OpenVPN
options.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2026 David Sommerseth <dazo@eurephia.org>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <https://www.gnu.org/licenses/>.
22 */
23
24/*
25 * 2004-01-28: Added Socks5 proxy support
26 * (Christof Meerwald, https://cmeerw.org)
27 */
28
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32#ifdef HAVE_CONFIG_VERSION_H
33#include "config-version.h"
34#endif
35
36#include "syshead.h"
37
38#include "buffer.h"
39#include "error.h"
40#include "common.h"
41#include "run_command.h"
42#include "shaper.h"
43#include "crypto.h"
44#include "ssl.h"
45#include "ssl_ncp.h"
46#include "options.h"
47#include "misc.h"
48#include "socket_util.h"
49#include "packet_id.h"
50#include "pkcs11.h"
51#include "win32.h"
52#include "push.h"
53#include "pool.h"
54#include "proto.h"
55#include "helper.h"
56#include "manage.h"
57#include "forward.h"
58#include "ssl_verify.h"
59#include "platform.h"
60#include "xkey_common.h"
61#include "dco.h"
62#include "options_util.h"
63#include "tun_afunix.h"
64#include "domain_helper.h"
65#include "mbuf.h"
66
67#include <ctype.h>
68
69#include "memdbg.h"
70#include "options_util.h"
71
73#ifdef CONFIGURE_GIT_REVISION
74 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
75#endif
76 " " TARGET_ALIAS
77#if defined(ENABLE_CRYPTO_MBEDTLS)
78 " [SSL (mbed TLS)]"
79#elif defined(ENABLE_CRYPTO_OPENSSL)
80 " [SSL (OpenSSL)]"
81#else
82 " [SSL]"
83#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
84#ifdef USE_COMP
85#ifdef ENABLE_LZO
86 " [LZO]"
87#endif
88#ifdef ENABLE_LZ4
89 " [LZ4]"
90#endif
91#ifdef ENABLE_COMP_STUB
92 " [COMP_STUB]"
93#endif
94#endif /* USE_COMP */
95#if EPOLL
96 " [EPOLL]"
97#endif
98#ifdef PRODUCT_TAP_DEBUG
99 " [TAPDBG]"
100#endif
101#ifdef ENABLE_PKCS11
102 " [PKCS11]"
103#endif
104#if ENABLE_IP_PKTINFO
105#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
106 " [MH/PKTINFO]"
107#elif defined(IP_RECVDSTADDR)
108 " [MH/RECVDA]"
109#endif
110#endif
111 " [AEAD]"
112#ifdef ENABLE_DCO
113 " [DCO]"
114#endif
115#ifdef CONFIGURE_GIT_REVISION
116 " built on " __DATE__
117#endif
118 ;
119
120#ifndef ENABLE_SMALL
121
122static const char usage_message[] =
123 "%s\n"
124 "\n"
125 "General Options:\n"
126 "--config file : Read configuration options from file.\n"
127 "--help : Show options.\n"
128 "--version : Show copyright and version information.\n"
129 "\n"
130 "Tunnel Options:\n"
131 "--local host|* [port]: Local host name or IP address and port for bind.\n"
132 " If specified, OpenVPN will bindto this address. If unspecified,\n"
133 " OpenVPN will bind to all interfaces. '*' can be used as hostname\n"
134 " and means 'any host' (OpenVPN will listen on what is returned by the OS).\n"
135 " On a client, or in point-to-point mode, this can only be specified once (1 socket).\n"
136 " On an OpenVPN setup running as ``--server``, this can be specified multiple times\n"
137 " to open multiple listening sockets on different addresses and/or different ports.\n"
138 " In order to specify multiple listen ports without specifying an address, use '*'\n"
139 " to signal 'use what the operating system gives you as default', for\n"
140 " 'all IPv4 addresses' use '0.0.0.0', for 'all IPv6 addresses' use '::'.\n"
141 " ``--local`` implies ``--bind``.\n"
142 "--remote host [port] : Remote host name or ip address.\n"
143 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
144 "--remote-random-hostname : Add a random string to remote DNS name.\n"
145 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
146 "--proto p : Use protocol p for communicating with peer.\n"
147 " p = udp (default), tcp-server, tcp-client\n"
148 " udp4, tcp4-server, tcp4-client\n"
149 " udp6, tcp6-server, tcp6-client\n"
150 "--proto-force p : only consider protocol p in list of connection profiles.\n"
151 " p = udp or tcp\n"
152 "--connect-retry n [m] : For client, number of seconds to wait between\n"
153 " connection retries (default=%d). On repeated retries\n"
154 " the wait time is exponentially increased to a maximum of m\n"
155 " (default=%d).\n"
156 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
157 "--http-proxy s p [up] [auth] : Connect to remote host\n"
158 " through an HTTP proxy at address s and port p.\n"
159 " If proxy authentication is required,\n"
160 " up is a file containing username/password on 2 lines, or\n"
161 " 'stdin' to prompt from console.\n"
162 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
163 " determine auth method and query for username/password\n"
164 " if needed. auto-nct disables weak proxy auth methods.\n"
165 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
166 " Repeat to set multiple options.\n"
167 " VERSION version (default=1.0)\n"
168 " AGENT user-agent\n"
169 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
170 " address s and port p (default port = 1080).\n"
171 " If proxy authentication is required,\n"
172 " up is a file containing username/password on 2 lines, or\n"
173 " 'stdin' to prompt for console.\n"
174 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
175 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
176 " resolve for n seconds before failing (disabled by default).\n"
177 " Set n=\"infinite\" to retry indefinitely.\n"
178 "--preresolve : Resolve configured --remote, --local, and proxy hostnames at startup.\n"
179 "--float : Allow remote to change its IP address/port, such as through\n"
180 " DHCP (this is the default if --remote is not used).\n"
181 "--ipchange cmd : Run command cmd on remote ip address initial\n"
182 " setting or change -- execute as: cmd ip-address port#\n"
183 "--port port : TCP/UDP port # for both local and remote.\n"
184 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
185 "--rport port : TCP/UDP port # for remote (default=%s).\n"
186 "--bind : Bind to local address and port. (This is the default unless\n"
187 " --proto tcp-client"
188 " or --http-proxy"
189 " or --socks-proxy"
190 " is used).\n"
191 "--nobind : Do not bind to local address and port.\n"
192 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
193 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
194 " this option only if the tun/tap device used with --dev\n"
195 " does not begin with \"tun\" or \"tap\".\n"
196 "--dev-node node : Explicitly set the device node rather than using\n"
197 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
198#if defined(ENABLE_DCO)
199 "--disable-dco : Do not attempt using Data Channel Offload.\n"
200#endif
201 "--lladdr hw : Set the link layer address of the tap device.\n"
202 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
203#ifdef ENABLE_IPROUTE
204 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
205#endif
206 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
207 " endpoint and rn as a remote endpoint. l & rn should be\n"
208 " swapped on the other peer. l & rn must be private\n"
209 " addresses outside of the subnets used by either peer.\n"
210 " TAP: configure device to use IP address l as a local\n"
211 " endpoint and rn as a subnet mask.\n"
212 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
213 " endpoint (as a /64) and r as remote endpoint\n"
214 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
215 " pass --ifconfig parms by environment to scripts.\n"
216 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
217 " connection doesn't match the remote side.\n"
218#ifdef TARGET_LINUX
219 "--route-table table_id : Specify a custom routing table for use with --route(-ipv6).\n"
220 " If not specified, the id of the default routing table will be used.\n"
221#endif
222 "--route network [netmask] [gateway] [metric] :\n"
223 " Add route to routing table after connection\n"
224 " is established. Multiple routes can be specified.\n"
225 " netmask default: 255.255.255.255\n"
226 " gateway default: taken from --route-gateway or --ifconfig\n"
227 " Specify default by leaving blank or setting to \"default\".\n"
228 "--route-ipv6 network/bits [gateway] [metric] :\n"
229 " Add IPv6 route to routing table after connection\n"
230 " is established. Multiple routes can be specified.\n"
231 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
232 " in --ifconfig-ipv6\n"
233 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
234 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
235 "--route-metric m : Specify a default metric for use with --route.\n"
236 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
237 " adding routes (may be 0). If not specified, routes will\n"
238 " be added immediately after tun/tap open. On Windows, wait\n"
239 " up to w seconds for TUN/TAP adapter to come up.\n"
240 "--route-up cmd : Run command cmd after routes are added.\n"
241 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
242 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
243 " --route-up script using environmental variables.\n"
244 "--route-nopull : When used with --client or --pull, accept options pushed\n"
245 " by server EXCEPT for routes, dns, and dhcp options.\n"
246 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
247 " --ifconfig, --route, and --route-gateway.\n"
248 "--redirect-gateway [flags]: Automatically execute routing\n"
249 " commands to redirect all outgoing IP traffic through the\n"
250 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
251 " connected via a common subnet, such as with WiFi.\n"
252 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
253 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
254 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
255 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
256 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
257 " the default gateway. Useful when pushing private subnets.\n"
258 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
259 " ICMPv6 host unreachable messages on the client.\n"
260 " (Server) Instead of forwarding IPv6 packets send\n"
261 " ICMPv6 host unreachable packets to the client.\n"
262 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
263 "--push-peer-info : (client only) push client info to server.\n"
264 "--setenv name value : Set a custom environmental variable to pass to script.\n"
265 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
266 " directives for future OpenVPN versions to be ignored.\n"
267 "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
268 " these options to be ignored when unknown\n"
269 "--script-security level: Where level can be:\n"
270 " 0 -- strictly no calling of external programs\n"
271 " 1 -- (default) only call built-ins such as ifconfig\n"
272 " 2 -- allow calling of built-ins and scripts\n"
273 " 3 -- allow password to be passed to scripts via env\n"
274 "--shaper n : Restrict output to peer to n bytes per second.\n"
275 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
276 " ping once every n seconds, restart if ping not received\n"
277 " for m seconds.\n"
278 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
279 " produces a combined in/out byte count < bytes.\n"
280 "--session-timeout n: Limit connection time to n seconds.\n"
281 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
282 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
283 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
284 " remote address.\n"
285 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
286#if ENABLE_IP_PKTINFO
287 "--multihome : Configure a multi-homed UDP server.\n"
288#endif
289 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
290 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
291 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
292 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
293#if PASSTOS_CAPABILITY
294 "--passtos : TOS passthrough (applies to IPv4 only).\n"
295#endif
296 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
297 " TCP/UDP MTU from it (default=%d).\n"
298 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
299 " as n bytes more than the tun-mtu size on read\n"
300 " (default TUN=0 TAP=%d).\n"
301 "--tun-mtu-max n : Maximum pushable MTU (default and minimum=%d).\n"
302 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
303 " from it.\n"
304 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
305 " 'no' -- Never send DF (Don't Fragment) frames\n"
306 " 'maybe' -- Use per-route hints\n"
307 " 'yes' -- Always DF (Don't Fragment)\n"
308 "--mtu-test : Empirically measure and report MTU.\n"
309#ifdef ENABLE_FRAGMENT
310 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
311 " datagrams are sent which are larger than max bytes.\n"
312 " Adds 4 bytes of overhead per datagram.\n"
313#endif
314 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
315 " or --fragment max value, whichever is lower.\n"
316 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
317 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
318#if defined(TARGET_LINUX)
319 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
320 " can be matched in policy routing and packetfilter rules.\n"
321 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
322 " listening for connections. This allows sending encrypted packets\n"
323 " via a VRF present on the system.\n"
324#endif
325 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
326 "--mlock : Disable Paging -- ensures key material and tunnel\n"
327 " data will never be written to disk.\n"
328 "--up cmd : Run command cmd after successful tun device open.\n"
329 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
330 " ifconfig-local-ip ifconfig-remote-ip\n"
331 " (pre --user or --group UID/GID change)\n"
332 "--up-delay : Delay tun/tap open and possible --up script execution\n"
333 " until after TCP/UDP connection establishment with peer.\n"
334 "--down cmd : Run command cmd after tun device close.\n"
335 " (post --user/--group UID/GID change and/or --chroot)\n"
336 " (command parameters are same as --up option)\n"
337 "--down-pre : Run --down command before TUN/TAP close.\n"
338 "--up-restart : Run up/down commands for all restarts including those\n"
339 " caused by --ping-restart or SIGUSR1\n"
340 "--user user : Set UID to user after initialization.\n"
341 "--group group : Set GID to group after initialization.\n"
342 "--chroot dir : Chroot to this directory after initialization.\n"
343#ifdef ENABLE_SELINUX
344 "--setcon context: Apply this SELinux context after initialization.\n"
345#endif
346 "--cd dir : Change to this directory before initialization.\n"
347 "--daemon [name] : Become a daemon after initialization.\n"
348 " The optional 'name' parameter will be passed\n"
349 " as the program name to the system logger.\n"
350 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
351 " See --daemon above for a description of the 'name' parm.\n"
352 "--log file : Output log to file which is created/truncated on open.\n"
353 "--log-append file : Append log to file, or create file if nonexistent.\n"
354 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
355 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
356 "--writepid file : Write main process ID to file.\n"
357 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
358 "--echo [parms ...] : Echo parameters to log output.\n"
359 "--verb n : Set output verbosity to n (default=%d):\n"
360 " (Level 3 is recommended if you want a good summary\n"
361 " of what's happening without being swamped by output).\n"
362 " : 0 -- no output except fatal errors\n"
363 " : 1 -- startup info + connection initiated messages +\n"
364 " non-fatal encryption & net errors\n"
365 " : 2,3 -- show TLS negotiations & route info\n"
366 " : 4 -- show parameters\n"
367 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
368 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
369 " : 6 to 11 -- debug messages of increasing verbosity\n"
370 "--mute n : Log at most n consecutive messages in the same category.\n"
371 "--status file [n] : Write operational status to file every n seconds.\n"
372 "--status-version [n] : Choose the status file format version number.\n"
373 " Currently, n can be 1, 2, or 3 (default=1).\n"
374 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
375#ifdef ENABLE_DEBUG
376 "--gremlin mask : Special stress testing mode (for debugging only).\n"
377#endif
378#if defined(USE_COMP)
379 "--compress alg : Use compression algorithm alg\n"
380 "--allow-compression: Specify whether compression should be allowed\n"
381#if defined(ENABLE_LZO)
382 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
383 " packet for incompressible data.\n"
384 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
385 " is specified.\n"
386#endif
387#endif
388#ifdef ENABLE_MANAGEMENT
389 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
390 " management functions. pass is a password file\n"
391 " or 'stdin' to prompt from console.\n"
392#if UNIX_SOCK_SUPPORT
393 " To listen on a unix domain socket, specific the pathname\n"
394 " in place of ip and use 'unix' as the port number.\n"
395#endif
396 "--management-client : Management interface will connect as a TCP client to\n"
397 " ip/port rather than listen as a TCP server.\n"
398 "--management-query-passwords : Query management channel for private key\n"
399 " and auth-user-pass passwords.\n"
400 "--management-query-proxy : Query management channel for proxy information.\n"
401 "--management-query-remote : Query management channel for --remote directive.\n"
402 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
403 " of the management interface explicitly starts it.\n"
404 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
405 "--management-forget-disconnect : Forget passwords when management disconnect\n"
406 " event occurs.\n"
407 "--management-up-down : Report tunnel up/down events to management interface.\n"
408 "--management-log-cache n : Cache n lines of log file history for usage\n"
409 " by the management channel.\n"
410#if UNIX_SOCK_SUPPORT
411 "--management-client-user u : When management interface is a unix socket, only\n"
412 " allow connections from user u.\n"
413 "--management-client-group g : When management interface is a unix socket, only\n"
414 " allow connections from group g.\n"
415#endif
416 "--management-client-auth : gives management interface client the responsibility\n"
417 " to authenticate clients after their client certificate\n"
418 " has been verified.\n"
419#endif /* ifdef ENABLE_MANAGEMENT */
420#ifdef ENABLE_PLUGIN
421 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
422 " to its initialization function.\n"
423#endif
424 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
425 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
426 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
427 "\n"
428 "Multi-Client Server options (when --mode server is used):\n"
429 "--server network netmask : Helper option to easily configure server mode.\n"
430 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
431 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
432 " easily configure ethernet bridging server mode.\n"
433 "--push \"option\" : Push a config file option back to the peer for remote\n"
434 " execution. Peer must specify --pull in its config file.\n"
435 "--push-reset : Don't inherit global push list for specific\n"
436 " client instance.\n"
437 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
438 " a specific client instance.\n"
439 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
440 " to be dynamically allocated to connecting clients.\n"
441 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
442 " data to file, at seconds intervals (default=600).\n"
443 " If seconds=0, file will be treated as read-only.\n"
444 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
445 " to be dynamically allocated to connecting clients.\n"
446 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
447 " overrides --ifconfig-pool dynamic allocation.\n"
448 " Only valid in a client-specific config file.\n"
449 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
450 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
451 " Only valid in a client-specific config file.\n"
452 "--iroute network [netmask] : Route subnet to client.\n"
453 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
454 " Sets up internal routes only.\n"
455 " Only valid in a client-specific config file.\n"
456 "--disable : Client is disabled.\n"
457 " Only valid in a client-specific config file.\n"
458 "--override-username: Overrides the client-specific username to be used.\n"
459 " Only valid in a client-specific config file.\n"
460 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
461 " mandatory client certificate verification.\n"
462 " Default is to require the client to supply a certificate.\n"
463 "--username-as-common-name : For auth-user-pass authentication, use\n"
464 " the authenticated username as the common name,\n"
465 " rather than the common name from the client cert.\n"
466 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
467 " run command cmd to verify. If method='via-env', pass\n"
468 " user/pass via environment, if method='via-file', pass\n"
469 " user/pass via temporary file.\n"
470 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
471 " to each client, replacing the password. Useful when\n"
472 " OTP based two-factor auth mechanisms are in use and\n"
473 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
474 " for generated tokens can be set.\n"
475 "--auth-user-pass-optional : Allow connections by clients that don't\n"
476 " specify a username/password.\n"
477 "--client-to-client : Internally route client-to-client traffic.\n"
478 "--duplicate-cn : Allow multiple clients with the same common name to\n"
479 " concurrently connect.\n"
480 "--client-connect cmd : Run command cmd on client connection.\n"
481 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
482 "--client-config-dir dir : Directory for custom client config files.\n"
483 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
484 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
485 "--hash-size r v : Set the size of the real address hash table to r and the\n"
486 " virtual address table to v.\n"
487 "--bcast-buffers n : Allocate n broadcast buffers.\n"
488 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
489 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
490 " as well as pushes it to connecting clients.\n"
491 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
492 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
493 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
494 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
495 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
496 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
497 " older than n seconds. Run this check every t\n"
498 " seconds (defaults to n).\n"
499 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
500 " clients. n = 1 - reconnect to same server,\n"
501 " 2 - advance to next server, default=1.\n"
502#if PORT_SHARE
503 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
504 " sessions to a web server at host:port. dir specifies an\n"
505 " optional directory to write origin IP:port data.\n"
506#endif
507 "\n"
508 "Client options (when connecting to a multi-client server):\n"
509 "--client : Helper option to easily configure client mode.\n"
510 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
511 " up is a file containing the username on the first line,\n"
512 " and a password on the second. If either the password or both\n"
513 " the username and the password are omitted OpenVPN will prompt\n"
514 " for them from console. If [up] is 'username-only', only username\n"
515 " will be prompted for from console or management interface.\n"
516 "--pull : Accept certain config file options from the peer as if they\n"
517 " were part of the local config file. Must be specified\n"
518 " when connecting to a '--mode server' remote host.\n"
519 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
520 " server if it starts with the text t. The action flag accept,\n"
521 " ignore or reject causes the option to be allowed, removed or\n"
522 " rejected with error. May be specified multiple times, and\n"
523 " each filter is applied in the order of appearance.\n"
524 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
525 " Valid options are :\n"
526 " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
527 " resolve-domains <domain> [domain ...] : split domains\n"
528 " dnssec <yes|no|optional> : option to use DNSSEC\n"
529 " transport <DoH|DoT> : query server over HTTPS / TLS\n"
530 " sni <domain> : DNS server name indication\n"
531 "--dns search-domains <domain> [domain ...]:\n"
532 " Add domains to DNS domain search list\n"
533 "--dns-updown cmd|force|disable : Run cmd as user defined dns config command,\n"
534 " force running the default script or disable running it.\n"
535 "--auth-retry t : How to handle auth failures. Set t to\n"
536 " none (default), interact, or nointeract.\n"
537 "--static-challenge t e [<scrv1|concat>]: Enable static challenge/response protocol using\n"
538 " challenge text t, with e indicating echo flag (0|1)\n"
539 " and optional argument scrv1 or concat to use SCRV1 protocol or"
540 " concatenate response with password. Default is scrv1.\n"
541 "--connect-timeout n : when polling possible remote servers to connect to\n"
542 " in a round-robin fashion, spend no more than n seconds\n"
543 " waiting for a response before trying the next server.\n"
544 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
545 " incoming tun packets with same destination as host.\n"
546 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
547 " server/remote. n = # of retries, default=1.\n"
548 "\n"
549 "Data Channel Encryption Options (must be compatible between peers):\n"
550 "(These options are meaningful for both Static Key & TLS-mode)\n"
551 "--auth alg : Authenticate packets with HMAC using message\n"
552 " digest algorithm alg (default=%s).\n"
553 " (usually adds 16 or 20 bytes per packet)\n"
554 " Set alg=none to disable authentication.\n"
555 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
556 " You should usually use --data-ciphers instead.\n"
557 " Set alg=none to disable encryption.\n"
558 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
559#ifndef ENABLE_CRYPTO_MBEDTLS
560 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
561#endif
562 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
563 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
564 " and a time window of t seconds.\n"
565 " Default n=%d t=%d\n"
566 "--replay-persist file : Persist replay-protection state across sessions\n"
567 " using file.\n"
568 "--test-crypto : Run a self-test of crypto features enabled.\n"
569 " For debugging only.\n"
570 "\n"
571 "TLS Key Negotiation Options:\n"
572 "(These options are meaningful only for TLS-mode)\n"
573 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
574 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
575 "--ca file : Certificate authority file in .pem format containing\n"
576 " root certificate.\n"
577#ifndef ENABLE_CRYPTO_MBEDTLS
578 "--capath dir : A directory of trusted certificates (CAs"
579 " and CRLs).\n"
580#endif /* ENABLE_CRYPTO_MBEDTLS */
581 "--dh file : File containing Diffie Hellman parameters\n"
582 " in .pem format (for --tls-server only).\n"
583 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
584 "--cert file : Local certificate in .pem format or a URI -- must be signed\n"
585 " by a Certificate Authority in --ca file used by the peer.\n"
586 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
587 "--key file : Local private key in .pem format or a URI.\n"
588 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
589 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
590 " is specified, require max TLS version supported by SSL implementation.\n"
591 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
592#ifndef ENABLE_CRYPTO_MBEDTLS
593 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
594 " and optionally the root CA certificate.\n"
595 "--x509-username-field : Field in x509 certificate containing the username.\n"
596 " Default is CN in the Subject field.\n"
597#endif
598 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
599 " Valid algo flags are SHA1 and SHA256. \n"
600#ifdef _WIN32
601 "--cryptoapicert select-string : Load the certificate and private key from the\n"
602 " Windows Certificate System Store.\n"
603#endif
604 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
605 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
606 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
607 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
608 " (default=legacy).\n"
609 "--providers l : A list l of OpenSSL providers to load.\n"
610 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
611 " if no ACK from remote within n seconds (default=%d).\n"
612 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
613 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
614 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
615 " and at least min (defaults to 90%% of max on servers and equal\n"
616 " to max on clients).\n"
617 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
618 " of handshake initiation by any peer (default=%d).\n"
619 "--tran-window n : Transition window -- old key can live this many seconds\n"
620 " after new key renegotiation begins (default=%d).\n"
621 "--single-session: Allow only one session (reset state on restart).\n"
622 "--tls-exit : Exit on TLS negotiation failure.\n"
623 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
624 " control channel to protect against attacks on the TLS stack\n"
625 " and DoS attacks.\n"
626 " f (required) is a shared-secret key file.\n"
627 " The optional d parameter controls key directionality.\n"
628 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
629 " of the TLS control channel to hide the TLS certificate,\n"
630 " provide basic post-quantum security and protect against\n"
631 " attacks on the TLS stack and DoS attacks.\n"
632 " key (required) provides the pre-shared key file.\n"
633 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
634 " For servers: use key to decrypt client-specific keys. For\n"
635 " key generation (--genkey tls-crypt-v2-client): use key to\n"
636 " encrypt generated client-specific key. (See --tls-crypt.)\n"
637 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
638 " fresh tls-crypt-v2 client key, and store to\n"
639 " keyfile. If supplied, include metadata in wrapped key.\n"
640 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
641 " fresh tls-crypt-v2 server key, and store to keyfile\n"
642 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
643 " client-supplied tls-crypt-v2 client key\n"
644 "--tls-crypt-v2-max-age n : Only accept tls-crypt-v2 client keys that have a\n"
645 " timestamp which is at most n days old.\n"
646 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
647 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
648 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
649 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
650 " pending TLS connection that has otherwise passed all other\n"
651 " tests of certification. cmd should return 0 to allow\n"
652 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
653 " executed as 'cmd certificate_depth subject')\n"
654 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
655 " DN name. The remote host must also pass all other tests\n"
656 " of verification.\n"
657#ifndef ENABLE_CRYPTO_MBEDTLS
658 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
659 " an explicit nsCertType designation t = 'client' | 'server'.\n"
660#endif
661 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
662 " plugins and management interface.\n"
663 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
664 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
665 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
666 " explicit key usage, you can specify more than one value.\n"
667 " value should be given in hex format.\n"
668 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
669 " explicit extended key usage. Extended key usage can be encoded\n"
670 " as an object identifier or OpenSSL string representation.\n"
671 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
672 " key usage and extended key usage based on RFC3280 TLS rules.\n"
673 " t = 'client' | 'server'.\n"
674#ifdef ENABLE_PKCS11
675 "\n"
676 "PKCS#11 Options:\n"
677 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
678 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
679 " path. Set for each provider.\n"
680 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
681 " 0 : Try to determine automatically (default).\n"
682 " 1 : Use Sign.\n"
683 " 2 : Use SignRecover.\n"
684 " 4 : Use Decrypt.\n"
685 " 8 : Use Unwrap.\n"
686 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
687 " certificate can be accessed. Set for each provider.\n"
688 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
689 " cache until token is removed.\n"
690 "--pkcs11-id-management : Acquire identity from management interface.\n"
691 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
692#endif /* ENABLE_PKCS11 */
693 "\n"
694 "SSL Library information:\n"
695 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
696 "--show-digests : Show message digest algorithms to use with --auth option.\n"
697 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
698 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
699#ifdef _WIN32
700 "\n"
701 "Windows Specific:\n"
702 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
703 " from SystemRoot environment variable.\n"
704 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
705 " IP address using method = manual, netsh, ipapi,\n"
706 " dynamic, or adaptive (default = adaptive).\n"
707 " Dynamic method allows two optional parameters:\n"
708 " offset: DHCP server address offset (> -256 and < 256).\n"
709 " If 0, use network address, if >0, take nth\n"
710 " address forward from network address, if <0,\n"
711 " take nth address backward from broadcast\n"
712 " address.\n"
713 " Default is 0.\n"
714 " lease-time: Lease time in seconds.\n"
715 " Default is one year.\n"
716 "--route-method : Which method to use for adding routes on Windows?\n"
717 " adaptive (default) -- Try ipapi then fall back to exe.\n"
718 " ipapi -- Use IP helper API.\n"
719 " exe -- Call the route.exe shell command.\n"
720 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
721 " be used with --ip-win32 dynamic. For options\n"
722 " which allow multiple addresses,\n"
723 " --dhcp-option must be repeated.\n"
724 " DOMAIN name : Set DNS suffix\n"
725 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
726 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
727 " NTP : Set NTP server address(es)\n"
728 " NBDD : Set NBDD server address(es)\n"
729 " WINS addr : Set WINS server address(es)\n"
730 " NBT type : Set NetBIOS over TCP/IP Node type\n"
731 " 1: B, 2: P, 4: M, 8: H\n"
732 " NBS id : Set NetBIOS scope ID\n"
733 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
734 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
735 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
736 " startup.\n"
737 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
738 " on connection initiation.\n"
739 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
740 " attempting to set adapter properties.\n"
741 "--pause-exit : When run from a console window, pause before exiting.\n"
742 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
743 " service, and should not be used directly by end-users.\n"
744 " ex is the name of an event object which, when\n"
745 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
746 " optional parameter controls the initial state of ex.\n"
747 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
748 " after TAP adapter is up and routes have been added.\n"
749 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
750 "Windows Standalone Options:\n"
751 "\n"
752 "--show-adapters : Show all TAP-Windows adapters.\n"
753 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
754 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
755 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
756 " to access TAP adapter.\n"
757#endif /* ifdef _WIN32 */
758 "\n"
759 "Generate a new key :\n"
760 "--genkey tls-auth file : Generate a new random key of type and write to file\n"
761 " (for use with --tls-auth or --tls-crypt)."
762#ifdef ENABLE_FEATURE_TUN_PERSIST
763 "\n"
764 "Tun/tap config mode:\n"
765 "--mktun : Create a persistent tunnel.\n"
766 "--rmtun : Remove a persistent tunnel.\n"
767 "--dev tunX|tapX : tun/tap device\n"
768 "--dev-type dt : Device type. See tunnel options above for details.\n"
769 "--user user : User to set privilege to.\n"
770 "--group group : Group to set privilege to.\n"
771#endif
772#ifdef ENABLE_PKCS11
773 "\n"
774 "PKCS#11 standalone options:\n"
775#ifdef DEFAULT_PKCS11_MODULE
776 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
777#else
778 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
779#endif
780 " --verb option can be added *BEFORE* this.\n"
781#endif /* ENABLE_PKCS11 */
782 "\n"
783 "General Standalone Options:\n"
784#ifdef ENABLE_DEBUG
785 "--show-gateway [address]: Show info about gateway [to v4/v6 address].\n"
786#endif
787 ;
788
789#endif /* !ENABLE_SMALL */
790
791/*
792 * This is where the options defaults go.
793 * Any option not explicitly set here
794 * will be set to 0.
795 */
796void
798{
799 CLEAR(*o);
800 gc_init(&o->gc);
802
804 o->topology = TOP_UNDEF;
805 o->ce.proto = PROTO_UDP;
806 o->ce.af = AF_UNSPEC;
807 o->ce.bind_ipv6_only = false;
810 o->ce.connect_timeout = 120;
811 o->connect_retry_max = 0;
813 o->verbosity = 1;
815 o->status_file_version = 1;
816 o->ce.bind_local = true;
818 o->ce.occ_mtu = 0;
821 o->ce.mtu_discover_type = -1;
822 o->ce.mssfix = 0;
823 o->ce.mssfix_default = true;
824 o->ce.mssfix_encap = true;
826 o->route_delay_window = 30;
828 o->resolve_in_advance = false;
829 o->proto_force = -1;
830 o->occ = true;
831#ifdef ENABLE_MANAGEMENT
835#endif
836#ifdef ENABLE_FEATURE_TUN_PERSIST
837 o->persist_mode = 1;
838#endif
839#ifdef _WIN32
840#if 0
842#else
844#endif
845 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
846 /* use network address as internal DHCP server address */
849 o->block_outside_dns = false;
851#endif
853 o->vlan_pvid = 1;
854 o->n_bcast_buf = 256;
855 o->tcp_queue_limit = 64;
856 o->max_clients = 1024;
857 o->cf_initial_per = 10;
858 o->cf_initial_max = 100;
859 o->max_routes_per_client = 256;
863 o->authname = "SHA1";
867 o->tls_timeout = 2;
868 o->renegotiate_bytes = -1;
869 o->renegotiate_seconds = 3600;
871 o->handshake_window = 60;
872 o->transition_window = 3600;
873 o->tls_cert_profile = NULL;
874 o->ecdh_curve = NULL;
876#ifdef ENABLE_PKCS11
877 o->pkcs11_pin_cache_period = -1;
878#endif /* ENABLE_PKCS11 */
879
880 /* P2MP server context features */
881 o->auth_token_generate = false;
882
883 /* Set default --tmp-dir */
884#ifdef _WIN32
885 /* On Windows, find temp dir via environment variables */
887
888 if (!o->tmp_dir)
889 {
890 /* Error out if we can't find a valid temporary directory, which should
891 * be very unlikely. */
892 msg(M_USAGE, "Could not find a suitable temporary directory."
893 " (GetTempPath() failed). Consider using --tmp-dir");
894 }
895#else /* ifdef _WIN32 */
896 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
897 o->tmp_dir = getenv("TMPDIR");
898 if (!o->tmp_dir)
899 {
900 o->tmp_dir = "/tmp";
901 }
902#endif /* _WIN32 */
903 o->allow_recursive_routing = false;
904
905#ifndef ENABLE_DCO
906 o->disable_dco = true;
907#endif /* ENABLE_DCO */
908
909#ifdef ENABLE_DNS_UPDOWN_BY_DEFAULT
910 o->dns_options.updown = DEFAULT_DNS_UPDOWN;
911#endif /* ENABLE_DNS_UPDOWN_BY_DEFAULT */
912}
913
914void
916{
917 if (o->connection_list)
918 {
920 }
921 if (o->remote_list)
922 {
923 CLEAR(*o->remote_list);
924 }
925
926 gc_free(&o->gc);
928}
929
930#ifndef ENABLE_SMALL
931
932static const char *
934{
935 if (type == PUF_TYPE_ACCEPT)
936 {
937 return "accept";
938 }
939 if (type == PUF_TYPE_IGNORE)
940 {
941 return "ignore";
942 }
943 if (type == PUF_TYPE_REJECT)
944 {
945 return "reject";
946 }
947 else
948 {
949 return "???";
950 }
951}
952
953#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
954#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
955#define SHOW_STR_INLINE(var) \
956 SHOW_PARM(var, o->var##_inline ? "[INLINE]" : (o->var ? o->var : "[UNDEF]"), "'%s'")
957#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
958#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
959#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
960#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
961#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
962
963#endif /* ifndef ENABLE_SMALL */
964
965static void
966setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
967{
968 setenv_str_i(es, "remote", e->remote, i);
969 setenv_str_i(es, "remote_port", e->remote_port, i);
970
971 if (e->http_proxy_options)
972 {
973 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
974 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
975 }
976 if (e->socks_proxy_server)
977 {
978 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
979 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
980 }
981}
982
983static void
984setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
985{
986 setenv_str_i(es, "proto", proto2ascii(e->proto, AF_UNSPEC, false), i);
987 setenv_str_i(es, "local", e->local, i);
988 setenv_str_i(es, "local_port", e->port, i);
989}
990
991void
992setenv_settings(struct env_set *es, const struct options *o)
993{
994 setenv_str(es, "config", o->config);
995 setenv_int(es, "verb", o->verbosity);
996 setenv_int(es, "daemon", o->daemon);
997 setenv_int(es, "daemon_log_redirect", o->log);
998 setenv_long_long(es, "daemon_start_time", time(NULL));
999 setenv_int(es, "daemon_pid", platform_getpid());
1000
1001 if (o->connection_list)
1002 {
1003 int i;
1004 for (i = 0; i < o->connection_list->len; ++i)
1005 {
1007 }
1008 }
1009 else
1010 {
1011 setenv_connection_entry(es, &o->ce, 1);
1012 }
1013
1014 if (o->ce.local_list)
1015 {
1016 for (int i = 0; i < o->ce.local_list->len; i++)
1017 {
1018 setenv_local_entry(es, o->ce.local_list->array[i], i + 1);
1019 }
1020 }
1021}
1022
1023#ifndef _WIN32
1024static void
1025setenv_foreign_option(struct options *o, const char *option, const char *value, struct env_set *es)
1026{
1027 struct gc_arena gc = gc_new();
1030 bool good = true;
1031
1032 good &= buf_printf(&env_name, "foreign_option_%d", o->foreign_option_index + 1);
1033 if (value)
1034 {
1035 good &= buf_printf(&env_value, "dhcp-option %s %s", option, value);
1036 }
1037 else
1038 {
1039 good &= buf_printf(&env_value, "dhcp-option %s", option);
1040 }
1041 if (good)
1042 {
1044 ++o->foreign_option_index;
1045 }
1046 else
1047 {
1048 msg(M_WARN, "foreign_option: name/value overflow");
1049 }
1050 gc_free(&gc);
1051}
1052
1053static void
1054delete_all_dhcp_fo(struct options *o, struct env_item **list)
1055{
1056 struct env_item *current, *prev;
1057
1058 ASSERT(list);
1059
1060 for (current = *list, prev = NULL; current != NULL; current = current->next)
1061 {
1062 char *tmp_value = NULL;
1063 if (!strncmp(current->string, "foreign_option_", sizeof("foreign_option_") - 1))
1064 {
1065 tmp_value = strchr(current->string, '=');
1066 if (tmp_value && ++tmp_value)
1067 {
1068 if (!strncmp(tmp_value, "dhcp-option ", sizeof("dhcp-option ") - 1))
1069 {
1070 if (prev)
1071 {
1072 prev->next = current->next;
1073 }
1074 else
1075 {
1076 *list = current->next;
1077 }
1079 }
1080 }
1081 }
1082 prev = current;
1083 }
1084}
1085
1086#endif /* ifndef _WIN32 */
1087
1088static in_addr_t
1089get_ip_addr(const char *ip_string, msglvl_t msglevel, bool *error)
1090{
1091 unsigned int flags = GETADDR_HOST_ORDER;
1092 bool succeeded = false;
1093 in_addr_t ret;
1094
1095 if (msglevel & M_FATAL)
1096 {
1097 flags |= GETADDR_FATAL;
1098 }
1099
1100 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1101 if (!succeeded && error)
1102 {
1103 *error = true;
1104 }
1105 return ret;
1106}
1107
1113static char *
1114get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1115{
1116 const char *end = strchr(addr, '/');
1117 char *ret = NULL;
1118 if (NULL == end)
1119 {
1120 ret = string_alloc(addr, gc);
1121 }
1122 else
1123 {
1124 size_t len = end - addr;
1125 ret = gc_malloc(len + 1, true, gc);
1126 memcpy(ret, addr, len);
1127 }
1128 return ret;
1129}
1130
1131static bool
1132ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
1133{
1134 return get_ipv6_addr(ipv6_prefix_spec, NULL, NULL, M_WARN);
1135}
1136
1137static char *
1138string_substitute(const char *src, char from, char to, struct gc_arena *gc)
1139{
1140 char *ret = (char *)gc_malloc(strlen(src) + 1, true, gc);
1141 char *dest = ret;
1142 char c;
1143
1144 do
1145 {
1146 c = *src++;
1147 if (c == from)
1148 {
1149 c = to;
1150 }
1151 *dest++ = c;
1152 } while (c);
1153 return ret;
1154}
1155
1165static struct verify_hash_list *
1166parse_hash_fingerprint(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
1167{
1168 int i = 0;
1169 const char *cp = str;
1170
1171 struct verify_hash_list *ret;
1173
1174 char term = 0;
1175 unsigned int byte;
1176
1177 while (*cp && i < nbytes)
1178 {
1179 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1180 if (!isxdigit(cp[0]) || !isxdigit(cp[1]) || (cp[2] != ':' && cp[2] != '\0')
1181 || sscanf(cp, "%x", &byte) != 1)
1182 {
1183 msg(msglevel, "format error in hash fingerprint: %s", str);
1184 break;
1185 }
1186
1187 ret->hash[i++] = (uint8_t)byte;
1188
1189 term = cp[2];
1190 if (term == '\0')
1191 {
1192 break;
1193 }
1194 cp += 3;
1195 }
1196 if (i < nbytes)
1197 {
1198 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i,
1199 str);
1200 }
1201 else if (term != '\0')
1202 {
1203 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1204 }
1205 return ret;
1206}
1207
1218static struct verify_hash_list *
1219parse_hash_fingerprint_multiline(const char *str, int nbytes, msglvl_t msglevel,
1220 struct gc_arena *gc)
1221{
1222 struct gc_arena gc_temp = gc_new();
1223 char *lines = string_alloc(str, &gc_temp);
1224
1225 struct verify_hash_list *ret = NULL;
1226
1227 const char *line;
1228 while ((line = strsep(&lines, "\n")))
1229 {
1230 /* ignore leading whitespace */
1231 while (isspace(*line))
1232 {
1233 line++;
1234 }
1235 /* skip empty lines and comment lines */
1236 if (strlen(line) == 0 || *line == '#' || *line == ';')
1237 {
1238 continue;
1239 }
1240
1241 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes, msglevel, gc);
1242
1243 if (!hash)
1244 {
1245 gc_free(&gc_temp);
1246 return NULL;
1247 }
1248
1249 hash->next = ret;
1250 ret = hash;
1251 }
1252 gc_free(&gc_temp);
1253
1254 return ret;
1255}
1256#ifdef _WIN32
1257
1258#ifndef ENABLE_SMALL
1259
1260static void
1261show_dhcp_option_list(const char *name, const char *const *array, unsigned int len)
1262{
1263 for (unsigned int i = 0; i < len; ++i)
1264 {
1265 msg(D_SHOW_PARMS, " %s[%u] = %s", name, i, array[i]);
1266 }
1267}
1268
1269static void
1270show_dhcp_option_addrs(const char *name, const in_addr_t *array, unsigned int len)
1271{
1272 struct gc_arena gc = gc_new();
1273 for (unsigned int i = 0; i < len; ++i)
1274 {
1275 msg(D_SHOW_PARMS, " %s[%u] = %s", name, i, print_in_addr_t(array[i], 0, &gc));
1276 }
1277 gc_free(&gc);
1278}
1279
1280static void
1282{
1283 SHOW_BOOL(ip_win32_defined);
1284 SHOW_INT(ip_win32_type);
1285 SHOW_INT(dhcp_masq_offset);
1286 SHOW_INT(dhcp_lease_time);
1287 SHOW_INT(tap_sleep);
1290 SHOW_BOOL(dhcp_pre_release);
1291 SHOW_STR(domain);
1292 SHOW_STR(netbios_scope);
1293 SHOW_UNSIGNED(netbios_node_type);
1294 SHOW_BOOL(disable_nbt);
1295
1296 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1297 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1298 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1299 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1301}
1302
1303#endif /* ifndef ENABLE_SMALL */
1304#endif /* ifdef _WIN32 */
1305
1306static void
1307dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, unsigned int *len, msglvl_t msglevel)
1308{
1309 struct in6_addr addr;
1310 if (*len >= N_DHCP_ADDR)
1311 {
1312 msg(msglevel, "--dhcp-option DNS: maximum of %u IPv6 dns servers can be specified",
1313 N_DHCP_ADDR);
1314 }
1315 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1316 {
1317 dns6_list[(*len)++] = addr;
1318 }
1319}
1320static void
1321dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, unsigned int *len,
1322 msglvl_t msglevel)
1323{
1324 if (*len >= N_DHCP_ADDR)
1325 {
1326 msg(msglevel, "--dhcp-option %s: maximum of %u %s servers can be specified", name,
1327 N_DHCP_ADDR, name);
1328 }
1329 else
1330 {
1331 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1332 {
1333 bool error = false;
1334 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1335 if (!error)
1336 {
1337 array[(*len)++] = addr;
1338 }
1339 }
1340 else
1341 {
1342 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1343 }
1344 }
1345}
1346
1347#ifndef ENABLE_SMALL
1348static const char *
1350{
1351 switch (mode)
1352 {
1353 case VLAN_ONLY_TAGGED:
1354 return "tagged";
1355
1357 return "untagged";
1358
1359 case VLAN_ALL:
1360 return "all";
1361 }
1362 return NULL;
1363}
1364
1365static void
1366show_p2mp_parms(const struct options *o)
1367{
1368 struct gc_arena gc = gc_new();
1369
1370 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1371 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1372 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc));
1373 SHOW_INT(server_netbits_ipv6);
1374 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1375 msg(D_SHOW_PARMS, " server_bridge_netmask = %s",
1377 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s",
1379 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s",
1381 if (o->push_list.head)
1382 {
1383 const struct push_entry *e = o->push_list.head;
1384 while (e)
1385 {
1386 if (e->enable)
1387 {
1388 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1389 }
1390 e = e->next;
1391 }
1392 }
1393 SHOW_BOOL(ifconfig_pool_defined);
1394 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s",
1396 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1397 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s",
1399 SHOW_STR(ifconfig_pool_persist_filename);
1400 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1401 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1402 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s",
1404 SHOW_INT(ifconfig_ipv6_pool_netbits);
1405 SHOW_INT(n_bcast_buf);
1406 SHOW_INT(tcp_queue_limit);
1407 SHOW_INT(real_hash_size);
1408 SHOW_INT(virtual_hash_size);
1409 SHOW_STR(client_connect_script);
1411 SHOW_STR(client_disconnect_script);
1412 SHOW_STR(client_crresponse_script);
1413 SHOW_STR(client_config_dir);
1414 SHOW_BOOL(ccd_exclusive);
1415 SHOW_STR(tmp_dir);
1416 SHOW_BOOL(push_ifconfig_defined);
1417 msg(D_SHOW_PARMS, " push_ifconfig_local = %s",
1419 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s",
1421 SHOW_BOOL(push_ifconfig_ipv6_defined);
1422 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d",
1424 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s",
1426 SHOW_BOOL(enable_c2c);
1427 SHOW_BOOL(duplicate_cn);
1428 SHOW_INT(cf_max);
1429 SHOW_INT(cf_per);
1430 SHOW_INT(cf_initial_max);
1431 SHOW_INT(cf_initial_per);
1432 SHOW_UINT(max_clients);
1433 SHOW_INT(max_routes_per_client);
1434 SHOW_STR(auth_user_pass_verify_script);
1435 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1436 SHOW_BOOL(auth_token_generate);
1437 SHOW_BOOL(force_key_material_export);
1438 SHOW_INT(auth_token_lifetime);
1439 SHOW_STR_INLINE(auth_token_secret_file);
1440#if PORT_SHARE
1441 SHOW_STR(port_share_host);
1442 SHOW_STR(port_share_port);
1443#endif
1444 SHOW_BOOL(vlan_tagging);
1445 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1446 SHOW_INT(vlan_pvid);
1447
1448 SHOW_BOOL(client);
1449 SHOW_BOOL(pull);
1450 SHOW_STR_INLINE(auth_user_pass_file);
1451
1452 gc_free(&gc);
1453}
1454
1455#endif /* ! ENABLE_SMALL */
1456
1457static void
1458option_iroute(struct options *o, const char *network_str, const char *netmask_str,
1459 msglvl_t msglevel)
1460{
1461 struct iroute *ir;
1462
1463 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1464 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1465 ir->netbits = 32; /* host route if no netmask given */
1466
1467 if (netmask_str)
1468 {
1469 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1470 ir->netbits = netmask_to_netbits2(netmask);
1471
1472 if (ir->netbits < 0)
1473 {
1474 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification", network_str,
1475 netmask_str);
1476 return;
1477 }
1478 }
1479
1480 ir->next = o->iroutes;
1481 o->iroutes = ir;
1482}
1483
1484static void
1485option_iroute_ipv6(struct options *o, const char *prefix_str, msglvl_t msglevel)
1486{
1487 struct iroute_ipv6 *ir;
1488
1489 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1490
1491 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel))
1492 {
1493 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str);
1494 return;
1495 }
1496
1497 ir->next = o->iroutes_ipv6;
1498 o->iroutes_ipv6 = ir;
1499}
1500
1501#ifndef ENABLE_SMALL
1502static void
1504{
1505 int i;
1506 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1507 SHOW_STR(server);
1508 SHOW_STR(port);
1509 SHOW_STR(auth_method_string);
1510 SHOW_STR(auth_file);
1511 SHOW_STR(auth_file_up);
1512 SHOW_BOOL(inline_creds);
1513 SHOW_BOOL(nocache);
1514 SHOW_STR(http_version);
1515 SHOW_STR(user_agent);
1516 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1517 {
1518 if (o->custom_headers[i].content)
1519 {
1520 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i, o->custom_headers[i].name,
1521 o->custom_headers[i].content);
1522 }
1523 else
1524 {
1525 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i, o->custom_headers[i].name);
1526 }
1527 }
1528 msg(D_SHOW_PARMS, "END http_proxy");
1529}
1530#endif /* ifndef ENABLE_SMALL */
1531
1532void
1534{
1535 /* The options struct carries two gc_arena's (one generic and one specific
1536 * to the DNS settings), which the by-value options
1537 * copy in inherit_context_child()/inherit_context_top() shares with the
1538 * source.
1539 *
1540 * Detach both (i.e. re-initialize them), otherwise child's call of
1541 * gc_free() (or context teardown) would free allocations the source
1542 * context still references, leading to a use-after-free (and subsequent
1543 * double-free).
1544 */
1545 gc_detach(&o->gc);
1547 o->routes = NULL;
1548 o->client_nat = NULL;
1549 clone_push_list(o);
1550}
1551
1552void
1554{
1555 if (!options->routes)
1556 {
1558 }
1559}
1560
1561static void
1569
1570static void
1572{
1573 if (!options->client_nat)
1574 {
1576 }
1577}
1578
1579#ifndef ENABLE_SMALL
1580static void
1582{
1583 /* Display the global proto only in client mode or with no '--local'*/
1584 if (o->local_list->len == 1)
1585 {
1586 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1587 }
1588
1589 msg(D_SHOW_PARMS, " Local Sockets:");
1590 for (int i = 0; i < o->local_list->len; i++)
1591 {
1592 msg(D_SHOW_PARMS, " [%s]:%s-%s", o->local_list->array[i]->local,
1593 o->local_list->array[i]->port,
1594 proto2ascii(o->local_list->array[i]->proto, o->af, false));
1595 }
1596 SHOW_STR(remote);
1597 SHOW_STR(remote_port);
1598 SHOW_BOOL(remote_float);
1599 SHOW_BOOL(bind_defined);
1601 SHOW_BOOL(bind_ipv6_only);
1602 SHOW_INT(connect_retry_seconds);
1603 SHOW_INT(connect_timeout);
1604
1605 if (o->http_proxy_options)
1606 {
1608 }
1609 SHOW_STR(socks_proxy_server);
1610 SHOW_STR(socks_proxy_port);
1611 SHOW_INT(tun_mtu);
1612 SHOW_BOOL(tun_mtu_defined);
1613 SHOW_INT(link_mtu);
1614 SHOW_BOOL(link_mtu_defined);
1615 SHOW_INT(tun_mtu_extra);
1616 SHOW_BOOL(tun_mtu_extra_defined);
1617 SHOW_INT(tls_mtu);
1618
1619 SHOW_INT(mtu_discover_type);
1620
1621#ifdef ENABLE_FRAGMENT
1623#endif
1624 SHOW_INT(mssfix);
1625 SHOW_BOOL(mssfix_encap);
1626 SHOW_BOOL(mssfix_fixed);
1627
1628 SHOW_INT(explicit_exit_notification);
1629
1630 SHOW_STR_INLINE(tls_auth_file);
1631 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1632 SHOW_STR_INLINE(tls_crypt_file);
1633 SHOW_STR_INLINE(tls_crypt_v2_file);
1634}
1635
1636
1637static void
1639{
1640 if (o->connection_list)
1641 {
1642 const struct connection_list *l = o->connection_list;
1643 int i;
1644 for (i = 0; i < l->len; ++i)
1645 {
1646 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1647 show_connection_entry(l->array[i]);
1648 }
1649 }
1650 else
1651 {
1652 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1654 }
1655 msg(D_SHOW_PARMS, "Connection profiles END");
1656}
1657
1658static void
1660{
1661 struct pull_filter *f;
1662 if (!l)
1663 {
1664 return;
1665 }
1666
1667 msg(D_SHOW_PARMS, " Pull filters:");
1668 for (f = l->head; f; f = f->next)
1669 {
1670 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1671 }
1672}
1673
1674#endif /* ifndef ENABLE_SMALL */
1675
1676void
1677show_settings(const struct options *o)
1678{
1679#ifndef ENABLE_SMALL
1680 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1681
1682 SHOW_STR(config);
1683
1684 SHOW_INT(mode);
1685
1686#ifdef ENABLE_FEATURE_TUN_PERSIST
1687 SHOW_BOOL(persist_config);
1688 SHOW_INT(persist_mode);
1689#endif
1690
1691 SHOW_BOOL(show_ciphers);
1692 SHOW_BOOL(show_digests);
1693 SHOW_BOOL(show_engines);
1694 SHOW_BOOL(genkey);
1695 SHOW_STR(genkey_filename);
1696 SHOW_STR(key_pass_file);
1697 SHOW_BOOL(show_tls_ciphers);
1698
1699 SHOW_INT(connect_retry_max);
1701
1702 SHOW_BOOL(remote_random);
1703
1704 SHOW_STR(ipchange);
1705 SHOW_STR(dev);
1706 SHOW_STR(dev_type);
1707 SHOW_STR(dev_node);
1708#if defined(ENABLE_DCO)
1709 SHOW_BOOL(disable_dco);
1710#endif
1711 SHOW_STR(lladdr);
1712 SHOW_INT(topology);
1713 SHOW_STR(ifconfig_local);
1714 SHOW_STR(ifconfig_remote_netmask);
1715 SHOW_BOOL(ifconfig_noexec);
1716 SHOW_BOOL(ifconfig_nowarn);
1717 SHOW_STR(ifconfig_ipv6_local);
1718 SHOW_INT(ifconfig_ipv6_netbits);
1719 SHOW_STR(ifconfig_ipv6_remote);
1720
1722 SHOW_INT(mtu_test);
1723
1724 SHOW_BOOL(mlock);
1725
1726 SHOW_INT(keepalive_ping);
1727 SHOW_INT(keepalive_timeout);
1728 SHOW_INT(inactivity_timeout);
1729 SHOW_INT(session_timeout);
1730 SHOW_INT64(inactivity_minimum_bytes);
1731 SHOW_INT(ping_send_timeout);
1732 SHOW_INT(ping_rec_timeout);
1733 SHOW_INT(ping_rec_timeout_action);
1734 SHOW_BOOL(ping_timer_remote);
1735 SHOW_INT(remap_sigusr1);
1736 SHOW_BOOL(persist_tun);
1737 SHOW_BOOL(persist_local_ip);
1738 SHOW_BOOL(persist_remote_ip);
1739
1740#if PASSTOS_CAPABILITY
1741 SHOW_BOOL(passtos);
1742#endif
1743
1744 SHOW_INT(resolve_retry_seconds);
1745 SHOW_BOOL(resolve_in_advance);
1746
1747 SHOW_STR(username);
1748 SHOW_STR(groupname);
1749 SHOW_STR(chroot_dir);
1750 SHOW_STR(cd_dir);
1751#ifdef ENABLE_SELINUX
1752 SHOW_STR(selinux_context);
1753#endif
1754 SHOW_STR(writepid);
1755 SHOW_STR(up_script);
1756 SHOW_STR(down_script);
1757 SHOW_BOOL(down_pre);
1758 SHOW_BOOL(up_restart);
1759 SHOW_BOOL(up_delay);
1761 SHOW_BOOL(log);
1764 SHOW_INT(nice);
1765 SHOW_INT(verbosity);
1766 SHOW_INT(mute);
1767#ifdef ENABLE_DEBUG
1768 SHOW_INT(gremlin);
1769#endif
1770 SHOW_STR(status_file);
1771 SHOW_INT(status_file_version);
1772 SHOW_INT(status_file_update_freq);
1773
1774 SHOW_BOOL(occ);
1775 SHOW_INT(rcvbuf);
1776 SHOW_INT(sndbuf);
1777#if defined(TARGET_LINUX)
1778 SHOW_INT(mark);
1779#endif
1780 SHOW_INT(sockflags);
1781
1782 SHOW_INT(comp.alg);
1783 SHOW_INT(comp.flags);
1784
1785 SHOW_STR(route_script);
1786 SHOW_STR(route_default_gateway);
1787 SHOW_INT(route_default_metric);
1788 SHOW_INT(route_default_table_id);
1789 SHOW_BOOL(route_noexec);
1790 SHOW_INT(route_delay);
1791 SHOW_INT(route_delay_window);
1792 SHOW_BOOL(route_delay_defined);
1793 SHOW_BOOL(route_nopull);
1794 SHOW_BOOL(route_gateway_via_dhcp);
1795 SHOW_BOOL(allow_pull_fqdn);
1797
1798 if (o->routes)
1799 {
1801 }
1802
1803 if (o->client_nat)
1804 {
1806 }
1807
1809
1810#ifdef ENABLE_MANAGEMENT
1811 SHOW_STR(management_addr);
1812 SHOW_STR(management_port);
1813 SHOW_STR(management_user_pass);
1814 SHOW_INT(management_log_history_cache);
1815 SHOW_INT(management_echo_buffer_size);
1816 SHOW_STR(management_client_user);
1817 SHOW_STR(management_client_group);
1818 SHOW_INT(management_flags);
1819#endif
1820#ifdef ENABLE_PLUGIN
1821 if (o->plugin_list)
1822 {
1824 }
1825#endif
1826
1827 SHOW_STR_INLINE(shared_secret_file);
1828 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1829 SHOW_STR(ciphername);
1830 SHOW_STR(ncp_ciphers);
1831 SHOW_STR(authname);
1832#ifndef ENABLE_CRYPTO_MBEDTLS
1833 SHOW_BOOL(engine);
1834#endif /* ENABLE_CRYPTO_MBEDTLS */
1835 SHOW_BOOL(mute_replay_warnings);
1836 SHOW_INT(replay_window);
1837 SHOW_INT(replay_time);
1838 SHOW_STR(packet_id_file);
1840
1841 SHOW_BOOL(tls_server);
1842 SHOW_BOOL(tls_client);
1843 SHOW_STR_INLINE(ca_file);
1844 SHOW_STR(ca_path);
1845 SHOW_STR_INLINE(dh_file);
1847 {
1848 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1849 }
1850 else
1851 {
1852 SHOW_STR_INLINE(cert_file);
1853 }
1854 SHOW_STR_INLINE(extra_certs_file);
1855
1857 {
1858 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1859 }
1860 else
1861 {
1862 SHOW_STR_INLINE(priv_key_file);
1863 }
1864#ifndef ENABLE_CRYPTO_MBEDTLS
1865 SHOW_STR_INLINE(pkcs12_file);
1866#endif
1867#ifdef ENABLE_CRYPTOAPI
1868 SHOW_STR(cryptoapi_cert);
1869#endif
1870 SHOW_STR(cipher_list);
1871 SHOW_STR(cipher_list_tls13);
1872 SHOW_STR(tls_cert_profile);
1874 SHOW_STR(tls_export_peer_cert_dir);
1875 SHOW_INT(verify_x509_type);
1876 SHOW_STR(verify_x509_name);
1877 SHOW_STR_INLINE(crl_file);
1878 SHOW_INT(ns_cert_type);
1879 {
1880 int i;
1881 for (i = 0; i < MAX_PARMS; i++)
1882 {
1883 SHOW_INT(remote_cert_ku[i]);
1884 }
1885 }
1886 SHOW_STR(remote_cert_eku);
1887 if (o->verify_hash)
1888 {
1889 SHOW_INT(verify_hash_algo);
1890 SHOW_INT(verify_hash_depth);
1891 struct gc_arena gc = gc_new();
1892 struct verify_hash_list *hl = o->verify_hash;
1893 int digest_len =
1895 while (hl)
1896 {
1897 char *s = format_hex_ex(hl->hash, digest_len, 0, 1, ":", &gc);
1898 SHOW_PARM(verify_hash, s, "%s");
1899 hl = hl->next;
1900 }
1901 gc_free(&gc);
1902 }
1903 SHOW_INT(ssl_flags);
1904
1905 SHOW_INT(tls_timeout);
1906
1907 SHOW_INT64(renegotiate_bytes);
1908 SHOW_INT64(renegotiate_packets);
1909 SHOW_INT(renegotiate_seconds);
1910
1911 SHOW_INT(handshake_window);
1912 SHOW_INT(transition_window);
1913
1914 SHOW_BOOL(single_session);
1916 SHOW_BOOL(tls_exit);
1917
1918 SHOW_STR(tls_crypt_v2_metadata);
1919
1920#ifdef ENABLE_PKCS11
1921 {
1922 int i;
1923 for (i = 0; i < MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1924 {
1925 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1926 }
1927 }
1928 {
1929 int i;
1930 for (i = 0; i < MAX_PARMS; i++)
1931 {
1932 SHOW_PARM(pkcs11_protected_authentication,
1933 o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1934 }
1935 }
1936 {
1937 int i;
1938 for (i = 0; i < MAX_PARMS; i++)
1939 {
1940 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1941 }
1942 }
1943 {
1944 int i;
1945 for (i = 0; i < MAX_PARMS; i++)
1946 {
1947 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED",
1948 "%s");
1949 }
1950 }
1951 SHOW_INT(pkcs11_pin_cache_period);
1952 SHOW_STR(pkcs11_id);
1954#endif /* ENABLE_PKCS11 */
1955
1956 show_p2mp_parms(o);
1957
1958#ifdef _WIN32
1959 SHOW_BOOL(show_net_up);
1960 SHOW_INT(route_method);
1961 SHOW_BOOL(block_outside_dns);
1963#endif
1964#endif /* ifndef ENABLE_SMALL */
1965}
1966
1967#undef SHOW_PARM
1968#undef SHOW_STR
1969#undef SHOW_INT
1970#undef SHOW_BOOL
1971
1972#ifdef ENABLE_MANAGEMENT
1973
1974static struct http_proxy_options *
1975parse_http_proxy_override(const char *server, const char *port, const char *flags,
1976 struct gc_arena *gc)
1977{
1978 if (server && port)
1979 {
1980 struct http_proxy_options *ho;
1982 ho->server = string_alloc(server, gc);
1983 ho->port = port;
1984 if (flags && !strcmp(flags, "nct"))
1985 {
1986 ho->auth_retry = PAR_NCT;
1987 }
1988 else
1989 {
1990 ho->auth_retry = PAR_ALL;
1991 }
1992 ho->http_version = "1.0";
1993 ho->user_agent = "OpenVPN-Autoproxy/1.0";
1994 return ho;
1995 }
1996 else
1997 {
1998 return NULL;
1999 }
2000}
2001
2002static void
2004{
2005 const struct connection_list *l = o->connection_list;
2006 int i;
2007 bool succeed = false;
2008 for (i = 0; i < l->len; ++i)
2009 {
2010 struct connection_entry *ce = l->array[i];
2011 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
2012 {
2014 succeed = true;
2015 }
2016 }
2017 if (succeed)
2018 {
2019 for (i = 0; i < l->len; ++i)
2020 {
2021 struct connection_entry *ce = l->array[i];
2022 if (ce->proto == PROTO_UDP)
2023 {
2024 ce->flags |= CE_DISABLED;
2025 }
2026 }
2027 }
2028 else
2029 {
2030 msg(M_WARN,
2031 "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2032 }
2033}
2034
2035#endif /* ifdef ENABLE_MANAGEMENT */
2036
2037static struct local_list *
2039{
2040 if (!ce->local_list)
2041 {
2043 }
2044 return ce->local_list;
2045}
2046
2047static struct local_entry *
2048alloc_local_entry(struct connection_entry *ce, const msglvl_t msglevel, struct gc_arena *gc)
2049{
2051 struct local_entry *e;
2052
2053 if (l->len >= l->capacity)
2054 {
2055 const int new_cap = l->capacity + 1;
2056 const size_t elem_size = sizeof(*l->array);
2057
2058 struct local_entry **new_array = gc_realloc(l->array, new_cap * elem_size, gc);
2059 if (!new_array)
2060 {
2061 msg(msglevel,
2062 "Unable to process more local options: out of memory. Number of entries = %d",
2063 l->len);
2064 return NULL;
2065 }
2066
2067 l->array = new_array;
2068 l->capacity = new_cap;
2069 }
2070
2071 ALLOC_OBJ_CLEAR_GC(e, struct local_entry, gc);
2072 e->proto = PROTO_NONE;
2073 l->array[l->len++] = e;
2074
2075 return e;
2076}
2077
2078static struct connection_list *
2087
2088static struct connection_entry *
2090{
2092 struct connection_entry *e;
2093
2094 if (l->len == l->capacity)
2095 {
2096 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2097 struct connection_entry **ce =
2098 gc_realloc(l->array, capacity * sizeof(struct connection_entry *), &options->gc);
2099 if (ce == NULL)
2100 {
2101 msg(msglevel,
2102 "Unable to process more connection options: out of memory. Number of entries = %d",
2103 l->len);
2104 return NULL;
2105 }
2106 l->array = ce;
2107 l->capacity = capacity;
2108 }
2110 l->array[l->len++] = e;
2111 return e;
2112}
2113
2114static struct remote_list *
2116{
2117 if (!options->remote_list)
2118 {
2120 }
2121 return options->remote_list;
2122}
2123
2124static struct remote_entry *
2126{
2128 struct remote_entry *e;
2129
2130 if (l->len == l->capacity)
2131 {
2132 int capacity = l->capacity + CONNECTION_LIST_SIZE;
2133 struct remote_entry **re =
2134 gc_realloc(l->array, capacity * sizeof(struct remote_entry *), &options->gc);
2135 if (re == NULL)
2136 {
2137 msg(msglevel,
2138 "Unable to process more remote options: out of memory. Number of entries = %d",
2139 l->len);
2140 return NULL;
2141 }
2142 l->array = re;
2143 l->capacity = capacity;
2144 }
2145 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
2146 l->array[l->len++] = e;
2147 return e;
2148}
2149
2150static struct pull_filter_list *
2152{
2153 if (!o->pull_filter_list)
2154 {
2156 }
2157 return o->pull_filter_list;
2158}
2159
2160static struct pull_filter *
2162{
2164 struct pull_filter *f;
2165
2166 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2167 if (l->head)
2168 {
2169 ASSERT(l->tail);
2170 l->tail->next = f;
2171 }
2172 else
2173 {
2174 ASSERT(!l->tail);
2175 l->head = f;
2176 }
2177 l->tail = f;
2178 return f;
2179}
2180
2181static void
2183{
2184 if (re->remote)
2185 {
2186 ce->remote = re->remote;
2187 }
2188 if (re->remote_port)
2189 {
2190 ce->remote_port = re->remote_port;
2191 }
2192 if (re->proto >= 0)
2193 {
2194 ce->proto = re->proto;
2195 }
2196 if (re->af > 0)
2197 {
2198 ce->af = re->af;
2199 }
2200}
2201
2202static void
2203connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
2204{
2205 if (key_file && *key_file && !(*key_inline))
2206 {
2207 struct buffer in = buffer_read_from_file(*key_file, gc);
2208 if (!buf_valid(&in))
2209 {
2210 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2211 }
2212
2213 *key_file = (const char *)in.data;
2214 *key_inline = true;
2215 }
2216}
2217
2218static void
2220{
2221#ifdef ENABLE_CRYPTO_MBEDTLS
2222 if (options->ca_path)
2223 {
2224 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN.");
2225 }
2226#endif
2227
2230 || options->ca_path
2231#endif
2232 )
2233 {
2234 return;
2235 }
2236
2237 const char *const str = "You must define CA file (--ca)"
2238#ifndef ENABLE_CRYPTO_MBEDTLS
2239 " or CA path (--capath)"
2240#endif
2241 " and/or peer fingerprint verification (--peer-fingerprint)";
2242 msg(M_USAGE, "%s", str);
2243}
2244
2245#define MUST_BE_UNDEF(parm, parm_name) \
2246 if (options->parm != defaults.parm) \
2247 { \
2248 msg(M_USAGE, use_err, parm_name); \
2249 }
2250#define MUST_BE_FALSE(condition, parm_name) \
2251 if (condition) \
2252 { \
2253 msg(M_USAGE, use_err, parm_name); \
2254 }
2255
2256static void
2258{
2259 struct options defaults;
2260 int dev = DEV_TYPE_UNDEF;
2261 bool pull = false;
2262
2263 init_options(&defaults);
2264
2265 if (!options->test_crypto)
2266 {
2267 notnull(options->dev, "TUN/TAP device (--dev)");
2268 }
2269
2270 /*
2271 * Get tun/tap/null device type
2272 */
2274
2275 /*
2276 * If "proto tcp" is specified, make sure we know whether it is
2277 * tcp-client or tcp-server.
2278 */
2279 if (ce->proto == PROTO_TCP)
2280 {
2281 msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify "
2282 "--proto tcp-server or --proto tcp-client");
2283 }
2284
2285 /*
2286 * Sanity check on Client mode
2287 */
2288
2289 if (options->mode != MODE_SERVER && ce->local_list->len > 1)
2290 {
2291 msg(M_USAGE, "multiple --local statements only allowed in --server mode");
2292 }
2293
2294 if (options->lladdr && dev != DEV_TYPE_TAP)
2295 {
2296 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2297 }
2298
2299 /*
2300 * Sanity check on MTU parameters
2301 */
2303 {
2304 msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined");
2305 }
2306
2308 {
2309 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2310 }
2311
2312 /* will we be pulling options from server? */
2313 pull = options->pull;
2314
2315 /*
2316 * Sanity check on --local, --remote, and --ifconfig
2317 */
2318
2321 {
2322 msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig "
2323 "addresses");
2324 }
2325
2327 {
2328 msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
2329 }
2330
2331 if (ce->bind_defined && !ce->bind_local)
2332 {
2333 msg(M_USAGE, "--bind and --nobind can't be used together");
2334 }
2335
2337 {
2338 msg(M_USAGE, "--lport and --nobind don't make sense when used together");
2339 }
2340
2341 if (!ce->remote && !ce->bind_local)
2342 {
2343 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2344 }
2345
2346 for (int i = 0; i < ce->local_list->len; i++)
2347 {
2348 struct local_entry *le = ce->local_list->array[i];
2349
2350 if (proto_is_net(le->proto) && string_defined_equal(le->local, ce->remote)
2352 {
2353 msg(M_USAGE, "--remote and one of the --local addresses are the same");
2354 }
2355
2358 {
2359 msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
2360 }
2361
2362 if (le->local && !ce->bind_local)
2363 {
2364 msg(M_USAGE, "--local and --nobind don't make sense when used together");
2365 }
2366 }
2367
2368 /*
2369 * Check for consistency of management options
2370 */
2371#ifdef ENABLE_MANAGEMENT
2375 {
2376 msg(M_USAGE,
2377 "--management is not specified, however one or more options which modify the behavior of --management were specified");
2378 }
2379
2382 {
2383 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2384 }
2385
2388 {
2389 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2390 "passwords is STRONGLY discouraged and considered insecure");
2391 }
2392
2393#endif /* ifdef ENABLE_MANAGEMENT */
2394
2395#if !defined(HAVE_XKEY_PROVIDER)
2398 {
2399 msg(M_FATAL, "management-external-key with TLS 1.3 or later requires "
2400 "nopadding argument/support");
2401 }
2402#endif
2403 /*
2404 * Windows-specific options.
2405 */
2406
2407#ifdef _WIN32
2408 if (dev == DEV_TYPE_TUN
2410 {
2411 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2412 }
2413
2416 {
2417 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2418 }
2419
2421 {
2422 const char *prefix = "Some --dhcp-option or --dns options require DHCP server";
2424 {
2425 msg(M_USAGE, "%s, which is not supported by the selected %s driver", prefix,
2427 }
2430 {
2431 msg(M_USAGE, "%s, which requires --ip-win32 dynamic or adaptive", prefix);
2432 }
2433 }
2434#endif /* ifdef _WIN32 */
2435
2436 /*
2437 * Check that protocol options make sense.
2438 */
2439
2440#ifdef ENABLE_FRAGMENT
2441 if (!proto_is_udp(ce->proto) && ce->fragment)
2442 {
2443 msg(M_USAGE, "--fragment can only be used with --proto udp");
2444 }
2445#endif
2446
2447 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2448 {
2449 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2450 }
2451
2452 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2453 {
2454 msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2455 "tcp-client)");
2456 }
2457
2458 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2459 {
2460 msg(M_USAGE, "--http-proxy not specified but other http proxy options present");
2461 }
2462
2464 {
2465 msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy");
2466 }
2467
2468 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2469 {
2470 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2471 }
2472
2473 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2474 {
2475 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2476 }
2477
2478 /*
2479 * Check consistency of --mode server options.
2480 */
2481 if (options->mode == MODE_SERVER)
2482 {
2483 const char use_err[] = "--%s cannot be used with --mode server.";
2484
2485#define USAGE_VALID_SERVER_PROTOS \
2486 "--mode server currently only supports " \
2487 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2488#ifdef TARGET_ANDROID
2489 msg(M_FATAL, "--mode server not supported on Android");
2490#endif
2491 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2492 {
2493 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2494 }
2495 MUST_BE_UNDEF(pull, "pull");
2497 {
2498 msg(M_WARN, "--pull-filter ignored for --mode server");
2499 }
2500 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2501 {
2503 }
2504#if PORT_SHARE
2505 bool has_tcp = false;
2506 for (int i = 0; i < ce->local_list->len && !has_tcp; i++)
2507 {
2508 has_tcp = (ce->local_list->array[i]->proto == PROTO_TCP_SERVER);
2509 }
2510 if ((options->port_share_host || options->port_share_port)
2511 && !has_tcp)
2512 {
2513 msg(M_USAGE, "--port-share only works in TCP server mode "
2514 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2515 }
2516#endif
2517 if (!options->tls_server)
2518 {
2519 msg(M_USAGE, "--mode server requires --tls-server");
2520 }
2521 MUST_BE_FALSE(ce->remote, "remote");
2522 MUST_BE_FALSE(!ce->bind_local, "nobind");
2523 MUST_BE_FALSE(ce->http_proxy_options, "http-proxy");
2524 MUST_BE_FALSE(ce->socks_proxy_server, "socks-proxy");
2525 /* <connection> blocks force to have a remote embedded, so we check
2526 * for the --remote and bail out if it is present
2527 */
2529 {
2530 msg(M_USAGE, "<connection> cannot be used with --mode server");
2531 }
2532
2533 MUST_BE_UNDEF(shaper, "shaper");
2534 if (options->ipchange)
2535 {
2536 msg(M_USAGE, "--ipchange cannot be used with --mode server (use "
2537 "--client-connect instead)");
2538 }
2539 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2540 {
2542 }
2543 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2544 {
2545 msg(M_USAGE,
2546 "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2547 }
2548 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET))
2550 {
2551 msg(M_USAGE,
2552 "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2553 }
2555 {
2556 msg(M_USAGE,
2557 "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2558 }
2559 MUST_BE_UNDEF(route_delay_defined, "route-delay");
2560 MUST_BE_UNDEF(up_delay, "up-delay");
2563 {
2564 msg(M_USAGE,
2565 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2566 }
2568 {
2569 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2570 }
2571 MUST_BE_UNDEF(allow_recursive_routing, "allow-recursive-routing");
2573 {
2574 msg(M_USAGE,
2575 "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2576 }
2578 {
2579 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2580 }
2582 {
2583 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2584 "--renegotiate_seconds setting");
2585 }
2588 {
2589 msg(M_USAGE,
2590 "--auth-gen-token renewal time needs to be at least "
2591 " two times --hand-window (%d).",
2593 }
2596 {
2597 const char *use_err =
2598 "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2599
2602 "verify-client-cert none|optional");
2604 "username-as-common-name");
2606 "auth-user-pass-optional");
2607 }
2608
2609 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2610 {
2611 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2612 }
2613 if (!options->vlan_tagging)
2614 {
2615 const char use_err[] = "--%s requires --vlan-tagging";
2616 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2617 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2618 }
2619 }
2620 else
2621 {
2622 const char use_err[] = "--%s requires --mode server";
2623 /*
2624 * When not in server mode, err if parameters are
2625 * specified which require --mode server.
2626 */
2627 MUST_BE_UNDEF(ifconfig_pool_defined, "ifconfig-pool");
2628 MUST_BE_UNDEF(ifconfig_pool_persist_filename, "ifconfig-pool-persist");
2629 MUST_BE_UNDEF(ifconfig_ipv6_pool_defined, "ifconfig-ipv6-pool");
2630 MUST_BE_UNDEF(real_hash_size, "hash-size");
2631 MUST_BE_UNDEF(virtual_hash_size, "hash-size");
2632 MUST_BE_UNDEF(learn_address_script, "learn-address");
2633 MUST_BE_UNDEF(client_connect_script, "client-connect");
2634 MUST_BE_UNDEF(client_crresponse_script, "client-crresponse");
2635 MUST_BE_UNDEF(client_disconnect_script, "client-disconnect");
2636 MUST_BE_UNDEF(client_config_dir, "client-config-dir");
2637 MUST_BE_UNDEF(ccd_exclusive, "ccd-exclusive");
2638 MUST_BE_UNDEF(enable_c2c, "client-to-client");
2639 MUST_BE_UNDEF(duplicate_cn, "duplicate-cn");
2640 MUST_BE_UNDEF(cf_max, "connect-freq");
2641 MUST_BE_UNDEF(cf_per, "connect-freq");
2644 "verify-client-cert");
2645 MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name");
2646 MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional");
2648 {
2649 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2650 "affect the server. To have TCP_NODELAY in both direction use "
2651 "tcp-nodelay in the server configuration instead.");
2652 }
2653 MUST_BE_UNDEF(auth_user_pass_verify_script, "auth-user-pass-verify");
2654 MUST_BE_UNDEF(auth_token_generate, "auth-gen-token");
2655#if PORT_SHARE
2656 if (options->port_share_host || options->port_share_port)
2657 {
2658 msg(M_USAGE,
2659 "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2660 }
2661#endif
2662 MUST_BE_UNDEF(stale_routes_check_interval, "stale-routes-check");
2663 MUST_BE_UNDEF(vlan_tagging, "vlan-tagging");
2664 MUST_BE_UNDEF(vlan_accept, "vlan-accept");
2665 MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");
2666 MUST_BE_UNDEF(force_key_material_export, "force-key-material-export");
2667
2668 if (options->push_list.head)
2669 {
2670 msg(M_WARN, "Note: Using --push without --mode server is an "
2671 "unsupported configuration. Negotiation of OpenVPN "
2672 "features is expected to fail.");
2673 }
2674 }
2675
2676 /*
2677 * SSL/TLS mode sanity checks.
2678 */
2680 {
2681 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2682 }
2683
2685 {
2686 msglvl_t msglevel = M_USAGE;
2688 {
2689 msglevel = M_INFO;
2690 }
2691
2692 msg(msglevel, "DEPRECATION: No tls-client or tls-server option in "
2693 "configuration detected. OpenVPN 2.8 will remove the "
2694 "functionality to run a VPN without TLS. "
2695 "See the examples section in the manual page for "
2696 "examples of a similar quick setup with peer-fingerprint. "
2697 "OpenVPN 2.7 allows using this configuration when using "
2698 "--allow-deprecated-insecure-static-crypto but you should move "
2699 "to a proper configuration using TLS as soon as possible.");
2700 }
2701
2703 {
2704 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2705 "--verify-client-cert none|optional "
2706 "may accept clients which do not present a certificate");
2707 }
2708
2709 const unsigned int tls_version_max =
2711 const unsigned int tls_version_min =
2713
2714 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2715 {
2716 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2717 }
2718
2720 {
2722#ifdef ENABLE_PKCS11
2723 if (!options->pkcs11_providers[0] && options->pkcs11_id)
2724 {
2725 msg(M_WARN, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2726 }
2727 else if (!options->pkcs11_providers[0] && options->pkcs11_id_management)
2728 {
2729 msg(M_WARN,
2730 "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2731 }
2732
2733 if (options->pkcs11_providers[0])
2734 {
2735 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2736 {
2737 msg(M_USAGE,
2738 "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2739 }
2740 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2741 {
2742 msg(M_USAGE,
2743 "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2744 }
2745 const char use_err[] =
2746 "Parameter --%s cannot be used when --pkcs11-provider is also specified.";
2747 MUST_BE_UNDEF(cert_file, "cert");
2748 MUST_BE_UNDEF(priv_key_file, "key");
2749 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2750 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2751 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2752#ifdef ENABLE_CRYPTOAPI
2753 MUST_BE_UNDEF(cryptoapi_cert, "cryptoapicert");
2754#endif
2755 }
2756 else
2757#endif /* ifdef ENABLE_PKCS11 */
2758#ifdef ENABLE_CRYPTOAPI
2760 {
2761 const char use_err[] =
2762 "Parameter --%s cannot be used when --cryptoapicert is also specified.";
2763 MUST_BE_UNDEF(cert_file, "cert");
2764 MUST_BE_UNDEF(priv_key_file, "key");
2765 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2766 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2767 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2768 }
2769 else
2770#endif
2771 if (options->pkcs12_file)
2772 {
2773#ifdef ENABLE_CRYPTO_MBEDTLS
2774 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN.");
2775#else
2776 const char use_err[] = "Parameter --%s cannot be used when --pkcs12 is also specified.";
2777 MUST_BE_UNDEF(ca_path, "capath");
2778 MUST_BE_UNDEF(cert_file, "cert");
2779 MUST_BE_UNDEF(priv_key_file, "key");
2780 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key");
2781 MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert");
2782#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2783 }
2784 else /* cert/key from none of pkcs11, pkcs12, cryptoapi */
2785 {
2787 {
2788 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2789 }
2791 {
2792 if (options->cert_file)
2793 {
2794 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2795 }
2797 {
2798 msg(M_USAGE,
2799 "--management-external-cert must be used with --management-external-key");
2800 }
2801 }
2802 if (pull)
2803 {
2804 const int sum =
2806 + ((options->priv_key_file != NULL)
2808
2809 if (sum == 0)
2810 {
2812 {
2813 msg(M_USAGE, "No client-side authentication method is "
2814 "specified. You must use either "
2815 "--cert/--key, --pkcs12, or "
2816 "--auth-user-pass");
2817 }
2818 }
2819 else if (sum != 2)
2820 {
2821 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2822 }
2823 }
2824 else
2825 {
2827 {
2829 "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2830 }
2832 {
2834 "private key file (--key) or PKCS#12 file (--pkcs12)");
2835 }
2836 }
2837 }
2838 if (ce->tls_auth_file && ce->tls_crypt_file)
2839 {
2840 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2841 }
2843 && (ce->tls_auth_file || ce->tls_crypt_file))
2844 {
2845 msg(M_USAGE,
2846 "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2847 }
2848 }
2849 else
2850 {
2851 /*
2852 * Make sure user doesn't specify any TLS options
2853 * when in non-TLS mode.
2854 */
2855
2856 const char use_err[] = "Parameter %s can only be specified in TLS-mode, "
2857 "i.e. where --tls-server or --tls-client is also specified.";
2858
2859 MUST_BE_UNDEF(ca_file, "ca");
2860 MUST_BE_UNDEF(ca_path, "capath");
2861 MUST_BE_UNDEF(dh_file, "dh");
2862 MUST_BE_UNDEF(cert_file, "cert");
2863 MUST_BE_UNDEF(priv_key_file, "key");
2864#ifndef ENABLE_CRYPTO_MBEDTLS
2865 MUST_BE_UNDEF(pkcs12_file, "pkcs12");
2866#endif
2867 MUST_BE_UNDEF(cipher_list, "tls-cipher");
2868 MUST_BE_UNDEF(cipher_list_tls13, "tls-ciphersuites");
2869 MUST_BE_UNDEF(tls_cert_profile, "tls-cert-profile");
2870 MUST_BE_UNDEF(tls_verify, "tls-verify");
2871 MUST_BE_UNDEF(tls_export_peer_cert_dir, "tls-export-cert");
2872 MUST_BE_UNDEF(verify_x509_name, "verify-x509-name");
2873 MUST_BE_UNDEF(tls_timeout, "tls-timeout");
2874 MUST_BE_UNDEF(renegotiate_bytes, "reneg-bytes");
2875 MUST_BE_UNDEF(renegotiate_packets, "reneg-pkts");
2876 MUST_BE_UNDEF(renegotiate_seconds, "reneg-sec");
2877 MUST_BE_UNDEF(handshake_window, "hand-window");
2878 MUST_BE_UNDEF(transition_window, "tran-window");
2879 MUST_BE_UNDEF(tls_auth_file, "tls-auth");
2880 MUST_BE_UNDEF(tls_crypt_file, "tls-crypt");
2881 MUST_BE_UNDEF(tls_crypt_v2_file, "tls-crypt-v2");
2882 MUST_BE_UNDEF(single_session, "single-session");
2883 MUST_BE_UNDEF(push_peer_info, "push-peer-info");
2884 MUST_BE_UNDEF(tls_exit, "tls-exit");
2885 MUST_BE_UNDEF(crl_file, "crl-verify");
2886 MUST_BE_UNDEF(ns_cert_type, "ns-cert-type");
2887 MUST_BE_UNDEF(remote_cert_ku[0], "remote-cert-ku");
2888 MUST_BE_UNDEF(remote_cert_eku, "remote-cert-eku");
2889#ifdef ENABLE_PKCS11
2890 MUST_BE_UNDEF(pkcs11_providers[0], "pkcs11-providers");
2891 MUST_BE_UNDEF(pkcs11_private_mode[0], "pkcs11-private-mode");
2892 MUST_BE_UNDEF(pkcs11_id, "pkcs11-id");
2893 MUST_BE_UNDEF(pkcs11_id_management, "pkcs11-id-management");
2894#endif
2895
2896 if (pull)
2897 {
2898 msg(M_USAGE, use_err, "--pull");
2899 }
2900 }
2902 {
2903 msg(M_USAGE, "--auth-user-pass requires --pull");
2904 }
2905
2906 uninit_options(&defaults);
2907}
2908
2909#undef MUST_BE_UNDEF
2910#undef MUST_BE_FALSE
2911
2912static void
2914{
2915 const int dev = dev_type_enum(o->dev, o->dev_type);
2916
2918 {
2919 if (ce->proto == PROTO_TCP)
2920 {
2921 ce->proto = PROTO_TCP_SERVER;
2922 o->ce.proto = ce->proto;
2923 }
2924 }
2925
2926 if (o->mode != MODE_SERVER)
2927 {
2928 if (ce->proto == PROTO_TCP)
2929 {
2930 ce->proto = PROTO_TCP_CLIENT;
2931 o->ce.proto = ce->proto;
2932 }
2933 }
2934
2935 /* an option is present that requires local bind to enabled */
2936 bool need_bind = ce->local_port_defined || ce->bind_defined || ce->local_list;
2937
2938 /* socks proxy is enabled */
2939 bool uses_socks = ce->proto == PROTO_UDP && ce->socks_proxy_server;
2940
2941 /* If binding is not forced by an explicit option and we have (at least)
2942 * one of --tcp-client, --pull (or --client), or socks we do not bind
2943 * locally to have "normal" IP client behaviour of a random source port */
2944 if (!need_bind && (ce->proto == PROTO_TCP_CLIENT || uses_socks || o->pull))
2945 {
2946 ce->bind_local = false;
2947 }
2948
2949 if (!ce->bind_local)
2950 {
2951 ce->local_port = NULL;
2952 }
2953
2954 /* if protocol forcing is enabled, disable all protocols
2955 * except for the forced one
2956 */
2957 if (o->proto_force >= 0 && o->proto_force != ce->proto)
2958 {
2959 ce->flags |= CE_DISABLED;
2960 }
2961
2962 if (ce->http_proxy_options)
2963 {
2965 }
2966
2967 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
2968 * so fall back to IPv4-only (trac #1221)
2969 */
2970 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
2971 {
2972 if (ce->af == AF_INET6)
2973 {
2974 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
2975 "'--socks-proxy' today. Forcing IPv4 mode.");
2976 }
2977 else
2978 {
2979 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
2980 "work correctly with '--socks-proxy' today. Forcing IPv4.");
2981 }
2982 ce->af = AF_INET;
2983 }
2984
2985 /*
2986 * Set MTU defaults
2987 */
2988 {
2989 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
2990 {
2991 ce->tun_mtu_defined = true;
2992 }
2993 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
2994 {
2995 ce->tun_mtu_extra_defined = true;
2997 }
2998 }
2999
3000 /*
3001 * If --mssfix is supplied without a parameter or not specified at all,
3002 * default it to --fragment value, if --fragment is specified and otherwise
3003 * to the default if tun-mtu is 1500
3004 */
3005 if (o->ce.mssfix_default)
3006 {
3007#ifdef ENABLE_FRAGMENT
3008 if (ce->fragment)
3009 {
3010 ce->mssfix = ce->fragment;
3011 }
3012 else
3013#endif
3014 if (ce->tun_mtu_defined)
3015 {
3016 if (o->ce.tun_mtu == TUN_MTU_DEFAULT)
3017 {
3018 /* We want to only set mssfix default value if we use a default
3019 * MTU Size, otherwise the different size of tun should either
3020 * already solve the problem or mssfix might artifically make the
3021 * payload packets smaller without mssfix 0 */
3022 ce->mssfix = MSSFIX_DEFAULT;
3023 ce->mssfix_encap = true;
3024 }
3025 else
3026 {
3027 /* We still apply the mssfix value but only adjust it to the
3028 * size of the tun interface. */
3029 ce->mssfix = ce->tun_mtu;
3030 ce->mssfix_fixed = true;
3031 }
3032 }
3033 }
3034
3035 /*
3036 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3037 *
3038 * At the end only one of these will be really set because the parser
3039 * logic prevents configurations where more are set.
3040 */
3041 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
3042 {
3046
3049
3052 }
3053
3054 /* Pre-cache tls-auth/crypt(-v2) key file if
3055 * keys were not already embedded in the config file.
3056 */
3060
3061
3063 {
3064 msg(M_WARN, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3066 }
3067}
3068
3069static void
3071{
3072 /* use the global port if none is specified */
3073 if (!le->port)
3074 {
3075 le->port = ce->local_port;
3076 }
3077 /* use the global proto if none is specified and
3078 * allow proto bindings on server mode only */
3079 if (!le->proto || mode == MODE_POINT_TO_POINT)
3080 {
3081 le->proto = ce->proto;
3082 }
3083}
3084
3085#ifdef _WIN32
3086/* If iservice is in use, we need def1 method for redirect-gateway */
3087static void
3089{
3090 if (opt->routes && opt->route_method == ROUTE_METHOD_SERVICE
3091 && opt->routes->flags & RG_REROUTE_GW && !(opt->routes->flags & RG_DEF1))
3092 {
3093 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3094 opt->routes->flags |= RG_DEF1;
3095 }
3096}
3097#endif /* ifdef _WIN32 */
3098
3099/*
3100 * Save/Restore certain option defaults before --pull is applied.
3101 */
3102
3103static void
3105{
3110
3111 if (o->routes)
3112 {
3114 o->pre_connect->routes_defined = true;
3115 }
3116 if (o->routes_ipv6)
3117 {
3120 }
3121 if (o->client_nat)
3122 {
3125 }
3126
3129
3132
3134
3135 /* NCP related options that can be overwritten by a push */
3137 o->pre_connect->authname = o->authname;
3138
3139 /* Ping related options should be reset to the config values on reconnect */
3143
3144 /* Miscellaneous Options */
3145 o->pre_connect->comp = o->comp;
3146}
3147
3148void
3150{
3151 const struct options_pre_connect *pp = o->pre_connect;
3152 if (pp)
3153 {
3155 if (pp->tuntap_options_defined)
3156 {
3158 }
3159
3160 if (pp->routes_defined)
3161 {
3162 rol_check_alloc(o);
3164 }
3165 else
3166 {
3167 o->routes = NULL;
3168 }
3169
3170 if (pp->routes_ipv6_defined)
3171 {
3174 }
3175 else
3176 {
3177 o->routes_ipv6 = NULL;
3178 }
3179
3182
3185
3186 /* Free DNS options and reset them to pre-pull state */
3187 gc_free(&o->dns_options.gc);
3188 struct gc_arena dns_gc = gc_new();
3189 o->dns_options = clone_dns_options(&pp->dns_options, &dns_gc);
3190 o->dns_options.gc = dns_gc;
3191
3192 if (pp->client_nat_defined)
3193 {
3196 }
3197 else
3198 {
3199 o->client_nat = NULL;
3200 }
3201
3203
3204 o->ciphername = pp->ciphername;
3205 o->authname = pp->authname;
3206
3210
3211 /* Miscellaneous Options */
3212 o->comp = pp->comp;
3213 }
3214
3215 o->push_continuation = 0;
3219}
3220
3221static void
3223{
3224#ifdef _WIN32
3225 const int dev = dev_type_enum(options->dev, options->dev_type);
3226
3227 /* when using ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3231 {
3233 }
3234
3235 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3236 {
3237 /* delay may only be necessary when we perform DHCP handshake */
3240 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3241 {
3243 options->route_delay = 5; /* Vista sometimes has a race without this */
3244 }
3245 }
3246
3248 {
3250 options->ifconfig_noexec = false;
3251 }
3252
3254
3255 /*
3256 * Check consistency of --mode server options.
3257 */
3258 if (options->mode == MODE_SERVER)
3259 {
3260 /*
3261 * We need to explicitly set --tap-sleep because
3262 * we do not schedule event timers in the top-level context.
3263 */
3266 {
3268 }
3270 }
3271#endif /* ifdef _WIN32 */
3272
3273#ifdef DEFAULT_PKCS11_MODULE
3274 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3275 * by default if the user asks for PKCS#11 without otherwise specifying
3276 * the module to use. */
3277 if (!options->pkcs11_providers[0] && (options->pkcs11_id || options->pkcs11_id_management))
3278 {
3279 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3280 }
3281#endif
3282}
3283
3284static void
3286{
3287 if (o->connection_list)
3288 {
3289 int i;
3290 for (i = 0; i < o->connection_list->len; ++i)
3291 {
3293 }
3294 }
3295 else
3296 {
3298 }
3299
3301
3302 if (dco_enabled(o))
3303 {
3304 if (o->enable_c2c)
3305 {
3306 msg(M_WARN, "Note: --client-to-client has no effect when using data "
3307 "channel offload: packets are always sent to the VPN "
3308 "interface and then routed based on the system routing table");
3309 }
3310
3311 if (o->renegotiate_bytes > 0 || o->renegotiate_packets)
3312 {
3313 msg(M_WARN, "Note: '--reneg-bytes' and '--reneg-pkts' are not supported "
3314 "by data channel offload; automatic key renegotiation "
3315 "mechanisms are sufficient for modern ciphers. "
3316 "Ignoring these options.");
3317 }
3318 }
3319}
3320
3321static void
3323{
3324 if (!o->pull && !(o->mode == MODE_SERVER))
3325 {
3326 /* If the cipher is not set, use the old default of BF-CBC. We will
3327 * warn that this is deprecated on cipher initialisation, no need
3328 * to warn here as well */
3329 if (!o->ciphername)
3330 {
3331 o->ciphername = "BF-CBC";
3332 }
3333 else
3334 {
3335 o->enable_ncp_fallback = true;
3336 }
3337 return;
3338 }
3339
3340 /* pull or P2MP mode */
3341 if (!o->ciphername)
3342 {
3343 /* We still need to set the ciphername to BF-CBC since various other
3344 * parts of OpenVPN assert that the ciphername is set */
3345 o->ciphername = "BF-CBC";
3346
3347 msg(M_INFO,
3348 "Note: --cipher is not set. OpenVPN versions before 2.5 "
3349 "defaulted to BF-CBC as fallback when cipher negotiation "
3350 "failed in this case. If you need this fallback please add "
3351 "'--data-ciphers-fallback BF-CBC' to your configuration "
3352 "and/or add BF-CBC to --data-ciphers. E.g. "
3353 "--data-ciphers %s:BF-CBC",
3354 o->ncp_ciphers_conf);
3355 }
3357 {
3358 msg(M_WARN,
3359 "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3360 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3361 "negotiations. ",
3363 }
3364}
3365
3381static bool
3382need_compatibility_before(const struct options *o, unsigned int version)
3383{
3384 return o->backwards_compatible != 0 && o->backwards_compatible < version;
3385}
3386
3391static void
3393{
3394 /* TLS min version is not set */
3395 unsigned int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
3396 if (tls_ver_min == 0)
3397 {
3398 unsigned int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
3399 if (need_compatibility_before(o, 20307))
3400 {
3401 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3403 }
3404 else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
3405 {
3406 /* Use TLS 1.2 as proper default */
3408 }
3409 else
3410 {
3411 /* Maximize the minimum version */
3412 o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT);
3413 }
3414 }
3415
3416 if (need_compatibility_before(o, 20400))
3417 {
3418 if (!o->ciphername)
3419 {
3420 /* If ciphername is not set default to BF-CBC when targeting these
3421 * old versions that do not have NCP */
3422 o->ciphername = "BF-CBC";
3423 }
3424 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3425 * not have OCC strings required for "poor man's NCP" */
3426 o->enable_ncp_fallback = true;
3427 }
3428
3429 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3430 * Version 2.4 probably does not need it but NCP was not so
3431 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3432 * Only do this iff --cipher is set (explicitly or by compat mode
3433 * < 2.4.0, see above). This is not 100% correct backwards compatible
3434 * behaviour but 2.5 already behaved like this */
3435 if (o->ciphername && need_compatibility_before(o, 20500)
3437 {
3439 }
3440
3441#ifdef USE_COMP
3442 /* Compression is deprecated and we do not want to announce support for it
3443 * by default anymore, additionally DCO breaks with compression.
3444 *
3445 * Disable compression by default starting with 2.6.0 if no other
3446 * compression related option has been explicitly set */
3447 if (!need_compatibility_before(o, 20600) && (o->comp.flags == 0))
3448 {
3449 if (!comp_non_stub_enabled(&o->comp))
3450 {
3452 }
3453 }
3454#else /* ifdef USE_COMP */
3456#endif
3457}
3458
3459static void
3461{
3462 if (!check_tls_prf_working())
3463 {
3464 msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
3465 "supported by the TLS library. Your system does not support this "
3466 "calculation anymore or your security policy (e.g. FIPS 140-2) "
3467 "forbids it. Connections will only work with peers running "
3468 "OpenVPN 2.6.0 or higher)");
3469 if (o->mode == MODE_SERVER)
3470 {
3471 msg(M_WARN, "Automatically enabling option "
3472 "--force-tls-key-material-export");
3473 o->force_key_material_export = true;
3474 }
3475 }
3476}
3477
3478#if defined(_WIN32) || defined(TARGET_ANDROID)
3487static void
3489{
3490 struct dns_options *dns = &o->dns_options;
3491 struct tuntap_options *tt = &o->tuntap_options;
3492 if (!dns->servers)
3493 {
3494 /* Copy --dhcp-options to tuntap_options */
3495 struct dhcp_options *dhcp = &dns->from_dhcp;
3496 ASSERT(sizeof(dhcp->dns) == sizeof(tt->dns));
3497 ASSERT(sizeof(dhcp->dns6) == sizeof(tt->dns6));
3498 ASSERT(sizeof(dhcp->domain_search_list) == sizeof(tt->domain_search_list));
3499
3500 tt->domain = dhcp->domain;
3501 tt->dns_len = dhcp->dns_len;
3502 tt->dns6_len = dhcp->dns6_len;
3503
3504 memcpy(tt->dns, dhcp->dns, sizeof(tt->dns));
3505 memcpy(tt->dns6, dhcp->dns6, sizeof(tt->dns6));
3506
3507 tt->domain_search_list_len = dhcp->domain_search_list_len;
3508 for (size_t i = 0; i < SIZE(tt->domain_search_list); ++i)
3509 {
3510 tt->domain_search_list[i] = dhcp->domain_search_list[i];
3511 }
3512
3513 return;
3514 }
3515
3516#if defined(_WIN32)
3518 {
3519 return; /* Not in DHCP mode */
3520 }
3521#endif /* if defined(_WIN32) */
3522
3523 /* Copy --dns options to tuntap_options */
3524
3525 const struct dns_domain *d = dns->search_domains;
3526 if (d)
3527 {
3528 tt->domain_search_list_len = 0;
3529 }
3530
3531 while (d && tt->domain_search_list_len + 1 < N_SEARCH_LIST_LEN)
3532 {
3534 d = d->next;
3535 }
3536 if (d)
3537 {
3538 msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to TUN/TAP");
3539 }
3540
3541 tt->dns_len = 0;
3542 tt->dns6_len = 0;
3543
3544 const struct dns_server *s = dns->servers;
3545 while (s)
3546 {
3547 bool non_standard_server_port = false;
3548 for (size_t i = 0; i < s->addr_count; ++i)
3549 {
3550 if (s->addr[i].port && s->addr[i].port != 53)
3551 {
3552 non_standard_server_port = true;
3553 break;
3554 }
3555 }
3556 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3557 || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
3558 {
3559 /* Skip servers requiring unsupported config to be set */
3560 s = s->next;
3561 }
3562 else
3563 {
3564 bool overflow = false;
3565 for (size_t i = 0; i < s->addr_count; ++i)
3566 {
3567 if (s->addr[i].family == AF_INET && tt->dns_len + 1 < N_DHCP_ADDR)
3568 {
3569 tt->dns[tt->dns_len++] = ntohl(s->addr[i].in.a4.s_addr);
3570 }
3571 else if (tt->dns6_len + 1 < N_DHCP_ADDR)
3572 {
3573 tt->dns6[tt->dns6_len++] = s->addr[i].in.a6;
3574 }
3575 else
3576 {
3577 overflow = true;
3578 }
3579 }
3580 if (overflow)
3581 {
3582 msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to TUN/TAP");
3583 }
3585 return;
3586 }
3587 }
3588}
3589
3590#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3591
3602static void
3603dhcp_options_postprocess_dns(struct options *o, struct env_set *es)
3604{
3605 struct gc_arena gc = gc_new();
3606 struct dns_options *dns = &o->dns_options;
3607
3608 if (is_tun_afunix(o->dev_node))
3609 {
3610 /* Disable running dns-updown script with lwipovpn */
3612 dns->updown = NULL;
3613 }
3614
3615 if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns))
3616 {
3617 /* Clean up env from --dhcp-option DNS config */
3618 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3619 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
3620
3621 const int fo_count = o->foreign_option_index;
3622 o->foreign_option_index = 0;
3623
3624 for (int i = 1; i <= fo_count; ++i)
3625 {
3626 buf_clear(&name);
3627 buf_printf(&name, "foreign_option_%d", i);
3628 const char *env_str = env_set_get(es, BSTR(&name));
3629 const char *item_val = strchr(env_str, '=') + 1;
3630 buf_clear(&value);
3631 buf_printf(&value, "%s", item_val);
3632
3633 /* Remove foreign option item from env set */
3634 env_set_del(es, BSTR(&name));
3635
3636 item_val = BSTR(&value);
3637 if (strncmp(item_val, "dhcp-option ", 12) != 0
3638 || (strncmp(item_val + 12, "ADAPTER-DOMAIN-SUFFIX ", 22) != 0
3639 && strncmp(item_val + 12, "DOMAIN-SEARCH ", 14) != 0
3640 && strncmp(item_val + 12, "DOMAIN ", 7) != 0
3641 && strncmp(item_val + 12, "DNS6 ", 5) != 0
3642 && strncmp(item_val + 12, "DNS ", 4) != 0))
3643 {
3644 /* Re-set the item with potentially updated name */
3645 buf_clear(&name);
3646 buf_printf(&name, "foreign_option_%d", ++o->foreign_option_index);
3647 setenv_str(es, BSTR(&name), BSTR(&value));
3648 }
3649 }
3650 }
3651
3652 if (!dns->servers)
3653 {
3654 /* Copy --dhcp-options to dns_options */
3655 struct dhcp_options *dhcp = &dns->from_dhcp;
3656
3657 if (dhcp->dns_len || dhcp->dns6_len)
3658 {
3659 struct dns_domain **entry = &dns->search_domains;
3660 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3661 struct dns_domain *new = *entry;
3662 new->name = dhcp->domain;
3663 entry = &new->next;
3664
3665 for (unsigned int i = 0; i < dhcp->domain_search_list_len; ++i)
3666 {
3667 ALLOC_OBJ_CLEAR_GC(*entry, struct dns_domain, &dns->gc);
3668 struct dns_domain *new = *entry;
3669 new->name = dhcp->domain_search_list[i];
3670 entry = &new->next;
3671 }
3672
3673 struct dns_server *server = dns_server_get(&dns->servers, 0, &dns->gc);
3674 const size_t max_addrs = SIZE(server->addr);
3675 for (unsigned int i = 0; i < dhcp->dns_len && server->addr_count < max_addrs; ++i)
3676 {
3677 server->addr[server->addr_count].in.a4.s_addr = htonl(dhcp->dns[i]);
3678 server->addr[server->addr_count].family = AF_INET;
3679 server->addr_count += 1;
3680 }
3681 for (unsigned int i = 0; i < dhcp->dns6_len && server->addr_count < max_addrs; ++i)
3682 {
3683 server->addr[server->addr_count].in.a6 = dhcp->dns6[i];
3684 server->addr[server->addr_count].family = AF_INET6;
3685 server->addr_count += 1;
3686 }
3687 }
3688 }
3689 else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))
3690 {
3691 /* Set foreign option env vars from --dns config */
3692 const struct dns_domain *d = dns->search_domains;
3693 while (d)
3694 {
3695 setenv_foreign_option(o, "DOMAIN", d->name, es);
3696 d = d->next;
3697 }
3698
3699 const struct dns_server *s = dns->servers;
3700 while (s)
3701 {
3702 bool non_standard_server_port = false;
3703 for (size_t i = 0; i < s->addr_count; ++i)
3704 {
3705 if (s->addr[i].port && s->addr[i].port != 53)
3706 {
3707 non_standard_server_port = true;
3708 break;
3709 }
3710 }
3711 if ((s->transport && s->transport != DNS_TRANSPORT_PLAIN)
3712 || (s->dnssec && s->dnssec != DNS_SECURITY_NO) || non_standard_server_port)
3713 {
3714 /* Skip servers requiring unsupported config to be set */
3715 s = s->next;
3716 }
3717 else
3718 {
3719 for (size_t i = 0; i < s->addr_count; ++i)
3720 {
3721 const char *option;
3722 const char *value;
3723 if (s->addr[i].family == AF_INET)
3724 {
3725 option = "DNS";
3726 value = print_in_addr_t(s->addr[i].in.a4.s_addr, IA_NET_ORDER, &gc);
3727 }
3728 else
3729 {
3730 option = "DNS6";
3731 value = print_in6_addr(s->addr[i].in.a6, 0, &gc);
3732 }
3733 setenv_foreign_option(o, option, value, es);
3734 }
3735 break;
3736 }
3737 }
3738 }
3739
3740 gc_free(&gc);
3741}
3742#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
3747static void
3749{
3750 if (!o->real_hash_size)
3751 {
3752 o->real_hash_size = 4 * o->max_clients;
3753 }
3754 if (!o->virtual_hash_size)
3755 {
3756 o->virtual_hash_size = 4 * o->max_clients;
3757 }
3758}
3759
3760static void
3762{
3763 int i;
3764 /*
3765 * Process helper-type options which map to other, more complex
3766 * sequences of options.
3767 */
3769 /* must be called after helpers that might set --mode */
3773
3774 if (o->mode == MODE_SERVER)
3775 {
3777 }
3778
3782
3785 if (o->ncp_ciphers == NULL)
3786 {
3787 msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");
3788 }
3789
3790 if (o->remote_list && !o->connection_list)
3791 {
3792 /*
3793 * Convert remotes into connection list
3794 */
3795 const struct remote_list *rl = o->remote_list;
3796 for (i = 0; i < rl->len; ++i)
3797 {
3798 const struct remote_entry *re = rl->array[i];
3799 struct connection_entry ce = o->ce;
3800 struct connection_entry *ace;
3801
3802 ASSERT(re->remote);
3803 connection_entry_load_re(&ce, re);
3805 ASSERT(ace);
3806 *ace = ce;
3807 }
3808 }
3809 else if (!o->remote_list && !o->connection_list)
3810 {
3811 struct connection_entry *ace;
3813 ASSERT(ace);
3814 *ace = o->ce;
3815 }
3816
3818 for (i = 0; i < o->connection_list->len; ++i)
3819 {
3821 }
3822
3823 if (o->ce.local_list)
3824 {
3825 for (i = 0; i < o->ce.local_list->len; i++)
3826 {
3828 }
3829
3830 for (int i = 0; i < o->ce.local_list->len; i++)
3831 {
3832 if (o->ce.local_list->array[i]->proto == PROTO_TCP)
3833 {
3835 }
3836 else if (o->ce.local_list->array[i]->proto == PROTO_NONE)
3837 {
3838 o->ce.local_list->array[i]->proto = o->ce.proto;
3839 }
3840 }
3841 }
3842 else
3843 {
3844 /* if no 'local' directive was specified, convert the global port
3845 * setting to a listen entry */
3846 struct local_entry *e = alloc_local_entry(&o->ce, M_USAGE, &o->gc);
3847 ASSERT(e);
3848 e->port = o->ce.local_port;
3849 e->proto = o->ce.proto;
3850 }
3851
3852 /* use the same listen list for every outgoing connection */
3853 for (i = 0; i < o->connection_list->len; ++i)
3854 {
3856 }
3857
3858 if (o->tls_server)
3859 {
3860 if (o->dh_file && streq(o->dh_file, "none"))
3861 {
3862 o->dh_file = NULL;
3863 }
3864 }
3865 else if (o->dh_file)
3866 {
3867 /* DH file is only meaningful in a tls-server context. */
3868 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3869 "include this in your server configuration");
3870 o->dh_file = NULL;
3871 }
3872#if ENABLE_MANAGEMENT
3873 if (o->http_proxy_override)
3874 {
3876 }
3877#endif
3878 if (!o->ca_file && !o->ca_path && o->verify_hash && o->verify_hash_depth == 0)
3879 {
3880 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3881 "option set). ");
3882 o->verify_hash_no_ca = true;
3883 }
3884
3885 if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
3886 {
3887 msg(M_USAGE, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3888 "incompatible with each other.");
3889 }
3890
3891 if (dco_enabled(o))
3892 {
3893 /* check if any option should force disabling DCO */
3895 }
3896#ifdef USE_COMP
3897 if (dco_enabled(o))
3898 {
3900 }
3901#endif
3902
3903#ifdef _WIN32
3904 if (dco_enabled(o))
3905 {
3907 }
3908 else
3909 {
3911 }
3912#else /* _WIN32 */
3913 if (dco_enabled(o) && o->dev_node)
3914 {
3915 msg(M_WARN, "Note: ignoring --dev-node as it has no effect when using "
3916 "data channel offload");
3917 o->dev_node = NULL;
3918 }
3919#endif /* _WIN32 */
3920
3921 /* this depends on o->windows_driver, which is set above */
3923
3924 /* check that compression settings in the options are okay */
3926
3927 /*
3928 * Save certain parms before modifying options during connect, especially
3929 * when using --pull
3930 */
3931 if (o->pull)
3932 {
3934 }
3935 else
3936 {
3937#if defined(_WIN32) || defined(TARGET_ANDROID)
3939#else
3940 dhcp_options_postprocess_dns(o, es);
3941#endif
3942 }
3944 {
3946 }
3947#if ENABLE_MANAGEMENT
3949 {
3950 msg(M_USAGE, "'auth-user-pass username-only' cannot be used with static challenge");
3951 }
3952#endif
3954}
3955
3956/*
3957 * Check file/directory sanity
3958 *
3959 */
3960/* Expect people using the stripped down version to know what they do */
3961#ifndef ENABLE_SMALL
3962
3963#define CHKACC_FILE (1 << 0)
3964#define CHKACC_DIRPATH (1 << 1)
3965#define CHKACC_FILEXSTWR (1 << 2)
3966#define CHKACC_ACPTSTDIN (1 << 3)
3967#define CHKACC_PRIVATE (1 << 4)
3968#define CHKACC_ACCEPT_URI (1 << 5)
3970static bool
3971check_file_access(const int type, const char *file, const int mode, const char *opt)
3972{
3973 int errcode = 0;
3974
3975 /* If no file configured, no errors to look for */
3976 if (!file)
3977 {
3978 return false;
3979 }
3980
3981 /* If stdin is allowed and the file name is 'stdin', then do no
3982 * further checks as stdin is always available
3983 */
3984 if ((type & CHKACC_ACPTSTDIN) && streq(file, "stdin"))
3985 {
3986 return false;
3987 }
3988
3989 /* file name is a URI if its first segment has ":" (i.e., before any "/")
3990 * Then no checks done if CHKACC_ACCEPT_URI is set and the URI does not start with "file:"
3991 */
3992 if ((type & CHKACC_ACCEPT_URI) && strchr(file, ':'))
3993 {
3994 if (!strncmp(file, "file:", 5))
3995 {
3996 file += 5;
3997 }
3998 else if (!strchr(file, '/') || strchr(file, '/') > strchr(file, ':'))
3999 {
4000 return false;
4001 }
4002 }
4003
4004 /* Is the directory path leading to the given file accessible? */
4005 if (type & CHKACC_DIRPATH)
4006 {
4007 char *fullpath =
4008 string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
4009 char *dirpath = dirname(fullpath);
4010
4011 if (platform_access(dirpath, mode | X_OK) != 0)
4012 {
4013 errcode = errno;
4014 }
4015 free(fullpath);
4016 }
4017
4018 /* Is the file itself accessible? */
4019 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0))
4020 {
4021 errcode = errno;
4022 }
4023
4024 /* If the file exists and is accessible, is it writable? */
4025 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0))
4026 {
4027 if (platform_access(file, W_OK) != 0)
4028 {
4029 errcode = errno;
4030 }
4031 }
4032
4033 /* Warn if a given private file is group/others accessible. */
4034 if (type & CHKACC_PRIVATE)
4035 {
4036 platform_stat_t st;
4037 if (platform_stat(file, &st))
4038 {
4039 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
4040 }
4041#ifndef _WIN32
4042 else
4043 {
4044 if (st.st_mode & (S_IRWXG | S_IRWXO))
4045 {
4046 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
4047 }
4048 }
4049#endif
4050 }
4051
4052 /* Scream if an error is found */
4053 if (errcode > 0)
4054 {
4055 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
4056 }
4057
4058 /* Return true if an error occurred */
4059 return (errcode != 0 ? true : false);
4060}
4061
4062/* A wrapper for check_file_access() which also takes a chroot directory.
4063 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
4064 * otherwise it will look for the file inside the given chroot directory instead.
4065 */
4066static bool
4067check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode,
4068 const char *opt)
4069{
4070 bool ret = false;
4071
4072 /* If no file configured, no errors to look for */
4073 if (!file)
4074 {
4075 return false;
4076 }
4077
4078 /* If chroot is set, look for the file/directory inside the chroot */
4079 if (chroot)
4080 {
4081 struct gc_arena gc = gc_new();
4082 struct buffer chroot_file;
4083
4084 chroot_file = prepend_dir(chroot, file, &gc);
4085 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
4086 gc_free(&gc);
4087 }
4088 else
4089 {
4090 /* No chroot in play, just call core file check function */
4091 ret = check_file_access(type, file, mode, opt);
4092 }
4093 return ret;
4094}
4095
4100static bool
4101check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type,
4102 const char *file, const int mode, const char *opt)
4103{
4104 if (is_inline)
4105 {
4106 return false;
4107 }
4108
4109 return check_file_access_chroot(chroot, type, file, mode, opt);
4110}
4111
4116static bool
4117check_file_access_inline(bool is_inline, const int type, const char *file, const int mode,
4118 const char *opt)
4119{
4120 if (is_inline)
4121 {
4122 return false;
4123 }
4124
4125 return check_file_access(type, file, mode, opt);
4126}
4127
4128/*
4129 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
4130 * valid file with appropriate permissions.
4131 *
4132 * "command" consists of a path, optionally followed by a space, which may be
4133 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
4134 * performed.
4135 *
4136 * The path and arguments in "command" may be single- or double-quoted or escaped.
4137 *
4138 * The path is extracted from "command", then check_file_access() is called to check it. The
4139 * arguments, if any, are ignored.
4140 *
4141 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
4142 * check_file_access() arguments.
4143 */
4144static bool
4145check_cmd_access(const char *command, const char *opt, const char *chroot)
4146{
4147 struct argv argv;
4148 bool return_code;
4149
4150 /* If no command was set, there are no errors to look for */
4151 if (!command)
4152 {
4153 return false;
4154 }
4155
4156 /* Extract executable path and arguments */
4157 argv = argv_new();
4158 argv_parse_cmd(&argv, command);
4159
4160 /* if an executable is specified then check it; otherwise, complain */
4161 if (argv.argv[0])
4162 {
4163 /* Scripts requires R_OK as well, but that might fail on binaries which
4164 * only requires X_OK to function on Unix - a scenario not unlikely to
4165 * be seen on suid binaries.
4166 */
4167 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
4168 }
4169 else
4170 {
4171 msg(M_NOPREFIX | M_OPTERR, "%s fails with '%s': No path to executable.", opt, command);
4172 return_code = true;
4173 }
4174
4175 argv_free(&argv);
4176
4177 return return_code;
4178}
4179
4180/*
4181 * Sanity check of all file/dir options. Checks that file/dir
4182 * is accessible by OpenVPN
4183 */
4184static void
4186{
4187 bool errs = false;
4188
4189 /* ** SSL/TLS/crypto related files ** */
4191 "--dh");
4192
4194 {
4196 R_OK, "--ca");
4197 }
4198
4200 "--capath");
4201
4203 options->cert_file, R_OK, "--cert");
4204
4206 options->extra_certs_file, R_OK, "--extra-certs");
4207
4209 {
4212 options->priv_key_file, R_OK, "--key");
4213 }
4214
4216 options->pkcs12_file, R_OK, "--pkcs12");
4217
4219 {
4221 R_OK | X_OK, "--crl-verify directory");
4222 }
4223 else
4224 {
4225 errs |=
4227 CHKACC_FILE, options->crl_file, R_OK, "--crl-verify");
4228 }
4229
4231 {
4232 errs |=
4234 options->tls_export_peer_cert_dir, W_OK, "--tls-export-cert");
4235 }
4236
4238 for (int i = 0; i < options->connection_list->len; ++i)
4239 {
4241
4243 ce->tls_auth_file, R_OK, "--tls-auth");
4245 ce->tls_crypt_file, R_OK, "--tls-crypt");
4247 ce->tls_crypt_v2_file, R_OK, "--tls-crypt-v2");
4248 }
4249
4250 errs |=
4252 options->shared_secret_file, R_OK, "--secret");
4253
4255 R_OK | W_OK, "--replay-persist");
4256
4257 /* ** Password files ** */
4259 options->key_pass_file, R_OK, "--askpass");
4260#ifdef ENABLE_MANAGEMENT
4261 errs |=
4263 options->management_user_pass, R_OK, "--management user/password file");
4264#endif /* ENABLE_MANAGEMENT */
4267 options->auth_user_pass_file, R_OK, "--auth-user-pass");
4268 /* ** System related ** */
4269 errs |= check_file_access(CHKACC_FILE, options->chroot_dir, R_OK | X_OK, "--chroot directory");
4271 "--writepid");
4272
4273 /* ** Log related ** */
4275 "--status");
4276
4277 /* ** Config related ** */
4279 R_OK | X_OK, "--client-config-dir");
4281 R_OK | W_OK | X_OK, "Temporary directory (--tmp-dir)");
4282
4283 if (errs)
4284 {
4285 msg(M_USAGE, "Please correct these errors.");
4286 }
4287}
4288#endif /* !ENABLE_SMALL */
4289
4290/*
4291 * Sanity check on options.
4292 * Also set some options based on other
4293 * options.
4294 */
4295void
4297{
4300#ifndef ENABLE_SMALL
4302#endif /* !ENABLE_SMALL */
4303}
4304
4305/*
4306 * Sanity check on options after more options were pulled from server.
4307 * Also time to modify some options based on other options.
4308 */
4309bool
4311{
4312 bool success = dns_options_verify(D_PUSH_ERRORS, &o->dns_options);
4313 if (success)
4314 {
4316#if defined(_WIN32) || defined(TARGET_ANDROID)
4318#else
4319 dhcp_options_postprocess_dns(o, es);
4320#endif
4321 }
4322 return success;
4323}
4324
4325/*
4326 * Build an options string to represent data channel encryption options.
4327 * This string must match exactly between peers. The keysize is checked
4328 * separately by read_key().
4329 *
4330 * The following options must match on both peers:
4331 *
4332 * Tunnel options:
4333 *
4334 * --dev tun|tap [unit number need not match]
4335 * --dev-type tun|tap
4336 * --link-mtu
4337 * --udp-mtu
4338 * --tun-mtu
4339 * --proto udp
4340 * --proto tcp-client [matched with --proto tcp-server
4341 * on the other end of the connection]
4342 * --proto tcp-server [matched with --proto tcp-client on
4343 * the other end of the connection]
4344 * --tun-ipv6
4345 * --ifconfig x y [matched with --ifconfig y x on
4346 * the other end of the connection]
4347 *
4348 * --comp-lzo
4349 * --compress alg
4350 * --fragment
4351 *
4352 * Crypto Options:
4353 *
4354 * --cipher
4355 * --auth
4356 * --secret
4357 *
4358 * SSL Options:
4359 *
4360 * --tls-auth
4361 * --tls-client [matched with --tls-server on
4362 * the other end of the connection]
4363 * --tls-server [matched with --tls-client on
4364 * the other end of the connection]
4365 */
4366char *
4367options_string(const struct options *o, const struct frame *frame, struct tuntap *tt,
4368 openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
4369{
4370 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
4371 bool tt_local = false;
4372
4373 buf_printf(&out, "V4");
4374
4375 /*
4376 * Tunnel Options
4377 */
4378
4379 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
4380 /* the link-mtu that we send has only a meaning if have a fixed
4381 * cipher (p2p) or have a fallback cipher configured for older non
4382 * ncp clients. But not sending it will make even 2.4 complain
4383 * about it being missing. So still send it. */
4384 buf_printf(&out, ",link-mtu %u", (unsigned int)calc_options_string_link_mtu(o, frame));
4385
4386 if (o->ce.occ_mtu != 0)
4387 {
4388 buf_printf(&out, ",tun-mtu %d", o->ce.occ_mtu);
4389 }
4390 else
4391 {
4392 buf_printf(&out, ",tun-mtu %d", frame->tun_mtu);
4393 }
4394
4395 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
4396
4397 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
4398 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4399 * is usually pushed by the server, triggering a non-helpful warning
4400 */
4401 if (o->ifconfig_ipv6_local && p2p_nopull)
4402 {
4403 buf_printf(&out, ",tun-ipv6");
4404 }
4405
4406 /*
4407 * Try to get ifconfig parameters into the options string.
4408 * If tt is undefined, make a temporary instantiation.
4409 */
4410 if (!tt)
4411 {
4412 tt = init_tun(o->dev, o->dev_type, o->topology, o->ifconfig_local,
4413 o->ifconfig_remote_netmask, o->ifconfig_ipv6_local, o->ifconfig_ipv6_netbits,
4414 o->ifconfig_ipv6_remote, NULL, NULL, false, NULL, ctx, NULL);
4415 if (tt)
4416 {
4417 tt_local = true;
4418 }
4419 }
4420
4421 if (tt && p2p_nopull)
4422 {
4423 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
4424 if (ios && strlen(ios))
4425 {
4426 buf_printf(&out, ",ifconfig %s", ios);
4427 }
4428 }
4429 if (tt_local)
4430 {
4431 free(tt);
4432 tt = NULL;
4433 }
4434
4435#ifdef USE_COMP
4436 if (o->comp.alg != COMP_ALG_UNDEF)
4437 {
4438 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression
4439 context is active, not necessarily LZO per-se */
4440 }
4441#endif
4442
4443#ifdef ENABLE_FRAGMENT
4444 if (o->ce.fragment)
4445 {
4446 buf_printf(&out, ",mtu-dynamic");
4447 }
4448#endif
4449
4450#define TLS_CLIENT (o->tls_client)
4451#define TLS_SERVER (o->tls_server)
4452
4453 /*
4454 * Key direction
4455 */
4456 {
4457 const char *kd = keydirection2ascii(o->key_direction, remote, false);
4458 if (kd)
4459 {
4460 buf_printf(&out, ",keydir %s", kd);
4461 }
4462 }
4463
4464 /*
4465 * Crypto Options
4466 */
4467 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
4468 {
4469 struct key_type kt;
4470
4471 ASSERT((o->shared_secret_file != NULL) + (TLS_CLIENT == true) + (TLS_SERVER == true) <= 1);
4472
4473 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4474 * to work here in the default configuration */
4475 const char *ciphername = o->ciphername;
4476 size_t keysize = 0;
4477
4478 if (strcmp(o->ciphername, "BF-CBC") == 0)
4479 {
4480 init_key_type(&kt, "none", o->authname, true, false);
4481 keysize = 128;
4482 }
4483 else
4484 {
4485 init_key_type(&kt, o->ciphername, o->authname, true, false);
4486 ciphername = cipher_kt_name(kt.cipher);
4487 if (cipher_defined(o->ciphername))
4488 {
4489 keysize = cipher_kt_key_size(kt.cipher) * 8;
4490 }
4491 }
4492 /* Only announce the cipher to our peer if we are willing to
4493 * support it */
4494 if (p2p_nopull || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
4495 {
4496 buf_printf(&out, ",cipher %s", ciphername);
4497 }
4498 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
4499 buf_printf(&out, ",keysize %zu", keysize);
4500 if (o->shared_secret_file)
4501 {
4502 buf_printf(&out, ",secret");
4503 }
4504 }
4505
4506 /*
4507 * SSL Options
4508 */
4509 {
4510 if (TLS_CLIENT || TLS_SERVER)
4511 {
4512 if (o->ce.tls_auth_file)
4513 {
4514 buf_printf(&out, ",tls-auth");
4515 }
4516 /* Not adding tls-crypt here, because we won't reach this code if
4517 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4518 * break stuff, so leaving that in place. */
4519
4520 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
4521 }
4522
4523 if (remote)
4524 {
4525 if (TLS_CLIENT)
4526 {
4527 buf_printf(&out, ",tls-server");
4528 }
4529 else if (TLS_SERVER)
4530 {
4531 buf_printf(&out, ",tls-client");
4532 }
4533 }
4534 else
4535 {
4536 if (TLS_CLIENT)
4537 {
4538 buf_printf(&out, ",tls-client");
4539 }
4540 else if (TLS_SERVER)
4541 {
4542 buf_printf(&out, ",tls-server");
4543 }
4544 }
4545 }
4546
4547#undef TLS_CLIENT
4548#undef TLS_SERVER
4549
4550 return BSTR(&out);
4551}
4552
4553/*
4554 * Compare option strings for equality.
4555 * If the first two chars of the strings differ, it means that
4556 * we are looking at different versions of the options string,
4557 * therefore don't compare them and return true.
4558 */
4559
4560bool
4561options_cmp_equal(char *actual, const char *expected)
4562{
4563 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
4564}
4565
4566void
4567options_warning(char *actual, const char *expected)
4568{
4569 options_warning_safe(actual, expected, strlen(actual) + 1);
4570}
4571
4572static const char *
4573options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
4574{
4575 struct gc_arena gc = gc_new();
4577 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4578 const char *ret;
4579
4580 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4582 gc_free(&gc);
4583 return ret;
4584}
4585
4586static void
4588 const bool report_inconsistent, const char *p1,
4589 const struct buffer *b2_src, const char *b1_name,
4590 const char *b2_name)
4591{
4592 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4593 * OCC in a future version (because it's not useful). To reduce questions
4594 * when interoperating, we no longer printing a warning about it.
4595 */
4596 if (strprefix(p1, "key-method ") || strprefix(p1, "keydir ") || strprefix(p1, "proto ")
4597 || streq(p1, "tls-auth") || strprefix(p1, "tun-ipv6") || strprefix(p1, "cipher "))
4598 {
4599 return;
4600 }
4601
4602 if (strlen(p1) > 0)
4603 {
4604 struct gc_arena gc = gc_new();
4605 struct buffer b2 = *b2_src;
4607 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4608
4609 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4610 {
4611 if (strlen(p2))
4612 {
4614
4615 if (!strcmp(p1, p2))
4616 {
4617 goto done;
4618 }
4619 if (!strcmp(p1_prefix, p2_prefix))
4620 {
4622 {
4623 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4625 safe_print(p2, &gc));
4626 }
4627 goto done;
4628 }
4629 }
4630 }
4631
4632 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4634
4635done:
4636 gc_free(&gc);
4637 }
4638}
4639
4640static void
4642 const bool report_inconsistent, const struct buffer *b1_src,
4643 const struct buffer *b2_src, const char *b1_name, const char *b2_name)
4644{
4645 struct gc_arena gc = gc_new();
4646 struct buffer b = *b1_src;
4647 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4648
4649 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4650 {
4652 b2_name);
4653 }
4654
4655 gc_free(&gc);
4656}
4657
4658static void
4659options_warning_safe_ml(const msglvl_t msglevel, char *actual, const char *expected, size_t actual_n)
4660{
4661 struct gc_arena gc = gc_new();
4662
4663 if (actual_n > 0)
4664 {
4665 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4666 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4667 actual[actual_n - 1] = 0;
4668
4669 buf_printf(&local, "version %s", expected);
4670 buf_printf(&remote, "version %s", actual);
4671
4672 options_warning_safe_scan1(msglevel, ',', true, &local, &remote, "local", "remote");
4673
4674 options_warning_safe_scan1(msglevel, ',', false, &remote, &local, "remote", "local");
4675 }
4676
4677 gc_free(&gc);
4678}
4679
4680bool
4681options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4682{
4683 struct gc_arena gc = gc_new();
4684 bool ret = true;
4685
4686 if (actual_n > 0)
4687 {
4688 actual[actual_n - 1] = 0;
4689 if (strncmp(actual, expected, 2))
4690 {
4691 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4692 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4693 }
4694 else
4695 {
4696 ret = !strcmp(actual, expected);
4697 }
4698 }
4699 gc_free(&gc);
4700 return ret;
4701}
4702
4703void
4704options_warning_safe(char *actual, const char *expected, size_t actual_n)
4705{
4706 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4707}
4708
4709const char *
4710options_string_version(const char *s, struct gc_arena *gc)
4711{
4712 struct buffer out = alloc_buf_gc(4, gc);
4713 strncpynt((char *)BPTR(&out), s, 3);
4714 return BSTR(&out);
4715}
4716
4717#if defined(__GNUC__) || defined(__clang__)
4718#pragma GCC diagnostic push
4719#pragma GCC diagnostic ignored "-Wsign-compare"
4720#endif
4721
4722char *
4724{
4725 char *ret = NULL;
4726 const size_t opt_name_len = strlen(opt_name);
4727
4728 const char *p = options_string;
4729 while (p)
4730 {
4731 if (0 == strncmp(p, opt_name, opt_name_len) && strlen(p) > (opt_name_len + 1)
4732 && p[opt_name_len] == ' ')
4733 {
4734 /* option found, extract value */
4735 const char *start = &p[opt_name_len + 1];
4736 const char *end = strchr(p, ',');
4737 size_t val_len = end ? end - start : strlen(start);
4738 ret = gc_malloc(val_len + 1, true, gc);
4739 memcpy(ret, start, val_len);
4740 break;
4741 }
4742 p = strchr(p, ',');
4743 if (p)
4744 {
4745 p++; /* skip delimiter */
4746 }
4747 }
4748 return ret;
4749}
4750
4751#if defined(__GNUC__) || defined(__clang__)
4752#pragma GCC diagnostic pop
4753#endif
4754
4755/*
4756 * parse/print topology coding
4757 */
4758
4759int
4760parse_topology(const char *str, const msglvl_t msglevel)
4761{
4762 if (streq(str, "net30"))
4763 {
4764 return TOP_NET30;
4765 }
4766 else if (streq(str, "p2p"))
4767 {
4768 return TOP_P2P;
4769 }
4770 else if (streq(str, "subnet"))
4771 {
4772 return TOP_SUBNET;
4773 }
4774 else
4775 {
4776 msg(msglevel, "--topology must be net30, p2p, or subnet");
4777 return TOP_UNDEF;
4778 }
4779}
4780
4781const char *
4782print_topology(const int topology)
4783{
4784 switch (topology)
4785 {
4786 case TOP_UNDEF:
4787 return "undef";
4788
4789 case TOP_NET30:
4790 return "net30";
4791
4792 case TOP_P2P:
4793 return "p2p";
4794
4795 case TOP_SUBNET:
4796 return "subnet";
4797
4798 default:
4799 return "unknown";
4800 }
4801}
4802
4803/*
4804 * Manage auth-retry variable
4805 */
4806
4807static int global_auth_retry; /* GLOBAL */
4808
4809int
4811{
4812 return global_auth_retry;
4813}
4814
4815bool
4816auth_retry_set(const msglvl_t msglevel, const char *option)
4817{
4818 if (streq(option, "interact"))
4819 {
4821 }
4822 else if (streq(option, "nointeract"))
4823 {
4825 }
4826 else if (streq(option, "none"))
4827 {
4829 }
4830 else
4831 {
4832 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4833 return false;
4834 }
4835 return true;
4836}
4837
4838const char *
4840{
4841 switch (global_auth_retry)
4842 {
4843 case AR_NONE:
4844 return "none";
4845
4846 case AR_NOINTERACT:
4847 return "nointeract";
4848
4849 case AR_INTERACT:
4850 return "interact";
4851
4852 default:
4853 return "???";
4854 }
4855}
4856
4857/*
4858 * Print the help message.
4859 */
4860void
4862{
4863 FILE *fp = msg_fp(0);
4864
4865#ifdef ENABLE_SMALL
4866
4867 fprintf(fp, "Usage message not available\n");
4868
4869#else
4870
4871 struct options o;
4872 init_options(&o);
4873
4879 fflush(fp);
4880
4881#endif /* ENABLE_SMALL */
4882
4883 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4884}
4885
4886void
4888{
4889 msg(M_WARN | M_NOPREFIX, "Use --help for more information.");
4890 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4891}
4892
4893#ifdef _WIN32
4894void
4895show_windows_version(const unsigned int flags)
4896{
4897 struct gc_arena gc = gc_new();
4898 msg(flags, "Windows version: %s", win32_version_string(&gc));
4899 gc_free(&gc);
4900}
4901#endif
4902
4903void
4904show_dco_version(const unsigned int flags)
4905{
4906#ifdef ENABLE_DCO
4907 struct gc_arena gc = gc_new();
4908 msg(flags, "DCO version: %s", dco_version_string(&gc));
4909 gc_free(&gc);
4910#endif
4911}
4912
4913void
4914show_library_versions(const unsigned int flags)
4915{
4916#ifdef ENABLE_LZO
4917#define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4918#else
4919#define LZO_LIB_VER_STR "", ""
4920#endif
4921
4922 msg(flags, "library versions: %s%s%s", get_ssl_library_version(), LZO_LIB_VER_STR);
4923
4924#undef LZO_LIB_VER_STR
4925}
4926
4927static void
4929{
4932#ifdef _WIN32
4934#endif
4936 msg(M_INFO | M_NOPREFIX, "Originally developed by James Yonan");
4937 msg(M_INFO | M_NOPREFIX, "Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>");
4938#ifndef ENABLE_SMALL
4939#ifdef CONFIGURE_DEFINES
4940 msg(M_INFO | M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4941#endif
4942#ifdef CONFIGURE_SPECIAL_BUILD
4943 msg(M_INFO | M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4944#endif
4945#endif
4947}
4948
4949void
4950notnull(const char *arg, const char *description)
4951{
4952 if (!arg)
4953 {
4954 msg(M_USAGE, "You must define %s", description);
4955 }
4956}
4957
4958bool
4959string_defined_equal(const char *s1, const char *s2)
4960{
4961 if (s1 && s2)
4962 {
4963 return !strcmp(s1, s2);
4964 }
4965 else
4966 {
4967 return false;
4968 }
4969}
4970
4971#if 0
4972static void
4973ping_rec_err(msglvl_t msglevel)
4974{
4975 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4976}
4977#endif
4978
4979#ifdef _WIN32 /* This function is only used when compiling on Windows */
4980static unsigned int
4981atou(const char *str)
4982{
4983 unsigned int val = 0;
4984 sscanf(str, "%u", &val);
4985 return val;
4986}
4987#endif
4988
4989#define VERIFY_PERMISSION(mask) \
4990 { \
4991 if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, \
4992 msglevel, options, is_inline)) \
4993 { \
4994 goto err; \
4995 } \
4996 }
4997
4998static bool
4999verify_permission(const char *name, const char *file, int line, const uint64_t type,
5000 const uint64_t allowed, uint64_t *found, const msglvl_t msglevel,
5001 struct options *options, bool is_inline)
5002{
5003 if (!(type & allowed))
5004 {
5005 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5006 return false;
5007 }
5008
5009 if (is_inline && !(type & OPT_P_INLINE))
5010 {
5011 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name, file, line);
5012 return false;
5013 }
5014
5015 if (found)
5016 {
5017 *found |= type;
5018 }
5019
5020#ifndef ENABLE_SMALL
5021 /* Check if this options is allowed in connection block,
5022 * but we are currently not in a connection block
5023 * unless this is a pushed option.
5024 * Parsing a connection block uses a temporary options struct without
5025 * connection_list
5026 */
5027
5028 if ((type & OPT_P_CONNECTION) && options->connection_list && !(allowed & OPT_P_PULL_MODE))
5029 {
5030 if (file)
5031 {
5032 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name,
5033 file, line);
5034 }
5035 else
5036 {
5037 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5038 }
5039 }
5040#endif
5041 return true;
5042}
5043
5044/*
5045 * Check that an option doesn't have too
5046 * many parameters.
5047 */
5048
5049#define NM_QUOTE_HINT (1 << 0)
5050
5051static bool
5052no_more_than_n_args(const msglvl_t msglevel, char *p[], const int max, const unsigned int flags)
5053{
5054 const int len = string_array_len((const char **)p);
5055
5056 if (!len)
5057 {
5058 return false;
5059 }
5060
5061 if (len > max)
5062 {
5063 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s", p[0], max - 1,
5064 max >= 3 ? "s" : "",
5065 (flags & NM_QUOTE_HINT)
5066 ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")."
5067 : "");
5068 return false;
5069 }
5070 else
5071 {
5072 return true;
5073 }
5074}
5075
5076static inline msglvl_t
5078{
5079 return options->forward_compatible ? M_WARN : msglevel;
5080}
5081
5082#define RESET_OPTION_ROUTES(option_ptr, field) \
5083 if (option_ptr) \
5084 { \
5085 option_ptr->field = NULL; \
5086 option_ptr->flags = 0; \
5087 }
5088
5089void
5090remove_option(struct context *c, struct options *options, char *p[], bool is_inline,
5091 const char *file, int line, const msglvl_t msglevel,
5092 const uint64_t permission_mask, uint64_t *option_types_found,
5093 struct env_set *es)
5094{
5095 msglvl_t msglevel_fc = msglevel_forward_compatible(options, msglevel);
5096
5097 if (streq(p[0], "ifconfig") && !p[1])
5098 {
5100 options->ifconfig_local = NULL;
5102 }
5103 else if (streq(p[0], "ifconfig-ipv6") && !p[1])
5104 {
5109 }
5110 else if (streq(p[0], "route") && !p[1])
5111 {
5113 if (c->c1.route_list)
5114 {
5116 &c->net_ctx);
5118 }
5119 }
5120 else if (streq(p[0], "route-ipv6") && !p[1])
5121 {
5123 if (c->c1.route_ipv6_list)
5124 {
5126 es, &c->net_ctx);
5128 }
5129 }
5130 else if (streq(p[0], "route-gateway") && !p[1])
5131 {
5135 }
5136 else if (streq(p[0], "route-metric") && !p[1])
5137 {
5140 }
5141 else if (streq(p[0], "push-continuation") && !p[1])
5142 {
5145 }
5146 else if ((streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private")) && !p[1])
5147 {
5149 if (options->routes)
5150 {
5151 options->routes->flags = 0;
5152 }
5153 if (options->routes_ipv6)
5154 {
5156 }
5157 env_set_del(es, "route_redirect_gateway_ipv4");
5158 env_set_del(es, "route_redirect_gateway_ipv6");
5159 }
5160 else if (streq(p[0], "dns") && !p[1])
5161 {
5165 }
5166 else if (streq(p[0], "topology") && !p[1])
5167 {
5171 }
5172 else if (streq(p[0], "tun-mtu") && !p[1])
5173 {
5176 options->ce.tun_mtu_defined = false;
5177 options->ce.occ_mtu = 0;
5178 }
5179 else if (streq(p[0], "block-ipv6") && !p[1])
5180 {
5182 options->block_ipv6 = false;
5183 }
5184#if defined(_WIN32) || defined(TARGET_ANDROID)
5185 else if (streq(p[0], "dhcp-option") && !p[1])
5186 {
5189
5190 o->domain = NULL;
5191 o->netbios_scope = NULL;
5192 o->netbios_node_type = 0;
5193 o->dns6_len = 0;
5194 memset(o->dns6, 0, sizeof(o->dns6));
5195 o->dns_len = 0;
5196 memset(o->dns, 0, sizeof(o->dns));
5197 o->wins_len = 0;
5198 memset(o->wins, 0, sizeof(o->wins));
5199 o->ntp_len = 0;
5200 memset(o->ntp, 0, sizeof(o->ntp));
5201 o->nbdd_len = 0;
5202 memset(o->nbdd, 0, sizeof(o->nbdd));
5203 while (o->domain_search_list_len-- > 0)
5204 {
5206 }
5207 o->disable_nbt = 0;
5208 o->dhcp_options = 0;
5209#if defined(TARGET_ANDROID)
5210 o->http_proxy_port = 0;
5211 o->http_proxy = NULL;
5212#endif
5213 }
5214#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
5215#ifdef _WIN32
5216 else if (streq(p[0], "block-outside-dns") && !p[1])
5217 {
5219 options->block_outside_dns = false;
5220 }
5221#else /* ifdef _WIN32 */
5222 else if (streq(p[0], "dhcp-option") && !p[1])
5223 {
5225 delete_all_dhcp_fo(options, &es->list);
5226 }
5227#endif
5228 else
5229 {
5230 msglvl_t msglevel_unknown = msglevel_fc;
5231 /* Check if an option is in --ignore-unknown-option and
5232 * set warning level to non fatal */
5233 for (int i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
5234 {
5235 if (streq(p[0], options->ignore_unknown_option[i]))
5236 {
5237 msglevel_unknown = M_WARN;
5238 break;
5239 }
5240 }
5241 msg(msglevel_unknown,
5242 "Unrecognized option or missing or extra parameter(s) in %s:%d: -%s (%s)", file, line,
5243 p[0], PACKAGE_VERSION);
5244 }
5245 return;
5246err:
5247 msg(msglevel, "Error occurred trying to remove %s option", p[0]);
5248}
5249
5250
5251static bool
5252check_route_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5253{
5255 if (pull_mode)
5256 {
5258 && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
5259 {
5260 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
5261 return false;
5262 }
5263 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
5264 {
5265 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
5266 return false;
5267 }
5268 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn)
5269 && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
5270 {
5271 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
5272 return false;
5273 }
5274 }
5275 return true;
5276}
5277
5278
5279static bool
5280check_route6_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5281{
5283 if (pull_mode)
5284 {
5285 if (!ipv6_addr_safe_hexplusbits(p[1]))
5286 {
5287 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
5288 return false;
5289 }
5290 if (p[2] && !ipv6_addr_safe(p[2]))
5291 {
5292 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
5293 return false;
5294 }
5295 /* p[3] is metric, if present */
5296 }
5297 return true;
5298}
5299
5300static bool
5301check_dns_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
5302{
5303 if (streq(p[1], "search-domains") && p[2])
5304 {
5307 {
5308 msg(msglevel, "--dns %s contain invalid characters", p[1]);
5309 return false;
5310 }
5311 }
5312 else if (streq(p[1], "server") && p[2] && p[3] && p[4])
5313 {
5314 long priority;
5315 if (!dns_server_priority_parse(&priority, p[2], pull_mode))
5316 {
5317 msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
5318 return false;
5319 }
5320
5321 struct dns_server *server =
5323
5324 if (streq(p[3], "address"))
5325 {
5326 for (int i = 4; p[i]; ++i)
5327 {
5328 if (!dns_server_addr_parse(server, p[i]))
5329 {
5330 msg(msglevel, "--dns server %ld: malformed address or maximum exceeded '%s'",
5331 priority, p[i]);
5332 return false;
5333 }
5334 }
5335 }
5336 else if (streq(p[3], "resolve-domains"))
5337 {
5338 if (!dns_domain_list_append(&server->domains, &p[4], &options->dns_options.gc))
5339 {
5340 msg(msglevel, "--dns server %ld: %s contain invalid characters", priority, p[3]);
5341 return false;
5342 }
5343 }
5344 else if (streq(p[3], "dnssec") && !p[5])
5345 {
5346 if (streq(p[4], "yes"))
5347 {
5348 server->dnssec = DNS_SECURITY_YES;
5349 }
5350 else if (streq(p[4], "no"))
5351 {
5352 server->dnssec = DNS_SECURITY_NO;
5353 }
5354 else if (streq(p[4], "optional"))
5355 {
5356 server->dnssec = DNS_SECURITY_OPTIONAL;
5357 }
5358 else
5359 {
5360 msg(msglevel, "--dns server %ld: malformed dnssec value '%s'", priority, p[4]);
5361 return false;
5362 }
5363 }
5364 else if (streq(p[3], "transport") && !p[5])
5365 {
5366 if (streq(p[4], "plain"))
5367 {
5369 }
5370 else if (streq(p[4], "DoH"))
5371 {
5373 }
5374 else if (streq(p[4], "DoT"))
5375 {
5376 server->transport = DNS_TRANSPORT_TLS;
5377 }
5378 else
5379 {
5380 msg(msglevel, "--dns server %ld: malformed transport value '%s'", priority, p[4]);
5381 return false;
5382 }
5383 }
5384 else if (streq(p[3], "sni") && !p[5])
5385 {
5386 if (!validate_domain(p[4]))
5387 {
5388 msg(msglevel, "--dns server %ld: %s contains invalid characters", priority, p[3]);
5389 return false;
5390 }
5391 server->sni = p[4];
5392 }
5393 else
5394 {
5395 msg(msglevel,
5396 "--dns server %ld: unknown option type '%s' or missing or unknown parameter",
5397 priority, p[3]);
5398 return false;
5399 }
5400 }
5401 else
5402 {
5403 msg(msglevel, "--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
5404 return false;
5405 }
5406 return true;
5407}
5408
5409void
5410update_option(struct context *c, struct options *options, char *p[], bool is_inline,
5411 const char *file, int line, const int level, const msglvl_t msglevel,
5412 const uint64_t permission_mask, uint64_t *option_types_found,
5413 struct env_set *es)
5414{
5415 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5416 ASSERT(MAX_PARMS >= 7);
5417
5418 if (streq(p[0], "route") && p[1] && !p[5])
5419 {
5421 {
5423 if (!check_route_option(options, p, msglevel, pull_mode))
5424 {
5425 goto err;
5426 }
5427 if (c->c1.route_list)
5428 {
5430 es, &c->net_ctx);
5432 }
5434 }
5435 }
5436 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
5437 {
5439 {
5441 if (!check_route6_option(options, p, msglevel, pull_mode))
5442 {
5443 goto err;
5444 }
5445 if (c->c1.route_ipv6_list)
5446 {
5450 }
5452 }
5453 }
5454 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
5455 {
5457 {
5459 if (options->routes)
5460 {
5461 options->routes->flags = 0;
5462 }
5463 if (options->routes_ipv6)
5464 {
5466 }
5467 env_set_del(es, "route_redirect_gateway_ipv4");
5468 env_set_del(es, "route_redirect_gateway_ipv6");
5470 }
5471 }
5472 else if (streq(p[0], "dns") && p[1])
5473 {
5475 {
5477 if (!check_dns_option(options, p, msglevel, pull_mode))
5478 {
5479 goto err;
5480 }
5484 }
5485 }
5486#if defined(_WIN32) || defined(TARGET_ANDROID)
5487 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
5488 {
5490 {
5493
5494 o->domain = NULL;
5495 o->netbios_scope = NULL;
5496 o->netbios_node_type = 0;
5497 o->dns6_len = 0;
5498 CLEAR(o->dns6);
5499 o->dns_len = 0;
5500 CLEAR(o->dns);
5501 o->wins_len = 0;
5502 CLEAR(o->wins);
5503 o->ntp_len = 0;
5504 CLEAR(o->ntp);
5505 o->nbdd_len = 0;
5506 CLEAR(o->nbdd);
5507 while (o->domain_search_list_len-- > 0)
5508 {
5510 }
5511 o->disable_nbt = 0;
5512 o->dhcp_options = 0;
5513
5515#if defined(TARGET_ANDROID)
5516 o->http_proxy_port = 0;
5517 o->http_proxy = NULL;
5518#endif
5520 }
5521 }
5522#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
5523 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
5524 {
5526 {
5528 delete_all_dhcp_fo(options, &es->list);
5530 }
5531 }
5532#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
5533 add_option(options, p, is_inline, file, line, level, msglevel, permission_mask,
5534 option_types_found, es);
5535 return;
5536err:
5537 msg(msglevel, "Error occurred trying to update %s option", p[0]);
5538}
5539
5540static void
5541set_user_script(struct options *options, const char **script, const char *new_script,
5542 const char *type, bool in_chroot)
5543{
5544 if (*script)
5545 {
5546 msg(M_WARN,
5547 "Multiple --%s scripts defined. "
5548 "The previously configured script is overridden.",
5549 type);
5550 }
5551 *script = new_script;
5552 options->user_script_used = true;
5553
5554#ifndef ENABLE_SMALL
5555 {
5556 char script_name[100];
5557 snprintf(script_name, sizeof(script_name), "--%s script", type);
5558
5559 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5560 {
5561 msg(M_USAGE, "Please correct this error.");
5562 }
5563 }
5564#endif
5565}
5566
5567static void
5569{
5570 if (comp_non_stub_enabled(info))
5571 {
5572 msg(M_WARN, "WARNING: Compression for receiving enabled. "
5573 "Compression has been used in the past to break encryption. "
5574 "Compression support is deprecated and we recommend to disable "
5575 "it completely.");
5576 }
5577}
5578
5579bool
5581{
5582 bool ret = false;
5583 ret = ret || (options->management_flags & MF_EXTERNAL_KEY);
5584#ifdef ENABLE_PKCS11
5585 ret = ret || (options->pkcs11_providers[0] != NULL);
5586#endif
5587#ifdef ENABLE_CRYPTOAPI
5588 ret = ret || options->cryptoapi_cert;
5589#endif
5590
5591 return ret;
5592}
5593
5594#if defined(__GNUC__) || defined(__clang__)
5595#pragma GCC diagnostic push
5596#pragma GCC diagnostic ignored "-Wsign-compare"
5597#endif
5598
5599void
5600add_option(struct options *options, char *p[], bool is_inline, const char *file, int line,
5601 const int level, const msglvl_t msglevel, const uint64_t permission_mask,
5602 uint64_t *option_types_found, struct env_set *es)
5603{
5604 struct gc_arena gc = gc_new();
5605 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5606 msglvl_t msglevel_fc = msglevel_forward_compatible(options, msglevel);
5607
5608 ASSERT(MAX_PARMS >= 7);
5609
5610 /*
5611 * If directive begins with "setenv opt" prefix, don't raise an error if
5612 * directive is unrecognized.
5613 */
5614 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5615 {
5616 if (!p[2])
5617 {
5618 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5619 }
5620 p += 2;
5621 msglevel_fc = M_WARN;
5622 }
5623
5624 if (!file)
5625 {
5626 file = "[CMD-LINE]";
5627 line = 1;
5628 }
5629 if (streq(p[0], "help"))
5630 {
5632 usage();
5633 if (p[1])
5634 {
5635 msg(msglevel, "--help does not accept any parameters");
5636 goto err;
5637 }
5638 }
5639 if (streq(p[0], "version") && !p[1])
5640 {
5642 usage_version();
5643 }
5644 else if (streq(p[0], "config") && p[1] && !p[2])
5645 {
5647
5648 /* save first config file only in options */
5649 if (!options->config)
5650 {
5651 options->config = p[1];
5652 }
5653
5654 read_config_file(options, p[1], level, file, line, msglevel, permission_mask,
5655 option_types_found, es);
5656 }
5657#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5658 else if (streq(p[0], "show-gateway") && !p[2])
5659 {
5660 struct route_gateway_info rgi;
5661 struct route_ipv6_gateway_info rgi6;
5662 in_addr_t remote_ipv4 = 0;
5663 struct in6_addr remote_ipv6 = IN6ADDR_ANY_INIT;
5664 openvpn_net_ctx_t net_ctx;
5666 if (p[1])
5667 {
5668 /* try parsing the argument as a v4 or v6 address - if
5669 * possible, the output will show the exact route there, and
5670 * "the default route" for the other protocol
5671 */
5672 remote_ipv4 = get_ip_addr(p[1], M_WARN, NULL);
5673 get_ipv6_addr(p[1], &remote_ipv6, NULL, M_WARN);
5674 }
5675 net_ctx_init(NULL, &net_ctx);
5676 get_default_gateway(&rgi, remote_ipv4, &net_ctx);
5677 get_default_gateway_ipv6(&rgi6, &remote_ipv6, &net_ctx);
5678 print_default_gateway(M_INFO, &rgi, &rgi6);
5679 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5680 }
5681#endif
5682 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5683 {
5684 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5685 int j;
5686 bool good = true;
5687
5689
5690 for (j = 1; j < MAX_PARMS; ++j)
5691 {
5692 if (!p[j])
5693 {
5694 break;
5695 }
5696 if (j > 1)
5697 {
5698 good &= buf_printf(&string, " ");
5699 }
5700 good &= buf_printf(&string, "%s", p[j]);
5701 }
5702 if (good)
5703 {
5704 /* only message-related ECHO are logged, since other ECHOs
5705 * can potentially include security-sensitive strings */
5706 if (p[1] && strncmp(p[1], "msg", 3) == 0)
5707 {
5708 msg(M_INFO, "%s:%s", pull_mode ? "ECHO-PULL" : "ECHO", BSTR(&string));
5709 }
5710#ifdef ENABLE_MANAGEMENT
5711 if (management)
5712 {
5714 }
5715#endif
5716 }
5717 else
5718 {
5719 msg(M_WARN, "echo/parameter option overflow");
5720 }
5721 }
5722#ifdef ENABLE_MANAGEMENT
5723 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5724 {
5726 if (streq(p[2], "unix"))
5727 {
5728#if UNIX_SOCK_SUPPORT
5730#else
5731 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5732 goto err;
5733#endif
5734 }
5735
5738 if (p[3])
5739 {
5741 }
5742 }
5743 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5744 {
5747 }
5748 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5749 {
5752 }
5753 else if (streq(p[0], "management-query-passwords") && !p[1])
5754 {
5757 }
5758 else if (streq(p[0], "management-query-remote") && !p[1])
5759 {
5762 }
5763 else if (streq(p[0], "management-query-proxy") && !p[1])
5764 {
5767 }
5768 else if (streq(p[0], "management-hold") && !p[1])
5769 {
5772 }
5773 else if (streq(p[0], "management-signal") && !p[1])
5774 {
5777 }
5778 else if (streq(p[0], "management-forget-disconnect") && !p[1])
5779 {
5782 }
5783 else if (streq(p[0], "management-up-down") && !p[1])
5784 {
5787 }
5788 else if (streq(p[0], "management-client") && !p[1])
5789 {
5792 }
5793 else if (streq(p[0], "management-external-key"))
5794 {
5796 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5797 {
5798 if (streq(p[j], "nopadding"))
5799 {
5801 }
5802 else if (streq(p[j], "pkcs1"))
5803 {
5805 }
5806 else if (streq(p[j], "pss"))
5807 {
5809 }
5810 else if (streq(p[j], "digest"))
5811 {
5813 }
5814 else
5815 {
5816 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5817 }
5818 }
5819 /*
5820 * When no option is present, assume that only PKCS1
5821 * padding is supported
5822 */
5824 {
5826 }
5828 }
5829 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5830 {
5834 }
5835 else if (streq(p[0], "management-client-auth") && !p[1])
5836 {
5839 }
5840 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5841 {
5844 p[0], 1, INT_MAX, msglevel))
5845 {
5846 goto err;
5847 }
5848 }
5849#endif /* ifdef ENABLE_MANAGEMENT */
5850#ifdef ENABLE_PLUGIN
5851 else if (streq(p[0], "plugin") && p[1])
5852 {
5854 if (!options->plugin_list)
5855 {
5857 }
5859 {
5860 msg(msglevel, "plugin add failed: %s", p[1]);
5861 goto err;
5862 }
5863 }
5864#endif
5865 else if (streq(p[0], "mode") && p[1] && !p[2])
5866 {
5868 if (streq(p[1], "p2p"))
5869 {
5871 }
5872 else if (streq(p[1], "server"))
5873 {
5875 }
5876 else
5877 {
5878 msg(msglevel, "Bad --mode parameter: %s", p[1]);
5879 goto err;
5880 }
5881 }
5882 else if (streq(p[0], "dev") && p[1] && !p[2])
5883 {
5885 options->dev = p[1];
5886 }
5887 else if (streq(p[0], "dev-type") && p[1] && !p[2])
5888 {
5890 options->dev_type = p[1];
5891 }
5892#ifdef _WIN32
5893 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
5894 {
5896 msg(M_WARN,
5897 "DEPRECATED OPTION: windows-driver: In OpenVPN 2.7, the default Windows driver is ovpn-dco. "
5898 "If incompatible options are used, OpenVPN will fall back to tap-windows6. Wintun support has been removed.");
5899 }
5900#endif
5901 else if (streq(p[0], "disable-dco"))
5902 {
5903 options->disable_dco = true;
5904 }
5905 else if (streq(p[0], "dev-node") && p[1] && !p[2])
5906 {
5908 options->dev_node = p[1];
5909 }
5910 else if (streq(p[0], "lladdr") && p[1] && !p[2])
5911 {
5913 if (mac_addr_safe(p[1])) /* MAC address only */
5914 {
5915 options->lladdr = p[1];
5916 }
5917 else
5918 {
5919 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5920 goto err;
5921 }
5922 }
5923 else if (streq(p[0], "topology") && p[1] && !p[2])
5924 {
5926 options->topology = parse_topology(p[1], msglevel);
5927 }
5928 else if (streq(p[0], "tun-ipv6") && !p[1])
5929 {
5930 if (!pull_mode)
5931 {
5932 msg(M_WARN,
5933 "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5934 }
5935 }
5936#ifdef ENABLE_IPROUTE
5937 else if (streq(p[0], "iproute") && p[1] && !p[2])
5938 {
5940 iproute_path = p[1];
5941 }
5942#endif
5943 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5944 {
5947 && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5948 {
5949 options->ifconfig_local = p[1];
5951 }
5952 else
5953 {
5954 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5955 goto err;
5956 }
5957 }
5958 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
5959 {
5960 unsigned int netbits;
5961
5963 if (get_ipv6_addr(p[1], NULL, &netbits, msglevel) && ipv6_addr_safe(p[2]))
5964 {
5966 {
5967 msg(msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'",
5968 netbits);
5969 goto err;
5970 }
5971
5973 options->ifconfig_ipv6_netbits = netbits;
5975 }
5976 else
5977 {
5978 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5979 goto err;
5980 }
5981 }
5982 else if (streq(p[0], "ifconfig-noexec") && !p[1])
5983 {
5985 options->ifconfig_noexec = true;
5986 }
5987 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
5988 {
5990 options->ifconfig_nowarn = true;
5991 }
5992 else if (streq(p[0], "local") && p[1] && !p[4])
5993 {
5994 struct local_entry *e;
5995
5997
5999 ASSERT(e);
6000
6001 /* '*' is treated as 'ask the system to get some socket',
6002 * therefore force binding on a particular address only when
6003 * actually specified. */
6004 if (strcmp(p[1], "*") != 0)
6005 {
6006 e->local = p[1];
6007 }
6008
6009 if (p[2])
6010 {
6011 e->port = p[2];
6012 }
6013
6014 if (p[3])
6015 {
6016 e->proto = ascii2proto(p[3]);
6017 }
6018 }
6019 else if (streq(p[0], "remote-random") && !p[1])
6020 {
6022 options->remote_random = true;
6023 }
6024 else if (streq(p[0], "connection") && p[1] && !p[3])
6025 {
6027 if (is_inline)
6028 {
6029 struct options sub;
6030 struct connection_entry *e;
6031
6032 init_options(&sub);
6033 sub.ce = options->ce;
6034 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel, OPT_P_CONNECTION,
6035 option_types_found, es);
6036 if (!sub.ce.remote)
6037 {
6038 msg(msglevel,
6039 "Each 'connection' block must contain exactly one 'remote' directive");
6040 uninit_options(&sub);
6041 goto err;
6042 }
6043
6044 e = alloc_connection_entry(options, msglevel);
6045 if (!e)
6046 {
6047 uninit_options(&sub);
6048 goto err;
6049 }
6050 *e = sub.ce;
6051 gc_transfer(&options->gc, &sub.gc);
6052 uninit_options(&sub);
6053 }
6054 }
6055 else if (streq(p[0], "ignore-unknown-option") && p[1])
6056 {
6057 int i;
6058 int j;
6059 int numignored = 0;
6060 const char **ignore;
6061
6063 /* Find out how many options to be ignored */
6064 for (i = 1; p[i]; i++)
6065 {
6066 numignored++;
6067 }
6068
6069 /* add number of options already ignored */
6071 {
6072 numignored++;
6073 }
6074
6075 /* Allocate array */
6076 ALLOC_ARRAY_GC(ignore, const char *, numignored + 1, &options->gc);
6078 {
6079 ignore[i] = options->ignore_unknown_option[i];
6080 }
6081
6083
6084 for (j = 1; p[j]; j++)
6085 {
6086 /* Allow the user to specify ignore-unknown-option --opt too */
6087 if (p[j][0] == '-' && p[j][1] == '-')
6088 {
6089 options->ignore_unknown_option[i] = (p[j] + 2);
6090 }
6091 else
6092 {
6093 options->ignore_unknown_option[i] = p[j];
6094 }
6095 i++;
6096 }
6097
6098 options->ignore_unknown_option[i] = NULL;
6099 }
6100#if ENABLE_MANAGEMENT
6101 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
6102 {
6106 {
6107 goto err;
6108 }
6109 }
6110#endif
6111 else if (streq(p[0], "remote") && p[1] && !p[4])
6112 {
6113 struct remote_entry re;
6114 re.remote = re.remote_port = NULL;
6115 re.proto = -1;
6116 re.af = 0;
6117
6119 re.remote = p[1];
6120 if (p[2])
6121 {
6122 re.remote_port = p[2];
6123 if (p[3])
6124 {
6125 const int proto = ascii2proto(p[3]);
6126 const sa_family_t af = ascii2af(p[3]);
6127 if (proto < 0)
6128 {
6129 msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
6130 goto err;
6131 }
6132 re.proto = proto;
6133 re.af = af;
6134 }
6135 }
6136 if (permission_mask & OPT_P_GENERAL)
6137 {
6138 struct remote_entry *e = alloc_remote_entry(options, msglevel);
6139 if (!e)
6140 {
6141 goto err;
6142 }
6143 *e = re;
6144 }
6145 else if (permission_mask & OPT_P_CONNECTION)
6146 {
6148 }
6149 }
6150 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
6151 {
6153 if (streq(p[1], "infinite"))
6154 {
6156 }
6157 else
6158 {
6159 options->resolve_retry_seconds = positive_atoi(p[1], msglevel);
6160 }
6161 }
6162 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
6163 {
6166 /* Note the ip-remote-hint and the argument p[1] are for
6167 * backward compatibility */
6168 if (p[1])
6169 {
6170 options->ip_remote_hint = p[1];
6171 }
6172 }
6173 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
6174 {
6176 options->ce.connect_retry_seconds = positive_atoi(p[1], msglevel);
6177 /*
6178 * Limit the base value of retry wait interval to 16 bits to avoid
6179 * overflow when scaled up for exponential backoff
6180 */
6181 if (options->ce.connect_retry_seconds > 0xFFFF)
6182 {
6184 msg(M_WARN, "connect retry wait interval truncated to %d",
6186 }
6187
6188 if (p[2])
6189 {
6192 }
6193 }
6194 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout")) && p[1]
6195 && !p[2])
6196 {
6198 options->ce.connect_timeout = positive_atoi(p[1], msglevel);
6199 }
6200 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
6201 {
6203 options->connect_retry_max = positive_atoi(p[1], msglevel);
6204 }
6205 else if (streq(p[0], "ipchange") && p[1])
6206 {
6208 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6209 {
6210 goto err;
6211 }
6213 string_substitute(p[1], ',', ' ', &options->gc), "ipchange", true);
6214 }
6215 else if (streq(p[0], "float") && !p[1])
6216 {
6218 options->ce.remote_float = true;
6219 }
6220#ifdef ENABLE_DEBUG
6221 else if (streq(p[0], "gremlin") && p[1] && !p[2])
6222 {
6224 options->gremlin = positive_atoi(p[1], msglevel);
6225 }
6226#endif
6227 else if (streq(p[0], "chroot") && p[1] && !p[2])
6228 {
6230 options->chroot_dir = p[1];
6231 }
6232 else if (streq(p[0], "cd") && p[1] && !p[2])
6233 {
6235 if (platform_chdir(p[1]))
6236 {
6237 msg(M_ERR, "cd to '%s' failed", p[1]);
6238 goto err;
6239 }
6240 options->cd_dir = p[1];
6241 }
6242#ifdef ENABLE_SELINUX
6243 else if (streq(p[0], "setcon") && p[1] && !p[2])
6244 {
6246 options->selinux_context = p[1];
6247 }
6248#endif
6249 else if (streq(p[0], "writepid") && p[1] && !p[2])
6250 {
6252 options->writepid = p[1];
6253 }
6254 else if (streq(p[0], "up") && p[1])
6255 {
6257 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6258 {
6259 goto err;
6260 }
6261 set_user_script(options, &options->up_script, p[1], "up", false);
6262 }
6263 else if (streq(p[0], "down") && p[1])
6264 {
6266 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6267 {
6268 goto err;
6269 }
6270 set_user_script(options, &options->down_script, p[1], "down", true);
6271 }
6272 else if (streq(p[0], "down-pre") && !p[1])
6273 {
6275 options->down_pre = true;
6276 }
6277 else if (streq(p[0], "up-delay") && !p[1])
6278 {
6280 options->up_delay = true;
6281 }
6282 else if (streq(p[0], "up-restart") && !p[1])
6283 {
6285 options->up_restart = true;
6286 }
6287 else if (streq(p[0], "syslog") && !p[2])
6288 {
6290 open_syslog(p[1], false);
6291 }
6292 else if (streq(p[0], "daemon") && !p[2])
6293 {
6294 bool didit = false;
6296 if (!options->daemon)
6297 {
6298 options->daemon = didit = true;
6299 open_syslog(p[1], false);
6300 }
6301 if (p[1])
6302 {
6303 if (!didit)
6304 {
6305 msg(M_WARN,
6306 "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)",
6307 p[1]);
6308 goto err;
6309 }
6310 }
6311 }
6312 else if (streq(p[0], "log") && p[1] && !p[2])
6313 {
6315 options->log = true;
6316 redirect_stdout_stderr(p[1], false);
6317 }
6318 else if (streq(p[0], "suppress-timestamps") && !p[1])
6319 {
6323 }
6324 else if (streq(p[0], "machine-readable-output") && !p[1])
6325 {
6329 }
6330 else if (streq(p[0], "log-append") && p[1] && !p[2])
6331 {
6333 options->log = true;
6334 redirect_stdout_stderr(p[1], true);
6335 }
6336 else if (streq(p[0], "mlock") && !p[1])
6337 {
6339 options->mlock = true;
6340 }
6341#if ENABLE_IP_PKTINFO
6342 else if (streq(p[0], "multihome") && !p[2])
6343 {
6346 if (p[1] && streq(p[1], "same-interface"))
6347 {
6349 }
6350 else if (p[1])
6351 {
6352 msg(msglevel, "Unknown parameter to --multihome: %s", p[1]);
6353 }
6354 }
6355#endif
6356 else if (streq(p[0], "verb") && p[1] && !p[2])
6357 {
6359 options->verbosity = positive_atoi(p[1], msglevel);
6361 {
6362 /* We pass this flag to the SSL library to avoid
6363 * mbed TLS always generating debug level logging */
6365 }
6366#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6367 /* Warn when a debug verbosity is supplied when built without debug support */
6368 if (options->verbosity >= 7)
6369 {
6370 msg(M_WARN,
6371 "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6373 }
6374#endif
6375 }
6376 else if (streq(p[0], "mute") && p[1] && !p[2])
6377 {
6379 options->mute = positive_atoi(p[1], msglevel);
6380 }
6381 else if (streq(p[0], "errors-to-stderr") && !p[1])
6382 {
6385 }
6386 else if (streq(p[0], "status") && p[1] && !p[3])
6387 {
6389 options->status_file = p[1];
6390 if (p[2])
6391 {
6393 }
6394 }
6395 else if (streq(p[0], "status-version") && p[1] && !p[2])
6396 {
6398 if (!atoi_constrained(p[1], &options->status_file_version, p[0], 1, 3, msglevel))
6399 {
6400 goto err;
6401 }
6402 }
6403 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6404 {
6406 if (streq(p[1], "SIGHUP"))
6407 {
6409 }
6410 else if (streq(p[1], "SIGTERM"))
6411 {
6413 }
6414 else
6415 {
6416 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6417 goto err;
6418 }
6419 }
6420 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6421 {
6423 options->ce.link_mtu = positive_atoi(p[1], msglevel);
6424 options->ce.link_mtu_defined = true;
6425 }
6426 else if (streq(p[0], "tun-mtu") && p[1] && !p[3])
6427 {
6429 if (atoi_constrained(p[1], &options->ce.tun_mtu, "tun-mtu", TUN_MTU_MIN, TUN_MTU_MAX, msglevel))
6430 {
6431 options->ce.tun_mtu_defined = true;
6432 if (p[2])
6433 {
6434 atoi_constrained(p[2], &options->ce.occ_mtu, "tun-mtu occ-mtu", TUN_MTU_MIN, TUN_MTU_MAX, msglevel);
6435 }
6436 else
6437 {
6438 options->ce.occ_mtu = 0;
6439 }
6440 }
6441 }
6442 else if (streq(p[0], "tun-mtu-max") && p[1] && !p[2])
6443 {
6446 }
6447 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6448 {
6450 if (atoi_constrained(p[1], &options->ce.tun_mtu_extra, p[0], 0, TUN_MTU_MAX, msglevel))
6451 {
6453 }
6454 }
6455 else if (streq(p[0], "max-packet-size") && p[1] && !p[2])
6456 {
6458 int maxmtu = positive_atoi(p[1], msglevel);
6460
6461 if (maxmtu < TLS_CHANNEL_MTU_MIN || maxmtu > TLS_CHANNEL_BUF_SIZE)
6462 {
6463 msg(M_WARN,
6464 "Note: max-packet-size value outside of allowed "
6465 "control channel packet size (%d to %d), will use %d "
6466 "instead.",
6468 }
6469
6470 /* also set mssfix maxmtu mtu */
6471 options->ce.mssfix = maxmtu;
6472 options->ce.mssfix_default = false;
6473 options->ce.mssfix_encap = true;
6474 }
6475#ifdef ENABLE_FRAGMENT
6476 else if (streq(p[0], "mtu-dynamic"))
6477 {
6479 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6480 goto err;
6481 }
6482 else if (streq(p[0], "fragment") && p[1] && !p[3])
6483 {
6485 if (!atoi_constrained(p[1], &options->ce.fragment, p[0], 68, INT_MAX, msglevel))
6486 {
6487 goto err;
6488 }
6489
6490 if (p[2] && streq(p[2], "mtu"))
6491 {
6492 options->ce.fragment_encap = true;
6493 }
6494 else if (p[2])
6495 {
6496 msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
6497 }
6498 }
6499#endif /* ifdef ENABLE_FRAGMENT */
6500 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6501 {
6504 }
6505 else if (streq(p[0], "mtu-test") && !p[1])
6506 {
6508 options->mtu_test = true;
6509 }
6510 else if (streq(p[0], "nice") && p[1] && !p[2])
6511 {
6513 options->nice = atoi_warn(p[1], msglevel);
6514 }
6515 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6516 {
6518 options->rcvbuf = positive_atoi(p[1], msglevel);
6519 }
6520 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6521 {
6523 options->sndbuf = positive_atoi(p[1], msglevel);
6524 }
6525 else if (streq(p[0], "mark") && p[1] && !p[2])
6526 {
6527#if defined(TARGET_LINUX)
6529 options->mark = atoi_warn(p[1], msglevel);
6530#endif
6531 }
6532 else if (streq(p[0], "socket-flags"))
6533 {
6534 int j;
6536 for (j = 1; j < MAX_PARMS && p[j]; ++j)
6537 {
6538 if (streq(p[j], "TCP_NODELAY"))
6539 {
6541 }
6542 else
6543 {
6544 msg(msglevel, "unknown socket flag: %s", p[j]);
6545 }
6546 }
6547 }
6548#ifdef TARGET_LINUX
6549 else if (streq(p[0], "bind-dev") && p[1])
6550 {
6552 options->bind_dev = p[1];
6553 }
6554#endif
6555 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6556 {
6558#ifdef TARGET_LINUX
6559 options->tuntap_options.txqueuelen = positive_atoi(p[1], msglevel);
6560#else
6561 msg(msglevel, "--txqueuelen not supported on this OS");
6562 goto err;
6563#endif
6564 }
6565 else if (streq(p[0], "shaper") && p[1] && !p[2])
6566 {
6568 if (!atoi_constrained(p[1], &options->shaper, p[0], SHAPER_MIN, SHAPER_MAX, msglevel))
6569 {
6570 goto err;
6571 }
6572 }
6573 else if (streq(p[0], "port") && p[1] && !p[2])
6574 {
6577 }
6578 else if (streq(p[0], "lport") && p[1] && !p[2])
6579 {
6581
6582 /* only trigger bind() if port is not 0 (or --local is used) */
6583 if (!streq(p[1], "0"))
6584 {
6586 }
6587 options->ce.local_port = p[1];
6588 }
6589 else if (streq(p[0], "rport") && p[1] && !p[2])
6590 {
6592 options->ce.remote_port = p[1];
6593 }
6594 else if (streq(p[0], "bind") && !p[2])
6595 {
6597 options->ce.bind_defined = true;
6598 if (p[1] && streq(p[1], "ipv6only"))
6599 {
6600 options->ce.bind_ipv6_only = true;
6601 }
6602 }
6603 else if (streq(p[0], "nobind") && !p[1])
6604 {
6606 options->ce.bind_local = false;
6607 }
6608 else if (streq(p[0], "fast-io") && !p[1])
6609 {
6611 msg(M_WARN, "DEPRECATED OPTION: --fast-io option ignored.");
6612 }
6613 else if (streq(p[0], "inactive") && p[1] && !p[3])
6614 {
6616 options->inactivity_timeout = positive_atoi(p[1], msglevel);
6617 if (p[2])
6618 {
6619 positive_atoll(p[2], &options->inactivity_minimum_bytes, p[0], msglevel);
6620 if (options->inactivity_minimum_bytes > INT_MAX)
6621 {
6622 msg(M_WARN,
6623 "WARNING: '--inactive' with a 'bytes' value"
6624 " >2 Gbyte was silently ignored in older versions. If "
6625 " your VPN exits unexpectedly with 'Inactivity timeout'"
6626 " in %d seconds, revisit this value.",
6628 }
6629 }
6630 }
6631 else if (streq(p[0], "session-timeout") && p[1] && !p[2])
6632 {
6634 options->session_timeout = positive_atoi(p[1], msglevel);
6635 }
6636 else if (streq(p[0], "proto") && p[1] && !p[2])
6637 {
6638 int proto;
6641 proto = ascii2proto(p[1]);
6642 af = ascii2af(p[1]);
6643 if (proto < 0)
6644 {
6645 msg(msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s", p[1],
6647 goto err;
6648 }
6649 options->ce.proto = proto;
6650 options->ce.af = af;
6651 }
6652 else if (streq(p[0], "proto-force") && p[1] && !p[2])
6653 {
6654 int proto_force;
6656 proto_force = ascii2proto(p[1]);
6657 if (proto_force < 0)
6658 {
6659 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6660 goto err;
6661 }
6662 options->proto_force = proto_force;
6663 }
6664 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6665 {
6666 struct http_proxy_options *ho;
6667
6669
6670 {
6671 if (!p[2])
6672 {
6673 msg(msglevel, "http-proxy port number not defined");
6674 goto err;
6675 }
6676
6678
6679 ho->server = p[1];
6680 ho->port = p[2];
6681 }
6682
6683 if (p[3])
6684 {
6685 /* auto -- try to figure out proxy addr, port, and type automatically */
6686 /* auto-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6687 if (streq(p[3], "auto"))
6688 {
6689 ho->auth_retry = PAR_ALL;
6690 }
6691 else if (streq(p[3], "auto-nct"))
6692 {
6693 ho->auth_retry = PAR_NCT;
6694 }
6695 else
6696 {
6697 ho->auth_method_string = "basic";
6698 ho->auth_file = p[3];
6699
6700 if (p[4])
6701 {
6702 ho->auth_method_string = p[4];
6703 }
6704 }
6705 }
6706 else
6707 {
6708 ho->auth_method_string = "none";
6709 }
6710 }
6711 else if (streq(p[0], "http-proxy-user-pass") && p[1])
6712 {
6713 struct http_proxy_options *ho;
6716 ho->auth_file_up = p[1];
6717 ho->inline_creds = is_inline;
6718 }
6719 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry") || streq(p[0], "http-proxy-timeout"))
6720 {
6722 msg(M_WARN, "DEPRECATED OPTION: %s option ignored.", p[0]);
6723 }
6724 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6725 {
6726 struct http_proxy_options *ho;
6727
6730
6731 if (streq(p[1], "VERSION") && p[2] && !p[3])
6732 {
6733 ho->http_version = p[2];
6734 }
6735 else if (streq(p[1], "AGENT") && p[2] && !p[3])
6736 {
6737 ho->user_agent = p[2];
6738 }
6739 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6740 && p[2])
6741 {
6742 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6743 * with either two argument or one */
6744
6745 struct http_custom_header *custom_header = NULL;
6746 int i;
6747 /* Find the first free header */
6748 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6749 {
6750 if (!ho->custom_headers[i].name)
6751 {
6752 custom_header = &ho->custom_headers[i];
6753 break;
6754 }
6755 }
6756 if (!custom_header)
6757 {
6758 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'",
6760 }
6761 else
6762 {
6763 /* We will save p[2] and p[3], the proxy code will detect if
6764 * p[3] is NULL */
6765 custom_header->name = p[2];
6766 custom_header->content = p[3];
6767 }
6768 }
6769 else
6770 {
6771 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6772 }
6773 }
6774 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6775 {
6777
6778 if (p[2])
6779 {
6780 options->ce.socks_proxy_port = p[2];
6781 }
6782 else
6783 {
6784 options->ce.socks_proxy_port = "1080";
6785 }
6787 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
6788 }
6789 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
6790 {
6792 atoi_constrained(p[1], &options->keepalive_ping, "keepalive ping", 1, INT_MAX, msglevel);
6793 atoi_constrained(p[2], &options->keepalive_timeout, "keepalive timeout", 1, INT_MAX, msglevel);
6794 }
6795 else if (streq(p[0], "ping") && p[1] && !p[2])
6796 {
6798 options->ping_send_timeout = positive_atoi(p[1], msglevel);
6799 }
6800 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
6801 {
6803 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
6805 }
6806 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
6807 {
6809 options->ping_rec_timeout = positive_atoi(p[1], msglevel);
6811 }
6812 else if (streq(p[0], "ping-timer-rem") && !p[1])
6813 {
6815 options->ping_timer_remote = true;
6816 }
6817 else if (streq(p[0], "explicit-exit-notify") && !p[2])
6818 {
6820 if (p[1])
6821 {
6823 }
6824 else
6825 {
6827 }
6828 }
6829 else if (streq(p[0], "persist-tun") && !p[1])
6830 {
6832 options->persist_tun = true;
6833 }
6834 else if (streq(p[0], "persist-key") && !p[1])
6835 {
6837 msg(M_WARN, "DEPRECATED OPTION: --persist-key option ignored. "
6838 "Keys are now always persisted across restarts. ");
6839 }
6840 else if (streq(p[0], "persist-local-ip") && !p[1])
6841 {
6843 options->persist_local_ip = true;
6844 }
6845 else if (streq(p[0], "persist-remote-ip") && !p[1])
6846 {
6848 options->persist_remote_ip = true;
6849 }
6850 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
6851 {
6854 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
6855 }
6856 else if (streq(p[0], "route-table") && p[1] && !p[2])
6857 {
6858#ifndef ENABLE_SITNL
6859 msg(M_WARN, "NOTE: --route-table is supported only on Linux when SITNL is built-in");
6860#endif
6862 options->route_default_table_id = positive_atoi(p[1], msglevel);
6863 }
6864 else if (streq(p[0], "route") && p[1] && !p[5])
6865 {
6867 if (!check_route_option(options, p, msglevel, pull_mode))
6868 {
6869 goto err;
6870 }
6871 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4],
6873 }
6874 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
6875 {
6877 if (!check_route6_option(options, p, msglevel, pull_mode))
6878 {
6879 goto err;
6880 }
6883 }
6884 else if (streq(p[0], "max-routes") && !p[2])
6885 {
6886 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored.");
6887 }
6888 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
6889 {
6891 if (streq(p[1], "dhcp"))
6892 {
6894 }
6895 else
6896 {
6898 || is_special_addr(p[1])) /* FQDN -- may be DNS name */
6899 {
6901 }
6902 else
6903 {
6904 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
6905 goto err;
6906 }
6907 }
6908 }
6909 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
6910 {
6911 if (ipv6_addr_safe(p[1]))
6912 {
6914 }
6915 else
6916 {
6917 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
6918 goto err;
6919 }
6920 }
6921 else if (streq(p[0], "route-metric") && p[1] && !p[2])
6922 {
6924 options->route_default_metric = positive_atoi(p[1], msglevel);
6925 }
6926 else if (streq(p[0], "route-delay") && !p[3])
6927 {
6930 if (p[1])
6931 {
6932 options->route_delay = positive_atoi(p[1], msglevel);
6933 if (p[2])
6934 {
6935 options->route_delay_window = positive_atoi(p[2], msglevel);
6936 }
6937 }
6938 else
6939 {
6940 options->route_delay = 0;
6941 }
6942 }
6943 else if (streq(p[0], "route-up") && p[1])
6944 {
6946 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6947 {
6948 goto err;
6949 }
6950 set_user_script(options, &options->route_script, p[1], "route-up", false);
6951 }
6952 else if (streq(p[0], "route-pre-down") && p[1])
6953 {
6955 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6956 {
6957 goto err;
6958 }
6959 set_user_script(options, &options->route_predown_script, p[1], "route-pre-down", true);
6960 }
6961 else if (streq(p[0], "route-noexec") && !p[1])
6962 {
6964 options->route_noexec = true;
6965 }
6966 else if (streq(p[0], "route-nopull") && !p[1])
6967 {
6969 options->route_nopull = true;
6970 }
6971 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
6972 {
6973 struct pull_filter *f;
6976
6977 if (strcmp("accept", p[1]) == 0)
6978 {
6979 f->type = PUF_TYPE_ACCEPT;
6980 }
6981 else if (strcmp("ignore", p[1]) == 0)
6982 {
6983 f->type = PUF_TYPE_IGNORE;
6984 }
6985 else if (strcmp("reject", p[1]) == 0)
6986 {
6987 f->type = PUF_TYPE_REJECT;
6988 }
6989 else
6990 {
6991 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
6992 goto err;
6993 }
6994 f->pattern = p[2];
6995 f->size = strlen(p[2]);
6996 }
6997 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
6998 {
7000 options->allow_pull_fqdn = true;
7001 }
7002 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
7003 {
7004 int j;
7007
7008 if (options->routes->flags & RG_ENABLE)
7009 {
7010 msg(M_WARN, "WARNING: You have specified redirect-gateway and "
7011 "redirect-private at the same time (or the same option "
7012 "multiple times). This is not well supported and may lead to "
7013 "unexpected results");
7014 }
7015
7017
7018 if (streq(p[0], "redirect-gateway"))
7019 {
7021 }
7022 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
7023 {
7024 if (streq(p[j], "local"))
7025 {
7027 }
7028 else if (streq(p[j], "autolocal"))
7029 {
7031 }
7032 else if (streq(p[j], "def1"))
7033 {
7035 }
7036 else if (streq(p[j], "bypass-dhcp"))
7037 {
7039 }
7040 else if (streq(p[j], "bypass-dns"))
7041 {
7043 }
7044 else if (streq(p[j], "block-local"))
7045 {
7047 }
7048 else if (streq(p[j], "ipv6"))
7049 {
7052 }
7053 else if (streq(p[j], "!ipv4"))
7054 {
7056 }
7057 else
7058 {
7059 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
7060 goto err;
7061 }
7062 }
7064 {
7065 setenv_int(es, "route_redirect_gateway_ipv4",
7066 (options->routes->flags & RG_BLOCK_LOCAL) ? 2 : 1);
7067 }
7069 {
7070 setenv_int(es, "route_redirect_gateway_ipv6",
7071 (options->routes->flags & RG_BLOCK_LOCAL) ? 2 : 1);
7072 }
7073#ifdef _WIN32
7074 /* we need this here to handle pushed --redirect-gateway */
7076#endif
7077 }
7078 else if (streq(p[0], "block-ipv6") && !p[1])
7079 {
7081 options->block_ipv6 = true;
7082 }
7083 else if (streq(p[0], "remote-random-hostname") && !p[1])
7084 {
7087 }
7088 else if (streq(p[0], "setenv") && p[1] && !p[3])
7089 {
7091 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
7092 {
7094 }
7095 else if (streq(p[1], "GENERIC_CONFIG"))
7096 {
7097 msg(msglevel, "this is a generic configuration and cannot directly be used");
7098 goto err;
7099 }
7100 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
7101 {
7102 options->push_peer_info = true;
7103 }
7104 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
7105 {
7106 options->ce.connect_timeout = positive_atoi(p[2], msglevel);
7107 }
7108 else
7109 {
7110 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
7111 {
7113 msglevel_fc = msglevel_forward_compatible(options, msglevel);
7114 }
7115 setenv_str(es, p[1], p[2] ? p[2] : "");
7116 }
7117 }
7118 else if (streq(p[0], "compat-mode") && p[1] && !p[3])
7119 {
7120 unsigned int major, minor, patch;
7121 if (!(sscanf(p[1], "%u.%u.%u", &major, &minor, &patch) == 3))
7122 {
7123 msg(msglevel, "cannot parse version number for --compat-mode: %s", p[1]);
7124 goto err;
7125 }
7126
7127 options->backwards_compatible = major * 10000 + minor * 100 + patch;
7128 }
7129 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
7130 {
7132 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
7133 }
7134 else if (streq(p[0], "script-security") && p[1] && !p[2])
7135 {
7137 int security;
7138 if (atoi_constrained(p[1], &security, p[0], SSEC_NONE, SSEC_PW_ENV, msglevel))
7139 {
7140 script_security_set(security);
7141 }
7142 }
7143 else if (streq(p[0], "mssfix") && !p[3])
7144 {
7146 if (p[1])
7147 {
7148 int mssfix;
7149 if (!atoi_constrained(p[1], &mssfix, p[0], 0, UINT16_MAX, msglevel))
7150 {
7151 goto err;
7152 }
7153 if (mssfix != 0 && mssfix < TLS_CHANNEL_MTU_MIN)
7154 {
7155 msg(msglevel, "mssfix needs to be >= %d, not %d", TLS_CHANNEL_MTU_MIN, mssfix);
7156 goto err;
7157 }
7158
7159 /* value specified, assume encapsulation is not
7160 * included unless "mtu" follows later */
7161 options->ce.mssfix = mssfix;
7162 options->ce.mssfix_encap = false;
7163 options->ce.mssfix_default = false;
7164 }
7165 else
7166 {
7167 /* Set MTU to default values */
7168 options->ce.mssfix_default = true;
7169 options->ce.mssfix_encap = true;
7170 options->ce.mssfix_fixed = false;
7171 }
7172
7173 if (p[2] && streq(p[2], "mtu"))
7174 {
7175 options->ce.mssfix_encap = true;
7176 }
7177 else if (p[2] && streq(p[2], "fixed"))
7178 {
7179 options->ce.mssfix_fixed = true;
7180 }
7181 else if (p[2])
7182 {
7183 msg(msglevel, "Unknown parameter to --mssfix: %s", p[2]);
7184 }
7185 }
7186 else if (streq(p[0], "disable-occ") && !p[1])
7187 {
7189 options->occ = false;
7190 }
7191 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
7192 {
7193 const int lev = M_WARN;
7194 bool error = false;
7195 in_addr_t network, netmask;
7196
7198 network = get_ip_addr(p[1], lev, &error);
7199 netmask = get_ip_addr(p[2], lev, &error);
7200 if (error || !network || !netmask)
7201 {
7202 msg(msglevel, "error parsing --server parameters");
7203 goto err;
7204 }
7205 options->server_defined = true;
7206 options->server_network = network;
7207 options->server_netmask = netmask;
7208
7209 if (p[3])
7210 {
7211 if (streq(p[3], "nopool"))
7212 {
7214 }
7215 else
7216 {
7217 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
7218 goto err;
7219 }
7220 }
7221 }
7222 else if (streq(p[0], "server-ipv6") && p[1] && !p[2])
7223 {
7224 const int lev = M_WARN;
7225 struct in6_addr network;
7226 unsigned int netbits = 0;
7227
7229 if (!get_ipv6_addr(p[1], &network, &netbits, lev))
7230 {
7231 msg(msglevel, "error parsing --server-ipv6 parameter");
7232 goto err;
7233 }
7234 if (netbits < 64 || netbits > 124)
7235 {
7236 msg(msglevel, "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7237 netbits);
7238
7239 goto err;
7240 }
7242 options->server_network_ipv6 = network;
7243 options->server_netbits_ipv6 = netbits;
7244 }
7245 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7246 {
7247 const int lev = M_WARN;
7248 bool error = false;
7249 in_addr_t ip, netmask, pool_start, pool_end;
7250
7252 ip = get_ip_addr(p[1], lev, &error);
7253 netmask = get_ip_addr(p[2], lev, &error);
7254 pool_start = get_ip_addr(p[3], lev, &error);
7255 pool_end = get_ip_addr(p[4], lev, &error);
7256 if (error || !ip || !netmask || !pool_start || !pool_end)
7257 {
7258 msg(msglevel, "error parsing --server-bridge parameters");
7259 goto err;
7260 }
7263 options->server_bridge_netmask = netmask;
7264 options->server_bridge_pool_start = pool_start;
7265 options->server_bridge_pool_end = pool_end;
7266 }
7267 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
7268 {
7272 }
7273 else if (streq(p[0], "server-bridge") && !p[1])
7274 {
7277 }
7278 else if (streq(p[0], "push") && p[1] && !p[2])
7279 {
7281 push_options(options, &p[1], msglevel, &options->gc);
7282 }
7283 else if (streq(p[0], "push-reset") && !p[1])
7284 {
7287 }
7288 else if (streq(p[0], "push-remove") && p[1] && !p[2])
7289 {
7291 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
7293 }
7294 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
7295 {
7296 const int lev = M_WARN;
7297 bool error = false;
7298 in_addr_t start, end, netmask = 0;
7299
7301 start = get_ip_addr(p[1], lev, &error);
7302 end = get_ip_addr(p[2], lev, &error);
7303 if (p[3])
7304 {
7305 netmask = get_ip_addr(p[3], lev, &error);
7306 }
7307 if (error)
7308 {
7309 msg(msglevel, "error parsing --ifconfig-pool parameters");
7310 goto err;
7311 }
7312 if (!ifconfig_pool_verify_range(msglevel, start, end))
7313 {
7314 goto err;
7315 }
7316
7320 if (netmask)
7321 {
7322 options->ifconfig_pool_netmask = netmask;
7323 }
7324 }
7325 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
7326 {
7329 if (p[2])
7330 {
7332 }
7333 }
7334 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
7335 {
7336 const int lev = M_WARN;
7337 struct in6_addr network;
7338 unsigned int netbits = 0;
7339
7341 if (!get_ipv6_addr(p[1], &network, &netbits, lev))
7342 {
7343 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
7344 goto err;
7345 }
7346 if (netbits < 64 || netbits > 124)
7347 {
7348 msg(msglevel,
7349 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7350 netbits);
7351 goto err;
7352 }
7353
7357 }
7358 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
7359 {
7360 int real, virtual;
7361
7363 if (!atoi_constrained(p[1], &real, "hash-size real", 1, INT_MAX, msglevel)
7364 || !atoi_constrained(p[2], &virtual, "hash-size virtual", 1, INT_MAX, msglevel))
7365 {
7366 goto err;
7367 }
7368 options->real_hash_size = (uint32_t)real;
7369 options->virtual_hash_size = (uint32_t)virtual;
7370 }
7371 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
7372 {
7373 int cf_max, cf_per;
7374
7376 if (!atoi_constrained(p[1], &cf_max, "connect-freq n", 1, INT_MAX, msglevel)
7377 || !atoi_constrained(p[2], &cf_per, "connect-freq seconds", 1, INT_MAX, msglevel))
7378 {
7379 goto err;
7380 }
7381 options->cf_max = cf_max;
7382 options->cf_per = cf_per;
7383 }
7384 else if (streq(p[0], "connect-freq-initial") && p[1] && p[2] && !p[3])
7385 {
7386 int cf_max, cf_per;
7387
7389 if (!atoi_constrained(p[1], &cf_max, "connect-freq-initial n", 1, INT_MAX, msglevel)
7390 || !atoi_constrained(p[2], &cf_per, "connect-freq-initial seconds", 1, INT_MAX, msglevel))
7391 {
7392 goto err;
7393 }
7394 options->cf_initial_max = cf_max;
7395 options->cf_initial_per = cf_per;
7396 }
7397 else if (streq(p[0], "max-clients") && p[1] && !p[2])
7398 {
7400 if (!atoi_constrained(p[1], (int *)&options->max_clients, p[0], 1, MAX_PEER_ID - 1, msglevel))
7401 {
7402 goto err;
7403 }
7404 }
7405 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
7406 {
7408 atoi_constrained(p[1], &options->max_routes_per_client, p[0], 1, INT_MAX, msglevel);
7409 }
7410 else if (streq(p[0], "client-cert-not-required") && !p[1])
7411 {
7413 msg(M_FATAL,
7414 "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7415 }
7416 else if (streq(p[0], "verify-client-cert") && !p[2])
7417 {
7419
7420 /* Reset any existing flags */
7421 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
7422 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
7423 if (p[1])
7424 {
7425 if (streq(p[1], "none"))
7426 {
7428 }
7429 else if (streq(p[1], "optional"))
7430 {
7432 }
7433 else if (!streq(p[1], "require"))
7434 {
7435 msg(msglevel,
7436 "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7437 goto err;
7438 }
7439 }
7440 }
7441 else if (streq(p[0], "username-as-common-name") && !p[1])
7442 {
7445 }
7446 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7447 {
7450 }
7451 else if (streq(p[0], "opt-verify") && !p[1])
7452 {
7454 msg(M_INFO, "DEPRECATED OPTION: --opt-verify was removed in OpenVPN 2.7.");
7455 }
7456 else if (streq(p[0], "auth-user-pass-verify") && p[1])
7457 {
7459 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7460 {
7461 goto err;
7462 }
7463 if (p[2])
7464 {
7465 if (streq(p[2], "via-env"))
7466 {
7468 }
7469 else if (streq(p[2], "via-file"))
7470 {
7472 }
7473 else
7474 {
7475 msg(msglevel,
7476 "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7477 goto err;
7478 }
7479 }
7480 else
7481 {
7482 msg(msglevel,
7483 "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7484 goto err;
7485 }
7487 "auth-user-pass-verify", true);
7488 }
7489 else if (streq(p[0], "auth-gen-token"))
7490 {
7493 options->auth_token_lifetime = p[1] ? positive_atoi(p[1], msglevel) : 0;
7494
7495 for (int i = 2; i < MAX_PARMS && p[i] != NULL; i++)
7496 {
7497 /* the second parameter can be the renewal time */
7498 if (i == 2 && valid_integer(p[i], true))
7499 {
7500 options->auth_token_renewal = positive_atoi(p[i], msglevel);
7501 }
7502 else if (streq(p[i], "external-auth"))
7503 {
7505 }
7506 else
7507 {
7508 msg(msglevel, "Invalid argument to auth-gen-token: %s (%d)", p[i], i);
7509 }
7510 }
7511 }
7512 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7513 {
7517 }
7518 else if (streq(p[0], "client-connect") && p[1])
7519 {
7521 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7522 {
7523 goto err;
7524 }
7525 set_user_script(options, &options->client_connect_script, p[1], "client-connect", true);
7526 }
7527 else if (streq(p[0], "client-crresponse") && p[1])
7528 {
7530 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7531 {
7532 goto err;
7533 }
7534 set_user_script(options, &options->client_crresponse_script, p[1], "client-crresponse",
7535 true);
7536 }
7537 else if (streq(p[0], "client-disconnect") && p[1])
7538 {
7540 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7541 {
7542 goto err;
7543 }
7544 set_user_script(options, &options->client_disconnect_script, p[1], "client-disconnect",
7545 true);
7546 }
7547 else if (streq(p[0], "learn-address") && p[1])
7548 {
7550 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7551 {
7552 goto err;
7553 }
7554 set_user_script(options, &options->learn_address_script, p[1], "learn-address", true);
7555 }
7556 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7557 {
7559 options->tmp_dir = p[1];
7560 }
7561 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7562 {
7564 options->client_config_dir = p[1];
7565 }
7566 else if (streq(p[0], "ccd-exclusive") && !p[1])
7567 {
7569 options->ccd_exclusive = true;
7570 }
7571 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7572 {
7574 atoi_constrained(p[1], &options->n_bcast_buf, p[0], 1, MBUF_SIZE_MAX, msglevel);
7575 }
7576 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7577 {
7579 atoi_constrained(p[1], &options->tcp_queue_limit, p[0], 1, INT_MAX, msglevel);
7580 }
7581#if PORT_SHARE
7582 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7583 {
7585 options->port_share_host = p[1];
7586 options->port_share_port = p[2];
7587 options->port_share_journal_dir = p[3];
7588 }
7589#endif
7590 else if (streq(p[0], "client-to-client") && !p[1])
7591 {
7593 options->enable_c2c = true;
7594 }
7595 else if (streq(p[0], "duplicate-cn") && !p[1])
7596 {
7598 options->duplicate_cn = true;
7599 }
7600 else if (streq(p[0], "iroute") && p[1] && !p[3])
7601 {
7603 option_iroute(options, p[1], p[2], msglevel);
7604 }
7605 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7606 {
7608 option_iroute_ipv6(options, p[1], msglevel);
7609 }
7610 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7611 {
7612 in_addr_t local, remote_netmask;
7613
7615 local = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7616 remote_netmask = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7617 if (local && remote_netmask)
7618 {
7621 options->push_ifconfig_remote_netmask = remote_netmask;
7622 if (p[3])
7623 {
7625 getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7626 }
7627 }
7628 else
7629 {
7630 msg(msglevel, "cannot parse --ifconfig-push addresses");
7631 goto err;
7632 }
7633 }
7634 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7635 {
7636 in_addr_t network, netmask;
7637
7639 network = getaddr(GETADDR_HOST_ORDER | GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7640 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7641 if (network && netmask)
7642 {
7646 }
7647 else
7648 {
7649 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7650 goto err;
7651 }
7652 }
7653 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7654 {
7655 struct in6_addr local, remote;
7656 unsigned int netbits;
7657
7659
7660 if (!get_ipv6_addr(p[1], &local, &netbits, msglevel))
7661 {
7662 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7663 goto err;
7664 }
7665
7666 if (p[2])
7667 {
7668 if (!get_ipv6_addr(p[2], &remote, NULL, msglevel))
7669 {
7670 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7671 goto err;
7672 }
7673 }
7674 else
7675 {
7677 || !get_ipv6_addr(options->ifconfig_ipv6_local, &remote, NULL, msglevel))
7678 {
7679 msg(msglevel,
7680 "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7681 goto err;
7682 }
7683 }
7684
7690 }
7691 else if (streq(p[0], "disable") && !p[1])
7692 {
7694 options->disable = true;
7695 }
7696 else if (streq(p[0], "override-username") && p[1] && !p[2])
7697 {
7699 if (strlen(p[1]) > USER_PASS_LEN)
7700 {
7701 msg(msglevel,
7702 "override-username exceeds the maximum length of %d "
7703 "characters",
7705
7706 /* disable the connection since ignoring the request to
7707 * set another username might cause serious problems */
7708 options->disable = true;
7709 }
7710 else
7711 {
7712 options->override_username = p[1];
7713 }
7714 }
7715 else if (streq(p[0], "tcp-nodelay") && !p[1])
7716 {
7719 }
7720 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7721 {
7722 int ageing_time, check_interval;
7723
7725 if (!atoi_constrained(p[1], &ageing_time, "stale-routes-check age", 1, INT_MAX, msglevel))
7726 {
7727 goto err;
7728 }
7729
7730 if (p[2])
7731 {
7732 if (!atoi_constrained(p[2], &check_interval,
7733 "stale-routes-check interval", 1, INT_MAX, msglevel))
7734 {
7735 goto err;
7736 }
7737 }
7738 else
7739 {
7740 check_interval = ageing_time;
7741 }
7742
7743 options->stale_routes_ageing_time = ageing_time;
7744 options->stale_routes_check_interval = check_interval;
7745 }
7746
7747 else if (streq(p[0], "client") && !p[1])
7748 {
7750 options->client = true;
7751 }
7752 else if (streq(p[0], "pull") && !p[1])
7753 {
7755 options->pull = true;
7756 }
7757 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
7758 {
7760 atoi_constrained(p[1], &options->push_continuation, p[0], 0, 2, msglevel);
7761 }
7762 else if (streq(p[0], "auth-user-pass") && !p[2])
7763 {
7766 if (p[1] && streq(p[1], "username-only"))
7767 {
7769 options->auth_user_pass_file = "stdin";
7770 }
7771 else if (p[1])
7772 {
7775 }
7776 else
7777 {
7778 options->auth_user_pass_file = "stdin";
7779 }
7780 }
7781 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
7782 {
7784 auth_retry_set(msglevel, p[1]);
7785 }
7786#ifdef ENABLE_MANAGEMENT
7787 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[4])
7788 {
7791 if (atoi_warn(p[2], msglevel))
7792 {
7794 }
7795 if (p[3] && streq(p[3], "concat"))
7796 {
7798 }
7799 else if (p[3] && !streq(p[3], "scrv1"))
7800 {
7801 msg(msglevel, "--static-challenge: unknown format indicator '%s'", p[3]);
7802 goto err;
7803 }
7804 }
7805#endif
7806 else if (streq(p[0], "msg-channel") && p[1])
7807 {
7808#ifdef _WIN32
7810 HANDLE process = GetCurrentProcess();
7811 HANDLE handle = (HANDLE)((intptr_t)atoll(p[1]));
7812 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0, FALSE,
7813 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
7814 {
7815 msg(msglevel, "could not duplicate service pipe handle");
7816 goto err;
7817 }
7819#else /* ifdef _WIN32 */
7820 msg(msglevel, "--msg-channel is only supported on Windows");
7821 goto err;
7822#endif
7823 }
7824#ifdef _WIN32
7825 else if (streq(p[0], "win-sys") && p[1] && !p[2])
7826 {
7828 if (streq(p[1], "env"))
7829 {
7830 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
7831 "This entry will now be ignored. "
7832 "Please remove this entry from your configuration file.");
7833 }
7834 else
7835 {
7836 set_win_sys_path(p[1], es);
7837 }
7838 }
7839 else if (streq(p[0], "route-method") && p[1] && !p[2])
7840 {
7842 if (streq(p[1], "adaptive"))
7843 {
7845 }
7846 else if (streq(p[1], "ipapi"))
7847 {
7849 }
7850 else if (streq(p[1], "exe"))
7851 {
7853 }
7854 else
7855 {
7856 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
7857 goto err;
7858 }
7859 }
7860 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
7861 {
7862 const int index = ascii2ipset(p[1]);
7863 struct tuntap_options *to = &options->tuntap_options;
7864
7866
7867 if (index < 0)
7868 {
7869 msg(msglevel, "Bad --ip-win32 method: '%s'. Allowed methods: %s", p[1],
7871 goto err;
7872 }
7873
7874 if (index == IPW32_SET_ADAPTIVE)
7875 {
7877 }
7878
7879 if (index == IPW32_SET_DHCP_MASQ)
7880 {
7881 if (p[2])
7882 {
7883 if (!streq(p[2], "default"))
7884 {
7885 int offset;
7886
7887 if (!atoi_constrained(p[2], &offset, "ip-win32 offset", -256, 256, msglevel))
7888 {
7889 goto err;
7890 }
7891 to->dhcp_masq_custom_offset = true;
7892 to->dhcp_masq_offset = offset;
7893 }
7894
7895 if (p[3])
7896 {
7897 if (!atoi_constrained(p[3], &to->dhcp_lease_time,
7898 "ip-win32 lease time", 30, INT_MAX, msglevel))
7899 {
7900 goto err;
7901 }
7902 }
7903 }
7904 }
7905 to->ip_win32_type = index;
7906 to->ip_win32_defined = true;
7907 }
7908#endif /* ifdef _WIN32 */
7909 else if (streq(p[0], "dns-updown") && p[1])
7910 {
7912 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7913 {
7914 goto err;
7915 }
7916 struct dns_options *dns = &options->dns_options;
7917 if (streq(p[1], "disable"))
7918 {
7919 dns->updown = NULL;
7921 }
7922 else if (streq(p[1], "force"))
7923 {
7924 /* force dns-updown run, even if a --up script is defined */
7925 if (!dns_updown_user_set(dns))
7926 {
7927 dns->updown = DEFAULT_DNS_UPDOWN;
7929 }
7930 }
7931 else
7932 {
7933 if (dns->updown && streq(dns->updown, DEFAULT_DNS_UPDOWN))
7934 {
7935 /* Unset the default command to prevent warnings */
7936 dns->updown = NULL;
7937 }
7938 set_user_script(options, &dns->updown, p[1], p[0], false);
7940 }
7941 }
7942 else if (streq(p[0], "dns") && p[1])
7943 {
7945 if (!check_dns_option(options, p, msglevel, pull_mode))
7946 {
7947 goto err;
7948 }
7949 }
7950 else if (streq(p[0], "dhcp-option") && p[1])
7951 {
7953#if defined(_WIN32) || defined(TARGET_ANDROID)
7955#endif
7957
7958 bool dhcp_optional = false;
7959
7960 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX")) && p[2] && !p[3])
7961 {
7962 if (!validate_domain(p[2]))
7963 {
7964 msg(msglevel, "--dhcp-option %s contains invalid characters", p[1]);
7965 goto err;
7966 }
7967
7968 dhcp->domain = p[2];
7969 dhcp_optional = true;
7970 }
7971 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
7972 {
7973 if (!validate_domain(p[2]))
7974 {
7975 msg(msglevel, "--dhcp-option %s contains invalid characters", p[1]);
7976 goto err;
7977 }
7978
7979 if (dhcp->domain_search_list_len < N_SEARCH_LIST_LEN)
7980 {
7981 dhcp->domain_search_list[dhcp->domain_search_list_len++] = p[2];
7982 }
7983 else
7984 {
7985 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
7986 p[1], N_SEARCH_LIST_LEN);
7987 }
7988 dhcp_optional = true;
7989 }
7990 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
7991 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
7992 {
7993 if (strstr(p[2], ":"))
7994 {
7995 dhcp_option_dns6_parse(p[2], dhcp->dns6, &dhcp->dns6_len, msglevel);
7996 }
7997 else
7998 {
7999 dhcp_option_address_parse("DNS", p[2], dhcp->dns, &dhcp->dns_len, msglevel);
8000 dhcp_optional = true;
8001 }
8002 }
8003#if defined(_WIN32) || defined(TARGET_ANDROID)
8004 else if (streq(p[1], "NBS") && p[2] && !p[3])
8005 {
8006 o->netbios_scope = p[2];
8008 }
8009 else if (streq(p[1], "NBT") && p[2] && !p[3])
8010 {
8011 int t = atoi_warn(p[2], msglevel);
8012 if (!(t == 1 || t == 2 || t == 4 || t == 8))
8013 {
8014 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8015 goto err;
8016 }
8017 o->netbios_node_type = (uint8_t)t;
8019 }
8020 else if (streq(p[1], "WINS") && p[2] && !p[3])
8021 {
8022 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
8024 }
8025 else if (streq(p[1], "NTP") && p[2] && !p[3])
8026 {
8027 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
8029 }
8030 else if (streq(p[1], "NBDD") && p[2] && !p[3])
8031 {
8032 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
8034 }
8035 else if (streq(p[1], "DISABLE-NBT") && !p[2])
8036 {
8037 o->disable_nbt = 1;
8039 }
8040#if defined(TARGET_ANDROID)
8041 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
8042 {
8043 o->http_proxy_port = positive_atoi(p[3], msglevel);
8044 o->http_proxy = p[2];
8045 }
8046#endif
8047 else
8048 {
8049 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter",
8050 p[1]);
8051 goto err;
8052 }
8053#else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8054 setenv_foreign_option(options, p[1], p[2], es);
8055#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8056
8057 if (dhcp_optional)
8058 {
8059#if defined(_WIN32) || defined(TARGET_ANDROID)
8061#endif
8062 }
8063 }
8064#ifdef _WIN32
8065 else if (streq(p[0], "show-adapters") && !p[1])
8066 {
8069 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8070 }
8071 else if (streq(p[0], "show-net") && !p[1])
8072 {
8076 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8077 }
8078 else if (streq(p[0], "show-net-up") && !p[1])
8079 {
8081 options->show_net_up = true;
8082 }
8083 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
8084 {
8086 if (!atoi_constrained(p[1], &options->tuntap_options.tap_sleep, p[0], 0, 255, msglevel))
8087 {
8088 goto err;
8089 }
8090 }
8091 else if (streq(p[0], "dhcp-renew") && !p[1])
8092 {
8095 }
8096 else if (streq(p[0], "dhcp-pre-release") && !p[1])
8097 {
8101 }
8102 else if (streq(p[0], "dhcp-release") && !p[1])
8103 {
8104 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
8105 }
8106 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
8107 {
8108 unsigned int adapter_index;
8111 adapter_index = atou(p[1]);
8114 {
8115 dhcp_release_by_adapter_index(adapter_index);
8116 }
8118 {
8119 dhcp_renew_by_adapter_index(adapter_index);
8120 }
8121 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8122 }
8123 else if (streq(p[0], "register-dns") && !p[1])
8124 {
8127 }
8128 else if (streq(p[0], "block-outside-dns") && !p[1])
8129 {
8131 options->block_outside_dns = true;
8132 }
8133 else if (streq(p[0], "rdns-internal") && !p[1])
8134 /* standalone method for internal use
8135 *
8136 * (if --register-dns is set, openvpn needs to call itself in a
8137 * sub-process to execute the required functions in a non-blocking
8138 * way, and uses --rdns-internal to signal that to itself)
8139 */
8140 {
8144 {
8146 }
8147 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8148 }
8149 else if (streq(p[0], "show-valid-subnets") && !p[1])
8150 {
8153 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8154 }
8155 else if (streq(p[0], "pause-exit") && !p[1])
8156 {
8159 }
8160 else if (streq(p[0], "service") && p[1] && !p[3])
8161 {
8163 options->exit_event_name = p[1];
8164 if (p[2])
8165 {
8166 options->exit_event_initial_state = (atoi_warn(p[2], msglevel) != 0);
8167 }
8168 }
8169 else if (streq(p[0], "allow-nonadmin") && !p[2])
8170 {
8173 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8174 }
8175 else if (streq(p[0], "user") && p[1] && !p[2])
8176 {
8178 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
8179 }
8180 else if (streq(p[0], "group") && p[1] && !p[2])
8181 {
8183 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
8184 }
8185#else /* ifdef _WIN32 */
8186 else if (streq(p[0], "user") && p[1] && !p[2])
8187 {
8189 options->username = p[1];
8190 }
8191 else if (streq(p[0], "group") && p[1] && !p[2])
8192 {
8194 options->groupname = p[1];
8195 }
8196 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
8197 {
8199 setenv_foreign_option(options, p[1], p[2], es);
8200 }
8201 else if (streq(p[0], "route-method") && p[1] && !p[2])
8202 {
8204 /* ignore when pushed to non-Windows OS */
8205 }
8206#endif /* ifdef _WIN32 */
8207#if PASSTOS_CAPABILITY
8208 else if (streq(p[0], "passtos") && !p[1])
8209 {
8211 options->passtos = true;
8212 }
8213#endif
8214 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
8215 {
8217
8218 if (streq(p[1], "no"))
8219 {
8222 {
8223 msg(msglevel, "'--allow-compression no' conflicts with "
8224 " enabling compression");
8225 }
8226 }
8228 {
8229 /* Also printed on a push to hint at configuration problems */
8230 msg(msglevel,
8231 "Cannot set allow-compression to '%s' "
8232 "after set to 'no'",
8233 p[1]);
8234 goto err;
8235 }
8236 else if (streq(p[1], "asym"))
8237 {
8239 }
8240 else if (streq(p[1], "yes"))
8241 {
8242 msg(M_WARN,
8243 "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. "
8244 "We will use \"asym\" mode instead. See the manual page for more information.");
8245
8247 }
8248 else
8249 {
8250 msg(msglevel,
8251 "bad allow-compression option: %s -- "
8252 "must be 'yes', 'no', or 'asym'",
8253 p[1]);
8254 goto err;
8255 }
8256 }
8257 else if (streq(p[0], "comp-lzo") && !p[2])
8258 {
8260
8261 /* All lzo variants do not use swap */
8262 options->comp.flags &= ~COMP_F_SWAP;
8264
8265 if (p[1])
8266 {
8267 if (streq(p[1], "no"))
8268 {
8270 }
8271 /* There is no actual difference anymore between these variants.
8272 * We never compress. On the server side we replace this with
8273 * --compress migrate later anyway.
8274 */
8275 else if (!(streq(p[1], "yes") || streq(p[1], "adaptive")))
8276 {
8277 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'",
8278 p[1]);
8279 goto err;
8280 }
8281 }
8283 }
8284 else if (streq(p[0], "comp-noadapt") && !p[1])
8285 {
8286 /* NO-OP since we never compress anymore */
8287 }
8288 else if (streq(p[0], "compress") && !p[2])
8289 {
8291 const char *alg = "stub";
8292 if (p[1])
8293 {
8294 alg = p[1];
8295 }
8296
8297 if (streq(alg, "stub"))
8298 {
8301 }
8302 else if (streq(alg, "stub-v2"))
8303 {
8306 }
8307 else if (streq(alg, "migrate"))
8308 {
8311 }
8312 else if (streq(alg, "lzo"))
8313 {
8315 options->comp.flags &= ~COMP_F_SWAP;
8316 }
8317 else if (streq(alg, "lz4"))
8318 {
8321 }
8322 else if (streq(alg, "lz4-v2"))
8323 {
8325 }
8326 else
8327 {
8328 msg(msglevel, "bad comp option: %s", alg);
8329 goto err;
8330 }
8331
8333 }
8334 else if (streq(p[0], "show-ciphers") && !p[1])
8335 {
8337 options->show_ciphers = true;
8338 }
8339 else if (streq(p[0], "show-digests") && !p[1])
8340 {
8342 options->show_digests = true;
8343 }
8344 else if (streq(p[0], "show-engines") && !p[1])
8345 {
8347 options->show_engines = true;
8348 }
8349 else if (streq(p[0], "key-direction") && p[1] && !p[2])
8350 {
8351 int key_direction;
8352
8354
8355 key_direction = ascii2keydirection(msglevel, p[1]);
8356 if (key_direction >= 0)
8357 {
8358 if (permission_mask & OPT_P_GENERAL)
8359 {
8360 options->key_direction = key_direction;
8361 }
8362 else if (permission_mask & OPT_P_CONNECTION)
8363 {
8364 options->ce.key_direction = key_direction;
8365 }
8366 }
8367 else
8368 {
8369 goto err;
8370 }
8371 }
8372 else if (streq(p[0], "secret") && p[1] && !p[3])
8373 {
8374 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
8378 if (!is_inline && p[2])
8379 {
8380 int key_direction;
8381
8382 key_direction = ascii2keydirection(msglevel, p[2]);
8383 if (key_direction >= 0)
8384 {
8385 options->key_direction = key_direction;
8386 }
8387 else
8388 {
8389 goto err;
8390 }
8391 }
8392 }
8393 else if (streq(p[0], "allow-deprecated-insecure-static-crypto"))
8394 {
8397 }
8398 else if (streq(p[0], "genkey") && !p[4])
8399 {
8401 options->genkey = true;
8402 if (!p[1])
8403 {
8405 }
8406 else
8407 {
8408 if (streq(p[1], "secret") || streq(p[1], "tls-auth") || streq(p[1], "tls-crypt"))
8409 {
8411 }
8412 else if (streq(p[1], "tls-crypt-v2-server"))
8413 {
8415 }
8416 else if (streq(p[1], "tls-crypt-v2-client"))
8417 {
8419 if (p[3])
8420 {
8421 options->genkey_extra_data = p[3];
8422 }
8423 }
8424 else if (streq(p[1], "auth-token"))
8425 {
8427 }
8428 else
8429 {
8430 msg(msglevel, "unknown --genkey type: %s", p[1]);
8431 }
8432 }
8433 if (p[2])
8434 {
8435 options->genkey_filename = p[2];
8436 }
8437 }
8438 else if (streq(p[0], "auth") && p[1] && !p[2])
8439 {
8441 options->authname = p[1];
8442 }
8443 else if (streq(p[0], "cipher") && p[1] && !p[2])
8444 {
8446 options->ciphername = p[1];
8447 }
8448 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
8449 {
8451 options->ciphername = p[1];
8453 }
8454 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) && p[1] && !p[2])
8455 {
8457 if (streq(p[0], "ncp-ciphers"))
8458 {
8459 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
8460 " '--data-ciphers' (renamed in OpenVPN 2.5).");
8461 }
8462 options->ncp_ciphers = p[1];
8463 }
8464 else if (streq(p[0], "key-derivation") && p[1])
8465 {
8466 /* NCP only option that is pushed by the server to enable EKM,
8467 * should not be used by normal users in config files*/
8469 if (streq(p[1], "tls-ekm"))
8470 {
8472 }
8473 else
8474 {
8475 msg(msglevel, "Unknown key-derivation method %s", p[1]);
8476 }
8477 }
8478 else if (streq(p[0], "protocol-flags") && p[1])
8479 {
8480 /* NCP only option that is pushed by the server to enable protocol
8481 * features that are negotiated, should not be used by normal users
8482 * in config files */
8484 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8485 {
8486 if (streq(p[j], "cc-exit"))
8487 {
8489 }
8490 else if (streq(p[j], "tls-ekm"))
8491 {
8493 }
8494 else if (streq(p[j], "dyn-tls-crypt"))
8495 {
8497 }
8498 else if (streq(p[j], "aead-epoch"))
8499 {
8501 }
8502 else
8503 {
8504 msg(msglevel, "Unknown protocol-flags flag: %s", p[j]);
8505 }
8506 }
8507 }
8508 else if (streq(p[0], "force-tls-key-material-export"))
8509 {
8512 }
8513 else if (streq(p[0], "prng") && p[1] && !p[3])
8514 {
8515 msg(M_WARN, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8516 }
8517 else if (streq(p[0], "no-replay") && !p[1])
8518 {
8520 /* always error out, this breaks the connection */
8521 msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. "
8522 "Update your configuration.");
8523 }
8524 else if (streq(p[0], "replay-window") && !p[3])
8525 {
8527 if (p[1])
8528 {
8529 if (!atoi_constrained(p[1], &options->replay_window, "replay-window windows size",
8531 {
8532 goto err;
8533 }
8534
8535 if (p[2])
8536 {
8537 if (!atoi_constrained(p[2], &options->replay_time, "replay-window time window",
8539 {
8540 goto err;
8541 }
8542 }
8543 }
8544 else
8545 {
8546 msg(msglevel, "replay-window option is missing window size parameter");
8547 goto err;
8548 }
8549 }
8550 else if (streq(p[0], "mute-replay-warnings") && !p[1])
8551 {
8554 }
8555 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8556 {
8558 options->packet_id_file = p[1];
8559 }
8560 else if (streq(p[0], "test-crypto") && !p[1])
8561 {
8563 options->test_crypto = true;
8564 }
8565#ifndef ENABLE_CRYPTO_MBEDTLS
8566 else if (streq(p[0], "engine") && !p[2])
8567 {
8569 if (p[1])
8570 {
8571 options->engine = p[1];
8572 }
8573 else
8574 {
8575 options->engine = "auto";
8576 }
8577 }
8578#endif /* ENABLE_CRYPTO_MBEDTLS */
8579 else if (streq(p[0], "providers") && p[1])
8580 {
8581 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
8582 {
8583 options->providers.names[j] = p[j];
8584 }
8585 }
8586 else if (streq(p[0], "show-tls") && !p[1])
8587 {
8589 options->show_tls_ciphers = true;
8590 }
8591 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8592 {
8594 options->show_curves = true;
8595 }
8596 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8597 {
8599 msg(M_WARN, "Consider setting groups/curves preference with "
8600 "tls-groups instead of forcing a specific curve with "
8601 "ecdh-curve.");
8602 options->ecdh_curve = p[1];
8603 }
8604 else if (streq(p[0], "tls-server") && !p[1])
8605 {
8607 options->tls_server = true;
8608 }
8609 else if (streq(p[0], "tls-client") && !p[1])
8610 {
8612 options->tls_client = true;
8613 }
8614 else if (streq(p[0], "ca") && p[1] && !p[2])
8615 {
8617 options->ca_file = p[1];
8618 options->ca_file_inline = is_inline;
8619 }
8620#ifndef ENABLE_CRYPTO_MBEDTLS
8621 else if (streq(p[0], "capath") && p[1] && !p[2])
8622 {
8624 options->ca_path = p[1];
8625 }
8626#endif /* ENABLE_CRYPTO_MBEDTLS */
8627 else if (streq(p[0], "dh") && p[1] && !p[2])
8628 {
8630 options->dh_file = p[1];
8631 options->dh_file_inline = is_inline;
8632 }
8633 else if (streq(p[0], "cert") && p[1] && !p[2])
8634 {
8636 options->cert_file = p[1];
8637 options->cert_file_inline = is_inline;
8638 }
8639 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8640 {
8642 options->extra_certs_file = p[1];
8643 options->extra_certs_file_inline = is_inline;
8644 }
8645 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8646 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8647 {
8649
8650 int verify_hash_depth = 0;
8651 if (streq(p[0], "verify-hash"))
8652 {
8653 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8654 "You should switch to the either use the level 1 certificate as "
8655 "--ca option, use --tls-verify or use --peer-fingerprint");
8656 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8657 verify_hash_depth = 1;
8658 }
8659
8661
8662 int digest_len = SHA256_DIGEST_LENGTH;
8663
8664 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
8665 {
8666 msg(msglevel,
8667 "ERROR: Setting %s not allowed. --verify-hash and"
8668 " --peer-fingerprint are mutually exclusive",
8669 p[0]);
8670 goto err;
8671 }
8672
8673 if (streq(p[0], "verify-hash"))
8674 {
8675 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
8676 {
8678 digest_len = SHA_DIGEST_LENGTH;
8679 }
8680 else if (p[2] && !streq(p[2], "SHA256"))
8681 {
8682 msg(msglevel,
8683 "invalid or unsupported hashing algorithm: %s "
8684 "(only SHA1 and SHA256 are supported)",
8685 p[2]);
8686 goto err;
8687 }
8688 }
8689
8690 struct verify_hash_list *newlist;
8691 newlist = parse_hash_fingerprint_multiline(p[1], digest_len, msglevel, &options->gc);
8692
8693 /* Append the new list to the end of our current list */
8694 if (!options->verify_hash)
8695 {
8696 options->verify_hash = newlist;
8697 options->verify_hash_depth = verify_hash_depth;
8698 }
8699 else
8700 {
8701 /* since both the old and new list can have multiple entries
8702 * we need to go to the end of one of them to concatenate them */
8703 struct verify_hash_list *listend = options->verify_hash;
8704 while (listend->next)
8705 {
8706 listend = listend->next;
8707 }
8708 listend->next = newlist;
8709 }
8710 }
8711#if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
8712 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
8713 {
8715 options->cryptoapi_cert = p[1];
8716 }
8717#endif
8718 else if (streq(p[0], "key") && p[1] && !p[2])
8719 {
8721 options->priv_key_file = p[1];
8722 options->priv_key_file_inline = is_inline;
8723 }
8724 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
8725 {
8727 int ver = tls_version_parse(p[1], p[2]);
8728 if (ver == TLS_VER_BAD)
8729 {
8730 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
8731 goto err;
8732 }
8733
8734#ifdef ENABLE_CRYPTO_MBEDTLS
8735 if (ver < TLS_VER_1_2)
8736 {
8737 msg(M_WARN, "--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
8738 ver = TLS_VER_1_2;
8739 }
8740#endif
8741
8743 options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MIN_SHIFT);
8744 }
8745 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
8746 {
8748 int ver = tls_version_parse(p[1], NULL);
8749 if (ver == TLS_VER_BAD)
8750 {
8751 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
8752 goto err;
8753 }
8755 options->ssl_flags |= ((unsigned int)ver << SSLF_TLS_VERSION_MAX_SHIFT);
8756 }
8757#ifndef ENABLE_CRYPTO_MBEDTLS
8758 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
8759 {
8761 options->pkcs12_file = p[1];
8762 options->pkcs12_file_inline = is_inline;
8763 }
8764#endif /* ENABLE_CRYPTO_MBEDTLS */
8765 else if (streq(p[0], "askpass") && !p[2])
8766 {
8768 if (p[1])
8769 {
8770 options->key_pass_file = p[1];
8771 }
8772 else
8773 {
8774 options->key_pass_file = "stdin";
8775 }
8776 }
8777 else if (streq(p[0], "auth-nocache") && !p[1])
8778 {
8781 }
8782 else if (streq(p[0], "auth-token") && p[1] && !p[2])
8783 {
8785 ssl_set_auth_token(p[1]);
8786#ifdef ENABLE_MANAGEMENT
8787 if (management)
8788 {
8790 }
8791#endif
8792 }
8793 else if (streq(p[0], "auth-token-user") && p[1] && !p[2])
8794 {
8797 }
8798 else if (streq(p[0], "single-session") && !p[1])
8799 {
8801 options->single_session = true;
8802 }
8803 else if (streq(p[0], "push-peer-info") && !p[1])
8804 {
8806 options->push_peer_info = true;
8807 }
8808 else if (streq(p[0], "tls-exit") && !p[1])
8809 {
8811 options->tls_exit = true;
8812 }
8813 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
8814 {
8816 options->cipher_list = p[1];
8817 }
8818 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
8819 {
8821 options->tls_cert_profile = p[1];
8822 }
8823 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
8824 {
8826 options->cipher_list_tls13 = p[1];
8827 }
8828 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
8829 {
8831 options->tls_groups = p[1];
8832 }
8833 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2]))
8834 {
8836 if (p[2] && streq(p[2], "dir"))
8837 {
8839 }
8840 options->crl_file = p[1];
8841 options->crl_file_inline = is_inline;
8842 }
8843 else if (streq(p[0], "tls-verify") && p[1])
8844 {
8846 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8847 {
8848 goto err;
8849 }
8851 string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true);
8852 }
8853 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
8854 {
8857 }
8858 else if (streq(p[0], "compat-names"))
8859 {
8861 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
8862 "Update your configuration.");
8863 goto err;
8864 }
8865 else if (streq(p[0], "no-name-remapping") && !p[1])
8866 {
8868 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
8869 "Update your configuration.");
8870 goto err;
8871 }
8872 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
8873 {
8874 int type = VERIFY_X509_SUBJECT_DN;
8876 if (p[2])
8877 {
8878 if (streq(p[2], "subject"))
8879 {
8881 }
8882 else if (streq(p[2], "name"))
8883 {
8885 }
8886 else if (streq(p[2], "name-prefix"))
8887 {
8889 }
8890 else
8891 {
8892 msg(msglevel, "unknown X.509 name type: %s", p[2]);
8893 goto err;
8894 }
8895 }
8896 options->verify_x509_type = type;
8897 options->verify_x509_name = p[1];
8898 }
8899 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
8900 {
8901#ifdef ENABLE_CRYPTO_MBEDTLS
8902 msg(msglevel, "--ns-cert-type is not available with mbedtls.");
8903 goto err;
8904#else
8906 if (streq(p[1], "server"))
8907 {
8909 }
8910 else if (streq(p[1], "client"))
8911 {
8913 }
8914 else
8915 {
8916 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
8917 goto err;
8918 }
8919#endif /* ENABLE_CRYPTO_MBEDTLS */
8920 }
8921 else if (streq(p[0], "remote-cert-ku"))
8922 {
8924
8925 size_t j;
8926 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
8927 {
8928 sscanf(p[j], "%x", &(options->remote_cert_ku[j - 1]));
8929 }
8930 if (j == 1)
8931 {
8932 /* No specific KU required, but require KU to be present */
8934 }
8935 }
8936 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
8937 {
8939 options->remote_cert_eku = p[1];
8940 }
8941 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
8942 {
8944
8945 if (streq(p[1], "server"))
8946 {
8948 options->remote_cert_eku = "TLS Web Server Authentication";
8949 }
8950 else if (streq(p[1], "client"))
8951 {
8953 options->remote_cert_eku = "TLS Web Client Authentication";
8954 }
8955 else
8956 {
8957 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
8958 goto err;
8959 }
8960 }
8961 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
8962 {
8964 options->tls_timeout = positive_atoi(p[1], msglevel);
8965 }
8966 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
8967 {
8969 if (!positive_atoll(p[1], &options->renegotiate_bytes, p[0], msglevel))
8970 {
8971 goto err;
8972 }
8973 }
8974 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
8975 {
8977 if (!positive_atoll(p[1], &options->renegotiate_packets, p[0], msglevel))
8978 {
8979 goto err;
8980 }
8981 }
8982 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
8983 {
8985 options->renegotiate_seconds = positive_atoi(p[1], msglevel);
8986 if (p[2])
8987 {
8989 }
8990 }
8991 else if (streq(p[0], "hand-window") && p[1] && !p[2])
8992 {
8994 options->handshake_window = positive_atoi(p[1], msglevel);
8995 }
8996 else if (streq(p[0], "tran-window") && p[1] && !p[2])
8997 {
8999 options->transition_window = positive_atoi(p[1], msglevel);
9000 }
9001 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
9002 {
9003 int key_direction = -1;
9004
9006
9007 if (permission_mask & OPT_P_GENERAL)
9008 {
9009 options->tls_auth_file = p[1];
9010 options->tls_auth_file_inline = is_inline;
9011
9012 if (!is_inline && p[2])
9013 {
9014 key_direction = ascii2keydirection(msglevel, p[2]);
9015 if (key_direction < 0)
9016 {
9017 goto err;
9018 }
9019 options->key_direction = key_direction;
9020 }
9021 }
9022 else if (permission_mask & OPT_P_CONNECTION)
9023 {
9024 options->ce.tls_auth_file = p[1];
9025 options->ce.tls_auth_file_inline = is_inline;
9027
9028 if (!is_inline && p[2])
9029 {
9030 key_direction = ascii2keydirection(msglevel, p[2]);
9031 if (key_direction < 0)
9032 {
9033 goto err;
9034 }
9035 options->ce.key_direction = key_direction;
9036 }
9037 }
9038 }
9039 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
9040 {
9042 if (permission_mask & OPT_P_GENERAL)
9043 {
9044 options->tls_crypt_file = p[1];
9045 options->tls_crypt_file_inline = is_inline;
9046 }
9047 else if (permission_mask & OPT_P_CONNECTION)
9048 {
9049 options->ce.tls_crypt_file = p[1];
9050 options->ce.tls_crypt_file_inline = is_inline;
9051 }
9052 }
9053 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
9054 {
9056 if (permission_mask & OPT_P_GENERAL)
9057 {
9058 options->tls_crypt_v2_file = p[1];
9059 options->tls_crypt_v2_file_inline = is_inline;
9060 }
9061 else if (permission_mask & OPT_P_CONNECTION)
9062 {
9064 options->ce.tls_crypt_v2_file_inline = is_inline;
9065 }
9066
9067 if (p[2] && streq(p[2], "force-cookie"))
9068 {
9070 }
9071 else if (p[2] && streq(p[2], "allow-noncookie"))
9072 {
9074 }
9075 else if (p[2])
9076 {
9077 msg(msglevel, "Unsupported tls-crypt-v2 argument: %s", p[2]);
9078 }
9079 }
9080 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
9081 {
9084 }
9085 else if (streq(p[0], "tls-crypt-v2-max-age") && p[1])
9086 {
9088 if (!atoi_constrained(p[1], &options->tls_crypt_v2_max_age, "tls-crypt-v2-max-age", 1, INT_MAX, msglevel))
9089 {
9090 goto err;
9091 }
9092 }
9093 else if (streq(p[0], "x509-track") && p[1] && !p[2])
9094 {
9096 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
9097 }
9098 else if (streq(p[0], "x509-username-field") && p[1])
9099 {
9101 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9102 {
9103 char *s = p[j];
9104
9105 if (strncmp("ext:", s, 4) == 0 && !x509_username_field_ext_supported(s + 4))
9106 {
9107 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
9108 }
9109 options->x509_username_field[j - 1] = p[j];
9110 }
9111 }
9112#ifdef ENABLE_PKCS11
9113 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
9114 {
9115 char *provider = p[1];
9116 bool cert_private = (p[2] == NULL ? false : (atoi_warn(p[2], msglevel) != 0));
9117
9118#ifdef DEFAULT_PKCS11_MODULE
9119 if (!provider)
9120 {
9121 provider = DEFAULT_PKCS11_MODULE;
9122 }
9123 else if (!p[2])
9124 {
9125 char *endp = NULL;
9126 long i = strtol(provider, &endp, 10);
9127
9128 if (*endp == 0)
9129 {
9130 /* There was one argument, and it was purely numeric.
9131 * Interpret it as the cert_private argument */
9132 provider = DEFAULT_PKCS11_MODULE;
9133 cert_private = i;
9134 }
9135 }
9136#else /* ifdef DEFAULT_PKCS11_MODULE */
9137 if (!provider)
9138 {
9139 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
9140 goto err;
9141 }
9142#endif /* ifdef DEFAULT_PKCS11_MODULE */
9144
9146 show_pkcs11_ids(provider, cert_private);
9147 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
9148 }
9149 else if (streq(p[0], "pkcs11-providers") && p[1])
9150 {
9151 int j;
9152
9154
9155 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9156 {
9157 options->pkcs11_providers[j - 1] = p[j];
9158 }
9159 }
9160 else if (streq(p[0], "pkcs11-protected-authentication"))
9161 {
9162 int j;
9163
9165
9166 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9167 {
9168 options->pkcs11_protected_authentication[j - 1] =
9169 atoi_warn(p[j], msglevel) != 0 ? 1 : 0;
9170 }
9171 }
9172 else if (streq(p[0], "pkcs11-private-mode") && p[1])
9173 {
9174 int j;
9175
9177
9178 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9179 {
9180 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j - 1]));
9181 }
9182 }
9183 else if (streq(p[0], "pkcs11-cert-private"))
9184 {
9185 int j;
9186
9188
9189 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
9190 {
9191 options->pkcs11_cert_private[j - 1] = (bool)(atoi_warn(p[j], msglevel));
9192 }
9193 }
9194 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
9195 {
9197 options->pkcs11_pin_cache_period = positive_atoi(p[1], msglevel);
9198 }
9199 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
9200 {
9202 options->pkcs11_id = p[1];
9203 }
9204 else if (streq(p[0], "pkcs11-id-management") && !p[1])
9205 {
9207 options->pkcs11_id_management = true;
9208 }
9209#endif /* ifdef ENABLE_PKCS11 */
9210 else if (streq(p[0], "rmtun") && !p[1])
9211 {
9213 options->persist_config = true;
9214 options->persist_mode = 0;
9215 }
9216 else if (streq(p[0], "mktun") && !p[1])
9217 {
9219 options->persist_config = true;
9220 options->persist_mode = 1;
9221 }
9222 else if (streq(p[0], "peer-id") && p[1] && !p[2])
9223 {
9225 options->use_peer_id = true;
9226 options->peer_id = atoi_warn(p[1], msglevel);
9227 }
9228 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
9229 {
9231
9232 if (strncmp(p[1], "EXPORTER", 8))
9233 {
9234 msg(msglevel, "Keying material exporter label must begin with "
9235 "\"EXPORTER\"");
9236 goto err;
9237 }
9238 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
9239 {
9240 msg(msglevel,
9241 "Keying material exporter label must not be '" EXPORT_KEY_DATA_LABEL "'.");
9242 }
9243
9245 p[0], 16, 4095, msglevel))
9246 {
9247 goto err;
9248 }
9249
9251 }
9252 else if (streq(p[0], "allow-recursive-routing") && !p[1])
9253 {
9256 }
9257 else if (streq(p[0], "vlan-tagging") && !p[1])
9258 {
9260 options->vlan_tagging = true;
9261 }
9262 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
9263 {
9265 if (streq(p[1], "tagged"))
9266 {
9268 }
9269 else if (streq(p[1], "untagged"))
9270 {
9272 }
9273 else if (streq(p[1], "all"))
9274 {
9276 }
9277 else
9278 {
9279 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9280 goto err;
9281 }
9282 }
9283 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
9284 {
9285 int vlan_pvid;
9287 if (!atoi_constrained(p[1], &vlan_pvid, p[0],
9289 {
9290 goto err;
9291 }
9292 options->vlan_pvid = (uint16_t)vlan_pvid;
9293 }
9294 else
9295 {
9296 int i;
9297 msglvl_t msglevel_unknown = msglevel_fc;
9298 /* Check if an option is in --ignore-unknown-option and
9299 * set warning level to non fatal */
9301 {
9302 if (streq(p[0], options->ignore_unknown_option[i]))
9303 {
9304 msglevel_unknown = M_WARN;
9305 break;
9306 }
9307 }
9308 if (file)
9309 {
9310 msg(msglevel_unknown,
9311 "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file,
9312 line, p[0], PACKAGE_VERSION);
9313 }
9314 else
9315 {
9316 msg(msglevel_unknown, "Unrecognized option or missing or extra parameter(s): --%s (%s)",
9317 p[0], PACKAGE_VERSION);
9318 }
9319 }
9320err:
9321 gc_free(&gc);
9322}
9323
9324#if defined(__GNUC__) || defined(__clang__)
9325#pragma GCC diagnostic pop
9326#endif
9327
9328bool
9330{
9331 if (options->ce.local_list)
9332 {
9333 for (int i = 0; i < options->ce.local_list->len; i++)
9334 {
9336 {
9337 return true;
9338 }
9339 }
9340 }
9341
9342 return false;
9343}
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition argv.c:481
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
void buf_clear(struct buffer *buf)
Definition buffer.c:168
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:246
void gc_transfer(struct gc_arena *dest, struct gc_arena *src)
Definition buffer.c:465
void * gc_realloc(void *ptr, size_t size, struct gc_arena *a)
allows to realloc a pointer previously allocated by gc_malloc or gc_realloc
Definition buffer.c:375
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:341
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
char * format_hex_ex(const uint8_t *data, size_t size, size_t maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:488
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
int string_array_len(const char **array)
Definition buffer.c:707
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
Definition buffer.c:1378
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
Definition buffer.c:829
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:653
struct buffer string_alloc_buf(const char *str, struct gc_arena *gc)
Definition buffer.c:756
static void gc_detach(struct gc_arena *a)
Definition buffer.h:1035
#define BSTR(buf)
Definition buffer.h:129
#define BPTR(buf)
Definition buffer.h:123
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
Definition buffer.h:1099
static bool buf_valid(const struct buffer *buf)
Definition buffer.h:235
static void gc_init(struct gc_arena *a)
Definition buffer.h:1028
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1125
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1120
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:362
static void gc_free(struct gc_arena *a)
Definition buffer.h:1049
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
Definition buffer.h:970
static struct gc_arena gc_new(void)
Definition buffer.h:1041
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, msglvl_t msglevel)
Definition clinat.c:102
void print_client_nat_list(const struct client_nat_option_list *list, msglvl_t msglevel)
Definition clinat.c:50
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
Definition clinat.c:71
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
Definition clinat.c:79
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
Definition clinat.c:88
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:70
#define TLS_CHANNEL_MTU_MIN
Definition common.h:83
bool check_compression_settings_valid(struct compress_options *info, msglvl_t msglevel)
Checks if the compression settings are valid.
Definition comp.c:162
#define COMP_F_ALLOW_STUB_ONLY
Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY we still accept other compression...
Definition comp.h:45
#define COMP_F_SWAP
initial command byte is swapped with last byte in buffer to preserve payload alignment
Definition comp.h:40
#define COMP_ALG_LZ4
LZ4 algorithm.
Definition comp.h:59
#define COMP_ALGV2_LZ4
Definition comp.h:64
#define COMP_F_ALLOW_NOCOMP_ONLY
Do not allow compression framing (breaks DCO)
Definition comp.h:51
#define COMP_F_ALLOW_ASYM
Compression was explicitly set to allow asymetric compression.
Definition comp.h:49
#define COMP_ALGV2_UNCOMPRESSED
Definition comp.h:63
#define COMP_ALG_STUB
support compression command byte and framing without actual compression
Definition comp.h:56
#define COMP_ALG_LZO
LZO algorithm.
Definition comp.h:57
#define COMP_F_ADVERTISE_STUBS_ONLY
tell server that we only support compression stubs
Definition comp.h:42
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
static bool comp_non_stub_enabled(const struct compress_options *info)
Definition comp.h:81
#define COMP_ALG_UNDEF
Definition comp.h:54
int daemon(int nochdir, int noclose)
char * dirname(char *path)
char * strsep(char **stringp, const char *delim)
#define PACKAGE_NAME
Definition config.h:492
#define IPROUTE_PATH
Definition config.h:468
#define PACKAGE_VERSION
Definition config.h:504
#define CONFIGURE_DEFINES
Definition config.h:5
#define PACKAGE_STRING
Definition config.h:495
#define TARGET_ALIAS
Definition config.h:558
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:875
int ascii2keydirection(msglvl_t msglevel, const char *str)
Definition crypto.c:1632
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
Definition crypto.c:1655
bool check_tls_prf_working(void)
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS K...
Definition crypto.c:1916
void test_crypto(struct crypto_options *co, struct frame *frame)
Definition crypto.c:1199
Data Channel Cryptography Module.
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:359
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:375
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:379
#define KEY_DIRECTION_BIDIRECTIONAL
Definition crypto.h:231
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
Definition crypto.h:371
@ MD_SHA256
@ MD_SHA1
static bool cipher_defined(const char *ciphername)
Checks if the cipher is defined and is not the null (none) cipher.
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
unsigned int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
#define SHA_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
static bool dco_check_startup_option(msglvl_t msglevel, const struct options *o)
Definition dco.h:280
static bool dco_check_option(msglvl_t msglevel, const struct options *o)
Definition dco.h:274
static const char * dco_version_string(struct gc_arena *gc)
Definition dco.h:268
bool dns_options_verify(msglvl_t msglevel, const struct dns_options *o)
Checks validity of DNS options.
Definition dns.c:212
void dns_options_postprocess_pull(struct dns_options *o)
Merges pulled DNS servers with static ones into an ordered list.
Definition dns.c:289
bool dns_server_addr_parse(struct dns_server *server, const char *addr)
Parses a string IPv4 or IPv6 address and optional colon separated port, into a in_addr or in6_addr re...
Definition dns.c:62
bool dns_domain_list_append(struct dns_domain **entry, char **domains, struct gc_arena *gc)
Appends safe DNS domain parameters to a linked list.
Definition dns.c:148
struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc)
Find or create DNS server with priority in a linked list.
Definition dns.c:190
bool dns_server_priority_parse(long *priority, const char *str, bool pulled)
Parses a string DNS server priority and validates it.
Definition dns.c:175
struct dns_options clone_dns_options(const struct dns_options *o, struct gc_arena *gc)
Makes a deep copy of the passed DNS options.
Definition dns.c:266
void show_dns_options(const struct dns_options *o)
Prints configured DNS options.
Definition dns.c:779
void dns_options_preprocess_pull(struct dns_options *o)
Saves and resets the server options, so that pulled ones don't mix in.
Definition dns.c:282
static bool dns_updown_user_set(const struct dns_options *o)
Returns whether dns-updown is user defined.
Definition dns.h:218
@ DNS_UPDOWN_FORCED
Definition dns.h:50
@ DNS_UPDOWN_NO_FLAGS
Definition dns.h:48
@ DNS_UPDOWN_USER_SET
Definition dns.h:49
@ DNS_SECURITY_NO
Definition dns.h:33
@ DNS_SECURITY_YES
Definition dns.h:34
@ DNS_SECURITY_OPTIONAL
Definition dns.h:35
static bool dns_updown_forced(const struct dns_options *o)
Returns whether dns-updown is forced to run.
Definition dns.h:229
@ DNS_TRANSPORT_PLAIN
Definition dns.h:41
@ DNS_TRANSPORT_TLS
Definition dns.h:43
@ DNS_TRANSPORT_HTTPS
Definition dns.h:42
static bool validate_domain(const char *domain)
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i)
Definition env_set.c:423
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
const char * env_set_get(const struct env_set *es, const char *name)
Definition env_set.c:201
void setenv_str_safe(struct env_set *es, const char *name, const char *value)
Definition env_set.c:313
bool env_set_del(struct env_set *es, const char *str)
Definition env_set.c:183
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition env_set.c:299
#define D_SHOW_OCC
Definition errlevel.h:150
#define D_PUSH
Definition errlevel.h:82
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
#define D_DCO
Definition errlevel.h:93
#define D_SHOW_PARMS
Definition errlevel.h:95
#define D_PUSH_ERRORS
Definition errlevel.h:66
#define D_TLS_ERRORS
Definition errlevel.h:58
#define M_INFO
Definition errlevel.h:54
Interface functions to the internal and external multiplexers.
void helper_setdefault_topology(struct options *o)
Set –topology default depending on –mode.
Definition helper.c:137
void helper_tcp_nodelay(struct options *o)
Definition helper.c:604
void helper_client_server(struct options *o)
Definition helper.c:165
void helper_keepalive(struct options *o)
Definition helper.c:548
static int max_int(int x, int y)
Definition integer.h:92
static int constrain_int(int x, int min, int max)
Definition integer.h:118
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
void management_auth_token(struct management *man, const char *token)
Definition manage.c:3225
void management_echo(struct management *man, const char *string, const bool pull)
Definition manage.c:3146
#define MF_FORGET_DISCONNECT
Definition manage.h:31
#define MF_EXTERNAL_KEY_PKCS1PAD
Definition manage.h:38
#define MF_CLIENT_AUTH
Definition manage.h:33
#define MF_EXTERNAL_KEY_PSSPAD
Definition manage.h:43
#define MF_EXTERNAL_KEY_NOPADDING
Definition manage.h:37
#define MF_QUERY_PROXY
Definition manage.h:41
#define MF_EXTERNAL_KEY
Definition manage.h:36
#define MF_QUERY_REMOTE
Definition manage.h:40
#define MF_QUERY_PASSWORDS
Definition manage.h:28
#define MF_EXTERNAL_CERT
Definition manage.h:42
#define MF_EXTERNAL_KEY_DIGEST
Definition manage.h:44
#define MF_UP_DOWN
Definition manage.h:39
#define MF_HOLD
Definition manage.h:29
#define MF_SIGNAL
Definition manage.h:30
#define MF_UNIX_SOCK
Definition manage.h:35
#define MF_CONNECT_AS_CLIENT
Definition manage.h:32
#define MBUF_SIZE_MAX
Definition mbuf.h:40
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:781
const char * safe_print(const char *str, struct gc_arena *gc)
Definition misc.c:547
#define USER_PASS_LEN
Definition misc.h:67
#define SC_CONCAT
Definition misc.h:95
#define SC_ECHO
Definition misc.h:94
int translate_mtu_discover_type_name(const char *name)
Definition mtu.c:253
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition mtu.c:147
#define MSSFIX_DEFAULT
Definition mtu.h:89
#define TUN_MTU_MAX_MIN
Definition mtu.h:79
#define TAP_MTU_EXTRA_DEFAULT
Definition mtu.h:84
#define LINK_MTU_DEFAULT
Definition mtu.h:64
#define TUN_MTU_DEFAULT
Definition mtu.h:69
#define TUN_MTU_MAX
Maximum MTU we accept for MTU related options.
Definition mtu.h:74
#define TUN_MTU_MIN
Definition mtu.h:59
#define TLS_MTU_DEFAULT
Definition mtu.h:94
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition multi.c:83
static int net_ctx_init(struct context *c, openvpn_net_ctx_t *ctx)
Definition networking.h:47
void * openvpn_net_ctx_t
Definition networking.h:38
#define BOOL_CAST(x)
Definition basic.h:26
#define CLEAR(x)
Definition basic.h:32
#define SIZE(x)
Definition basic.h:29
void errors_to_stderr(void)
Definition error.c:179
void open_syslog(const char *pgmname, bool stdio_to_null)
Definition error.c:442
void redirect_stdout_stderr(const char *file, bool append)
Definition error.c:491
void openvpn_exit(const int status)
Definition error.c:707
static bool machine_readable_output
Definition error.c:74
void set_suppress_timestamps(bool suppressed)
Definition error.c:143
void set_machine_readable_output(bool parsable)
Definition error.c:149
FILE * msg_fp(const msglvl_t flags)
Definition error.c:188
bool set_debug_level(const int level, const unsigned int flags)
Definition error.c:101
static bool suppress_timestamps
Definition error.c:77
#define M_OPTERR
Definition error.h:101
#define SDL_CONSTRAIN
Definition error.h:201
#define M_NOPREFIX
Definition error.h:98
#define M_DEBUG_LEVEL
Definition error.h:88
#define M_USAGE
Definition error.h:107
#define OPENVPN_EXIT_STATUS_USAGE
Definition error.h:54
#define OPENVPN_EXIT_STATUS_GOOD
Definition error.h:52
#define M_FATAL
Definition error.h:90
#define M_ERR
Definition error.h:106
#define msg(flags,...)
Definition error.h:152
unsigned int msglvl_t
Definition error.h:77
#define ASSERT(x)
Definition error.h:219
#define M_WARN
Definition error.h:92
#define M_ERRNO
Definition error.h:95
#define MAX_PEER_ID
Definition openvpn.h:550
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4561
#define RESET_OPTION_ROUTES(option_ptr, field)
Definition options.c:5082
static void rol6_check_alloc(struct options *options)
Definition options.c:1562
#define CHKACC_PRIVATE
Warn if this (private) file is group/others accessible.
Definition options.c:3967
static bool check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access_chroot() that returns false immediately if the file is inline (and th...
Definition options.c:4101
static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
Definition options.c:4067
static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
Definition options.c:2257
#define NM_QUOTE_HINT
Definition options.c:5049
static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
Definition options.c:2913
static void usage_version(void)
Definition options.c:4928
static in_addr_t get_ip_addr(const char *ip_string, msglvl_t msglevel, bool *error)
Definition options.c:1089
static struct pull_filter * alloc_pull_filter(struct options *o)
Definition options.c:2161
#define USAGE_VALID_SERVER_PROTOS
#define SHOW_BOOL(var)
Definition options.c:961
#define CHKACC_DIRPATH
Check for directory presence where a file should reside.
Definition options.c:3964
static void pre_connect_save(struct options *o)
Definition options.c:3104
#define CHKACC_ACPTSTDIN
If filename is stdin, it's allowed and "exists".
Definition options.c:3966
#define TLS_CLIENT
static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
Definition options.c:966
static int global_auth_retry
Definition options.c:4807
bool options_postprocess_pull(struct options *o, struct env_set *es)
Definition options.c:4310
void remove_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const msglvl_t msglevel, const uint64_t permission_mask, uint64_t *option_types_found, struct env_set *es)
Resets options found in the PUSH_UPDATE message that are preceded by the - flag.
Definition options.c:5090
void uninit_options(struct options *o)
Definition options.c:915
static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
Definition options.c:2182
#define SHOW_STR(var)
Definition options.c:954
int parse_topology(const char *str, const msglvl_t msglevel)
Definition options.c:4760
void show_windows_version(const unsigned int flags)
Definition options.c:4895
#define VERIFY_PERMISSION(mask)
Definition options.c:4989
static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
Definition options.c:4573
bool key_is_external(const struct options *options)
Definition options.c:5580
static char * string_substitute(const char *src, char from, char to, struct gc_arena *gc)
Definition options.c:1138
static void show_dhcp_option_list(const char *name, const char *const *array, unsigned int len)
Definition options.c:1261
static void check_ca_required(const struct options *options)
Definition options.c:2219
static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, struct gc_arena *gc)
Definition options.c:1975
void init_options(struct options *o)
Definition options.c:797
#define CHKACC_FILEXSTWR
If file exists, is it writable?
Definition options.c:3965
static void tuntap_options_postprocess_dns(struct options *o)
Postprocess DNS related settings.
Definition options.c:3488
static void dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, unsigned int *len, msglvl_t msglevel)
Definition options.c:1307
static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
Returns newly allocated string containing address part without "/nn".
Definition options.c:1114
static void option_iroute_ipv6(struct options *o, const char *prefix_str, msglvl_t msglevel)
Definition options.c:1485
static bool check_route_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5252
void show_dco_version(const unsigned int flags)
Definition options.c:4904
void rol_check_alloc(struct options *options)
Definition options.c:1553
static struct local_list * alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
Definition options.c:2038
static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, unsigned int *len, msglvl_t msglevel)
Definition options.c:1321
static void helper_hashmap_sizes(struct options *o)
Sets the internal hash maps sizes according to the max_clients.
Definition options.c:3748
#define SHOW_UNSIGNED(var)
Definition options.c:960
void show_settings(const struct options *o)
Definition options.c:1677
static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot)
Definition options.c:5541
void update_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const msglvl_t msglevel, const uint64_t permission_mask, uint64_t *option_types_found, struct env_set *es)
Processes an option to update.
Definition options.c:5410
static bool verify_permission(const char *name, const char *file, int line, const uint64_t type, const uint64_t allowed, uint64_t *found, const msglvl_t msglevel, struct options *options, bool is_inline)
Definition options.c:4999
static struct verify_hash_list * parse_hash_fingerprint_multiline(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
Parses a string consisting of multiple lines of hexstrings and checks if each string has the correct ...
Definition options.c:1219
#define LZO_LIB_VER_STR
static bool no_more_than_n_args(const msglvl_t msglevel, char *p[], const int max, const unsigned int flags)
Definition options.c:5052
static void show_connection_entries(const struct options *o)
Definition options.c:1638
static void options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
Definition options.c:3070
static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, unsigned int len)
Definition options.c:1270
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4681
bool string_defined_equal(const char *s1, const char *s2)
Definition options.c:4959
static bool check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access() that returns false immediately if the file is inline (and therefore...
Definition options.c:4117
void options_postprocess(struct options *options, struct env_set *es)
Definition options.c:4296
#define SHOW_UINT(var)
Definition options.c:958
void usage_small(void)
Definition options.c:4887
const char * auth_retry_print(void)
Definition options.c:4839
static void show_http_proxy_options(const struct http_proxy_options *o)
Definition options.c:1503
static void options_postprocess_filechecks(struct options *options)
Definition options.c:4185
static struct remote_entry * alloc_remote_entry(struct options *options, const msglvl_t msglevel)
Definition options.c:2125
static void show_connection_entry(const struct connection_entry *o)
Definition options.c:1581
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition options.c:4704
void show_library_versions(const unsigned int flags)
Definition options.c:4914
void setenv_settings(struct env_set *es, const struct options *o)
Definition options.c:992
#define CHKACC_ACCEPT_URI
Do not check URIs, unless they start with file:
Definition options.c:3968
static const char usage_message[]
Definition options.c:122
static void options_warning_safe_scan1(const msglvl_t msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4641
static struct connection_list * alloc_connection_list_if_undef(struct options *options)
Definition options.c:2079
static bool check_cmd_access(const char *command, const char *opt, const char *chroot)
Definition options.c:4145
#define SHOW_INT64(var)
Definition options.c:959
static bool check_file_access(const int type, const char *file, const int mode, const char *opt)
Definition options.c:3971
static void show_p2mp_parms(const struct options *o)
Definition options.c:1366
static const char * pull_filter_type_name(int type)
Definition options.c:933
static void cnol_check_alloc(struct options *options)
Definition options.c:1571
static void options_postprocess_mutate(struct options *o, struct env_set *es)
Definition options.c:3761
void options_detach(struct options *o)
Definition options.c:1533
static void options_warning_safe_ml(const msglvl_t msglevel, char *actual, const char *expected, size_t actual_n)
Definition options.c:4659
static unsigned int atou(const char *str)
Definition options.c:4981
void pre_connect_restore(struct options *o, struct gc_arena *gc)
Definition options.c:3149
static struct pull_filter_list * alloc_pull_filter_list(struct options *o)
Definition options.c:2151
const char * print_topology(const int topology)
Definition options.c:4782
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4723
static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, msglvl_t msglevel, struct gc_arena *gc)
Parses a hexstring and checks if the string has the correct length.
Definition options.c:1166
static bool check_dns_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5301
#define SHOW_STR_INLINE(var)
Definition options.c:955
static void options_warning_safe_scan2(const msglvl_t msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
Definition options.c:4587
static void options_postprocess_cipher(struct options *o)
Definition options.c:3322
static void options_set_backwards_compatible_options(struct options *o)
Changes default values so that OpenVPN can be compatible with the user specified version.
Definition options.c:3392
static void show_tuntap_options(const struct tuntap_options *o)
Definition options.c:1281
#define MUST_BE_FALSE(condition, parm_name)
Definition options.c:2250
#define MUST_BE_UNDEF(parm, parm_name)
Definition options.c:2245
static const char * print_vlan_accept(enum vlan_acceptable_frames mode)
Definition options.c:1349
#define SHOW_PARM(name, value, format)
Definition options.c:953
static void options_postprocess_http_proxy_override(struct options *o)
Definition options.c:2003
void options_warning(char *actual, const char *expected)
Definition options.c:4567
static void show_pull_filter_list(const struct pull_filter_list *l)
Definition options.c:1659
#define CHKACC_FILE
Check for a file/directory presence.
Definition options.c:3963
const char * options_string_version(const char *s, struct gc_arena *gc)
Definition options.c:4710
static void options_postprocess_mutate_invariant(struct options *options)
Definition options.c:3222
static bool ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
Definition options.c:1132
const char title_string[]
Definition options.c:72
static void setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
Definition options.c:984
static void remap_redirect_gateway_flags(struct options *opt)
Definition options.c:3088
#define TLS_SERVER
static msglvl_t msglevel_forward_compatible(struct options *options, const msglvl_t msglevel)
Definition options.c:5077
bool auth_retry_set(const msglvl_t msglevel, const char *option)
Definition options.c:4816
int auth_retry_get(void)
Definition options.c:4810
static struct remote_list * alloc_remote_list_if_undef(struct options *options)
Definition options.c:2115
static bool check_route6_option(struct options *options, char *p[], const msglvl_t msglevel, bool pull_mode)
Definition options.c:5280
void notnull(const char *arg, const char *description)
Definition options.c:4950
void usage(void)
Definition options.c:4861
static struct local_entry * alloc_local_entry(struct connection_entry *ce, const msglvl_t msglevel, struct gc_arena *gc)
Definition options.c:2048
static void show_compression_warning(struct compress_options *info)
Definition options.c:5568
static void options_process_mutate_prf(struct options *o)
Definition options.c:3460
void add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const msglvl_t msglevel, const uint64_t permission_mask, uint64_t *option_types_found, struct env_set *es)
Definition options.c:5600
bool has_udp_in_local_list(const struct options *options)
Definition options.c:9329
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
Definition options.c:4367
static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, msglvl_t msglevel)
Definition options.c:1458
static void options_postprocess_verify(const struct options *o)
Definition options.c:3285
static void connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
Definition options.c:2203
static struct connection_entry * alloc_connection_entry(struct options *options, const msglvl_t msglevel)
Definition options.c:2089
#define SHOW_INT(var)
Definition options.c:957
static bool need_compatibility_before(const struct options *o, unsigned int version)
The option –compat-mode is used to set up default settings to values used on the specified openvpn ve...
Definition options.c:3382
#define MODE_POINT_TO_POINT
Definition options.h:262
#define OPT_P_SCRIPT
Definition options.h:730
#define PUF_TYPE_ACCEPT
filter type to accept a matching option
Definition options.h:795
#define OPT_P_PUSH
Definition options.h:742
#define SF_TCP_NODELAY_HELPER
Definition options.h:473
#define OPT_P_UP
Definition options.h:727
#define OPT_P_CONNECTION
Definition options.h:753
#define OPT_P_INSTANCE
allowed in ccd, client-connect etc
Definition options.h:743
#define OPT_P_NCP
Negotiable crypto parameters.
Definition options.h:738
#define OPT_P_ECHO
Definition options.h:746
#define OPT_P_ROUTE_TABLE
Definition options.h:757
#define OPT_P_CONFIG
Definition options.h:744
#define MODE_SERVER
Definition options.h:263
#define CONNECTION_LIST_SIZE
Definition options.h:190
#define streq(x, y)
Definition options.h:721
#define OPT_P_U_REDIR_GATEWAY
Definition options.h:790
#define OPT_P_EXPLICIT_NOTIFY
Definition options.h:745
#define PUF_TYPE_IGNORE
filter type to ignore a matching option
Definition options.h:796
#define AR_INTERACT
Definition options.h:966
#define OPT_P_SHAPER
Definition options.h:732
#define OPT_P_U_ROUTE6
Definition options.h:787
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:987
#define OPT_P_SOCKFLAGS
Definition options.h:752
#define SF_NOPOOL
Definition options.h:472
#define PUF_TYPE_REJECT
filter type to reject and trigger SIGUSR1
Definition options.h:797
#define OPT_P_MESSAGES
Definition options.h:737
#define OPT_P_SETENV
Definition options.h:731
#define OPT_P_SOCKBUF
Definition options.h:751
#define OPT_P_PLUGIN
Definition options.h:750
#define OPTION_PARM_SIZE
Definition options.h:56
#define OPT_P_TIMER
Definition options.h:733
#define OPT_P_GENERAL
Definition options.h:726
void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const msglvl_t msglevel, const uint64_t permission_mask, uint64_t *option_types_found, struct env_set *es)
#define PING_RESTART
Definition options.h:354
#define OPT_P_DHCPDNS
Definition options.h:729
#define OPT_P_PULL_MODE
Definition options.h:749
@ GENKEY_AUTH_TOKEN
Definition options.h:242
@ GENKEY_SECRET
Definition options.h:239
@ GENKEY_TLS_CRYPTV2_SERVER
Definition options.h:241
@ GENKEY_TLS_CRYPTV2_CLIENT
Definition options.h:240
#define OPT_P_PUSH_MTU
Definition options.h:756
#define AR_NONE
Definition options.h:965
#define AR_NOINTERACT
Definition options.h:967
#define SF_NO_PUSH_ROUTE_GATEWAY
Definition options.h:474
#define OPT_P_PERSIST
Definition options.h:734
#define MAX_PARMS
Definition options.h:51
#define PULL_DEFINED(opt)
Definition options.h:761
#define OPT_P_U_DNS
Definition options.h:788
#define PLUGIN_OPTION_LIST(opt)
Definition options.h:772
#define ROUTE_OPTION_FLAGS(o)
Definition options.h:764
#define OPTION_LINE_SIZE
Definition options.h:57
#define OPT_P_U_ROUTE
Definition options.h:786
#define PING_EXIT
Definition options.h:353
#define OPT_P_COMP
Definition options.h:736
#define OPT_P_PERSIST_IP
Definition options.h:735
#define OPT_P_MTU
Definition options.h:740
#define OPT_P_ROUTE_EXTRAS
Definition options.h:748
#define OPT_P_U_DHCP
Definition options.h:789
#define OPT_P_NICE
Definition options.h:741
#define OPT_P_PEER_ID
Definition options.h:754
#define OPT_P_INHERIT
Definition options.h:747
#define OPT_P_TLS_PARMS
Definition options.h:739
#define OPT_P_ROUTE
Definition options.h:728
void read_config_string(const char *prefix, struct options *options, const char *config, const msglvl_t msglevel, const uint64_t permission_mask, uint64_t *option_types_found, struct env_set *es)
#define MAN_CLIENT_AUTH_ENABLED(opt)
Definition options.h:778
#define CE_DISABLED
Definition options.h:153
#define OPT_P_INLINE
Definition options.h:755
vlan_acceptable_frames
Definition options.h:223
@ VLAN_ONLY_UNTAGGED_OR_PRIORITY
Definition options.h:225
@ VLAN_ALL
Definition options.h:226
@ VLAN_ONLY_TAGGED
Definition options.h:224
int atoi_warn(const char *str, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number.
int positive_atoi(const char *str, msglvl_t msglevel)
Converts a str to a positive number if the string represents a postive integer number.
bool positive_atoll(const char *str, int64_t *value, const char *name, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number and is >= 0.
bool valid_integer(const char *str, bool positive)
Checks if the string is a valid integer by checking if it can be converted to an integer.
bool atoi_constrained(const char *str, int *value, const char *name, int min, int max, msglvl_t msglevel)
Converts a str to an integer if the string can be represented as an integer number and is between min...
#define MAX_SEQ_BACKTRACK
Definition packet_id.h:85
#define MIN_SEQ_BACKTRACK
Definition packet_id.h:84
#define DEFAULT_SEQ_BACKTRACK
Definition packet_id.h:86
#define MAX_TIME_BACKTRACK
Definition packet_id.h:94
#define DEFAULT_TIME_BACKTRACK
Definition packet_id.h:95
#define MIN_TIME_BACKTRACK
Definition packet_id.h:93
unsigned int platform_getpid(void)
Definition platform.c:333
int platform_access(const char *path, int mode)
Definition platform.c:457
int platform_chdir(const char *dir)
Definition platform.c:392
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:526
struct _stat platform_stat_t
Definition platform.h:118
struct plugin_option_list * plugin_option_list_new(struct gc_arena *gc)
Definition plugin.c:159
bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
Definition plugin.c:167
void plugin_option_list_print(const struct plugin_option_list *list, msglvl_t msglevel)
Definition plugin.c:187
bool ifconfig_pool_verify_range(const msglvl_t msglevel, const in_addr_t start, const in_addr_t end)
Definition pool.c:117
#define OPENVPN_8021Q_MIN_VID
Definition proto.h:316
#define OPENVPN_8021Q_MAX_VID
Definition proto.h:317
#define DEV_TYPE_TAP
Definition proto.h:36
#define TOP_UNDEF
Definition proto.h:40
#define DEV_TYPE_UNDEF
Definition proto.h:34
#define TOP_NET30
Definition proto.h:41
#define DEV_TYPE_TUN
Definition proto.h:35
#define TOP_P2P
Definition proto.h:42
#define TOP_SUBNET
Definition proto.h:43
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
Definition proxy.c:44
#define PAR_NCT
Definition proxy.h:51
#define MAX_CUSTOM_HTTP_HEADER
Definition proxy.h:43
#define PAR_ALL
Definition proxy.h:50
void push_reset(struct options *o)
Definition push.c:944
void push_options(struct options *o, char **p, msglvl_t msglevel, struct gc_arena *gc)
Definition push.c:918
void clone_push_list(struct options *o)
Definition push.c:903
void push_remove_option(struct options *o, const char *p)
Definition push.c:950
void print_route_options(const struct route_option_list *rol, msglvl_t msglevel)
Definition route.c:1240
bool is_special_addr(const char *addr_str)
Definition route.c:301
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition route.c:155
int netmask_to_netbits2(in_addr_t netmask)
Definition route.c:3889
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition route.c:139
void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1198
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition route.c:2662
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:509
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition route.c:173
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:181
void print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition route.c:1254
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2565
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:164
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition route.c:130
void show_routes(msglvl_t msglevel)
Definition route.c:3065
void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1176
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric, int table_id)
Definition route.c:494
#define RG_LOCAL
Definition route.h:87
#define RG_BYPASS_DHCP
Definition route.h:89
#define ROUTE_METHOD_SERVICE
Definition route.h:42
#define ROUTE_METHOD_IPAPI
Definition route.h:40
#define ROUTE_METHOD_EXE
Definition route.h:41
#define RG_DEF1
Definition route.h:88
#define RG_BYPASS_DNS
Definition route.h:90
#define RG_ENABLE
Definition route.h:86
#define RG_REROUTE_GW
Definition route.h:91
#define ROUTE_METHOD_ADAPTIVE
Definition route.h:39
#define RG_AUTO_LOCAL
Definition route.h:92
#define RG_BLOCK_LOCAL
Definition route.h:93
void script_security_set(int level)
Definition run_command.c:48
#define SSEC_PW_ENV
allow calling of built-in programs and user-defined scripts that may receive a password as an environ...
Definition run_command.h:38
#define SSEC_NONE
strictly no calling of external programs
Definition run_command.h:31
#define SHAPER_MAX
Definition shaper.h:40
#define SHAPER_MIN
Definition shaper.h:39
static void bind_local(struct link_socket *sock, const sa_family_t ai_family)
Definition socket.c:650
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, msglvl_t msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:222
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:195
#define SF_TCP_NODELAY
Definition socket.h:210
#define RESOLV_RETRY_INFINITE
Definition socket.h:48
#define OPENVPN_PORT
Definition socket.h:42
#define SF_USE_IP_PKTINFO
Definition socket.h:209
#define SF_HOST_RANDOMIZE
Definition socket.h:212
#define SF_PKTINFO_COPY_IIF
Definition socket.h:216
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
bool mac_addr_safe(const char *mac_addr)
const char * proto2ascii_all(struct gc_arena *gc)
sa_family_t ascii2af(const char *proto_name)
const char * proto_remote(int proto, bool remote)
bool ipv6_addr_safe(const char *ipv6_text_addr)
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn)
int ascii2proto(const char *proto_name)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
bool ip_addr_dotted_quad_safe(const char *dotted_quad)
static bool proto_is_net(int proto)
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
#define GETADDR_FATAL
@ PROTO_NONE
@ PROTO_UDP
@ PROTO_TCP
@ PROTO_TCP_CLIENT
@ PROTO_TCP_SERVER
#define GETADDR_HOST_ORDER
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
#define GETADDR_RESOLVE
#define IA_NET_ORDER
Definition socket_util.h:90
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:366
void ssl_set_auth_nocache(void)
Definition ssl.c:341
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:425
void ssl_set_auth_token(const char *token)
Definition ssl.c:360
bool ssl_get_auth_nocache(void)
Definition ssl.c:351
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1877
Control Channel SSL/Data channel negotiation module.
#define X509_USERNAME_FIELD_DEFAULT
Definition ssl.h:120
#define KEY_METHOD_2
Definition ssl.h:122
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
#define TLS_VER_BAD
Parse a TLS version specifier.
#define TLS_VER_1_0
#define EXPORT_KEY_DATA_LABEL
#define TLS_VER_1_2
#define TLS_VER_1_3
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition ssl_common.h:431
#define SSLF_CLIENT_CERT_OPTIONAL
Definition ssl_common.h:424
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:426
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition ssl_common.h:423
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:428
#define SSLF_TLS_DEBUG_ENABLED
Definition ssl_common.h:433
#define SSLF_TLS_VERSION_MAX_MASK
Definition ssl_common.h:432
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition ssl_common.h:429
#define SSLF_TLS_VERSION_MIN_MASK
Definition ssl_common.h:430
#define SSLF_USERNAME_AS_COMMON_NAME
Definition ssl_common.h:425
void options_postprocess_setdefault_ncpciphers(struct options *o)
Checks for availibility of Chacha20-Poly1305 and sets the ncp_cipher to either AES-256-GCM:AES-128-GC...
Definition ssl_ncp.c:576
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
void append_cipher_to_ncp_list(struct options *o, const char *ciphername)
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
Definition ssl_ncp.c:195
char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
Check whether the ciphers in the supplied list are supported.
Definition ssl_ncp.c:96
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
Control Channel Verification Module.
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
Definition ssl_verify.h:257
#define VERIFY_X509_SUBJECT_DN
Definition ssl_verify.h:69
#define VERIFY_X509_SUBJECT_RDN
Definition ssl_verify.h:70
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:254
#define VERIFY_X509_SUBJECT_RDN_PREFIX
Definition ssl_verify.h:71
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
Definition ssl_verify.h:252
bool x509_username_field_ext_supported(const char *extname)
Return true iff the supplied extension field is supported by the –x509-username-field option.
void x509_track_add(const struct x509_track **ll_head, const char *name, msglvl_t msglevel, struct gc_arena *gc)
Definition argv.h:35
char ** argv
Definition argv.h:39
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
unsigned int flags
Definition comp.h:77
Definition options.h:107
struct local_list * local_list
Definition options.h:108
int tun_mtu_max
Definition options.h:129
int connect_retry_seconds
Definition options.h:119
bool tls_crypt_v2_force_cookie
Definition options.h:179
int link_mtu
Definition options.h:134
bool link_mtu_defined
Definition options.h:135
int tun_mtu_extra
Definition options.h:132
int connect_retry_seconds_max
Definition options.h:120
bool bind_local
Definition options.h:118
int mssfix
Definition options.h:144
const char * tls_crypt_file
Definition options.h:170
const char * tls_crypt_v2_file
Definition options.h:175
bool tun_mtu_extra_defined
Definition options.h:133
const char * remote
Definition options.h:114
int connect_timeout
Definition options.h:121
const char * socks_proxy_port
Definition options.h:124
bool mssfix_default
Definition options.h:145
bool mssfix_encap
Definition options.h:146
int occ_mtu
Definition options.h:128
struct http_proxy_options * http_proxy_options
Definition options.h:122
bool tls_crypt_file_inline
Definition options.h:171
bool tls_auth_file_inline
Definition options.h:166
bool bind_ipv6_only
Definition options.h:117
bool tun_mtu_defined
Definition options.h:131
bool remote_float
Definition options.h:115
int tls_mtu
Definition options.h:136
int explicit_exit_notification
Definition options.h:150
const char * socks_proxy_authfile
Definition options.h:125
const char * remote_port
Definition options.h:113
bool fragment_encap
Definition options.h:142
const char * socks_proxy_server
Definition options.h:123
int fragment
Definition options.h:141
int mtu_discover_type
Definition options.h:139
int proto
Definition options.h:109
sa_family_t af
Definition options.h:110
const char * tls_auth_file
Definition options.h:165
bool local_port_defined
Definition options.h:112
int tun_mtu
Definition options.h:127
bool bind_defined
Definition options.h:116
const char * local_port
Definition options.h:111
int key_direction
Definition options.h:167
bool tls_crypt_v2_file_inline
Definition options.h:176
unsigned int flags
Definition options.h:162
bool mssfix_fixed
Definition options.h:148
struct connection_entry ** array
Definition options.h:204
struct route_list * route_list
List of routing information.
Definition openvpn.h:177
struct route_ipv6_list * route_ipv6_list
Definition openvpn.h:182
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition openvpn.h:172
Contains all state information for one tunnel.
Definition openvpn.h:471
openvpn_net_ctx_t net_ctx
Networking API opaque context.
Definition openvpn.h:498
struct options options
Options loaded from command line or configuration file.
Definition openvpn.h:472
struct context_1 c1
Level 1 context.
Definition openvpn.h:513
in_addr_t dns[N_DHCP_ADDR]
Definition dns.h:101
Definition dhcp.h:62
struct dns_domain * next
Definition dns.h:55
const char * name
Definition dns.h:56
struct dns_server * servers
Definition dns.h:117
const char * updown
Definition dns.h:119
struct dhcp_options from_dhcp
Definition dns.h:114
struct gc_arena gc
Definition dns.h:118
enum dns_updown_flags updown_flags
Definition dns.h:120
struct dns_domain * search_domains
Definition dns.h:115
struct in_addr a4
Definition dns.h:63
union dns_server_addr::@0 in
sa_family_t family
Definition dns.h:66
struct in6_addr a6
Definition dns.h:64
in_port_t port
Definition dns.h:67
struct dns_server_addr addr[8]
Definition dns.h:75
enum dns_security dnssec
Definition dns.h:77
struct dns_server * next
Definition dns.h:72
long priority
Definition dns.h:73
size_t addr_count
Definition dns.h:74
struct dns_domain * domains
Definition dns.h:76
enum dns_server_transport transport
Definition dns.h:78
const char * sni
Definition dns.h:79
char * string
Definition env_set.h:38
struct env_item * next
Definition env_set.h:39
struct env_item * list
Definition env_set.h:45
Structure for reassembling one incoming fragmented packet.
Definition fragment.h:65
Packet geometry parameters.
Definition mtu.h:113
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:147
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Definition list.h:53
const char * name
Definition proxy.h:39
const char * content
Definition proxy.h:40
const char * auth_file
Definition proxy.h:55
const char * http_version
Definition proxy.h:57
const char * port
Definition proxy.h:47
bool inline_creds
Definition proxy.h:60
const char * user_agent
Definition proxy.h:58
const char * auth_method_string
Definition proxy.h:54
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
Definition proxy.h:59
const char * auth_file_up
Definition proxy.h:56
const char * server
Definition proxy.h:46
struct iroute_ipv6 * next
Definition route.h:271
unsigned int netbits
Definition route.h:270
struct in6_addr network
Definition route.h:269
in_addr_t network
Definition route.h:262
int netbits
Definition route.h:263
struct iroute * next
Definition route.h:264
const char * cipher
const name of the cipher
Definition crypto.h:142
const char * digest
Message digest static parameters.
Definition crypto.h:143
Definition options.h:100
const char * port
Definition options.h:102
int proto
Definition options.h:103
const char * local
Definition options.h:101
struct local_entry ** array
Definition options.h:196
int capacity
Definition options.h:194
struct tuntap_options tuntap_options
Definition options.h:65
int ping_rec_timeout_action
Definition options.h:89
bool tuntap_options_defined
Definition options.h:64
bool routes_ipv6_defined
Definition options.h:73
struct route_option_list * routes
Definition options.h:71
struct compress_options comp
Definition options.h:92
const char * ciphername
Definition options.h:84
const char * ifconfig_local
Definition options.h:67
struct dns_options dns_options
Definition options.h:82
const char * route_default_gateway
Definition options.h:76
const char * ifconfig_ipv6_local
Definition options.h:68
const char * authname
Definition options.h:85
struct route_ipv6_option_list * routes_ipv6
Definition options.h:74
bool client_nat_defined
Definition options.h:79
struct client_nat_option_list * client_nat
Definition options.h:80
const char * route_ipv6_default_gateway
Definition options.h:77
int resolve_retry_seconds
Definition options.h:365
int rcvbuf
Definition options.h:411
bool resolve_in_advance
Definition options.h:366
bool route_nopull
Definition options.h:435
const char * genkey_extra_data
Definition options.h:288
struct compress_options comp
Definition options.h:408
struct http_proxy_options * http_proxy_override
Definition options.h:311
int push_ifconfig_ipv6_netbits
Definition options.h:521
int proto_force
Definition options.h:334
bool persist_config
Definition options.h:276
struct connection_list * connection_list
Definition options.h:293
const char * management_port
Definition options.h:445
bool tls_crypt_file_inline
Definition options.h:663
const char * ifconfig_ipv6_remote
Definition options.h:329
int max_routes_per_client
Definition options.h:534
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
Definition options.h:577
int status_file_version
Definition options.h:405
enum vlan_acceptable_frames vlan_accept
Definition options.h:708
int auth_token_renewal
Definition options.h:543
in_addr_t push_ifconfig_constraint_network
Definition options.h:516
const char * tmp_dir
Definition options.h:464
bool push_peer_info
Definition options.h:679
bool daemon
Definition options.h:389
struct options_pre_connect * pre_connect
Definition options.h:561
int route_default_metric
Definition options.h:427
int renegotiate_seconds_min
Definition options.h:645
const char * auth_token_secret_file
Definition options.h:544
unsigned int imported_protocol_flags
Definition options.h:718
const char * tls_export_peer_cert_dir
Definition options.h:610
bool crl_file_inline
Definition options.h:614
const char * cryptoapi_cert
Definition options.h:636
const char * down_script
Definition options.h:384
unsigned int backwards_compatible
What version we should try to be compatible with as major * 10000 + minor * 100 + patch,...
Definition options.h:270
hash_algo_type verify_hash_algo
Definition options.h:620
int scheduled_exit_interval
Definition options.h:563
int stale_routes_ageing_time
Definition options.h:536
bool pkcs12_file_inline
Definition options.h:603
int replay_time
Definition options.h:584
int management_state_buffer_size
Definition options.h:449
const char * ca_file
Definition options.h:591
const char * tls_auth_file
Definition options.h:658
struct provider_list providers
Definition options.h:581
bool duplicate_cn
Definition options.h:525
struct in6_addr server_network_ipv6
Definition options.h:469
int shaper
Definition options.h:332
int management_echo_buffer_size
Definition options.h:448
in_addr_t server_network
Definition options.h:466
uint32_t real_hash_size
Definition options.h:497
bool show_net_up
Definition options.h:692
bool verify_hash_no_ca
Definition options.h:622
bool allow_pull_fqdn
Definition options.h:437
bool use_peer_id
Definition options.h:698
unsigned remote_cert_ku[MAX_PARMS]
Definition options.h:617
bool server_bridge_defined
Definition options.h:479
const char * keying_material_exporter_label
Definition options.h:702
const char * status_file
Definition options.h:404
unsigned int ssl_flags
Definition options.h:623
bool route_noexec
Definition options.h:428
bool ifconfig_nowarn
Definition options.h:331
const char * remote_cert_eku
Definition options.h:618
in_addr_t ifconfig_pool_netmask
Definition options.h:489
in_addr_t server_netmask
Definition options.h:467
int tls_timeout
Definition options.h:639
bool test_crypto
Definition options.h:586
bool up_delay
Definition options.h:387
bool server_bridge_proxy_dhcp
Definition options.h:477
bool allow_recursive_routing
Definition options.h:715
const char * authname
Definition options.h:579
const char * exit_event_name
Definition options.h:690
const char * ifconfig_ipv6_local
Definition options.h:327
int cf_max
Definition options.h:527
bool dh_file_inline
Definition options.h:595
int replay_window
Definition options.h:583
bool disable
Definition options.h:505
int mute
Definition options.h:398
bool auth_user_pass_verify_script_via_file
Definition options.h:539
const char * dev_type
Definition options.h:321
int persist_mode
Definition options.h:277
int ifconfig_pool_persist_refresh_freq
Definition options.h:491
bool show_digests
Definition options.h:281
const char * up_script
Definition options.h:383
uint64_t push_option_types_found
Definition options.h:556
bool single_session
Definition options.h:677
bool push_ifconfig_defined
Definition options.h:511
bool ifconfig_pool_defined
Definition options.h:486
int verify_hash_depth
Definition options.h:621
bool route_delay_defined
Definition options.h:431
const char * packet_id_file
Definition options.h:585
const char * tls_crypt_v2_file
Definition options.h:667
int management_log_history_cache
Definition options.h:447
in_addr_t server_bridge_netmask
Definition options.h:481
const char * ip_remote_hint
Definition options.h:367
bool vlan_tagging
Definition options.h:707
uint32_t peer_id
Definition options.h:699
struct route_option_list * routes
Definition options.h:432
in_addr_t ifconfig_pool_end
Definition options.h:488
int keepalive_timeout
Definition options.h:341
const char * writepid
Definition options.h:382
int64_t inactivity_minimum_bytes
Definition options.h:344
bool ifconfig_ipv6_pool_defined
Definition options.h:493
unsigned int server_flags
Definition options.h:475
uint32_t max_clients
Definition options.h:533
bool block_outside_dns
Definition options.h:694
bool push_ifconfig_ipv6_blocked
Definition options.h:523
bool tls_exit
Definition options.h:681
const char * pkcs12_file
Definition options.h:602
const char * client_disconnect_script
Definition options.h:500
bool show_engines
Definition options.h:282
struct remote_list * remote_list
Definition options.h:295
HANDLE msg_channel
Definition options.h:689
const char * key_pass_file
Definition options.h:279
bool mute_replay_warnings
Definition options.h:582
const char * tls_crypt_file
Definition options.h:662
int inactivity_timeout
Definition options.h:343
int n_bcast_buf
Definition options.h:507
int handshake_window
Definition options.h:649
bool server_defined
Definition options.h:465
const char * ifconfig_local
Definition options.h:325
char * x509_username_field[MAX_PARMS]
Definition options.h:652
struct connection_entry ce
Definition options.h:292
struct iroute_ipv6 * iroutes_ipv6
Definition options.h:510
struct push_list push_list
Definition options.h:485
bool user_script_used
Definition options.h:385
const char * tls_groups
Definition options.h:606
bool show_tls_ciphers
Definition options.h:283
struct tuntap_options tuntap_options
Definition options.h:369
int route_method
Definition options.h:693
struct verify_hash_list * verify_hash
Definition options.h:619
const char * tls_cert_profile
Definition options.h:607
int64_t renegotiate_packets
Definition options.h:643
unsigned int management_flags
Definition options.h:457
int push_continuation
Definition options.h:555
const char * route_default_gateway
Definition options.h:424
in_addr_t push_ifconfig_local_alias
Definition options.h:514
struct dns_options dns_options
Definition options.h:316
bool exit_event_initial_state
Definition options.h:691
struct static_challenge_info sc_info
Definition options.h:566
bool auth_token_call_auth
Definition options.h:541
const char * ipchange
Definition options.h:319
int topology
Definition options.h:324
bool disable_dco
Definition options.h:372
const char * ncp_ciphers
Definition options.h:578
bool genkey
Definition options.h:285
uint32_t virtual_hash_size
Definition options.h:498
const char * learn_address_script
Definition options.h:501
const char * ciphername
Definition options.h:573
const char * auth_user_pass_file
Definition options.h:558
int tls_crypt_v2_max_age
Definition options.h:674
bool forward_compatible
Definition options.h:267
const char * username
Definition options.h:375
int cf_initial_max
Definition options.h:530
int stale_routes_check_interval
Definition options.h:535
struct plugin_option_list * plugin_list
Definition options.h:460
int auth_token_lifetime
Definition options.h:542
uint16_t vlan_pvid
Definition options.h:709
int ns_cert_type
Definition options.h:616
const char * tls_crypt_v2_verify_script
Definition options.h:672
int mode
Definition options.h:264
bool tls_server
Definition options.h:589
const char * auth_user_pass_verify_script
Definition options.h:538
int connect_retry_max
Definition options.h:291
char * bind_dev
Definition options.h:416
const char * extra_certs_file
Definition options.h:598
bool client
Definition options.h:553
bool pull
Definition options.h:554
int ifconfig_ipv6_pool_netbits
Definition options.h:495
in_addr_t push_ifconfig_constraint_netmask
Definition options.h:517
bool show_curves
Definition options.h:284
const char * route_ipv6_default_gateway
Definition options.h:425
bool tls_client
Definition options.h:590
bool ping_timer_remote
Definition options.h:350
bool auth_token_generate
Definition options.h:540
bool priv_key_file_inline
Definition options.h:601
const char * tls_verify
Definition options.h:609
const char * crl_file
Definition options.h:613
int ping_rec_timeout_action
Definition options.h:355
bool auth_user_pass_file_inline
Definition options.h:559
bool show_ciphers
Definition options.h:280
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition options.h:574
const char * route_predown_script
Definition options.h:423
const char * dh_file
Definition options.h:594
int route_delay_window
Definition options.h:430
in_addr_t push_ifconfig_local
Definition options.h:512
bool mlock
Definition options.h:338
const char ** ignore_unknown_option
Definition options.h:273
int sndbuf
Definition options.h:412
int foreign_option_index
Definition options.h:686
struct gc_arena gc
Definition options.h:256
bool down_pre
Definition options.h:386
bool persist_tun
Definition options.h:357
int route_default_table_id
Definition options.h:426
bool ca_file_inline
Definition options.h:592
bool auth_token_secret_file_inline
Definition options.h:545
bool block_ipv6
Definition options.h:434
const char * config
Definition options.h:259
bool extra_certs_file_inline
Definition options.h:599
bool push_ifconfig_constraint_defined
Definition options.h:515
int mark
Definition options.h:415
int cf_initial_per
Definition options.h:531
int keying_material_exporter_length
Definition options.h:703
bool suppress_timestamps
Definition options.h:394
bool force_key_material_export
Definition options.h:705
bool mtu_test
Definition options.h:336
struct iroute * iroutes
Definition options.h:509
int verify_x509_type
Definition options.h:611
const char * cipher_list_tls13
Definition options.h:605
const char * ecdh_curve
Definition options.h:608
int status_file_update_freq
Definition options.h:406
const char * management_client_user
Definition options.h:451
const char * cipher_list
Definition options.h:604
bool ccd_exclusive
Definition options.h:504
bool allow_deprecated_insecure_static_crypto
Definition options.h:571
struct pull_filter_list * pull_filter_list
Definition options.h:711
const char * management_certificate
Definition options.h:454
const char * genkey_filename
Definition options.h:287
const struct x509_track * x509_track
Definition options.h:683
const char * chroot_dir
Definition options.h:377
bool auth_user_pass_username_only
Definition options.h:560
bool log
Definition options.h:393
bool shared_secret_file_inline
Definition options.h:570
struct in6_addr push_ifconfig_ipv6_remote
Definition options.h:522
const char * ca_path
Definition options.h:593
int renegotiate_seconds
Definition options.h:644
int ping_rec_timeout
Definition options.h:349
unsigned int sockflags
Definition options.h:419
const char * engine
Definition options.h:580
const char * management_addr
Definition options.h:444
const char * client_connect_script
Definition options.h:499
const char * verify_x509_name
Definition options.h:612
int ping_send_timeout
Definition options.h:348
bool route_gateway_via_dhcp
Definition options.h:436
bool remote_random
Definition options.h:318
bool push_ifconfig_ipv6_defined
Definition options.h:519
int tcp_queue_limit
Definition options.h:508
int route_delay
Definition options.h:429
const char * dev_node
Definition options.h:322
const char * override_username
Definition options.h:506
const char * client_crresponse_script
Definition options.h:502
struct route_ipv6_option_list * routes_ipv6
Definition options.h:433
bool machine_readable_output
Definition options.h:395
int key_direction
Definition options.h:572
bool server_ipv6_defined
Definition options.h:468
const char * priv_key_file
Definition options.h:600
bool persist_remote_ip
Definition options.h:359
bool up_restart
Definition options.h:388
int keepalive_ping
Definition options.h:340
bool tls_auth_file_inline
Definition options.h:659
bool tls_crypt_v2_file_inline
Definition options.h:668
const char * groupname
Definition options.h:376
in_addr_t server_bridge_pool_start
Definition options.h:482
const char * cd_dir
Definition options.h:378
struct client_nat_option_list * client_nat
Definition options.h:438
struct in6_addr push_ifconfig_ipv6_local
Definition options.h:520
int nice
Definition options.h:396
uint64_t push_update_options_found
Definition options.h:557
int transition_window
Definition options.h:655
const char * ifconfig_remote_netmask
Definition options.h:326
const char * lladdr
Definition options.h:323
int verbosity
Definition options.h:397
int session_timeout
Definition options.h:346
const char * cert_file
Definition options.h:596
bool enable_c2c
Definition options.h:524
in_addr_t server_bridge_pool_end
Definition options.h:483
int cf_per
Definition options.h:528
enum tun_driver_type windows_driver
Definition options.h:695
bool cert_file_inline
Definition options.h:597
int remap_sigusr1
Definition options.h:391
int64_t renegotiate_bytes
Definition options.h:642
const char * route_script
Definition options.h:422
in_addr_t ifconfig_pool_start
Definition options.h:487
const char * management_user_pass
Definition options.h:446
unsigned int server_netbits_ipv6
Definition options.h:470
in_addr_t push_ifconfig_remote_netmask
Definition options.h:513
bool occ
Definition options.h:441
in_addr_t server_bridge_ip
Definition options.h:480
const char * shared_secret_file
Definition options.h:569
bool ifconfig_noexec
Definition options.h:330
const char * dev
Definition options.h:320
const char * management_client_group
Definition options.h:452
struct in6_addr ifconfig_ipv6_pool_base
Definition options.h:494
const char * client_config_dir
Definition options.h:503
enum genkey_type genkey_type
Definition options.h:286
const char * ifconfig_pool_persist_filename
Definition options.h:490
int ifconfig_ipv6_netbits
Definition options.h:328
bool persist_local_ip
Definition options.h:358
const char * names[MAX_PARMS]
Definition options.h:217
struct pull_filter * tail
Definition options.h:807
struct pull_filter * head
Definition options.h:806
struct pull_filter * next
Definition options.h:801
Definition pushlist.h:29
struct push_entry * next
Definition pushlist.h:30
bool enable
Definition pushlist.h:31
const char * option
Definition pushlist.h:32
struct push_entry * head
Definition pushlist.h:37
Definition options.h:183
int proto
Definition options.h:186
const char * remote
Definition options.h:184
const char * remote_port
Definition options.h:185
sa_family_t af
Definition options.h:187
struct remote_entry ** array
Definition options.h:211
int capacity
Definition options.h:209
unsigned int flags
Definition route.h:113
unsigned int flags
Definition route.h:97
unsigned int flags
Definition misc.h:96
const char * challenge_text
Definition misc.h:98
struct in6_addr dns6[N_DHCP_ADDR]
Definition tun.h:140
in_addr_t nbdd[N_DHCP_ADDR]
Definition tun.h:123
unsigned int dns6_len
Definition tun.h:141
in_addr_t ntp[N_DHCP_ADDR]
Definition tun.h:119
unsigned int ntp_len
Definition tun.h:120
in_addr_t wins[N_DHCP_ADDR]
Definition tun.h:115
int tap_sleep
Definition tun.h:95
uint8_t netbios_node_type
Definition tun.h:105
unsigned int dns_len
Definition tun.h:112
int dhcp_lease_time
Definition tun.h:92
in_addr_t dns[N_DHCP_ADDR]
Definition tun.h:111
const char * netbios_scope
Definition tun.h:103
bool ip_win32_defined
Definition tun.h:75
unsigned int domain_search_list_len
Definition tun.h:130
bool dhcp_masq_custom_offset
Definition tun.h:90
const char * domain
Definition tun.h:101
bool dhcp_renew
Definition tun.h:135
const char * domain_search_list[N_SEARCH_LIST_LEN]
Definition tun.h:129
int dhcp_masq_offset
Definition tun.h:91
int ip_win32_type
Definition tun.h:83
unsigned int nbdd_len
Definition tun.h:124
bool dhcp_pre_release
Definition tun.h:136
bool register_dns
Definition tun.h:138
bool disable_nbt
Definition tun.h:133
unsigned int wins_len
Definition tun.h:116
int dhcp_options
Definition tun.h:99
Definition tun.h:181
struct verify_hash_list * next
Definition options.h:250
uint8_t hash[SHA256_DIGEST_LENGTH]
Definition options.h:249
#define SIGHUP
Definition syshead.h:55
unsigned short sa_family_t
Definition syshead.h:409
#define SIGTERM
Definition syshead.h:59
#define sleep(x)
Definition syshead.h:42
uint32_t in_addr_t
Definition syshead.h:52
struct env_set * es
static bool pkcs11_id_management
struct gc_arena gc
Definition test_ssl.c:133
void ipconfig_register_dns(const struct env_set *es)
Definition tun.c:4889
int dev_type_enum(const char *dev, const char *dev_type)
Definition tun.c:521
void show_tap_win_adapters(msglvl_t msglevel, msglvl_t warnlevel)
Definition tun.c:3815
bool dhcp_renew_by_adapter_index(const DWORD adapter_index)
Definition tun.c:4822
int ascii2ipset(const char *name)
Definition tun.c:6246
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
Definition tun.c:830
bool dhcp_release_by_adapter_index(const DWORD adapter_index)
Definition tun.c:4781
const char * dev_type_string(const char *dev, const char *dev_type)
Definition tun.c:540
void tap_allow_nonadmin_access(const char *dev_node)
Definition tun.c:4701
void show_adapters(msglvl_t msglevel)
Definition tun.c:4652
static bool dhcp_renew(const struct tuntap *tt)
Definition tun.c:4848
const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc)
Definition tun.c:694
const char * ipset2ascii_all(struct gc_arena *gc)
Definition tun.c:6275
void show_valid_win32_tun_subnets(void)
Definition tun.c:3782
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
Definition tun.c:59
#define IPW32_SET_NETSH
Definition tun.h:78
#define IPW32_SET_ADAPTIVE
Definition tun.h:81
#define DHCP_OPTIONS_DHCP_REQUIRED
Definition tun.h:70
#define N_SEARCH_LIST_LEN
Definition tun.h:126
#define IPW32_SET_DHCP_MASQ
Definition tun.h:80
#define IPW32_SET_MANUAL
Definition tun.h:77
@ WINDOWS_DRIVER_UNSPECIFIED
Definition tun.h:45
@ WINDOWS_DRIVER_TAP_WINDOWS6
Definition tun.h:46
@ DRIVER_DCO
Definition tun.h:53
#define IPW32_SET_ADAPTIVE_DELAY_WINDOW
Definition tun.h:65
#define N_DHCP_ADDR
Definition tun.h:108
#define DHCP_OPTIONS_DHCP_OPTIONAL
Definition tun.h:69
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
Definition tun_afunix.h:61
const char * win_get_tempdir(void)
Definition win32-util.c:150
void set_win_sys_path(const char *newpath, struct env_set *es)
Definition win32.c:1115
const char * win32_version_string(struct gc_arena *gc)
Get Windows version string with architecture info.
Definition win32.c:1380
void set_pause_exit_win32(void)
Definition win32.c:144