OpenVPN
options.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
25 /*
26  * 2004-01-28: Added Socks5 proxy support
27  * (Christof Meerwald, http://cmeerw.org)
28  */
29 
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35 #ifdef HAVE_CONFIG_VERSION_H
36 #include "config-version.h"
37 #endif
38 
39 #include "syshead.h"
40 
41 #include "buffer.h"
42 #include "error.h"
43 #include "common.h"
44 #include "run_command.h"
45 #include "shaper.h"
46 #include "crypto.h"
47 #include "ssl.h"
48 #include "ssl_ncp.h"
49 #include "options.h"
50 #include "misc.h"
51 #include "socket.h"
52 #include "packet_id.h"
53 #include "pkcs11.h"
54 #include "win32.h"
55 #include "push.h"
56 #include "pool.h"
57 #include "proto.h"
58 #include "helper.h"
59 #include "manage.h"
60 #include "forward.h"
61 #include "ssl_verify.h"
62 #include "platform.h"
63 #include <ctype.h>
64 
65 #include "memdbg.h"
66 
67 const char title_string[] =
69 #ifdef CONFIGURE_GIT_REVISION
70  " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
71 #endif
72  " " TARGET_ALIAS
73 #if defined(ENABLE_CRYPTO_MBEDTLS)
74  " [SSL (mbed TLS)]"
75 #elif defined(ENABLE_CRYPTO_OPENSSL)
76  " [SSL (OpenSSL)]"
77 #else
78  " [SSL]"
79 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
80 #ifdef USE_COMP
81 #ifdef ENABLE_LZO
82  " [LZO]"
83 #endif
84 #ifdef ENABLE_LZ4
85  " [LZ4]"
86 #endif
87 #ifdef ENABLE_COMP_STUB
88  " [COMP_STUB]"
89 #endif
90 #endif /* USE_COMP */
91 #if EPOLL
92  " [EPOLL]"
93 #endif
94 #ifdef PRODUCT_TAP_DEBUG
95  " [TAPDBG]"
96 #endif
97 #ifdef ENABLE_PKCS11
98  " [PKCS11]"
99 #endif
100 #if ENABLE_IP_PKTINFO
101 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
102  " [MH/PKTINFO]"
103 #elif defined(IP_RECVDSTADDR)
104  " [MH/RECVDA]"
105 #endif
106 #endif
107  " [AEAD]"
108  " built on " __DATE__
109 ;
110 
111 #ifndef ENABLE_SMALL
112 
113 static const char usage_message[] =
114  "%s\n"
115  "\n"
116  "General Options:\n"
117  "--config file : Read configuration options from file.\n"
118  "--help : Show options.\n"
119  "--version : Show copyright and version information.\n"
120  "\n"
121  "Tunnel Options:\n"
122  "--local host : Local host name or ip address. Implies --bind.\n"
123  "--remote host [port] : Remote host name or ip address.\n"
124  "--remote-random : If multiple --remote options specified, choose one randomly.\n"
125  "--remote-random-hostname : Add a random string to remote DNS name.\n"
126  "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
127  "--proto p : Use protocol p for communicating with peer.\n"
128  " p = udp (default), tcp-server, or tcp-client\n"
129  "--proto-force p : only consider protocol p in list of connection profiles.\n"
130  " p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
131  "--connect-retry n [m] : For client, number of seconds to wait between\n"
132  " connection retries (default=%d). On repeated retries\n"
133  " the wait time is exponentially increased to a maximum of m\n"
134  " (default=%d).\n"
135  "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
136  "--http-proxy s p [up] [auth] : Connect to remote host\n"
137  " through an HTTP proxy at address s and port p.\n"
138  " If proxy authentication is required,\n"
139  " up is a file containing username/password on 2 lines, or\n"
140  " 'stdin' to prompt from console. Add auth='ntlm' if\n"
141  " the proxy requires NTLM authentication.\n"
142  "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
143  " determine auth method and query for username/password\n"
144  " if needed. auto-nct disables weak proxy auth methods.\n"
145  "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
146  " Repeat to set multiple options.\n"
147  " VERSION version (default=1.0)\n"
148  " AGENT user-agent\n"
149  "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
150  " address s and port p (default port = 1080).\n"
151  " If proxy authentication is required,\n"
152  " up is a file containing username/password on 2 lines, or\n"
153  " 'stdin' to prompt for console.\n"
154  "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
155  "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
156  " resolve for n seconds before failing (disabled by default).\n"
157  " Set n=\"infinite\" to retry indefinitely.\n"
158  "--float : Allow remote to change its IP address/port, such as through\n"
159  " DHCP (this is the default if --remote is not used).\n"
160  "--ipchange cmd : Run command cmd on remote ip address initial\n"
161  " setting or change -- execute as: cmd ip-address port#\n"
162  "--port port : TCP/UDP port # for both local and remote.\n"
163  "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
164  "--rport port : TCP/UDP port # for remote (default=%s).\n"
165  "--bind : Bind to local address and port. (This is the default unless\n"
166  " --proto tcp-client"
167  " or --http-proxy"
168  " or --socks-proxy"
169  " is used).\n"
170  "--nobind : Do not bind to local address and port.\n"
171  "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
172  "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
173  " this option only if the tun/tap device used with --dev\n"
174  " does not begin with \"tun\" or \"tap\".\n"
175  "--dev-node node : Explicitly set the device node rather than using\n"
176  " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
177  "--lladdr hw : Set the link layer address of the tap device.\n"
178  "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
179 #ifdef ENABLE_IPROUTE
180  "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
181 #endif
182  "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
183  " endpoint and rn as a remote endpoint. l & rn should be\n"
184  " swapped on the other peer. l & rn must be private\n"
185  " addresses outside of the subnets used by either peer.\n"
186  " TAP: configure device to use IP address l as a local\n"
187  " endpoint and rn as a subnet mask.\n"
188  "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
189  " endpoint (as a /64) and r as remote endpoint\n"
190  "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
191  " pass --ifconfig parms by environment to scripts.\n"
192  "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
193  " connection doesn't match the remote side.\n"
194  "--route network [netmask] [gateway] [metric] :\n"
195  " Add route to routing table after connection\n"
196  " is established. Multiple routes can be specified.\n"
197  " netmask default: 255.255.255.255\n"
198  " gateway default: taken from --route-gateway or --ifconfig\n"
199  " Specify default by leaving blank or setting to \"nil\".\n"
200  "--route-ipv6 network/bits [gateway] [metric] :\n"
201  " Add IPv6 route to routing table after connection\n"
202  " is established. Multiple routes can be specified.\n"
203  " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
204  " in --ifconfig-ipv6\n"
205  "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
206  "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
207  "--route-metric m : Specify a default metric for use with --route.\n"
208  "--route-delay n [w] : Delay n seconds after connection initiation before\n"
209  " adding routes (may be 0). If not specified, routes will\n"
210  " be added immediately after tun/tap open. On Windows, wait\n"
211  " up to w seconds for TUN/TAP adapter to come up.\n"
212  "--route-up cmd : Run command cmd after routes are added.\n"
213  "--route-pre-down cmd : Run command cmd before routes are removed.\n"
214  "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
215  " --route-up script using environmental variables.\n"
216  "--route-nopull : When used with --client or --pull, accept options pushed\n"
217  " by server EXCEPT for routes and dhcp options.\n"
218  "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
219  " --ifconfig, --route, and --route-gateway.\n"
220  "--redirect-gateway [flags]: Automatically execute routing\n"
221  " commands to redirect all outgoing IP traffic through the\n"
222  " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
223  " connected via a common subnet, such as with WiFi.\n"
224  " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
225  " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
226  " flag to add a direct route to DHCP server, bypassing tunnel.\n"
227  " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
228  "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
229  " the default gateway. Useful when pushing private subnets.\n"
230  "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
231  " ICMPv6 host unreachable messages on the client.\n"
232  " (Server) Instead of forwarding IPv6 packets send\n"
233  " ICMPv6 host unreachable packets to the client.\n"
234  "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
235  "--push-peer-info : (client only) push client info to server.\n"
236  "--setenv name value : Set a custom environmental variable to pass to script.\n"
237  "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
238  " directives for future OpenVPN versions to be ignored.\n"
239  "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
240  " these options to be ignored when unknown\n"
241  "--script-security level: Where level can be:\n"
242  " 0 -- strictly no calling of external programs\n"
243  " 1 -- (default) only call built-ins such as ifconfig\n"
244  " 2 -- allow calling of built-ins and scripts\n"
245  " 3 -- allow password to be passed to scripts via env\n"
246  "--shaper n : Restrict output to peer to n bytes per second.\n"
247  "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
248  " ping once every n seconds, restart if ping not received\n"
249  " for m seconds.\n"
250  "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
251  " produces a combined in/out byte count < bytes.\n"
252  "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
253  "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
254  "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
255  " remote address.\n"
256  "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
257 #if ENABLE_IP_PKTINFO
258  "--multihome : Configure a multi-homed UDP server.\n"
259 #endif
260  "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
261  "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
262  "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
263  "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
264  "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
265  "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
266 #if PASSTOS_CAPABILITY
267  "--passtos : TOS passthrough (applies to IPv4 only).\n"
268 #endif
269  "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
270  " TCP/UDP MTU from it (default=%d).\n"
271  "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
272  " as n bytes more than the tun-mtu size on read\n"
273  " (default TUN=0 TAP=%d).\n"
274  "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
275  " from it.\n"
276  "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
277  " 'no' -- Never send DF (Don't Fragment) frames\n"
278  " 'maybe' -- Use per-route hints\n"
279  " 'yes' -- Always DF (Don't Fragment)\n"
280  "--mtu-test : Empirically measure and report MTU.\n"
281 #ifdef ENABLE_FRAGMENT
282  "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
283  " datagrams are sent which are larger than max bytes.\n"
284  " Adds 4 bytes of overhead per datagram.\n"
285 #endif
286  "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
287  " or --fragment max value, whichever is lower.\n"
288  "--sndbuf size : Set the TCP/UDP send buffer size.\n"
289  "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
290 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
291  "--mark value : Mark encrypted packets being sent with value. The mark value\n"
292  " can be matched in policy routing and packetfilter rules.\n"
293  "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
294  " listening for connections. This allows sending encrypted packets\n"
295  " via a VRF present on the system.\n"
296 #endif
297  "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
298 #ifdef ENABLE_MEMSTATS
299  "--memstats file : Write live usage stats to memory mapped binary file.\n"
300 #endif
301  "--mlock : Disable Paging -- ensures key material and tunnel\n"
302  " data will never be written to disk.\n"
303  "--up cmd : Run command cmd after successful tun device open.\n"
304  " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
305  " ifconfig-local-ip ifconfig-remote-ip\n"
306  " (pre --user or --group UID/GID change)\n"
307  "--up-delay : Delay tun/tap open and possible --up script execution\n"
308  " until after TCP/UDP connection establishment with peer.\n"
309  "--down cmd : Run command cmd after tun device close.\n"
310  " (post --user/--group UID/GID change and/or --chroot)\n"
311  " (command parameters are same as --up option)\n"
312  "--down-pre : Run --down command before TUN/TAP close.\n"
313  "--up-restart : Run up/down commands for all restarts including those\n"
314  " caused by --ping-restart or SIGUSR1\n"
315  "--user user : Set UID to user after initialization.\n"
316  "--group group : Set GID to group after initialization.\n"
317  "--chroot dir : Chroot to this directory after initialization.\n"
318 #ifdef ENABLE_SELINUX
319  "--setcon context: Apply this SELinux context after initialization.\n"
320 #endif
321  "--cd dir : Change to this directory before initialization.\n"
322  "--daemon [name] : Become a daemon after initialization.\n"
323  " The optional 'name' parameter will be passed\n"
324  " as the program name to the system logger.\n"
325  "--syslog [name] : Output to syslog, but do not become a daemon.\n"
326  " See --daemon above for a description of the 'name' parm.\n"
327  "--log file : Output log to file which is created/truncated on open.\n"
328  "--log-append file : Append log to file, or create file if nonexistent.\n"
329  "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
330  "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
331  "--writepid file : Write main process ID to file.\n"
332  "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
333  "--echo [parms ...] : Echo parameters to log output.\n"
334  "--verb n : Set output verbosity to n (default=%d):\n"
335  " (Level 3 is recommended if you want a good summary\n"
336  " of what's happening without being swamped by output).\n"
337  " : 0 -- no output except fatal errors\n"
338  " : 1 -- startup info + connection initiated messages +\n"
339  " non-fatal encryption & net errors\n"
340  " : 2,3 -- show TLS negotiations & route info\n"
341  " : 4 -- show parameters\n"
342  " : 5 -- show 'RrWw' chars on console for each packet sent\n"
343  " and received from TCP/UDP (caps) or tun/tap (lc)\n"
344  " : 6 to 11 -- debug messages of increasing verbosity\n"
345  "--mute n : Log at most n consecutive messages in the same category.\n"
346  "--status file n : Write operational status to file every n seconds.\n"
347  "--status-version [n] : Choose the status file format version number.\n"
348  " Currently, n can be 1, 2, or 3 (default=1).\n"
349  "--disable-occ : Disable options consistency check between peers.\n"
350 #ifdef ENABLE_DEBUG
351  "--gremlin mask : Special stress testing mode (for debugging only).\n"
352 #endif
353 #if defined(USE_COMP)
354  "--compress alg : Use compression algorithm alg\n"
355  "--allow-compression: Specify whether compression should be allowed\n"
356 #if defined(ENABLE_LZO)
357  "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
358  " packet for incompressible data.\n"
359  "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
360  " is specified.\n"
361 #endif
362 #endif
363 #ifdef ENABLE_MANAGEMENT
364  "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
365  " management functions. pass is a password file\n"
366  " or 'stdin' to prompt from console.\n"
367 #if UNIX_SOCK_SUPPORT
368  " To listen on a unix domain socket, specific the pathname\n"
369  " in place of ip and use 'unix' as the port number.\n"
370 #endif
371  "--management-client : Management interface will connect as a TCP client to\n"
372  " ip/port rather than listen as a TCP server.\n"
373  "--management-query-passwords : Query management channel for private key\n"
374  " and auth-user-pass passwords.\n"
375  "--management-query-proxy : Query management channel for proxy information.\n"
376  "--management-query-remote : Query management channel for --remote directive.\n"
377  "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
378  " of the management interface explicitly starts it.\n"
379  "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
380  "--management-forget-disconnect : Forget passwords when management disconnect\n"
381  " event occurs.\n"
382  "--management-up-down : Report tunnel up/down events to management interface.\n"
383  "--management-log-cache n : Cache n lines of log file history for usage\n"
384  " by the management channel.\n"
385 #if UNIX_SOCK_SUPPORT
386  "--management-client-user u : When management interface is a unix socket, only\n"
387  " allow connections from user u.\n"
388  "--management-client-group g : When management interface is a unix socket, only\n"
389  " allow connections from group g.\n"
390 #endif
391  "--management-client-auth : gives management interface client the responsibility\n"
392  " to authenticate clients after their client certificate\n"
393  " has been verified.\n"
394 #ifdef MANAGEMENT_PF
395  "--management-client-pf : management interface clients must specify a packet\n"
396  " filter file for each connecting client.\n"
397 #endif
398 #endif /* ifdef ENABLE_MANAGEMENT */
399 #ifdef ENABLE_PLUGIN
400  "--plugin m [str]: Load plug-in module m passing str as an argument\n"
401  " to its initialization function.\n"
402 #endif
403  "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
404  "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
405  "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
406  "\n"
407  "Multi-Client Server options (when --mode server is used):\n"
408  "--server network netmask : Helper option to easily configure server mode.\n"
409  "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
410  "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
411  " easily configure ethernet bridging server mode.\n"
412  "--push \"option\" : Push a config file option back to the peer for remote\n"
413  " execution. Peer must specify --pull in its config file.\n"
414  "--push-reset : Don't inherit global push list for specific\n"
415  " client instance.\n"
416  "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
417  " to be dynamically allocated to connecting clients.\n"
418  "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
419  " data to file, at seconds intervals (default=600).\n"
420  " If seconds=0, file will be treated as read-only.\n"
421  "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
422  " to be dynamically allocated to connecting clients.\n"
423  "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
424  " overrides --ifconfig-pool dynamic allocation.\n"
425  " Only valid in a client-specific config file.\n"
426  "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
427  " remote, overrides --ifconfig-ipv6-pool allocation.\n"
428  " Only valid in a client-specific config file.\n"
429  "--iroute network [netmask] : Route subnet to client.\n"
430  "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
431  " Sets up internal routes only.\n"
432  " Only valid in a client-specific config file.\n"
433  "--disable : Client is disabled.\n"
434  " Only valid in a client-specific config file.\n"
435  "--verify-client-cert [none|optional|require] : perform no, optional or\n"
436  " mandatory client certificate verification.\n"
437  " Default is to require the client to supply a certificate.\n"
438  "--username-as-common-name : For auth-user-pass authentication, use\n"
439  " the authenticated username as the common name,\n"
440  " rather than the common name from the client cert.\n"
441  "--auth-user-pass-verify cmd method: Query client for username/password and\n"
442  " run command cmd to verify. If method='via-env', pass\n"
443  " user/pass via environment, if method='via-file', pass\n"
444  " user/pass via temporary file.\n"
445  "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
446  " to each client, replacing the password. Useful when\n"
447  " OTP based two-factor auth mechanisms are in use and\n"
448  " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
449  " for generated tokens can be set.\n"
450  "--opt-verify : Clients that connect with options that are incompatible\n"
451  " with those of the server will be disconnected.\n"
452  "--auth-user-pass-optional : Allow connections by clients that don't\n"
453  " specify a username/password.\n"
454  "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
455  " any printable character.\n"
456  "--client-to-client : Internally route client-to-client traffic.\n"
457  "--duplicate-cn : Allow multiple clients with the same common name to\n"
458  " concurrently connect.\n"
459  "--client-connect cmd : Run command cmd on client connection.\n"
460  "--client-disconnect cmd : Run command cmd on client disconnection.\n"
461  "--client-config-dir dir : Directory for custom client config files.\n"
462  "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
463  "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
464  "--hash-size r v : Set the size of the real address hash table to r and the\n"
465  " virtual address table to v.\n"
466  "--bcast-buffers n : Allocate n broadcast buffers.\n"
467  "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
468  "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
469  " as well as pushes it to connecting clients.\n"
470  "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
471  "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
472  "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
473  "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
474  "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
475  " older than n seconds. Run this check every t\n"
476  " seconds (defaults to n).\n"
477  "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
478  " clients. n = 1 - reconnect to same server,\n"
479  " 2 - advance to next server, default=1.\n"
480 #if PORT_SHARE
481  "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
482  " sessions to a web server at host:port. dir specifies an\n"
483  " optional directory to write origin IP:port data.\n"
484 #endif
485  "\n"
486  "Client options (when connecting to a multi-client server):\n"
487  "--client : Helper option to easily configure client mode.\n"
488  "--auth-user-pass [up] : Authenticate with server using username/password.\n"
489  " up is a file containing the username on the first line,\n"
490  " and a password on the second. If either the password or both\n"
491  " the username and the password are omitted OpenVPN will prompt\n"
492  " for them from console.\n"
493  "--pull : Accept certain config file options from the peer as if they\n"
494  " were part of the local config file. Must be specified\n"
495  " when connecting to a '--mode server' remote host.\n"
496  "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
497  " server if it starts with the text t. The action flag accept,\n"
498  " ignore or reject causes the option to be allowed, removed or\n"
499  " rejected with error. May be specified multiple times, and\n"
500  " each filter is applied in the order of appearance.\n"
501  "--auth-retry t : How to handle auth failures. Set t to\n"
502  " none (default), interact, or nointeract.\n"
503  "--static-challenge t e : Enable static challenge/response protocol using\n"
504  " challenge text t, with e indicating echo flag (0|1)\n"
505  "--connect-timeout n : when polling possible remote servers to connect to\n"
506  " in a round-robin fashion, spend no more than n seconds\n"
507  " waiting for a response before trying the next server.\n"
508  "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
509  " incoming tun packets with same destination as host.\n"
510  "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
511  " server/remote. n = # of retries, default=1.\n"
512  "\n"
513  "Data Channel Encryption Options (must be compatible between peers):\n"
514  "(These options are meaningful for both Static Key & TLS-mode)\n"
515  "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
516  " Use shared secret file f, generate with --genkey.\n"
517  " The optional d parameter controls key directionality.\n"
518  " If d is specified, use separate keys for each\n"
519  " direction, set d=0 on one side of the connection,\n"
520  " and d=1 on the other side.\n"
521  "--auth alg : Authenticate packets with HMAC using message\n"
522  " digest algorithm alg (default=%s).\n"
523  " (usually adds 16 or 20 bytes per packet)\n"
524  " Set alg=none to disable authentication.\n"
525  "--cipher alg : Encrypt packets with cipher algorithm alg\n"
526  " (default=%s).\n"
527  " Set alg=none to disable encryption.\n"
528  "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
529  "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n"
530  "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
531  " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
532 #ifndef ENABLE_CRYPTO_MBEDTLS
533  "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
534 #endif
535  "--no-replay : (DEPRECATED) Disable replay protection.\n"
536  "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
537  "--replay-window n [t] : Use a replay protection sliding window of size n\n"
538  " and a time window of t seconds.\n"
539  " Default n=%d t=%d\n"
540  "--replay-persist file : Persist replay-protection state across sessions\n"
541  " using file.\n"
542  "--test-crypto : Run a self-test of crypto features enabled.\n"
543  " For debugging only.\n"
544 #ifdef ENABLE_PREDICTION_RESISTANCE
545  "--use-prediction-resistance: Enable prediction resistance on the random\n"
546  " number generator.\n"
547 #endif
548  "\n"
549  "TLS Key Negotiation Options:\n"
550  "(These options are meaningful only for TLS-mode)\n"
551  "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
552  "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
553  "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
554  " number, such as 1 (default), 2, etc.\n"
555  "--ca file : Certificate authority file in .pem format containing\n"
556  " root certificate.\n"
557 #ifndef ENABLE_CRYPTO_MBEDTLS
558  "--capath dir : A directory of trusted certificates (CAs"
559  " and CRLs).\n"
560 #endif /* ENABLE_CRYPTO_MBEDTLS */
561  "--dh file : File containing Diffie Hellman parameters\n"
562  " in .pem format (for --tls-server only).\n"
563  " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
564  "--cert file : Local certificate in .pem format -- must be signed\n"
565  " by a Certificate Authority in --ca file.\n"
566  "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
567  "--key file : Local private key in .pem format.\n"
568  "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
569  " will accept from the peer. If version is unrecognized and 'or-highest'\n"
570  " is specified, require max TLS version supported by SSL implementation.\n"
571  "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
572 #ifndef ENABLE_CRYPTO_MBEDTLS
573  "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
574  " and optionally the root CA certificate.\n"
575 #endif
576 #ifdef ENABLE_X509ALTUSERNAME
577  "--x509-username-field : Field in x509 certificate containing the username.\n"
578  " Default is CN in the Subject field.\n"
579 #endif
580  "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
581  " Valid algo flags are SHA1 and SHA256. \n"
582 #ifdef _WIN32
583  "--cryptoapicert select-string : Load the certificate and private key from the\n"
584  " Windows Certificate System Store.\n"
585 #endif
586  "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
587  "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
588  " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
589  "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
590  " (default=legacy).\n"
591  "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
592  " if no ACK from remote within n seconds (default=%d).\n"
593  "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
594  "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
595  "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
596  " and at least min (defaults to 90%% of max on servers and equal\n"
597  " to max on clients).\n"
598  "--hand-window n : Data channel key exchange must finalize within n seconds\n"
599  " of handshake initiation by any peer (default=%d).\n"
600  "--tran-window n : Transition window -- old key can live this many seconds\n"
601  " after new key renegotiation begins (default=%d).\n"
602  "--single-session: Allow only one session (reset state on restart).\n"
603  "--tls-exit : Exit on TLS negotiation failure.\n"
604  "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
605  " control channel to protect against attacks on the TLS stack\n"
606  " and DoS attacks.\n"
607  " f (required) is a shared-secret key file.\n"
608  " The optional d parameter controls key directionality,\n"
609  " see --secret option for more info.\n"
610  "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
611  " of the TLS control channel to hide the TLS certificate,\n"
612  " provide basic post-quantum security and protect against\n"
613  " attacks on the TLS stack and DoS attacks.\n"
614  " key (required) provides the pre-shared key file.\n"
615  " see --secret option for more info.\n"
616  "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
617  " For servers: use key to decrypt client-specific keys. For\n"
618  " key generation (--tls-crypt-v2-genkey): use key to\n"
619  " encrypt generated client-specific key. (See --tls-crypt.)\n"
620  "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
621  " fresh tls-crypt-v2 client key, and store to\n"
622  " keyfile. If supplied, include metadata in wrapped key.\n"
623  "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
624  " fresh tls-crypt-v2 server key, and store to keyfile\n"
625  "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
626  " client-supplied tls-crypt-v2 client key\n"
627  "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
628  "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
629  "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
630  "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
631  " pending TLS connection that has otherwise passed all other\n"
632  " tests of certification. cmd should return 0 to allow\n"
633  " TLS handshake to proceed, or 1 to fail. (cmd is\n"
634  " executed as 'cmd certificate_depth subject')\n"
635  "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
636  " in an openvpn temporary file in [directory]. Peer cert is \n"
637  " stored before tls-verify script execution and deleted after.\n"
638  "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
639  " DN name. The remote host must also pass all other tests\n"
640  " of verification.\n"
641  "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
642  " an explicit nsCertType designation t = 'client' | 'server'.\n"
643  "--x509-track x : Save peer X509 attribute x in environment for use by\n"
644  " plugins and management interface.\n"
645 #ifdef HAVE_EXPORT_KEYING_MATERIAL
646  "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
647  " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
648 #endif
649  "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
650  " explicit key usage, you can specify more than one value.\n"
651  " value should be given in hex format.\n"
652  "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
653  " explicit extended key usage. Extended key usage can be encoded\n"
654  " as an object identifier or OpenSSL string representation.\n"
655  "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
656  " key usage and extended key usage based on RFC3280 TLS rules.\n"
657  " t = 'client' | 'server'.\n"
658 #ifdef ENABLE_PKCS11
659  "\n"
660  "PKCS#11 Options:\n"
661  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
662  "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
663  " path. Set for each provider.\n"
664  "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
665  " 0 : Try to determine automatically (default).\n"
666  " 1 : Use Sign.\n"
667  " 2 : Use SignRecover.\n"
668  " 4 : Use Decrypt.\n"
669  " 8 : Use Unwrap.\n"
670  "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
671  " certificate can be accessed. Set for each provider.\n"
672  "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
673  " cache until token is removed.\n"
674  "--pkcs11-id-management : Acquire identity from management interface.\n"
675  "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
676 #endif /* ENABLE_PKCS11 */
677  "\n"
678  "SSL Library information:\n"
679  "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
680  "--show-digests : Show message digest algorithms to use with --auth option.\n"
681  "--show-engines : Show hardware crypto accelerator engines (if available).\n"
682  "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
683 #ifdef _WIN32
684  "\n"
685  "Windows Specific:\n"
686  "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
687  " from SystemRoot environment variable.\n"
688  "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
689  " IP address using method = manual, netsh, ipapi,\n"
690  " dynamic, or adaptive (default = adaptive).\n"
691  " Dynamic method allows two optional parameters:\n"
692  " offset: DHCP server address offset (> -256 and < 256).\n"
693  " If 0, use network address, if >0, take nth\n"
694  " address forward from network address, if <0,\n"
695  " take nth address backward from broadcast\n"
696  " address.\n"
697  " Default is 0.\n"
698  " lease-time: Lease time in seconds.\n"
699  " Default is one year.\n"
700  "--route-method : Which method to use for adding routes on Windows?\n"
701  " adaptive (default) -- Try ipapi then fall back to exe.\n"
702  " ipapi -- Use IP helper API.\n"
703  " exe -- Call the route.exe shell command.\n"
704  "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
705  " be used with --ip-win32 dynamic. For options\n"
706  " which allow multiple addresses,\n"
707  " --dhcp-option must be repeated.\n"
708  " DOMAIN name : Set DNS suffix\n"
709  " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
710  " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
711  " NTP : Set NTP server address(es)\n"
712  " NBDD : Set NBDD server address(es)\n"
713  " WINS addr : Set WINS server address(es)\n"
714  " NBT type : Set NetBIOS over TCP/IP Node type\n"
715  " 1: B, 2: P, 4: M, 8: H\n"
716  " NBS id : Set NetBIOS scope ID\n"
717  " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
718  "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
719  "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
720  " startup.\n"
721  "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
722  " on connection initiation.\n"
723  "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
724  " attempting to set adapter properties.\n"
725  "--pause-exit : When run from a console window, pause before exiting.\n"
726  "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
727  " service, and should not be used directly by end-users.\n"
728  " ex is the name of an event object which, when\n"
729  " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
730  " optional parameter controls the initial state of ex.\n"
731  "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
732  " after TAP adapter is up and routes have been added.\n"
733  "--windows-driver : Which tun driver to use?\n"
734  " tap-windows6 (default)\n"
735  " wintun\n"
736  "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
737  "Windows Standalone Options:\n"
738  "\n"
739  "--show-adapters : Show all TAP-Windows adapters.\n"
740  "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
741  "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
742  "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
743  " to access TAP adapter.\n"
744 #endif /* ifdef _WIN32 */
745  "\n"
746  "Generate a new key :\n"
747  "--genkey secret file : Generate a new random key of type and write to file\n"
748  " (for use with --secret, --tls-auth or --tls-crypt)."
749 #ifdef ENABLE_FEATURE_TUN_PERSIST
750  "\n"
751  "Tun/tap config mode (available with linux 2.4+):\n"
752  "--mktun : Create a persistent tunnel.\n"
753  "--rmtun : Remove a persistent tunnel.\n"
754  "--dev tunX|tapX : tun/tap device\n"
755  "--dev-type dt : Device type. See tunnel options above for details.\n"
756  "--user user : User to set privilege to.\n"
757  "--group group : Group to set privilege to.\n"
758 #endif
759 #ifdef ENABLE_PKCS11
760  "\n"
761  "PKCS#11 standalone options:\n"
762 #ifdef DEFAULT_PKCS11_MODULE
763  "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
764 #else
765  "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
766 #endif
767  " --verb option can be added *BEFORE* this.\n"
768 #endif /* ENABLE_PKCS11 */
769  "\n"
770  "General Standalone Options:\n"
771 #ifdef ENABLE_DEBUG
772  "--show-gateway : Show info about default gateway.\n"
773 #endif
774 ;
775 
776 #endif /* !ENABLE_SMALL */
777 
778 /*
779  * This is where the options defaults go.
780  * Any option not explicitly set here
781  * will be set to 0.
782  */
783 void
784 init_options(struct options *o, const bool init_gc)
785 {
786  CLEAR(*o);
787  if (init_gc)
788  {
789  gc_init(&o->gc);
790  o->gc_owned = true;
791  }
793  o->topology = TOP_NET30;
794  o->ce.proto = PROTO_UDP;
795  o->ce.af = AF_UNSPEC;
796  o->ce.bind_ipv6_only = false;
797  o->ce.connect_retry_seconds = 5;
798  o->ce.connect_retry_seconds_max = 300;
799  o->ce.connect_timeout = 120;
800  o->connect_retry_max = 0;
802  o->verbosity = 1;
803  o->status_file_update_freq = 60;
804  o->status_file_version = 1;
805  o->ce.bind_local = true;
808  o->ce.mtu_discover_type = -1;
809  o->ce.mssfix = MSSFIX_DEFAULT;
810  o->route_delay_window = 30;
812  o->resolve_in_advance = false;
813  o->proto_force = -1;
814  o->occ = true;
815 #ifdef ENABLE_MANAGEMENT
819 #endif
820 #ifdef ENABLE_FEATURE_TUN_PERSIST
821  o->persist_mode = 1;
822 #endif
823 #ifdef _WIN32
824 #if 0
826 #else
828 #endif
829  o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
830  o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
832  o->block_outside_dns = false;
834 #endif
835  o->vlan_accept = VLAN_ALL;
836  o->vlan_pvid = 1;
837  o->real_hash_size = 256;
838  o->virtual_hash_size = 256;
839  o->n_bcast_buf = 256;
840  o->tcp_queue_limit = 64;
841  o->max_clients = 1024;
842  o->max_routes_per_client = 256;
846  o->ncp_enabled = true;
847  o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
848  o->authname = "SHA1";
849  o->prng_hash = "SHA1";
850  o->prng_nonce_secret_len = 16;
851  o->replay = true;
855 #ifdef ENABLE_PREDICTION_RESISTANCE
856  o->use_prediction_resistance = false;
857 #endif
858  o->tls_timeout = 2;
859  o->renegotiate_bytes = -1;
860  o->renegotiate_seconds = 3600;
861  o->renegotiate_seconds_min = -1;
862  o->handshake_window = 60;
863  o->transition_window = 3600;
864  o->tls_cert_profile = NULL;
865  o->ecdh_curve = NULL;
866 #ifdef ENABLE_X509ALTUSERNAME
867  o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
868 #endif
869 #ifdef ENABLE_PKCS11
870  o->pkcs11_pin_cache_period = -1;
871 #endif /* ENABLE_PKCS11 */
872 
873 /* P2MP server context features */
874  o->auth_token_generate = false;
875 
876  /* Set default --tmp-dir */
877 #ifdef _WIN32
878  /* On Windows, find temp dir via environment variables */
879  o->tmp_dir = win_get_tempdir();
880 #else
881  /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
882  o->tmp_dir = getenv("TMPDIR");
883  if (!o->tmp_dir)
884  {
885  o->tmp_dir = "/tmp";
886  }
887 #endif /* _WIN32 */
888  o->allow_recursive_routing = false;
889 }
890 
891 void
893 {
894  if (o->gc_owned)
895  {
896  gc_free(&o->gc);
897  }
898 }
899 
901 {
902 #define PUF_TYPE_UNDEF 0
903 #define PUF_TYPE_ACCEPT 1
904 #define PUF_TYPE_IGNORE 2
905 #define PUF_TYPE_REJECT 3
906  int type;
907  int size;
908  char *pattern;
909  struct pull_filter *next;
910 };
911 
913 {
914  struct pull_filter *head;
915  struct pull_filter *tail;
916 };
917 
918 static const char *
920 {
921  if (type == PUF_TYPE_ACCEPT)
922  {
923  return "accept";
924  }
925  if (type == PUF_TYPE_IGNORE)
926  {
927  return "ignore";
928  }
929  if (type == PUF_TYPE_REJECT)
930  {
931  return "reject";
932  }
933  else
934  {
935  return "???";
936  }
937 }
938 
939 #ifndef ENABLE_SMALL
940 
941 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
942 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
943 #define SHOW_STR_INLINE(var) SHOW_PARM(var, \
944  o->var ## _inline ? "[INLINE]" : \
945  (o->var ? o->var : "[UNDEF]"), \
946  "'%s'")
947 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
948 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
949 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
950 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
951 
952 #endif
953 
954 static void
956  const struct connection_entry *e,
957  const int i)
958 {
959  setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
960  setenv_str_i(es, "local", e->local, i);
961  setenv_str_i(es, "local_port", e->local_port, i);
962  setenv_str_i(es, "remote", e->remote, i);
963  setenv_str_i(es, "remote_port", e->remote_port, i);
964 
965  if (e->http_proxy_options)
966  {
967  setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
968  setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
969  }
970  if (e->socks_proxy_server)
971  {
972  setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
973  setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
974  }
975 }
976 
977 void
978 setenv_settings(struct env_set *es, const struct options *o)
979 {
980  setenv_str(es, "config", o->config);
981  setenv_int(es, "verb", o->verbosity);
982  setenv_int(es, "daemon", o->daemon);
983  setenv_int(es, "daemon_log_redirect", o->log);
984  setenv_long_long(es, "daemon_start_time", time(NULL));
985  setenv_int(es, "daemon_pid", platform_getpid());
986 
987  if (o->connection_list)
988  {
989  int i;
990  for (i = 0; i < o->connection_list->len; ++i)
991  {
993  }
994  }
995  else
996  {
997  setenv_connection_entry(es, &o->ce, 1);
998  }
999 }
1000 
1001 static in_addr_t
1002 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1003 {
1004  unsigned int flags = GETADDR_HOST_ORDER;
1005  bool succeeded = false;
1006  in_addr_t ret;
1007 
1008  if (msglevel & M_FATAL)
1009  {
1010  flags |= GETADDR_FATAL;
1011  }
1012 
1013  ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1014  if (!succeeded && error)
1015  {
1016  *error = true;
1017  }
1018  return ret;
1019 }
1020 
1026 static char *
1027 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1028 {
1029  const char *end = strchr(addr, '/');
1030  char *ret = NULL;
1031  if (NULL == end)
1032  {
1033  ret = string_alloc(addr, gc);
1034  }
1035  else
1036  {
1037  size_t len = end - addr;
1038  ret = gc_malloc(len + 1, true, gc);
1039  memcpy(ret, addr, len);
1040  }
1041  return ret;
1042 }
1043 
1044 static bool
1045 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1046 {
1047  struct in6_addr t_addr;
1048  unsigned int t_bits;
1049 
1050  return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1051 }
1052 
1053 static char *
1054 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1055 {
1056  char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1057  char *dest = ret;
1058  char c;
1059 
1060  do
1061  {
1062  c = *src++;
1063  if (c == from)
1064  {
1065  c = to;
1066  }
1067  *dest++ = c;
1068  }
1069  while (c);
1070  return ret;
1071 }
1072 
1082 static struct verify_hash_list *
1083 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1084 {
1085  int i = 0;
1086  const char *cp = str;
1087 
1088  struct verify_hash_list *ret;
1089  ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1090 
1091  char term = 0;
1092  int byte;
1093 
1094  while (*cp && i < nbytes)
1095  {
1096  /* valid segments consist of exactly two hex digits, then ':' or EOS */
1097  if (!isxdigit(cp[0])
1098  || !isxdigit(cp[1])
1099  || (cp[2] != ':' && cp[2] != '\0')
1100  || sscanf(cp, "%x", &byte) != 1)
1101  {
1102  msg(msglevel, "format error in hash fingerprint: %s", str);
1103  break;
1104  }
1105 
1106  ret->hash[i++] = (uint8_t)byte;
1107 
1108  term = cp[2];
1109  if (term == '\0')
1110  {
1111  break;
1112  }
1113  cp += 3;
1114  }
1115  if (i < nbytes)
1116  {
1117  msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1118  }
1119  else if (term != '\0')
1120  {
1121  msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1122  }
1123  return ret;
1124 }
1125 
1136 static struct verify_hash_list *
1137 parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1138  struct gc_arena *gc)
1139 {
1140  struct gc_arena gc_temp = gc_new();
1141  char *lines = string_alloc(str, &gc_temp);
1142 
1143  struct verify_hash_list *ret = NULL;
1144 
1145  const char *line;
1146  while ((line = strsep(&lines, "\n")))
1147  {
1148  /* skip empty lines */
1149  if (strlen(line) == 0)
1150  {
1151  continue;
1152  }
1153 
1154  struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1155  msglevel, gc);
1156 
1157  if (!hash)
1158  {
1159  gc_free(&gc_temp);
1160  return NULL;
1161  }
1162 
1163  hash->next = ret;
1164  ret = hash;
1165  }
1166  gc_free(&gc_temp);
1167 
1168  return ret;
1169 }
1170 #ifdef _WIN32
1171 
1172 #ifndef ENABLE_SMALL
1173 
1174 static void
1175 show_dhcp_option_list(const char *name, const char * const*array, int len)
1176 {
1177  int i;
1178  for (i = 0; i < len; ++i)
1179  {
1180  msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1181  }
1182 }
1183 
1184 static void
1185 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1186 {
1187  struct gc_arena gc = gc_new();
1188  int i;
1189  for (i = 0; i < len; ++i)
1190  {
1191  msg(D_SHOW_PARMS, " %s[%d] = %s",
1192  name,
1193  i,
1194  print_in_addr_t(array[i], 0, &gc));
1195  }
1196  gc_free(&gc);
1197 }
1198 
1199 static void
1201 {
1202  SHOW_BOOL(ip_win32_defined);
1203  SHOW_INT(ip_win32_type);
1204  SHOW_INT(dhcp_masq_offset);
1205  SHOW_INT(dhcp_lease_time);
1206  SHOW_INT(tap_sleep);
1207  SHOW_BOOL(dhcp_options);
1209  SHOW_BOOL(dhcp_pre_release);
1210  SHOW_STR(domain);
1211  SHOW_STR(netbios_scope);
1212  SHOW_INT(netbios_node_type);
1213  SHOW_BOOL(disable_nbt);
1214 
1215  show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1216  show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1217  show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1218  show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1220 }
1221 
1222 #endif /* ifndef ENABLE_SMALL */
1223 #endif /* ifdef _WIN32 */
1224 
1225 #if defined(_WIN32) || defined(TARGET_ANDROID)
1226 static void
1227 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1228 {
1229  struct in6_addr addr;
1230  if (*len >= N_DHCP_ADDR)
1231  {
1232  msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1233  N_DHCP_ADDR);
1234  }
1235  else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1236  {
1237  dns6_list[(*len)++] = addr;
1238  }
1239 }
1240 static void
1241 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1242 {
1243  if (*len >= N_DHCP_ADDR)
1244  {
1245  msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1246  name,
1247  N_DHCP_ADDR,
1248  name);
1249  }
1250  else
1251  {
1252  if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1253  {
1254  bool error = false;
1255  const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1256  if (!error)
1257  {
1258  array[(*len)++] = addr;
1259  }
1260  }
1261  else
1262  {
1263  msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1264  }
1265  }
1266 }
1267 
1268 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1269 
1270 static const char *
1272 {
1273  switch (mode)
1274  {
1275  case VLAN_ONLY_TAGGED:
1276  return "tagged";
1277 
1279  return "untagged";
1280 
1281  case VLAN_ALL:
1282  return "all";
1283  }
1284  return NULL;
1285 }
1286 
1287 #ifndef ENABLE_SMALL
1288 
1289 static void
1290 show_p2mp_parms(const struct options *o)
1291 {
1292  struct gc_arena gc = gc_new();
1293 
1294  msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1295  msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1296  msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1297  SHOW_INT(server_netbits_ipv6);
1298  msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1299  msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1300  msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1301  msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1302  if (o->push_list.head)
1303  {
1304  const struct push_entry *e = o->push_list.head;
1305  while (e)
1306  {
1307  if (e->enable)
1308  {
1309  msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1310  }
1311  e = e->next;
1312  }
1313  }
1314  SHOW_BOOL(ifconfig_pool_defined);
1315  msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1316  msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1317  msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1318  SHOW_STR(ifconfig_pool_persist_filename);
1319  SHOW_INT(ifconfig_pool_persist_refresh_freq);
1320  SHOW_BOOL(ifconfig_ipv6_pool_defined);
1321  msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1322  SHOW_INT(ifconfig_ipv6_pool_netbits);
1323  SHOW_INT(n_bcast_buf);
1324  SHOW_INT(tcp_queue_limit);
1325  SHOW_INT(real_hash_size);
1326  SHOW_INT(virtual_hash_size);
1327  SHOW_STR(client_connect_script);
1329  SHOW_STR(client_disconnect_script);
1330  SHOW_STR(client_config_dir);
1331  SHOW_BOOL(ccd_exclusive);
1332  SHOW_STR(tmp_dir);
1333  SHOW_BOOL(push_ifconfig_defined);
1334  msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1335  msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1336  SHOW_BOOL(push_ifconfig_ipv6_defined);
1337  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1338  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1339  SHOW_BOOL(enable_c2c);
1340  SHOW_BOOL(duplicate_cn);
1341  SHOW_INT(cf_max);
1342  SHOW_INT(cf_per);
1343  SHOW_INT(max_clients);
1344  SHOW_INT(max_routes_per_client);
1345  SHOW_STR(auth_user_pass_verify_script);
1346  SHOW_BOOL(auth_user_pass_verify_script_via_file);
1347  SHOW_BOOL(auth_token_generate);
1348  SHOW_INT(auth_token_lifetime);
1349  SHOW_STR_INLINE(auth_token_secret_file);
1350 #if PORT_SHARE
1351  SHOW_STR(port_share_host);
1352  SHOW_STR(port_share_port);
1353 #endif
1354  SHOW_BOOL(vlan_tagging);
1355  msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1356  SHOW_INT(vlan_pvid);
1357 
1358  SHOW_BOOL(client);
1359  SHOW_BOOL(pull);
1360  SHOW_STR(auth_user_pass_file);
1361 
1362  gc_free(&gc);
1363 }
1364 
1365 #endif /* ! ENABLE_SMALL */
1366 
1367 static void
1369  const char *network_str,
1370  const char *netmask_str,
1371  int msglevel)
1372 {
1373  struct iroute *ir;
1374 
1375  ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1376  ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1377  ir->netbits = -1;
1378 
1379  if (netmask_str)
1380  {
1381  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1382  if (!netmask_to_netbits(ir->network, netmask, &ir->netbits))
1383  {
1384  msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1385  network_str,
1386  netmask_str);
1387  return;
1388  }
1389  }
1390 
1391  ir->next = o->iroutes;
1392  o->iroutes = ir;
1393 }
1394 
1395 static void
1397  const char *prefix_str,
1398  int msglevel)
1399 {
1400  struct iroute_ipv6 *ir;
1401 
1402  ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1403 
1404  if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1405  {
1406  msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1407  prefix_str);
1408  return;
1409  }
1410 
1411  ir->next = o->iroutes_ipv6;
1412  o->iroutes_ipv6 = ir;
1413 }
1414 
1415 #ifndef ENABLE_SMALL
1416 static void
1418 {
1419  int i;
1420  msg(D_SHOW_PARMS, "BEGIN http_proxy");
1421  SHOW_STR(server);
1422  SHOW_STR(port);
1423  SHOW_STR(auth_method_string);
1424  SHOW_STR(auth_file);
1425  SHOW_STR(http_version);
1426  SHOW_STR(user_agent);
1427  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1428  {
1429  if (o->custom_headers[i].content)
1430  {
1431  msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1432  o->custom_headers[i].name, o->custom_headers[i].content);
1433  }
1434  else
1435  {
1436  msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1437  o->custom_headers[i].name);
1438  }
1439  }
1440  msg(D_SHOW_PARMS, "END http_proxy");
1441 }
1442 #endif /* ifndef ENABLE_SMALL */
1443 
1444 void
1446 {
1447  gc_detach(&o->gc);
1448  o->routes = NULL;
1449  o->client_nat = NULL;
1450  clone_push_list(o);
1451 }
1452 
1453 void
1455 {
1456  if (!options->routes)
1457  {
1458  options->routes = new_route_option_list(&options->gc);
1459  }
1460 }
1461 
1462 static void
1464 {
1465  if (!options->routes_ipv6)
1466  {
1467  options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1468  }
1469 }
1470 
1471 static void
1473 {
1474  if (!options->client_nat)
1475  {
1476  options->client_nat = new_client_nat_list(&options->gc);
1477  }
1478 }
1479 
1480 #ifndef ENABLE_SMALL
1481 static void
1483 {
1484  msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1485  SHOW_STR(local);
1486  SHOW_STR(local_port);
1487  SHOW_STR(remote);
1488  SHOW_STR(remote_port);
1489  SHOW_BOOL(remote_float);
1490  SHOW_BOOL(bind_defined);
1492  SHOW_BOOL(bind_ipv6_only);
1493  SHOW_INT(connect_retry_seconds);
1494  SHOW_INT(connect_timeout);
1495 
1496  if (o->http_proxy_options)
1497  {
1499  }
1500  SHOW_STR(socks_proxy_server);
1501  SHOW_STR(socks_proxy_port);
1502  SHOW_INT(tun_mtu);
1503  SHOW_BOOL(tun_mtu_defined);
1504  SHOW_INT(link_mtu);
1505  SHOW_BOOL(link_mtu_defined);
1506  SHOW_INT(tun_mtu_extra);
1507  SHOW_BOOL(tun_mtu_extra_defined);
1508 
1509  SHOW_INT(mtu_discover_type);
1510 
1511 #ifdef ENABLE_FRAGMENT
1512  SHOW_INT(fragment);
1513 #endif
1514  SHOW_INT(mssfix);
1515 
1516  SHOW_INT(explicit_exit_notification);
1517 
1518  SHOW_STR_INLINE(tls_auth_file);
1519  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1520  "%s");
1521  SHOW_STR_INLINE(tls_crypt_file);
1522  SHOW_STR_INLINE(tls_crypt_v2_file);
1523 }
1524 
1525 
1526 static void
1528 {
1529  if (o->connection_list)
1530  {
1531  const struct connection_list *l = o->connection_list;
1532  int i;
1533  for (i = 0; i < l->len; ++i)
1534  {
1535  msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1537  }
1538  }
1539  else
1540  {
1541  msg(D_SHOW_PARMS, "Connection profiles [default]:");
1543  }
1544  msg(D_SHOW_PARMS, "Connection profiles END");
1545 }
1546 
1547 static void
1549 {
1550  struct pull_filter *f;
1551  if (!l)
1552  {
1553  return;
1554  }
1555 
1556  msg(D_SHOW_PARMS, " Pull filters:");
1557  for (f = l->head; f; f = f->next)
1558  {
1559  msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1560  }
1561 }
1562 
1563 #endif /* ifndef ENABLE_SMALL */
1564 
1565 void
1566 show_settings(const struct options *o)
1567 {
1568 #ifndef ENABLE_SMALL
1569  msg(D_SHOW_PARMS, "Current Parameter Settings:");
1570 
1571  SHOW_STR(config);
1572 
1573  SHOW_INT(mode);
1574 
1575 #ifdef ENABLE_FEATURE_TUN_PERSIST
1576  SHOW_BOOL(persist_config);
1577  SHOW_INT(persist_mode);
1578 #endif
1579 
1580  SHOW_BOOL(show_ciphers);
1581  SHOW_BOOL(show_digests);
1582  SHOW_BOOL(show_engines);
1583  SHOW_BOOL(genkey);
1584  SHOW_STR(genkey_filename);
1585  SHOW_STR(key_pass_file);
1586  SHOW_BOOL(show_tls_ciphers);
1587 
1588  SHOW_INT(connect_retry_max);
1590 
1591  SHOW_BOOL(remote_random);
1592 
1593  SHOW_STR(ipchange);
1594  SHOW_STR(dev);
1595  SHOW_STR(dev_type);
1596  SHOW_STR(dev_node);
1597  SHOW_STR(lladdr);
1598  SHOW_INT(topology);
1599  SHOW_STR(ifconfig_local);
1600  SHOW_STR(ifconfig_remote_netmask);
1601  SHOW_BOOL(ifconfig_noexec);
1602  SHOW_BOOL(ifconfig_nowarn);
1603  SHOW_STR(ifconfig_ipv6_local);
1604  SHOW_INT(ifconfig_ipv6_netbits);
1605  SHOW_STR(ifconfig_ipv6_remote);
1606 
1607  SHOW_INT(shaper);
1608  SHOW_INT(mtu_test);
1609 
1610  SHOW_BOOL(mlock);
1611 
1612  SHOW_INT(keepalive_ping);
1613  SHOW_INT(keepalive_timeout);
1614  SHOW_INT(inactivity_timeout);
1615  SHOW_INT(ping_send_timeout);
1616  SHOW_INT(ping_rec_timeout);
1617  SHOW_INT(ping_rec_timeout_action);
1618  SHOW_BOOL(ping_timer_remote);
1619  SHOW_INT(remap_sigusr1);
1620  SHOW_BOOL(persist_tun);
1621  SHOW_BOOL(persist_local_ip);
1622  SHOW_BOOL(persist_remote_ip);
1623  SHOW_BOOL(persist_key);
1624 
1625 #if PASSTOS_CAPABILITY
1626  SHOW_BOOL(passtos);
1627 #endif
1628 
1629  SHOW_INT(resolve_retry_seconds);
1630  SHOW_BOOL(resolve_in_advance);
1631 
1632  SHOW_STR(username);
1633  SHOW_STR(groupname);
1634  SHOW_STR(chroot_dir);
1635  SHOW_STR(cd_dir);
1636 #ifdef ENABLE_SELINUX
1637  SHOW_STR(selinux_context);
1638 #endif
1639  SHOW_STR(writepid);
1640  SHOW_STR(up_script);
1641  SHOW_STR(down_script);
1642  SHOW_BOOL(down_pre);
1643  SHOW_BOOL(up_restart);
1644  SHOW_BOOL(up_delay);
1645  SHOW_BOOL(daemon);
1646  SHOW_BOOL(log);
1649  SHOW_INT(nice);
1650  SHOW_INT(verbosity);
1651  SHOW_INT(mute);
1652 #ifdef ENABLE_DEBUG
1653  SHOW_INT(gremlin);
1654 #endif
1655  SHOW_STR(status_file);
1656  SHOW_INT(status_file_version);
1657  SHOW_INT(status_file_update_freq);
1658 
1659  SHOW_BOOL(occ);
1660  SHOW_INT(rcvbuf);
1661  SHOW_INT(sndbuf);
1662 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1663  SHOW_INT(mark);
1664 #endif
1665  SHOW_INT(sockflags);
1666 
1667  SHOW_BOOL(fast_io);
1668 
1669 #ifdef USE_COMP
1670  SHOW_INT(comp.alg);
1671  SHOW_INT(comp.flags);
1672 #endif
1673 
1674  SHOW_STR(route_script);
1675  SHOW_STR(route_default_gateway);
1676  SHOW_INT(route_default_metric);
1677  SHOW_BOOL(route_noexec);
1678  SHOW_INT(route_delay);
1679  SHOW_INT(route_delay_window);
1680  SHOW_BOOL(route_delay_defined);
1681  SHOW_BOOL(route_nopull);
1682  SHOW_BOOL(route_gateway_via_dhcp);
1683  SHOW_BOOL(allow_pull_fqdn);
1685 
1686  if (o->routes)
1687  {
1689  }
1690 
1691  if (o->client_nat)
1692  {
1694  }
1695 
1696 #ifdef ENABLE_MANAGEMENT
1697  SHOW_STR(management_addr);
1698  SHOW_STR(management_port);
1699  SHOW_STR(management_user_pass);
1700  SHOW_INT(management_log_history_cache);
1701  SHOW_INT(management_echo_buffer_size);
1702  SHOW_STR(management_write_peer_info_file);
1703  SHOW_STR(management_client_user);
1704  SHOW_STR(management_client_group);
1705  SHOW_INT(management_flags);
1706 #endif
1707 #ifdef ENABLE_PLUGIN
1708  if (o->plugin_list)
1709  {
1711  }
1712 #endif
1713 
1714  SHOW_STR_INLINE(shared_secret_file);
1715  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1716  SHOW_STR(ciphername);
1717  SHOW_BOOL(ncp_enabled);
1718  SHOW_STR(ncp_ciphers);
1719  SHOW_STR(authname);
1720  SHOW_STR(prng_hash);
1721  SHOW_INT(prng_nonce_secret_len);
1722 #ifndef ENABLE_CRYPTO_MBEDTLS
1723  SHOW_BOOL(engine);
1724 #endif /* ENABLE_CRYPTO_MBEDTLS */
1725  SHOW_BOOL(replay);
1726  SHOW_BOOL(mute_replay_warnings);
1727  SHOW_INT(replay_window);
1728  SHOW_INT(replay_time);
1729  SHOW_STR(packet_id_file);
1731 #ifdef ENABLE_PREDICTION_RESISTANCE
1732  SHOW_BOOL(use_prediction_resistance);
1733 #endif
1734 
1735  SHOW_BOOL(tls_server);
1736  SHOW_BOOL(tls_client);
1737  SHOW_STR_INLINE(ca_file);
1738  SHOW_STR(ca_path);
1739  SHOW_STR_INLINE(dh_file);
1740 #ifdef ENABLE_MANAGEMENT
1742  {
1743  SHOW_PARM("cert_file","EXTERNAL_CERT","%s");
1744  }
1745  else
1746 #endif
1747  SHOW_STR_INLINE(cert_file);
1748  SHOW_STR_INLINE(extra_certs_file);
1749 
1750 #ifdef ENABLE_MANAGEMENT
1751  if ((o->management_flags & MF_EXTERNAL_KEY))
1752  {
1753  SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
1754  }
1755  else
1756 #endif
1757  SHOW_STR_INLINE(priv_key_file);
1758 #ifndef ENABLE_CRYPTO_MBEDTLS
1759  SHOW_STR_INLINE(pkcs12_file);
1760 #endif
1761 #ifdef ENABLE_CRYPTOAPI
1762  SHOW_STR(cryptoapi_cert);
1763 #endif
1764  SHOW_STR(cipher_list);
1765  SHOW_STR(cipher_list_tls13);
1766  SHOW_STR(tls_cert_profile);
1768  SHOW_STR(tls_export_cert);
1769  SHOW_INT(verify_x509_type);
1770  SHOW_STR(verify_x509_name);
1771  SHOW_STR_INLINE(crl_file);
1772  SHOW_INT(ns_cert_type);
1773  {
1774  int i;
1775  for (i = 0; i<MAX_PARMS; i++)
1776  {
1777  SHOW_INT(remote_cert_ku[i]);
1778  }
1779  }
1780  SHOW_STR(remote_cert_eku);
1781  if (o->verify_hash)
1782  {
1783  SHOW_INT(verify_hash_algo);
1784  SHOW_INT(verify_hash_depth);
1785  struct gc_arena gc = gc_new();
1786  struct verify_hash_list *hl = o->verify_hash;
1787  int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
1789  while (hl)
1790  {
1791  char *s = format_hex_ex(hl->hash, digest_len, 0,
1792  1, ":", &gc);
1793  SHOW_PARM(verify_hash, s, "%s");
1794  hl = hl->next;
1795  }
1796  gc_free(&gc);
1797  }
1798  SHOW_INT(ssl_flags);
1799 
1800  SHOW_INT(tls_timeout);
1801 
1802  SHOW_INT(renegotiate_bytes);
1803  SHOW_INT(renegotiate_packets);
1804  SHOW_INT(renegotiate_seconds);
1805 
1806  SHOW_INT(handshake_window);
1807  SHOW_INT(transition_window);
1808 
1809  SHOW_BOOL(single_session);
1811  SHOW_BOOL(tls_exit);
1812 
1813  SHOW_STR(tls_crypt_v2_metadata);
1814 
1815 #ifdef ENABLE_PKCS11
1816  {
1817  int i;
1818  for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1819  {
1820  SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1821  }
1822  }
1823  {
1824  int i;
1825  for (i = 0; i<MAX_PARMS; i++)
1826  {
1827  SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1828  }
1829  }
1830  {
1831  int i;
1832  for (i = 0; i<MAX_PARMS; i++)
1833  {
1834  SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1835  }
1836  }
1837  {
1838  int i;
1839  for (i = 0; i<MAX_PARMS; i++)
1840  {
1841  SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1842  }
1843  }
1844  SHOW_INT(pkcs11_pin_cache_period);
1845  SHOW_STR(pkcs11_id);
1846  SHOW_BOOL(pkcs11_id_management);
1847 #endif /* ENABLE_PKCS11 */
1848 
1849  show_p2mp_parms(o);
1850 
1851 #ifdef _WIN32
1852  SHOW_BOOL(show_net_up);
1853  SHOW_INT(route_method);
1854  SHOW_BOOL(block_outside_dns);
1856 #endif
1857 #endif /* ifndef ENABLE_SMALL */
1858 }
1859 
1860 #undef SHOW_PARM
1861 #undef SHOW_STR
1862 #undef SHOW_INT
1863 #undef SHOW_BOOL
1864 
1865 #ifdef ENABLE_MANAGEMENT
1866 
1867 static struct http_proxy_options *
1869  const char *port,
1870  const char *flags,
1871  const int msglevel,
1872  struct gc_arena *gc)
1873 {
1874  if (server && port)
1875  {
1876  struct http_proxy_options *ho;
1877  ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
1878  ho->server = string_alloc(server, gc);
1879  ho->port = port;
1880  if (flags && !strcmp(flags, "nct"))
1881  {
1882  ho->auth_retry = PAR_NCT;
1883  }
1884  else
1885  {
1886  ho->auth_retry = PAR_ALL;
1887  }
1888  ho->http_version = "1.0";
1889  ho->user_agent = "OpenVPN-Autoproxy/1.0";
1890  return ho;
1891  }
1892  else
1893  {
1894  return NULL;
1895  }
1896 }
1897 
1898 static void
1900 {
1901  const struct connection_list *l = o->connection_list;
1902  int i;
1903  bool succeed = false;
1904  for (i = 0; i < l->len; ++i)
1905  {
1906  struct connection_entry *ce = l->array[i];
1907  if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
1908  {
1910  succeed = true;
1911  }
1912  }
1913  if (succeed)
1914  {
1915  for (i = 0; i < l->len; ++i)
1916  {
1917  struct connection_entry *ce = l->array[i];
1918  if (ce->proto == PROTO_UDP)
1919  {
1920  ce->flags |= CE_DISABLED;
1921  }
1922  }
1923  }
1924  else
1925  {
1926  msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
1927  }
1928 }
1929 
1930 #endif /* ifdef ENABLE_MANAGEMENT */
1931 
1932 static struct connection_list *
1934 {
1935  if (!options->connection_list)
1936  {
1937  ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
1938  }
1939  return options->connection_list;
1940 }
1941 
1942 static struct connection_entry *
1943 alloc_connection_entry(struct options *options, const int msglevel)
1944 {
1945  struct connection_list *l = alloc_connection_list_if_undef(options);
1946  struct connection_entry *e;
1947 
1948  if (l->len >= CONNECTION_LIST_SIZE)
1949  {
1950  msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
1951  return NULL;
1952  }
1953  ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
1954  l->array[l->len++] = e;
1955  return e;
1956 }
1957 
1958 static struct remote_list *
1960 {
1961  if (!options->remote_list)
1962  {
1963  ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
1964  }
1965  return options->remote_list;
1966 }
1967 
1968 static struct remote_entry *
1969 alloc_remote_entry(struct options *options, const int msglevel)
1970 {
1971  struct remote_list *l = alloc_remote_list_if_undef(options);
1972  struct remote_entry *e;
1973 
1974  if (l->len >= CONNECTION_LIST_SIZE)
1975  {
1976  msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
1977  return NULL;
1978  }
1979  ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
1980  l->array[l->len++] = e;
1981  return e;
1982 }
1983 
1984 static struct pull_filter_list *
1986 {
1987  if (!o->pull_filter_list)
1988  {
1990  }
1991  return o->pull_filter_list;
1992 }
1993 
1994 static struct pull_filter *
1995 alloc_pull_filter(struct options *o, const int msglevel)
1996 {
1998  struct pull_filter *f;
1999 
2000  ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2001  if (l->head)
2002  {
2003  ASSERT(l->tail);
2004  l->tail->next = f;
2005  }
2006  else
2007  {
2008  ASSERT(!l->tail);
2009  l->head = f;
2010  }
2011  l->tail = f;
2012  return f;
2013 }
2014 
2015 static void
2017 {
2018  if (re->remote)
2019  {
2020  ce->remote = re->remote;
2021  }
2022  if (re->remote_port)
2023  {
2024  ce->remote_port = re->remote_port;
2025  }
2026  if (re->proto >= 0)
2027  {
2028  ce->proto = re->proto;
2029  }
2030  if (re->af > 0)
2031  {
2032  ce->af = re->af;
2033  }
2034 }
2035 
2036 static void
2037 connection_entry_preload_key(const char **key_file, bool *key_inline,
2038  struct gc_arena *gc)
2039 {
2040  if (key_file && *key_file && !(*key_inline))
2041  {
2042  struct buffer in = buffer_read_from_file(*key_file, gc);
2043  if (!buf_valid(&in))
2044  {
2045  msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2046  }
2047 
2048  *key_file = (const char *) in.data;
2049  *key_inline = true;
2050  }
2051 }
2052 
2053 static void
2055  const struct connection_entry *ce)
2056 {
2057  struct options defaults;
2058  int dev = DEV_TYPE_UNDEF;
2059  bool pull = false;
2060 
2061  init_options(&defaults, true);
2062 
2063  if (options->test_crypto)
2064  {
2065  notnull(options->shared_secret_file, "key file (--secret)");
2066  }
2067  else
2068  {
2069  notnull(options->dev, "TUN/TAP device (--dev)");
2070  }
2071 
2072  /*
2073  * Get tun/tap/null device type
2074  */
2075  dev = dev_type_enum(options->dev, options->dev_type);
2076 
2077  /*
2078  * If "proto tcp" is specified, make sure we know whether it is
2079  * tcp-client or tcp-server.
2080  */
2081  if (ce->proto == PROTO_TCP)
2082  {
2083  msg(M_USAGE,
2084  "--proto tcp is ambiguous in this context. Please specify "
2085  "--proto tcp-server or --proto tcp-client");
2086  }
2087 
2088  if (options->lladdr && dev != DEV_TYPE_TAP)
2089  {
2090  msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2091  }
2092 
2093  /*
2094  * Sanity check on MTU parameters
2095  */
2096  if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2097  {
2098  msg(M_USAGE,
2099  "only one of --tun-mtu or --link-mtu may be defined (note that "
2100  "--ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
2101  }
2102 
2103  if (!proto_is_udp(ce->proto) && options->mtu_test)
2104  {
2105  msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2106  }
2107 
2108  /* will we be pulling options from server? */
2109  pull = options->pull;
2110 
2111  /*
2112  * Sanity check on --local, --remote, and --ifconfig
2113  */
2114 
2115  if (proto_is_net(ce->proto)
2116  && string_defined_equal(ce->local, ce->remote)
2118  {
2119  msg(M_USAGE, "--remote and --local addresses are the same");
2120  }
2121 
2122  if (string_defined_equal(ce->remote, options->ifconfig_local)
2124  {
2125  msg(M_USAGE,
2126  "--local and --remote addresses must be distinct from --ifconfig "
2127  "addresses");
2128  }
2129 
2130  if (string_defined_equal(ce->local, options->ifconfig_local)
2132  {
2133  msg(M_USAGE,
2134  "--local addresses must be distinct from --ifconfig addresses");
2135  }
2136 
2137  if (string_defined_equal(options->ifconfig_local,
2138  options->ifconfig_remote_netmask))
2139  {
2140  msg(M_USAGE,
2141  "local and remote/netmask --ifconfig addresses must be different");
2142  }
2143 
2144  if (ce->bind_defined && !ce->bind_local)
2145  {
2146  msg(M_USAGE, "--bind and --nobind can't be used together");
2147  }
2148 
2149  if (ce->local && !ce->bind_local)
2150  {
2151  msg(M_USAGE,
2152  "--local and --nobind don't make sense when used together");
2153  }
2154 
2155  if (ce->local_port_defined && !ce->bind_local)
2156  {
2157  msg(M_USAGE,
2158  "--lport and --nobind don't make sense when used together");
2159  }
2160 
2161  if (!ce->remote && !ce->bind_local)
2162  {
2163  msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2164  }
2165 
2166  /*
2167  * Check for consistency of management options
2168  */
2169 #ifdef ENABLE_MANAGEMENT
2170  if (!options->management_addr
2171  && (options->management_flags
2174  {
2175  msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2176  }
2177 
2178  if ((options->management_client_user || options->management_client_group)
2179  && !(options->management_flags & MF_UNIX_SOCK))
2180  {
2181  msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2182  }
2183 
2184  if (options->management_addr
2185  && !(options->management_flags & MF_UNIX_SOCK)
2186  && (!options->management_user_pass))
2187  {
2188  msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2189  "passwords is STRONGLY discouraged and considered insecure");
2190  }
2191 
2192 #endif /* ifdef ENABLE_MANAGEMENT */
2193 
2194 #if defined(ENABLE_MANAGEMENT)
2195  if ((tls_version_max() >= TLS_VER_1_3)
2196  && (options->management_flags & MF_EXTERNAL_KEY)
2197  && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2198  )
2199  {
2200  msg(M_ERR, "management-external-key with OpenSSL 1.1.1 requires "
2201  "the nopadding argument/support");
2202  }
2203 #endif
2204  /*
2205  * Windows-specific options.
2206  */
2207 
2208 #ifdef _WIN32
2209  if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2210  {
2211  msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2212  }
2213 
2214  if ((options->tuntap_options.ip_win32_defined)
2215  && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2216  {
2217  msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2218  }
2219 
2220  if (options->tuntap_options.dhcp_options
2221  && options->windows_driver != WINDOWS_DRIVER_WINTUN
2224  {
2225  msg(M_USAGE, "--dhcp-option requires --ip-win32 dynamic or adaptive");
2226  }
2227 
2228  if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
2229  {
2230  msg(M_USAGE, "--windows-driver wintun requires --dev tun");
2231  }
2232 #endif /* ifdef _WIN32 */
2233 
2234  /*
2235  * Check that protocol options make sense.
2236  */
2237 
2238 #ifdef ENABLE_FRAGMENT
2239  if (!proto_is_udp(ce->proto) && ce->fragment)
2240  {
2241  msg(M_USAGE, "--fragment can only be used with --proto udp");
2242  }
2243 #endif
2244 
2246  {
2247  msg(M_USAGE,
2248  "--explicit-exit-notify can only be used with --proto udp");
2249  }
2250 
2251  if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2252  {
2253  msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2254  }
2255 
2256  if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2257  {
2258  msg(M_USAGE,
2259  "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2260  "tcp-client)");
2261  }
2262 
2263  if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2264  {
2265  msg(M_USAGE,
2266  "--http-proxy not specified but other http proxy options present");
2267  }
2268 
2269  if (ce->http_proxy_options && ce->socks_proxy_server)
2270  {
2271  msg(M_USAGE,
2272  "--http-proxy can not be used together with --socks-proxy");
2273  }
2274 
2275  if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2276  {
2277  msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2278  }
2279 
2280  if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2281  {
2282  msg(M_USAGE, "TCP server mode allows at most one --remote address");
2283  }
2284 
2285  /*
2286  * Check consistency of --mode server options.
2287  */
2288  if (options->mode == MODE_SERVER)
2289  {
2290 #ifdef TARGET_ANDROID
2291  msg(M_FATAL, "--mode server not supported on Android");
2292 #endif
2293  if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2294  {
2295  msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2296  }
2297  if (options->pull)
2298  {
2299  msg(M_USAGE, "--pull cannot be used with --mode server");
2300  }
2301  if (options->pull_filter_list)
2302  {
2303  msg(M_WARN, "--pull-filter ignored for --mode server");
2304  }
2305  if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2306  {
2307  msg(M_USAGE, "--mode server currently only supports "
2308  "--proto udp or --proto tcp-server or proto tcp6-server");
2309  }
2310 #if PORT_SHARE
2311  if ((options->port_share_host || options->port_share_port)
2312  && (ce->proto != PROTO_TCP_SERVER))
2313  {
2314  msg(M_USAGE, "--port-share only works in TCP server mode "
2315  "(--proto tcp-server or tcp6-server)");
2316  }
2317 #endif
2318  if (!options->tls_server)
2319  {
2320  msg(M_USAGE, "--mode server requires --tls-server");
2321  }
2322  if (ce->remote)
2323  {
2324  msg(M_USAGE, "--remote cannot be used with --mode server");
2325  }
2326  if (!ce->bind_local)
2327  {
2328  msg(M_USAGE, "--nobind cannot be used with --mode server");
2329  }
2330  if (ce->http_proxy_options)
2331  {
2332  msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2333  }
2334  if (ce->socks_proxy_server)
2335  {
2336  msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2337  }
2338  /* <connection> blocks force to have a remote embedded, so we check
2339  * for the --remote and bail out if it is present
2340  */
2341  if (options->connection_list->len >1
2342  || options->connection_list->array[0]->remote)
2343  {
2344  msg(M_USAGE, "<connection> cannot be used with --mode server");
2345  }
2346 
2347  if (options->shaper)
2348  {
2349  msg(M_USAGE, "--shaper cannot be used with --mode server");
2350  }
2351  if (options->ipchange)
2352  {
2353  msg(M_USAGE,
2354  "--ipchange cannot be used with --mode server (use "
2355  "--client-connect instead)");
2356  }
2357  if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2358  {
2359  msg(M_USAGE,
2360  "--mode server currently only supports --proto udp or --proto "
2361  "tcp-server or --proto tcp6-server");
2362  }
2363  if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2364  {
2365  msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2366  }
2367  if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2368  {
2369  msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2370  }
2371  if (options->routes && (options->routes->flags & RG_ENABLE))
2372  {
2373  msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2374  }
2375  if (options->route_delay_defined)
2376  {
2377  msg(M_USAGE, "--route-delay cannot be used with --mode server");
2378  }
2379  if (options->up_delay)
2380  {
2381  msg(M_USAGE, "--up-delay cannot be used with --mode server");
2382  }
2383  if (!options->ifconfig_pool_defined
2384  && !options->ifconfig_ipv6_pool_defined
2385  && options->ifconfig_pool_persist_filename)
2386  {
2387  msg(M_USAGE,
2388  "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2389  }
2390  if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2391  {
2392  msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2393  }
2394  if (options->allow_recursive_routing)
2395  {
2396  msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2397  }
2398  if (options->auth_user_pass_file)
2399  {
2400  msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2401  }
2402  if (options->ccd_exclusive && !options->client_config_dir)
2403  {
2404  msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2405  }
2406  if (options->auth_token_generate && !options->renegotiate_seconds)
2407  {
2408  msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2409  "--renegotiate_seconds setting");
2410  }
2411  {
2412  const bool ccnr = (options->auth_user_pass_verify_script
2413  || PLUGIN_OPTION_LIST(options)
2414  || MAN_CLIENT_AUTH_ENABLED(options));
2415  const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2417  {
2418  msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2419  }
2420  if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2421  {
2422  msg(M_USAGE, "--username-as-common-name %s", postfix);
2423  }
2424  if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2425  {
2426  msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2427  }
2428  }
2429 
2430  if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2431  {
2432  msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2433  }
2434  if (!options->vlan_tagging)
2435  {
2436  if (options->vlan_accept != defaults.vlan_accept)
2437  {
2438  msg(M_USAGE, "--vlan-accept requires --vlan-tagging");
2439  }
2440  if (options->vlan_pvid != defaults.vlan_pvid)
2441  {
2442  msg(M_USAGE, "--vlan-pvid requires --vlan-tagging");
2443  }
2444  }
2445  }
2446  else
2447  {
2448  /*
2449  * When not in server mode, err if parameters are
2450  * specified which require --mode server.
2451  */
2452  if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2453  {
2454  msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2455  }
2456  if (options->ifconfig_ipv6_pool_defined)
2457  {
2458  msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2459  }
2460  if (options->real_hash_size != defaults.real_hash_size
2461  || options->virtual_hash_size != defaults.virtual_hash_size)
2462  {
2463  msg(M_USAGE, "--hash-size requires --mode server");
2464  }
2465  if (options->learn_address_script)
2466  {
2467  msg(M_USAGE, "--learn-address requires --mode server");
2468  }
2469  if (options->client_connect_script)
2470  {
2471  msg(M_USAGE, "--client-connect requires --mode server");
2472  }
2473  if (options->client_disconnect_script)
2474  {
2475  msg(M_USAGE, "--client-disconnect requires --mode server");
2476  }
2477  if (options->client_config_dir || options->ccd_exclusive)
2478  {
2479  msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2480  }
2481  if (options->enable_c2c)
2482  {
2483  msg(M_USAGE, "--client-to-client requires --mode server");
2484  }
2485  if (options->duplicate_cn)
2486  {
2487  msg(M_USAGE, "--duplicate-cn requires --mode server");
2488  }
2489  if (options->cf_max || options->cf_per)
2490  {
2491  msg(M_USAGE, "--connect-freq requires --mode server");
2492  }
2494  {
2495  msg(M_USAGE, "--verify-client-cert requires --mode server");
2496  }
2497  if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2498  {
2499  msg(M_USAGE, "--username-as-common-name requires --mode server");
2500  }
2501  if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2502  {
2503  msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2504  }
2505  if (options->ssl_flags & SSLF_OPT_VERIFY)
2506  {
2507  msg(M_USAGE, "--opt-verify requires --mode server");
2508  }
2509  if (options->server_flags & SF_TCP_NODELAY_HELPER)
2510  {
2511  msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2512  "affect the server. To have TCP_NODELAY in both direction use "
2513  "tcp-nodelay in the server configuration instead.");
2514  }
2515  if (options->auth_user_pass_verify_script)
2516  {
2517  msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2518  }
2519  if (options->auth_token_generate)
2520  {
2521  msg(M_USAGE, "--auth-gen-token requires --mode server");
2522  }
2523 #if PORT_SHARE
2524  if (options->port_share_host || options->port_share_port)
2525  {
2526  msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2527  }
2528 #endif
2529 
2530  if (options->stale_routes_check_interval)
2531  {
2532  msg(M_USAGE, "--stale-routes-check requires --mode server");
2533  }
2534 
2535  if (options->vlan_tagging)
2536  {
2537  msg(M_USAGE, "--vlan-tagging requires --mode server");
2538  }
2539  }
2540 
2541  /*
2542  * Check consistency of replay options
2543  */
2544  if (!options->replay
2545  && (options->replay_window != defaults.replay_window
2546  || options->replay_time != defaults.replay_time))
2547  {
2548  msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2549  }
2550 
2551  /*
2552  * SSL/TLS mode sanity checks.
2553  */
2554  if (options->tls_server + options->tls_client
2555  +(options->shared_secret_file != NULL) > 1)
2556  {
2557  msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2558  }
2559 
2560  if (!options->tls_server && !options->tls_client)
2561  {
2562  msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in "
2563  "configuration detected. OpenVPN 2.7 will remove the "
2564  "functionality to run a VPN without TLS. "
2565  "See the examples section in the manual page for "
2566  "examples of a similar quick setup with peer-fingerprint.");
2567  }
2568 
2570  {
2571  msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2572  "--verify-client-cert none|optional "
2573  "may accept clients which do not present a certificate");
2574  }
2575 
2576  const int tls_version_max =
2579  const int tls_version_min =
2582 
2583  if (tls_version_max > 0 && tls_version_max < tls_version_min)
2584  {
2585  msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2586  }
2587 
2588  if (options->tls_server || options->tls_client)
2589  {
2590 #ifdef ENABLE_PKCS11
2591  if (options->pkcs11_providers[0])
2592  {
2593  notnull(options->ca_file, "CA file (--ca)");
2594 
2595  if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2596  {
2597  msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2598  }
2599  if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2600  {
2601  msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2602  }
2603  if (options->cert_file)
2604  {
2605  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2606  }
2607  if (options->priv_key_file)
2608  {
2609  msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2610  }
2611 #ifdef ENABLE_MANAGEMENT
2612  if (options->management_flags & MF_EXTERNAL_KEY)
2613  {
2614  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2615  }
2616  if (options->management_flags & MF_EXTERNAL_CERT)
2617  {
2618  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2619  }
2620 #endif
2621  if (options->pkcs12_file)
2622  {
2623  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2624  }
2625 #ifdef ENABLE_CRYPTOAPI
2626  if (options->cryptoapi_cert)
2627  {
2628  msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2629  }
2630 #endif
2631  }
2632  else
2633 #endif /* ifdef ENABLE_PKCS11 */
2634 #ifdef ENABLE_MANAGEMENT
2635  if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2636  {
2637  msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2638  }
2639  else if ((options->management_flags & MF_EXTERNAL_CERT))
2640  {
2641  if (options->cert_file)
2642  {
2643  msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2644  }
2645  else if (!(options->management_flags & MF_EXTERNAL_KEY))
2646  {
2647  msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2648  }
2649  }
2650  else
2651 #endif
2652 #ifdef ENABLE_CRYPTOAPI
2653  if (options->cryptoapi_cert)
2654  {
2655  if ((!(options->ca_file)) && (!(options->ca_path)))
2656  {
2657  msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2658  }
2659  if (options->cert_file)
2660  {
2661  msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2662  }
2663  if (options->priv_key_file)
2664  {
2665  msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2666  }
2667  if (options->pkcs12_file)
2668  {
2669  msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2670  }
2671 #ifdef ENABLE_MANAGEMENT
2672  if (options->management_flags & MF_EXTERNAL_KEY)
2673  {
2674  msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2675  }
2676  if (options->management_flags & MF_EXTERNAL_CERT)
2677  {
2678  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2679  }
2680 #endif
2681  }
2682  else
2683 #endif /* ifdef ENABLE_CRYPTOAPI */
2684  if (options->pkcs12_file)
2685  {
2686 #ifdef ENABLE_CRYPTO_MBEDTLS
2687  msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2688 #else
2689  if (options->ca_path)
2690  {
2691  msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2692  }
2693  if (options->cert_file)
2694  {
2695  msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2696  }
2697  if (options->priv_key_file)
2698  {
2699  msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2700  }
2701 #ifdef ENABLE_MANAGEMENT
2702  if (options->management_flags & MF_EXTERNAL_KEY)
2703  {
2704  msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2705  }
2706  if (options->management_flags & MF_EXTERNAL_CERT)
2707  {
2708  msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2709  }
2710 #endif
2711 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2712  }
2713  else
2714  {
2715 #ifdef ENABLE_CRYPTO_MBEDTLS
2716  if (!(options->ca_file || options->verify_hash_no_ca))
2717  {
2718  msg(M_USAGE, "You must define CA file (--ca) and/or "
2719  "peer fingeprint verification "
2720  "(--peer-fingerprint)");
2721  }
2722  if (options->ca_path)
2723  {
2724  msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2725  }
2726 #else /* ifdef ENABLE_CRYPTO_MBEDTLS */
2727  if ((!(options->ca_file)) && (!(options->ca_path))
2728  && (!(options->verify_hash_no_ca)))
2729  {
2730  msg(M_USAGE, "You must define CA file (--ca) or CA path "
2731  "(--capath) and/or peer fingeprint verification "
2732  "(--peer-fingerprint)");
2733  }
2734 #endif
2735  if (pull)
2736  {
2737 
2738  const int sum =
2739 #ifdef ENABLE_MANAGEMENT
2740  ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2741  +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2742 #else
2743  (options->cert_file != NULL) + (options->priv_key_file != NULL);
2744 #endif
2745 
2746  if (sum == 0)
2747  {
2748  if (!options->auth_user_pass_file)
2749  {
2750  msg(M_USAGE, "No client-side authentication method is "
2751  "specified. You must use either "
2752  "--cert/--key, --pkcs12, or "
2753  "--auth-user-pass");
2754  }
2755  }
2756  else if (sum == 2)
2757  {
2758  }
2759  else
2760  {
2761  msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2762  }
2763  }
2764  else
2765  {
2766 #ifdef ENABLE_MANAGEMENT
2767  if (!(options->management_flags & MF_EXTERNAL_CERT))
2768 #endif
2769  notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2770 #ifdef ENABLE_MANAGEMENT
2771  if (!(options->management_flags & MF_EXTERNAL_KEY))
2772 #endif
2773  notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2774  }
2775  }
2776  if (ce->tls_auth_file && ce->tls_crypt_file)
2777  {
2778  msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2779  }
2780  if (options->tls_client && ce->tls_crypt_v2_file
2781  && (ce->tls_auth_file || ce->tls_crypt_file))
2782  {
2783  msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2784  }
2785  }
2786  else
2787  {
2788  /*
2789  * Make sure user doesn't specify any TLS options
2790  * when in non-TLS mode.
2791  */
2792 
2793 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
2794 }
2795 
2796  const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2797 
2803 #ifndef ENABLE_CRYPTO_MBEDTLS
2805 #endif
2828 #ifdef ENABLE_PKCS11
2829  MUST_BE_UNDEF(pkcs11_providers[0]);
2830  MUST_BE_UNDEF(pkcs11_private_mode[0]);
2831  MUST_BE_UNDEF(pkcs11_id);
2832  MUST_BE_UNDEF(pkcs11_id_management);
2833 #endif
2834 
2835  if (pull)
2836  {
2837  msg(M_USAGE, err, "--pull");
2838  }
2839  }
2840 #undef MUST_BE_UNDEF
2841 
2842  if (options->auth_user_pass_file && !options->pull)
2843  {
2844  msg(M_USAGE, "--auth-user-pass requires --pull");
2845  }
2846 
2847  uninit_options(&defaults);
2848 }
2849 
2850 static void
2852 {
2853  const int dev = dev_type_enum(o->dev, o->dev_type);
2854 
2856  {
2857  if (ce->proto == PROTO_TCP)
2858  {
2859  ce->proto = PROTO_TCP_SERVER;
2860  }
2861  }
2862 
2863  if (o->client)
2864  {
2865  if (ce->proto == PROTO_TCP)
2866  {
2867  ce->proto = PROTO_TCP_CLIENT;
2868  }
2869  }
2870 
2871  if (ce->proto == PROTO_TCP_CLIENT && !ce->local
2872  && !ce->local_port_defined && !ce->bind_defined)
2873  {
2874  ce->bind_local = false;
2875  }
2876 
2877  if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local
2878  && !ce->local_port_defined && !ce->bind_defined)
2879  {
2880  ce->bind_local = false;
2881  }
2882 
2883  if (!ce->bind_local)
2884  {
2885  ce->local_port = NULL;
2886  }
2887 
2888  /* if protocol forcing is enabled, disable all protocols
2889  * except for the forced one
2890  */
2891  if (o->proto_force >= 0 && o->proto_force != ce->proto)
2892  {
2893  ce->flags |= CE_DISABLED;
2894  }
2895 
2896  /*
2897  * If --mssfix is supplied without a parameter, default
2898  * it to --fragment value, if --fragment is specified.
2899  */
2900  if (o->ce.mssfix_default)
2901  {
2902 #ifdef ENABLE_FRAGMENT
2903  if (ce->fragment)
2904  {
2905  ce->mssfix = ce->fragment;
2906  }
2907 #else
2908  msg(M_USAGE, "--mssfix must specify a parameter");
2909 #endif
2910  }
2911 
2912  /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
2913  * so fall back to IPv4-only (trac #1221)
2914  */
2915  if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
2916  {
2917  if (ce->af == AF_INET6)
2918  {
2919  msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
2920  "'--socks-proxy' today. Forcing IPv4 mode." );
2921  }
2922  else
2923  {
2924  msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
2925  "work correctly with '--socks-proxy' today. Forcing IPv4." );
2926  }
2927  ce->af = AF_INET;
2928  }
2929 
2930  /*
2931  * Set MTU defaults
2932  */
2933  {
2934  if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
2935  {
2936  ce->tun_mtu_defined = true;
2937  }
2938  if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
2939  {
2940  ce->tun_mtu_extra_defined = true;
2942  }
2943  }
2944 
2945  /*
2946  * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
2947  *
2948  * At the end only one of these will be really set because the parser
2949  * logic prevents configurations where more are set.
2950  */
2951  if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
2952  {
2953  ce->tls_auth_file = o->tls_auth_file;
2955  ce->key_direction = o->key_direction;
2956 
2957  ce->tls_crypt_file = o->tls_crypt_file;
2959 
2962  }
2963 
2964  /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
2965  * keys were not already embedded in the config file.
2966  */
2967  if (o->persist_key)
2968  {
2970  &ce->tls_auth_file_inline, &o->gc);
2972  &ce->tls_crypt_file_inline, &o->gc);
2974  &ce->tls_crypt_v2_file_inline, &o->gc);
2975  }
2976 }
2977 
2978 #ifdef _WIN32
2979 /* If iservice is in use, we need def1 method for redirect-gateway */
2980 static void
2982 {
2983  if (opt->routes
2985  && opt->routes->flags & RG_REROUTE_GW
2986  && !(opt->routes->flags & RG_DEF1))
2987  {
2988  msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
2989  opt->routes->flags |= RG_DEF1;
2990  }
2991 }
2992 #endif
2993 
2994 static void
2996 {
2997 #ifdef _WIN32
2998  const int dev = dev_type_enum(options->dev, options->dev_type);
2999 
3000  /* when using wintun, kernel doesn't send DHCP requests, so don't use it */
3001  if (options->windows_driver == WINDOWS_DRIVER_WINTUN
3003  {
3005  }
3006 
3007  if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3008  {
3009  /* delay may only be necessary when we perform DHCP handshake */
3010  const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3012  if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3013  {
3014  options->route_delay_defined = true;
3015  options->route_delay = 5; /* Vista sometimes has a race without this */
3016  }
3017  }
3018 
3019  if (options->ifconfig_noexec)
3020  {
3022  options->ifconfig_noexec = false;
3023  }
3024 
3026 
3027  /*
3028  * Check consistency of --mode server options.
3029  */
3030  if (options->mode == MODE_SERVER)
3031  {
3032  /*
3033  * We need to explicitly set --tap-sleep because
3034  * we do not schedule event timers in the top-level context.
3035  */
3036  options->tuntap_options.tap_sleep = 10;
3037  if (options->route_delay_defined && options->route_delay)
3038  {
3039  options->tuntap_options.tap_sleep = options->route_delay;
3040  }
3041  options->route_delay_defined = false;
3042  }
3043 #endif /* ifdef _WIN32 */
3044 
3045 #ifdef DEFAULT_PKCS11_MODULE
3046  /* If p11-kit is present on the system then load its p11-kit-proxy.so
3047  * by default if the user asks for PKCS#11 without otherwise specifying
3048  * the module to use. */
3049  if (!options->pkcs11_providers[0]
3050  && (options->pkcs11_id || options->pkcs11_id_management))
3051  {
3052  options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3053  }
3054 #endif
3055 }
3056 
3057 static void
3059 {
3060  if (o->connection_list)
3061  {
3062  int i;
3063  for (i = 0; i < o->connection_list->len; ++i)
3064  {
3066  }
3067  }
3068  else
3069  {
3071  }
3072 }
3073 
3074 static void
3076 {
3077  if (!o->pull && !(o->mode == MODE_SERVER))
3078  {
3079  /* we are in the classic P2P mode */
3080  o->ncp_enabled = false;
3081  msg( M_WARN, "Cipher negotiation is disabled since neither "
3082  "P2MP client nor server mode is enabled");
3083 
3084  /* If the cipher is not set, use the old default of BF-CBC. We will
3085  * warn that this is deprecated on cipher initialisation, no need
3086  * to warn here as well */
3087  if (!o->ciphername)
3088  {
3089  o->ciphername = "BF-CBC";
3090  }
3091  return;
3092  }
3093 
3094  /* pull or P2MP mode */
3095  if (!o->ciphername)
3096  {
3097  if (!o->ncp_enabled)
3098  {
3099  msg(M_USAGE, "--ncp-disable needs an explicit --cipher or "
3100  "--data-ciphers-fallback config option");
3101  }
3102 
3103  msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to "
3104  "BF-CBC as fallback when cipher negotiation failed in this case. "
3105  "If you need this fallback please add '--data-ciphers-fallback "
3106  "BF-CBC' to your configuration and/or add BF-CBC to "
3107  "--data-ciphers.");
3108 
3109  /* We still need to set the ciphername to BF-CBC since various other
3110  * parts of OpenVPN assert that the ciphername is set */
3111  o->ciphername = "BF-CBC";
3112  }
3113  else if (!o->enable_ncp_fallback
3115  {
3116  msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in"
3117  " --data-ciphers (%s). Future OpenVPN version will "
3118  "ignore --cipher for cipher negotiations. "
3119  "Add '%s' to --data-ciphers or change --cipher '%s' to "
3120  "--data-ciphers-fallback '%s' to silence this warning.",
3121  o->ciphername, o->ncp_ciphers, o->ciphername,
3122  o->ciphername, o->ciphername);
3123  o->enable_ncp_fallback = true;
3124 
3125  /* Append the --cipher to ncp_ciphers to allow it in NCP */
3126  size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(o->ciphername) + 1;
3127  char *ncp_ciphers = gc_malloc(newlen, false, &o->gc);
3128 
3129  ASSERT(openvpn_snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers,
3130  o->ciphername));
3131  o->ncp_ciphers = ncp_ciphers;
3132  }
3133 }
3134 
3135 static void
3137 {
3138  int i;
3139  /*
3140  * Process helper-type options which map to other, more complex
3141  * sequences of options.
3142  */
3144  helper_keepalive(o);
3145  helper_tcp_nodelay(o);
3146 
3149 
3150  if (o->ncp_enabled)
3151  {
3153  if (o->ncp_ciphers == NULL)
3154  {
3155  msg(M_USAGE, "NCP cipher list contains unsupported ciphers or is too long.");
3156  }
3157  }
3158 
3159  if (o->remote_list && !o->connection_list)
3160  {
3161  /*
3162  * Convert remotes into connection list
3163  */
3164  const struct remote_list *rl = o->remote_list;
3165  for (i = 0; i < rl->len; ++i)
3166  {
3167  const struct remote_entry *re = rl->array[i];
3168  struct connection_entry ce = o->ce;
3169  struct connection_entry *ace;
3170 
3171  ASSERT(re->remote);
3172  connection_entry_load_re(&ce, re);
3173  ace = alloc_connection_entry(o, M_USAGE);
3174  ASSERT(ace);
3175  *ace = ce;
3176  }
3177  }
3178  else if (!o->remote_list && !o->connection_list)
3179  {
3180  struct connection_entry *ace;
3181  ace = alloc_connection_entry(o, M_USAGE);
3182  ASSERT(ace);
3183  *ace = o->ce;
3184  }
3185 
3186  ASSERT(o->connection_list);
3187  for (i = 0; i < o->connection_list->len; ++i)
3188  {
3190  }
3191 
3192  if (o->tls_server)
3193  {
3194  /* Check that DH file is specified, or explicitly disabled */
3195  notnull(o->dh_file, "DH file (--dh)");
3196  if (streq(o->dh_file, "none"))
3197  {
3198  o->dh_file = NULL;
3199  }
3200  }
3201  else if (o->dh_file)
3202  {
3203  /* DH file is only meaningful in a tls-server context. */
3204  msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3205  "include this in your server configuration");
3206  o->dh_file = NULL;
3207  }
3208 #if ENABLE_MANAGEMENT
3209  if (o->http_proxy_override)
3210  {
3212  }
3213 #endif
3214  if (!o->ca_file && !o->ca_path && o->verify_hash
3215  && o->verify_hash_depth == 0)
3216  {
3217  msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3218  "option set). ");
3219  o->verify_hash_no_ca = true;
3220  }
3221 
3222  /*
3223  * Save certain parms before modifying options during connect, especially
3224  * when using --pull
3225  */
3226  pre_connect_save(o);
3227 }
3228 
3229 /*
3230  * Check file/directory sanity
3231  *
3232  */
3233 #ifndef ENABLE_SMALL
3235 #define CHKACC_FILE (1<<0)
3236 #define CHKACC_DIRPATH (1<<1)
3237 #define CHKACC_FILEXSTWR (1<<2)
3238 #define CHKACC_ACPTSTDIN (1<<3)
3239 #define CHKACC_PRIVATE (1<<4)
3241 static bool
3242 check_file_access(const int type, const char *file, const int mode, const char *opt)
3243 {
3244  int errcode = 0;
3245 
3246  /* If no file configured, no errors to look for */
3247  if (!file)
3248  {
3249  return false;
3250  }
3251 
3252  /* If stdin is allowed and the file name is 'stdin', then do no
3253  * further checks as stdin is always available
3254  */
3255  if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3256  {
3257  return false;
3258  }
3259 
3260  /* Is the directory path leading to the given file accessible? */
3261  if (type & CHKACC_DIRPATH)
3262  {
3263  char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3264  char *dirpath = dirname(fullpath);
3265 
3266  if (platform_access(dirpath, mode|X_OK) != 0)
3267  {
3268  errcode = errno;
3269  }
3270  free(fullpath);
3271  }
3272 
3273  /* Is the file itself accessible? */
3274  if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3275  {
3276  errcode = errno;
3277  }
3278 
3279  /* If the file exists and is accessible, is it writable? */
3280  if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3281  {
3282  if (platform_access(file, W_OK) != 0)
3283  {
3284  errcode = errno;
3285  }
3286  }
3287 
3288  /* Warn if a given private file is group/others accessible. */
3289  if (type & CHKACC_PRIVATE)
3290  {
3291  platform_stat_t st;
3292  if (platform_stat(file, &st))
3293  {
3294  msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3295  }
3296 #ifndef _WIN32
3297  else
3298  {
3299  if (st.st_mode & (S_IRWXG|S_IRWXO))
3300  {
3301  msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3302  }
3303  }
3304 #endif
3305  }
3306 
3307  /* Scream if an error is found */
3308  if (errcode > 0)
3309  {
3310  msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3311  }
3312 
3313  /* Return true if an error occurred */
3314  return (errcode != 0 ? true : false);
3315 }
3316 
3317 /* A wrapper for check_file_access() which also takes a chroot directory.
3318  * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3319  * otherwise it will look for the file inside the given chroot directory instead.
3320  */
3321 static bool
3322 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3323 {
3324  bool ret = false;
3325 
3326  /* If no file configured, no errors to look for */
3327  if (!file)
3328  {
3329  return false;
3330  }
3331 
3332  /* If chroot is set, look for the file/directory inside the chroot */
3333  if (chroot)
3334  {
3335  struct gc_arena gc = gc_new();
3336  struct buffer chroot_file;
3337 
3338  chroot_file = prepend_dir(chroot, file, &gc);
3339  ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3340  gc_free(&gc);
3341  }
3342  else
3343  {
3344  /* No chroot in play, just call core file check function */
3345  ret = check_file_access(type, file, mode, opt);
3346  }
3347  return ret;
3348 }
3349 
3354 static bool
3355 check_file_access_chroot_inline(bool is_inline, const char *chroot,
3356  const int type, const char *file,
3357  const int mode, const char *opt)
3358 {
3359  if (is_inline)
3360  {
3361  return false;
3362  }
3363 
3364  return check_file_access_chroot(chroot, type, file, mode, opt);
3365 }
3366 
3371 static bool
3372 check_file_access_inline(bool is_inline, const int type, const char *file,
3373  const int mode, const char *opt)
3374 {
3375  if (is_inline)
3376  {
3377  return false;
3378  }
3379 
3380  return check_file_access(type, file, mode, opt);
3381 }
3382 
3383 /*
3384  * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3385  * valid file with appropriate permissions.
3386  *
3387  * "command" consists of a path, optionally followed by a space, which may be
3388  * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3389  * performed.
3390  *
3391  * The path and arguments in "command" may be single- or double-quoted or escaped.
3392  *
3393  * The path is extracted from "command", then check_file_access() is called to check it. The
3394  * arguments, if any, are ignored.
3395  *
3396  * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3397  * check_file_access() arguments.
3398  */
3399 static bool
3400 check_cmd_access(const char *command, const char *opt, const char *chroot)
3401 {
3402  struct argv argv;
3403  bool return_code;
3404 
3405  /* If no command was set, there are no errors to look for */
3406  if (!command)
3407  {
3408  return false;
3409  }
3410 
3411  /* Extract executable path and arguments */
3412  argv = argv_new();
3413  argv_parse_cmd(&argv, command);
3414 
3415  /* if an executable is specified then check it; otherwise, complain */
3416  if (argv.argv[0])
3417  {
3418  /* Scripts requires R_OK as well, but that might fail on binaries which
3419  * only requires X_OK to function on Unix - a scenario not unlikely to
3420  * be seen on suid binaries.
3421  */
3422  return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
3423  }
3424  else
3425  {
3426  msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
3427  opt, command);
3428  return_code = true;
3429  }
3430 
3431  argv_free(&argv);
3432 
3433  return return_code;
3434 }
3435 
3436 /*
3437  * Sanity check of all file/dir options. Checks that file/dir
3438  * is accessible by OpenVPN
3439  */
3440 static void
3442 {
3443  bool errs = false;
3444 
3445  /* ** SSL/TLS/crypto related files ** */
3447  options->dh_file, R_OK, "--dh");
3448 
3449  if (!options->verify_hash_no_ca)
3450  {
3452  options->ca_file, R_OK, "--ca");
3453  }
3454 
3456  options->ca_path, R_OK, "--capath");
3457 
3459  options->cert_file, R_OK, "--cert");
3460 
3462  options->extra_certs_file, R_OK,
3463  "--extra-certs");
3464 
3465 #ifdef ENABLE_MANAGMENT
3466  if (!(options->management_flags & MF_EXTERNAL_KEY))
3467 #endif
3468  {
3471  options->priv_key_file, R_OK, "--key");
3472  }
3473 
3476  options->pkcs12_file, R_OK, "--pkcs12");
3477 
3478  if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
3479  {
3481  options->crl_file, R_OK|X_OK,
3482  "--crl-verify directory");
3483  }
3484  else
3485  {
3487  options->chroot_dir,
3488  CHKACC_FILE, options->crl_file,
3489  R_OK, "--crl-verify");
3490  }
3491 
3492  ASSERT(options->connection_list);
3493  for (int i = 0; i < options->connection_list->len; ++i)
3494  {
3495  struct connection_entry *ce = options->connection_list->array[i];
3496 
3499  ce->tls_auth_file, R_OK,
3500  "--tls-auth");
3503  ce->tls_crypt_file, R_OK,
3504  "--tls-crypt");
3507  ce->tls_crypt_v2_file, R_OK,
3508  "--tls-crypt-v2");
3509  }
3510 
3513  options->shared_secret_file, R_OK,
3514  "--secret");
3515 
3517  options->packet_id_file, R_OK|W_OK, "--replay-persist");
3518 
3519  /* ** Password files ** */
3521  options->key_pass_file, R_OK, "--askpass");
3522 #ifdef ENABLE_MANAGEMENT
3524  options->management_user_pass, R_OK,
3525  "--management user/password file");
3526 #endif /* ENABLE_MANAGEMENT */
3528  options->auth_user_pass_file, R_OK,
3529  "--auth-user-pass");
3530  /* ** System related ** */
3531  errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
3532  R_OK|X_OK, "--chroot directory");
3534  R_OK|W_OK, "--writepid");
3535 
3536  /* ** Log related ** */
3538  R_OK|W_OK, "--status");
3539 
3540  /* ** Config related ** */
3541  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
3542  R_OK|W_OK|X_OK, "--tls-export-cert");
3544  R_OK|X_OK, "--client-config-dir");
3545  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
3546  R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
3547 
3548  if (errs)
3549  {
3550  msg(M_USAGE, "Please correct these errors.");
3551  }
3552 }
3553 #endif /* !ENABLE_SMALL */
3554 
3555 /*
3556  * Sanity check on options.
3557  * Also set some options based on other
3558  * options.
3559  */
3560 void
3562 {
3563  options_postprocess_mutate(options);
3564  options_postprocess_verify(options);
3565 #ifndef ENABLE_SMALL
3567 #endif /* !ENABLE_SMALL */
3568 }
3569 
3570 /*
3571  * Save/Restore certain option defaults before --pull is applied.
3572  */
3573 
3574 void
3576 {
3581 
3582  if (o->routes)
3583  {
3585  o->pre_connect->routes_defined = true;
3586  }
3587  if (o->routes_ipv6)
3588  {
3590  o->pre_connect->routes_ipv6_defined = true;
3591  }
3592  if (o->client_nat)
3593  {
3595  o->pre_connect->client_nat_defined = true;
3596  }
3597 
3600 
3601  /* NCP related options that can be overwritten by a push */
3603  o->pre_connect->authname = o->authname;
3604 
3605  /* Ping related options should be reset to the config values on reconnect */
3609 
3610  /* Miscellaneous Options */
3611 #ifdef USE_COMP
3612  o->pre_connect->comp = o->comp;
3613 #endif
3614 }
3615 
3616 void
3617 pre_connect_restore(struct options *o, struct gc_arena *gc)
3618 {
3619  const struct options_pre_connect *pp = o->pre_connect;
3620  if (pp)
3621  {
3622  CLEAR(o->tuntap_options);
3623  if (pp->tuntap_options_defined)
3624  {
3625  o->tuntap_options = pp->tuntap_options;
3626  }
3627 
3628  if (pp->routes_defined)
3629  {
3630  rol_check_alloc(o);
3631  copy_route_option_list(o->routes, pp->routes, gc);
3632  }
3633  else
3634  {
3635  o->routes = NULL;
3636  }
3637 
3638  if (pp->routes_ipv6_defined)
3639  {
3640  rol6_check_alloc(o);
3642  }
3643  else
3644  {
3645  o->routes_ipv6 = NULL;
3646  }
3647 
3650 
3651  if (pp->client_nat_defined)
3652  {
3653  cnol_check_alloc(o);
3655  }
3656  else
3657  {
3658  o->client_nat = NULL;
3659  }
3660 
3662 
3663  o->ciphername = pp->ciphername;
3664  o->authname = pp->authname;
3665 
3669 
3670  /* Miscellaneous Options */
3671 #ifdef USE_COMP
3672  o->comp = pp->comp;
3673 #endif
3674  }
3675 
3676  o->push_continuation = 0;
3677  o->push_option_types_found = 0;
3679 }
3680 
3688 static size_t
3689 calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
3690 {
3691  size_t link_mtu = EXPANDED_SIZE(frame);
3692 
3693  if (o->pull || o->mode == MODE_SERVER)
3694  {
3695  struct frame fake_frame = *frame;
3696  struct key_type fake_kt;
3697 
3699 
3700 
3701  /* o->ciphername might be BF-CBC even though the underlying SSL library
3702  * does not support it. For this reason we workaround this corner case
3703  * by pretending to have no encryption enabled and by manually adding
3704  * the required packet overhead to the MTU computation.
3705  */
3706  const char* ciphername = o->ciphername;
3707 
3708  if (strcmp(o->ciphername, "BF-CBC") == 0)
3709  {
3710  /* none has no overhead, so use this to later add only --auth
3711  * overhead */
3712 
3713  /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
3714  frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
3715  }
3716 
3717  init_key_type(&fake_kt, ciphername, o->authname, true, false);
3718 
3719  crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
3720  cipher_kt_mode_ofb_cfb(fake_kt.cipher));
3721  frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
3722  o->ce.tun_mtu_defined, o->ce.tun_mtu);
3723  msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu,
3724  EXPANDED_SIZE(&fake_frame));
3725  link_mtu = EXPANDED_SIZE(&fake_frame);
3726  }
3727  return link_mtu;
3728 }
3729 /*
3730  * Build an options string to represent data channel encryption options.
3731  * This string must match exactly between peers. The keysize is checked
3732  * separately by read_key().
3733  *
3734  * The following options must match on both peers:
3735  *
3736  * Tunnel options:
3737  *
3738  * --dev tun|tap [unit number need not match]
3739  * --dev-type tun|tap
3740  * --link-mtu
3741  * --udp-mtu
3742  * --tun-mtu
3743  * --proto udp
3744  * --proto tcp-client [matched with --proto tcp-server
3745  * on the other end of the connection]
3746  * --proto tcp-server [matched with --proto tcp-client on
3747  * the other end of the connection]
3748  * --tun-ipv6
3749  * --ifconfig x y [matched with --ifconfig y x on
3750  * the other end of the connection]
3751  *
3752  * --comp-lzo
3753  * --compress alg
3754  * --fragment
3755  *
3756  * Crypto Options:
3757  *
3758  * --cipher
3759  * --auth
3760  * --keysize
3761  * --secret
3762  * --no-replay
3763  *
3764  * SSL Options:
3765  *
3766  * --tls-auth
3767  * --tls-client [matched with --tls-server on
3768  * the other end of the connection]
3769  * --tls-server [matched with --tls-client on
3770  * the other end of the connection]
3771  */
3772 char *
3773 options_string(const struct options *o,
3774  const struct frame *frame,
3775  struct tuntap *tt,
3776  openvpn_net_ctx_t *ctx,
3777  bool remote,
3778  struct gc_arena *gc)
3779 {
3780  struct buffer out = alloc_buf(OPTION_LINE_SIZE);
3781  bool tt_local = false;
3782 
3783  buf_printf(&out, "V4");
3784 
3785  /*
3786  * Tunnel Options
3787  */
3788 
3789  buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
3790  /* the link-mtu that we send has only a meaning if have a fixed
3791  * cipher (p2p) or have a fallback cipher configured for older non
3792  * ncp clients. But not sending it will make even 2.4 complain
3793  * about it being missing. So still send it. */
3794  buf_printf(&out, ",link-mtu %u",
3795  (unsigned int) calc_options_string_link_mtu(o, frame));
3796 
3797  buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame));
3798  buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
3799 
3800  bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
3801  /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
3802  * is usually pushed by the server, triggering a non-helpful warning
3803  */
3804  if (o->ifconfig_ipv6_local && p2p_nopull)
3805  {
3806  buf_printf(&out, ",tun-ipv6");
3807  }
3808 
3809  /*
3810  * Try to get ifconfig parameters into the options string.
3811  * If tt is undefined, make a temporary instantiation.
3812  */
3813  if (!tt)
3814  {
3815  tt = init_tun(o->dev,
3816  o->dev_type,
3817  o->topology,
3818  o->ifconfig_local,
3823  NULL,
3824  NULL,
3825  false,
3826  NULL,
3827  ctx);
3828  if (tt)
3829  {
3830  tt_local = true;
3831  }
3832  }
3833 
3834  if (tt && p2p_nopull)
3835  {
3836  const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
3837  if (ios && strlen(ios))
3838  {
3839  buf_printf(&out, ",ifconfig %s", ios);
3840  }
3841  }
3842  if (tt_local)
3843  {
3844  free(tt);
3845  tt = NULL;
3846  }
3847 
3848 #ifdef USE_COMP
3849  if (o->comp.alg != COMP_ALG_UNDEF)
3850  {
3851  buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
3852  }
3853 #endif
3854 
3855 #ifdef ENABLE_FRAGMENT
3856  if (o->ce.fragment)
3857  {
3858  buf_printf(&out, ",mtu-dynamic");
3859  }
3860 #endif
3861 
3862 #define TLS_CLIENT (o->tls_client)
3863 #define TLS_SERVER (o->tls_server)
3864 
3865  /*
3866  * Key direction
3867  */
3868  {
3869  const char *kd = keydirection2ascii(o->key_direction, remote, false);
3870  if (kd)
3871  {
3872  buf_printf(&out, ",keydir %s", kd);
3873  }
3874  }
3875 
3876  /*
3877  * Crypto Options
3878  */
3880  {
3881  struct key_type kt;
3882 
3883  ASSERT((o->shared_secret_file != NULL)
3884  + (TLS_CLIENT == true)
3885  + (TLS_SERVER == true)
3886  <= 1);
3887 
3888  /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
3889  * to work here in the default configuration */
3890  const char *ciphername = o->ciphername;
3891  int keysize;
3892 
3893  if (strcmp(o->ciphername, "BF-CBC") == 0)
3894  {
3895  init_key_type(&kt, "none", o->authname, true, false);
3896  keysize = 128;
3897  }
3898  else
3899  {
3900  init_key_type(&kt, o->ciphername, o->authname, true, false);
3901  ciphername = cipher_kt_name(kt.cipher);
3902  keysize = kt.cipher_length * 8;
3903  }
3904  /* Only announce the cipher to our peer if we are willing to
3905  * support it */
3906  if (p2p_nopull || !o->ncp_enabled
3907  || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
3908  {
3909  buf_printf(&out, ",cipher %s", ciphername);
3910  }
3911  buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
3912  buf_printf(&out, ",keysize %d", keysize);
3913  if (o->shared_secret_file)
3914  {
3915  buf_printf(&out, ",secret");
3916  }
3917  if (!o->replay)
3918  {
3919  buf_printf(&out, ",no-replay");
3920  }
3921 
3922 #ifdef ENABLE_PREDICTION_RESISTANCE
3923  if (o->use_prediction_resistance)
3924  {
3925  buf_printf(&out, ",use-prediction-resistance");
3926  }
3927 #endif
3928  }
3929 
3930  /*
3931  * SSL Options
3932  */
3933  {
3934  if (TLS_CLIENT || TLS_SERVER)
3935  {
3936  if (o->ce.tls_auth_file)
3937  {
3938  buf_printf(&out, ",tls-auth");
3939  }
3940  /* Not adding tls-crypt here, because we won't reach this code if
3941  * tls-auth/tls-crypt does not match. Removing tls-auth here would
3942  * break stuff, so leaving that in place. */
3943 
3944  buf_printf(&out, ",key-method %d", KEY_METHOD_2);
3945  }
3946 
3947  if (remote)
3948  {
3949  if (TLS_CLIENT)
3950  {
3951  buf_printf(&out, ",tls-server");
3952  }
3953  else if (TLS_SERVER)
3954  {
3955  buf_printf(&out, ",tls-client");
3956  }
3957  }
3958  else
3959  {
3960  if (TLS_CLIENT)
3961  {
3962  buf_printf(&out, ",tls-client");
3963  }
3964  else if (TLS_SERVER)
3965  {
3966  buf_printf(&out, ",tls-server");
3967  }
3968  }
3969  }
3970 
3971 #undef TLS_CLIENT
3972 #undef TLS_SERVER
3973 
3974  return BSTR(&out);
3975 }
3976 
3977 /*
3978  * Compare option strings for equality.
3979  * If the first two chars of the strings differ, it means that
3980  * we are looking at different versions of the options string,
3981  * therefore don't compare them and return true.
3982  */
3983 
3984 bool
3985 options_cmp_equal(char *actual, const char *expected)
3986 {
3987  return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
3988 }
3989 
3990 void
3991 options_warning(char *actual, const char *expected)
3992 {
3993  options_warning_safe(actual, expected, strlen(actual) + 1);
3994 }
3995 
3996 static const char *
3997 options_warning_extract_parm1(const char *option_string,
3998  struct gc_arena *gc_ret)
3999 {
4000  struct gc_arena gc = gc_new();
4001  struct buffer b = string_alloc_buf(option_string, &gc);
4002  char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4003  const char *ret;
4004 
4005  buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4006  ret = string_alloc(p, gc_ret);
4007  gc_free(&gc);
4008  return ret;
4009 }
4010 
4011 static void
4012 options_warning_safe_scan2(const int msglevel,
4013  const int delim,
4014  const bool report_inconsistent,
4015  const char *p1,
4016  const struct buffer *b2_src,
4017  const char *b1_name,
4018  const char *b2_name)
4019 {
4020  /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4021  * OCC in a future version (because it's not useful). To reduce questions
4022  * when interoperating, we no longer printing a warning about it.
4023  */
4024  if (strprefix(p1, "key-method ")
4025  || strprefix(p1, "keydir ")
4026  || strprefix(p1, "proto ")
4027  || streq(p1, "tls-auth")
4028  || strprefix(p1, "tun-ipv6")
4029  || strprefix(p1, "cipher "))
4030  {
4031  return;
4032  }
4033 
4034  if (strlen(p1) > 0)
4035  {
4036  struct gc_arena gc = gc_new();
4037  struct buffer b2 = *b2_src;
4038  const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4039  char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4040 
4041  while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4042  {
4043  if (strlen(p2))
4044  {
4045  const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4046 
4047  if (!strcmp(p1, p2))
4048  {
4049  goto done;
4050  }
4051  if (!strcmp(p1_prefix, p2_prefix))
4052  {
4053  if (report_inconsistent)
4054  {
4055  msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4056  safe_print(p1_prefix, &gc),
4057  b1_name,
4058  safe_print(p1, &gc),
4059  b2_name,
4060  safe_print(p2, &gc));
4061  }
4062  goto done;
4063  }
4064  }
4065  }
4066 
4067  msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4068  safe_print(p1_prefix, &gc),
4069  b1_name,
4070  b2_name,
4071  b1_name,
4072  safe_print(p1, &gc));
4073 
4074 done:
4075  gc_free(&gc);
4076  }
4077 }
4078 
4079 static void
4080 options_warning_safe_scan1(const int msglevel,
4081  const int delim,
4082  const bool report_inconsistent,
4083  const struct buffer *b1_src,
4084  const struct buffer *b2_src,
4085  const char *b1_name,
4086  const char *b2_name)
4087 {
4088  struct gc_arena gc = gc_new();
4089  struct buffer b = *b1_src;
4090  char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4091 
4092  while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4093  {
4094  options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4095  }
4096 
4097  gc_free(&gc);
4098 }
4099 
4100 static void
4101 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4102 {
4103  struct gc_arena gc = gc_new();
4104 
4105  if (actual_n > 0)
4106  {
4107  struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4108  struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4109  actual[actual_n - 1] = 0;
4110 
4111  buf_printf(&local, "version %s", expected);
4112  buf_printf(&remote, "version %s", actual);
4113 
4114  options_warning_safe_scan1(msglevel, ',', true,
4115  &local, &remote,
4116  "local", "remote");
4117 
4118  options_warning_safe_scan1(msglevel, ',', false,
4119  &remote, &local,
4120  "remote", "local");
4121  }
4122 
4123  gc_free(&gc);
4124 }
4125 
4126 bool
4127 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4128 {
4129  struct gc_arena gc = gc_new();
4130  bool ret = true;
4131 
4132  if (actual_n > 0)
4133  {
4134  actual[actual_n - 1] = 0;
4135 #ifndef ENABLE_STRICT_OPTIONS_CHECK
4136  if (strncmp(actual, expected, 2))
4137  {
4138  msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4139  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4140  }
4141  else
4142 #endif
4143  ret = !strcmp(actual, expected);
4144  }
4145  gc_free(&gc);
4146  return ret;
4147 }
4148 
4149 void
4150 options_warning_safe(char *actual, const char *expected, size_t actual_n)
4151 {
4152  options_warning_safe_ml(M_WARN, actual, expected, actual_n);
4153 }
4154 
4155 const char *
4156 options_string_version(const char *s, struct gc_arena *gc)
4157 {
4158  struct buffer out = alloc_buf_gc(4, gc);
4159  strncpynt((char *) BPTR(&out), s, 3);
4160  return BSTR(&out);
4161 }
4162 
4163 char *
4164 options_string_extract_option(const char *options_string,const char *opt_name,
4165  struct gc_arena *gc)
4166 {
4167  char *ret = NULL;
4168  const size_t opt_name_len = strlen(opt_name);
4169 
4170  const char *p = options_string;
4171  while (p)
4172  {
4173  if (0 == strncmp(p, opt_name, opt_name_len)
4174  && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4175  {
4176  /* option found, extract value */
4177  const char *start = &p[opt_name_len+1];
4178  const char *end = strchr(p, ',');
4179  size_t val_len = end ? end - start : strlen(start);
4180  ret = gc_malloc(val_len+1, true, gc);
4181  memcpy(ret, start, val_len);
4182  break;
4183  }
4184  p = strchr(p, ',');
4185  if (p)
4186  {
4187  p++; /* skip delimiter */
4188  }
4189  }
4190  return ret;
4191 }
4192 
4193 static void
4194 foreign_option(struct options *o, char *argv[], int len, struct env_set *es)
4195 {
4196  if (len > 0)
4197  {
4198  struct gc_arena gc = gc_new();
4199  struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
4200  struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
4201  int i;
4202  bool first = true;
4203  bool good = true;
4204 
4205  good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
4206  ++o->foreign_option_index;
4207  for (i = 0; i < len; ++i)
4208  {
4209  if (argv[i])
4210  {
4211  if (!first)
4212  {
4213  good &= buf_printf(&value, " ");
4214  }
4215  good &= buf_printf(&value, "%s", argv[i]);
4216  first = false;
4217  }
4218  }
4219  if (good)
4220  {
4221  setenv_str(es, BSTR(&name), BSTR(&value));
4222  }
4223  else
4224  {
4225  msg(M_WARN, "foreign_option: name/value overflow");
4226  }
4227  gc_free(&gc);
4228  }
4229 }
4230 
4231 #ifdef _WIN32
4232 
4239 static enum windows_driver_type
4240 parse_windows_driver(const char *str, const int msglevel)
4241 {
4242  if (streq(str, "tap-windows6"))
4243  {
4245  }
4246  else if (streq(str, "wintun"))
4247  {
4248  return WINDOWS_DRIVER_WINTUN;
4249  }
4250  else
4251  {
4252  msg(msglevel, "--windows-driver must be tap-windows6 or wintun");
4254  }
4255 }
4256 #endif
4257 
4258 /*
4259  * parse/print topology coding
4260  */
4261 
4262 int
4263 parse_topology(const char *str, const int msglevel)
4264 {
4265  if (streq(str, "net30"))
4266  {
4267  return TOP_NET30;
4268  }
4269  else if (streq(str, "p2p"))
4270  {
4271  return TOP_P2P;
4272  }
4273  else if (streq(str, "subnet"))
4274  {
4275  return TOP_SUBNET;
4276  }
4277  else
4278  {
4279  msg(msglevel, "--topology must be net30, p2p, or subnet");
4280  return TOP_UNDEF;
4281  }
4282 }
4283 
4284 const char *
4285 print_topology(const int topology)
4286 {
4287  switch (topology)
4288  {
4289  case TOP_UNDEF:
4290  return "undef";
4291 
4292  case TOP_NET30:
4293  return "net30";
4294 
4295  case TOP_P2P:
4296  return "p2p";
4297 
4298  case TOP_SUBNET:
4299  return "subnet";
4300 
4301  default:
4302  return "unknown";
4303  }
4304 }
4305 
4306 /*
4307  * Manage auth-retry variable
4308  */
4309 
4310 static int global_auth_retry; /* GLOBAL */
4311 
4312 int
4314 {
4315  return global_auth_retry;
4316 }
4317 
4318 bool
4319 auth_retry_set(const int msglevel, const char *option)
4320 {
4321  if (streq(option, "interact"))
4322  {
4324  }
4325  else if (streq(option, "nointeract"))
4326  {
4328  }
4329  else if (streq(option, "none"))
4330  {
4332  }
4333  else
4334  {
4335  msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4336  return false;
4337  }
4338  return true;
4339 }
4340 
4341 const char *
4343 {
4344  switch (global_auth_retry)
4345  {
4346  case AR_NONE:
4347  return "none";
4348 
4349  case AR_NOINTERACT:
4350  return "nointeract";
4351 
4352  case AR_INTERACT:
4353  return "interact";
4354 
4355  default:
4356  return "???";
4357  }
4358 }
4359 
4360 /*
4361  * Print the help message.
4362  */
4363 static void
4364 usage(void)
4365 {
4366  FILE *fp = msg_fp(0);
4367 
4368 #ifdef ENABLE_SMALL
4369 
4370  fprintf(fp, "Usage message not available\n");
4371 
4372 #else
4373 
4374  struct options o;
4375  init_options(&o, true);
4376 
4377  fprintf(fp, usage_message,
4378  title_string,
4381  o.ce.local_port, o.ce.remote_port,
4383  o.verbosity,
4384  o.authname, o.ciphername,
4388  fflush(fp);
4389 
4390 #endif /* ENABLE_SMALL */
4391 
4392  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4393 }
4394 
4395 void
4397 {
4398  msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4399  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4400 }
4401 
4402 #ifdef _WIN32
4403 void
4404 show_windows_version(const unsigned int flags)
4405 {
4406  struct gc_arena gc = gc_new();
4407  msg(flags, "Windows version %s", win32_version_string(&gc, true));
4408  gc_free(&gc);
4409 }
4410 #endif
4411 
4412 void
4413 show_library_versions(const unsigned int flags)
4414 {
4415 #ifdef ENABLE_LZO
4416 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4417 #else
4418 #define LZO_LIB_VER_STR "", ""
4419 #endif
4420 
4421  msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4422  LZO_LIB_VER_STR);
4423 
4424 #undef LZO_LIB_VER_STR
4425 }
4426 
4427 static void
4429 {
4432 #ifdef _WIN32
4434 #endif
4435  msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4436  msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>");
4437 #ifndef ENABLE_SMALL
4438 #ifdef CONFIGURE_DEFINES
4439  msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4440 #endif
4441 #ifdef CONFIGURE_SPECIAL_BUILD
4442  msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4443 #endif
4444 #endif
4446 }
4447 
4448 void
4449 notnull(const char *arg, const char *description)
4450 {
4451  if (!arg)
4452  {
4453  msg(M_USAGE, "You must define %s", description);
4454  }
4455 }
4456 
4457 bool
4458 string_defined_equal(const char *s1, const char *s2)
4459 {
4460  if (s1 && s2)
4461  {
4462  return !strcmp(s1, s2);
4463  }
4464  else
4465  {
4466  return false;
4467  }
4468 }
4469 
4470 #if 0
4471 static void
4472 ping_rec_err(int msglevel)
4473 {
4474  msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4475 }
4476 #endif
4477 
4478 static int
4479 positive_atoi(const char *str)
4480 {
4481  const int i = atoi(str);
4482  return i < 0 ? 0 : i;
4483 }
4484 
4485 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4486 static unsigned int
4487 atou(const char *str)
4488 {
4489  unsigned int val = 0;
4490  sscanf(str, "%u", &val);
4491  return val;
4492 }
4493 #endif
4494 
4495 static inline bool
4496 space(unsigned char c)
4497 {
4498  return c == '\0' || isspace(c);
4499 }
4500 
4501 int
4502 parse_line(const char *line,
4503  char *p[],
4504  const int n,
4505  const char *file,
4506  const int line_num,
4507  int msglevel,
4508  struct gc_arena *gc)
4509 {
4510  const int STATE_INITIAL = 0;
4511  const int STATE_READING_QUOTED_PARM = 1;
4512  const int STATE_READING_UNQUOTED_PARM = 2;
4513  const int STATE_DONE = 3;
4514  const int STATE_READING_SQUOTED_PARM = 4;
4515 
4516  const char *error_prefix = "";
4517 
4518  int ret = 0;
4519  const char *c = line;
4520  int state = STATE_INITIAL;
4521  bool backslash = false;
4522  char in, out;
4523 
4524  char parm[OPTION_PARM_SIZE];
4525  unsigned int parm_len = 0;
4526 
4527  msglevel &= ~M_OPTERR;
4528 
4529  if (msglevel & M_MSG_VIRT_OUT)
4530  {
4531  error_prefix = "ERROR: ";
4532  }
4533 
4534  do
4535  {
4536  in = *c;
4537  out = 0;
4538 
4539  if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4540  {
4541  backslash = true;
4542  }
4543  else
4544  {
4545  if (state == STATE_INITIAL)
4546  {
4547  if (!space(in))
4548  {
4549  if (in == ';' || in == '#') /* comment */
4550  {
4551  break;
4552  }
4553  if (!backslash && in == '\"')
4554  {
4555  state = STATE_READING_QUOTED_PARM;
4556  }
4557  else if (!backslash && in == '\'')
4558  {
4559  state = STATE_READING_SQUOTED_PARM;
4560  }
4561  else
4562  {
4563  out = in;
4564  state = STATE_READING_UNQUOTED_PARM;
4565  }
4566  }
4567  }
4568  else if (state == STATE_READING_UNQUOTED_PARM)
4569  {
4570  if (!backslash && space(in))
4571  {
4572  state = STATE_DONE;
4573  }
4574  else
4575  {
4576  out = in;
4577  }
4578  }
4579  else if (state == STATE_READING_QUOTED_PARM)
4580  {
4581  if (!backslash && in == '\"')
4582  {
4583  state = STATE_DONE;
4584  }
4585  else
4586  {
4587  out = in;
4588  }
4589  }
4590  else if (state == STATE_READING_SQUOTED_PARM)
4591  {
4592  if (in == '\'')
4593  {
4594  state = STATE_DONE;
4595  }
4596  else
4597  {
4598  out = in;
4599  }
4600  }
4601  if (state == STATE_DONE)
4602  {
4603  /* ASSERT (parm_len > 0); */
4604  p[ret] = gc_malloc(parm_len + 1, true, gc);
4605  memcpy(p[ret], parm, parm_len);
4606  p[ret][parm_len] = '\0';
4607  state = STATE_INITIAL;
4608  parm_len = 0;
4609  ++ret;
4610  }
4611 
4612  if (backslash && out)
4613  {
4614  if (!(out == '\\' || out == '\"' || space(out)))
4615  {
4616 #ifdef ENABLE_SMALL
4617  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
4618 #else
4619  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
4620 #endif
4621  return 0;
4622  }
4623  }
4624  backslash = false;
4625  }
4626 
4627  /* store parameter character */
4628  if (out)
4629  {
4630  if (parm_len >= SIZE(parm))
4631  {
4632  parm[SIZE(parm) - 1] = 0;
4633  msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
4634  error_prefix, file, line_num, (int) SIZE(parm), parm);
4635  return 0;
4636  }
4637  parm[parm_len++] = out;
4638  }
4639 
4640  /* avoid overflow if too many parms in one config file line */
4641  if (ret >= n)
4642  {
4643  break;
4644  }
4645 
4646  } while (*c++ != '\0');
4647 
4648  if (state == STATE_READING_QUOTED_PARM)
4649  {
4650  msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
4651  return 0;
4652  }
4653  if (state == STATE_READING_SQUOTED_PARM)
4654  {
4655  msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
4656  return 0;
4657  }
4658  if (state != STATE_INITIAL)
4659  {
4660  msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
4661  return 0;
4662  }
4663 #if 0
4664  {
4665  int i;
4666  for (i = 0; i < ret; ++i)
4667  {
4668  msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
4669  }
4670  }
4671 #endif
4672  return ret;
4673 }
4674 
4675 static void
4677 {
4678  if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
4679  {
4680  *p += 2;
4681  }
4682 }
4683 
4684 struct in_src {
4685 #define IS_TYPE_FP 1
4686 #define IS_TYPE_BUF 2
4687  int type;
4688  union {
4689  FILE *fp;
4691  } u;
4692 };
4693 
4694 static bool
4695 in_src_get(const struct in_src *is, char *line, const int size)
4696 {
4697  if (is->type == IS_TYPE_FP)
4698  {
4699  return BOOL_CAST(fgets(line, size, is->u.fp));
4700  }
4701  else if (is->type == IS_TYPE_BUF)
4702  {
4703  bool status = buf_parse(is->u.multiline, '\n', line, size);
4704  if ((int) strlen(line) + 1 < size)
4705  {
4706  strcat(line, "\n");
4707  }
4708  return status;
4709  }
4710  else
4711  {
4712  ASSERT(0);
4713  return false;
4714  }
4715 }
4716 
4717 static char *
4718 read_inline_file(struct in_src *is, const char *close_tag,
4719  int *num_lines, struct gc_arena *gc)
4720 {
4721  char line[OPTION_LINE_SIZE];
4722  struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
4723  char *ret;
4724  bool endtagfound = false;
4725 
4726  while (in_src_get(is, line, sizeof(line)))
4727  {
4728  (*num_lines)++;
4729  char *line_ptr = line;
4730  /* Remove leading spaces */
4731  while (isspace(*line_ptr))
4732  {
4733  line_ptr++;
4734  }
4735  if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
4736  {
4737  endtagfound = true;
4738  break;
4739  }
4740  if (!buf_safe(&buf, strlen(line)+1))
4741  {
4742  /* Increase buffer size */
4743  struct buffer buf2 = alloc_buf(buf.capacity * 2);
4744  ASSERT(buf_copy(&buf2, &buf));
4745  buf_clear(&buf);
4746  free_buf(&buf);
4747  buf = buf2;
4748  }
4749  buf_printf(&buf, "%s", line);
4750  }
4751  if (!endtagfound)
4752  {
4753  msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
4754  }
4755  ret = string_alloc(BSTR(&buf), gc);
4756  buf_clear(&buf);
4757  free_buf(&buf);
4758  secure_memzero(line, sizeof(line));
4759  return ret;
4760 }
4761 
4762 static int
4763 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
4764 {
4765  int num_inline_lines = 0;
4766 
4767  if (p[0] && !p[1])
4768  {
4769  char *arg = p[0];
4770  if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
4771  {
4772  struct buffer close_tag;
4773 
4774  arg[strlen(arg) - 1] = '\0';
4775  p[0] = string_alloc(arg + 1, gc);
4776  close_tag = alloc_buf(strlen(p[0]) + 4);
4777  buf_printf(&close_tag, "</%s>", p[0]);
4778  p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
4779  p[2] = NULL;
4780  free_buf(&close_tag);
4781  }
4782  }
4783  return num_inline_lines;
4784 }
4785 
4786 static int
4787 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
4788 {
4789  struct in_src is;
4790  is.type = IS_TYPE_FP;
4791  is.u.fp = fp;
4792  return check_inline_file(&is, p, gc);
4793 }
4794 
4795 static int
4797  struct gc_arena *gc)
4798 {
4799  struct in_src is;
4800  is.type = IS_TYPE_BUF;
4801  is.u.multiline = multiline;
4802  return check_inline_file(&is, p, gc);
4803 }
4804 
4805 static void
4806 add_option(struct options *options,
4807  char *p[],
4808  bool is_inline,
4809  const char *file,
4810  int line,
4811  const int level,
4812  const int msglevel,
4813  const unsigned int permission_mask,
4814  unsigned int *option_types_found,
4815  struct env_set *es);
4816 
4817 static void
4818 read_config_file(struct options *options,
4819  const char *file,
4820  int level,
4821  const char *top_file,
4822  const int top_line,
4823  const int msglevel,
4824  const unsigned int permission_mask,
4825  unsigned int *option_types_found,
4826  struct env_set *es)
4827 {
4828  const int max_recursive_levels = 10;
4829  FILE *fp;
4830  int line_num;
4831  char line[OPTION_LINE_SIZE+1];
4832  char *p[MAX_PARMS+1];
4833 
4834  ++level;
4835  if (level <= max_recursive_levels)
4836  {
4837  if (streq(file, "stdin"))
4838  {
4839  fp = stdin;
4840  }
4841  else
4842  {
4843  fp = platform_fopen(file, "r");
4844  }
4845  if (fp)
4846  {
4847  line_num = 0;
4848  while (fgets(line, sizeof(line), fp))
4849  {
4850  int offset = 0;
4851  CLEAR(p);
4852  ++line_num;
4853  if (strlen(line) == OPTION_LINE_SIZE)
4854  {
4855  msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
4856  file, line_num, OPTION_LINE_SIZE, line);
4857  }
4858 
4859  /* Ignore UTF-8 BOM at start of stream */
4860  if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
4861  {
4862  offset = 3;
4863  }
4864  if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
4865  {
4866  bypass_doubledash(&p[0]);
4867  int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
4868  add_option(options, p, lines_inline, file, line_num, level,
4869  msglevel, permission_mask, option_types_found,
4870  es);
4871  line_num += lines_inline;
4872  }
4873  }
4874  if (fp != stdin)
4875  {
4876  fclose(fp);
4877  }
4878  }
4879  else
4880  {
4881  msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
4882  }
4883  }
4884  else
4885  {
4886  msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
4887  }
4888  secure_memzero(line, sizeof(line));
4889  CLEAR(p);
4890 }
4891 
4892 static void
4893 read_config_string(const char *prefix,
4894  struct options *options,
4895  const char *config,
4896  const int msglevel,
4897  const unsigned int permission_mask,
4898  unsigned int *option_types_found,
4899  struct env_set *es)
4900 {
4901  char line[OPTION_LINE_SIZE];
4902  struct buffer multiline;
4903  int line_num = 0;
4904 
4905  buf_set_read(&multiline, (uint8_t *)config, strlen(config));
4906 
4907  while (buf_parse(&multiline, '\n', line, sizeof(line)))
4908  {
4909  char *p[MAX_PARMS+1];
4910  CLEAR(p);
4911  ++line_num;
4912  if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
4913  {
4914  bypass_doubledash(&p[0]);
4915  int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
4916  add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
4917  permission_mask, option_types_found, es);
4918  line_num += lines_inline;
4919  }
4920  CLEAR(p);
4921  }
4922  secure_memzero(line, sizeof(line));
4923 }
4924 
4925 void
4926 parse_argv(struct options *options,
4927  const int argc,
4928  char *argv[],
4929  const int msglevel,
4930  const unsigned int permission_mask,
4931  unsigned int *option_types_found,
4932  struct env_set *es)
4933 {
4934  int i, j;
4935 
4936  /* usage message */
4937  if (argc <= 1)
4938  {
4939  usage();
4940  }
4941 
4942  /* config filename specified only? */
4943  if (argc == 2 && strncmp(argv[1], "--", 2))
4944  {
4945  char *p[MAX_PARMS];
4946  CLEAR(p);
4947  p[0] = "config";
4948  p[1] = argv[1];
4949  add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
4950  option_types_found, es);
4951  }
4952  else
4953  {
4954  /* parse command line */
4955  for (i = 1; i < argc; ++i)
4956  {
4957  char *p[MAX_PARMS];
4958  CLEAR(p);
4959  p[0] = argv[i];
4960  if (strncmp(p[0], "--", 2))
4961  {
4962  msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
4963  }
4964  else
4965  {
4966  p[0] += 2;
4967  }
4968 
4969  for (j = 1; j < MAX_PARMS; ++j)
4970  {
4971  if (i + j < argc)
4972  {
4973  char *arg = argv[i + j];
4974  if (strncmp(arg, "--", 2))
4975  {
4976  p[j] = arg;
4977  }
4978  else
4979  {
4980  break;
4981  }
4982  }
4983  }
4984  add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
4985  option_types_found, es);
4986  i += j - 1;
4987  }
4988  }
4989 }
4990 
4999 static bool
5000 apply_pull_filter(const struct options *o, char *line)
5001 {
5002  struct pull_filter *f;
5003 
5004  if (!o->pull_filter_list)
5005  {
5006  return true;
5007  }
5008 
5009  for (f = o->pull_filter_list->head; f; f = f->next)
5010  {
5011  if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5012  {
5013  msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5014  return true;
5015  }
5016  else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5017  {
5018  msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5019  *line = '\0';
5020  return true;
5021  }
5022  else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5023  {
5024  msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5025  *line = '\0';
5026  throw_signal_soft(SIGUSR1, "Offending option received from server");
5027  return false;
5028  }
5029  }
5030  return true;
5031 }
5032 
5033 bool
5034 apply_push_options(struct options *options,
5035  struct buffer *buf,
5036  unsigned int permission_mask,
5037  unsigned int *option_types_found,
5038  struct env_set *es)
5039 {
5040  char line[OPTION_PARM_SIZE];
5041  int line_num = 0;
5042  const char *file = "[PUSH-OPTIONS]";
5043  const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5044 
5045  while (buf_parse(buf, ',', line, sizeof(line)))
5046  {
5047  char *p[MAX_PARMS+1];
5048  CLEAR(p);
5049  ++line_num;
5050  if (!apply_pull_filter(options, line))
5051  {
5052  return false; /* Cause push/pull error and stop push processing */
5053  }
5054  if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5055  {
5056  add_option(options, p, false, file, line_num, 0, msglevel,
5057  permission_mask, option_types_found, es);
5058  }
5059  }
5060  return true;
5061 }
5062 
5063 void
5064 options_server_import(struct options *o,
5065  const char *filename,
5066  int msglevel,
5067  unsigned int permission_mask,
5068  unsigned int *option_types_found,
5069  struct env_set *es)
5070 {
5071  msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5072  read_config_file(o,
5073  filename,
5074  0,
5075  filename,
5076  0,
5077  msglevel,
5078  permission_mask,
5079  option_types_found,
5080  es);
5081 }
5082 
5083 void
5084 options_string_import(struct options *options,
5085  const char *config,
5086  const int msglevel,
5087  const unsigned int permission_mask,
5088  unsigned int *option_types_found,
5089  struct env_set *es)
5090 {
5091  read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5092 }
5093 
5094 #define VERIFY_PERMISSION(mask) { \
5095  if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5096  option_types_found, msglevel, options, is_inline)) \
5097  { \
5098  goto err; \
5099  } \
5100 }
5101 
5102 static bool
5103 verify_permission(const char *name,
5104  const char *file,
5105  int line,
5106  const unsigned int type,
5107  const unsigned int allowed,
5108  unsigned int *found,
5109  const int msglevel,
5110  struct options *options,
5111  bool is_inline)
5112 {
5113  if (!(type & allowed))
5114  {
5115  msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5116  return false;
5117  }
5118 
5119  if (is_inline && !(type & OPT_P_INLINE))
5120  {
5121  msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5122  file, line);
5123  return false;
5124  }
5125 
5126  if (found)
5127  {
5128  *found |= type;
5129  }
5130 
5131 #ifndef ENABLE_SMALL
5132  /* Check if this options is allowed in connection block,
5133  * but we are currently not in a connection block
5134  * unless this is a pushed option.
5135  * Parsing a connection block uses a temporary options struct without
5136  * connection_list
5137  */
5138 
5139  if ((type & OPT_P_CONNECTION) && options->connection_list
5140  && !(allowed & OPT_P_PULL_MODE))
5141  {
5142  if (file)
5143  {
5144  msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5145  }
5146  else
5147  {
5148  msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5149  }
5150  }
5151 #endif
5152  return true;
5153 }
5154 
5155 /*
5156  * Check that an option doesn't have too
5157  * many parameters.
5158  */
5159 
5160 #define NM_QUOTE_HINT (1<<0)
5161 
5162 static bool
5163 no_more_than_n_args(const int msglevel,
5164  char *p[],
5165  const int max,
5166  const unsigned int flags)
5167 {
5168  const int len = string_array_len((const char **)p);
5169 
5170  if (!len)
5171  {
5172  return false;
5173  }
5174 
5175  if (len > max)
5176  {
5177  msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5178  p[0],
5179  max - 1,
5180  max >= 3 ? "s" : "",
5181  (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5182  return false;
5183  }
5184  else
5185  {
5186  return true;
5187  }
5188 }
5189 
5190 static inline int
5191 msglevel_forward_compatible(struct options *options, const int msglevel)
5192 {
5193  return options->forward_compatible ? M_WARN : msglevel;
5194 }
5195 
5196 static void
5197 set_user_script(struct options *options,
5198  const char **script,
5199  const char *new_script,
5200  const char *type,
5201  bool in_chroot)
5202 {
5203  if (*script)
5204  {
5205  msg(M_WARN, "Multiple --%s scripts defined. "
5206  "The previously configured script is overridden.", type);
5207  }
5208  *script = new_script;
5209  options->user_script_used = true;
5210 
5211 #ifndef ENABLE_SMALL
5212  {
5213  char script_name[100];
5214  openvpn_snprintf(script_name, sizeof(script_name),
5215  "--%s script", type);
5216 
5217  if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5218  {
5219  msg(M_USAGE, "Please correct this error.");
5220  }
5221 
5222  }
5223 #endif
5224 }
5225 
5226 #ifdef USE_COMP
5227 static void
5228 show_compression_warning(struct compress_options *info)
5229 {
5230  if (comp_non_stub_enabled(info))
5231  {
5232  /*
5233  * Check if already displayed the strong warning and enabled full
5234  * compression
5235  */
5236  if (!(info->flags & COMP_F_ALLOW_COMPRESS))
5237  {
5238  msg(M_WARN, "WARNING: Compression for receiving enabled. "
5239  "Compression has been used in the past to break encryption. "
5240  "Sent packets are not compressed unless \"allow-compression yes\" "
5241  "is also set.");
5242  }
5243  }
5244 }
5245 #endif
5246 
5247 static void
5248 add_option(struct options *options,
5249  char *p[],
5250  bool is_inline,
5251  const char *file,
5252  int line,
5253  const int level,
5254  const int msglevel,
5255  const unsigned int permission_mask,
5256  unsigned int *option_types_found,
5257  struct env_set *es)
5258 {
5259  struct gc_arena gc = gc_new();
5260  const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5261  int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5262 
5263  ASSERT(MAX_PARMS >= 7);
5264 
5265  /*
5266  * If directive begins with "setenv opt" prefix, don't raise an error if
5267  * directive is unrecognized.
5268  */
5269  if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5270  {
5271  if (!p[2])
5272  {
5273  p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5274  }
5275  p += 2;
5276  msglevel_fc = M_WARN;
5277  }
5278 
5279  if (!file)
5280  {
5281  file = "[CMD-LINE]";
5282  line = 1;
5283  }
5284  if (streq(p[0], "help"))
5285  {
5287  usage();
5288  if (p[1])
5289  {
5290  msg(msglevel, "--help does not accept any parameters");
5291  goto err;
5292  }
5293  }
5294  if (streq(p[0], "version") && !p[1])
5295  {
5297  usage_version();
5298  }
5299  else if (streq(p[0], "config") && p[1] && !p[2])
5300  {
5302 
5303  /* save first config file only in options */
5304  if (!options->config)
5305  {
5306  options->config = p[1];
5307  }
5308 
5309  read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5310  }
5311 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5312  else if (streq(p[0], "show-gateway") && !p[2])
5313  {
5314  struct route_gateway_info rgi;
5315  struct route_ipv6_gateway_info rgi6;
5316  struct in6_addr remote = IN6ADDR_ANY_INIT;
5317  openvpn_net_ctx_t net_ctx;
5319  if (p[1])
5320  {
5321  get_ipv6_addr(p[1], &remote, NULL, M_WARN);
5322  }
5323  net_ctx_init(NULL, &net_ctx);
5324  get_default_gateway(&rgi, &net_ctx);
5325  get_default_gateway_ipv6(&rgi6, &remote, &net_ctx);
5326  print_default_gateway(M_INFO, &rgi, &rgi6);
5327  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5328  }
5329 #endif
5330 #if 0
5331  else if (streq(p[0], "foreign-option") && p[1])
5332  {
5334  foreign_option(options, p, 3, es);
5335  }
5336 #endif
5337  else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5338  {
5339  struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5340  int j;
5341  bool good = true;
5342 
5344 
5345  for (j = 1; j < MAX_PARMS; ++j)
5346  {
5347  if (!p[j])
5348  {
5349  break;
5350  }
5351  if (j > 1)
5352  {
5353  good &= buf_printf(&string, " ");
5354  }
5355  good &= buf_printf(&string, "%s", p[j]);
5356  }
5357  if (good)
5358  {
5359  /* only message-related ECHO are logged, since other ECHOs
5360  * can potentially include security-sensitive strings */
5361  if (strncmp(p[1], "msg", 3) == 0)
5362  {
5363  msg(M_INFO, "%s:%s",
5364  pull_mode ? "ECHO-PULL" : "ECHO",
5365  BSTR(&string));
5366  }
5367 #ifdef ENABLE_MANAGEMENT
5368  if (management)
5369  {
5370  management_echo(management, BSTR(&string), pull_mode);
5371  }
5372 #endif
5373  }
5374  else
5375  {
5376  msg(M_WARN, "echo/parameter option overflow");
5377  }
5378  }
5379 #ifdef ENABLE_MANAGEMENT
5380  else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5381  {
5383  if (streq(p[2], "unix"))
5384  {
5385 #if UNIX_SOCK_SUPPORT
5386  options->management_flags |= MF_UNIX_SOCK;
5387 #else
5388  msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5389  goto err;
5390 #endif
5391  }
5392 
5393  options->management_addr = p[1];
5394  options->management_port = p[2];
5395  if (p[3])
5396  {
5397  options->management_user_pass = p[3];
5398  }
5399  }
5400  else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5401  {
5403  options->management_client_user = p[1];
5404  }
5405  else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5406  {
5408  options->management_client_group = p[1];
5409  }
5410  else if (streq(p[0], "management-query-passwords") && !p[1])
5411  {
5414  }
5415  else if (streq(p[0], "management-query-remote") && !p[1])
5416  {
5418  options->management_flags |= MF_QUERY_REMOTE;
5419  }
5420  else if (streq(p[0], "management-query-proxy") && !p[1])
5421  {
5423  options->management_flags |= MF_QUERY_PROXY;
5424  }
5425  else if (streq(p[0], "management-hold") && !p[1])
5426  {
5428  options->management_flags |= MF_HOLD;
5429  }
5430  else if (streq(p[0], "management-signal") && !p[1])
5431  {
5433  options->management_flags |= MF_SIGNAL;
5434  }
5435  else if (streq(p[0], "management-forget-disconnect") && !p[1])
5436  {
5439  }
5440  else if (streq(p[0], "management-up-down") && !p[1])
5441  {
5443  options->management_flags |= MF_UP_DOWN;
5444  }
5445  else if (streq(p[0], "management-client") && !p[2])
5446  {
5449  options->management_write_peer_info_file = p[1];
5450  }
5451 #ifdef ENABLE_MANAGEMENT
5452  else if (streq(p[0], "management-external-key"))
5453  {
5455  for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5456  {
5457  if (streq(p[j], "nopadding"))
5458  {
5460  }
5461  else if (streq(p[j], "pkcs1"))
5462  {
5464  }
5465  else
5466  {
5467  msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5468  }
5469  }
5470  /*
5471  * When no option is present, assume that only PKCS1
5472  * padding is supported
5473  */
5474  if (!(options->management_flags
5476  {
5478  }
5479  options->management_flags |= MF_EXTERNAL_KEY;
5480  }
5481  else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5482  {
5484  options->management_flags |= MF_EXTERNAL_CERT;
5485  options->management_certificate = p[1];
5486  }
5487  else if (streq(p[0], "management-client-auth") && !p[1])
5488  {
5490  options->management_flags |= MF_CLIENT_AUTH;
5491  }
5492 #endif /* ifdef ENABLE_MANAGEMENT */
5493 #ifdef MANAGEMENT_PF
5494  else if (streq(p[0], "management-client-pf") && !p[1])
5495  {
5497  options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
5498  }
5499 #endif
5500  else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5501  {
5502  int cache;
5503 
5505  cache = atoi(p[1]);
5506  if (cache < 1)
5507  {
5508  msg(msglevel, "--management-log-cache parameter is out of range");
5509  goto err;
5510  }
5511  options->management_log_history_cache = cache;
5512  }
5513 #endif /* ifdef ENABLE_MANAGEMENT */
5514 #ifdef ENABLE_PLUGIN
5515  else if (streq(p[0], "plugin") && p[1])
5516  {
5518  if (!options->plugin_list)
5519  {
5520  options->plugin_list = plugin_option_list_new(&options->gc);
5521  }
5522  if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5523  {
5524  msg(msglevel, "plugin add failed: %s", p[1]);
5525  goto err;
5526  }
5527  }
5528 #endif
5529  else if (streq(p[0], "mode") && p[1] && !p[2])
5530  {
5532  if (streq(p[1], "p2p"))
5533  {
5534  options->mode = MODE_POINT_TO_POINT;
5535  }
5536  else if (streq(p[1], "server"))
5537  {
5538  options->mode = MODE_SERVER;
5539  }
5540  else
5541  {
5542  msg(msglevel, "Bad --mode parameter: %s", p[1]);
5543  goto err;
5544  }
5545  }
5546  else if (streq(p[0], "dev") && p[1] && !p[2])
5547  {
5549  options->dev = p[1];
5550  }
5551  else if (streq(p[0], "dev-type") && p[1] && !p[2])
5552  {
5554  options->dev_type = p[1];
5555  }
5556 #ifdef _WIN32
5557  else if (streq(p[0], "windows-driver") && p[1] && !p[2])
5558  {
5560  options->windows_driver = parse_windows_driver(p[1], M_FATAL);
5561  }
5562 #endif
5563  else if (streq(p[0], "dev-node") && p[1] && !p[2])
5564  {
5566  options->dev_node = p[1];
5567  }
5568  else if (streq(p[0], "lladdr") && p[1] && !p[2])
5569  {
5571  if (mac_addr_safe(p[1])) /* MAC address only */
5572  {
5573  options->lladdr = p[1];
5574  }
5575  else
5576  {
5577  msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5578  goto err;
5579  }
5580  }
5581  else if (streq(p[0], "topology") && p[1] && !p[2])
5582  {
5584  options->topology = parse_topology(p[1], msglevel);
5585  }
5586  else if (streq(p[0], "tun-ipv6") && !p[1])
5587  {
5588  if (!pull_mode)
5589  {
5590  msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5591  }
5592  }
5593 #ifdef ENABLE_IPROUTE
5594  else if (streq(p[0], "iproute") && p[1] && !p[2])
5595  {
5597  iproute_path = p[1];
5598  }
5599 #endif
5600  else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5601  {
5603  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5604  {
5605  options->ifconfig_local = p[1];
5606  options->ifconfig_remote_netmask = p[2];
5607  }
5608  else
5609  {
5610  msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5611  goto err;
5612  }
5613  }
5614  else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
5615  {
5616  unsigned int netbits;
5617 
5619  if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
5620  && ipv6_addr_safe( p[2] ) )
5621  {
5622  if (netbits < 64 || netbits > 124)
5623  {
5624  msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
5625  goto err;
5626  }
5627 
5628  options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
5629  options->ifconfig_ipv6_netbits = netbits;
5630  options->ifconfig_ipv6_remote = p[2];
5631  }
5632  else
5633  {
5634  msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5635  goto err;
5636  }
5637  }
5638  else if (streq(p[0], "ifconfig-noexec") && !p[1])
5639  {
5641  options->ifconfig_noexec = true;
5642  }
5643  else if (streq(p[0], "ifconfig-nowarn") && !p[1])
5644  {
5646  options->ifconfig_nowarn = true;
5647  }
5648  else if (streq(p[0], "local") && p[1] && !p[2])
5649  {
5651  options->ce.local = p[1];
5652  }
5653  else if (streq(p[0], "remote-random") && !p[1])
5654  {
5656  options->remote_random = true;
5657  }
5658  else if (streq(p[0], "connection") && p[1] && !p[3])
5659  {
5661  if (is_inline)
5662  {
5663  struct options sub;
5664  struct connection_entry *e;
5665 
5666  init_options(&sub, true);
5667  sub.ce = options->ce;
5668  read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
5669  OPT_P_CONNECTION, option_types_found, es);
5670  if (!sub.ce.remote)
5671  {
5672  msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
5673  uninit_options(&sub);
5674  goto err;
5675  }
5676 
5677  e = alloc_connection_entry(options, msglevel);
5678  if (!e)
5679  {
5680  uninit_options(&sub);
5681  goto err;
5682  }
5683  *e = sub.ce;
5684  gc_transfer(&options->gc, &sub.gc);
5685  uninit_options(&sub);
5686  }
5687  }
5688  else if (streq(p[0], "ignore-unknown-option") && p[1])
5689  {
5690  int i;
5691  int j;
5692  int numignored = 0;
5693  const char **ignore;
5694 
5696  /* Find out how many options to be ignored */
5697  for (i = 1; p[i]; i++)
5698  {
5699  numignored++;
5700  }
5701 
5702  /* add number of options already ignored */