1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, write to the Free Software Foundation, Inc.,
22 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 */
24
25 /*
26 * 2004-01-28: Added Socks5 proxy support
27 * (Christof Meerwald, http://cmeerw.org)
28 */
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35 #ifdef HAVE_CONFIG_VERSION_H
36 #include "config-version.h"
37 #endif
38
39 #include "syshead.h"
40
41 #include "buffer.h"
42 #include "error.h"
43 #include "common.h"
44 #include "run_command.h"
45 #include "shaper.h"
46 #include "crypto.h"
47 #include "ssl.h"
48 #include "ssl_ncp.h"
49 #include "options.h"
50 #include "misc.h"
51 #include "socket.h"
52 #include "packet_id.h"
53 #include "pkcs11.h"
54 #include "win32.h"
55 #include "push.h"
56 #include "pool.h"
57 #include "proto.h"
58 #include "helper.h"
59 #include "manage.h"
60 #include "forward.h"
61 #include "ssl_verify.h"
62 #include "platform.h"
63 #include <ctype.h>
64
65 #include "memdbg.h"
66
67 const char title_string[] =
68 PACKAGE_STRING
69 #ifdef CONFIGURE_GIT_REVISION
70 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
71 #endif
72 " " TARGET_ALIAS
73 #if defined(ENABLE_CRYPTO_MBEDTLS)
74 " [SSL (mbed TLS)]"
75 #elif defined(ENABLE_CRYPTO_OPENSSL)
76 " [SSL (OpenSSL)]"
77 #else
78 " [SSL]"
79 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
80 #ifdef USE_COMP
81 #ifdef ENABLE_LZO
82 " [LZO]"
83 #endif
84 #ifdef ENABLE_LZ4
85 " [LZ4]"
86 #endif
87 #ifdef ENABLE_COMP_STUB
88 " [COMP_STUB]"
89 #endif
90 #endif /* USE_COMP */
91 #if EPOLL
92 " [EPOLL]"
93 #endif
94 #ifdef PRODUCT_TAP_DEBUG
95 " [TAPDBG]"
96 #endif
97 #ifdef ENABLE_PKCS11
98 " [PKCS11]"
99 #endif
100 #if ENABLE_IP_PKTINFO
101 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
102 " [MH/PKTINFO]"
103 #elif defined(IP_RECVDSTADDR)
104 " [MH/RECVDA]"
105 #endif
106 #endif
107 " [AEAD]"
108 " built on " __DATE__
109 ;
110
111 #ifndef ENABLE_SMALL
112
113 static const char usage_message[] =
114 "%s\n"
115 "\n"
116 "General Options:\n"
117 "--config file : Read configuration options from file.\n"
118 "--help : Show options.\n"
119 "--version : Show copyright and version information.\n"
120 "\n"
121 "Tunnel Options:\n"
122 "--local host : Local host name or ip address. Implies --bind.\n"
123 "--remote host [port] : Remote host name or ip address.\n"
124 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
125 "--remote-random-hostname : Add a random string to remote DNS name.\n"
126 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
127 "--proto p : Use protocol p for communicating with peer.\n"
128 " p = udp (default), tcp-server, or tcp-client\n"
129 "--proto-force p : only consider protocol p in list of connection profiles.\n"
130 " p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
131 "--connect-retry n [m] : For client, number of seconds to wait between\n"
132 " connection retries (default=%d). On repeated retries\n"
133 " the wait time is exponentially increased to a maximum of m\n"
134 " (default=%d).\n"
135 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
136 "--http-proxy s p [up] [auth] : Connect to remote host\n"
137 " through an HTTP proxy at address s and port p.\n"
138 " If proxy authentication is required,\n"
139 " up is a file containing username/password on 2 lines, or\n"
140 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
141 " the proxy requires NTLM authentication.\n"
142 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
143 " determine auth method and query for username/password\n"
144 " if needed. auto-nct disables weak proxy auth methods.\n"
145 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
146 " Repeat to set multiple options.\n"
147 " VERSION version (default=1.0)\n"
148 " AGENT user-agent\n"
149 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
150 " address s and port p (default port = 1080).\n"
151 " If proxy authentication is required,\n"
152 " up is a file containing username/password on 2 lines, or\n"
153 " 'stdin' to prompt for console.\n"
154 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
155 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
156 " resolve for n seconds before failing (disabled by default).\n"
157 " Set n=\"infinite\" to retry indefinitely.\n"
158 "--float : Allow remote to change its IP address/port, such as through\n"
159 " DHCP (this is the default if --remote is not used).\n"
160 "--ipchange cmd : Run command cmd on remote ip address initial\n"
161 " setting or change -- execute as: cmd ip-address port#\n"
162 "--port port : TCP/UDP port # for both local and remote.\n"
163 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
164 "--rport port : TCP/UDP port # for remote (default=%s).\n"
165 "--bind : Bind to local address and port. (This is the default unless\n"
166 " --proto tcp-client"
167 " or --http-proxy"
168 " or --socks-proxy"
169 " is used).\n"
170 "--nobind : Do not bind to local address and port.\n"
171 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
172 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
173 " this option only if the tun/tap device used with --dev\n"
174 " does not begin with \"tun\" or \"tap\".\n"
175 "--dev-node node : Explicitly set the device node rather than using\n"
176 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
177 "--lladdr hw : Set the link layer address of the tap device.\n"
178 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
179 #ifdef ENABLE_IPROUTE
180 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
181 #endif
182 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
183 " endpoint and rn as a remote endpoint. l & rn should be\n"
184 " swapped on the other peer. l & rn must be private\n"
185 " addresses outside of the subnets used by either peer.\n"
186 " TAP: configure device to use IP address l as a local\n"
187 " endpoint and rn as a subnet mask.\n"
188 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
189 " endpoint (as a /64) and r as remote endpoint\n"
190 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
191 " pass --ifconfig parms by environment to scripts.\n"
192 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
193 " connection doesn't match the remote side.\n"
194 "--route network [netmask] [gateway] [metric] :\n"
195 " Add route to routing table after connection\n"
196 " is established. Multiple routes can be specified.\n"
197 " netmask default: 255.255.255.255\n"
198 " gateway default: taken from --route-gateway or --ifconfig\n"
199 " Specify default by leaving blank or setting to \"nil\".\n"
200 "--route-ipv6 network/bits [gateway] [metric] :\n"
201 " Add IPv6 route to routing table after connection\n"
202 " is established. Multiple routes can be specified.\n"
203 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
204 " in --ifconfig-ipv6\n"
205 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
206 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
207 "--route-metric m : Specify a default metric for use with --route.\n"
208 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
209 " adding routes (may be 0). If not specified, routes will\n"
210 " be added immediately after tun/tap open. On Windows, wait\n"
211 " up to w seconds for TUN/TAP adapter to come up.\n"
212 "--route-up cmd : Run command cmd after routes are added.\n"
213 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
214 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
215 " --route-up script using environmental variables.\n"
216 "--route-nopull : When used with --client or --pull, accept options pushed\n"
217 " by server EXCEPT for routes and dhcp options.\n"
218 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
219 " --ifconfig, --route, and --route-gateway.\n"
220 "--redirect-gateway [flags]: Automatically execute routing\n"
221 " commands to redirect all outgoing IP traffic through the\n"
222 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
223 " connected via a common subnet, such as with WiFi.\n"
224 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
225 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
226 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
227 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
228 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
229 " the default gateway. Useful when pushing private subnets.\n"
230 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
231 " ICMPv6 host unreachable messages on the client.\n"
232 " (Server) Instead of forwarding IPv6 packets send\n"
233 " ICMPv6 host unreachable packets to the client.\n"
234 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
235 "--push-peer-info : (client only) push client info to server.\n"
236 "--setenv name value : Set a custom environmental variable to pass to script.\n"
237 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
238 " directives for future OpenVPN versions to be ignored.\n"
239 "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
240 " these options to be ignored when unknown\n"
241 "--script-security level: Where level can be:\n"
242 " 0 -- strictly no calling of external programs\n"
243 " 1 -- (default) only call built-ins such as ifconfig\n"
244 " 2 -- allow calling of built-ins and scripts\n"
245 " 3 -- allow password to be passed to scripts via env\n"
246 "--shaper n : Restrict output to peer to n bytes per second.\n"
247 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
248 " ping once every n seconds, restart if ping not received\n"
249 " for m seconds.\n"
250 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
251 " produces a combined in/out byte count < bytes.\n"
252 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
253 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
254 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
255 " remote address.\n"
256 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
257 #if ENABLE_IP_PKTINFO
258 "--multihome : Configure a multi-homed UDP server.\n"
259 #endif
260 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
261 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
262 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
263 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
264 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
265 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
266 #if PASSTOS_CAPABILITY
267 "--passtos : TOS passthrough (applies to IPv4 only).\n"
268 #endif
269 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
270 " TCP/UDP MTU from it (default=%d).\n"
271 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
272 " as n bytes more than the tun-mtu size on read\n"
273 " (default TUN=0 TAP=%d).\n"
274 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
275 " from it.\n"
276 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
277 " 'no' -- Never send DF (Don't Fragment) frames\n"
278 " 'maybe' -- Use per-route hints\n"
279 " 'yes' -- Always DF (Don't Fragment)\n"
280 "--mtu-test : Empirically measure and report MTU.\n"
281 #ifdef ENABLE_FRAGMENT
282 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
283 " datagrams are sent which are larger than max bytes.\n"
284 " Adds 4 bytes of overhead per datagram.\n"
285 #endif
286 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
287 " or --fragment max value, whichever is lower.\n"
288 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
289 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
290 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
291 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
292 " can be matched in policy routing and packetfilter rules.\n"
293 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
294 " listening for connections. This allows sending encrypted packets\n"
295 " via a VRF present on the system.\n"
296 #endif
297 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
298 #ifdef ENABLE_MEMSTATS
299 "--memstats file : Write live usage stats to memory mapped binary file.\n"
300 #endif
301 "--mlock : Disable Paging -- ensures key material and tunnel\n"
302 " data will never be written to disk.\n"
303 "--up cmd : Run command cmd after successful tun device open.\n"
304 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
305 " ifconfig-local-ip ifconfig-remote-ip\n"
306 " (pre --user or --group UID/GID change)\n"
307 "--up-delay : Delay tun/tap open and possible --up script execution\n"
308 " until after TCP/UDP connection establishment with peer.\n"
309 "--down cmd : Run command cmd after tun device close.\n"
310 " (post --user/--group UID/GID change and/or --chroot)\n"
311 " (command parameters are same as --up option)\n"
312 "--down-pre : Run --down command before TUN/TAP close.\n"
313 "--up-restart : Run up/down commands for all restarts including those\n"
314 " caused by --ping-restart or SIGUSR1\n"
315 "--user user : Set UID to user after initialization.\n"
316 "--group group : Set GID to group after initialization.\n"
317 "--chroot dir : Chroot to this directory after initialization.\n"
318 #ifdef ENABLE_SELINUX
319 "--setcon context: Apply this SELinux context after initialization.\n"
320 #endif
321 "--cd dir : Change to this directory before initialization.\n"
322 "--daemon [name] : Become a daemon after initialization.\n"
323 " The optional 'name' parameter will be passed\n"
324 " as the program name to the system logger.\n"
325 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
326 " See --daemon above for a description of the 'name' parm.\n"
327 "--log file : Output log to file which is created/truncated on open.\n"
328 "--log-append file : Append log to file, or create file if nonexistent.\n"
329 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
330 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
331 "--writepid file : Write main process ID to file.\n"
332 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
333 "--echo [parms ...] : Echo parameters to log output.\n"
334 "--verb n : Set output verbosity to n (default=%d):\n"
335 " (Level 3 is recommended if you want a good summary\n"
336 " of what's happening without being swamped by output).\n"
337 " : 0 -- no output except fatal errors\n"
338 " : 1 -- startup info + connection initiated messages +\n"
339 " non-fatal encryption & net errors\n"
340 " : 2,3 -- show TLS negotiations & route info\n"
341 " : 4 -- show parameters\n"
342 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
343 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
344 " : 6 to 11 -- debug messages of increasing verbosity\n"
345 "--mute n : Log at most n consecutive messages in the same category.\n"
346 "--status file n : Write operational status to file every n seconds.\n"
347 "--status-version [n] : Choose the status file format version number.\n"
348 " Currently, n can be 1, 2, or 3 (default=1).\n"
349 "--disable-occ : Disable options consistency check between peers.\n"
350 #ifdef ENABLE_DEBUG
351 "--gremlin mask : Special stress testing mode (for debugging only).\n"
352 #endif
353 #if defined(USE_COMP)
354 "--compress alg : Use compression algorithm alg\n"
355 "--allow-compression: Specify whether compression should be allowed\n"
356 #if defined(ENABLE_LZO)
357 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
358 " packet for incompressible data.\n"
359 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
360 " is specified.\n"
361 #endif
362 #endif
363 #ifdef ENABLE_MANAGEMENT
364 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
365 " management functions. pass is a password file\n"
366 " or 'stdin' to prompt from console.\n"
367 #if UNIX_SOCK_SUPPORT
368 " To listen on a unix domain socket, specific the pathname\n"
369 " in place of ip and use 'unix' as the port number.\n"
370 #endif
371 "--management-client : Management interface will connect as a TCP client to\n"
372 " ip/port rather than listen as a TCP server.\n"
373 "--management-query-passwords : Query management channel for private key\n"
374 " and auth-user-pass passwords.\n"
375 "--management-query-proxy : Query management channel for proxy information.\n"
376 "--management-query-remote : Query management channel for --remote directive.\n"
377 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
378 " of the management interface explicitly starts it.\n"
379 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
380 "--management-forget-disconnect : Forget passwords when management disconnect\n"
381 " event occurs.\n"
382 "--management-up-down : Report tunnel up/down events to management interface.\n"
383 "--management-log-cache n : Cache n lines of log file history for usage\n"
384 " by the management channel.\n"
385 #if UNIX_SOCK_SUPPORT
386 "--management-client-user u : When management interface is a unix socket, only\n"
387 " allow connections from user u.\n"
388 "--management-client-group g : When management interface is a unix socket, only\n"
389 " allow connections from group g.\n"
390 #endif
391 "--management-client-auth : gives management interface client the responsibility\n"
392 " to authenticate clients after their client certificate\n"
393 " has been verified.\n"
394 #ifdef MANAGEMENT_PF
395 "--management-client-pf : management interface clients must specify a packet\n"
396 " filter file for each connecting client.\n"
397 #endif
398 #endif /* ifdef ENABLE_MANAGEMENT */
399 #ifdef ENABLE_PLUGIN
400 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
401 " to its initialization function.\n"
402 #endif
403 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
404 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
405 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
406 "\n"
407 "Multi-Client Server options (when --mode server is used):\n"
408 "--server network netmask : Helper option to easily configure server mode.\n"
409 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
410 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
411 " easily configure ethernet bridging server mode.\n"
412 "--push \"option\" : Push a config file option back to the peer for remote\n"
413 " execution. Peer must specify --pull in its config file.\n"
414 "--push-reset : Don't inherit global push list for specific\n"
415 " client instance.\n"
416 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
417 " to be dynamically allocated to connecting clients.\n"
418 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
419 " data to file, at seconds intervals (default=600).\n"
420 " If seconds=0, file will be treated as read-only.\n"
421 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
422 " to be dynamically allocated to connecting clients.\n"
423 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
424 " overrides --ifconfig-pool dynamic allocation.\n"
425 " Only valid in a client-specific config file.\n"
426 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
427 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
428 " Only valid in a client-specific config file.\n"
429 "--iroute network [netmask] : Route subnet to client.\n"
430 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
431 " Sets up internal routes only.\n"
432 " Only valid in a client-specific config file.\n"
433 "--disable : Client is disabled.\n"
434 " Only valid in a client-specific config file.\n"
435 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
436 " mandatory client certificate verification.\n"
437 " Default is to require the client to supply a certificate.\n"
438 "--username-as-common-name : For auth-user-pass authentication, use\n"
439 " the authenticated username as the common name,\n"
440 " rather than the common name from the client cert.\n"
441 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
442 " run command cmd to verify. If method='via-env', pass\n"
443 " user/pass via environment, if method='via-file', pass\n"
444 " user/pass via temporary file.\n"
445 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
446 " to each client, replacing the password. Useful when\n"
447 " OTP based two-factor auth mechanisms are in use and\n"
448 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
449 " for generated tokens can be set.\n"
450 "--opt-verify : Clients that connect with options that are incompatible\n"
451 " with those of the server will be disconnected.\n"
452 "--auth-user-pass-optional : Allow connections by clients that don't\n"
453 " specify a username/password.\n"
454 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
455 " any printable character.\n"
456 "--client-to-client : Internally route client-to-client traffic.\n"
457 "--duplicate-cn : Allow multiple clients with the same common name to\n"
458 " concurrently connect.\n"
459 "--client-connect cmd : Run command cmd on client connection.\n"
460 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
461 "--client-config-dir dir : Directory for custom client config files.\n"
462 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
463 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
464 "--hash-size r v : Set the size of the real address hash table to r and the\n"
465 " virtual address table to v.\n"
466 "--bcast-buffers n : Allocate n broadcast buffers.\n"
467 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
468 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
469 " as well as pushes it to connecting clients.\n"
470 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
471 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
472 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
473 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
474 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
475 " older than n seconds. Run this check every t\n"
476 " seconds (defaults to n).\n"
477 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
478 " clients. n = 1 - reconnect to same server,\n"
479 " 2 - advance to next server, default=1.\n"
480 #if PORT_SHARE
481 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
482 " sessions to a web server at host:port. dir specifies an\n"
483 " optional directory to write origin IP:port data.\n"
484 #endif
485 "\n"
486 "Client options (when connecting to a multi-client server):\n"
487 "--client : Helper option to easily configure client mode.\n"
488 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
489 " up is a file containing the username on the first line,\n"
490 " and a password on the second. If either the password or both\n"
491 " the username and the password are omitted OpenVPN will prompt\n"
492 " for them from console.\n"
493 "--pull : Accept certain config file options from the peer as if they\n"
494 " were part of the local config file. Must be specified\n"
495 " when connecting to a '--mode server' remote host.\n"
496 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
497 " server if it starts with the text t. The action flag accept,\n"
498 " ignore or reject causes the option to be allowed, removed or\n"
499 " rejected with error. May be specified multiple times, and\n"
500 " each filter is applied in the order of appearance.\n"
501 "--auth-retry t : How to handle auth failures. Set t to\n"
502 " none (default), interact, or nointeract.\n"
503 "--static-challenge t e : Enable static challenge/response protocol using\n"
504 " challenge text t, with e indicating echo flag (0|1)\n"
505 "--connect-timeout n : when polling possible remote servers to connect to\n"
506 " in a round-robin fashion, spend no more than n seconds\n"
507 " waiting for a response before trying the next server.\n"
508 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
509 " incoming tun packets with same destination as host.\n"
510 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
511 " server/remote. n = # of retries, default=1.\n"
512 "\n"
513 "Data Channel Encryption Options (must be compatible between peers):\n"
514 "(These options are meaningful for both Static Key & TLS-mode)\n"
515 "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
516 " Use shared secret file f, generate with --genkey.\n"
517 " The optional d parameter controls key directionality.\n"
518 " If d is specified, use separate keys for each\n"
519 " direction, set d=0 on one side of the connection,\n"
520 " and d=1 on the other side.\n"
521 "--auth alg : Authenticate packets with HMAC using message\n"
522 " digest algorithm alg (default=%s).\n"
523 " (usually adds 16 or 20 bytes per packet)\n"
524 " Set alg=none to disable authentication.\n"
525 "--cipher alg : Encrypt packets with cipher algorithm alg\n"
526 " (default=%s).\n"
527 " Set alg=none to disable encryption.\n"
528 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
529 "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n"
530 "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
531 " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
532 #ifndef ENABLE_CRYPTO_MBEDTLS
533 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
534 #endif
535 "--no-replay : (DEPRECATED) Disable replay protection.\n"
536 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
537 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
538 " and a time window of t seconds.\n"
539 " Default n=%d t=%d\n"
540 "--replay-persist file : Persist replay-protection state across sessions\n"
541 " using file.\n"
542 "--test-crypto : Run a self-test of crypto features enabled.\n"
543 " For debugging only.\n"
544 #ifdef ENABLE_PREDICTION_RESISTANCE
545 "--use-prediction-resistance: Enable prediction resistance on the random\n"
546 " number generator.\n"
547 #endif
548 "\n"
549 "TLS Key Negotiation Options:\n"
550 "(These options are meaningful only for TLS-mode)\n"
551 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
552 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
553 "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
554 " number, such as 1 (default), 2, etc.\n"
555 "--ca file : Certificate authority file in .pem format containing\n"
556 " root certificate.\n"
557 #ifndef ENABLE_CRYPTO_MBEDTLS
558 "--capath dir : A directory of trusted certificates (CAs"
559 " and CRLs).\n"
560 #endif /* ENABLE_CRYPTO_MBEDTLS */
561 "--dh file : File containing Diffie Hellman parameters\n"
562 " in .pem format (for --tls-server only).\n"
563 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
564 "--cert file : Local certificate in .pem format -- must be signed\n"
565 " by a Certificate Authority in --ca file.\n"
566 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
567 "--key file : Local private key in .pem format.\n"
568 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
569 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
570 " is specified, require max TLS version supported by SSL implementation.\n"
571 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
572 #ifndef ENABLE_CRYPTO_MBEDTLS
573 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
574 " and optionally the root CA certificate.\n"
575 #endif
576 #ifdef ENABLE_X509ALTUSERNAME
577 "--x509-username-field : Field in x509 certificate containing the username.\n"
578 " Default is CN in the Subject field.\n"
579 #endif
580 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
581 " Valid algo flags are SHA1 and SHA256. \n"
582 #ifdef _WIN32
583 "--cryptoapicert select-string : Load the certificate and private key from the\n"
584 " Windows Certificate System Store.\n"
585 #endif
586 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
587 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
588 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
589 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
590 " (default=legacy).\n"
591 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
592 " if no ACK from remote within n seconds (default=%d).\n"
593 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
594 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
595 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
596 " and at least min (defaults to 90%% of max on servers and equal\n"
597 " to max on clients).\n"
598 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
599 " of handshake initiation by any peer (default=%d).\n"
600 "--tran-window n : Transition window -- old key can live this many seconds\n"
601 " after new key renegotiation begins (default=%d).\n"
602 "--single-session: Allow only one session (reset state on restart).\n"
603 "--tls-exit : Exit on TLS negotiation failure.\n"
604 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
605 " control channel to protect against attacks on the TLS stack\n"
606 " and DoS attacks.\n"
607 " f (required) is a shared-secret key file.\n"
608 " The optional d parameter controls key directionality,\n"
609 " see --secret option for more info.\n"
610 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
611 " of the TLS control channel to hide the TLS certificate,\n"
612 " provide basic post-quantum security and protect against\n"
613 " attacks on the TLS stack and DoS attacks.\n"
614 " key (required) provides the pre-shared key file.\n"
615 " see --secret option for more info.\n"
616 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
617 " For servers: use key to decrypt client-specific keys. For\n"
618 " key generation (--tls-crypt-v2-genkey): use key to\n"
619 " encrypt generated client-specific key. (See --tls-crypt.)\n"
620 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
621 " fresh tls-crypt-v2 client key, and store to\n"
622 " keyfile. If supplied, include metadata in wrapped key.\n"
623 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
624 " fresh tls-crypt-v2 server key, and store to keyfile\n"
625 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
626 " client-supplied tls-crypt-v2 client key\n"
627 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
628 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
629 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
630 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
631 " pending TLS connection that has otherwise passed all other\n"
632 " tests of certification. cmd should return 0 to allow\n"
633 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
634 " executed as 'cmd certificate_depth subject')\n"
635 "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
636 " in an openvpn temporary file in [directory]. Peer cert is \n"
637 " stored before tls-verify script execution and deleted after.\n"
638 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
639 " DN name. The remote host must also pass all other tests\n"
640 " of verification.\n"
641 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
642 " an explicit nsCertType designation t = 'client' | 'server'.\n"
643 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
644 " plugins and management interface.\n"
645 #ifdef HAVE_EXPORT_KEYING_MATERIAL
646 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
647 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
648 #endif
649 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
650 " explicit key usage, you can specify more than one value.\n"
651 " value should be given in hex format.\n"
652 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
653 " explicit extended key usage. Extended key usage can be encoded\n"
654 " as an object identifier or OpenSSL string representation.\n"
655 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
656 " key usage and extended key usage based on RFC3280 TLS rules.\n"
657 " t = 'client' | 'server'.\n"
658 #ifdef ENABLE_PKCS11
659 "\n"
660 "PKCS#11 Options:\n"
661 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
662 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
663 " path. Set for each provider.\n"
664 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
665 " 0 : Try to determine automatically (default).\n"
666 " 1 : Use Sign.\n"
667 " 2 : Use SignRecover.\n"
668 " 4 : Use Decrypt.\n"
669 " 8 : Use Unwrap.\n"
670 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
671 " certificate can be accessed. Set for each provider.\n"
672 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
673 " cache until token is removed.\n"
674 "--pkcs11-id-management : Acquire identity from management interface.\n"
675 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
676 #endif /* ENABLE_PKCS11 */
677 "\n"
678 "SSL Library information:\n"
679 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
680 "--show-digests : Show message digest algorithms to use with --auth option.\n"
681 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
682 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
683 #ifdef _WIN32
684 "\n"
685 "Windows Specific:\n"
686 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
687 " from SystemRoot environment variable.\n"
688 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
689 " IP address using method = manual, netsh, ipapi,\n"
690 " dynamic, or adaptive (default = adaptive).\n"
691 " Dynamic method allows two optional parameters:\n"
692 " offset: DHCP server address offset (> -256 and < 256).\n"
693 " If 0, use network address, if >0, take nth\n"
694 " address forward from network address, if <0,\n"
695 " take nth address backward from broadcast\n"
696 " address.\n"
697 " Default is 0.\n"
698 " lease-time: Lease time in seconds.\n"
699 " Default is one year.\n"
700 "--route-method : Which method to use for adding routes on Windows?\n"
701 " adaptive (default) -- Try ipapi then fall back to exe.\n"
702 " ipapi -- Use IP helper API.\n"
703 " exe -- Call the route.exe shell command.\n"
704 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
705 " be used with --ip-win32 dynamic. For options\n"
706 " which allow multiple addresses,\n"
707 " --dhcp-option must be repeated.\n"
708 " DOMAIN name : Set DNS suffix\n"
709 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
710 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
711 " NTP : Set NTP server address(es)\n"
712 " NBDD : Set NBDD server address(es)\n"
713 " WINS addr : Set WINS server address(es)\n"
714 " NBT type : Set NetBIOS over TCP/IP Node type\n"
715 " 1: B, 2: P, 4: M, 8: H\n"
716 " NBS id : Set NetBIOS scope ID\n"
717 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
718 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
719 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
720 " startup.\n"
721 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
722 " on connection initiation.\n"
723 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
724 " attempting to set adapter properties.\n"
725 "--pause-exit : When run from a console window, pause before exiting.\n"
726 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
727 " service, and should not be used directly by end-users.\n"
728 " ex is the name of an event object which, when\n"
729 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
730 " optional parameter controls the initial state of ex.\n"
731 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
732 " after TAP adapter is up and routes have been added.\n"
733 "--windows-driver : Which tun driver to use?\n"
734 " tap-windows6 (default)\n"
735 " wintun\n"
736 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
737 "Windows Standalone Options:\n"
738 "\n"
739 "--show-adapters : Show all TAP-Windows adapters.\n"
740 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
741 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
742 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
743 " to access TAP adapter.\n"
744 #endif /* ifdef _WIN32 */
745 "\n"
746 "Generate a new key :\n"
747 "--genkey secret file : Generate a new random key of type and write to file\n"
748 " (for use with --secret, --tls-auth or --tls-crypt)."
749 #ifdef ENABLE_FEATURE_TUN_PERSIST
750 "\n"
751 "Tun/tap config mode (available with linux 2.4+):\n"
752 "--mktun : Create a persistent tunnel.\n"
753 "--rmtun : Remove a persistent tunnel.\n"
754 "--dev tunX|tapX : tun/tap device\n"
755 "--dev-type dt : Device type. See tunnel options above for details.\n"
756 "--user user : User to set privilege to.\n"
757 "--group group : Group to set privilege to.\n"
758 #endif
759 #ifdef ENABLE_PKCS11
760 "\n"
761 "PKCS#11 standalone options:\n"
762 #ifdef DEFAULT_PKCS11_MODULE
763 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
764 #else
765 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
766 #endif
767 " --verb option can be added *BEFORE* this.\n"
768 #endif /* ENABLE_PKCS11 */
769 "\n"
770 "General Standalone Options:\n"
771 #ifdef ENABLE_DEBUG
772 "--show-gateway : Show info about default gateway.\n"
773 #endif
774 ;
775
776 #endif /* !ENABLE_SMALL */
777
778 /*
779 * This is where the options defaults go.
780 * Any option not explicitly set here
781 * will be set to 0.
782 */
783 void
init_options(struct options * o,const bool init_gc)784 init_options(struct options *o, const bool init_gc)
785 {
786 CLEAR(*o);
787 if (init_gc)
788 {
789 gc_init(&o->gc);
790 o->gc_owned = true;
791 }
792 o->mode = MODE_POINT_TO_POINT;
793 o->topology = TOP_NET30;
794 o->ce.proto = PROTO_UDP;
795 o->ce.af = AF_UNSPEC;
796 o->ce.bind_ipv6_only = false;
797 o->ce.connect_retry_seconds = 5;
798 o->ce.connect_retry_seconds_max = 300;
799 o->ce.connect_timeout = 120;
800 o->connect_retry_max = 0;
801 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
802 o->verbosity = 1;
803 o->status_file_update_freq = 60;
804 o->status_file_version = 1;
805 o->ce.bind_local = true;
806 o->ce.tun_mtu = TUN_MTU_DEFAULT;
807 o->ce.link_mtu = LINK_MTU_DEFAULT;
808 o->ce.mtu_discover_type = -1;
809 o->ce.mssfix = MSSFIX_DEFAULT;
810 o->route_delay_window = 30;
811 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
812 o->resolve_in_advance = false;
813 o->proto_force = -1;
814 o->occ = true;
815 #ifdef ENABLE_MANAGEMENT
816 o->management_log_history_cache = 250;
817 o->management_echo_buffer_size = 100;
818 o->management_state_buffer_size = 100;
819 #endif
820 #ifdef ENABLE_FEATURE_TUN_PERSIST
821 o->persist_mode = 1;
822 #endif
823 #ifdef _WIN32
824 #if 0
825 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
826 #else
827 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
828 #endif
829 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
830 o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
831 o->route_method = ROUTE_METHOD_ADAPTIVE;
832 o->block_outside_dns = false;
833 o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6;
834 #endif
835 o->vlan_accept = VLAN_ALL;
836 o->vlan_pvid = 1;
837 o->real_hash_size = 256;
838 o->virtual_hash_size = 256;
839 o->n_bcast_buf = 256;
840 o->tcp_queue_limit = 64;
841 o->max_clients = 1024;
842 o->max_routes_per_client = 256;
843 o->stale_routes_check_interval = 0;
844 o->ifconfig_pool_persist_refresh_freq = 600;
845 o->scheduled_exit_interval = 5;
846 o->ncp_enabled = true;
847 o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
848 o->authname = "SHA1";
849 o->prng_hash = "SHA1";
850 o->prng_nonce_secret_len = 16;
851 o->replay = true;
852 o->replay_window = DEFAULT_SEQ_BACKTRACK;
853 o->replay_time = DEFAULT_TIME_BACKTRACK;
854 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
855 #ifdef ENABLE_PREDICTION_RESISTANCE
856 o->use_prediction_resistance = false;
857 #endif
858 o->tls_timeout = 2;
859 o->renegotiate_bytes = -1;
860 o->renegotiate_seconds = 3600;
861 o->renegotiate_seconds_min = -1;
862 o->handshake_window = 60;
863 o->transition_window = 3600;
864 o->tls_cert_profile = NULL;
865 o->ecdh_curve = NULL;
866 #ifdef ENABLE_X509ALTUSERNAME
867 o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
868 #endif
869 #ifdef ENABLE_PKCS11
870 o->pkcs11_pin_cache_period = -1;
871 #endif /* ENABLE_PKCS11 */
872
873 /* P2MP server context features */
874 o->auth_token_generate = false;
875
876 /* Set default --tmp-dir */
877 #ifdef _WIN32
878 /* On Windows, find temp dir via environment variables */
879 o->tmp_dir = win_get_tempdir();
880 #else
881 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
882 o->tmp_dir = getenv("TMPDIR");
883 if (!o->tmp_dir)
884 {
885 o->tmp_dir = "/tmp";
886 }
887 #endif /* _WIN32 */
888 o->allow_recursive_routing = false;
889 }
890
891 void
uninit_options(struct options * o)892 uninit_options(struct options *o)
893 {
894 if (o->gc_owned)
895 {
896 gc_free(&o->gc);
897 }
898 }
899
900 struct pull_filter
901 {
902 #define PUF_TYPE_UNDEF 0 /** undefined filter type */
903 #define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */
904 #define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */
905 #define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */
906 int type;
907 int size;
908 char *pattern;
909 struct pull_filter *next;
910 };
911
912 struct pull_filter_list
913 {
914 struct pull_filter *head;
915 struct pull_filter *tail;
916 };
917
918 static const char *
pull_filter_type_name(int type)919 pull_filter_type_name(int type)
920 {
921 if (type == PUF_TYPE_ACCEPT)
922 {
923 return "accept";
924 }
925 if (type == PUF_TYPE_IGNORE)
926 {
927 return "ignore";
928 }
929 if (type == PUF_TYPE_REJECT)
930 {
931 return "reject";
932 }
933 else
934 {
935 return "???";
936 }
937 }
938
939 #ifndef ENABLE_SMALL
940
941 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
942 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
943 #define SHOW_STR_INLINE(var) SHOW_PARM(var, \
944 o->var ## _inline ? "[INLINE]" : \
945 (o->var ? o->var : "[UNDEF]"), \
946 "'%s'")
947 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
948 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
949 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
950 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
951
952 #endif
953
954 static void
setenv_connection_entry(struct env_set * es,const struct connection_entry * e,const int i)955 setenv_connection_entry(struct env_set *es,
956 const struct connection_entry *e,
957 const int i)
958 {
959 setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
960 setenv_str_i(es, "local", e->local, i);
961 setenv_str_i(es, "local_port", e->local_port, i);
962 setenv_str_i(es, "remote", e->remote, i);
963 setenv_str_i(es, "remote_port", e->remote_port, i);
964
965 if (e->http_proxy_options)
966 {
967 setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
968 setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
969 }
970 if (e->socks_proxy_server)
971 {
972 setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
973 setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
974 }
975 }
976
977 void
setenv_settings(struct env_set * es,const struct options * o)978 setenv_settings(struct env_set *es, const struct options *o)
979 {
980 setenv_str(es, "config", o->config);
981 setenv_int(es, "verb", o->verbosity);
982 setenv_int(es, "daemon", o->daemon);
983 setenv_int(es, "daemon_log_redirect", o->log);
984 setenv_long_long(es, "daemon_start_time", time(NULL));
985 setenv_int(es, "daemon_pid", platform_getpid());
986
987 if (o->connection_list)
988 {
989 int i;
990 for (i = 0; i < o->connection_list->len; ++i)
991 {
992 setenv_connection_entry(es, o->connection_list->array[i], i+1);
993 }
994 }
995 else
996 {
997 setenv_connection_entry(es, &o->ce, 1);
998 }
999 }
1000
1001 static in_addr_t
get_ip_addr(const char * ip_string,int msglevel,bool * error)1002 get_ip_addr(const char *ip_string, int msglevel, bool *error)
1003 {
1004 unsigned int flags = GETADDR_HOST_ORDER;
1005 bool succeeded = false;
1006 in_addr_t ret;
1007
1008 if (msglevel & M_FATAL)
1009 {
1010 flags |= GETADDR_FATAL;
1011 }
1012
1013 ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
1014 if (!succeeded && error)
1015 {
1016 *error = true;
1017 }
1018 return ret;
1019 }
1020
1021 /**
1022 * Returns newly allocated string containing address part without "/nn".
1023 *
1024 * If gc != NULL, the allocated memory is registered in the supplied gc.
1025 */
1026 static char *
get_ipv6_addr_no_netbits(const char * addr,struct gc_arena * gc)1027 get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
1028 {
1029 const char *end = strchr(addr, '/');
1030 char *ret = NULL;
1031 if (NULL == end)
1032 {
1033 ret = string_alloc(addr, gc);
1034 }
1035 else
1036 {
1037 size_t len = end - addr;
1038 ret = gc_malloc(len + 1, true, gc);
1039 memcpy(ret, addr, len);
1040 }
1041 return ret;
1042 }
1043
1044 static bool
ipv6_addr_safe_hexplusbits(const char * ipv6_prefix_spec)1045 ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
1046 {
1047 struct in6_addr t_addr;
1048 unsigned int t_bits;
1049
1050 return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN );
1051 }
1052
1053 static char *
string_substitute(const char * src,int from,int to,struct gc_arena * gc)1054 string_substitute(const char *src, int from, int to, struct gc_arena *gc)
1055 {
1056 char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
1057 char *dest = ret;
1058 char c;
1059
1060 do
1061 {
1062 c = *src++;
1063 if (c == from)
1064 {
1065 c = to;
1066 }
1067 *dest++ = c;
1068 }
1069 while (c);
1070 return ret;
1071 }
1072
1073 /**
1074 * Parses a hexstring and checks if the string has the correct length. Return
1075 * a verify_hash_list containing the parsed hash string.
1076 *
1077 * @param str String to check/parse
1078 * @param nbytes Number of bytes expected in the hexstr (e.g. 20 for SHA1)
1079 * @param msglevel message level to use when printing warnings/errors
1080 * @param gc The returned object will be allocated in this gc
1081 */
1082 static struct verify_hash_list *
parse_hash_fingerprint(const char * str,int nbytes,int msglevel,struct gc_arena * gc)1083 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1084 {
1085 int i = 0;
1086 const char *cp = str;
1087
1088 struct verify_hash_list *ret;
1089 ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
1090
1091 char term = 0;
1092 int byte;
1093
1094 while (*cp && i < nbytes)
1095 {
1096 /* valid segments consist of exactly two hex digits, then ':' or EOS */
1097 if (!isxdigit(cp[0])
1098 || !isxdigit(cp[1])
1099 || (cp[2] != ':' && cp[2] != '\0')
1100 || sscanf(cp, "%x", &byte) != 1)
1101 {
1102 msg(msglevel, "format error in hash fingerprint: %s", str);
1103 break;
1104 }
1105
1106 ret->hash[i++] = (uint8_t)byte;
1107
1108 term = cp[2];
1109 if (term == '\0')
1110 {
1111 break;
1112 }
1113 cp += 3;
1114 }
1115 if (i < nbytes)
1116 {
1117 msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
1118 }
1119 else if (term != '\0')
1120 {
1121 msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1122 }
1123 return ret;
1124 }
1125
1126 /**
1127 * Parses a string consisting of multiple lines of hexstrings and checks if each
1128 * string has the correct length. Empty lines are ignored. Returns
1129 * a linked list of (possibly) multiple verify_hash_list objects.
1130 *
1131 * @param str String to check/parse
1132 * @param nbytes Number of bytes expected in the hexstring (e.g. 20 for SHA1)
1133 * @param msglevel message level to use when printing warnings/errors
1134 * @param gc The returned list items will be allocated in this gc
1135 */
1136 static struct verify_hash_list *
parse_hash_fingerprint_multiline(const char * str,int nbytes,int msglevel,struct gc_arena * gc)1137 parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
1138 struct gc_arena *gc)
1139 {
1140 struct gc_arena gc_temp = gc_new();
1141 char *lines = string_alloc(str, &gc_temp);
1142
1143 struct verify_hash_list *ret = NULL;
1144
1145 const char *line;
1146 while ((line = strsep(&lines, "\n")))
1147 {
1148 /* ignore leading whitespace */
1149 while(isspace(*line))
1150 {
1151 line++;
1152 }
1153 /* skip empty lines and comment lines */
1154 if (strlen(line) == 0 || *line == '#' || *line == ';')
1155 {
1156 continue;
1157 }
1158
1159 struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1160 msglevel, gc);
1161
1162 if (!hash)
1163 {
1164 gc_free(&gc_temp);
1165 return NULL;
1166 }
1167
1168 hash->next = ret;
1169 ret = hash;
1170 }
1171 gc_free(&gc_temp);
1172
1173 return ret;
1174 }
1175 #ifdef _WIN32
1176
1177 #ifndef ENABLE_SMALL
1178
1179 static void
show_dhcp_option_list(const char * name,const char * const * array,int len)1180 show_dhcp_option_list(const char *name, const char * const*array, int len)
1181 {
1182 int i;
1183 for (i = 0; i < len; ++i)
1184 {
1185 msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] );
1186 }
1187 }
1188
1189 static void
show_dhcp_option_addrs(const char * name,const in_addr_t * array,int len)1190 show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
1191 {
1192 struct gc_arena gc = gc_new();
1193 int i;
1194 for (i = 0; i < len; ++i)
1195 {
1196 msg(D_SHOW_PARMS, " %s[%d] = %s",
1197 name,
1198 i,
1199 print_in_addr_t(array[i], 0, &gc));
1200 }
1201 gc_free(&gc);
1202 }
1203
1204 static void
show_tuntap_options(const struct tuntap_options * o)1205 show_tuntap_options(const struct tuntap_options *o)
1206 {
1207 SHOW_BOOL(ip_win32_defined);
1208 SHOW_INT(ip_win32_type);
1209 SHOW_INT(dhcp_masq_offset);
1210 SHOW_INT(dhcp_lease_time);
1211 SHOW_INT(tap_sleep);
1212 SHOW_BOOL(dhcp_options);
1213 SHOW_BOOL(dhcp_renew);
1214 SHOW_BOOL(dhcp_pre_release);
1215 SHOW_STR(domain);
1216 SHOW_STR(netbios_scope);
1217 SHOW_INT(netbios_node_type);
1218 SHOW_BOOL(disable_nbt);
1219
1220 show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
1221 show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
1222 show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
1223 show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
1224 show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1225 }
1226
1227 #endif /* ifndef ENABLE_SMALL */
1228 #endif /* ifdef _WIN32 */
1229
1230 #if defined(_WIN32) || defined(TARGET_ANDROID)
1231 static void
dhcp_option_dns6_parse(const char * parm,struct in6_addr * dns6_list,int * len,int msglevel)1232 dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
1233 {
1234 struct in6_addr addr;
1235 if (*len >= N_DHCP_ADDR)
1236 {
1237 msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1238 N_DHCP_ADDR);
1239 }
1240 else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
1241 {
1242 dns6_list[(*len)++] = addr;
1243 }
1244 }
1245 static void
dhcp_option_address_parse(const char * name,const char * parm,in_addr_t * array,int * len,int msglevel)1246 dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1247 {
1248 if (*len >= N_DHCP_ADDR)
1249 {
1250 msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1251 name,
1252 N_DHCP_ADDR,
1253 name);
1254 }
1255 else
1256 {
1257 if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
1258 {
1259 bool error = false;
1260 const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
1261 if (!error)
1262 {
1263 array[(*len)++] = addr;
1264 }
1265 }
1266 else
1267 {
1268 msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1269 }
1270 }
1271 }
1272
1273 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1274
1275 static const char *
print_vlan_accept(enum vlan_acceptable_frames mode)1276 print_vlan_accept(enum vlan_acceptable_frames mode)
1277 {
1278 switch (mode)
1279 {
1280 case VLAN_ONLY_TAGGED:
1281 return "tagged";
1282
1283 case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
1284 return "untagged";
1285
1286 case VLAN_ALL:
1287 return "all";
1288 }
1289 return NULL;
1290 }
1291
1292 #ifndef ENABLE_SMALL
1293
1294 static void
show_p2mp_parms(const struct options * o)1295 show_p2mp_parms(const struct options *o)
1296 {
1297 struct gc_arena gc = gc_new();
1298
1299 msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
1300 msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
1301 msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
1302 SHOW_INT(server_netbits_ipv6);
1303 msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
1304 msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
1305 msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
1306 msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
1307 if (o->push_list.head)
1308 {
1309 const struct push_entry *e = o->push_list.head;
1310 while (e)
1311 {
1312 if (e->enable)
1313 {
1314 msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
1315 }
1316 e = e->next;
1317 }
1318 }
1319 SHOW_BOOL(ifconfig_pool_defined);
1320 msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
1321 msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
1322 msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
1323 SHOW_STR(ifconfig_pool_persist_filename);
1324 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1325 SHOW_BOOL(ifconfig_ipv6_pool_defined);
1326 msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
1327 SHOW_INT(ifconfig_ipv6_pool_netbits);
1328 SHOW_INT(n_bcast_buf);
1329 SHOW_INT(tcp_queue_limit);
1330 SHOW_INT(real_hash_size);
1331 SHOW_INT(virtual_hash_size);
1332 SHOW_STR(client_connect_script);
1333 SHOW_STR(learn_address_script);
1334 SHOW_STR(client_disconnect_script);
1335 SHOW_STR(client_config_dir);
1336 SHOW_BOOL(ccd_exclusive);
1337 SHOW_STR(tmp_dir);
1338 SHOW_BOOL(push_ifconfig_defined);
1339 msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
1340 msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
1341 SHOW_BOOL(push_ifconfig_ipv6_defined);
1342 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1343 msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
1344 SHOW_BOOL(enable_c2c);
1345 SHOW_BOOL(duplicate_cn);
1346 SHOW_INT(cf_max);
1347 SHOW_INT(cf_per);
1348 SHOW_INT(max_clients);
1349 SHOW_INT(max_routes_per_client);
1350 SHOW_STR(auth_user_pass_verify_script);
1351 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1352 SHOW_BOOL(auth_token_generate);
1353 SHOW_INT(auth_token_lifetime);
1354 SHOW_STR_INLINE(auth_token_secret_file);
1355 #if PORT_SHARE
1356 SHOW_STR(port_share_host);
1357 SHOW_STR(port_share_port);
1358 #endif
1359 SHOW_BOOL(vlan_tagging);
1360 msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
1361 SHOW_INT(vlan_pvid);
1362
1363 SHOW_BOOL(client);
1364 SHOW_BOOL(pull);
1365 SHOW_STR(auth_user_pass_file);
1366
1367 gc_free(&gc);
1368 }
1369
1370 #endif /* ! ENABLE_SMALL */
1371
1372 static void
option_iroute(struct options * o,const char * network_str,const char * netmask_str,int msglevel)1373 option_iroute(struct options *o,
1374 const char *network_str,
1375 const char *netmask_str,
1376 int msglevel)
1377 {
1378 struct iroute *ir;
1379
1380 ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
1381 ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1382 ir->netbits = -1;
1383
1384 if (netmask_str)
1385 {
1386 const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1387 if (!netmask_to_netbits(ir->network, netmask, &ir->netbits))
1388 {
1389 msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
1390 network_str,
1391 netmask_str);
1392 return;
1393 }
1394 }
1395
1396 ir->next = o->iroutes;
1397 o->iroutes = ir;
1398 }
1399
1400 static void
option_iroute_ipv6(struct options * o,const char * prefix_str,int msglevel)1401 option_iroute_ipv6(struct options *o,
1402 const char *prefix_str,
1403 int msglevel)
1404 {
1405 struct iroute_ipv6 *ir;
1406
1407 ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
1408
1409 if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
1410 {
1411 msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1412 prefix_str);
1413 return;
1414 }
1415
1416 ir->next = o->iroutes_ipv6;
1417 o->iroutes_ipv6 = ir;
1418 }
1419
1420 #ifndef ENABLE_SMALL
1421 static void
show_http_proxy_options(const struct http_proxy_options * o)1422 show_http_proxy_options(const struct http_proxy_options *o)
1423 {
1424 int i;
1425 msg(D_SHOW_PARMS, "BEGIN http_proxy");
1426 SHOW_STR(server);
1427 SHOW_STR(port);
1428 SHOW_STR(auth_method_string);
1429 SHOW_STR(auth_file);
1430 SHOW_STR(http_version);
1431 SHOW_STR(user_agent);
1432 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
1433 {
1434 if (o->custom_headers[i].content)
1435 {
1436 msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
1437 o->custom_headers[i].name, o->custom_headers[i].content);
1438 }
1439 else
1440 {
1441 msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
1442 o->custom_headers[i].name);
1443 }
1444 }
1445 msg(D_SHOW_PARMS, "END http_proxy");
1446 }
1447 #endif /* ifndef ENABLE_SMALL */
1448
1449 void
options_detach(struct options * o)1450 options_detach(struct options *o)
1451 {
1452 gc_detach(&o->gc);
1453 o->routes = NULL;
1454 o->client_nat = NULL;
1455 clone_push_list(o);
1456 }
1457
1458 void
rol_check_alloc(struct options * options)1459 rol_check_alloc(struct options *options)
1460 {
1461 if (!options->routes)
1462 {
1463 options->routes = new_route_option_list(&options->gc);
1464 }
1465 }
1466
1467 static void
rol6_check_alloc(struct options * options)1468 rol6_check_alloc(struct options *options)
1469 {
1470 if (!options->routes_ipv6)
1471 {
1472 options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
1473 }
1474 }
1475
1476 static void
cnol_check_alloc(struct options * options)1477 cnol_check_alloc(struct options *options)
1478 {
1479 if (!options->client_nat)
1480 {
1481 options->client_nat = new_client_nat_list(&options->gc);
1482 }
1483 }
1484
1485 #ifndef ENABLE_SMALL
1486 static void
show_connection_entry(const struct connection_entry * o)1487 show_connection_entry(const struct connection_entry *o)
1488 {
1489 msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
1490 SHOW_STR(local);
1491 SHOW_STR(local_port);
1492 SHOW_STR(remote);
1493 SHOW_STR(remote_port);
1494 SHOW_BOOL(remote_float);
1495 SHOW_BOOL(bind_defined);
1496 SHOW_BOOL(bind_local);
1497 SHOW_BOOL(bind_ipv6_only);
1498 SHOW_INT(connect_retry_seconds);
1499 SHOW_INT(connect_timeout);
1500
1501 if (o->http_proxy_options)
1502 {
1503 show_http_proxy_options(o->http_proxy_options);
1504 }
1505 SHOW_STR(socks_proxy_server);
1506 SHOW_STR(socks_proxy_port);
1507 SHOW_INT(tun_mtu);
1508 SHOW_BOOL(tun_mtu_defined);
1509 SHOW_INT(link_mtu);
1510 SHOW_BOOL(link_mtu_defined);
1511 SHOW_INT(tun_mtu_extra);
1512 SHOW_BOOL(tun_mtu_extra_defined);
1513
1514 SHOW_INT(mtu_discover_type);
1515
1516 #ifdef ENABLE_FRAGMENT
1517 SHOW_INT(fragment);
1518 #endif
1519 SHOW_INT(mssfix);
1520
1521 SHOW_INT(explicit_exit_notification);
1522
1523 SHOW_STR_INLINE(tls_auth_file);
1524 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
1525 "%s");
1526 SHOW_STR_INLINE(tls_crypt_file);
1527 SHOW_STR_INLINE(tls_crypt_v2_file);
1528 }
1529
1530
1531 static void
show_connection_entries(const struct options * o)1532 show_connection_entries(const struct options *o)
1533 {
1534 if (o->connection_list)
1535 {
1536 const struct connection_list *l = o->connection_list;
1537 int i;
1538 for (i = 0; i < l->len; ++i)
1539 {
1540 msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
1541 show_connection_entry(l->array[i]);
1542 }
1543 }
1544 else
1545 {
1546 msg(D_SHOW_PARMS, "Connection profiles [default]:");
1547 show_connection_entry(&o->ce);
1548 }
1549 msg(D_SHOW_PARMS, "Connection profiles END");
1550 }
1551
1552 static void
show_pull_filter_list(const struct pull_filter_list * l)1553 show_pull_filter_list(const struct pull_filter_list *l)
1554 {
1555 struct pull_filter *f;
1556 if (!l)
1557 {
1558 return;
1559 }
1560
1561 msg(D_SHOW_PARMS, " Pull filters:");
1562 for (f = l->head; f; f = f->next)
1563 {
1564 msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1565 }
1566 }
1567
1568 #endif /* ifndef ENABLE_SMALL */
1569
1570 void
show_settings(const struct options * o)1571 show_settings(const struct options *o)
1572 {
1573 #ifndef ENABLE_SMALL
1574 msg(D_SHOW_PARMS, "Current Parameter Settings:");
1575
1576 SHOW_STR(config);
1577
1578 SHOW_INT(mode);
1579
1580 #ifdef ENABLE_FEATURE_TUN_PERSIST
1581 SHOW_BOOL(persist_config);
1582 SHOW_INT(persist_mode);
1583 #endif
1584
1585 SHOW_BOOL(show_ciphers);
1586 SHOW_BOOL(show_digests);
1587 SHOW_BOOL(show_engines);
1588 SHOW_BOOL(genkey);
1589 SHOW_STR(genkey_filename);
1590 SHOW_STR(key_pass_file);
1591 SHOW_BOOL(show_tls_ciphers);
1592
1593 SHOW_INT(connect_retry_max);
1594 show_connection_entries(o);
1595
1596 SHOW_BOOL(remote_random);
1597
1598 SHOW_STR(ipchange);
1599 SHOW_STR(dev);
1600 SHOW_STR(dev_type);
1601 SHOW_STR(dev_node);
1602 SHOW_STR(lladdr);
1603 SHOW_INT(topology);
1604 SHOW_STR(ifconfig_local);
1605 SHOW_STR(ifconfig_remote_netmask);
1606 SHOW_BOOL(ifconfig_noexec);
1607 SHOW_BOOL(ifconfig_nowarn);
1608 SHOW_STR(ifconfig_ipv6_local);
1609 SHOW_INT(ifconfig_ipv6_netbits);
1610 SHOW_STR(ifconfig_ipv6_remote);
1611
1612 SHOW_INT(shaper);
1613 SHOW_INT(mtu_test);
1614
1615 SHOW_BOOL(mlock);
1616
1617 SHOW_INT(keepalive_ping);
1618 SHOW_INT(keepalive_timeout);
1619 SHOW_INT(inactivity_timeout);
1620 SHOW_INT(ping_send_timeout);
1621 SHOW_INT(ping_rec_timeout);
1622 SHOW_INT(ping_rec_timeout_action);
1623 SHOW_BOOL(ping_timer_remote);
1624 SHOW_INT(remap_sigusr1);
1625 SHOW_BOOL(persist_tun);
1626 SHOW_BOOL(persist_local_ip);
1627 SHOW_BOOL(persist_remote_ip);
1628 SHOW_BOOL(persist_key);
1629
1630 #if PASSTOS_CAPABILITY
1631 SHOW_BOOL(passtos);
1632 #endif
1633
1634 SHOW_INT(resolve_retry_seconds);
1635 SHOW_BOOL(resolve_in_advance);
1636
1637 SHOW_STR(username);
1638 SHOW_STR(groupname);
1639 SHOW_STR(chroot_dir);
1640 SHOW_STR(cd_dir);
1641 #ifdef ENABLE_SELINUX
1642 SHOW_STR(selinux_context);
1643 #endif
1644 SHOW_STR(writepid);
1645 SHOW_STR(up_script);
1646 SHOW_STR(down_script);
1647 SHOW_BOOL(down_pre);
1648 SHOW_BOOL(up_restart);
1649 SHOW_BOOL(up_delay);
1650 SHOW_BOOL(daemon);
1651 SHOW_BOOL(log);
1652 SHOW_BOOL(suppress_timestamps);
1653 SHOW_BOOL(machine_readable_output);
1654 SHOW_INT(nice);
1655 SHOW_INT(verbosity);
1656 SHOW_INT(mute);
1657 #ifdef ENABLE_DEBUG
1658 SHOW_INT(gremlin);
1659 #endif
1660 SHOW_STR(status_file);
1661 SHOW_INT(status_file_version);
1662 SHOW_INT(status_file_update_freq);
1663
1664 SHOW_BOOL(occ);
1665 SHOW_INT(rcvbuf);
1666 SHOW_INT(sndbuf);
1667 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1668 SHOW_INT(mark);
1669 #endif
1670 SHOW_INT(sockflags);
1671
1672 SHOW_BOOL(fast_io);
1673
1674 #ifdef USE_COMP
1675 SHOW_INT(comp.alg);
1676 SHOW_INT(comp.flags);
1677 #endif
1678
1679 SHOW_STR(route_script);
1680 SHOW_STR(route_default_gateway);
1681 SHOW_INT(route_default_metric);
1682 SHOW_BOOL(route_noexec);
1683 SHOW_INT(route_delay);
1684 SHOW_INT(route_delay_window);
1685 SHOW_BOOL(route_delay_defined);
1686 SHOW_BOOL(route_nopull);
1687 SHOW_BOOL(route_gateway_via_dhcp);
1688 SHOW_BOOL(allow_pull_fqdn);
1689 show_pull_filter_list(o->pull_filter_list);
1690
1691 if (o->routes)
1692 {
1693 print_route_options(o->routes, D_SHOW_PARMS);
1694 }
1695
1696 if (o->client_nat)
1697 {
1698 print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1699 }
1700
1701 #ifdef ENABLE_MANAGEMENT
1702 SHOW_STR(management_addr);
1703 SHOW_STR(management_port);
1704 SHOW_STR(management_user_pass);
1705 SHOW_INT(management_log_history_cache);
1706 SHOW_INT(management_echo_buffer_size);
1707 SHOW_STR(management_write_peer_info_file);
1708 SHOW_STR(management_client_user);
1709 SHOW_STR(management_client_group);
1710 SHOW_INT(management_flags);
1711 #endif
1712 #ifdef ENABLE_PLUGIN
1713 if (o->plugin_list)
1714 {
1715 plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
1716 }
1717 #endif
1718
1719 SHOW_STR_INLINE(shared_secret_file);
1720 SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s");
1721 SHOW_STR(ciphername);
1722 SHOW_BOOL(ncp_enabled);
1723 SHOW_STR(ncp_ciphers);
1724 SHOW_STR(authname);
1725 SHOW_STR(prng_hash);
1726 SHOW_INT(prng_nonce_secret_len);
1727 #ifndef ENABLE_CRYPTO_MBEDTLS
1728 SHOW_BOOL(engine);
1729 #endif /* ENABLE_CRYPTO_MBEDTLS */
1730 SHOW_BOOL(replay);
1731 SHOW_BOOL(mute_replay_warnings);
1732 SHOW_INT(replay_window);
1733 SHOW_INT(replay_time);
1734 SHOW_STR(packet_id_file);
1735 SHOW_BOOL(test_crypto);
1736 #ifdef ENABLE_PREDICTION_RESISTANCE
1737 SHOW_BOOL(use_prediction_resistance);
1738 #endif
1739
1740 SHOW_BOOL(tls_server);
1741 SHOW_BOOL(tls_client);
1742 SHOW_STR_INLINE(ca_file);
1743 SHOW_STR(ca_path);
1744 SHOW_STR_INLINE(dh_file);
1745 #ifdef ENABLE_MANAGEMENT
1746 if ((o->management_flags & MF_EXTERNAL_CERT))
1747 {
1748 SHOW_PARM("cert_file","EXTERNAL_CERT","%s");
1749 }
1750 else
1751 #endif
1752 SHOW_STR_INLINE(cert_file);
1753 SHOW_STR_INLINE(extra_certs_file);
1754
1755 #ifdef ENABLE_MANAGEMENT
1756 if ((o->management_flags & MF_EXTERNAL_KEY))
1757 {
1758 SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
1759 }
1760 else
1761 #endif
1762 SHOW_STR_INLINE(priv_key_file);
1763 #ifndef ENABLE_CRYPTO_MBEDTLS
1764 SHOW_STR_INLINE(pkcs12_file);
1765 #endif
1766 #ifdef ENABLE_CRYPTOAPI
1767 SHOW_STR(cryptoapi_cert);
1768 #endif
1769 SHOW_STR(cipher_list);
1770 SHOW_STR(cipher_list_tls13);
1771 SHOW_STR(tls_cert_profile);
1772 SHOW_STR(tls_verify);
1773 SHOW_STR(tls_export_cert);
1774 SHOW_INT(verify_x509_type);
1775 SHOW_STR(verify_x509_name);
1776 SHOW_STR_INLINE(crl_file);
1777 SHOW_INT(ns_cert_type);
1778 {
1779 int i;
1780 for (i = 0; i<MAX_PARMS; i++)
1781 {
1782 SHOW_INT(remote_cert_ku[i]);
1783 }
1784 }
1785 SHOW_STR(remote_cert_eku);
1786 if (o->verify_hash)
1787 {
1788 SHOW_INT(verify_hash_algo);
1789 SHOW_INT(verify_hash_depth);
1790 struct gc_arena gc = gc_new();
1791 struct verify_hash_list *hl = o->verify_hash;
1792 int digest_len = (o->verify_hash_algo == MD_SHA1) ? SHA_DIGEST_LENGTH :
1793 SHA256_DIGEST_LENGTH;
1794 while (hl)
1795 {
1796 char *s = format_hex_ex(hl->hash, digest_len, 0,
1797 1, ":", &gc);
1798 SHOW_PARM(verify_hash, s, "%s");
1799 hl = hl->next;
1800 }
1801 gc_free(&gc);
1802 }
1803 SHOW_INT(ssl_flags);
1804
1805 SHOW_INT(tls_timeout);
1806
1807 SHOW_INT(renegotiate_bytes);
1808 SHOW_INT(renegotiate_packets);
1809 SHOW_INT(renegotiate_seconds);
1810
1811 SHOW_INT(handshake_window);
1812 SHOW_INT(transition_window);
1813
1814 SHOW_BOOL(single_session);
1815 SHOW_BOOL(push_peer_info);
1816 SHOW_BOOL(tls_exit);
1817
1818 SHOW_STR(tls_crypt_v2_metadata);
1819
1820 #ifdef ENABLE_PKCS11
1821 {
1822 int i;
1823 for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
1824 {
1825 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
1826 }
1827 }
1828 {
1829 int i;
1830 for (i = 0; i<MAX_PARMS; i++)
1831 {
1832 SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1833 }
1834 }
1835 {
1836 int i;
1837 for (i = 0; i<MAX_PARMS; i++)
1838 {
1839 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1840 }
1841 }
1842 {
1843 int i;
1844 for (i = 0; i<MAX_PARMS; i++)
1845 {
1846 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1847 }
1848 }
1849 SHOW_INT(pkcs11_pin_cache_period);
1850 SHOW_STR(pkcs11_id);
1851 SHOW_BOOL(pkcs11_id_management);
1852 #endif /* ENABLE_PKCS11 */
1853
1854 show_p2mp_parms(o);
1855
1856 #ifdef _WIN32
1857 SHOW_BOOL(show_net_up);
1858 SHOW_INT(route_method);
1859 SHOW_BOOL(block_outside_dns);
1860 show_tuntap_options(&o->tuntap_options);
1861 #endif
1862 #endif /* ifndef ENABLE_SMALL */
1863 }
1864
1865 #undef SHOW_PARM
1866 #undef SHOW_STR
1867 #undef SHOW_INT
1868 #undef SHOW_BOOL
1869
1870 #ifdef ENABLE_MANAGEMENT
1871
1872 static struct http_proxy_options *
parse_http_proxy_override(const char * server,const char * port,const char * flags,const int msglevel,struct gc_arena * gc)1873 parse_http_proxy_override(const char *server,
1874 const char *port,
1875 const char *flags,
1876 const int msglevel,
1877 struct gc_arena *gc)
1878 {
1879 if (server && port)
1880 {
1881 struct http_proxy_options *ho;
1882 ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
1883 ho->server = string_alloc(server, gc);
1884 ho->port = port;
1885 if (flags && !strcmp(flags, "nct"))
1886 {
1887 ho->auth_retry = PAR_NCT;
1888 }
1889 else
1890 {
1891 ho->auth_retry = PAR_ALL;
1892 }
1893 ho->http_version = "1.0";
1894 ho->user_agent = "OpenVPN-Autoproxy/1.0";
1895 return ho;
1896 }
1897 else
1898 {
1899 return NULL;
1900 }
1901 }
1902
1903 static void
options_postprocess_http_proxy_override(struct options * o)1904 options_postprocess_http_proxy_override(struct options *o)
1905 {
1906 const struct connection_list *l = o->connection_list;
1907 int i;
1908 bool succeed = false;
1909 for (i = 0; i < l->len; ++i)
1910 {
1911 struct connection_entry *ce = l->array[i];
1912 if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
1913 {
1914 ce->http_proxy_options = o->http_proxy_override;
1915 succeed = true;
1916 }
1917 }
1918 if (succeed)
1919 {
1920 for (i = 0; i < l->len; ++i)
1921 {
1922 struct connection_entry *ce = l->array[i];
1923 if (ce->proto == PROTO_UDP)
1924 {
1925 ce->flags |= CE_DISABLED;
1926 }
1927 }
1928 }
1929 else
1930 {
1931 msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
1932 }
1933 }
1934
1935 #endif /* ifdef ENABLE_MANAGEMENT */
1936
1937 static struct connection_list *
alloc_connection_list_if_undef(struct options * options)1938 alloc_connection_list_if_undef(struct options *options)
1939 {
1940 if (!options->connection_list)
1941 {
1942 ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
1943 }
1944 return options->connection_list;
1945 }
1946
1947 static struct connection_entry *
alloc_connection_entry(struct options * options,const int msglevel)1948 alloc_connection_entry(struct options *options, const int msglevel)
1949 {
1950 struct connection_list *l = alloc_connection_list_if_undef(options);
1951 struct connection_entry *e;
1952
1953 if (l->len >= CONNECTION_LIST_SIZE)
1954 {
1955 msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
1956 return NULL;
1957 }
1958 ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
1959 l->array[l->len++] = e;
1960 return e;
1961 }
1962
1963 static struct remote_list *
alloc_remote_list_if_undef(struct options * options)1964 alloc_remote_list_if_undef(struct options *options)
1965 {
1966 if (!options->remote_list)
1967 {
1968 ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
1969 }
1970 return options->remote_list;
1971 }
1972
1973 static struct remote_entry *
alloc_remote_entry(struct options * options,const int msglevel)1974 alloc_remote_entry(struct options *options, const int msglevel)
1975 {
1976 struct remote_list *l = alloc_remote_list_if_undef(options);
1977 struct remote_entry *e;
1978
1979 if (l->len >= CONNECTION_LIST_SIZE)
1980 {
1981 msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
1982 return NULL;
1983 }
1984 ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
1985 l->array[l->len++] = e;
1986 return e;
1987 }
1988
1989 static struct pull_filter_list *
alloc_pull_filter_list(struct options * o)1990 alloc_pull_filter_list(struct options *o)
1991 {
1992 if (!o->pull_filter_list)
1993 {
1994 ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
1995 }
1996 return o->pull_filter_list;
1997 }
1998
1999 static struct pull_filter *
alloc_pull_filter(struct options * o,const int msglevel)2000 alloc_pull_filter(struct options *o, const int msglevel)
2001 {
2002 struct pull_filter_list *l = alloc_pull_filter_list(o);
2003 struct pull_filter *f;
2004
2005 ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
2006 if (l->head)
2007 {
2008 ASSERT(l->tail);
2009 l->tail->next = f;
2010 }
2011 else
2012 {
2013 ASSERT(!l->tail);
2014 l->head = f;
2015 }
2016 l->tail = f;
2017 return f;
2018 }
2019
2020 static void
connection_entry_load_re(struct connection_entry * ce,const struct remote_entry * re)2021 connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
2022 {
2023 if (re->remote)
2024 {
2025 ce->remote = re->remote;
2026 }
2027 if (re->remote_port)
2028 {
2029 ce->remote_port = re->remote_port;
2030 }
2031 if (re->proto >= 0)
2032 {
2033 ce->proto = re->proto;
2034 }
2035 if (re->af > 0)
2036 {
2037 ce->af = re->af;
2038 }
2039 }
2040
2041 static void
connection_entry_preload_key(const char ** key_file,bool * key_inline,struct gc_arena * gc)2042 connection_entry_preload_key(const char **key_file, bool *key_inline,
2043 struct gc_arena *gc)
2044 {
2045 if (key_file && *key_file && !(*key_inline))
2046 {
2047 struct buffer in = buffer_read_from_file(*key_file, gc);
2048 if (!buf_valid(&in))
2049 {
2050 msg(M_FATAL, "Cannot pre-load keyfile (%s)", *key_file);
2051 }
2052
2053 *key_file = (const char *) in.data;
2054 *key_inline = true;
2055 }
2056 }
2057
2058 static void
check_ca_required(const struct options * options)2059 check_ca_required(const struct options *options)
2060 {
2061 if (options->verify_hash_no_ca
2062 || options->pkcs12_file
2063 || options->ca_file
2064 #ifndef ENABLE_CRYPTO_MBEDTLS
2065 || options->ca_path
2066 #endif
2067 )
2068 {
2069 return;
2070 }
2071
2072 msg(M_USAGE, "You must define CA file (--ca)"
2073 #ifndef ENABLE_CRYPTO_MBEDTLS
2074 " or CA path (--capath)"
2075 #endif
2076 " and/or peer fingeprint verification " "(--peer-fingerprint)");
2077 }
2078
2079 static void
options_postprocess_verify_ce(const struct options * options,const struct connection_entry * ce)2080 options_postprocess_verify_ce(const struct options *options,
2081 const struct connection_entry *ce)
2082 {
2083 struct options defaults;
2084 int dev = DEV_TYPE_UNDEF;
2085 bool pull = false;
2086
2087 init_options(&defaults, true);
2088
2089 if (options->test_crypto)
2090 {
2091 notnull(options->shared_secret_file, "key file (--secret)");
2092 }
2093 else
2094 {
2095 notnull(options->dev, "TUN/TAP device (--dev)");
2096 }
2097
2098 /*
2099 * Get tun/tap/null device type
2100 */
2101 dev = dev_type_enum(options->dev, options->dev_type);
2102
2103 /*
2104 * If "proto tcp" is specified, make sure we know whether it is
2105 * tcp-client or tcp-server.
2106 */
2107 if (ce->proto == PROTO_TCP)
2108 {
2109 msg(M_USAGE,
2110 "--proto tcp is ambiguous in this context. Please specify "
2111 "--proto tcp-server or --proto tcp-client");
2112 }
2113
2114 if (options->lladdr && dev != DEV_TYPE_TAP)
2115 {
2116 msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
2117 }
2118
2119 /*
2120 * Sanity check on MTU parameters
2121 */
2122 if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
2123 {
2124 msg(M_USAGE,
2125 "only one of --tun-mtu or --link-mtu may be defined (note that "
2126 "--ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
2127 }
2128
2129 if (!proto_is_udp(ce->proto) && options->mtu_test)
2130 {
2131 msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
2132 }
2133
2134 /* will we be pulling options from server? */
2135 pull = options->pull;
2136
2137 /*
2138 * Sanity check on --local, --remote, and --ifconfig
2139 */
2140
2141 if (proto_is_net(ce->proto)
2142 && string_defined_equal(ce->local, ce->remote)
2143 && string_defined_equal(ce->local_port, ce->remote_port))
2144 {
2145 msg(M_USAGE, "--remote and --local addresses are the same");
2146 }
2147
2148 if (string_defined_equal(ce->remote, options->ifconfig_local)
2149 || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
2150 {
2151 msg(M_USAGE,
2152 "--local and --remote addresses must be distinct from --ifconfig "
2153 "addresses");
2154 }
2155
2156 if (string_defined_equal(ce->local, options->ifconfig_local)
2157 || string_defined_equal(ce->local, options->ifconfig_remote_netmask))
2158 {
2159 msg(M_USAGE,
2160 "--local addresses must be distinct from --ifconfig addresses");
2161 }
2162
2163 if (string_defined_equal(options->ifconfig_local,
2164 options->ifconfig_remote_netmask))
2165 {
2166 msg(M_USAGE,
2167 "local and remote/netmask --ifconfig addresses must be different");
2168 }
2169
2170 if (ce->bind_defined && !ce->bind_local)
2171 {
2172 msg(M_USAGE, "--bind and --nobind can't be used together");
2173 }
2174
2175 if (ce->local && !ce->bind_local)
2176 {
2177 msg(M_USAGE,
2178 "--local and --nobind don't make sense when used together");
2179 }
2180
2181 if (ce->local_port_defined && !ce->bind_local)
2182 {
2183 msg(M_USAGE,
2184 "--lport and --nobind don't make sense when used together");
2185 }
2186
2187 if (!ce->remote && !ce->bind_local)
2188 {
2189 msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
2190 }
2191
2192 /*
2193 * Check for consistency of management options
2194 */
2195 #ifdef ENABLE_MANAGEMENT
2196 if (!options->management_addr
2197 && (options->management_flags
2198 || options->management_write_peer_info_file
2199 || options->management_log_history_cache != defaults.management_log_history_cache))
2200 {
2201 msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2202 }
2203
2204 if ((options->management_client_user || options->management_client_group)
2205 && !(options->management_flags & MF_UNIX_SOCK))
2206 {
2207 msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
2208 }
2209
2210 if (options->management_addr
2211 && !(options->management_flags & MF_UNIX_SOCK)
2212 && (!options->management_user_pass))
2213 {
2214 msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
2215 "passwords is STRONGLY discouraged and considered insecure");
2216 }
2217
2218 #endif /* ifdef ENABLE_MANAGEMENT */
2219
2220 #if defined(ENABLE_MANAGEMENT)
2221 if ((tls_version_max() >= TLS_VER_1_3)
2222 && (options->management_flags & MF_EXTERNAL_KEY)
2223 && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING))
2224 )
2225 {
2226 msg(M_ERR, "management-external-key with OpenSSL 1.1.1 requires "
2227 "the nopadding argument/support");
2228 }
2229 #endif
2230 /*
2231 * Windows-specific options.
2232 */
2233
2234 #ifdef _WIN32
2235 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2236 {
2237 msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
2238 }
2239
2240 if ((options->tuntap_options.ip_win32_defined)
2241 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
2242 {
2243 msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2244 }
2245
2246 if (options->tuntap_options.dhcp_options
2247 && options->windows_driver != WINDOWS_DRIVER_WINTUN
2248 && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
2249 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
2250 {
2251 msg(M_USAGE, "--dhcp-option requires --ip-win32 dynamic or adaptive");
2252 }
2253
2254 if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
2255 {
2256 msg(M_USAGE, "--windows-driver wintun requires --dev tun");
2257 }
2258 #endif /* ifdef _WIN32 */
2259
2260 /*
2261 * Check that protocol options make sense.
2262 */
2263
2264 #ifdef ENABLE_FRAGMENT
2265 if (!proto_is_udp(ce->proto) && ce->fragment)
2266 {
2267 msg(M_USAGE, "--fragment can only be used with --proto udp");
2268 }
2269 #endif
2270
2271 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
2272 {
2273 msg(M_USAGE,
2274 "--explicit-exit-notify can only be used with --proto udp");
2275 }
2276
2277 if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
2278 {
2279 msg(M_USAGE, "--remote MUST be used in TCP Client mode");
2280 }
2281
2282 if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
2283 {
2284 msg(M_USAGE,
2285 "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2286 "tcp-client)");
2287 }
2288
2289 if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
2290 {
2291 msg(M_USAGE,
2292 "--http-proxy not specified but other http proxy options present");
2293 }
2294
2295 if (ce->http_proxy_options && ce->socks_proxy_server)
2296 {
2297 msg(M_USAGE,
2298 "--http-proxy can not be used together with --socks-proxy");
2299 }
2300
2301 if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
2302 {
2303 msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
2304 }
2305
2306 if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
2307 {
2308 msg(M_USAGE, "TCP server mode allows at most one --remote address");
2309 }
2310
2311 /*
2312 * Check consistency of --mode server options.
2313 */
2314 if (options->mode == MODE_SERVER)
2315 {
2316 #ifdef TARGET_ANDROID
2317 msg(M_FATAL, "--mode server not supported on Android");
2318 #endif
2319 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2320 {
2321 msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
2322 }
2323 if (options->pull)
2324 {
2325 msg(M_USAGE, "--pull cannot be used with --mode server");
2326 }
2327 if (options->pull_filter_list)
2328 {
2329 msg(M_WARN, "--pull-filter ignored for --mode server");
2330 }
2331 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2332 {
2333 msg(M_USAGE, "--mode server currently only supports "
2334 "--proto udp or --proto tcp-server or proto tcp6-server");
2335 }
2336 #if PORT_SHARE
2337 if ((options->port_share_host || options->port_share_port)
2338 && (ce->proto != PROTO_TCP_SERVER))
2339 {
2340 msg(M_USAGE, "--port-share only works in TCP server mode "
2341 "(--proto tcp-server or tcp6-server)");
2342 }
2343 #endif
2344 if (!options->tls_server)
2345 {
2346 msg(M_USAGE, "--mode server requires --tls-server");
2347 }
2348 if (ce->remote)
2349 {
2350 msg(M_USAGE, "--remote cannot be used with --mode server");
2351 }
2352 if (!ce->bind_local)
2353 {
2354 msg(M_USAGE, "--nobind cannot be used with --mode server");
2355 }
2356 if (ce->http_proxy_options)
2357 {
2358 msg(M_USAGE, "--http-proxy cannot be used with --mode server");
2359 }
2360 if (ce->socks_proxy_server)
2361 {
2362 msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
2363 }
2364 /* <connection> blocks force to have a remote embedded, so we check
2365 * for the --remote and bail out if it is present
2366 */
2367 if (options->connection_list->len >1
2368 || options->connection_list->array[0]->remote)
2369 {
2370 msg(M_USAGE, "<connection> cannot be used with --mode server");
2371 }
2372
2373 if (options->shaper)
2374 {
2375 msg(M_USAGE, "--shaper cannot be used with --mode server");
2376 }
2377 if (options->ipchange)
2378 {
2379 msg(M_USAGE,
2380 "--ipchange cannot be used with --mode server (use "
2381 "--client-connect instead)");
2382 }
2383 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
2384 {
2385 msg(M_USAGE,
2386 "--mode server currently only supports --proto udp or --proto "
2387 "tcp-server or --proto tcp6-server");
2388 }
2389 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2390 {
2391 msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2392 }
2393 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2394 {
2395 msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2396 }
2397 if (options->routes && (options->routes->flags & RG_ENABLE))
2398 {
2399 msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2400 }
2401 if (options->route_delay_defined)
2402 {
2403 msg(M_USAGE, "--route-delay cannot be used with --mode server");
2404 }
2405 if (options->up_delay)
2406 {
2407 msg(M_USAGE, "--up-delay cannot be used with --mode server");
2408 }
2409 if (!options->ifconfig_pool_defined
2410 && !options->ifconfig_ipv6_pool_defined
2411 && options->ifconfig_pool_persist_filename)
2412 {
2413 msg(M_USAGE,
2414 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2415 }
2416 if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
2417 {
2418 msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2419 }
2420 if (options->allow_recursive_routing)
2421 {
2422 msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
2423 }
2424 if (options->auth_user_pass_file)
2425 {
2426 msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2427 }
2428 if (options->ccd_exclusive && !options->client_config_dir)
2429 {
2430 msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2431 }
2432 if (options->auth_token_generate && !options->renegotiate_seconds)
2433 {
2434 msg(M_USAGE, "--auth-gen-token needs a non-infinite "
2435 "--renegotiate_seconds setting");
2436 }
2437 {
2438 const bool ccnr = (options->auth_user_pass_verify_script
2439 || PLUGIN_OPTION_LIST(options)
2440 || MAN_CLIENT_AUTH_ENABLED(options));
2441 const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2442 if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
2443 {
2444 msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
2445 }
2446 if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2447 {
2448 msg(M_USAGE, "--username-as-common-name %s", postfix);
2449 }
2450 if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2451 {
2452 msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
2453 }
2454 }
2455
2456 if (options->vlan_tagging && dev != DEV_TYPE_TAP)
2457 {
2458 msg(M_USAGE, "--vlan-tagging must be used with --dev tap");
2459 }
2460 if (!options->vlan_tagging)
2461 {
2462 if (options->vlan_accept != defaults.vlan_accept)
2463 {
2464 msg(M_USAGE, "--vlan-accept requires --vlan-tagging");
2465 }
2466 if (options->vlan_pvid != defaults.vlan_pvid)
2467 {
2468 msg(M_USAGE, "--vlan-pvid requires --vlan-tagging");
2469 }
2470 }
2471 }
2472 else
2473 {
2474 /*
2475 * When not in server mode, err if parameters are
2476 * specified which require --mode server.
2477 */
2478 if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2479 {
2480 msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2481 }
2482 if (options->ifconfig_ipv6_pool_defined)
2483 {
2484 msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2485 }
2486 if (options->real_hash_size != defaults.real_hash_size
2487 || options->virtual_hash_size != defaults.virtual_hash_size)
2488 {
2489 msg(M_USAGE, "--hash-size requires --mode server");
2490 }
2491 if (options->learn_address_script)
2492 {
2493 msg(M_USAGE, "--learn-address requires --mode server");
2494 }
2495 if (options->client_connect_script)
2496 {
2497 msg(M_USAGE, "--client-connect requires --mode server");
2498 }
2499 if (options->client_disconnect_script)
2500 {
2501 msg(M_USAGE, "--client-disconnect requires --mode server");
2502 }
2503 if (options->client_config_dir || options->ccd_exclusive)
2504 {
2505 msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2506 }
2507 if (options->enable_c2c)
2508 {
2509 msg(M_USAGE, "--client-to-client requires --mode server");
2510 }
2511 if (options->duplicate_cn)
2512 {
2513 msg(M_USAGE, "--duplicate-cn requires --mode server");
2514 }
2515 if (options->cf_max || options->cf_per)
2516 {
2517 msg(M_USAGE, "--connect-freq requires --mode server");
2518 }
2519 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2520 {
2521 msg(M_USAGE, "--verify-client-cert requires --mode server");
2522 }
2523 if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2524 {
2525 msg(M_USAGE, "--username-as-common-name requires --mode server");
2526 }
2527 if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2528 {
2529 msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
2530 }
2531 if (options->ssl_flags & SSLF_OPT_VERIFY)
2532 {
2533 msg(M_USAGE, "--opt-verify requires --mode server");
2534 }
2535 if (options->server_flags & SF_TCP_NODELAY_HELPER)
2536 {
2537 msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
2538 "affect the server. To have TCP_NODELAY in both direction use "
2539 "tcp-nodelay in the server configuration instead.");
2540 }
2541 if (options->auth_user_pass_verify_script)
2542 {
2543 msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
2544 }
2545 if (options->auth_token_generate)
2546 {
2547 msg(M_USAGE, "--auth-gen-token requires --mode server");
2548 }
2549 #if PORT_SHARE
2550 if (options->port_share_host || options->port_share_port)
2551 {
2552 msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2553 }
2554 #endif
2555
2556 if (options->stale_routes_check_interval)
2557 {
2558 msg(M_USAGE, "--stale-routes-check requires --mode server");
2559 }
2560
2561 if (options->vlan_tagging)
2562 {
2563 msg(M_USAGE, "--vlan-tagging requires --mode server");
2564 }
2565 }
2566
2567 /*
2568 * Check consistency of replay options
2569 */
2570 if (!options->replay
2571 && (options->replay_window != defaults.replay_window
2572 || options->replay_time != defaults.replay_time))
2573 {
2574 msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2575 }
2576
2577 /*
2578 * SSL/TLS mode sanity checks.
2579 */
2580 if (options->tls_server + options->tls_client
2581 +(options->shared_secret_file != NULL) > 1)
2582 {
2583 msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2584 }
2585
2586 if (!options->tls_server && !options->tls_client)
2587 {
2588 msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in "
2589 "configuration detected. OpenVPN 2.7 will remove the "
2590 "functionality to run a VPN without TLS. "
2591 "See the examples section in the manual page for "
2592 "examples of a similar quick setup with peer-fingerprint.");
2593 }
2594
2595 if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
2596 {
2597 msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
2598 "--verify-client-cert none|optional "
2599 "may accept clients which do not present a certificate");
2600 }
2601
2602 const int tls_version_max =
2603 (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
2604 & SSLF_TLS_VERSION_MAX_MASK;
2605 const int tls_version_min =
2606 (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
2607 & SSLF_TLS_VERSION_MIN_MASK;
2608
2609 if (tls_version_max > 0 && tls_version_max < tls_version_min)
2610 {
2611 msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
2612 }
2613
2614 if (options->tls_server || options->tls_client)
2615 {
2616 check_ca_required(options);
2617 #ifdef ENABLE_PKCS11
2618 if (options->pkcs11_providers[0])
2619 {
2620 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2621 {
2622 msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2623 }
2624 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2625 {
2626 msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2627 }
2628 if (options->cert_file)
2629 {
2630 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2631 }
2632 if (options->priv_key_file)
2633 {
2634 msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2635 }
2636 #ifdef ENABLE_MANAGEMENT
2637 if (options->management_flags & MF_EXTERNAL_KEY)
2638 {
2639 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2640 }
2641 if (options->management_flags & MF_EXTERNAL_CERT)
2642 {
2643 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2644 }
2645 #endif
2646 if (options->pkcs12_file)
2647 {
2648 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2649 }
2650 #ifdef ENABLE_CRYPTOAPI
2651 if (options->cryptoapi_cert)
2652 {
2653 msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2654 }
2655 #endif
2656 }
2657 else
2658 #endif /* ifdef ENABLE_PKCS11 */
2659 #ifdef ENABLE_MANAGEMENT
2660 if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2661 {
2662 msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
2663 }
2664 else if ((options->management_flags & MF_EXTERNAL_CERT))
2665 {
2666 if (options->cert_file)
2667 {
2668 msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
2669 }
2670 else if (!(options->management_flags & MF_EXTERNAL_KEY))
2671 {
2672 msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
2673 }
2674 }
2675 else
2676 #endif
2677 #ifdef ENABLE_CRYPTOAPI
2678 if (options->cryptoapi_cert)
2679 {
2680 if (options->cert_file)
2681 {
2682 msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2683 }
2684 if (options->priv_key_file)
2685 {
2686 msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2687 }
2688 if (options->pkcs12_file)
2689 {
2690 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2691 }
2692 #ifdef ENABLE_MANAGEMENT
2693 if (options->management_flags & MF_EXTERNAL_KEY)
2694 {
2695 msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2696 }
2697 if (options->management_flags & MF_EXTERNAL_CERT)
2698 {
2699 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2700 }
2701 #endif
2702 }
2703 else
2704 #endif /* ifdef ENABLE_CRYPTOAPI */
2705 if (options->pkcs12_file)
2706 {
2707 #ifdef ENABLE_CRYPTO_MBEDTLS
2708 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2709 #else
2710 if (options->ca_path)
2711 {
2712 msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2713 }
2714 if (options->cert_file)
2715 {
2716 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2717 }
2718 if (options->priv_key_file)
2719 {
2720 msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2721 }
2722 #ifdef ENABLE_MANAGEMENT
2723 if (options->management_flags & MF_EXTERNAL_KEY)
2724 {
2725 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2726 }
2727 if (options->management_flags & MF_EXTERNAL_CERT)
2728 {
2729 msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2730 }
2731 #endif
2732 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2733 }
2734 else
2735 {
2736 #ifdef ENABLE_CRYPTO_MBEDTLS
2737 if (options->ca_path)
2738 {
2739 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2740 }
2741 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2742 if (pull)
2743 {
2744
2745 const int sum =
2746 #ifdef ENABLE_MANAGEMENT
2747 ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
2748 +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2749 #else
2750 (options->cert_file != NULL) + (options->priv_key_file != NULL);
2751 #endif
2752
2753 if (sum == 0)
2754 {
2755 if (!options->auth_user_pass_file)
2756 {
2757 msg(M_USAGE, "No client-side authentication method is "
2758 "specified. You must use either "
2759 "--cert/--key, --pkcs12, or "
2760 "--auth-user-pass");
2761 }
2762 }
2763 else if (sum == 2)
2764 {
2765 }
2766 else
2767 {
2768 msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
2769 }
2770 }
2771 else
2772 {
2773 #ifdef ENABLE_MANAGEMENT
2774 if (!(options->management_flags & MF_EXTERNAL_CERT))
2775 #endif
2776 notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2777 #ifdef ENABLE_MANAGEMENT
2778 if (!(options->management_flags & MF_EXTERNAL_KEY))
2779 #endif
2780 notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2781 }
2782 }
2783 if (ce->tls_auth_file && ce->tls_crypt_file)
2784 {
2785 msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
2786 }
2787 if (options->tls_client && ce->tls_crypt_v2_file
2788 && (ce->tls_auth_file || ce->tls_crypt_file))
2789 {
2790 msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2791 }
2792 }
2793 else
2794 {
2795 /*
2796 * Make sure user doesn't specify any TLS options
2797 * when in non-TLS mode.
2798 */
2799
2800 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
2801 }
2802
2803 const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2804
2805 MUST_BE_UNDEF(ca_file);
2806 MUST_BE_UNDEF(ca_path);
2807 MUST_BE_UNDEF(dh_file);
2808 MUST_BE_UNDEF(cert_file);
2809 MUST_BE_UNDEF(priv_key_file);
2810 #ifndef ENABLE_CRYPTO_MBEDTLS
2811 MUST_BE_UNDEF(pkcs12_file);
2812 #endif
2813 MUST_BE_UNDEF(cipher_list);
2814 MUST_BE_UNDEF(cipher_list_tls13);
2815 MUST_BE_UNDEF(tls_cert_profile);
2816 MUST_BE_UNDEF(tls_verify);
2817 MUST_BE_UNDEF(tls_export_cert);
2818 MUST_BE_UNDEF(verify_x509_name);
2819 MUST_BE_UNDEF(tls_timeout);
2820 MUST_BE_UNDEF(renegotiate_bytes);
2821 MUST_BE_UNDEF(renegotiate_packets);
2822 MUST_BE_UNDEF(renegotiate_seconds);
2823 MUST_BE_UNDEF(handshake_window);
2824 MUST_BE_UNDEF(transition_window);
2825 MUST_BE_UNDEF(tls_auth_file);
2826 MUST_BE_UNDEF(tls_crypt_file);
2827 MUST_BE_UNDEF(tls_crypt_v2_file);
2828 MUST_BE_UNDEF(single_session);
2829 MUST_BE_UNDEF(push_peer_info);
2830 MUST_BE_UNDEF(tls_exit);
2831 MUST_BE_UNDEF(crl_file);
2832 MUST_BE_UNDEF(ns_cert_type);
2833 MUST_BE_UNDEF(remote_cert_ku[0]);
2834 MUST_BE_UNDEF(remote_cert_eku);
2835 #ifdef ENABLE_PKCS11
2836 MUST_BE_UNDEF(pkcs11_providers[0]);
2837 MUST_BE_UNDEF(pkcs11_private_mode[0]);
2838 MUST_BE_UNDEF(pkcs11_id);
2839 MUST_BE_UNDEF(pkcs11_id_management);
2840 #endif
2841
2842 if (pull)
2843 {
2844 msg(M_USAGE, err, "--pull");
2845 }
2846 }
2847 #undef MUST_BE_UNDEF
2848
2849 if (options->auth_user_pass_file && !options->pull)
2850 {
2851 msg(M_USAGE, "--auth-user-pass requires --pull");
2852 }
2853
2854 uninit_options(&defaults);
2855 }
2856
2857 static void
options_postprocess_mutate_ce(struct options * o,struct connection_entry * ce)2858 options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
2859 {
2860 const int dev = dev_type_enum(o->dev, o->dev_type);
2861
2862 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
2863 {
2864 if (ce->proto == PROTO_TCP)
2865 {
2866 ce->proto = PROTO_TCP_SERVER;
2867 }
2868 }
2869
2870 if (o->client)
2871 {
2872 if (ce->proto == PROTO_TCP)
2873 {
2874 ce->proto = PROTO_TCP_CLIENT;
2875 }
2876 }
2877
2878 if (ce->proto == PROTO_TCP_CLIENT && !ce->local
2879 && !ce->local_port_defined && !ce->bind_defined)
2880 {
2881 ce->bind_local = false;
2882 }
2883
2884 if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local
2885 && !ce->local_port_defined && !ce->bind_defined)
2886 {
2887 ce->bind_local = false;
2888 }
2889
2890 if (!ce->bind_local)
2891 {
2892 ce->local_port = NULL;
2893 }
2894
2895 /* if protocol forcing is enabled, disable all protocols
2896 * except for the forced one
2897 */
2898 if (o->proto_force >= 0 && o->proto_force != ce->proto)
2899 {
2900 ce->flags |= CE_DISABLED;
2901 }
2902
2903 /*
2904 * If --mssfix is supplied without a parameter, default
2905 * it to --fragment value, if --fragment is specified.
2906 */
2907 if (o->ce.mssfix_default)
2908 {
2909 #ifdef ENABLE_FRAGMENT
2910 if (ce->fragment)
2911 {
2912 ce->mssfix = ce->fragment;
2913 }
2914 #else
2915 msg(M_USAGE, "--mssfix must specify a parameter");
2916 #endif
2917 }
2918
2919 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
2920 * so fall back to IPv4-only (trac #1221)
2921 */
2922 if (ce->socks_proxy_server && proto_is_udp(ce->proto) && ce->af != AF_INET)
2923 {
2924 if (ce->af == AF_INET6)
2925 {
2926 msg(M_INFO, "WARNING: '--proto udp6' is not compatible with "
2927 "'--socks-proxy' today. Forcing IPv4 mode." );
2928 }
2929 else
2930 {
2931 msg(M_INFO, "NOTICE: dual-stack mode for '--proto udp' does not "
2932 "work correctly with '--socks-proxy' today. Forcing IPv4." );
2933 }
2934 ce->af = AF_INET;
2935 }
2936
2937 /*
2938 * Set MTU defaults
2939 */
2940 {
2941 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
2942 {
2943 ce->tun_mtu_defined = true;
2944 }
2945 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
2946 {
2947 ce->tun_mtu_extra_defined = true;
2948 ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
2949 }
2950 }
2951
2952 /*
2953 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
2954 *
2955 * At the end only one of these will be really set because the parser
2956 * logic prevents configurations where more are set.
2957 */
2958 if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file)
2959 {
2960 ce->tls_auth_file = o->tls_auth_file;
2961 ce->tls_auth_file_inline = o->tls_auth_file_inline;
2962 ce->key_direction = o->key_direction;
2963
2964 ce->tls_crypt_file = o->tls_crypt_file;
2965 ce->tls_crypt_file_inline = o->tls_crypt_file_inline;
2966
2967 ce->tls_crypt_v2_file = o->tls_crypt_v2_file;
2968 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
2969 }
2970
2971 /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
2972 * keys were not already embedded in the config file.
2973 */
2974 if (o->persist_key)
2975 {
2976 connection_entry_preload_key(&ce->tls_auth_file,
2977 &ce->tls_auth_file_inline, &o->gc);
2978 connection_entry_preload_key(&ce->tls_crypt_file,
2979 &ce->tls_crypt_file_inline, &o->gc);
2980 connection_entry_preload_key(&ce->tls_crypt_v2_file,
2981 &ce->tls_crypt_v2_file_inline, &o->gc);
2982 }
2983 }
2984
2985 #ifdef _WIN32
2986 /* If iservice is in use, we need def1 method for redirect-gateway */
2987 static void
remap_redirect_gateway_flags(struct options * opt)2988 remap_redirect_gateway_flags(struct options *opt)
2989 {
2990 if (opt->routes
2991 && opt->route_method == ROUTE_METHOD_SERVICE
2992 && opt->routes->flags & RG_REROUTE_GW
2993 && !(opt->routes->flags & RG_DEF1))
2994 {
2995 msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
2996 opt->routes->flags |= RG_DEF1;
2997 }
2998 }
2999 #endif
3000
3001 static void
options_postprocess_mutate_invariant(struct options * options)3002 options_postprocess_mutate_invariant(struct options *options)
3003 {
3004 #ifdef _WIN32
3005 const int dev = dev_type_enum(options->dev, options->dev_type);
3006
3007 /* when using wintun, kernel doesn't send DHCP requests, so don't use it */
3008 if (options->windows_driver == WINDOWS_DRIVER_WINTUN
3009 && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
3010 {
3011 options->tuntap_options.ip_win32_type = IPW32_SET_NETSH;
3012 }
3013
3014 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
3015 {
3016 /* delay may only be necessary when we perform DHCP handshake */
3017 const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ)
3018 || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE);
3019 if ((options->mode == MODE_POINT_TO_POINT) && dhcp)
3020 {
3021 options->route_delay_defined = true;
3022 options->route_delay = 5; /* Vista sometimes has a race without this */
3023 }
3024 }
3025
3026 if (options->ifconfig_noexec)
3027 {
3028 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
3029 options->ifconfig_noexec = false;
3030 }
3031
3032 remap_redirect_gateway_flags(options);
3033
3034 /*
3035 * Check consistency of --mode server options.
3036 */
3037 if (options->mode == MODE_SERVER)
3038 {
3039 /*
3040 * We need to explicitly set --tap-sleep because
3041 * we do not schedule event timers in the top-level context.
3042 */
3043 options->tuntap_options.tap_sleep = 10;
3044 if (options->route_delay_defined && options->route_delay)
3045 {
3046 options->tuntap_options.tap_sleep = options->route_delay;
3047 }
3048 options->route_delay_defined = false;
3049 }
3050 #endif /* ifdef _WIN32 */
3051
3052 #ifdef DEFAULT_PKCS11_MODULE
3053 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3054 * by default if the user asks for PKCS#11 without otherwise specifying
3055 * the module to use. */
3056 if (!options->pkcs11_providers[0]
3057 && (options->pkcs11_id || options->pkcs11_id_management))
3058 {
3059 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3060 }
3061 #endif
3062 }
3063
3064 static void
options_postprocess_verify(const struct options * o)3065 options_postprocess_verify(const struct options *o)
3066 {
3067 if (o->connection_list)
3068 {
3069 int i;
3070 for (i = 0; i < o->connection_list->len; ++i)
3071 {
3072 options_postprocess_verify_ce(o, o->connection_list->array[i]);
3073 }
3074 }
3075 else
3076 {
3077 options_postprocess_verify_ce(o, &o->ce);
3078 }
3079 }
3080
3081 static void
options_postprocess_cipher(struct options * o)3082 options_postprocess_cipher(struct options *o)
3083 {
3084 if (!o->pull && !(o->mode == MODE_SERVER))
3085 {
3086 /* we are in the classic P2P mode */
3087 o->ncp_enabled = false;
3088 msg( M_WARN, "Cipher negotiation is disabled since neither "
3089 "P2MP client nor server mode is enabled");
3090
3091 /* If the cipher is not set, use the old default of BF-CBC. We will
3092 * warn that this is deprecated on cipher initialisation, no need
3093 * to warn here as well */
3094 if (!o->ciphername)
3095 {
3096 o->ciphername = "BF-CBC";
3097 }
3098 return;
3099 }
3100
3101 /* pull or P2MP mode */
3102 if (!o->ciphername)
3103 {
3104 if (!o->ncp_enabled)
3105 {
3106 msg(M_USAGE, "--ncp-disable needs an explicit --cipher or "
3107 "--data-ciphers-fallback config option");
3108 }
3109
3110 msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to "
3111 "BF-CBC as fallback when cipher negotiation failed in this case. "
3112 "If you need this fallback please add '--data-ciphers-fallback "
3113 "BF-CBC' to your configuration and/or add BF-CBC to "
3114 "--data-ciphers.");
3115
3116 /* We still need to set the ciphername to BF-CBC since various other
3117 * parts of OpenVPN assert that the ciphername is set */
3118 o->ciphername = "BF-CBC";
3119 }
3120 else if (!o->enable_ncp_fallback
3121 && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
3122 {
3123 msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in"
3124 " --data-ciphers (%s). Future OpenVPN version will "
3125 "ignore --cipher for cipher negotiations. "
3126 "Add '%s' to --data-ciphers or change --cipher '%s' to "
3127 "--data-ciphers-fallback '%s' to silence this warning.",
3128 o->ciphername, o->ncp_ciphers, o->ciphername,
3129 o->ciphername, o->ciphername);
3130 o->enable_ncp_fallback = true;
3131
3132 /* Append the --cipher to ncp_ciphers to allow it in NCP */
3133 size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(o->ciphername) + 1;
3134 char *ncp_ciphers = gc_malloc(newlen, false, &o->gc);
3135
3136 ASSERT(openvpn_snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers,
3137 o->ciphername));
3138 o->ncp_ciphers = ncp_ciphers;
3139 }
3140 }
3141
3142 static void
options_postprocess_mutate(struct options * o)3143 options_postprocess_mutate(struct options *o)
3144 {
3145 int i;
3146 /*
3147 * Process helper-type options which map to other, more complex
3148 * sequences of options.
3149 */
3150 helper_client_server(o);
3151 helper_keepalive(o);
3152 helper_tcp_nodelay(o);
3153
3154 options_postprocess_cipher(o);
3155 options_postprocess_mutate_invariant(o);
3156
3157 if (o->ncp_enabled)
3158 {
3159 o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc);
3160 if (o->ncp_ciphers == NULL)
3161 {
3162 msg(M_USAGE, "NCP cipher list contains unsupported ciphers or is too long.");
3163 }
3164 }
3165
3166 if (o->remote_list && !o->connection_list)
3167 {
3168 /*
3169 * Convert remotes into connection list
3170 */
3171 const struct remote_list *rl = o->remote_list;
3172 for (i = 0; i < rl->len; ++i)
3173 {
3174 const struct remote_entry *re = rl->array[i];
3175 struct connection_entry ce = o->ce;
3176 struct connection_entry *ace;
3177
3178 ASSERT(re->remote);
3179 connection_entry_load_re(&ce, re);
3180 ace = alloc_connection_entry(o, M_USAGE);
3181 ASSERT(ace);
3182 *ace = ce;
3183 }
3184 }
3185 else if (!o->remote_list && !o->connection_list)
3186 {
3187 struct connection_entry *ace;
3188 ace = alloc_connection_entry(o, M_USAGE);
3189 ASSERT(ace);
3190 *ace = o->ce;
3191 }
3192
3193 ASSERT(o->connection_list);
3194 for (i = 0; i < o->connection_list->len; ++i)
3195 {
3196 options_postprocess_mutate_ce(o, o->connection_list->array[i]);
3197 }
3198
3199 if (o->tls_server)
3200 {
3201 /* Check that DH file is specified, or explicitly disabled */
3202 notnull(o->dh_file, "DH file (--dh)");
3203 if (streq(o->dh_file, "none"))
3204 {
3205 o->dh_file = NULL;
3206 }
3207 }
3208 else if (o->dh_file)
3209 {
3210 /* DH file is only meaningful in a tls-server context. */
3211 msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3212 "include this in your server configuration");
3213 o->dh_file = NULL;
3214 }
3215 #if ENABLE_MANAGEMENT
3216 if (o->http_proxy_override)
3217 {
3218 options_postprocess_http_proxy_override(o);
3219 }
3220 #endif
3221 if (!o->ca_file && !o->ca_path && o->verify_hash
3222 && o->verify_hash_depth == 0)
3223 {
3224 msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
3225 "option set). ");
3226 o->verify_hash_no_ca = true;
3227 }
3228
3229 /*
3230 * Save certain parms before modifying options during connect, especially
3231 * when using --pull
3232 */
3233 pre_connect_save(o);
3234 }
3235
3236 /*
3237 * Check file/directory sanity
3238 *
3239 */
3240 #ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */
3241
3242 #define CHKACC_FILE (1<<0) /** Check for a file/directory presence */
3243 #define CHKACC_DIRPATH (1<<1) /** Check for directory presence where a file should reside */
3244 #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */
3245 #define CHKACC_ACPTSTDIN (1<<3) /** If filename is stdin, it's allowed and "exists" */
3246 #define CHKACC_PRIVATE (1<<4) /** Warn if this (private) file is group/others accessible */
3247
3248 static bool
check_file_access(const int type,const char * file,const int mode,const char * opt)3249 check_file_access(const int type, const char *file, const int mode, const char *opt)
3250 {
3251 int errcode = 0;
3252
3253 /* If no file configured, no errors to look for */
3254 if (!file)
3255 {
3256 return false;
3257 }
3258
3259 /* If stdin is allowed and the file name is 'stdin', then do no
3260 * further checks as stdin is always available
3261 */
3262 if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
3263 {
3264 return false;
3265 }
3266
3267 /* Is the directory path leading to the given file accessible? */
3268 if (type & CHKACC_DIRPATH)
3269 {
3270 char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */
3271 char *dirpath = dirname(fullpath);
3272
3273 if (platform_access(dirpath, mode|X_OK) != 0)
3274 {
3275 errcode = errno;
3276 }
3277 free(fullpath);
3278 }
3279
3280 /* Is the file itself accessible? */
3281 if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
3282 {
3283 errcode = errno;
3284 }
3285
3286 /* If the file exists and is accessible, is it writable? */
3287 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
3288 {
3289 if (platform_access(file, W_OK) != 0)
3290 {
3291 errcode = errno;
3292 }
3293 }
3294
3295 /* Warn if a given private file is group/others accessible. */
3296 if (type & CHKACC_PRIVATE)
3297 {
3298 platform_stat_t st;
3299 if (platform_stat(file, &st))
3300 {
3301 msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
3302 }
3303 #ifndef _WIN32
3304 else
3305 {
3306 if (st.st_mode & (S_IRWXG|S_IRWXO))
3307 {
3308 msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
3309 }
3310 }
3311 #endif
3312 }
3313
3314 /* Scream if an error is found */
3315 if (errcode > 0)
3316 {
3317 msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file);
3318 }
3319
3320 /* Return true if an error occurred */
3321 return (errcode != 0 ? true : false);
3322 }
3323
3324 /* A wrapper for check_file_access() which also takes a chroot directory.
3325 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3326 * otherwise it will look for the file inside the given chroot directory instead.
3327 */
3328 static bool
check_file_access_chroot(const char * chroot,const int type,const char * file,const int mode,const char * opt)3329 check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
3330 {
3331 bool ret = false;
3332
3333 /* If no file configured, no errors to look for */
3334 if (!file)
3335 {
3336 return false;
3337 }
3338
3339 /* If chroot is set, look for the file/directory inside the chroot */
3340 if (chroot)
3341 {
3342 struct gc_arena gc = gc_new();
3343 struct buffer chroot_file;
3344
3345 chroot_file = prepend_dir(chroot, file, &gc);
3346 ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
3347 gc_free(&gc);
3348 }
3349 else
3350 {
3351 /* No chroot in play, just call core file check function */
3352 ret = check_file_access(type, file, mode, opt);
3353 }
3354 return ret;
3355 }
3356
3357 /**
3358 * A wrapper for check_file_access_chroot() that returns false immediately if
3359 * the file is inline (and therefore there is no access to check)
3360 */
3361 static bool
check_file_access_chroot_inline(bool is_inline,const char * chroot,const int type,const char * file,const int mode,const char * opt)3362 check_file_access_chroot_inline(bool is_inline, const char *chroot,
3363 const int type, const char *file,
3364 const int mode, const char *opt)
3365 {
3366 if (is_inline)
3367 {
3368 return false;
3369 }
3370
3371 return check_file_access_chroot(chroot, type, file, mode, opt);
3372 }
3373
3374 /**
3375 * A wrapper for check_file_access() that returns false immediately if the file
3376 * is inline (and therefore there is no access to check)
3377 */
3378 static bool
check_file_access_inline(bool is_inline,const int type,const char * file,const int mode,const char * opt)3379 check_file_access_inline(bool is_inline, const int type, const char *file,
3380 const int mode, const char *opt)
3381 {
3382 if (is_inline)
3383 {
3384 return false;
3385 }
3386
3387 return check_file_access(type, file, mode, opt);
3388 }
3389
3390 /*
3391 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3392 * valid file with appropriate permissions.
3393 *
3394 * "command" consists of a path, optionally followed by a space, which may be
3395 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3396 * performed.
3397 *
3398 * The path and arguments in "command" may be single- or double-quoted or escaped.
3399 *
3400 * The path is extracted from "command", then check_file_access() is called to check it. The
3401 * arguments, if any, are ignored.
3402 *
3403 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3404 * check_file_access() arguments.
3405 */
3406 static bool
check_cmd_access(const char * command,const char * opt,const char * chroot)3407 check_cmd_access(const char *command, const char *opt, const char *chroot)
3408 {
3409 struct argv argv;
3410 bool return_code;
3411
3412 /* If no command was set, there are no errors to look for */
3413 if (!command)
3414 {
3415 return false;
3416 }
3417
3418 /* Extract executable path and arguments */
3419 argv = argv_new();
3420 argv_parse_cmd(&argv, command);
3421
3422 /* if an executable is specified then check it; otherwise, complain */
3423 if (argv.argv[0])
3424 {
3425 /* Scripts requires R_OK as well, but that might fail on binaries which
3426 * only requires X_OK to function on Unix - a scenario not unlikely to
3427 * be seen on suid binaries.
3428 */
3429 return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
3430 }
3431 else
3432 {
3433 msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
3434 opt, command);
3435 return_code = true;
3436 }
3437
3438 argv_free(&argv);
3439
3440 return return_code;
3441 }
3442
3443 /*
3444 * Sanity check of all file/dir options. Checks that file/dir
3445 * is accessible by OpenVPN
3446 */
3447 static void
options_postprocess_filechecks(struct options * options)3448 options_postprocess_filechecks(struct options *options)
3449 {
3450 bool errs = false;
3451
3452 /* ** SSL/TLS/crypto related files ** */
3453 errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
3454 options->dh_file, R_OK, "--dh");
3455
3456 if (!options->verify_hash_no_ca)
3457 {
3458 errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
3459 options->ca_file, R_OK, "--ca");
3460 }
3461
3462 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
3463 options->ca_path, R_OK, "--capath");
3464
3465 errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE,
3466 options->cert_file, R_OK, "--cert");
3467
3468 errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE,
3469 options->extra_certs_file, R_OK,
3470 "--extra-certs");
3471
3472 #ifdef ENABLE_MANAGMENT
3473 if (!(options->management_flags & MF_EXTERNAL_KEY))
3474 #endif
3475 {
3476 errs |= check_file_access_inline(options->priv_key_file_inline,
3477 CHKACC_FILE|CHKACC_PRIVATE,
3478 options->priv_key_file, R_OK, "--key");
3479 }
3480
3481 errs |= check_file_access_inline(options->pkcs12_file_inline,
3482 CHKACC_FILE|CHKACC_PRIVATE,
3483 options->pkcs12_file, R_OK, "--pkcs12");
3484
3485 if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
3486 {
3487 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
3488 options->crl_file, R_OK|X_OK,
3489 "--crl-verify directory");
3490 }
3491 else
3492 {
3493 errs |= check_file_access_chroot_inline(options->crl_file_inline,
3494 options->chroot_dir,
3495 CHKACC_FILE, options->crl_file,
3496 R_OK, "--crl-verify");
3497 }
3498
3499 ASSERT(options->connection_list);
3500 for (int i = 0; i < options->connection_list->len; ++i)
3501 {
3502 struct connection_entry *ce = options->connection_list->array[i];
3503
3504 errs |= check_file_access_inline(ce->tls_auth_file_inline,
3505 CHKACC_FILE|CHKACC_PRIVATE,
3506 ce->tls_auth_file, R_OK,
3507 "--tls-auth");
3508 errs |= check_file_access_inline(ce->tls_crypt_file_inline,
3509 CHKACC_FILE|CHKACC_PRIVATE,
3510 ce->tls_crypt_file, R_OK,
3511 "--tls-crypt");
3512 errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline,
3513 CHKACC_FILE|CHKACC_PRIVATE,
3514 ce->tls_crypt_v2_file, R_OK,
3515 "--tls-crypt-v2");
3516 }
3517
3518 errs |= check_file_access_inline(options->shared_secret_file_inline,
3519 CHKACC_FILE|CHKACC_PRIVATE,
3520 options->shared_secret_file, R_OK,
3521 "--secret");
3522
3523 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
3524 options->packet_id_file, R_OK|W_OK, "--replay-persist");
3525
3526 /* ** Password files ** */
3527 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
3528 options->key_pass_file, R_OK, "--askpass");
3529 #ifdef ENABLE_MANAGEMENT
3530 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
3531 options->management_user_pass, R_OK,
3532 "--management user/password file");
3533 #endif /* ENABLE_MANAGEMENT */
3534 errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
3535 options->auth_user_pass_file, R_OK,
3536 "--auth-user-pass");
3537 /* ** System related ** */
3538 errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
3539 R_OK|X_OK, "--chroot directory");
3540 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
3541 R_OK|W_OK, "--writepid");
3542
3543 /* ** Log related ** */
3544 errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
3545 R_OK|W_OK, "--status");
3546
3547 /* ** Config related ** */
3548 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
3549 R_OK|W_OK|X_OK, "--tls-export-cert");
3550 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
3551 R_OK|X_OK, "--client-config-dir");
3552 errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
3553 R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
3554
3555 if (errs)
3556 {
3557 msg(M_USAGE, "Please correct these errors.");
3558 }
3559 }
3560 #endif /* !ENABLE_SMALL */
3561
3562 /*
3563 * Sanity check on options.
3564 * Also set some options based on other
3565 * options.
3566 */
3567 void
options_postprocess(struct options * options)3568 options_postprocess(struct options *options)
3569 {
3570 options_postprocess_mutate(options);
3571 options_postprocess_verify(options);
3572 #ifndef ENABLE_SMALL
3573 options_postprocess_filechecks(options);
3574 #endif /* !ENABLE_SMALL */
3575 }
3576
3577 /*
3578 * Save/Restore certain option defaults before --pull is applied.
3579 */
3580
3581 void
pre_connect_save(struct options * o)3582 pre_connect_save(struct options *o)
3583 {
3584 ALLOC_OBJ_CLEAR_GC(o->pre_connect, struct options_pre_connect, &o->gc);
3585 o->pre_connect->tuntap_options = o->tuntap_options;
3586 o->pre_connect->tuntap_options_defined = true;
3587 o->pre_connect->foreign_option_index = o->foreign_option_index;
3588
3589 if (o->routes)
3590 {
3591 o->pre_connect->routes = clone_route_option_list(o->routes, &o->gc);
3592 o->pre_connect->routes_defined = true;
3593 }
3594 if (o->routes_ipv6)
3595 {
3596 o->pre_connect->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
3597 o->pre_connect->routes_ipv6_defined = true;
3598 }
3599 if (o->client_nat)
3600 {
3601 o->pre_connect->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
3602 o->pre_connect->client_nat_defined = true;
3603 }
3604
3605 o->pre_connect->route_default_gateway = o->route_default_gateway;
3606 o->pre_connect->route_ipv6_default_gateway = o->route_ipv6_default_gateway;
3607
3608 /* NCP related options that can be overwritten by a push */
3609 o->pre_connect->ciphername = o->ciphername;
3610 o->pre_connect->authname = o->authname;
3611
3612 /* Ping related options should be reset to the config values on reconnect */
3613 o->pre_connect->ping_rec_timeout = o->ping_rec_timeout;
3614 o->pre_connect->ping_rec_timeout_action = o->ping_rec_timeout_action;
3615 o->pre_connect->ping_send_timeout = o->ping_send_timeout;
3616
3617 /* Miscellaneous Options */
3618 #ifdef USE_COMP
3619 o->pre_connect->comp = o->comp;
3620 #endif
3621 }
3622
3623 void
pre_connect_restore(struct options * o,struct gc_arena * gc)3624 pre_connect_restore(struct options *o, struct gc_arena *gc)
3625 {
3626 const struct options_pre_connect *pp = o->pre_connect;
3627 if (pp)
3628 {
3629 CLEAR(o->tuntap_options);
3630 if (pp->tuntap_options_defined)
3631 {
3632 o->tuntap_options = pp->tuntap_options;
3633 }
3634
3635 if (pp->routes_defined)
3636 {
3637 rol_check_alloc(o);
3638 copy_route_option_list(o->routes, pp->routes, gc);
3639 }
3640 else
3641 {
3642 o->routes = NULL;
3643 }
3644
3645 if (pp->routes_ipv6_defined)
3646 {
3647 rol6_check_alloc(o);
3648 copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
3649 }
3650 else
3651 {
3652 o->routes_ipv6 = NULL;
3653 }
3654
3655 o->route_default_gateway = pp->route_default_gateway;
3656 o->route_ipv6_default_gateway = pp->route_ipv6_default_gateway;
3657
3658 if (pp->client_nat_defined)
3659 {
3660 cnol_check_alloc(o);
3661 copy_client_nat_option_list(o->client_nat, pp->client_nat);
3662 }
3663 else
3664 {
3665 o->client_nat = NULL;
3666 }
3667
3668 o->foreign_option_index = pp->foreign_option_index;
3669
3670 o->ciphername = pp->ciphername;
3671 o->authname = pp->authname;
3672
3673 o->ping_rec_timeout = pp->ping_rec_timeout;
3674 o->ping_rec_timeout_action = pp->ping_rec_timeout_action;
3675 o->ping_send_timeout = pp->ping_send_timeout;
3676
3677 /* Miscellaneous Options */
3678 #ifdef USE_COMP
3679 o->comp = pp->comp;
3680 #endif
3681 }
3682
3683 o->push_continuation = 0;
3684 o->push_option_types_found = 0;
3685 o->data_channel_crypto_flags = 0;
3686 }
3687
3688 /**
3689 * Calculate the link-mtu to advertise to our peer. The actual value is not
3690 * relevant, because we will possibly perform data channel cipher negotiation
3691 * after this, but older clients will log warnings if we do not supply them the
3692 * value they expect. This assumes that the traditional cipher/auth directives
3693 * in the config match the config of the peer.
3694 */
3695 static size_t
calc_options_string_link_mtu(const struct options * o,const struct frame * frame)3696 calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
3697 {
3698 size_t link_mtu = EXPANDED_SIZE(frame);
3699
3700 if (o->pull || o->mode == MODE_SERVER)
3701 {
3702 struct frame fake_frame = *frame;
3703 struct key_type fake_kt;
3704
3705 frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead());
3706
3707
3708 /* o->ciphername might be BF-CBC even though the underlying SSL library
3709 * does not support it. For this reason we workaround this corner case
3710 * by pretending to have no encryption enabled and by manually adding
3711 * the required packet overhead to the MTU computation.
3712 */
3713 const char* ciphername = o->ciphername;
3714
3715 if (strcmp(o->ciphername, "BF-CBC") == 0)
3716 {
3717 /* none has no overhead, so use this to later add only --auth
3718 * overhead */
3719
3720 /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
3721 frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
3722 }
3723
3724 init_key_type(&fake_kt, ciphername, o->authname, true, false);
3725
3726 crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay,
3727 cipher_kt_mode_ofb_cfb(fake_kt.cipher));
3728 frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
3729 o->ce.tun_mtu_defined, o->ce.tun_mtu);
3730 msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu,
3731 EXPANDED_SIZE(&fake_frame));
3732 link_mtu = EXPANDED_SIZE(&fake_frame);
3733 }
3734 return link_mtu;
3735 }
3736 /*
3737 * Build an options string to represent data channel encryption options.
3738 * This string must match exactly between peers. The keysize is checked
3739 * separately by read_key().
3740 *
3741 * The following options must match on both peers:
3742 *
3743 * Tunnel options:
3744 *
3745 * --dev tun|tap [unit number need not match]
3746 * --dev-type tun|tap
3747 * --link-mtu
3748 * --udp-mtu
3749 * --tun-mtu
3750 * --proto udp
3751 * --proto tcp-client [matched with --proto tcp-server
3752 * on the other end of the connection]
3753 * --proto tcp-server [matched with --proto tcp-client on
3754 * the other end of the connection]
3755 * --tun-ipv6
3756 * --ifconfig x y [matched with --ifconfig y x on
3757 * the other end of the connection]
3758 *
3759 * --comp-lzo
3760 * --compress alg
3761 * --fragment
3762 *
3763 * Crypto Options:
3764 *
3765 * --cipher
3766 * --auth
3767 * --keysize
3768 * --secret
3769 * --no-replay
3770 *
3771 * SSL Options:
3772 *
3773 * --tls-auth
3774 * --tls-client [matched with --tls-server on
3775 * the other end of the connection]
3776 * --tls-server [matched with --tls-client on
3777 * the other end of the connection]
3778 */
3779 char *
options_string(const struct options * o,const struct frame * frame,struct tuntap * tt,openvpn_net_ctx_t * ctx,bool remote,struct gc_arena * gc)3780 options_string(const struct options *o,
3781 const struct frame *frame,
3782 struct tuntap *tt,
3783 openvpn_net_ctx_t *ctx,
3784 bool remote,
3785 struct gc_arena *gc)
3786 {
3787 struct buffer out = alloc_buf(OPTION_LINE_SIZE);
3788 bool tt_local = false;
3789
3790 buf_printf(&out, "V4");
3791
3792 /*
3793 * Tunnel Options
3794 */
3795
3796 buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
3797 /* the link-mtu that we send has only a meaning if have a fixed
3798 * cipher (p2p) or have a fallback cipher configured for older non
3799 * ncp clients. But not sending it will make even 2.4 complain
3800 * about it being missing. So still send it. */
3801 buf_printf(&out, ",link-mtu %u",
3802 (unsigned int) calc_options_string_link_mtu(o, frame));
3803
3804 buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame));
3805 buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
3806
3807 bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o);
3808 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
3809 * is usually pushed by the server, triggering a non-helpful warning
3810 */
3811 if (o->ifconfig_ipv6_local && p2p_nopull)
3812 {
3813 buf_printf(&out, ",tun-ipv6");
3814 }
3815
3816 /*
3817 * Try to get ifconfig parameters into the options string.
3818 * If tt is undefined, make a temporary instantiation.
3819 */
3820 if (!tt)
3821 {
3822 tt = init_tun(o->dev,
3823 o->dev_type,
3824 o->topology,
3825 o->ifconfig_local,
3826 o->ifconfig_remote_netmask,
3827 o->ifconfig_ipv6_local,
3828 o->ifconfig_ipv6_netbits,
3829 o->ifconfig_ipv6_remote,
3830 NULL,
3831 NULL,
3832 false,
3833 NULL,
3834 ctx);
3835 if (tt)
3836 {
3837 tt_local = true;
3838 }
3839 }
3840
3841 if (tt && p2p_nopull)
3842 {
3843 const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
3844 if (ios && strlen(ios))
3845 {
3846 buf_printf(&out, ",ifconfig %s", ios);
3847 }
3848 }
3849 if (tt_local)
3850 {
3851 free(tt);
3852 tt = NULL;
3853 }
3854
3855 #ifdef USE_COMP
3856 if (o->comp.alg != COMP_ALG_UNDEF)
3857 {
3858 buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
3859 }
3860 #endif
3861
3862 #ifdef ENABLE_FRAGMENT
3863 if (o->ce.fragment)
3864 {
3865 buf_printf(&out, ",mtu-dynamic");
3866 }
3867 #endif
3868
3869 #define TLS_CLIENT (o->tls_client)
3870 #define TLS_SERVER (o->tls_server)
3871
3872 /*
3873 * Key direction
3874 */
3875 {
3876 const char *kd = keydirection2ascii(o->key_direction, remote, false);
3877 if (kd)
3878 {
3879 buf_printf(&out, ",keydir %s", kd);
3880 }
3881 }
3882
3883 /*
3884 * Crypto Options
3885 */
3886 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
3887 {
3888 struct key_type kt;
3889
3890 ASSERT((o->shared_secret_file != NULL)
3891 + (TLS_CLIENT == true)
3892 + (TLS_SERVER == true)
3893 <= 1);
3894
3895 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
3896 * to work here in the default configuration */
3897 const char *ciphername = o->ciphername;
3898 int keysize;
3899
3900 if (strcmp(o->ciphername, "BF-CBC") == 0)
3901 {
3902 init_key_type(&kt, "none", o->authname, true, false);
3903 keysize = 128;
3904 }
3905 else
3906 {
3907 init_key_type(&kt, o->ciphername, o->authname, true, false);
3908 ciphername = cipher_kt_name(kt.cipher);
3909 keysize = kt.cipher_length * 8;
3910 }
3911 /* Only announce the cipher to our peer if we are willing to
3912 * support it */
3913 if (p2p_nopull || !o->ncp_enabled
3914 || tls_item_in_cipher_list(ciphername, o->ncp_ciphers))
3915 {
3916 buf_printf(&out, ",cipher %s", ciphername);
3917 }
3918 buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
3919 buf_printf(&out, ",keysize %d", keysize);
3920 if (o->shared_secret_file)
3921 {
3922 buf_printf(&out, ",secret");
3923 }
3924 if (!o->replay)
3925 {
3926 buf_printf(&out, ",no-replay");
3927 }
3928
3929 #ifdef ENABLE_PREDICTION_RESISTANCE
3930 if (o->use_prediction_resistance)
3931 {
3932 buf_printf(&out, ",use-prediction-resistance");
3933 }
3934 #endif
3935 }
3936
3937 /*
3938 * SSL Options
3939 */
3940 {
3941 if (TLS_CLIENT || TLS_SERVER)
3942 {
3943 if (o->ce.tls_auth_file)
3944 {
3945 buf_printf(&out, ",tls-auth");
3946 }
3947 /* Not adding tls-crypt here, because we won't reach this code if
3948 * tls-auth/tls-crypt does not match. Removing tls-auth here would
3949 * break stuff, so leaving that in place. */
3950
3951 buf_printf(&out, ",key-method %d", KEY_METHOD_2);
3952 }
3953
3954 if (remote)
3955 {
3956 if (TLS_CLIENT)
3957 {
3958 buf_printf(&out, ",tls-server");
3959 }
3960 else if (TLS_SERVER)
3961 {
3962 buf_printf(&out, ",tls-client");
3963 }
3964 }
3965 else
3966 {
3967 if (TLS_CLIENT)
3968 {
3969 buf_printf(&out, ",tls-client");
3970 }
3971 else if (TLS_SERVER)
3972 {
3973 buf_printf(&out, ",tls-server");
3974 }
3975 }
3976 }
3977
3978 #undef TLS_CLIENT
3979 #undef TLS_SERVER
3980
3981 return BSTR(&out);
3982 }
3983
3984 /*
3985 * Compare option strings for equality.
3986 * If the first two chars of the strings differ, it means that
3987 * we are looking at different versions of the options string,
3988 * therefore don't compare them and return true.
3989 */
3990
3991 bool
options_cmp_equal(char * actual,const char * expected)3992 options_cmp_equal(char *actual, const char *expected)
3993 {
3994 return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
3995 }
3996
3997 void
options_warning(char * actual,const char * expected)3998 options_warning(char *actual, const char *expected)
3999 {
4000 options_warning_safe(actual, expected, strlen(actual) + 1);
4001 }
4002
4003 static const char *
options_warning_extract_parm1(const char * option_string,struct gc_arena * gc_ret)4004 options_warning_extract_parm1(const char *option_string,
4005 struct gc_arena *gc_ret)
4006 {
4007 struct gc_arena gc = gc_new();
4008 struct buffer b = string_alloc_buf(option_string, &gc);
4009 char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4010 const char *ret;
4011
4012 buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
4013 ret = string_alloc(p, gc_ret);
4014 gc_free(&gc);
4015 return ret;
4016 }
4017
4018 static void
options_warning_safe_scan2(const int msglevel,const int delim,const bool report_inconsistent,const char * p1,const struct buffer * b2_src,const char * b1_name,const char * b2_name)4019 options_warning_safe_scan2(const int msglevel,
4020 const int delim,
4021 const bool report_inconsistent,
4022 const char *p1,
4023 const struct buffer *b2_src,
4024 const char *b1_name,
4025 const char *b2_name)
4026 {
4027 /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
4028 * OCC in a future version (because it's not useful). To reduce questions
4029 * when interoperating, we no longer printing a warning about it.
4030 */
4031 if (strprefix(p1, "key-method ")
4032 || strprefix(p1, "keydir ")
4033 || strprefix(p1, "proto ")
4034 || streq(p1, "tls-auth")
4035 || strprefix(p1, "tun-ipv6")
4036 || strprefix(p1, "cipher "))
4037 {
4038 return;
4039 }
4040
4041 if (strlen(p1) > 0)
4042 {
4043 struct gc_arena gc = gc_new();
4044 struct buffer b2 = *b2_src;
4045 const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
4046 char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
4047
4048 while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
4049 {
4050 if (strlen(p2))
4051 {
4052 const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
4053
4054 if (!strcmp(p1, p2))
4055 {
4056 goto done;
4057 }
4058 if (!strcmp(p1_prefix, p2_prefix))
4059 {
4060 if (report_inconsistent)
4061 {
4062 msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4063 safe_print(p1_prefix, &gc),
4064 b1_name,
4065 safe_print(p1, &gc),
4066 b2_name,
4067 safe_print(p2, &gc));
4068 }
4069 goto done;
4070 }
4071 }
4072 }
4073
4074 msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4075 safe_print(p1_prefix, &gc),
4076 b1_name,
4077 b2_name,
4078 b1_name,
4079 safe_print(p1, &gc));
4080
4081 done:
4082 gc_free(&gc);
4083 }
4084 }
4085
4086 static void
options_warning_safe_scan1(const int msglevel,const int delim,const bool report_inconsistent,const struct buffer * b1_src,const struct buffer * b2_src,const char * b1_name,const char * b2_name)4087 options_warning_safe_scan1(const int msglevel,
4088 const int delim,
4089 const bool report_inconsistent,
4090 const struct buffer *b1_src,
4091 const struct buffer *b2_src,
4092 const char *b1_name,
4093 const char *b2_name)
4094 {
4095 struct gc_arena gc = gc_new();
4096 struct buffer b = *b1_src;
4097 char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
4098
4099 while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
4100 {
4101 options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
4102 }
4103
4104 gc_free(&gc);
4105 }
4106
4107 static void
options_warning_safe_ml(const int msglevel,char * actual,const char * expected,size_t actual_n)4108 options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
4109 {
4110 struct gc_arena gc = gc_new();
4111
4112 if (actual_n > 0)
4113 {
4114 struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4115 struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
4116 actual[actual_n - 1] = 0;
4117
4118 buf_printf(&local, "version %s", expected);
4119 buf_printf(&remote, "version %s", actual);
4120
4121 options_warning_safe_scan1(msglevel, ',', true,
4122 &local, &remote,
4123 "local", "remote");
4124
4125 options_warning_safe_scan1(msglevel, ',', false,
4126 &remote, &local,
4127 "remote", "local");
4128 }
4129
4130 gc_free(&gc);
4131 }
4132
4133 bool
options_cmp_equal_safe(char * actual,const char * expected,size_t actual_n)4134 options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
4135 {
4136 struct gc_arena gc = gc_new();
4137 bool ret = true;
4138
4139 if (actual_n > 0)
4140 {
4141 actual[actual_n - 1] = 0;
4142 #ifndef ENABLE_STRICT_OPTIONS_CHECK
4143 if (strncmp(actual, expected, 2))
4144 {
4145 msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
4146 options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
4147 }
4148 else
4149 #endif
4150 ret = !strcmp(actual, expected);
4151 }
4152 gc_free(&gc);
4153 return ret;
4154 }
4155
4156 void
options_warning_safe(char * actual,const char * expected,size_t actual_n)4157 options_warning_safe(char *actual, const char *expected, size_t actual_n)
4158 {
4159 options_warning_safe_ml(M_WARN, actual, expected, actual_n);
4160 }
4161
4162 const char *
options_string_version(const char * s,struct gc_arena * gc)4163 options_string_version(const char *s, struct gc_arena *gc)
4164 {
4165 struct buffer out = alloc_buf_gc(4, gc);
4166 strncpynt((char *) BPTR(&out), s, 3);
4167 return BSTR(&out);
4168 }
4169
4170 char *
options_string_extract_option(const char * options_string,const char * opt_name,struct gc_arena * gc)4171 options_string_extract_option(const char *options_string,const char *opt_name,
4172 struct gc_arena *gc)
4173 {
4174 char *ret = NULL;
4175 const size_t opt_name_len = strlen(opt_name);
4176
4177 const char *p = options_string;
4178 while (p)
4179 {
4180 if (0 == strncmp(p, opt_name, opt_name_len)
4181 && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
4182 {
4183 /* option found, extract value */
4184 const char *start = &p[opt_name_len+1];
4185 const char *end = strchr(p, ',');
4186 size_t val_len = end ? end - start : strlen(start);
4187 ret = gc_malloc(val_len+1, true, gc);
4188 memcpy(ret, start, val_len);
4189 break;
4190 }
4191 p = strchr(p, ',');
4192 if (p)
4193 {
4194 p++; /* skip delimiter */
4195 }
4196 }
4197 return ret;
4198 }
4199
4200 static void
foreign_option(struct options * o,char * argv[],int len,struct env_set * es)4201 foreign_option(struct options *o, char *argv[], int len, struct env_set *es)
4202 {
4203 if (len > 0)
4204 {
4205 struct gc_arena gc = gc_new();
4206 struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
4207 struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
4208 int i;
4209 bool first = true;
4210 bool good = true;
4211
4212 good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
4213 ++o->foreign_option_index;
4214 for (i = 0; i < len; ++i)
4215 {
4216 if (argv[i])
4217 {
4218 if (!first)
4219 {
4220 good &= buf_printf(&value, " ");
4221 }
4222 good &= buf_printf(&value, "%s", argv[i]);
4223 first = false;
4224 }
4225 }
4226 if (good)
4227 {
4228 setenv_str(es, BSTR(&name), BSTR(&value));
4229 }
4230 else
4231 {
4232 msg(M_WARN, "foreign_option: name/value overflow");
4233 }
4234 gc_free(&gc);
4235 }
4236 }
4237
4238 #ifdef _WIN32
4239 /**
4240 * Parses --windows-driver config option
4241 *
4242 * @param str value of --windows-driver option
4243 * @param msglevel msglevel to report parsing error
4244 * @return enum windows_driver_type driver type, WINDOWS_DRIVER_UNSPECIFIED on unknown --windows-driver value
4245 */
4246 static enum windows_driver_type
parse_windows_driver(const char * str,const int msglevel)4247 parse_windows_driver(const char *str, const int msglevel)
4248 {
4249 if (streq(str, "tap-windows6"))
4250 {
4251 return WINDOWS_DRIVER_TAP_WINDOWS6;
4252 }
4253 else if (streq(str, "wintun"))
4254 {
4255 return WINDOWS_DRIVER_WINTUN;
4256 }
4257 else
4258 {
4259 msg(msglevel, "--windows-driver must be tap-windows6 or wintun");
4260 return WINDOWS_DRIVER_UNSPECIFIED;
4261 }
4262 }
4263 #endif
4264
4265 /*
4266 * parse/print topology coding
4267 */
4268
4269 int
parse_topology(const char * str,const int msglevel)4270 parse_topology(const char *str, const int msglevel)
4271 {
4272 if (streq(str, "net30"))
4273 {
4274 return TOP_NET30;
4275 }
4276 else if (streq(str, "p2p"))
4277 {
4278 return TOP_P2P;
4279 }
4280 else if (streq(str, "subnet"))
4281 {
4282 return TOP_SUBNET;
4283 }
4284 else
4285 {
4286 msg(msglevel, "--topology must be net30, p2p, or subnet");
4287 return TOP_UNDEF;
4288 }
4289 }
4290
4291 const char *
print_topology(const int topology)4292 print_topology(const int topology)
4293 {
4294 switch (topology)
4295 {
4296 case TOP_UNDEF:
4297 return "undef";
4298
4299 case TOP_NET30:
4300 return "net30";
4301
4302 case TOP_P2P:
4303 return "p2p";
4304
4305 case TOP_SUBNET:
4306 return "subnet";
4307
4308 default:
4309 return "unknown";
4310 }
4311 }
4312
4313 /*
4314 * Manage auth-retry variable
4315 */
4316
4317 static int global_auth_retry; /* GLOBAL */
4318
4319 int
auth_retry_get(void)4320 auth_retry_get(void)
4321 {
4322 return global_auth_retry;
4323 }
4324
4325 bool
auth_retry_set(const int msglevel,const char * option)4326 auth_retry_set(const int msglevel, const char *option)
4327 {
4328 if (streq(option, "interact"))
4329 {
4330 global_auth_retry = AR_INTERACT;
4331 }
4332 else if (streq(option, "nointeract"))
4333 {
4334 global_auth_retry = AR_NOINTERACT;
4335 }
4336 else if (streq(option, "none"))
4337 {
4338 global_auth_retry = AR_NONE;
4339 }
4340 else
4341 {
4342 msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
4343 return false;
4344 }
4345 return true;
4346 }
4347
4348 const char *
auth_retry_print(void)4349 auth_retry_print(void)
4350 {
4351 switch (global_auth_retry)
4352 {
4353 case AR_NONE:
4354 return "none";
4355
4356 case AR_NOINTERACT:
4357 return "nointeract";
4358
4359 case AR_INTERACT:
4360 return "interact";
4361
4362 default:
4363 return "???";
4364 }
4365 }
4366
4367 /*
4368 * Print the help message.
4369 */
4370 static void
usage(void)4371 usage(void)
4372 {
4373 FILE *fp = msg_fp(0);
4374
4375 #ifdef ENABLE_SMALL
4376
4377 fprintf(fp, "Usage message not available\n");
4378
4379 #else
4380
4381 struct options o;
4382 init_options(&o, true);
4383
4384 fprintf(fp, usage_message,
4385 title_string,
4386 o.ce.connect_retry_seconds,
4387 o.ce.connect_retry_seconds_max,
4388 o.ce.local_port, o.ce.remote_port,
4389 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
4390 o.verbosity,
4391 o.authname, o.ciphername,
4392 o.replay_window, o.replay_time,
4393 o.tls_timeout, o.renegotiate_seconds,
4394 o.handshake_window, o.transition_window);
4395 fflush(fp);
4396
4397 #endif /* ENABLE_SMALL */
4398
4399 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4400 }
4401
4402 void
usage_small(void)4403 usage_small(void)
4404 {
4405 msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
4406 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
4407 }
4408
4409 #ifdef _WIN32
4410 void
show_windows_version(const unsigned int flags)4411 show_windows_version(const unsigned int flags)
4412 {
4413 struct gc_arena gc = gc_new();
4414 msg(flags, "Windows version %s", win32_version_string(&gc, true));
4415 gc_free(&gc);
4416 }
4417 #endif
4418
4419 void
show_library_versions(const unsigned int flags)4420 show_library_versions(const unsigned int flags)
4421 {
4422 #ifdef ENABLE_LZO
4423 #define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4424 #else
4425 #define LZO_LIB_VER_STR "", ""
4426 #endif
4427
4428 msg(flags, "library versions: %s%s%s", get_ssl_library_version(),
4429 LZO_LIB_VER_STR);
4430
4431 #undef LZO_LIB_VER_STR
4432 }
4433
4434 static void
usage_version(void)4435 usage_version(void)
4436 {
4437 msg(M_INFO|M_NOPREFIX, "%s", title_string);
4438 show_library_versions( M_INFO|M_NOPREFIX );
4439 #ifdef _WIN32
4440 show_windows_version( M_INFO|M_NOPREFIX );
4441 #endif
4442 msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
4443 msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>");
4444 #ifndef ENABLE_SMALL
4445 #ifdef CONFIGURE_DEFINES
4446 msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
4447 #endif
4448 #ifdef CONFIGURE_SPECIAL_BUILD
4449 msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
4450 #endif
4451 #endif
4452 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD);
4453 }
4454
4455 void
notnull(const char * arg,const char * description)4456 notnull(const char *arg, const char *description)
4457 {
4458 if (!arg)
4459 {
4460 msg(M_USAGE, "You must define %s", description);
4461 }
4462 }
4463
4464 bool
string_defined_equal(const char * s1,const char * s2)4465 string_defined_equal(const char *s1, const char *s2)
4466 {
4467 if (s1 && s2)
4468 {
4469 return !strcmp(s1, s2);
4470 }
4471 else
4472 {
4473 return false;
4474 }
4475 }
4476
4477 #if 0
4478 static void
4479 ping_rec_err(int msglevel)
4480 {
4481 msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
4482 }
4483 #endif
4484
4485 static int
positive_atoi(const char * str)4486 positive_atoi(const char *str)
4487 {
4488 const int i = atoi(str);
4489 return i < 0 ? 0 : i;
4490 }
4491
4492 #ifdef _WIN32 /* This function is only used when compiling on Windows */
4493 static unsigned int
atou(const char * str)4494 atou(const char *str)
4495 {
4496 unsigned int val = 0;
4497 sscanf(str, "%u", &val);
4498 return val;
4499 }
4500 #endif
4501
4502 static inline bool
space(unsigned char c)4503 space(unsigned char c)
4504 {
4505 return c == '\0' || isspace(c);
4506 }
4507
4508 int
parse_line(const char * line,char * p[],const int n,const char * file,const int line_num,int msglevel,struct gc_arena * gc)4509 parse_line(const char *line,
4510 char *p[],
4511 const int n,
4512 const char *file,
4513 const int line_num,
4514 int msglevel,
4515 struct gc_arena *gc)
4516 {
4517 const int STATE_INITIAL = 0;
4518 const int STATE_READING_QUOTED_PARM = 1;
4519 const int STATE_READING_UNQUOTED_PARM = 2;
4520 const int STATE_DONE = 3;
4521 const int STATE_READING_SQUOTED_PARM = 4;
4522
4523 const char *error_prefix = "";
4524
4525 int ret = 0;
4526 const char *c = line;
4527 int state = STATE_INITIAL;
4528 bool backslash = false;
4529 char in, out;
4530
4531 char parm[OPTION_PARM_SIZE];
4532 unsigned int parm_len = 0;
4533
4534 msglevel &= ~M_OPTERR;
4535
4536 if (msglevel & M_MSG_VIRT_OUT)
4537 {
4538 error_prefix = "ERROR: ";
4539 }
4540
4541 do
4542 {
4543 in = *c;
4544 out = 0;
4545
4546 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
4547 {
4548 backslash = true;
4549 }
4550 else
4551 {
4552 if (state == STATE_INITIAL)
4553 {
4554 if (!space(in))
4555 {
4556 if (in == ';' || in == '#') /* comment */
4557 {
4558 break;
4559 }
4560 if (!backslash && in == '\"')
4561 {
4562 state = STATE_READING_QUOTED_PARM;
4563 }
4564 else if (!backslash && in == '\'')
4565 {
4566 state = STATE_READING_SQUOTED_PARM;
4567 }
4568 else
4569 {
4570 out = in;
4571 state = STATE_READING_UNQUOTED_PARM;
4572 }
4573 }
4574 }
4575 else if (state == STATE_READING_UNQUOTED_PARM)
4576 {
4577 if (!backslash && space(in))
4578 {
4579 state = STATE_DONE;
4580 }
4581 else
4582 {
4583 out = in;
4584 }
4585 }
4586 else if (state == STATE_READING_QUOTED_PARM)
4587 {
4588 if (!backslash && in == '\"')
4589 {
4590 state = STATE_DONE;
4591 }
4592 else
4593 {
4594 out = in;
4595 }
4596 }
4597 else if (state == STATE_READING_SQUOTED_PARM)
4598 {
4599 if (in == '\'')
4600 {
4601 state = STATE_DONE;
4602 }
4603 else
4604 {
4605 out = in;
4606 }
4607 }
4608 if (state == STATE_DONE)
4609 {
4610 /* ASSERT (parm_len > 0); */
4611 p[ret] = gc_malloc(parm_len + 1, true, gc);
4612 memcpy(p[ret], parm, parm_len);
4613 p[ret][parm_len] = '\0';
4614 state = STATE_INITIAL;
4615 parm_len = 0;
4616 ++ret;
4617 }
4618
4619 if (backslash && out)
4620 {
4621 if (!(out == '\\' || out == '\"' || space(out)))
4622 {
4623 #ifdef ENABLE_SMALL
4624 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
4625 #else
4626 msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
4627 #endif
4628 return 0;
4629 }
4630 }
4631 backslash = false;
4632 }
4633
4634 /* store parameter character */
4635 if (out)
4636 {
4637 if (parm_len >= SIZE(parm))
4638 {
4639 parm[SIZE(parm) - 1] = 0;
4640 msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
4641 error_prefix, file, line_num, (int) SIZE(parm), parm);
4642 return 0;
4643 }
4644 parm[parm_len++] = out;
4645 }
4646
4647 /* avoid overflow if too many parms in one config file line */
4648 if (ret >= n)
4649 {
4650 break;
4651 }
4652
4653 } while (*c++ != '\0');
4654
4655 if (state == STATE_READING_QUOTED_PARM)
4656 {
4657 msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
4658 return 0;
4659 }
4660 if (state == STATE_READING_SQUOTED_PARM)
4661 {
4662 msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
4663 return 0;
4664 }
4665 if (state != STATE_INITIAL)
4666 {
4667 msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
4668 return 0;
4669 }
4670 #if 0
4671 {
4672 int i;
4673 for (i = 0; i < ret; ++i)
4674 {
4675 msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
4676 }
4677 }
4678 #endif
4679 return ret;
4680 }
4681
4682 static void
bypass_doubledash(char ** p)4683 bypass_doubledash(char **p)
4684 {
4685 if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
4686 {
4687 *p += 2;
4688 }
4689 }
4690
4691 struct in_src {
4692 #define IS_TYPE_FP 1
4693 #define IS_TYPE_BUF 2
4694 int type;
4695 union {
4696 FILE *fp;
4697 struct buffer *multiline;
4698 } u;
4699 };
4700
4701 static bool
in_src_get(const struct in_src * is,char * line,const int size)4702 in_src_get(const struct in_src *is, char *line, const int size)
4703 {
4704 if (is->type == IS_TYPE_FP)
4705 {
4706 return BOOL_CAST(fgets(line, size, is->u.fp));
4707 }
4708 else if (is->type == IS_TYPE_BUF)
4709 {
4710 bool status = buf_parse(is->u.multiline, '\n', line, size);
4711 if ((int) strlen(line) + 1 < size)
4712 {
4713 strcat(line, "\n");
4714 }
4715 return status;
4716 }
4717 else
4718 {
4719 ASSERT(0);
4720 return false;
4721 }
4722 }
4723
4724 static char *
read_inline_file(struct in_src * is,const char * close_tag,int * num_lines,struct gc_arena * gc)4725 read_inline_file(struct in_src *is, const char *close_tag,
4726 int *num_lines, struct gc_arena *gc)
4727 {
4728 char line[OPTION_LINE_SIZE];
4729 struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
4730 char *ret;
4731 bool endtagfound = false;
4732
4733 while (in_src_get(is, line, sizeof(line)))
4734 {
4735 (*num_lines)++;
4736 char *line_ptr = line;
4737 /* Remove leading spaces */
4738 while (isspace(*line_ptr))
4739 {
4740 line_ptr++;
4741 }
4742 if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
4743 {
4744 endtagfound = true;
4745 break;
4746 }
4747 if (!buf_safe(&buf, strlen(line)+1))
4748 {
4749 /* Increase buffer size */
4750 struct buffer buf2 = alloc_buf(buf.capacity * 2);
4751 ASSERT(buf_copy(&buf2, &buf));
4752 buf_clear(&buf);
4753 free_buf(&buf);
4754 buf = buf2;
4755 }
4756 buf_printf(&buf, "%s", line);
4757 }
4758 if (!endtagfound)
4759 {
4760 msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
4761 }
4762 ret = string_alloc(BSTR(&buf), gc);
4763 buf_clear(&buf);
4764 free_buf(&buf);
4765 secure_memzero(line, sizeof(line));
4766 return ret;
4767 }
4768
4769 static int
check_inline_file(struct in_src * is,char * p[],struct gc_arena * gc)4770 check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
4771 {
4772 int num_inline_lines = 0;
4773
4774 if (p[0] && !p[1])
4775 {
4776 char *arg = p[0];
4777 if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
4778 {
4779 struct buffer close_tag;
4780
4781 arg[strlen(arg) - 1] = '\0';
4782 p[0] = string_alloc(arg + 1, gc);
4783 close_tag = alloc_buf(strlen(p[0]) + 4);
4784 buf_printf(&close_tag, "</%s>", p[0]);
4785 p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
4786 p[2] = NULL;
4787 free_buf(&close_tag);
4788 }
4789 }
4790 return num_inline_lines;
4791 }
4792
4793 static int
check_inline_file_via_fp(FILE * fp,char * p[],struct gc_arena * gc)4794 check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
4795 {
4796 struct in_src is;
4797 is.type = IS_TYPE_FP;
4798 is.u.fp = fp;
4799 return check_inline_file(&is, p, gc);
4800 }
4801
4802 static int
check_inline_file_via_buf(struct buffer * multiline,char * p[],struct gc_arena * gc)4803 check_inline_file_via_buf(struct buffer *multiline, char *p[],
4804 struct gc_arena *gc)
4805 {
4806 struct in_src is;
4807 is.type = IS_TYPE_BUF;
4808 is.u.multiline = multiline;
4809 return check_inline_file(&is, p, gc);
4810 }
4811
4812 static void
4813 add_option(struct options *options,
4814 char *p[],
4815 bool is_inline,
4816 const char *file,
4817 int line,
4818 const int level,
4819 const int msglevel,
4820 const unsigned int permission_mask,
4821 unsigned int *option_types_found,
4822 struct env_set *es);
4823
4824 static void
read_config_file(struct options * options,const char * file,int level,const char * top_file,const int top_line,const int msglevel,const unsigned int permission_mask,unsigned int * option_types_found,struct env_set * es)4825 read_config_file(struct options *options,
4826 const char *file,
4827 int level,
4828 const char *top_file,
4829 const int top_line,
4830 const int msglevel,
4831 const unsigned int permission_mask,
4832 unsigned int *option_types_found,
4833 struct env_set *es)
4834 {
4835 const int max_recursive_levels = 10;
4836 FILE *fp;
4837 int line_num;
4838 char line[OPTION_LINE_SIZE+1];
4839 char *p[MAX_PARMS+1];
4840
4841 ++level;
4842 if (level <= max_recursive_levels)
4843 {
4844 if (streq(file, "stdin"))
4845 {
4846 fp = stdin;
4847 }
4848 else
4849 {
4850 fp = platform_fopen(file, "r");
4851 }
4852 if (fp)
4853 {
4854 line_num = 0;
4855 while (fgets(line, sizeof(line), fp))
4856 {
4857 int offset = 0;
4858 CLEAR(p);
4859 ++line_num;
4860 if (strlen(line) == OPTION_LINE_SIZE)
4861 {
4862 msg(msglevel, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
4863 file, line_num, OPTION_LINE_SIZE, line);
4864 }
4865
4866 /* Ignore UTF-8 BOM at start of stream */
4867 if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
4868 {
4869 offset = 3;
4870 }
4871 if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
4872 {
4873 bypass_doubledash(&p[0]);
4874 int lines_inline = check_inline_file_via_fp(fp, p, &options->gc);
4875 add_option(options, p, lines_inline, file, line_num, level,
4876 msglevel, permission_mask, option_types_found,
4877 es);
4878 line_num += lines_inline;
4879 }
4880 }
4881 if (fp != stdin)
4882 {
4883 fclose(fp);
4884 }
4885 }
4886 else
4887 {
4888 msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
4889 }
4890 }
4891 else
4892 {
4893 msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
4894 }
4895 secure_memzero(line, sizeof(line));
4896 CLEAR(p);
4897 }
4898
4899 static void
read_config_string(const char * prefix,struct options * options,const char * config,const int msglevel,const unsigned int permission_mask,unsigned int * option_types_found,struct env_set * es)4900 read_config_string(const char *prefix,
4901 struct options *options,
4902 const char *config,
4903 const int msglevel,
4904 const unsigned int permission_mask,
4905 unsigned int *option_types_found,
4906 struct env_set *es)
4907 {
4908 char line[OPTION_LINE_SIZE];
4909 struct buffer multiline;
4910 int line_num = 0;
4911
4912 buf_set_read(&multiline, (uint8_t *)config, strlen(config));
4913
4914 while (buf_parse(&multiline, '\n', line, sizeof(line)))
4915 {
4916 char *p[MAX_PARMS+1];
4917 CLEAR(p);
4918 ++line_num;
4919 if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
4920 {
4921 bypass_doubledash(&p[0]);
4922 int lines_inline = check_inline_file_via_buf(&multiline, p, &options->gc);
4923 add_option(options, p, lines_inline, prefix, line_num, 0, msglevel,
4924 permission_mask, option_types_found, es);
4925 line_num += lines_inline;
4926 }
4927 CLEAR(p);
4928 }
4929 secure_memzero(line, sizeof(line));
4930 }
4931
4932 void
parse_argv(struct options * options,const int argc,char * argv[],const int msglevel,const unsigned int permission_mask,unsigned int * option_types_found,struct env_set * es)4933 parse_argv(struct options *options,
4934 const int argc,
4935 char *argv[],
4936 const int msglevel,
4937 const unsigned int permission_mask,
4938 unsigned int *option_types_found,
4939 struct env_set *es)
4940 {
4941 int i, j;
4942
4943 /* usage message */
4944 if (argc <= 1)
4945 {
4946 usage();
4947 }
4948
4949 /* config filename specified only? */
4950 if (argc == 2 && strncmp(argv[1], "--", 2))
4951 {
4952 char *p[MAX_PARMS];
4953 CLEAR(p);
4954 p[0] = "config";
4955 p[1] = argv[1];
4956 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
4957 option_types_found, es);
4958 }
4959 else
4960 {
4961 /* parse command line */
4962 for (i = 1; i < argc; ++i)
4963 {
4964 char *p[MAX_PARMS];
4965 CLEAR(p);
4966 p[0] = argv[i];
4967 if (strncmp(p[0], "--", 2))
4968 {
4969 msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
4970 }
4971 else
4972 {
4973 p[0] += 2;
4974 }
4975
4976 for (j = 1; j < MAX_PARMS; ++j)
4977 {
4978 if (i + j < argc)
4979 {
4980 char *arg = argv[i + j];
4981 if (strncmp(arg, "--", 2))
4982 {
4983 p[j] = arg;
4984 }
4985 else
4986 {
4987 break;
4988 }
4989 }
4990 }
4991 add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask,
4992 option_types_found, es);
4993 i += j - 1;
4994 }
4995 }
4996 }
4997
4998 /**
4999 * Filter an option line by all pull filters.
5000 *
5001 * If a match is found, the line is modified depending on
5002 * the filter type, and returns true. If the filter type is
5003 * reject, SIGUSR1 is triggered and the return value is false.
5004 * In that case the caller must end the push processing.
5005 */
5006 static bool
apply_pull_filter(const struct options * o,char * line)5007 apply_pull_filter(const struct options *o, char *line)
5008 {
5009 struct pull_filter *f;
5010
5011 if (!o->pull_filter_list)
5012 {
5013 return true;
5014 }
5015
5016 for (f = o->pull_filter_list->head; f; f = f->next)
5017 {
5018 if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
5019 {
5020 msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
5021 return true;
5022 }
5023 else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
5024 {
5025 msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
5026 *line = '\0';
5027 return true;
5028 }
5029 else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
5030 {
5031 msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
5032 *line = '\0';
5033 throw_signal_soft(SIGUSR1, "Offending option received from server");
5034 return false;
5035 }
5036 }
5037 return true;
5038 }
5039
5040 bool
apply_push_options(struct options * options,struct buffer * buf,unsigned int permission_mask,unsigned int * option_types_found,struct env_set * es)5041 apply_push_options(struct options *options,
5042 struct buffer *buf,
5043 unsigned int permission_mask,
5044 unsigned int *option_types_found,
5045 struct env_set *es)
5046 {
5047 char line[OPTION_PARM_SIZE];
5048 int line_num = 0;
5049 const char *file = "[PUSH-OPTIONS]";
5050 const int msglevel = D_PUSH_ERRORS|M_OPTERR;
5051
5052 while (buf_parse(buf, ',', line, sizeof(line)))
5053 {
5054 char *p[MAX_PARMS+1];
5055 CLEAR(p);
5056 ++line_num;
5057 if (!apply_pull_filter(options, line))
5058 {
5059 return false; /* Cause push/pull error and stop push processing */
5060 }
5061 if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
5062 {
5063 add_option(options, p, false, file, line_num, 0, msglevel,
5064 permission_mask, option_types_found, es);
5065 }
5066 }
5067 return true;
5068 }
5069
5070 void
options_server_import(struct options * o,const char * filename,int msglevel,unsigned int permission_mask,unsigned int * option_types_found,struct env_set * es)5071 options_server_import(struct options *o,
5072 const char *filename,
5073 int msglevel,
5074 unsigned int permission_mask,
5075 unsigned int *option_types_found,
5076 struct env_set *es)
5077 {
5078 msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
5079 read_config_file(o,
5080 filename,
5081 0,
5082 filename,
5083 0,
5084 msglevel,
5085 permission_mask,
5086 option_types_found,
5087 es);
5088 }
5089
5090 void
options_string_import(struct options * options,const char * config,const int msglevel,const unsigned int permission_mask,unsigned int * option_types_found,struct env_set * es)5091 options_string_import(struct options *options,
5092 const char *config,
5093 const int msglevel,
5094 const unsigned int permission_mask,
5095 unsigned int *option_types_found,
5096 struct env_set *es)
5097 {
5098 read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
5099 }
5100
5101 #define VERIFY_PERMISSION(mask) { \
5102 if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5103 option_types_found, msglevel, options, is_inline)) \
5104 { \
5105 goto err; \
5106 } \
5107 }
5108
5109 static bool
verify_permission(const char * name,const char * file,int line,const unsigned int type,const unsigned int allowed,unsigned int * found,const int msglevel,struct options * options,bool is_inline)5110 verify_permission(const char *name,
5111 const char *file,
5112 int line,
5113 const unsigned int type,
5114 const unsigned int allowed,
5115 unsigned int *found,
5116 const int msglevel,
5117 struct options *options,
5118 bool is_inline)
5119 {
5120 if (!(type & allowed))
5121 {
5122 msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
5123 return false;
5124 }
5125
5126 if (is_inline && !(type & OPT_P_INLINE))
5127 {
5128 msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name,
5129 file, line);
5130 return false;
5131 }
5132
5133 if (found)
5134 {
5135 *found |= type;
5136 }
5137
5138 #ifndef ENABLE_SMALL
5139 /* Check if this options is allowed in connection block,
5140 * but we are currently not in a connection block
5141 * unless this is a pushed option.
5142 * Parsing a connection block uses a temporary options struct without
5143 * connection_list
5144 */
5145
5146 if ((type & OPT_P_CONNECTION) && options->connection_list
5147 && !(allowed & OPT_P_PULL_MODE))
5148 {
5149 if (file)
5150 {
5151 msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
5152 }
5153 else
5154 {
5155 msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
5156 }
5157 }
5158 #endif
5159 return true;
5160 }
5161
5162 /*
5163 * Check that an option doesn't have too
5164 * many parameters.
5165 */
5166
5167 #define NM_QUOTE_HINT (1<<0)
5168
5169 static bool
no_more_than_n_args(const int msglevel,char * p[],const int max,const unsigned int flags)5170 no_more_than_n_args(const int msglevel,
5171 char *p[],
5172 const int max,
5173 const unsigned int flags)
5174 {
5175 const int len = string_array_len((const char **)p);
5176
5177 if (!len)
5178 {
5179 return false;
5180 }
5181
5182 if (len > max)
5183 {
5184 msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
5185 p[0],
5186 max - 1,
5187 max >= 3 ? "s" : "",
5188 (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
5189 return false;
5190 }
5191 else
5192 {
5193 return true;
5194 }
5195 }
5196
5197 static inline int
msglevel_forward_compatible(struct options * options,const int msglevel)5198 msglevel_forward_compatible(struct options *options, const int msglevel)
5199 {
5200 return options->forward_compatible ? M_WARN : msglevel;
5201 }
5202
5203 static void
set_user_script(struct options * options,const char ** script,const char * new_script,const char * type,bool in_chroot)5204 set_user_script(struct options *options,
5205 const char **script,
5206 const char *new_script,
5207 const char *type,
5208 bool in_chroot)
5209 {
5210 if (*script)
5211 {
5212 msg(M_WARN, "Multiple --%s scripts defined. "
5213 "The previously configured script is overridden.", type);
5214 }
5215 *script = new_script;
5216 options->user_script_used = true;
5217
5218 #ifndef ENABLE_SMALL
5219 {
5220 char script_name[100];
5221 openvpn_snprintf(script_name, sizeof(script_name),
5222 "--%s script", type);
5223
5224 if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
5225 {
5226 msg(M_USAGE, "Please correct this error.");
5227 }
5228
5229 }
5230 #endif
5231 }
5232
5233 #ifdef USE_COMP
5234 static void
show_compression_warning(struct compress_options * info)5235 show_compression_warning(struct compress_options *info)
5236 {
5237 if (comp_non_stub_enabled(info))
5238 {
5239 /*
5240 * Check if already displayed the strong warning and enabled full
5241 * compression
5242 */
5243 if (!(info->flags & COMP_F_ALLOW_COMPRESS))
5244 {
5245 msg(M_WARN, "WARNING: Compression for receiving enabled. "
5246 "Compression has been used in the past to break encryption. "
5247 "Sent packets are not compressed unless \"allow-compression yes\" "
5248 "is also set.");
5249 }
5250 }
5251 }
5252 #endif
5253
5254 static void
add_option(struct options * options,char * p[],bool is_inline,const char * file,int line,const int level,const int msglevel,const unsigned int permission_mask,unsigned int * option_types_found,struct env_set * es)5255 add_option(struct options *options,
5256 char *p[],
5257 bool is_inline,
5258 const char *file,
5259 int line,
5260 const int level,
5261 const int msglevel,
5262 const unsigned int permission_mask,
5263 unsigned int *option_types_found,
5264 struct env_set *es)
5265 {
5266 struct gc_arena gc = gc_new();
5267 const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
5268 int msglevel_fc = msglevel_forward_compatible(options, msglevel);
5269
5270 ASSERT(MAX_PARMS >= 7);
5271
5272 /*
5273 * If directive begins with "setenv opt" prefix, don't raise an error if
5274 * directive is unrecognized.
5275 */
5276 if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
5277 {
5278 if (!p[2])
5279 {
5280 p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5281 }
5282 p += 2;
5283 msglevel_fc = M_WARN;
5284 }
5285
5286 if (!file)
5287 {
5288 file = "[CMD-LINE]";
5289 line = 1;
5290 }
5291 if (streq(p[0], "help"))
5292 {
5293 VERIFY_PERMISSION(OPT_P_GENERAL);
5294 usage();
5295 if (p[1])
5296 {
5297 msg(msglevel, "--help does not accept any parameters");
5298 goto err;
5299 }
5300 }
5301 if (streq(p[0], "version") && !p[1])
5302 {
5303 VERIFY_PERMISSION(OPT_P_GENERAL);
5304 usage_version();
5305 }
5306 else if (streq(p[0], "config") && p[1] && !p[2])
5307 {
5308 VERIFY_PERMISSION(OPT_P_CONFIG);
5309
5310 /* save first config file only in options */
5311 if (!options->config)
5312 {
5313 options->config = p[1];
5314 }
5315
5316 read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
5317 }
5318 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5319 else if (streq(p[0], "show-gateway") && !p[2])
5320 {
5321 struct route_gateway_info rgi;
5322 struct route_ipv6_gateway_info rgi6;
5323 struct in6_addr remote = IN6ADDR_ANY_INIT;
5324 openvpn_net_ctx_t net_ctx;
5325 VERIFY_PERMISSION(OPT_P_GENERAL);
5326 if (p[1])
5327 {
5328 get_ipv6_addr(p[1], &remote, NULL, M_WARN);
5329 }
5330 net_ctx_init(NULL, &net_ctx);
5331 get_default_gateway(&rgi, &net_ctx);
5332 get_default_gateway_ipv6(&rgi6, &remote, &net_ctx);
5333 print_default_gateway(M_INFO, &rgi, &rgi6);
5334 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5335 }
5336 #endif
5337 #if 0
5338 else if (streq(p[0], "foreign-option") && p[1])
5339 {
5340 VERIFY_PERMISSION(OPT_P_IPWIN32);
5341 foreign_option(options, p, 3, es);
5342 }
5343 #endif
5344 else if (streq(p[0], "echo") || streq(p[0], "parameter"))
5345 {
5346 struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
5347 int j;
5348 bool good = true;
5349
5350 VERIFY_PERMISSION(OPT_P_ECHO);
5351
5352 for (j = 1; j < MAX_PARMS; ++j)
5353 {
5354 if (!p[j])
5355 {
5356 break;
5357 }
5358 if (j > 1)
5359 {
5360 good &= buf_printf(&string, " ");
5361 }
5362 good &= buf_printf(&string, "%s", p[j]);
5363 }
5364 if (good)
5365 {
5366 /* only message-related ECHO are logged, since other ECHOs
5367 * can potentially include security-sensitive strings */
5368 if (p[1] && strncmp(p[1], "msg", 3) == 0)
5369 {
5370 msg(M_INFO, "%s:%s",
5371 pull_mode ? "ECHO-PULL" : "ECHO",
5372 BSTR(&string));
5373 }
5374 #ifdef ENABLE_MANAGEMENT
5375 if (management)
5376 {
5377 management_echo(management, BSTR(&string), pull_mode);
5378 }
5379 #endif
5380 }
5381 else
5382 {
5383 msg(M_WARN, "echo/parameter option overflow");
5384 }
5385 }
5386 #ifdef ENABLE_MANAGEMENT
5387 else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
5388 {
5389 VERIFY_PERMISSION(OPT_P_GENERAL);
5390 if (streq(p[2], "unix"))
5391 {
5392 #if UNIX_SOCK_SUPPORT
5393 options->management_flags |= MF_UNIX_SOCK;
5394 #else
5395 msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
5396 goto err;
5397 #endif
5398 }
5399
5400 options->management_addr = p[1];
5401 options->management_port = p[2];
5402 if (p[3])
5403 {
5404 options->management_user_pass = p[3];
5405 }
5406 }
5407 else if (streq(p[0], "management-client-user") && p[1] && !p[2])
5408 {
5409 VERIFY_PERMISSION(OPT_P_GENERAL);
5410 options->management_client_user = p[1];
5411 }
5412 else if (streq(p[0], "management-client-group") && p[1] && !p[2])
5413 {
5414 VERIFY_PERMISSION(OPT_P_GENERAL);
5415 options->management_client_group = p[1];
5416 }
5417 else if (streq(p[0], "management-query-passwords") && !p[1])
5418 {
5419 VERIFY_PERMISSION(OPT_P_GENERAL);
5420 options->management_flags |= MF_QUERY_PASSWORDS;
5421 }
5422 else if (streq(p[0], "management-query-remote") && !p[1])
5423 {
5424 VERIFY_PERMISSION(OPT_P_GENERAL);
5425 options->management_flags |= MF_QUERY_REMOTE;
5426 }
5427 else if (streq(p[0], "management-query-proxy") && !p[1])
5428 {
5429 VERIFY_PERMISSION(OPT_P_GENERAL);
5430 options->management_flags |= MF_QUERY_PROXY;
5431 }
5432 else if (streq(p[0], "management-hold") && !p[1])
5433 {
5434 VERIFY_PERMISSION(OPT_P_GENERAL);
5435 options->management_flags |= MF_HOLD;
5436 }
5437 else if (streq(p[0], "management-signal") && !p[1])
5438 {
5439 VERIFY_PERMISSION(OPT_P_GENERAL);
5440 options->management_flags |= MF_SIGNAL;
5441 }
5442 else if (streq(p[0], "management-forget-disconnect") && !p[1])
5443 {
5444 VERIFY_PERMISSION(OPT_P_GENERAL);
5445 options->management_flags |= MF_FORGET_DISCONNECT;
5446 }
5447 else if (streq(p[0], "management-up-down") && !p[1])
5448 {
5449 VERIFY_PERMISSION(OPT_P_GENERAL);
5450 options->management_flags |= MF_UP_DOWN;
5451 }
5452 else if (streq(p[0], "management-client") && !p[2])
5453 {
5454 VERIFY_PERMISSION(OPT_P_GENERAL);
5455 options->management_flags |= MF_CONNECT_AS_CLIENT;
5456 options->management_write_peer_info_file = p[1];
5457 }
5458 #ifdef ENABLE_MANAGEMENT
5459 else if (streq(p[0], "management-external-key"))
5460 {
5461 VERIFY_PERMISSION(OPT_P_GENERAL);
5462 for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5463 {
5464 if (streq(p[j], "nopadding"))
5465 {
5466 options->management_flags |= MF_EXTERNAL_KEY_NOPADDING;
5467 }
5468 else if (streq(p[j], "pkcs1"))
5469 {
5470 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5471 }
5472 else
5473 {
5474 msg(msglevel, "Unknown management-external-key flag: %s", p[j]);
5475 }
5476 }
5477 /*
5478 * When no option is present, assume that only PKCS1
5479 * padding is supported
5480 */
5481 if (!(options->management_flags
5482 &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD)))
5483 {
5484 options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD;
5485 }
5486 options->management_flags |= MF_EXTERNAL_KEY;
5487 }
5488 else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
5489 {
5490 VERIFY_PERMISSION(OPT_P_GENERAL);
5491 options->management_flags |= MF_EXTERNAL_CERT;
5492 options->management_certificate = p[1];
5493 }
5494 else if (streq(p[0], "management-client-auth") && !p[1])
5495 {
5496 VERIFY_PERMISSION(OPT_P_GENERAL);
5497 options->management_flags |= MF_CLIENT_AUTH;
5498 }
5499 #endif /* ifdef ENABLE_MANAGEMENT */
5500 #ifdef MANAGEMENT_PF
5501 else if (streq(p[0], "management-client-pf") && !p[1])
5502 {
5503 VERIFY_PERMISSION(OPT_P_GENERAL);
5504 options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
5505 }
5506 #endif
5507 else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
5508 {
5509 int cache;
5510
5511 VERIFY_PERMISSION(OPT_P_GENERAL);
5512 cache = atoi(p[1]);
5513 if (cache < 1)
5514 {
5515 msg(msglevel, "--management-log-cache parameter is out of range");
5516 goto err;
5517 }
5518 options->management_log_history_cache = cache;
5519 }
5520 #endif /* ifdef ENABLE_MANAGEMENT */
5521 #ifdef ENABLE_PLUGIN
5522 else if (streq(p[0], "plugin") && p[1])
5523 {
5524 VERIFY_PERMISSION(OPT_P_PLUGIN);
5525 if (!options->plugin_list)
5526 {
5527 options->plugin_list = plugin_option_list_new(&options->gc);
5528 }
5529 if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
5530 {
5531 msg(msglevel, "plugin add failed: %s", p[1]);
5532 goto err;
5533 }
5534 }
5535 #endif
5536 else if (streq(p[0], "mode") && p[1] && !p[2])
5537 {
5538 VERIFY_PERMISSION(OPT_P_GENERAL);
5539 if (streq(p[1], "p2p"))
5540 {
5541 options->mode = MODE_POINT_TO_POINT;
5542 }
5543 else if (streq(p[1], "server"))
5544 {
5545 options->mode = MODE_SERVER;
5546 }
5547 else
5548 {
5549 msg(msglevel, "Bad --mode parameter: %s", p[1]);
5550 goto err;
5551 }
5552 }
5553 else if (streq(p[0], "dev") && p[1] && !p[2])
5554 {
5555 VERIFY_PERMISSION(OPT_P_GENERAL);
5556 options->dev = p[1];
5557 }
5558 else if (streq(p[0], "dev-type") && p[1] && !p[2])
5559 {
5560 VERIFY_PERMISSION(OPT_P_GENERAL);
5561 options->dev_type = p[1];
5562 }
5563 #ifdef _WIN32
5564 else if (streq(p[0], "windows-driver") && p[1] && !p[2])
5565 {
5566 VERIFY_PERMISSION(OPT_P_GENERAL);
5567 options->windows_driver = parse_windows_driver(p[1], M_FATAL);
5568 }
5569 #endif
5570 else if (streq(p[0], "dev-node") && p[1] && !p[2])
5571 {
5572 VERIFY_PERMISSION(OPT_P_GENERAL);
5573 options->dev_node = p[1];
5574 }
5575 else if (streq(p[0], "lladdr") && p[1] && !p[2])
5576 {
5577 VERIFY_PERMISSION(OPT_P_UP);
5578 if (mac_addr_safe(p[1])) /* MAC address only */
5579 {
5580 options->lladdr = p[1];
5581 }
5582 else
5583 {
5584 msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
5585 goto err;
5586 }
5587 }
5588 else if (streq(p[0], "topology") && p[1] && !p[2])
5589 {
5590 VERIFY_PERMISSION(OPT_P_UP);
5591 options->topology = parse_topology(p[1], msglevel);
5592 }
5593 else if (streq(p[0], "tun-ipv6") && !p[1])
5594 {
5595 if (!pull_mode)
5596 {
5597 msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
5598 }
5599 }
5600 #ifdef ENABLE_IPROUTE
5601 else if (streq(p[0], "iproute") && p[1] && !p[2])
5602 {
5603 VERIFY_PERMISSION(OPT_P_GENERAL);
5604 iproute_path = p[1];
5605 }
5606 #endif
5607 else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
5608 {
5609 VERIFY_PERMISSION(OPT_P_UP);
5610 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
5611 {
5612 options->ifconfig_local = p[1];
5613 options->ifconfig_remote_netmask = p[2];
5614 }
5615 else
5616 {
5617 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5618 goto err;
5619 }
5620 }
5621 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
5622 {
5623 unsigned int netbits;
5624
5625 VERIFY_PERMISSION(OPT_P_UP);
5626 if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
5627 && ipv6_addr_safe( p[2] ) )
5628 {
5629 if (netbits < 64 || netbits > 124)
5630 {
5631 msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
5632 goto err;
5633 }
5634
5635 options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
5636 options->ifconfig_ipv6_netbits = netbits;
5637 options->ifconfig_ipv6_remote = p[2];
5638 }
5639 else
5640 {
5641 msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
5642 goto err;
5643 }
5644 }
5645 else if (streq(p[0], "ifconfig-noexec") && !p[1])
5646 {
5647 VERIFY_PERMISSION(OPT_P_UP);
5648 options->ifconfig_noexec = true;
5649 }
5650 else if (streq(p[0], "ifconfig-nowarn") && !p[1])
5651 {
5652 VERIFY_PERMISSION(OPT_P_UP);
5653 options->ifconfig_nowarn = true;
5654 }
5655 else if (streq(p[0], "local") && p[1] && !p[2])
5656 {
5657 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
5658 options->ce.local = p[1];
5659 }
5660 else if (streq(p[0], "remote-random") && !p[1])
5661 {
5662 VERIFY_PERMISSION(OPT_P_GENERAL);
5663 options->remote_random = true;
5664 }
5665 else if (streq(p[0], "connection") && p[1] && !p[3])
5666 {
5667 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
5668 if (is_inline)
5669 {
5670 struct options sub;
5671 struct connection_entry *e;
5672
5673 init_options(&sub, true);
5674 sub.ce = options->ce;
5675 read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel,
5676 OPT_P_CONNECTION, option_types_found, es);
5677 if (!sub.ce.remote)
5678 {
5679 msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
5680 uninit_options(&sub);
5681 goto err;
5682 }
5683
5684 e = alloc_connection_entry(options, msglevel);
5685 if (!e)
5686 {
5687 uninit_options(&sub);
5688 goto err;
5689 }
5690 *e = sub.ce;
5691 gc_transfer(&options->gc, &sub.gc);
5692 uninit_options(&sub);
5693 }
5694 }
5695 else if (streq(p[0], "ignore-unknown-option") && p[1])
5696 {
5697 int i;
5698 int j;
5699 int numignored = 0;
5700 const char **ignore;
5701
5702 VERIFY_PERMISSION(OPT_P_GENERAL);
5703 /* Find out how many options to be ignored */
5704 for (i = 1; p[i]; i++)
5705 {
5706 numignored++;
5707 }
5708
5709 /* add number of options already ignored */
5710 for (i = 0; options->ignore_unknown_option
5711 && options->ignore_unknown_option[i]; i++)
5712 {
5713 numignored++;
5714 }
5715
5716 /* Allocate array */
5717 ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
5718 for (i = 0; options->ignore_unknown_option
5719 && options->ignore_unknown_option[i]; i++)
5720 {
5721 ignore[i] = options->ignore_unknown_option[i];
5722 }
5723
5724 options->ignore_unknown_option = ignore;
5725
5726 for (j = 1; p[j]; j++)
5727 {
5728 /* Allow the user to specify ignore-unknown-option --opt too */
5729 if (p[j][0]=='-' && p[j][1]=='-')
5730 {
5731 options->ignore_unknown_option[i] = (p[j]+2);
5732 }
5733 else
5734 {
5735 options->ignore_unknown_option[i] = p[j];
5736 }
5737 i++;
5738 }
5739
5740 options->ignore_unknown_option[i] = NULL;
5741 }
5742 #if ENABLE_MANAGEMENT
5743 else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
5744 {
5745 VERIFY_PERMISSION(OPT_P_GENERAL);
5746 options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
5747 if (!options->http_proxy_override)
5748 {
5749 goto err;
5750 }
5751 }
5752 #endif
5753 else if (streq(p[0], "remote") && p[1] && !p[4])
5754 {
5755 struct remote_entry re;
5756 re.remote = re.remote_port = NULL;
5757 re.proto = -1;
5758 re.af = 0;
5759
5760 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
5761 re.remote = p[1];
5762 if (p[2])
5763 {
5764 re.remote_port = p[2];
5765 if (p[3])
5766 {
5767 const int proto = ascii2proto(p[3]);
5768 const sa_family_t af = ascii2af(p[3]);
5769 if (proto < 0)
5770 {
5771 msg(msglevel,
5772 "remote: bad protocol associated with host %s: '%s'",
5773 p[1], p[3]);
5774 goto err;
5775 }
5776 re.proto = proto;
5777 re.af = af;
5778 }
5779 }
5780 if (permission_mask & OPT_P_GENERAL)
5781 {
5782 struct remote_entry *e = alloc_remote_entry(options, msglevel);
5783 if (!e)
5784 {
5785 goto err;
5786 }
5787 *e = re;
5788 }
5789 else if (permission_mask & OPT_P_CONNECTION)
5790 {
5791 connection_entry_load_re(&options->ce, &re);
5792 }
5793 }
5794 else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
5795 {
5796 VERIFY_PERMISSION(OPT_P_GENERAL);
5797 if (streq(p[1], "infinite"))
5798 {
5799 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
5800 }
5801 else
5802 {
5803 options->resolve_retry_seconds = positive_atoi(p[1]);
5804 }
5805 }
5806 else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
5807 {
5808 VERIFY_PERMISSION(OPT_P_GENERAL);
5809 options->resolve_in_advance = true;
5810 /* Note the ip-remote-hint and the argument p[1] are for
5811 * backward compatibility */
5812 if (p[1])
5813 {
5814 options->ip_remote_hint = p[1];
5815 }
5816 }
5817 else if (streq(p[0], "connect-retry") && p[1] && !p[3])
5818 {
5819 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
5820 options->ce.connect_retry_seconds = positive_atoi(p[1]);
5821 /*
5822 * Limit the base value of retry wait interval to 16 bits to avoid
5823 * overflow when scaled up for exponential backoff
5824 */
5825 if (options->ce.connect_retry_seconds > 0xFFFF)
5826 {
5827 options->ce.connect_retry_seconds = 0xFFFF;
5828 msg(M_WARN, "connect retry wait interval truncated to %d",
5829 options->ce.connect_retry_seconds);
5830 }
5831
5832 if (p[2])
5833 {
5834 options->ce.connect_retry_seconds_max =
5835 max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
5836 }
5837 }
5838 else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
5839 && p[1] && !p[2])
5840 {
5841 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
5842 options->ce.connect_timeout = positive_atoi(p[1]);
5843 }
5844 else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
5845 {
5846 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
5847 options->connect_retry_max = positive_atoi(p[1]);
5848 }
5849 else if (streq(p[0], "ipchange") && p[1])
5850 {
5851 VERIFY_PERMISSION(OPT_P_SCRIPT);
5852 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5853 {
5854 goto err;
5855 }
5856 set_user_script(options,
5857 &options->ipchange,
5858 string_substitute(p[1], ',', ' ', &options->gc),
5859 "ipchange", true);
5860 }
5861 else if (streq(p[0], "float") && !p[1])
5862 {
5863 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
5864 options->ce.remote_float = true;
5865 }
5866 #ifdef ENABLE_DEBUG
5867 else if (streq(p[0], "gremlin") && p[1] && !p[2])
5868 {
5869 VERIFY_PERMISSION(OPT_P_GENERAL);
5870 options->gremlin = positive_atoi(p[1]);
5871 }
5872 #endif
5873 else if (streq(p[0], "chroot") && p[1] && !p[2])
5874 {
5875 VERIFY_PERMISSION(OPT_P_GENERAL);
5876 options->chroot_dir = p[1];
5877 }
5878 else if (streq(p[0], "cd") && p[1] && !p[2])
5879 {
5880 VERIFY_PERMISSION(OPT_P_GENERAL);
5881 if (platform_chdir(p[1]))
5882 {
5883 msg(M_ERR, "cd to '%s' failed", p[1]);
5884 goto err;
5885 }
5886 options->cd_dir = p[1];
5887 }
5888 #ifdef ENABLE_SELINUX
5889 else if (streq(p[0], "setcon") && p[1] && !p[2])
5890 {
5891 VERIFY_PERMISSION(OPT_P_GENERAL);
5892 options->selinux_context = p[1];
5893 }
5894 #endif
5895 else if (streq(p[0], "writepid") && p[1] && !p[2])
5896 {
5897 VERIFY_PERMISSION(OPT_P_GENERAL);
5898 options->writepid = p[1];
5899 }
5900 else if (streq(p[0], "up") && p[1])
5901 {
5902 VERIFY_PERMISSION(OPT_P_SCRIPT);
5903 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5904 {
5905 goto err;
5906 }
5907 set_user_script(options, &options->up_script, p[1], "up", false);
5908 }
5909 else if (streq(p[0], "down") && p[1])
5910 {
5911 VERIFY_PERMISSION(OPT_P_SCRIPT);
5912 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
5913 {
5914 goto err;
5915 }
5916 set_user_script(options, &options->down_script, p[1], "down", true);
5917 }
5918 else if (streq(p[0], "down-pre") && !p[1])
5919 {
5920 VERIFY_PERMISSION(OPT_P_GENERAL);
5921 options->down_pre = true;
5922 }
5923 else if (streq(p[0], "up-delay") && !p[1])
5924 {
5925 VERIFY_PERMISSION(OPT_P_GENERAL);
5926 options->up_delay = true;
5927 }
5928 else if (streq(p[0], "up-restart") && !p[1])
5929 {
5930 VERIFY_PERMISSION(OPT_P_GENERAL);
5931 options->up_restart = true;
5932 }
5933 else if (streq(p[0], "syslog") && !p[2])
5934 {
5935 VERIFY_PERMISSION(OPT_P_GENERAL);
5936 open_syslog(p[1], false);
5937 }
5938 else if (streq(p[0], "daemon") && !p[2])
5939 {
5940 bool didit = false;
5941 VERIFY_PERMISSION(OPT_P_GENERAL);
5942 if (!options->daemon)
5943 {
5944 options->daemon = didit = true;
5945 open_syslog(p[1], false);
5946 }
5947 if (p[1])
5948 {
5949 if (!didit)
5950 {
5951 msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
5952 goto err;
5953 }
5954 }
5955 }
5956 else if (streq(p[0], "log") && p[1] && !p[2])
5957 {
5958 VERIFY_PERMISSION(OPT_P_GENERAL);
5959 options->log = true;
5960 redirect_stdout_stderr(p[1], false);
5961 }
5962 else if (streq(p[0], "suppress-timestamps") && !p[1])
5963 {
5964 VERIFY_PERMISSION(OPT_P_GENERAL);
5965 options->suppress_timestamps = true;
5966 set_suppress_timestamps(true);
5967 }
5968 else if (streq(p[0], "machine-readable-output") && !p[1])
5969 {
5970 VERIFY_PERMISSION(OPT_P_GENERAL);
5971 options->machine_readable_output = true;
5972 set_machine_readable_output(true);
5973 }
5974 else if (streq(p[0], "log-append") && p[1] && !p[2])
5975 {
5976 VERIFY_PERMISSION(OPT_P_GENERAL);
5977 options->log = true;
5978 redirect_stdout_stderr(p[1], true);
5979 }
5980 #ifdef ENABLE_MEMSTATS
5981 else if (streq(p[0], "memstats") && p[1] && !p[2])
5982 {
5983 VERIFY_PERMISSION(OPT_P_GENERAL);
5984 options->memstats_fn = p[1];
5985 }
5986 #endif
5987 else if (streq(p[0], "mlock") && !p[1])
5988 {
5989 VERIFY_PERMISSION(OPT_P_GENERAL);
5990 options->mlock = true;
5991 }
5992 #if ENABLE_IP_PKTINFO
5993 else if (streq(p[0], "multihome") && !p[1])
5994 {
5995 VERIFY_PERMISSION(OPT_P_GENERAL);
5996 options->sockflags |= SF_USE_IP_PKTINFO;
5997 }
5998 #endif
5999 else if (streq(p[0], "verb") && p[1] && !p[2])
6000 {
6001 VERIFY_PERMISSION(OPT_P_MESSAGES);
6002 options->verbosity = positive_atoi(p[1]);
6003 if (options->verbosity >= (D_TLS_DEBUG_MED & M_DEBUG_LEVEL))
6004 {
6005 /* We pass this flag to the SSL library to avoid
6006 * mbed TLS always generating debug level logging */
6007 options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
6008 }
6009 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6010 /* Warn when a debug verbosity is supplied when built without debug support */
6011 if (options->verbosity >= 7)
6012 {
6013 msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6014 options->verbosity);
6015 }
6016 #endif
6017 }
6018 else if (streq(p[0], "mute") && p[1] && !p[2])
6019 {
6020 VERIFY_PERMISSION(OPT_P_MESSAGES);
6021 options->mute = positive_atoi(p[1]);
6022 }
6023 else if (streq(p[0], "errors-to-stderr") && !p[1])
6024 {
6025 VERIFY_PERMISSION(OPT_P_MESSAGES);
6026 errors_to_stderr();
6027 }
6028 else if (streq(p[0], "status") && p[1] && !p[3])
6029 {
6030 VERIFY_PERMISSION(OPT_P_GENERAL);
6031 options->status_file = p[1];
6032 if (p[2])
6033 {
6034 options->status_file_update_freq = positive_atoi(p[2]);
6035 }
6036 }
6037 else if (streq(p[0], "status-version") && p[1] && !p[2])
6038 {
6039 int version;
6040
6041 VERIFY_PERMISSION(OPT_P_GENERAL);
6042 version = atoi(p[1]);
6043 if (version < 1 || version > 3)
6044 {
6045 msg(msglevel, "--status-version must be 1 to 3");
6046 goto err;
6047 }
6048 options->status_file_version = version;
6049 }
6050 else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
6051 {
6052 VERIFY_PERMISSION(OPT_P_GENERAL);
6053 if (streq(p[1], "SIGHUP"))
6054 {
6055 options->remap_sigusr1 = SIGHUP;
6056 }
6057 else if (streq(p[1], "SIGTERM"))
6058 {
6059 options->remap_sigusr1 = SIGTERM;
6060 }
6061 else
6062 {
6063 msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6064 goto err;
6065 }
6066 }
6067 else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
6068 {
6069 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6070 options->ce.link_mtu = positive_atoi(p[1]);
6071 options->ce.link_mtu_defined = true;
6072 }
6073 else if (streq(p[0], "tun-mtu") && p[1] && !p[2])
6074 {
6075 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6076 options->ce.tun_mtu = positive_atoi(p[1]);
6077 options->ce.tun_mtu_defined = true;
6078 }
6079 else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
6080 {
6081 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6082 options->ce.tun_mtu_extra = positive_atoi(p[1]);
6083 options->ce.tun_mtu_extra_defined = true;
6084 }
6085 #ifdef ENABLE_FRAGMENT
6086 else if (streq(p[0], "mtu-dynamic"))
6087 {
6088 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6089 msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
6090 goto err;
6091 }
6092 else if (streq(p[0], "fragment") && p[1] && !p[2])
6093 {
6094 /* VERIFY_PERMISSION (OPT_P_MTU); */
6095 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6096 options->ce.fragment = positive_atoi(p[1]);
6097 }
6098 #endif
6099 else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
6100 {
6101 VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
6102 options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
6103 }
6104 else if (streq(p[0], "mtu-test") && !p[1])
6105 {
6106 VERIFY_PERMISSION(OPT_P_GENERAL);
6107 options->mtu_test = true;
6108 }
6109 else if (streq(p[0], "nice") && p[1] && !p[2])
6110 {
6111 VERIFY_PERMISSION(OPT_P_NICE);
6112 options->nice = atoi(p[1]);
6113 }
6114 else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
6115 {
6116 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6117 options->rcvbuf = positive_atoi(p[1]);
6118 }
6119 else if (streq(p[0], "sndbuf") && p[1] && !p[2])
6120 {
6121 VERIFY_PERMISSION(OPT_P_SOCKBUF);
6122 options->sndbuf = positive_atoi(p[1]);
6123 }
6124 else if (streq(p[0], "mark") && p[1] && !p[2])
6125 {
6126 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
6127 VERIFY_PERMISSION(OPT_P_GENERAL);
6128 options->mark = atoi(p[1]);
6129 #endif
6130 }
6131 else if (streq(p[0], "socket-flags"))
6132 {
6133 int j;
6134 VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
6135 for (j = 1; j < MAX_PARMS && p[j]; ++j)
6136 {
6137 if (streq(p[j], "TCP_NODELAY"))
6138 {
6139 options->sockflags |= SF_TCP_NODELAY;
6140 }
6141 else
6142 {
6143 msg(msglevel, "unknown socket flag: %s", p[j]);
6144 }
6145 }
6146 }
6147 #ifdef TARGET_LINUX
6148 else if (streq (p[0], "bind-dev") && p[1])
6149 {
6150 VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
6151 options->bind_dev = p[1];
6152 }
6153 #endif
6154 else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
6155 {
6156 VERIFY_PERMISSION(OPT_P_GENERAL);
6157 #ifdef TARGET_LINUX
6158 options->tuntap_options.txqueuelen = positive_atoi(p[1]);
6159 #else
6160 msg(msglevel, "--txqueuelen not supported on this OS");
6161 goto err;
6162 #endif
6163 }
6164 else if (streq(p[0], "shaper") && p[1] && !p[2])
6165 {
6166 int shaper;
6167
6168 VERIFY_PERMISSION(OPT_P_SHAPER);
6169 shaper = atoi(p[1]);
6170 if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
6171 {
6172 msg(msglevel, "Bad shaper value, must be between %d and %d",
6173 SHAPER_MIN, SHAPER_MAX);
6174 goto err;
6175 }
6176 options->shaper = shaper;
6177 }
6178 else if (streq(p[0], "port") && p[1] && !p[2])
6179 {
6180 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6181 options->ce.local_port = options->ce.remote_port = p[1];
6182 }
6183 else if (streq(p[0], "lport") && p[1] && !p[2])
6184 {
6185 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6186 options->ce.local_port_defined = true;
6187 options->ce.local_port = p[1];
6188 }
6189 else if (streq(p[0], "rport") && p[1] && !p[2])
6190 {
6191 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6192 options->ce.remote_port = p[1];
6193 }
6194 else if (streq(p[0], "bind") && !p[2])
6195 {
6196 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6197 options->ce.bind_defined = true;
6198 if (p[1] && streq(p[1], "ipv6only"))
6199 {
6200 options->ce.bind_ipv6_only = true;
6201 }
6202
6203 }
6204 else if (streq(p[0], "nobind") && !p[1])
6205 {
6206 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6207 options->ce.bind_local = false;
6208 }
6209 else if (streq(p[0], "fast-io") && !p[1])
6210 {
6211 VERIFY_PERMISSION(OPT_P_GENERAL);
6212 options->fast_io = true;
6213 }
6214 else if (streq(p[0], "inactive") && p[1] && !p[3])
6215 {
6216 VERIFY_PERMISSION(OPT_P_TIMER);
6217 options->inactivity_timeout = positive_atoi(p[1]);
6218 if (p[2])
6219 {
6220 options->inactivity_minimum_bytes = positive_atoi(p[2]);
6221 }
6222 }
6223 else if (streq(p[0], "proto") && p[1] && !p[2])
6224 {
6225 int proto;
6226 sa_family_t af;
6227 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6228 proto = ascii2proto(p[1]);
6229 af = ascii2af(p[1]);
6230 if (proto < 0)
6231 {
6232 msg(msglevel,
6233 "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
6234 p[1],
6235 proto2ascii_all(&gc));
6236 goto err;
6237 }
6238 options->ce.proto = proto;
6239 options->ce.af = af;
6240 }
6241 else if (streq(p[0], "proto-force") && p[1] && !p[2])
6242 {
6243 int proto_force;
6244 VERIFY_PERMISSION(OPT_P_GENERAL);
6245 proto_force = ascii2proto(p[1]);
6246 if (proto_force < 0)
6247 {
6248 msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
6249 goto err;
6250 }
6251 options->proto_force = proto_force;
6252 }
6253 else if (streq(p[0], "http-proxy") && p[1] && !p[5])
6254 {
6255 struct http_proxy_options *ho;
6256
6257 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6258
6259 {
6260 if (!p[2])
6261 {
6262 msg(msglevel, "http-proxy port number not defined");
6263 goto err;
6264 }
6265
6266 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6267
6268 ho->server = p[1];
6269 ho->port = p[2];
6270 }
6271
6272 if (p[3])
6273 {
6274 /* auto -- try to figure out proxy addr, port, and type automatically */
6275 /* semiauto -- given proxy addr:port, try to figure out type automatically */
6276 /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6277 if (streq(p[3], "auto"))
6278 {
6279 ho->auth_retry = PAR_ALL;
6280 }
6281 else if (streq(p[3], "auto-nct"))
6282 {
6283 ho->auth_retry = PAR_NCT;
6284 }
6285 else
6286 {
6287 ho->auth_method_string = "basic";
6288 ho->auth_file = p[3];
6289
6290 if (p[4])
6291 {
6292 ho->auth_method_string = p[4];
6293 }
6294 }
6295 }
6296 else
6297 {
6298 ho->auth_method_string = "none";
6299 }
6300 }
6301 else if (streq(p[0], "http-proxy-user-pass") && p[1])
6302 {
6303 struct http_proxy_options *ho;
6304 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
6305 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6306 ho->auth_file = p[1];
6307 ho->inline_creds = is_inline;
6308 }
6309 else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
6310 {
6311 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6312 msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6313 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6314 "Use connect-retry-max 1 to get a similar behavior as before.");
6315 }
6316 else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
6317 {
6318 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6319 msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6320 "server is established is managed with a single timeout set by connect-timeout");
6321 }
6322 else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
6323 {
6324 struct http_proxy_options *ho;
6325
6326 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6327 ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
6328
6329 if (streq(p[1], "VERSION") && p[2] && !p[3])
6330 {
6331 ho->http_version = p[2];
6332 }
6333 else if (streq(p[1], "AGENT") && p[2] && !p[3])
6334 {
6335 ho->user_agent = p[2];
6336 }
6337 else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
6338 && p[2])
6339 {
6340 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6341 * with either two argument or one */
6342
6343 struct http_custom_header *custom_header = NULL;
6344 int i;
6345 /* Find the first free header */
6346 for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
6347 {
6348 if (!ho->custom_headers[i].name)
6349 {
6350 custom_header = &ho->custom_headers[i];
6351 break;
6352 }
6353 }
6354 if (!custom_header)
6355 {
6356 msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
6357 }
6358 else
6359 {
6360 /* We will save p[2] and p[3], the proxy code will detect if
6361 * p[3] is NULL */
6362 custom_header->name = p[2];
6363 custom_header->content = p[3];
6364 }
6365 }
6366 else
6367 {
6368 msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
6369 }
6370 }
6371 else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
6372 {
6373 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6374
6375 if (p[2])
6376 {
6377 options->ce.socks_proxy_port = p[2];
6378 }
6379 else
6380 {
6381 options->ce.socks_proxy_port = "1080";
6382 }
6383 options->ce.socks_proxy_server = p[1];
6384 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
6385 }
6386 else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
6387 {
6388 VERIFY_PERMISSION(OPT_P_GENERAL);
6389 options->keepalive_ping = atoi(p[1]);
6390 options->keepalive_timeout = atoi(p[2]);
6391 }
6392 else if (streq(p[0], "ping") && p[1] && !p[2])
6393 {
6394 VERIFY_PERMISSION(OPT_P_TIMER);
6395 options->ping_send_timeout = positive_atoi(p[1]);
6396 }
6397 else if (streq(p[0], "ping-exit") && p[1] && !p[2])
6398 {
6399 VERIFY_PERMISSION(OPT_P_TIMER);
6400 options->ping_rec_timeout = positive_atoi(p[1]);
6401 options->ping_rec_timeout_action = PING_EXIT;
6402 }
6403 else if (streq(p[0], "ping-restart") && p[1] && !p[2])
6404 {
6405 VERIFY_PERMISSION(OPT_P_TIMER);
6406 options->ping_rec_timeout = positive_atoi(p[1]);
6407 options->ping_rec_timeout_action = PING_RESTART;
6408 }
6409 else if (streq(p[0], "ping-timer-rem") && !p[1])
6410 {
6411 VERIFY_PERMISSION(OPT_P_TIMER);
6412 options->ping_timer_remote = true;
6413 }
6414 else if (streq(p[0], "explicit-exit-notify") && !p[2])
6415 {
6416 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
6417 if (p[1])
6418 {
6419 options->ce.explicit_exit_notification = positive_atoi(p[1]);
6420 }
6421 else
6422 {
6423 options->ce.explicit_exit_notification = 1;
6424 }
6425 }
6426 else if (streq(p[0], "persist-tun") && !p[1])
6427 {
6428 VERIFY_PERMISSION(OPT_P_PERSIST);
6429 options->persist_tun = true;
6430 }
6431 else if (streq(p[0], "persist-key") && !p[1])
6432 {
6433 VERIFY_PERMISSION(OPT_P_PERSIST);
6434 options->persist_key = true;
6435 }
6436 else if (streq(p[0], "persist-local-ip") && !p[1])
6437 {
6438 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6439 options->persist_local_ip = true;
6440 }
6441 else if (streq(p[0], "persist-remote-ip") && !p[1])
6442 {
6443 VERIFY_PERMISSION(OPT_P_PERSIST_IP);
6444 options->persist_remote_ip = true;
6445 }
6446 else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
6447 {
6448 VERIFY_PERMISSION(OPT_P_ROUTE);
6449 cnol_check_alloc(options);
6450 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
6451 }
6452 else if (streq(p[0], "route") && p[1] && !p[5])
6453 {
6454 VERIFY_PERMISSION(OPT_P_ROUTE);
6455 rol_check_alloc(options);
6456 if (pull_mode)
6457 {
6458 if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
6459 {
6460 msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
6461 goto err;
6462 }
6463 if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
6464 {
6465 msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
6466 goto err;
6467 }
6468 if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
6469 {
6470 msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
6471 goto err;
6472 }
6473 }
6474 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
6475 }
6476 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
6477 {
6478 VERIFY_PERMISSION(OPT_P_ROUTE);
6479 rol6_check_alloc(options);
6480 if (pull_mode)
6481 {
6482 if (!ipv6_addr_safe_hexplusbits(p[1]))
6483 {
6484 msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
6485 goto err;
6486 }
6487 if (p[2] && !ipv6_addr_safe(p[2]))
6488 {
6489 msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
6490 goto err;
6491 }
6492 /* p[3] is metric, if present */
6493 }
6494 add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]);
6495 }
6496 else if (streq(p[0], "max-routes") && !p[2])
6497 {
6498 msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
6499 "The number of routes is unlimited as of OpenVPN 2.4. "
6500 "This option will be removed in a future version, "
6501 "please remove it from your configuration.");
6502 }
6503 else if (streq(p[0], "route-gateway") && p[1] && !p[2])
6504 {
6505 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6506 if (streq(p[1], "dhcp"))
6507 {
6508 options->route_gateway_via_dhcp = true;
6509 }
6510 else
6511 {
6512 if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
6513 {
6514 options->route_default_gateway = p[1];
6515 }
6516 else
6517 {
6518 msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
6519 goto err;
6520 }
6521 }
6522 }
6523 else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2])
6524 {
6525 if (ipv6_addr_safe(p[1]))
6526 {
6527 options->route_ipv6_default_gateway = p[1];
6528 }
6529 else
6530 {
6531 msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]);
6532 goto err;
6533 }
6534 }
6535 else if (streq(p[0], "route-metric") && p[1] && !p[2])
6536 {
6537 VERIFY_PERMISSION(OPT_P_ROUTE);
6538 options->route_default_metric = positive_atoi(p[1]);
6539 }
6540 else if (streq(p[0], "route-delay") && !p[3])
6541 {
6542 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
6543 options->route_delay_defined = true;
6544 if (p[1])
6545 {
6546 options->route_delay = positive_atoi(p[1]);
6547 if (p[2])
6548 {
6549 options->route_delay_window = positive_atoi(p[2]);
6550 }
6551 }
6552 else
6553 {
6554 options->route_delay = 0;
6555 }
6556 }
6557 else if (streq(p[0], "route-up") && p[1])
6558 {
6559 VERIFY_PERMISSION(OPT_P_SCRIPT);
6560 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6561 {
6562 goto err;
6563 }
6564 set_user_script(options, &options->route_script, p[1], "route-up", false);
6565 }
6566 else if (streq(p[0], "route-pre-down") && p[1])
6567 {
6568 VERIFY_PERMISSION(OPT_P_SCRIPT);
6569 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
6570 {
6571 goto err;
6572 }
6573 set_user_script(options,
6574 &options->route_predown_script,
6575 p[1],
6576 "route-pre-down", true);
6577 }
6578 else if (streq(p[0], "route-noexec") && !p[1])
6579 {
6580 VERIFY_PERMISSION(OPT_P_SCRIPT);
6581 options->route_noexec = true;
6582 }
6583 else if (streq(p[0], "route-nopull") && !p[1])
6584 {
6585 VERIFY_PERMISSION(OPT_P_GENERAL);
6586 options->route_nopull = true;
6587 }
6588 else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
6589 {
6590 struct pull_filter *f;
6591 VERIFY_PERMISSION(OPT_P_GENERAL)
6592 f = alloc_pull_filter(options, msglevel);
6593
6594 if (strcmp("accept", p[1]) == 0)
6595 {
6596 f->type = PUF_TYPE_ACCEPT;
6597 }
6598 else if (strcmp("ignore", p[1]) == 0)
6599 {
6600 f->type = PUF_TYPE_IGNORE;
6601 }
6602 else if (strcmp("reject", p[1]) == 0)
6603 {
6604 f->type = PUF_TYPE_REJECT;
6605 }
6606 else
6607 {
6608 msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
6609 goto err;
6610 }
6611 f->pattern = p[2];
6612 f->size = strlen(p[2]);
6613 }
6614 else if (streq(p[0], "allow-pull-fqdn") && !p[1])
6615 {
6616 VERIFY_PERMISSION(OPT_P_GENERAL);
6617 options->allow_pull_fqdn = true;
6618 }
6619 else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
6620 {
6621 int j;
6622 VERIFY_PERMISSION(OPT_P_ROUTE);
6623 rol_check_alloc(options);
6624
6625 if (options->routes->flags & RG_ENABLE)
6626 {
6627 msg(M_WARN,
6628 "WARNING: You have specified redirect-gateway and "
6629 "redirect-private at the same time (or the same option "
6630 "multiple times). This is not well supported and may lead to "
6631 "unexpected results");
6632 }
6633
6634 options->routes->flags |= RG_ENABLE;
6635
6636 if (streq(p[0], "redirect-gateway"))
6637 {
6638 options->routes->flags |= RG_REROUTE_GW;
6639 }
6640 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
6641 {
6642 if (streq(p[j], "local"))
6643 {
6644 options->routes->flags |= RG_LOCAL;
6645 }
6646 else if (streq(p[j], "autolocal"))
6647 {
6648 options->routes->flags |= RG_AUTO_LOCAL;
6649 }
6650 else if (streq(p[j], "def1"))
6651 {
6652 options->routes->flags |= RG_DEF1;
6653 }
6654 else if (streq(p[j], "bypass-dhcp"))
6655 {
6656 options->routes->flags |= RG_BYPASS_DHCP;
6657 }
6658 else if (streq(p[j], "bypass-dns"))
6659 {
6660 options->routes->flags |= RG_BYPASS_DNS;
6661 }
6662 else if (streq(p[j], "block-local"))
6663 {
6664 options->routes->flags |= RG_BLOCK_LOCAL;
6665 }
6666 else if (streq(p[j], "ipv6"))
6667 {
6668 rol6_check_alloc(options);
6669 options->routes_ipv6->flags |= RG_REROUTE_GW;
6670 }
6671 else if (streq(p[j], "!ipv4"))
6672 {
6673 options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE);
6674 }
6675 else
6676 {
6677 msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
6678 goto err;
6679 }
6680 }
6681 #ifdef _WIN32
6682 /* we need this here to handle pushed --redirect-gateway */
6683 remap_redirect_gateway_flags(options);
6684 #endif
6685 }
6686 else if (streq(p[0], "block-ipv6") && !p[1])
6687 {
6688 VERIFY_PERMISSION(OPT_P_ROUTE);
6689 options->block_ipv6 = true;
6690 }
6691 else if (streq(p[0], "remote-random-hostname") && !p[1])
6692 {
6693 VERIFY_PERMISSION(OPT_P_GENERAL);
6694 options->sockflags |= SF_HOST_RANDOMIZE;
6695 }
6696 else if (streq(p[0], "setenv") && p[1] && !p[3])
6697 {
6698 VERIFY_PERMISSION(OPT_P_GENERAL);
6699 if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
6700 {
6701 options->sockflags |= SF_HOST_RANDOMIZE;
6702 }
6703 else if (streq(p[1], "GENERIC_CONFIG"))
6704 {
6705 msg(msglevel, "this is a generic configuration and cannot directly be used");
6706 goto err;
6707 }
6708 else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
6709 {
6710 options->push_peer_info = true;
6711 }
6712 else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
6713 {
6714 options->ce.connect_timeout = positive_atoi(p[2]);
6715 }
6716 else
6717 {
6718 if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
6719 {
6720 options->forward_compatible = true;
6721 msglevel_fc = msglevel_forward_compatible(options, msglevel);
6722 }
6723 setenv_str(es, p[1], p[2] ? p[2] : "");
6724 }
6725 }
6726 else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
6727 {
6728 VERIFY_PERMISSION(OPT_P_SETENV);
6729 setenv_str_safe(es, p[1], p[2] ? p[2] : "");
6730 }
6731 else if (streq(p[0], "script-security") && p[1] && !p[2])
6732 {
6733 VERIFY_PERMISSION(OPT_P_GENERAL);
6734 script_security_set(atoi(p[1]));
6735 }
6736 else if (streq(p[0], "mssfix") && !p[2])
6737 {
6738 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
6739 if (p[1])
6740 {
6741 options->ce.mssfix = positive_atoi(p[1]);
6742 }
6743 else
6744 {
6745 options->ce.mssfix_default = true;
6746 }
6747
6748 }
6749 else if (streq(p[0], "disable-occ") && !p[1])
6750 {
6751 VERIFY_PERMISSION(OPT_P_GENERAL);
6752 options->occ = false;
6753 }
6754 else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
6755 {
6756 const int lev = M_WARN;
6757 bool error = false;
6758 in_addr_t network, netmask;
6759
6760 VERIFY_PERMISSION(OPT_P_GENERAL);
6761 network = get_ip_addr(p[1], lev, &error);
6762 netmask = get_ip_addr(p[2], lev, &error);
6763 if (error || !network || !netmask)
6764 {
6765 msg(msglevel, "error parsing --server parameters");
6766 goto err;
6767 }
6768 options->server_defined = true;
6769 options->server_network = network;
6770 options->server_netmask = netmask;
6771
6772 if (p[3])
6773 {
6774 if (streq(p[3], "nopool"))
6775 {
6776 options->server_flags |= SF_NOPOOL;
6777 }
6778 else
6779 {
6780 msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
6781 goto err;
6782 }
6783 }
6784 }
6785 else if (streq(p[0], "server-ipv6") && p[1] && !p[3])
6786 {
6787 const int lev = M_WARN;
6788 struct in6_addr network;
6789 unsigned int netbits = 0;
6790
6791 VERIFY_PERMISSION(OPT_P_GENERAL);
6792 if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
6793 {
6794 msg(msglevel, "error parsing --server-ipv6 parameter");
6795 goto err;
6796 }
6797 if (netbits < 64 || netbits > 124)
6798 {
6799 msg(msglevel,
6800 "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
6801 netbits);
6802
6803 goto err;
6804 }
6805 options->server_ipv6_defined = true;
6806 options->server_network_ipv6 = network;
6807 options->server_netbits_ipv6 = netbits;
6808
6809 if (p[2]) /* no "nopool" options or similar for IPv6 */
6810 {
6811 msg(msglevel, "error parsing --server-ipv6: %s is not a recognized flag", p[3]);
6812 goto err;
6813 }
6814 }
6815 else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
6816 {
6817 const int lev = M_WARN;
6818 bool error = false;
6819 in_addr_t ip, netmask, pool_start, pool_end;
6820
6821 VERIFY_PERMISSION(OPT_P_GENERAL);
6822 ip = get_ip_addr(p[1], lev, &error);
6823 netmask = get_ip_addr(p[2], lev, &error);
6824 pool_start = get_ip_addr(p[3], lev, &error);
6825 pool_end = get_ip_addr(p[4], lev, &error);
6826 if (error || !ip || !netmask || !pool_start || !pool_end)
6827 {
6828 msg(msglevel, "error parsing --server-bridge parameters");
6829 goto err;
6830 }
6831 options->server_bridge_defined = true;
6832 options->server_bridge_ip = ip;
6833 options->server_bridge_netmask = netmask;
6834 options->server_bridge_pool_start = pool_start;
6835 options->server_bridge_pool_end = pool_end;
6836 }
6837 else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
6838 {
6839 VERIFY_PERMISSION(OPT_P_GENERAL);
6840 options->server_bridge_proxy_dhcp = true;
6841 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
6842 }
6843 else if (streq(p[0], "server-bridge") && !p[1])
6844 {
6845 VERIFY_PERMISSION(OPT_P_GENERAL);
6846 options->server_bridge_proxy_dhcp = true;
6847 }
6848 else if (streq(p[0], "push") && p[1] && !p[2])
6849 {
6850 VERIFY_PERMISSION(OPT_P_PUSH);
6851 push_options(options, &p[1], msglevel, &options->gc);
6852 }
6853 else if (streq(p[0], "push-reset") && !p[1])
6854 {
6855 VERIFY_PERMISSION(OPT_P_INSTANCE);
6856 push_reset(options);
6857 }
6858 else if (streq(p[0], "push-remove") && p[1] && !p[2])
6859 {
6860 VERIFY_PERMISSION(OPT_P_INSTANCE);
6861 msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
6862 push_remove_option(options,p[1]);
6863 }
6864 else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
6865 {
6866 const int lev = M_WARN;
6867 bool error = false;
6868 in_addr_t start, end, netmask = 0;
6869
6870 VERIFY_PERMISSION(OPT_P_GENERAL);
6871 start = get_ip_addr(p[1], lev, &error);
6872 end = get_ip_addr(p[2], lev, &error);
6873 if (p[3])
6874 {
6875 netmask = get_ip_addr(p[3], lev, &error);
6876 }
6877 if (error)
6878 {
6879 msg(msglevel, "error parsing --ifconfig-pool parameters");
6880 goto err;
6881 }
6882 if (!ifconfig_pool_verify_range(msglevel, start, end))
6883 {
6884 goto err;
6885 }
6886
6887 options->ifconfig_pool_defined = true;
6888 options->ifconfig_pool_start = start;
6889 options->ifconfig_pool_end = end;
6890 if (netmask)
6891 {
6892 options->ifconfig_pool_netmask = netmask;
6893 }
6894 }
6895 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
6896 {
6897 VERIFY_PERMISSION(OPT_P_GENERAL);
6898 options->ifconfig_pool_persist_filename = p[1];
6899 if (p[2])
6900 {
6901 options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2]);
6902 }
6903 }
6904 else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
6905 {
6906 const int lev = M_WARN;
6907 struct in6_addr network;
6908 unsigned int netbits = 0;
6909
6910 VERIFY_PERMISSION(OPT_P_GENERAL);
6911 if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
6912 {
6913 msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
6914 goto err;
6915 }
6916 if (netbits < 64 || netbits > 124)
6917 {
6918 msg(msglevel,
6919 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
6920 netbits);
6921 goto err;
6922 }
6923
6924 options->ifconfig_ipv6_pool_defined = true;
6925 options->ifconfig_ipv6_pool_base = network;
6926 options->ifconfig_ipv6_pool_netbits = netbits;
6927 }
6928 else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
6929 {
6930 int real, virtual;
6931
6932 VERIFY_PERMISSION(OPT_P_GENERAL);
6933 real = atoi(p[1]);
6934 virtual = atoi(p[2]);
6935 if (real < 1 || virtual < 1)
6936 {
6937 msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
6938 goto err;
6939 }
6940 options->real_hash_size = real;
6941 options->virtual_hash_size = real;
6942 }
6943 else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
6944 {
6945 int cf_max, cf_per;
6946
6947 VERIFY_PERMISSION(OPT_P_GENERAL);
6948 cf_max = atoi(p[1]);
6949 cf_per = atoi(p[2]);
6950 if (cf_max < 0 || cf_per < 0)
6951 {
6952 msg(msglevel, "--connect-freq parms must be > 0");
6953 goto err;
6954 }
6955 options->cf_max = cf_max;
6956 options->cf_per = cf_per;
6957 }
6958 else if (streq(p[0], "max-clients") && p[1] && !p[2])
6959 {
6960 int max_clients;
6961
6962 VERIFY_PERMISSION(OPT_P_GENERAL);
6963 max_clients = atoi(p[1]);
6964 if (max_clients < 0)
6965 {
6966 msg(msglevel, "--max-clients must be at least 1");
6967 goto err;
6968 }
6969 if (max_clients >= MAX_PEER_ID) /* max peer-id value */
6970 {
6971 msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
6972 goto err;
6973 }
6974 options->max_clients = max_clients;
6975 }
6976 else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
6977 {
6978 VERIFY_PERMISSION(OPT_P_INHERIT);
6979 options->max_routes_per_client = max_int(atoi(p[1]), 1);
6980 }
6981 else if (streq(p[0], "client-cert-not-required") && !p[1])
6982 {
6983 VERIFY_PERMISSION(OPT_P_GENERAL);
6984 msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
6985 }
6986 else if (streq(p[0], "verify-client-cert") && !p[2])
6987 {
6988 VERIFY_PERMISSION(OPT_P_GENERAL);
6989
6990 /* Reset any existing flags */
6991 options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
6992 options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
6993 if (p[1])
6994 {
6995 if (streq(p[1], "none"))
6996 {
6997 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
6998 }
6999 else if (streq(p[1], "optional"))
7000 {
7001 options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
7002 }
7003 else if (!streq(p[1], "require"))
7004 {
7005 msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7006 goto err;
7007 }
7008 }
7009 }
7010 else if (streq(p[0], "username-as-common-name") && !p[1])
7011 {
7012 VERIFY_PERMISSION(OPT_P_GENERAL);
7013 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
7014 }
7015 else if (streq(p[0], "auth-user-pass-optional") && !p[1])
7016 {
7017 VERIFY_PERMISSION(OPT_P_GENERAL);
7018 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
7019 }
7020 else if (streq(p[0], "opt-verify") && !p[1])
7021 {
7022 VERIFY_PERMISSION(OPT_P_GENERAL);
7023 options->ssl_flags |= SSLF_OPT_VERIFY;
7024 }
7025 else if (streq(p[0], "auth-user-pass-verify") && p[1])
7026 {
7027 VERIFY_PERMISSION(OPT_P_SCRIPT);
7028 if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
7029 {
7030 goto err;
7031 }
7032 if (p[2])
7033 {
7034 if (streq(p[2], "via-env"))
7035 {
7036 options->auth_user_pass_verify_script_via_file = false;
7037 }
7038 else if (streq(p[2], "via-file"))
7039 {
7040 options->auth_user_pass_verify_script_via_file = true;
7041 }
7042 else
7043 {
7044 msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7045 goto err;
7046 }
7047 }
7048 else
7049 {
7050 msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7051 goto err;
7052 }
7053 set_user_script(options,
7054 &options->auth_user_pass_verify_script,
7055 p[1], "auth-user-pass-verify", true);
7056 }
7057 else if (streq(p[0], "auth-gen-token") && !p[3])
7058 {
7059 VERIFY_PERMISSION(OPT_P_GENERAL);
7060 options->auth_token_generate = true;
7061 options->auth_token_lifetime = p[1] ? positive_atoi(p[1]) : 0;
7062 if (p[2])
7063 {
7064 if (streq(p[2], "external-auth"))
7065 {
7066 options->auth_token_call_auth = true;
7067 }
7068 else
7069 {
7070 msg(msglevel, "Invalid argument to auth-gen-token: %s", p[2]);
7071 }
7072 }
7073
7074 }
7075 else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2])
7076 {
7077 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7078 options->auth_token_secret_file = p[1];
7079 options->auth_token_secret_file_inline = is_inline;
7080
7081 }
7082 else if (streq(p[0], "client-connect") && p[1])
7083 {
7084 VERIFY_PERMISSION(OPT_P_SCRIPT);
7085 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7086 {
7087 goto err;
7088 }
7089 set_user_script(options, &options->client_connect_script,
7090 p[1], "client-connect", true);
7091 }
7092 else if (streq(p[0], "client-disconnect") && p[1])
7093 {
7094 VERIFY_PERMISSION(OPT_P_SCRIPT);
7095 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7096 {
7097 goto err;
7098 }
7099 set_user_script(options, &options->client_disconnect_script,
7100 p[1], "client-disconnect", true);
7101 }
7102 else if (streq(p[0], "learn-address") && p[1])
7103 {
7104 VERIFY_PERMISSION(OPT_P_SCRIPT);
7105 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
7106 {
7107 goto err;
7108 }
7109 set_user_script(options, &options->learn_address_script,
7110 p[1], "learn-address", true);
7111 }
7112 else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
7113 {
7114 VERIFY_PERMISSION(OPT_P_GENERAL);
7115 options->tmp_dir = p[1];
7116 }
7117 else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
7118 {
7119 VERIFY_PERMISSION(OPT_P_GENERAL);
7120 options->client_config_dir = p[1];
7121 }
7122 else if (streq(p[0], "ccd-exclusive") && !p[1])
7123 {
7124 VERIFY_PERMISSION(OPT_P_GENERAL);
7125 options->ccd_exclusive = true;
7126 }
7127 else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
7128 {
7129 int n_bcast_buf;
7130
7131 VERIFY_PERMISSION(OPT_P_GENERAL);
7132 n_bcast_buf = atoi(p[1]);
7133 if (n_bcast_buf < 1)
7134 {
7135 msg(msglevel, "--bcast-buffers parameter must be > 0");
7136 }
7137 options->n_bcast_buf = n_bcast_buf;
7138 }
7139 else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
7140 {
7141 int tcp_queue_limit;
7142
7143 VERIFY_PERMISSION(OPT_P_GENERAL);
7144 tcp_queue_limit = atoi(p[1]);
7145 if (tcp_queue_limit < 1)
7146 {
7147 msg(msglevel, "--tcp-queue-limit parameter must be > 0");
7148 }
7149 options->tcp_queue_limit = tcp_queue_limit;
7150 }
7151 #if PORT_SHARE
7152 else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
7153 {
7154 VERIFY_PERMISSION(OPT_P_GENERAL);
7155 options->port_share_host = p[1];
7156 options->port_share_port = p[2];
7157 options->port_share_journal_dir = p[3];
7158 }
7159 #endif
7160 else if (streq(p[0], "client-to-client") && !p[1])
7161 {
7162 VERIFY_PERMISSION(OPT_P_GENERAL);
7163 options->enable_c2c = true;
7164 }
7165 else if (streq(p[0], "duplicate-cn") && !p[1])
7166 {
7167 VERIFY_PERMISSION(OPT_P_GENERAL);
7168 options->duplicate_cn = true;
7169 }
7170 else if (streq(p[0], "iroute") && p[1] && !p[3])
7171 {
7172 const char *netmask = NULL;
7173
7174 VERIFY_PERMISSION(OPT_P_INSTANCE);
7175 if (p[2])
7176 {
7177 netmask = p[2];
7178 }
7179 option_iroute(options, p[1], netmask, msglevel);
7180 }
7181 else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
7182 {
7183 VERIFY_PERMISSION(OPT_P_INSTANCE);
7184 option_iroute_ipv6(options, p[1], msglevel);
7185 }
7186 else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
7187 {
7188 in_addr_t local, remote_netmask;
7189
7190 VERIFY_PERMISSION(OPT_P_INSTANCE);
7191 local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7192 remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
7193 if (local && remote_netmask)
7194 {
7195 options->push_ifconfig_defined = true;
7196 options->push_ifconfig_local = local;
7197 options->push_ifconfig_remote_netmask = remote_netmask;
7198 if (p[3])
7199 {
7200 options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
7201 }
7202 }
7203 else
7204 {
7205 msg(msglevel, "cannot parse --ifconfig-push addresses");
7206 goto err;
7207 }
7208 }
7209 else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
7210 {
7211 in_addr_t network, netmask;
7212
7213 VERIFY_PERMISSION(OPT_P_GENERAL);
7214 network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
7215 netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
7216 if (network && netmask)
7217 {
7218 options->push_ifconfig_constraint_defined = true;
7219 options->push_ifconfig_constraint_network = network;
7220 options->push_ifconfig_constraint_netmask = netmask;
7221 }
7222 else
7223 {
7224 msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
7225 goto err;
7226 }
7227 }
7228 else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
7229 {
7230 struct in6_addr local, remote;
7231 unsigned int netbits;
7232
7233 VERIFY_PERMISSION(OPT_P_INSTANCE);
7234
7235 if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
7236 {
7237 msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7238 goto err;
7239 }
7240
7241 if (p[2])
7242 {
7243 if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
7244 {
7245 msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
7246 goto err;
7247 }
7248 }
7249 else
7250 {
7251 if (!options->ifconfig_ipv6_local
7252 || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
7253 NULL, msglevel ) )
7254 {
7255 msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7256 goto err;
7257 }
7258 }
7259
7260 options->push_ifconfig_ipv6_defined = true;
7261 options->push_ifconfig_ipv6_local = local;
7262 options->push_ifconfig_ipv6_netbits = netbits;
7263 options->push_ifconfig_ipv6_remote = remote;
7264 options->push_ifconfig_ipv6_blocked = false;
7265 }
7266 else if (streq(p[0], "disable") && !p[1])
7267 {
7268 VERIFY_PERMISSION(OPT_P_INSTANCE);
7269 options->disable = true;
7270 }
7271 else if (streq(p[0], "tcp-nodelay") && !p[1])
7272 {
7273 VERIFY_PERMISSION(OPT_P_GENERAL);
7274 options->server_flags |= SF_TCP_NODELAY_HELPER;
7275 }
7276 else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
7277 {
7278 int ageing_time, check_interval;
7279
7280 VERIFY_PERMISSION(OPT_P_GENERAL);
7281 ageing_time = atoi(p[1]);
7282 if (p[2])
7283 {
7284 check_interval = atoi(p[2]);
7285 }
7286 else
7287 {
7288 check_interval = ageing_time;
7289 }
7290
7291 if (ageing_time < 1 || check_interval < 1)
7292 {
7293 msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
7294 goto err;
7295 }
7296 options->stale_routes_ageing_time = ageing_time;
7297 options->stale_routes_check_interval = check_interval;
7298 }
7299
7300 else if (streq(p[0], "client") && !p[1])
7301 {
7302 VERIFY_PERMISSION(OPT_P_GENERAL);
7303 options->client = true;
7304 }
7305 else if (streq(p[0], "pull") && !p[1])
7306 {
7307 VERIFY_PERMISSION(OPT_P_GENERAL);
7308 options->pull = true;
7309 }
7310 else if (streq(p[0], "push-continuation") && p[1] && !p[2])
7311 {
7312 VERIFY_PERMISSION(OPT_P_PULL_MODE);
7313 options->push_continuation = atoi(p[1]);
7314 }
7315 else if (streq(p[0], "auth-user-pass") && !p[2])
7316 {
7317 VERIFY_PERMISSION(OPT_P_GENERAL);
7318 if (p[1])
7319 {
7320 options->auth_user_pass_file = p[1];
7321 }
7322 else
7323 {
7324 options->auth_user_pass_file = "stdin";
7325 }
7326 }
7327 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
7328 {
7329 VERIFY_PERMISSION(OPT_P_GENERAL);
7330 auth_retry_set(msglevel, p[1]);
7331 }
7332 #ifdef ENABLE_MANAGEMENT
7333 else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3])
7334 {
7335 VERIFY_PERMISSION(OPT_P_GENERAL);
7336 options->sc_info.challenge_text = p[1];
7337 if (atoi(p[2]))
7338 {
7339 options->sc_info.flags |= SC_ECHO;
7340 }
7341 }
7342 #endif
7343 else if (streq(p[0], "msg-channel") && p[1])
7344 {
7345 #ifdef _WIN32
7346 VERIFY_PERMISSION(OPT_P_GENERAL);
7347 HANDLE process = GetCurrentProcess();
7348 HANDLE handle = (HANDLE) atoll(p[1]);
7349 if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
7350 FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
7351 {
7352 msg(msglevel, "could not duplicate service pipe handle");
7353 goto err;
7354 }
7355 options->route_method = ROUTE_METHOD_SERVICE;
7356 #else /* ifdef _WIN32 */
7357 msg(msglevel, "--msg-channel is only supported on Windows");
7358 goto err;
7359 #endif
7360 }
7361 #ifdef _WIN32
7362 else if (streq(p[0], "win-sys") && p[1] && !p[2])
7363 {
7364 VERIFY_PERMISSION(OPT_P_GENERAL);
7365 if (streq(p[1], "env"))
7366 {
7367 msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3. "
7368 "This entry will now be ignored. "
7369 "Please remove this entry from your configuration file.");
7370 }
7371 else
7372 {
7373 set_win_sys_path(p[1], es);
7374 }
7375 }
7376 else if (streq(p[0], "route-method") && p[1] && !p[2])
7377 {
7378 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7379 if (streq(p[1], "adaptive"))
7380 {
7381 options->route_method = ROUTE_METHOD_ADAPTIVE;
7382 }
7383 else if (streq(p[1], "ipapi"))
7384 {
7385 options->route_method = ROUTE_METHOD_IPAPI;
7386 }
7387 else if (streq(p[1], "exe"))
7388 {
7389 options->route_method = ROUTE_METHOD_EXE;
7390 }
7391 else
7392 {
7393 msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
7394 goto err;
7395 }
7396 }
7397 else if (streq(p[0], "ip-win32") && p[1] && !p[4])
7398 {
7399 const int index = ascii2ipset(p[1]);
7400 struct tuntap_options *to = &options->tuntap_options;
7401
7402 VERIFY_PERMISSION(OPT_P_IPWIN32);
7403
7404 if (index < 0)
7405 {
7406 msg(msglevel,
7407 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
7408 p[1],
7409 ipset2ascii_all(&gc));
7410 goto err;
7411 }
7412
7413 if (index == IPW32_SET_ADAPTIVE)
7414 {
7415 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
7416 }
7417
7418 if (index == IPW32_SET_DHCP_MASQ)
7419 {
7420 if (p[2])
7421 {
7422 if (!streq(p[2], "default"))
7423 {
7424 int offset = atoi(p[2]);
7425
7426 if (!(offset > -256 && offset < 256))
7427 {
7428 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
7429 goto err;
7430 }
7431
7432 to->dhcp_masq_custom_offset = true;
7433 to->dhcp_masq_offset = offset;
7434 }
7435
7436 if (p[3])
7437 {
7438 const int min_lease = 30;
7439 int lease_time;
7440 lease_time = atoi(p[3]);
7441 if (lease_time < min_lease)
7442 {
7443 msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
7444 goto err;
7445 }
7446 to->dhcp_lease_time = lease_time;
7447 }
7448 }
7449 }
7450 to->ip_win32_type = index;
7451 to->ip_win32_defined = true;
7452 }
7453 #endif /* ifdef _WIN32 */
7454 #if defined(_WIN32) || defined(TARGET_ANDROID)
7455 else if (streq(p[0], "dhcp-option") && p[1])
7456 {
7457 struct tuntap_options *o = &options->tuntap_options;
7458 VERIFY_PERMISSION(OPT_P_IPWIN32);
7459 bool ipv6dns = false;
7460
7461 if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX"))
7462 && p[2] && !p[3])
7463 {
7464 o->domain = p[2];
7465 }
7466 else if (streq(p[1], "NBS") && p[2] && !p[3])
7467 {
7468 o->netbios_scope = p[2];
7469 }
7470 else if (streq(p[1], "NBT") && p[2] && !p[3])
7471 {
7472 int t;
7473 t = atoi(p[2]);
7474 if (!(t == 1 || t == 2 || t == 4 || t == 8))
7475 {
7476 msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
7477 goto err;
7478 }
7479 o->netbios_node_type = t;
7480 }
7481 else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
7482 && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
7483 {
7484 if (strstr(p[2], ":"))
7485 {
7486 ipv6dns = true;
7487 foreign_option(options, p, 3, es);
7488 dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
7489 }
7490 else
7491 {
7492 dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel);
7493 }
7494 }
7495 else if (streq(p[1], "WINS") && p[2] && !p[3])
7496 {
7497 dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
7498 }
7499 else if (streq(p[1], "NTP") && p[2] && !p[3])
7500 {
7501 dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
7502 }
7503 else if (streq(p[1], "NBDD") && p[2] && !p[3])
7504 {
7505 dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
7506 }
7507 else if (streq(p[1], "DOMAIN-SEARCH") && p[2] && !p[3])
7508 {
7509 if (o->domain_search_list_len < N_SEARCH_LIST_LEN)
7510 {
7511 o->domain_search_list[o->domain_search_list_len++] = p[2];
7512 }
7513 else
7514 {
7515 msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified",
7516 p[1], N_SEARCH_LIST_LEN);
7517 }
7518 }
7519 else if (streq(p[1], "DISABLE-NBT") && !p[2])
7520 {
7521 o->disable_nbt = 1;
7522 }
7523 #if defined(TARGET_ANDROID)
7524 else if (streq(p[1], "PROXY_HTTP") && p[3] && !p[4])
7525 {
7526 o->http_proxy_port = atoi(p[3]);
7527 o->http_proxy = p[2];
7528 }
7529 #endif
7530 else
7531 {
7532 msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
7533 goto err;
7534 }
7535
7536 /* flag that we have options to give to the TAP driver's DHCPv4 server
7537 * - skipped for "DNS6", as that's not a DHCPv4 option
7538 */
7539 if (!ipv6dns)
7540 {
7541 o->dhcp_options = true;
7542 }
7543 }
7544 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
7545 #ifdef _WIN32
7546 else if (streq(p[0], "show-adapters") && !p[1])
7547 {
7548 VERIFY_PERMISSION(OPT_P_GENERAL);
7549 show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
7550 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
7551 }
7552 else if (streq(p[0], "show-net") && !p[1])
7553 {
7554 VERIFY_PERMISSION(OPT_P_GENERAL);
7555 show_routes(M_INFO|M_NOPREFIX);
7556 show_adapters(M_INFO|M_NOPREFIX);
7557 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
7558 }
7559 else if (streq(p[0], "show-net-up") && !p[1])
7560 {
7561 VERIFY_PERMISSION(OPT_P_UP);
7562 options->show_net_up = true;
7563 }
7564 else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
7565 {
7566 int s;
7567 VERIFY_PERMISSION(OPT_P_IPWIN32);
7568 s = atoi(p[1]);
7569 if (s < 0 || s >= 256)
7570 {
7571 msg(msglevel, "--tap-sleep parameter must be between 0 and 255");
7572 goto err;
7573 }
7574 options->tuntap_options.tap_sleep = s;
7575 }
7576 else if (streq(p[0], "dhcp-renew") && !p[1])
7577 {
7578 VERIFY_PERMISSION(OPT_P_IPWIN32);
7579 options->tuntap_options.dhcp_renew = true;
7580 }
7581 else if (streq(p[0], "dhcp-pre-release") && !p[1])
7582 {
7583 VERIFY_PERMISSION(OPT_P_IPWIN32);
7584 options->tuntap_options.dhcp_pre_release = true;
7585 options->tuntap_options.dhcp_renew = true;
7586 }
7587 else if (streq(p[0], "dhcp-release") && !p[1])
7588 {
7589 msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
7590 }
7591 else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
7592 {
7593 unsigned int adapter_index;
7594 VERIFY_PERMISSION(OPT_P_GENERAL);
7595 set_debug_level(options->verbosity, SDL_CONSTRAIN);
7596 adapter_index = atou(p[1]);
7597 sleep(options->tuntap_options.tap_sleep);
7598 if (options->tuntap_options.dhcp_pre_release)
7599 {
7600 dhcp_release_by_adapter_index(adapter_index);
7601 }
7602 if (options->tuntap_options.dhcp_renew)
7603 {
7604 dhcp_renew_by_adapter_index(adapter_index);
7605 }
7606 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
7607 }
7608 else if (streq(p[0], "register-dns") && !p[1])
7609 {
7610 VERIFY_PERMISSION(OPT_P_IPWIN32);
7611 options->tuntap_options.register_dns = true;
7612 }
7613 else if (streq(p[0], "block-outside-dns") && !p[1])
7614 {
7615 VERIFY_PERMISSION(OPT_P_IPWIN32);
7616 options->block_outside_dns = true;
7617 }
7618 else if (streq(p[0], "rdns-internal") && !p[1])
7619 /* standalone method for internal use
7620 *
7621 * (if --register-dns is set, openvpn needs to call itself in a
7622 * sub-process to execute the required functions in a non-blocking
7623 * way, and uses --rdns-internal to signal that to itself)
7624 */
7625 {
7626 VERIFY_PERMISSION(OPT_P_GENERAL);
7627 set_debug_level(options->verbosity, SDL_CONSTRAIN);
7628 if (options->tuntap_options.register_dns)
7629 {
7630 ipconfig_register_dns(NULL);
7631 }
7632 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
7633 }
7634 else if (streq(p[0], "show-valid-subnets") && !p[1])
7635 {
7636 VERIFY_PERMISSION(OPT_P_GENERAL);
7637 show_valid_win32_tun_subnets();
7638 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
7639 }
7640 else if (streq(p[0], "pause-exit") && !p[1])
7641 {
7642 VERIFY_PERMISSION(OPT_P_GENERAL);
7643 set_pause_exit_win32();
7644 }
7645 else if (streq(p[0], "service") && p[1] && !p[3])
7646 {
7647 VERIFY_PERMISSION(OPT_P_GENERAL);
7648 options->exit_event_name = p[1];
7649 if (p[2])
7650 {
7651 options->exit_event_initial_state = (atoi(p[2]) != 0);
7652 }
7653 }
7654 else if (streq(p[0], "allow-nonadmin") && !p[2])
7655 {
7656 VERIFY_PERMISSION(OPT_P_GENERAL);
7657 tap_allow_nonadmin_access(p[1]);
7658 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
7659 }
7660 else if (streq(p[0], "user") && p[1] && !p[2])
7661 {
7662 VERIFY_PERMISSION(OPT_P_GENERAL);
7663 msg(M_WARN, "NOTE: --user option is not implemented on Windows");
7664 }
7665 else if (streq(p[0], "group") && p[1] && !p[2])
7666 {
7667 VERIFY_PERMISSION(OPT_P_GENERAL);
7668 msg(M_WARN, "NOTE: --group option is not implemented on Windows");
7669 }
7670 #else /* ifdef _WIN32 */
7671 else if (streq(p[0], "user") && p[1] && !p[2])
7672 {
7673 VERIFY_PERMISSION(OPT_P_GENERAL);
7674 options->username = p[1];
7675 }
7676 else if (streq(p[0], "group") && p[1] && !p[2])
7677 {
7678 VERIFY_PERMISSION(OPT_P_GENERAL);
7679 options->groupname = p[1];
7680 }
7681 else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
7682 {
7683 VERIFY_PERMISSION(OPT_P_IPWIN32);
7684 foreign_option(options, p, 3, es);
7685 }
7686 else if (streq(p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
7687 {
7688 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
7689 }
7690 #endif /* ifdef _WIN32 */
7691 #if PASSTOS_CAPABILITY
7692 else if (streq(p[0], "passtos") && !p[1])
7693 {
7694 VERIFY_PERMISSION(OPT_P_GENERAL);
7695 options->passtos = true;
7696 }
7697 #endif
7698 #if defined(USE_COMP)
7699 else if (streq(p[0], "allow-compression") && p[1] && !p[2])
7700 {
7701 VERIFY_PERMISSION(OPT_P_GENERAL);
7702
7703 if (streq(p[1], "no"))
7704 {
7705 options->comp.flags =
7706 COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY;
7707 if (comp_non_stub_enabled(&options->comp))
7708 {
7709 msg(msglevel, "'--allow-compression no' conflicts with "
7710 " enabling compression");
7711 }
7712 }
7713 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
7714 {
7715 /* Also printed on a push to hint at configuration problems */
7716 msg(msglevel, "Cannot set allow-compression to '%s' "
7717 "after set to 'no'", p[1]);
7718 goto err;
7719 }
7720 else if (streq(p[1], "asym"))
7721 {
7722 options->comp.flags &= ~COMP_F_ALLOW_COMPRESS;
7723 }
7724 else if (streq(p[1], "yes"))
7725 {
7726 msg(M_WARN, "WARNING: Compression for sending and receiving enabled. Compression has "
7727 "been used in the past to break encryption. Allowing compression allows "
7728 "attacks that break encryption. Using \"--allow-compression yes\" is "
7729 "strongly discouraged for common usage. See --compress in the manual "
7730 "page for more information ");
7731
7732 options->comp.flags |= COMP_F_ALLOW_COMPRESS;
7733 }
7734 else
7735 {
7736 msg(msglevel, "bad allow-compression option: %s -- "
7737 "must be 'yes', 'no', or 'asym'", p[1]);
7738 goto err;
7739 }
7740 }
7741 else if (streq(p[0], "comp-lzo") && !p[2])
7742 {
7743 VERIFY_PERMISSION(OPT_P_COMP);
7744
7745 /* All lzo variants do not use swap */
7746 options->comp.flags &= ~COMP_F_SWAP;
7747 #if defined(ENABLE_LZO)
7748 if (p[1] && streq(p[1], "no"))
7749 #endif
7750 {
7751 options->comp.alg = COMP_ALG_STUB;
7752 options->comp.flags &= ~COMP_F_ADAPTIVE;
7753 }
7754 #if defined(ENABLE_LZO)
7755 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
7756 {
7757 /* Also printed on a push to hint at configuration problems */
7758 msg(msglevel, "Cannot set comp-lzo to '%s', "
7759 "allow-compression is set to 'no'", p[1]);
7760 goto err;
7761 }
7762 else if (p[1])
7763 {
7764 if (streq(p[1], "yes"))
7765 {
7766 options->comp.alg = COMP_ALG_LZO;
7767 options->comp.flags &= ~COMP_F_ADAPTIVE;
7768 }
7769 else if (streq(p[1], "adaptive"))
7770 {
7771 options->comp.alg = COMP_ALG_LZO;
7772 options->comp.flags |= COMP_F_ADAPTIVE;
7773 }
7774 else
7775 {
7776 msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
7777 goto err;
7778 }
7779 }
7780 else
7781 {
7782 options->comp.alg = COMP_ALG_LZO;
7783 options->comp.flags |= COMP_F_ADAPTIVE;
7784 }
7785 show_compression_warning(&options->comp);
7786 #endif /* if defined(ENABLE_LZO) */
7787 }
7788 else if (streq(p[0], "comp-noadapt") && !p[1])
7789 {
7790 /*
7791 * We do not need to check here if we allow compression since
7792 * it only modifies a flag if compression is enabled
7793 */
7794 VERIFY_PERMISSION(OPT_P_COMP);
7795 options->comp.flags &= ~COMP_F_ADAPTIVE;
7796 }
7797 else if (streq(p[0], "compress") && !p[2])
7798 {
7799 VERIFY_PERMISSION(OPT_P_COMP);
7800 if (p[1])
7801 {
7802 if (streq(p[1], "stub"))
7803 {
7804 options->comp.alg = COMP_ALG_STUB;
7805 options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
7806 }
7807 else if (streq(p[1], "stub-v2"))
7808 {
7809 options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
7810 options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY;
7811 }
7812 else if (streq(p[1], "migrate"))
7813 {
7814 options->comp.alg = COMP_ALG_UNDEF;
7815 options->comp.flags = COMP_F_MIGRATE;
7816
7817 }
7818 else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY)
7819 {
7820 /* Also printed on a push to hint at configuration problems */
7821 msg(msglevel, "Cannot set compress to '%s', "
7822 "allow-compression is set to 'no'", p[1]);
7823 goto err;
7824 }
7825 #if defined(ENABLE_LZO)
7826 else if (streq(p[1], "lzo"))
7827 {
7828 options->comp.alg = COMP_ALG_LZO;
7829 options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP);
7830 }
7831 #endif
7832 #if defined(ENABLE_LZ4)
7833 else if (streq(p[1], "lz4"))
7834 {
7835 options->comp.alg = COMP_ALG_LZ4;
7836 options->comp.flags |= COMP_F_SWAP;
7837 }
7838 else if (streq(p[1], "lz4-v2"))
7839 {
7840 options->comp.alg = COMP_ALGV2_LZ4;
7841 }
7842 #endif
7843 else
7844 {
7845 msg(msglevel, "bad comp option: %s", p[1]);
7846 goto err;
7847 }
7848 }
7849 else
7850 {
7851 options->comp.alg = COMP_ALG_STUB;
7852 options->comp.flags |= COMP_F_SWAP;
7853 }
7854 show_compression_warning(&options->comp);
7855 }
7856 #endif /* USE_COMP */
7857 else if (streq(p[0], "show-ciphers") && !p[1])
7858 {
7859 VERIFY_PERMISSION(OPT_P_GENERAL);
7860 options->show_ciphers = true;
7861 }
7862 else if (streq(p[0], "show-digests") && !p[1])
7863 {
7864 VERIFY_PERMISSION(OPT_P_GENERAL);
7865 options->show_digests = true;
7866 }
7867 else if (streq(p[0], "show-engines") && !p[1])
7868 {
7869 VERIFY_PERMISSION(OPT_P_GENERAL);
7870 options->show_engines = true;
7871 }
7872 else if (streq(p[0], "key-direction") && p[1] && !p[2])
7873 {
7874 int key_direction;
7875
7876 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
7877
7878 key_direction = ascii2keydirection(msglevel, p[1]);
7879 if (key_direction >= 0)
7880 {
7881 if (permission_mask & OPT_P_GENERAL)
7882 {
7883 options->key_direction = key_direction;
7884 }
7885 else if (permission_mask & OPT_P_CONNECTION)
7886 {
7887 options->ce.key_direction = key_direction;
7888 }
7889 }
7890 else
7891 {
7892 goto err;
7893 }
7894 }
7895 else if (streq(p[0], "secret") && p[1] && !p[3])
7896 {
7897 msg(M_WARN, "DEPRECATED OPTION: The option --secret is deprecated.");
7898 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
7899 options->shared_secret_file = p[1];
7900 options->shared_secret_file_inline = is_inline;
7901 if (!is_inline && p[2])
7902 {
7903 int key_direction;
7904
7905 key_direction = ascii2keydirection(msglevel, p[2]);
7906 if (key_direction >= 0)
7907 {
7908 options->key_direction = key_direction;
7909 }
7910 else
7911 {
7912 goto err;
7913 }
7914 }
7915 }
7916 else if (streq(p[0], "genkey") && !p[4])
7917 {
7918 VERIFY_PERMISSION(OPT_P_GENERAL);
7919 options->genkey = true;
7920 if (!p[1])
7921 {
7922 options->genkey_type = GENKEY_SECRET;
7923 }
7924 else
7925 {
7926 if (streq(p[1], "secret") || streq(p[1], "tls-auth")
7927 || streq(p[1], "tls-crypt"))
7928 {
7929 options->genkey_type = GENKEY_SECRET;
7930 }
7931 else if (streq(p[1], "tls-crypt-v2-server"))
7932 {
7933 options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER;
7934 }
7935 else if (streq(p[1], "tls-crypt-v2-client"))
7936 {
7937 options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT;
7938 if (p[3])
7939 {
7940 options->genkey_extra_data = p[3];
7941 }
7942 }
7943 else if (streq(p[1], "auth-token"))
7944 {
7945 options->genkey_type = GENKEY_AUTH_TOKEN;
7946 }
7947 else
7948 {
7949 msg(msglevel, "unknown --genkey type: %s", p[1]);
7950 }
7951
7952 }
7953 if (p[2])
7954 {
7955 options->genkey_filename = p[2];
7956 }
7957 }
7958 else if (streq(p[0], "auth") && p[1] && !p[2])
7959 {
7960 VERIFY_PERMISSION(OPT_P_GENERAL);
7961 options->authname = p[1];
7962 }
7963 else if (streq(p[0], "cipher") && p[1] && !p[2])
7964 {
7965 VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
7966 options->ciphername = p[1];
7967 }
7968 else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2])
7969 {
7970 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
7971 options->ciphername = p[1];
7972 options->enable_ncp_fallback = true;
7973 }
7974 else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
7975 && p[1] && !p[2])
7976 {
7977 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
7978 if (streq(p[0], "ncp-ciphers"))
7979 {
7980 msg(M_INFO, "Note: Treating option '--ncp-ciphers' as "
7981 " '--data-ciphers' (renamed in OpenVPN 2.5).");
7982 }
7983 options->ncp_ciphers = p[1];
7984 }
7985 else if (streq(p[0], "key-derivation") && p[1])
7986 {
7987 VERIFY_PERMISSION(OPT_P_NCP)
7988 #ifdef HAVE_EXPORT_KEYING_MATERIAL
7989 if (streq(p[1], "tls-ekm"))
7990 {
7991 options->data_channel_crypto_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
7992 }
7993 else
7994 #endif
7995 {
7996 msg(msglevel, "Unknown key-derivation method %s", p[1]);
7997 }
7998 }
7999 else if (streq(p[0], "ncp-disable") && !p[1])
8000 {
8001 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8002 options->ncp_enabled = false;
8003 msg(M_WARN, "DEPRECATED OPTION: ncp-disable. Disabling "
8004 "cipher negotiation is a deprecated debug feature that "
8005 "will be removed in OpenVPN 2.6");
8006 }
8007 else if (streq(p[0], "prng") && p[1] && !p[3])
8008 {
8009 VERIFY_PERMISSION(OPT_P_GENERAL);
8010 if (streq(p[1], "none"))
8011 {
8012 options->prng_hash = NULL;
8013 }
8014 else
8015 {
8016 options->prng_hash = p[1];
8017 }
8018 if (p[2])
8019 {
8020 const int sl = atoi(p[2]);
8021 if (sl >= NONCE_SECRET_LEN_MIN && sl <= NONCE_SECRET_LEN_MAX)
8022 {
8023 options->prng_nonce_secret_len = sl;
8024 }
8025 else
8026 {
8027 msg(msglevel, "prng parameter nonce_secret_len must be between %d and %d",
8028 NONCE_SECRET_LEN_MIN, NONCE_SECRET_LEN_MAX);
8029 goto err;
8030 }
8031 }
8032 }
8033 else if (streq(p[0], "no-replay") && !p[1])
8034 {
8035 VERIFY_PERMISSION(OPT_P_GENERAL);
8036 options->replay = false;
8037 }
8038 else if (streq(p[0], "replay-window") && !p[3])
8039 {
8040 VERIFY_PERMISSION(OPT_P_GENERAL);
8041 if (p[1])
8042 {
8043 int replay_window;
8044
8045 replay_window = atoi(p[1]);
8046 if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
8047 {
8048 msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
8049 replay_window,
8050 MIN_SEQ_BACKTRACK,
8051 MAX_SEQ_BACKTRACK);
8052 goto err;
8053 }
8054 options->replay_window = replay_window;
8055
8056 if (p[2])
8057 {
8058 int replay_time;
8059
8060 replay_time = atoi(p[2]);
8061 if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
8062 {
8063 msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
8064 replay_time,
8065 MIN_TIME_BACKTRACK,
8066 MAX_TIME_BACKTRACK);
8067 goto err;
8068 }
8069 options->replay_time = replay_time;
8070 }
8071 }
8072 else
8073 {
8074 msg(msglevel, "replay-window option is missing window size parameter");
8075 goto err;
8076 }
8077 }
8078 else if (streq(p[0], "mute-replay-warnings") && !p[1])
8079 {
8080 VERIFY_PERMISSION(OPT_P_GENERAL);
8081 options->mute_replay_warnings = true;
8082 }
8083 else if (streq(p[0], "replay-persist") && p[1] && !p[2])
8084 {
8085 VERIFY_PERMISSION(OPT_P_GENERAL);
8086 options->packet_id_file = p[1];
8087 }
8088 else if (streq(p[0], "test-crypto") && !p[1])
8089 {
8090 VERIFY_PERMISSION(OPT_P_GENERAL);
8091 options->test_crypto = true;
8092 }
8093 #ifndef ENABLE_CRYPTO_MBEDTLS
8094 else if (streq(p[0], "engine") && !p[2])
8095 {
8096 VERIFY_PERMISSION(OPT_P_GENERAL);
8097 if (p[1])
8098 {
8099 options->engine = p[1];
8100 }
8101 else
8102 {
8103 options->engine = "auto";
8104 }
8105 }
8106 #endif /* ENABLE_CRYPTO_MBEDTLS */
8107 #ifdef ENABLE_PREDICTION_RESISTANCE
8108 else if (streq(p[0], "use-prediction-resistance") && !p[1])
8109 {
8110 VERIFY_PERMISSION(OPT_P_GENERAL);
8111 options->use_prediction_resistance = true;
8112 }
8113 #endif
8114 else if (streq(p[0], "show-tls") && !p[1])
8115 {
8116 VERIFY_PERMISSION(OPT_P_GENERAL);
8117 options->show_tls_ciphers = true;
8118 }
8119 else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1])
8120 {
8121 VERIFY_PERMISSION(OPT_P_GENERAL);
8122 options->show_curves = true;
8123 }
8124 else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
8125 {
8126 VERIFY_PERMISSION(OPT_P_GENERAL);
8127 msg(M_WARN, "Consider setting groups/curves preference with "
8128 "tls-groups instead of forcing a specific curve with "
8129 "ecdh-curve.");
8130 options->ecdh_curve = p[1];
8131 }
8132 else if (streq(p[0], "tls-server") && !p[1])
8133 {
8134 VERIFY_PERMISSION(OPT_P_GENERAL);
8135 options->tls_server = true;
8136 }
8137 else if (streq(p[0], "tls-client") && !p[1])
8138 {
8139 VERIFY_PERMISSION(OPT_P_GENERAL);
8140 options->tls_client = true;
8141 }
8142 else if (streq(p[0], "ca") && p[1] && !p[2])
8143 {
8144 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8145 options->ca_file = p[1];
8146 options->ca_file_inline = is_inline;
8147 }
8148 #ifndef ENABLE_CRYPTO_MBEDTLS
8149 else if (streq(p[0], "capath") && p[1] && !p[2])
8150 {
8151 VERIFY_PERMISSION(OPT_P_GENERAL);
8152 options->ca_path = p[1];
8153 }
8154 #endif /* ENABLE_CRYPTO_MBEDTLS */
8155 else if (streq(p[0], "dh") && p[1] && !p[2])
8156 {
8157 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8158 options->dh_file = p[1];
8159 options->dh_file_inline = is_inline;
8160 }
8161 else if (streq(p[0], "cert") && p[1] && !p[2])
8162 {
8163 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8164 options->cert_file = p[1];
8165 options->cert_file_inline = is_inline;
8166 }
8167 else if (streq(p[0], "extra-certs") && p[1] && !p[2])
8168 {
8169 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8170 options->extra_certs_file = p[1];
8171 options->extra_certs_file_inline = is_inline;
8172 }
8173 else if ((streq(p[0], "verify-hash") && p[1] && !p[3])
8174 || (streq(p[0], "peer-fingerprint") && p[1] && !p[2]))
8175 {
8176 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8177
8178 int verify_hash_depth = 0;
8179 if (streq(p[0], "verify-hash"))
8180 {
8181 msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8182 "You should switch to the either use the level 1 certificate as "
8183 "--ca option, use --tls-verify or use --peer-fingerprint");
8184 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8185 verify_hash_depth = 1;
8186 }
8187
8188 options->verify_hash_algo = MD_SHA256;
8189
8190 int digest_len = SHA256_DIGEST_LENGTH;
8191
8192 if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
8193 {
8194 msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
8195 " --peer-fingerprint are mutually exclusive", p[0]);
8196 goto err;
8197 }
8198
8199 if (streq(p[0], "verify-hash"))
8200 {
8201 if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1")))
8202 {
8203 options->verify_hash_algo = MD_SHA1;
8204 digest_len = SHA_DIGEST_LENGTH;
8205 }
8206 else if (p[2] && !streq(p[2], "SHA256"))
8207 {
8208 msg(msglevel, "invalid or unsupported hashing algorithm: %s "
8209 "(only SHA1 and SHA256 are supported)", p[2]);
8210 goto err;
8211 }
8212 }
8213
8214 struct verify_hash_list *newlist;
8215 newlist = parse_hash_fingerprint_multiline(p[1], digest_len,
8216 msglevel, &options->gc);
8217
8218 /* Append the new list to the end of our current list */
8219 if (!options->verify_hash)
8220 {
8221 options->verify_hash = newlist;
8222 options->verify_hash_depth = verify_hash_depth;
8223 }
8224 else
8225 {
8226 /* since both the old and new list can have multiple entries
8227 * we need to go to the end of one of them to concatenate them */
8228 struct verify_hash_list *listend = options->verify_hash;
8229 while (listend->next)
8230 {
8231 listend = listend->next;
8232 }
8233 listend->next = newlist;
8234 }
8235 }
8236 #ifdef ENABLE_CRYPTOAPI
8237 else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
8238 {
8239 VERIFY_PERMISSION(OPT_P_GENERAL);
8240 options->cryptoapi_cert = p[1];
8241 }
8242 #endif
8243 else if (streq(p[0], "key") && p[1] && !p[2])
8244 {
8245 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8246 options->priv_key_file = p[1];
8247 options->priv_key_file_inline = is_inline;
8248 }
8249 else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
8250 {
8251 int ver;
8252 VERIFY_PERMISSION(OPT_P_GENERAL);
8253 ver = tls_version_parse(p[1], p[2]);
8254 if (ver == TLS_VER_BAD)
8255 {
8256 msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
8257 goto err;
8258 }
8259 options->ssl_flags &=
8260 ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
8261 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
8262 }
8263 else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
8264 {
8265 int ver;
8266 VERIFY_PERMISSION(OPT_P_GENERAL);
8267 ver = tls_version_parse(p[1], NULL);
8268 if (ver == TLS_VER_BAD)
8269 {
8270 msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
8271 goto err;
8272 }
8273 options->ssl_flags &=
8274 ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
8275 options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
8276 }
8277 #ifndef ENABLE_CRYPTO_MBEDTLS
8278 else if (streq(p[0], "pkcs12") && p[1] && !p[2])
8279 {
8280 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8281 options->pkcs12_file = p[1];
8282 options->pkcs12_file_inline = is_inline;
8283 }
8284 #endif /* ENABLE_CRYPTO_MBEDTLS */
8285 else if (streq(p[0], "askpass") && !p[2])
8286 {
8287 VERIFY_PERMISSION(OPT_P_GENERAL);
8288 if (p[1])
8289 {
8290 options->key_pass_file = p[1];
8291 }
8292 else
8293 {
8294 options->key_pass_file = "stdin";
8295 }
8296 }
8297 else if (streq(p[0], "auth-nocache") && !p[1])
8298 {
8299 VERIFY_PERMISSION(OPT_P_GENERAL);
8300 ssl_set_auth_nocache();
8301 }
8302 else if (streq(p[0], "auth-token") && p[1] && !p[2])
8303 {
8304 VERIFY_PERMISSION(OPT_P_ECHO);
8305 ssl_set_auth_token(p[1]);
8306 #ifdef ENABLE_MANAGEMENT
8307 if (management)
8308 {
8309 management_auth_token(management, p[1]);
8310 }
8311 #endif
8312 }
8313 else if (streq(p[0], "single-session") && !p[1])
8314 {
8315 VERIFY_PERMISSION(OPT_P_GENERAL);
8316 options->single_session = true;
8317 }
8318 else if (streq(p[0], "push-peer-info") && !p[1])
8319 {
8320 VERIFY_PERMISSION(OPT_P_GENERAL);
8321 options->push_peer_info = true;
8322 }
8323 else if (streq(p[0], "tls-exit") && !p[1])
8324 {
8325 VERIFY_PERMISSION(OPT_P_GENERAL);
8326 options->tls_exit = true;
8327 }
8328 else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
8329 {
8330 VERIFY_PERMISSION(OPT_P_GENERAL);
8331 options->cipher_list = p[1];
8332 }
8333 else if (streq(p[0], "tls-cert-profile") && p[1] && !p[2])
8334 {
8335 VERIFY_PERMISSION(OPT_P_GENERAL);
8336 options->tls_cert_profile = p[1];
8337 }
8338 else if (streq(p[0], "tls-ciphersuites") && p[1] && !p[2])
8339 {
8340 VERIFY_PERMISSION(OPT_P_GENERAL);
8341 options->cipher_list_tls13 = p[1];
8342 }
8343 else if (streq(p[0], "tls-groups") && p[1] && !p[2])
8344 {
8345 VERIFY_PERMISSION(OPT_P_GENERAL);
8346 options->tls_groups = p[1];
8347 }
8348 else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
8349 || !p[2]))
8350 {
8351 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE);
8352 if (p[2] && streq(p[2], "dir"))
8353 {
8354 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
8355 }
8356 options->crl_file = p[1];
8357 options->crl_file_inline = is_inline;
8358 }
8359 else if (streq(p[0], "tls-verify") && p[1])
8360 {
8361 VERIFY_PERMISSION(OPT_P_SCRIPT);
8362 if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
8363 {
8364 goto err;
8365 }
8366 set_user_script(options, &options->tls_verify,
8367 string_substitute(p[1], ',', ' ', &options->gc),
8368 "tls-verify", true);
8369 }
8370 #ifndef ENABLE_CRYPTO_MBEDTLS
8371 else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
8372 {
8373 VERIFY_PERMISSION(OPT_P_GENERAL);
8374 options->tls_export_cert = p[1];
8375 }
8376 #endif
8377 else if (streq(p[0], "compat-names"))
8378 {
8379 VERIFY_PERMISSION(OPT_P_GENERAL);
8380 msg(msglevel, "--compat-names was removed in OpenVPN 2.5. "
8381 "Update your configuration.");
8382 goto err;
8383 }
8384 else if (streq(p[0], "no-name-remapping") && !p[1])
8385 {
8386 VERIFY_PERMISSION(OPT_P_GENERAL);
8387 msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. "
8388 "Update your configuration.");
8389 goto err;
8390 }
8391 else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
8392 {
8393 int type = VERIFY_X509_SUBJECT_DN;
8394 VERIFY_PERMISSION(OPT_P_GENERAL);
8395 if (p[2])
8396 {
8397 if (streq(p[2], "subject"))
8398 {
8399 type = VERIFY_X509_SUBJECT_DN;
8400 }
8401 else if (streq(p[2], "name"))
8402 {
8403 type = VERIFY_X509_SUBJECT_RDN;
8404 }
8405 else if (streq(p[2], "name-prefix"))
8406 {
8407 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
8408 }
8409 else
8410 {
8411 msg(msglevel, "unknown X.509 name type: %s", p[2]);
8412 goto err;
8413 }
8414 }
8415 options->verify_x509_type = type;
8416 options->verify_x509_name = p[1];
8417 }
8418 else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
8419 {
8420 VERIFY_PERMISSION(OPT_P_GENERAL);
8421 if (streq(p[1], "server"))
8422 {
8423 options->ns_cert_type = NS_CERT_CHECK_SERVER;
8424 }
8425 else if (streq(p[1], "client"))
8426 {
8427 options->ns_cert_type = NS_CERT_CHECK_CLIENT;
8428 }
8429 else
8430 {
8431 msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
8432 goto err;
8433 }
8434 }
8435 else if (streq(p[0], "remote-cert-ku"))
8436 {
8437 VERIFY_PERMISSION(OPT_P_GENERAL);
8438
8439 size_t j;
8440 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
8441 {
8442 sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
8443 }
8444 if (j == 1)
8445 {
8446 /* No specific KU required, but require KU to be present */
8447 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8448 }
8449 }
8450 else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
8451 {
8452 VERIFY_PERMISSION(OPT_P_GENERAL);
8453 options->remote_cert_eku = p[1];
8454 }
8455 else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
8456 {
8457 VERIFY_PERMISSION(OPT_P_GENERAL);
8458
8459 if (streq(p[1], "server"))
8460 {
8461 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8462 options->remote_cert_eku = "TLS Web Server Authentication";
8463 }
8464 else if (streq(p[1], "client"))
8465 {
8466 options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
8467 options->remote_cert_eku = "TLS Web Client Authentication";
8468 }
8469 else
8470 {
8471 msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
8472 goto err;
8473 }
8474 }
8475 else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
8476 {
8477 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8478 options->tls_timeout = positive_atoi(p[1]);
8479 }
8480 else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
8481 {
8482 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8483 options->renegotiate_bytes = positive_atoi(p[1]);
8484 }
8485 else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
8486 {
8487 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8488 options->renegotiate_packets = positive_atoi(p[1]);
8489 }
8490 else if (streq(p[0], "reneg-sec") && p[1] && !p[3])
8491 {
8492 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8493 options->renegotiate_seconds = positive_atoi(p[1]);
8494 if (p[2])
8495 {
8496 options->renegotiate_seconds_min = positive_atoi(p[2]);
8497 }
8498 }
8499 else if (streq(p[0], "hand-window") && p[1] && !p[2])
8500 {
8501 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8502 options->handshake_window = positive_atoi(p[1]);
8503 }
8504 else if (streq(p[0], "tran-window") && p[1] && !p[2])
8505 {
8506 VERIFY_PERMISSION(OPT_P_TLS_PARMS);
8507 options->transition_window = positive_atoi(p[1]);
8508 }
8509 else if (streq(p[0], "tls-auth") && p[1] && !p[3])
8510 {
8511 int key_direction = -1;
8512
8513 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
8514
8515 if (permission_mask & OPT_P_GENERAL)
8516 {
8517 options->tls_auth_file = p[1];
8518 options->tls_auth_file_inline = is_inline;
8519
8520 if (!is_inline && p[2])
8521 {
8522 key_direction = ascii2keydirection(msglevel, p[2]);
8523 if (key_direction < 0)
8524 {
8525 goto err;
8526 }
8527 options->key_direction = key_direction;
8528 }
8529
8530 }
8531 else if (permission_mask & OPT_P_CONNECTION)
8532 {
8533 options->ce.tls_auth_file = p[1];
8534 options->ce.tls_auth_file_inline = is_inline;
8535 options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL;
8536
8537 if (!is_inline && p[2])
8538 {
8539 key_direction = ascii2keydirection(msglevel, p[2]);
8540 if (key_direction < 0)
8541 {
8542 goto err;
8543 }
8544 options->ce.key_direction = key_direction;
8545 }
8546 }
8547 }
8548 else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
8549 {
8550 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
8551 if (permission_mask & OPT_P_GENERAL)
8552 {
8553 options->tls_crypt_file = p[1];
8554 options->tls_crypt_file_inline = is_inline;
8555 }
8556 else if (permission_mask & OPT_P_CONNECTION)
8557 {
8558 options->ce.tls_crypt_file = p[1];
8559 options->ce.tls_crypt_file_inline = is_inline;
8560 }
8561 }
8562 else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3])
8563 {
8564 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE);
8565 if (permission_mask & OPT_P_GENERAL)
8566 {
8567 options->tls_crypt_v2_file = p[1];
8568 options->tls_crypt_v2_file_inline = is_inline;
8569 }
8570 else if (permission_mask & OPT_P_CONNECTION)
8571 {
8572 options->ce.tls_crypt_v2_file = p[1];
8573 options->ce.tls_crypt_v2_file_inline = is_inline;
8574 }
8575 }
8576 else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2])
8577 {
8578 VERIFY_PERMISSION(OPT_P_GENERAL);
8579 options->tls_crypt_v2_verify_script = p[1];
8580 }
8581 else if (streq(p[0], "x509-track") && p[1] && !p[2])
8582 {
8583 VERIFY_PERMISSION(OPT_P_GENERAL);
8584 x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
8585 }
8586 #ifdef ENABLE_X509ALTUSERNAME
8587 else if (streq(p[0], "x509-username-field") && p[1])
8588 {
8589 /* This option used to automatically upcase the fieldnames passed as the
8590 * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is
8591 * fine-tuned by only upcasing Subject field attribute names which consist
8592 * of all lower-case characters. Mixed-case attributes such as
8593 * "emailAddress" are left as-is. An option parameter having the "ext:"
8594 * prefix for matching X.509v3 extended fields will also remain unchanged.
8595 */
8596 VERIFY_PERMISSION(OPT_P_GENERAL);
8597 for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
8598 {
8599 char *s = p[j];
8600
8601 if (strncmp("ext:", s, 4) != 0)
8602 {
8603 size_t i = 0;
8604 while (s[i] && !isupper(s[i]))
8605 {
8606 i++;
8607 }
8608 if (strlen(s) == i)
8609 {
8610 while ((*s = toupper(*s)) != '\0')
8611 {
8612 s++;
8613 }
8614 msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
8615 "--x509-username-field parameter to '%s'; please update your"
8616 "configuration", p[j]);
8617 }
8618 }
8619 else if (!x509_username_field_ext_supported(s+4))
8620 {
8621 msg(msglevel, "Unsupported x509-username-field extension: %s", s);
8622 }
8623 options->x509_username_field[j-1] = p[j];
8624 }
8625 }
8626 #endif /* ENABLE_X509ALTUSERNAME */
8627 #ifdef ENABLE_PKCS11
8628 else if (streq(p[0], "show-pkcs11-ids") && !p[3])
8629 {
8630 char *provider = p[1];
8631 bool cert_private = (p[2] == NULL ? false : ( atoi(p[2]) != 0 ));
8632
8633 #ifdef DEFAULT_PKCS11_MODULE
8634 if (!provider)
8635 {
8636 provider = DEFAULT_PKCS11_MODULE;
8637 }
8638 else if (!p[2])
8639 {
8640 char *endp = NULL;
8641 int i = strtol(provider, &endp, 10);
8642
8643 if (*endp == 0)
8644 {
8645 /* There was one argument, and it was purely numeric.
8646 * Interpret it as the cert_private argument */
8647 provider = DEFAULT_PKCS11_MODULE;
8648 cert_private = i;
8649 }
8650 }
8651 #else /* ifdef DEFAULT_PKCS11_MODULE */
8652 if (!provider)
8653 {
8654 msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
8655 goto err;
8656 }
8657 #endif /* ifdef DEFAULT_PKCS11_MODULE */
8658 VERIFY_PERMISSION(OPT_P_GENERAL);
8659
8660 set_debug_level(options->verbosity, SDL_CONSTRAIN);
8661 show_pkcs11_ids(provider, cert_private);
8662 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
8663 }
8664 else if (streq(p[0], "pkcs11-providers") && p[1])
8665 {
8666 int j;
8667
8668 VERIFY_PERMISSION(OPT_P_GENERAL);
8669
8670 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
8671 {
8672 options->pkcs11_providers[j-1] = p[j];
8673 }
8674 }
8675 else if (streq(p[0], "pkcs11-protected-authentication"))
8676 {
8677 int j;
8678
8679 VERIFY_PERMISSION(OPT_P_GENERAL);
8680
8681 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
8682 {
8683 options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0;
8684 }
8685 }
8686 else if (streq(p[0], "pkcs11-private-mode") && p[1])
8687 {
8688 int j;
8689
8690 VERIFY_PERMISSION(OPT_P_GENERAL);
8691
8692 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
8693 {
8694 sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
8695 }
8696 }
8697 else if (streq(p[0], "pkcs11-cert-private"))
8698 {
8699 int j;
8700
8701 VERIFY_PERMISSION(OPT_P_GENERAL);
8702
8703 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
8704 {
8705 options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
8706 }
8707 }
8708 else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
8709 {
8710 VERIFY_PERMISSION(OPT_P_GENERAL);
8711 options->pkcs11_pin_cache_period = atoi(p[1]);
8712 }
8713 else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
8714 {
8715 VERIFY_PERMISSION(OPT_P_GENERAL);
8716 options->pkcs11_id = p[1];
8717 }
8718 else if (streq(p[0], "pkcs11-id-management") && !p[1])
8719 {
8720 VERIFY_PERMISSION(OPT_P_GENERAL);
8721 options->pkcs11_id_management = true;
8722 }
8723 #endif /* ifdef ENABLE_PKCS11 */
8724 else if (streq(p[0], "rmtun") && !p[1])
8725 {
8726 VERIFY_PERMISSION(OPT_P_GENERAL);
8727 options->persist_config = true;
8728 options->persist_mode = 0;
8729 }
8730 else if (streq(p[0], "mktun") && !p[1])
8731 {
8732 VERIFY_PERMISSION(OPT_P_GENERAL);
8733 options->persist_config = true;
8734 options->persist_mode = 1;
8735 }
8736 else if (streq(p[0], "peer-id") && p[1] && !p[2])
8737 {
8738 VERIFY_PERMISSION(OPT_P_PEER_ID);
8739 options->use_peer_id = true;
8740 options->peer_id = atoi(p[1]);
8741 }
8742 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8743 else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
8744 {
8745 int ekm_length = positive_atoi(p[2]);
8746
8747 VERIFY_PERMISSION(OPT_P_GENERAL);
8748
8749 if (strncmp(p[1], "EXPORTER", 8))
8750 {
8751 msg(msglevel, "Keying material exporter label must begin with "
8752 "\"EXPORTER\"");
8753 goto err;
8754 }
8755 if (streq(p[1], EXPORT_KEY_DATA_LABEL))
8756 {
8757 msg(msglevel, "Keying material exporter label must not be '"
8758 EXPORT_KEY_DATA_LABEL "'.");
8759 }
8760 if (ekm_length < 16 || ekm_length > 4095)
8761 {
8762 msg(msglevel, "Invalid keying material exporter length");
8763 goto err;
8764 }
8765
8766 options->keying_material_exporter_label = p[1];
8767 options->keying_material_exporter_length = ekm_length;
8768 }
8769 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
8770 else if (streq(p[0], "allow-recursive-routing") && !p[1])
8771 {
8772 VERIFY_PERMISSION(OPT_P_GENERAL);
8773 options->allow_recursive_routing = true;
8774 }
8775 else if (streq(p[0], "vlan-tagging") && !p[1])
8776 {
8777 VERIFY_PERMISSION(OPT_P_GENERAL);
8778 options->vlan_tagging = true;
8779 }
8780 else if (streq(p[0], "vlan-accept") && p[1] && !p[2])
8781 {
8782 VERIFY_PERMISSION(OPT_P_GENERAL);
8783 if (streq(p[1], "tagged"))
8784 {
8785 options->vlan_accept = VLAN_ONLY_TAGGED;
8786 }
8787 else if (streq(p[1], "untagged"))
8788 {
8789 options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY;
8790 }
8791 else if (streq(p[1], "all"))
8792 {
8793 options->vlan_accept = VLAN_ALL;
8794 }
8795 else
8796 {
8797 msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
8798 goto err;
8799 }
8800 }
8801 else if (streq(p[0], "vlan-pvid") && p[1] && !p[2])
8802 {
8803 VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
8804 options->vlan_pvid = positive_atoi(p[1]);
8805 if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID
8806 || options->vlan_pvid > OPENVPN_8021Q_MAX_VID)
8807 {
8808 msg(msglevel,
8809 "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
8810 OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID);
8811 goto err;
8812 }
8813 }
8814 else
8815 {
8816 int i;
8817 int msglevel = msglevel_fc;
8818 /* Check if an option is in --ignore-unknown-option and
8819 * set warning level to non fatal */
8820 for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
8821 {
8822 if (streq(p[0], options->ignore_unknown_option[i]))
8823 {
8824 msglevel = M_WARN;
8825 break;
8826 }
8827 }
8828 if (file)
8829 {
8830 msg(msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
8831 }
8832 else
8833 {
8834 msg(msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
8835 }
8836 }
8837 err:
8838 gc_free(&gc);
8839 }
8840