAL);
6355 options->management_flags |= MF_QUERY_REMOTE;
6356 }
6357 else if (streq(p[0], "management-query-proxy") && !p[1])
6358 {
6359 VERIFY_PERMISSION(OPT_P_GENERAL);
6360 options->management_flags |= MF_QUERY_PROXY;
6361 }
6362 else if (streq(p[0], "management-hold") && !p[1])
6363 {
6364 VERIFY_PERMISSION(OPT_P_GENERAL);
6365 options->management_flags |= MF_HOLD;
6366 }
6367 else if (streq(p[0], "management-signal") && !p[1])
6368 {
6369 VERIFY_PERMISSION(OPT_P_GENERAL);
6370 options->management_flags |= MF_SIGNAL;
6371 }
6372 else if (streq(p[0], "management-forget-disconnect") && !p[1])
6373 {
6374 VERIFY_PERMISSION(OPT_P_GENERAL);
6375 options->management_flags |= MF_FORGET_DISCONNECT;
6376 }
6377 else if (streq(p[0], "management-up-down") && !p[1])
6378 {
6379 VERIFY_PERMISSION(OPT_P_GENERAL);
6380 options->management_flags |= MF_UP_DOWN;
6381 }
6382 else if (streq(p[0], "management-client") && !p[1])
6383 {
6384 VERIFY_PERMISSION(OPT_P_GENERAL);
6385 options->management_flags |= MF_CONNECT_AS_CLIENT;
6386 }
6387 else if (streq(p[0], "management-external-key"))
6388 {
6389 VERIFY_PERMISSION(OPT_P_GENERAL);
6390 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
6391 {
6392 if (streq(p[j], "nopadding"))
6393 {
6394 options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
6395 }
6396 else if (streq(p[j], "pkcs1"))
6397 {
6398 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
6399 }
6400 else if (streq(p[j], "pss"))
6401 {
6402 options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
6403 }
6404 else if (streq(p[j], "digest"))
6405 {
6406 options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
6407 }
6408 else
6409 {
6410 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
6411 }
6412 }
6413 /*
6414 * When no option is present, assume that only PKCS1
6415 * padding is supported
6416 */
6417 if (!(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
6418 {
6419 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
6420 }
6421 options->management_flags |= MF_EXTERNAL_KEY;
6422 }
6423 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
6424 {
6425 VERIFY_PERMISSION(OPT_P_GENERAL);
6426 options->management_flags |= MF_EXTERNAL_CERT;
6427 options->management_certificate = p[1];
6428 }
6429 else if (streq(p[0], "management-client-auth") && !p[1])
6430 {
6431 VERIFY_PERMISSION(OPT_P_GENERAL);
6432 options->management_flags |= MF_CLIENT_AUTH;
6433 }
6434 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
6435 {
6436 VERIFY_PERMISSION(OPT_P_GENERAL);
6437 if (!atoi_constrained(p[1], &options->management_log_history_cache,
6438 p[0], 1, INT_MAX, msglevel))
6439 {
6440 goto err;
6441 }
6442 }
6443#endif /* ifdef ENABLE_MANAGEMENT */
6444#ifdef ENABLE_PLUGIN
6445 else if (streq(p[0], "plugin") && p[1])
6446 {
6447 VERIFY_PERMISSION(OPT_P_PLUGIN);
6448 if (!options->plugin_list)
6449 {
6450 options->plugin_list = plugin_option_list_new(&options->gc);
6451 }
6452 if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
6453 {
6454 msg(msglevel, "plugin add failed: %s", p[1]);
6455 goto err;
6456 }
6457 }
6458#endif
6459 else if (streq(p[0], "mode") && p[1] && !p[2])
6460 {
6461 VERIFY_PERMISSION(OPT_P_GENERAL);
6462 if (streq(p[1], "p2p"))
6463 {
6464 options->mode = MODE_POINT_TO_POINT;
6465 }
6466 else if (streq(p[1], "server"))
6467 {
6468 options->mode = MODE_SERVER;
6469 }
6470 else
6471 {
6472 msg(msglevel, "Bad --mode parameter: %s", p[1]);
6473 goto err;
6474 }
6475 }
6476 else if (streq(p[0], "dev") && p[1] && !p[2])
6477 {
6478 VERIFY_PERMISSION(OPT_P_GENERAL);
6479 options->dev = p[1];
6480 }
6481 else if (streq(p[0], "dev-type") && p[1] && !p[2])
6482 {
6483 VERIFY_PERMISSION(OPT_P_GENERAL);
6484 options->dev_type = p[1];
6485 }
6486#ifdef _WIN32
6487 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
6488 {
6489 VERIFY_PERMISSION(OPT_P_GENERAL);
6490 msg(M_WARN,
6491 "DEPRECATED OPTION: windows-driver: In OpenVPN 2.7, the default Windows driver is ovpn-dco. "
6492 "If incompatible options are used, OpenVPN will fall back to tap-windows6. Wintun support has been removed.");
6493 }
6494#endif
6495 else if (streq(p[0], "disable-dco"))
6496 {
6497 options->disable_dco = true;
6498 }
6499 else if (streq(p[0], "dev-node") && p[1] && !p[2])
6500 {
6501 VERIFY_PERMISSION(OPT_P_GENERAL);
6502 options->dev_node = p[1];
6503 }
6504 else if (streq(p[0], "lladdr") && p[1] && !p[2])
6505 {
6506 VERIFY_PERMISSION(OPT_P_UP);
6507 if (mac_addr_safe(p[1])) /* MAC address only */
6508 {
6509 options->lladdr = p[1];
6510 }
6511 else
6512 {
6513 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
6514 goto err;
6515 }
6516 }
6517 else if (streq(p[0], "topology") && p[1] && !p[2])
6518 {
6519 VERIFY_PERMISSION(OPT_P_UP);
6520 options->topology = parse_topology(p[1], msglevel);
6521 }
6522 else if (streq(p[0], "tun-ipv6") && !p[1])
6523 {
6524 if (!pull_mode)
6525 {
6526 msg(M_WARN,
6527 "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
6528 }
6529 }
6530#ifdef ENABLE_IPROUTE
6531 else if (streq(p[0], "iproute") && p[1] && !p[2])
6532 {
6533 VERIFY_PERMISSION(OPT_P_GENERAL);
6534 iproute_path = p[1];
6535 }
6536#endif
6537 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
6538 {
6539 VERIFY_PERMISSION(OPT_P_UP);
6540 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
6541 && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
6542 {
6543 options->ifconfig_local = p[1];
6544 options->ifconfig_remote_netmask = p[2];
6545 }
6546 else
6547 {
6548 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6549 goto err;
6550 }
6551 }
6552 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
6553 {
6554 unsigned int netbits;
6555
6556 VERIFY_PERMISSION(OPT_P_UP);
6557 if (get_ipv6_addr(p[1], NULL, &netbits, msglevel) && ipv6_addr_safe(p[2]))
6558 {
6559 if (netbits < 64 || netbits > 124)
6560 {
6561 msg(msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'",
6562 netbits);
6563 goto err;
6564 }
6565
6566 options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
6567 options->ifconfig_ipv6_netbits = netbits;
6568 options->ifconfig_ipv6_remote = p[2];
6569 }
6570 else
6571 {
6572 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6573 goto err;
6574 }
6575 }
6576 else if (streq(p[0], "ifconfig-noexec") && !p[1])
6577 {
6578 VERIFY_PERMISSION(OPT_P_UP);
6579 options->ifconfig_noexec = true;
6580 }
6581 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
6582 {
6583 VERIFY_PERMISSION(OPT_P_UP);
6584 options->ifconfig_nowarn = true;
6585 }
6586 else if (streq(p[0], "local") && p[1] && !p[4])
6587 {
6588 struct local_entry *e;
6589
6590 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6591
6592 e = alloc_local_entry(&options->ce, M_USAGE, &options->gc);
6593 ASSERT(e);
6594
6595 /* '*' is treated as 'ask the system to get some socket',
6596 * therefore force binding on a particular address only when
6597 * actually specified. */
6598 if (strcmp(p[1], "*") != 0)
6599 {
6600 e->local = p[1];
6601 }
6602
6603 if (p[2])
6604 {
6605 e->port = p[2];
6606 }
6607
6608 if (p[3])
6609 {
6610 e->proto = ascii2proto(p[3]);
6611 }
6612 }
6613 else if (streq(p[0], "remote-random") && !p[1])
6614 {
6615 VERIFY_PERMISSION(OPT_P_GENERAL);
6616 options->remote_random = true;
6617 }
6618 else if (streq(p[0], "connection") && p[1] && !p[3])
6619 {
6620 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
6621 if (is_inline)
6622 {
6623 struct options sub;
6624 struct connection_entry *e;
6625
6626 init_options(&sub, true);
6627 sub.ce = options->ce;
6628 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel, OPT_P_CONNECTION,
6629 option_types_found, es);
6630 if (!sub.ce.remote)
6631 {
6632 msg(msglevel,
6633 "Each 'connection' block must contain exactly one 'remote' directive");
6634 uninit_options(&sub);
6635 goto err;
6636 }
6637
6638 e = alloc_connection_entry(options, msglevel);
6639 if (!e)
6640 {
6641 uninit_options(&sub);
6642 goto err;
6643 }
6644 *e = sub.ce;
6645 gc_transfer(&options->gc, &sub.gc);
6646 uninit_options(&sub);
6647 }
6648 }
6649 else if (streq(p[0], "ignore-unknown-option") && p[1])
6650 {
6651 int i;
6652 int j;
6653 int numignored = 0;
6654 const char **ignore;
6655
6656 VERIFY_PERMISSION(OPT_P_GENERAL);
6657 /* Find out how many options to be ignored */
6658 for (i = 1; p[i]; i++)
6659 {
6660 numignored++;
6661 }
6662
6663 /* add number of options already ignored */
6664 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
6665 {
6666 numignored++;
6667 }
6668
6669 /* Allocate array */
6670 ALLOC_ARRAY_GC(ignore, const char *, numignored + 1, &options->gc);
6671 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
6672 {
6673 ignore[i] = options->ignore_unknown_option[i];
6674 }
6675
6676 options->ignore_unknown_option = ignore;
6677
6678 for (j = 1; p[j]; j++)
6679 {
6680 /* Allow the user to specify ignore-unknown-option --opt too */
6681 if (p[j][0] == '-' && p[j][1] == '-')
6682 {
6683 options->ignore_unknown_option[i] = (p[j] + 2);
6684 }
6685 else
6686 {
6687 options->ignore_unknown_option[i] = p[j];
6688 }
6689 i++;
6690 }
6691
6692 options->ignore_unknown_option[i] = NULL;
6693 }
6694#if ENABLE_MANAGEMENT
6695 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6696 {
6697 VERIFY_PERMISSION(OPT_P_GENERAL);
6698 options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], &options->gc);
6699 if (!options->http_proxy_override)
6700 {
6701 goto err;
6702 }
6703 }
6704#endif
6705 else if (streq(p[0], "remote") && p[1] && !p[4])
6706 {
6707 struct remote_entry re;
6708 re.remote = re.remote_port = NULL;
6709 re.proto = -1;
6710 re.af = 0;
6711
6712 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6713 re.remote = p[1];
6714 if (p[2])
6715 {
6716 re.remote_port = p[2];
6717 if (p[3])
6718 {
6719 const int proto = ascii2proto(p[3]);
6720 const sa_family_t af = ascii2af(p[3]);
6721 if (proto < 0)
6722 {
6723 msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
6724 goto err;
6725 }
6726 re.proto = proto;
6727 re.af = af;
6728 }
6729 }
6730 if (permission_mask & OPT_P_GENERAL)
6731 {
6732 struct remote_entry *e = alloc_remote_entry(options, msglevel);
6733 if (!e)
6734 {
6735 goto err;
6736 }
6737 *e = re;
6738 }
6739 else if (permission_mask & OPT_P_CONNECTION)
6740 {
6741 connection_entry_load_re(&options->ce, &re);
6742 }
6743 }
6744 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6745 {
6746 VERIFY_PERMISSION(OPT_P_GENERAL);
6747 if (streq(p[1], "infinite"))
6748 {
6749 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6750 }
6751 else
6752 {
6753 options->resolve_retry_seconds = positive_atoi(p[1], msglevel);
6754 }
6755 }
6756 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6757 {
6758 VERIFY_PERMISSION(OPT_P_GENERAL);
6759 options->resolve_in_advance = true;
6760 /* Note the ip-remote-hint and the argument p[1] are for
6761 * backward compatibility */
6762 if (p[1])
6763 {
6764 options->ip_remote_hint = p[1];
6765 }
6766 }
6767 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6768 {
6769 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6770 options->ce.connect_retry_seconds = positive_atoi(p[1], msglevel);
6771 /*
6772 * Limit the base value of retry wait interval to 16 bits to avoid
6773 * overflow when scaled up for exponential backoff
6774 */
6775 if (options->ce.connect_retry_seconds > 0xFFFF)
6776 {
6777 options->ce.connect_retry_seconds = 0xFFFF;
6778 msg(M_WARN, "connect retry wait interval truncated to %d",
6779 options->ce.connect_retry_seconds);
6780 }
6781
6782 if (p[2])
6783 {
6784 options->ce.connect_retry_seconds_max =
6785 max_int(positive_atoi(p[2], msglevel), options->ce.connect_retry_seconds);
6786 }
6787 }
6788 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout")) && p[1]
6789 && !p[2])
6790 {
6791 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6792 options->ce.connect_timeout = positive_atoi(p[1], msglevel);
6793 }
6794 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6795 {
6796 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6797 options->connect_retry_max = positive_atoi(p[1], msglevel);
6798 }
6799 else if (streq(p[0], "ipchange") && p[1])
6800 {
6801 VERIFY_PERMISSION(OPT_P_SCRIPT);
6802 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6803 {
6804 goto err;
6805 }
6806 set_user_script(options, &options->ipchange,
6807 string_substitute(p[1], ',', ' ', &options->gc), "ipchange", true);
6808 }
6809 else if (streq(p[0], "float") && !p[1])
6810 {
6811 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
6812 options->ce.remote_float = true;
6813 }
6814#ifdef ENABLE_DEBUG
6815 else if (streq(p[0], "gremlin") && p[1] && !p[2])
6816 {
6817 VERIFY_PERMISSION(OPT_P_GENERAL);
6818 options->gremlin = positive_atoi(p[1], msglevel);
6819 }
6820#endif
6821 else if (streq(p[0], "chroot") && p[1] && !p[2])
6822 {
6823 VERIFY_PERMISSION(OPT_P_GENERAL);
6824 options->chroot_dir = p[1];
6825 }
6826 else if (streq(p[0], "cd") && p[1] && !p[2])
6827 {
6828 VERIFY_PERMISSION(OPT_P_GENERAL);
6829 if (platform_chdir(p[1]))
6830 {
6831 msg(M_ERR, "cd to '%s' failed", p[1]);
6832 goto err;
6833 }
6834 options->cd_dir = p[1];
6835 }
6836#ifdef ENABLE_SELINUX
6837 else if (streq(p[0], "setcon") && p[1] && !p[2])
6838 {
6839 VERIFY_PERMISSION(OPT_P_GENERAL);
6840 options->selinux_context = p[1];
6841 }
6842#endif
6843 else if (streq(p[0], "writepid") && p[1] && !p[2])
6844 {
6845 VERIFY_PERMISSION(OPT_P_GENERAL);
6846 options->writepid = p[1];
6847 }
6848 else if (streq(p[0], "up") && p[1])
6849 {
6850 VERIFY_PERMISSION(OPT_P_SCRIPT);
6851 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6852 {
6853 goto err;
6854 }
6855 set_user_script(options, &options->up_script, p[1], "up", false);
6856 }
6857 else if (streq(p[0], "down") && p[1])
6858 {
6859 VERIFY_PERMISSION(OPT_P_SCRIPT);
6860 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6861 {
6862 goto err;
6863 }
6864 set_user_script(options, &options->down_script, p[1], "down", true);
6865 }
6866 else if (streq(p[0], "down-pre") && !p[1])
6867 {
6868 VERIFY_PERMISSION(OPT_P_GENERAL);
6869 options->down_pre = true;
6870 }
6871 else if (streq(p[0], "up-delay") && !p[1])
6872 {
6873 VERIFY_PERMISSION(OPT_P_GENERAL);
6874 options->up_delay = true;
6875 }
6876 else if (streq(p[0], "up-restart") && !p[1])
6877 {
6878 VERIFY_PERMISSION(OPT_P_GENERAL);
6879 options->up_restart = true;
6880 }
6881 else if (streq(p[0], "syslog") && !p[2])
6882 {
6883 VERIFY_PERMISSION(OPT_P_GENERAL);
6884 open_syslog(p[1], false);
6885 }
6886 else if (streq(p[0], "daemon") && !p[2])
6887 {
6888 bool didit = false;
6889 VERIFY_PERMISSION(OPT_P_GENERAL);
6890 if (!options->daemon)
6891 {
6892 options->daemon = didit = true;
6893 open_syslog(p[1], false);
6894 }
6895 if (p[1])
6896 {
6897 if (!didit)
6898 {
6899 msg(M_WARN,
6900 "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)",
6901 p[1]);
6902 goto err;
6903 }
6904 }
6905 }
6906 else if (streq(p[0], "log") && p[1] && !p[2])
6907 {
6908 VERIFY_PERMISSION(OPT_P_GENERAL);
6909 options->log = true;
6910 redirect_stdout_stderr(p[1], false);
6911 }
6912 else if (streq(p[0], "suppress-timestamps") && !p[1])
6913 {
6914 VERIFY_PERMISSION(OPT_P_GENERAL);
6915 options->suppress_timestamps = true;
6916 set_suppress_timestamps(true);
6917 }
6918 else if (streq(p[0], "machine-readable-output") && !p[1])
6919 {
6920 VERIFY_PERMISSION(OPT_P_GENERAL);
6921 options->machine_readable_output = true;
6922 set_machine_readable_output(true);
6923 }
6924 else if (streq(p[0], "log-append") && p[1] && !p[2])
6925 {
6926 VERIFY_PERMISSION(OPT_P_GENERAL);
6927 options->log = true;
6928 redirect_stdout_stderr(p[1], true);
6929 }
6930#ifdef ENABLE_MEMSTATS
6931 else if (streq(p[0], "memstats") && p[1] && !p[2])
6932 {
6933 VERIFY_PERMISSION(OPT_P_GENERAL);
6934 options->memstats_fn = p[1];
6935 }
6936#endif
6937 else if (streq(p[0], "mlock") && !p[1])
6938 {
6939 VERIFY_PERMISSION(OPT_P_GENERAL);
6940 options->mlock = true;
6941 }
6942#if ENABLE_IP_PKTINFO
6943 else if (streq(p[0], "multihome") && !p[1])
6944 {
6945 VERIFY_PERMISSION(OPT_P_GENERAL);
6946 options->sockflags |= SF_USE_IP_PKTINFO;
6947 }
6948#endif
6949 else if (streq(p[0], "verb") && p[1] && !p[2])
6950 {
6951 VERIFY_PERMISSION(OPT_P_MESSAGES);
6952 options->verbosity = positive_atoi(p[1], msglevel);
6953 if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6954 {
6955 /* We pass this flag to the SSL library to avoid
6956 * mbed TLS always generating debug level logging */
6957 options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6958 }
6959#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6960 /* Warn when a debug verbosity is supplied when built without debug support */
6961 if (options->verbosity >= 7)
6962 {
6963 msg(M_WARN,
6964 "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6965 options->verbosity);
6966 }
6967#endif
6968 }
6969 else if (streq(p[0], "mute") && p[1] && !p[2])
6970 {
6971 VERIFY_PERMISSION(OPT_P_MESSAGES);
6972 options->mute = positive_atoi(p[1], msglevel);
6973 }
6974 else if (streq(p[0], "errors-to-stderr") && !p[1])
6975 {
6976 VERIFY_PERMISSION(OPT_P_MESSAGES);
6977 errors_to_stderr();
6978 }
6979 else if (streq(p[0], "status") && p[1] && !p[3])
6980 {
6981 VERIFY_PERMISSION(OPT_P_GENERAL);
6982 options->status_file = p[1];
6983 if (p[2])
6984 {
6985 options->status_file_update_freq = positive_atoi(p[2], msglevel);
6986 }
6987 }
6988 else if (streq(p[0], "status-version") && p[1] && !p[2])
6989 {
6990 VERIFY_PERMISSION(OPT_P_GENERAL);
6991 if (!atoi_constrained(p[1], &options->status_file_version, p[0], 1, 3, msglevel))
6992 {
6993 goto err;
6994 }
6995 }
6996 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6997 {
6998 VERIFY_PERMISSION(OPT_P_GENERAL);
6999 if (streq(p[1], "SIGHUP"))
7000 {
7001 options->remap_sigusr1 = SIGHUP;
7002 }
7003 else if (streq(p[1], "SIGTERM"))
7004 {
7005 options->remap_sigusr1 = SIGTERM;
7006 }
7007 else
7008 {
7009 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
7010 goto err;
7011 }
7012 }
7013 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
7014 {
7015 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
7016 options->ce.link_mtu = positive_atoi(p[1], msglevel);
7017 options->ce.link_mtu_defined = true;
7018 }
7019 else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
7020 {
7021 VERIFY_PERMISSION(OPT_P_PUSH_MTU | OPT_P_CONNECTION);
7022 options->ce.tun_mtu = positive_atoi(p[1], msglevel);
7023 options->ce.tun_mtu_defined = true;
7024 if (p[2])
7025 {
7026 options->ce.occ_mtu = positive_atoi(p[2], msglevel);
7027 }
7028 else
7029 {
7030 options->ce.occ_mtu = 0;
7031 }
7032 }
7033 else if (streq(p[0], "tun-mtu-max") && p[1] && !p[2])
7034 {
7035 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
7036 int max_mtu = positive_atoi(p[1], msglevel);
7037 if (max_mtu < 68 || max_mtu > 65536)
7038 {
7039 msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
7040 }
7041 else
7042 {
7043 options->ce.tun_mtu_max = max_mtu;
7044 }
7045 }
7046 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
7047 {
7048 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
7049 options->ce.tun_mtu_extra = positive_atoi(p[1], msglevel);
7050 options->ce.tun_mtu_extra_defined = true;
7051 }
7052 else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
7053 {
7054 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
7055 int maxmtu = positive_atoi(p[1], msglevel);
7056 options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
7057
7058 if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
7059 {
7060 msg(M_WARN,
7061 "Note: max-packet-size value outside of allowed "
7062 "control channel packet size (%d to %d), will use %d "
7063 "instead.",
7064 TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE, options->ce.tls_mtu);
7065 }
7066
7067 /* also set mssfix maxmtu mtu */
7068 options->ce.mssfix = maxmtu;
7069 options->ce.mssfix_default = false;
7070 options->ce.mssfix_encap = true;
7071 }
7072#ifdef ENABLE_FRAGMENT
7073 else if (streq(p[0], "mtu-dynamic"))
7074 {
7075 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
7076 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
7077 goto err;
7078 }
7079 else if (streq(p[0], "fragment") && p[1] && !p[3])
7080 {
7081 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
7082 options->ce.fragment = positive_atoi(p[1], msglevel);
7083
7084 if (options->ce.fragment < 68)
7085 {
7086 msg(msglevel, "--fragment needs to be at least 68");
7087 goto err;
7088 }
7089
7090 if (p[2] && streq(p[2], "mtu"))
7091 {
7092 options->ce.fragment_encap = true;
7093 }
7094 else if (p[2])
7095 {
7096 msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
7097 }
7098 }
7099#endif /* ifdef ENABLE_FRAGMENT */
7100 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
7101 {
7102 VERIFY_PERMISSION(OPT_P_MTU | OPT_P_CONNECTION);
7103 options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
7104 }
7105 else if (streq(p[0], "mtu-test") && !p[1])
7106 {
7107 VERIFY_PERMISSION(OPT_P_GENERAL);
7108 options->mtu_test = true;
7109 }
7110 else if (streq(p[0], "nice") && p[1] && !p[2])
7111 {
7112 VERIFY_PERMISSION(OPT_P_NICE);
7113 options->nice = atoi_warn(p[1], msglevel);
7114 }
7115 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
7116 {
7117 VERIFY_PERMISSION(OPT_P_SOCKBUF);
7118 options->rcvbuf = positive_atoi(p[1], msglevel);
7119 }
7120 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
7121 {
7122 VERIFY_PERMISSION(OPT_P_SOCKBUF);
7123 options->sndbuf = positive_atoi(p[1], msglevel);
7124 }
7125 else if (streq(p[0], "mark") && p[1] && !p[2])
7126 {
7127#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
7128 VERIFY_PERMISSION(OPT_P_GENERAL);
7129 options->mark = atoi_warn(p[1], msglevel);
7130#endif
7131 }
7132 else if (streq(p[0], "socket-flags"))
7133 {
7134 int j;
7135 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
7136 for (j = 1; j < MAX_PARMS && p[j]; ++j)
7137 {
7138 if (streq(p[j], "TCP_NODELAY"))
7139 {
7140 options->sockflags |= SF_TCP_NODELAY;
7141 }
7142 else
7143 {
7144 msg(msglevel, "unknown socket flag: %s", p[j]);
7145 }
7146 }
7147 }
7148#ifdef TARGET_LINUX
7149 else if (streq(p[0], "bind-dev") && p[1])
7150 {
7151 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
7152 options->bind_dev = p[1];
7153 }
7154#endif
7155 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
7156 {
7157 VERIFY_PERMISSION(OPT_P_GENERAL);
7158#ifdef TARGET_LINUX
7159 options->tuntap_options.txqueuelen = positive_atoi(p[1], msglevel);
7160#else
7161 msg(msglevel, "--txqueuelen not supported on this OS");
7162 goto err;
7163#endif
7164 }
7165 else if (streq(p[0], "shaper") && p[1] && !p[2])
7166 {
7167 VERIFY_PERMISSION(OPT_P_SHAPER);
7168 if (!atoi_constrained(p[1], &options->shaper, p[0], SHAPER_MIN, SHAPER_MAX, msglevel))
7169 {
7170 goto err;
7171 }
7172 }
7173 else if (streq(p[0], "port") && p[1] && !p[2])
7174 {
7175 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7176 options->ce.local_port = options->ce.remote_port = p[1];
7177 }
7178 else if (streq(p[0], "lport") && p[1] && !p[2])
7179 {
7180 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7181
7182 /* only trigger bind() if port is not 0 (or --local is used) */
7183 if (!streq(p[1], "0"))
7184 {
7185 options->ce.local_port_defined = true;
7186 }
7187 options->ce.local_port = p[1];
7188 }
7189 else if (streq(p[0], "rport") && p[1] && !p[2])
7190 {
7191 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7192 options->ce.remote_port = p[1];
7193 }
7194 else if (streq(p[0], "bind") && !p[2])
7195 {
7196 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7197 options->ce.bind_defined = true;
7198 if (p[1] && streq(p[1], "ipv6only"))
7199 {
7200 options->ce.bind_ipv6_only = true;
7201 }
7202 }
7203 else if (streq(p[0], "nobind") && !p[1])
7204 {
7205 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7206 options->ce.bind_local = false;
7207 }
7208 else if (streq(p[0], "fast-io") && !p[1])
7209 {
7210 VERIFY_PERMISSION(OPT_P_GENERAL);
7211 options->fast_io = true;
7212 }
7213 else if (streq(p[0], "inactive") && p[1] && !p[3])
7214 {
7215 VERIFY_PERMISSION(OPT_P_TIMER);
7216 options->inactivity_timeout = positive_atoi(p[1], msglevel);
7217 if (p[2])
7218 {
7219 positive_atoll(p[2], &options->inactivity_minimum_bytes, p[0], msglevel);
7220 if (options->inactivity_minimum_bytes > INT_MAX)
7221 {
7222 msg(M_WARN,
7223 "WARNING: '--inactive' with a 'bytes' value"
7224 " >2 Gbyte was silently ignored in older versions. If "
7225 " your VPN exits unexpectedly with 'Inactivity timeout'"
7226 " in %d seconds, revisit this value.",
7227 options->inactivity_timeout);
7228 }
7229 }
7230 }
7231 else if (streq(p[0], "session-timeout") && p[1] && !p[2])
7232 {
7233 VERIFY_PERMISSION(OPT_P_TIMER);
7234 options->session_timeout = positive_atoi(p[1], msglevel);
7235 }
7236 else if (streq(p[0], "proto") && p[1] && !p[2])
7237 {
7238 int proto;
7239 sa_family_t af;
7240 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7241 proto = ascii2proto(p[1]);
7242 af = ascii2af(p[1]);
7243 if (proto < 0)
7244 {
7245 msg(msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s", p[1],
7246 proto2ascii_all(&gc));
7247 goto err;
7248 }
7249 options->ce.proto = proto;
7250 options->ce.af = af;
7251 }
7252 else if (streq(p[0], "proto-force") && p[1] && !p[2])
7253 {
7254 int proto_force;
7255 VERIFY_PERMISSION(OPT_P_GENERAL);
7256 proto_force = ascii2proto(p[1]);
7257 if (proto_force < 0)
7258 {
7259 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
7260 goto err;
7261 }
7262 options->proto_force = proto_force;
7263 }
7264 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
7265 {
7266 struct http_proxy_options *ho;
7267
7268 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7269
7270 {
7271 if (!p[2])
7272 {
7273 msg(msglevel, "http-proxy port number not defined");
7274 goto err;
7275 }
7276
7277 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
7278
7279 ho->server = p[1];
7280 ho->port = p[2];
7281 }
7282
7283 if (p[3])
7284 {
7285 /* auto -- try to figure out proxy addr, port, and type automatically */
7286 /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
7287 if (streq(p[3], "auto"))
7288 {
7289 ho->auth_retry = PAR_ALL;
7290 }
7291 else if (streq(p[3], "auto-nct"))
7292 {
7293 ho->auth_retry = PAR_NCT;
7294 }
7295 else
7296 {
7297 ho->auth_method_string = "basic";
7298 ho->auth_file = p[3];
7299
7300 if (p[4])
7301 {
7302 ho->auth_method_string = p[4];
7303 }
7304 }
7305 }
7306 else
7307 {
7308 ho->auth_method_string = "none";
7309 }
7310 }
7311 else if (streq(p[0], "http-proxy-user-pass") && p[1])
7312 {
7313 struct http_proxy_options *ho;
7314 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
7315 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
7316 ho->auth_file_up = p[1];
7317 ho->inline_creds = is_inline;
7318 }
7319 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
7320 {
7321 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7322 msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
7323 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
7324 "Use connect-retry-max 1 to get a similar behavior as before.");
7325 }
7326 else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
7327 {
7328 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7329 msg(M_WARN,
7330 "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
7331 "server is established is managed with a single timeout set by connect-timeout");
7332 }
7333 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
7334 {
7335 struct http_proxy_options *ho;
7336
7337 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7338 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
7339
7340 if (streq(p[1], "VERSION") && p[2] && !p[3])
7341 {
7342 ho->http_version = p[2];
7343 }
7344 else if (streq(p[1], "AGENT") && p[2] && !p[3])
7345 {
7346 ho->user_agent = p[2];
7347 }
7348 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
7349 && p[2])
7350 {
7351 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
7352 * with either two argument or one */
7353
7354 struct http_custom_header *custom_header = NULL;
7355 int i;
7356 /* Find the first free header */
7357 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
7358 {
7359 if (!ho->custom_headers[i].name)
7360 {
7361 custom_header = &ho->custom_headers[i];
7362 break;
7363 }
7364 }
7365 if (!custom_header)
7366 {
7367 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'",
7368 MAX_CUSTOM_HTTP_HEADER, p[1]);
7369 }
7370 else
7371 {
7372 /* We will save p[2] and p[3], the proxy code will detect if
7373 * p[3] is NULL */
7374 custom_header->name = p[2];
7375 custom_header->content = p[3];
7376 }
7377 }
7378 else
7379 {
7380 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
7381 }
7382 }
7383 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
7384 {
7385 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7386
7387 if (p[2])
7388 {
7389 options->ce.socks_proxy_port = p[2];
7390 }
7391 else
7392 {
7393 options->ce.socks_proxy_port = "1080";
7394 }
7395 options->ce.socks_proxy_server = p[1];
7396 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
7397 }
7398 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
7399 {
7400 VERIFY_PERMISSION(OPT_P_GENERAL);
7401 options->keepalive_ping = atoi_warn(p[1], msglevel);
7402 options->keepalive_timeout = atoi_warn(p[2], msglevel);
7403 }
7404 else if (streq(p[0], "ping") && p[1] && !p[2])
7405 {
7406 VERIFY_PERMISSION(OPT_P_TIMER);
7407 options->ping_send_timeout = positive_atoi(p[1], msglevel);
7408 }
7409 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
7410 {
7411 VERIFY_PERMISSION(OPT_P_TIMER);
7412 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
7413 options->ping_rec_timeout_action = PING_EXIT;
7414 }
7415 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
7416 {
7417 VERIFY_PERMISSION(OPT_P_TIMER);
7418 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
7419 options->ping_rec_timeout_action = PING_RESTART;
7420 }
7421 else if (streq(p[0], "ping-timer-rem") && !p[1])
7422 {
7423 VERIFY_PERMISSION(OPT_P_TIMER);
7424 options->ping_timer_remote = true;
7425 }
7426 else if (streq(p[0], "explicit-exit-notify") && !p[2])
7427 {
7428 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_EXPLICIT_NOTIFY);
7429 if (p[1])
7430 {
7431 options->ce.explicit_exit_notification = positive_atoi(p[1], msglevel);
7432 }
7433 else
7434 {
7435 options->ce.explicit_exit_notification = 1;
7436 }
7437 }
7438 else if (streq(p[0], "persist-tun") && !p[1])
7439 {
7440 VERIFY_PERMISSION(OPT_P_PERSIST);
7441 options->persist_tun = true;
7442 }
7443 else if (streq(p[0], "persist-key") && !p[1])
7444 {
7445 VERIFY_PERMISSION(OPT_P_PERSIST);
7446 msg(M_WARN, "DEPRECATED: --persist-key option ignored. "
7447 "Keys are now always persisted across restarts. ");
7448 }
7449 else if (streq(p[0], "persist-local-ip") && !p[1])
7450 {
7451 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
7452 options->persist_local_ip = true;
7453 }
7454 else if (streq(p[0], "persist-remote-ip") && !p[1])
7455 {
7456 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
7457 options->persist_remote_ip = true;
7458 }
7459 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
7460 {
7461 VERIFY_PERMISSION(OPT_P_ROUTE);
7462 cnol_check_alloc(options);
7463 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
7464 }
7465 else if (streq(p[0], "route-table") && p[1] && !p[2])
7466 {
7467#ifndef ENABLE_SITNL
7468 msg(M_WARN, "NOTE: --route-table is supported only on Linux when SITNL is built-in");
7469#endif
7470 VERIFY_PERMISSION(OPT_P_ROUTE_TABLE);
7471 options->route_default_table_id = positive_atoi(p[1], msglevel);
7472 }
7473 else if (streq(p[0], "route") && p[1] && !p[5])
7474 {
7475 VERIFY_PERMISSION(OPT_P_ROUTE);
7476 if (!check_route_option(options, p, msglevel, pull_mode))
7477 {
7478 goto err;
7479 }
7480 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4],
7481 options->route_default_table_id);
7482 }
7483 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
7484 {
7485 VERIFY_PERMISSION(OPT_P_ROUTE);
7486 if (!check_route6_option(options, p, msglevel, pull_mode))
7487 {
7488 goto err;
7489 }
7490 add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3],
7491 options->route_default_table_id);
7492 }
7493 else if (streq(p[0], "max-routes") && !p[2])
7494 {
7495 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. "
7496 "The number of routes is unlimited as of OpenVPN 2.4. "
7497 "This option will be removed in a future version, "
7498 "please remove it from your configuration.");
7499 }
7500 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
7501 {
7502 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7503 if (streq(p[1], "dhcp"))
7504 {
7505 options->route_gateway_via_dhcp = true;
7506 }
7507 else
7508 {
7509 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn)
7510 || is_special_addr(p[1])) /* FQDN -- may be DNS name */
7511 {
7512 options->route_default_gateway = p[1];
7513 }
7514 else
7515 {
7516 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
7517 goto err;
7518 }
7519 }
7520 }
7521 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
7522 {
7523 if (ipv6_addr_safe(p[1]))
7524 {
7525 options->route_ipv6_default_gateway = p[1];
7526 }
7527 else
7528 {
7529 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
7530 goto err;
7531 }
7532 }
7533 else if (streq(p[0], "route-metric") && p[1] && !p[2])
7534 {
7535 VERIFY_PERMISSION(OPT_P_ROUTE);
7536 options->route_default_metric = positive_atoi(p[1], msglevel);
7537 }
7538 else if (streq(p[0], "route-delay") && !p[3])
7539 {
7540 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7541 options->route_delay_defined = true;
7542 if (p[1])
7543 {
7544 options->route_delay = positive_atoi(p[1], msglevel);
7545 if (p[2])
7546 {
7547 options->route_delay_window = positive_atoi(p[2], msglevel);
7548 }
7549 }
7550 else
7551 {
7552 options->route_delay = 0;
7553 }
7554 }
7555 else if (streq(p[0], "route-up") && p[1])
7556 {
7557 VERIFY_PERMISSION(OPT_P_SCRIPT);
7558 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7559 {
7560 goto err;
7561 }
7562 set_user_script(options, &options->route_script, p[1], "route-up", false);
7563 }
7564 else if (streq(p[0], "route-pre-down") && p[1])
7565 {
7566 VERIFY_PERMISSION(OPT_P_SCRIPT);
7567 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7568 {
7569 goto err;
7570 }
7571 set_user_script(options, &options->route_predown_script, p[1], "route-pre-down", true);
7572 }
7573 else if (streq(p[0], "route-noexec") && !p[1])
7574 {
7575 VERIFY_PERMISSION(OPT_P_SCRIPT);
7576 options->route_noexec = true;
7577 }
7578 else if (streq(p[0], "route-nopull") && !p[1])
7579 {
7580 VERIFY_PERMISSION(OPT_P_GENERAL);
7581 options->route_nopull = true;
7582 }
7583 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
7584 {
7585 struct pull_filter *f;
7586 VERIFY_PERMISSION(OPT_P_GENERAL)
7587 f = alloc_pull_filter(options);
7588
7589 if (strcmp("accept", p[1]) == 0)
7590 {
7591 f->type = PUF_TYPE_ACCEPT;
7592 }
7593 else if (strcmp("ignore", p[1]) == 0)
7594 {
7595 f->type = PUF_TYPE_IGNORE;
7596 }
7597 else if (strcmp("reject", p[1]) == 0)
7598 {
7599 f->type = PUF_TYPE_REJECT;
7600 }
7601 else
7602 {
7603 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
7604 goto err;
7605 }
7606 f->pattern = p[2];
7607 f->size = strlen(p[2]);
7608 }
7609 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
7610 {
7611 VERIFY_PERMISSION(OPT_P_GENERAL);
7612 options->allow_pull_fqdn = true;
7613 }
7614 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7615 {
7616 int j;
7617 VERIFY_PERMISSION(OPT_P_ROUTE);
7618 rol_check_alloc(options);
7619
7620 if (options->routes->flags & RG_ENABLE)
7621 {
7622 msg(M_WARN, "WARNING: You have specified redirect-gateway and "
7623 "redirect-private at the same time (or the same option "
7624 "multiple times). This is not well supported and may lead to "
7625 "unexpected results");
7626 }
7627
7628 options->routes->flags |= RG_ENABLE;
7629
7630 if (streq(p[0], "redirect-gateway"))
7631 {
7632 options->routes->flags |= RG_REROUTE_GW;
7633 }
7634 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7635 {
7636 if (streq(p[j], "local"))
7637 {
7638 options->routes->flags |= RG_LOCAL;
7639 }
7640 else if (streq(p[j], "autolocal"))
7641 {
7642 options->routes->flags |= RG_AUTO_LOCAL;
7643 }
7644 else if (streq(p[j], "def1"))
7645 {
7646 options->routes->flags |= RG_DEF1;
7647 }
7648 else if (streq(p[j], "bypass-dhcp"))
7649 {
7650 options->routes->flags |= RG_BYPASS_DHCP;
7651 }
7652 else if (streq(p[j], "bypass-dns"))
7653 {
7654 options->routes->flags |= RG_BYPASS_DNS;
7655 }
7656 else if (streq(p[j], "block-local"))
7657 {
7658 options->routes->flags |= RG_BLOCK_LOCAL;
7659 }
7660 else if (streq(p[j], "ipv6"))
7661 {
7662 rol6_check_alloc(options);
7663 options->routes_ipv6->flags |= RG_REROUTE_GW;
7664 }
7665 else if (streq(p[j], "!ipv4"))
7666 {
7667 options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7668 }
7669 else
7670 {
7671 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7672 goto err;
7673 }
7674 }
7675 if (options->routes->flags & RG_REROUTE_GW)
7676 {
7677 setenv_int(es, "route_redirect_gateway_ipv4",
7678 options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
7679 }
7680 if (options->routes_ipv6 && (options->routes_ipv6->flags & RG_REROUTE_GW))
7681 {
7682 setenv_int(es, "route_redirect_gateway_ipv6",
7683 options->routes->flags & RG_BLOCK_LOCAL ? 2 : 1);
7684 }
7685#ifdef _WIN32
7686 /* we need this here to handle pushed --redirect-gateway */
7687 remap_redirect_gateway_flags(options);
7688#endif
7689 }
7690 else if (streq(p[0], "block-ipv6") && !p[1])
7691 {
7692 VERIFY_PERMISSION(OPT_P_ROUTE);
7693 options->block_ipv6 = true;
7694 }
7695 else if (streq(p[0], "remote-random-hostname") && !p[1])
7696 {
7697 VERIFY_PERMISSION(OPT_P_GENERAL);
7698 options->sockflags |= SF_HOST_RANDOMIZE;
7699 }
7700 else if (streq(p[0], "setenv") && p[1] && !p[3])
7701 {
7702 VERIFY_PERMISSION(OPT_P_GENERAL);
7703 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7704 {
7705 options->sockflags |= SF_HOST_RANDOMIZE;
7706 }
7707 else if (streq(p[1], "GENERIC_CONFIG"))
7708 {
7709 msg(msglevel, "this is a generic configuration and cannot directly be used");
7710 goto err;
7711 }
7712 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7713 {
7714 options->push_peer_info = true;
7715 }
7716 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7717 {
7718 options->ce.connect_timeout = positive_atoi(p[2], msglevel);
7719 }
7720 else
7721 {
7722 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7723 {
7724 options->forward_compatible = true;
7725 msglevel_fc = msglevel_forward_compatible(options, msglevel);
7726 }
7727 setenv_str(es, p[1], p[2] ? p[2] : "");
7728 }
7729 }
7730 else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7731 {
7732 unsigned int major, minor, patch;
7733 if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7734 {
7735 msg(msglevel, "cannot parse version number for --compat-mode: %s", p[1]);
7736 goto err;
7737 }
7738
7739 options->backwards_compatible = major * 10000 + minor * 100 + patch;
7740 }
7741 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7742 {
7743 VERIFY_PERMISSION(OPT_P_SETENV);
7744 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7745 }
7746 else if (streq(p[0], "script-security") && p[1] && !p[2])
7747 {
7748 VERIFY_PERMISSION(OPT_P_GENERAL);
7749 int security;
7750 if (atoi_constrained(p[1], &security, p[0], SSEC_NONE, SSEC_PW_ENV, msglevel))
7751 {
7752 script_security_set(security);
7753 }
7754 }
7755 else if (streq(p[0], "mssfix") && !p[3])
7756 {
7757 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
7758 if (p[1])
7759 {
7760 int mssfix = positive_atoi(p[1], msglevel);
7761 /* can be 0, but otherwise it needs to be high enough so we can
7762 * substract room for headers. */
7763 if (mssfix != 0 && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
7764 {
7765 msg(msglevel, "--mssfix value '%s' is invalid", p[1]);
7766 goto err;
7767 }
7768
7769 /* value specified, assume encapsulation is not
7770 * included unless "mtu" follows later */
7771 options->ce.mssfix = mssfix;
7772 options->ce.mssfix_encap = false;
7773 options->ce.mssfix_default = false;
7774 }
7775 else
7776 {
7777 /* Set MTU to default values */
7778 options->ce.mssfix_default = true;
7779 options->ce.mssfix_encap = true;
7780 options->ce.mssfix_fixed = false;
7781 }
7782
7783 if (p[2] && streq(p[2], "mtu"))
7784 {
7785 options->ce.mssfix_encap = true;
7786 }
7787 else if (p[2] && streq(p[2], "fixed"))
7788 {
7789 options->ce.mssfix_fixed = true;
7790 }
7791 else if (p[2])
7792 {
7793 msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7794 }
7795 }
7796 else if (streq(p[0], "disable-occ") && !p[1])
7797 {
7798 VERIFY_PERMISSION(OPT_P_GENERAL);
7799 options->occ = false;
7800 }
7801 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7802 {
7803 const int lev = M_WARN;
7804 bool error = false;
7805 in_addr_t network, netmask;
7806
7807 VERIFY_PERMISSION(OPT_P_GENERAL);
7808 network = get_ip_addr(p[1], lev, &error);
7809 netmask = get_ip_addr(p[2], lev, &error);
7810 if (error || !network || !netmask)
7811 {
7812 msg(msglevel, "error parsing --server parameters");
7813 goto err;
7814 }
7815 options->server_defined = true;
7816 options->server_network = network;
7817 options->server_netmask = netmask;
7818
7819 if (p[3])
7820 {
7821 if (streq(p[3], "nopool"))
7822 {
7823 options->server_flags |= SF_NOPOOL;
7824 }
7825 else
7826 {
7827 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7828 goto err;
7829 }
7830 }
7831 }
7832 else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7833 {
7834 const int lev = M_WARN;
7835 struct in6_addr network;
7836 unsigned int netbits = 0;
7837
7838 VERIFY_PERMISSION(OPT_P_GENERAL);
7839 if (!get_ipv6_addr(p[1], &network, &netbits, lev))
7840 {
7841 msg(msglevel, "error parsing --server-ipv6 parameter");
7842 goto err;
7843 }
7844 if (netbits < 64 || netbits > 124)
7845 {
7846 msg(msglevel, "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7847 netbits);
7848
7849 goto err;
7850 }
7851 options->server_ipv6_defined = true;
7852 options->server_network_ipv6 = network;
7853 options->server_netbits_ipv6 = netbits;
7854 }
7855 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7856 {
7857 const int lev = M_WARN;
7858 bool error = false;
7859 in_addr_t ip, netmask, pool_start, pool_end;
7860
7861 VERIFY_PERMISSION(OPT_P_GENERAL);
7862 ip = get_ip_addr(p[1], lev, &error);
7863 netmask = get_ip_addr(p[2], lev, &error);
7864 pool_start = get_ip_addr(p[3], lev, &error);
7865 pool_end = get_ip_addr(p[4], lev, &error);
7866 if (error || !ip || !netmask || !pool_start || !pool_end)
7867 {
7868 msg(msglevel, "error parsing --server-bridge parameters");
7869 goto err;
7870 }
7871 options->server_bridge_defined = true;
7872 options->server_bridge_ip = ip;
7873 options->server_bridge_netmask = netmask;
7874 options->server_bridge_pool_start = pool_start;
7875 options->server_bridge_pool_end = pool_end;
7876 }
7877 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7878 {
7879 VERIFY_PERMISSION(OPT_P_GENERAL);
7880 options->server_bridge_proxy_dhcp = true;
7881 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7882 }
7883 else if (streq(p[0], "server-bridge") && !p[1])
7884 {
7885 VERIFY_PERMISSION(OPT_P_GENERAL);
7886 options->server_bridge_proxy_dhcp = true;
7887 }
7888 else if (streq(p[0], "push") && p[1] && !p[2])
7889 {
7890 VERIFY_PERMISSION(OPT_P_PUSH);
7891 push_options(options, &p[1], msglevel, &options->gc);
7892 }
7893 else if (streq(p[0], "push-reset") && !p[1])
7894 {
7895 VERIFY_PERMISSION(OPT_P_INSTANCE);
7896 push_reset(options);
7897 }
7898 else if (streq(p[0], "push-remove") && p[1] && !p[2])
7899 {
7900 VERIFY_PERMISSION(OPT_P_INSTANCE);
7901 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7902 push_remove_option(options, p[1]);
7903 }
7904 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7905 {
7906 const int lev = M_WARN;
7907 bool error = false;
7908 in_addr_t start, end, netmask = 0;
7909
7910 VERIFY_PERMISSION(OPT_P_GENERAL);
7911 start = get_ip_addr(p[1], lev, &error);
7912 end = get_ip_addr(p[2], lev, &error);
7913 if (p[3])
7914 {
7915 netmask = get_ip_addr(p[3], lev, &error);
7916 }
7917 if (error)
7918 {
7919 msg(msglevel, "error parsing --ifconfig-pool parameters");
7920 goto err;
7921 }
7922 if (!ifconfig_pool_verify_range(msglevel, start, end))
7923 {
7924 goto err;
7925 }
7926
7927 options->ifconfig_pool_defined = true;
7928 options->ifconfig_pool_start = start;
7929 options->ifconfig_pool_end = end;
7930 if (netmask)
7931 {
7932 options->ifconfig_pool_netmask = netmask;
7933 }
7934 }
7935 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7936 {
7937 VERIFY_PERMISSION(OPT_P_GENERAL);
7938 options->ifconfig_pool_persist_filename = p[1];
7939 if (p[2])
7940 {
7941 options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2], msglevel);
7942 }
7943 }
7944 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7945 {
7946 const int lev = M_WARN;
7947 struct in6_addr network;
7948 unsigned int netbits = 0;
7949
7950 VERIFY_PERMISSION(OPT_P_GENERAL);
7951 if (!get_ipv6_addr(p[1], &network, &netbits, lev))
7952 {
7953 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7954 goto err;
7955 }
7956 if (netbits < 64 || netbits > 124)
7957 {
7958 msg(msglevel,
7959 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7960 netbits);
7961 goto err;
7962 }
7963
7964 options->ifconfig_ipv6_pool_defined = true;
7965 options->ifconfig_ipv6_pool_base = network;
7966 options->ifconfig_ipv6_pool_netbits = netbits;
7967 }
7968 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7969 {
7970 int real, virtual;
7971
7972 VERIFY_PERMISSION(OPT_P_GENERAL);
7973 if (!atoi_constrained(p[1], &real, "hash-size real", 1, INT_MAX, msglevel)
7974 || !atoi_constrained(p[2], &virtual, "hash-size virtual", 1, INT_MAX, msglevel))
7975 {
7976 goto err;
7977 }
7978 options->real_hash_size = (uint32_t)real;
7979 options->virtual_hash_size = (uint32_t)virtual;
7980 }
7981 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7982 {
7983 int cf_max, cf_per;
7984
7985 VERIFY_PERMISSION(OPT_P_GENERAL);
7986 if (!atoi_constrained(p[1], &cf_max, "connect-freq n", 1, INT_MAX, msglevel)
7987 || !atoi_constrained(p[2], &cf_per, "connect-freq seconds", 1, INT_MAX, msglevel))
7988 {
7989 goto err;
7990 }
7991 options->cf_max = cf_max;
7992 options->cf_per = cf_per;
7993 }
7994 else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7995 {
7996 int cf_max, cf_per;
7997
7998 VERIFY_PERMISSION(OPT_P_GENERAL);
7999 if (!atoi_constrained(p[1], &cf_max, "connect-freq-initial n", 1, INT_MAX, msglevel)
8000 || !atoi_constrained(p[2], &cf_per, "connect-freq-initial seconds", 1, INT_MAX, msglevel))
8001 {
8002 goto err;
8003 }
8004 options->cf_initial_max = cf_max;
8005 options->cf_initial_per = cf_per;
8006 }
8007 else if (streq(p[0], "max-clients") && p[1] && !p[2])
8008 {
8009 VERIFY_PERMISSION(OPT_P_GENERAL);
8010 if (!atoi_constrained(p[1], &options->max_clients, p[0], 1, MAX_PEER_ID, msglevel))
8011 {
8012 goto err;
8013 }
8014 }
8015 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
8016 {
8017 VERIFY_PERMISSION(OPT_P_INHERIT);
8018 options->max_routes_per_client = max_int(positive_atoi(p[1], msglevel), 1);
8019 }
8020 else if (streq(p[0], "client-cert-not-required") && !p[1])
8021 {
8022 VERIFY_PERMISSION(OPT_P_GENERAL);
8023 msg(M_FATAL,
8024 "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
8025 }
8026 else if (streq(p[0], "verify-client-cert") && !p[2])
8027 {
8028 VERIFY_PERMISSION(OPT_P_GENERAL);
8029
8030 /* Reset any existing flags */
8031 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
8032 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
8033 if (p[1])
8034 {
8035 if (streq(p[1], "none"))
8036 {
8037 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
8038 }
8039 else if (streq(p[1], "optional"))
8040 {
8041 options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
8042 }
8043 else if (!streq(p[1], "require"))
8044 {
8045 msg(msglevel,
8046 "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
8047 goto err;
8048 }
8049 }
8050 }
8051 else if (streq(p[0], "username-as-common-name") && !p[1])
8052 {
8053 VERIFY_PERMISSION(OPT_P_GENERAL);
8054 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
8055 }
8056 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
8057 {
8058 VERIFY_PERMISSION(OPT_P_GENERAL);
8059 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
8060 }
8061 else if (streq(p[0], "opt-verify") && !p[1])
8062 {
8063 VERIFY_PERMISSION(OPT_P_GENERAL);
8064 msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
8065 "in OpenVPN 2.7");
8066 options->ssl_flags |= SSLF_OPT_VERIFY;
8067 }
8068 else if (streq(p[0], "auth-user-pass-verify") && p[1])
8069 {
8070 VERIFY_PERMISSION(OPT_P_SCRIPT);
8071 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
8072 {
8073 goto err;
8074 }
8075 if (p[2])
8076 {
8077 if (streq(p[2], "via-env"))
8078 {
8079 options->auth_user_pass_verify_script_via_file = false;
8080 }
8081 else if (streq(p[2], "via-file"))
8082 {
8083 options->auth_user_pass_verify_script_via_file = true;
8084 }
8085 else
8086 {
8087 msg(msglevel,
8088 "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
8089 goto err;
8090 }
8091 }
8092 else
8093 {
8094 msg(msglevel,
8095 "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
8096 goto err;
8097 }
8098 set_user_script(options, &options->auth_user_pass_verify_script, p[1],
8099 "auth-user-pass-verify", true);
8100 }
8101 else if (streq(p[0], "auth-gen-token"))
8102 {
8103 VERIFY_PERMISSION(OPT_P_GENERAL);
8104 options->auth_token_generate = true;
8105 options->auth_token_lifetime = p[1] ? positive_atoi(p[1], msglevel) : 0;
8106
8107 for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
8108 {
8109 /* the second parameter can be the renewal time */
8110 if (i == 2 && valid_integer(p[i], true))
8111 {
8112 options->auth_token_renewal = positive_atoi(p[i], msglevel);
8113 }
8114 else if (streq(p[i], "external-auth"))
8115 {
8116 options->auth_token_call_auth = true;
8117 }
8118 else
8119 {
8120 msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
8121 }
8122 }
8123 }
8124 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
8125 {
8126 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8127 options->auth_token_secret_file = p[1];
8128 options->auth_token_secret_file_inline = is_inline;
8129 }
8130 else if (streq(p[0], "client-connect") && p[1])
8131 {
8132 VERIFY_PERMISSION(OPT_P_SCRIPT);
8133 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8134 {
8135 goto err;
8136 }
8137 set_user_script(options, &options->client_connect_script, p[1], "client-connect", true);
8138 }
8139 else if (streq(p[0], "client-crresponse") && p[1])
8140 {
8141 VERIFY_PERMISSION(OPT_P_SCRIPT);
8142 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8143 {
8144 goto err;
8145 }
8146 set_user_script(options, &options->client_crresponse_script, p[1], "client-crresponse",
8147 true);
8148 }
8149 else if (streq(p[0], "client-disconnect") && p[1])
8150 {
8151 VERIFY_PERMISSION(OPT_P_SCRIPT);
8152 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8153 {
8154 goto err;
8155 }
8156 set_user_script(options, &options->client_disconnect_script, p[1], "client-disconnect",
8157 true);
8158 }
8159 else if (streq(p[0], "learn-address") && p[1])
8160 {
8161 VERIFY_PERMISSION(OPT_P_SCRIPT);
8162 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8163 {
8164 goto err;
8165 }
8166 set_user_script(options, &options->learn_address_script, p[1], "learn-address", true);
8167 }
8168 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
8169 {
8170 VERIFY_PERMISSION(OPT_P_GENERAL);
8171 options->tmp_dir = p[1];
8172 }
8173 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
8174 {
8175 VERIFY_PERMISSION(OPT_P_GENERAL);
8176 options->client_config_dir = p[1];
8177 }
8178 else if (streq(p[0], "ccd-exclusive") && !p[1])
8179 {
8180 VERIFY_PERMISSION(OPT_P_GENERAL);
8181 options->ccd_exclusive = true;
8182 }
8183 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
8184 {
8185 VERIFY_PERMISSION(OPT_P_GENERAL);
8186 atoi_constrained(p[1], &options->n_bcast_buf, p[0], 1, INT_MAX, msglevel);
8187 }
8188 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
8189 {
8190 VERIFY_PERMISSION(OPT_P_GENERAL);
8191 atoi_constrained(p[1], &options->tcp_queue_limit, p[0], 1, INT_MAX, msglevel);
8192 }
8193#if PORT_SHARE
8194 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
8195 {
8196 VERIFY_PERMISSION(OPT_P_GENERAL);
8197 options->port_share_host = p[1];
8198 options->port_share_port = p[2];
8199 options->port_share_journal_dir = p[3];
8200 }
8201#endif
8202 else if (streq(p[0], "client-to-client") && !p[1])
8203 {
8204 VERIFY_PERMISSION(OPT_P_GENERAL);
8205 options->enable_c2c = true;
8206 }
8207 else if (streq(p[0], "duplicate-cn") && !p[1])
8208 {
8209 VERIFY_PERMISSION(OPT_P_GENERAL);
8210 options->duplicate_cn = true;
8211 }
8212 else if (streq(p[0], "iroute") && p[1] && !p[3])
8213 {
8214 VERIFY_PERMISSION(OPT_P_INSTANCE);
8215 option_iroute(options, p[1], p[2], msglevel);
8216 }
8217 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
8218 {
8219 VERIFY_PERMISSION(OPT_P_INSTANCE);
8220 option_iroute_ipv6(options, p[1], msglevel);
8221 }
8222 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
8223 {
8224 in_addr_t local, remote_netmask;
8225
8226 VERIFY_PERMISSION(OPT_P_INSTANCE);
8227 local = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
8228 remote_netmask = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[2], 0, NULL, NULL);
8229 if (local && remote_netmask)
8230 {
8231 options->push_ifconfig_defined = true;
8232 options->push_ifconfig_local = local;
8233 options->push_ifconfig_remote_netmask = remote_netmask;
8234 if (p[3])
8235 {
8236 options->push_ifconfig_local_alias =
8237 getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[3], 0, NULL, NULL);
8238 }
8239 }
8240 else
8241 {
8242 msg(msglevel, "cannot parse --ifconfig-push addresses");
8243 goto err;
8244 }
8245 }
8246 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
8247 {
8248 in_addr_t network, netmask;
8249
8250 VERIFY_PERMISSION(OPT_P_GENERAL);
8251 network = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
8252 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
8253 if (network && netmask)
8254 {
8255 options->push_ifconfig_constraint_defined = true;
8256 options->push_ifconfig_constraint_network = network;
8257 options->push_ifconfig_constraint_netmask = netmask;
8258 }
8259 else
8260 {
8261 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
8262 goto err;
8263 }
8264 }
8265 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
8266 {
8267 struct in6_addr local, remote;
8268 unsigned int netbits;
8269
8270 VERIFY_PERMISSION(OPT_P_INSTANCE);
8271
8272 if (!get_ipv6_addr(p[1], &local, &netbits, msglevel))
8273 {
8274 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
8275 goto err;
8276 }
8277
8278 if (p[2])
8279 {
8280 if (!get_ipv6_addr(p[2], &remote, NULL, msglevel))
8281 {
8282 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
8283 goto err;
8284 }
8285 }
8286 else
8287 {
8288 if (!options->ifconfig_ipv6_local
8289 || !get_ipv6_addr(options->ifconfig_ipv6_local, &remote, NULL, msglevel))
8290 {
8291 msg(msglevel,
8292 "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
8293 goto err;
8294 }
8295 }
8296
8297 options->push_ifconfig_ipv6_defined = true;
8298 options->push_ifconfig_ipv6_local = local;
8299 options->push_ifconfig_ipv6_netbits = netbits;
8300 options->push_ifconfig_ipv6_remote = remote;
8301 options->push_ifconfig_ipv6_blocked = false;
8302 }
8303 else if (streq(p[0], "disable") && !p[1])
8304 {
8305 VERIFY_PERMISSION(OPT_P_INSTANCE);
8306 options->disable = true;
8307 }
8308 else if (streq(p[0], "override-username") && p[1] && !p[2])
8309 {
8310 VERIFY_PERMISSION(OPT_P_INSTANCE);
8311 if (strlen(p[1]) > USER_PASS_LEN)
8312 {
8313 msg(msglevel,
8314 "override-username exceeds the maximum length of %d "
8315 "characters",
8316 USER_PASS_LEN);
8317
8318 /* disable the connection since ignoring the request to
8319 * set another username might cause serious problems */
8320 options->disable = true;
8321 }
8322 else
8323 {
8324 options->override_username = p[1];
8325 }
8326 }
8327 else if (streq(p[0], "tcp-nodelay") && !p[1])
8328 {
8329 VERIFY_PERMISSION(OPT_P_GENERAL);
8330 options->server_flags |= SF_TCP_NODELAY_HELPER;
8331 }
8332 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
8333 {
8334 int ageing_time, check_interval;
8335
8336 VERIFY_PERMISSION(OPT_P_GENERAL);
8337 if (!atoi_constrained(p[1], &ageing_time, "stale-routes-check age", 1, INT_MAX, msglevel))
8338 {
8339 goto err;
8340 }
8341
8342 if (p[2])
8343 {
8344 if (!atoi_constrained(p[2], &check_interval,
8345 "stale-routes-check interval", 1, INT_MAX, msglevel))
8346 {
8347 goto err;
8348 }
8349 }
8350 else
8351 {
8352 check_interval = ageing_time;
8353 }
8354
8355 options->stale_routes_ageing_time = ageing_time;
8356 options->stale_routes_check_interval = check_interval;
8357 }
8358
8359 else if (streq(p[0], "client") && !p[1])
8360 {
8361 VERIFY_PERMISSION(OPT_P_GENERAL);
8362 options->client = true;
8363 }
8364 else if (streq(p[0], "pull") && !p[1])
8365 {
8366 VERIFY_PERMISSION(OPT_P_GENERAL);
8367 options->pull = true;
8368 }
8369 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
8370 {
8371 VERIFY_PERMISSION(OPT_P_PULL_MODE);
8372 atoi_constrained(p[1], &options->push_continuation, p[0], 0, 2, msglevel);
8373 }
8374 else if (streq(p[0], "auth-user-pass") && !p[2])
8375 {
8376 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8377 if (p[1])
8378 {
8379 options->auth_user_pass_file = p[1];
8380 options->auth_user_pass_file_inline = is_inline;
8381 }
8382 else
8383 {
8384 options->auth_user_pass_file = "stdin";
8385 }
8386 }
8387 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
8388 {
8389 VERIFY_PERMISSION(OPT_P_GENERAL);
8390 auth_retry_set(msglevel, p[1]);
8391 }
8392#ifdef ENABLE_MANAGEMENT
8393 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[4])
8394 {
8395 VERIFY_PERMISSION(OPT_P_GENERAL);
8396 options->sc_info.challenge_text = p[1];
8397 if (atoi_warn(p[2], msglevel))
8398 {
8399 options->sc_info.flags |= SC_ECHO;
8400 }
8401 if (p[3] && streq(p[3], "concat"))
8402 {
8403 options->sc_info.flags |= SC_CONCAT;
8404 }
8405 else if (p[3] && !streq(p[3], "scrv1"))
8406 {
8407 msg(msglevel, "--static-challenge: unknown format indicator '%s'", p[3]);
8408 goto err;
8409 }
8410 }
8411#endif
8412 else if (streq(p[0], "msg-channel") && p[1])
8413 {
8414#ifdef _WIN32
8415 VERIFY_PERMISSION(OPT_P_GENERAL);
8416 HANDLE process = GetCurrentProcess();
8417 HANDLE handle = (HANDLE)((intptr_t)atoll(p[1]));
8418 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0, FALSE,
8419 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
8420 {
8421 msg(msglevel, "could not duplicate service pipe handle");
8422 goto err;
8423 }
8424 options->route_method = ROUTE_METHOD_SERVICE;
8425#else /* ifdef _WIN32 */
8426 msg(msglevel, "--msg-channel is only supported on Windows");
8427 goto err;
8428#endif
8429 }
8430#ifdef _WIN32
8431 else if (streq(p[0], "win-sys") && p[1] && !p[2])
8432 {
8433 VERIFY_PERMISSION(OPT_P_GENERAL);
8434 if (streq(p[1], "env"))
8435 {
8436 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
8437 "This entry will now be ignored. "
8438 "Please remove this entry from your configuration file.");
8439 }
8440 else
8441 {
8442 set_win_sys_path(p[1], es);
8443 }
8444 }
8445 else if (streq(p[0], "route-method") && p[1] && !p[2])
8446 {
8447 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8448 if (streq(p[1], "adaptive"))
8449 {
8450 options->route_method = ROUTE_METHOD_ADAPTIVE;
8451 }
8452 else if (streq(p[1], "ipapi"))
8453 {
8454 options->route_method = ROUTE_METHOD_IPAPI;
8455 }
8456 else if (streq(p[1], "exe"))
8457 {
8458 options->route_method = ROUTE_METHOD_EXE;
8459 }
8460 else
8461 {
8462 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
8463 goto err;
8464 }
8465 }
8466 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
8467 {
8468 const int index = ascii2ipset(p[1]);
8469 struct tuntap_options *to = &options->tuntap_options;
8470
8471 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8472
8473 if (index < 0)
8474 {
8475 msg(msglevel, "Bad --ip-win32 method: '%s'. Allowed methods: %s", p[1],
8476 ipset2ascii_all(&gc));
8477 goto err;
8478 }
8479
8480 if (index == IPW32_SET_ADAPTIVE)
8481 {
8482 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
8483 }
8484
8485 if (index == IPW32_SET_DHCP_MASQ)
8486 {
8487 if (p[2])
8488 {
8489 if (!streq(p[2], "default"))
8490 {
8491 int offset;
8492
8493 if (!atoi_constrained(p[2], &offset, "ip-win32 offset", -256, 256, msglevel))
8494 {
8495 goto err;
8496 }
8497 to->dhcp_masq_custom_offset = true;
8498 to->dhcp_masq_offset = offset;
8499 }
8500
8501 if (p[3])
8502 {
8503 if (!atoi_constrained(p[3], &to->dhcp_lease_time,
8504 "ip-win32 lease time", 30, INT_MAX, msglevel))
8505 {
8506 goto err;
8507 }
8508 }
8509 }
8510 }
8511 to->ip_win32_type = index;
8512 to->ip_win32_defined = true;
8513 }
8514#endif /* ifdef _WIN32 */
8515 else if (streq(p[0], "dns-updown") && p[1])
8516 {
8517 VERIFY_PERMISSION(OPT_P_SCRIPT);
8518 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8519 {
8520 goto err;
8521 }
8522 struct dns_options *dns = &options->dns_options;
8523 if (streq(p[1], "disable"))
8524 {
8525 dns->updown = NULL;
8526 dns->updown_flags = DNS_UPDOWN_NO_FLAGS;
8527 }
8528 else if (streq(p[1], "force"))
8529 {
8530 /* force dns-updown run, even if a --up script is defined */
8531 if (!dns_updown_user_set(dns))
8532 {
8533 dns->updown = DEFAULT_DNS_UPDOWN;
8534 dns->updown_flags = DNS_UPDOWN_FORCED;
8535 }
8536 }
8537 else
8538 {
8539 if (streq(dns->updown, DEFAULT_DNS_UPDOWN))
8540 {
8541 /* Unset the default command to prevent warnings */
8542 dns->updown = NULL;
8543 }
8544 set_user_script(options, &dns->updown, p[1], p[0], false);
8545 dns->updown_flags = DNS_UPDOWN_USER_SET;
8546 }
8547 }
8548 else if (streq(p[0], "dns") && p[1])
8549 {
8550 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8551 if (!check_dns_option(options, p, msglevel, pull_mode))
8552 {
8553 goto err;
8554 }
8555 }
8556 else if (streq(p[0], "dhcp-option") && p[1])
8557 {
8558 struct dhcp_options *dhcp = &options->dns_options.from_dhcp;
8559#if defined(_WIN32) || defined(TARGET_ANDROID)
8560 struct tuntap_options *o = &options->tuntap_options;
8561#endif
8562 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8563
8564 bool dhcp_optional = false;
8565
8566 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX")) && p[2] && !p[3])
8567 {
8568 if (!validate_domain(p[2]))
8569 {
8570 msg(msglevel, "--dhcp-option %s contains invalid characters", p[1]);
8571 goto err;
8572 }
8573
8574 dhcp->domain = p[2];
8575 dhcp_optional = true;
8576 }
8577 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
8578 {
8579 if (!validate_domain(p[2]))
8580 {
8581 msg(msglevel, "--dhcp-option %s contains invalid characters", p[1]);
8582 goto err;
8583 }
8584
8585 if (dhcp->domain_search_list_len < N_SEARCH_LIST_LEN)
8586 {
8587 dhcp->domain_search_list[dhcp->domain_search_list_len++] = p[2];
8588 }
8589 else
8590 {
8591 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
8592 p[1], N_SEARCH_LIST_LEN);
8593 }
8594 dhcp_optional = true;
8595 }
8596 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
8597 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
8598 {
8599 if (strstr(p[2], ":"))
8600 {
8601 dhcp_option_dns6_parse(p[2], dhcp->dns6, &dhcp->dns6_len, msglevel);
8602 }
8603 else
8604 {
8605 dhcp_option_address_parse("DNS", p[2], dhcp->dns, &dhcp->dns_len, msglevel);
8606 dhcp_optional = true;
8607 }
8608 }
8609#if defined(_WIN32) || defined(TARGET_ANDROID)
8610 else if (streq(p[1], "NBS") && p[2] && !p[3])
8611 {
8612 o->netbios_scope = p[2];
8613 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8614 }
8615 else if (streq(p[1], "NBT") && p[2] && !p[3])
8616 {
8617 int t = atoi_warn(p[2], msglevel);
8618 if (!(t == 1 || t == 2 || t == 4 || t == 8))
8619 {
8620 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8621 goto err;
8622 }
8623 o->netbios_node_type = t;
8624 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8625 }
8626 else if (streq(p[1], "WINS") && p[2] && !p[3])
8627 {
8628 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8629 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8630 }
8631 else if (streq(p[1], "NTP") && p[2] && !p[3])
8632 {
8633 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8634 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8635 }
8636 else if (streq(p[1], "NBDD") && p[2] && !p[3])
8637 {
8638 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8639 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8640 }
8641 else if (streq(p[1], "DISABLE-NBT") && !p[2])
8642 {
8643 o->disable_nbt = 1;
8644 o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8645 }
8646#if defined(TARGET_ANDROID)
8647 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8648 {
8649 o->http_proxy_port = positive_atoi(p[3], msglevel);
8650 o->http_proxy = p[2];
8651 }
8652#endif
8653 else
8654 {
8655 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter",
8656 p[1]);
8657 goto err;
8658 }
8659#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8660 setenv_foreign_option(options, p[1], p[2], es);
8661#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8662
8663 if (dhcp_optional)
8664 {
8665#if defined(_WIN32) || defined(TARGET_ANDROID)
8666 o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8667#endif
8668 }
8669 }
8670#ifdef _WIN32
8671 else if (streq(p[0], "show-adapters") && !p[1])
8672 {
8673 VERIFY_PERMISSION(OPT_P_GENERAL);
8674 show_tap_win_adapters(M_INFO | M_NOPREFIX, M_WARN | M_NOPREFIX);
8675 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8676 }
8677 else if (streq(p[0], "show-net") && !p[1])
8678 {
8679 VERIFY_PERMISSION(OPT_P_GENERAL);
8680 show_routes(M_INFO | M_NOPREFIX);
8681 show_adapters(M_INFO | M_NOPREFIX);
8682 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8683 }
8684 else if (streq(p[0], "show-net-up") && !p[1])
8685 {
8686 VERIFY_PERMISSION(OPT_P_UP);
8687 options->show_net_up = true;
8688 }
8689 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8690 {
8691 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8692 if (!atoi_constrained(p[1], &options->tuntap_options.tap_sleep, p[0], 0, 255, msglevel))
8693 {
8694 goto err;
8695 }
8696 }
8697 else if (streq(p[0], "dhcp-renew") && !p[1])
8698 {
8699 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8700 options->tuntap_options.dhcp_renew = true;
8701 }
8702 else if (streq(p[0], "dhcp-pre-release") && !p[1])
8703 {
8704 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8705 options->tuntap_options.dhcp_pre_release = true;
8706 options->tuntap_options.dhcp_renew = true;
8707 }
8708 else if (streq(p[0], "dhcp-release") && !p[1])
8709 {
8710 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8711 }
8712 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8713 {
8714 unsigned int adapter_index;
8715 VERIFY_PERMISSION(OPT_P_GENERAL);
8716 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8717 adapter_index = atou(p[1]);
8718 sleep(options->tuntap_options.tap_sleep);
8719 if (options->tuntap_options.dhcp_pre_release)
8720 {
8721 dhcp_release_by_adapter_index(adapter_index);
8722 }
8723 if (options->tuntap_options.dhcp_renew)
8724 {
8725 dhcp_renew_by_adapter_index(adapter_index);
8726 }
8727 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8728 }
8729 else if (streq(p[0], "register-dns") && !p[1])
8730 {
8731 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8732 options->tuntap_options.register_dns = true;
8733 }
8734 else if (streq(p[0], "block-outside-dns") && !p[1])
8735 {
8736 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8737 options->block_outside_dns = true;
8738 }
8739 else if (streq(p[0], "rdns-internal") && !p[1])
8740 /* standalone method for internal use
8741 *
8742 * (if --register-dns is set, openvpn needs to call itself in a
8743 * sub-process to execute the required functions in a non-blocking
8744 * way, and uses --rdns-internal to signal that to itself)
8745 */
8746 {
8747 VERIFY_PERMISSION(OPT_P_GENERAL);
8748 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8749 if (options->tuntap_options.register_dns)
8750 {
8751 ipconfig_register_dns(NULL);
8752 }
8753 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8754 }
8755 else if (streq(p[0], "show-valid-subnets") && !p[1])
8756 {
8757 VERIFY_PERMISSION(OPT_P_GENERAL);
8758 show_valid_win32_tun_subnets();
8759 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8760 }
8761 else if (streq(p[0], "pause-exit") && !p[1])
8762 {
8763 VERIFY_PERMISSION(OPT_P_GENERAL);
8764 set_pause_exit_win32();
8765 }
8766 else if (streq(p[0], "service") && p[1] && !p[3])
8767 {
8768 VERIFY_PERMISSION(OPT_P_GENERAL);
8769 options->exit_event_name = p[1];
8770 if (p[2])
8771 {
8772 options->exit_event_initial_state = (atoi_warn(p[2], msglevel) != 0);
8773 }
8774 }
8775 else if (streq(p[0], "allow-nonadmin") && !p[2])
8776 {
8777 VERIFY_PERMISSION(OPT_P_GENERAL);
8778 tap_allow_nonadmin_access(p[1]);
8779 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8780 }
8781 else if (streq(p[0], "user") && p[1] && !p[2])
8782 {
8783 VERIFY_PERMISSION(OPT_P_GENERAL);
8784 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8785 }
8786 else if (streq(p[0], "group") && p[1] && !p[2])
8787 {
8788 VERIFY_PERMISSION(OPT_P_GENERAL);
8789 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8790 }
8791#else /* ifdef _WIN32 */
8792 else if (streq(p[0], "user") && p[1] && !p[2])
8793 {
8794 VERIFY_PERMISSION(OPT_P_GENERAL);
8795 options->username = p[1];
8796 }
8797 else if (streq(p[0], "group") && p[1] && !p[2])
8798 {
8799 VERIFY_PERMISSION(OPT_P_GENERAL);
8800 options->groupname = p[1];
8801 }
8802 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8803 {
8804 VERIFY_PERMISSION(OPT_P_DHCPDNS);
8805 setenv_foreign_option(options, p[1], p[2], es);
8806 }
8807 else if (streq(p[0], "route-method") && p[1] && !p[2])
8808 {
8809 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8810 /* ignore when pushed to non-Windows OS */
8811 }
8812#endif /* ifdef _WIN32 */
8813#if PASSTOS_CAPABILITY
8814 else if (streq(p[0], "passtos") && !p[1])
8815 {
8816 VERIFY_PERMISSION(OPT_P_GENERAL);
8817 options->passtos = true;
8818 }
8819#endif
8820 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8821 {
8822 VERIFY_PERMISSION(OPT_P_GENERAL);
8823
8824 if (streq(p[1], "no"))
8825 {
8826 options->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
8827 if (comp_non_stub_enabled(&options->comp))
8828 {
8829 msg(msglevel, "'--allow-compression no' conflicts with "
8830 " enabling compression");
8831 }
8832 }
8833 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8834 {
8835 /* Also printed on a push to hint at configuration problems */
8836 msg(msglevel,
8837 "Cannot set allow-compression to '%s' "
8838 "after set to 'no'",
8839 p[1]);
8840 goto err;
8841 }
8842 else if (streq(p[1], "asym"))
8843 {
8844 options->comp.flags |= COMP_F_ALLOW_ASYM;
8845 }
8846 else if (streq(p[1], "yes"))
8847 {
8848 msg(M_WARN,
8849 "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. "
8850 "We will use \"asym\" mode instead. See the manual page for more information.");
8851
8852 options->comp.flags |= COMP_F_ALLOW_ASYM;
8853 }
8854 else
8855 {
8856 msg(msglevel,
8857 "bad allow-compression option: %s -- "
8858 "must be 'yes', 'no', or 'asym'",
8859 p[1]);
8860 goto err;
8861 }
8862 }
8863 else if (streq(p[0], "comp-lzo") && !p[2])
8864 {
8865 VERIFY_PERMISSION(OPT_P_COMP);
8866
8867 /* All lzo variants do not use swap */
8868 options->comp.flags &= ~COMP_F_SWAP;
8869 options->comp.alg = COMP_ALG_LZO;
8870
8871 if (p[1])
8872 {
8873 if (streq(p[1], "no"))
8874 {
8875 options->comp.alg = COMP_ALG_STUB;
8876 }
8877 /* There is no actual difference anymore between these variants.
8878 * We never compress. On the server side we replace this with
8879 * --compress migrate later anyway.
8880 */
8881 else if (!(streq(p[1], "yes") || streq(p[1], "adaptive")))
8882 {
8883 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'",
8884 p[1]);
8885 goto err;
8886 }
8887 }
8888 show_compression_warning(&options->comp);
8889 }
8890 else if (streq(p[0], "comp-noadapt") && !p[1])
8891 {
8892 /* NO-OP since we never compress anymore */
8893 }
8894 else if (streq(p[0], "compress") && !p[2])
8895 {
8896 VERIFY_PERMISSION(OPT_P_COMP);
8897 const char *alg = "stub";
8898 if (p[1])
8899 {
8900 alg = p[1];
8901 }
8902
8903 if (streq(alg, "stub"))
8904 {
8905 options->comp.alg = COMP_ALG_STUB;
8906 options->comp.flags |= (COMP_F_SWAP | COMP_F_ADVERTISE_STUBS_ONLY);
8907 }
8908 else if (streq(alg, "stub-v2"))
8909 {
8910 options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8911 options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8912 }
8913 else if (streq(alg, "migrate"))
8914 {
8915 options->comp.alg = COMP_ALG_UNDEF;
8916 options->comp.flags = COMP_F_MIGRATE;
8917 }
8918 else if (streq(alg, "lzo"))
8919 {
8920 options->comp.alg = COMP_ALG_LZO;
8921 options->comp.flags &= ~COMP_F_SWAP;
8922 }
8923 else if (streq(alg, "lz4"))
8924 {
8925 options->comp.alg = COMP_ALG_LZ4;
8926 options->comp.flags |= COMP_F_SWAP;
8927 }
8928 else if (streq(alg, "lz4-v2"))
8929 {
8930 options->comp.alg = COMP_ALGV2_LZ4;
8931 }
8932 else
8933 {
8934 msg(msglevel, "bad comp option: %s", alg);
8935 goto err;
8936 }
8937
8938 show_compression_warning(&options->comp);
8939 }
8940 else if (streq(p[0], "show-ciphers") && !p[1])
8941 {
8942 VERIFY_PERMISSION(OPT_P_GENERAL);
8943 options->show_ciphers = true;
8944 }
8945 else if (streq(p[0], "show-digests") && !p[1])
8946 {
8947 VERIFY_PERMISSION(OPT_P_GENERAL);
8948 options->show_digests = true;
8949 }
8950 else if (streq(p[0], "show-engines") && !p[1])
8951 {
8952 VERIFY_PERMISSION(OPT_P_GENERAL);
8953 options->show_engines = true;
8954 }
8955 else if (streq(p[0], "key-direction") && p[1] && !p[2])
8956 {
8957 int key_direction;
8958
8959 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION);
8960
8961 key_direction = ascii2keydirection(msglevel, p[1]);
8962 if (key_direction >= 0)
8963 {
8964 if (permission_mask & OPT_P_GENERAL)
8965 {
8966 options->key_direction = key_direction;
8967 }
8968 else if (permission_mask & OPT_P_CONNECTION)
8969 {
8970 options->ce.key_direction = key_direction;
8971 }
8972 }
8973 else
8974 {
8975 goto err;
8976 }
8977 }
8978 else if (streq(p[0], "secret") && p[1] && !p[3])
8979 {
8980 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8981 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
8982 options->shared_secret_file = p[1];
8983 options->shared_secret_file_inline = is_inline;
8984 if (!is_inline && p[2])
8985 {
8986 int key_direction;
8987
8988 key_direction = ascii2keydirection(msglevel, p[2]);
8989 if (key_direction >= 0)
8990 {
8991 options->key_direction = key_direction;
8992 }
8993 else
8994 {
8995 goto err;
8996 }
8997 }
8998 }
8999 else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
9000 {
9001 VERIFY_PERMISSION(OPT_P_GENERAL);
9002 options->allow_deprecated_insecure_static_crypto = true;
9003 }
9004 else if (streq(p[0], "genkey") && !p[4])
9005 {
9006 VERIFY_PERMISSION(OPT_P_GENERAL);
9007 options->genkey = true;
9008 if (!p[1])
9009 {
9010 options->genkey_type = GENKEY_SECRET;
9011 }
9012 else
9013 {
9014 if (streq(p[1], "secret") || streq(p[1], "tls-auth") || streq(p[1], "tls-crypt"))
9015 {
9016 options->genkey_type = GENKEY_SECRET;
9017 }
9018 else if (streq(p[1], "tls-crypt-v2-server"))
9019 {
9020 options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
9021 }
9022 else if (streq(p[1], "tls-crypt-v2-client"))
9023 {
9024 options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
9025 if (p[3])
9026 {
9027 options->genkey_extra_data = p[3];
9028 }
9029 }
9030 else if (streq(p[1], "auth-token"))
9031 {
9032 options->genkey_type = GENKEY_AUTH_TOKEN;
9033 }
9034 else
9035 {
9036 msg(msglevel, "unknown --genkey type: %s", p[1]);
9037 }
9038 }
9039 if (p[2])
9040 {
9041 options->genkey_filename = p[2];
9042 }
9043 }
9044 else if (streq(p[0], "auth") && p[1] && !p[2])
9045 {
9046 VERIFY_PERMISSION(OPT_P_GENERAL);
9047 options->authname = p[1];
9048 }
9049 else if (streq(p[0], "cipher") && p[1] && !p[2])
9050 {
9051 VERIFY_PERMISSION(OPT_P_NCP | OPT_P_INSTANCE);
9052 options->ciphername = p[1];
9053 }
9054 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
9055 {
9056 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
9057 options->ciphername = p[1];
9058 options->enable_ncp_fallback = true;
9059 }
9060 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) && p[1] && !p[2])
9061 {
9062 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
9063 if (streq(p[0], "ncp-ciphers"))
9064 {
9065 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
9066 " '--data-ciphers' (renamed in OpenVPN 2.5).");
9067 }
9068 options->ncp_ciphers = p[1];
9069 }
9070 else if (streq(p[0], "key-derivation") && p[1])
9071 {
9072 /* NCP only option that is pushed by the server to enable EKM,
9073 * should not be used by normal users in config files*/
9074 VERIFY_PERMISSION(OPT_P_NCP)
9075 if (streq(p[1], "tls-ekm"))
9076 {
9077 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
9078 }
9079 else
9080 {
9081 msg(msglevel, "Unknown key-derivation method %s", p[1]);
9082 }
9083 }
9084 else if (streq(p[0], "protocol-flags") && p[1])
9085 {
9086 /* NCP only option that is pushed by the server to enable protocol
9087 * features that are negotiated, should not be used by normal users
9088 * in config files */
9089 VERIFY_PERMISSION(OPT_P_NCP)
9090 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
9091 {
9092 if (streq(p[j], "cc-exit"))
9093 {
9094 options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
9095 }
9096 else if (streq(p[j], "tls-ekm"))
9097 {
9098 options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
9099 }
9100 else if (streq(p[j], "dyn-tls-crypt"))
9101 {
9102 options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
9103 }
9104 else if (streq(p[j], "aead-epoch"))
9105 {
9106 options->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
9107 }
9108 else
9109 {
9110 msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
9111 }
9112 }
9113 }
9114 else if (streq(p[0], "force-tls-key-material-export"))
9115 {
9116 VERIFY_PERMISSION(OPT_P_GENERAL);
9117 options->force_key_material_export = true;
9118 }
9119 else if (streq(p[0], "prng") && p[1] && !p[3])
9120 {
9121 msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
9122 }
9123 else if (streq(p[0], "no-replay") && !p[1])
9124 {
9125 VERIFY_PERMISSION(OPT_P_GENERAL);
9126 /* always error out, this breaks the connection */
9127 msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
9128 "Update your configuration.");
9129 }
9130 else if (streq(p[0], "replay-window") && !p[3])
9131 {
9132 VERIFY_PERMISSION(OPT_P_GENERAL);
9133 if (p[1])
9134 {
9135 if (!atoi_constrained(p[1], &options->replay_window, "replay-window windows size",
9136 MIN_SEQ_BACKTRACK, MAX_SEQ_BACKTRACK, msglevel))
9137 {
9138 goto err;
9139 }
9140
9141 if (p[2])
9142 {
9143 if (!atoi_constrained(p[2], &options->replay_time, "replay-window time window",
9144 MIN_TIME_BACKTRACK, MAX_TIME_BACKTRACK, msglevel))
9145 {
9146 goto err;
9147 }
9148 }
9149 }
9150 else
9151 {
9152 msg(msglevel, "replay-window option is missing window size parameter");
9153 goto err;
9154 }
9155 }
9156 else if (streq(p[0], "mute-replay-warnings") && !p[1])
9157 {
9158 VERIFY_PERMISSION(OPT_P_GENERAL);
9159 options->mute_replay_warnings = true;
9160 }
9161 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
9162 {
9163 VERIFY_PERMISSION(OPT_P_GENERAL);
9164 options->packet_id_file = p[1];
9165 }
9166 else if (streq(p[0], "test-crypto") && !p[1])
9167 {
9168 VERIFY_PERMISSION(OPT_P_GENERAL);
9169 options->test_crypto = true;
9170 }
9171#ifndef ENABLE_CRYPTO_MBEDTLS
9172 else if (streq(p[0], "engine") && !p[2])
9173 {
9174 VERIFY_PERMISSION(OPT_P_GENERAL);
9175 if (p[1])
9176 {
9177 options->engine = p[1];
9178 }
9179 else
9180 {
9181 options->engine = "auto";
9182 }
9183 }
9184#endif /* ENABLE_CRYPTO_MBEDTLS */
9185 else if (streq(p[0], "providers") && p[1])
9186 {
9187 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
9188 {
9189 options->providers.names[j] = p[j];
9190 }
9191 }
9192#ifdef ENABLE_PREDICTION_RESISTANCE
9193 else if (streq(p[0], "use-prediction-resistance") && !p[1])
9194 {
9195 VERIFY_PERMISSION(OPT_P_GENERAL);
9196 options->use_prediction_resistance = true;
9197 }
9198#endif
9199 else if (streq(p[0], "show-tls") && !p[1])
9200 {
9201 VERIFY_PERMISSION(OPT_P_GENERAL);
9202 options->show_tls_ciphers = true;
9203 }
9204 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
9205 {
9206 VERIFY_PERMISSION(OPT_P_GENERAL);
9207 options->show_curves = true;
9208 }
9209 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
9210 {
9211 VERIFY_PERMISSION(OPT_P_GENERAL);
9212 msg(M_WARN, "Consider setting groups/curves preference with "
9213 "tls-groups instead of forcing a specific curve with "
9214 "ecdh-curve.");
9215 options->ecdh_curve = p[1];
9216 }
9217 else if (streq(p[0], "tls-server") && !p[1])
9218 {
9219 VERIFY_PERMISSION(OPT_P_GENERAL);
9220 options->tls_server = true;
9221 }
9222 else if (streq(p[0], "tls-client") && !p[1])
9223 {
9224 VERIFY_PERMISSION(OPT_P_GENERAL);
9225 options->tls_client = true;
9226 }
9227 else if (streq(p[0], "ca") && p[1] && !p[2])
9228 {
9229 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
9230 options->ca_file = p[1];
9231 options->ca_file_inline = is_inline;
9232 }
9233#ifndef ENABLE_CRYPTO_MBEDTLS
9234 else if (streq(p[0], "capath") && p[1] && !p[2])
9235 {
9236 VERIFY_PERMISSION(OPT_P_GENERAL);
9237 options->ca_path = p[1];
9238 }
9239#endif /* ENABLE_CRYPTO_MBEDTLS */
9240 else if (streq(p[0], "dh") && p[1] && !p[2])
9241 {
9242 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
9243 options->dh_file = p[1];
9244 options->dh_file_inline = is_inline;
9245 }
9246 else if (streq(p[0], "cert") && p[1] && !p[2])
9247 {
9248 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
9249 options->cert_file = p[1];
9250 options->cert_file_inline = is_inline;
9251 }
9252 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
9253 {
9254 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
9255 options->extra_certs_file = p[1];
9256 options->extra_certs_file_inline = is_inline;
9257 }
9258 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
9259 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
9260 {
9261 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
9262
9263 int verify_hash_depth = 0;
9264 if (streq(p[0], "verify-hash"))
9265 {
9266 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
9267 "You should switch to the either use the level 1 certificate as "
9268 "--ca option, use --tls-verify or use --peer-fingerprint");
9269 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
9270 verify_hash_depth = 1;
9271 }
9272
9273 options->verify_hash_algo = MD_SHA256;
9274
9275 int digest_len = SHA256_DIGEST_LENGTH;
9276
9277 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
9278 {
9279 msg(msglevel,
9280 "ERROR: Setting %s not allowed. --verify-hash and"
9281 " --peer-fingerprint are mutually exclusive",
9282 p[0]);
9283 goto err;
9284 }
9285
9286 if (streq(p[0], "verify-hash"))
9287 {
9288 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
9289 {
9290 options->verify_hash_algo = MD_SHA1;
9291 digest_len = SHA_DIGEST_LENGTH;
9292 }
9293 else if (p[2] && !streq(p[2], "SHA256"))
9294 {
9295 msg(msglevel,
9296 "invalid or unsupported hashing algorithm: %s "
9297 "(only SHA1 and SHA256 are supported)",
9298 p[2]);
9299 goto err;
9300 }
9301 }
9302
9303 struct verify_hash_list *newlist;
9304 newlist = parse_hash_fingerprint_multiline(p[1], digest_len, msglevel, &options->gc);
9305
9306 /* Append the new list to the end of our current list */
9307 if (!options->verify_hash)
9308 {
9309 options->verify_hash = newlist;
9310 options->verify_hash_depth = verify_hash_depth;
9311 }
9312 else
9313 {
9314 /* since both the old and new list can have multiple entries
9315 * we need to go to the end of one of them to concatenate them */
9316 struct verify_hash_list *listend = options->verify_hash;
9317 while (listend->next)
9318 {
9319 listend = listend->next;
9320 }
9321 listend->next = newlist;
9322 }
9323 }
9324#if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
9325 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
9326 {
9327 VERIFY_PERMISSION(OPT_P_GENERAL);
9328 options->cryptoapi_cert = p[1];
9329 }
9330#endif
9331 else if (streq(p[0], "key") && p[1] && !p[2])
9332 {
9333 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
9334 options->priv_key_file = p[1];
9335 options->priv_key_file_inline = is_inline;
9336 }
9337 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
9338 {
9339 VERIFY_PERMISSION(OPT_P_GENERAL);
9340 int ver = tls_version_parse(p[1], p[2]);
9341 if (ver == TLS_VER_BAD)
9342 {
9343 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
9344 goto err;
9345 }
9346
9347#ifdef ENABLE_CRYPTO_MBEDTLS
9348 if (ver < TLS_VER_1_2)
9349 {
9350 msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
9351 ver = TLS_VER_1_2;
9352 }
9353#endif
9354
9355 options->ssl_flags &= ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
9356 options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MIN_SHIFT);
9357 }
9358 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
9359 {
9360 VERIFY_PERMISSION(OPT_P_GENERAL);
9361 int ver = tls_version_parse(p[1], NULL);
9362 if (ver == TLS_VER_BAD)
9363 {
9364 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
9365 goto err;
9366 }
9367 options->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
9368 options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MAX_SHIFT);
9369 }
9370#ifndef ENABLE_CRYPTO_MBEDTLS
9371 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
9372 {
9373 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
9374 options->pkcs12_file = p[1];
9375 options->pkcs12_file_inline = is_inline;
9376 }
9377#endif /* ENABLE_CRYPTO_MBEDTLS */
9378 else if (streq(p[0], "askpass") && !p[2])
9379 {
9380 VERIFY_PERMISSION(OPT_P_GENERAL);
9381 if (p[1])
9382 {
9383 options->key_pass_file = p[1];
9384 }
9385 else
9386 {
9387 options->key_pass_file = "stdin";
9388 }
9389 }
9390 else if (streq(p[0], "auth-nocache") && !p[1])
9391 {
9392 VERIFY_PERMISSION(OPT_P_GENERAL);
9393 ssl_set_auth_nocache();
9394 }
9395 else if (streq(p[0], "auth-token") && p[1] && !p[2])
9396 {
9397 VERIFY_PERMISSION(OPT_P_ECHO);
9398 ssl_set_auth_token(p[1]);
9399#ifdef ENABLE_MANAGEMENT
9400 if (management)
9401 {
9402 management_auth_token(management, p[1]);
9403 }
9404#endif
9405 }
9406 else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
9407 {
9408 VERIFY_PERMISSION(OPT_P_ECHO);
9409 ssl_set_auth_token_user(p[1]);
9410 }
9411 else if (streq(p[0], "single-session") && !p[1])
9412 {
9413 VERIFY_PERMISSION(OPT_P_GENERAL);
9414 options->single_session = true;
9415 }
9416 else if (streq(p[0], "push-peer-info") && !p[1])
9417 {
9418 VERIFY_PERMISSION(OPT_P_GENERAL);
9419 options->push_peer_info = true;
9420 }
9421 else if (streq(p[0], "tls-exit") && !p[1])
9422 {
9423 VERIFY_PERMISSION(OPT_P_GENERAL);
9424 options->tls_exit = true;
9425 }
9426 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
9427 {
9428 VERIFY_PERMISSION(OPT_P_GENERAL);
9429 options->cipher_list = p[1];
9430 }
9431 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
9432 {
9433 VERIFY_PERMISSION(OPT_P_GENERAL);
9434 options->tls_cert_profile = p[1];
9435 }
9436 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
9437 {
9438 VERIFY_PERMISSION(OPT_P_GENERAL);
9439 options->cipher_list_tls13 = p[1];
9440 }
9441 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
9442 {
9443 VERIFY_PERMISSION(OPT_P_GENERAL);
9444 options->tls_groups = p[1];
9445 }
9446 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2]))
9447 {
9448 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INLINE);
9449 if (p[2] && streq(p[2], "dir"))
9450 {
9451 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
9452 }
9453 options->crl_file = p[1];
9454 options->crl_file_inline = is_inline;
9455 }
9456 else if (streq(p[0], "tls-verify") && p[1])
9457 {
9458 VERIFY_PERMISSION(OPT_P_SCRIPT);
9459 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
9460 {
9461 goto err;
9462 }
9463 set_user_script(options, &options->tls_verify,
9464 string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true);
9465 }
9466 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
9467 {
9468 VERIFY_PERMISSION(OPT_P_SCRIPT);
9469 options->tls_export_peer_cert_dir = p[1];
9470 }
9471 else if (streq(p[0], "compat-names"))
9472 {
9473 VERIFY_PERMISSION(OPT_P_GENERAL);
9474 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
9475 "Update your configuration.");
9476 goto err;
9477 }
9478 else if (streq(p[0], "no-name-remapping") && !p[1])
9479 {
9480 VERIFY_PERMISSION(OPT_P_GENERAL);
9481 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
9482 "Update your configuration.");
9483 goto err;
9484 }
9485 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
9486 {
9487 int type = VERIFY_X509_SUBJECT_DN;
9488 VERIFY_PERMISSION(OPT_P_GENERAL);
9489 if (p[2])
9490 {
9491 if (streq(p[2], "subject"))
9492 {
9493 type = VERIFY_X509_SUBJECT_DN;
9494 }
9495 else if (streq(p[2], "name"))
9496 {
9497 type = VERIFY_X509_SUBJECT_RDN;
9498 }
9499 else if (streq(p[2], "name-prefix"))
9500 {
9501 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
9502 }
9503 else
9504 {
9505 msg(msglevel, "unknown X.509 name type: %s", p[2]);
9506 goto err;
9507 }
9508 }
9509 options->verify_x509_type = type;
9510 options->verify_x509_name = p[1];
9511 }
9512 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
9513 {
9514#ifdef ENABLE_CRYPTO_MBEDTLS
9515 msg(msglevel, "--ns-cert-type is not available with mbedtls.");
9516 goto err;
9517#else
9518 VERIFY_PERMISSION(OPT_P_GENERAL);
9519 if (streq(p[1], "server"))
9520 {
9521 options->ns_cert_type = NS_CERT_CHECK_SERVER;
9522 }
9523 else if (streq(p[1], "client"))
9524 {
9525 options->ns_cert_type = NS_CERT_CHECK_CLIENT;
9526 }
9527 else
9528 {
9529 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
9530 goto err;
9531 }
9532#endif /* ENABLE_CRYPTO_MBEDTLS */
9533 }
9534 else if (streq(p[0], "remote-cert-ku"))
9535 {
9536 VERIFY_PERMISSION(OPT_P_GENERAL);
9537
9538 size_t j;
9539 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9540 {
9541 sscanf(p[j], "%x", &(options->remote_cert_ku[j - 1]));
9542 }
9543 if (j == 1)
9544 {
9545 /* No specific KU required, but require KU to be present */
9546 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9547 }
9548 }
9549 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
9550 {
9551 VERIFY_PERMISSION(OPT_P_GENERAL);
9552 options->remote_cert_eku = p[1];
9553 }
9554 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
9555 {
9556 VERIFY_PERMISSION(OPT_P_GENERAL);
9557
9558 if (streq(p[1], "server"))
9559 {
9560 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9561 options->remote_cert_eku = "TLS Web Server Authentication";
9562 }
9563 else if (streq(p[1], "client"))
9564 {
9565 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9566 options->remote_cert_eku = "TLS Web Client Authentication";
9567 }
9568 else
9569 {
9570 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
9571 goto err;
9572 }
9573 }
9574 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
9575 {
9576 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9577 options->tls_timeout = positive_atoi(p[1], msglevel);
9578 }
9579 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
9580 {
9581 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9582 if (!positive_atoll(p[1], &options->renegotiate_bytes, p[0], msglevel))
9583 {
9584 goto err;
9585 }
9586 }
9587 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
9588 {
9589 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9590 if (!positive_atoll(p[1], &options->renegotiate_packets, p[0], msglevel))
9591 {
9592 goto err;
9593 }
9594 }
9595 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
9596 {
9597 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9598 options->renegotiate_seconds = positive_atoi(p[1], msglevel);
9599 if (p[2])
9600 {
9601 options->renegotiate_seconds_min = positive_atoi(p[2], msglevel);
9602 }
9603 }
9604 else if (streq(p[0], "hand-window") && p[1] && !p[2])
9605 {
9606 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9607 options->handshake_window = positive_atoi(p[1], msglevel);
9608 }
9609 else if (streq(p[0], "tran-window") && p[1] && !p[2])
9610 {
9611 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9612 options->transition_window = positive_atoi(p[1], msglevel);
9613 }
9614 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9615 {
9616 int key_direction = -1;
9617
9618 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
9619
9620 if (permission_mask & OPT_P_GENERAL)
9621 {
9622 options->tls_auth_file = p[1];
9623 options->tls_auth_file_inline = is_inline;
9624
9625 if (!is_inline && p[2])
9626 {
9627 key_direction = ascii2keydirection(msglevel, p[2]);
9628 if (key_direction < 0)
9629 {
9630 goto err;
9631 }
9632 options->key_direction = key_direction;
9633 }
9634 }
9635 else if (permission_mask & OPT_P_CONNECTION)
9636 {
9637 options->ce.tls_auth_file = p[1];
9638 options->ce.tls_auth_file_inline = is_inline;
9639 options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
9640
9641 if (!is_inline && p[2])
9642 {
9643 key_direction = ascii2keydirection(msglevel, p[2]);
9644 if (key_direction < 0)
9645 {
9646 goto err;
9647 }
9648 options->ce.key_direction = key_direction;
9649 }
9650 }
9651 }
9652 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9653 {
9654 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
9655 if (permission_mask & OPT_P_GENERAL)
9656 {
9657 options->tls_crypt_file = p[1];
9658 options->tls_crypt_file_inline = is_inline;
9659 }
9660 else if (permission_mask & OPT_P_CONNECTION)
9661 {
9662 options->ce.tls_crypt_file = p[1];
9663 options->ce.tls_crypt_file_inline = is_inline;
9664 }
9665 }
9666 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9667 {
9668 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_CONNECTION | OPT_P_INLINE);
9669 if (permission_mask & OPT_P_GENERAL)
9670 {
9671 options->tls_crypt_v2_file = p[1];
9672 options->tls_crypt_v2_file_inline = is_inline;
9673 }
9674 else if (permission_mask & OPT_P_CONNECTION)
9675 {
9676 options->ce.tls_crypt_v2_file = p[1];
9677 options->ce.tls_crypt_v2_file_inline = is_inline;
9678 }
9679
9680 if (p[2] && streq(p[2], "force-cookie"))
9681 {
9682 options->ce.tls_crypt_v2_force_cookie = true;
9683 }
9684 else if (p[2] && streq(p[2], "allow-noncookie"))
9685 {
9686 options->ce.tls_crypt_v2_force_cookie = false;
9687 }
9688 else if (p[2])
9689 {
9690 msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9691 }
9692 }
9693 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9694 {
9695 VERIFY_PERMISSION(OPT_P_GENERAL);
9696 options->tls_crypt_v2_verify_script = p[1];
9697 }
9698 else if (streq(p[0], "x509-track") && p[1] && !p[2])
9699 {
9700 VERIFY_PERMISSION(OPT_P_GENERAL);
9701 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9702 }
9703#ifdef ENABLE_X509ALTUSERNAME
9704 else if (streq(p[0], "x509-username-field") && p[1])
9705 {
9706 VERIFY_PERMISSION(OPT_P_GENERAL);
9707 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9708 {
9709 char *s = p[j];
9710
9711 if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s + 4))
9712 {
9713 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9714 }
9715 options->x509_username_field[j - 1] = p[j];
9716 }
9717 }
9718#endif /* ENABLE_X509ALTUSERNAME */
9719#ifdef ENABLE_PKCS11
9720 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9721 {
9722 char *provider = p[1];
9723 bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0));
9724
9725#ifdef DEFAULT_PKCS11_MODULE
9726 if (!provider)
9727 {
9728 provider = DEFAULT_PKCS11_MODULE;
9729 }
9730 else if (!p[2])
9731 {
9732 char *endp = NULL;
9733 long i = strtol(provider, &endp, 10);
9734
9735 if (*endp == 0)
9736 {
9737 /* There was one argument, and it was purely numeric.
9738 * Interpret it as the cert_private argument */
9739 provider = DEFAULT_PKCS11_MODULE;
9740 cert_private = i;
9741 }
9742 }
9743#else /* ifdef DEFAULT_PKCS11_MODULE */
9744 if (!provider)
9745 {
9746 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9747 goto err;
9748 }
9749#endif /* ifdef DEFAULT_PKCS11_MODULE */
9750 VERIFY_PERMISSION(OPT_P_GENERAL);
9751
9752 set_debug_level(options->verbosity, SDL_CONSTRAIN);
9753 show_pkcs11_ids(provider, cert_private);
9754 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9755 }
9756 else if (streq(p[0], "pkcs11-providers") && p[1])
9757 {
9758 int j;
9759
9760 VERIFY_PERMISSION(OPT_P_GENERAL);
9761
9762 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9763 {
9764 options->pkcs11_providers[j - 1] = p[j];
9765 }
9766 }
9767 else if (streq(p[0], "pkcs11-protected-authentication"))
9768 {
9769 int j;
9770
9771 VERIFY_PERMISSION(OPT_P_GENERAL);
9772
9773 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9774 {
9775 options->pkcs11_protected_authentication[j - 1] =
9776 atoi_warn(p[j], msglevel) != 0 ? 1 : 0;
9777 }
9778 }
9779 else if (streq(p[0], "pkcs11-private-mode") && p[1])
9780 {
9781 int j;
9782
9783 VERIFY_PERMISSION(OPT_P_GENERAL);
9784
9785 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9786 {
9787 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j - 1]));
9788 }
9789 }
9790 else if (streq(p[0], "pkcs11-cert-private"))
9791 {
9792 int j;
9793
9794 VERIFY_PERMISSION(OPT_P_GENERAL);
9795
9796 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9797 {
9798 options->pkcs11_cert_private[j - 1] = (bool)(atoi_warn(p[j], msglevel));
9799 }
9800 }
9801 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9802 {
9803 VERIFY_PERMISSION(OPT_P_GENERAL);
9804 options->pkcs11_pin_cache_period = positive_atoi(p[1], msglevel);
9805 }
9806 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9807 {
9808 VERIFY_PERMISSION(OPT_P_GENERAL);
9809 options->pkcs11_id = p[1];
9810 }
9811 else if (streq(p[0], "pkcs11-id-management") && !p[1])
9812 {
9813 VERIFY_PERMISSION(OPT_P_GENERAL);
9814 options->pkcs11_id_management = true;
9815 }
9816#endif /* ifdef ENABLE_PKCS11 */
9817 else if (streq(p[0], "rmtun") && !p[1])
9818 {
9819 VERIFY_PERMISSION(OPT_P_GENERAL);
9820 options->persist_config = true;
9821 options->persist_mode = 0;
9822 }
9823 else if (streq(p[0], "mktun") && !p[1])
9824 {
9825 VERIFY_PERMISSION(OPT_P_GENERAL);
9826 options->persist_config = true;
9827 options->persist_mode = 1;
9828 }
9829 else if (streq(p[0], "peer-id") && p[1] && !p[2])
9830 {
9831 VERIFY_PERMISSION(OPT_P_PEER_ID);
9832 options->use_peer_id = true;
9833 options->peer_id = atoi_warn(p[1], msglevel);
9834 }
9835 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9836 {
9837 int ekm_length = positive_atoi(p[2], msglevel);
9838
9839 VERIFY_PERMISSION(OPT_P_GENERAL);
9840
9841 if (strncmp(p[1], "EXPORTER", 8))
9842 {
9843 msg(msglevel, "Keying material exporter label must begin with "
9844 "\"EXPORTER\"");
9845 goto err;
9846 }
9847 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9848 {
9849 msg(msglevel,
9850 "Keying material exporter label must not be '" EXPORT_KEY_DATA_LABEL "'.");
9851 }
9852 if (ekm_length < 16 || ekm_length > 4095)
9853 {
9854 msg(msglevel, "Invalid keying material exporter length");
9855 goto err;
9856 }
9857
9858 options->keying_material_exporter_label = p[1];
9859 options->keying_material_exporter_length = ekm_length;
9860 }
9861 else if (streq(p[0], "allow-recursive-routing") && !p[1])
9862 {
9863 VERIFY_PERMISSION(OPT_P_GENERAL);
9864 options->allow_recursive_routing = true;
9865 }
9866 else if (streq(p[0], "vlan-tagging") && !p[1])
9867 {
9868 VERIFY_PERMISSION(OPT_P_GENERAL);
9869 options->vlan_tagging = true;
9870 }
9871 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9872 {
9873 VERIFY_PERMISSION(OPT_P_GENERAL);
9874 if (streq(p[1], "tagged"))
9875 {
9876 options->vlan_accept = VLAN_ONLY_TAGGED;
9877 }
9878 else if (streq(p[1], "untagged"))
9879 {
9880 options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9881 }
9882 else if (streq(p[1], "all"))
9883 {
9884 options->vlan_accept = VLAN_ALL;
9885 }
9886 else
9887 {
9888 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9889 goto err;
9890 }
9891 }
9892 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9893 {
9894 VERIFY_PERMISSION(OPT_P_GENERAL | OPT_P_INSTANCE);
9895 options->vlan_pvid = positive_atoi(p[1], msglevel);
9896 if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
9897 || options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
9898 {
9899 msg(msglevel, "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9900 OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
9901 goto err;
9902 }
9903 }
9904 else
9905 {
9906 int i;
9907 msglvl_t msglevel_unknown = msglevel_fc;
9908 /* Check if an option is in --ignore-unknown-option and
9909 * set warning level to non fatal */
9910 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9911 {
9912 if (streq(p[0], options->ignore_unknown_option[i]))
9913 {
9914 msglevel_unknown = M_WARN;
9915 break;
9916 }
9917 }
9918 if (file)
9919 {
9920 msg(msglevel_unknown,
9921 "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file,
9922 line, p[0], PACKAGE_VERSION);
9923 }
9924 else
9925 {
9926 msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)",
9927 p[0], PACKAGE_VERSION);
9928 }
9929 }
9930err:
9931 gc_free(&gc);
9932}
9933
9934#if defined(__GNUC__) || defined(__clang__)
9935#pragma GCC diagnostic pop
9936#endif
9937
9938bool
9939has_udp_in_local_list(const struct options *options)
9940{
9941 if (options->ce.local_list)
9942 {
9943 for (int i = 0; i < options->ce.local_list->len; i++)
9944 {
9945 if (proto_is_dgram(options->ce.local_list->array[i]->proto))
9946 {
9947 return true;
9948 }
9949 }
9950 }
9951
9952 return false;
9953}
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:184
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:163
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
gc_transfer
void gc_transfer(struct gc_arena *dest, struct gc_arena *src)
Definition buffer.c:460
gc_realloc
void * gc_realloc(void *ptr, size_t size, struct gc_arena *a)
allows to realloc a pointer previously allocated by gc_malloc or gc_realloc
Definition buffer.c:370
format_hex_ex
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
string_array_len
int string_array_len(const char **array)
Definition buffer.c:703
buffer_read_from_file
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
Definition buffer.c:1348
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:825
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
string_alloc_buf
struct buffer string_alloc_buf(const char *str, struct gc_arena *gc)
Definition buffer.c:752
gc_detach
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1001
BSTR
#define BSTR(buf)
Definition buffer.h:128
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:704
BPTR
#define BPTR(buf)
Definition buffer.h:123
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1053
buf_valid
static bool buf_valid(const struct buffer *buf)
Definition buffer.h:234
gc_init
static void gc_init(struct gc_arena *a)
Definition buffer.h:994
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:518
buf_set_read
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition buffer.h:348
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1079
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1074
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
strprefix
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition buffer.h:959
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1007
add_client_nat_to_option_list
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, msglvl_t msglevel)
Definition clinat.c:102
print_client_nat_list
void print_client_nat_list(const struct client_nat_option_list *list, msglvl_t msglevel)
Definition clinat.c:50
new_client_nat_list
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition clinat.c:71
clone_client_nat_option_list
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition clinat.c:79
copy_client_nat_option_list
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition clinat.c:88
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:68
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition common.h:81
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, msglvl_t msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
COMP_F_ALLOW_STUB_ONLY
#define COMP_F_ALLOW_STUB_ONLY
Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY we still accept other compression...
Definition comp.h:45
COMP_F_SWAP
#define COMP_F_SWAP
initial command byte is swapped with last byte in buffer to preserve payload alignment
Definition comp.h:40
COMP_ALG_LZ4
#define COMP_ALG_LZ4
LZ4 algorithm.
Definition comp.h:59
COMP_ALGV2_LZ4
#define COMP_ALGV2_LZ4
Definition comp.h:64
COMP_F_ALLOW_NOCOMP_ONLY
#define COMP_F_ALLOW_NOCOMP_ONLY
Do not allow compression framing (breaks DCO)
Definition comp.h:51
COMP_F_ALLOW_ASYM
#define COMP_F_ALLOW_ASYM
Compression was explicitly set to allow asymetric compression.
Definition comp.h:49
COMP_ALGV2_UNCOMPRESSED
#define COMP_ALGV2_UNCOMPRESSED
Definition comp.h:63
COMP_ALG_STUB
#define COMP_ALG_STUB
support compression command byte and framing without actual compression
Definition comp.h:56
COMP_ALG_LZO
#define COMP_ALG_LZO
LZO algorithm.
Definition comp.h:57
COMP_F_ADVERTISE_STUBS_ONLY
#define COMP_F_ADVERTISE_STUBS_ONLY
tell server that we only support compression stubs
Definition comp.h:42
COMP_F_MIGRATE
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
comp_non_stub_enabled
static bool comp_non_stub_enabled(const struct compress_options *info)
Definition comp.h:81
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition comp.h:54
daemon
int daemon(int nochdir, int noclose)
Definition compat-daemon.c:50
dirname
char * dirname(char *path)
Definition compat-dirname.c:61
strsep
char * strsep(char **stringp, const char *delim)
Definition compat-strsep.c:35
PACKAGE_NAME
#define PACKAGE_NAME
Definition config.h:492
IPROUTE_PATH
#define IPROUTE_PATH
Definition config.h:468
PACKAGE_VERSION
#define PACKAGE_VERSION
Definition config.h:504
CONFIGURE_DEFINES
#define CONFIGURE_DEFINES
Definition config.h:5
PACKAGE_STRING
#define PACKAGE_STRING
Definition config.h:495
PACKAGE
#define PACKAGE
Definition config.h:486
TARGET_ALIAS
#define TARGET_ALIAS
Definition config.h:558
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:874
ascii2keydirection
int ascii2keydirection(msglvl_t msglevel, const char *str)
Definition crypto.c:1621
keydirection2ascii
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
Definition crypto.c:1644
check_tls_prf_working
bool check_tls_prf_working(void)
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS K...
Definition crypto.c:1904
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1198
crypto.h
Data Channel Cryptography Module.
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
KEY_DIRECTION_BIDIRECTIONAL
#define KEY_DIRECTION_BIDIRECTIONAL
Definition crypto.h:231
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:369
MD_SHA256
@ MD_SHA256
Definition crypto_backend.h:54
MD_SHA1
@ MD_SHA1
Definition crypto_backend.h:53
cipher_defined
static bool cipher_defined(const char *ciphername)
Checks if the cipher is defined and is not the null (none) cipher.
Definition crypto_backend.h:219
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition crypto_openssl.c:1072
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:653
cipher_kt_key_size
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
Definition crypto_openssl.c:673
SHA_DIGEST_LENGTH
#define SHA_DIGEST_LENGTH
Definition crypto_mbedtls.h:77
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition crypto_mbedtls.h:78
dco_check_startup_option
static bool dco_check_startup_option(msglvl_t msglevel, const struct options *o)
Definition dco.h:282
dco_check_option
static bool dco_check_option(msglvl_t msglevel, const struct options *o)
Definition dco.h:276
dco_version_string
static const char * dco_version_string(struct gc_arena *gc)
Definition dco.h:270
dns_options_verify
bool dns_options_verify(msglvl_t msglevel, const struct dns_options *o)
Checks validity of DNS options.
Definition dns.c:212
dns_options_postprocess_pull
void dns_options_postprocess_pull(struct dns_options *o)
Merges pulled DNS servers with static ones into an ordered list.
Definition dns.c:289
dns_server_addr_parse
bool dns_server_addr_parse(struct dns_server *server, const char *addr)
Parses a string IPv4 or IPv6 address and optional colon separated port, into a in_addr or in6_addr re...
Definition dns.c:62
dns_domain_list_append
bool dns_domain_list_append(struct dns_domain **entry, char **domains, struct gc_arena *gc)
Appends safe DNS domain parameters to a linked list.
Definition dns.c:148
dns_server_get
struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc)
Find or create DNS server with priority in a linked list.
Definition dns.c:190
dns_server_priority_parse
bool dns_server_priority_parse(long *priority, const char *str, bool pulled)
Parses a string DNS server priority and validates it.
Definition dns.c:175
clone_dns_options
struct dns_options clone_dns_options(const struct dns_options *o, struct gc_arena *gc)
Makes a deep copy of the passed DNS options.
Definition dns.c:266
show_dns_options
void show_dns_options(const struct dns_options *o)
Prints configured DNS options.
Definition dns.c:778
dns_options_preprocess_pull
void dns_options_preprocess_pull(struct dns_options *o)
Saves and resets the server options, so that pulled ones don't mix in.
Definition dns.c:282
dns_updown_user_set
static bool dns_updown_user_set(const struct dns_options *o)
Returns whether dns-updown is user defined.
Definition dns.h:218
DNS_UPDOWN_FORCED
@ DNS_UPDOWN_FORCED
Definition dns.h:50
DNS_UPDOWN_NO_FLAGS
@ DNS_UPDOWN_NO_FLAGS
Definition dns.h:48
DNS_UPDOWN_USER_SET
@ DNS_UPDOWN_USER_SET
Definition dns.h:49
DNS_SECURITY_NO
@ DNS_SECURITY_NO
Definition dns.h:33
DNS_SECURITY_YES
@ DNS_SECURITY_YES
Definition dns.h:34
DNS_SECURITY_OPTIONAL
@ DNS_SECURITY_OPTIONAL
Definition dns.h:35
dns_updown_forced
static bool dns_updown_forced(const struct dns_options *o)
Returns whether dns-updown is forced to run.
Definition dns.h:229
DNS_TRANSPORT_PLAIN
@ DNS_TRANSPORT_PLAIN
Definition dns.h:41
DNS_TRANSPORT_TLS
@ DNS_TRANSPORT_TLS
Definition dns.h:43
DNS_TRANSPORT_HTTPS
@ DNS_TRANSPORT_HTTPS
Definition dns.h:42
domain_helper.h
validate_domain
static bool validate_domain(const char *domain)
Definition domain_helper.h:34
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
setenv_str_i
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i)
Definition env_set.c:423
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
env_set_get
const char * env_set_get(const struct env_set *es, const char *name)
Definition env_set.c:201
setenv_str_safe
void setenv_str_safe(struct env_set *es, const char *name, const char *value)
Definition env_set.c:313
env_set_del
bool env_set_del(struct env_set *es, const char *str)
Definition env_set.c:183
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition env_set.c:299
D_SHOW_OCC
#define D_SHOW_OCC
Definition errlevel.h:150
D_PUSH
#define D_PUSH
Definition errlevel.h:82
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
D_DCO
#define D_DCO
Definition errlevel.h:93
D_SHOW_PARMS
#define D_SHOW_PARMS
Definition errlevel.h:95
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition errlevel.h:66
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
M_INFO
#define M_INFO
Definition errlevel.h:54
forward.h
Interface functions to the internal and external multiplexers.
helper_setdefault_topology
void helper_setdefault_topology(struct options *o)
Set –topology default depending on –mode.
Definition helper.c:137
helper_tcp_nodelay
void helper_tcp_nodelay(struct options *o)
Definition helper.c:608
helper_client_server
void helper_client_server(struct options *o)
Definition helper.c:165
helper_keepalive
void helper_keepalive(struct options *o)
Definition helper.c:548
max_int
static int max_int(int x, int y)
Definition integer.h:92
constrain_int
static int constrain_int(int x, int min, int max)
Definition integer.h:118
status
static SERVICE_STATUS status
Definition interactive.c:51
tls_verify
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
Definition keyingmaterialexporter.c:166
management_auth_token
void management_auth_token(struct management *man, const char *token)
Definition manage.c:3137
management_echo
void management_echo(struct management *man, const char *string, const bool pull)
Definition manage.c:3058
MF_FORGET_DISCONNECT
#define MF_FORGET_DISCONNECT
Definition manage.h:31
MF_EXTERNAL_KEY_PKCS1PAD
#define MF_EXTERNAL_KEY_PKCS1PAD
Definition manage.h:38
MF_CLIENT_AUTH
#define MF_CLIENT_AUTH
Definition manage.h:33
MF_EXTERNAL_KEY_PSSPAD
#define MF_EXTERNAL_KEY_PSSPAD
Definition manage.h:43
MF_EXTERNAL_KEY_NOPADDING
#define MF_EXTERNAL_KEY_NOPADDING
Definition manage.h:37
MF_QUERY_PROXY
#define MF_QUERY_PROXY
Definition manage.h:41
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition manage.h:36
MF_QUERY_REMOTE
#define MF_QUERY_REMOTE
Definition manage.h:40
MF_QUERY_PASSWORDS
#define MF_QUERY_PASSWORDS
Definition manage.h:28
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition manage.h:42
MF_EXTERNAL_KEY_DIGEST
#define MF_EXTERNAL_KEY_DIGEST
Definition manage.h:44
MF_UP_DOWN
#define MF_UP_DOWN
Definition manage.h:39
MF_HOLD
#define MF_HOLD
Definition manage.h:29
MF_SIGNAL
#define MF_SIGNAL
Definition manage.h:30
MF_UNIX_SOCK
#define MF_UNIX_SOCK
Definition manage.h:35
MF_CONNECT_AS_CLIENT
#define MF_CONNECT_AS_CLIENT
Definition manage.h:32
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:781
safe_print
const char * safe_print(const char *str, struct gc_arena *gc)
Definition misc.c:547
USER_PASS_LEN
#define USER_PASS_LEN
Definition misc.h:64
SC_CONCAT
#define SC_CONCAT
Definition misc.h:92
SC_ECHO
#define SC_ECHO
Definition misc.h:91
translate_mtu_discover_type_name
int translate_mtu_discover_type_name(const char *name)
Definition mtu.c:253
calc_options_string_link_mtu
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition mtu.c:147
MSSFIX_DEFAULT
#define MSSFIX_DEFAULT
Definition mtu.h:84
TUN_MTU_MAX_MIN
#define TUN_MTU_MAX_MIN
Definition mtu.h:74
TAP_MTU_EXTRA_DEFAULT
#define TAP_MTU_EXTRA_DEFAULT
Definition mtu.h:79
LINK_MTU_DEFAULT
#define LINK_MTU_DEFAULT
Definition mtu.h:64
TUN_MTU_DEFAULT
#define TUN_MTU_DEFAULT
Definition mtu.h:69
TLS_MTU_DEFAULT
#define TLS_MTU_DEFAULT
Definition mtu.h:89
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition multi.c:94
net_ctx_init
static int net_ctx_init(struct context *c, openvpn_net_ctx_t *ctx)
Definition networking.h:47
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:38
BOOL_CAST
#define BOOL_CAST(x)
Definition basic.h:26
CLEAR
#define CLEAR(x)
Definition basic.h:32
SIZE
#define SIZE(x)
Definition basic.h:29
errors_to_stderr
void errors_to_stderr(void)
Definition error.c:182
open_syslog
void open_syslog(const char *pgmname, bool stdio_to_null)
Definition error.c:445
redirect_stdout_stderr
void redirect_stdout_stderr(const char *file, bool append)
Definition error.c:494
openvpn_exit
void openvpn_exit(const int status)
Definition error.c:703
machine_readable_output
static bool machine_readable_output
Definition error.c:77
set_suppress_timestamps
void set_suppress_timestamps(bool suppressed)
Definition error.c:146
set_machine_readable_output
void set_machine_readable_output(bool parsable)
Definition error.c:152
msg_fp
FILE * msg_fp(const msglvl_t flags)
Definition error.c:191
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:104
suppress_timestamps
static bool suppress_timestamps
Definition error.c:80
M_OPTERR
#define M_OPTERR
Definition error.h:101
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition error.h:201
M_NOPREFIX
#define M_NOPREFIX
Definition error.h:98
M_DEBUG_LEVEL
#define M_DEBUG_LEVEL
Definition error.h:88
M_USAGE
#define M_USAGE
Definition error.h:107
OPENVPN_EXIT_STATUS_USAGE
#define OPENVPN_EXIT_STATUS_USAGE
Definition error.h:54
OPENVPN_EXIT_STATUS_GOOD
#define OPENVPN_EXIT_STATUS_GOOD
Definition error.h:52
M_FATAL
#define M_FATAL
Definition error.h:90
M_ERR
#define M_ERR
Definition error.h:106
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
M_MSG_VIRT_OUT
#define M_MSG_VIRT_OUT
Definition error.h:100
M_ERRNO
#define M_ERRNO
Definition error.h:95
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:554
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4551
RESET_OPTION_ROUTES
#define RESET_OPTION_ROUTES(option_ptr, field)
Definition options.c:5638
rol6_check_alloc
static void rol6_check_alloc(struct options *options)
Definition options.c:1583
CHKACC_PRIVATE
#define CHKACC_PRIVATE
Warn if this (private) file is group/others accessible.
Definition options.c:3950
check_file_access_chroot_inline
static bool check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access_chroot() that returns false immediately if the file is inline (and th...
Definition options.c:4084
check_file_access_chroot
static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
Definition options.c:4050
read_config_file
static void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5298
options_postprocess_verify_ce
static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
Definition options.c:2283
parse_argv
void parse_argv(struct options *options, const int argc, char *argv[], const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5401
NM_QUOTE_HINT
#define NM_QUOTE_HINT
Definition options.c:5605
options_postprocess_mutate_ce
static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
Definition options.c:2932
usage_version
static void usage_version(void)
Definition options.c:4909
get_ip_addr
static in_addr_t get_ip_addr(const char *ip_string, msglvl_t msglevel, bool *error)
Definition options.c:1111
in_src_get
static bool in_src_get(const struct in_src *is, char *line, const int size)
Definition options.c:5174
alloc_pull_filter
static struct pull_filter * alloc_pull_filter(struct options *o)
Definition options.c:2187
USAGE_VALID_SERVER_PROTOS
#define USAGE_VALID_SERVER_PROTOS
SHOW_BOOL
#define SHOW_BOOL(var)
Definition options.c:983
CHKACC_DIRPATH
#define CHKACC_DIRPATH
Check for directory presence where a file should reside.
Definition options.c:3947
pre_connect_save
static void pre_connect_save(struct options *o)
Definition options.c:3123
CHKACC_ACPTSTDIN
#define CHKACC_ACPTSTDIN
If filename is stdin, it's allowed and "exists".
Definition options.c:3949
TLS_CLIENT
#define TLS_CLIENT
add_option
static void add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:6194
setenv_connection_entry
static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
Definition options.c:988
check_inline_file_via_buf
static int check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
Definition options.c:5274
global_auth_retry
static int global_auth_retry
Definition options.c:4788
IS_TYPE_BUF
#define IS_TYPE_BUF
Definition options.c:5164
options_postprocess_pull
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition options.c:4293
uninit_options
void uninit_options(struct options *o)
Definition options.c:935
dhcp_option_dns6_parse
static void dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, msglvl_t msglevel)
Definition options.c:1339
connection_entry_load_re
static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
Definition options.c:2208
SHOW_STR
#define SHOW_STR(var)
Definition options.c:976
check_inline_file
static int check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
Definition options.c:5241
parse_topology
int parse_topology(const char *str, const msglvl_t msglevel)
Definition options.c:4741
show_windows_version
void show_windows_version(const unsigned int flags)
Definition options.c:4876
VERIFY_PERMISSION
#define VERIFY_PERMISSION(mask)
Definition options.c:5545
options_warning_extract_parm1
static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
Definition options.c:4563
key_is_external
bool key_is_external(const struct options *options)
Definition options.c:6179
check_ca_required
static void check_ca_required(const struct options *options)
Definition options.c:2245
parse_http_proxy_override
static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, struct gc_arena *gc)
Definition options.c:2001
space
static bool space(char c)
Definition options.c:4971
bypass_doubledash
static void bypass_doubledash(char **p)
Definition options.c:5153
verify_permission
static bool verify_permission(const char *name, const char *file, int line, const unsigned int type, const unsigned int allowed, unsigned int *found, const msglvl_t msglevel, struct options *options, bool is_inline)
Definition options.c:5555
CHKACC_FILEXSTWR
#define CHKACC_FILEXSTWR
If file exists, is it writable?
Definition options.c:3948
tuntap_options_postprocess_dns
static void tuntap_options_postprocess_dns(struct options *o)
Postprocess DNS related settings.
Definition options.c:3489
get_ipv6_addr_no_netbits
static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
Returns newly allocated string containing address part without "/nn".
Definition options.c:1136
option_iroute_ipv6
static void option_iroute_ipv6(struct options *o, const char *prefix_str, msglvl_t msglevel)
Definition options.c:1517
check_route_option
static bool check_route_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5828
show_dco_version
void show_dco_version(const unsigned int flags)
Definition options.c:4885
rol_check_alloc
void rol_check_alloc(struct options *options)
Definition options.c:1574
alloc_local_list_if_undef
static struct local_list * alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
Definition options.c:2064
SHOW_UNSIGNED
#define SHOW_UNSIGNED(var)
Definition options.c:982
show_settings
void show_settings(const struct options *o)
Definition options.c:1698
set_user_script
static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot)
Definition options.c:6140
parse_hash_fingerprint_multiline
static struct verify_hash_list * parse_hash_fingerprint_multiline(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
Parses a string consisting of multiple lines of hexstrings and checks if each string has the correct ...
Definition options.c:1249
LZO_LIB_VER_STR
#define LZO_LIB_VER_STR
no_more_than_n_args
static bool no_more_than_n_args(const msglvl_t msglevel, char *p[], const int max, const unsigned int flags)
Definition options.c:5608
show_dhcp_option_list
static void show_dhcp_option_list(const char *name, const char *const *array, int len)
Definition options.c:1291
parse_line
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, msglvl_t msglevel, struct gc_arena *gc)
Definition options.c:4977
show_connection_entries
static void show_connection_entries(const struct options *o)
Definition options.c:1659
options_postprocess_mutate_le
static void options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
Definition options.c:3089
options_cmp_equal_safe
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4671
string_defined_equal
bool string_defined_equal(const char *s1, const char *s2)
Definition options.c:4940
check_file_access_inline
static bool check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access() that returns false immediately if the file is inline (and therefore...
Definition options.c:4100
options_postprocess
void options_postprocess(struct options *options, struct env_set *es)
Definition options.c:4279
options_string_import
void options_string_import(struct options *options, const char *config, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5537
show_dhcp_option_addrs
static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
Definition options.c:1301
usage_small
void usage_small(void)
Definition options.c:4868
auth_retry_print
const char * auth_retry_print(void)
Definition options.c:4820
show_http_proxy_options
static void show_http_proxy_options(const struct http_proxy_options *o)
Definition options.c:1535
options_postprocess_filechecks
static void options_postprocess_filechecks(struct options *options)
Definition options.c:4168
alloc_remote_entry
static struct remote_entry * alloc_remote_entry(struct options *options, const msglvl_t msglevel)
Definition options.c:2151
show_connection_entry
static void show_connection_entry(const struct connection_entry *o)
Definition options.c:1602
options_warning_safe
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4694
show_library_versions
void show_library_versions(const unsigned int flags)
Definition options.c:4895
setenv_settings
void setenv_settings(struct env_set *es, const struct options *o)
Definition options.c:1014
CHKACC_ACCEPT_URI
#define CHKACC_ACCEPT_URI
Do not check URIs, unless they start with file:
Definition options.c:3951
options_server_import
void options_server_import(struct options *o, const char *filename, msglvl_t msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5527
usage_message
static const char usage_message[]
Definition options.c:121
string_substitute
static char * string_substitute(const char *src, int from, int to, struct gc_arena *gc)
Definition options.c:1168
options_warning_safe_scan1
static void options_warning_safe_scan1(const msglvl_t msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4631
alloc_connection_list_if_undef
static struct connection_list * alloc_connection_list_if_undef(struct options *options)
Definition options.c:2105
check_cmd_access
static bool check_cmd_access(const char *command, const char *opt, const char *chroot)
Definition options.c:4128
SHOW_INT64
#define SHOW_INT64(var)
Definition options.c:981
apply_push_options
bool apply_push_options(struct context *c, struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es, bool is_update)
Definition options.c:5463
check_file_access
static bool check_file_access(const int type, const char *file, const int mode, const char *opt)
Definition options.c:3954
show_p2mp_parms
static void show_p2mp_parms(const struct options *o)
Definition options.c:1398
pull_filter_type_name
static const char * pull_filter_type_name(int type)
Definition options.c:955
cnol_check_alloc
static void cnol_check_alloc(struct options *options)
Definition options.c:1592
check_inline_file_via_fp
static int check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
Definition options.c:5265
options_postprocess_mutate
static void options_postprocess_mutate(struct options *o, struct env_set *es)
Definition options.c:3746
options_detach
void options_detach(struct options *o)
Definition options.c:1565
options_warning_safe_ml
static void options_warning_safe_ml(const msglvl_t msglevel, char *actual, const char *expected, size_t actual_n)
Definition options.c:4649
atou
static unsigned int atou(const char *str)
Definition options.c:4962
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3165
alloc_pull_filter_list
static struct pull_filter_list * alloc_pull_filter_list(struct options *o)
Definition options.c:2177
print_topology
const char * print_topology(const int topology)
Definition options.c:4763
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4708
parse_hash_fingerprint
static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
Parses a hexstring and checks if the string has the correct length.
Definition options.c:1196
check_dns_option
static bool check_dns_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5877
SHOW_STR_INLINE
#define SHOW_STR_INLINE(var)
Definition options.c:977
options_warning_safe_scan2
static void options_warning_safe_scan2(const msglvl_t msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4577
options_postprocess_cipher
static void options_postprocess_cipher(struct options *o)
Definition options.c:3323
options_set_backwards_compatible_options
static void options_set_backwards_compatible_options(struct options *o)
Changes default values so that OpenVPN can be compatible with the user specified version.
Definition options.c:3393
show_tuntap_options
static void show_tuntap_options(const struct tuntap_options *o)
Definition options.c:1313
init_options
void init_options(struct options *o, const bool init_gc)
Definition options.c:807
MUST_BE_FALSE
#define MUST_BE_FALSE(condition, parm_name)
Definition options.c:2276
MUST_BE_UNDEF
#define MUST_BE_UNDEF(parm, parm_name)
Definition options.c:2271
print_vlan_accept
static const char * print_vlan_accept(enum vlan_acceptable_frames mode)
Definition options.c:1381
SHOW_PARM
#define SHOW_PARM(name, value, format)
Definition options.c:975
options_postprocess_http_proxy_override
static void options_postprocess_http_proxy_override(struct options *o)
Definition options.c:2029
IS_TYPE_FP
#define IS_TYPE_FP
Definition options.c:5163
options_warning
void options_warning(char *actual, const char *expected)
Definition options.c:4557
show_pull_filter_list
static void show_pull_filter_list(const struct pull_filter_list *l)
Definition options.c:1680
update_option
static void update_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es, unsigned int *update_options_found)
Processes an option to update.
Definition options.c:6009
CHKACC_FILE
#define CHKACC_FILE
Check for a file/directory presence.
Definition options.c:3946
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4700
remove_option
static void remove_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Resets options found in the PUSH_UPDATE message that are preceded by the - flag.
Definition options.c:5666
options_postprocess_mutate_invariant
static void options_postprocess_mutate_invariant(struct options *options)
Definition options.c:3234
ipv6_addr_safe_hexplusbits
static bool ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
Definition options.c:1154
title_string
const char title_string[]
Definition options.c:71
setenv_local_entry
static void setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
Definition options.c:1006
remap_redirect_gateway_flags
static void remap_redirect_gateway_flags(struct options *opt)
Definition options.c:3107
read_config_string
static void read_config_string(const char *prefix, struct options *options, const char *config, const msglvl_t msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition options.c:5372
TLS_SERVER
#define TLS_SERVER
usage
static void usage(void)
Definition options.c:4842
msglevel_forward_compatible
static msglvl_t msglevel_forward_compatible(struct options *options, const msglvl_t msglevel)
Definition options.c:5633
auth_retry_set
bool auth_retry_set(const msglvl_t msglevel, const char *option)
Definition options.c:4797
auth_retry_get
int auth_retry_get(void)
Definition options.c:4791
dhcp_option_address_parse
static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, msglvl_t msglevel)
Definition options.c:1353
alloc_remote_list_if_undef
static struct remote_list * alloc_remote_list_if_undef(struct options *options)
Definition options.c:2141
check_route6_option
static bool check_route6_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5856
notnull
void notnull(const char *arg, const char *description)
Definition options.c:4931
alloc_local_entry
static struct local_entry * alloc_local_entry(struct connection_entry *ce, const msglvl_t msglevel, struct gc_arena *gc)
Definition options.c:2074
show_compression_warning
static void show_compression_warning(struct compress_options *info)
Definition options.c:6167
options_process_mutate_prf
static void options_process_mutate_prf(struct options *o)
Definition options.c:3461
has_udp_in_local_list
bool has_udp_in_local_list(const struct options *options)
Definition options.c:9939
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4350
option_iroute
static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, msglvl_t msglevel)
Definition options.c:1490
read_inline_file
static char * read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
Definition options.c:5197
options_postprocess_verify
static void options_postprocess_verify(const struct options *o)
Definition options.c:3297
connection_entry_preload_key
static void connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
Definition options.c:2229
alloc_connection_entry
static struct connection_entry * alloc_connection_entry(struct options *options, const msglvl_t msglevel)
Definition options.c:2115
SHOW_INT
#define SHOW_INT(var)
Definition options.c:979
need_compatibility_before
static bool need_compatibility_before(const struct options *o, unsigned int version)
The option –compat-mode is used to set up default settings to values used on the specified openvpn ve...
Definition options.c:3383
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition options.h:260
OPT_P_SCRIPT
#define OPT_P_SCRIPT
Definition options.h:736
PUF_TYPE_ACCEPT
#define PUF_TYPE_ACCEPT
filter type to accept a matching option
Definition options.h:810
OPT_P_PUSH
#define OPT_P_PUSH
Definition options.h:748
SF_TCP_NODELAY_HELPER
#define SF_TCP_NODELAY_HELPER
Definition options.h:478
OPT_P_UP
#define OPT_P_UP
Definition options.h:733
OPT_P_CONNECTION
#define OPT_P_CONNECTION
Definition options.h:759
OPT_P_INSTANCE
#define OPT_P_INSTANCE
allowed in ccd, client-connect etc
Definition options.h:749
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:744
OPT_P_ECHO
#define OPT_P_ECHO
Definition options.h:752
OPT_P_ROUTE_TABLE
#define OPT_P_ROUTE_TABLE
Definition options.h:763
OPT_P_CONFIG
#define OPT_P_CONFIG
Definition options.h:750
MODE_SERVER
#define MODE_SERVER
Definition options.h:261
CONNECTION_LIST_SIZE
#define CONNECTION_LIST_SIZE
Definition options.h:187
streq
#define streq(x, y)
Definition options.h:727
OPT_P_U_REDIR_GATEWAY
#define OPT_P_U_REDIR_GATEWAY
Definition options.h:805
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:751
PUF_TYPE_IGNORE
#define PUF_TYPE_IGNORE
filter type to ignore a matching option
Definition options.h:811
AR_INTERACT
#define AR_INTERACT
Definition options.h:915
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition options.h:738
OPT_P_U_ROUTE6
#define OPT_P_U_ROUTE6
Definition options.h:802
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition options.h:758
SF_NOPOOL
#define SF_NOPOOL
Definition options.h:477
PUF_TYPE_REJECT
#define PUF_TYPE_REJECT
filter type to reject and trigger SIGUSR1
Definition options.h:812
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition options.h:743
OPT_P_SETENV
#define OPT_P_SETENV
Definition options.h:737
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition options.h:757
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition options.h:756
OPTION_PARM_SIZE
#define OPTION_PARM_SIZE
Definition options.h:56
OPT_P_TIMER
#define OPT_P_TIMER
Definition options.h:739
OPT_P_GENERAL
#define OPT_P_GENERAL
Definition options.h:732
PING_RESTART
#define PING_RESTART
Definition options.h:356
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition options.h:735
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition options.h:755
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition options.h:239
GENKEY_SECRET
@ GENKEY_SECRET
Definition options.h:236
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:238
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:237
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition options.h:762
AR_NONE
#define AR_NONE
Definition options.h:914
AR_NOINTERACT
#define AR_NOINTERACT
Definition options.h:916
SF_NO_PUSH_ROUTE_GATEWAY
#define SF_NO_PUSH_ROUTE_GATEWAY
Definition options.h:479
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition options.h:740
MAX_PARMS
#define MAX_PARMS
Definition options.h:51
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition options.h:767
OPT_P_U_DNS
#define OPT_P_U_DNS
Definition options.h:803
PLUGIN_OPTION_LIST
#define PLUGIN_OPTION_LIST(opt)
Definition options.h:787
ROUTE_OPTION_FLAGS
#define ROUTE_OPTION_FLAGS(o)
Definition options.h:779
OPTION_LINE_SIZE
#define OPTION_LINE_SIZE
Definition options.h:57
OPT_P_U_ROUTE
#define OPT_P_U_ROUTE
Definition options.h:801
PING_EXIT
#define PING_EXIT
Definition options.h:355
OPT_P_COMP
#define OPT_P_COMP
Definition options.h:742
OPT_P_PERSIST_IP
#define OPT_P_PERSIST_IP
Definition options.h:741
OPT_P_MTU
#define OPT_P_MTU
Definition options.h:746
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition options.h:754
OPT_P_U_DHCP
#define OPT_P_U_DHCP
Definition options.h:804
OPT_P_NICE
#define OPT_P_NICE
Definition options.h:747
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition options.h:760
OPT_P_INHERIT
#define OPT_P_INHERIT
Definition options.h:753
OPT_P_TLS_PARMS
#define OPT_P_TLS_PARMS
Definition options.h:745
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition options.h:734
MAN_CLIENT_AUTH_ENABLED
#define MAN_CLIENT_AUTH_ENABLED(opt)
Definition options.h:793
CE_DISABLED
#define CE_DISABLED
Definition options.h:150
OPT_P_INLINE
#define OPT_P_INLINE
Definition options.h:761
vlan_acceptable_frames
vlan_acceptable_frames
Definition options.h:220
VLAN_ONLY_UNTAGGED_OR_PRIORITY
@ VLAN_ONLY_UNTAGGED_OR_PRIORITY
Definition options.h:222
VLAN_ALL
@ VLAN_ALL
Definition options.h:223
VLAN_ONLY_TAGGED
@ VLAN_ONLY_TAGGED
Definition options.h:221
check_push_update_option_flags
bool check_push_update_option_flags(char *line, int *i, unsigned int *flags)
Checks the formatting and validity of options inside push-update messages.
Definition options_util.c:215
atoi_warn
int atoi_warn(const char *str, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number.
Definition options_util.c:151
positive_atoi
int positive_atoi(const char *str, msglvl_t msglevel)
Converts a str to a positive number if the string represents a postive integer number.
Definition options_util.c:120
positive_atoll
bool positive_atoll(const char *str, int64_t *value, const char *name, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number and is >= 0.
Definition options_util.c:135
apply_pull_filter
bool apply_pull_filter(const struct options *o, char *line)
Filter an option line by all pull filters.
Definition options_util.c:277
valid_integer
bool valid_integer(const char *str, bool positive)
Checks if the string is a valid integer by checking if it can be converted to an integer.
Definition options_util.c:104
atoi_constrained
bool atoi_constrained(const char *str, int *value, const char *name, int min, int max, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number and is between min...
Definition options_util.c:171
options_util.h
packet_id.h
MAX_SEQ_BACKTRACK
#define MAX_SEQ_BACKTRACK
Definition packet_id.h:85
MIN_SEQ_BACKTRACK
#define MIN_SEQ_BACKTRACK
Definition packet_id.h:84
DEFAULT_SEQ_BACKTRACK
#define DEFAULT_SEQ_BACKTRACK
Definition packet_id.h:86
MAX_TIME_BACKTRACK
#define MAX_TIME_BACKTRACK
Definition packet_id.h:94
DEFAULT_TIME_BACKTRACK
#define DEFAULT_TIME_BACKTRACK
Definition packet_id.h:95
MIN_TIME_BACKTRACK
#define MIN_TIME_BACKTRACK
Definition packet_id.h:93
platform_getpid
unsigned int platform_getpid(void)
Definition platform.c:337
platform_access
int platform_access(const char *path, int mode)
Definition platform.c:461
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition platform.c:504
platform_chdir
int platform_chdir(const char *dir)
Definition platform.c:396
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:530
platform_stat_t
struct _stat platform_stat_t
Definition platform.h:142
plugin_option_list_new
struct plugin_option_list * plugin_option_list_new(struct gc_arena *gc)
Definition plugin.c:159
plugin_option_list_add
bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
Definition plugin.c:167
plugin_option_list_print
void plugin_option_list_print(const struct plugin_option_list *list, msglvl_t msglevel)
Definition plugin.c:187
ifconfig_pool_verify_range
bool ifconfig_pool_verify_range(const msglvl_t msglevel, const in_addr_t start, const in_addr_t end)
Definition pool.c:117
OPENVPN_8021Q_MIN_VID
#define OPENVPN_8021Q_MIN_VID
Definition proto.h:316
OPENVPN_8021Q_MAX_VID
#define OPENVPN_8021Q_MAX_VID
Definition proto.h:317
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:36
TOP_UNDEF
#define TOP_UNDEF
Definition proto.h:40
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition proto.h:34
TOP_NET30
#define TOP_NET30
Definition proto.h:41
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:35
TOP_P2P
#define TOP_P2P
Definition proto.h:42
TOP_SUBNET
#define TOP_SUBNET
Definition proto.h:43
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:45
PAR_NCT
#define PAR_NCT
Definition proxy.h:51
MAX_CUSTOM_HTTP_HEADER
#define MAX_CUSTOM_HTTP_HEADER
Definition proxy.h:43
PAR_ALL
#define PAR_ALL
Definition proxy.h:50
push_reset
void push_reset(struct options *o)
Definition push.c:935
push_options
void push_options(struct options *o, char **p, msglvl_t msglevel, struct gc_arena *gc)
Definition push.c:909
clone_push_list
void clone_push_list(struct options *o)
Definition push.c:894
push_remove_option
void push_remove_option(struct options *o, const char *p)
Definition push.c:941
PUSH_OPT_TO_REMOVE
#define PUSH_OPT_TO_REMOVE
Definition push.h:41
PUSH_OPT_OPTIONAL
#define PUSH_OPT_OPTIONAL
Definition push.h:42
print_route_options
void print_route_options(const struct route_option_list *rol, msglvl_t msglevel)
Definition route.c:1238
is_special_addr
bool is_special_addr(const char *addr_str)
Definition route.c:299
clone_route_option_list
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition route.c:153
netmask_to_netbits2
int netmask_to_netbits2(in_addr_t netmask)
Definition route.c:3908
new_route_ipv6_option_list
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition route.c:137
delete_routes_v6
void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1196
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition route.c:2667
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:507
copy_route_option_list
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition route.c:171
copy_route_ipv6_option_list
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:179
print_default_gateway
void print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition route.c:1252
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2569
clone_route_ipv6_option_list
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:162
new_route_option_list
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition route.c:128
show_routes
void show_routes(msglvl_t msglevel)
Definition route.c:3070
delete_routes_v4
void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1174
add_route_to_option_list
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric, int table_id)
Definition route.c:492
RG_LOCAL
#define RG_LOCAL
Definition route.h:87
RG_BYPASS_DHCP
#define RG_BYPASS_DHCP
Definition route.h:89
ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_SERVICE
Definition route.h:42
ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_IPAPI
Definition route.h:40
ROUTE_METHOD_EXE
#define ROUTE_METHOD_EXE
Definition route.h:41
RG_DEF1
#define RG_DEF1
Definition route.h:88
RG_BYPASS_DNS
#define RG_BYPASS_DNS
Definition route.h:90
RG_ENABLE
#define RG_ENABLE
Definition route.h:86
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:91
ROUTE_METHOD_ADAPTIVE
#define ROUTE_METHOD_ADAPTIVE
Definition route.h:39
RG_AUTO_LOCAL
#define RG_AUTO_LOCAL
Definition route.h:92
RG_BLOCK_LOCAL
#define RG_BLOCK_LOCAL
Definition route.h:93
script_security_set
void script_security_set(int level)
Definition run_command.c:48
run_command.h
SSEC_PW_ENV
#define SSEC_PW_ENV
allow calling of built-in programs and user-defined scripts that may receive a password as an environ...
Definition run_command.h:38
SSEC_NONE
#define SSEC_NONE
strictly no calling of external programs
Definition run_command.h:31
SHAPER_MAX
#define SHAPER_MAX
Definition shaper.h:40
SHAPER_MIN
#define SHAPER_MIN
Definition shaper.h:39
bind_local
static void bind_local(struct link_socket *sock, const sa_family_t ai_family)
Definition socket.c:657
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, msglvl_t msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:219
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:192
SF_TCP_NODELAY
#define SF_TCP_NODELAY
Definition socket.h:192
RESOLV_RETRY_INFINITE
#define RESOLV_RETRY_INFINITE
Definition socket.h:48
OPENVPN_PORT
#define OPENVPN_PORT
Definition socket.h:42
SF_USE_IP_PKTINFO
#define SF_USE_IP_PKTINFO
Definition socket.h:191
SF_HOST_RANDOMIZE
#define SF_HOST_RANDOMIZE
Definition socket.h:194
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition socket_util.c:409
mac_addr_safe
bool mac_addr_safe(const char *mac_addr)
Definition socket_util.c:890
proto2ascii_all
const char * proto2ascii_all(struct gc_arena *gc)
Definition socket_util.c:430
ascii2af
sa_family_t ascii2af(const char *proto_name)
Definition socket_util.c:396
proto_remote
const char * proto_remote(int proto, bool remote)
Definition socket_util.c:472
ipv6_addr_safe
bool ipv6_addr_safe(const char *ipv6_text_addr)
Definition socket_util.c:837
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:216
ip_or_dns_addr_safe
bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn)
Definition socket_util.c:873
ascii2proto
int ascii2proto(const char *proto_name)
Definition socket_util.c:383
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196
ip_addr_dotted_quad_safe
bool ip_addr_dotted_quad_safe(const char *dotted_quad)
Definition socket_util.c:787
socket_util.h
proto_is_net
static bool proto_is_net(int proto)
Definition socket_util.h:185
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition socket_util.h:195
GETADDR_FATAL
#define GETADDR_FATAL
Definition socket_util.h:118
PROTO_NONE
@ PROTO_NONE
Definition socket_util.h:176
PROTO_UDP
@ PROTO_UDP
Definition socket_util.h:177
PROTO_TCP
@ PROTO_TCP
Definition socket_util.h:178
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition socket_util.h:180
PROTO_TCP_SERVER
@ PROTO_TCP_SERVER
Definition socket_util.h:179
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition socket_util.h:119
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition socket_util.h:206
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition socket_util.h:117
IA_NET_ORDER
#define IA_NET_ORDER
Definition socket_util.h:90
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:371
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition ssl.c:346
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:430
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition ssl.c:365
ssl_get_auth_nocache
bool ssl_get_auth_nocache(void)
Definition ssl.c:356
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1883
ssl.h
Control Channel SSL/Data channel negotiation module.
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:120
KEY_METHOD_2
#define KEY_METHOD_2
Definition ssl.h:122
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition ssl_openssl.c:2646
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition ssl_backend.h:103
TLS_VER_1_0
#define TLS_VER_1_0
Definition ssl_backend.h:105
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition ssl_backend.h:390
TLS_VER_1_2
#define TLS_VER_1_2
Definition ssl_backend.h:107
TLS_VER_1_3
#define TLS_VER_1_3
Definition ssl_backend.h:108
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition ssl_openssl.c:203
SSLF_TLS_VERSION_MAX_SHIFT
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition ssl_common.h:432
SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_OPTIONAL
Definition ssl_common.h:425
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:427
SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition ssl_common.h:424
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:429
SSLF_TLS_DEBUG_ENABLED
#define SSLF_TLS_DEBUG_ENABLED
Definition ssl_common.h:434
SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MAX_MASK
Definition ssl_common.h:433
SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition ssl_common.h:430
SSLF_TLS_VERSION_MIN_MASK
#define SSLF_TLS_VERSION_MIN_MASK
Definition ssl_common.h:431
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition ssl_common.h:426
SSLF_OPT_VERIFY
#define SSLF_OPT_VERIFY
Definition ssl_common.h:428
options_postprocess_setdefault_ncpciphers
void options_postprocess_setdefault_ncpciphers(struct options *o)
Checks for availibility of Chacha20-Poly1305 and sets the ncp_cipher to either AES-256-GCM:AES-128-GC...
Definition ssl_ncp.c:584
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
append_cipher_to_ncp_list
void append_cipher_to_ncp_list(struct options *o, const char *ciphername)
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
Definition ssl_ncp.c:195
mutate_ncp_cipher_list
char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
Check whether the ciphers in the supplied list are supported.
Definition ssl_ncp.c:96
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
ssl_verify.h
Control Channel Verification Module.
OPENVPN_KU_REQUIRED
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
Definition ssl_verify.h:257
VERIFY_X509_SUBJECT_DN
#define VERIFY_X509_SUBJECT_DN
Definition ssl_verify.h:69
VERIFY_X509_SUBJECT_RDN
#define VERIFY_X509_SUBJECT_RDN
Definition ssl_verify.h:70
NS_CERT_CHECK_CLIENT
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:254
VERIFY_X509_SUBJECT_RDN_PREFIX
#define VERIFY_X509_SUBJECT_RDN_PREFIX
Definition ssl_verify.h:71
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:252
x509_track_add
void x509_track_add(const struct x509_track **ll_head, const char *name, msglvl_t msglevel, struct gc_arena *gc)
Definition ssl_verify_openssl.c:417
argv
Definition argv.h:35
argv::argv
char ** argv
Definition argv.h:39
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::capacity
int capacity
Size in bytes of memory allocated by malloc().
Definition buffer.h:61
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
compress_options
Definition comp.h:75
compress_options::flags
unsigned int flags
Definition comp.h:77
compress_options::alg
int alg
Definition comp.h:76
connection_entry
Definition options.h:104
connection_entry::local_list
struct local_list * local_list
Definition options.h:105
connection_entry::tun_mtu_max
int tun_mtu_max
Definition options.h:126
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition options.h:116
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition options.h:176
connection_entry::link_mtu
int link_mtu
Definition options.h:131
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition options.h:132
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition options.h:129
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition options.h:117
connection_entry::bind_local
bool bind_local
Definition options.h:115
connection_entry::mssfix
int mssfix
Definition options.h:141
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition options.h:167
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:172
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition options.h:130
connection_entry::remote
const char * remote
Definition options.h:111
connection_entry::connect_timeout
int connect_timeout
Definition options.h:118
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition options.h:121
connection_entry::mssfix_default
bool mssfix_default
Definition options.h:142
connection_entry::mssfix_encap
bool mssfix_encap
Definition options.h:143
connection_entry::occ_mtu
int occ_mtu
Definition options.h:125
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition options.h:119
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:168
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:163
connection_entry::bind_ipv6_only
bool bind_ipv6_only
Definition options.h:114
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition options.h:128
connection_entry::remote_float
bool remote_float
Definition options.h:112
connection_entry::tls_mtu
int tls_mtu
Definition options.h:133
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition options.h:147
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition options.h:122
connection_entry::remote_port
const char * remote_port
Definition options.h:110
connection_entry::fragment_encap
bool fragment_encap
Definition options.h:139
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition options.h:120
connection_entry::fragment
int fragment
Definition options.h:138
connection_entry::mtu_discover_type
int mtu_discover_type
Definition options.h:136
connection_entry::proto
int proto
Definition options.h:106
connection_entry::af
sa_family_t af
Definition options.h:107
connection_entry::tls_auth_file
const char * tls_auth_file
Definition options.h:162
connection_entry::local_port_defined
bool local_port_defined
Definition options.h:109
connection_entry::tun_mtu
int tun_mtu
Definition options.h:124
connection_entry::bind_defined
bool bind_defined
Definition options.h:113
connection_entry::local_port
const char * local_port
Definition options.h:108
connection_entry::key_direction
int key_direction
Definition options.h:164
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:173
connection_entry::flags
unsigned int flags
Definition options.h:159
connection_entry::mssfix_fixed
bool mssfix_fixed
Definition options.h:145
connection_list
Definition options.h:197
connection_list::array
struct connection_entry ** array
Definition options.h:201
connection_list::capacity
int capacity
Definition options.h:198
connection_list::len
int len
Definition options.h:199
context_1::route_list
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
context_1::route_ipv6_list
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
context_1::tuntap
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
context
Contains all state information for one tunnel.
Definition openvpn.h:474
context::net_ctx
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:501
context::options
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:475
context::c1
struct context_1 c1
Level 1 context.
Definition openvpn.h:516
dhcp_options
Definition dns.h:100
dhcp_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition dns.h:101
dhcp
Definition dhcp.h:53
dns_domain
Definition dns.h:54
dns_domain::next
struct dns_domain * next
Definition dns.h:55
dns_domain::name
const char * name
Definition dns.h:56
dns_options
Definition dns.h:113
dns_options::servers
struct dns_server * servers
Definition dns.h:117
dns_options::updown
const char * updown
Definition dns.h:119
dns_options::from_dhcp
struct dhcp_options from_dhcp
Definition dns.h:114
dns_options::gc
struct gc_arena gc
Definition dns.h:118
dns_options::updown_flags
enum dns_updown_flags updown_flags
Definition dns.h:120
dns_options::search_domains
struct dns_domain * search_domains
Definition dns.h:115
dns_server_addr::a4
struct in_addr a4
Definition dns.h:63
dns_server_addr::in
union dns_server_addr::@0 in
dns_server_addr::family
sa_family_t family
Definition dns.h:66
dns_server_addr::a6
struct in6_addr a6
Definition dns.h:64
dns_server_addr::port
in_port_t port
Definition dns.h:67
dns_server
Definition dns.h:71
dns_server::addr
struct dns_server_addr addr[8]
Definition dns.h:75
dns_server::dnssec
enum dns_security dnssec
Definition dns.h:77
dns_server::next
struct dns_server * next
Definition dns.h:72
dns_server::priority
long priority
Definition dns.h:73
dns_server::addr_count
size_t addr_count
Definition dns.h:74
dns_server::domains
struct dns_domain * domains
Definition dns.h:76
dns_server::transport
enum dns_server_transport transport
Definition dns.h:78
dns_server::sni
const char * sni
Definition dns.h:79
env_item
Definition env_set.h:37
env_item::string
char * string
Definition env_set.h:38
env_item::next
struct env_item * next
Definition env_set.h:39
env_set
Definition env_set.h:43
env_set::list
struct env_item * list
Definition env_set.h:45
fragment
Structure for reassembling one incoming fragmented packet.
Definition fragment.h:65
frame
Packet geometry parameters.
Definition mtu.h:103
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:137
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
hash
Definition list.h:53
http_custom_header
Definition proxy.h:38
http_custom_header::name
const char * name
Definition proxy.h:39
http_custom_header::content
const char * content
Definition proxy.h:40
http_proxy_options
Definition proxy.h:45
http_proxy_options::auth_file
const char * auth_file
Definition proxy.h:55
http_proxy_options::http_version
const char * http_version
Definition proxy.h:57
http_proxy_options::port
const char * port
Definition proxy.h:47
http_proxy_options::inline_creds
bool inline_creds
Definition proxy.h:60
http_proxy_options::user_agent
const char * user_agent
Definition proxy.h:58
http_proxy_options::auth_retry
int auth_retry
Definition proxy.h:52
http_proxy_options::auth_method_string
const char * auth_method_string
Definition proxy.h:54
http_proxy_options::nocache
bool nocache
Definition proxy.h:63
http_proxy_options::custom_headers
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
Definition proxy.h:59
http_proxy_options::auth_file_up
const char * auth_file_up
Definition proxy.h:56
http_proxy_options::server
const char * server
Definition proxy.h:46
in_src
Definition options.c:5162
in_src::multiline
struct buffer * multiline
Definition options.c:5169
in_src::u
union in_src::@9 u
in_src::fp
FILE * fp
Definition options.c:5168
in_src::type
int type
Definition options.c:5165
iroute_ipv6
Definition route.h:266
iroute_ipv6::next
struct iroute_ipv6 * next
Definition route.h:269
iroute_ipv6::netbits
unsigned int netbits
Definition route.h:268
iroute_ipv6::network
struct in6_addr network
Definition route.h:267
iroute::network
in_addr_t network
Definition route.h:260
iroute::netbits
int netbits
Definition route.h:261
iroute::next
struct iroute * next
Definition route.h:262
key_type
Definition crypto.h:141
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key_type::digest
const char * digest
Message digest static parameters.
Definition crypto.h:143
local_entry
Definition options.h:97
local_entry::port
const char * port
Definition options.h:99
local_entry::proto
int proto
Definition options.h:100
local_entry::local
const char * local
Definition options.h:98
local_list
Definition options.h:190
local_list::array
struct local_entry ** array
Definition options.h:193
local_list::len
int len
Definition options.h:192
local_list::capacity
int capacity
Definition options.h:191
options_pre_connect
Definition options.h:63
options_pre_connect::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:65
options_pre_connect::routes_defined
bool routes_defined
Definition options.h:67
options_pre_connect::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:86
options_pre_connect::foreign_option_index
int foreign_option_index
Definition options.h:88
options_pre_connect::tuntap_options_defined
bool tuntap_options_defined
Definition options.h:64
options_pre_connect::routes_ipv6_defined
bool routes_ipv6_defined
Definition options.h:70
options_pre_connect::ping_rec_timeout
int ping_rec_timeout
Definition options.h:85
options_pre_connect::routes
struct route_option_list * routes
Definition options.h:68
options_pre_connect::comp
struct compress_options comp
Definition options.h:89
options_pre_connect::ciphername
const char * ciphername
Definition options.h:81
options_pre_connect::dns_options
struct dns_options dns_options
Definition options.h:79
options_pre_connect::route_default_gateway
const char * route_default_gateway
Definition options.h:73
options_pre_connect::ping_send_timeout
int ping_send_timeout
Definition options.h:84
options_pre_connect::authname
const char * authname
Definition options.h:82
options_pre_connect::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:71
options_pre_connect::client_nat_defined
bool client_nat_defined
Definition options.h:76
options_pre_connect::client_nat
struct client_nat_option_list * client_nat
Definition options.h:77
options_pre_connect::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:74
options::resolve_retry_seconds
int resolve_retry_seconds
Definition options.h:367
options::rcvbuf
int rcvbuf
Definition options.h:416
options::resolve_in_advance
bool resolve_in_advance
Definition options.h:368
options::route_nopull
bool route_nopull
Definition options.h:440
options::genkey_extra_data
const char * genkey_extra_data
Definition options.h:286
options::comp
struct compress_options comp
Definition options.h:413
options::http_proxy_override
struct http_proxy_options * http_proxy_override
Definition options.h:309
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition options.h:526
options::proto_force
int proto_force
Definition options.h:332
options::persist_config
bool persist_config
Definition options.h:274
options::connection_list
struct connection_list * connection_list
Definition options.h:291
options::management_port
const char * management_port
Definition options.h:450
options::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition options.h:671
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition options.h:327
options::max_routes_per_client
int max_routes_per_client
Definition options.h:539
options::ncp_ciphers_conf
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition options.h:580
options::status_file_version
int status_file_version
Definition options.h:407
options::vlan_accept
enum vlan_acceptable_frames vlan_accept
Definition options.h:714
options::auth_token_renewal
int auth_token_renewal
Definition options.h:548
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition options.h:521
options::tmp_dir
const char * tmp_dir
Definition options.h:469
options::push_peer_info
bool push_peer_info
Definition options.h:685
options::daemon
bool daemon
Definition options.h:391
options::pre_connect
struct options_pre_connect * pre_connect
Definition options.h:564
options::route_default_metric
int route_default_metric
Definition options.h:432
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition options.h:651
options::auth_token_secret_file
const char * auth_token_secret_file
Definition options.h:549
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:724
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition options.h:616
options::crl_file_inline
bool crl_file_inline
Definition options.h:620
options::cryptoapi_cert
const char * cryptoapi_cert
Definition options.h:642
options::down_script
const char * down_script
Definition options.h:386
options::backwards_compatible
unsigned int backwards_compatible
What version we should try to be compatible with as major * 10000 + minor * 100 + patch,...
Definition options.h:268
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition options.h:626
options::scheduled_exit_interval
int scheduled_exit_interval
Definition options.h:566
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition options.h:541
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition options.h:609
options::replay_time
int replay_time
Definition options.h:587
options::push_option_types_found
unsigned int push_option_types_found
Definition options.h:561
options::management_state_buffer_size
int management_state_buffer_size
Definition options.h:454
options::ca_file
const char * ca_file
Definition options.h:597
options::tls_auth_file
const char * tls_auth_file
Definition options.h:666
options::providers
struct provider_list providers
Definition options.h:584
options::duplicate_cn
bool duplicate_cn
Definition options.h:530
options::server_network_ipv6
struct in6_addr server_network_ipv6
Definition options.h:474
options::shaper
int shaper
Definition options.h:330
options::management_echo_buffer_size
int management_echo_buffer_size
Definition options.h:453
options::server_network
in_addr_t server_network
Definition options.h:471
options::real_hash_size
uint32_t real_hash_size
Definition options.h:502
options::show_net_up
bool show_net_up
Definition options.h:698
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition options.h:628
options::allow_pull_fqdn
bool allow_pull_fqdn
Definition options.h:442
options::use_peer_id
bool use_peer_id
Definition options.h:704
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:623
options::server_bridge_defined
bool server_bridge_defined
Definition options.h:484
options::keying_material_exporter_label
const char * keying_material_exporter_label
Definition options.h:708
options::status_file
const char * status_file
Definition options.h:406
options::ssl_flags
unsigned int ssl_flags
Definition options.h:629
options::route_noexec
bool route_noexec
Definition options.h:433
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition options.h:329
options::remote_cert_eku
const char * remote_cert_eku
Definition options.h:624
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition options.h:494
options::server_netmask
in_addr_t server_netmask
Definition options.h:472
options::tls_timeout
int tls_timeout
Definition options.h:645
options::test_crypto
bool test_crypto
Definition options.h:589
options::up_delay
bool up_delay
Definition options.h:389
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition options.h:482
options::allow_recursive_routing
bool allow_recursive_routing
Definition options.h:721
options::authname
const char * authname
Definition options.h:582
options::exit_event_name
const char * exit_event_name
Definition options.h:696
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition options.h:325
options::cf_max
int cf_max
Definition options.h:532
options::dh_file_inline
bool dh_file_inline
Definition options.h:601
options::replay_window
int replay_window
Definition options.h:586
options::disable
bool disable
Definition options.h:510
options::mute
int mute
Definition options.h:400
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition options.h:544
options::dev_type
const char * dev_type
Definition options.h:319
options::persist_mode
int persist_mode
Definition options.h:275
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition options.h:496
options::show_digests
bool show_digests
Definition options.h:279
options::up_script
const char * up_script
Definition options.h:385
options::single_session
bool single_session
Definition options.h:683
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition options.h:516
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition options.h:491
options::verify_hash_depth
int verify_hash_depth
Definition options.h:627
options::route_delay_defined
bool route_delay_defined
Definition options.h:436
options::packet_id_file
const char * packet_id_file
Definition options.h:588
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition options.h:675
options::management_log_history_cache
int management_log_history_cache
Definition options.h:452
options::server_bridge_netmask
in_addr_t server_bridge_netmask
Definition options.h:486
options::ip_remote_hint
const char * ip_remote_hint
Definition options.h:369
options::vlan_tagging
bool vlan_tagging
Definition options.h:713
options::peer_id
uint32_t peer_id
Definition options.h:705
options::routes
struct route_option_list * routes
Definition options.h:437
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition options.h:493
options::keepalive_timeout
int keepalive_timeout
Definition options.h:343
options::writepid
const char * writepid
Definition options.h:384
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition options.h:346
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition options.h:498
options::fast_io
bool fast_io
Definition options.h:411
options::server_flags
unsigned int server_flags
Definition options.h:480
options::block_outside_dns
bool block_outside_dns
Definition options.h:700
options::push_ifconfig_ipv6_blocked
bool push_ifconfig_ipv6_blocked
Definition options.h:528
options::tls_exit
bool tls_exit
Definition options.h:687
options::pkcs12_file
const char * pkcs12_file
Definition options.h:608
options::client_disconnect_script
const char * client_disconnect_script
Definition options.h:505
options::show_engines
bool show_engines
Definition options.h:280
options::remote_list
struct remote_list * remote_list
Definition options.h:293
options::msg_channel
HANDLE msg_channel
Definition options.h:695
options::key_pass_file
const char * key_pass_file
Definition options.h:277
options::mute_replay_warnings
bool mute_replay_warnings
Definition options.h:585
options::tls_crypt_file
const char * tls_crypt_file
Definition options.h:670
options::inactivity_timeout
int inactivity_timeout
Definition options.h:345
options::n_bcast_buf
int n_bcast_buf
Definition options.h:512
options::handshake_window
int handshake_window
Definition options.h:655
options::server_defined
bool server_defined
Definition options.h:470
options::ifconfig_local
const char * ifconfig_local
Definition options.h:323
options::ce
struct connection_entry ce
Definition options.h:290
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:515
options::push_list
struct push_list push_list
Definition options.h:490
options::user_script_used
bool user_script_used
Definition options.h:387
options::tls_groups
const char * tls_groups
Definition options.h:612
options::show_tls_ciphers
bool show_tls_ciphers
Definition options.h:281
options::tuntap_options
struct tuntap_options tuntap_options
Definition options.h:371
options::route_method
int route_method
Definition options.h:699
options::verify_hash
struct verify_hash_list * verify_hash
Definition options.h:625
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:613
options::renegotiate_packets
int64_t renegotiate_packets
Definition options.h:649
options::management_flags
unsigned int management_flags
Definition options.h:462
options::push_continuation
int push_continuation
Definition options.h:560
options::route_default_gateway
const char * route_default_gateway
Definition options.h:429
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition options.h:519
options::dns_options
struct dns_options dns_options
Definition options.h:314
options::exit_event_initial_state
bool exit_event_initial_state
Definition options.h:697
options::sc_info
struct static_challenge_info sc_info
Definition options.h:569
options::auth_token_call_auth
bool auth_token_call_auth
Definition options.h:546
options::ipchange
const char * ipchange
Definition options.h:317
options::topology
int topology
Definition options.h:322
options::disable_dco
bool disable_dco
Definition options.h:374
options::ncp_ciphers
const char * ncp_ciphers
Definition options.h:581
options::genkey
bool genkey
Definition options.h:283
options::virtual_hash_size
uint32_t virtual_hash_size
Definition options.h:503
options::learn_address_script
const char * learn_address_script
Definition options.h:506
options::ciphername
const char * ciphername
Definition options.h:576
options::auth_user_pass_file
const char * auth_user_pass_file
Definition options.h:562
options::forward_compatible
bool forward_compatible
Definition options.h:265
options::username
const char * username
Definition options.h:377
options::cf_initial_max
int cf_initial_max
Definition options.h:535
options::stale_routes_check_interval
int stale_routes_check_interval
Definition options.h:540
options::plugin_list
struct plugin_option_list * plugin_list
Definition options.h:465
options::auth_token_lifetime
int auth_token_lifetime
Definition options.h:547
options::vlan_pvid
uint16_t vlan_pvid
Definition options.h:715
options::ns_cert_type
int ns_cert_type
Definition options.h:622
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition options.h:680
options::mode
int mode
Definition options.h:262
options::tls_server
bool tls_server
Definition options.h:595
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition options.h:543
options::connect_retry_max
int connect_retry_max
Definition options.h:289
options::bind_dev
char * bind_dev
Definition options.h:421
options::extra_certs_file
const char * extra_certs_file
Definition options.h:604
options::client
bool client
Definition options.h:558
options::pull
bool pull
Definition options.h:559
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition options.h:500
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition options.h:522
options::show_curves
bool show_curves
Definition options.h:282
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition options.h:430
options::tls_client
bool tls_client
Definition options.h:596
options::ping_timer_remote
bool ping_timer_remote
Definition options.h:352
options::auth_token_generate
bool auth_token_generate
Definition options.h:545
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:607
options::tls_verify
const char * tls_verify
Definition options.h:615
options::crl_file
const char * crl_file
Definition options.h:619
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition options.h:357
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition options.h:563
options::show_ciphers
bool show_ciphers
Definition options.h:278
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:577
options::route_predown_script
const char * route_predown_script
Definition options.h:428
options::dh_file
const char * dh_file
Definition options.h:600
options::route_delay_window
int route_delay_window
Definition options.h:435
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition options.h:517
options::mlock
bool mlock
Definition options.h:340
options::ignore_unknown_option
const char ** ignore_unknown_option
Definition options.h:271
options::sndbuf
int sndbuf
Definition options.h:417
options::foreign_option_index
int foreign_option_index
Definition options.h:692
options::gc
struct gc_arena gc
Definition options.h:253
options::gc_owned
bool gc_owned
Definition options.h:254
options::down_pre
bool down_pre
Definition options.h:388
options::persist_tun
bool persist_tun
Definition options.h:359
options::route_default_table_id
int route_default_table_id
Definition options.h:431
options::ca_file_inline
bool ca_file_inline
Definition options.h:598
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition options.h:550
options::block_ipv6
bool block_ipv6
Definition options.h:439
options::config
const char * config
Definition options.h:257
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition options.h:605
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition options.h:520
options::mark
int mark
Definition options.h:420
options::cf_initial_per
int cf_initial_per
Definition options.h:536
options::keying_material_exporter_length
int keying_material_exporter_length
Definition options.h:709
options::suppress_timestamps
bool suppress_timestamps
Definition options.h:396
options::force_key_material_export
bool force_key_material_export
Definition options.h:711
options::mtu_test
bool mtu_test
Definition options.h:334
options::iroutes
struct iroute * iroutes
Definition options.h:514
options::verify_x509_type
int verify_x509_type
Definition options.h:617
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:611
options::ecdh_curve
const char * ecdh_curve
Definition options.h:614
options::status_file_update_freq
int status_file_update_freq
Definition options.h:408
options::management_client_user
const char * management_client_user
Definition options.h:456
options::cipher_list
const char * cipher_list
Definition options.h:610
options::ccd_exclusive
bool ccd_exclusive
Definition options.h:509
options::allow_deprecated_insecure_static_crypto
bool allow_deprecated_insecure_static_crypto
Definition options.h:574
options::pull_filter_list
struct pull_filter_list * pull_filter_list
Definition options.h:717
options::management_certificate
const char * management_certificate
Definition options.h:459
options::genkey_filename
const char * genkey_filename
Definition options.h:285
options::x509_track
const struct x509_track * x509_track
Definition options.h:689
options::chroot_dir
const char * chroot_dir
Definition options.h:379
options::log
bool log
Definition options.h:395
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition options.h:573
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition options.h:527
options::ca_path
const char * ca_path
Definition options.h:599
options::renegotiate_seconds
int renegotiate_seconds
Definition options.h:650
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:351
options::sockflags
unsigned int sockflags
Definition options.h:424
options::engine
const char * engine
Definition options.h:583
options::management_addr
const char * management_addr
Definition options.h:449
options::client_connect_script
const char * client_connect_script
Definition options.h:504
options::verify_x509_name
const char * verify_x509_name
Definition options.h:618
options::ping_send_timeout
int ping_send_timeout
Definition options.h:350
options::route_gateway_via_dhcp
bool route_gateway_via_dhcp
Definition options.h:441
options::remote_random
bool remote_random
Definition options.h:316
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition options.h:524
options::tcp_queue_limit
int tcp_queue_limit
Definition options.h:513
options::route_delay
int route_delay
Definition options.h:434
options::dev_node
const char * dev_node
Definition options.h:320
options::override_username
const char * override_username
Definition options.h:511
options::client_crresponse_script
const char * client_crresponse_script
Definition options.h:507
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition options.h:438
options::machine_readable_output
bool machine_readable_output
Definition options.h:397
options::key_direction
int key_direction
Definition options.h:575
options::server_ipv6_defined
bool server_ipv6_defined
Definition options.h:473
options::priv_key_file
const char * priv_key_file
Definition options.h:606
options::persist_remote_ip
bool persist_remote_ip
Definition options.h:361
options::up_restart
bool up_restart
Definition options.h:390
options::keepalive_ping
int keepalive_ping
Definition options.h:342
options::tls_auth_file_inline
bool tls_auth_file_inline
Definition options.h:667
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition options.h:676
options::groupname
const char * groupname
Definition options.h:378
options::server_bridge_pool_start
in_addr_t server_bridge_pool_start
Definition options.h:487
options::cd_dir
const char * cd_dir
Definition options.h:380
options::client_nat
struct client_nat_option_list * client_nat
Definition options.h:443
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition options.h:525
options::nice
int nice
Definition options.h:398
options::max_clients
int max_clients
Definition options.h:538
options::transition_window
int transition_window
Definition options.h:663
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition options.h:324
options::lladdr
const char * lladdr
Definition options.h:321
options::verbosity
int verbosity
Definition options.h:399
options::session_timeout
int session_timeout
Definition options.h:348
options::cert_file
const char * cert_file
Definition options.h:602
options::enable_c2c
bool enable_c2c
Definition options.h:529
options::server_bridge_pool_end
in_addr_t server_bridge_pool_end
Definition options.h:488
options::cf_per
int cf_per
Definition options.h:533
options::windows_driver
enum tun_driver_type windows_driver
Definition options.h:701
options::cert_file_inline
bool cert_file_inline
Definition options.h:603
options::remap_sigusr1
int remap_sigusr1
Definition options.h:393
options::renegotiate_bytes
int64_t renegotiate_bytes
Definition options.h:648
options::route_script
const char * route_script
Definition options.h:427
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition options.h:492
options::management_user_pass
const char * management_user_pass
Definition options.h:451
options::server_netbits_ipv6
unsigned int server_netbits_ipv6
Definition options.h:475
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition options.h:518
options::occ
bool occ
Definition options.h:446
options::server_bridge_ip
in_addr_t server_bridge_ip
Definition options.h:485
options::shared_secret_file
const char * shared_secret_file
Definition options.h:572
options::ifconfig_noexec
bool ifconfig_noexec
Definition options.h:328
options::dev
const char * dev
Definition options.h:318
options::management_client_group
const char * management_client_group
Definition options.h:457
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition options.h:499
options::client_config_dir
const char * client_config_dir
Definition options.h:508
options::genkey_type
enum genkey_type genkey_type
Definition options.h:284
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition options.h:495
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition options.h:326
options::persist_local_ip
bool persist_local_ip
Definition options.h:360
provider_list::names
const char * names[MAX_PARMS]
Definition options.h:214
pull_filter_list
Definition options.h:820
pull_filter_list::tail
struct pull_filter * tail
Definition options.h:822
pull_filter_list::head
struct pull_filter * head
Definition options.h:821
pull_filter
Definition options.h:808
pull_filter::next
struct pull_filter * next
Definition options.h:816
push_entry
Definition pushlist.h:29
push_entry::next
struct push_entry * next
Definition pushlist.h:30
push_entry::enable
bool enable
Definition pushlist.h:31
push_entry::option
const char * option
Definition pushlist.h:32
push_list::head
struct push_entry * head
Definition pushlist.h:37
remote_entry
Definition options.h:180
remote_entry::proto
int proto
Definition options.h:183
remote_entry::remote
const char * remote
Definition options.h:181
remote_entry::remote_port
const char * remote_port
Definition options.h:182
remote_entry::af
sa_family_t af
Definition options.h:184
remote_list
Definition options.h:205
remote_list::len
int len
Definition options.h:207
remote_list::array
struct remote_entry ** array
Definition options.h:208
remote_list::capacity
int capacity
Definition options.h:206
route_gateway_info
Definition route.h:158
route_ipv6_gateway_info
Definition route.h:195
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:113
route_option_list::flags
unsigned int flags
Definition route.h:97
static_challenge_info::flags
unsigned int flags
Definition misc.h:93
static_challenge_info::challenge_text
const char * challenge_text
Definition misc.h:95
tuntap_options
Definition tun.h:75
tuntap_options::wins_len
int wins_len
Definition tun.h:118
tuntap_options::dns6
struct in6_addr dns6[N_DHCP_ADDR]
Definition tun.h:142
tuntap_options::nbdd
in_addr_t nbdd[N_DHCP_ADDR]
Definition tun.h:125
tuntap_options::dns_len
int dns_len
Definition tun.h:114
tuntap_options::dns6_len
int dns6_len
Definition tun.h:143
tuntap_options::ntp
in_addr_t ntp[N_DHCP_ADDR]
Definition tun.h:121
tuntap_options::ntp_len
int ntp_len
Definition tun.h:122
tuntap_options::wins
in_addr_t wins[N_DHCP_ADDR]
Definition tun.h:117
tuntap_options::tap_sleep
int tap_sleep
Definition tun.h:97
tuntap_options::dhcp_lease_time
int dhcp_lease_time
Definition tun.h:94
tuntap_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition tun.h:113
tuntap_options::netbios_scope
const char * netbios_scope
Definition tun.h:105
tuntap_options::nbdd_len
int nbdd_len
Definition tun.h:126
tuntap_options::ip_win32_defined
bool ip_win32_defined
Definition tun.h:77
tuntap_options::dhcp_masq_custom_offset
bool dhcp_masq_custom_offset
Definition tun.h:92
tuntap_options::domain
const char * domain
Definition tun.h:103
tuntap_options::domain_search_list_len
int domain_search_list_len
Definition tun.h:132
tuntap_options::dhcp_renew
bool dhcp_renew
Definition tun.h:137
tuntap_options::domain_search_list
const char * domain_search_list[N_SEARCH_LIST_LEN]
Definition tun.h:131
tuntap_options::dhcp_masq_offset
int dhcp_masq_offset
Definition tun.h:93
tuntap_options::netbios_node_type
int netbios_node_type
Definition tun.h:107
tuntap_options::ip_win32_type
int ip_win32_type
Definition tun.h:85
tuntap_options::dhcp_pre_release
bool dhcp_pre_release
Definition tun.h:138
tuntap_options::register_dns
bool register_dns
Definition tun.h:140
tuntap_options::disable_nbt
bool disable_nbt
Definition tun.h:135
tuntap_options::dhcp_options
int dhcp_options
Definition tun.h:101
tuntap
Definition tun.h:183
verify_hash_list
Definition options.h:243
verify_hash_list::next
struct verify_hash_list * next
Definition options.h:247
verify_hash_list::hash
uint8_t hash[SHA256_DIGEST_LENGTH]
Definition options.h:246
sa_family_t
unsigned short sa_family_t
Definition syshead.h:396
sleep
#define sleep(x)
Definition syshead.h:42
es
struct env_set * es
Definition test_pkcs11.c:138
pkcs11_id_management
static bool pkcs11_id_management
Definition test_pkcs11.c:133
i
int i
Definition test_push_update_msg.c:120
gc
struct gc_arena gc
Definition test_ssl.c:131
ipconfig_register_dns
void ipconfig_register_dns(const struct env_set *es)
Definition tun.c:5115
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:520
show_tap_win_adapters
void show_tap_win_adapters(msglvl_t msglevel, msglvl_t warnlevel)
Definition tun.c:4041
dhcp_renew_by_adapter_index
bool dhcp_renew_by_adapter_index(const DWORD adapter_index)
Definition tun.c:5048
ascii2ipset
int ascii2ipset(const char *name)
Definition tun.c:6672
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:829
dhcp_release_by_adapter_index
bool dhcp_release_by_adapter_index(const DWORD adapter_index)
Definition tun.c:5007
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:539
tap_allow_nonadmin_access
void tap_allow_nonadmin_access(const char *dev_node)
Definition tun.c:4927
show_adapters
void show_adapters(msglvl_t msglevel)
Definition tun.c:4878
dhcp_renew
static bool dhcp_renew(const struct tuntap *tt)
Definition tun.c:5074
ifconfig_options_string
const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc)
Definition tun.c:693
ipset2ascii_all
const char * ipset2ascii_all(struct gc_arena *gc)
Definition tun.c:6701
show_valid_win32_tun_subnets
void show_valid_win32_tun_subnets(void)
Definition tun.c:4008
print_tun_backend_driver
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:58
IPW32_SET_NETSH
#define IPW32_SET_NETSH
Definition tun.h:80
IPW32_SET_ADAPTIVE
#define IPW32_SET_ADAPTIVE
Definition tun.h:83
DHCP_OPTIONS_DHCP_REQUIRED
#define DHCP_OPTIONS_DHCP_REQUIRED
Definition tun.h:72
N_SEARCH_LIST_LEN
#define N_SEARCH_LIST_LEN
Definition tun.h:128
IPW32_SET_DHCP_MASQ
#define IPW32_SET_DHCP_MASQ
Definition tun.h:82
IPW32_SET_MANUAL
#define IPW32_SET_MANUAL
Definition tun.h:79
WINDOWS_DRIVER_UNSPECIFIED
@ WINDOWS_DRIVER_UNSPECIFIED
Definition tun.h:45
WINDOWS_DRIVER_TAP_WINDOWS6
@ WINDOWS_DRIVER_TAP_WINDOWS6
Definition tun.h:46
DRIVER_DCO
@ DRIVER_DCO
Definition tun.h:53
IPW32_SET_ADAPTIVE_DELAY_WINDOW
#define IPW32_SET_ADAPTIVE_DELAY_WINDOW
Definition tun.h:67
N_DHCP_ADDR
#define N_DHCP_ADDR
Definition tun.h:109
DHCP_OPTIONS_DHCP_OPTIONAL
#define DHCP_OPTIONS_DHCP_OPTIONAL
Definition tun.h:71
tun_afunix.h
is_tun_afunix
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:61
win_get_tempdir
const char * win_get_tempdir(void)
Definition win32-util.c:151
set_win_sys_path
void set_win_sys_path(const char *newpath, struct env_set *es)
Definition win32.c:1115
win32_version_string
const char * win32_version_string(struct gc_arena *gc)
Get Windows version string with architecture info.
Definition win32.c:1380
set_pause_exit_win32
void set_pause_exit_win32(void)
Definition win32.c:144
xkey_common.h
Generated by doxygen 1.9.8