OpenVPN
options.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2008-2024 David Sommerseth <dazo@eurephia.org>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
25 /*
26  * 2004-01-28: Added Socks5 proxy support
27  * (Christof Meerwald, http://cmeerw.org)
28  */
29 
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #endif
33 #ifdef HAVE_CONFIG_VERSION_H
34 #include "config-version.h"
35 #endif
36 
37 #include "syshead.h"
38 
39 #include "buffer.h"
40 #include "error.h"
41 #include "common.h"
42 #include "run_command.h"
43 #include "shaper.h"
44 #include "crypto.h"
45 #include "ssl.h"
46 #include "ssl_ncp.h"
47 #include "options.h"
48 #include "misc.h"
49 #include "socket.h"
50 #include "packet_id.h"
51 #include "pkcs11.h"
52 #include "win32.h"
53 #include "push.h"
54 #include "pool.h"
55 #include "proto.h"
56 #include "helper.h"
57 #include "manage.h"
58 #include "forward.h"
59 #include "ssl_verify.h"
60 #include "platform.h"
61 #include "xkey_common.h"
62 #include "dco.h"
63 #include "options_util.h"
64 
65 #include <ctype.h>
66 
67 #include "memdbg.h"
68 
69 const char title_string[] =
70  PACKAGE_STRING
71 #ifdef CONFIGURE_GIT_REVISION
72  " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
73 #endif
74  " " TARGET_ALIAS
75 #if defined(ENABLE_CRYPTO_MBEDTLS)
76  " [SSL (mbed TLS)]"
77 #elif defined(ENABLE_CRYPTO_OPENSSL)
78  " [SSL (OpenSSL)]"
79 #else
80  " [SSL]"
81 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
82 #ifdef USE_COMP
83 #ifdef ENABLE_LZO
84  " [LZO]"
85 #endif
86 #ifdef ENABLE_LZ4
87  " [LZ4]"
88 #endif
89 #ifdef ENABLE_COMP_STUB
90  " [COMP_STUB]"
91 #endif
92 #endif /* USE_COMP */
93 #if EPOLL
94  " [EPOLL]"
95 #endif
96 #ifdef PRODUCT_TAP_DEBUG
97  " [TAPDBG]"
98 #endif
99 #ifdef ENABLE_PKCS11
100  " [PKCS11]"
101 #endif
102 #if ENABLE_IP_PKTINFO
103 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
104  " [MH/PKTINFO]"
105 #elif defined(IP_RECVDSTADDR)
106  " [MH/RECVDA]"
107 #endif
108 #endif
109  " [AEAD]"
110 #ifdef ENABLE_DCO
111  " [DCO]"
112 #endif
113 #ifdef CONFIGURE_GIT_REVISION
114  " built on " __DATE__
115 #endif
116 ;
117 
118 #ifndef ENABLE_SMALL
119 
120 static const char usage_message[] =
121  "%s\n"
122  "\n"
123  "General Options:\n"
124  "--config file : Read configuration options from file.\n"
125  "--help : Show options.\n"
126  "--version : Show copyright and version information.\n"
127  "\n"
128  "Tunnel Options:\n"
129  "--local host|* [port]: Local host name or IP address and port for bind.\n"
130  " If specified, OpenVPN will bindto this address. If unspecified,\n"
131  " OpenVPN will bind to all interfaces. '*' can be used as hostname\n"
132  " and means 'any host' (OpenVPN will listen on what is returned by the OS).\n"
133  " On a client, or in point-to-point mode, this can only be specified once (1 socket).\n"
134  " On an OpenVPN setup running as ``--server``, this can be specified multiple times\n"
135  " to open multiple listening sockets on different addresses and/or different ports.\n"
136  " In order to specify multiple listen ports without specifying an address, use '*'\n"
137  " to signal 'use what the operating system gives you as default', for\n"
138  " 'all IPv4 addresses' use '0.0.0.0', for 'all IPv6 addresses' use '::'.\n"
139  " ``--local`` implies ``--bind``.\n"
140  "--remote host [port] : Remote host name or ip address.\n"
141  "--remote-random : If multiple --remote options specified, choose one randomly.\n"
142  "--remote-random-hostname : Add a random string to remote DNS name.\n"
143  "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
144  "--proto p : Use protocol p for communicating with peer.\n"
145  " p = udp (default), tcp-server, tcp-client\n"
146  " udp4, tcp4-server, tcp4-client\n"
147  " udp6, tcp6-server, tcp6-client\n"
148  "--proto-force p : only consider protocol p in list of connection profiles.\n"
149  " p = udp or tcp\n"
150  "--connect-retry n [m] : For client, number of seconds to wait between\n"
151  " connection retries (default=%d). On repeated retries\n"
152  " the wait time is exponentially increased to a maximum of m\n"
153  " (default=%d).\n"
154  "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
155  "--http-proxy s p [up] [auth] : Connect to remote host\n"
156  " through an HTTP proxy at address s and port p.\n"
157  " If proxy authentication is required,\n"
158  " up is a file containing username/password on 2 lines, or\n"
159  " 'stdin' to prompt from console. Add auth='ntlm2' if\n"
160  " the proxy requires NTLM authentication.\n"
161  "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
162  " determine auth method and query for username/password\n"
163  " if needed. auto-nct disables weak proxy auth methods.\n"
164  "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
165  " Repeat to set multiple options.\n"
166  " VERSION version (default=1.0)\n"
167  " AGENT user-agent\n"
168  "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
169  " address s and port p (default port = 1080).\n"
170  " If proxy authentication is required,\n"
171  " up is a file containing username/password on 2 lines, or\n"
172  " 'stdin' to prompt for console.\n"
173  "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
174  "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
175  " resolve for n seconds before failing (disabled by default).\n"
176  " Set n=\"infinite\" to retry indefinitely.\n"
177  "--float : Allow remote to change its IP address/port, such as through\n"
178  " DHCP (this is the default if --remote is not used).\n"
179  "--ipchange cmd : Run command cmd on remote ip address initial\n"
180  " setting or change -- execute as: cmd ip-address port#\n"
181  "--port port : TCP/UDP port # for both local and remote.\n"
182  "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
183  "--rport port : TCP/UDP port # for remote (default=%s).\n"
184  "--bind : Bind to local address and port. (This is the default unless\n"
185  " --proto tcp-client"
186  " or --http-proxy"
187  " or --socks-proxy"
188  " is used).\n"
189  "--nobind : Do not bind to local address and port.\n"
190  "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
191  "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
192  " this option only if the tun/tap device used with --dev\n"
193  " does not begin with \"tun\" or \"tap\".\n"
194  "--dev-node node : Explicitly set the device node rather than using\n"
195  " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
196 #if defined(ENABLE_DCO)
197  "--disable-dco : Do not attempt using Data Channel Offload.\n"
198 #endif
199  "--lladdr hw : Set the link layer address of the tap device.\n"
200  "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
201 #ifdef ENABLE_IPROUTE
202  "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
203 #endif
204  "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
205  " endpoint and rn as a remote endpoint. l & rn should be\n"
206  " swapped on the other peer. l & rn must be private\n"
207  " addresses outside of the subnets used by either peer.\n"
208  " TAP: configure device to use IP address l as a local\n"
209  " endpoint and rn as a subnet mask.\n"
210  "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
211  " endpoint (as a /64) and r as remote endpoint\n"
212  "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
213  " pass --ifconfig parms by environment to scripts.\n"
214  "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
215  " connection doesn't match the remote side.\n"
216  "--route network [netmask] [gateway] [metric] :\n"
217  " Add route to routing table after connection\n"
218  " is established. Multiple routes can be specified.\n"
219  " netmask default: 255.255.255.255\n"
220  " gateway default: taken from --route-gateway or --ifconfig\n"
221  " Specify default by leaving blank or setting to \"default\".\n"
222  "--route-ipv6 network/bits [gateway] [metric] :\n"
223  " Add IPv6 route to routing table after connection\n"
224  " is established. Multiple routes can be specified.\n"
225  " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
226  " in --ifconfig-ipv6\n"
227  "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
228  "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
229  "--route-metric m : Specify a default metric for use with --route.\n"
230  "--route-delay n [w] : Delay n seconds after connection initiation before\n"
231  " adding routes (may be 0). If not specified, routes will\n"
232  " be added immediately after tun/tap open. On Windows, wait\n"
233  " up to w seconds for TUN/TAP adapter to come up.\n"
234  "--route-up cmd : Run command cmd after routes are added.\n"
235  "--route-pre-down cmd : Run command cmd before routes are removed.\n"
236  "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
237  " --route-up script using environmental variables.\n"
238  "--route-nopull : When used with --client or --pull, accept options pushed\n"
239  " by server EXCEPT for routes, dns, and dhcp options.\n"
240  "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
241  " --ifconfig, --route, and --route-gateway.\n"
242  "--redirect-gateway [flags]: Automatically execute routing\n"
243  " commands to redirect all outgoing IP traffic through the\n"
244  " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
245  " connected via a common subnet, such as with WiFi.\n"
246  " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
247  " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
248  " flag to add a direct route to DHCP server, bypassing tunnel.\n"
249  " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
250  "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
251  " the default gateway. Useful when pushing private subnets.\n"
252  "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
253  " ICMPv6 host unreachable messages on the client.\n"
254  " (Server) Instead of forwarding IPv6 packets send\n"
255  " ICMPv6 host unreachable packets to the client.\n"
256  "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
257  "--push-peer-info : (client only) push client info to server.\n"
258  "--setenv name value : Set a custom environmental variable to pass to script.\n"
259  "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
260  " directives for future OpenVPN versions to be ignored.\n"
261  "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
262  " these options to be ignored when unknown\n"
263  "--script-security level: Where level can be:\n"
264  " 0 -- strictly no calling of external programs\n"
265  " 1 -- (default) only call built-ins such as ifconfig\n"
266  " 2 -- allow calling of built-ins and scripts\n"
267  " 3 -- allow password to be passed to scripts via env\n"
268  "--shaper n : Restrict output to peer to n bytes per second.\n"
269  "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
270  " ping once every n seconds, restart if ping not received\n"
271  " for m seconds.\n"
272  "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
273  " produces a combined in/out byte count < bytes.\n"
274  "--session-timeout n: Limit connection time to n seconds.\n"
275  "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
276  "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
277  "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
278  " remote address.\n"
279  "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
280 #if ENABLE_IP_PKTINFO
281  "--multihome : Configure a multi-homed UDP server.\n"
282 #endif
283  "--fast-io : Optimize TUN/TAP/UDP writes.\n"
284  "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
285  "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
286  "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
287  "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
288 #if PASSTOS_CAPABILITY
289  "--passtos : TOS passthrough (applies to IPv4 only).\n"
290 #endif
291  "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
292  " TCP/UDP MTU from it (default=%d).\n"
293  "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
294  " as n bytes more than the tun-mtu size on read\n"
295  " (default TUN=0 TAP=%d).\n"
296  "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
297  " from it.\n"
298  "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
299  " 'no' -- Never send DF (Don't Fragment) frames\n"
300  " 'maybe' -- Use per-route hints\n"
301  " 'yes' -- Always DF (Don't Fragment)\n"
302  "--mtu-test : Empirically measure and report MTU.\n"
303 #ifdef ENABLE_FRAGMENT
304  "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
305  " datagrams are sent which are larger than max bytes.\n"
306  " Adds 4 bytes of overhead per datagram.\n"
307 #endif
308  "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
309  " or --fragment max value, whichever is lower.\n"
310  "--sndbuf size : Set the TCP/UDP send buffer size.\n"
311  "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
312 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
313  "--mark value : Mark encrypted packets being sent with value. The mark value\n"
314  " can be matched in policy routing and packetfilter rules.\n"
315  "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
316  " listening for connections. This allows sending encrypted packets\n"
317  " via a VRF present on the system.\n"
318 #endif
319  "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
320 #ifdef ENABLE_MEMSTATS
321  "--memstats file : Write live usage stats to memory mapped binary file.\n"
322 #endif
323  "--mlock : Disable Paging -- ensures key material and tunnel\n"
324  " data will never be written to disk.\n"
325  "--up cmd : Run command cmd after successful tun device open.\n"
326  " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
327  " ifconfig-local-ip ifconfig-remote-ip\n"
328  " (pre --user or --group UID/GID change)\n"
329  "--up-delay : Delay tun/tap open and possible --up script execution\n"
330  " until after TCP/UDP connection establishment with peer.\n"
331  "--down cmd : Run command cmd after tun device close.\n"
332  " (post --user/--group UID/GID change and/or --chroot)\n"
333  " (command parameters are same as --up option)\n"
334  "--down-pre : Run --down command before TUN/TAP close.\n"
335  "--up-restart : Run up/down commands for all restarts including those\n"
336  " caused by --ping-restart or SIGUSR1\n"
337  "--user user : Set UID to user after initialization.\n"
338  "--group group : Set GID to group after initialization.\n"
339  "--chroot dir : Chroot to this directory after initialization.\n"
340 #ifdef ENABLE_SELINUX
341  "--setcon context: Apply this SELinux context after initialization.\n"
342 #endif
343  "--cd dir : Change to this directory before initialization.\n"
344  "--daemon [name] : Become a daemon after initialization.\n"
345  " The optional 'name' parameter will be passed\n"
346  " as the program name to the system logger.\n"
347  "--syslog [name] : Output to syslog, but do not become a daemon.\n"
348  " See --daemon above for a description of the 'name' parm.\n"
349  "--log file : Output log to file which is created/truncated on open.\n"
350  "--log-append file : Append log to file, or create file if nonexistent.\n"
351  "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
352  "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
353  "--writepid file : Write main process ID to file.\n"
354  "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
355  "--echo [parms ...] : Echo parameters to log output.\n"
356  "--verb n : Set output verbosity to n (default=%d):\n"
357  " (Level 3 is recommended if you want a good summary\n"
358  " of what's happening without being swamped by output).\n"
359  " : 0 -- no output except fatal errors\n"
360  " : 1 -- startup info + connection initiated messages +\n"
361  " non-fatal encryption & net errors\n"
362  " : 2,3 -- show TLS negotiations & route info\n"
363  " : 4 -- show parameters\n"
364  " : 5 -- show 'RrWw' chars on console for each packet sent\n"
365  " and received from TCP/UDP (caps) or tun/tap (lc)\n"
366  " : 6 to 11 -- debug messages of increasing verbosity\n"
367  "--mute n : Log at most n consecutive messages in the same category.\n"
368  "--status file [n] : Write operational status to file every n seconds.\n"
369  "--status-version [n] : Choose the status file format version number.\n"
370  " Currently, n can be 1, 2, or 3 (default=1).\n"
371  "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
372 #ifdef ENABLE_DEBUG
373  "--gremlin mask : Special stress testing mode (for debugging only).\n"
374 #endif
375 #if defined(USE_COMP)
376  "--compress alg : Use compression algorithm alg\n"
377  "--allow-compression: Specify whether compression should be allowed\n"
378 #if defined(ENABLE_LZO)
379  "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
380  " packet for incompressible data.\n"
381  "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
382  " is specified.\n"
383 #endif
384 #endif
385 #ifdef ENABLE_MANAGEMENT
386  "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
387  " management functions. pass is a password file\n"
388  " or 'stdin' to prompt from console.\n"
389 #if UNIX_SOCK_SUPPORT
390  " To listen on a unix domain socket, specific the pathname\n"
391  " in place of ip and use 'unix' as the port number.\n"
392 #endif
393  "--management-client : Management interface will connect as a TCP client to\n"
394  " ip/port rather than listen as a TCP server.\n"
395  "--management-query-passwords : Query management channel for private key\n"
396  " and auth-user-pass passwords.\n"
397  "--management-query-proxy : Query management channel for proxy information.\n"
398  "--management-query-remote : Query management channel for --remote directive.\n"
399  "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
400  " of the management interface explicitly starts it.\n"
401  "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
402  "--management-forget-disconnect : Forget passwords when management disconnect\n"
403  " event occurs.\n"
404  "--management-up-down : Report tunnel up/down events to management interface.\n"
405  "--management-log-cache n : Cache n lines of log file history for usage\n"
406  " by the management channel.\n"
407 #if UNIX_SOCK_SUPPORT
408  "--management-client-user u : When management interface is a unix socket, only\n"
409  " allow connections from user u.\n"
410  "--management-client-group g : When management interface is a unix socket, only\n"
411  " allow connections from group g.\n"
412 #endif
413  "--management-client-auth : gives management interface client the responsibility\n"
414  " to authenticate clients after their client certificate\n"
415  " has been verified.\n"
416 #endif /* ifdef ENABLE_MANAGEMENT */
417 #ifdef ENABLE_PLUGIN
418  "--plugin m [str]: Load plug-in module m passing str as an argument\n"
419  " to its initialization function.\n"
420 #endif
421  "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
422  "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
423  "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
424  "\n"
425  "Multi-Client Server options (when --mode server is used):\n"
426  "--server network netmask : Helper option to easily configure server mode.\n"
427  "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
428  "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
429  " easily configure ethernet bridging server mode.\n"
430  "--push \"option\" : Push a config file option back to the peer for remote\n"
431  " execution. Peer must specify --pull in its config file.\n"
432  "--push-reset : Don't inherit global push list for specific\n"
433  " client instance.\n"
434  "--push-remove opt : Remove options matching 'opt' from the push list for\n"
435  " a specific client instance.\n"
436  "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
437  " to be dynamically allocated to connecting clients.\n"
438  "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
439  " data to file, at seconds intervals (default=600).\n"
440  " If seconds=0, file will be treated as read-only.\n"
441  "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
442  " to be dynamically allocated to connecting clients.\n"
443  "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
444  " overrides --ifconfig-pool dynamic allocation.\n"
445  " Only valid in a client-specific config file.\n"
446  "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
447  " remote, overrides --ifconfig-ipv6-pool allocation.\n"
448  " Only valid in a client-specific config file.\n"
449  "--iroute network [netmask] : Route subnet to client.\n"
450  "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
451  " Sets up internal routes only.\n"
452  " Only valid in a client-specific config file.\n"
453  "--disable : Client is disabled.\n"
454  " Only valid in a client-specific config file.\n"
455  "--override-username: Overrides the client-specific username to be used.\n"
456  " Only valid in a client-specific config file.\n"
457  "--verify-client-cert [none|optional|require] : perform no, optional or\n"
458  " mandatory client certificate verification.\n"
459  " Default is to require the client to supply a certificate.\n"
460  "--username-as-common-name : For auth-user-pass authentication, use\n"
461  " the authenticated username as the common name,\n"
462  " rather than the common name from the client cert.\n"
463  "--auth-user-pass-verify cmd method: Query client for username/password and\n"
464  " run command cmd to verify. If method='via-env', pass\n"
465  " user/pass via environment, if method='via-file', pass\n"
466  " user/pass via temporary file.\n"
467  "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
468  " to each client, replacing the password. Useful when\n"
469  " OTP based two-factor auth mechanisms are in use and\n"
470  " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
471  " for generated tokens can be set.\n"
472  "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
473  " with those of the server will be disconnected.\n"
474  "--auth-user-pass-optional : Allow connections by clients that don't\n"
475  " specify a username/password.\n"
476  "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
477  " any printable character.\n"
478  "--client-to-client : Internally route client-to-client traffic.\n"
479  "--duplicate-cn : Allow multiple clients with the same common name to\n"
480  " concurrently connect.\n"
481  "--client-connect cmd : Run command cmd on client connection.\n"
482  "--client-disconnect cmd : Run command cmd on client disconnection.\n"
483  "--client-config-dir dir : Directory for custom client config files.\n"
484  "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
485  "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
486  "--hash-size r v : Set the size of the real address hash table to r and the\n"
487  " virtual address table to v.\n"
488  "--bcast-buffers n : Allocate n broadcast buffers.\n"
489  "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
490  "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
491  " as well as pushes it to connecting clients.\n"
492  "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
493  "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
494  "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
495  "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
496  "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
497  "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
498  " older than n seconds. Run this check every t\n"
499  " seconds (defaults to n).\n"
500  "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
501  " clients. n = 1 - reconnect to same server,\n"
502  " 2 - advance to next server, default=1.\n"
503 #if PORT_SHARE
504  "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
505  " sessions to a web server at host:port. dir specifies an\n"
506  " optional directory to write origin IP:port data.\n"
507 #endif
508  "\n"
509  "Client options (when connecting to a multi-client server):\n"
510  "--client : Helper option to easily configure client mode.\n"
511  "--auth-user-pass [up] : Authenticate with server using username/password.\n"
512  " up is a file containing the username on the first line,\n"
513  " and a password on the second. If either the password or both\n"
514  " the username and the password are omitted OpenVPN will prompt\n"
515  " for them from console.\n"
516  "--pull : Accept certain config file options from the peer as if they\n"
517  " were part of the local config file. Must be specified\n"
518  " when connecting to a '--mode server' remote host.\n"
519  "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
520  " server if it starts with the text t. The action flag accept,\n"
521  " ignore or reject causes the option to be allowed, removed or\n"
522  " rejected with error. May be specified multiple times, and\n"
523  " each filter is applied in the order of appearance.\n"
524  "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
525  " Valid options are :\n"
526  " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
527  " resolve-domains <domain> [domain ...] : split domains\n"
528  " dnssec <yes|no|optional> : option to use DNSSEC\n"
529  " type <DoH|DoT> : query server over HTTPS / TLS\n"
530  " sni <domain> : DNS server name indication\n"
531  "--dns search-domains <domain> [domain ...]:\n"
532  " Add domains to DNS domain search list\n"
533  "--auth-retry t : How to handle auth failures. Set t to\n"
534  " none (default), interact, or nointeract.\n"
535  "--static-challenge t e [<scrv1|concat>]: Enable static challenge/response protocol using\n"
536  " challenge text t, with e indicating echo flag (0|1)\n"
537  " and optional argument scrv1 or concat to use SCRV1 protocol or"
538  " concatenate response with password. Default is scrv1.\n"
539  "--connect-timeout n : when polling possible remote servers to connect to\n"
540  " in a round-robin fashion, spend no more than n seconds\n"
541  " waiting for a response before trying the next server.\n"
542  "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
543  " incoming tun packets with same destination as host.\n"
544  "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
545  " server/remote. n = # of retries, default=1.\n"
546  "\n"
547  "Data Channel Encryption Options (must be compatible between peers):\n"
548  "(These options are meaningful for both Static Key & TLS-mode)\n"
549  "--auth alg : Authenticate packets with HMAC using message\n"
550  " digest algorithm alg (default=%s).\n"
551  " (usually adds 16 or 20 bytes per packet)\n"
552  " Set alg=none to disable authentication.\n"
553  "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
554  " You should usually use --data-ciphers instead.\n"
555  " Set alg=none to disable encryption.\n"
556  "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
557 #ifndef ENABLE_CRYPTO_MBEDTLS
558  "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
559 #endif
560  "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
561  "--replay-window n [t] : Use a replay protection sliding window of size n\n"
562  " and a time window of t seconds.\n"
563  " Default n=%d t=%d\n"
564  "--replay-persist file : Persist replay-protection state across sessions\n"
565  " using file.\n"
566  "--test-crypto : Run a self-test of crypto features enabled.\n"
567  " For debugging only.\n"
568 #ifdef ENABLE_PREDICTION_RESISTANCE
569  "--use-prediction-resistance: Enable prediction resistance on the random\n"
570  " number generator.\n"
571 #endif
572  "\n"
573  "TLS Key Negotiation Options:\n"
574  "(These options are meaningful only for TLS-mode)\n"
575  "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
576  "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
577  "--ca file : Certificate authority file in .pem format containing\n"
578  " root certificate.\n"
579 #ifndef ENABLE_CRYPTO_MBEDTLS
580  "--capath dir : A directory of trusted certificates (CAs"
581  " and CRLs).\n"
582 #endif /* ENABLE_CRYPTO_MBEDTLS */
583  "--dh file : File containing Diffie Hellman parameters\n"
584  " in .pem format (for --tls-server only).\n"
585  " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
586  "--cert file : Local certificate in .pem format or a URI -- must be signed\n"
587  " by a Certificate Authority in --ca file used by the peer.\n"
588  "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
589  "--key file : Local private key in .pem format or a URI.\n"
590  "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
591  " will accept from the peer. If version is unrecognized and 'or-highest'\n"
592  " is specified, require max TLS version supported by SSL implementation.\n"
593  "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
594 #ifndef ENABLE_CRYPTO_MBEDTLS
595  "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
596  " and optionally the root CA certificate.\n"
597 #endif
598 #ifdef ENABLE_X509ALTUSERNAME
599  "--x509-username-field : Field in x509 certificate containing the username.\n"
600  " Default is CN in the Subject field.\n"
601 #endif
602  "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
603  " Valid algo flags are SHA1 and SHA256. \n"
604 #ifdef _WIN32
605  "--cryptoapicert select-string : Load the certificate and private key from the\n"
606  " Windows Certificate System Store.\n"
607 #endif
608  "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
609  "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
610  " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
611  "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
612  " (default=legacy).\n"
613  "--providers l : A list l of OpenSSL providers to load.\n"
614  "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
615  " if no ACK from remote within n seconds (default=%d).\n"
616  "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
617  "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
618  "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
619  " and at least min (defaults to 90%% of max on servers and equal\n"
620  " to max on clients).\n"
621  "--hand-window n : Data channel key exchange must finalize within n seconds\n"
622  " of handshake initiation by any peer (default=%d).\n"
623  "--tran-window n : Transition window -- old key can live this many seconds\n"
624  " after new key renegotiation begins (default=%d).\n"
625  "--single-session: Allow only one session (reset state on restart).\n"
626  "--tls-exit : Exit on TLS negotiation failure.\n"
627  "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
628  " control channel to protect against attacks on the TLS stack\n"
629  " and DoS attacks.\n"
630  " f (required) is a shared-secret key file.\n"
631  " The optional d parameter controls key directionality.\n"
632  "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
633  " of the TLS control channel to hide the TLS certificate,\n"
634  " provide basic post-quantum security and protect against\n"
635  " attacks on the TLS stack and DoS attacks.\n"
636  " key (required) provides the pre-shared key file.\n"
637  "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
638  " For servers: use key to decrypt client-specific keys. For\n"
639  " key generation (--genkey tls-crypt-v2-client): use key to\n"
640  " encrypt generated client-specific key. (See --tls-crypt.)\n"
641  "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
642  " fresh tls-crypt-v2 client key, and store to\n"
643  " keyfile. If supplied, include metadata in wrapped key.\n"
644  "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
645  " fresh tls-crypt-v2 server key, and store to keyfile\n"
646  "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
647  " client-supplied tls-crypt-v2 client key\n"
648  "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
649  "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
650  "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
651  "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
652  " pending TLS connection that has otherwise passed all other\n"
653  " tests of certification. cmd should return 0 to allow\n"
654  " TLS handshake to proceed, or 1 to fail. (cmd is\n"
655  " executed as 'cmd certificate_depth subject')\n"
656  "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
657  " DN name. The remote host must also pass all other tests\n"
658  " of verification.\n"
659 #ifndef ENABLE_CRYPTO_MBEDTLS
660  "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
661  " an explicit nsCertType designation t = 'client' | 'server'.\n"
662 #endif
663  "--x509-track x : Save peer X509 attribute x in environment for use by\n"
664  " plugins and management interface.\n"
665 #ifdef HAVE_EXPORT_KEYING_MATERIAL
666  "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
667  " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
668 #endif
669  "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
670  " explicit key usage, you can specify more than one value.\n"
671  " value should be given in hex format.\n"
672  "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
673  " explicit extended key usage. Extended key usage can be encoded\n"
674  " as an object identifier or OpenSSL string representation.\n"
675  "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
676  " key usage and extended key usage based on RFC3280 TLS rules.\n"
677  " t = 'client' | 'server'.\n"
678 #ifdef ENABLE_PKCS11
679  "\n"
680  "PKCS#11 Options:\n"
681  "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
682  "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
683  " path. Set for each provider.\n"
684  "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
685  " 0 : Try to determine automatically (default).\n"
686  " 1 : Use Sign.\n"
687  " 2 : Use SignRecover.\n"
688  " 4 : Use Decrypt.\n"
689  " 8 : Use Unwrap.\n"
690  "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
691  " certificate can be accessed. Set for each provider.\n"
692  "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
693  " cache until token is removed.\n"
694  "--pkcs11-id-management : Acquire identity from management interface.\n"
695  "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
696 #endif /* ENABLE_PKCS11 */
697  "\n"
698  "SSL Library information:\n"
699  "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
700  "--show-digests : Show message digest algorithms to use with --auth option.\n"
701  "--show-engines : Show hardware crypto accelerator engines (if available).\n"
702  "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
703 #ifdef _WIN32
704  "\n"
705  "Windows Specific:\n"
706  "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
707  " from SystemRoot environment variable.\n"
708  "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
709  " IP address using method = manual, netsh, ipapi,\n"
710  " dynamic, or adaptive (default = adaptive).\n"
711  " Dynamic method allows two optional parameters:\n"
712  " offset: DHCP server address offset (> -256 and < 256).\n"
713  " If 0, use network address, if >0, take nth\n"
714  " address forward from network address, if <0,\n"
715  " take nth address backward from broadcast\n"
716  " address.\n"
717  " Default is 0.\n"
718  " lease-time: Lease time in seconds.\n"
719  " Default is one year.\n"
720  "--route-method : Which method to use for adding routes on Windows?\n"
721  " adaptive (default) -- Try ipapi then fall back to exe.\n"
722  " ipapi -- Use IP helper API.\n"
723  " exe -- Call the route.exe shell command.\n"
724  "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
725  " be used with --ip-win32 dynamic. For options\n"
726  " which allow multiple addresses,\n"
727  " --dhcp-option must be repeated.\n"
728  " DOMAIN name : Set DNS suffix\n"
729  " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
730  " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
731  " NTP : Set NTP server address(es)\n"
732  " NBDD : Set NBDD server address(es)\n"
733  " WINS addr : Set WINS server address(es)\n"
734  " NBT type : Set NetBIOS over TCP/IP Node type\n"
735  " 1: B, 2: P, 4: M, 8: H\n"
736  " NBS id : Set NetBIOS scope ID\n"
737  " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
738  "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
739  "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
740  " startup.\n"
741  "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
742  " on connection initiation.\n"
743  "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
744  " attempting to set adapter properties.\n"
745  "--pause-exit : When run from a console window, pause before exiting.\n"
746  "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
747  " service, and should not be used directly by end-users.\n"
748  " ex is the name of an event object which, when\n"
749  " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
750  " optional parameter controls the initial state of ex.\n"
751  "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
752  " after TAP adapter is up and routes have been added.\n"
753  "--windows-driver : Which tun driver to use?\n"
754  " ovpn-dco (default)\n"
755  " tap-windows6\n"
756  " wintun\n"
757  "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
758  "Windows Standalone Options:\n"
759  "\n"
760  "--show-adapters : Show all TAP-Windows adapters.\n"
761  "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
762  "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
763  "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
764  " to access TAP adapter.\n"
765 #endif /* ifdef _WIN32 */
766  "\n"
767  "Generate a new key :\n"
768  "--genkey tls-auth file : Generate a new random key of type and write to file\n"
769  " (for use with --tls-auth or --tls-crypt)."
770 #ifdef ENABLE_FEATURE_TUN_PERSIST
771  "\n"
772  "Tun/tap config mode (available with linux 2.4+):\n"
773  "--mktun : Create a persistent tunnel.\n"
774  "--rmtun : Remove a persistent tunnel.\n"
775  "--dev tunX|tapX : tun/tap device\n"
776  "--dev-type dt : Device type. See tunnel options above for details.\n"
777  "--user user : User to set privilege to.\n"
778  "--group group : Group to set privilege to.\n"
779 #endif
780 #ifdef ENABLE_PKCS11
781  "\n"
782  "PKCS#11 standalone options:\n"
783 #ifdef DEFAULT_PKCS11_MODULE
784  "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
785 #else
786  "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
787 #endif
788  " --verb option can be added *BEFORE* this.\n"
789 #endif /* ENABLE_PKCS11 */
790  "\n"
791  "General Standalone Options:\n"
792 #ifdef ENABLE_DEBUG
793  "--show-gateway [address]: Show info about gateway [to v4/v6 address].\n"
794 #endif
795 ;
796 
797 #endif /* !ENABLE_SMALL */
798 
799 /*
800  * This is where the options defaults go.
801  * Any option not explicitly set here
802  * will be set to 0.
803  */
804 void
805 init_options(struct options *o, const bool init_gc)
806 {
807  CLEAR(*o);
808  if (init_gc)
809  {
810  gc_init(&o->gc);
811  gc_init(&o->dns_options.gc);
812  o->gc_owned = true;
813  }
814  o->mode = MODE_POINT_TO_POINT;
815  o->topology = TOP_UNDEF;
816  o->ce.proto = PROTO_UDP;
817  o->ce.af = AF_UNSPEC;
818  o->ce.bind_ipv6_only = false;
819  o->ce.connect_retry_seconds = 1;
820  o->ce.connect_retry_seconds_max = 300;
821  o->ce.connect_timeout = 120;
822  o->connect_retry_max = 0;
823  o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
824  o->verbosity = 1;
825  o->status_file_update_freq = 60;
826  o->status_file_version = 1;
827  o->ce.bind_local = true;
828  o->ce.tun_mtu = TUN_MTU_DEFAULT;
829  o->ce.occ_mtu = 0;
830  o->ce.link_mtu = LINK_MTU_DEFAULT;
831  o->ce.tls_mtu = TLS_MTU_DEFAULT;
832  o->ce.mtu_discover_type = -1;
833  o->ce.mssfix = 0;
834  o->ce.mssfix_default = true;
835  o->ce.mssfix_encap = true;
836  o->route_delay_window = 30;
837  o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
838  o->resolve_in_advance = false;
839  o->proto_force = -1;
840  o->occ = true;
841 #ifdef ENABLE_MANAGEMENT
842  o->management_log_history_cache = 250;
843  o->management_echo_buffer_size = 100;
844  o->management_state_buffer_size = 100;
845 #endif
846 #ifdef ENABLE_FEATURE_TUN_PERSIST
847  o->persist_mode = 1;
848 #endif
849 #ifdef _WIN32
850 #if 0
851  o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
852 #else
853  o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
854 #endif
855  o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
856  o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
857  o->route_method = ROUTE_METHOD_ADAPTIVE;
858  o->block_outside_dns = false;
859  o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
860 #endif
861  o->vlan_accept = VLAN_ALL;
862  o->vlan_pvid = 1;
863  o->real_hash_size = 256;
864  o->virtual_hash_size = 256;
865  o->n_bcast_buf = 256;
866  o->tcp_queue_limit = 64;
867  o->max_clients = 1024;
868  o->cf_initial_per = 10;
869  o->cf_initial_max = 100;
870  o->max_routes_per_client = 256;
871  o->stale_routes_check_interval = 0;
872  o->ifconfig_pool_persist_refresh_freq = 600;
873  o->scheduled_exit_interval = 5;
874  o->authname = "SHA1";
875  o->replay_window = DEFAULT_SEQ_BACKTRACK;
876  o->replay_time = DEFAULT_TIME_BACKTRACK;
877  o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
878 #ifdef ENABLE_PREDICTION_RESISTANCE
879  o->use_prediction_resistance = false;
880 #endif
881  o->tls_timeout = 2;
882  o->renegotiate_bytes = -1;
883  o->renegotiate_seconds = 3600;
884  o->renegotiate_seconds_min = -1;
885  o->handshake_window = 60;
886  o->transition_window = 3600;
887  o->tls_cert_profile = NULL;
888  o->ecdh_curve = NULL;
889 #ifdef ENABLE_X509ALTUSERNAME
890  o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
891 #endif
892 #ifdef ENABLE_PKCS11
893  o->pkcs11_pin_cache_period = -1;
894 #endif /* ENABLE_PKCS11 */
895 
896  /* P2MP server context features */
897  o->auth_token_generate = false;
898 
899  /* Set default --tmp-dir */
900 #ifdef _WIN32
901  /* On Windows, find temp dir via environment variables */
902  o->tmp_dir = win_get_tempdir();
903 
904  if (!o->tmp_dir)
905  {
906  /* Error out if we can't find a valid temporary directory, which should
907  * be very unlikely. */
908  msg(M_USAGE, "Could not find a suitable temporary directory."
909  " (GetTempPath() failed). Consider using --tmp-dir");
910  }
911 #else /* ifdef _WIN32 */
912  /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
913  o->tmp_dir = getenv("TMPDIR");
914  if (!o->tmp_dir)
915  {
916  o->tmp_dir = "/tmp";
917  }
918 #endif /* _WIN32 */
919  o->allow_recursive_routing = false;
920 
921 #ifndef ENABLE_DCO
922  o->disable_dco = true;
923 #endif /* ENABLE_DCO */
924 }
925 
926 void
927 uninit_options(struct options *o)
928 {
929  if (o->connection_list)
930  {
931  CLEAR(*o->connection_list);
932  }
933  if (o->remote_list)
934  {
935  CLEAR(*o->remote_list);
936  }
937  if (o->gc_owned)
938  {
939  gc_free(&o->gc);
940  gc_free(&o->dns_options.gc);
941  }
942 }
943 
944 struct pull_filter
945 {
946 #define PUF_TYPE_UNDEF 0
947 #define PUF_TYPE_ACCEPT 1
948 #define PUF_TYPE_IGNORE 2
949 #define PUF_TYPE_REJECT 3
950  int type;
951  int size;
952  char *pattern;
953  struct pull_filter *next;
954 };
955 
956 struct pull_filter_list
957 {
958  struct pull_filter *head;
959  struct pull_filter *tail;
960 };
961 
962 #ifndef ENABLE_SMALL
963 
964 static const char *
965 pull_filter_type_name(int type)
966 {
967  if (type == PUF_TYPE_ACCEPT)
968  {
969  return "accept";
970  }
971  if (type == PUF_TYPE_IGNORE)
972  {
973  return "ignore";
974  }
975  if (type == PUF_TYPE_REJECT)
976  {
977  return "reject";
978  }
979  else
980  {
981  return "???";
982  }
983 }
984 
985 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
986 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
987 #define SHOW_STR_INLINE(var) SHOW_PARM(var, \
988  o->var ## _inline ? "[INLINE]" : \
989  (o->var ? o->var : "[UNDEF]"), \
990  "'%s'")
991 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
992 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
993 #define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
994 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
995 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
996 
997 #endif /* ifndef ENABLE_SMALL */
998 
999 static void
1000 setenv_connection_entry(struct env_set *es,
1001  const struct connection_entry *e,
1002  const int i)
1003 {
1004  setenv_str_i(es, "remote", e->remote, i);
1005  setenv_str_i(es, "remote_port", e->remote_port, i);
1006 
1007  if (e->http_proxy_options)
1008  {
1009  setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
1010  setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
1011  }
1012  if (e->socks_proxy_server)
1013  {
1014  setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
1015  setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
1016  }
1017 }
1018 
1019 static void
1020 setenv_local_entry(struct env_set *es,
1021  const struct local_entry *e,
1022  const int i)
1023 {
1024  setenv_str_i(es, "proto", proto2ascii(e->proto, AF_UNSPEC, false), i);
1025  setenv_str_i(es, "local", e->local, i);
1026  setenv_str_i(es, "local_port", e->port, i);
1027 }
1028 
1029 void
1030 setenv_settings(struct env_set *es, const struct options *o)
1031 {
1032  setenv_str(es, "config", o->config);
1033  setenv_int(es, "verb", o->verbosity);
1034  setenv_int(es, "daemon", o->daemon);
1035  setenv_int(es, "daemon_log_redirect", o->log);
1036  setenv_long_long(es, "daemon_start_time", time(NULL));
1037  setenv_int(es, "daemon_pid", platform_getpid());
1038 
1039  if (o->connection_list)
1040  {
1041  int i;
1042  for (i = 0; i < o->connection_list->len; ++i)
1043  {
1044  setenv_connection_entry(es, o->connection_list->array[i], i+1);
1045  }
1046  }
1047  else
1048  {
1049  setenv_connection_entry(es, &o->ce, 1);
1050  }
1051 
1052  if (o->ce.local_list)
1053  {
1054  for (int i = 0; i < o->ce.local_list->len; i++)
1055  {
1056  setenv_local_entry(es, o->ce.local_list->array[i], i+1);
1057  }
1058  }
1059 
1060  if (!o->pull)
1061  {
1062  setenv_dns_options(&o->dns_options, es);
1063  }
1064 }
1065 
1066 #ifndef _WIN32
1067 static void
1068 setenv_foreign_option(struct options *o, const char *argv[], int len, struct env_set *es)
1069 {
1070  if (len > 0)
1071  {
1072  struct gc_arena gc = gc_new();
1073  struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1074  struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
1075  int i;
1076  bool first = true;
1077  bool good = true;
1078 
1079  good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
1080  ++o->foreign_option_index;
1081  for (i = 0; i < len; ++i)
1082  {
1083  if (argv[i])
1084  {
1085  if (!first)
1086  {
1087  good &= buf_printf(&value, " ");
1088  }
1089  good &= buf_printf(&value, "%s", argv[i]);
1090  first = false;
1091  }
1092  }
1093  if (good)
1094  {
1095  setenv_str(es, BSTR(&name), BSTR(&value));
1096  }
1097  else
1098  {
1099  msg(M_WARN, "foreign_option: name/value overflow");
1100  }
1101  gc_free(&gc);
1102  }
1103 }
1104 #endif /* ifndef _WIN32 */
1105 
1106 static in_addr_t
1107 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1108 {
1109  unsigned int flags = GETADDR_HOST_ORDER;
1110  bool succeeded = false;
1111  in_addr_t ret;
1112 
1113  if (msglevel & M_FATAL)
1114  {
1115  flags |= GETADDR_FATAL;
1116  }
1117 
1118  ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1119  if (!succeeded && error)
1120  {
1121  *error = true;
1122  }
1123  return ret;
1124 }
1125 
1131 static char *
1132 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1133 {
1134  const char *end = strchr(addr, '/');
1135  char *ret = NULL;
1136  if (NULL == end)
1137  {
1138  ret = string_alloc(addr, gc);
1139  }
1140  else
1141  {
1142  size_t len = end - addr;
1143  ret = gc_malloc(len + 1, true, gc);
1144  memcpy(ret, addr, len);
1145  }
1146  return ret;
1147 }
1148 
1149 static bool
1150 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1151 {
1152  struct in6_addr t_addr;
1153  unsigned int t_bits;
1154 
1155  return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1156 }
1157 
1158 static char *
1159 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1160 {
1161  char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1162  char *dest = ret;
1163  char c;
1164 
1165  do
1166  {
1167  c = *src++;
1168  if (c == from)
1169  {
1170  c = to;
1171  }
1172  *dest++ = c;
1173  }
1174  while (c);
1175  return ret;
1176 }
1177 
1187 static struct verify_hash_list *
1188 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1189 {
1190  int i = 0;
1191  const char *cp = str;
1192 
1193  struct verify_hash_list *ret;
1194  ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1195 
1196  char term = 0;
1197  unsigned int byte;
1198 
1199  while (*cp && i < nbytes)
1200  {
1201  /* valid segments consist of exactly two hex digits, then ':' or EOS */
1202  if (!isxdigit(cp[0])
1203  || !isxdigit(cp[1])
1204  || (cp[2] != ':' && cp[2] != '\0')
1205  || sscanf(cp, "%x", &byte) != 1)
1206  {
1207  msg(msglevel, "format error in hash fingerprint: %s", str);
1208  break;
1209  }
1210 
1211  ret->hash[i++] = (uint8_t)byte;
1212 
1213  term = cp[2];
1214  if (term == '\0')
1215  {
1216  break;
1217  }
1218  cp += 3;
1219  }
1220  if (i < nbytes)
1221  {
1222  msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1223  }
1224  else if (term != '\0')
1225  {
1226  msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1227  }
1228  return ret;
1229 }
1230 
1241 static struct verify_hash_list *
1242 parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1243  struct gc_arena *gc)
1244 {
1245  struct gc_arena gc_temp = gc_new();
1246  char *lines = string_alloc(str, &gc_temp);
1247 
1248  struct verify_hash_list *ret = NULL;
1249 
1250  const char *line;
1251  while ((line = strsep(&lines, "\n")))
1252  {
1253  /* ignore leading whitespace */
1254  while (isspace(*line))
1255  {
1256  line++;
1257  }
1258  /* skip empty lines and comment lines */
1259  if (strlen(line) == 0 || *line == '#' || *line == ';')
1260  {
1261  continue;
1262  }
1263 
1264  struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1265  msglevel, gc);
1266 
1267  if (!hash)
1268  {
1269  gc_free(&gc_temp);
1270  return NULL;
1271  }
1272 
1273  hash->next = ret;
1274  ret = hash;
1275  }
1276  gc_free(&gc_temp);
1277 
1278  return ret;
1279 }
1280 #ifdef _WIN32
1281 
1282 #ifndef ENABLE_SMALL
1283 
1284 static void
1285 show_dhcp_option_list(const char *name, const char *const *array, int len)
1286 {
1287  int i;
1288  for (i = 0; i < len; ++i)
1289  {
1290  msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1291  }
1292 }
1293 
1294 static void
1295 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1296 {
1297  struct gc_arena gc = gc_new();
1298  int i;
1299  for (i = 0; i < len; ++i)
1300  {
1301  msg(D_SHOW_PARMS, " %s[%d] = %s",
1302  name,
1303  i,
1304  print_in_addr_t(array[i], 0, &gc));
1305  }
1306  gc_free(&gc);
1307 }
1308 
1309 static void
1310 show_tuntap_options(const struct tuntap_options *o)
1311 {
1312  SHOW_BOOL(ip_win32_defined);
1313  SHOW_INT(ip_win32_type);
1314  SHOW_INT(dhcp_masq_offset);
1315  SHOW_INT(dhcp_lease_time);
1316  SHOW_INT(tap_sleep);
1317  SHOW_UNSIGNED(dhcp_options);
1318  SHOW_BOOL(dhcp_renew);
1319  SHOW_BOOL(dhcp_pre_release);
1320  SHOW_STR(domain);
1321  SHOW_STR(netbios_scope);
1322  SHOW_INT(netbios_node_type);
1323  SHOW_BOOL(disable_nbt);
1324 
1325  show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1326  show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1327  show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1328  show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1329  show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1330 }
1331 
1332 #endif /* ifndef ENABLE_SMALL */
1333 #endif /* ifdef _WIN32 */
1334 
1335 #if defined(_WIN32) || defined(TARGET_ANDROID)
1336 static void
1337 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1338 {
1339  struct in6_addr addr;
1340  if (*len >= N_DHCP_ADDR)
1341  {
1342  msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1343  N_DHCP_ADDR);
1344  }
1345  else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1346  {
1347  dns6_list[(*len)++] = addr;
1348  }
1349 }
1350 static void
1351 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1352 {
1353  if (*len >= N_DHCP_ADDR)
1354  {
1355  msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1356  name,
1357  N_DHCP_ADDR,
1358  name);
1359  }
1360  else
1361  {
1362  if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1363  {
1364  bool error = false;
1365  const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1366  if (!error)
1367  {
1368  array[(*len)++] = addr;
1369  }
1370  }
1371  else
1372  {
1373  msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1374  }
1375  }
1376 }
1377 
1378 /*
1379  * If DNS options are set use these for TUN/TAP options as well.
1380  * Applies to DNS, DNS6 and DOMAIN-SEARCH.
1381  * Existing options will be discarded.
1382  */
1383 static void
1384 tuntap_options_copy_dns(struct options *o)
1385 {
1386  struct tuntap_options *tt = &o->tuntap_options;
1387  struct dns_options *dns = &o->dns_options;
1388 
1389  if (dns->search_domains)
1390  {
1391  tt->domain_search_list_len = 0;
1392  const struct dns_domain *domain = dns->search_domains;
1393  while (domain && tt->domain_search_list_len < N_SEARCH_LIST_LEN)
1394  {
1395  tt->domain_search_list[tt->domain_search_list_len++] = domain->name;
1396  domain = domain->next;
1397  }
1398  if (domain)
1399  {
1400  msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to --dhcp-option");
1401  }
1402  tt->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
1403  }
1404 
1405  if (dns->servers)
1406  {
1407  tt->dns_len = 0;
1408  tt->dns6_len = 0;
1409  bool overflow = false;
1410  const struct dns_server *server = dns->servers;
1411  while (server)
1412  {
1413  for (int i = 0; i < server->addr_count; ++i)
1414  {
1415  if (server->addr[i].family == AF_INET)
1416  {
1417  if (tt->dns_len >= N_DHCP_ADDR)
1418  {
1419  overflow = true;
1420  continue;
1421  }
1422  tt->dns[tt->dns_len++] = ntohl(server->addr[i].in.a4.s_addr);
1423  }
1424  else
1425  {
1426  if (tt->dns6_len >= N_DHCP_ADDR)
1427  {
1428  overflow = true;
1429  continue;
1430  }
1431  tt->dns6[tt->dns6_len++] = server->addr[i].in.a6;
1432  }
1433  }
1434  server = server->next;
1435  }
1436  if (overflow)
1437  {
1438  msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to --dhcp-option");
1439  }
1440  tt->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
1441  }
1442 }
1443 #else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1444 static void
1445 foreign_options_copy_dns(struct options *o, struct env_set *es)
1446 {
1447  const struct dns_domain *domain = o->dns_options.search_domains;
1448  const struct dns_server *server = o->dns_options.servers;
1449  if (!domain && !server)
1450  {
1451  return;
1452  }
1453 
1454  /* reset the index since we're starting all over again */
1455  int opt_max = o->foreign_option_index;
1456  o->foreign_option_index = 0;
1457 
1458  for (int i = 1; i <= opt_max; ++i)
1459  {
1460  char name[32];
1461  snprintf(name, sizeof(name), "foreign_option_%d", i);
1462 
1463  const char *env_str = env_set_get(es, name);
1464  const char *value = strchr(env_str, '=') + 1;
1465  if ((domain && strstr(value, "dhcp-option DOMAIN-SEARCH") == value)
1466  || (server && strstr(value, "dhcp-option DNS") == value))
1467  {
1468  setenv_del(es, name);
1469  }
1470  else
1471  {
1472  setenv_foreign_option(o, &value, 1, es);
1473  }
1474  }
1475 
1476  struct gc_arena gc = gc_new();
1477 
1478  while (server)
1479  {
1480  for (size_t i = 0; i < server->addr_count; ++i)
1481  {
1482  if (server->addr[i].family == AF_INET)
1483  {
1484  const char *argv[] = {
1485  "dhcp-option",
1486  "DNS",
1487  print_in_addr_t(server->addr[i].in.a4.s_addr, 0, &gc)
1488  };
1489  setenv_foreign_option(o, argv, 3, es);
1490  }
1491  else
1492  {
1493  const char *argv[] = {
1494  "dhcp-option",
1495  "DNS6",
1496  print_in6_addr(server->addr[i].in.a6, 0, &gc)
1497  };
1498  setenv_foreign_option(o, argv, 3, es);
1499  }
1500  }
1501  server = server->next;
1502  }
1503  while (domain)
1504  {
1505  const char *argv[] = { "dhcp-option", "DOMAIN-SEARCH", domain->name };
1506  setenv_foreign_option(o, argv, 3, es);
1507  domain = domain->next;
1508  }
1509 
1510  gc_free(&gc);
1511 
1512  /* remove old leftover entries */
1513  while (o->foreign_option_index < opt_max)
1514  {
1515  char name[32];
1516  snprintf(name, sizeof(name), "foreign_option_%d", opt_max--);
1517  setenv_del(es, name);
1518  }
1519 }
1520 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1521 
1522 #ifndef ENABLE_SMALL
1523 static const char *
1524 print_vlan_accept(enum vlan_acceptable_frames mode)
1525 {
1526  switch (mode)
1527  {
1528  case VLAN_ONLY_TAGGED:
1529  return "tagged";
1530 
1531  case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1532  return "untagged";
1533 
1534  case VLAN_ALL:
1535  return "all";
1536  }
1537  return NULL;
1538 }
1539 
1540 static void
1541 show_p2mp_parms(const struct options *o)
1542 {
1543  struct gc_arena gc = gc_new();
1544 
1545  msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1546  msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1547  msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1548  SHOW_INT(server_netbits_ipv6);
1549  msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1550  msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1551  msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1552  msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1553  if (o->push_list.head)
1554  {
1555  const struct push_entry *e = o->push_list.head;
1556  while (e)
1557  {
1558  if (e->enable)
1559  {
1560  msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1561  }
1562  e = e->next;
1563  }
1564  }
1565  SHOW_BOOL(ifconfig_pool_defined);
1566  msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1567  msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1568  msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1569  SHOW_STR(ifconfig_pool_persist_filename);
1570  SHOW_INT(ifconfig_pool_persist_refresh_freq);
1571  SHOW_BOOL(ifconfig_ipv6_pool_defined);
1572  msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1573  SHOW_INT(ifconfig_ipv6_pool_netbits);
1574  SHOW_INT(n_bcast_buf);
1575  SHOW_INT(tcp_queue_limit);
1576  SHOW_INT(real_hash_size);
1577  SHOW_INT(virtual_hash_size);
1578  SHOW_STR(client_connect_script);
1579  SHOW_STR(learn_address_script);
1580  SHOW_STR(client_disconnect_script);
1581  SHOW_STR(client_crresponse_script);
1582  SHOW_STR(client_config_dir);
1583  SHOW_BOOL(ccd_exclusive);
1584  SHOW_STR(tmp_dir);
1585  SHOW_BOOL(push_ifconfig_defined);
1586  msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1587  msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1588  SHOW_BOOL(push_ifconfig_ipv6_defined);
1589  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1590  msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1591  SHOW_BOOL(enable_c2c);
1592  SHOW_BOOL(duplicate_cn);
1593  SHOW_INT(cf_max);
1594  SHOW_INT(cf_per);
1595  SHOW_INT(cf_initial_max);
1596  SHOW_INT(cf_initial_per);
1597  SHOW_INT(max_clients);
1598  SHOW_INT(max_routes_per_client);
1599  SHOW_STR(auth_user_pass_verify_script);
1600  SHOW_BOOL(auth_user_pass_verify_script_via_file);
1601  SHOW_BOOL(auth_token_generate);
1602  SHOW_BOOL(force_key_material_export);
1603  SHOW_INT(auth_token_lifetime);
1604  SHOW_STR_INLINE(auth_token_secret_file);
1605 #if PORT_SHARE
1606  SHOW_STR(port_share_host);
1607  SHOW_STR(port_share_port);
1608 #endif
1609  SHOW_BOOL(vlan_tagging);
1610  msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1611  SHOW_INT(vlan_pvid);
1612 
1613  SHOW_BOOL(client);
1614  SHOW_BOOL(pull);
1615  SHOW_STR_INLINE(auth_user_pass_file);
1616 
1617  gc_free(&gc);
1618 }
1619 
1620 #endif /* ! ENABLE_SMALL */
1621 
1622 static void
1623 option_iroute(struct options *o,
1624  const char *network_str,
1625  const char *netmask_str,
1626  int msglevel)
1627 {
1628  struct iroute *ir;
1629 
1630  ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1631  ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1632  ir->netbits = 32; /* host route if no netmask given */
1633 
1634  if (netmask_str)
1635  {
1636  const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1637  ir->netbits = netmask_to_netbits2(netmask);
1638 
1639  if (ir->netbits < 0)
1640  {
1641  msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1642  network_str,
1643  netmask_str);
1644  return;
1645  }
1646  }
1647 
1648  ir->next = o->iroutes;
1649  o->iroutes = ir;
1650 }
1651 
1652 static void
1653 option_iroute_ipv6(struct options *o,
1654  const char *prefix_str,
1655  int msglevel)
1656 {
1657  struct iroute_ipv6 *ir;
1658 
1659  ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1660 
1661  if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1662  {
1663  msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1664  prefix_str);
1665  return;
1666  }
1667 
1668  ir->next = o->iroutes_ipv6;
1669  o->iroutes_ipv6 = ir;
1670 }
1671 
1672 #ifndef ENABLE_SMALL
1673 static void
1674 show_http_proxy_options(const struct http_proxy_options *o)
1675 {
1676  int i;
1677  msg(D_SHOW_PARMS, "BEGIN http_proxy");
1678  SHOW_STR(server);
1679  SHOW_STR(port);
1680  SHOW_STR(auth_method_string);
1681  SHOW_STR(auth_file);
1682  SHOW_STR(auth_file_up);
1683  SHOW_BOOL(inline_creds);
1684  SHOW_BOOL(nocache);
1685  SHOW_STR(http_version);
1686  SHOW_STR(user_agent);
1687  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1688  {
1689  if (o->custom_headers[i].content)
1690  {
1691  msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1692  o->custom_headers[i].name, o->custom_headers[i].content);
1693  }
1694  else
1695  {
1696  msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1697  o->custom_headers[i].name);
1698  }
1699  }
1700  msg(D_SHOW_PARMS, "END http_proxy");
1701 }
1702 #endif /* ifndef ENABLE_SMALL */
1703 
1704 void
1705 options_detach(struct options *o)
1706 {
1707  gc_detach(&o->gc);
1708  o->routes = NULL;
1709  o->client_nat = NULL;
1710  clone_push_list(o);
1711 }
1712 
1713 void
1714 rol_check_alloc(struct options *options)
1715 {
1716  if (!options->routes)
1717  {
1718  options->routes = new_route_option_list(&options->gc);
1719  }
1720 }
1721 
1722 static void
1723 rol6_check_alloc(struct options *options)
1724 {
1725  if (!options->routes_ipv6)
1726  {
1727  options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1728  }
1729 }
1730 
1731 static void
1732 cnol_check_alloc(struct options *options)
1733 {
1734  if (!options->client_nat)
1735  {
1736  options->client_nat = new_client_nat_list(&options->gc);
1737  }
1738 }
1739 
1740 #ifndef ENABLE_SMALL
1741 static void
1742 show_connection_entry(const struct connection_entry *o)
1743 {
1744  /* Display the global proto only in client mode or with no '--local'*/
1745  if (o->local_list->len == 1)
1746  {
1747  msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1748  }
1749 
1750  msg(D_SHOW_PARMS, " Local Sockets:");
1751  for (int i = 0; i < o->local_list->len; i++)
1752  {
1753  msg(D_SHOW_PARMS, " [%s]:%s-%s", o->local_list->array[i]->local,
1754  o->local_list->array[i]->port, proto2ascii(o->local_list->array[i]->proto, o->af, false));
1755  }
1756  SHOW_STR(remote);
1757  SHOW_STR(remote_port);
1758  SHOW_BOOL(remote_float);
1759  SHOW_BOOL(bind_defined);
1760  SHOW_BOOL(bind_local);
1761  SHOW_BOOL(bind_ipv6_only);
1762  SHOW_INT(connect_retry_seconds);
1763  SHOW_INT(connect_timeout);
1764 
1765  if (o->http_proxy_options)
1766  {
1767  show_http_proxy_options(o->http_proxy_options);
1768  }
1769  SHOW_STR(socks_proxy_server);
1770  SHOW_STR(socks_proxy_port);
1771  SHOW_INT(tun_mtu);
1772  SHOW_BOOL(tun_mtu_defined);
1773  SHOW_INT(link_mtu);
1774  SHOW_BOOL(link_mtu_defined);
1775  SHOW_INT(tun_mtu_extra);
1776  SHOW_BOOL(tun_mtu_extra_defined);
1777  SHOW_INT(tls_mtu);
1778 
1779  SHOW_INT(mtu_discover_type);
1780 
1781 #ifdef ENABLE_FRAGMENT
1782  SHOW_INT(fragment);
1783 #endif
1784  SHOW_INT(mssfix);
1785  SHOW_BOOL(mssfix_encap);
1786  SHOW_BOOL(mssfix_fixed);
1787 
1788  SHOW_INT(explicit_exit_notification);
1789 
1790  SHOW_STR_INLINE(tls_auth_file);
1791  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1792  "%s");
1793  SHOW_STR_INLINE(tls_crypt_file);
1794  SHOW_STR_INLINE(tls_crypt_v2_file);
1795 }
1796 
1797 
1798 static void
1799 show_connection_entries(const struct options *o)
1800 {
1801  if (o->connection_list)
1802  {
1803  const struct connection_list *l = o->connection_list;
1804  int i;
1805  for (i = 0; i < l->len; ++i)
1806  {
1807  msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1808  show_connection_entry(l->array[i]);
1809  }
1810  }
1811  else
1812  {
1813  msg(D_SHOW_PARMS, "Connection profiles [default]:");
1814  show_connection_entry(&o->ce);
1815  }
1816  msg(D_SHOW_PARMS, "Connection profiles END");
1817 }
1818 
1819 static void
1820 show_pull_filter_list(const struct pull_filter_list *l)
1821 {
1822  struct pull_filter *f;
1823  if (!l)
1824  {
1825  return;
1826  }
1827 
1828  msg(D_SHOW_PARMS, " Pull filters:");
1829  for (f = l->head; f; f = f->next)
1830  {
1831  msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1832  }
1833 }
1834 
1835 #endif /* ifndef ENABLE_SMALL */
1836 
1837 void
1838 show_settings(const struct options *o)
1839 {
1840 #ifndef ENABLE_SMALL
1841  msg(D_SHOW_PARMS, "Current Parameter Settings:");
1842 
1843  SHOW_STR(config);
1844 
1845  SHOW_INT(mode);
1846 
1847 #ifdef ENABLE_FEATURE_TUN_PERSIST
1848  SHOW_BOOL(persist_config);
1849  SHOW_INT(persist_mode);
1850 #endif
1851 
1852  SHOW_BOOL(show_ciphers);
1853  SHOW_BOOL(show_digests);
1854  SHOW_BOOL(show_engines);
1855  SHOW_BOOL(genkey);
1856  SHOW_STR(genkey_filename);
1857  SHOW_STR(key_pass_file);
1858  SHOW_BOOL(show_tls_ciphers);
1859 
1860  SHOW_INT(connect_retry_max);
1861  show_connection_entries(o);
1862 
1863  SHOW_BOOL(remote_random);
1864 
1865  SHOW_STR(ipchange);
1866  SHOW_STR(dev);
1867  SHOW_STR(dev_type);
1868  SHOW_STR(dev_node);
1869 #if defined(ENABLE_DCO)
1870  SHOW_BOOL(disable_dco);
1871 #endif
1872  SHOW_STR(lladdr);
1873  SHOW_INT(topology);
1874  SHOW_STR(ifconfig_local);
1875  SHOW_STR(ifconfig_remote_netmask);
1876  SHOW_BOOL(ifconfig_noexec);
1877  SHOW_BOOL(ifconfig_nowarn);
1878  SHOW_STR(ifconfig_ipv6_local);
1879  SHOW_INT(ifconfig_ipv6_netbits);
1880  SHOW_STR(ifconfig_ipv6_remote);
1881 
1882  SHOW_INT(shaper);
1883  SHOW_INT(mtu_test);
1884 
1885  SHOW_BOOL(mlock);
1886 
1887  SHOW_INT(keepalive_ping);
1888  SHOW_INT(keepalive_timeout);
1889  SHOW_INT(inactivity_timeout);
1890  SHOW_INT(session_timeout);
1891  SHOW_INT64(inactivity_minimum_bytes);
1892  SHOW_INT(ping_send_timeout);
1893  SHOW_INT(ping_rec_timeout);
1894  SHOW_INT(ping_rec_timeout_action);
1895  SHOW_BOOL(ping_timer_remote);
1896  SHOW_INT(remap_sigusr1);
1897  SHOW_BOOL(persist_tun);
1898  SHOW_BOOL(persist_local_ip);
1899  SHOW_BOOL(persist_remote_ip);
1900 
1901 #if PASSTOS_CAPABILITY
1902  SHOW_BOOL(passtos);
1903 #endif
1904 
1905  SHOW_INT(resolve_retry_seconds);
1906  SHOW_BOOL(resolve_in_advance);
1907 
1908  SHOW_STR(username);
1909  SHOW_STR(groupname);
1910  SHOW_STR(chroot_dir);
1911  SHOW_STR(cd_dir);
1912 #ifdef ENABLE_SELINUX
1913  SHOW_STR(selinux_context);
1914 #endif
1915  SHOW_STR(writepid);
1916  SHOW_STR(up_script);
1917  SHOW_STR(down_script);
1918  SHOW_BOOL(down_pre);
1919  SHOW_BOOL(up_restart);
1920  SHOW_BOOL(up_delay);
1921  SHOW_BOOL(daemon);
1922  SHOW_BOOL(log);
1923  SHOW_BOOL(suppress_timestamps);
1924  SHOW_BOOL(machine_readable_output);
1925  SHOW_INT(nice);
1926  SHOW_INT(verbosity);
1927  SHOW_INT(mute);
1928 #ifdef ENABLE_DEBUG
1929  SHOW_INT(gremlin);
1930 #endif
1931  SHOW_STR(status_file);
1932  SHOW_INT(status_file_version);
1933  SHOW_INT(status_file_update_freq);
1934 
1935  SHOW_BOOL(occ);
1936  SHOW_INT(rcvbuf);
1937  SHOW_INT(sndbuf);
1938 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1939  SHOW_INT(mark);
1940 #endif
1941  SHOW_INT(sockflags);
1942 
1943  SHOW_BOOL(fast_io);
1944 
1945  SHOW_INT(comp.alg);
1946  SHOW_INT(comp.flags);
1947 
1948  SHOW_STR(route_script);
1949  SHOW_STR(route_default_gateway);
1950  SHOW_INT(route_default_metric);
1951  SHOW_BOOL(route_noexec);
1952  SHOW_INT(route_delay);
1953  SHOW_INT(route_delay_window);
1954  SHOW_BOOL(route_delay_defined);
1955  SHOW_BOOL(route_nopull);
1956  SHOW_BOOL(route_gateway_via_dhcp);
1957  SHOW_BOOL(allow_pull_fqdn);
1958  show_pull_filter_list(o->pull_filter_list);
1959 
1960  if (o->routes)
1961  {
1962  print_route_options(o->routes, D_SHOW_PARMS);
1963  }
1964 
1965  if (o->client_nat)
1966  {
1967  print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1968  }
1969 
1970  show_dns_options(&o->dns_options);
1971 
1972 #ifdef ENABLE_MANAGEMENT
1973  SHOW_STR(management_addr);
1974  SHOW_STR(management_port);
1975  SHOW_STR(management_user_pass);
1976  SHOW_INT(management_log_history_cache);
1977  SHOW_INT(management_echo_buffer_size);
1978  SHOW_STR(management_client_user);
1979  SHOW_STR(management_client_group);
1980  SHOW_INT(management_flags);
1981 #endif
1982 #ifdef ENABLE_PLUGIN
1983  if (o->plugin_list)
1984  {
1985  plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1986  }
1987 #endif
1988 
1989  SHOW_STR_INLINE(shared_secret_file);
1990  SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1991  SHOW_STR(ciphername);
1992  SHOW_STR(ncp_ciphers);
1993  SHOW_STR(authname);
1994 #ifndef ENABLE_CRYPTO_MBEDTLS
1995  SHOW_BOOL(engine);
1996 #endif /* ENABLE_CRYPTO_MBEDTLS */
1997  SHOW_BOOL(mute_replay_warnings);
1998  SHOW_INT(replay_window);
1999  SHOW_INT(replay_time);
2000  SHOW_STR(packet_id_file);
2001  SHOW_BOOL(test_crypto);
2002 #ifdef ENABLE_PREDICTION_RESISTANCE
2003  SHOW_BOOL(use_prediction_resistance);
2004 #endif
2005 
2006  SHOW_BOOL(tls_server);
2007  SHOW_BOOL(tls_client);
2008  SHOW_STR_INLINE(ca_file);
2009  SHOW_STR(ca_path);
2010  SHOW_STR_INLINE(dh_file);
2011  if ((o->management_flags & MF_EXTERNAL_CERT))
2012  {
2013  SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
2014  }
2015  else
2016  {
2017  SHOW_STR_INLINE(cert_file);
2018  }
2019  SHOW_STR_INLINE(extra_certs_file);
2020 
2021  if ((o->management_flags & MF_EXTERNAL_KEY))
2022  {
2023  SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
2024  }
2025  else
2026  {
2027  SHOW_STR_INLINE(priv_key_file);
2028  }
2029 #ifndef ENABLE_CRYPTO_MBEDTLS
2030  SHOW_STR_INLINE(pkcs12_file);
2031 #endif
2032 #ifdef ENABLE_CRYPTOAPI
2033  SHOW_STR(cryptoapi_cert);
2034 #endif
2035  SHOW_STR(cipher_list);
2036  SHOW_STR(cipher_list_tls13);
2037  SHOW_STR(tls_cert_profile);
2038  SHOW_STR(tls_verify);
2039  SHOW_STR(tls_export_peer_cert_dir);
2040  SHOW_INT(verify_x509_type);
2041  SHOW_STR(verify_x509_name);
2042  SHOW_STR_INLINE(crl_file);
2043  SHOW_INT(ns_cert_type);
2044  {
2045  int i;
2046  for (i = 0; i<MAX_PARMS; i++)
2047  {
2048  SHOW_INT(remote_cert_ku[i]);
2049  }
2050  }
2051  SHOW_STR(remote_cert_eku);
2052  if (o->verify_hash)
2053  {
2054  SHOW_INT(verify_hash_algo);
2055  SHOW_INT(verify_hash_depth);
2056  struct gc_arena gc = gc_new();
2057  struct verify_hash_list *hl = o->verify_hash;
2058  int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
2059  SHA256_DIGEST_LENGTH;
2060  while (hl)
2061  {
2062  char *s = format_hex_ex(hl->hash, digest_len, 0,
2063  1, ":", &gc);
2064  SHOW_PARM(verify_hash, s, "%s");
2065  hl = hl->next;
2066  }
2067  gc_free(&gc);
2068  }
2069  SHOW_INT(ssl_flags);
2070 
2071  SHOW_INT(tls_timeout);
2072 
2073  SHOW_INT64(renegotiate_bytes);
2074  SHOW_INT64(renegotiate_packets);
2075  SHOW_INT(renegotiate_seconds);
2076 
2077  SHOW_INT(handshake_window);
2078  SHOW_INT(transition_window);
2079 
2080  SHOW_BOOL(single_session);
2081  SHOW_BOOL(push_peer_info);
2082  SHOW_BOOL(tls_exit);
2083 
2084  SHOW_STR(tls_crypt_v2_metadata);
2085 
2086 #ifdef ENABLE_PKCS11
2087  {
2088  int i;
2089  for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
2090  {
2091  SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
2092  }
2093  }
2094  {
2095  int i;
2096  for (i = 0; i<MAX_PARMS; i++)
2097  {
2098  SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
2099  }
2100  }
2101  {
2102  int i;
2103  for (i = 0; i<MAX_PARMS; i++)
2104  {
2105  SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
2106  }
2107  }
2108  {
2109  int i;
2110  for (i = 0; i<MAX_PARMS; i++)
2111  {
2112  SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
2113  }
2114  }
2115  SHOW_INT(pkcs11_pin_cache_period);
2116  SHOW_STR(pkcs11_id);
2117  SHOW_BOOL(pkcs11_id_management);
2118 #endif /* ENABLE_PKCS11 */
2119 
2120  show_p2mp_parms(o);
2121 
2122 #ifdef _WIN32
2123  SHOW_BOOL(show_net_up);
2124  SHOW_INT(route_method);
2125  SHOW_BOOL(block_outside_dns);
2126  show_tuntap_options(&o->tuntap_options);
2127 #endif
2128 #endif /* ifndef ENABLE_SMALL */
2129 }
2130 
2131 #undef SHOW_PARM
2132 #undef SHOW_STR
2133 #undef SHOW_INT
2134 #undef SHOW_BOOL
2135 
2136 #ifdef ENABLE_MANAGEMENT
2137 
2138 static struct http_proxy_options *
2139 parse_http_proxy_override(const char *server,
2140  const char *port,
2141  const char *flags,
2142  struct gc_arena *gc)
2143 {
2144  if (server && port)
2145  {
2146  struct http_proxy_options *ho;
2147  ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
2148  ho->server = string_alloc(server, gc);
2149  ho->port = port;
2150  if (flags && !strcmp(flags, "nct"))
2151  {
2152  ho->auth_retry = PAR_NCT;
2153  }
2154  else
2155  {
2156  ho->auth_retry = PAR_ALL;
2157  }
2158  ho->http_version = "1.0";
2159  ho->user_agent = "OpenVPN-Autoproxy/1.0";
2160  return ho;
2161  }
2162  else
2163  {
2164  return NULL;
2165  }
2166 }
2167 
2168 static void
2169 options_postprocess_http_proxy_override(struct options *o)
2170 {
2171  const struct connection_list *l = o->connection_list;
2172  int i;
2173  bool succeed = false;
2174  for (i = 0; i < l->len; ++i)
2175  {
2176  struct connection_entry *ce = l->array[i];
2177  if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2178  {
2179  ce->http_proxy_options = o->http_proxy_override;
2180  succeed = true;
2181  }
2182  }
2183  if (succeed)
2184  {
2185  for (i = 0; i < l->len; ++i)
2186  {
2187  struct connection_entry *ce = l->array[i];
2188  if (ce->proto == PROTO_UDP)
2189  {
2190  ce->flags |= CE_DISABLED;
2191  }
2192  }
2193  }
2194  else
2195  {
2196  msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2197  }
2198 }
2199 
2200 #endif /* ifdef ENABLE_MANAGEMENT */
2201 
2202 static struct local_list *
2203 alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
2204 {
2205  if (!ce->local_list)
2206  {
2207  ALLOC_OBJ_CLEAR_GC(ce->local_list, struct local_list, gc);
2208  }
2209  return ce->local_list;
2210 }
2211 
2212 static struct local_entry *
2213 alloc_local_entry(struct connection_entry *ce, const int msglevel,
2214  struct gc_arena *gc)
2215 {
2216  struct local_list *l = alloc_local_list_if_undef(ce, gc);
2217  struct local_entry *e;
2218 
2219  if (l->len >= CONNECTION_LIST_SIZE)
2220  {
2221  msg(msglevel, "Maximum number of 'local' options (%d) exceeded",
2222  CONNECTION_LIST_SIZE);
2223 
2224  return NULL;
2225  }
2226 
2227  ALLOC_OBJ_CLEAR_GC(e, struct local_entry, gc);
2228  e->proto = PROTO_NONE;
2229  l->array[l->len++] = e;
2230 
2231  return e;
2232 }
2233 
2234 static struct connection_list *
2235 alloc_connection_list_if_undef(struct options *options)
2236 {
2237  if (!options->connection_list)
2238  {
2239  ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
2240  }
2241  return options->connection_list;
2242 }
2243 
2244 static struct connection_entry *
2245 alloc_connection_entry(struct options *options, const int msglevel)
2246 {
2247  struct connection_list *l = alloc_connection_list_if_undef(options);
2248  struct connection_entry *e;
2249 
2250  if (l->len == l->capacity)
2251  {
2252  int capacity = l->capacity + CONNECTION_LIST_SIZE;
2253  struct connection_entry **ce = gc_realloc(l->array, capacity*sizeof(struct connection_entry *), &options->gc);
2254  if (ce == NULL)
2255  {
2256  msg(msglevel, "Unable to process more connection options: out of memory. Number of entries = %d", l->len);
2257  return NULL;
2258  }
2259  l->array = ce;
2260  l->capacity = capacity;
2261  }
2262  ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
2263  l->array[l->len++] = e;
2264  return e;
2265 }
2266 
2267 static struct remote_list *
2268 alloc_remote_list_if_undef(struct options *options)
2269 {
2270  if (!options->remote_list)
2271  {
2272  ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
2273  }
2274  return options->remote_list;
2275 }
2276 
2277 static struct remote_entry *
2278 alloc_remote_entry(struct options *options, const int msglevel)
2279 {
2280  struct remote_list *l = alloc_remote_list_if_undef(options);
2281  struct remote_entry *e;
2282 
2283  if (l->len == l->capacity)
2284  {
2285  int capacity = l->capacity + CONNECTION_LIST_SIZE;
2286  struct remote_entry **re = gc_realloc(l->array, capacity*sizeof(struct remote_entry *), &options->gc);
2287  if (re == NULL)
2288  {
2289  msg(msglevel, "Unable to process more remote options: out of memory. Number of entries = %d", l->len);
2290  return NULL;
2291  }
2292  l->array = re;
2293  l->capacity = capacity;
2294  }
2295  ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2296  l->array[l->len++] = e;
2297  return e;
2298 }
2299 
2300 static struct pull_filter_list *
2301 alloc_pull_filter_list(struct options *o)
2302 {
2303  if (!o->pull_filter_list)
2304  {
2305  ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
2306  }
2307  return o->pull_filter_list;
2308 }
2309 
2310 static struct pull_filter *
2311 alloc_pull_filter(struct options *o)
2312 {
2313  struct pull_filter_list *l = alloc_pull_filter_list(o);
2314  struct pull_filter *f;
2315 
2316  ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2317  if (l->head)
2318  {
2319  ASSERT(l->tail);
2320  l->tail->next = f;
2321  }
2322  else
2323  {
2324  ASSERT(!l->tail);
2325  l->head = f;
2326  }
2327  l->tail = f;
2328  return f;
2329 }
2330 
2331 static void
2332 connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2333 {
2334  if (re->remote)
2335  {
2336  ce->remote = re->remote;
2337  }
2338  if (re->remote_port)
2339  {
2340  ce->remote_port = re->remote_port;
2341  }
2342  if (re->proto >= 0)
2343  {
2344  ce->proto = re->proto;
2345  }
2346  if (re->af > 0)
2347  {
2348  ce->af = re->af;
2349  }
2350 }
2351 
2352 static void
2353 connection_entry_preload_key(const char **key_file, bool *key_inline,
2354  struct gc_arena *gc)
2355 {
2356  if (key_file && *key_file && !(*key_inline))
2357  {
2358  struct buffer in = buffer_read_from_file(*key_file, gc);
2359  if (!buf_valid(&in))
2360  {
2361  msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2362  }
2363 
2364  *key_file = (const char *) in.data;
2365  *key_inline = true;
2366  }
2367 }
2368 
2369 static void
2370 check_ca_required(const struct options *options)
2371 {
2372 #ifdef ENABLE_CRYPTO_MBEDTLS
2373  if (options->ca_path)
2374  {
2375  msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN.");
2376  }
2377 #endif
2378 
2379  if (options->verify_hash_no_ca
2380  || options->pkcs12_file
2381  || options->ca_file
2382 #ifndef ENABLE_CRYPTO_MBEDTLS
2383  || options->ca_path
2384 #endif
2385  )
2386  {
2387  return;
2388  }
2389 
2390  const char *const str = "You must define CA file (--ca)"
2391 #ifndef ENABLE_CRYPTO_MBEDTLS
2392  " or CA path (--capath)"
2393 #endif
2394  " and/or peer fingerprint verification (--peer-fingerprint)";
2395  msg(M_USAGE, "%s", str);
2396 }
2397 
2398 #define MUST_BE_UNDEF(parm, parm_name) \
2399  if (options->parm != defaults.parm) { msg(M_USAGE, use_err, parm_name); }
2400 #define MUST_BE_FALSE(condition, parm_name) \
2401  if (condition) { msg(M_USAGE, use_err, parm_name); }
2402 
2403 static void
2404 options_postprocess_verify_ce(const struct options *options,
2405  const struct connection_entry *ce)
2406 {
2407  struct options defaults;
2408  int dev = DEV_TYPE_UNDEF;
2409  bool pull = false;
2410 
2411  init_options(&defaults, true);
2412 
2413  if (options->test_crypto)
2414  {
2415  notnull(options->shared_secret_file, "key file (--secret)");
2416  }
2417  else
2418  {
2419  notnull(options->dev, "TUN/TAP device (--dev)");
2420  }
2421 
2422  /*
2423  * Get tun/tap/null device type
2424  */
2425  dev = dev_type_enum(options->dev, options->dev_type);
2426 
2427  /*
2428  * If "proto tcp" is specified, make sure we know whether it is
2429  * tcp-client or tcp-server.
2430  */
2431  if (ce->proto == PROTO_TCP)
2432  {
2433  msg(M_USAGE,
2434  "--proto tcp is ambiguous in this context. Please specify "
2435  "--proto tcp-server or --proto tcp-client");
2436  }
2437 
2438  /*
2439  * Sanity check on Client mode
2440  */
2441 
2442  if (options->mode != MODE_SERVER && ce->local_list->len > 1)
2443  {
2444  msg(M_USAGE, "multiple --local statements only allowed in --server mode");
2445  }
2446 
2447  if (options->lladdr && dev != DEV_TYPE_TAP)
2448  {
2449  msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2450  }
2451 
2452  /*
2453  * Sanity check on MTU parameters
2454  */
2455  if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2456  {
2457  msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2458  }
2459 
2460  if (!proto_is_udp(ce->proto) && options->mtu_test)
2461  {
2462  msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2463  }
2464 
2465  /* will we be pulling options from server? */
2466  pull = options->pull;
2467 
2468  /*
2469  * Sanity check on --local, --remote, and --ifconfig
2470  */
2471 
2472  if (string_defined_equal(ce->remote, options->ifconfig_local)
2473  || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2474  {
2475  msg(M_USAGE,
2476  "--local and --remote addresses must be distinct from --ifconfig "
2477  "addresses");
2478  }
2479 
2480  if (string_defined_equal(options->ifconfig_local,
2481  options->ifconfig_remote_netmask))
2482  {
2483  msg(M_USAGE,
2484  "local and remote/netmask --ifconfig addresses must be different");
2485  }
2486 
2487  if (ce->bind_defined && !ce->bind_local)
2488  {
2489  msg(M_USAGE, "--bind and --nobind can't be used together");
2490  }
2491 
2492  if (ce->local_port_defined && !ce->bind_local)
2493  {
2494  msg(M_USAGE,
2495  "--lport and --nobind don't make sense when used together");
2496  }
2497 
2498  if (!ce->remote && !ce->bind_local)
2499  {
2500  msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2501  }
2502 
2503  for (int i = 0; i < ce->local_list->len; i++)
2504  {
2505  struct local_entry *le = ce->local_list->array[i];
2506 
2507  if (proto_is_net(le->proto)
2508  && string_defined_equal(le->local, ce->remote)
2509  && string_defined_equal(le->port, ce->remote_port))
2510  {
2511  msg(M_USAGE, "--remote and one of the --local addresses are the same");
2512  }
2513 
2514  if (string_defined_equal(le->local, options->ifconfig_local)
2515  || string_defined_equal(le->local, options->ifconfig_remote_netmask))
2516  {
2517  msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2518  }
2519 
2520  if (le->local && !ce->bind_local)
2521  {
2522  msg(M_USAGE, "--local and --nobind don't make sense when used together");
2523  }
2524  }
2525 
2526  /*
2527  * Check for consistency of management options
2528  */
2529 #ifdef ENABLE_MANAGEMENT
2530  if (!options->management_addr
2531  && (options->management_flags
2532  || options->management_log_history_cache != defaults.management_log_history_cache))
2533  {
2534  msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2535  }
2536 
2537  if ((options->management_client_user || options->management_client_group)
2538  && !(options->management_flags & MF_UNIX_SOCK))
2539  {
2540  msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2541  }
2542 
2543  if (options->management_addr
2544  && !(options->management_flags & MF_UNIX_SOCK)
2545  && (!options->management_user_pass))
2546  {
2547  msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2548  "passwords is STRONGLY discouraged and considered insecure");
2549  }
2550 
2551 #endif /* ifdef ENABLE_MANAGEMENT */
2552 
2553 #if !defined(HAVE_XKEY_PROVIDER)
2554  if ((tls_version_max() >= TLS_VER_1_3)
2555  && (options->management_flags & MF_EXTERNAL_KEY)
2556  && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2557  )
2558  {
2559  msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2560  "nopadding argument/support");
2561  }
2562 #endif
2563  /*
2564  * Windows-specific options.
2565  */
2566 
2567 #ifdef _WIN32
2568  if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2569  {
2570  msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2571  }
2572 
2573  if ((options->tuntap_options.ip_win32_defined)
2574  && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2575  {
2576  msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2577  }
2578 
2579  if (options->tuntap_options.dhcp_options & DHCP_OPTIONS_DHCP_REQUIRED)
2580  {
2581  const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
2582  if (options->windows_driver != WINDOWS_DRIVER_TAP_WINDOWS6)
2583  {
2584  msg(M_USAGE, "%s, which is not supported by the selected %s driver",
2585  prefix, print_tun_backend_driver(options->windows_driver));
2586  }
2587  else if (options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2588  && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2589  {
2590  msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive",
2591  prefix);
2592  }
2593  }
2594 
2595  if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
2596  {
2597  msg(M_USAGE, "--windows-driver wintun requires --dev tun");
2598  }
2599 #endif /* ifdef _WIN32 */
2600 
2601  /*
2602  * Check that protocol options make sense.
2603  */
2604 
2605 #ifdef ENABLE_FRAGMENT
2606  if (!proto_is_udp(ce->proto) && ce->fragment)
2607  {
2608  msg(M_USAGE, "--fragment can only be used with --proto udp");
2609  }
2610 #endif
2611 
2612  if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2613  {
2614  msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2615  }
2616 
2617  if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2618  {
2619  msg(M_USAGE,
2620  "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2621  "tcp-client)");
2622  }
2623 
2624  if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2625  {
2626  msg(M_USAGE,
2627  "--http-proxy not specified but other http proxy options present");
2628  }
2629 
2630  if (ce->http_proxy_options && ce->socks_proxy_server)
2631  {
2632  msg(M_USAGE,
2633  "--http-proxy can not be used together with --socks-proxy");
2634  }
2635 
2636  if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2637  {
2638  msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2639  }
2640 
2641  if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2642  {
2643  msg(M_USAGE, "TCP server mode allows at most one --remote address");
2644  }
2645 
2646  /*
2647  * Check consistency of --mode server options.
2648  */
2649  if (options->mode == MODE_SERVER)
2650  {
2651  const char use_err[] = "--%s cannot be used with --mode server.";
2652 
2653 #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
2654  "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2655 #ifdef TARGET_ANDROID
2656  msg(M_FATAL, "--mode server not supported on Android");
2657 #endif
2658  if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2659  {
2660  msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2661  }
2662  MUST_BE_UNDEF(pull, "pull");
2663  if (options->pull_filter_list)
2664  {
2665  msg(M_WARN, "--pull-filter ignored for --mode server");
2666  }
2667  if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2668  {
2669  msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2670  }
2671 #if PORT_SHARE
2672  if ((options->port_share_host || options->port_share_port)
2673  && (ce->proto != PROTO_TCP_SERVER))
2674  {
2675  msg(M_USAGE, "--port-share only works in TCP server mode "
2676  "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2677  }
2678 #endif
2679  if (!options->tls_server)
2680  {
2681  msg(M_USAGE, "--mode server requires --tls-server");
2682  }
2683  MUST_BE_FALSE(ce->remote, "remote");
2684  MUST_BE_FALSE(!ce->bind_local, "nobind");
2685  MUST_BE_FALSE(ce->http_proxy_options, "http-proxy");
2686  MUST_BE_FALSE(ce->socks_proxy_server, "socks-proxy");
2687  /* <connection> blocks force to have a remote embedded, so we check
2688  * for the --remote and bail out if it is present
2689  */
2690  if (options->connection_list->len >1
2691  || options->connection_list->array[0]->remote)
2692  {
2693  msg(M_USAGE, "<connection> cannot be used with --mode server");
2694  }
2695 
2696  MUST_BE_UNDEF(shaper, "shaper");
2697  if (options->ipchange)
2698  {
2699  msg(M_USAGE,
2700  "--ipchange cannot be used with --mode server (use "
2701  "--client-connect instead)");
2702  }
2703  if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2704  {
2705  msg(M_USAGE, USAGE_VALID_SERVER_PROTOS);
2706  }
2707  if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2708  {
2709  msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2710  }
2711  if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2712  {
2713  msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2714  }
2715  if (options->routes && (options->routes->flags & RG_ENABLE))
2716  {
2717  msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2718  }
2719  MUST_BE_UNDEF(route_delay_defined, "route-delay");
2720  MUST_BE_UNDEF(up_delay, "up-delay");
2721  if (!options->ifconfig_pool_defined
2722  && !options->ifconfig_ipv6_pool_defined
2723  && options->ifconfig_pool_persist_filename)
2724  {
2725  msg(M_USAGE,
2726  "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2727  }
2728  if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2729  {
2730  msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2731  }
2732  MUST_BE_UNDEF(allow_recursive_routing, "allow-recursive-routing");
2733  if (options->auth_user_pass_file)
2734  {
2735  msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2736  }
2737  if (options->ccd_exclusive && !options->client_config_dir)
2738  {
2739  msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2740  }
2741  if (options->auth_token_generate && !options->renegotiate_seconds)
2742  {
2743  msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2744  "--renegotiate_seconds setting");
2745  }
2746  if (options->auth_token_generate && options->auth_token_renewal
2747  && options->auth_token_renewal < 2 * options->handshake_window)
2748  {
2749  msg(M_USAGE, "--auth-gen-token renewal time needs to be at least "
2750  " two times --hand-window (%d).",
2751  options->handshake_window);
2752 
2753  }
2754  if (!options->auth_user_pass_verify_script
2755  && !PLUGIN_OPTION_LIST(options)
2756  && !MAN_CLIENT_AUTH_ENABLED(options))
2757  {
2758  const char *use_err = "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2759 
2760  MUST_BE_FALSE(options->ssl_flags
2761  & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL),
2762  "verify-client-cert none|optional");
2763  MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME,
2764  "username-as-common-name");
2765  MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL,
2766  "auth-user-pass-optional");
2767  }
2768 
2769  if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2770  {
2771  msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2772  }
2773  if (!options->vlan_tagging)
2774  {
2775  const char use_err[] = "--%s requires --vlan-tagging";
2776  MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2777  MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2778  }
2779  }
2780  else
2781  {
2782  const char use_err[] = "--%s requires --mode server";
2783  /*
2784  * When not in server mode, err if parameters are
2785  * specified which require --mode server.
2786  */
2787  MUST_BE_UNDEF(ifconfig_pool_defined, "ifconfig-pool");
2788  MUST_BE_UNDEF(ifconfig_pool_persist_filename, "ifconfig-pool-persist");
2789  MUST_BE_UNDEF(ifconfig_ipv6_pool_defined, "ifconfig-ipv6-pool");
2790  MUST_BE_UNDEF(real_hash_size, "hash-size");
2791  MUST_BE_UNDEF(virtual_hash_size, "hash-size");
2792  MUST_BE_UNDEF(learn_address_script, "learn-address");
2793  MUST_BE_UNDEF(client_connect_script, "client-connect");
2794  MUST_BE_UNDEF(client_crresponse_script, "client-crresponse");
2795  MUST_BE_UNDEF(client_disconnect_script, "client-disconnect");
2796  MUST_BE_UNDEF(client_config_dir, "client-config-dir");
2797  MUST_BE_UNDEF(ccd_exclusive, "ccd-exclusive");
2798  MUST_BE_UNDEF(enable_c2c, "client-to-client");
2799  MUST_BE_UNDEF(duplicate_cn, "duplicate-cn");
2800  MUST_BE_UNDEF(cf_max, "connect-freq");
2801  MUST_BE_UNDEF(cf_per, "connect-freq");
2802  MUST_BE_FALSE(options->ssl_flags
2803  & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL),
2804  "verify-client-cert");
2805  MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name");
2806  MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional");
2807  MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify");
2808  if (options->server_flags & SF_TCP_NODELAY_HELPER)
2809  {
2810  msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2811  "affect the server. To have TCP_NODELAY in both direction use "
2812  "tcp-nodelay in the server configuration instead.");
2813  }
2814  MUST_BE_UNDEF(auth_user_pass_verify_script, "auth-user-pass-verify");
2815  MUST_BE_UNDEF(auth_token_generate, "auth-gen-token");
2816 #if PORT_SHARE
2817  if (options->port_share_host || options->port_share_port)
2818  {
2819  msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2820  }
2821 #endif
2822  MUST_BE_UNDEF(stale_routes_check_interval, "stale-routes-check");
2823  MUST_BE_UNDEF(vlan_tagging, "vlan-tagging");
2824  MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2825  MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2826  MUST_BE_UNDEF(force_key_material_export, "force-key-material-export");
2827  }
2828 
2829  /*
2830  * SSL/TLS mode sanity checks.
2831  */
2832  if (options->tls_server + options->tls_client
2833  + (options->shared_secret_file != NULL) > 1)
2834  {
2835  msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2836  }
2837 
2838  if (!options->tls_server && !options->tls_client)
2839  {
2840  int msglevel = M_USAGE;
2841  if (options->allow_deprecated_insecure_static_crypto)
2842  {
2843  msglevel = M_INFO;
2844  }
2845 
2846  msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
2847  "configuration detected. OpenVPN 2.8 will remove the "
2848  "functionality to run a VPN without TLS. "
2849  "See the examples section in the manual page for "
2850  "examples of a similar quick setup with peer-fingerprint. "
2851  "OpenVPN 2.7 allows using this configuration when using "
2852  "--allow-deprecated-insecure-static-crypto but you should move "
2853  "to a proper configuration using TLS as soon as possible."
2854  );
2855  }
2856 
2857  if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2858  {
2859  msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2860  "--verify-client-cert none|optional "
2861  "may accept clients which do not present a certificate");
2862  }
2863 
2864  const int tls_version_max =
2865  (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
2866  & SSLF_TLS_VERSION_MAX_MASK;
2867  const int tls_version_min =
2868  (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
2869  & SSLF_TLS_VERSION_MIN_MASK;
2870 
2871  if (tls_version_max > 0 && tls_version_max < tls_version_min)
2872  {
2873  msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2874  }
2875 
2876  if (options->tls_server || options->tls_client)
2877  {
2878  check_ca_required(options);
2879 #ifdef ENABLE_PKCS11
2880  if (!options->pkcs11_providers[0] && options->pkcs11_id)
2881  {
2882  msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2883  }
2884  else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2885  {
2886  msg(M_WARN, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2887  }
2888 
2889  if (options->pkcs11_providers[0])
2890  {
2891  if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2892  {
2893  msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2894  }
2895  if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2896  {
2897  msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2898  }
2899  const char use_err[] = "Parameter --%s cannot be used when --pkcs11-provider is also specified.";
2900  MUST_BE_UNDEF(cert_file, "cert");
2901  MUST_BE_UNDEF(priv_key_file, "key");
2902  MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2903  MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2904  MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2905 #ifdef ENABLE_CRYPTOAPI
2906  MUST_BE_UNDEF(cryptoapi_cert, "cryptoapicert");
2907 #endif
2908  }
2909  else
2910 #endif /* ifdef ENABLE_PKCS11 */
2911 #ifdef ENABLE_CRYPTOAPI
2912  if (options->cryptoapi_cert)
2913  {
2914  const char use_err[] = "Parameter --%s cannot be used when --cryptoapicert is also specified.";
2915  MUST_BE_UNDEF(cert_file, "cert");
2916  MUST_BE_UNDEF(priv_key_file, "key");
2917  MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2918  MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2919  MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2920  }
2921  else
2922 #endif
2923  if (options->pkcs12_file)
2924  {
2925 #ifdef ENABLE_CRYPTO_MBEDTLS
2926  msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN.");
2927 #else
2928  const char use_err[] = "Parameter --%s cannot be used when --pkcs12 is also specified.";
2929  MUST_BE_UNDEF(ca_path, "capath");
2930  MUST_BE_UNDEF(cert_file, "cert");
2931  MUST_BE_UNDEF(priv_key_file, "key");
2932  MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2933  MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2934 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2935  }
2936  else /* cert/key from none of pkcs11, pkcs12, cryptoapi */
2937  {
2938  if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2939  {
2940  msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2941  }
2942  if ((options->management_flags & MF_EXTERNAL_CERT))
2943  {
2944  if (options->cert_file)
2945  {
2946  msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2947  }
2948  else if (!(options->management_flags & MF_EXTERNAL_KEY))
2949  {
2950  msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2951  }
2952  }
2953  if (pull)
2954  {
2955 
2956  const int sum =
2957  ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2958  + ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2959 
2960  if (sum == 0)
2961  {
2962  if (!options->auth_user_pass_file)
2963  {
2964  msg(M_USAGE, "No client-side authentication method is "
2965  "specified. You must use either "
2966  "--cert/--key, --pkcs12, or "
2967  "--auth-user-pass");
2968  }
2969  }
2970  else if (sum != 2)
2971  {
2972  msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2973  }
2974  }
2975  else
2976  {
2977  if (!(options->management_flags & MF_EXTERNAL_CERT))
2978  {
2979  notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2980  }
2981  if (!(options->management_flags & MF_EXTERNAL_KEY))
2982  {
2983  notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2984  }
2985  }
2986  }
2987  if (ce->tls_auth_file && ce->tls_crypt_file)
2988  {
2989  msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2990  }
2991  if (options->tls_client && ce->tls_crypt_v2_file
2992  && (ce->tls_auth_file || ce->tls_crypt_file))
2993  {
2994  msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2995  }
2996  }
2997  else
2998  {
2999  /*
3000  * Make sure user doesn't specify any TLS options
3001  * when in non-TLS mode.
3002  */
3003 
3004  const char use_err[] = "Parameter %s can only be specified in TLS-mode, "
3005  "i.e. where --tls-server or --tls-client is also specified.";
3006 
3007  MUST_BE_UNDEF(ca_file, "ca");
3008  MUST_BE_UNDEF(ca_path, "capath");
3009  MUST_BE_UNDEF(dh_file, "dh");
3010  MUST_BE_UNDEF(cert_file, "cert");
3011  MUST_BE_UNDEF(priv_key_file, "key");
3012 #ifndef ENABLE_CRYPTO_MBEDTLS
3013  MUST_BE_UNDEF(pkcs12_file, "pkcs12");
3014 #endif
3015  MUST_BE_UNDEF(cipher_list, "tls-cipher");
3016  MUST_BE_UNDEF(cipher_list_tls13, "tls-ciphersuites");
3017  MUST_BE_UNDEF(tls_cert_profile, "tls-cert-profile");
3018  MUST_BE_UNDEF(tls_verify, "tls-verify");
3019  MUST_BE_UNDEF(tls_export_peer_cert_dir, "tls-export-cert");
3020  MUST_BE_UNDEF(verify_x509_name, "verify-x509-name");
3021  MUST_BE_UNDEF(tls_timeout, "tls-timeout");
3022  MUST_BE_UNDEF(renegotiate_bytes, "reneg-bytes");
3023  MUST_BE_UNDEF(renegotiate_packets, "reneg-pkts");
3024  MUST_BE_UNDEF(renegotiate_seconds, "reneg-sec");
3025  MUST_BE_UNDEF(handshake_window, "hand-window");
3026  MUST_BE_UNDEF(transition_window, "tran-window");
3027  MUST_BE_UNDEF(tls_auth_file, "tls-auth");
3028  MUST_BE_UNDEF(tls_crypt_file, "tls-crypt");
3029  MUST_BE_UNDEF(tls_crypt_v2_file, "tls-crypt-v2");
3030  MUST_BE_UNDEF(single_session, "single-session");
3031  MUST_BE_UNDEF(push_peer_info, "push-peer-info");
3032  MUST_BE_UNDEF(tls_exit, "tls-exit");
3033  MUST_BE_UNDEF(crl_file, "crl-verify");
3034  MUST_BE_UNDEF(ns_cert_type, "ns-cert-type");
3035  MUST_BE_UNDEF(remote_cert_ku[0], "remote-cert-ku");
3036  MUST_BE_UNDEF(remote_cert_eku, "remote-cert-eku");
3037 #ifdef ENABLE_PKCS11
3038  MUST_BE_UNDEF(pkcs11_providers[0], "pkcs11-providers");
3039  MUST_BE_UNDEF(pkcs11_private_mode[0], "pkcs11-private-mode");
3040  MUST_BE_UNDEF(pkcs11_id, "pkcs11-id");
3041  MUST_BE_UNDEF(pkcs11_id_management, "pkcs11-id-management");
3042 #endif
3043 
3044  if (pull)
3045  {
3046  msg(M_USAGE, use_err, "--pull");
3047  }
3048  }
3049  if (options->auth_user_pass_file && !options->pull)
3050  {
3051  msg(M_USAGE, "--auth-user-pass requires --pull");
3052  }
3053 
3054  uninit_options(&defaults);
3055 }
3056 
3057 #undef MUST_BE_UNDEF
3058 #undef MUST_BE_FALSE
3059 
3060 static void
3061 options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
3062 {
3063  const int dev = dev_type_enum(o->dev, o->dev_type);
3064 
3065  if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
3066  {
3067  if (ce->proto == PROTO_TCP)
3068  {
3069  ce->proto = PROTO_TCP_SERVER;
3070  o->ce.proto = ce->proto;
3071  }
3072  }
3073 
3074  if (o->mode != MODE_SERVER)
3075  {
3076  if (ce->proto == PROTO_TCP)
3077  {
3078  ce->proto = PROTO_TCP_CLIENT;
3079  o->ce.proto = ce->proto;
3080  }
3081  }
3082 
3083  /* an option is present that requires local bind to enabled */
3084  bool need_bind = ce->local_port_defined || ce->bind_defined || ce->local_list;
3085 
3086  /* socks proxy is enabled */
3087  bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
3088 
3089  /* If binding is not forced by an explicit option and we have (at least)
3090  * one of --tcp-client, --pull (or --client), or socks we do not bind
3091  * locally to have "normal" IP client behaviour of a random source port */
3092  if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
3093  {
3094  ce->bind_local = false;
3095  }
3096 
3097  if (!ce->bind_local)
3098  {
3099  ce->local_port = NULL;
3100  }
3101 
3102  /* if protocol forcing is enabled, disable all protocols
3103  * except for the forced one
3104  */
3105  if (o->proto_force >= 0 && o->proto_force != ce->proto)
3106  {
3107  ce->flags |= CE_DISABLED;
3108  }
3109 
3110  if (ce->http_proxy_options)
3111  {
3112  ce->http_proxy_options->nocache = ssl_get_auth_nocache();
3113  }
3114 
3115  /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
3116  * so fall back to IPv4-only (trac #1221)
3117  */
3118  if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
3119  {
3120  if (ce->af == AF_INET6)
3121  {
3122  msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
3123  "'--socks-proxy' today. Forcing IPv4 mode." );
3124  }
3125  else
3126  {
3127  msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
3128  "work correctly with '--socks-proxy' today. Forcing IPv4." );
3129  }
3130  ce->af = AF_INET;
3131  }
3132 
3133  /*
3134  * Set MTU defaults
3135  */
3136  {
3137  if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
3138  {
3139  ce->tun_mtu_defined = true;
3140  }
3141  if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
3142  {
3143  ce->tun_mtu_extra_defined = true;
3144  ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
3145  }
3146  }
3147 
3148  /*
3149  * If --mssfix is supplied without a parameter or not specified at all,
3150  * default it to --fragment value, if --fragment is specified and otherwise
3151  * to the default if tun-mtu is 1500
3152  */
3153  if (o->ce.mssfix_default)
3154  {
3155 #ifdef ENABLE_FRAGMENT
3156  if (ce->fragment)
3157  {
3158  ce->mssfix = ce->fragment;
3159  }
3160  else
3161 #endif
3162  if (ce->tun_mtu_defined)
3163  {
3164  if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3165  {
3166  /* We want to only set mssfix default value if we use a default
3167  * MTU Size, otherwise the different size of tun should either
3168  * already solve the problem or mssfix might artifically make the
3169  * payload packets smaller without mssfix 0 */
3170  ce->mssfix = MSSFIX_DEFAULT;
3171  ce->mssfix_encap = true;
3172  }
3173  else
3174  {
3175  /* We still apply the mssfix value but only adjust it to the
3176  * size of the tun interface. */
3177  ce->mssfix = ce->tun_mtu;
3178  ce->mssfix_fixed = true;
3179  }
3180  }
3181  }
3182 
3183  /*
3184  * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3185  *
3186  * At the end only one of these will be really set because the parser
3187  * logic prevents configurations where more are set.
3188  */
3189  if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3190  {
3191  ce->tls_auth_file = o->tls_auth_file;
3192  ce->tls_auth_file_inline = o->tls_auth_file_inline;
3193  ce->key_direction = o->key_direction;
3194 
3195  ce->tls_crypt_file = o->tls_crypt_file;
3196  ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
3197 
3198  ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
3199  ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
3200  }
3201 
3202  /* Pre-cache tls-auth/crypt(-v2) key file if
3203  * keys were not already embedded in the config file.
3204  */
3205  connection_entry_preload_key(&ce->tls_auth_file,
3206  &ce->tls_auth_file_inline, &o->gc);
3207  connection_entry_preload_key(&ce->tls_crypt_file,
3208  &ce->tls_crypt_file_inline, &o->gc);
3209  connection_entry_preload_key(&ce->tls_crypt_v2_file,
3210  &ce->tls_crypt_v2_file_inline, &o->gc);
3211 
3212 
3213  if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
3214  {
3215  msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3216  ce->explicit_exit_notification = 0;
3217  }
3218 }
3219 
3220 static void
3221 options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
3222 {
3223  /* use the global port if none is specified */
3224  if (!le->port)
3225  {
3226  le->port = ce->local_port;
3227  }
3228  /* use the global proto if none is specified and
3229  * allow proto bindings on server mode only */
3230  if (!le->proto || mode == MODE_POINT_TO_POINT)
3231  {
3232  le->proto = ce->proto;
3233  }
3234 }
3235 
3236 #ifdef _WIN32
3237 /* If iservice is in use, we need def1 method for redirect-gateway */
3238 static void
3239 remap_redirect_gateway_flags(struct options *opt)
3240 {
3241  if (opt->routes
3242  && opt->route_method == ROUTE_METHOD_SERVICE
3243  && opt->routes->flags & RG_REROUTE_GW
3244  && !(opt->routes->flags & RG_DEF1))
3245  {
3246  msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3247  opt->routes->flags |= RG_DEF1;
3248  }
3249 }
3250 #endif
3251 
3252 /*
3253  * Save/Restore certain option defaults before --pull is applied.
3254  */
3255 
3256 static void
3257 pre_connect_save(struct options *o)
3258 {
3259  ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3260  o->pre_connect->tuntap_options = o->tuntap_options;
3261  o->pre_connect->tuntap_options_defined = true;
3262  o->pre_connect->foreign_option_index = o->foreign_option_index;
3263 
3264  if (o->routes)
3265  {
3266  o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3267  o->pre_connect->routes_defined = true;
3268  }
3269  if (o->routes_ipv6)
3270  {
3271  o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3272  o->pre_connect->routes_ipv6_defined = true;
3273  }
3274  if (o->client_nat)
3275  {
3276  o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3277  o->pre_connect->client_nat_defined = true;
3278  }
3279 
3280  o->pre_connect->route_default_gateway = o->route_default_gateway;
3281  o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3282 
3283  o->pre_connect->dns_options = clone_dns_options(&o->dns_options, &o->gc);
3284 
3285  /* NCP related options that can be overwritten by a push */
3286  o->pre_connect->ciphername = o->ciphername;
3287  o->pre_connect->authname = o->authname;
3288 
3289  /* Ping related options should be reset to the config values on reconnect */
3290  o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3291  o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3292  o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3293 
3294  /* Miscellaneous Options */
3295  o->pre_connect->comp = o->comp;
3296 }
3297 
3298 void
3299 pre_connect_restore(struct options *o, struct gc_arena *gc)
3300 {
3301  const struct options_pre_connect *pp = o->pre_connect;
3302  if (pp)
3303  {
3304  CLEAR(o->tuntap_options);
3305  if (pp->tuntap_options_defined)
3306  {
3307  o->tuntap_options = pp->tuntap_options;
3308  }
3309 
3310  if (pp->routes_defined)
3311  {
3312  rol_check_alloc(o);
3313  copy_route_option_list(o->routes, pp->routes, gc);
3314  }
3315  else
3316  {
3317  o->routes = NULL;
3318  }
3319 
3320  if (pp->routes_ipv6_defined)
3321  {
3322  rol6_check_alloc(o);
3323  copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3324  }
3325  else
3326  {
3327  o->routes_ipv6 = NULL;
3328  }
3329 
3330  o->route_default_gateway = pp->route_default_gateway;
3331  o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3332 
3333  /* Free DNS options and reset them to pre-pull state */
3334  gc_free(&o->dns_options.gc);
3335  struct gc_arena dns_gc = gc_new();
3336  o->dns_options = clone_dns_options(&pp->dns_options, &dns_gc);
3337  o->dns_options.gc = dns_gc;
3338 
3339  if (pp->client_nat_defined)
3340  {
3341  cnol_check_alloc(o);
3342  copy_client_nat_option_list(o->client_nat, pp->client_nat);
3343  }
3344  else
3345  {
3346  o->client_nat = NULL;
3347  }
3348 
3349  o->foreign_option_index = pp->foreign_option_index;
3350 
3351  o->ciphername = pp->ciphername;
3352  o->authname = pp->authname;
3353 
3354  o->ping_rec_timeout = pp->ping_rec_timeout;
3355  o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3356  o->ping_send_timeout = pp->ping_send_timeout;
3357 
3358  /* Miscellaneous Options */
3359  o->comp = pp->comp;
3360  }
3361 
3362  o->push_continuation = 0;
3363  o->push_option_types_found = 0;
3364  o->imported_protocol_flags = 0;
3365 }
3366 
3367 static void
3368 options_postprocess_mutate_invariant(struct options *options)
3369 {
3370 #ifdef _WIN32
3371  const int dev = dev_type_enum(options->dev, options->dev_type);
3372 
3373  /* when using wintun/ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3374  if ((options->windows_driver == WINDOWS_DRIVER_WINTUN
3375  || options->windows_driver == DRIVER_DCO)
3376  && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ
3377  || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3378  {
3379  options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3380  }
3381 
3382  if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3383  {
3384  /* delay may only be necessary when we perform DHCP handshake */
3385  const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3386  || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3387  if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3388  {
3389  options->route_delay_defined = true;
3390  options->route_delay = 5; /* Vista sometimes has a race without this */
3391  }
3392  }
3393 
3394  if (options->ifconfig_noexec)
3395  {
3396  options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3397  options->ifconfig_noexec = false;
3398  }
3399 
3400  remap_redirect_gateway_flags(options);
3401 
3402  /*
3403  * Check consistency of --mode server options.
3404  */
3405  if (options->mode == MODE_SERVER)
3406  {
3407  /*
3408  * We need to explicitly set --tap-sleep because
3409  * we do not schedule event timers in the top-level context.
3410  */
3411  options->tuntap_options.tap_sleep = 10;
3412  if (options->route_delay_defined && options->route_delay)
3413  {
3414  options->tuntap_options.tap_sleep = options->route_delay;
3415  }
3416  options->route_delay_defined = false;
3417  }
3418 #endif /* ifdef _WIN32 */
3419 
3420 #ifdef DEFAULT_PKCS11_MODULE
3421  /* If p11-kit is present on the system then load its p11-kit-proxy.so
3422  * by default if the user asks for PKCS#11 without otherwise specifying
3423  * the module to use. */
3424  if (!options->pkcs11_providers[0]
3425  && (options->pkcs11_id || options->pkcs11_id_management))
3426  {
3427  options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3428  }
3429 #endif
3430 }
3431 
3432 static void
3433 options_postprocess_verify(const struct options *o)
3434 {
3435  if (o->connection_list)
3436  {
3437  int i;
3438  for (i = 0; i < o->connection_list->len; ++i)
3439  {
3440  options_postprocess_verify_ce(o, o->connection_list->array[i]);
3441  }
3442  }
3443  else
3444  {
3445  options_postprocess_verify_ce(o, &o->ce);
3446  }
3447 
3448  dns_options_verify(M_FATAL, &o->dns_options);
3449 
3450  if (dco_enabled(o) && o->enable_c2c)
3451  {
3452  msg(M_WARN, "Note: --client-to-client has no effect when using data "
3453  "channel offload: packets are always sent to the VPN "
3454  "interface and then routed based on the system routing table");
3455  }
3456 }
3457 
3458 static void
3459 options_postprocess_cipher(struct options *o)
3460 {
3461  if (!o->pull && !(o->mode == MODE_SERVER))
3462  {
3463  /* If the cipher is not set, use the old default of BF-CBC. We will
3464  * warn that this is deprecated on cipher initialisation, no need
3465  * to warn here as well */
3466  if (!o->ciphername)
3467  {
3468  o->ciphername = "BF-CBC";
3469  }
3470  else
3471  {
3472  o->enable_ncp_fallback = true;
3473  }
3474  return;
3475  }
3476 
3477  /* pull or P2MP mode */
3478  if (!o->ciphername)
3479  {
3480  /* We still need to set the ciphername to BF-CBC since various other
3481  * parts of OpenVPN assert that the ciphername is set */
3482  o->ciphername = "BF-CBC";
3483 
3484  msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
3485  "defaulted to BF-CBC as fallback when cipher negotiation "
3486  "failed in this case. If you need this fallback please add "
3487  "'--data-ciphers-fallback BF-CBC' to your configuration "
3488  "and/or add BF-CBC to --data-ciphers. E.g. "
3489  "--data-ciphers %s:BF-CBC", o->ncp_ciphers_conf);
3490  }
3491  else if (!o->enable_ncp_fallback
3492  && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3493  {
3494  msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3495  "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3496  "negotiations. ",
3497  o->ciphername, o->ncp_ciphers_conf);
3498  }
3499 }
3500 
3515 static bool
3516 need_compatibility_before(const struct options *o, unsigned int version)
3517 {
3518  return o->backwards_compatible != 0 && o->backwards_compatible < version;
3519 }
3520 
3525 static void
3526 options_set_backwards_compatible_options(struct options *o)
3527 {
3528  /* TLS min version is not set */
3529  int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
3530  & SSLF_TLS_VERSION_MIN_MASK;
3531  if (tls_ver_min == 0)
3532  {
3533  int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
3534  & SSLF_TLS_VERSION_MAX_MASK;
3535  if (need_compatibility_before(o, 20307))
3536  {
3537  /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3538  o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
3539  }
3540  else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3541  {
3542  /* Use TLS 1.2 as proper default */
3543  o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
3544  }
3545  else
3546  {
3547  /* Maximize the minimum version */
3548  o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3549  }
3550  }
3551 
3552  if (need_compatibility_before(o, 20400))
3553  {
3554  if (!o->ciphername)
3555  {
3556  /* If ciphername is not set default to BF-CBC when targeting these
3557  * old versions that do not have NCP */
3558  o->ciphername = "BF-CBC";
3559  }
3560  /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3561  * not have OCC strings required for "poor man's NCP" */
3562  o->enable_ncp_fallback = true;
3563  }
3564 
3565  /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3566  * Version 2.4 probably does not need it but NCP was not so
3567  * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3568  * Only do this iff --cipher is set (explicitly or by compat mode
3569  * < 2.4.0, see above). This is not 100% correct backwards compatible
3570  * behaviour but 2.5 already behaved like this */
3571  if (o->ciphername && need_compatibility_before(o, 20500)
3572  && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3573  {
3574  append_cipher_to_ncp_list(o, o->ciphername);
3575  }
3576 
3577 #ifdef USE_COMP
3578  /* Compression is deprecated and we do not want to announce support for it
3579  * by default anymore, additionally DCO breaks with compression.
3580  *
3581  * Disable compression by default starting with 2.6.0 if no other
3582  * compression related option has been explicitly set */
3583  if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
3584  {
3585  if (!comp_non_stub_enabled(&o->comp))
3586  {
3587  o->comp.flags = COMP_F_ALLOW_STUB_ONLY | COMP_F_ADVERTISE_STUBS_ONLY;
3588  }
3589  }
3590 #else /* ifdef USE_COMP */
3591  o->comp.flags = COMP_F_ALLOW_NOCOMP_ONLY;
3592 #endif
3593 }
3594 
3595 static void
3596 options_process_mutate_prf(struct options *o)
3597 {
3598  if (!check_tls_prf_working())
3599  {
3600  msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
3601  "supported by the TLS library. Your system does not support this "
3602  "calculation anymore or your security policy (e.g. FIPS 140-2) "
3603  "forbids it. Connections will only work with peers running "
3604  "OpenVPN 2.6.0 or higher)");
3605 #ifndef HAVE_EXPORT_KEYING_MATERIAL
3606  msg(M_FATAL, "Keying Material Exporters (RFC 5705) not available either. "
3607  "No way to generate data channel keys left.");
3608 #endif
3609  if (o->mode == MODE_SERVER)
3610  {
3611  msg(M_WARN, "Automatically enabling option "
3612  "--force-tls-key-material-export");
3613  o->force_key_material_export = true;
3614  }
3615 
3616  }
3617 }
3618 
3619 static void
3620 options_postprocess_mutate(struct options *o, struct env_set *es)
3621 {
3622  int i;
3623  /*
3624  * Process helper-type options which map to other, more complex
3625  * sequences of options.
3626  */
3627  helper_client_server(o);
3628  /* must be called after helpers that might set --mode */
3629  helper_setdefault_topology(o);
3630  helper_keepalive(o);
3631  helper_tcp_nodelay(o);
3632 
3633  options_postprocess_setdefault_ncpciphers(o);
3634  options_set_backwards_compatible_options(o);
3635  options_process_mutate_prf(o);
3636 
3637  options_postprocess_cipher(o);
3638  o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3639  if (o->ncp_ciphers == NULL)
3640  {
3641  msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3642  }
3643 
3644  if (o->remote_list && !o->connection_list)
3645  {
3646  /*
3647  * Convert remotes into connection list
3648  */
3649  const struct remote_list *rl = o->remote_list;
3650  for (i = 0; i < rl->len; ++i)
3651  {
3652  const struct remote_entry *re = rl->array[i];
3653  struct connection_entry ce = o->ce;
3654  struct connection_entry *ace;
3655 
3656  ASSERT(re->remote);
3657  connection_entry_load_re(&ce, re);
3658  ace = alloc_connection_entry(o, M_USAGE);
3659  ASSERT(ace);
3660  *ace = ce;
3661  }
3662  }
3663  else if (!o->remote_list && !o->connection_list)
3664  {
3665  struct connection_entry *ace;
3666  ace = alloc_connection_entry(o, M_USAGE);
3667  ASSERT(ace);
3668  *ace = o->ce;
3669  }
3670 
3671  ASSERT(o->connection_list);
3672  for (i = 0; i < o->connection_list->len; ++i)
3673  {
3674  options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3675  }
3676 
3677  if (o->ce.local_list)
3678  {
3679  for (i = 0; i < o->ce.local_list->len; i++)
3680  {
3681  options_postprocess_mutate_le(&o->ce, o->ce.local_list->array[i], o->mode);
3682  }
3683 
3684  for (int i = 0; i < o->ce.local_list->len; i++)
3685  {
3686  if (o->ce.local_list->array[i]->proto == PROTO_TCP)
3687  {
3688  o->ce.local_list->array[i]->proto = PROTO_TCP_SERVER;
3689  }
3690  else if (o->ce.local_list->array[i]->proto == PROTO_NONE)
3691  {
3692  o->ce.local_list->array[i]->proto = o->ce.proto;
3693  }
3694  }
3695  }
3696  else
3697  {
3698  /* if no 'local' directive was specified, convert the global port
3699  * setting to a listen entry */
3700  struct local_entry *e = alloc_local_entry(&o->ce, M_USAGE, &o->gc);
3701  ASSERT(e);
3702  e->port = o->ce.local_port;
3703  e->proto = o->ce.proto;
3704  }
3705 
3706  /* use the same listen list for every outgoing connection */
3707  for (i = 0; i < o->connection_list->len; ++i)
3708  {
3709  o->connection_list->array[i]->local_list = o->ce.local_list;
3710  }
3711 
3712  if (o->tls_server)
3713  {
3714  /* Check that DH file is specified, or explicitly disabled */
3715  notnull(o->dh_file, "DH file (--dh)");
3716  if (streq(o->dh_file, "none"))
3717  {
3718  o->dh_file = NULL;
3719  }
3720  }
3721  else if (o->dh_file)
3722  {
3723  /* DH file is only meaningful in a tls-server context. */
3724  msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3725  "include this in your server configuration");
3726  o->dh_file = NULL;
3727  }
3728 #if ENABLE_MANAGEMENT
3729  if (o->http_proxy_override)
3730  {
3731  options_postprocess_http_proxy_override(o);
3732  }
3733 #endif
3734  if (!o->ca_file && !o->ca_path && o->verify_hash
3735  && o->verify_hash_depth == 0)
3736  {
3737  msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3738  "option set). ");
3739  o->verify_hash_no_ca = true;
3740  }
3741 
3742  if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3743  {
3744  msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3745  "incompatible with each other.");
3746  }
3747 
3748  if (dco_enabled(o))
3749  {
3750  /* check if any option should force disabling DCO */
3751  o->disable_dco = !dco_check_option(D_DCO, o)
3752  || !dco_check_startup_option(D_DCO, o);
3753  }
3754 #ifdef USE_COMP
3755  if (dco_enabled(o))
3756  {
3757  o->comp.flags |= COMP_F_ALLOW_NOCOMP_ONLY;
3758  }
3759 #endif
3760 
3761 #ifdef _WIN32
3762  if (dco_enabled(o))
3763  {
3764  o->windows_driver = DRIVER_DCO;
3765  }
3766  else
3767  {
3768  if (o->windows_driver == DRIVER_DCO)
3769  {
3770  msg(M_WARN, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3771  o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3772  }
3773  else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED)
3774  {
3775  o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
3776  }
3777  }
3778 #else /* _WIN32 */
3779  if (dco_enabled(o) && o->dev_node)
3780  {
3781  msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3782  "data channel offload");
3783  o->dev_node = NULL;
3784  }
3785 #endif /* _WIN32 */
3786 
3787  /* this depends on o->windows_driver, which is set above */
3788  options_postprocess_mutate_invariant(o);
3789 
3790  /* check that compression settings in the options are okay */
3791  check_compression_settings_valid(&o->comp, M_USAGE);
3792 
3793  /*
3794  * Save certain parms before modifying options during connect, especially
3795  * when using --pull
3796  */
3797  if (o->pull)
3798  {
3799  dns_options_preprocess_pull(&o->dns_options);
3800  }
3801  else
3802  {
3803 #if defined(_WIN32) || defined(TARGET_ANDROID)
3804  tuntap_options_copy_dns(o);
3805 #else
3806  foreign_options_copy_dns(o, es);
3807 #endif
3808  }
3809  if (o->auth_token_generate && !o->auth_token_renewal)
3810  {
3811  o->auth_token_renewal = o->renegotiate_seconds;
3812  }
3813  pre_connect_save(o);
3814 }
3815 
3816 /*
3817  * Check file/directory sanity
3818  *
3819  */
3820 #ifndef ENABLE_SMALL /* Expect people using the stripped down version to know what they do */
3821 
3822 #define CHKACC_FILE (1<<0)
3823 #define CHKACC_DIRPATH (1<<1)
3824 #define CHKACC_FILEXSTWR (1<<2)
3825 #define CHKACC_ACPTSTDIN (1<<3)
3826 #define CHKACC_PRIVATE (1<<4)
3827 #define CHKACC_ACCEPT_URI (1<<5)
3829 static bool
3830 check_file_access(const int type, const char *file, const int mode, const char *opt)
3831 {
3832  int errcode = 0;
3833 
3834  /* If no file configured, no errors to look for */
3835  if (!file)
3836  {
3837  return false;
3838  }
3839 
3840  /* If stdin is allowed and the file name is 'stdin', then do no
3841  * further checks as stdin is always available
3842  */
3843  if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3844  {
3845  return false;
3846  }
3847 
3848  /* file name is a URI if its first segment has ":" (i.e., before any "/")
3849  * Then no checks done if CHKACC_ACCEPT_URI is set and the URI does not start with "file:"
3850  */
3851  if ((type & CHKACC_ACCEPT_URI) && strchr(file, ':'))
3852  {
3853  if (!strncmp(file, "file:", 5))
3854  {
3855  file += 5;
3856  }
3857  else if (!strchr(file, '/') || strchr(file, '/') > strchr(file, ':'))
3858  {
3859  return false;
3860  }
3861  }
3862 
3863  /* Is the directory path leading to the given file accessible? */
3864  if (type & CHKACC_DIRPATH)
3865  {
3866  char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3867  char *dirpath = dirname(fullpath);
3868 
3869  if (platform_access(dirpath, mode|X_OK) != 0)
3870  {
3871  errcode = errno;
3872  }
3873  free(fullpath);
3874  }
3875 
3876  /* Is the file itself accessible? */
3877  if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3878  {
3879  errcode = errno;
3880  }
3881 
3882  /* If the file exists and is accessible, is it writable? */
3883  if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3884  {
3885  if (platform_access(file, W_OK) != 0)
3886  {
3887  errcode = errno;
3888  }
3889  }
3890 
3891  /* Warn if a given private file is group/others accessible. */
3892  if (type & CHKACC_PRIVATE)
3893  {
3894  platform_stat_t st;
3895  if (platform_stat(file, &st))
3896  {
3897  msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3898  }
3899 #ifndef _WIN32
3900  else
3901  {
3902  if (st.st_mode & (S_IRWXG|S_IRWXO))
3903  {
3904  msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3905  }
3906  }
3907 #endif
3908  }
3909 
3910  /* Scream if an error is found */
3911  if (errcode > 0)
3912  {
3913  msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3914  }
3915 
3916  /* Return true if an error occurred */
3917  return (errcode != 0 ? true : false);
3918 }
3919 
3920 /* A wrapper for check_file_access() which also takes a chroot directory.
3921  * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3922  * otherwise it will look for the file inside the given chroot directory instead.
3923  */
3924 static bool
3925 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3926 {
3927  bool ret = false;
3928 
3929  /* If no file configured, no errors to look for */
3930  if (!file)
3931  {
3932  return false;
3933  }
3934 
3935  /* If chroot is set, look for the file/directory inside the chroot */
3936  if (chroot)
3937  {
3938  struct gc_arena gc = gc_new();
3939  struct buffer chroot_file;
3940 
3941  chroot_file = prepend_dir(chroot, file, &gc);
3942  ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3943  gc_free(&gc);
3944  }
3945  else
3946  {
3947  /* No chroot in play, just call core file check function */
3948  ret = check_file_access(type, file, mode, opt);
3949  }
3950  return ret;
3951 }
3952 
3957 static bool
3958 check_file_access_chroot_inline(bool is_inline, const char *chroot,
3959  const int type, const char *file,
3960  const int mode, const char *opt)
3961 {
3962  if (is_inline)
3963  {
3964  return false;
3965  }
3966 
3967  return check_file_access_chroot(chroot, type, file, mode, opt);
3968 }
3969 
3974 static bool
3975 check_file_access_inline(bool is_inline, const int type, const char *file,
3976  const int mode, const char *opt)
3977 {
3978  if (is_inline)
3979  {
3980  return false;
3981  }
3982 
3983  return check_file_access(type, file, mode, opt);
3984 }
3985 
3986 /*
3987  * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3988  * valid file with appropriate permissions.
3989  *
3990  * "command" consists of a path, optionally followed by a space, which may be
3991  * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3992  * performed.
3993  *
3994  * The path and arguments in "command" may be single- or double-quoted or escaped.
3995  *
3996  * The path is extracted from "command", then check_file_access() is called to check it. The
3997  * arguments, if any, are ignored.
3998  *
3999  * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
4000  * check_file_access() arguments.
4001  */
4002 static bool
4003 check_cmd_access(const char *command, const char *opt, const char *chroot)
4004 {
4005  struct argv argv;
4006  bool return_code;
4007 
4008  /* If no command was set, there are no errors to look for */
4009  if (!command)
4010  {
4011  return false;
4012  }
4013 
4014  /* Extract executable path and arguments */
4015  argv = argv_new();
4016  argv_parse_cmd(&argv, command);
4017 
4018  /* if an executable is specified then check it; otherwise, complain */
4019  if (argv.argv[0])
4020  {
4021  /* Scripts requires R_OK as well, but that might fail on binaries which
4022  * only requires X_OK to function on Unix - a scenario not unlikely to
4023  * be seen on suid binaries.
4024  */
4025  return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
4026  }
4027  else
4028  {
4029  msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
4030  opt, command);
4031  return_code = true;
4032  }
4033 
4034  argv_free(&argv);
4035 
4036  return return_code;
4037 }
4038 
4039 /*
4040  * Sanity check of all file/dir options. Checks that file/dir
4041  * is accessible by OpenVPN
4042  */
4043 static void
4044 options_postprocess_filechecks(struct options *options)
4045 {
4046  bool errs = false;
4047 
4048  /* ** SSL/TLS/crypto related files ** */
4049  errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
4050  options->dh_file, R_OK, "--dh");
4051 
4052  if (!options->verify_hash_no_ca)
4053  {
4054  errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
4055  options->ca_file, R_OK, "--ca");
4056  }
4057 
4058  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4059  options->ca_path, R_OK, "--capath");
4060 
4061  errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE|CHKACC_ACCEPT_URI,
4062  options->cert_file, R_OK, "--cert");
4063 
4064  errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
4065  options->extra_certs_file, R_OK,
4066  "--extra-certs");
4067 
4068  if (!(options->management_flags & MF_EXTERNAL_KEY))
4069  {
4070  errs |= check_file_access_inline(options->priv_key_file_inline,
4071  CHKACC_FILE|CHKACC_PRIVATE|CHKACC_ACCEPT_URI,
4072  options->priv_key_file, R_OK, "--key");
4073  }
4074 
4075  errs |= check_file_access_inline(options->pkcs12_file_inline,
4076  CHKACC_FILE|CHKACC_PRIVATE,
4077  options->pkcs12_file, R_OK, "--pkcs12");
4078 
4079  if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
4080  {
4081  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4082  options->crl_file, R_OK|X_OK,
4083  "--crl-verify directory");
4084  }
4085  else
4086  {
4087  errs |= check_file_access_chroot_inline(options->crl_file_inline,
4088  options->chroot_dir,
4089  CHKACC_FILE, options->crl_file,
4090  R_OK, "--crl-verify");
4091  }
4092 
4093  if (options->tls_export_peer_cert_dir)
4094  {
4095  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
4096  options->tls_export_peer_cert_dir,
4097  W_OK, "--tls-export-cert");
4098  }
4099 
4100  ASSERT(options->connection_list);
4101  for (int i = 0; i < options->connection_list->len; ++i)
4102  {
4103  struct connection_entry *ce = options->connection_list->array[i];
4104 
4105  errs |= check_file_access_inline(ce->tls_auth_file_inline,
4106  CHKACC_FILE|CHKACC_PRIVATE,
4107  ce->tls_auth_file, R_OK,
4108  "--tls-auth");
4109  errs |= check_file_access_inline(ce->tls_crypt_file_inline,
4110  CHKACC_FILE|CHKACC_PRIVATE,
4111  ce->tls_crypt_file, R_OK,
4112  "--tls-crypt");
4113  errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline,
4114  CHKACC_FILE|CHKACC_PRIVATE,
4115  ce->tls_crypt_v2_file, R_OK,
4116  "--tls-crypt-v2");
4117  }
4118 
4119  errs |= check_file_access_inline(options->shared_secret_file_inline,
4120  CHKACC_FILE|CHKACC_PRIVATE,
4121  options->shared_secret_file, R_OK,
4122  "--secret");
4123 
4124  errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
4125  options->packet_id_file, R_OK|W_OK, "--replay-persist");
4126 
4127  /* ** Password files ** */
4128  errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4129  options->key_pass_file, R_OK, "--askpass");
4130 #ifdef ENABLE_MANAGEMENT
4131  errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4132  options->management_user_pass, R_OK,
4133  "--management user/password file");
4134 #endif /* ENABLE_MANAGEMENT */
4135  errs |= check_file_access_inline(options->auth_user_pass_file_inline,
4136  CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
4137  options->auth_user_pass_file, R_OK,
4138  "--auth-user-pass");
4139  /* ** System related ** */
4140  errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
4141  R_OK|X_OK, "--chroot directory");
4142  errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
4143  R_OK|W_OK, "--writepid");
4144 
4145  /* ** Log related ** */
4146  errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
4147  R_OK|W_OK, "--status");
4148 
4149  /* ** Config related ** */
4150  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
4151  R_OK|X_OK, "--client-config-dir");
4152  errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
4153  R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
4154 
4155  if (errs)
4156  {
4157  msg(M_USAGE, "Please correct these errors.");
4158  }
4159 }
4160 #endif /* !ENABLE_SMALL */
4161 
4162 /*
4163  * Sanity check on options.
4164  * Also set some options based on other
4165  * options.
4166  */
4167 void
4168 options_postprocess(struct options *options, struct env_set *es)
4169 {
4170  options_postprocess_mutate(options, es);
4171  options_postprocess_verify(options);
4172 #ifndef ENABLE_SMALL
4173  options_postprocess_filechecks(options);
4174 #endif /* !ENABLE_SMALL */
4175 }
4176 
4177 /*
4178  * Sanity check on options after more options were pulled from server.
4179  * Also time to modify some options based on other options.
4180  */
4181 bool
4182 options_postprocess_pull(struct options *o, struct env_set *es)
4183 {
4184  bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4185  if (success)
4186  {
4187  dns_options_postprocess_pull(&o->dns_options);
4188  setenv_dns_options(&o->dns_options, es);
4189 #if defined(_WIN32) || defined(TARGET_ANDROID)
4190  tuntap_options_copy_dns(o);
4191 #else
4192  foreign_options_copy_dns(o, es);
4193 #endif
4194  }
4195  return success;
4196 }
4197 
4198 /*
4199  * Build an options string to represent data channel encryption options.
4200  * This string must match exactly between peers. The keysize is checked
4201  * separately by read_key().
4202  *
4203  * The following options must match on both peers:
4204  *
4205  * Tunnel options:
4206  *
4207  * --dev tun|tap [unit number need not match]
4208  * --dev-type tun|tap
4209  * --link-mtu
4210  * --udp-mtu
4211  * --tun-mtu
4212  * --proto udp
4213  * --proto tcp-client [matched with --proto tcp-server
4214  * on the other end of the connection]
4215  * --proto tcp-server [matched with --proto tcp-client on
4216  * the other end of the connection]
4217  * --tun-ipv6
4218  * --ifconfig x y [matched with --ifconfig y x on
4219  * the other end of the connection]
4220  *
4221  * --comp-lzo
4222  * --compress alg
4223  * --fragment
4224  *
4225  * Crypto Options:
4226  *
4227  * --cipher
4228  * --auth
4229  * --secret
4230  *
4231  * SSL Options:
4232  *
4233  * --tls-auth
4234  * --tls-client [matched with --tls-server on
4235  * the other end of the connection]
4236  * --tls-server [matched with --tls-client on
4237  * the other end of the connection]
4238  */
4239 char *
4240 options_string(const struct options *o,
4241  const struct frame *frame,
4242  struct tuntap *tt,
4243  openvpn_net_ctx_t *ctx,
4244  bool remote,
4245  struct gc_arena *gc)
4246 {
4247  struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4248  bool tt_local = false;
4249 
4250  buf_printf(&out, "V4");
4251 
4252  /*
4253  * Tunnel Options
4254  */
4255 
4256  buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4257  /* the link-mtu that we send has only a meaning if have a fixed
4258  * cipher (p2p) or have a fallback cipher configured for older non
4259  * ncp clients. But not sending it will make even 2.4 complain
4260  * about it being missing. So still send it. */
4261  buf_printf(&out, ",link-mtu %u",
4262  (unsigned int) calc_options_string_link_mtu(o, frame));
4263 
4264  if (o->ce.occ_mtu != 0)
4265  {
4266  buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4267  }
4268  else
4269  {
4270  buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4271  }
4272 
4273  buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4274 
4275  bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4276  /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4277  * is usually pushed by the server, triggering a non-helpful warning
4278  */
4279  if (o->ifconfig_ipv6_local && p2p_nopull)
4280  {
4281  buf_printf(&out, ",tun-ipv6");
4282  }
4283 
4284  /*
4285  * Try to get ifconfig parameters into the options string.
4286  * If tt is undefined, make a temporary instantiation.
4287  */
4288  if (!tt)
4289  {
4290  tt = init_tun(o->dev,
4291  o->dev_type,
4292  o->topology,
4293  o->ifconfig_local,
4294  o->ifconfig_remote_netmask,
4295  o->ifconfig_ipv6_local,
4296  o->ifconfig_ipv6_netbits,
4297  o->ifconfig_ipv6_remote,
4298  NULL,
4299  NULL,
4300  false,
4301  NULL,
4302  ctx,
4303  NULL);
4304  if (tt)
4305  {
4306  tt_local = true;
4307  }
4308  }
4309 
4310  if (tt && p2p_nopull)
4311  {
4312  const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4313  if (ios && strlen(ios))
4314  {
4315  buf_printf(&out, ",ifconfig %s", ios);
4316  }
4317  }
4318  if (tt_local)
4319  {
4320  free(tt);
4321  tt = NULL;
4322  }
4323 
4324 #ifdef USE_COMP
4325  if (o->comp.alg != COMP_ALG_UNDEF)
4326  {
4327  buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
4328  }
4329 #endif
4330 
4331 #ifdef ENABLE_FRAGMENT
4332  if (o->ce.fragment)
4333  {
4334  buf_printf(&out, ",mtu-dynamic");
4335  }
4336 #endif
4337 
4338 #define TLS_CLIENT (o->tls_client)
4339 #define TLS_SERVER (o->tls_server)
4340 
4341  /*
4342  * Key direction
4343  */
4344  {
4345  const char *kd = keydirection2ascii(o->key_direction, remote, false);
4346  if (kd)
4347  {
4348  buf_printf(&out, ",keydir %s", kd);
4349  }
4350  }
4351 
4352  /*
4353  * Crypto Options
4354  */
4355  if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4356  {
4357  struct key_type kt;
4358 
4359  ASSERT((o->shared_secret_file != NULL)
4360  + (TLS_CLIENT == true)
4361  + (TLS_SERVER == true)
4362  <= 1);
4363 
4364  /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4365  * to work here in the default configuration */
4366  const char *ciphername = o->ciphername;
4367  int keysize = 0;
4368 
4369  if (strcmp(o->ciphername, "BF-CBC") == 0)
4370  {
4371  init_key_type(&kt, "none", o->authname, true, false);
4372  keysize = 128;
4373  }
4374  else
4375  {
4376  init_key_type(&kt, o->ciphername, o->authname, true, false);
4377  ciphername = cipher_kt_name(kt.cipher);
4378  if (cipher_defined(o->ciphername))
4379  {
4380  keysize = cipher_kt_key_size(kt.cipher) * 8;
4381  }
4382  }
4383  /* Only announce the cipher to our peer if we are willing to
4384  * support it */
4385  if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4386  {
4387  buf_printf(&out, ",cipher %s", ciphername);
4388  }
4389  buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4390  buf_printf(&out, ",keysize %d", keysize);
4391  if (o->shared_secret_file)
4392  {
4393  buf_printf(&out, ",secret");
4394  }
4395 
4396 #ifdef ENABLE_PREDICTION_RESISTANCE
4397  if (o->use_prediction_resistance)
4398  {
4399  buf_printf(&out, ",use-prediction-resistance");
4400  }
4401 #endif
4402  }
4403 
4404  /*
4405  * SSL Options
4406  */
4407  {
4408  if (TLS_CLIENT || TLS_SERVER)
4409  {
4410  if (o->ce.tls_auth_file)
4411  {
4412  buf_printf(&out, ",tls-auth");
4413  }
4414  /* Not adding tls-crypt here, because we won't reach this code if
4415  * tls-auth/tls-crypt does not match. Removing tls-auth here would
4416  * break stuff, so leaving that in place. */
4417 
4418  buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4419  }
4420 
4421  if (remote)
4422  {
4423  if (TLS_CLIENT)
4424  {
4425  buf_printf(&out, ",tls-server");
4426  }
4427  else if (TLS_SERVER)
4428  {
4429  buf_printf(&out, ",tls-client");
4430  }
4431  }
4432  else
4433  {
4434  if (TLS_CLIENT)
4435  {
4436  buf_printf(&out, ",tls-client");
4437  }
4438  else if (TLS_SERVER)
4439  {
4440  buf_printf(&out, ",tls-server");
4441  }
4442  }
4443  }
4444 
4445 #undef TLS_CLIENT
4446 #undef TLS_SERVER
4447 
4448  return BSTR(&out);
4449 }
4450 
4451 /*
4452  * Compare option strings for equality.
4453  * If the first two chars of the strings differ, it means that
4454  * we are looking at different versions of the options string,
4455  * therefore don't compare them and return true.
4456  */
4457 
4458 bool
4459 options_cmp_equal(char *actual, const char *expected)
4460 {
4461  return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4462 }
4463 
4464 void
4465 options_warning(char *actual, const char *expected)
4466 {
4467  options_warning_safe(actual, expected, strlen(actual) + 1);
4468 }
4469 
4470 static const char *
4471 options_warning_extract_parm1(const char *option_string,
4472  struct gc_arena *gc_ret)
4473 {
4474  struct gc_arena gc = gc_new();
4475  struct buffer b = string_alloc_buf(option_string, &gc);
4476  char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4477  const char *ret;
4478 
4479  buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4480  ret = string_alloc(p, gc_ret);
4481  gc_free(&gc);
4482  return ret;
4483 }
4484 
4485 static void
4486 options_warning_safe_scan2(const int msglevel,
4487  const int delim,
4488  const bool report_inconsistent,
4489  const char *p1,
4490  const struct buffer *b2_src,
4491  const char *b1_name,
4492  const char *b2_name)
4493 {
4494  /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4495  * OCC in a future version (because it's not useful). To reduce questions
4496  * when interoperating, we no longer printing a warning about it.
4497  */
4498  if (strprefix(p1, "key-method ")
4499  || strprefix(p1, "keydir ")
4500  || strprefix(p1, "proto ")
4501  || streq(p1, "tls-auth")
4502  || strprefix(p1, "tun-ipv6")
4503  || strprefix(p1, "cipher "))
4504  {
4505  return;
4506  }
4507 
4508  if (strlen(p1) > 0)
4509  {
4510  struct gc_arena gc = gc_new();
4511  struct buffer b2 = *b2_src;
4512  const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4513  char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4514 
4515  while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4516  {
4517  if (strlen(p2))
4518  {
4519  const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4520 
4521  if (!strcmp(p1, p2))
4522  {
4523  goto done;
4524  }
4525  if (!strcmp(p1_prefix, p2_prefix))
4526  {
4527  if (report_inconsistent)
4528  {
4529  msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4530  safe_print(p1_prefix, &gc),
4531  b1_name,
4532  safe_print(p1, &gc),
4533  b2_name,
4534  safe_print(p2, &gc));
4535  }
4536  goto done;
4537  }
4538  }
4539  }
4540 
4541  msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4542  safe_print(p1_prefix, &gc),
4543  b1_name,
4544  b2_name,
4545  b1_name,
4546  safe_print(p1, &gc));
4547 
4548 done:
4549  gc_free(&gc);
4550  }
4551 }
4552 
4553 static void
4554 options_warning_safe_scan1(const int msglevel,
4555  const int delim,
4556  const bool report_inconsistent,
4557  const struct buffer *b1_src,
4558  const struct buffer *b2_src,
4559  const char *b1_name,
4560  const char *b2_name)
4561 {
4562  struct gc_arena gc = gc_new();
4563  struct buffer b = *b1_src;
4564  char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4565 
4566  while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4567  {
4568  options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4569  }
4570 
4571  gc_free(&gc);
4572 }
4573 
4574 static void
4575 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4576 {
4577  struct gc_arena gc = gc_new();
4578 
4579  if (actual_n > 0)
4580  {
4581  struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4582  struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4583  actual[actual_n - 1] = 0;
4584 
4585  buf_printf(&local, "version %s", expected);
4586  buf_printf(&remote, "version %s", actual);
4587 
4588  options_warning_safe_scan1(msglevel, ',', true,
4589  &local, &remote,
4590  "local", "remote");
4591 
4592  options_warning_safe_scan1(msglevel, ',', false,
4593  &remote, &local,
4594  "remote", "local");
4595  }
4596 
4597  gc_free(&gc);
4598 }
4599 
4600 bool
4601 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4602 {
4603  struct gc_arena gc = gc_new();
4604  bool ret = true;
4605 
4606  if (actual_n > 0)
4607  {
4608  actual[actual_n - 1] = 0;
4609  if (strncmp(actual, expected, 2))
4610  {
4611  msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4612  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4613  }
4614  else
4615  {
4616  ret = !strcmp(actual, expected);
4617  }
4618  }
4619  gc_free(&gc);
4620  return ret;
4621 }
4622 
4623 void
4624 options_warning_safe(char *actual, const char *expected, size_t actual_n)
4625 {
4626  options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4627 }
4628 
4629 const char *
4630 options_string_version(const char *s, struct gc_arena *gc)
4631 {
4632  struct buffer out = alloc_buf_gc(4, gc);
4633  strncpynt((char *) BPTR(&out), s, 3);
4634  return BSTR(&out);
4635 }
4636 
4637 char *
4638 options_string_extract_option(const char *options_string, const char *opt_name,
4639  struct gc_arena *gc)
4640 {
4641  char *ret = NULL;
4642  const size_t opt_name_len = strlen(opt_name);
4643 
4644  const char *p = options_string;
4645  while (p)
4646  {
4647  if (0 == strncmp(p, opt_name, opt_name_len)
4648  && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4649  {
4650  /* option found, extract value */
4651  const char *start = &p[opt_name_len+1];
4652  const char *end = strchr(p, ',');
4653  size_t val_len = end ? end - start : strlen(start);
4654  ret = gc_malloc(val_len+1, true, gc);
4655  memcpy(ret, start, val_len);
4656  break;
4657  }
4658  p = strchr(p, ',');
4659  if (p)
4660  {
4661  p++; /* skip delimiter */
4662  }
4663  }
4664  return ret;
4665 }
4666 
4667 #ifdef _WIN32
4668 
4675 static enum tun_driver_type
4676 parse_windows_driver(const char *str, const int msglevel)
4677 {
4678  if (streq(str, "tap-windows6"))
4679  {
4680  return WINDOWS_DRIVER_TAP_WINDOWS6;
4681  }
4682  else if (streq(str, "wintun"))
4683  {
4684  return WINDOWS_DRIVER_WINTUN;
4685  }
4686 
4687  else if (streq(str, "ovpn-dco"))
4688  {
4689  return DRIVER_DCO;
4690  }
4691  else
4692  {
4693  msg(msglevel, "--windows-driver must be tap-windows6, wintun "
4694  "or ovpn-dco");
4695  return WINDOWS_DRIVER_UNSPECIFIED;
4696  }
4697 }
4698 #endif /* ifdef _WIN32 */
4699 
4700 /*
4701  * parse/print topology coding
4702  */
4703 
4704 int
4705 parse_topology(const char *str, const int msglevel)
4706 {
4707  if (streq(str, "net30"))
4708  {
4709  return TOP_NET30;
4710  }
4711  else if (streq(str, "p2p"))
4712  {
4713  return TOP_P2P;
4714  }
4715  else if (streq(str, "subnet"))
4716  {
4717  return TOP_SUBNET;
4718  }
4719  else
4720  {
4721  msg(msglevel, "--topology must be net30, p2p, or subnet");
4722  return TOP_UNDEF;
4723  }
4724 }
4725 
4726 const char *
4727 print_topology(const int topology)
4728 {
4729  switch (topology)
4730  {
4731  case TOP_UNDEF:
4732  return "undef";
4733 
4734  case TOP_NET30:
4735  return "net30";
4736 
4737  case TOP_P2P:
4738  return "p2p";
4739 
4740  case TOP_SUBNET:
4741  return "subnet";
4742 
4743  default:
4744  return "unknown";
4745  }
4746 }
4747 
4748 /*
4749  * Manage auth-retry variable
4750  */
4751 
4752 static int global_auth_retry; /* GLOBAL */
4753 
4754 int
4755 auth_retry_get(void)
4756 {
4757  return global_auth_retry;
4758 }
4759 
4760 bool
4761 auth_retry_set(const int msglevel, const char *option)
4762 {
4763  if (streq(option, "interact"))
4764  {
4765  global_auth_retry = AR_INTERACT;
4766  }
4767  else if (streq(option, "nointeract"))
4768  {
4769  global_auth_retry = AR_NOINTERACT;
4770  }
4771  else if (streq(option, "none"))
4772  {
4773  global_auth_retry = AR_NONE;
4774  }
4775  else
4776  {
4777  msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4778  return false;
4779  }
4780  return true;
4781 }
4782 
4783 const char *
4784 auth_retry_print(void)
4785 {
4786  switch (global_auth_retry)
4787  {
4788  case AR_NONE:
4789  return "none";
4790 
4791  case AR_NOINTERACT:
4792  return "nointeract";
4793 
4794  case AR_INTERACT:
4795  return "interact";
4796 
4797  default:
4798  return "???";
4799  }
4800 }
4801 
4802 /*
4803  * Print the help message.
4804  */
4805 static void
4806 usage(void)
4807 {
4808  FILE *fp = msg_fp(0);
4809 
4810 #ifdef ENABLE_SMALL
4811 
4812  fprintf(fp, "Usage message not available\n");
4813 
4814 #else
4815 
4816  struct options o;
4817  init_options(&o, true);
4818 
4819  fprintf(fp, usage_message,
4820  title_string,
4821  o.ce.connect_retry_seconds,
4822  o.ce.connect_retry_seconds_max,
4823  o.ce.local_port, o.ce.remote_port,
4824  TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
4825  o.verbosity,
4826  o.authname,
4827  o.replay_window, o.replay_time,
4828  o.tls_timeout, o.renegotiate_seconds,
4829  o.handshake_window, o.transition_window);
4830  fflush(fp);
4831 
4832 #endif /* ENABLE_SMALL */
4833 
4834  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4835 }
4836 
4837 void
4838 usage_small(void)
4839 {
4840  msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4841  openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4842 }
4843 
4844 #ifdef _WIN32
4845 void
4846 show_windows_version(const unsigned int flags)
4847 {
4848  struct gc_arena gc = gc_new();
4849  msg(flags, "Windows version %s", win32_version_string(&gc, true));
4850  gc_free(&gc);
4851 }
4852 #endif
4853 
4854 void
4855 show_dco_version(const unsigned int flags)
4856 {
4857 #ifdef ENABLE_DCO
4858  struct gc_arena gc = gc_new();
4859  msg(flags, "DCO version: %s", dco_version_string(&gc));
4860  gc_free(&gc);
4861 #endif
4862 }
4863 
4864 void
4865 show_library_versions(const unsigned int flags)
4866 {
4867 #ifdef ENABLE_LZO
4868 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4869 #else
4870 #define LZO_LIB_VER_STR "", ""
4871 #endif
4872 
4873  msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4874  LZO_LIB_VER_STR);
4875 
4876 #undef LZO_LIB_VER_STR
4877 }
4878 
4879 static void
4880 usage_version(void)
4881 {
4882  msg(M_INFO|M_NOPREFIX, "%s", title_string);
4883  show_library_versions( M_INFO|M_NOPREFIX );
4884 #ifdef _WIN32
4885  show_windows_version( M_INFO|M_NOPREFIX );
4886 #endif
4887  show_dco_version(M_INFO | M_NOPREFIX);
4888  msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4889  msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>");
4890 #ifndef ENABLE_SMALL
4891 #ifdef CONFIGURE_DEFINES
4892  msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4893 #endif
4894 #ifdef CONFIGURE_SPECIAL_BUILD
4895  msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4896 #endif
4897 #endif
4898  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4899 }
4900 
4901 void
4902 notnull(const char *arg, const char *description)
4903 {
4904  if (!arg)
4905  {
4906  msg(M_USAGE, "You must define %s", description);
4907  }
4908 }
4909 
4910 bool
4911 string_defined_equal(const char *s1, const char *s2)
4912 {
4913  if (s1 && s2)
4914  {
4915  return !strcmp(s1, s2);
4916  }
4917  else
4918  {
4919  return false;
4920  }
4921 }
4922 
4923 #if 0
4924 static void
4925 ping_rec_err(int msglevel)
4926 {
4927  msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4928 }
4929 #endif
4930 
4931 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4932 static unsigned int
4933 atou(const char *str)
4934 {
4935  unsigned int val = 0;
4936  sscanf(str, "%u", &val);
4937  return val;
4938 }
4939 #endif
4940 
4941 static inline bool
4942 space(unsigned char c)
4943 {
4944  return c == '\0' || isspace(c);
4945 }
4946 
4947 int
4948 parse_line(const char *line,
4949  char *p[],
4950  const int n,
4951  const char *file,
4952  const int line_num,
4953  int msglevel,
4954  struct gc_arena *gc)
4955 {
4956  const int STATE_INITIAL = 0;
4957  const int STATE_READING_QUOTED_PARM = 1;
4958  const int STATE_READING_UNQUOTED_PARM = 2;
4959  const int STATE_DONE = 3;
4960  const int STATE_READING_SQUOTED_PARM = 4;
4961 
4962  const char *error_prefix = "";
4963 
4964  int ret = 0;
4965  const char *c = line;
4966  int state = STATE_INITIAL;
4967  bool backslash = false;
4968  char in, out;
4969 
4970  char parm[OPTION_PARM_SIZE];
4971  unsigned int parm_len = 0;
4972 
4973  msglevel &= ~M_OPTERR;
4974 
4975  if (msglevel & M_MSG_VIRT_OUT)
4976  {
4977  error_prefix = "ERROR: ";
4978  }
4979 
4980  do
4981  {
4982  in = *c;
4983  out = 0;
4984 
4985  if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4986  {
4987  backslash = true;
4988  }
4989  else
4990  {
4991  if (state == STATE_INITIAL)
4992  {
4993  if (!space(in))
4994  {
4995  if (in == ';' || in == '#') /* comment */
4996  {
4997  break;
4998  }
4999  if (!backslash && in == '\"')
5000  {
5001  state = STATE_READING_QUOTED_PARM;
5002  }
5003  else if (!backslash && in == '\'')
5004  {
5005  state = STATE_READING_SQUOTED_PARM;
5006  }
5007  else
5008  {
5009  out = in;
5010  state = STATE_READING_UNQUOTED_PARM;
5011  }
5012  }
5013  }
5014  else if (state == STATE_READING_UNQUOTED_PARM)
5015  {
5016  if (!backslash && space(in))
5017  {
5018  state = STATE_DONE;
5019  }
5020  else
5021  {
5022  out = in;
5023  }
5024  }
5025  else if (state == STATE_READING_QUOTED_PARM)
5026  {
5027  if (!backslash && in == '\"')
5028  {
5029  state = STATE_DONE;
5030  }
5031  else
5032  {
5033  out = in;
5034  }
5035  }
5036  else if (state == STATE_READING_SQUOTED_PARM)
5037  {
5038  if (in == '\'')
5039  {
5040  state = STATE_DONE;
5041  }
5042  else
5043  {
5044  out = in;
5045  }
5046  }
5047  if (state == STATE_DONE)
5048  {
5049  /* ASSERT (parm_len > 0); */
5050  p[ret] = gc_malloc(parm_len + 1, true, gc);
5051  memcpy(p[ret], parm, parm_len);
5052  p[ret][parm_len] = '\0';
5053  state = STATE_INITIAL;
5054  parm_len = 0;
5055  ++ret;
5056  }
5057 
5058  if (backslash && out)
5059  {
5060  if (!(out == '\\' || out == '\"' || space(out)))
5061  {
5062 #ifdef ENABLE_SMALL
5063  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
5064 #else
5065  msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
5066 #endif
5067  return 0;
5068  }
5069  }
5070  backslash = false;
5071  }
5072 
5073  /* store parameter character */
5074  if (out)
5075  {
5076  if (parm_len >= SIZE(parm))
5077  {
5078  parm[SIZE(parm) - 1] = 0;
5079  msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5080  error_prefix, file, line_num, (int) SIZE(parm), parm);
5081  return 0;
5082  }
5083  parm[parm_len++] = out;
5084  }
5085 
5086  /* avoid overflow if too many parms in one config file line */
5087  if (ret >= n)
5088  {
5089  break;
5090  }
5091 
5092  } while (*c++ != '\0');
5093 
5094  if (state == STATE_READING_QUOTED_PARM)
5095  {
5096  msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
5097  return 0;
5098  }
5099  if (state == STATE_READING_SQUOTED_PARM)
5100  {
5101  msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
5102  return 0;
5103  }
5104  if (state != STATE_INITIAL)
5105  {
5106  msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
5107  return 0;
5108  }
5109 #if 0
5110  {
5111  int i;
5112  for (i = 0; i < ret; ++i)
5113  {
5114  msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
5115  }
5116  }
5117 #endif
5118  return ret;
5119 }
5120 
5121 static void
5122 bypass_doubledash(char **p)
5123 {
5124  if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
5125  {
5126  *p += 2;
5127  }
5128 }
5129 
5130 struct in_src {
5131 #define IS_TYPE_FP 1
5132 #define IS_TYPE_BUF 2
5133  int type;
5134  union {
5135  FILE *fp;
5136  struct buffer *multiline;
5137  } u;
5138 };
5139 
5140 static bool
5141 in_src_get(const struct in_src *is, char *line, const int size)
5142 {
5143  if (is->type == IS_TYPE_FP)
5144  {
5145  return BOOL_CAST(fgets(line, size, is->u.fp));
5146  }
5147  else if (is->type == IS_TYPE_BUF)
5148  {
5149  bool status = buf_parse(is->u.multiline, '\n', line, size);
5150  if ((int) strlen(line) + 1 < size)
5151  {
5152  strcat(line, "\n");
5153  }
5154  return status;
5155  }
5156  else
5157  {
5158  ASSERT(0);
5159  return false;
5160  }
5161 }
5162 
5163 static char *
5164 read_inline_file(struct in_src *is, const char *close_tag,
5165  int *num_lines, struct gc_arena *gc)
5166 {
5167  char line[OPTION_LINE_SIZE];
5168  struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
5169  char *ret;
5170  bool endtagfound = false;
5171 
5172  while (in_src_get(is, line, sizeof(line)))
5173  {
5174  (*num_lines)++;
5175  char *line_ptr = line;
5176  /* Remove leading spaces */
5177  while (isspace(*line_ptr))
5178  {
5179  line_ptr++;
5180  }
5181  if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
5182  {
5183  endtagfound = true;
5184  break;
5185  }
5186  if (!buf_safe(&buf, strlen(line)+1))
5187  {
5188  /* Increase buffer size */
5189  struct buffer buf2 = alloc_buf(buf.capacity * 2);
5190  ASSERT(buf_copy(&buf2, &buf));
5191  buf_clear(&buf);
5192  free_buf(&buf);
5193  buf = buf2;
5194  }
5195  buf_printf(&buf, "%s", line);
5196  }
5197  if (!endtagfound)
5198  {
5199  msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
5200  }
5201  ret = string_alloc(BSTR(&buf), gc);
5202  buf_clear(&buf);
5203  free_buf(&buf);
5204  secure_memzero(line, sizeof(line));
5205  return ret;
5206 }
5207 
5208 static int
5209 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
5210 {
5211  int num_inline_lines = 0;
5212 
5213  if (p[0] && !p[1])
5214  {
5215  char *arg = p[0];
5216  if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
5217  {
5218  struct buffer close_tag;
5219 
5220  arg[strlen(arg) - 1] = '\0';
5221  p[0] = string_alloc(arg + 1, gc);
5222  close_tag = alloc_buf(strlen(p[0]) + 4);
5223  buf_printf(&close_tag, "</%s>", p[0]);
5224  p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
5225  p[2] = NULL;
5226  free_buf(&close_tag);
5227  }
5228  }
5229  return num_inline_lines;
5230 }
5231 
5232 static int
5233 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
5234 {
5235  struct in_src is;
5236  is.type = IS_TYPE_FP;
5237  is.u.fp = fp;
5238  return check_inline_file(&is, p, gc);
5239 }
5240 
5241 static int
5242 check_inline_file_via_buf(struct buffer *multiline, char *p[],
5243  struct gc_arena *gc)
5244 {
5245  struct in_src is;
5246  is.type = IS_TYPE_BUF;
5247  is.u.multiline = multiline;
5248  return check_inline_file(&is, p, gc);
5249 }
5250 
5251 static void
5252 add_option(struct options *options,
5253  char *p[],
5254  bool is_inline,
5255  const char *file,
5256  int line,
5257  const int level,
5258  const int msglevel,
5259  const unsigned int permission_mask,
5260  unsigned int *option_types_found,
5261  struct env_set *es);
5262 
5263 static void
5264 read_config_file(struct options *options,
5265  const char *file,
5266  int level,
5267  const char *top_file,
5268  const int top_line,
5269  const int msglevel,
5270  const unsigned int permission_mask,
5271  unsigned int *option_types_found,
5272  struct env_set *es)
5273 {
5274  const int max_recursive_levels = 10;
5275  FILE *fp;
5276  int line_num;
5277  char line[OPTION_LINE_SIZE+1];
5278  char *p[MAX_PARMS+1];
5279 
5280  ++level;
5281  if (level <= max_recursive_levels)
5282  {
5283  if (streq(file, "stdin"))
5284  {
5285  fp = stdin;
5286  }
5287  else
5288  {
5289  fp = platform_fopen(file, "r");
5290  }
5291  if (fp)
5292  {
5293  line_num = 0;
5294  while (fgets(line, sizeof(line), fp))
5295  {
5296  int offset = 0;
5297  CLEAR(p);
5298  ++line_num;
5299  if (strlen(line) == OPTION_LINE_SIZE)
5300  {
5301  msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5302  file, line_num, OPTION_LINE_SIZE, line);
5303  }
5304 
5305  /* Ignore UTF-8 BOM at start of stream */
5306  if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
5307  {
5308  offset = 3;
5309  }
5310  if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5311  {
5312  bypass_doubledash(&p[0]);
5313  int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
5314  add_option(options, p, lines_inline, file, line_num, level,
5315  msglevel, permission_mask, option_types_found,
5316  es);
5317  line_num += lines_inline;
5318  }
5319  }
5320  if (fp != stdin)
5321  {
5322  fclose(fp);
5323  }
5324  }
5325  else
5326  {
5327  msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
5328  }
5329  }
5330  else
5331  {
5332  msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
5333  }
5334  secure_memzero(line, sizeof(line));
5335  CLEAR(p);
5336 }
5337 
5338 static void
5339 read_config_string(const char *prefix,
5340  struct options *options,
5341  const char *config,
5342  const int msglevel,
5343  const unsigned int permission_mask,
5344  unsigned int *option_types_found,
5345  struct env_set *es)
5346 {
5347  char line[OPTION_LINE_SIZE];
5348  struct buffer multiline;
5349  int line_num = 0;
5350 
5351  buf_set_read(&multiline, (uint8_t *)config, strlen(config));
5352 
5353  while (buf_parse(&multiline, '\n', line, sizeof(line)))
5354  {
5355  char *p[MAX_PARMS+1];
5356  CLEAR(p);
5357  ++line_num;
5358  if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
5359  {
5360  bypass_doubledash(&p[0]);
5361  int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
5362  add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
5363  permission_mask, option_types_found, es);
5364  line_num += lines_inline;
5365  }
5366  CLEAR(p);
5367  }
5368  secure_memzero(line, sizeof(line));
5369 }
5370 
5371 void
5372 parse_argv(struct options *options,
5373  const int argc,
5374  char *argv[],
5375  const int msglevel,
5376  const unsigned int permission_mask,
5377  unsigned int *option_types_found,
5378  struct env_set *es)
5379 {
5380  /* usage message */
5381  if (argc <= 1)
5382  {
5383  usage();
5384  }
5385 
5386  /* config filename specified only? */
5387  if (argc == 2 && strncmp(argv[1], "--", 2))
5388  {
5389  char *p[MAX_PARMS+1];
5390  CLEAR(p);
5391  p[0] = "config";
5392  p[1] = argv[1];
5393  add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5394  option_types_found, es);
5395  }
5396  else
5397  {
5398  /* parse command line */
5399  for (int i = 1; i < argc; ++i)
5400  {
5401  char *p[MAX_PARMS+1];
5402  CLEAR(p);
5403  p[0] = argv[i];
5404  if (strncmp(p[0], "--", 2))
5405  {
5406  msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
5407  }
5408  else
5409  {
5410  p[0] += 2;
5411  }
5412 
5413  int j;
5414  for (j = 1; j < MAX_PARMS; ++j)
5415  {
5416  if (i + j < argc)
5417  {
5418  char *arg = argv[i + j];
5419  if (strncmp(arg, "--", 2))
5420  {
5421  p[j] = arg;
5422  }
5423  else
5424  {
5425  break;
5426  }
5427  }
5428  }
5429  add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
5430  option_types_found, es);
5431  i += j - 1;
5432  }
5433  }
5434 }
5435 
5444 static bool
5445 apply_pull_filter(const struct options *o, char *line)
5446 {
5447  struct pull_filter *f;
5448 
5449  if (!o->pull_filter_list)
5450  {
5451  return true;
5452  }
5453 
5454  /* skip leading spaces matching the behaviour of parse_line */
5455  while (isspace(*line))
5456  {
5457  line++;
5458  }
5459 
5460  for (f = o->pull_filter_list->head; f; f = f->next)
5461  {
5462  if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5463  {
5464  msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5465  return true;
5466  }
5467  else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5468  {
5469  msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5470  *line = '\0';
5471  return true;
5472  }
5473  else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5474  {
5475  msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5476  *line = '\0';
5477  throw_signal_soft(SIGUSR1, "Offending option received from server");
5478  return false;
5479  }
5480  }
5481  return true;
5482 }
5483 
5484 bool
5485 apply_push_options(struct options *options,
5486  struct buffer *buf,
5487  unsigned int permission_mask,
5488  unsigned int *option_types_found,
5489  struct env_set *es)
5490 {
5491  char line[OPTION_PARM_SIZE];
5492  int line_num = 0;
5493  const char *file = "[PUSH-OPTIONS]";
5494  const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5495 
5496  while (buf_parse(buf, ',', line, sizeof(line)))
5497  {
5498  char *p[MAX_PARMS+1];
5499  CLEAR(p);
5500  ++line_num;
5501  if (!apply_pull_filter(options, line))
5502  {
5503  return false; /* Cause push/pull error and stop push processing */
5504  }
5505  if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5506  {
5507  add_option(options, p, false, file, line_num, 0, msglevel,
5508  permission_mask, option_types_found, es);
5509  }
5510  }
5511  return true;
5512 }
5513 
5514 void
5515 options_server_import(struct options *o,
5516  const char *filename,
5517  int msglevel,
5518  unsigned int permission_mask,
5519  unsigned int *option_types_found,
5520  struct env_set *es)
5521 {
5522  msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5523  read_config_file(o,
5524  filename,
5525  0,
5526  filename,
5527  0,
5528  msglevel,
5529  permission_mask,
5530  option_types_found,
5531  es);
5532 }
5533 
5534 void
5535 options_string_import(struct options *options,
5536  const char *config,
5537  const int msglevel,
5538  const unsigned int permission_mask,
5539  unsigned int *option_types_found,
5540  struct env_set *es)
5541 {
5542  read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5543 }
5544 
5545 #define VERIFY_PERMISSION(mask) { \
5546  if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5547  option_types_found, msglevel, options, is_inline)) \
5548  { \
5549  goto err; \
5550  } \
5551 }
5552 
5553 static bool
5554 verify_permission(const char *name,
5555  const char *file,
5556  int line,
5557  const unsigned int type,
5558  const unsigned int allowed,
5559  unsigned int *found,
5560  const int msglevel,
5561  struct options *options,
5562  bool is_inline)
5563 {
5564  if (!(type & allowed))
5565  {
5566  msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5567  return false;
5568  }
5569 
5570  if (is_inline && !(type & OPT_P_INLINE))
5571  {
5572  msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5573  file, line);
5574  return false;
5575  }
5576 
5577  if (found)
5578  {
5579  *found |= type;
5580  }
5581 
5582 #ifndef ENABLE_SMALL
5583  /* Check if this options is allowed in connection block,
5584  * but we are currently not in a connection block
5585  * unless this is a pushed option.
5586  * Parsing a connection block uses a temporary options struct without
5587  * connection_list
5588  */
5589 
5590  if ((type & OPT_P_CONNECTION) && options->connection_list
5591  && !(allowed & OPT_P_PULL_MODE))
5592  {
5593  if (file)
5594  {
5595  msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5596  }
5597  else
5598  {
5599  msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5600  }
5601  }
5602 #endif
5603  return true;
5604 }
5605 
5606 /*
5607  * Check that an option doesn't have too
5608  * many parameters.
5609  */
5610 
5611 #define NM_QUOTE_HINT (1<<0)
5612 
5613 static bool
5614 no_more_than_n_args(const int msglevel,
5615  char *p[],
5616  const int max,
5617  const unsigned int flags)
5618 {
5619  const int len = string_array_len((const char **)p);
5620 
5621  if (!len)
5622  {
5623  return false;
5624  }
5625 
5626  if (len > max)
5627  {
5628  msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5629  p[0],
5630  max - 1,
5631  max >= 3 ? "s" : "",
5632  (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5633  return false;
5634  }
5635  else
5636  {
5637  return true;
5638  }
5639 }
5640 
5641 static inline int
5642 msglevel_forward_compatible(struct options *options, const int msglevel)
5643 {
5644  return options->forward_compatible ? M_WARN : msglevel;
5645 }
5646 
5647 static void
5648 set_user_script(struct options *options,
5649  const char **script,
5650  const char *new_script,
5651  const char *type,
5652  bool in_chroot)
5653 {
5654  if (*script)
5655  {
5656  msg(M_WARN, "Multiple --%s scripts defined. "
5657  "The previously configured script is overridden.", type);
5658  }
5659  *script = new_script;
5660  options->user_script_used = true;
5661 
5662 #ifndef ENABLE_SMALL
5663  {
5664  char script_name[100];
5665  snprintf(script_name, sizeof(script_name),
5666  "--%s script", type);
5667 
5668  if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5669  {
5670  msg(M_USAGE, "Please correct this error.");
5671  }
5672 
5673  }
5674 #endif
5675 }
5676 
5677 static void
5678 show_compression_warning(struct compress_options *info)
5679 {
5680  if (comp_non_stub_enabled(info))
5681  {
5682  msg(M_WARN, "WARNING: Compression for receiving enabled. "
5683  "Compression has been used in the past to break encryption. "
5684  "Compression support is deprecated and we recommend to disable "
5685  "it completely.");
5686  }
5687 }
5688 
5689 bool
5690 key_is_external(const struct options *options)
5691 {
5692  bool ret = false;
5693  ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5694 #ifdef ENABLE_PKCS11
5695  ret = ret || (options->pkcs11_providers[0] != NULL);
5696 #endif
5697 #ifdef ENABLE_CRYPTOAPI
5698  ret = ret || options->cryptoapi_cert;
5699 #endif
5700 
5701  return ret;
5702 }
5703 
5704 static void
5705 add_option(struct options *options,
5706  char *p[],
5707  bool is_inline,
5708  const char *file,
5709  int line,
5710  const int level,
5711  const int msglevel,
5712  const unsigned int permission_mask,
5713  unsigned int *option_types_found,
5714  struct env_set *es)
5715 {
5716  struct gc_arena gc = gc_new();
5717  const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5718  int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5719 
5720  ASSERT(MAX_PARMS >= 7);
5721 
5722  /*
5723  * If directive begins with "setenv opt" prefix, don't raise an error if
5724  * directive is unrecognized.
5725  */
5726  if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5727  {
5728  if (!p[2])
5729  {
5730  p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5731  }
5732  p += 2;
5733  msglevel_fc = M_WARN;
5734  }
5735 
5736  if (!file)
5737  {
5738  file = "[CMD-LINE]";
5739  line = 1;
5740  }
5741  if (streq(p[0], "help"))
5742  {
5743  VERIFY_PERMISSION(OPT_P_GENERAL);
5744  usage();
5745  if (p[1])
5746  {
5747  msg(msglevel, "--help does not accept any parameters");
5748  goto err;
5749  }
5750  }
5751  if (streq(p[0], "version") && !p[1])
5752  {
5753  VERIFY_PERMISSION(OPT_P_GENERAL);
5754  usage_version();
5755  }
5756  else if (streq(p[0], "config") && p[1] && !p[2])
5757  {
5758  VERIFY_PERMISSION(OPT_P_CONFIG);
5759 
5760  /* save first config file only in options */
5761  if (!options->config)
5762  {
5763  options->config = p[1];
5764  }
5765 
5766  read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5767  }
5768 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5769  else if (streq(p[0], "show-gateway") && !p[2])
5770  {
5771  struct route_gateway_info rgi;
5772  struct route_ipv6_gateway_info rgi6;
5773  in_addr_t remote_ipv4 = 0;
5774  struct in6_addr remote_ipv6 = IN6ADDR_ANY_INIT;
5775  openvpn_net_ctx_t net_ctx;
5776  VERIFY_PERMISSION(OPT_P_GENERAL);
5777  if (p[1])
5778  {
5779  /* try parsing the argument as a v4 or v6 address - if
5780  * possible, the output will show the exact route there, and
5781  * "the default route" for the other protocol
5782  */
5783  remote_ipv4 = get_ip_addr(p[1], M_WARN, NULL);
5784  get_ipv6_addr(p[1], &remote_ipv6, NULL, M_WARN);
5785  }
5786  net_ctx_init(NULL, &net_ctx);
5787  get_default_gateway(&rgi, remote_ipv4, &net_ctx);
5788  get_default_gateway_ipv6(&rgi6, &remote_ipv6, &net_ctx);
5789  print_default_gateway(M_INFO, &rgi, &rgi6);
5790  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5791  }
5792 #endif /* if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) */
5793  else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5794  {
5795  struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5796  int j;
5797  bool good = true;
5798 
5799  VERIFY_PERMISSION(OPT_P_ECHO);
5800 
5801  for (j = 1; j < MAX_PARMS; ++j)
5802  {
5803  if (!p[j])
5804  {
5805  break;
5806  }
5807  if (j > 1)
5808  {
5809  good &= buf_printf(&string, " ");
5810  }
5811  good &= buf_printf(&string, "%s", p[j]);
5812  }
5813  if (good)
5814  {
5815  /* only message-related ECHO are logged, since other ECHOs
5816  * can potentially include security-sensitive strings */
5817  if (p[1] && strncmp(p[1], "msg", 3) == 0)
5818  {
5819  msg(M_INFO, "%s:%s",
5820  pull_mode ? "ECHO-PULL" : "ECHO",
5821  BSTR(&string));
5822  }
5823 #ifdef ENABLE_MANAGEMENT
5824  if (management)
5825  {
5826  management_echo(management, BSTR(&string), pull_mode);
5827  }
5828 #endif
5829  }
5830  else
5831  {
5832  msg(M_WARN, "echo/parameter option overflow");
5833  }
5834  }
5835 #ifdef ENABLE_MANAGEMENT
5836  else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5837  {
5838  VERIFY_PERMISSION(OPT_P_GENERAL);
5839  if (streq(p[2], "unix"))
5840  {
5841 #if UNIX_SOCK_SUPPORT
5842  options->management_flags |= MF_UNIX_SOCK;
5843 #else
5844  msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5845  goto err;
5846 #endif
5847  }
5848 
5849  options->management_addr = p[1];
5850  options->management_port = p[2];
5851  if (p[3])
5852  {
5853  options->management_user_pass = p[3];
5854  }
5855  }
5856  else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5857  {
5858  VERIFY_PERMISSION(OPT_P_GENERAL);
5859  options->management_client_user = p[1];
5860  }
5861  else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5862  {
5863  VERIFY_PERMISSION(OPT_P_GENERAL);
5864  options->management_client_group = p[1];
5865  }
5866  else if (streq(p[0], "management-query-passwords") && !p[1])
5867  {
5868  VERIFY_PERMISSION(OPT_P_GENERAL);
5869  options->management_flags |= MF_QUERY_PASSWORDS;
5870  }
5871  else if (streq(p[0], "management-query-remote") && !p[1])
5872  {
5873  VERIFY_PERMISSION(OPT_P_GENERAL);
5874  options->management_flags |= MF_QUERY_REMOTE;
5875  }
5876  else if (streq(p[0], "management-query-proxy") && !p[1])
5877  {
5878  VERIFY_PERMISSION(OPT_P_GENERAL);
5879  options->management_flags |= MF_QUERY_PROXY;
5880  }
5881  else if (streq(p[0], "management-hold") && !p[1])
5882  {
5883  VERIFY_PERMISSION(OPT_P_GENERAL);
5884  options->management_flags |= MF_HOLD;
5885  }
5886  else if (streq(p[0], "management-signal") && !p[1])
5887  {
5888  VERIFY_PERMISSION(OPT_P_GENERAL);
5889  options->management_flags |= MF_SIGNAL;
5890  }
5891  else if (streq(p[0], "management-forget-disconnect") && !p[1])
5892  {
5893  VERIFY_PERMISSION(OPT_P_GENERAL);
5894  options->management_flags |= MF_FORGET_DISCONNECT;
5895  }
5896  else if (streq(p[0], "management-up-down") && !p[1])
5897  {
5898  VERIFY_PERMISSION(OPT_P_GENERAL);
5899  options->management_flags |= MF_UP_DOWN;
5900  }
5901  else if (streq(p[0], "management-client") && !p[1])
5902  {
5903  VERIFY_PERMISSION(OPT_P_GENERAL);
5904  options->management_flags |= MF_CONNECT_AS_CLIENT;
5905  }
5906  else if (streq(p[0], "management-external-key"))
5907  {
5908  VERIFY_PERMISSION(OPT_P_GENERAL);
5909  for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5910  {
5911  if (streq(p[j], "nopadding"))
5912  {
5913  options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
5914  }
5915  else if (streq(p[j], "pkcs1"))
5916  {
5917  options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5918  }
5919  else if (streq(p[j], "pss"))
5920  {
5921  options->management_flags |= MF_EXTERNAL_KEY_PSSPAD;
5922  }
5923  else if (streq(p[j], "digest"))
5924  {
5925  options->management_flags |= MF_EXTERNAL_KEY_DIGEST;
5926  }
5927  else
5928  {
5929  msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5930  }
5931  }
5932  /*
5933  * When no option is present, assume that only PKCS1
5934  * padding is supported
5935  */
5936  if (!(options->management_flags
5937  &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
5938  {
5939  options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5940  }
5941  options->management_flags |= MF_EXTERNAL_KEY;
5942  }
5943  else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5944  {
5945  VERIFY_PERMISSION(OPT_P_GENERAL);
5946  options->management_flags |= MF_EXTERNAL_CERT;
5947  options->management_certificate = p[1];
5948  }
5949  else if (streq(p[0], "management-client-auth") && !p[1])
5950  {
5951  VERIFY_PERMISSION(OPT_P_GENERAL);
5952  options->management_flags |= MF_CLIENT_AUTH;
5953  }
5954  else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5955  {
5956  int cache;
5957 
5958  VERIFY_PERMISSION(OPT_P_GENERAL);
5959  cache = atoi_warn(p[1], msglevel);
5960  if (cache < 1)
5961  {
5962  msg(msglevel, "--management-log-cache parameter is out of range");
5963  goto err;
5964  }
5965  options->management_log_history_cache = cache;
5966  }
5967 #endif /* ifdef ENABLE_MANAGEMENT */
5968 #ifdef ENABLE_PLUGIN
5969  else if (streq(p[0], "plugin") && p[1])
5970  {
5971  VERIFY_PERMISSION(OPT_P_PLUGIN);
5972  if (!options->plugin_list)
5973  {
5974  options->plugin_list = plugin_option_list_new(&options->gc);
5975  }
5976  if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5977  {
5978  msg(msglevel, "plugin add failed: %s", p[1]);
5979  goto err;
5980  }
5981  }
5982 #endif
5983  else if (streq(p[0], "mode") && p[1] && !p[2])
5984  {
5985  VERIFY_PERMISSION(OPT_P_GENERAL);
5986  if (streq(p[1], "p2p"))
5987  {
5988  options->mode = MODE_POINT_TO_POINT;
5989  }
5990  else if (streq(p[1], "server"))
5991  {
5992  options->mode = MODE_SERVER;
5993  }
5994  else
5995  {
5996  msg(msglevel, "Bad --mode parameter: %s", p[1]);
5997  goto err;
5998  }
5999  }
6000  else if (streq(p[0], "dev") && p[1] && !p[2])
6001  {
6002  VERIFY_PERMISSION(OPT_P_GENERAL);
6003  options->dev = p[1];
6004  }
6005  else if (streq(p[0], "dev-type") && p[1] && !p[2])
6006  {
6007  VERIFY_PERMISSION(OPT_P_GENERAL);
6008  options->dev_type = p[1];
6009  }
6010 #ifdef _WIN32
6011  else if (streq(p[0], "windows-driver") && p[1] && !p[2])
6012  {
6013  VERIFY_PERMISSION(OPT_P_GENERAL);
6014  options->windows_driver = parse_windows_driver(p[1], M_FATAL);
6015  }
6016 #endif
6017  else if (streq(p[0], "disable-dco"))
6018  {
6019  options->disable_dco = true;
6020  }
6021  else if (streq(p[0], "dev-node") && p[1] && !p[2])
6022  {
6023  VERIFY_PERMISSION(OPT_P_GENERAL);
6024  options->dev_node = p[1];
6025  }
6026  else if (streq(p[0], "lladdr") && p[1] && !p[2])
6027  {
6028  VERIFY_PERMISSION(OPT_P_UP);
6029  if (mac_addr_safe(p[1])) /* MAC address only */
6030  {
6031  options->lladdr = p[1];
6032  }
6033  else
6034  {
6035  msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
6036  goto err;
6037  }
6038  }
6039  else if (streq(p[0], "topology") && p[1] && !p[2])
6040  {
6041  VERIFY_PERMISSION(OPT_P_UP);
6042  options->topology = parse_topology(p[1], msglevel);
6043  }
6044  else if (streq(p[0], "tun-ipv6") && !p[1])
6045  {
6046  if (!pull_mode)
6047  {
6048  msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
6049  }
6050  }
6051 #ifdef ENABLE_IPROUTE
6052  else if (streq(p[0], "iproute") && p[1] && !p[2])
6053  {
6054  VERIFY_PERMISSION(OPT_P_GENERAL);
6055  iproute_path = p[1];
6056  }
6057 #endif
6058  else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
6059  {
6060  VERIFY_PERMISSION(OPT_P_UP);
6061  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
6062  {
6063  options->ifconfig_local = p[1];
6064  options->ifconfig_remote_netmask = p[2];
6065  }
6066  else
6067  {
6068  msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6069  goto err;
6070  }
6071  }
6072  else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
6073  {
6074  unsigned int netbits;
6075 
6076  VERIFY_PERMISSION(OPT_P_UP);
6077  if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
6078  && ipv6_addr_safe( p[2] ) )
6079  {
6080  if (netbits < 64 || netbits > 124)
6081  {
6082  msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
6083  goto err;
6084  }
6085 
6086  options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
6087  options->ifconfig_ipv6_netbits = netbits;
6088  options->ifconfig_ipv6_remote = p[2];
6089  }
6090  else
6091  {
6092  msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
6093  goto err;
6094  }
6095  }
6096  else if (streq(p[0], "ifconfig-noexec") && !p[1])
6097  {
6098  VERIFY_PERMISSION(OPT_P_UP);
6099  options->ifconfig_noexec = true;
6100  }
6101  else if (streq(p[0], "ifconfig-nowarn") && !p[1])
6102  {
6103  VERIFY_PERMISSION(OPT_P_UP);
6104  options->ifconfig_nowarn = true;
6105  }
6106  else if (streq(p[0], "local") && p[1] && !p[4])
6107  {
6108  struct local_entry *e;
6109 
6110  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6111 
6112  e = alloc_local_entry(&options->ce, M_USAGE, &options->gc);
6113  ASSERT(e);
6114 
6115  /* '*' is treated as 'ask the system to get some socket',
6116  * therefore force binding on a particular address only when
6117  * actually specified. */
6118  if (strcmp(p[1], "*") != 0)
6119  {
6120  e->local = p[1];
6121  }
6122 
6123  if (p[2])
6124  {
6125  e->port = p[2];
6126  }
6127 
6128  if (p[3])
6129  {
6130  e->proto = ascii2proto(p[3]);
6131  }
6132  }
6133  else if (streq(p[0], "remote-random") && !p[1])
6134  {
6135  VERIFY_PERMISSION(OPT_P_GENERAL);
6136  options->remote_random = true;
6137  }
6138  else if (streq(p[0], "connection") && p[1] && !p[3])
6139  {
6140  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6141  if (is_inline)
6142  {
6143  struct options sub;
6144  struct connection_entry *e;
6145 
6146  init_options(&sub, true);
6147  sub.ce = options->ce;
6148  read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
6149  OPT_P_CONNECTION, option_types_found, es);
6150  if (!sub.ce.remote)
6151  {
6152  msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
6153  uninit_options(&sub);
6154  goto err;
6155  }
6156 
6157  e = alloc_connection_entry(options, msglevel);
6158  if (!e)
6159  {
6160  uninit_options(&sub);
6161  goto err;
6162  }
6163  *e = sub.ce;
6164  gc_transfer(&options->gc, &sub.gc);
6165  uninit_options(&sub);
6166  }
6167  }
6168  else if (streq(p[0], "ignore-unknown-option") && p[1])
6169  {
6170  int i;
6171  int j;
6172  int numignored = 0;
6173  const char **ignore;
6174 
6175  VERIFY_PERMISSION(OPT_P_GENERAL);
6176  /* Find out how many options to be ignored */
6177  for (i = 1; p[i]; i++)
6178  {
6179  numignored++;
6180  }
6181 
6182  /* add number of options already ignored */
6183  for (i = 0; options->ignore_unknown_option
6184  && options->ignore_unknown_option[i]; i++)
6185  {
6186  numignored++;
6187  }
6188 
6189  /* Allocate array */
6190  ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
6191  for (i = 0; options->ignore_unknown_option
6192  && options->ignore_unknown_option[i]; i++)
6193  {
6194  ignore[i] = options->ignore_unknown_option[i];
6195  }
6196 
6197  options->ignore_unknown_option = ignore;
6198 
6199  for (j = 1; p[j]; j++)
6200  {
6201  /* Allow the user to specify ignore-unknown-option --opt too */
6202  if (p[j][0]=='-' && p[j][1]=='-')
6203  {
6204  options->ignore_unknown_option[i] = (p[j]+2);
6205  }
6206  else
6207  {
6208  options->ignore_unknown_option[i] = p[j];
6209  }
6210  i++;
6211  }
6212 
6213  options->ignore_unknown_option[i] = NULL;
6214  }
6215 #if ENABLE_MANAGEMENT
6216  else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6217  {
6218  VERIFY_PERMISSION(OPT_P_GENERAL);
6219  options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], &options->gc);
6220  if (!options->http_proxy_override)
6221  {
6222  goto err;
6223  }
6224  }
6225 #endif
6226  else if (streq(p[0], "remote") && p[1] && !p[4])
6227  {
6228  struct remote_entry re;
6229  re.remote = re.remote_port = NULL;
6230  re.proto = -1;
6231  re.af = 0;
6232 
6233  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6234  re.remote = p[1];
6235  if (p[2])
6236  {
6237  re.remote_port = p[2];
6238  if (p[3])
6239  {
6240  const int proto = ascii2proto(p[3]);
6241  const sa_family_t af = ascii2af(p[3]);
6242  if (proto < 0)
6243  {
6244  msg(msglevel,
6245  "remote: bad protocol associated with host %s: '%s'",
6246  p[1], p[3]);
6247  goto err;
6248  }
6249  re.proto = proto;
6250  re.af = af;
6251  }
6252  }
6253  if (permission_mask & OPT_P_GENERAL)
6254  {
6255  struct remote_entry *e = alloc_remote_entry(options, msglevel);
6256  if (!e)
6257  {
6258  goto err;
6259  }
6260  *e = re;
6261  }
6262  else if (permission_mask & OPT_P_CONNECTION)
6263  {
6264  connection_entry_load_re(&options->ce, &re);
6265  }
6266  }
6267  else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6268  {
6269  VERIFY_PERMISSION(OPT_P_GENERAL);
6270  if (streq(p[1], "infinite"))
6271  {
6272  options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
6273  }
6274  else
6275  {
6276  options->resolve_retry_seconds = positive_atoi(p[1], msglevel);
6277  }
6278  }
6279  else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6280  {
6281  VERIFY_PERMISSION(OPT_P_GENERAL);
6282  options->resolve_in_advance = true;
6283  /* Note the ip-remote-hint and the argument p[1] are for
6284  * backward compatibility */
6285  if (p[1])
6286  {
6287  options->ip_remote_hint = p[1];
6288  }
6289  }
6290  else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6291  {
6292  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6293  options->ce.connect_retry_seconds = positive_atoi(p[1], msglevel);
6294  /*
6295  * Limit the base value of retry wait interval to 16 bits to avoid
6296  * overflow when scaled up for exponential backoff
6297  */
6298  if (options->ce.connect_retry_seconds > 0xFFFF)
6299  {
6300  options->ce.connect_retry_seconds = 0xFFFF;
6301  msg(M_WARN, "connect retry wait interval truncated to %d",
6302  options->ce.connect_retry_seconds);
6303  }
6304 
6305  if (p[2])
6306  {
6307  options->ce.connect_retry_seconds_max =
6308  max_int(positive_atoi(p[2], msglevel), options->ce.connect_retry_seconds);
6309  }
6310  }
6311  else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
6312  && p[1] && !p[2])
6313  {
6314  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6315  options->ce.connect_timeout = positive_atoi(p[1], msglevel);
6316  }
6317  else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6318  {
6319  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6320  options->connect_retry_max = positive_atoi(p[1], msglevel);
6321  }
6322  else if (streq(p[0], "ipchange") && p[1])
6323  {
6324  VERIFY_PERMISSION(OPT_P_SCRIPT);
6325  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6326  {
6327  goto err;
6328  }
6329  set_user_script(options,
6330  &options->ipchange,
6331  string_substitute(p[1], ',', ' ', &options->gc),
6332  "ipchange", true);
6333  }
6334  else if (streq(p[0], "float") && !p[1])
6335  {
6336  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6337  options->ce.remote_float = true;
6338  }
6339 #ifdef ENABLE_DEBUG
6340  else if (streq(p[0], "gremlin") && p[1] && !p[2])
6341  {
6342  VERIFY_PERMISSION(OPT_P_GENERAL);
6343  options->gremlin = positive_atoi(p[1], msglevel);
6344  }
6345 #endif
6346  else if (streq(p[0], "chroot") && p[1] && !p[2])
6347  {
6348  VERIFY_PERMISSION(OPT_P_GENERAL);
6349  options->chroot_dir = p[1];
6350  }
6351  else if (streq(p[0], "cd") && p[1] && !p[2])
6352  {
6353  VERIFY_PERMISSION(OPT_P_GENERAL);
6354  if (platform_chdir(p[1]))
6355  {
6356  msg(M_ERR, "cd to '%s' failed", p[1]);
6357  goto err;
6358  }
6359  options->cd_dir = p[1];
6360  }
6361 #ifdef ENABLE_SELINUX
6362  else if (streq(p[0], "setcon") && p[1] && !p[2])
6363  {
6364  VERIFY_PERMISSION(OPT_P_GENERAL);
6365  options->selinux_context = p[1];
6366  }
6367 #endif
6368  else if (streq(p[0], "writepid") && p[1] && !p[2])
6369  {
6370  VERIFY_PERMISSION(OPT_P_GENERAL);
6371  options->writepid = p[1];
6372  }
6373  else if (streq(p[0], "up") && p[1])
6374  {
6375  VERIFY_PERMISSION(OPT_P_SCRIPT);
6376  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6377  {
6378  goto err;
6379  }
6380  set_user_script(options, &options->up_script, p[1], "up", false);
6381  }
6382  else if (streq(p[0], "down") && p[1])
6383  {
6384  VERIFY_PERMISSION(OPT_P_SCRIPT);
6385  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6386  {
6387  goto err;
6388  }
6389  set_user_script(options, &options->down_script, p[1], "down", true);
6390  }
6391  else if (streq(p[0], "down-pre") && !p[1])
6392  {
6393  VERIFY_PERMISSION(OPT_P_GENERAL);
6394  options->down_pre = true;
6395  }
6396  else if (streq(p[0], "up-delay") && !p[1])
6397  {
6398  VERIFY_PERMISSION(OPT_P_GENERAL);
6399  options->up_delay = true;
6400  }
6401  else if (streq(p[0], "up-restart") && !p[1])
6402  {
6403  VERIFY_PERMISSION(OPT_P_GENERAL);
6404  options->up_restart = true;
6405  }
6406  else if (streq(p[0], "syslog") && !p[2])
6407  {
6408  VERIFY_PERMISSION(OPT_P_GENERAL);
6409  open_syslog(p[1], false);
6410  }
6411  else if (streq(p[0], "daemon") && !p[2])
6412  {
6413  bool didit = false;
6414  VERIFY_PERMISSION(OPT_P_GENERAL);
6415  if (!options->daemon)
6416  {
6417  options->daemon = didit = true;
6418  open_syslog(p[1], false);
6419  }
6420  if (p[1])
6421  {
6422  if (!didit)
6423  {
6424  msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
6425  goto err;
6426  }
6427  }
6428  }
6429  else if (streq(p[0], "log") && p[1] && !p[2])
6430  {
6431  VERIFY_PERMISSION(OPT_P_GENERAL);
6432  options->log = true;
6433  redirect_stdout_stderr(p[1], false);
6434  }
6435  else if (streq(p[0], "suppress-timestamps") && !p[1])
6436  {
6437  VERIFY_PERMISSION(OPT_P_GENERAL);
6438  options->suppress_timestamps = true;
6439  set_suppress_timestamps(true);
6440  }
6441  else if (streq(p[0], "machine-readable-output") && !p[1])
6442  {
6443  VERIFY_PERMISSION(OPT_P_GENERAL);
6444  options->machine_readable_output = true;
6445  set_machine_readable_output(true);
6446  }
6447  else if (streq(p[0], "log-append") && p[1] && !p[2])
6448  {
6449  VERIFY_PERMISSION(OPT_P_GENERAL);
6450  options->log = true;
6451  redirect_stdout_stderr(p[1], true);
6452  }
6453 #ifdef ENABLE_MEMSTATS
6454  else if (streq(p[0], "memstats") && p[1] && !p[2])
6455  {
6456  VERIFY_PERMISSION(OPT_P_GENERAL);
6457  options->memstats_fn = p[1];
6458  }
6459 #endif
6460  else if (streq(p[0], "mlock") && !p[1])
6461  {
6462  VERIFY_PERMISSION(OPT_P_GENERAL);
6463  options->mlock = true;
6464  }
6465 #if ENABLE_IP_PKTINFO
6466  else if (streq(p[0], "multihome") && !p[1])
6467  {
6468  VERIFY_PERMISSION(OPT_P_GENERAL);
6469  options->sockflags |= SF_USE_IP_PKTINFO;
6470  }
6471 #endif
6472  else if (streq(p[0], "verb") && p[1] && !p[2])
6473  {
6474  VERIFY_PERMISSION(OPT_P_MESSAGES);
6475  options->verbosity = positive_atoi(p[1], msglevel);
6476  if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6477  {
6478  /* We pass this flag to the SSL library to avoid
6479  * mbed TLS always generating debug level logging */
6480  options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6481  }
6482 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6483  /* Warn when a debug verbosity is supplied when built without debug support */
6484  if (options->verbosity >= 7)
6485  {
6486  msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6487  options->verbosity);
6488  }
6489 #endif
6490  }
6491  else if (streq(p[0], "mute") && p[1] && !p[2])
6492  {
6493  VERIFY_PERMISSION(OPT_P_MESSAGES);
6494  options->mute = positive_atoi(p[1], msglevel);
6495  }
6496  else if (streq(p[0], "errors-to-stderr") && !p[1])
6497  {
6498  VERIFY_PERMISSION(OPT_P_MESSAGES);
6499  errors_to_stderr();
6500  }
6501  else if (streq(p[0], "status") && p[1] && !p[3])
6502  {
6503  VERIFY_PERMISSION(OPT_P_GENERAL);
6504  options->status_file = p[1];
6505  if (p[2])
6506  {
6507  options->status_file_update_freq = positive_atoi(p[2], msglevel);
6508  }
6509  }
6510  else if (streq(p[0], "status-version") && p[1] && !p[2])
6511  {
6512  int version;
6513 
6514  VERIFY_PERMISSION(OPT_P_GENERAL);
6515  version = atoi_warn(p[1], msglevel);
6516  if (version < 1 || version > 3)
6517  {
6518  msg(msglevel, "--status-version must be 1 to 3");
6519  goto err;
6520  }
6521  options->status_file_version = version;
6522  }
6523  else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6524  {
6525  VERIFY_PERMISSION(OPT_P_GENERAL);
6526  if (streq(p[1], "SIGHUP"))
6527  {
6528  options->remap_sigusr1 = SIGHUP;
6529  }
6530  else if (streq(p[1], "SIGTERM"))
6531  {
6532  options->remap_sigusr1 = SIGTERM;
6533  }
6534  else
6535  {
6536  msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6537  goto err;
6538  }
6539  }
6540  else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6541  {
6542  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6543  options->ce.link_mtu = positive_atoi(p[1], msglevel);
6544  options->ce.link_mtu_defined = true;
6545  }
6546  else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6547  {
6548  VERIFY_PERMISSION(OPT_P_PUSH_MTU|OPT_P_CONNECTION);
6549  options->ce.tun_mtu = positive_atoi(p[1], msglevel);
6550  options->ce.tun_mtu_defined = true;
6551  if (p[2])
6552  {
6553  options->ce.occ_mtu = positive_atoi(p[2], msglevel);
6554  }
6555  else
6556  {
6557  options->ce.occ_mtu = 0;
6558  }
6559  }
6560  else if (streq(p[0], "tun-mtu-max") && p[1] && !p[3])
6561  {
6562  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6563  int max_mtu = positive_atoi(p[1], msglevel);
6564  if (max_mtu < 68 || max_mtu > 65536)
6565  {
6566  msg(msglevel, "--tun-mtu-max value '%s' is invalid", p[1]);
6567  }
6568  else
6569  {
6570  options->ce.tun_mtu_max = max_mtu;
6571  }
6572  }
6573  else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6574  {
6575  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6576  options->ce.tun_mtu_extra = positive_atoi(p[1], msglevel);
6577  options->ce.tun_mtu_extra_defined = true;
6578  }
6579  else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
6580  {
6581  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6582  int maxmtu = positive_atoi(p[1], msglevel);
6583  options->ce.tls_mtu = constrain_int(maxmtu, TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE);
6584 
6585  if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
6586  {
6587  msg(M_WARN, "Note: max-packet-size value outside of allowed "
6588  "control channel packet size (%d to %d), will use %d "
6589  "instead.", TLS_CHANNEL_MTU_MIN, TLS_CHANNEL_BUF_SIZE,
6590  options->ce.tls_mtu);
6591  }
6592 
6593  /* also set mssfix maxmtu mtu */
6594  options->ce.mssfix = maxmtu;
6595  options->ce.mssfix_default = false;
6596  options->ce.mssfix_encap = true;
6597  }
6598 #ifdef ENABLE_FRAGMENT
6599  else if (streq(p[0], "mtu-dynamic"))
6600  {
6601  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6602  msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6603  goto err;
6604  }
6605  else if (streq(p[0], "fragment") && p[1] && !p[3])
6606  {
6607  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6608  options->ce.fragment = positive_atoi(p[1], msglevel);
6609 
6610  if (options->ce.fragment < 68)
6611  {
6612  msg(msglevel, "--fragment needs to be at least 68");
6613  goto err;
6614  }
6615 
6616  if (p[2] && streq(p[2], "mtu"))
6617  {
6618  options->ce.fragment_encap = true;
6619  }
6620  else if (p[2])
6621  {
6622  msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6623  }
6624  }
6625 #endif /* ifdef ENABLE_FRAGMENT */
6626  else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6627  {
6628  VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6629  options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6630  }
6631  else if (streq(p[0], "mtu-test") && !p[1])
6632  {
6633  VERIFY_PERMISSION(OPT_P_GENERAL);
6634  options->mtu_test = true;
6635  }
6636  else if (streq(p[0], "nice") && p[1] && !p[2])
6637  {
6638  VERIFY_PERMISSION(OPT_P_NICE);
6639  options->nice = atoi_warn(p[1], msglevel);
6640  }
6641  else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6642  {
6643  VERIFY_PERMISSION(OPT_P_SOCKBUF);
6644  options->rcvbuf = positive_atoi(p[1], msglevel);
6645  }
6646  else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6647  {
6648  VERIFY_PERMISSION(OPT_P_SOCKBUF);
6649  options->sndbuf = positive_atoi(p[1], msglevel);
6650  }
6651  else if (streq(p[0], "mark") && p[1] && !p[2])
6652  {
6653 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
6654  VERIFY_PERMISSION(OPT_P_GENERAL);
6655  options->mark = atoi_warn(p[1], msglevel);
6656 #endif
6657  }
6658  else if (streq(p[0], "socket-flags"))
6659  {
6660  int j;
6661  VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6662  for (j = 1; j < MAX_PARMS && p[j]; ++j)
6663  {
6664  if (streq(p[j], "TCP_NODELAY"))
6665  {
6666  options->sockflags |= SF_TCP_NODELAY;
6667  }
6668  else
6669  {
6670  msg(msglevel, "unknown socket flag: %s", p[j]);
6671  }
6672  }
6673  }
6674 #ifdef TARGET_LINUX
6675  else if (streq(p[0], "bind-dev") && p[1])
6676  {
6677  VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6678  options->bind_dev = p[1];
6679  }
6680 #endif
6681  else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6682  {
6683  VERIFY_PERMISSION(OPT_P_GENERAL);
6684 #ifdef TARGET_LINUX
6685  options->tuntap_options.txqueuelen = positive_atoi(p[1], msglevel);
6686 #else
6687  msg(msglevel, "--txqueuelen not supported on this OS");
6688  goto err;
6689 #endif
6690  }
6691  else if (streq(p[0], "shaper") && p[1] && !p[2])
6692  {
6693  int shaper;
6694 
6695  VERIFY_PERMISSION(OPT_P_SHAPER);
6696  shaper = atoi_warn(p[1], msglevel);
6697  if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
6698  {
6699  msg(msglevel, "Bad shaper value, must be between %d and %d",
6700  SHAPER_MIN, SHAPER_MAX);
6701  goto err;
6702  }
6703  options->shaper = shaper;
6704  }
6705  else if (streq(p[0], "port") && p[1] && !p[2])
6706  {
6707  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6708  options->ce.local_port = options->ce.remote_port = p[1];
6709  }
6710  else if (streq(p[0], "lport") && p[1] && !p[2])
6711  {
6712  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6713 
6714  /* only trigger bind() if port is not 0 (or --local is used) */
6715  if (!streq(p[1], "0"))
6716  {
6717  options->ce.local_port_defined = true;
6718  }
6719  options->ce.local_port = p[1];
6720  }
6721  else if (streq(p[0], "rport") && p[1] && !p[2])
6722  {
6723  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6724  options->ce.remote_port = p[1];
6725  }
6726  else if (streq(p[0], "bind") && !p[2])
6727  {
6728  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6729  options->ce.bind_defined = true;
6730  if (p[1] && streq(p[1], "ipv6only"))
6731  {
6732  options->ce.bind_ipv6_only = true;
6733  }
6734 
6735  }
6736  else if (streq(p[0], "nobind") && !p[1])
6737  {
6738  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6739  options->ce.bind_local = false;
6740  }
6741  else if (streq(p[0], "fast-io") && !p[1])
6742  {
6743  VERIFY_PERMISSION(OPT_P_GENERAL);
6744  options->fast_io = true;
6745  }
6746  else if (streq(p[0], "inactive") && p[1] && !p[3])
6747  {
6748  VERIFY_PERMISSION(OPT_P_TIMER);
6749  options->inactivity_timeout = positive_atoi(p[1], msglevel);
6750  if (p[2])
6751  {
6752  int64_t val = atoll(p[2]);
6753  options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
6754  if (options->inactivity_minimum_bytes > INT_MAX)
6755  {
6756  msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
6757  " >2 Gbyte was silently ignored in older versions. If "
6758  " your VPN exits unexpectedly with 'Inactivity timeout'"
6759  " in %d seconds, revisit this value.",
6760  options->inactivity_timeout );
6761  }
6762  }
6763  }
6764  else if (streq(p[0], "session-timeout") && p[1] && !p[2])
6765  {
6766  VERIFY_PERMISSION(OPT_P_TIMER);
6767  options->session_timeout = positive_atoi(p[1], msglevel);
6768  }
6769  else if (streq(p[0], "proto") && p[1] && !p[2])
6770  {
6771  int proto;
6772  sa_family_t af;
6773  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6774  proto = ascii2proto(p[1]);
6775  af = ascii2af(p[1]);
6776  if (proto < 0)
6777  {
6778  msg(msglevel,
6779  "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
6780  p[1],
6781  proto2ascii_all(&gc));
6782  goto err;
6783  }
6784  options->ce.proto = proto;
6785  options->ce.af = af;
6786  }
6787  else if (streq(p[0], "proto-force") && p[1] && !p[2])
6788  {
6789  int proto_force;
6790  VERIFY_PERMISSION(OPT_P_GENERAL);
6791  proto_force = ascii2proto(p[1]);
6792  if (proto_force < 0)
6793  {
6794  msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6795  goto err;
6796  }
6797  options->proto_force = proto_force;
6798  }
6799  else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6800  {
6801  struct http_proxy_options *ho;
6802 
6803  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6804 
6805  {
6806  if (!p[2])
6807  {
6808  msg(msglevel, "http-proxy port number not defined");
6809  goto err;
6810  }
6811 
6812  ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6813 
6814  ho->server = p[1];
6815  ho->port = p[2];
6816  }
6817 
6818  if (p[3])
6819  {
6820  /* auto -- try to figure out proxy addr, port, and type automatically */
6821  /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6822  if (streq(p[3], "auto"))
6823  {
6824  ho->auth_retry = PAR_ALL;
6825  }
6826  else if (streq(p[3], "auto-nct"))
6827  {
6828  ho->auth_retry = PAR_NCT;
6829  }
6830  else
6831  {
6832  ho->auth_method_string = "basic";
6833  ho->auth_file = p[3];
6834 
6835  if (p[4])
6836  {
6837  ho->auth_method_string = p[4];
6838  }
6839  }
6840  }
6841  else
6842  {
6843  ho->auth_method_string = "none";
6844  }
6845  }
6846  else if (streq(p[0], "http-proxy-user-pass") && p[1])
6847  {
6848  struct http_proxy_options *ho;
6849  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6850  ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6851  ho->auth_file_up = p[1];
6852  ho->inline_creds = is_inline;
6853  }
6854  else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
6855  {
6856  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6857  msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6858  "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6859  "Use connect-retry-max 1 to get a similar behavior as before.");
6860  }
6861  else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
6862  {
6863  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6864  msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6865  "server is established is managed with a single timeout set by connect-timeout");
6866  }
6867  else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6868  {
6869  struct http_proxy_options *ho;
6870 
6871  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6872  ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6873 
6874  if (streq(p[1], "VERSION") && p[2] && !p[3])
6875  {
6876  ho->http_version = p[2];
6877  }
6878  else if (streq(p[1], "AGENT") && p[2] && !p[3])
6879  {
6880  ho->user_agent = p[2];
6881  }
6882  else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6883  && p[2])
6884  {
6885  /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6886  * with either two argument or one */
6887 
6888  struct http_custom_header *custom_header = NULL;
6889  int i;
6890  /* Find the first free header */
6891  for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6892  {
6893  if (!ho->custom_headers[i].name)
6894  {
6895  custom_header = &ho->custom_headers[i];
6896  break;
6897  }
6898  }
6899  if (!custom_header)
6900  {
6901  msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
6902  }
6903  else
6904  {
6905  /* We will save p[2] and p[3], the proxy code will detect if
6906  * p[3] is NULL */
6907  custom_header->name = p[2];
6908  custom_header->content = p[3];
6909  }
6910  }
6911  else
6912  {
6913  msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6914  }
6915  }
6916  else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6917  {
6918  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6919 
6920  if (p[2])
6921  {
6922  options->ce.socks_proxy_port = p[2];
6923  }
6924  else
6925  {
6926  options->ce.socks_proxy_port = "1080";
6927  }
6928  options->ce.socks_proxy_server = p[1];
6929  options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
6930  }
6931  else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
6932  {
6933  VERIFY_PERMISSION(OPT_P_GENERAL);
6934  options->keepalive_ping = atoi_warn(p[1], msglevel);
6935  options->keepalive_timeout = atoi_warn(p[2], msglevel);
6936  }
6937  else if (streq(p[0], "ping") && p[1] && !p[2])
6938  {
6939  VERIFY_PERMISSION(OPT_P_TIMER);
6940  options->ping_send_timeout = positive_atoi(p[1], msglevel);
6941  }
6942  else if (streq(p[0], "ping-exit") && p[1] && !p[2])
6943  {
6944  VERIFY_PERMISSION(OPT_P_TIMER);
6945  options->ping_rec_timeout = positive_atoi(p[1], msglevel);
6946  options->ping_rec_timeout_action = PING_EXIT;
6947  }
6948  else if (streq(p[0], "ping-restart") && p[1] && !p[2])
6949  {
6950  VERIFY_PERMISSION(OPT_P_TIMER);
6951  options->ping_rec_timeout = positive_atoi(p[1], msglevel);
6952  options->ping_rec_timeout_action = PING_RESTART;
6953  }
6954  else if (streq(p[0], "ping-timer-rem") && !p[1])
6955  {
6956  VERIFY_PERMISSION(OPT_P_TIMER);
6957  options->ping_timer_remote = true;
6958  }
6959  else if (streq(p[0], "explicit-exit-notify") && !p[2])
6960  {
6961  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
6962  if (p[1])
6963  {
6964  options->ce.explicit_exit_notification = positive_atoi(p[1], msglevel);
6965  }
6966  else
6967  {
6968  options->ce.explicit_exit_notification = 1;
6969  }
6970  }
6971  else if (streq(p[0], "persist-tun") && !p[1])
6972  {
6973  VERIFY_PERMISSION(OPT_P_PERSIST);
6974  options->persist_tun = true;
6975  }
6976  else if (streq(p[0], "persist-key") && !p[1])
6977  {
6978  VERIFY_PERMISSION(OPT_P_PERSIST);
6979  msg(M_WARN, "DEPRECATED: --persist-key option ignored. "
6980  "Keys are now always persisted across restarts. ");
6981  }
6982  else if (streq(p[0], "persist-local-ip") && !p[1])
6983  {
6984  VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6985  options->persist_local_ip = true;
6986  }
6987  else if (streq(p[0], "persist-remote-ip") && !p[1])
6988  {
6989  VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6990  options->persist_remote_ip = true;
6991  }
6992  else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
6993  {
6994  VERIFY_PERMISSION(OPT_P_ROUTE);
6995  cnol_check_alloc(options);
6996  add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
6997  }
6998  else if (streq(p[0], "route") && p[1] && !p[5])
6999  {
7000  VERIFY_PERMISSION(OPT_P_ROUTE);
7001  rol_check_alloc(options);
7002  if (pull_mode)
7003  {
7004  if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
7005  {
7006  msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
7007  goto err;
7008  }
7009  if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
7010  {
7011  msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
7012  goto err;
7013  }
7014  if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
7015  {
7016  msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
7017  goto err;
7018  }
7019  }
7020  add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
7021  }
7022  else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
7023  {
7024  VERIFY_PERMISSION(OPT_P_ROUTE);
7025  rol6_check_alloc(options);
7026  if (pull_mode)
7027  {
7028  if (!ipv6_addr_safe_hexplusbits(p[1]))
7029  {
7030  msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
7031  goto err;
7032  }
7033  if (p[2] && !ipv6_addr_safe(p[2]))
7034  {
7035  msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
7036  goto err;
7037  }
7038  /* p[3] is metric, if present */
7039  }
7040  add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]);
7041  }
7042  else if (streq(p[0], "max-routes") && !p[2])
7043  {
7044  msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored. "
7045  "The number of routes is unlimited as of OpenVPN 2.4. "
7046  "This option will be removed in a future version, "
7047  "please remove it from your configuration.");
7048  }
7049  else if (streq(p[0], "route-gateway") && p[1] && !p[2])
7050  {
7051  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7052  if (streq(p[1], "dhcp"))
7053  {
7054  options->route_gateway_via_dhcp = true;
7055  }
7056  else
7057  {
7058  if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
7059  {
7060  options->route_default_gateway = p[1];
7061  }
7062  else
7063  {
7064  msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
7065  goto err;
7066  }
7067  }
7068  }
7069  else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
7070  {
7071  if (ipv6_addr_safe(p[1]))
7072  {
7073  options->route_ipv6_default_gateway = p[1];
7074  }
7075  else
7076  {
7077  msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
7078  goto err;
7079  }
7080  }
7081  else if (streq(p[0], "route-metric") && p[1] && !p[2])
7082  {
7083  VERIFY_PERMISSION(OPT_P_ROUTE);
7084  options->route_default_metric = positive_atoi(p[1], msglevel);
7085  }
7086  else if (streq(p[0], "route-delay") && !p[3])
7087  {
7088  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7089  options->route_delay_defined = true;
7090  if (p[1])
7091  {
7092  options->route_delay = positive_atoi(p[1], msglevel);
7093  if (p[2])
7094  {
7095  options->route_delay_window = positive_atoi(p[2], msglevel);
7096  }
7097  }
7098  else
7099  {
7100  options->route_delay = 0;
7101  }
7102  }
7103  else if (streq(p[0], "route-up") && p[1])
7104  {
7105  VERIFY_PERMISSION(OPT_P_SCRIPT);
7106  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7107  {
7108  goto err;
7109  }
7110  set_user_script(options, &options->route_script, p[1], "route-up", false);
7111  }
7112  else if (streq(p[0], "route-pre-down") && p[1])
7113  {
7114  VERIFY_PERMISSION(OPT_P_SCRIPT);
7115  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7116  {
7117  goto err;
7118  }
7119  set_user_script(options,
7120  &options->route_predown_script,
7121  p[1],
7122  "route-pre-down", true);
7123  }
7124  else if (streq(p[0], "route-noexec") && !p[1])
7125  {
7126  VERIFY_PERMISSION(OPT_P_SCRIPT);
7127  options->route_noexec = true;
7128  }
7129  else if (streq(p[0], "route-nopull") && !p[1])
7130  {
7131  VERIFY_PERMISSION(OPT_P_GENERAL);
7132  options->route_nopull = true;
7133  }
7134  else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
7135  {
7136  struct pull_filter *f;
7137  VERIFY_PERMISSION(OPT_P_GENERAL)
7138  f = alloc_pull_filter(options);
7139 
7140  if (strcmp("accept", p[1]) == 0)
7141  {
7142  f->type = PUF_TYPE_ACCEPT;
7143  }
7144  else if (strcmp("ignore", p[1]) == 0)
7145  {
7146  f->type = PUF_TYPE_IGNORE;
7147  }
7148  else if (strcmp("reject", p[1]) == 0)
7149  {
7150  f->type = PUF_TYPE_REJECT;
7151  }
7152  else
7153  {
7154  msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
7155  goto err;
7156  }
7157  f->pattern = p[2];
7158  f->size = strlen(p[2]);
7159  }
7160  else if (streq(p[0], "allow-pull-fqdn") && !p[1])
7161  {
7162  VERIFY_PERMISSION(OPT_P_GENERAL);
7163  options->allow_pull_fqdn = true;
7164  }
7165  else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7166  {
7167  int j;
7168  VERIFY_PERMISSION(OPT_P_ROUTE);
7169  rol_check_alloc(options);
7170 
7171  if (options->routes->flags & RG_ENABLE)
7172  {
7173  msg(M_WARN,
7174  "WARNING: You have specified redirect-gateway and "
7175  "redirect-private at the same time (or the same option "
7176  "multiple times). This is not well supported and may lead to "
7177  "unexpected results");
7178  }
7179 
7180  options->routes->flags |= RG_ENABLE;
7181 
7182  if (streq(p[0], "redirect-gateway"))
7183  {
7184  options->routes->flags |= RG_REROUTE_GW;
7185  }
7186  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7187  {
7188  if (streq(p[j], "local"))
7189  {
7190  options->routes->flags |= RG_LOCAL;
7191  }
7192  else if (streq(p[j], "autolocal"))
7193  {
7194  options->routes->flags |= RG_AUTO_LOCAL;
7195  }
7196  else if (streq(p[j], "def1"))
7197  {
7198  options->routes->flags |= RG_DEF1;
7199  }
7200  else if (streq(p[j], "bypass-dhcp"))
7201  {
7202  options->routes->flags |= RG_BYPASS_DHCP;
7203  }
7204  else if (streq(p[j], "bypass-dns"))
7205  {
7206  options->routes->flags |= RG_BYPASS_DNS;
7207  }
7208  else if (streq(p[j], "block-local"))
7209  {
7210  options->routes->flags |= RG_BLOCK_LOCAL;
7211  }
7212  else if (streq(p[j], "ipv6"))
7213  {
7214  rol6_check_alloc(options);
7215  options->routes_ipv6->flags |= RG_REROUTE_GW;
7216  }
7217  else if (streq(p[j], "!ipv4"))
7218  {
7219  options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
7220  }
7221  else
7222  {
7223  msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7224  goto err;
7225  }
7226  }
7227 #ifdef _WIN32
7228  /* we need this here to handle pushed --redirect-gateway */
7229  remap_redirect_gateway_flags(options);
7230 #endif
7231  }
7232  else if (streq(p[0], "block-ipv6") && !p[1])
7233  {
7234  VERIFY_PERMISSION(OPT_P_ROUTE);
7235  options->block_ipv6 = true;
7236  }
7237  else if (streq(p[0], "remote-random-hostname") && !p[1])
7238  {
7239  VERIFY_PERMISSION(OPT_P_GENERAL);
7240  options->sockflags |= SF_HOST_RANDOMIZE;
7241  }
7242  else if (streq(p[0], "setenv") && p[1] && !p[3])
7243  {
7244  VERIFY_PERMISSION(OPT_P_GENERAL);
7245  if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7246  {
7247  options->sockflags |= SF_HOST_RANDOMIZE;
7248  }
7249  else if (streq(p[1], "GENERIC_CONFIG"))
7250  {
7251  msg(msglevel, "this is a generic configuration and cannot directly be used");
7252  goto err;
7253  }
7254  else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7255  {
7256  options->push_peer_info = true;
7257  }
7258  else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7259  {
7260  options->ce.connect_timeout = positive_atoi(p[2], msglevel);
7261  }
7262  else
7263  {
7264  if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7265  {
7266  options->forward_compatible = true;
7267  msglevel_fc = msglevel_forward_compatible(options, msglevel);
7268  }
7269  setenv_str(es, p[1], p[2] ? p[2] : "");
7270  }
7271  }
7272  else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7273  {
7274  unsigned int major, minor, patch;
7275  if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7276  {
7277  msg(msglevel, "cannot parse version number for --compat-mode: %s",
7278  p[1]);
7279  goto err;
7280  }
7281 
7282  options->backwards_compatible = major * 10000 + minor * 100 + patch;
7283  }
7284  else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7285  {
7286  VERIFY_PERMISSION(OPT_P_SETENV);
7287  setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7288  }
7289  else if (streq(p[0], "script-security") && p[1] && !p[2])
7290  {
7291  VERIFY_PERMISSION(OPT_P_GENERAL);
7292  script_security_set(atoi_warn(p[1], msglevel));
7293  }
7294  else if (streq(p[0], "mssfix") && !p[3])
7295  {
7296  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
7297  if (p[1])
7298  {
7299  int mssfix = positive_atoi(p[1], msglevel);
7300  /* can be 0, but otherwise it needs to be high enough so we can
7301  * substract room for headers. */
7302  if (mssfix != 0
7303  && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
7304  {
7305  msg(msglevel, "--mssfix value '%s' is invalid", p[1]);
7306  goto err;
7307  }
7308 
7309  /* value specified, assume encapsulation is not
7310  * included unless "mtu" follows later */
7311  options->ce.mssfix = mssfix;
7312  options->ce.mssfix_encap = false;
7313  options->ce.mssfix_default = false;
7314  }
7315  else
7316  {
7317  /* Set MTU to default values */
7318  options->ce.mssfix_default = true;
7319  options->ce.mssfix_encap = true;
7320  options->ce.mssfix_fixed = false;
7321  }
7322 
7323  if (p[2] && streq(p[2], "mtu"))
7324  {
7325  options->ce.mssfix_encap = true;
7326  }
7327  else if (p[2] && streq(p[2], "fixed"))
7328  {
7329  options->ce.mssfix_fixed = true;
7330  }
7331  else if (p[2])
7332  {
7333  msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7334  }
7335  }
7336  else if (streq(p[0], "disable-occ") && !p[1])
7337  {
7338  VERIFY_PERMISSION(OPT_P_GENERAL);
7339  options->occ = false;
7340  }
7341  else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7342  {
7343  const int lev = M_WARN;
7344  bool error = false;
7345  in_addr_t network, netmask;
7346 
7347  VERIFY_PERMISSION(OPT_P_GENERAL);
7348  network = get_ip_addr(p[1], lev, &error);
7349  netmask = get_ip_addr(p[2], lev, &error);
7350  if (error || !network || !netmask)
7351  {
7352  msg(msglevel, "error parsing --server parameters");
7353  goto err;
7354  }
7355  options->server_defined = true;
7356  options->server_network = network;
7357  options->server_netmask = netmask;
7358 
7359  if (p[3])
7360  {
7361  if (streq(p[3], "nopool"))
7362  {
7363  options->server_flags |= SF_NOPOOL;
7364  }
7365  else
7366  {
7367  msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7368  goto err;
7369  }
7370  }
7371  }
7372  else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7373  {
7374  const int lev = M_WARN;
7375  struct in6_addr network;
7376  unsigned int netbits = 0;
7377 
7378  VERIFY_PERMISSION(OPT_P_GENERAL);
7379  if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
7380  {
7381  msg(msglevel, "error parsing --server-ipv6 parameter");
7382  goto err;
7383  }
7384  if (netbits < 64 || netbits > 124)
7385  {
7386  msg(msglevel,
7387  "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7388  netbits);
7389 
7390  goto err;
7391  }
7392  options->server_ipv6_defined = true;
7393  options->server_network_ipv6 = network;
7394  options->server_netbits_ipv6 = netbits;
7395  }
7396  else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7397  {
7398  const int lev = M_WARN;
7399  bool error = false;
7400  in_addr_t ip, netmask, pool_start, pool_end;
7401 
7402  VERIFY_PERMISSION(OPT_P_GENERAL);
7403  ip = get_ip_addr(p[1], lev, &error);
7404  netmask = get_ip_addr(p[2], lev, &error);
7405  pool_start = get_ip_addr(p[3], lev, &error);
7406  pool_end = get_ip_addr(p[4], lev, &error);
7407  if (error || !ip || !netmask || !pool_start || !pool_end)
7408  {
7409  msg(msglevel, "error parsing --server-bridge parameters");
7410  goto err;
7411  }
7412  options->server_bridge_defined = true;
7413  options->server_bridge_ip = ip;
7414  options->server_bridge_netmask = netmask;
7415  options->server_bridge_pool_start = pool_start;
7416  options->server_bridge_pool_end = pool_end;
7417  }
7418  else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7419  {
7420  VERIFY_PERMISSION(OPT_P_GENERAL);
7421  options->server_bridge_proxy_dhcp = true;
7422  options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
7423  }
7424  else if (streq(p[0], "server-bridge") && !p[1])
7425  {
7426  VERIFY_PERMISSION(OPT_P_GENERAL);
7427  options->server_bridge_proxy_dhcp = true;
7428  }
7429  else if (streq(p[0], "push") && p[1] && !p[2])
7430  {
7431  VERIFY_PERMISSION(OPT_P_PUSH);
7432  push_options(options, &p[1], msglevel, &options->gc);
7433  }
7434  else if (streq(p[0], "push-reset") && !p[1])
7435  {
7436  VERIFY_PERMISSION(OPT_P_INSTANCE);
7437  push_reset(options);
7438  }
7439  else if (streq(p[0], "push-remove") && p[1] && !p[2])
7440  {
7441  VERIFY_PERMISSION(OPT_P_INSTANCE);
7442  msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7443  push_remove_option(options, p[1]);
7444  }
7445  else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7446  {
7447  const int lev = M_WARN;
7448  bool error = false;
7449  in_addr_t start, end, netmask = 0;
7450 
7451  VERIFY_PERMISSION(OPT_P_GENERAL);
7452  start = get_ip_addr(p[1], lev, &error);
7453  end = get_ip_addr(p[2], lev, &error);
7454  if (p[3])
7455  {
7456  netmask = get_ip_addr(p[3], lev, &error);
7457  }
7458  if (error)
7459  {
7460  msg(msglevel, "error parsing --ifconfig-pool parameters");
7461  goto err;
7462  }
7463  if (!ifconfig_pool_verify_range(msglevel, start, end))
7464  {
7465  goto err;
7466  }
7467 
7468  options->ifconfig_pool_defined = true;
7469  options->ifconfig_pool_start = start;
7470  options->ifconfig_pool_end = end;
7471  if (netmask)
7472  {
7473  options->ifconfig_pool_netmask = netmask;
7474  }
7475  }
7476  else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7477  {
7478  VERIFY_PERMISSION(OPT_P_GENERAL);
7479  options->ifconfig_pool_persist_filename = p[1];
7480  if (p[2])
7481  {
7482  options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2], msglevel);
7483  }
7484  }
7485  else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7486  {
7487  const int lev = M_WARN;
7488  struct in6_addr network;
7489  unsigned int netbits = 0;
7490 
7491  VERIFY_PERMISSION(OPT_P_GENERAL);
7492  if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
7493  {
7494  msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7495  goto err;
7496  }
7497  if (netbits < 64 || netbits > 124)
7498  {
7499  msg(msglevel,
7500  "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7501  netbits);
7502  goto err;
7503  }
7504 
7505  options->ifconfig_ipv6_pool_defined = true;
7506  options->ifconfig_ipv6_pool_base = network;
7507  options->ifconfig_ipv6_pool_netbits = netbits;
7508  }
7509  else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7510  {
7511  int real, virtual;
7512 
7513  VERIFY_PERMISSION(OPT_P_GENERAL);
7514  real = atoi_warn(p[1], msglevel);
7515  virtual = atoi_warn(p[2], msglevel);
7516  if (real < 1 || virtual < 1)
7517  {
7518  msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
7519  goto err;
7520  }
7521  options->real_hash_size = real;
7522  options->virtual_hash_size = real;
7523  }
7524  else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7525  {
7526  int cf_max, cf_per;
7527 
7528  VERIFY_PERMISSION(OPT_P_GENERAL);
7529  cf_max = atoi_warn(p[1], msglevel);
7530  cf_per = atoi_warn(p[2], msglevel);
7531  if (cf_max < 0 || cf_per < 0)
7532  {
7533  msg(msglevel, "--connect-freq parms must be > 0");
7534  goto err;
7535  }
7536  options->cf_max = cf_max;
7537  options->cf_per = cf_per;
7538  }
7539  else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7540  {
7541  long cf_max, cf_per;
7542 
7543  VERIFY_PERMISSION(OPT_P_GENERAL);
7544  char *e1, *e2;
7545  cf_max = strtol(p[1], &e1, 10);
7546  cf_per = strtol(p[2], &e2, 10);
7547  if (cf_max < 0 || cf_per < 0 || *e1 != '\0' || *e2 != '\0')
7548  {
7549  msg(msglevel, "--connect-freq-initial parameters must be integers and >= 0");
7550  goto err;
7551  }
7552  options->cf_initial_max = cf_max;
7553  options->cf_initial_per = cf_per;
7554  }
7555  else if (streq(p[0], "max-clients") && p[1] && !p[2])
7556  {
7557  int max_clients;
7558 
7559  VERIFY_PERMISSION(OPT_P_GENERAL);
7560  max_clients = atoi_warn(p[1], msglevel);
7561  if (max_clients < 0)
7562  {
7563  msg(msglevel, "--max-clients must be at least 1");
7564  goto err;
7565  }
7566  if (max_clients >= MAX_PEER_ID) /* max peer-id value */
7567  {
7568  msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
7569  goto err;
7570  }
7571  options->max_clients = max_clients;
7572  }
7573  else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7574  {
7575  VERIFY_PERMISSION(OPT_P_INHERIT);
7576  options->max_routes_per_client = max_int(positive_atoi(p[1], msglevel), 1);
7577  }
7578  else if (streq(p[0], "client-cert-not-required") && !p[1])
7579  {
7580  VERIFY_PERMISSION(OPT_P_GENERAL);
7581  msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7582  }
7583  else if (streq(p[0], "verify-client-cert") && !p[2])
7584  {
7585  VERIFY_PERMISSION(OPT_P_GENERAL);
7586 
7587  /* Reset any existing flags */
7588  options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7589  options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7590  if (p[1])
7591  {
7592  if (streq(p[1], "none"))
7593  {
7594  options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
7595  }
7596  else if (streq(p[1], "optional"))
7597  {
7598  options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7599  }
7600  else if (!streq(p[1], "require"))
7601  {
7602  msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7603  goto err;
7604  }
7605  }
7606  }
7607  else if (streq(p[0], "username-as-common-name") && !p[1])
7608  {
7609  VERIFY_PERMISSION(OPT_P_GENERAL);
7610  options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7611  }
7612  else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7613  {
7614  VERIFY_PERMISSION(OPT_P_GENERAL);
7615  options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7616  }
7617  else if (streq(p[0], "opt-verify") && !p[1])
7618  {
7619  VERIFY_PERMISSION(OPT_P_GENERAL);
7620  msg(M_INFO, "DEPRECATION: opt-verify is deprecated and will be removed "
7621  "in OpenVPN 2.7");
7622  options->ssl_flags |= SSLF_OPT_VERIFY;
7623  }
7624  else if (streq(p[0], "auth-user-pass-verify") && p[1])
7625  {
7626  VERIFY_PERMISSION(OPT_P_SCRIPT);
7627  if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7628  {
7629  goto err;
7630  }
7631  if (p[2])
7632  {
7633  if (streq(p[2], "via-env"))
7634  {
7635  options->auth_user_pass_verify_script_via_file = false;
7636  }
7637  else if (streq(p[2], "via-file"))
7638  {
7639  options->auth_user_pass_verify_script_via_file = true;
7640  }
7641  else
7642  {
7643  msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7644  goto err;
7645  }
7646  }
7647  else
7648  {
7649  msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7650  goto err;
7651  }
7652  set_user_script(options,
7653  &options->auth_user_pass_verify_script,
7654  p[1], "auth-user-pass-verify", true);
7655  }
7656  else if (streq(p[0], "auth-gen-token"))
7657  {
7658  VERIFY_PERMISSION(OPT_P_GENERAL);
7659  options->auth_token_generate = true;
7660  options->auth_token_lifetime = p[1] ? positive_atoi(p[1], msglevel) : 0;
7661 
7662  for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
7663  {
7664  /* the second parameter can be the renewal time */
7665  if (i == 2 && valid_integer(p[i], true))
7666  {
7667  options->auth_token_renewal = positive_atoi(p[i], msglevel);
7668  }
7669  else if (streq(p[i], "external-auth"))
7670  {
7671  options->auth_token_call_auth = true;
7672  }
7673  else
7674  {
7675  msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
7676  }
7677  }
7678 
7679  }
7680  else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7681  {
7682  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7683  options->auth_token_secret_file = p[1];
7684  options->auth_token_secret_file_inline = is_inline;
7685 
7686  }
7687  else if (streq(p[0], "client-connect") && p[1])
7688  {
7689  VERIFY_PERMISSION(OPT_P_SCRIPT);
7690  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7691  {
7692  goto err;
7693  }
7694  set_user_script(options, &options->client_connect_script,
7695  p[1], "client-connect", true);
7696  }
7697  else if (streq(p[0], "client-crresponse") && p[1])
7698  {
7699  VERIFY_PERMISSION(OPT_P_SCRIPT);
7700  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7701  {
7702  goto err;
7703  }
7704  set_user_script(options, &options->client_crresponse_script,
7705  p[1], "client-crresponse", true);
7706  }
7707  else if (streq(p[0], "client-disconnect") && p[1])
7708  {
7709  VERIFY_PERMISSION(OPT_P_SCRIPT);
7710  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7711  {
7712  goto err;
7713  }
7714  set_user_script(options, &options->client_disconnect_script,
7715  p[1], "client-disconnect", true);
7716  }
7717  else if (streq(p[0], "learn-address") && p[1])
7718  {
7719  VERIFY_PERMISSION(OPT_P_SCRIPT);
7720  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7721  {
7722  goto err;
7723  }
7724  set_user_script(options, &options->learn_address_script,
7725  p[1], "learn-address", true);
7726  }
7727  else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7728  {
7729  VERIFY_PERMISSION(OPT_P_GENERAL);
7730  options->tmp_dir = p[1];
7731  }
7732  else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7733  {
7734  VERIFY_PERMISSION(OPT_P_GENERAL);
7735  options->client_config_dir = p[1];
7736  }
7737  else if (streq(p[0], "ccd-exclusive") && !p[1])
7738  {
7739  VERIFY_PERMISSION(OPT_P_GENERAL);
7740  options->ccd_exclusive = true;
7741  }
7742  else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7743  {
7744  int n_bcast_buf;
7745 
7746  VERIFY_PERMISSION(OPT_P_GENERAL);
7747  n_bcast_buf = atoi_warn(p[1], msglevel);
7748  if (n_bcast_buf < 1)
7749  {
7750  msg(msglevel, "--bcast-buffers parameter must be > 0");
7751  }
7752  options->n_bcast_buf = n_bcast_buf;
7753  }
7754  else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7755  {
7756  int tcp_queue_limit;
7757 
7758  VERIFY_PERMISSION(OPT_P_GENERAL);
7759  tcp_queue_limit = atoi_warn(p[1], msglevel);
7760  if (tcp_queue_limit < 1)
7761  {
7762  msg(msglevel, "--tcp-queue-limit parameter must be > 0");
7763  }
7764  options->tcp_queue_limit = tcp_queue_limit;
7765  }
7766 #if PORT_SHARE
7767  else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7768  {
7769  VERIFY_PERMISSION(OPT_P_GENERAL);
7770  options->port_share_host = p[1];
7771  options->port_share_port = p[2];
7772  options->port_share_journal_dir = p[3];
7773  }
7774 #endif
7775  else if (streq(p[0], "client-to-client") && !p[1])
7776  {
7777  VERIFY_PERMISSION(OPT_P_GENERAL);
7778  options->enable_c2c = true;
7779  }
7780  else if (streq(p[0], "duplicate-cn") && !p[1])
7781  {
7782  VERIFY_PERMISSION(OPT_P_GENERAL);
7783  options->duplicate_cn = true;
7784  }
7785  else if (streq(p[0], "iroute") && p[1] && !p[3])
7786  {
7787  VERIFY_PERMISSION(OPT_P_INSTANCE);
7788  option_iroute(options, p[1], p[2], msglevel);
7789  }
7790  else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7791  {
7792  VERIFY_PERMISSION(OPT_P_INSTANCE);
7793  option_iroute_ipv6(options, p[1], msglevel);
7794  }
7795  else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7796  {
7797  in_addr_t local, remote_netmask;
7798 
7799  VERIFY_PERMISSION(OPT_P_INSTANCE);
7800  local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7801  remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7802  if (local && remote_netmask)
7803  {
7804  options->push_ifconfig_defined = true;
7805  options->push_ifconfig_local = local;
7806  options->push_ifconfig_remote_netmask = remote_netmask;
7807  if (p[3])
7808  {
7809  options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7810  }
7811  }
7812  else
7813  {
7814  msg(msglevel, "cannot parse --ifconfig-push addresses");
7815  goto err;
7816  }
7817  }
7818  else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7819  {
7820  in_addr_t network, netmask;
7821 
7822  VERIFY_PERMISSION(OPT_P_GENERAL);
7823  network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7824  netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7825  if (network && netmask)
7826  {
7827  options->push_ifconfig_constraint_defined = true;
7828  options->push_ifconfig_constraint_network = network;
7829  options->push_ifconfig_constraint_netmask = netmask;
7830  }
7831  else
7832  {
7833  msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7834  goto err;
7835  }
7836  }
7837  else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7838  {
7839  struct in6_addr local, remote;
7840  unsigned int netbits;
7841 
7842  VERIFY_PERMISSION(OPT_P_INSTANCE);
7843 
7844  if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
7845  {
7846  msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7847  goto err;
7848  }
7849 
7850  if (p[2])
7851  {
7852  if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
7853  {
7854  msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7855  goto err;
7856  }
7857  }
7858  else
7859  {
7860  if (!options->ifconfig_ipv6_local
7861  || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
7862  NULL, msglevel ) )
7863  {
7864  msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7865  goto err;
7866  }
7867  }
7868 
7869  options->push_ifconfig_ipv6_defined = true;
7870  options->push_ifconfig_ipv6_local = local;
7871  options->push_ifconfig_ipv6_netbits = netbits;
7872  options->push_ifconfig_ipv6_remote = remote;
7873  options->push_ifconfig_ipv6_blocked = false;
7874  }
7875  else if (streq(p[0], "disable") && !p[1])
7876  {
7877  VERIFY_PERMISSION(OPT_P_INSTANCE);
7878  options->disable = true;
7879  }
7880  else if (streq(p[0], "override-username") && p[1] && !p[2])
7881  {
7882  VERIFY_PERMISSION(OPT_P_INSTANCE);
7883  if (strlen(p[1]) > TLS_USERNAME_LEN)
7884  {
7885  msg(msglevel, "override-username exceeds the maximum length of %d "
7886  "characters", TLS_USERNAME_LEN);
7887 
7888  /* disable the connection since ignoring the request to
7889  * set another username might cause serious problems */
7890  options->disable = true;
7891  }
7892  else
7893  {
7894  options->override_username = p[1];
7895  }
7896  }
7897  else if (streq(p[0], "tcp-nodelay") && !p[1])
7898  {
7899  VERIFY_PERMISSION(OPT_P_GENERAL);
7900  options->server_flags |= SF_TCP_NODELAY_HELPER;
7901  }
7902  else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7903  {
7904  int ageing_time, check_interval;
7905 
7906  VERIFY_PERMISSION(OPT_P_GENERAL);
7907  ageing_time = atoi_warn(p[1], msglevel);
7908  if (p[2])
7909  {
7910  check_interval = atoi_warn(p[2], msglevel);
7911  }
7912  else
7913  {
7914  check_interval = ageing_time;
7915  }
7916 
7917  if (ageing_time < 1 || check_interval < 1)
7918  {
7919  msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
7920  goto err;
7921  }
7922  options->stale_routes_ageing_time = ageing_time;
7923  options->stale_routes_check_interval = check_interval;
7924  }
7925 
7926  else if (streq(p[0], "client") && !p[1])
7927  {
7928  VERIFY_PERMISSION(OPT_P_GENERAL);
7929  options->client = true;
7930  }
7931  else if (streq(p[0], "pull") && !p[1])
7932  {
7933  VERIFY_PERMISSION(OPT_P_GENERAL);
7934  options->pull = true;
7935  }
7936  else if (streq(p[0], "push-continuation") && p[1] && !p[2])
7937  {
7938  VERIFY_PERMISSION(OPT_P_PULL_MODE);
7939  options->push_continuation = atoi_warn(p[1], msglevel);
7940  }
7941  else if (streq(p[0], "auth-user-pass") && !p[2])
7942  {
7943  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7944  if (p[1])
7945  {
7946  options->auth_user_pass_file = p[1];
7947  options->auth_user_pass_file_inline = is_inline;
7948  }
7949  else
7950  {
7951  options->auth_user_pass_file = "stdin";
7952  }
7953  }
7954  else if (streq(p[0], "auth-retry") && p[1] && !p[2])
7955  {
7956  VERIFY_PERMISSION(OPT_P_GENERAL);
7957  auth_retry_set(msglevel, p[1]);
7958  }
7959 #ifdef ENABLE_MANAGEMENT
7960  else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[4])
7961  {
7962  VERIFY_PERMISSION(OPT_P_GENERAL);
7963  options->sc_info.challenge_text = p[1];
7964  if (atoi_warn(p[2], msglevel))
7965  {
7966  options->sc_info.flags |= SC_ECHO;
7967  }
7968  if (p[3] && streq(p[3], "concat"))
7969  {
7970  options->sc_info.flags |= SC_CONCAT;
7971  }
7972  else if (p[3] && !streq(p[3], "scrv1"))
7973  {
7974  msg(msglevel, "--static-challenge: unknown format indicator '%s'", p[3]);
7975  goto err;
7976  }
7977  }
7978 #endif
7979  else if (streq(p[0], "msg-channel") && p[1])
7980  {
7981 #ifdef _WIN32
7982  VERIFY_PERMISSION(OPT_P_GENERAL);
7983  HANDLE process = GetCurrentProcess();
7984  HANDLE handle = (HANDLE) ((intptr_t) atoll(p[1]));
7985  if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
7986  FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
7987  {
7988  msg(msglevel, "could not duplicate service pipe handle");
7989  goto err;
7990  }
7991  options->route_method = ROUTE_METHOD_SERVICE;
7992 #else /* ifdef _WIN32 */
7993  msg(msglevel, "--msg-channel is only supported on Windows");
7994  goto err;
7995 #endif
7996  }
7997 #ifdef _WIN32
7998  else if (streq(p[0], "win-sys") && p[1] && !p[2])
7999  {
8000  VERIFY_PERMISSION(OPT_P_GENERAL);
8001  if (streq(p[1], "env"))
8002  {
8003  msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
8004  "This entry will now be ignored. "
8005  "Please remove this entry from your configuration file.");
8006  }
8007  else
8008  {
8009  set_win_sys_path(p[1], es);
8010  }
8011  }
8012  else if (streq(p[0], "route-method") && p[1] && !p[2])
8013  {
8014  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8015  if (streq(p[1], "adaptive"))
8016  {
8017  options->route_method = ROUTE_METHOD_ADAPTIVE;
8018  }
8019  else if (streq(p[1], "ipapi"))
8020  {
8021  options->route_method = ROUTE_METHOD_IPAPI;
8022  }
8023  else if (streq(p[1], "exe"))
8024  {
8025  options->route_method = ROUTE_METHOD_EXE;
8026  }
8027  else
8028  {
8029  msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
8030  goto err;
8031  }
8032  }
8033  else if (streq(p[0], "ip-win32") && p[1] && !p[4])
8034  {
8035  const int index = ascii2ipset(p[1]);
8036  struct tuntap_options *to = &options->tuntap_options;
8037 
8038  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8039 
8040  if (index < 0)
8041  {
8042  msg(msglevel,
8043  "Bad --ip-win32 method: '%s'. Allowed methods: %s",
8044  p[1],
8045  ipset2ascii_all(&gc));
8046  goto err;
8047  }
8048 
8049  if (index == IPW32_SET_ADAPTIVE)
8050  {
8051  options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
8052  }
8053 
8054  if (index == IPW32_SET_DHCP_MASQ)
8055  {
8056  if (p[2])
8057  {
8058  if (!streq(p[2], "default"))
8059  {
8060  int offset = atoi_warn(p[2], msglevel);
8061 
8062  if (!(offset > -256 && offset < 256))
8063  {
8064  msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
8065  goto err;
8066  }
8067 
8068  to->dhcp_masq_custom_offset = true;
8069  to->dhcp_masq_offset = offset;
8070  }
8071 
8072  if (p[3])
8073  {
8074  const int min_lease = 30;
8075  int lease_time;
8076  lease_time = atoi_warn(p[3], msglevel);
8077  if (lease_time < min_lease)
8078  {
8079  msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
8080  goto err;
8081  }
8082  to->dhcp_lease_time = lease_time;
8083  }
8084  }
8085  }
8086  to->ip_win32_type = index;
8087  to->ip_win32_defined = true;
8088  }
8089 #endif /* ifdef _WIN32 */
8090  else if (streq(p[0], "dns") && p[1])
8091  {
8092  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8093 
8094  if (streq(p[1], "search-domains") && p[2])
8095  {
8096  dns_domain_list_append(&options->dns_options.search_domains, &p[2], &options->dns_options.gc);
8097  }
8098  else if (streq(p[1], "server") && p[2] && p[3] && p[4])
8099  {
8100  long priority;
8101  if (!dns_server_priority_parse(&priority, p[2], pull_mode))
8102  {
8103  msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
8104  goto err;
8105  }
8106 
8107  struct dns_server *server = dns_server_get(&options->dns_options.servers, priority, &options->dns_options.gc);
8108 
8109  if (streq(p[3], "address") && p[4])
8110  {
8111  for (int i = 4; p[i]; ++i)
8112  {
8113  if (!dns_server_addr_parse(server, p[i]))
8114  {
8115  msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'", priority, p[i]);
8116  goto err;
8117  }
8118  }
8119  }
8120  else if (streq(p[3], "resolve-domains"))
8121  {
8122  dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc);
8123  }
8124  else if (streq(p[3], "dnssec") && !p[5])
8125  {
8126  if (streq(p[4], "yes"))
8127  {
8128  server->dnssec = DNS_SECURITY_YES;
8129  }
8130  else if (streq(p[4], "no"))
8131  {
8132  server->dnssec = DNS_SECURITY_NO;
8133  }
8134  else if (streq(p[4], "optional"))
8135  {
8136  server->dnssec = DNS_SECURITY_OPTIONAL;
8137  }
8138  else
8139  {
8140  msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
8141  goto err;
8142  }
8143  }
8144  else if (streq(p[3], "transport") && !p[5])
8145  {
8146  if (streq(p[4], "plain"))
8147  {
8148  server->transport = DNS_TRANSPORT_PLAIN;
8149  }
8150  else if (streq(p[4], "DoH"))
8151  {
8152  server->transport = DNS_TRANSPORT_HTTPS;
8153  }
8154  else if (streq(p[4], "DoT"))
8155  {
8156  server->transport = DNS_TRANSPORT_TLS;
8157  }
8158  else
8159  {
8160  msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
8161  goto err;
8162  }
8163  }
8164  else if (streq(p[3], "sni") && !p[5])
8165  {
8166  server->sni = p[4];
8167  }
8168  else
8169  {
8170  msg(msglevel, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority, p[3]);
8171  goto err;
8172  }
8173  }
8174  else
8175  {
8176  msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
8177  goto err;
8178  }
8179  }
8180 #if defined(_WIN32) || defined(TARGET_ANDROID)
8181  else if (streq(p[0], "dhcp-option") && p[1])
8182  {
8183  struct tuntap_options *o = &options->tuntap_options;
8184  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8185 
8186  if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX"))
8187  && p[2] && !p[3])
8188  {
8189  o->domain = p[2];
8190  o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8191  }
8192  else if (streq(p[1], "NBS") && p[2] && !p[3])
8193  {
8194  o->netbios_scope = p[2];
8195  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8196  }
8197  else if (streq(p[1], "NBT") && p[2] && !p[3])
8198  {
8199  int t;
8200  t = atoi_warn(p[2], msglevel);
8201  if (!(t == 1 || t == 2 || t == 4 || t == 8))
8202  {
8203  msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8204  goto err;
8205  }
8206  o->netbios_node_type = t;
8207  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8208  }
8209  else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
8210  && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
8211  {
8212  if (strstr(p[2], ":"))
8213  {
8214  dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
8215  }
8216  else
8217  {
8218  dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel);
8219  o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8220  }
8221  }
8222  else if (streq(p[1], "WINS") && p[2] && !p[3])
8223  {
8224  dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8225  o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8226  }
8227  else if (streq(p[1], "NTP") && p[2] && !p[3])
8228  {
8229  dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8230  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8231  }
8232  else if (streq(p[1], "NBDD") && p[2] && !p[3])
8233  {
8234  dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8235  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8236  }
8237  else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
8238  {
8239  if (o->domain_search_list_len < N_SEARCH_LIST_LEN)
8240  {
8241  o->domain_search_list[o->domain_search_list_len++] = p[2];
8242  }
8243  else
8244  {
8245  msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
8246  p[1], N_SEARCH_LIST_LEN);
8247  }
8248  o->dhcp_options |= DHCP_OPTIONS_DHCP_OPTIONAL;
8249  }
8250  else if (streq(p[1], "DISABLE-NBT") && !p[2])
8251  {
8252  o->disable_nbt = 1;
8253  o->dhcp_options |= DHCP_OPTIONS_DHCP_REQUIRED;
8254  }
8255 #if defined(TARGET_ANDROID)
8256  else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8257  {
8258  o->http_proxy_port = positive_atoi(p[3], msglevel);
8259  o->http_proxy = p[2];
8260  }
8261 #endif
8262  else
8263  {
8264  msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
8265  goto err;
8266  }
8267  }
8268 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8269 #ifdef _WIN32
8270  else if (streq(p[0], "show-adapters") && !p[1])
8271  {
8272  VERIFY_PERMISSION(OPT_P_GENERAL);
8273  show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
8274  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8275  }
8276  else if (streq(p[0], "show-net") && !p[1])
8277  {
8278  VERIFY_PERMISSION(OPT_P_GENERAL);
8279  show_routes(M_INFO|M_NOPREFIX);
8280  show_adapters(M_INFO|M_NOPREFIX);
8281  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8282  }
8283  else if (streq(p[0], "show-net-up") && !p[1])
8284  {
8285  VERIFY_PERMISSION(OPT_P_UP);
8286  options->show_net_up = true;
8287  }
8288  else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8289  {
8290  int s;
8291  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8292  s = atoi_warn(p[1], msglevel);
8293  if (s < 0 || s >= 256)
8294  {
8295  msg(msglevel, "--tap-sleep parameter must be between 0 and 255");
8296  goto err;
8297  }
8298  options->tuntap_options.tap_sleep = s;
8299  }
8300  else if (streq(p[0], "dhcp-renew") && !p[1])
8301  {
8302  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8303  options->tuntap_options.dhcp_renew = true;
8304  }
8305  else if (streq(p[0], "dhcp-pre-release") && !p[1])
8306  {
8307  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8308  options->tuntap_options.dhcp_pre_release = true;
8309  options->tuntap_options.dhcp_renew = true;
8310  }
8311  else if (streq(p[0], "dhcp-release") && !p[1])
8312  {
8313  msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8314  }
8315  else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8316  {
8317  unsigned int adapter_index;
8318  VERIFY_PERMISSION(OPT_P_GENERAL);
8319  set_debug_level(options->verbosity, SDL_CONSTRAIN);
8320  adapter_index = atou(p[1]);
8321  sleep(options->tuntap_options.tap_sleep);
8322  if (options->tuntap_options.dhcp_pre_release)
8323  {
8324  dhcp_release_by_adapter_index(adapter_index);
8325  }
8326  if (options->tuntap_options.dhcp_renew)
8327  {
8328  dhcp_renew_by_adapter_index(adapter_index);
8329  }
8330  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8331  }
8332  else if (streq(p[0], "register-dns") && !p[1])
8333  {
8334  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8335  options->tuntap_options.register_dns = true;
8336  }
8337  else if (streq(p[0], "block-outside-dns") && !p[1])
8338  {
8339  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8340  options->block_outside_dns = true;
8341  }
8342  else if (streq(p[0], "rdns-internal") && !p[1])
8343  /* standalone method for internal use
8344  *
8345  * (if --register-dns is set, openvpn needs to call itself in a
8346  * sub-process to execute the required functions in a non-blocking
8347  * way, and uses --rdns-internal to signal that to itself)
8348  */
8349  {
8350  VERIFY_PERMISSION(OPT_P_GENERAL);
8351  set_debug_level(options->verbosity, SDL_CONSTRAIN);
8352  if (options->tuntap_options.register_dns)
8353  {
8354  ipconfig_register_dns(NULL);
8355  }
8356  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8357  }
8358  else if (streq(p[0], "show-valid-subnets") && !p[1])
8359  {
8360  VERIFY_PERMISSION(OPT_P_GENERAL);
8361  show_valid_win32_tun_subnets();
8362  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8363  }
8364  else if (streq(p[0], "pause-exit") && !p[1])
8365  {
8366  VERIFY_PERMISSION(OPT_P_GENERAL);
8367  set_pause_exit_win32();
8368  }
8369  else if (streq(p[0], "service") && p[1] && !p[3])
8370  {
8371  VERIFY_PERMISSION(OPT_P_GENERAL);
8372  options->exit_event_name = p[1];
8373  if (p[2])
8374  {
8375  options->exit_event_initial_state = (atoi_warn(p[2], msglevel) != 0);
8376  }
8377  }
8378  else if (streq(p[0], "allow-nonadmin") && !p[2])
8379  {
8380  VERIFY_PERMISSION(OPT_P_GENERAL);
8381  tap_allow_nonadmin_access(p[1]);
8382  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8383  }
8384  else if (streq(p[0], "user") && p[1] && !p[2])
8385  {
8386  VERIFY_PERMISSION(OPT_P_GENERAL);
8387  msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8388  }
8389  else if (streq(p[0], "group") && p[1] && !p[2])
8390  {
8391  VERIFY_PERMISSION(OPT_P_GENERAL);
8392  msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8393  }
8394 #else /* ifdef _WIN32 */
8395  else if (streq(p[0], "user") && p[1] && !p[2])
8396  {
8397  VERIFY_PERMISSION(OPT_P_GENERAL);
8398  options->username = p[1];
8399  }
8400  else if (streq(p[0], "group") && p[1] && !p[2])
8401  {
8402  VERIFY_PERMISSION(OPT_P_GENERAL);
8403  options->groupname = p[1];
8404  }
8405  else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8406  {
8407  VERIFY_PERMISSION(OPT_P_DHCPDNS);
8408  setenv_foreign_option(options, (const char **)p, 3, es);
8409  }
8410  else if (streq(p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
8411  {
8412  VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
8413  }
8414 #endif /* ifdef _WIN32 */
8415 #if PASSTOS_CAPABILITY
8416  else if (streq(p[0], "passtos") && !p[1])
8417  {
8418  VERIFY_PERMISSION(OPT_P_GENERAL);
8419  options->passtos = true;
8420  }
8421 #endif
8422  else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8423  {
8424  VERIFY_PERMISSION(OPT_P_GENERAL);
8425 
8426  if (streq(p[1], "no"))
8427  {
8428  options->comp.flags =
8429  COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
8430  if (comp_non_stub_enabled(&options->comp))
8431  {
8432  msg(msglevel, "'--allow-compression no' conflicts with "
8433  " enabling compression");
8434  }
8435  }
8436  else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
8437  {
8438  /* Also printed on a push to hint at configuration problems */
8439  msg(msglevel, "Cannot set allow-compression to '%s' "
8440  "after set to 'no'", p[1]);
8441  goto err;
8442  }
8443  else if (streq(p[1], "asym"))
8444  {
8445  options->comp.flags |= COMP_F_ALLOW_ASYM;
8446  }
8447  else if (streq(p[1], "yes"))
8448  {
8449  msg(M_WARN, "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. "
8450  "We will use \"asym\" mode instead. See the manual page for more information.");
8451 
8452  options->comp.flags |= COMP_F_ALLOW_ASYM;
8453  }
8454  else
8455  {
8456  msg(msglevel, "bad allow-compression option: %s -- "
8457  "must be 'yes', 'no', or 'asym'", p[1]);
8458  goto err;
8459  }
8460  }
8461  else if (streq(p[0], "comp-lzo") && !p[2])
8462  {
8463  VERIFY_PERMISSION(OPT_P_COMP);
8464 
8465  /* All lzo variants do not use swap */
8466  options->comp.flags &= ~COMP_F_SWAP;
8467  options->comp.alg = COMP_ALG_LZO;
8468 
8469  if (p[1])
8470  {
8471  if (streq(p[1], "no"))
8472  {
8473  options->comp.alg = COMP_ALG_STUB;
8474  }
8475  /* There is no actual difference anymore between these variants.
8476  * We never compress. On the server side we replace this with
8477  * --compress migrate later anyway.
8478  */
8479  else if (!(streq(p[1], "yes") || streq(p[1], "adaptive")))
8480  {
8481  msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
8482  goto err;
8483  }
8484  }
8485  show_compression_warning(&options->comp);
8486  }
8487  else if (streq(p[0], "comp-noadapt") && !p[1])
8488  {
8489  /* NO-OP since we never compress anymore */
8490  }
8491  else if (streq(p[0], "compress") && !p[2])
8492  {
8493  VERIFY_PERMISSION(OPT_P_COMP);
8494  const char *alg = "stub";
8495  if (p[1])
8496  {
8497  alg = p[1];
8498  }
8499 
8500  if (streq(alg, "stub"))
8501  {
8502  options->comp.alg = COMP_ALG_STUB;
8503  options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
8504  }
8505  else if (streq(alg, "stub-v2"))
8506  {
8507  options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
8508  options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
8509  }
8510  else if (streq(alg, "migrate"))
8511  {
8512  options->comp.alg = COMP_ALG_UNDEF;
8513  options->comp.flags = COMP_F_MIGRATE;
8514  }
8515  else if (streq(alg, "lzo"))
8516  {
8517  options->comp.alg = COMP_ALG_LZO;
8518  options->comp.flags &= ~COMP_F_SWAP;
8519  }
8520  else if (streq(alg, "lz4"))
8521  {
8522  options->comp.alg = COMP_ALG_LZ4;
8523  options->comp.flags |= COMP_F_SWAP;
8524  }
8525  else if (streq(alg, "lz4-v2"))
8526  {
8527  options->comp.alg = COMP_ALGV2_LZ4;
8528  }
8529  else
8530  {
8531  msg(msglevel, "bad comp option: %s", alg);
8532  goto err;
8533  }
8534 
8535  show_compression_warning(&options->comp);
8536  }
8537  else if (streq(p[0], "show-ciphers") && !p[1])
8538  {
8539  VERIFY_PERMISSION(OPT_P_GENERAL);
8540  options->show_ciphers = true;
8541  }
8542  else if (streq(p[0], "show-digests") && !p[1])
8543  {
8544  VERIFY_PERMISSION(OPT_P_GENERAL);
8545  options->show_digests = true;
8546  }
8547  else if (streq(p[0], "show-engines") && !p[1])
8548  {
8549  VERIFY_PERMISSION(OPT_P_GENERAL);
8550  options->show_engines = true;
8551  }
8552  else if (streq(p[0], "key-direction") && p[1] && !p[2])
8553  {
8554  int key_direction;
8555 
8556  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
8557 
8558  key_direction = ascii2keydirection(msglevel, p[1]);
8559  if (key_direction >= 0)
8560  {
8561  if (permission_mask & OPT_P_GENERAL)
8562  {
8563  options->key_direction = key_direction;
8564  }
8565  else if (permission_mask & OPT_P_CONNECTION)
8566  {
8567  options->ce.key_direction = key_direction;
8568  }
8569  }
8570  else
8571  {
8572  goto err;
8573  }
8574  }
8575  else if (streq(p[0], "secret") && p[1] && !p[3])
8576  {
8577  msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8578  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8579  options->shared_secret_file = p[1];
8580  options->shared_secret_file_inline = is_inline;
8581  if (!is_inline && p[2])
8582  {
8583  int key_direction;
8584 
8585  key_direction = ascii2keydirection(msglevel, p[2]);
8586  if (key_direction >= 0)
8587  {
8588  options->key_direction = key_direction;
8589  }
8590  else
8591  {
8592  goto err;
8593  }
8594  }
8595  }
8596  else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
8597  {
8598  VERIFY_PERMISSION(OPT_P_GENERAL);
8599  options->allow_deprecated_insecure_static_crypto = true;
8600 
8601  }
8602  else if (streq(p[0], "genkey") && !p[4])
8603  {
8604  VERIFY_PERMISSION(OPT_P_GENERAL);
8605  options->genkey = true;
8606  if (!p[1])
8607  {
8608  options->genkey_type = GENKEY_SECRET;
8609  }
8610  else
8611  {
8612  if (streq(p[1], "secret") || streq(p[1], "tls-auth")
8613  || streq(p[1], "tls-crypt"))
8614  {
8615  options->genkey_type = GENKEY_SECRET;
8616  }
8617  else if (streq(p[1], "tls-crypt-v2-server"))
8618  {
8619  options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
8620  }
8621  else if (streq(p[1], "tls-crypt-v2-client"))
8622  {
8623  options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
8624  if (p[3])
8625  {
8626  options->genkey_extra_data = p[3];
8627  }
8628  }
8629  else if (streq(p[1], "auth-token"))
8630  {
8631  options->genkey_type = GENKEY_AUTH_TOKEN;
8632  }
8633  else
8634  {
8635  msg(msglevel, "unknown --genkey type: %s", p[1]);
8636  }
8637 
8638  }
8639  if (p[2])
8640  {
8641  options->genkey_filename = p[2];
8642  }
8643  }
8644  else if (streq(p[0], "auth") && p[1] && !p[2])
8645  {
8646  VERIFY_PERMISSION(OPT_P_GENERAL);
8647  options->authname = p[1];
8648  }
8649  else if (streq(p[0], "cipher") && p[1] && !p[2])
8650  {
8651  VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
8652  options->ciphername = p[1];
8653  }
8654  else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8655  {
8656  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8657  options->ciphername = p[1];
8658  options->enable_ncp_fallback = true;
8659  }
8660  else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
8661  && p[1] && !p[2])
8662  {
8663  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8664  if (streq(p[0], "ncp-ciphers"))
8665  {
8666  msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8667  " '--data-ciphers' (renamed in OpenVPN 2.5).");
8668  }
8669  options->ncp_ciphers = p[1];
8670  }
8671  else if (streq(p[0], "key-derivation") && p[1])
8672  {
8673  /* NCP only option that is pushed by the server to enable EKM,
8674  * should not be used by normal users in config files*/
8675  VERIFY_PERMISSION(OPT_P_NCP)
8676 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8677  if (streq(p[1], "tls-ekm"))
8678  {
8679  options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8680  }
8681  else
8682 #endif
8683  {
8684  msg(msglevel, "Unknown key-derivation method %s", p[1]);
8685  }
8686  }
8687  else if (streq(p[0], "protocol-flags") && p[1])
8688  {
8689  /* NCP only option that is pushed by the server to enable protocol
8690  * features that are negotiated, should not be used by normal users
8691  * in config files */
8692  VERIFY_PERMISSION(OPT_P_NCP)
8693  for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8694  {
8695  if (streq(p[j], "cc-exit"))
8696  {
8697  options->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY;
8698  }
8699 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8700  else if (streq(p[j], "tls-ekm"))
8701  {
8702  options->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
8703  }
8704  else if (streq(p[j], "dyn-tls-crypt"))
8705  {
8706  options->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
8707  }
8708 #endif
8709  else if (streq(p[j], "aead-epoch"))
8710  {
8711  options->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT;
8712  }
8713  else
8714  {
8715  msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
8716  }
8717  }
8718  }
8719  else if (streq(p[0], "force-tls-key-material-export"))
8720  {
8721  VERIFY_PERMISSION(OPT_P_GENERAL);
8722  options->force_key_material_export = true;
8723  }
8724  else if (streq(p[0], "prng") && p[1] && !p[3])
8725  {
8726  msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8727  }
8728  else if (streq(p[0], "no-replay") && !p[1])
8729  {
8730  VERIFY_PERMISSION(OPT_P_GENERAL);
8731  /* always error out, this breaks the connection */
8732  msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
8733  "Update your configuration.");
8734  }
8735  else if (streq(p[0], "replay-window") && !p[3])
8736  {
8737  VERIFY_PERMISSION(OPT_P_GENERAL);
8738  if (p[1])
8739  {
8740  int replay_window;
8741 
8742  replay_window = atoi_warn(p[1], msglevel);
8743  if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
8744  {
8745  msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
8746  replay_window,
8747  MIN_SEQ_BACKTRACK,
8748  MAX_SEQ_BACKTRACK);
8749  goto err;
8750  }
8751  options->replay_window = replay_window;
8752 
8753  if (p[2])
8754  {
8755  int replay_time;
8756 
8757  replay_time = atoi_warn(p[2], msglevel);
8758  if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
8759  {
8760  msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
8761  replay_time,
8762  MIN_TIME_BACKTRACK,
8763  MAX_TIME_BACKTRACK);
8764  goto err;
8765  }
8766  options->replay_time = replay_time;
8767  }
8768  }
8769  else
8770  {
8771  msg(msglevel, "replay-window option is missing window size parameter");
8772  goto err;
8773  }
8774  }
8775  else if (streq(p[0], "mute-replay-warnings") && !p[1])
8776  {
8777  VERIFY_PERMISSION(OPT_P_GENERAL);
8778  options->mute_replay_warnings = true;
8779  }
8780  else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8781  {
8782  VERIFY_PERMISSION(OPT_P_GENERAL);
8783  options->packet_id_file = p[1];
8784  }
8785  else if (streq(p[0], "test-crypto") && !p[1])
8786  {
8787  VERIFY_PERMISSION(OPT_P_GENERAL);
8788  options->test_crypto = true;
8789  }
8790 #ifndef ENABLE_CRYPTO_MBEDTLS
8791  else if (streq(p[0], "engine") && !p[2])
8792  {
8793  VERIFY_PERMISSION(OPT_P_GENERAL);
8794  if (p[1])
8795  {
8796  options->engine = p[1];
8797  }
8798  else
8799  {
8800  options->engine = "auto";
8801  }
8802  }
8803 #endif /* ENABLE_CRYPTO_MBEDTLS */
8804  else if (streq(p[0], "providers") && p[1])
8805  {
8806  for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8807  {
8808  options->providers.names[j] = p[j];
8809  }
8810  }
8811 #ifdef ENABLE_PREDICTION_RESISTANCE
8812  else if (streq(p[0], "use-prediction-resistance") && !p[1])
8813  {
8814  VERIFY_PERMISSION(OPT_P_GENERAL);
8815  options->use_prediction_resistance = true;
8816  }
8817 #endif
8818  else if (streq(p[0], "show-tls") && !p[1])
8819  {
8820  VERIFY_PERMISSION(OPT_P_GENERAL);
8821  options->show_tls_ciphers = true;
8822  }
8823  else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8824  {
8825  VERIFY_PERMISSION(OPT_P_GENERAL);
8826  options->show_curves = true;
8827  }
8828  else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8829  {
8830  VERIFY_PERMISSION(OPT_P_GENERAL);
8831  msg(M_WARN, "Consider setting groups/curves preference with "
8832  "tls-groups instead of forcing a specific curve with "
8833  "ecdh-curve.");
8834  options->ecdh_curve = p[1];
8835  }
8836  else if (streq(p[0], "tls-server") && !p[1])
8837  {
8838  VERIFY_PERMISSION(OPT_P_GENERAL);
8839  options->tls_server = true;
8840  }
8841  else if (streq(p[0], "tls-client") && !p[1])
8842  {
8843  VERIFY_PERMISSION(OPT_P_GENERAL);
8844  options->tls_client = true;
8845  }
8846  else if (streq(p[0], "ca") && p[1] && !p[2])
8847  {
8848  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8849  options->ca_file = p[1];
8850  options->ca_file_inline = is_inline;
8851  }
8852 #ifndef ENABLE_CRYPTO_MBEDTLS
8853  else if (streq(p[0], "capath") && p[1] && !p[2])
8854  {
8855  VERIFY_PERMISSION(OPT_P_GENERAL);
8856  options->ca_path = p[1];
8857  }
8858 #endif /* ENABLE_CRYPTO_MBEDTLS */
8859  else if (streq(p[0], "dh") && p[1] && !p[2])
8860  {
8861  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8862  options->dh_file = p[1];
8863  options->dh_file_inline = is_inline;
8864  }
8865  else if (streq(p[0], "cert") && p[1] && !p[2])
8866  {
8867  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8868  options->cert_file = p[1];
8869  options->cert_file_inline = is_inline;
8870  }
8871  else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8872  {
8873  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8874  options->extra_certs_file = p[1];
8875  options->extra_certs_file_inline = is_inline;
8876  }
8877  else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8878  || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8879  {
8880  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8881 
8882  int verify_hash_depth = 0;
8883  if (streq(p[0], "verify-hash"))
8884  {
8885  msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8886  "You should switch to the either use the level 1 certificate as "
8887  "--ca option, use --tls-verify or use --peer-fingerprint");
8888  /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8889  verify_hash_depth = 1;
8890  }
8891 
8892  options->verify_hash_algo = MD_SHA256;
8893 
8894  int digest_len = SHA256_DIGEST_LENGTH;
8895 
8896  if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
8897  {
8898  msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
8899  " --peer-fingerprint are mutually exclusive", p[0]);
8900  goto err;
8901  }
8902 
8903  if (streq(p[0], "verify-hash"))
8904  {
8905  if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
8906  {
8907  options->verify_hash_algo = MD_SHA1;
8908  digest_len = SHA_DIGEST_LENGTH;
8909  }
8910  else if (p[2] && !streq(p[2], "SHA256"))
8911  {
8912  msg(msglevel, "invalid or unsupported hashing algorithm: %s "
8913  "(only SHA1 and SHA256 are supported)", p[2]);
8914  goto err;
8915  }
8916  }
8917 
8918  struct verify_hash_list *newlist;
8919  newlist = parse_hash_fingerprint_multiline(p[1], digest_len,
8920  msglevel, &options->gc);
8921 
8922  /* Append the new list to the end of our current list */
8923  if (!options->verify_hash)
8924  {
8925  options->verify_hash = newlist;
8926  options->verify_hash_depth = verify_hash_depth;
8927  }
8928  else
8929  {
8930  /* since both the old and new list can have multiple entries
8931  * we need to go to the end of one of them to concatenate them */
8932  struct verify_hash_list *listend = options->verify_hash;
8933  while (listend->next)
8934  {
8935  listend = listend->next;
8936  }
8937  listend->next = newlist;
8938  }
8939  }
8940 #if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
8941  else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
8942  {
8943  VERIFY_PERMISSION(OPT_P_GENERAL);
8944  options->cryptoapi_cert = p[1];
8945  }
8946 #endif
8947  else if (streq(p[0], "key") && p[1] && !p[2])
8948  {
8949  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8950  options->priv_key_file = p[1];
8951  options->priv_key_file_inline = is_inline;
8952  }
8953  else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
8954  {
8955  int ver;
8956  VERIFY_PERMISSION(OPT_P_GENERAL);
8957  ver = tls_version_parse(p[1], p[2]);
8958  if (ver == TLS_VER_BAD)
8959  {
8960  msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
8961  goto err;
8962  }
8963 
8964 #ifdef ENABLE_CRYPTO_MBEDTLS
8965  if (ver < TLS_VER_1_2)
8966  {
8967  msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
8968  ver = TLS_VER_1_2;
8969  }
8970 #endif
8971 
8972  options->ssl_flags &=
8973  ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
8974  options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
8975  }
8976  else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
8977  {
8978  int ver;
8979  VERIFY_PERMISSION(OPT_P_GENERAL);
8980  ver = tls_version_parse(p[1], NULL);
8981  if (ver == TLS_VER_BAD)
8982  {
8983  msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
8984  goto err;
8985  }
8986  options->ssl_flags &=
8987  ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
8988  options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
8989  }
8990 #ifndef ENABLE_CRYPTO_MBEDTLS
8991  else if (streq(p[0], "pkcs12") && p[1] && !p[2])
8992  {
8993  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8994  options->pkcs12_file = p[1];
8995  options->pkcs12_file_inline = is_inline;
8996  }
8997 #endif /* ENABLE_CRYPTO_MBEDTLS */
8998  else if (streq(p[0], "askpass") && !p[2])
8999  {
9000  VERIFY_PERMISSION(OPT_P_GENERAL);
9001  if (p[1])
9002  {
9003  options->key_pass_file = p[1];
9004  }
9005  else
9006  {
9007  options->key_pass_file = "stdin";
9008  }
9009  }
9010  else if (streq(p[0], "auth-nocache") && !p[1])
9011  {
9012  VERIFY_PERMISSION(OPT_P_GENERAL);
9013  ssl_set_auth_nocache();
9014  }
9015  else if (streq(p[0], "auth-token") && p[1] && !p[2])
9016  {
9017  VERIFY_PERMISSION(OPT_P_ECHO);
9018  ssl_set_auth_token(p[1]);
9019 #ifdef ENABLE_MANAGEMENT
9020  if (management)
9021  {
9022  management_auth_token(management, p[1]);
9023  }
9024 #endif
9025  }
9026  else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
9027  {
9028  VERIFY_PERMISSION(OPT_P_ECHO);
9029  ssl_set_auth_token_user(p[1]);
9030  }
9031  else if (streq(p[0], "single-session") && !p[1])
9032  {
9033  VERIFY_PERMISSION(OPT_P_GENERAL);
9034  options->single_session = true;
9035  }
9036  else if (streq(p[0], "push-peer-info") && !p[1])
9037  {
9038  VERIFY_PERMISSION(OPT_P_GENERAL);
9039  options->push_peer_info = true;
9040  }
9041  else if (streq(p[0], "tls-exit") && !p[1])
9042  {
9043  VERIFY_PERMISSION(OPT_P_GENERAL);
9044  options->tls_exit = true;
9045  }
9046  else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
9047  {
9048  VERIFY_PERMISSION(OPT_P_GENERAL);
9049  options->cipher_list = p[1];
9050  }
9051  else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
9052  {
9053  VERIFY_PERMISSION(OPT_P_GENERAL);
9054  options->tls_cert_profile = p[1];
9055  }
9056  else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
9057  {
9058  VERIFY_PERMISSION(OPT_P_GENERAL);
9059  options->cipher_list_tls13 = p[1];
9060  }
9061  else if (streq(p[0], "tls-groups") && p[1] && !p[2])
9062  {
9063  VERIFY_PERMISSION(OPT_P_GENERAL);
9064  options->tls_groups = p[1];
9065  }
9066  else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
9067  || !p[2]))
9068  {
9069  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
9070  if (p[2] && streq(p[2], "dir"))
9071  {
9072  options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
9073  }
9074  options->crl_file = p[1];
9075  options->crl_file_inline = is_inline;
9076  }
9077  else if (streq(p[0], "tls-verify") && p[1])
9078  {
9079  VERIFY_PERMISSION(OPT_P_SCRIPT);
9080  if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
9081  {
9082  goto err;
9083  }
9084  set_user_script(options, &options->tls_verify,
9085  string_substitute(p[1], ',', ' ', &options->gc),
9086  "tls-verify", true);
9087  }
9088  else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
9089  {
9090  VERIFY_PERMISSION(OPT_P_SCRIPT);
9091  options->tls_export_peer_cert_dir = p[1];
9092  }
9093  else if (streq(p[0], "compat-names"))
9094  {
9095  VERIFY_PERMISSION(OPT_P_GENERAL);
9096  msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
9097  "Update your configuration.");
9098  goto err;
9099  }
9100  else if (streq(p[0], "no-name-remapping") && !p[1])
9101  {
9102  VERIFY_PERMISSION(OPT_P_GENERAL);
9103  msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
9104  "Update your configuration.");
9105  goto err;
9106  }
9107  else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
9108  {
9109  int type = VERIFY_X509_SUBJECT_DN;
9110  VERIFY_PERMISSION(OPT_P_GENERAL);
9111  if (p[2])
9112  {
9113  if (streq(p[2], "subject"))
9114  {
9115  type = VERIFY_X509_SUBJECT_DN;
9116  }
9117  else if (streq(p[2], "name"))
9118  {
9119  type = VERIFY_X509_SUBJECT_RDN;
9120  }
9121  else if (streq(p[2], "name-prefix"))
9122  {
9123  type = VERIFY_X509_SUBJECT_RDN_PREFIX;
9124  }
9125  else
9126  {
9127  msg(msglevel, "unknown X.509 name type: %s", p[2]);
9128  goto err;
9129  }
9130  }
9131  options->verify_x509_type = type;
9132  options->verify_x509_name = p[1];
9133  }
9134  else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
9135  {
9136 #ifdef ENABLE_CRYPTO_MBEDTLS
9137  msg(msglevel, "--ns-cert-type is not available with mbedtls.");
9138  goto err;
9139 #else
9140  VERIFY_PERMISSION(OPT_P_GENERAL);
9141  if (streq(p[1], "server"))
9142  {
9143  options->ns_cert_type = NS_CERT_CHECK_SERVER;
9144  }
9145  else if (streq(p[1], "client"))
9146  {
9147  options->ns_cert_type = NS_CERT_CHECK_CLIENT;
9148  }
9149  else
9150  {
9151  msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
9152  goto err;
9153  }
9154 #endif /* ENABLE_CRYPTO_MBEDTLS */
9155  }
9156  else if (streq(p[0], "remote-cert-ku"))
9157  {
9158  VERIFY_PERMISSION(OPT_P_GENERAL);
9159 
9160  size_t j;
9161  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9162  {
9163  sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
9164  }
9165  if (j == 1)
9166  {
9167  /* No specific KU required, but require KU to be present */
9168  options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9169  }
9170  }
9171  else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
9172  {
9173  VERIFY_PERMISSION(OPT_P_GENERAL);
9174  options->remote_cert_eku = p[1];
9175  }
9176  else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
9177  {
9178  VERIFY_PERMISSION(OPT_P_GENERAL);
9179 
9180  if (streq(p[1], "server"))
9181  {
9182  options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9183  options->remote_cert_eku = "TLS Web Server Authentication";
9184  }
9185  else if (streq(p[1], "client"))
9186  {
9187  options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
9188  options->remote_cert_eku = "TLS Web Client Authentication";
9189  }
9190  else
9191  {
9192  msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
9193  goto err;
9194  }
9195  }
9196  else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
9197  {
9198  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9199  options->tls_timeout = positive_atoi(p[1], msglevel);
9200  }
9201  else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
9202  {
9203  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9204  char *end;
9205  long long reneg_bytes = strtoll(p[1], &end, 10);
9206  if (*end != '\0' || reneg_bytes < 0)
9207  {
9208  msg(msglevel, "--reneg-bytes parameter must be an integer and >= 0");
9209  goto err;
9210  }
9211  options->renegotiate_bytes = reneg_bytes;
9212  }
9213  else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
9214  {
9215  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9216  char *end;
9217  long long pkt_max = strtoll(p[1], &end, 10);
9218  if (*end != '\0' || pkt_max < 0)
9219  {
9220  msg(msglevel, "--reneg-pkts parameter must be an integer and >= 0");
9221  goto err;
9222  }
9223  options->renegotiate_packets = pkt_max;
9224  }
9225  else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
9226  {
9227  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9228  options->renegotiate_seconds = positive_atoi(p[1], msglevel);
9229  if (p[2])
9230  {
9231  options->renegotiate_seconds_min = positive_atoi(p[2], msglevel);
9232  }
9233  }
9234  else if (streq(p[0], "hand-window") && p[1] && !p[2])
9235  {
9236  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9237  options->handshake_window = positive_atoi(p[1], msglevel);
9238  }
9239  else if (streq(p[0], "tran-window") && p[1] && !p[2])
9240  {
9241  VERIFY_PERMISSION(OPT_P_TLS_PARMS);
9242  options->transition_window = positive_atoi(p[1], msglevel);
9243  }
9244  else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9245  {
9246  int key_direction = -1;
9247 
9248  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9249 
9250  if (permission_mask & OPT_P_GENERAL)
9251  {
9252  options->tls_auth_file = p[1];
9253  options->tls_auth_file_inline = is_inline;
9254 
9255  if (!is_inline && p[2])
9256  {
9257  key_direction = ascii2keydirection(msglevel, p[2]);
9258  if (key_direction < 0)
9259  {
9260  goto err;
9261  }
9262  options->key_direction = key_direction;
9263  }
9264 
9265  }
9266  else if (permission_mask & OPT_P_CONNECTION)
9267  {
9268  options->ce.tls_auth_file = p[1];
9269  options->ce.tls_auth_file_inline = is_inline;
9270  options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
9271 
9272  if (!is_inline && p[2])
9273  {
9274  key_direction = ascii2keydirection(msglevel, p[2]);
9275  if (key_direction < 0)
9276  {
9277  goto err;
9278  }
9279  options->ce.key_direction = key_direction;
9280  }
9281  }
9282  }
9283  else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9284  {
9285  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9286  if (permission_mask & OPT_P_GENERAL)
9287  {
9288  options->tls_crypt_file = p[1];
9289  options->tls_crypt_file_inline = is_inline;
9290  }
9291  else if (permission_mask & OPT_P_CONNECTION)
9292  {
9293  options->ce.tls_crypt_file = p[1];
9294  options->ce.tls_crypt_file_inline = is_inline;
9295  }
9296  }
9297  else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9298  {
9299  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
9300  if (permission_mask & OPT_P_GENERAL)
9301  {
9302  options->tls_crypt_v2_file = p[1];
9303  options->tls_crypt_v2_file_inline = is_inline;
9304  }
9305  else if (permission_mask & OPT_P_CONNECTION)
9306  {
9307  options->ce.tls_crypt_v2_file = p[1];
9308  options->ce.tls_crypt_v2_file_inline = is_inline;
9309  }
9310 
9311  if (p[2] && streq(p[2], "force-cookie"))
9312  {
9313  options->ce.tls_crypt_v2_force_cookie = true;
9314  }
9315  else if (p[2] && streq(p[2], "allow-noncookie"))
9316  {
9317  options->ce.tls_crypt_v2_force_cookie = false;
9318  }
9319  else if (p[2])
9320  {
9321  msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9322  }
9323  }
9324  else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9325  {
9326  VERIFY_PERMISSION(OPT_P_GENERAL);
9327  options->tls_crypt_v2_verify_script = p[1];
9328  }
9329  else if (streq(p[0], "x509-track") && p[1] && !p[2])
9330  {
9331  VERIFY_PERMISSION(OPT_P_GENERAL);
9332  x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9333  }
9334 #ifdef ENABLE_X509ALTUSERNAME
9335  else if (streq(p[0], "x509-username-field") && p[1])
9336  {
9337  VERIFY_PERMISSION(OPT_P_GENERAL);
9338  for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9339  {
9340  char *s = p[j];
9341 
9342  if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s+4))
9343  {
9344  msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9345  }
9346  options->x509_username_field[j-1] = p[j];
9347  }
9348  }
9349 #endif /* ENABLE_X509ALTUSERNAME */
9350 #ifdef ENABLE_PKCS11
9351  else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9352  {
9353  char *provider = p[1];
9354  bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0 ));
9355 
9356 #ifdef DEFAULT_PKCS11_MODULE
9357  if (!provider)
9358  {
9359  provider = DEFAULT_PKCS11_MODULE;
9360  }
9361  else if (!p[2])
9362  {
9363  char *endp = NULL;
9364  int i = strtol(provider, &endp, 10);
9365 
9366  if (*endp == 0)
9367  {
9368  /* There was one argument, and it was purely numeric.
9369  * Interpret it as the cert_private argument */
9370  provider = DEFAULT_PKCS11_MODULE;
9371  cert_private = i;
9372  }
9373  }
9374 #else /* ifdef DEFAULT_PKCS11_MODULE */
9375  if (!provider)
9376  {
9377  msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9378  goto err;
9379  }
9380 #endif /* ifdef DEFAULT_PKCS11_MODULE */
9381  VERIFY_PERMISSION(OPT_P_GENERAL);
9382 
9383  set_debug_level(options->verbosity, SDL_CONSTRAIN);
9384  show_pkcs11_ids(provider, cert_private);
9385  openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9386  }
9387  else if (streq(p[0], "pkcs11-providers") && p[1])
9388  {
9389  int j;
9390 
9391  VERIFY_PERMISSION(OPT_P_GENERAL);
9392 
9393  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9394  {
9395  options->pkcs11_providers[j-1] = p[j];
9396  }
9397  }
9398  else if (streq(p[0], "pkcs11-protected-authentication"))
9399  {
9400  int j;
9401 
9402  VERIFY_PERMISSION(OPT_P_GENERAL);
9403 
9404  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9405  {
9406  options->pkcs11_protected_authentication[j-1] = atoi_warn(p[j], msglevel) != 0 ? 1 : 0;
9407  }
9408  }
9409  else if (streq(p[0], "pkcs11-private-mode") && p[1])
9410  {
9411  int j;
9412 
9413  VERIFY_PERMISSION(OPT_P_GENERAL);
9414 
9415  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9416  {
9417  sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
9418  }
9419  }
9420  else if (streq(p[0], "pkcs11-cert-private"))
9421  {
9422  int j;
9423 
9424  VERIFY_PERMISSION(OPT_P_GENERAL);
9425 
9426  for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9427  {
9428  options->pkcs11_cert_private[j-1] = (bool) (atoi_warn(p[j], msglevel));
9429  }
9430  }
9431  else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9432  {
9433  VERIFY_PERMISSION(OPT_P_GENERAL);
9434  options->pkcs11_pin_cache_period = atoi_warn(p[1], msglevel);
9435  }
9436  else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9437  {
9438  VERIFY_PERMISSION(OPT_P_GENERAL);
9439  options->pkcs11_id = p[1];
9440  }
9441  else if (streq(p[0], "pkcs11-id-management") && !p[1])
9442  {
9443  VERIFY_PERMISSION(OPT_P_GENERAL);
9444  options->pkcs11_id_management = true;
9445  }
9446 #endif /* ifdef ENABLE_PKCS11 */
9447  else if (streq(p[0], "rmtun") && !p[1])
9448  {
9449  VERIFY_PERMISSION(OPT_P_GENERAL);
9450  options->persist_config = true;
9451  options->persist_mode = 0;
9452  }
9453  else if (streq(p[0], "mktun") && !p[1])
9454  {
9455  VERIFY_PERMISSION(OPT_P_GENERAL);
9456  options->persist_config = true;
9457  options->persist_mode = 1;
9458  }
9459  else if (streq(p[0], "peer-id") && p[1] && !p[2])
9460  {
9461  VERIFY_PERMISSION(OPT_P_PEER_ID);
9462  options->use_peer_id = true;
9463  options->peer_id = atoi_warn(p[1], msglevel);
9464  }
9465 #ifdef HAVE_EXPORT_KEYING_MATERIAL
9466  else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9467  {
9468  int ekm_length = positive_atoi(p[2], msglevel);
9469 
9470  VERIFY_PERMISSION(OPT_P_GENERAL);
9471 
9472  if (strncmp(p[1], "EXPORTER", 8))
9473  {
9474  msg(msglevel, "Keying material exporter label must begin with "
9475  "\"EXPORTER\"");
9476  goto err;
9477  }
9478  if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9479  {
9480  msg(msglevel, "Keying material exporter label must not be '"
9481  EXPORT_KEY_DATA_LABEL "'.");
9482  }
9483  if (ekm_length < 16 || ekm_length > 4095)
9484  {
9485  msg(msglevel, "Invalid keying material exporter length");
9486  goto err;
9487  }
9488 
9489  options->keying_material_exporter_label = p[1];
9490  options->keying_material_exporter_length = ekm_length;
9491  }
9492 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
9493  else if (streq(p[0], "allow-recursive-routing") && !p[1])
9494  {
9495  VERIFY_PERMISSION(OPT_P_GENERAL);
9496  options->allow_recursive_routing = true;
9497  }
9498  else if (streq(p[0], "vlan-tagging") && !p[1])
9499  {
9500  VERIFY_PERMISSION(OPT_P_GENERAL);
9501  options->vlan_tagging = true;
9502  }
9503  else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9504  {
9505  VERIFY_PERMISSION(OPT_P_GENERAL);
9506  if (streq(p[1], "tagged"))
9507  {
9508  options->vlan_accept = VLAN_ONLY_TAGGED;
9509  }
9510  else if (streq(p[1], "untagged"))
9511  {
9512  options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
9513  }
9514  else if (streq(p[1], "all"))
9515  {
9516  options->vlan_accept = VLAN_ALL;
9517  }
9518  else
9519  {
9520  msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9521  goto err;
9522  }
9523  }
9524  else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9525  {
9526  VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
9527  options->vlan_pvid = positive_atoi(p[1], msglevel);
9528  if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
9529  || options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
9530  {
9531  msg(msglevel,
9532  "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9533  OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
9534  goto err;
9535  }
9536  }
9537  else
9538  {
9539  int i;
9540  int msglevel_unknown = msglevel_fc;
9541  /* Check if an option is in --ignore-unknown-option and
9542  * set warning level to non fatal */
9543  for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
9544  {
9545  if (streq(p[0], options->ignore_unknown_option[i]))
9546  {
9547  msglevel_unknown = M_WARN;
9548  break;
9549  }
9550  }
9551  if (file)
9552  {
9553  msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
9554  }
9555  else
9556  {
9557  msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
9558  }
9559  }
9560 err:
9561  gc_free(&gc);
9562 }
9563 
9564 bool
9565 has_udp_in_local_list(const struct options *options)
9566 {
9567  if (options->ce.local_list)
9568  {
9569  for (int i = 0; i < options->ce.local_list->len; i++)
9570  {
9571  if (proto_is_dgram(options->ce.local_list->array[i]->proto))
9572  {
9573  return true;
9574  }
9575  }
9576  }
9577 
9578  return false;
9579 }
9580 
9581 bool
9582 has_tcp_in_local_list(const struct options *options)
9583 {
9584  if (options->ce.local_list)
9585  {
9586  for (int i = 0; i < options->ce.local_list->len; i++)
9587  {
9588  if (!proto_is_dgram(options->ce.local_list->array[i]->proto))
9589  {
9590  return true;
9591  }
9592  }
9593  }
9594 
9595  return false;
9596 }
connection_entry::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:167
options::keepalive_timeout
int keepalive_timeout
Definition: options.h:341
SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition: ssl_common.h:421
options::server_network_ipv6
struct in6_addr server_network_ipv6
Definition: options.h:471
set_win_sys_path
void set_win_sys_path(const char *newpath, struct env_set *es)
Definition: win32.c:1120
init_tun
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition: tun.c:816
alloc_connection_list_if_undef
static struct connection_list * alloc_connection_list_if_undef(struct options *options)
Definition: options.c:2235
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition: buffer.h:520
MSSFIX_DEFAULT
#define MSSFIX_DEFAULT
Definition: mtu.h:80
option_iroute
static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, int msglevel)
Definition: options.c:1623
local_list::len
int len
Definition: options.h:191
copy_route_option_list
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:173
buffer_read_from_file
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
Definition: buffer.c:1358
OPT_P_PUSH
#define OPT_P_PUSH
Definition: options.h:747
options::disable_dco
bool disable_dco
Definition: options.h:372
options::replay_time
int replay_time
Definition: options.h:584
options_pre_connect::dns_options
struct dns_options dns_options
Definition: options.h:80
GENKEY_AUTH_TOKEN
@ GENKEY_AUTH_TOKEN
Definition: options.h:237
print_vlan_accept
static const char * print_vlan_accept(enum vlan_acceptable_frames mode)
Definition: options.c:1524
options::genkey_type
enum genkey_type genkey_type
Definition: options.h:282
CHKACC_FILEXSTWR
#define CHKACC_FILEXSTWR
If file exists, is it writable?
Definition: options.c:3824
dhcp_renew_by_adapter_index
bool dhcp_renew_by_adapter_index(const DWORD adapter_index)
Definition: tun.c:5225
options::vlan_tagging
bool vlan_tagging
Definition: options.h:712
tuntap_options::dhcp_masq_custom_offset
bool dhcp_masq_custom_offset
Definition: tun.h:94
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition: ssl.c:1947
options::show_engines
bool show_engines
Definition: options.h:278
tuntap_options::dns
in_addr_t dns[N_DHCP_ADDR]
Definition: tun.h:114
local_entry::port
const char * port
Definition: options.h:100
TLS_USERNAME_LEN
#define TLS_USERNAME_LEN
Maximum length of common name.
Definition: ssl_verify.h:55
MF_EXTERNAL_KEY_PSSPAD
#define MF_EXTERNAL_KEY_PSSPAD
Definition: manage.h:44
dco_check_option
static bool dco_check_option(int msglevel, const struct options *o)
Definition: dco.h:282
comp_non_stub_enabled
static bool comp_non_stub_enabled(const struct compress_options *info)
Definition: comp.h:73
string_defined_equal
bool string_defined_equal(const char *s1, const char *s2)
Definition: options.c:4911
helper_setdefault_topology
void helper_setdefault_topology(struct options *o)
Set –topology default depending on –mode.
Definition: helper.c:144
options::ssl_flags
unsigned int ssl_flags
Definition: options.h:626
options_warning_safe_scan1
static void options_warning_safe_scan1(const int msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition: options.c:4554
SHOW_INT64
#define SHOW_INT64(var)
Definition: options.c:993
options::verbosity
int verbosity
Definition: options.h:397
iroute
Definition: route.h:241
connection_entry::mtu_discover_type
int mtu_discover_type
Definition: options.h:137
tuntap_options::domain_search_list
const char * domain_search_list[N_SEARCH_LIST_LEN]
Definition: tun.h:132
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition: options.c:4459
options::verify_hash
struct verify_hash_list * verify_hash
Definition: options.h:622
connection_entry::mssfix_encap
bool mssfix_encap
Definition: options.h:144
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2886
http_proxy_options::auth_file
const char * auth_file
Definition: proxy.h:54
M_INFO
#define M_INFO
Definition: errlevel.h:55
connection_entry::mssfix
int mssfix
Definition: options.h:142
management_auth_token
void management_auth_token(struct management *man, const char *token)
Definition: manage.c:3105
helper_client_server
void helper_client_server(struct options *o)
Definition: helper.c:172
compress_options
Definition: comp.h:66
compress_options::alg
int alg
Definition: comp.h:68
tuntap_options::dhcp_renew
bool dhcp_renew
Definition: tun.h:138
options::show_digests
bool show_digests
Definition: options.h:277
pull_filter_list
Definition: options.c:956
connection_entry::link_mtu
int link_mtu
Definition: options.h:132
route_ipv6_option_list::flags
unsigned int flags
Definition: route.h:107
MF_EXTERNAL_KEY_PKCS1PAD
#define MF_EXTERNAL_KEY_PKCS1PAD
Definition: manage.h:39
RG_BLOCK_LOCAL
#define RG_BLOCK_LOCAL
Definition: route.h:91
push_list::head
struct push_entry * head
Definition: pushlist.h:36
options::use_peer_id
bool use_peer_id
Definition: options.h:701
error.h
notnull
void notnull(const char *arg, const char *description)
Definition: options.c:4902
is_special_addr
bool is_special_addr(const char *addr_str)
Definition: route.c:306
M_OPTERR
#define M_OPTERR
Definition: error.h:100
options::sc_info
struct static_challenge_info sc_info
Definition: options.h:566
options::client_connect_script
const char * client_connect_script
Definition: options.h:501
SHOW_STR
#define SHOW_STR(var)
Definition: options.c:986
MF_EXTERNAL_KEY_NOPADDING
#define MF_EXTERNAL_KEY_NOPADDING
Definition: manage.h:38
options::tcp_queue_limit
int tcp_queue_limit
Definition: options.h:510
dhcp_option_address_parse
static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
Definition: options.c:1351
options::enable_ncp_fallback
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:574
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:528
KEY_DIRECTION_BIDIRECTIONAL
#define KEY_DIRECTION_BIDIRECTIONAL
Definition: crypto.h:230
SF_NO_PUSH_ROUTE_GATEWAY
#define SF_NO_PUSH_ROUTE_GATEWAY
Definition: options.h:476
pull_filter::pattern
char * pattern
Definition: options.c:952
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1025
clone_route_ipv6_option_list
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:164
GENKEY_SECRET
@ GENKEY_SECRET
Definition: options.h:234
VLAN_ONLY_UNTAGGED_OR_PRIORITY
@ VLAN_ONLY_UNTAGGED_OR_PRIORITY
Definition: options.h:221
options::nice
int nice
Definition: options.h:396
options::cf_initial_per
int cf_initial_per
Definition: options.h:533
string_array_len
int string_array_len(const char **array)
Definition: buffer.c:703
run_command.h
M_ERRNO
#define M_ERRNO
Definition: error.h:94
SF_TCP_NODELAY_HELPER
#define SF_TCP_NODELAY_HELPER
Definition: options.h:475
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition: proto.h:36
push_remove_option
void push_remove_option(struct options *o, const char *p)
Definition: push.c:939
VERIFY_X509_SUBJECT_RDN_PREFIX
#define VERIFY_X509_SUBJECT_RDN_PREFIX
Definition: ssl_verify.h:70
SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MAX_MASK
Definition: ssl_common.h:424
connection_entry::connect_retry_seconds
int connect_retry_seconds
Definition: options.h:117
connection_entry::explicit_exit_notification
int explicit_exit_notification
Definition: options.h:148
VERIFY_X509_SUBJECT_DN
#define VERIFY_X509_SUBJECT_DN
Definition: ssl_verify.h:68
CHKACC_ACPTSTDIN
#define CHKACC_ACPTSTDIN
If filename is stdin, it's allowed and "exists".
Definition: options.c:3825
forward.h
tuntap_options::register_dns
bool register_dns
Definition: tun.h:141
options::route_gateway_via_dhcp
bool route_gateway_via_dhcp
Definition: options.h:438
ipv6_addr_safe
bool ipv6_addr_safe(const char *ipv6_text_addr)
Definition: socket.c:787
http_proxy_options::http_version
const char * http_version
Definition: proxy.h:56
PACKAGE_NAME
#define PACKAGE_NAME
Definition: config.h:492
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition: ssl.c:372
read_config_file
static void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5264
options_server_import
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5515
options::up_script
const char * up_script
Definition: options.h:383
usage_small
void usage_small(void)
Definition: options.c:4838
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
OPT_P_PUSH_MTU
#define OPT_P_PUSH_MTU
Definition: options.h:761
proto2ascii_all
const char * proto2ascii_all(struct gc_arena *gc)
Definition: socket.c:3234
tuntap_options::nbdd
in_addr_t nbdd[N_DHCP_ADDR]
Definition: tun.h:126
options::keepalive_ping
int keepalive_ping
Definition: options.h:340
options::push_list
struct push_list push_list
Definition: options.h:487
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:121
dns_options_postprocess_pull
void dns_options_postprocess_pull(struct dns_options *o)
Merges pulled DNS servers with static ones into an ordered list.
Definition: dns.c:271
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition: misc.c:793
dns_domain::next
struct dns_domain * next
Definition: dns.h:45
M_FATAL
#define M_FATAL
Definition: error.h:89
options_pre_connect::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition: options.h:75
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:210
tuntap_options::tap_sleep
int tap_sleep
Definition: tun.h:99
win32.h
SHA_DIGEST_LENGTH
#define SHA_DIGEST_LENGTH
Definition: crypto_mbedtls.h:78
cipher_defined
static bool cipher_defined(const char *ciphername)
Checks if the cipher is defined and is not the null (none) cipher.
Definition: crypto_backend.h:219
MAX_SEQ_BACKTRACK
#define MAX_SEQ_BACKTRACK
Definition: packet_id.h:86
options::server_flags
unsigned int server_flags
Definition: options.h:477
http_custom_header::name
const char * name
Definition: proxy.h:39
options::auth_token_secret_file
const char * auth_token_secret_file
Definition: options.h:546
DNS_SECURITY_OPTIONAL
@ DNS_SECURITY_OPTIONAL
Definition: dns.h:34
setenv_str_i
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i)
Definition: env_set.c:404
options_string
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition: options.c:4240
options::ipchange
const char * ipchange
Definition: options.h:315
push_entry
Definition: pushlist.h:29
pull_filter_type_name
static const char * pull_filter_type_name(int type)
Definition: options.c:965
route_gateway_info
Definition: route.h:146
options::show_ciphers
bool show_ciphers
Definition: options.h:276
dco_version_string
const char * dco_version_string(struct gc_arena *gc)
Definition: dco_win.c:628
argv
Definition: argv.h:35
tuntap_options::domain_search_list_len
int domain_search_list_len
Definition: tun.h:133
options::enable_c2c
bool enable_c2c
Definition: options.h:526
options::duplicate_cn
bool duplicate_cn
Definition: options.h:527
options_cmp_equal_safe
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition: options.c:4601
connection_entry::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:168
streq
#define streq(x, y)
Definition: options.h:726
DHCP_OPTIONS_DHCP_REQUIRED
#define DHCP_OPTIONS_DHCP_REQUIRED
Definition: tun.h:75
proto2ascii
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
Definition: socket.c:3213
options::server_network
in_addr_t server_network
Definition: options.h:468
ascii2ipset
int ascii2ipset(const char *name)
Definition: tun.c:7031
options::inactivity_minimum_bytes
int64_t inactivity_minimum_bytes
Definition: options.h:344
manage.h
ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_SERVICE
Definition: route.h:43
options::ca_path
const char * ca_path
Definition: options.h:596
show_pull_filter_list
static void show_pull_filter_list(const struct pull_filter_list *l)
Definition: options.c:1820
connection_entry::remote_port
const char * remote_port
Definition: options.h:111
script_security_set
void script_security_set(int level)
Definition: run_command.c:49
VERIFY_X509_SUBJECT_RDN
#define VERIFY_X509_SUBJECT_RDN
Definition: ssl_verify.h:69
options::forward_compatible
bool forward_compatible
Definition: options.h:263
RG_BYPASS_DNS
#define RG_BYPASS_DNS
Definition: route.h:88
parse_hash_fingerprint
static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a hexstring and checks if the string has the correct length.
Definition: options.c:1188
dhcp_renew
static bool dhcp_renew(const struct tuntap *tt)
Definition: tun.c:5251
show_dhcp_option_addrs
static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
Definition: options.c:1295
clone_route_option_list
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:155
options::cert_file
const char * cert_file
Definition: options.h:599
es
struct env_set * es
Definition: test_pkcs11.c:141
hash
Definition: list.h:56
options::route_nopull
bool route_nopull
Definition: options.h:437
options::server_bridge_ip
in_addr_t server_bridge_ip
Definition: options.h:482
http_proxy_options::auth_file_up
const char * auth_file_up
Definition: proxy.h:55
options_set_backwards_compatible_options
static void options_set_backwards_compatible_options(struct options *o)
Changes default values so that OpenVPN can be compatible with the user specified version.
Definition: options.c:3526
connection_entry::tun_mtu_defined
bool tun_mtu_defined
Definition: options.h:129
tuntap_options::netbios_node_type
int netbios_node_type
Definition: tun.h:109
options::key_direction
int key_direction
Definition: options.h:572
options::topology
int topology
Definition: options.h:320
verify_hash_list::next
struct verify_hash_list * next
Definition: options.h:245
BSTR
#define BSTR(buf)
Definition: buffer.h:129
options::authname
const char * authname
Definition: options.h:579
options::dev_type
const char * dev_type
Definition: options.h:317
SSLF_USERNAME_AS_COMMON_NAME
#define SSLF_USERNAME_AS_COMMON_NAME
Definition: ssl_common.h:417
dns_server_get
struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc)
Find or create DNS server with priority in a linked list.
Definition: dns.c:175
AR_NONE
#define AR_NONE
Definition: options.h:903
MAX_TIME_BACKTRACK
#define MAX_TIME_BACKTRACK
Definition: packet_id.h:95
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition: ssl_openssl.c:2646
platform_getpid
unsigned int platform_getpid(void)
Definition: platform.c:333
options::iroutes
struct iroute * iroutes
Definition: options.h:511
proto_remote
const char * proto_remote(int proto, bool remote)
Definition: socket.c:3274
options::status_file_update_freq
int status_file_update_freq
Definition: options.h:406
push_options
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
Definition: push.c:907
http_proxy_options::auth_method_string
const char * auth_method_string
Definition: proxy.h:53
options::tls_client
bool tls_client
Definition: options.h:593
OPENVPN_EXIT_STATUS_GOOD
#define OPENVPN_EXIT_STATUS_GOOD
Definition: error.h:53
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:569
keydirection2ascii
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
Definition: crypto.c:1676
dns_domain_list_append
void dns_domain_list_append(struct dns_domain **entry, char **domains, struct gc_arena *gc)
Appends DNS domain parameters to a linked list.
Definition: dns.c:141
buffer::capacity
int capacity
Size in bytes of memory allocated by malloc().
Definition: buffer.h:62
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition: options.h:602
connection_entry::tls_crypt_v2_force_cookie
bool tls_crypt_v2_force_cookie
Definition: options.h:176
ip_addr_dotted_quad_safe
bool ip_addr_dotted_quad_safe(const char *dotted_quad)
Definition: socket.c:737
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
setenv_local_entry
static void setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
Definition: options.c:1020
connection_entry::connect_timeout
int connect_timeout
Definition: options.h:119
TARGET_ALIAS
#define TARGET_ALIAS
Definition: config.h:558
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:102
options::server_defined
bool server_defined
Definition: options.h:467
X509_USERNAME_FIELD_DEFAULT
#define X509_USERNAME_FIELD_DEFAULT
Definition: ssl.h:117
route_ipv6_gateway_info
Definition: route.h:181
set_debug_level
bool set_debug_level(const int level, const unsigned int flags)
Definition: error.c:105
dns_options_verify
bool dns_options_verify(int msglevel, const struct dns_options *o)
Checks validity of DNS options.
Definition: dns.c:197
GENKEY_TLS_CRYPTV2_CLIENT
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition: options.h:235
get_ipv6_addr_no_netbits
static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
Returns newly allocated string containing address part without "/nn".
Definition: options.c:1132
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition: common.h:82
OPT_P_PLUGIN
#define OPT_P_PLUGIN
Definition: options.h:755
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition: crypto.h:376
pull_filter_list::head
struct pull_filter * head
Definition: options.c:958
dev_type_string
const char * dev_type_string(const char *dev, const char *dev_type)
Definition: tun.c:508
options::cipher_list
const char * cipher_list
Definition: options.h:607
TAP_MTU_EXTRA_DEFAULT
#define TAP_MTU_EXTRA_DEFAULT
Definition: mtu.h:75
vlan_acceptable_frames
vlan_acceptable_frames
Definition: options.h:218
options::mode
int mode
Definition: options.h:260
options::session_timeout
int session_timeout
Definition: options.h:346
read_config_string
static void read_config_string(const char *prefix, struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5339
tap_allow_nonadmin_access
void tap_allow_nonadmin_access(const char *dev_node)
Definition: tun.c:5083
options_postprocess_mutate
static void options_postprocess_mutate(struct options *o, struct env_set *es)
Definition: options.c:3620
mutate_ncp_cipher_list
char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
Check whether the ciphers in the supplied list are supported.
Definition: ssl_ncp.c:98
LINK_MTU_DEFAULT
#define LINK_MTU_DEFAULT
Definition: mtu.h:65
xkey_common.h
bind_local
static void bind_local(struct link_socket *sock, const sa_family_t ai_family)
Definition: socket.c:1140
options::mute
int mute
Definition: options.h:398
safe_print
const char * safe_print(const char *str, struct gc_arena *gc)
Definition: misc.c:557
VLAN_ONLY_TAGGED
@ VLAN_ONLY_TAGGED
Definition: options.h:220
parse_line
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
Definition: options.c:4948
MF_HOLD
#define MF_HOLD
Definition: manage.h:30
PACKAGE_VERSION
#define PACKAGE_VERSION
Definition: config.h:504
MAX_PARMS
#define MAX_PARMS
Definition: options.h:52
buf_clear
void buf_clear(struct buffer *buf)
Definition: buffer.c:162
connection_entry::link_mtu_defined
bool link_mtu_defined
Definition: options.h:133
fragment
Structure for reassembling one incoming fragmented packet.
Definition: fragment.h:65
tls_verify
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
Definition: keyingmaterialexporter.c:166
options::push_ifconfig_ipv6_local
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:522
learn_address_script
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:95
options_warning_safe
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition: options.c:4624
tuntap_options::netbios_scope
const char * netbios_scope
Definition: tun.h:107
in_src::type
int type
Definition: options.c:5133
options::ce
struct connection_entry ce
Definition: options.h:288
options::msg_channel
HANDLE msg_channel
Definition: options.h:692
MUST_BE_FALSE
#define MUST_BE_FALSE(condition, parm_name)
Definition: options.c:2400
dns_server::dnssec
enum dns_security dnssec
Definition: dns.h:65
new_route_option_list
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition: route.c:130
tuntap_options::ntp_len
int ntp_len
Definition: tun.h:123
ip_or_dns_addr_safe
bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn)
Definition: socket.c:823
MF_QUERY_REMOTE
#define MF_QUERY_REMOTE
Definition: manage.h:41
read_inline_file
static char * read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
Definition: options.c:5164
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:712
format_hex_ex
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:483
iroute::netbits
int netbits
Definition: route.h:243
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition: ssl_common.h:418
ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_IPAPI
Definition: route.h:41
options::n_bcast_buf
int n_bcast_buf
Definition: options.h:509
ascii2keydirection
int ascii2keydirection(int msglevel, const char *str)
Definition: crypto.c:1653
options::ifconfig_ipv6_pool_defined
bool ifconfig_ipv6_pool_defined
Definition: options.h:495
verify_hash_list
Definition: options.h:240
options::verify_hash_algo
hash_algo_type verify_hash_algo
Definition: options.h:623
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition: networking.h:28
D_LOW
#define D_LOW
Definition: errlevel.h:97
dns_server::transport
enum dns_server_transport transport
Definition: dns.h:66
PACKAGE
#define PACKAGE
Definition: config.h:486
options::genkey_extra_data
const char * genkey_extra_data
Definition: options.h:284
M_NOPREFIX
#define M_NOPREFIX
Definition: error.h:97
SF_TCP_NODELAY
#define SF_TCP_NODELAY
Definition: socket.h:222
TOP_SUBNET
#define TOP_SUBNET
Definition: proto.h:44
M_DEBUG_LEVEL
#define M_DEBUG_LEVEL
Definition: error.h:87
remote_entry::remote
const char * remote
Definition: options.h:181
argv_parse_cmd
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:483
options_pre_connect::foreign_option_index
int foreign_option_index
Definition: options.h:89
connection_list::capacity
int capacity
Definition: options.h:197
proto_is_dgram
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
Definition: socket.h:597
atou
static unsigned int atou(const char *str)
Definition: options.c:4933
options_pre_connect::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:87
options_postprocess_mutate_ce
static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
Definition: options.c:3061
pull_filter_list::tail
struct pull_filter * tail
Definition: options.c:959
has_udp_in_local_list
bool has_udp_in_local_list(const struct options *options)
Definition: options.c:9565
options::shaper
int shaper
Definition: options.h:328
options.h
cnol_check_alloc
static void cnol_check_alloc(struct options *options)
Definition: options.c:1732
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition: crypto_openssl.c:660
IPROUTE_PATH
#define IPROUTE_PATH
Definition: config.h:468
connection_entry::local_list
struct local_list * local_list
Definition: options.h:106
clone_client_nat_option_list
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition: clinat.c:83
options::tls_export_peer_cert_dir
const char * tls_export_peer_cert_dir
Definition: options.h:613
dns_options::gc
struct gc_arena gc
Definition: dns.h:74
TLS_VER_1_0
#define TLS_VER_1_0
Definition: ssl_backend.h:106
options::cd_dir
const char * cd_dir
Definition: options.h:378
MODE_SERVER
#define MODE_SERVER
Definition: options.h:259
netmask_to_netbits2
int netmask_to_netbits2(in_addr_t netmask)
Definition: route.c:4139
print_client_nat_list
void print_client_nat_list(const struct client_nat_option_list *list, int msglevel)
Definition: clinat.c:52
options::remote_random
bool remote_random
Definition: options.h:314
options::ifconfig_noexec
bool ifconfig_noexec
Definition: options.h:326
frame
Packet geometry parameters.
Definition: mtu.h:98
options::push_continuation
int push_continuation
Definition: options.h:557
options_postprocess_filechecks
static void options_postprocess_filechecks(struct options *options)
Definition: options.c:4044
push_entry::option
const char * option
Definition: pushlist.h:32
MAX_PEER_ID
#define MAX_PEER_ID
Definition: openvpn.h:546
MF_CLIENT_AUTH
#define MF_CLIENT_AUTH
Definition: manage.h:34
plugin_option_list_print
void plugin_option_list_print(const struct plugin_option_list *list, int msglevel)
Definition: plugin.c:189
PROTO_TCP_SERVER
@ PROTO_TCP_SERVER
Definition: socket.h:570
local_list
Definition: options.h:189
connection_entry::fragment_encap
bool fragment_encap
Definition: options.h:140
options::allow_deprecated_insecure_static_crypto
bool allow_deprecated_insecure_static_crypto
Definition: options.h:571
options::tls_server
bool tls_server
Definition: options.h:592
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:267
parse_hash_fingerprint_multiline
static struct verify_hash_list * parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a string consisting of multiple lines of hexstrings and checks if each string has the correct ...
Definition: options.c:1242
options::auth_token_renewal
int auth_token_renewal
Definition: options.h:545
options_pre_connect::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:72
connection_entry::bind_local
bool bind_local
Definition: options.h:116
http_custom_header
Definition: proxy.h:38
provider_list::names
const char * names[MAX_PARMS]
Definition: options.h:213
shaper.h
throw_signal_soft
void throw_signal_soft(const int signum, const char *signal_text)
Throw a soft global signal.
Definition: sig.c:206
dns_options::servers
struct dns_server * servers
Definition: dns.h:73
connection_entry
Definition: options.h:104
remote_entry::af
sa_family_t af
Definition: options.h:184
N_SEARCH_LIST_LEN
#define N_SEARCH_LIST_LEN
Definition: tun.h:129
iroute_ipv6::network
struct in6_addr network
Definition: route.h:248
push_reset
void push_reset(struct options *o)
Definition: push.c:933
usage_message
static const char usage_message[]
Definition: options.c:120
SHOW_INT
#define SHOW_INT(var)
Definition: options.c:991
WINDOWS_DRIVER_UNSPECIFIED
@ WINDOWS_DRIVER_UNSPECIFIED
Definition: tun.h:46
http_proxy_options::inline_creds
bool inline_creds
Definition: proxy.h:59
options::allow_recursive_routing
bool allow_recursive_routing
Definition: options.h:720
net_ctx_init
static int net_ctx_init(struct context *c, openvpn_net_ctx_t *ctx)
Definition: networking.h:48
translate_mtu_discover_type_name
int translate_mtu_discover_type_name(const char *name)
Definition: mtu.c:261
sleep
#define sleep(x)
Definition: syshead.h:43
options::routes_ipv6
struct route_ipv6_option_list * routes_ipv6
Definition: options.h:435
add_route_to_option_list
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric)
Definition: route.c:510
OPT_P_SETENV
#define OPT_P_SETENV
Definition: options.h:736
iroute::next
struct iroute * next
Definition: route.h:244
options::tls_exit
bool tls_exit
Definition: options.h:684
SHOW_UNSIGNED
#define SHOW_UNSIGNED(var)
Definition: options.c:994
options::route_noexec
bool route_noexec
Definition: options.h:430
MF_QUERY_PROXY
#define MF_QUERY_PROXY
Definition: manage.h:42
options::tls_cert_profile
const char * tls_cert_profile
Definition: options.h:610
management_echo
void management_echo(struct management *man, const char *string, const bool pull)
Definition: manage.c:3027
ROUTE_METHOD_EXE
#define ROUTE_METHOD_EXE
Definition: route.h:42
CHKACC_ACCEPT_URI
#define CHKACC_ACCEPT_URI
Do not check URIs, unless they start with file:
Definition: options.c:3827
KEY_METHOD_2
#define KEY_METHOD_2
Definition: ssl.h:119
sa_family_t
unsigned short sa_family_t
Definition: syshead.h:395
options::renegotiate_seconds
int renegotiate_seconds
Definition: options.h:647
options::windows_driver
enum tun_driver_type windows_driver
Definition: options.h:698
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition: ssl.c:431
PING_RESTART
#define PING_RESTART
Definition: options.h:354
RG_AUTO_LOCAL
#define RG_AUTO_LOCAL
Definition: route.h:90
RG_LOCAL
#define RG_LOCAL
Definition: route.h:85
connection_entry_load_re
static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
Definition: options.c:2332
options::persist_local_ip
bool persist_local_ip
Definition: options.h:358
MD_SHA256
@ MD_SHA256
Definition: crypto_backend.h:54
http_proxy_options::nocache
bool nocache
Definition: proxy.h:61
test_crypto
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition: crypto.c:1229
CLEAR
#define CLEAR(x)
Definition: basic.h:33
DNS_TRANSPORT_HTTPS
@ DNS_TRANSPORT_HTTPS
Definition: dns.h:40
valid_integer
bool valid_integer(const char *str, bool positive)
Checks if the string is a valid integer by checking if it can be converted to an integer.
Definition: options_util.c:103
options::verify_hash_depth
int verify_hash_depth
Definition: options.h:624
options::ignore_unknown_option
const char ** ignore_unknown_option
Definition: options.h:269
OPT_P_SOCKBUF
#define OPT_P_SOCKBUF
Definition: options.h:756
options_util.h
dns_server::priority
long priority
Definition: dns.h:61
options::ecdh_curve
const char * ecdh_curve
Definition: options.h:611
iroute::network
in_addr_t network
Definition: route.h:242
ipconfig_register_dns
void ipconfig_register_dns(const struct env_set *es)
Definition: tun.c:5291
pull_filter::size
int size
Definition: options.c:951
options::show_curves
bool show_curves
Definition: options.h:280
connection_list::len
int len
Definition: options.h:198
SF_NOPOOL
#define SF_NOPOOL
Definition: options.h:474
options::http_proxy_override
struct http_proxy_options * http_proxy_override
Definition: options.h:307
options::cipher_list_tls13
const char * cipher_list_tls13
Definition: options.h:608
PUF_TYPE_IGNORE
#define PUF_TYPE_IGNORE
filter type to ignore a matching option
Definition: options.c:948
options_postprocess_pull
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition: options.c:4182
N_DHCP_ADDR
#define N_DHCP_ADDR
Definition: tun.h:111
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:195
options::up_delay
bool up_delay
Definition: options.h:387
options::writepid
const char * writepid
Definition: options.h:382
options_pre_connect::tuntap_options_defined
bool tuntap_options_defined
Definition: options.h:65
options::ncp_ciphers_conf
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition: options.h:577
tuntap_options::ip_win32_defined
bool ip_win32_defined
Definition: tun.h:79
options_pre_connect::ciphername
const char * ciphername
Definition: options.h:82
show_connection_entries
static void show_connection_entries(const struct options *o)
Definition: options.c:1799
options::max_clients
int max_clients
Definition: options.h:535
platform_stat_t
struct _stat platform_stat_t
Definition: platform.h:142
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:649
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:414
options::disable
bool disable
Definition: options.h:507
SC_ECHO
#define SC_ECHO
Definition: misc.h:94
connection_entry::socks_proxy_port
const char * socks_proxy_port
Definition: options.h:122
options::dh_file
const char * dh_file
Definition: options.h:597
options::resolve_in_advance
bool resolve_in_advance
Definition: options.h:366
IS_TYPE_FP
#define IS_TYPE_FP
Definition: options.c:5131
ssl_verify.h
options::ifconfig_nowarn
bool ifconfig_nowarn
Definition: options.h:327
options::dev
const char * dev
Definition: options.h:316
ASSERT
#define ASSERT(x)
Definition: error.h:195
local_list::array
struct local_entry * array[CONNECTION_LIST_SIZE]
Definition: options.h:192
options::management_port
const char * management_port
Definition: options.h:447
helper_tcp_nodelay
void helper_tcp_nodelay(struct options *o)
Definition: helper.c:600
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:3011
OPENVPN_PORT
#define OPENVPN_PORT
Definition: socket.h:42
options::groupname
const char * groupname
Definition: options.h:376
D_SHOW_OCC
#define D_SHOW_OCC
Definition: errlevel.h:151
connection_entry::connect_retry_seconds_max
int connect_retry_seconds_max
Definition: options.h:118
iroute_ipv6::netbits
unsigned int netbits
Definition: route.h:249
print_topology
const char * print_topology(const int topology)
Definition: options.c:4727
show_tuntap_options
static void show_tuntap_options(const struct tuntap_options *o)
Definition: options.c:1310
options::ip_remote_hint
const char * ip_remote_hint
Definition: options.h:367
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition: socket.h:571
mac_addr_safe
bool mac_addr_safe(const char *mac_addr)
Definition: socket.c:840
options::single_session
bool single_session
Definition: options.h:680
options::dns_options
struct dns_options dns_options
Definition: options.h:312
options::auth_user_pass_file
const char * auth_user_pass_file
Definition: options.h:559
show_dhcp_option_list
static void show_dhcp_option_list(const char *name, const char *const *array, int len)
Definition: options.c:1285
PULL_DEFINED
#define PULL_DEFINED(opt)
Definition: options.h:765
options::client_nat
struct client_nat_option_list * client_nat
Definition: options.h:440
local_entry
Definition: options.h:97
OPTION_PARM_SIZE
#define OPTION_PARM_SIZE
Definition: options.h:57
ssl_get_auth_nocache
bool ssl_get_auth_nocache(void)
Definition: ssl.c:357
set_machine_readable_output
void set_machine_readable_output(bool parsable)
Definition: error.c:155
D_DCO
#define D_DCO
Definition: errlevel.h:94
options_pre_connect::routes
struct route_option_list * routes
Definition: options.h:69
options::server_netmask
in_addr_t server_netmask
Definition: options.h:469
bypass_doubledash
static void bypass_doubledash(char **p)
Definition: options.c:5122
alloc_local_entry
static struct local_entry * alloc_local_entry(struct connection_entry *ce, const int msglevel, struct gc_arena *gc)
Definition: options.c:2213
option_iroute_ipv6
static void option_iroute_ipv6(struct options *o, const char *prefix_str, int msglevel)
Definition: options.c:1653
connection_list
Definition: options.h:195
set_suppress_timestamps
void set_suppress_timestamps(bool suppressed)
Definition: error.c:149
SSLF_TLS_VERSION_MIN_MASK
#define SSLF_TLS_VERSION_MIN_MASK
Definition: ssl_common.h:422
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition: route.h:89
options::cf_initial_max
int cf_initial_max
Definition: options.h:532
md_kt_name
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
Definition: crypto_openssl.c:1071
options::ping_send_timeout
int ping_send_timeout
Definition: options.h:348
argv::argv
char ** argv
Definition: argv.h:39
remote_entry::remote_port
const char * remote_port
Definition: options.h:182
dns_server_addr_parse
bool dns_server_addr_parse(struct dns_server *server, const char *addr)
Parses a string IPv4 or IPv6 address and optional colon separated port, into a in_addr or in6_addr re...
Definition: dns.c:55
MAX_CUSTOM_HTTP_HEADER
#define MAX_CUSTOM_HTTP_HEADER
Definition: proxy.h:43
http_proxy_options::user_agent
const char * user_agent
Definition: proxy.h:57
ROUTE_METHOD_ADAPTIVE
#define ROUTE_METHOD_ADAPTIVE
Definition: route.h:40
ipv6_addr_safe_hexplusbits
static bool ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
Definition: options.c:1150
options::x509_track
const struct x509_track * x509_track
Definition: options.h:686
options::client
bool client
Definition: options.h:555
need_compatibility_before
static bool need_compatibility_before(const struct options *o, unsigned int version)
The option –compat-mode is used to set up default settings to values used on the specified openvpn ve...
Definition: options.c:3516
http_proxy_options::auth_retry
int auth_retry
Definition: proxy.h:51
MF_EXTERNAL_KEY_DIGEST
#define MF_EXTERNAL_KEY_DIGEST
Definition: manage.h:45
options::shared_secret_file_inline
bool shared_secret_file_inline
Definition: options.h:570
options::pre_connect
struct options_pre_connect * pre_connect
Definition: options.h:561
TLS_MTU_DEFAULT
#define TLS_MTU_DEFAULT
Definition: mtu.h:85
tuntap_options::ip_win32_type
int ip_win32_type
Definition: tun.h:87
connection_entry::bind_defined
bool bind_defined
Definition: options.h:114
options::management_client_group
const char * management_client_group
Definition: options.h:454
COMP_ALG_LZ4
#define COMP_ALG_LZ4
Definition: comp.h:51
SC_CONCAT
#define SC_CONCAT
Definition: misc.h:95
verify_permission
static bool verify_permission(const char *name, const char *file, int line, const unsigned int type, const unsigned int allowed, unsigned int *found, const int msglevel, struct options *options, bool is_inline)
Definition: options.c:5554
packet_id.h
options::test_crypto
bool test_crypto
Definition: options.h:586
options::verify_hash_no_ca
bool verify_hash_no_ca
Definition: options.h:625
COMP_F_MIGRATE
#define COMP_F_MIGRATE
Definition: comp.h:42
msglevel_forward_compatible
static int msglevel_forward_compatible(struct options *options, const int msglevel)
Definition: options.c:5642
options::block_outside_dns
bool block_outside_dns
Definition: options.h:697
options_pre_connect::route_default_gateway
const char * route_default_gateway
Definition: options.h:74
OPT_P_MESSAGES
#define OPT_P_MESSAGES
Definition: options.h:742
remap_redirect_gateway_flags
static void remap_redirect_gateway_flags(struct options *opt)
Definition: options.c:3239
proto.h
SSLF_OPT_VERIFY
#define SSLF_OPT_VERIFY
Definition: ssl_common.h:419
options::ifconfig_ipv6_netbits
int ifconfig_ipv6_netbits
Definition: options.h:324
options::ncp_ciphers
const char * ncp_ciphers
Definition: options.h:578
options::push_ifconfig_ipv6_defined
bool push_ifconfig_ipv6_defined
Definition: options.h:521
options::tls_crypt_file
const char * tls_crypt_file
Definition: options.h:667
connection_entry::mssfix_fixed
bool mssfix_fixed
Definition: options.h:146
OPTION_LINE_SIZE
#define OPTION_LINE_SIZE
Definition: options.h:58
OPT_P_PULL_MODE
#define OPT_P_PULL_MODE
Definition: options.h:754
SSLF_TLS_DEBUG_ENABLED
#define SSLF_TLS_DEBUG_ENABLED
Definition: ssl_common.h:425
OPT_P_DHCPDNS
#define OPT_P_DHCPDNS
Definition: options.h:734
key_type::digest
const char * digest
Message digest static parameters.
Definition: crypto.h:143
RESOLV_RETRY_INFINITE
#define RESOLV_RETRY_INFINITE
Definition: socket.h:48
dns_domain::name
const char * name
Definition: dns.h:46
options::comp
struct compress_options comp
Definition: options.h:411
options::persist_config
bool persist_config
Definition: options.h:272
options_pre_connect::routes_ipv6_defined
bool routes_ipv6_defined
Definition: options.h:71
clone_push_list
void clone_push_list(struct options *o)
Definition: push.c:891
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition: options.h:723
dns_server_addr::in
union dns_server_addr::@0 in
options_postprocess_cipher
static void options_postprocess_cipher(struct options *o)
Definition: options.c:3459
OPT_P_NCP
#define OPT_P_NCP
Negotiable crypto parameters.
Definition: options.h:743
options::auth_token_lifetime
int auth_token_lifetime
Definition: options.h:544
ascii2proto
int ascii2proto(const char *proto_name)
Definition: socket.c:3187
OPT_P_INLINE
#define OPT_P_INLINE
Definition: options.h:760
print_route_options
void print_route_options(const struct route_option_list *rol, int level)
Definition: route.c:1319
show_compression_warning
static void show_compression_warning(struct compress_options *info)
Definition: options.c:5678
calc_options_string_link_mtu
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition: mtu.c:152
options::push_peer_info
bool push_peer_info
Definition: options.h:682
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition: ssl_common.h:420
dns_server
Definition: dns.h:59
OPT_P_TLS_PARMS
#define OPT_P_TLS_PARMS
Definition: options.h:744
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition: options.c:4638
string_substitute
static char * string_substitute(const char *src, int from, int to, struct gc_arena *gc)
Definition: options.c:1159
OPENVPN_8021Q_MAX_VID
#define OPENVPN_8021Q_MAX_VID
Definition: proto.h:312
options::allow_pull_fqdn
bool allow_pull_fqdn
Definition: options.h:439
MF_QUERY_PASSWORDS
#define MF_QUERY_PASSWORDS
Definition: manage.h:29
options::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition: options.h:672
COMP_F_ADVERTISE_STUBS_ONLY
#define COMP_F_ADVERTISE_STUBS_ONLY
Definition: comp.h:40
misc.h
options::push_ifconfig_ipv6_blocked
bool push_ifconfig_ipv6_blocked
Definition: options.h:525
RG_BYPASS_DHCP
#define RG_BYPASS_DHCP
Definition: route.h:87
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition: ssl.c:366
push.h
in_src
Definition: options.c:5130
options::management_state_buffer_size
int management_state_buffer_size
Definition: options.h:451
positive_atoi
int positive_atoi(const char *str, int msglevel)
Converts a str to a positive number if the string represents a postive integer number.
Definition: options_util.c:119
M_WARN
#define M_WARN
Definition: error.h:91
dns_options_preprocess_pull
void dns_options_preprocess_pull(struct dns_options *o)
Saves and resets the server options, so that pulled ones don't mix in.
Definition: dns.c:264
options::push_ifconfig_defined
bool push_ifconfig_defined
Definition: options.h:513
options::persist_tun
bool persist_tun
Definition: options.h:357
PACKAGE_STRING
#define PACKAGE_STRING
Definition: config.h:495
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition: comp.h:47
connection_entry::tls_auth_file
const char * tls_auth_file
Definition: options.h:162
options::backwards_compatible
unsigned int backwards_compatible
What version we should try to be compatible with as major * 10000 + minor * 100 + patch,...
Definition: options.h:266
CONFIGURE_DEFINES
#define CONFIGURE_DEFINES
Definition: config.h:5
OPT_P_SHAPER
#define OPT_P_SHAPER
Definition: options.h:737
options::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:673
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1097
options::proto_force
int proto_force
Definition: options.h:330
check_inline_file_via_buf
static int check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
Definition: options.c:5242
VERIFY_PERMISSION
#define VERIFY_PERMISSION(mask)
Definition: options.c:5545
msg_fp
FILE * msg_fp(const unsigned int flags)
Definition: error.c:194
options::tls_auth_file
const char * tls_auth_file
Definition: options.h:663
in_src::multiline
struct buffer * multiline
Definition: options.c:5136
connection_entry::tls_crypt_v2_file_inline
bool tls_crypt_v2_file_inline
Definition: options.h:173
options::route_predown_script
const char * route_predown_script
Definition: options.h:426
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition: ssl_openssl.c:207
COMP_ALGV2_UNCOMPRESSED
#define COMP_ALGV2_UNCOMPRESSED
Definition: comp.h:55
options::push_ifconfig_constraint_defined
bool push_ifconfig_constraint_defined
Definition: options.h:517
OPT_P_INSTANCE
#define OPT_P_INSTANCE
allowed in ccd, client-connect etc
Definition: options.h:748
connection_entry::tls_auth_file_inline
bool tls_auth_file_inline
Definition: options.h:163
plugin_option_list_new
struct plugin_option_list * plugin_option_list_new(struct gc_arena *gc)
Definition: plugin.c:160
options::auth_token_secret_file_inline
bool auth_token_secret_file_inline
Definition: options.h:547
options::server_netbits_ipv6
unsigned int server_netbits_ipv6
Definition: options.h:472
NM_QUOTE_HINT
#define NM_QUOTE_HINT
Definition: options.c:5611
CHKACC_FILE
#define CHKACC_FILE
Check for a file/directory presence.
Definition: options.c:3822
connection_entry::tls_crypt_v2_file
const char * tls_crypt_v2_file
Definition: options.h:172
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition: options.h:606
space
static bool space(unsigned char c)
Definition: options.c:4942
http_proxy_options::port
const char * port
Definition: proxy.h:46
options::verify_x509_type
int verify_x509_type
Definition: options.h:614
options
Definition: options.h:249
pool.h
options::auth_user_pass_file_inline
bool auth_user_pass_file_inline
Definition: options.h:560
RG_ENABLE
#define RG_ENABLE
Definition: route.h:84
connection_entry::key_direction
int key_direction
Definition: options.h:164
options::providers
struct provider_list providers
Definition: options.h:581
crypto.h
dns_server::domains
struct dns_domain * domains
Definition: dns.h:64
IPW32_SET_NETSH
#define IPW32_SET_NETSH
Definition: tun.h:82
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition: socket.h:517
options::log
bool log
Definition: options.h:393
alloc_remote_entry
static struct remote_entry * alloc_remote_entry(struct options *options, const int msglevel)
Definition: options.c:2278
show_valid_win32_tun_subnets
void show_valid_win32_tun_subnets(void)
Definition: tun.c:4146
TLS_CLIENT
#define TLS_CLIENT
static_challenge_info::flags
unsigned int flags
Definition: misc.h:96
options::gc
struct gc_arena gc
Definition: options.h:251
OPT_P_COMP
#define OPT_P_COMP
Definition: options.h:741
DNS_SECURITY_NO
@ DNS_SECURITY_NO
Definition: dns.h:32
WINDOWS_DRIVER_TAP_WINDOWS6
@ WINDOWS_DRIVER_TAP_WINDOWS6
Definition: tun.h:47
options_string_import
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5535
options::mlock
bool mlock
Definition: options.h:338
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition: manage.h:37
options_pre_connect::ping_send_timeout
int ping_send_timeout
Definition: options.h:85
M_ERR
#define M_ERR
Definition: error.h:105
options::tls_timeout
int tls_timeout
Definition: options.h:642
options::management_addr
const char * management_addr
Definition: options.h:446
options::tls_verify
const char * tls_verify
Definition: options.h:612
COMP_F_SWAP
#define COMP_F_SWAP
Definition: comp.h:39
options::down_script
const char * down_script
Definition: options.h:384
connection_entry::tun_mtu_extra
int tun_mtu_extra
Definition: options.h:130
SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition: ssl_common.h:415
OPENVPN_EXIT_STATUS_USAGE
#define OPENVPN_EXIT_STATUS_USAGE
Definition: error.h:55
check_ca_required
static void check_ca_required(const struct options *options)
Definition: options.c:2370
gc_transfer
void gc_transfer(struct gc_arena *dest, struct gc_arena *src)
Definition: buffer.c:460
SDL_CONSTRAIN
#define SDL_CONSTRAIN
Definition: error.h:177
options_warning_safe_scan2
static void options_warning_safe_scan2(const int msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition: options.c:4486
buf_valid
static bool buf_valid(const struct buffer *buf)
Definition: buffer.h:234
helper_keepalive
void helper_keepalive(struct options *o)
Definition: helper.c:541
dns_domain
Definition: dns.h:44
tuntap_options
Definition: tun.h:77
gc_detach
static void gc_detach(struct gc_arena *a)
Definition: buffer.h:1019
MF_FORGET_DISCONNECT
#define MF_FORGET_DISCONNECT
Definition: manage.h:32
ipset2ascii_all
const char * ipset2ascii_all(struct gc_arena *gc)
Definition: tun.c:7060
options::virtual_hash_size
int virtual_hash_size
Definition: options.h:500
auth_retry_get
int auth_retry_get(void)
Definition: options.c:4755
add_option
static void add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5705
options_postprocess
void options_postprocess(struct options *options, struct env_set *es)
Definition: options.c:4168
options::ifconfig_pool_netmask
in_addr_t ifconfig_pool_netmask
Definition: options.h:491
dns_options::search_domains
struct dns_domain * search_domains
Definition: dns.h:71
dns_server::addr_count
size_t addr_count
Definition: dns.h:62
DNS_TRANSPORT_PLAIN
@ DNS_TRANSPORT_PLAIN
Definition: dns.h:39
copy_client_nat_option_list
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition: clinat.c:92
ifconfig_options_string
const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc)
Definition: tun.c:675
options::server_ipv6_defined
bool server_ipv6_defined
Definition: options.h:470
set_pause_exit_win32
void set_pause_exit_win32(void)
Definition: win32.c:146
compress_options::flags
unsigned int flags
Definition: comp.h:69
connection_entry::local_port_defined
bool local_port_defined
Definition: options.h:110
options::show_tls_ciphers
bool show_tls_ciphers
Definition: options.h:279
parse_topology
int parse_topology(const char *str, const int msglevel)
Definition: options.c:4705
check_file_access_chroot
static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
Definition: options.c:3925
TOP_UNDEF
#define TOP_UNDEF
Definition: proto.h:41
options::push_ifconfig_ipv6_netbits
int push_ifconfig_ipv6_netbits
Definition: options.h:523
tuntap_options_copy_dns
static void tuntap_options_copy_dns(struct options *o)
Definition: options.c:1384
options::tls_crypt_file_inline
bool tls_crypt_file_inline
Definition: options.h:668
OPT_P_ECHO
#define OPT_P_ECHO
Definition: options.h:751
options::renegotiate_seconds_min
int renegotiate_seconds_min
Definition: options.h:648
static_challenge_info::challenge_text
const char * challenge_text
Definition: misc.h:98
dns_server::addr
struct dns_server_addr addr[8]
Definition: dns.h:63
open_syslog
void open_syslog(const char *pgmname, bool stdio_to_null)
Definition: error.c:467
alloc_remote_list_if_undef
static struct remote_list * alloc_remote_list_if_undef(struct options *options)
Definition: options.c:2268
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition: proto.h:37
options::persist_remote_ip
bool persist_remote_ip
Definition: options.h:359
options::ccd_exclusive
bool ccd_exclusive
Definition: options.h:506
options::stale_routes_check_interval
int stale_routes_check_interval
Definition: options.h:537
options::scheduled_exit_interval
int scheduled_exit_interval
Definition: options.h:563
options_pre_connect::client_nat
struct client_nat_option_list * client_nat
Definition: options.h:78
options::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:349
options::pkcs12_file
const char * pkcs12_file
Definition: options.h:605
OPT_P_PERSIST_IP
#define OPT_P_PERSIST_IP
Definition: options.h:740
options::client_crresponse_script
const char * client_crresponse_script
Definition: options.h:504
IPW32_SET_ADAPTIVE
#define IPW32_SET_ADAPTIVE
Definition: tun.h:85
SIZE
#define SIZE(x)
Definition: basic.h:30
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_SERVER
Definition: options.h:236
errors_to_stderr
void errors_to_stderr(void)
Definition: error.c:185
proto_is_udp
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
Definition: socket.h:586
options::genkey
bool genkey
Definition: options.h:281
options::verify_x509_name
const char * verify_x509_name
Definition: options.h:615
options::replay_window
int replay_window
Definition: options.h:583
PAR_ALL
#define PAR_ALL
Definition: proxy.h:49
SHAPER_MIN
#define SHAPER_MIN
Definition: shaper.h:40
options::route_ipv6_default_gateway
const char * route_ipv6_default_gateway
Definition: options.h:428
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition: errlevel.h:67
options::foreign_option_index
int foreign_option_index
Definition: options.h:689
http_proxy_options::server
const char * server
Definition: proxy.h:45
global_auth_retry
static int global_auth_retry
Definition: options.c:4752
options::exit_event_name
const char * exit_event_name
Definition: options.h:693
openvpn_exit
void openvpn_exit(const int status)
Definition: error.c:735
connection_entry_preload_key
static void connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
Definition: options.c:2353
options::push_ifconfig_ipv6_remote
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:524
options::management_certificate
const char * management_certificate
Definition: options.h:456
show_windows_version
void show_windows_version(const unsigned int flags)
Definition: options.c:4846
options_pre_connect::comp
struct compress_options comp
Definition: options.h:90
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition: crypto.h:372
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
set_user_script
static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot)
Definition: options.c:5648
options::route_delay_defined
bool route_delay_defined
Definition: options.h:433
key_type
Definition: crypto.h:140
new_route_ipv6_option_list
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition: route.c:139
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2991
options::handshake_window
int handshake_window
Definition: options.h:652
options::remote_cert_ku
unsigned remote_cert_ku[MAX_PARMS]
Definition: options.h:620
suppress_timestamps
static bool suppress_timestamps
Definition: error.c:81
options_postprocess_http_proxy_override
static void options_postprocess_http_proxy_override(struct options *o)
Definition: options.c:2169
connection_entry::occ_mtu
int occ_mtu
Definition: options.h:126
options::ping_timer_remote
bool ping_timer_remote
Definition: options.h:350
options::crl_file_inline
bool crl_file_inline
Definition: options.h:617
options::status_file_version
int status_file_version
Definition: options.h:405
MAN_CLIENT_AUTH_ENABLED
#define MAN_CLIENT_AUTH_ENABLED(opt)
Definition: options.h:791
TLS_VER_1_2
#define TLS_VER_1_2
Definition: ssl_backend.h:108
verify_hash_list::hash
uint8_t hash[SHA256_DIGEST_LENGTH]
Definition: options.h:244
options::route_default_metric
int route_default_metric
Definition: options.h:429
ssl.h
PROTO_NONE
@ PROTO_NONE
Definition: socket.h:567
options::override_username
const char * override_username
Definition: options.h:508
OPT_P_PERSIST
#define OPT_P_PERSIST
Definition: options.h:739
show_tap_win_adapters
void show_tap_win_adapters(int msglev, int warnlev)
Definition: tun.c:4179
options::sndbuf
int sndbuf
Definition: options.h:415
init_http_proxy_options_once
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition: proxy.c:46
options::block_ipv6
bool block_ipv6
Definition: options.h:436
show_adapters
void show_adapters(int msglev)
Definition: tun.c:5034
buffer.h
check_inline_file_via_fp
static int check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
Definition: options.c:5233
options::fast_io
bool fast_io
Definition: options.h:409
options::force_key_material_export
bool force_key_material_export
Definition: options.h:710
options::server_bridge_proxy_dhcp
bool server_bridge_proxy_dhcp
Definition: options.h:479
OPT_P_GENERAL
#define OPT_P_GENERAL
Definition: options.h:731
tuntap_options::wins_len
int wins_len
Definition: tun.h:119
syshead.h
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition: platform.c:501
options::dh_file_inline
bool dh_file_inline
Definition: options.h:598
BPTR
#define BPTR(buf)
Definition: buffer.h:124
pkcs11.h
options::management_flags
unsigned int management_flags
Definition: options.h:459
options::route_method
int route_method
Definition: options.h:696
no_more_than_n_args
static bool no_more_than_n_args(const int msglevel, char *p[], const int max, const unsigned int flags)
Definition: options.c:5614
auth_retry_print
const char * auth_retry_print(void)
Definition: options.c:4784
options::cert_file_inline
bool cert_file_inline
Definition: options.h:600
platform.h
options::server_bridge_pool_start
in_addr_t server_bridge_pool_start
Definition: options.h:484
options::management_echo_buffer_size
int management_echo_buffer_size
Definition: options.h:450
proto_is_net
static bool proto_is_net(int proto)
Definition: socket.h:576
connection_list::array
struct connection_entry ** array
Definition: options.h:200
OPT_P_ROUTE
#define OPT_P_ROUTE
Definition: options.h:733
D_PUSH
#define D_PUSH
Definition: errlevel.h:83
shaper
Definition: shaper.h:47
show_routes
void show_routes(int msglev)
Definition: route.c:3308
PUF_TYPE_REJECT
#define PUF_TYPE_REJECT
filter type to reject and trigger SIGUSR1
Definition: options.c:949
print_tun_backend_driver
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition: tun.c:59
options::client_config_dir
const char * client_config_dir
Definition: options.h:505
in_src_get
static bool in_src_get(const struct in_src *is, char *line, const int size)
Definition: options.c:5141
dco_check_startup_option
static bool dco_check_startup_option(int msglevel, const struct options *o)
Definition: dco.h:288
SSLF_TLS_VERSION_MAX_SHIFT
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition: ssl_common.h:423
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
add_client_nat_to_option_list
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, int msglevel)
Definition: clinat.c:106
options::status_file
const char * status_file
Definition: options.h:404
options::genkey_filename
const char * genkey_filename
Definition: options.h:283
COMP_F_ALLOW_NOCOMP_ONLY
#define COMP_F_ALLOW_NOCOMP_ONLY
Definition: comp.h:44
iroute_ipv6::next
struct iroute_ipv6 * next
Definition: route.h:250
key_is_external
bool key_is_external(const struct options *options)
Definition: options.c:5690
options::renegotiate_packets
int64_t renegotiate_packets
Definition: options.h:646
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:283
MODE_POINT_TO_POINT
#define MODE_POINT_TO_POINT
Definition: options.h:258
tuntap_options::nbdd_len
int nbdd_len
Definition: tun.h:127
check_file_access_inline
static bool check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access() that returns false immediately if the file is inline (and therefore...
Definition: options.c:3975
DNS_TRANSPORT_TLS
@ DNS_TRANSPORT_TLS
Definition: dns.h:41
key_type::cipher
const char * cipher
const name of the cipher
Definition: crypto.h:142
daemon
int daemon(int nochdir, int noclose)
Definition: compat-daemon.c:51
pull_filter
Definition: options.c:944
options::auth_token_call_auth
bool auth_token_call_auth
Definition: options.h:543
remote_list::array
struct remote_entry ** array
Definition: options.h:207
PUF_TYPE_ACCEPT
#define PUF_TYPE_ACCEPT
filter type to accept a matching option
Definition: options.c:947
options::vlan_pvid
uint16_t vlan_pvid
Definition: options.h:714
options::resolve_retry_seconds
int resolve_retry_seconds
Definition: options.h:365
options_postprocess_mutate_le
static void options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
Definition: options.c:3221
LZO_LIB_VER_STR
#define LZO_LIB_VER_STR
check_compression_settings_valid
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
Definition: comp.c:163
connection_entry::http_proxy_options
struct http_proxy_options * http_proxy_options
Definition: options.h:120
options::ca_file
const char * ca_file
Definition: options.h:594
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition: ssl_backend.h:391
check_file_access_chroot_inline
static bool check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access_chroot() that returns false immediately if the file is inline (and th...
Definition: options.c:3958
show_library_versions
void show_library_versions(const unsigned int flags)
Definition: options.c:4865
tuntap_options::dhcp_masq_offset
int dhcp_masq_offset
Definition: tun.h:95
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:361
win32_version_string
const char * win32_version_string(struct gc_arena *gc, bool add_name)
Definition: win32.c:1424
env_set
Definition: env_set.h:42
plugin_option_list_add
bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
Definition: plugin.c:168
OPT_P_TIMER
#define OPT_P_TIMER
Definition: options.h:738
options_process_mutate_prf
static void options_process_mutate_prf(struct options *o)
Definition: options.c:3596
options::server_bridge_netmask
in_addr_t server_bridge_netmask
Definition: options.h:483
copy_route_ipv6_option_list
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:180
OPT_P_CONNECTION
#define OPT_P_CONNECTION
Definition: options.h:758
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition: platform.c:527
MIN_TIME_BACKTRACK
#define MIN_TIME_BACKTRACK
Definition: packet_id.h:94
MF_SIGNAL
#define MF_SIGNAL
Definition: manage.h:31
options::config
const char * config
Definition: options.h:255
usage
static void usage(void)
Definition: options.c:4806
new_client_nat_list
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition: clinat.c:75
cipher_kt_key_size
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
Definition: crypto_openssl.c:680
options::plugin_list
struct plugin_option_list * plugin_list
Definition: options.h:462
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:88
options::priv_key_file_inline
bool priv_key_file_inline
Definition: options.h:604
TOP_P2P
#define TOP_P2P
Definition: proto.h:43
SHAPER_MAX
#define SHAPER_MAX
Definition: shaper.h:41
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition: options.h:930
pull_filter::type
int type
Definition: options.c:950
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:183
connection_entry::flags
unsigned int flags
Definition: options.h:159
tuntap_options::disable_nbt
bool disable_nbt
Definition: tun.h:136
uninit_options
void uninit_options(struct options *o)
Definition: options.c:927
tuntap_options::dns6_len
int dns6_len
Definition: tun.h:144
dco.h
atoi_warn
int atoi_warn(const char *str, int msglevel)
Converts a str to an integer if the string can be represented as an integer number.
Definition: options_util.c:135
common.h
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition: ssl.c:347
options::connect_retry_max
int connect_retry_max
Definition: options.h:287
PING_EXIT
#define PING_EXIT
Definition: options.h:353
has_tcp_in_local_list
bool has_tcp_in_local_list(const struct options *options)
Definition: options.c:9582
options::tls_auth_file_inline
bool tls_auth_file_inline
Definition: options.h:664
strprefix
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition: buffer.h:977
machine_readable_output
static bool machine_readable_output
Definition: error.c:78
options::management_log_history_cache
int management_log_history_cache
Definition: options.h:449
show_dco_version
void show_dco_version(const unsigned int flags)
Definition: options.c:4855
D_SHOW_PARMS
#define D_SHOW_PARMS
Definition: errlevel.h:96
options_detach
void options_detach(struct options *o)
Definition: options.c:1705
DNS_SECURITY_YES
@ DNS_SECURITY_YES
Definition: dns.h:33
rol_check_alloc
void rol_check_alloc(struct options *options)
Definition: options.c:1714
redirect_stdout_stderr
void redirect_stdout_stderr(const char *file, bool append)
Definition: error.c:515
options::daemon
bool daemon
Definition: options.h:389
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition: socket.c:226
connection_entry::socks_proxy_authfile
const char * socks_proxy_authfile
Definition: options.h:123
options_pre_connect::routes_defined
bool routes_defined
Definition: options.h:68
VLAN_ALL
@ VLAN_ALL
Definition: options.h:222
options::ifconfig_pool_end
in_addr_t ifconfig_pool_end
Definition: options.h:490
COMP_ALG_STUB
#define COMP_ALG_STUB
Definition: comp.h:48
options::tls_groups
const char * tls_groups
Definition: options.h:609
options::gc_owned
bool gc_owned
Definition: options.h:252
CHKACC_DIRPATH
#define CHKACC_DIRPATH
Check for directory presence where a file should reside.
Definition: options.c:3823
options::rcvbuf
int rcvbuf
Definition: options.h:414
alloc_connection_entry
static struct connection_entry * alloc_connection_entry(struct options *options, const int msglevel)
Definition: options.c:2245
check_cmd_access
static bool check_cmd_access(const char *command, const char *opt, const char *chroot)
Definition: options.c:4003
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition: socket.h:519
options::remap_sigusr1
int remap_sigusr1
Definition: options.h:391
dns_server_addr::family
sa_family_t family
Definition: dns.h:55
options::exit_event_initial_state
bool exit_event_initial_state
Definition: options.h:694
tuntap_options::dhcp_pre_release
bool dhcp_pre_release
Definition: tun.h:139
options_pre_connect::client_nat_defined
bool client_nat_defined
Definition: options.h:77
in_src::fp
FILE * fp
Definition: options.c:5135
PLUGIN_OPTION_LIST
#define PLUGIN_OPTION_LIST(opt)
Definition: options.h:785
rol6_check_alloc
static void rol6_check_alloc(struct options *options)
Definition: options.c:1723
options::peer_id
uint32_t peer_id
Definition: options.h:702
options_pre_connect
Definition: options.h:63
tuntap_options::wins
in_addr_t wins[N_DHCP_ADDR]
Definition: tun.h:118
setenv_dns_options
void setenv_dns_options(const struct dns_options *o, struct env_set *es)
Puts the DNS options into an environment set.
Definition: dns.c:370
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition: crypto_mbedtls.h:79
options::ifconfig_pool_defined
bool ifconfig_pool_defined
Definition: options.h:488
MF_CONNECT_AS_CLIENT
#define MF_CONNECT_AS_CLIENT
Definition: manage.h:33
ascii2af
sa_family_t ascii2af(const char *proto_name)
Definition: socket.c:3200
get_ip_addr
static in_addr_t get_ip_addr(const char *ip_string, int msglevel, bool *error)
Definition: options.c:1107
IPW32_SET_DHCP_MASQ
#define IPW32_SET_DHCP_MASQ
Definition: tun.h:84
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:336
max_int
static int max_int(int x, int y)
Definition: integer.h:89
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition: errlevel.h:157
connection_entry::remote_float
bool remote_float
Definition: options.h:113
connection_entry::remote
const char * remote
Definition: options.h:112
init_options
void init_options(struct options *o, const bool init_gc)
Definition: options.c:805
options::machine_readable_output
bool machine_readable_output
Definition: options.h:395
MF_UNIX_SOCK
#define MF_UNIX_SOCK
Definition: manage.h:36
options::tls_crypt_v2_verify_script
const char * tls_crypt_v2_verify_script
Definition: options.h:677
options::key_pass_file
const char * key_pass_file
Definition: options.h:275
tun_driver_type
tun_driver_type
Definition: tun.h:45
iroute_ipv6
Definition: route.h:247
IPW32_SET_ADAPTIVE_DELAY_WINDOW
#define IPW32_SET_ADAPTIVE_DELAY_WINDOW
Definition: tun.h:70
DHCP_OPTIONS_DHCP_OPTIONAL
#define DHCP_OPTIONS_DHCP_OPTIONAL
Definition: tun.h:74
show_http_proxy_options
static void show_http_proxy_options(const struct http_proxy_options *o)
Definition: options.c:1674
OPT_P_SOCKFLAGS
#define OPT_P_SOCKFLAGS
Definition: options.h:757
usage_version
static void usage_version(void)
Definition: options.c:4880
status
static SERVICE_STATUS status
Definition: interactive.c:53
show_connection_entry
static void show_connection_entry(const struct connection_entry *o)
Definition: options.c:1742
connection_entry::tun_mtu_extra_defined
bool tun_mtu_extra_defined
Definition: options.h:131
options::ns_cert_type
int ns_cert_type
Definition: options.h:619
OPT_P_INHERIT
#define OPT_P_INHERIT
Definition: options.h:752
parse_http_proxy_override
static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, struct gc_arena *gc)
Definition: options.c:2139
options::packet_id_file
const char * packet_id_file
Definition: options.h:585
remote_entry::proto
int proto
Definition: options.h:183
options::push_ifconfig_remote_netmask
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:515
management
Definition: manage.h:335
show_settings
void show_settings(const struct options *o)
Definition: options.c:1838
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1033
tuntap_options::dns6
struct in6_addr dns6[N_DHCP_ADDR]
Definition: tun.h:143
show_dns_options
void show_dns_options(const struct dns_options *o)
Prints configured DNS options.
Definition: dns.c:432
dns_options
Definition: dns.h:70
dirname
char * dirname(char *path)
Definition: compat-dirname.c:62
tuntap_options::domain
const char * domain
Definition: tun.h:105
alloc_pull_filter_list
static struct pull_filter_list * alloc_pull_filter_list(struct options *o)
Definition: options.c:2301
CHKACC_PRIVATE
#define CHKACC_PRIVATE
Warn if this (private) file is group/others accessible.
Definition: options.c:3826
options::connection_list
struct connection_list * connection_list
Definition: options.h:289
options::cf_per
int cf_per
Definition: options.h:530
win_get_tempdir
const char * win_get_tempdir(void)
Definition: win32-util.c:152
options::ifconfig_remote_netmask
const char * ifconfig_remote_netmask
Definition: options.h:322
string_alloc_buf
struct buffer string_alloc_buf(const char *str, struct gc_arena *gc)
Definition: buffer.c:752
options::routes
struct route_option_list * routes
Definition: options.h:434
options::chroot_dir
const char * chroot_dir
Definition: options.h:377
WINDOWS_DRIVER_WINTUN
@ WINDOWS_DRIVER_WINTUN
Definition: tun.h:48
options::down_pre
bool down_pre
Definition: options.h:386
tuntap
Definition: tun.h:180
local_entry::local
const char * local
Definition: options.h:99
TLS_VER_1_3
#define TLS_VER_1_3
Definition: ssl_backend.h:109
socket.h
options::ifconfig_ipv6_pool_netbits
int ifconfig_ipv6_pool_netbits
Definition: options.h:497
options::mark
int mark
Definition: options.h:418
options::max_routes_per_client
int max_routes_per_client
Definition: options.h:536
options::cryptoapi_cert
const char * cryptoapi_cert
Definition: options.h:639
tuntap_options::dhcp_lease_time
int dhcp_lease_time
Definition: tun.h:96
show_p2mp_parms
static void show_p2mp_parms(const struct options *o)
Definition: options.c:1541
M_MSG_VIRT_OUT
#define M_MSG_VIRT_OUT
Definition: error.h:99
OPT_P_SCRIPT
#define OPT_P_SCRIPT
Definition: options.h:735
DRIVER_DCO
@ DRIVER_DCO
Definition: tun.h:55
options::server_bridge_pool_end
in_addr_t server_bridge_pool_end
Definition: options.h:485
options::sockflags
unsigned int sockflags
Definition: options.h:422
options::username
const char * username
Definition: options.h:375
connection_entry::mssfix_default
bool mssfix_default
Definition: options.h:143
dns_server::sni
const char * sni
Definition: dns.h:67
append_cipher_to_ncp_list
void append_cipher_to_ncp_list(struct options *o, const char *ciphername)
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
Definition: ssl_ncp.c:198
strsep
char * strsep(char **stringp, const char *delim)
Definition: compat-strsep.c:36
options_warning_extract_parm1
static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
Definition: options.c:4471
platform_chdir
int platform_chdir(const char *dir)
Definition: platform.c:393
AR_INTERACT
#define AR_INTERACT
Definition: options.h:904
OPT_P_NICE
#define OPT_P_NICE
Definition: options.h:746
IS_TYPE_BUF
#define IS_TYPE_BUF
Definition: options.c:5132
TOP_NET30
#define TOP_NET30
Definition: proto.h:42
config.h
options::ifconfig_pool_start
in_addr_t ifconfig_pool_start
Definition: options.h:489
setenv_settings
void setenv_settings(struct env_set *es, const struct options *o)
Definition: options.c:1030
USAGE_VALID_SERVER_PROTOS
#define USAGE_VALID_SERVER_PROTOS
http_proxy_options
Definition: proxy.h:44
DEFAULT_SEQ_BACKTRACK
#define DEFAULT_SEQ_BACKTRACK
Definition: packet_id.h:87
options::extra_certs_file
const char * extra_certs_file
Definition: options.h:601
ssl_ncp.h
connection_entry::bind_ipv6_only
bool bind_ipv6_only
Definition: options.h:115
MUST_BE_UNDEF
#define MUST_BE_UNDEF(parm, parm_name)
Definition: options.c:2398
dns_server::next
struct dns_server * next
Definition: dns.h:60
check_inline_file
static int check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
Definition: options.c:5209
connection_entry::fragment
int fragment
Definition: options.h:139
tuntap_options::dns_len
int dns_len
Definition: tun.h:115
setenv_connection_entry
static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
Definition: options.c:1000
options::up_restart
bool up_restart
Definition: options.h:388
MD_SHA1
@ MD_SHA1
Definition: crypto_backend.h:53
check_file_access
static bool check_file_access(const int type, const char *file, const int mode, const char *opt)
Definition: options.c:3830
gc_init
static void gc_init(struct gc_arena *a)
Definition: buffer.h:1012
options::ifconfig_pool_persist_filename
const char * ifconfig_pool_persist_filename
Definition: options.h:492
options_postprocess_verify_ce
static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
Definition: options.c:2404
connection_entry::tls_mtu
int tls_mtu
Definition: options.h:134
OPENVPN_8021Q_MIN_VID
#define OPENVPN_8021Q_MIN_VID
Definition: proto.h:311
options::auth_user_pass_verify_script_via_file
bool auth_user_pass_verify_script_via_file
Definition: options.h:541
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition: route.c:2785
route_option_list::flags
unsigned int flags
Definition: route.h:94
options::transition_window
int transition_window
Definition: options.h:660
SHOW_STR_INLINE
#define SHOW_STR_INLINE(var)
Definition: options.c:987
parse_argv
void parse_argv(struct options *options, const int argc, char *argv[], const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5372
tuntap_options::dhcp_options
int dhcp_options
Definition: tun.h:103
options_string_version
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition: options.c:4630
connection_entry::proto
int proto
Definition: options.h:107
dns_server_addr::a6
struct in6_addr a6
Definition: dns.h:53
SHOW_PARM
#define SHOW_PARM(name, value, format)
Definition: options.c:985
options_postprocess_setdefault_ncpciphers
void options_postprocess_setdefault_ncpciphers(struct options *o)
Checks for availibility of Chacha20-Poly1305 and sets the ncp_cipher to either AES-256-GCM:AES-128-GC...
Definition: ssl_ncp.c:591
options::mute_replay_warnings
bool mute_replay_warnings
Definition: options.h:582
options::ifconfig_ipv6_pool_base
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:496
options::auth_token_generate
bool auth_token_generate
Definition: options.h:542
options::ifconfig_ipv6_local
const char * ifconfig_ipv6_local
Definition: options.h:323
OPT_P_CONFIG
#define OPT_P_CONFIG
Definition: options.h:749
options::engine
const char * engine
Definition: options.h:580
push_entry::next
struct push_entry * next
Definition: pushlist.h:30
options::real_hash_size
int real_hash_size
Definition: options.h:499
options::priv_key_file
const char * priv_key_file
Definition: options.h:603
AR_NOINTERACT
#define AR_NOINTERACT
Definition: options.h:905
OPT_P_UP
#define OPT_P_UP
Definition: options.h:732
options::client_disconnect_script
const char * client_disconnect_script
Definition: options.h:502
remote_entry
Definition: options.h:179
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:893
options::push_option_types_found
unsigned int push_option_types_found
Definition: options.h:558
pre_connect_restore
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition: options.c:3299
options::stale_routes_ageing_time
int stale_routes_ageing_time
Definition: options.h:538
options::show_net_up
bool show_net_up
Definition: options.h:695
in_src::u
union in_src::@9 u
RG_DEF1
#define RG_DEF1
Definition: route.h:86
options::tmp_dir
const char * tmp_dir
Definition: options.h:466
options::cf_max
int cf_max
Definition: options.h:529
options::crl_file
const char * crl_file
Definition: options.h:616
apply_push_options
bool apply_push_options(struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:5485
options::iroutes_ipv6
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:512
helper.h
options_pre_connect::authname
const char * authname
Definition: options.h:83
remote_list::len
int len
Definition: options.h:206
constrain_int
static int constrain_int(int x, int min, int max)
Definition: integer.h:115
SF_HOST_RANDOMIZE
#define SF_HOST_RANDOMIZE
Definition: socket.h:224
COMP_F_ALLOW_ASYM
#define COMP_F_ALLOW_ASYM
Definition: comp.h:43
apply_pull_filter
static bool apply_pull_filter(const struct options *o, char *line)
Filter an option line by all pull filters.
Definition: options.c:5445
options::route_delay_window
int route_delay_window
Definition: options.h:432
PAR_NCT
#define PAR_NCT
Definition: proxy.h:50
dhcp_release_by_adapter_index
bool dhcp_release_by_adapter_index(const DWORD adapter_index)
Definition: tun.c:5185
OPT_P_ROUTE_EXTRAS
#define OPT_P_ROUTE_EXTRAS
Definition: options.h:753
CE_DISABLED
#define CE_DISABLED
Definition: options.h:150
SF_USE_IP_PKTINFO
#define SF_USE_IP_PKTINFO
Definition: socket.h:221
platform_access
int platform_access(const char *path, int mode)
Definition: platform.c:458
options::occ
bool occ
Definition: options.h:443
options::persist_mode
int persist_mode
Definition: options.h:273
options_postprocess_verify
static void options_postprocess_verify(const struct options *o)
Definition: options.c:3433
options::remote_list
struct remote_list * remote_list
Definition: options.h:291
OPENVPN_KU_REQUIRED
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
Definition: ssl_verify.h:248
options_pre_connect::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:66
options::pull_filter_list
struct pull_filter_list * pull_filter_list
Definition: options.h:716
options::push_ifconfig_local_alias
in_addr_t push_ifconfig_local_alias
Definition: options.h:516
connection_entry::af
sa_family_t af
Definition: options.h:108
options::push_ifconfig_constraint_network
in_addr_t push_ifconfig_constraint_network
Definition: options.h:518
http_custom_header::content
const char * content
Definition: proxy.h:40
dns_server_addr::a4
struct in_addr a4
Definition: dns.h:52
COMP_ALG_LZO
#define COMP_ALG_LZO
Definition: comp.h:49
MIN_SEQ_BACKTRACK
#define MIN_SEQ_BACKTRACK
Definition: packet_id.h:85
IPW32_SET_MANUAL
#define IPW32_SET_MANUAL
Definition: tun.h:81
options::route_script
const char * route_script
Definition: options.h:425
x509_track_add
void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
Definition: ssl_verify_openssl.c:424
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:356
ifconfig_pool_verify_range
bool ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_addr_t end)
Definition: pool.c:121
options::tuntap_options
struct tuntap_options tuntap_options
Definition: options.h:369
TUN_MTU_DEFAULT
#define TUN_MTU_DEFAULT
Definition: mtu.h:70
options::renegotiate_bytes
int64_t renegotiate_bytes
Definition: options.h:645
options_postprocess_mutate_invariant
static void options_postprocess_mutate_invariant(struct options *options)
Definition: options.c:3368
options::vlan_accept
enum vlan_acceptable_frames vlan_accept
Definition: options.h:713
alloc_buf
struct buffer alloc_buf(size_t size)
Definition: buffer.c:62
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition: ssl_backend.h:104
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:328
options::route_delay
int route_delay
Definition: options.h:431
options::ifconfig_local
const char * ifconfig_local
Definition: options.h:321
connection_entry::tun_mtu
int tun_mtu
Definition: options.h:125
options::push_ifconfig_local
in_addr_t push_ifconfig_local
Definition: options.h:514
memdbg.h
dns_server_priority_parse
bool dns_server_priority_parse(long *priority, const char *str, bool pulled)
Parses a string DNS server priority and validates it.
Definition: dns.c:160
options::user_script_used
bool user_script_used
Definition: options.h:385
options::learn_address_script
const char * learn_address_script
Definition: options.h:503
connection_entry::tun_mtu_max
int tun_mtu_max
Definition: options.h:127
DEFAULT_TIME_BACKTRACK
#define DEFAULT_TIME_BACKTRACK
Definition: packet_id.h:96
options::ping_rec_timeout_action
int ping_rec_timeout_action
Definition: options.h:355
auth_retry_set
bool auth_retry_set(const int msglevel, const char *option)
Definition: options.c:4761
DEV_TYPE_UNDEF
#define DEV_TYPE_UNDEF
Definition: proto.h:35
options::bind_dev
char * bind_dev
Definition: options.h:419
alloc_pull_filter
static struct pull_filter * alloc_pull_filter(struct options *o)
Definition: options.c:2311
options::mtu_test
bool mtu_test
Definition: options.h:332
options::management_client_user
const char * management_client_user
Definition: options.h:453
options::ciphername
const char * ciphername
Definition: options.h:573
options::inactivity_timeout
int inactivity_timeout
Definition: options.h:343
options::suppress_timestamps
bool suppress_timestamps
Definition: options.h:394
OPT_P_EXPLICIT_NOTIFY
#define OPT_P_EXPLICIT_NOTIFY
Definition: options.h:750
title_string
const char title_string[]
Definition: options.c:69
COMP_ALGV2_LZ4
#define COMP_ALGV2_LZ4
Definition: comp.h:56
connection_entry::local_port
const char * local_port
Definition: options.h:109
M_USAGE
#define M_USAGE
Definition: error.h:106
setenv_str_safe
void setenv_str_safe(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:289
CO_USE_CC_EXIT_NOTIFY
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition: crypto.h:368
options::dev_node
const char * dev_node
Definition: options.h:318
msg
#define msg(flags,...)
Definition: error.h:144
env_set_get
const char * env_set_get(const struct env_set *es, const char *name)
Definition: env_set.c:201
pkcs11_id_management
static bool pkcs11_id_management
Definition: test_pkcs11.c:136
OPT_P_MTU
#define OPT_P_MTU
Definition: options.h:745
http_proxy_options::custom_headers
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
Definition: proxy.h:58
options::auth_user_pass_verify_script
const char * auth_user_pass_verify_script
Definition: options.h:540
OPT_P_PEER_ID
#define OPT_P_PEER_ID
Definition: options.h:759
gc_realloc
void * gc_realloc(void *ptr, size_t size, struct gc_arena *a)
allows to realloc a pointer previously allocated by gc_malloc or gc_realloc
Definition: buffer.c:370
push_entry::enable
bool enable
Definition: pushlist.h:31
pull_filter::next
struct pull_filter * next
Definition: options.c:953
parse_windows_driver
static enum tun_driver_type parse_windows_driver(const char *str, const int msglevel)
Parses –windows-driver config option.
Definition: options.c:4676
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition: mtu.h:131
options_pre_connect::ping_rec_timeout
int ping_rec_timeout
Definition: options.h:86
options::ifconfig_pool_persist_refresh_freq
int ifconfig_pool_persist_refresh_freq
Definition: options.h:493
setenv_long_long
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:275
SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_OPTIONAL
Definition: ssl_common.h:416
alloc_local_list_if_undef
static struct local_list * alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
Definition: options.c:2203
remote_list
Definition: options.h:203
options::ifconfig_ipv6_remote
const char * ifconfig_ipv6_remote
Definition: options.h:325
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition: manage.h:43
http-client.f
string f
Definition: http-client.py:6
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition: common.h:69
MF_UP_DOWN
#define MF_UP_DOWN
Definition: manage.h:40
options::lladdr
const char * lladdr
Definition: options.h:319
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:240
options::server_bridge_defined
bool server_bridge_defined
Definition: options.h:481
dhcp
Definition: dhcp.h:53
ALLOC_ARRAY_GC
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition: buffer.h:1071
remote_list::capacity
int capacity
Definition: options.h:205
SHOW_BOOL
#define SHOW_BOOL(var)
Definition: options.c:995
pre_connect_save
static void pre_connect_save(struct options *o)
Definition: options.c:3257
CONNECTION_LIST_SIZE
#define CONNECTION_LIST_SIZE
Definition: options.h:187
BOOL_CAST
#define BOOL_CAST(x)
Definition: basic.h:27
buf_set_read
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition: buffer.h:348
options_warning
void options_warning(char *actual, const char *expected)
Definition: options.c:4465
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1092
options::ca_file_inline
bool ca_file_inline
Definition: options.h:595
options::management_user_pass
const char * management_user_pass
Definition: options.h:448
NS_CERT_CHECK_SERVER
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:243
options::push_ifconfig_constraint_netmask
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:519
options::remote_cert_eku
const char * remote_cert_eku
Definition: options.h:621
options::pull
bool pull
Definition: options.h:556
print_default_gateway
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1335
NS_CERT_CHECK_CLIENT
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
Definition: ssl_verify.h:245
PROTO_UDP
@ PROTO_UDP
Definition: socket.h:568
TLS_SERVER
#define TLS_SERVER
GETADDR_FATAL
#define GETADDR_FATAL
Definition: socket.h:518
PROTO_TCP
@ PROTO_TCP
Definition: socket.h:569
tuntap_options::ntp
in_addr_t ntp[N_DHCP_ADDR]
Definition: tun.h:122
clone_dns_options
struct dns_options clone_dns_options(const struct dns_options *o, struct gc_arena *gc)
Makes a deep copy of the passed DNS options.
Definition: dns.c:251
COMP_F_ALLOW_STUB_ONLY
#define COMP_F_ALLOW_STUB_ONLY
Definition: comp.h:41
options_warning_safe_ml
static void options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
Definition: options.c:4575
dev_type_enum
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:489
gc
struct gc_arena gc
Definition: test_ssl.c:155
dhcp_option_dns6_parse
static void dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
Definition: options.c:1337
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
buf_parse
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition: buffer.c:825
options::route_default_gateway
const char * route_default_gateway
Definition: options.h:427
check_tls_prf_working
bool check_tls_prf_working(void)
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS K...
Definition: crypto.c:1941
local_entry::proto
int proto
Definition: options.h:101
Generated by   doxygen 1.8.17