search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Upgrade to OpenVPN 2.1.0
[tomato.git] / release / src / router / openvpn / options.c
blobc5ca8b67d5c3ebbf41b58f05b105bc97692e9e66
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 /*
26 * 2004-01-28: Added Socks5 proxy support
27 * (Christof Meerwald, http://cmeerw.org)
28 */
29
30 #include "syshead.h"
31
32 #include "buffer.h"
33 #include "error.h"
34 #include "common.h"
35 #include "shaper.h"
36 #include "crypto.h"
37 #include "ssl.h"
38 #include "options.h"
39 #include "misc.h"
40 #include "socket.h"
41 #include "packet_id.h"
42 #include "pkcs11.h"
43 #include "win32.h"
44 #include "push.h"
45 #include "pool.h"
46 #include "helper.h"
47 #include "manage.h"
48
49 #include "memdbg.h"
50
51 const char title_string[] =
52 PACKAGE_STRING
53 " " TARGET_ALIAS
54 #ifdef USE_CRYPTO
55 #ifdef USE_SSL
56 " [SSL]"
57 #else
58 " [CRYPTO]"
59 #endif
60 #endif
61 #ifdef USE_LZO
62 " [LZO" LZO_VERSION_NUM "]"
63 #endif
64 #if EPOLL
65 " [EPOLL]"
66 #endif
67 #ifdef PRODUCT_TAP_DEBUG
68 " [TAPDBG]"
69 #endif
70 #ifdef USE_PTHREAD
71 " [PTHREAD]"
72 #endif
73 #ifdef ENABLE_PKCS11
74 " [PKCS11]"
75 #endif
76 " built on " __DATE__
77 ;
78
79 #ifndef ENABLE_SMALL
80
81 static const char usage_message[] =
82 "%s\n"
83 "\n"
84 "General Options:\n"
85 "--config file : Read configuration options from file.\n"
86 "--help : Show options.\n"
87 "--version : Show copyright and version information.\n"
88 "\n"
89 "Tunnel Options:\n"
90 "--local host : Local host name or ip address. Implies --bind.\n"
91 "--remote host [port] : Remote host name or ip address.\n"
92 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
93 "--remote-random-hostname : Add a random string to remote DNS name.\n"
94 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
95 "--proto p : Use protocol p for communicating with peer.\n"
96 " p = udp (default), tcp-server, or tcp-client\n"
97 "--connect-retry n : For --proto tcp-client, number of seconds to wait\n"
98 " between connection retries (default=%d).\n"
99 "--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).\n"
100 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
101 #ifdef GENERAL_PROXY_SUPPORT
102 "--auto-proxy : Try to sense proxy settings (or lack thereof) automatically.\n"
103 #endif
104 #ifdef ENABLE_HTTP_PROXY
105 "--http-proxy s p [up] [auth] : Connect to remote host\n"
106 " through an HTTP proxy at address s and port p.\n"
107 " If proxy authentication is required,\n"
108 " up is a file containing username/password on 2 lines, or\n"
109 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
110 " the proxy requires NTLM authentication.\n"
111 "--http-proxy s p 'auto': Like the above directive, but automatically determine\n"
112 " auth method and query for username/password if needed.\n"
113 "--http-proxy-retry : Retry indefinitely on HTTP proxy errors.\n"
114 "--http-proxy-timeout n : Proxy timeout in seconds, default=5.\n"
115 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
116 " Repeat to set multiple options.\n"
117 " VERSION version (default=1.0)\n"
118 " AGENT user-agent\n"
119 #endif
120 #ifdef ENABLE_SOCKS
121 "--socks-proxy s [p]: Connect to remote host through a Socks5 proxy at address\n"
122 " s and port p (default port = 1080).\n"
123 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
124 #endif
125 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
126 " resolve for n seconds before failing (disabled by default).\n"
127 " Set n=\"infinite\" to retry indefinitely.\n"
128 "--float : Allow remote to change its IP address/port, such as through\n"
129 " DHCP (this is the default if --remote is not used).\n"
130 "--ipchange cmd : Execute shell command cmd on remote ip address initial\n"
131 " setting or change -- execute as: cmd ip-address port#\n"
132 "--port port : TCP/UDP port # for both local and remote.\n"
133 "--lport port : TCP/UDP port # for local (default=%d). Implies --bind.\n"
134 "--rport port : TCP/UDP port # for remote (default=%d).\n"
135 "--bind : Bind to local address and port. (This is the default unless\n"
136 " --proto tcp-client"
137 #ifdef ENABLE_HTTP_PROXY
138 " or --http-proxy"
139 #endif
140 #ifdef ENABLE_SOCKS
141 " or --socks-proxy"
142 #endif
143 " is used).\n"
144 "--nobind : Do not bind to local address and port.\n"
145 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
146 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
147 " this option only if the tun/tap device used with --dev\n"
148 " does not begin with \"tun\" or \"tap\".\n"
149 "--dev-node node : Explicitly set the device node rather than using\n"
150 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
151 "--lladdr hw : Set the link layer address of the tap device.\n"
152 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
153 "--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic.\n"
154 #ifdef CONFIG_FEATURE_IPROUTE
155 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
156 #endif
157 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
158 " endpoint and rn as a remote endpoint. l & rn should be\n"
159 " swapped on the other peer. l & rn must be private\n"
160 " addresses outside of the subnets used by either peer.\n"
161 " TAP: configure device to use IP address l as a local\n"
162 " endpoint and rn as a subnet mask.\n"
163 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
164 " pass --ifconfig parms by environment to scripts.\n"
165 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
166 " connection doesn't match the remote side.\n"
167 "--route network [netmask] [gateway] [metric] :\n"
168 " Add route to routing table after connection\n"
169 " is established. Multiple routes can be specified.\n"
170 " netmask default: 255.255.255.255\n"
171 " gateway default: taken from --route-gateway or --ifconfig\n"
172 " Specify default by leaving blank or setting to \"nil\".\n"
173 "--max-routes n : Specify the maximum number of routes that may be defined\n"
174 " or pulled from a server.\n"
175 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
176 "--route-metric m : Specify a default metric for use with --route.\n"
177 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
178 " adding routes (may be 0). If not specified, routes will\n"
179 " be added immediately after tun/tap open. On Windows, wait\n"
180 " up to w seconds for TUN/TAP adapter to come up.\n"
181 "--route-up cmd : Execute shell cmd after routes are added.\n"
182 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
183 " --route-up script using environmental variables.\n"
184 "--route-nopull : When used with --client or --pull, accept options pushed\n"
185 " by server EXCEPT for routes.\n"
186 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
187 " --ifconfig, --route, and --route-gateway.\n"
188 "--redirect-gateway [flags]: Automatically execute routing\n"
189 " commands to redirect all outgoing IP traffic through the\n"
190 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
191 " connected via a common subnet, such as with WiFi.\n"
192 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
193 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
194 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
195 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
196 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
197 " the default gateway. Useful when pushing private subnets.\n"
198 "--setenv name value : Set a custom environmental variable to pass to script.\n"
199 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
200 " directives for future OpenVPN versions to be ignored.\n"
201 "--script-security level mode : mode='execve' (default) or 'system', level=\n"
202 " 0 -- strictly no calling of external programs\n"
203 " 1 -- (default) only call built-ins such as ifconfig\n"
204 " 2 -- allow calling of built-ins and scripts\n"
205 " 3 -- allow password to be passed to scripts via env\n"
206 "--shaper n : Restrict output to peer to n bytes per second.\n"
207 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
208 " ping once every n seconds, restart if ping not received\n"
209 " for m seconds.\n"
210 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
211 " produces a combined in/out byte count < bytes.\n"
212 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
213 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
214 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
215 " remote address.\n"
216 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
217 #if ENABLE_IP_PKTINFO
218 "--multihome : Configure a multi-homed UDP server.\n"
219 #endif
220 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
221 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
222 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
223 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
224 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
225 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
226 #if PASSTOS_CAPABILITY
227 "--passtos : TOS passthrough (applies to IPv4 only).\n"
228 #endif
229 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
230 " TCP/UDP MTU from it (default=%d).\n"
231 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
232 " as n bytes more than the tun-mtu size on read\n"
233 " (default TUN=0 TAP=%d).\n"
234 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
235 " from it.\n"
236 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
237 " 'no' -- Never send DF (Don't Fragment) frames\n"
238 " 'maybe' -- Use per-route hints\n"
239 " 'yes' -- Always DF (Don't Fragment)\n"
240 #ifdef ENABLE_OCC
241 "--mtu-test : Empirically measure and report MTU.\n"
242 #endif
243 #ifdef ENABLE_FRAGMENT
244 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
245 " datagrams are sent which are larger than max bytes.\n"
246 " Adds 4 bytes of overhead per datagram.\n"
247 #endif
248 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
249 " or --fragment max value, whichever is lower.\n"
250 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
251 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
252 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
253 "--mlock : Disable Paging -- ensures key material and tunnel\n"
254 " data will never be written to disk.\n"
255 "--up cmd : Shell cmd to execute after successful tun device open.\n"
256 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
257 " ifconfig-local-ip ifconfig-remote-ip\n"
258 " (pre --user or --group UID/GID change)\n"
259 "--up-delay : Delay tun/tap open and possible --up script execution\n"
260 " until after TCP/UDP connection establishment with peer.\n"
261 "--down cmd : Shell cmd to run after tun device close.\n"
262 " (post --user/--group UID/GID change and/or --chroot)\n"
263 " (script parameters are same as --up option)\n"
264 "--down-pre : Call --down cmd/script before TUN/TAP close.\n"
265 "--up-restart : Run up/down scripts for all restarts including those\n"
266 " caused by --ping-restart or SIGUSR1\n"
267 "--user user : Set UID to user after initialization.\n"
268 "--group group : Set GID to group after initialization.\n"
269 "--chroot dir : Chroot to this directory after initialization.\n"
270 #ifdef HAVE_SETCON
271 "--setcon context: Apply this SELinux context after initialization.\n"
272 #endif
273 "--cd dir : Change to this directory before initialization.\n"
274 "--daemon [name] : Become a daemon after initialization.\n"
275 " The optional 'name' parameter will be passed\n"
276 " as the program name to the system logger.\n"
277 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
278 " See --daemon above for a description of the 'name' parm.\n"
279 "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
280 " See --daemon above for a description of the 'name' parm.\n"
281 "--log file : Output log to file which is created/truncated on open.\n"
282 "--log-append file : Append log to file, or create file if nonexistent.\n"
283 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
284 "--writepid file : Write main process ID to file.\n"
285 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
286 #if 0
287 #ifdef USE_PTHREAD
288 "--nice-work n : Change thread priority of work thread. The work\n"
289 " thread is used for background processing such as\n"
290 " RSA key number crunching.\n"
291 #endif
292 #endif
293 "--echo [parms ...] : Echo parameters to log output.\n"
294 "--verb n : Set output verbosity to n (default=%d):\n"
295 " (Level 3 is recommended if you want a good summary\n"
296 " of what's happening without being swamped by output).\n"
297 " : 0 -- no output except fatal errors\n"
298 " : 1 -- startup info + connection initiated messages +\n"
299 " non-fatal encryption & net errors\n"
300 " : 2,3 -- show TLS negotiations & route info\n"
301 " : 4 -- show parameters\n"
302 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
303 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
304 " : 6 to 11 -- debug messages of increasing verbosity\n"
305 "--mute n : Log at most n consecutive messages in the same category.\n"
306 "--status file n : Write operational status to file every n seconds.\n"
307 "--status-version [n] : Choose the status file format version number.\n"
308 " Currently, n can be 1, 2, or 3 (default=1).\n"
309 #ifdef ENABLE_OCC
310 "--disable-occ : Disable options consistency check between peers.\n"
311 #endif
312 #ifdef ENABLE_DEBUG
313 "--gremlin mask : Special stress testing mode (for debugging only).\n"
314 #endif
315 #ifdef USE_LZO
316 "--comp-lzo : Use fast LZO compression -- may add up to 1 byte per\n"
317 " packet for uncompressible data.\n"
318 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
319 " is specified.\n"
320 #endif
321 #ifdef ENABLE_MANAGEMENT
322 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
323 " management functions. pass is a password file\n"
324 " or 'stdin' to prompt from console.\n"
325 #if UNIX_SOCK_SUPPORT
326 " To listen on a unix domain socket, specific the pathname\n"
327 " in place of ip and use 'unix' as the port number.\n"
328 #endif
329 "--management-client : Management interface will connect as a TCP client to\n"
330 " ip/port rather than listen as a TCP server.\n"
331 "--management-query-passwords : Query management channel for private key\n"
332 " and auth-user-pass passwords.\n"
333 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
334 " of the management interface explicitly starts it.\n"
335 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
336 "--management-forget-disconnect : Forget passwords when management disconnect\n"
337 " event occurs.\n"
338 "--management-log-cache n : Cache n lines of log file history for usage\n"
339 " by the management channel.\n"
340 #if UNIX_SOCK_SUPPORT
341 "--management-client-user u : When management interface is a unix socket, only\n"
342 " allow connections from user u.\n"
343 "--management-client-group g : When management interface is a unix socket, only\n"
344 " allow connections from group g.\n"
345 #endif
346 #ifdef MANAGEMENT_DEF_AUTH
347 "--management-client-auth : gives management interface client the responsibility\n"
348 " to authenticate clients after their client certificate\n"
349 " has been verified.\n"
350 #endif
351 #ifdef MANAGEMENT_PF
352 "--management-client-pf : management interface clients must specify a packet\n"
353 " filter file for each connecting client.\n"
354 #endif
355 #endif
356 #ifdef ENABLE_PLUGIN
357 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
358 " to its initialization function.\n"
359 #endif
360 #if P2MP
361 #if P2MP_SERVER
362 "\n"
363 "Multi-Client Server options (when --mode server is used):\n"
364 "--server network netmask : Helper option to easily configure server mode.\n"
365 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
366 " easily configure ethernet bridging server mode.\n"
367 "--push \"option\" : Push a config file option back to the peer for remote\n"
368 " execution. Peer must specify --pull in its config file.\n"
369 "--push-reset : Don't inherit global push list for specific\n"
370 " client instance.\n"
371 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
372 " to be dynamically allocated to connecting clients.\n"
373 "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
374 " in tun mode. Not compatible with Windows clients.\n"
375 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
376 " data to file, at seconds intervals (default=600).\n"
377 " If seconds=0, file will be treated as read-only.\n"
378 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
379 " overrides --ifconfig-pool dynamic allocation.\n"
380 " Only valid in a client-specific config file.\n"
381 "--iroute network [netmask] : Route subnet to client.\n"
382 " Sets up internal routes only.\n"
383 " Only valid in a client-specific config file.\n"
384 "--disable : Client is disabled.\n"
385 " Only valid in a client-specific config file.\n"
386 "--client-cert-not-required : Don't require client certificate, client\n"
387 " will authenticate using username/password.\n"
388 "--username-as-common-name : For auth-user-pass authentication, use\n"
389 " the authenticated username as the common name,\n"
390 " rather than the common name from the client cert.\n"
391 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
392 " run script cmd to verify. If method='via-env', pass\n"
393 " user/pass via environment, if method='via-file', pass\n"
394 " user/pass via temporary file.\n"
395 "--opt-verify : Clients that connect with options that are incompatible\n"
396 " with those of the server will be disconnected.\n"
397 "--auth-user-pass-optional : Allow connections by clients that don't\n"
398 " specify a username/password.\n"
399 "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
400 " any printable character.\n"
401 "--client-to-client : Internally route client-to-client traffic.\n"
402 "--duplicate-cn : Allow multiple clients with the same common name to\n"
403 " concurrently connect.\n"
404 "--client-connect cmd : Run script cmd on client connection.\n"
405 "--client-disconnect cmd : Run script cmd on client disconnection.\n"
406 "--client-config-dir dir : Directory for custom client config files.\n"
407 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
408 "--tmp-dir dir : Temporary directory, used for --client-connect return file.\n"
409 "--hash-size r v : Set the size of the real address hash table to r and the\n"
410 " virtual address table to v.\n"
411 "--bcast-buffers n : Allocate n broadcast buffers.\n"
412 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
413 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
414 " as well as pushes it to connecting clients.\n"
415 "--learn-address cmd : Run script cmd to validate client virtual addresses.\n"
416 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
417 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
418 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
419 #if PORT_SHARE
420 "--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions\n"
421 " to a web server at host:port.\n"
422 #endif
423 #endif
424 "\n"
425 "Client options (when connecting to a multi-client server):\n"
426 "--client : Helper option to easily configure client mode.\n"
427 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
428 " up is a file containing username/password on 2 lines,\n"
429 " or omit to prompt from console.\n"
430 "--pull : Accept certain config file options from the peer as if they\n"
431 " were part of the local config file. Must be specified\n"
432 " when connecting to a '--mode server' remote host.\n"
433 "--auth-retry t : How to handle auth failures. Set t to\n"
434 " none (default), interact, or nointeract.\n"
435 "--server-poll-timeout n : when polling possible remote servers to connect to\n"
436 " in a round-robin fashion, spend no more than n seconds\n"
437 " waiting for a response before trying the next server.\n"
438 #endif
439 #ifdef ENABLE_OCC
440 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
441 " server/remote. n = # of retries, default=1.\n"
442 #endif
443 #ifdef USE_CRYPTO
444 "\n"
445 "Data Channel Encryption Options (must be compatible between peers):\n"
446 "(These options are meaningful for both Static Key & TLS-mode)\n"
447 "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
448 " Use shared secret file f, generate with --genkey.\n"
449 " The optional d parameter controls key directionality.\n"
450 " If d is specified, use separate keys for each\n"
451 " direction, set d=0 on one side of the connection,\n"
452 " and d=1 on the other side.\n"
453 "--auth alg : Authenticate packets with HMAC using message\n"
454 " digest algorithm alg (default=%s).\n"
455 " (usually adds 16 or 20 bytes per packet)\n"
456 " Set alg=none to disable authentication.\n"
457 "--cipher alg : Encrypt packets with cipher algorithm alg\n"
458 " (default=%s).\n"
459 " Set alg=none to disable encryption.\n"
460 "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
461 " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
462 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
463 "--keysize n : Size of cipher key in bits (optional).\n"
464 " If unspecified, defaults to cipher-specific default.\n"
465 #endif
466 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
467 "--no-replay : Disable replay protection.\n"
468 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
469 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
470 " and a time window of t seconds.\n"
471 " Default n=%d t=%d\n"
472 "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n"
473 "--replay-persist file : Persist replay-protection state across sessions\n"
474 " using file.\n"
475 "--test-crypto : Run a self-test of crypto features enabled.\n"
476 " For debugging only.\n"
477 #ifdef USE_SSL
478 "\n"
479 "TLS Key Negotiation Options:\n"
480 "(These options are meaningful only for TLS-mode)\n"
481 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
482 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
483 "--key-method m : Data channel key exchange method. m should be a method\n"
484 " number, such as 1 (default), 2, etc.\n"
485 "--ca file : Certificate authority file in .pem format containing\n"
486 " root certificate.\n"
487 "--capath dir : A directory of trusted certificates (CAs"
488 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
489 " and CRLs).\n"
490 #else
491 ").\n"
492 " WARNING: no support of CRL available with this version.\n"
493 #endif
494 "--dh file : File containing Diffie Hellman parameters\n"
495 " in .pem format (for --tls-server only).\n"
496 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
497 "--cert file : Local certificate in .pem format -- must be signed\n"
498 " by a Certificate Authority in --ca file.\n"
499 "--key file : Local private key in .pem format.\n"
500 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
501 " and optionally the root CA certificate.\n"
502 #ifdef WIN32
503 "--cryptoapicert select-string : Load the certificate and private key from the\n"
504 " Windows Certificate System Store.\n"
505 #endif
506 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
507 " : Use --show-tls to see a list of supported TLS ciphers.\n"
508 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
509 " if no ACK from remote within n seconds (default=%d).\n"
510 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
511 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
512 "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
513 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
514 " of handshake initiation by any peer (default=%d).\n"
515 "--tran-window n : Transition window -- old key can live this many seconds\n"
516 " after new key renegotiation begins (default=%d).\n"
517 "--single-session: Allow only one session (reset state on restart).\n"
518 "--tls-exit : Exit on TLS negotiation failure.\n"
519 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
520 " control channel to protect against DoS attacks.\n"
521 " f (required) is a shared-secret passphrase file.\n"
522 " The optional d parameter controls key directionality,\n"
523 " see --secret option for more info.\n"
524 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
525 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
526 "--crl-verify crl: Check peer certificate against a CRL.\n"
527 "--tls-verify cmd: Execute shell command cmd to verify the X509 name of a\n"
528 " pending TLS connection that has otherwise passed all other\n"
529 " tests of certification. cmd should return 0 to allow\n"
530 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
531 " executed as 'cmd certificate_depth X509_NAME_oneline')\n"
532 "--tls-remote x509name: Accept connections only from a host with X509 name\n"
533 " x509name. The remote host must also pass all other tests\n"
534 " of verification.\n"
535 "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
536 " nsCertType designation t = 'client' | 'server'.\n"
537 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
538 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
539 " explicit key usage, you can specify more than one value.\n"
540 " value should be given in hex format.\n"
541 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
542 " explicit extended key usage. Extended key usage can be encoded\n"
543 " as an object identifier or OpenSSL string representation.\n"
544 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
545 " key usage and extended key usage based on RFC3280 TLS rules.\n"
546 " t = 'client' | 'server'.\n"
547 #endif /* OPENSSL_VERSION_NUMBER */
548 #endif /* USE_SSL */
549 #ifdef ENABLE_PKCS11
550 "\n"
551 "PKCS#11 Options:\n"
552 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
553 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
554 " path. Set for each provider.\n"
555 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
556 " 0 : Try to determind automatically (default).\n"
557 " 1 : Use Sign.\n"
558 " 2 : Use SignRecover.\n"
559 " 4 : Use Decrypt.\n"
560 " 8 : Use Unwrap.\n"
561 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
562 " certificate can be accessed. Set for each provider.\n"
563 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
564 " cache until token is removed.\n"
565 "--pkcs11-id-management : Acquire identity from management interface.\n"
566 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
567 #endif /* ENABLE_PKCS11 */
568 "\n"
569 "SSL Library information:\n"
570 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
571 "--show-digests : Show message digest algorithms to use with --auth option.\n"
572 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
573 #ifdef USE_SSL
574 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
575 #endif
576 #ifdef WIN32
577 "\n"
578 "Windows Specific:\n"
579 "--win-sys path|'env' : Pathname of Windows system directory, C:\\WINDOWS by default.\n"
580 " If specified as 'env', read the pathname from SystemRoot env var.\n"
581 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Win32 adapter\n"
582 " IP address using method = manual, netsh, ipapi,\n"
583 " dynamic, or adaptive (default = adaptive).\n"
584 " Dynamic method allows two optional parameters:\n"
585 " offset: DHCP server address offset (> -256 and < 256).\n"
586 " If 0, use network address, if >0, take nth\n"
587 " address forward from network address, if <0,\n"
588 " take nth address backward from broadcast\n"
589 " address.\n"
590 " Default is 0.\n"
591 " lease-time: Lease time in seconds.\n"
592 " Default is one year.\n"
593 "--route-method : Which method to use for adding routes on Windows?\n"
594 " adaptive (default) -- Try ipapi then fall back to exe.\n"
595 " ipapi -- Use IP helper API.\n"
596 " exe -- Call the route.exe shell command.\n"
597 "--dhcp-option type [parm] : Set extended TAP-Win32 properties, must\n"
598 " be used with --ip-win32 dynamic. For options\n"
599 " which allow multiple addresses,\n"
600 " --dhcp-option must be repeated.\n"
601 " DOMAIN name : Set DNS suffix\n"
602 " DNS addr : Set domain name server address(es)\n"
603 " NTP : Set NTP server address(es)\n"
604 " NBDD : Set NBDD server address(es)\n"
605 " WINS addr : Set WINS server address(es)\n"
606 " NBT type : Set NetBIOS over TCP/IP Node type\n"
607 " 1: B, 2: P, 4: M, 8: H\n"
608 " NBS id : Set NetBIOS scope ID\n"
609 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
610 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
611 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
612 " startup.\n"
613 "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n"
614 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
615 " attempting to set adapter properties.\n"
616 "--pause-exit : When run from a console window, pause before exiting.\n"
617 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
618 " service, and should not be used directly by end-users.\n"
619 " ex is the name of an event object which, when\n"
620 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
621 " optional parameter controls the initial state of ex.\n"
622 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
623 " after TAP adapter is up and routes have been added.\n"
624 "Windows Standalone Options:\n"
625 "\n"
626 "--show-adapters : Show all TAP-Win32 adapters.\n"
627 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
628 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
629 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
630 " to access TAP adapter.\n"
631 #endif
632 "\n"
633 "Generate a random key (only for non-TLS static key encryption mode):\n"
634 "--genkey : Generate a random key to be used as a shared secret,\n"
635 " for use with the --secret option.\n"
636 "--secret file : Write key to file.\n"
637 #endif /* USE_CRYPTO */
638 #ifdef TUNSETPERSIST
639 "\n"
640 "Tun/tap config mode (available with linux 2.4+):\n"
641 "--mktun : Create a persistent tunnel.\n"
642 "--rmtun : Remove a persistent tunnel.\n"
643 "--dev tunX|tapX : tun/tap device\n"
644 "--dev-type dt : Device type. See tunnel options above for details.\n"
645 "--user user : User to set privilege to.\n"
646 "--group group : Group to set privilege to.\n"
647 #endif
648 #ifdef ENABLE_PKCS11
649 "\n"
650 "PKCS#11 standalone options:\n"
651 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
652 " --verb option can be added *BEFORE* this.\n"
653 #endif /* ENABLE_PKCS11 */
654 ;
655
656 #endif /* !ENABLE_SMALL */
657
658 /*
659 * This is where the options defaults go.
660 * Any option not explicitly set here
661 * will be set to 0.
662 */
663 void
664 init_options (struct options *o, const bool init_gc)
665 {
666 CLEAR (*o);
667 if (init_gc)
668 {
669 gc_init (&o->gc);
670 o->gc_owned = true;
671 }
672 o->mode = MODE_POINT_TO_POINT;
673 o->topology = TOP_NET30;
674 o->ce.proto = PROTO_UDPv4;
675 o->ce.connect_retry_seconds = 5;
676 o->ce.connect_timeout = 10;
677 o->ce.connect_retry_max = 0;
678 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
679 o->verbosity = 1;
680 o->status_file_update_freq = 60;
681 o->status_file_version = 1;
682 o->ce.bind_local = true;
683 o->tun_mtu = TUN_MTU_DEFAULT;
684 o->link_mtu = LINK_MTU_DEFAULT;
685 o->mtu_discover_type = -1;
686 o->mssfix = MSSFIX_DEFAULT;
687 o->route_delay_window = 30;
688 o->max_routes = MAX_ROUTES_DEFAULT;
689 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
690 #ifdef ENABLE_OCC
691 o->occ = true;
692 #endif
693 #ifdef ENABLE_MANAGEMENT
694 o->management_log_history_cache = 250;
695 o->management_echo_buffer_size = 100;
696 o->management_state_buffer_size = 100;
697 #endif
698 #ifdef TUNSETPERSIST
699 o->persist_mode = 1;
700 #endif
701 #ifndef WIN32
702 o->rcvbuf = 65536;
703 o->sndbuf = 65536;
704 #endif
705 #ifdef TARGET_LINUX
706 o->tuntap_options.txqueuelen = 100;
707 #endif
708 #ifdef WIN32
709 #if 0
710 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
711 #else
712 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
713 #endif
714 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
715 o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
716 o->route_method = ROUTE_METHOD_ADAPTIVE;
717 #endif
718 #ifdef USE_PTHREAD
719 o->n_threads = 1;
720 #endif
721 #if P2MP_SERVER
722 o->real_hash_size = 256;
723 o->virtual_hash_size = 256;
724 o->n_bcast_buf = 256;
725 o->tcp_queue_limit = 64;
726 o->max_clients = 1024;
727 o->max_routes_per_client = 256;
728 o->ifconfig_pool_persist_refresh_freq = 600;
729 #endif
730 #if P2MP
731 o->scheduled_exit_interval = 5;
732 o->server_poll_timeout = 0;
733 #endif
734 #ifdef USE_CRYPTO
735 o->ciphername = "BF-CBC";
736 o->ciphername_defined = true;
737 o->authname = "SHA1";
738 o->authname_defined = true;
739 o->prng_hash = "SHA1";
740 o->prng_nonce_secret_len = 16;
741 o->replay = true;
742 o->replay_window = DEFAULT_SEQ_BACKTRACK;
743 o->replay_time = DEFAULT_TIME_BACKTRACK;
744 o->use_iv = true;
745 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
746 #ifdef USE_SSL
747 o->key_method = 2;
748 o->tls_timeout = 2;
749 o->renegotiate_seconds = 3600;
750 o->handshake_window = 60;
751 o->transition_window = 3600;
752 #endif
753 #endif
754 #ifdef ENABLE_PKCS11
755 o->pkcs11_pin_cache_period = -1;
756 #endif /* ENABLE_PKCS11 */
757 }
758
759 void
760 uninit_options (struct options *o)
761 {
762 if (o->gc_owned)
763 gc_free (&o->gc);
764 }
765
766 #ifdef ENABLE_DEBUG
767
768 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
769 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
770 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
771 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
772 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
773 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
774
775 #endif
776
777 void
778 setenv_connection_entry (struct env_set *es,
779 const struct connection_entry *e,
780 const int i)
781 {
782 setenv_str_i (es, "proto", proto2ascii (e->proto, false), i);
783 setenv_str_i (es, "local", e->local, i);
784 setenv_int_i (es, "local_port", e->local_port, i);
785 setenv_str_i (es, "remote", e->remote, i);
786 setenv_int_i (es, "remote_port", e->remote_port, i);
787
788 #ifdef ENABLE_HTTP_PROXY
789 if (e->http_proxy_options)
790 {
791 setenv_str_i (es, "http_proxy_server", e->http_proxy_options->server, i);
792 setenv_int_i (es, "http_proxy_port", e->http_proxy_options->port, i);
793 }
794 #endif
795 #ifdef ENABLE_SOCKS
796 if (e->socks_proxy_server)
797 {
798 setenv_str_i (es, "socks_proxy_server", e->socks_proxy_server, i);
799 setenv_int_i (es, "socks_proxy_port", e->socks_proxy_port, i);
800 }
801 #endif
802 }
803
804 void
805 setenv_settings (struct env_set *es, const struct options *o)
806 {
807 setenv_str (es, "config", o->config);
808 setenv_int (es, "verb", o->verbosity);
809 setenv_int (es, "daemon", o->daemon);
810 setenv_int (es, "daemon_log_redirect", o->log);
811 setenv_unsigned (es, "daemon_start_time", time(NULL));
812 setenv_int (es, "daemon_pid", openvpn_getpid());
813
814 #ifdef ENABLE_CONNECTION
815 if (o->connection_list)
816 {
817 int i;
818 for (i = 0; i < o->connection_list->len; ++i)
819 setenv_connection_entry (es, o->connection_list->array[i], i+1);
820 }
821 else
822 #endif
823 setenv_connection_entry (es, &o->ce, 1);
824 }
825
826 static in_addr_t
827 get_ip_addr (const char *ip_string, int msglevel, bool *error)
828 {
829 unsigned int flags = GETADDR_HOST_ORDER;
830 bool succeeded = false;
831 in_addr_t ret;
832
833 if (msglevel & M_FATAL)
834 flags |= GETADDR_FATAL;
835
836 ret = getaddr (flags, ip_string, 0, &succeeded, NULL);
837 if (!succeeded && error)
838 *error = true;
839 return ret;
840 }
841
842 static char *
843 string_substitute (const char *src, int from, int to, struct gc_arena *gc)
844 {
845 char *ret = (char *) gc_malloc (strlen (src) + 1, true, gc);
846 char *dest = ret;
847 char c;
848
849 do
850 {
851 c = *src++;
852 if (c == from)
853 c = to;
854 *dest++ = c;
855 }
856 while (c);
857 return ret;
858 }
859
860 bool
861 is_persist_option (const struct options *o)
862 {
863 return o->persist_tun
864 || o->persist_key
865 || o->persist_local_ip
866 || o->persist_remote_ip
867 #ifdef USE_PTHREAD
868 || o->n_threads >= 2
869 #endif
870 ;
871 }
872
873 bool
874 is_stateful_restart (const struct options *o)
875 {
876 return is_persist_option (o) || connection_list_defined (o);
877 }
878
879 #ifdef WIN32
880
881 #ifdef ENABLE_DEBUG
882
883 static void
884 show_dhcp_option_addrs (const char *name, const in_addr_t *array, int len)
885 {
886 struct gc_arena gc = gc_new ();
887 int i;
888 for (i = 0; i < len; ++i)
889 {
890 msg (D_SHOW_PARMS, " %s[%d] = %s",
891 name,
892 i,
893 print_in_addr_t (array[i], 0, &gc));
894 }
895 gc_free (&gc);
896 }
897
898 static void
899 show_tuntap_options (const struct tuntap_options *o)
900 {
901 SHOW_BOOL (ip_win32_defined);
902 SHOW_INT (ip_win32_type);
903 SHOW_INT (dhcp_masq_offset);
904 SHOW_INT (dhcp_lease_time);
905 SHOW_INT (tap_sleep);
906 SHOW_BOOL (dhcp_options);
907 SHOW_BOOL (dhcp_renew);
908 SHOW_BOOL (dhcp_pre_release);
909 SHOW_BOOL (dhcp_release);
910 SHOW_STR (domain);
911 SHOW_STR (netbios_scope);
912 SHOW_INT (netbios_node_type);
913 SHOW_BOOL (disable_nbt);
914
915 show_dhcp_option_addrs ("DNS", o->dns, o->dns_len);
916 show_dhcp_option_addrs ("WINS", o->wins, o->wins_len);
917 show_dhcp_option_addrs ("NTP", o->ntp, o->ntp_len);
918 show_dhcp_option_addrs ("NBDD", o->nbdd, o->nbdd_len);
919 }
920
921 #endif
922
923 static void
924 dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
925 {
926 if (*len >= N_DHCP_ADDR)
927 {
928 msg (msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
929 name,
930 N_DHCP_ADDR,
931 name);
932 }
933 else
934 {
935 if (ip_addr_dotted_quad_safe (parm)) /* FQDN -- IP address only */
936 {
937 bool error = false;
938 const in_addr_t addr = get_ip_addr (parm, msglevel, &error);
939 if (!error)
940 array[(*len)++] = addr;
941 }
942 else
943 {
944 msg (msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
945 }
946 }
947 }
948
949 #endif
950
951 #if P2MP
952
953 #ifdef ENABLE_DEBUG
954
955 static void
956 show_p2mp_parms (const struct options *o)
957 {
958 struct gc_arena gc = gc_new ();
959
960 #if P2MP_SERVER
961 msg (D_SHOW_PARMS, " server_network = %s", print_in_addr_t (o->server_network, 0, &gc));
962 msg (D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t (o->server_netmask, 0, &gc));
963 msg (D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t (o->server_bridge_ip, 0, &gc));
964 msg (D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t (o->server_bridge_netmask, 0, &gc));
965 msg (D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t (o->server_bridge_pool_start, 0, &gc));
966 msg (D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t (o->server_bridge_pool_end, 0, &gc));
967 if (o->push_list.head)
968 {
969 const struct push_entry *e = o->push_list.head;
970 while (e)
971 {
972 if (e->enable)
973 msg (D_SHOW_PARMS, " push_entry = '%s'", e->option);
974 e = e->next;
975 }
976 }
977 SHOW_BOOL (ifconfig_pool_defined);
978 msg (D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t (o->ifconfig_pool_start, 0, &gc));
979 msg (D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t (o->ifconfig_pool_end, 0, &gc));
980 msg (D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t (o->ifconfig_pool_netmask, 0, &gc));
981 SHOW_STR (ifconfig_pool_persist_filename);
982 SHOW_INT (ifconfig_pool_persist_refresh_freq);
983 SHOW_INT (n_bcast_buf);
984 SHOW_INT (tcp_queue_limit);
985 SHOW_INT (real_hash_size);
986 SHOW_INT (virtual_hash_size);
987 SHOW_STR (client_connect_script);
988 SHOW_STR (learn_address_script);
989 SHOW_STR (client_disconnect_script);
990 SHOW_STR (client_config_dir);
991 SHOW_BOOL (ccd_exclusive);
992 SHOW_STR (tmp_dir);
993 SHOW_BOOL (push_ifconfig_defined);
994 msg (D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t (o->push_ifconfig_local, 0, &gc));
995 msg (D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t (o->push_ifconfig_remote_netmask, 0, &gc));
996 SHOW_BOOL (enable_c2c);
997 SHOW_BOOL (duplicate_cn);
998 SHOW_INT (cf_max);
999 SHOW_INT (cf_per);
1000 SHOW_INT (max_clients);
1001 SHOW_INT (max_routes_per_client);
1002 SHOW_STR (auth_user_pass_verify_script);
1003 SHOW_BOOL (auth_user_pass_verify_script_via_file);
1004 SHOW_INT (ssl_flags);
1005 #if PORT_SHARE
1006 SHOW_STR (port_share_host);
1007 SHOW_INT (port_share_port);
1008 #endif
1009 #endif /* P2MP_SERVER */
1010
1011 SHOW_BOOL (client);
1012 SHOW_BOOL (pull);
1013 SHOW_STR (auth_user_pass_file);
1014
1015 gc_free (&gc);
1016 }
1017
1018 #endif /* ENABLE_DEBUG */
1019
1020 #if P2MP_SERVER
1021
1022 static void
1023 option_iroute (struct options *o,
1024 const char *network_str,
1025 const char *netmask_str,
1026 int msglevel)
1027 {
1028 struct iroute *ir;
1029
1030 ALLOC_OBJ_GC (ir, struct iroute, &o->gc);
1031 ir->network = getaddr (GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1032 ir->netbits = -1;
1033
1034 if (netmask_str)
1035 {
1036 const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1037 if (!netmask_to_netbits (ir->network, netmask, &ir->netbits))
1038 {
1039 msg (msglevel, "in --iroute %s %s : Bad network/subnet specification",
1040 network_str,
1041 netmask_str);
1042 return;
1043 }
1044 }
1045
1046 ir->next = o->iroutes;
1047 o->iroutes = ir;
1048 }
1049
1050 #endif /* P2MP_SERVER */
1051 #endif /* P2MP */
1052
1053 #if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_DEBUG)
1054 static void
1055 show_http_proxy_options (const struct http_proxy_options *o)
1056 {
1057 msg (D_SHOW_PARMS, "BEGIN http_proxy");
1058 SHOW_STR (server);
1059 SHOW_INT (port);
1060 SHOW_STR (auth_method_string);
1061 SHOW_STR (auth_file);
1062 SHOW_BOOL (retry);
1063 SHOW_INT (timeout);
1064 SHOW_STR (http_version);
1065 SHOW_STR (user_agent);
1066 msg (D_SHOW_PARMS, "END http_proxy");
1067 }
1068 #endif
1069
1070 void
1071 options_detach (struct options *o)
1072 {
1073 gc_detach (&o->gc);
1074 o->routes = NULL;
1075 #if P2MP_SERVER
1076 clone_push_list(o);
1077 #endif
1078 }
1079
1080 void
1081 rol_check_alloc (struct options *options)
1082 {
1083 if (!options->routes)
1084 options->routes = new_route_option_list (options->max_routes, &options->gc);
1085 }
1086
1087 #ifdef ENABLE_DEBUG
1088 static void
1089 show_connection_entry (const struct connection_entry *o)
1090 {
1091 msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, false));
1092 SHOW_STR (local);
1093 SHOW_INT (local_port);
1094 SHOW_STR (remote);
1095 SHOW_INT (remote_port);
1096 SHOW_BOOL (remote_float);
1097 SHOW_BOOL (bind_defined);
1098 SHOW_BOOL (bind_local);
1099 SHOW_INT (connect_retry_seconds);
1100 SHOW_INT (connect_timeout);
1101 SHOW_INT (connect_retry_max);
1102
1103 #ifdef ENABLE_HTTP_PROXY
1104 if (o->http_proxy_options)
1105 show_http_proxy_options (o->http_proxy_options);
1106 #endif
1107 #ifdef ENABLE_SOCKS
1108 SHOW_STR (socks_proxy_server);
1109 SHOW_INT (socks_proxy_port);
1110 SHOW_BOOL (socks_proxy_retry);
1111 #endif
1112 }
1113
1114 static void
1115 show_connection_entries (const struct options *o)
1116 {
1117 msg (D_SHOW_PARMS, "Connection profiles [default]:");
1118 show_connection_entry (&o->ce);
1119 #ifdef ENABLE_CONNECTION
1120 if (o->connection_list)
1121 {
1122 const struct connection_list *l = o->connection_list;
1123 int i;
1124 for (i = 0; i < l->len; ++i)
1125 {
1126 msg (D_SHOW_PARMS, "Connection profiles [%d]:", i);
1127 show_connection_entry (l->array[i]);
1128 }
1129 }
1130 #endif
1131 msg (D_SHOW_PARMS, "Connection profiles END");
1132 }
1133
1134 #endif
1135
1136 void
1137 show_settings (const struct options *o)
1138 {
1139 #ifdef ENABLE_DEBUG
1140 msg (D_SHOW_PARMS, "Current Parameter Settings:");
1141
1142 SHOW_STR (config);
1143
1144 SHOW_INT (mode);
1145
1146 #ifdef TUNSETPERSIST
1147 SHOW_BOOL (persist_config);
1148 SHOW_INT (persist_mode);
1149 #endif
1150
1151 #ifdef USE_CRYPTO
1152 SHOW_BOOL (show_ciphers);
1153 SHOW_BOOL (show_digests);
1154 SHOW_BOOL (show_engines);
1155 SHOW_BOOL (genkey);
1156 #ifdef USE_SSL
1157 SHOW_STR (key_pass_file);
1158 SHOW_BOOL (show_tls_ciphers);
1159 #endif
1160 #endif
1161
1162 show_connection_entries (o);
1163
1164 SHOW_BOOL (remote_random);
1165
1166 SHOW_STR (ipchange);
1167 SHOW_STR (dev);
1168 SHOW_STR (dev_type);
1169 SHOW_STR (dev_node);
1170 SHOW_STR (lladdr);
1171 SHOW_INT (topology);
1172 SHOW_BOOL (tun_ipv6);
1173 SHOW_STR (ifconfig_local);
1174 SHOW_STR (ifconfig_remote_netmask);
1175 SHOW_BOOL (ifconfig_noexec);
1176 SHOW_BOOL (ifconfig_nowarn);
1177
1178 #ifdef HAVE_GETTIMEOFDAY
1179 SHOW_INT (shaper);
1180 #endif
1181 SHOW_INT (tun_mtu);
1182 SHOW_BOOL (tun_mtu_defined);
1183 SHOW_INT (link_mtu);
1184 SHOW_BOOL (link_mtu_defined);
1185 SHOW_INT (tun_mtu_extra);
1186 SHOW_BOOL (tun_mtu_extra_defined);
1187
1188 #ifdef ENABLE_FRAGMENT
1189 SHOW_INT (fragment);
1190 #endif
1191
1192 SHOW_INT (mtu_discover_type);
1193
1194 #ifdef ENABLE_OCC
1195 SHOW_INT (mtu_test);
1196 #endif
1197
1198 SHOW_BOOL (mlock);
1199
1200 SHOW_INT (keepalive_ping);
1201 SHOW_INT (keepalive_timeout);
1202 SHOW_INT (inactivity_timeout);
1203 SHOW_INT (ping_send_timeout);
1204 SHOW_INT (ping_rec_timeout);
1205 SHOW_INT (ping_rec_timeout_action);
1206 SHOW_BOOL (ping_timer_remote);
1207 SHOW_INT (remap_sigusr1);
1208 #ifdef ENABLE_OCC
1209 SHOW_INT (explicit_exit_notification);
1210 #endif
1211 SHOW_BOOL (persist_tun);
1212 SHOW_BOOL (persist_local_ip);
1213 SHOW_BOOL (persist_remote_ip);
1214 SHOW_BOOL (persist_key);
1215
1216 SHOW_INT (mssfix);
1217
1218 #if PASSTOS_CAPABILITY
1219 SHOW_BOOL (passtos);
1220 #endif
1221
1222 SHOW_INT (resolve_retry_seconds);
1223
1224 SHOW_STR (username);
1225 SHOW_STR (groupname);
1226 SHOW_STR (chroot_dir);
1227 SHOW_STR (cd_dir);
1228 #ifdef HAVE_SETCON
1229 SHOW_STR (selinux_context);
1230 #endif
1231 SHOW_STR (writepid);
1232 SHOW_STR (up_script);
1233 SHOW_STR (down_script);
1234 SHOW_BOOL (down_pre);
1235 SHOW_BOOL (up_restart);
1236 SHOW_BOOL (up_delay);
1237 SHOW_BOOL (daemon);
1238 SHOW_INT (inetd);
1239 SHOW_BOOL (log);
1240 SHOW_BOOL (suppress_timestamps);
1241 SHOW_INT (nice);
1242 SHOW_INT (verbosity);
1243 SHOW_INT (mute);
1244 #ifdef ENABLE_DEBUG
1245 SHOW_INT (gremlin);
1246 #endif
1247 SHOW_STR (status_file);
1248 SHOW_INT (status_file_version);
1249 SHOW_INT (status_file_update_freq);
1250
1251 #ifdef ENABLE_OCC
1252 SHOW_BOOL (occ);
1253 #endif
1254 SHOW_INT (rcvbuf);
1255 SHOW_INT (sndbuf);
1256 SHOW_INT (sockflags);
1257
1258 SHOW_BOOL (fast_io);
1259
1260 #ifdef USE_LZO
1261 SHOW_INT (lzo);
1262 #endif
1263
1264 SHOW_STR (route_script);
1265 SHOW_STR (route_default_gateway);
1266 SHOW_INT (route_default_metric);
1267 SHOW_BOOL (route_noexec);
1268 SHOW_INT (route_delay);
1269 SHOW_INT (route_delay_window);
1270 SHOW_BOOL (route_delay_defined);
1271 SHOW_BOOL (route_nopull);
1272 SHOW_BOOL (route_gateway_via_dhcp);
1273 SHOW_INT (max_routes);
1274 SHOW_BOOL (allow_pull_fqdn);
1275 if (o->routes)
1276 print_route_options (o->routes, D_SHOW_PARMS);
1277
1278 #ifdef ENABLE_MANAGEMENT
1279 SHOW_STR (management_addr);
1280 SHOW_INT (management_port);
1281 SHOW_STR (management_user_pass);
1282 SHOW_INT (management_log_history_cache);
1283 SHOW_INT (management_echo_buffer_size);
1284 SHOW_STR (management_write_peer_info_file);
1285 SHOW_STR (management_client_user);
1286 SHOW_STR (management_client_group);
1287 SHOW_INT (management_flags);
1288 #endif
1289 #ifdef ENABLE_PLUGIN
1290 if (o->plugin_list)
1291 plugin_option_list_print (o->plugin_list, D_SHOW_PARMS);
1292 #endif
1293
1294 #ifdef USE_CRYPTO
1295 SHOW_STR (shared_secret_file);
1296 SHOW_INT (key_direction);
1297 SHOW_BOOL (ciphername_defined);
1298 SHOW_STR (ciphername);
1299 SHOW_BOOL (authname_defined);
1300 SHOW_STR (authname);
1301 SHOW_STR (prng_hash);
1302 SHOW_INT (prng_nonce_secret_len);
1303 SHOW_INT (keysize);
1304 SHOW_BOOL (engine);
1305 SHOW_BOOL (replay);
1306 SHOW_BOOL (mute_replay_warnings);
1307 SHOW_INT (replay_window);
1308 SHOW_INT (replay_time);
1309 SHOW_STR (packet_id_file);
1310 SHOW_BOOL (use_iv);
1311 SHOW_BOOL (test_crypto);
1312
1313 #ifdef USE_SSL
1314 SHOW_BOOL (tls_server);
1315 SHOW_BOOL (tls_client);
1316 SHOW_INT (key_method);
1317 SHOW_STR (ca_file);
1318 SHOW_STR (ca_path);
1319 SHOW_STR (dh_file);
1320 SHOW_STR (cert_file);
1321 SHOW_STR (priv_key_file);
1322 SHOW_STR (pkcs12_file);
1323 #ifdef WIN32
1324 SHOW_STR (cryptoapi_cert);
1325 #endif
1326 SHOW_STR (cipher_list);
1327 SHOW_STR (tls_verify);
1328 SHOW_STR (tls_remote);
1329 SHOW_STR (crl_file);
1330 SHOW_INT (ns_cert_type);
1331 {
1332 int i;
1333 for (i=0;i<MAX_PARMS;i++)
1334 SHOW_INT (remote_cert_ku[i]);
1335 }
1336 SHOW_STR (remote_cert_eku);
1337
1338 SHOW_INT (tls_timeout);
1339
1340 SHOW_INT (renegotiate_bytes);
1341 SHOW_INT (renegotiate_packets);
1342 SHOW_INT (renegotiate_seconds);
1343
1344 SHOW_INT (handshake_window);
1345 SHOW_INT (transition_window);
1346
1347 SHOW_BOOL (single_session);
1348 SHOW_BOOL (tls_exit);
1349
1350 SHOW_STR (tls_auth_file);
1351 #endif
1352 #endif
1353
1354 #ifdef ENABLE_PKCS11
1355 {
1356 int i;
1357 for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++)
1358 SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s");
1359 }
1360 {
1361 int i;
1362 for (i=0;i<MAX_PARMS;i++)
1363 SHOW_PARM (pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1364 }
1365 {
1366 int i;
1367 for (i=0;i<MAX_PARMS;i++)
1368 SHOW_PARM (pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1369 }
1370 {
1371 int i;
1372 for (i=0;i<MAX_PARMS;i++)
1373 SHOW_PARM (pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1374 }
1375 SHOW_INT (pkcs11_pin_cache_period);
1376 SHOW_STR (pkcs11_id);
1377 SHOW_BOOL (pkcs11_id_management);
1378 #endif /* ENABLE_PKCS11 */
1379
1380 #if P2MP
1381 show_p2mp_parms (o);
1382 #endif
1383
1384 #ifdef WIN32
1385 SHOW_BOOL (show_net_up);
1386 SHOW_INT (route_method);
1387 show_tuntap_options (&o->tuntap_options);
1388 #endif
1389 #endif
1390 }
1391
1392 #undef SHOW_PARM
1393 #undef SHOW_STR
1394 #undef SHOW_INT
1395 #undef SHOW_BOOL
1396
1397 #ifdef ENABLE_HTTP_PROXY
1398
1399 struct http_proxy_options *
1400 init_http_options_if_undefined (struct options *o)
1401 {
1402 if (!o->ce.http_proxy_options)
1403 {
1404 ALLOC_OBJ_CLEAR_GC (o->ce.http_proxy_options, struct http_proxy_options, &o->gc);
1405 /* http proxy defaults */
1406 o->ce.http_proxy_options->timeout = 5;
1407 o->ce.http_proxy_options->http_version = "1.0";
1408 }
1409 return o->ce.http_proxy_options;
1410 }
1411
1412 #endif
1413
1414 #if ENABLE_CONNECTION
1415
1416 static struct connection_list *
1417 alloc_connection_list_if_undef (struct options *options)
1418 {
1419 if (!options->connection_list)
1420 ALLOC_OBJ_CLEAR_GC (options->connection_list, struct connection_list, &options->gc);
1421 return options->connection_list;
1422 }
1423
1424 static struct connection_entry *
1425 alloc_connection_entry (struct options *options, const int msglevel)
1426 {
1427 struct connection_list *l = alloc_connection_list_if_undef (options);
1428 struct connection_entry *e;
1429
1430 if (l->len >= CONNECTION_LIST_SIZE)
1431 {
1432 msg (msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
1433 return NULL;
1434 }
1435 ALLOC_OBJ_GC (e, struct connection_entry, &options->gc);
1436 l->array[l->len++] = e;
1437 return e;
1438 }
1439
1440 static struct remote_list *
1441 alloc_remote_list_if_undef (struct options *options)
1442 {
1443 if (!options->remote_list)
1444 ALLOC_OBJ_CLEAR_GC (options->remote_list, struct remote_list, &options->gc);
1445 return options->remote_list;
1446 }
1447
1448 static struct remote_entry *
1449 alloc_remote_entry (struct options *options, const int msglevel)
1450 {
1451 struct remote_list *l = alloc_remote_list_if_undef (options);
1452 struct remote_entry *e;
1453
1454 if (l->len >= CONNECTION_LIST_SIZE)
1455 {
1456 msg (msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
1457 return NULL;
1458 }
1459 ALLOC_OBJ_GC (e, struct remote_entry, &options->gc);
1460 l->array[l->len++] = e;
1461 return e;
1462 }
1463
1464 #endif
1465
1466 void
1467 connection_entry_load_re (struct connection_entry *ce, const struct remote_entry *re)
1468 {
1469 if (re->remote)
1470 ce->remote = re->remote;
1471 if (re->remote_port >= 0)
1472 ce->remote_port = re->remote_port;
1473 if (re->proto >= 0)
1474 ce->proto = re->proto;
1475 }
1476
1477 static void
1478 options_postprocess_verify_ce (const struct options *options, const struct connection_entry *ce)
1479 {
1480 struct options defaults;
1481 int dev = DEV_TYPE_UNDEF;
1482 bool pull = false;
1483
1484 init_options (&defaults, true);
1485
1486 #ifdef USE_CRYPTO
1487 if (options->test_crypto)
1488 {
1489 notnull (options->shared_secret_file, "key file (--secret)");
1490 }
1491 else
1492 #endif
1493 notnull (options->dev, "TUN/TAP device (--dev)");
1494
1495 /*
1496 * Get tun/tap/null device type
1497 */
1498 dev = dev_type_enum (options->dev, options->dev_type);
1499
1500 /*
1501 * If "proto tcp" is specified, make sure we know whether it is
1502 * tcp-client or tcp-server.
1503 */
1504 if (ce->proto == PROTO_TCPv4)
1505 msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
1506
1507 /*
1508 * Sanity check on daemon/inetd modes
1509 */
1510
1511 if (options->daemon && options->inetd)
1512 msg (M_USAGE, "only one of --daemon or --inetd may be specified");
1513
1514 if (options->inetd && (ce->local || ce->remote))
1515 msg (M_USAGE, "--local or --remote cannot be used with --inetd");
1516
1517 if (options->inetd && ce->proto == PROTO_TCPv4_CLIENT)
1518 msg (M_USAGE, "--proto tcp-client cannot be used with --inetd");
1519
1520 if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCPv4_SERVER)
1521 msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
1522
1523 if (options->inetd == INETD_NOWAIT
1524 #if defined(USE_CRYPTO) && defined(USE_SSL)
1525 && !(options->tls_server || options->tls_client)
1526 #endif
1527 )
1528 msg (M_USAGE, "--inetd nowait can only be used in TLS mode");
1529
1530 if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
1531 msg (M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
1532
1533
1534 if (options->lladdr && dev != DEV_TYPE_TAP)
1535 msg (M_USAGE, "--lladdr can only be used in --dev tap mode");
1536
1537 /*
1538 * Sanity check on TCP mode options
1539 */
1540
1541 if (ce->connect_retry_defined && ce->proto != PROTO_TCPv4_CLIENT)
1542 msg (M_USAGE, "--connect-retry doesn't make sense unless also used with --proto tcp-client");
1543
1544 if (ce->connect_timeout_defined && ce->proto != PROTO_TCPv4_CLIENT)
1545 msg (M_USAGE, "--connect-timeout doesn't make sense unless also used with --proto tcp-client");
1546
1547 /*
1548 * Sanity check on MTU parameters
1549 */
1550 if (options->tun_mtu_defined && options->link_mtu_defined)
1551 msg (M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
1552
1553 #ifdef ENABLE_OCC
1554 if (ce->proto != PROTO_UDPv4 && options->mtu_test)
1555 msg (M_USAGE, "--mtu-test only makes sense with --proto udp");
1556 #endif
1557
1558 /* will we be pulling options from server? */
1559 #if P2MP
1560 pull = options->pull;
1561 #endif
1562
1563 /*
1564 * Sanity check on --local, --remote, and --ifconfig
1565 */
1566
1567 if (string_defined_equal (ce->local, ce->remote)
1568 && ce->local_port == ce->remote_port)
1569 msg (M_USAGE, "--remote and --local addresses are the same");
1570
1571 if (string_defined_equal (ce->remote, options->ifconfig_local)
1572 || string_defined_equal (ce->remote, options->ifconfig_remote_netmask))
1573 msg (M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses");
1574
1575 if (string_defined_equal (ce->local, options->ifconfig_local)
1576 || string_defined_equal (ce->local, options->ifconfig_remote_netmask))
1577 msg (M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
1578
1579 if (string_defined_equal (options->ifconfig_local, options->ifconfig_remote_netmask))
1580 msg (M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
1581
1582 if (ce->bind_defined && !ce->bind_local)
1583 msg (M_USAGE, "--bind and --nobind can't be used together");
1584
1585 if (ce->local && !ce->bind_local)
1586 msg (M_USAGE, "--local and --nobind don't make sense when used together");
1587
1588 if (ce->local_port_defined && !ce->bind_local)
1589 msg (M_USAGE, "--lport and --nobind don't make sense when used together");
1590
1591 if (!ce->remote && !ce->bind_local)
1592 msg (M_USAGE, "--nobind doesn't make sense unless used with --remote");
1593
1594 /*
1595 * Check for consistency of management options
1596 */
1597 #ifdef ENABLE_MANAGEMENT
1598 if (!options->management_addr &&
1599 (options->management_flags
1600 || options->management_write_peer_info_file
1601 || options->management_log_history_cache != defaults.management_log_history_cache))
1602 msg (M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
1603
1604 if ((options->management_client_user || options->management_client_group)
1605 && !(options->management_flags & MF_UNIX_SOCK))
1606 msg (M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
1607 #endif
1608
1609 /*
1610 * Windows-specific options.
1611 */
1612
1613 #ifdef WIN32
1614 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
1615 msg (M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
1616
1617 if ((options->tuntap_options.ip_win32_defined)
1618 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
1619 msg (M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
1620
1621 if (options->tuntap_options.dhcp_options
1622 && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
1623 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
1624 msg (M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive");
1625 #endif
1626
1627 /*
1628 * Check that protocol options make sense.
1629 */
1630
1631 #ifdef ENABLE_FRAGMENT
1632 if (ce->proto != PROTO_UDPv4 && options->fragment)
1633 msg (M_USAGE, "--fragment can only be used with --proto udp");
1634 #endif
1635
1636 #ifdef ENABLE_OCC
1637 if (ce->proto != PROTO_UDPv4 && options->explicit_exit_notification)
1638 msg (M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
1639 #endif
1640
1641 if (!ce->remote && ce->proto == PROTO_TCPv4_CLIENT)
1642 msg (M_USAGE, "--remote MUST be used in TCP Client mode");
1643
1644 #ifdef ENABLE_HTTP_PROXY
1645 if ((ce->http_proxy_options || options->auto_proxy_info) && ce->proto != PROTO_TCPv4_CLIENT)
1646 msg (M_USAGE, "--http-proxy or --auto-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
1647 #endif
1648
1649 #if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_SOCKS)
1650 if (ce->http_proxy_options && ce->socks_proxy_server)
1651 msg (M_USAGE, "--http-proxy can not be used together with --socks-proxy");
1652 #endif
1653
1654 #ifdef ENABLE_SOCKS
1655 if (ce->socks_proxy_server && ce->proto == PROTO_TCPv4_SERVER)
1656 msg (M_USAGE, "--socks-proxy can not be used in TCP Server mode");
1657 #endif
1658
1659 if (ce->proto == PROTO_TCPv4_SERVER && connection_list_defined (options))
1660 msg (M_USAGE, "TCP server mode allows at most one --remote address");
1661
1662 #if P2MP_SERVER
1663
1664 /*
1665 * Check consistency of --mode server options.
1666 */
1667 if (options->mode == MODE_SERVER)
1668 {
1669 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
1670 msg (M_USAGE, "--mode server only works with --dev tun or --dev tap");
1671 if (options->pull)
1672 msg (M_USAGE, "--pull cannot be used with --mode server");
1673 if (!(ce->proto == PROTO_UDPv4 || ce->proto == PROTO_TCPv4_SERVER))
1674 msg (M_USAGE, "--mode server currently only supports --proto udp or --proto tcp-server");
1675 #if PORT_SHARE
1676 if ((options->port_share_host || options->port_share_port) && ce->proto != PROTO_TCPv4_SERVER)
1677 msg (M_USAGE, "--port-share only works in TCP server mode (--proto tcp-server)");
1678 #endif
1679 if (!options->tls_server)
1680 msg (M_USAGE, "--mode server requires --tls-server");
1681 if (ce->remote)
1682 msg (M_USAGE, "--remote cannot be used with --mode server");
1683 if (!ce->bind_local)
1684 msg (M_USAGE, "--nobind cannot be used with --mode server");
1685 #ifdef ENABLE_HTTP_PROXY
1686 if (ce->http_proxy_options)
1687 msg (M_USAGE, "--http-proxy cannot be used with --mode server");
1688 #endif
1689 #ifdef ENABLE_SOCKS
1690 if (ce->socks_proxy_server)
1691 msg (M_USAGE, "--socks-proxy cannot be used with --mode server");
1692 #endif
1693 #ifdef ENABLE_CONNECTION
1694 if (options->connection_list)
1695 msg (M_USAGE, "<connection> cannot be used with --mode server");
1696 #endif
1697 if (options->tun_ipv6)
1698 msg (M_USAGE, "--tun-ipv6 cannot be used with --mode server");
1699 if (options->shaper)
1700 msg (M_USAGE, "--shaper cannot be used with --mode server");
1701 if (options->inetd)
1702 msg (M_USAGE, "--inetd cannot be used with --mode server");
1703 if (options->ipchange)
1704 msg (M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)");
1705 if (!(ce->proto == PROTO_UDPv4 || ce->proto == PROTO_TCPv4_SERVER))
1706 msg (M_USAGE, "--mode server currently only supports --proto udp or --proto tcp-server");
1707 if (ce->proto != PROTO_UDPv4 && (options->cf_max || options->cf_per))
1708 msg (M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
1709 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
1710 msg (M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
1711 #ifdef ENABLE_OCC
1712 if (options->explicit_exit_notification)
1713 msg (M_USAGE, "--explicit-exit-notify cannot be used with --mode server");
1714 #endif
1715 if (options->routes && (options->routes->flags & RG_ENABLE))
1716 msg (M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
1717 if (options->route_delay_defined)
1718 msg (M_USAGE, "--route-delay cannot be used with --mode server");
1719 if (options->up_delay)
1720 msg (M_USAGE, "--up-delay cannot be used with --mode server");
1721 if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
1722 msg (M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
1723 if (options->auth_user_pass_file)
1724 msg (M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
1725 if (options->ccd_exclusive && !options->client_config_dir)
1726 msg (M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
1727 if (options->key_method != 2)
1728 msg (M_USAGE, "--mode server requires --key-method 2");
1729
1730 {
1731 const bool ccnr = (options->auth_user_pass_verify_script
1732 || PLUGIN_OPTION_LIST (options)
1733 || MAN_CLIENT_AUTH_ENABLED (options));
1734 const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
1735 if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && !ccnr)
1736 msg (M_USAGE, "--client-cert-not-required %s", postfix);
1737 if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
1738 msg (M_USAGE, "--username-as-common-name %s", postfix);
1739 if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
1740 msg (M_USAGE, "--auth-user-pass-optional %s", postfix);
1741 }
1742
1743 if ((options->ssl_flags & SSLF_NO_NAME_REMAPPING) && script_method == SM_SYSTEM)
1744 msg (M_USAGE, "--script-security method='system' cannot be combined with --no-name-remapping");
1745 }
1746 else
1747 {
1748 /*
1749 * When not in server mode, err if parameters are
1750 * specified which require --mode server.
1751 */
1752 if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
1753 msg (M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
1754 if (options->real_hash_size != defaults.real_hash_size
1755 || options->virtual_hash_size != defaults.virtual_hash_size)
1756 msg (M_USAGE, "--hash-size requires --mode server");
1757 if (options->learn_address_script)
1758 msg (M_USAGE, "--learn-address requires --mode server");
1759 if (options->client_connect_script)
1760 msg (M_USAGE, "--client-connect requires --mode server");
1761 if (options->client_disconnect_script)
1762 msg (M_USAGE, "--client-disconnect requires --mode server");
1763 if (options->tmp_dir)
1764 msg (M_USAGE, "--tmp-dir requires --mode server");
1765 if (options->client_config_dir || options->ccd_exclusive)
1766 msg (M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
1767 if (options->enable_c2c)
1768 msg (M_USAGE, "--client-to-client requires --mode server");
1769 if (options->duplicate_cn)
1770 msg (M_USAGE, "--duplicate-cn requires --mode server");
1771 if (options->cf_max || options->cf_per)
1772 msg (M_USAGE, "--connect-freq requires --mode server");
1773 if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
1774 msg (M_USAGE, "--client-cert-not-required requires --mode server");
1775 if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
1776 msg (M_USAGE, "--username-as-common-name requires --mode server");
1777 if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
1778 msg (M_USAGE, "--auth-user-pass-optional requires --mode server");
1779 if (options->ssl_flags & SSLF_NO_NAME_REMAPPING)
1780 msg (M_USAGE, "--no-name-remapping requires --mode server");
1781 if (options->ssl_flags & SSLF_OPT_VERIFY)
1782 msg (M_USAGE, "--opt-verify requires --mode server");
1783 if (options->server_flags & SF_TCP_NODELAY_HELPER)
1784 msg (M_USAGE, "--tcp-nodelay requires --mode server");
1785 if (options->auth_user_pass_verify_script)
1786 msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
1787 #if PORT_SHARE
1788 if (options->port_share_host || options->port_share_port)
1789 msg (M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
1790 #endif
1791
1792 }
1793 #endif /* P2MP_SERVER */
1794
1795 #ifdef USE_CRYPTO
1796
1797 /*
1798 * Check consistency of replay options
1799 */
1800 if ((ce->proto != PROTO_UDPv4)
1801 && (options->replay_window != defaults.replay_window
1802 || options->replay_time != defaults.replay_time))
1803 msg (M_USAGE, "--replay-window only makes sense with --proto udp");
1804
1805 if (!options->replay
1806 && (options->replay_window != defaults.replay_window
1807 || options->replay_time != defaults.replay_time))
1808 msg (M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
1809
1810 /*
1811 * SSL/TLS mode sanity checks.
1812 */
1813
1814 #ifdef USE_SSL
1815 if (options->tls_server + options->tls_client +
1816 (options->shared_secret_file != NULL) > 1)
1817 msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
1818
1819 if (options->tls_server)
1820 {
1821 notnull (options->dh_file, "DH file (--dh)");
1822 }
1823 if (options->tls_server || options->tls_client)
1824 {
1825 #ifdef ENABLE_PKCS11
1826 if (options->pkcs11_providers[0])
1827 {
1828 notnull (options->ca_file, "CA file (--ca)");
1829
1830 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
1831 msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
1832 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
1833 msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
1834 if (options->cert_file)
1835 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
1836 if (options->priv_key_file)
1837 msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
1838 if (options->pkcs12_file)
1839 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
1840 #ifdef WIN32
1841 if (options->cryptoapi_cert)
1842 msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
1843 #endif
1844 }
1845 else
1846 #endif
1847 #ifdef WIN32
1848 if (options->cryptoapi_cert)
1849 {
1850 if ((!(options->ca_file)) && (!(options->ca_path)))
1851 msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
1852 if (options->cert_file)
1853 msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
1854 if (options->priv_key_file)
1855 msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
1856 if (options->pkcs12_file)
1857 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
1858 }
1859 else
1860 #endif
1861 if (options->pkcs12_file)
1862 {
1863 if (options->ca_path)
1864 msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
1865 if (options->cert_file)
1866 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
1867 if (options->priv_key_file)
1868 msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
1869 }
1870 else
1871 {
1872 if ((!(options->ca_file)) && (!(options->ca_path)))
1873 msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
1874 if (pull)
1875 {
1876 const int sum = (options->cert_file != NULL) + (options->priv_key_file != NULL);
1877 if (sum == 0)
1878 {
1879 #if P2MP
1880 if (!options->auth_user_pass_file)
1881 #endif
1882 msg (M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
1883 }
1884 else if (sum == 2)
1885 ;
1886 else
1887 {
1888 msg (M_USAGE, "If you use one of --cert or --key, you must use them both");
1889 }
1890 }
1891 else
1892 {
1893 notnull (options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
1894 notnull (options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
1895 }
1896 }
1897 }
1898 else
1899 {
1900 /*
1901 * Make sure user doesn't specify any TLS options
1902 * when in non-TLS mode.
1903 */
1904
1905 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) msg (M_USAGE, err, #parm);
1906
1907 const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
1908
1909 MUST_BE_UNDEF (ca_file);
1910 MUST_BE_UNDEF (ca_path);
1911 MUST_BE_UNDEF (dh_file);
1912 MUST_BE_UNDEF (cert_file);
1913 MUST_BE_UNDEF (priv_key_file);
1914 MUST_BE_UNDEF (pkcs12_file);
1915 MUST_BE_UNDEF (cipher_list);
1916 MUST_BE_UNDEF (tls_verify);
1917 MUST_BE_UNDEF (tls_remote);
1918 MUST_BE_UNDEF (tls_timeout);
1919 MUST_BE_UNDEF (renegotiate_bytes);
1920 MUST_BE_UNDEF (renegotiate_packets);
1921 MUST_BE_UNDEF (renegotiate_seconds);
1922 MUST_BE_UNDEF (handshake_window);
1923 MUST_BE_UNDEF (transition_window);
1924 MUST_BE_UNDEF (tls_auth_file);
1925 MUST_BE_UNDEF (single_session);
1926 MUST_BE_UNDEF (tls_exit);
1927 MUST_BE_UNDEF (crl_file);
1928 MUST_BE_UNDEF (key_method);
1929 MUST_BE_UNDEF (ns_cert_type);
1930 MUST_BE_UNDEF (remote_cert_ku[0]);
1931 MUST_BE_UNDEF (remote_cert_eku);
1932 #ifdef ENABLE_PKCS11
1933 MUST_BE_UNDEF (pkcs11_providers[0]);
1934 MUST_BE_UNDEF (pkcs11_private_mode[0]);
1935 MUST_BE_UNDEF (pkcs11_id);
1936 MUST_BE_UNDEF (pkcs11_id_management);
1937 #endif
1938
1939 if (pull)
1940 msg (M_USAGE, err, "--pull");
1941 }
1942 #undef MUST_BE_UNDEF
1943 #endif /* USE_CRYPTO */
1944 #endif /* USE_SSL */
1945
1946 #if P2MP
1947 if (options->auth_user_pass_file && !options->pull)
1948 msg (M_USAGE, "--auth-user-pass requires --pull");
1949 #endif
1950
1951 uninit_options (&defaults);
1952 }
1953
1954 static void
1955 options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)
1956 {
1957 #if P2MP_SERVER
1958 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
1959 {
1960 if (ce->proto == PROTO_TCPv4)
1961 ce->proto = PROTO_TCPv4_SERVER;
1962 }
1963 #endif
1964 #if P2MP
1965 if (o->client)
1966 {
1967 if (ce->proto == PROTO_TCPv4)
1968 ce->proto = PROTO_TCPv4_CLIENT;
1969 }
1970 #endif
1971
1972 if (ce->proto == PROTO_TCPv4_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
1973 ce->bind_local = false;
1974
1975 #ifdef ENABLE_SOCKS
1976 if (ce->proto == PROTO_UDPv4 && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
1977 ce->bind_local = false;
1978 #endif
1979
1980 if (!ce->bind_local)
1981 ce->local_port = 0;
1982 }
1983
1984 static void
1985 options_postprocess_mutate_invariant (struct options *options)
1986 {
1987 const int dev = dev_type_enum (options->dev, options->dev_type);
1988
1989 /*
1990 * If --mssfix is supplied without a parameter, default
1991 * it to --fragment value, if --fragment is specified.
1992 */
1993 if (options->mssfix_default)
1994 {
1995 #ifdef ENABLE_FRAGMENT
1996 if (options->fragment)
1997 options->mssfix = options->fragment;
1998 #else
1999 msg (M_USAGE, "--mssfix must specify a parameter");
2000 #endif
2001 }
2002
2003 /*
2004 * In forking TCP server mode, you don't need to ifconfig
2005 * the tap device (the assumption is that it will be bridged).
2006 */
2007 if (options->inetd == INETD_NOWAIT)
2008 options->ifconfig_noexec = true;
2009
2010 /*
2011 * Set MTU defaults
2012 */
2013 {
2014 if (!options->tun_mtu_defined && !options->link_mtu_defined)
2015 {
2016 options->tun_mtu_defined = true;
2017 }
2018 if ((dev == DEV_TYPE_TAP) && !options->tun_mtu_extra_defined)
2019 {
2020 options->tun_mtu_extra_defined = true;
2021 options->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
2022 }
2023 }
2024
2025 #ifdef WIN32
2026 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
2027 {
2028 if (options->mode == MODE_POINT_TO_POINT)
2029 {
2030 options->route_delay_defined = true;
2031 options->route_delay = 5; /* Vista sometimes has a race without this */
2032 }
2033 }
2034
2035 if (options->ifconfig_noexec)
2036 {
2037 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
2038 options->ifconfig_noexec = false;
2039 }
2040 #endif
2041
2042 #if P2MP_SERVER
2043 /*
2044 * Check consistency of --mode server options.
2045 */
2046 if (options->mode == MODE_SERVER)
2047 {
2048 #ifdef WIN32
2049 /*
2050 * We need to explicitly set --tap-sleep because
2051 * we do not schedule event timers in the top-level context.
2052 */
2053 options->tuntap_options.tap_sleep = 10;
2054 if (options->route_delay_defined && options->route_delay)
2055 options->tuntap_options.tap_sleep = options->route_delay;
2056 options->route_delay_defined = false;
2057 #endif
2058 }
2059 #endif
2060 }
2061
2062 static void
2063 options_postprocess_verify (const struct options *o)
2064 {
2065 #ifdef ENABLE_CONNECTION
2066 if (o->connection_list)
2067 {
2068 int i;
2069 for (i = 0; i < o->connection_list->len; ++i)
2070 options_postprocess_verify_ce (o, o->connection_list->array[i]);
2071 }
2072 else
2073 #endif
2074 options_postprocess_verify_ce (o, &o->ce);
2075 }
2076
2077 static void
2078 options_postprocess_mutate (struct options *o)
2079 {
2080 /*
2081 * Process helper-type options which map to other, more complex
2082 * sequences of options.
2083 */
2084 helper_client_server (o);
2085 helper_keepalive (o);
2086 helper_tcp_nodelay (o);
2087
2088 options_postprocess_mutate_invariant (o);
2089
2090 #ifdef ENABLE_CONNECTION
2091 if (o->remote_list && !o->connection_list)
2092 {
2093 /*
2094 * For compatibility with 2.0.x, map multiple --remote options
2095 * into connection list (connection lists added in 2.1).
2096 */
2097 if (o->remote_list->len > 1)
2098 {
2099 const struct remote_list *rl = o->remote_list;
2100 int i;
2101 for (i = 0; i < rl->len; ++i)
2102 {
2103 const struct remote_entry *re = rl->array[i];
2104 struct connection_entry ce = o->ce;
2105 struct connection_entry *ace;
2106
2107 ASSERT (re->remote);
2108 connection_entry_load_re (&ce, re);
2109 ace = alloc_connection_entry (o, M_USAGE);
2110 ASSERT (ace);
2111 *ace = ce;
2112 }
2113 }
2114 else if (o->remote_list->len == 1) /* one --remote option specfied */
2115 {
2116 connection_entry_load_re (&o->ce, o->remote_list->array[0]);
2117 }
2118 else
2119 {
2120 ASSERT (0);
2121 }
2122 }
2123 if (o->connection_list)
2124 {
2125 int i;
2126 for (i = 0; i < o->connection_list->len; ++i)
2127 options_postprocess_mutate_ce (o, o->connection_list->array[i]);
2128 }
2129 else
2130 #endif
2131 options_postprocess_mutate_ce (o, &o->ce);
2132
2133 #if P2MP
2134 /*
2135 * Save certain parms before modifying options via --pull
2136 */
2137 pre_pull_save (o);
2138 #endif
2139 }
2140
2141 /*
2142 * Sanity check on options.
2143 * Also set some options based on other
2144 * options.
2145 */
2146 void
2147 options_postprocess (struct options *options)
2148 {
2149 options_postprocess_mutate (options);
2150 options_postprocess_verify (options);
2151 }
2152
2153 #if P2MP
2154
2155 /*
2156 * Save/Restore certain option defaults before --pull is applied.
2157 */
2158
2159 void
2160 pre_pull_save (struct options *o)
2161 {
2162 if (o->pull)
2163 {
2164 ALLOC_OBJ_CLEAR_GC (o->pre_pull, struct options_pre_pull, &o->gc);
2165 o->pre_pull->tuntap_options = o->tuntap_options;
2166 o->pre_pull->tuntap_options_defined = true;
2167 o->pre_pull->foreign_option_index = o->foreign_option_index;
2168 if (o->routes)
2169 {
2170 o->pre_pull->routes = clone_route_option_list(o->routes, &o->gc);
2171 o->pre_pull->routes_defined = true;
2172 }
2173 }
2174 }
2175
2176 void
2177 pre_pull_restore (struct options *o)
2178 {
2179 const struct options_pre_pull *pp = o->pre_pull;
2180 if (pp)
2181 {
2182 CLEAR (o->tuntap_options);
2183 if (pp->tuntap_options_defined)
2184 o->tuntap_options = pp->tuntap_options;
2185
2186 if (pp->routes_defined)
2187 {
2188 rol_check_alloc (o);
2189 copy_route_option_list (o->routes, pp->routes);
2190 }
2191 else
2192 o->routes = NULL;
2193
2194 o->foreign_option_index = pp->foreign_option_index;
2195 }
2196
2197 o->push_continuation = 0;
2198 }
2199
2200 #endif
2201
2202 #ifdef ENABLE_OCC
2203
2204 /*
2205 * Build an options string to represent data channel encryption options.
2206 * This string must match exactly between peers. The keysize is checked
2207 * separately by read_key().
2208 *
2209 * The following options must match on both peers:
2210 *
2211 * Tunnel options:
2212 *
2213 * --dev tun|tap [unit number need not match]
2214 * --dev-type tun|tap
2215 * --link-mtu
2216 * --udp-mtu
2217 * --tun-mtu
2218 * --proto udp
2219 * --proto tcp-client [matched with --proto tcp-server
2220 * on the other end of the connection]
2221 * --proto tcp-server [matched with --proto tcp-client on
2222 * the other end of the connection]
2223 * --tun-ipv6
2224 * --ifconfig x y [matched with --ifconfig y x on
2225 * the other end of the connection]
2226 *
2227 * --comp-lzo
2228 * --fragment
2229 *
2230 * Crypto Options:
2231 *
2232 * --cipher
2233 * --auth
2234 * --keysize
2235 * --secret
2236 * --no-replay
2237 * --no-iv
2238 *
2239 * SSL Options:
2240 *
2241 * --tls-auth
2242 * --tls-client [matched with --tls-server on
2243 * the other end of the connection]
2244 * --tls-server [matched with --tls-client on
2245 * the other end of the connection]
2246 */
2247
2248 char *
2249 options_string (const struct options *o,
2250 const struct frame *frame,
2251 struct tuntap *tt,
2252 bool remote,
2253 struct gc_arena *gc)
2254 {
2255 struct buffer out = alloc_buf (OPTION_LINE_SIZE);
2256 bool tt_local = false;
2257
2258 buf_printf (&out, "V4");
2259
2260 /*
2261 * Tunnel Options
2262 */
2263
2264 buf_printf (&out, ",dev-type %s", dev_type_string (o->dev, o->dev_type));
2265 buf_printf (&out, ",link-mtu %d", EXPANDED_SIZE (frame));
2266 buf_printf (&out, ",tun-mtu %d", PAYLOAD_SIZE (frame));
2267 buf_printf (&out, ",proto %s", proto2ascii (proto_remote (o->ce.proto, remote), true));
2268 if (o->tun_ipv6)
2269 buf_printf (&out, ",tun-ipv6");
2270
2271 /*
2272 * Try to get ifconfig parameters into the options string.
2273 * If tt is undefined, make a temporary instantiation.
2274 */
2275 if (!tt)
2276 {
2277 tt = init_tun (o->dev,
2278 o->dev_type,
2279 o->topology,
2280 o->ifconfig_local,
2281 o->ifconfig_remote_netmask,
2282 (in_addr_t)0,
2283 (in_addr_t)0,
2284 false,
2285 NULL);
2286 if (tt)
2287 tt_local = true;
2288 }
2289
2290 if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
2291 {
2292 const char *ios = ifconfig_options_string (tt, remote, o->ifconfig_nowarn, gc);
2293 if (ios && strlen (ios))
2294 buf_printf (&out, ",ifconfig %s", ios);
2295 }
2296 if (tt_local)
2297 {
2298 free (tt);
2299 tt = NULL;
2300 }
2301
2302 #ifdef USE_LZO
2303 if (o->lzo & LZO_SELECTED)
2304 buf_printf (&out, ",comp-lzo");
2305 #endif
2306
2307 #ifdef ENABLE_FRAGMENT
2308 if (o->fragment)
2309 buf_printf (&out, ",mtu-dynamic");
2310 #endif
2311
2312 #ifdef USE_CRYPTO
2313
2314 #ifdef USE_SSL
2315 #define TLS_CLIENT (o->tls_client)
2316 #define TLS_SERVER (o->tls_server)
2317 #else
2318 #define TLS_CLIENT (false)
2319 #define TLS_SERVER (false)
2320 #endif
2321
2322 /*
2323 * Key direction
2324 */
2325 {
2326 const char *kd = keydirection2ascii (o->key_direction, remote);
2327 if (kd)
2328 buf_printf (&out, ",keydir %s", kd);
2329 }
2330
2331 /*
2332 * Crypto Options
2333 */
2334 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
2335 {
2336 struct key_type kt;
2337
2338 ASSERT ((o->shared_secret_file != NULL)
2339 + (TLS_CLIENT == true)
2340 + (TLS_SERVER == true)
2341 <= 1);
2342
2343 init_key_type (&kt, o->ciphername, o->ciphername_defined,
2344 o->authname, o->authname_defined,
2345 o->keysize, true, false);
2346
2347 buf_printf (&out, ",cipher %s", kt_cipher_name (&kt));
2348 buf_printf (&out, ",auth %s", kt_digest_name (&kt));
2349 buf_printf (&out, ",keysize %d", kt_key_size (&kt));
2350 if (o->shared_secret_file)
2351 buf_printf (&out, ",secret");
2352 if (!o->replay)
2353 buf_printf (&out, ",no-replay");
2354 if (!o->use_iv)
2355 buf_printf (&out, ",no-iv");
2356 }
2357
2358 #ifdef USE_SSL
2359 /*
2360 * SSL Options
2361 */
2362 {
2363 if (TLS_CLIENT || TLS_SERVER)
2364 {
2365 if (o->tls_auth_file)
2366 buf_printf (&out, ",tls-auth");
2367
2368 if (o->key_method > 1)
2369 buf_printf (&out, ",key-method %d", o->key_method);
2370 }
2371
2372 if (remote)
2373 {
2374 if (TLS_CLIENT)
2375 buf_printf (&out, ",tls-server");
2376 else if (TLS_SERVER)
2377 buf_printf (&out, ",tls-client");
2378 }
2379 else
2380 {
2381 if (TLS_CLIENT)
2382 buf_printf (&out, ",tls-client");
2383 else if (TLS_SERVER)
2384 buf_printf (&out, ",tls-server");
2385 }
2386 }
2387 #endif /* USE_SSL */
2388
2389 #undef TLS_CLIENT
2390 #undef TLS_SERVER
2391
2392 #endif /* USE_CRYPTO */
2393
2394 return BSTR (&out);
2395 }
2396
2397 /*
2398 * Compare option strings for equality.
2399 * If the first two chars of the strings differ, it means that
2400 * we are looking at different versions of the options string,
2401 * therefore don't compare them and return true.
2402 */
2403
2404 bool
2405 options_cmp_equal (char *actual, const char *expected)
2406 {
2407 return options_cmp_equal_safe (actual, expected, strlen (actual) + 1);
2408 }
2409
2410 void
2411 options_warning (char *actual, const char *expected)
2412 {
2413 options_warning_safe (actual, expected, strlen (actual) + 1);
2414 }
2415
2416 static const char *
2417 options_warning_extract_parm1 (const char *option_string,
2418 struct gc_arena *gc_ret)
2419 {
2420 struct gc_arena gc = gc_new ();
2421 struct buffer b = string_alloc_buf (option_string, &gc);
2422 char *p = gc_malloc (OPTION_PARM_SIZE, false, &gc);
2423 const char *ret;
2424
2425 buf_parse (&b, ' ', p, OPTION_PARM_SIZE);
2426 ret = string_alloc (p, gc_ret);
2427 gc_free (&gc);
2428 return ret;
2429 }
2430
2431 static void
2432 options_warning_safe_scan2 (const int msglevel,
2433 const int delim,
2434 const bool report_inconsistent,
2435 const char *p1,
2436 const struct buffer *b2_src,
2437 const char *b1_name,
2438 const char *b2_name)
2439 {
2440 if (strlen (p1) > 0)
2441 {
2442 struct gc_arena gc = gc_new ();
2443 struct buffer b2 = *b2_src;
2444 const char *p1_prefix = options_warning_extract_parm1 (p1, &gc);
2445 char *p2 = gc_malloc (OPTION_PARM_SIZE, false, &gc);
2446
2447 while (buf_parse (&b2, delim, p2, OPTION_PARM_SIZE))
2448 {
2449 if (strlen (p2))
2450 {
2451 const char *p2_prefix = options_warning_extract_parm1 (p2, &gc);
2452
2453 if (!strcmp (p1, p2))
2454 goto done;
2455 if (!strcmp (p1_prefix, p2_prefix))
2456 {
2457 if (report_inconsistent)
2458 msg (msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
2459 safe_print (p1_prefix, &gc),
2460 b1_name,
2461 safe_print (p1, &gc),
2462 b2_name,
2463 safe_print (p2, &gc));
2464 goto done;
2465 }
2466 }
2467 }
2468
2469 msg (msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
2470 safe_print (p1_prefix, &gc),
2471 b1_name,
2472 b2_name,
2473 b1_name,
2474 safe_print (p1, &gc));
2475
2476 done:
2477 gc_free (&gc);
2478 }
2479 }
2480
2481 static void
2482 options_warning_safe_scan1 (const int msglevel,
2483 const int delim,
2484 const bool report_inconsistent,
2485 const struct buffer *b1_src,
2486 const struct buffer *b2_src,
2487 const char *b1_name,
2488 const char *b2_name)
2489 {
2490 struct gc_arena gc = gc_new ();
2491 struct buffer b = *b1_src;
2492 char *p = gc_malloc (OPTION_PARM_SIZE, true, &gc);
2493
2494 while (buf_parse (&b, delim, p, OPTION_PARM_SIZE))
2495 options_warning_safe_scan2 (msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
2496
2497 gc_free (&gc);
2498 }
2499
2500 static void
2501 options_warning_safe_ml (const int msglevel, char *actual, const char *expected, size_t actual_n)
2502 {
2503 struct gc_arena gc = gc_new ();
2504
2505 if (actual_n > 0)
2506 {
2507 struct buffer local = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
2508 struct buffer remote = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
2509 actual[actual_n - 1] = 0;
2510
2511 buf_printf (&local, "version %s", expected);
2512 buf_printf (&remote, "version %s", actual);
2513
2514 options_warning_safe_scan1 (msglevel, ',', true,
2515 &local, &remote,
2516 "local", "remote");
2517
2518 options_warning_safe_scan1 (msglevel, ',', false,
2519 &remote, &local,
2520 "remote", "local");
2521 }
2522
2523 gc_free (&gc);
2524 }
2525
2526 bool
2527 options_cmp_equal_safe (char *actual, const char *expected, size_t actual_n)
2528 {
2529 struct gc_arena gc = gc_new ();
2530 bool ret = true;
2531
2532 if (actual_n > 0)
2533 {
2534 actual[actual_n - 1] = 0;
2535 #ifndef STRICT_OPTIONS_CHECK
2536 if (strncmp (actual, expected, 2))
2537 {
2538 msg (D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
2539 options_warning_safe_ml (D_SHOW_OCC, actual, expected, actual_n);
2540 }
2541 else
2542 #endif
2543 ret = !strcmp (actual, expected);
2544 }
2545 gc_free (&gc);
2546 return ret;
2547 }
2548
2549 void
2550 options_warning_safe (char *actual, const char *expected, size_t actual_n)
2551 {
2552 options_warning_safe_ml (M_WARN, actual, expected, actual_n);
2553 }
2554
2555 const char *
2556 options_string_version (const char* s, struct gc_arena *gc)
2557 {
2558 struct buffer out = alloc_buf_gc (4, gc);
2559 strncpynt ((char *) BPTR (&out), s, 3);
2560 return BSTR (&out);
2561 }
2562
2563 #endif /* ENABLE_OCC */
2564
2565 static void
2566 foreign_option (struct options *o, char *argv[], int len, struct env_set *es)
2567 {
2568 if (len > 0)
2569 {
2570 struct gc_arena gc = gc_new();
2571 struct buffer name = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
2572 struct buffer value = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
2573 int i;
2574 bool first = true;
2575 bool good = true;
2576
2577 good &= buf_printf (&name, "foreign_option_%d", o->foreign_option_index + 1);
2578 ++o->foreign_option_index;
2579 for (i = 0; i < len; ++i)
2580 {
2581 if (argv[i])
2582 {
2583 if (!first)
2584 good &= buf_printf (&value, " ");
2585 good &= buf_printf (&value, "%s", argv[i]);
2586 first = false;
2587 }
2588 }
2589 if (good)
2590 setenv_str (es, BSTR(&name), BSTR(&value));
2591 else
2592 msg (M_WARN, "foreign_option: name/value overflow");
2593 gc_free (&gc);
2594 }
2595 }
2596
2597 /*
2598 * parse/print topology coding
2599 */
2600
2601 int
2602 parse_topology (const char *str, const int msglevel)
2603 {
2604 if (streq (str, "net30"))
2605 return TOP_NET30;
2606 else if (streq (str, "p2p"))
2607 return TOP_P2P;
2608 else if (streq (str, "subnet"))
2609 return TOP_SUBNET;
2610 else
2611 {
2612 msg (msglevel, "--topology must be net30, p2p, or subnet");
2613 return TOP_UNDEF;
2614 }
2615 }
2616
2617 const char *
2618 print_topology (const int topology)
2619 {
2620 switch (topology)
2621 {
2622 case TOP_UNDEF:
2623 return "undef";
2624 case TOP_NET30:
2625 return "net30";
2626 case TOP_P2P:
2627 return "p2p";
2628 case TOP_SUBNET:
2629 return "subnet";
2630 default:
2631 return "unknown";
2632 }
2633 }
2634
2635 #if P2MP
2636
2637 /*
2638 * Manage auth-retry variable
2639 */
2640
2641 static int global_auth_retry; /* GLOBAL */
2642
2643 int
2644 auth_retry_get (void)
2645 {
2646 return global_auth_retry;
2647 }
2648
2649 bool
2650 auth_retry_set (const int msglevel, const char *option)
2651 {
2652 if (streq (option, "interact"))
2653 global_auth_retry = AR_INTERACT;
2654 else if (streq (option, "nointeract"))
2655 global_auth_retry = AR_NOINTERACT;
2656 else if (streq (option, "none"))
2657 global_auth_retry = AR_NONE;
2658 else
2659 {
2660 msg (msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
2661 return false;
2662 }
2663 return true;
2664 }
2665
2666 const char *
2667 auth_retry_print (void)
2668 {
2669 switch (global_auth_retry)
2670 {
2671 case AR_NONE:
2672 return "none";
2673 case AR_NOINTERACT:
2674 return "nointeract";
2675 case AR_INTERACT:
2676 return "interact";
2677 default:
2678 return "???";
2679 }
2680 }
2681
2682 #endif
2683
2684 /*
2685 * Print the help message.
2686 */
2687 static void
2688 usage (void)
2689 {
2690 FILE *fp = msg_fp(0);
2691
2692 #ifdef ENABLE_SMALL
2693
2694 fprintf (fp, "Usage message not available\n");
2695
2696 #else
2697
2698 struct options o;
2699 init_options (&o, true);
2700
2701 #if defined(USE_CRYPTO) && defined(USE_SSL)
2702 fprintf (fp, usage_message,
2703 title_string,
2704 o.ce.connect_retry_seconds,
2705 o.ce.local_port, o.ce.remote_port,
2706 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
2707 o.verbosity,
2708 o.authname, o.ciphername,
2709 o.replay_window, o.replay_time,
2710 o.tls_timeout, o.renegotiate_seconds,
2711 o.handshake_window, o.transition_window);
2712 #elif defined(USE_CRYPTO)
2713 fprintf (fp, usage_message,
2714 title_string,
2715 o.ce.connect_retry_seconds,
2716 o.ce.local_port, o.ce.remote_port,
2717 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
2718 o.verbosity,
2719 o.authname, o.ciphername,
2720 o.replay_window, o.replay_time);
2721 #else
2722 fprintf (fp, usage_message,
2723 title_string,
2724 o.ce.connect_retry_seconds,
2725 o.ce.local_port, o.ce.remote_port,
2726 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
2727 o.verbosity);
2728 #endif
2729 fflush(fp);
2730
2731 #endif /* ENABLE_SMALL */
2732
2733 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
2734 }
2735
2736 void
2737 usage_small (void)
2738 {
2739 msg (M_WARN|M_NOPREFIX, "Use --help for more information.");
2740 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
2741 }
2742
2743 static void
2744 usage_version (void)
2745 {
2746 msg (M_INFO|M_NOPREFIX, "%s", title_string);
2747 msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
2748 msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>");
2749 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
2750 }
2751
2752 void
2753 notnull (const char *arg, const char *description)
2754 {
2755 if (!arg)
2756 msg (M_USAGE, "You must define %s", description);
2757 }
2758
2759 bool
2760 string_defined_equal (const char *s1, const char *s2)
2761 {
2762 if (s1 && s2)
2763 return !strcmp (s1, s2);
2764 else
2765 return false;
2766 }
2767
2768 #if 0
2769 static void
2770 ping_rec_err (int msglevel)
2771 {
2772 msg (msglevel, "only one of --ping-exit or --ping-restart options may be specified");
2773 }
2774 #endif
2775
2776 static int
2777 positive_atoi (const char *str)
2778 {
2779 const int i = atoi (str);
2780 return i < 0 ? 0 : i;
2781 }
2782
2783 static unsigned int
2784 atou (const char *str)
2785 {
2786 unsigned int val = 0;
2787 sscanf (str, "%u", &val);
2788 return val;
2789 }
2790
2791 static inline bool
2792 space (unsigned char c)
2793 {
2794 return c == '\0' || isspace (c);
2795 }
2796
2797 int
2798 parse_line (const char *line,
2799 char *p[],
2800 const int n,
2801 const char *file,
2802 const int line_num,
2803 int msglevel,
2804 struct gc_arena *gc)
2805 {
2806 const int STATE_INITIAL = 0;
2807 const int STATE_READING_QUOTED_PARM = 1;
2808 const int STATE_READING_UNQUOTED_PARM = 2;
2809 const int STATE_DONE = 3;
2810 const int STATE_READING_SQUOTED_PARM = 4;
2811
2812 const char *error_prefix = "";
2813
2814 int ret = 0;
2815 const char *c = line;
2816 int state = STATE_INITIAL;
2817 bool backslash = false;
2818 char in, out;
2819
2820 char parm[OPTION_PARM_SIZE];
2821 unsigned int parm_len = 0;
2822
2823 msglevel &= ~M_OPTERR;
2824
2825 if (msglevel & M_MSG_VIRT_OUT)
2826 error_prefix = "ERROR: ";
2827
2828 do
2829 {
2830 in = *c;
2831 out = 0;
2832
2833 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
2834 {
2835 backslash = true;
2836 }
2837 else
2838 {
2839 if (state == STATE_INITIAL)
2840 {
2841 if (!space (in))
2842 {
2843 if (in == ';' || in == '#') /* comment */
2844 break;
2845 if (!backslash && in == '\"')
2846 state = STATE_READING_QUOTED_PARM;
2847 else if (!backslash && in == '\'')
2848 state = STATE_READING_SQUOTED_PARM;
2849 else
2850 {
2851 out = in;
2852 state = STATE_READING_UNQUOTED_PARM;
2853 }
2854 }
2855 }
2856 else if (state == STATE_READING_UNQUOTED_PARM)
2857 {
2858 if (!backslash && space (in))
2859 state = STATE_DONE;
2860 else
2861 out = in;
2862 }
2863 else if (state == STATE_READING_QUOTED_PARM)
2864 {
2865 if (!backslash && in == '\"')
2866 state = STATE_DONE;
2867 else
2868 out = in;
2869 }
2870 else if (state == STATE_READING_SQUOTED_PARM)
2871 {
2872 if (in == '\'')
2873 state = STATE_DONE;
2874 else
2875 out = in;
2876 }
2877 if (state == STATE_DONE)
2878 {
2879 /* ASSERT (parm_len > 0); */
2880 p[ret] = gc_malloc (parm_len + 1, true, gc);
2881 memcpy (p[ret], parm, parm_len);
2882 p[ret][parm_len] = '\0';
2883 state = STATE_INITIAL;
2884 parm_len = 0;
2885 ++ret;
2886 }
2887
2888 if (backslash && out)
2889 {
2890 if (!(out == '\\' || out == '\"' || space (out)))
2891 {
2892 #ifdef ENABLE_SMALL
2893 msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
2894 #else
2895 msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
2896 #endif
2897 return 0;
2898 }
2899 }
2900 backslash = false;
2901 }
2902
2903 /* store parameter character */
2904 if (out)
2905 {
2906 if (parm_len >= SIZE (parm))
2907 {
2908 parm[SIZE (parm) - 1] = 0;
2909 msg (msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
2910 error_prefix, file, line_num, (int) SIZE (parm), parm);
2911 return 0;
2912 }
2913 parm[parm_len++] = out;
2914 }
2915
2916 /* avoid overflow if too many parms in one config file line */
2917 if (ret >= n)
2918 break;
2919
2920 } while (*c++ != '\0');
2921
2922 if (state == STATE_READING_QUOTED_PARM)
2923 {
2924 msg (msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
2925 return 0;
2926 }
2927 if (state == STATE_READING_SQUOTED_PARM)
2928 {
2929 msg (msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
2930 return 0;
2931 }
2932 if (state != STATE_INITIAL)
2933 {
2934 msg (msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
2935 return 0;
2936 }
2937 #if 0
2938 {
2939 int i;
2940 for (i = 0; i < ret; ++i)
2941 {
2942 msg (M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
2943 }
2944 }
2945 #endif
2946 return ret;
2947 }
2948
2949 static void
2950 bypass_doubledash (char **p)
2951 {
2952 if (strlen (*p) >= 3 && !strncmp (*p, "--", 2))
2953 *p += 2;
2954 }
2955
2956 #if ENABLE_INLINE_FILES
2957
2958 struct in_src {
2959 # define IS_TYPE_FP 1
2960 # define IS_TYPE_BUF 2
2961 int type;
2962 union {
2963 FILE *fp;
2964 struct buffer *multiline;
2965 } u;
2966 };
2967
2968 static bool
2969 in_src_get (const struct in_src *is, char *line, const int size)
2970 {
2971 if (is->type == IS_TYPE_FP)
2972 {
2973 return BOOL_CAST (fgets (line, size, is->u.fp));
2974 }
2975 else if (is->type == IS_TYPE_BUF)
2976 {
2977 bool status = buf_parse (is->u.multiline, '\n', line, size);
2978 if ((int) strlen (line) + 1 < size)
2979 strcat (line, "\n");
2980 return status;
2981 }
2982 else
2983 {
2984 ASSERT (0);
2985 return false;
2986 }
2987 }
2988
2989 static char *
2990 read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc)
2991 {
2992 char line[OPTION_LINE_SIZE];
2993 struct buffer buf = alloc_buf (10000);
2994 char *ret;
2995 while (in_src_get (is, line, sizeof (line)))
2996 {
2997 if (!strncmp (line, close_tag, strlen (close_tag)))
2998 break;
2999 buf_printf (&buf, "%s", line);
3000 }
3001 ret = string_alloc (BSTR (&buf), gc);
3002 buf_clear (&buf);
3003 free_buf (&buf);
3004 CLEAR (line);
3005 return ret;
3006 }
3007
3008 static bool
3009 check_inline_file (struct in_src *is, char *p[], struct gc_arena *gc)
3010 {
3011 bool ret = false;
3012 if (p[0] && !p[1])
3013 {
3014 char *arg = p[0];
3015 if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
3016 {
3017 struct buffer close_tag;
3018 arg[strlen(arg)-1] = '\0';
3019 p[0] = string_alloc (arg+1, gc);
3020 p[1] = string_alloc (INLINE_FILE_TAG, gc);
3021 close_tag = alloc_buf (strlen(p[0]) + 4);
3022 buf_printf (&close_tag, "</%s>", p[0]);
3023 p[2] = read_inline_file (is, BSTR (&close_tag), gc);
3024 p[3] = NULL;
3025 free_buf (&close_tag);
3026 ret = true;
3027 }
3028 }
3029 return ret;
3030 }
3031
3032 static bool
3033 check_inline_file_via_fp (FILE *fp, char *p[], struct gc_arena *gc)
3034 {
3035 struct in_src is;
3036 is.type = IS_TYPE_FP;
3037 is.u.fp = fp;
3038 return check_inline_file (&is, p, gc);
3039 }
3040
3041 static bool
3042 check_inline_file_via_buf (struct buffer *multiline, char *p[], struct gc_arena *gc)
3043 {
3044 struct in_src is;
3045 is.type = IS_TYPE_BUF;
3046 is.u.multiline = multiline;
3047 return check_inline_file (&is, p, gc);
3048 }
3049
3050 #endif
3051
3052 static void
3053 add_option (struct options *options,
3054 char *p[],
3055 const char *file,
3056 int line,
3057 const int level,
3058 const int msglevel,
3059 const unsigned int permission_mask,
3060 unsigned int *option_types_found,
3061 struct env_set *es);
3062
3063 static void
3064 read_config_file (struct options *options,
3065 const char *file,
3066 int level,
3067 const char *top_file,
3068 const int top_line,
3069 const int msglevel,
3070 const unsigned int permission_mask,
3071 unsigned int *option_types_found,
3072 struct env_set *es)
3073 {
3074 const int max_recursive_levels = 10;
3075 FILE *fp;
3076 int line_num;
3077 char line[OPTION_LINE_SIZE];
3078 char *p[MAX_PARMS];
3079
3080 ++level;
3081 if (level <= max_recursive_levels)
3082 {
3083 if (streq (file, "stdin"))
3084 fp = stdin;
3085 else
3086 fp = fopen (file, "r");
3087 if (fp)
3088 {
3089 line_num = 0;
3090 while (fgets(line, sizeof (line), fp))
3091 {
3092 CLEAR (p);
3093 ++line_num;
3094 if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
3095 {
3096 bypass_doubledash (&p[0]);
3097 #if ENABLE_INLINE_FILES
3098 check_inline_file_via_fp (fp, p, &options->gc);
3099 #endif
3100 add_option (options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
3101 }
3102 }
3103 if (fp != stdin)
3104 fclose (fp);
3105 }
3106 else
3107 {
3108 msg (msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
3109 }
3110 }
3111 else
3112 {
3113 msg (msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
3114 }
3115 CLEAR (line);
3116 CLEAR (p);
3117 }
3118
3119 static void
3120 read_config_string (const char *prefix,
3121 struct options *options,
3122 const char *config,
3123 const int msglevel,
3124 const unsigned int permission_mask,
3125 unsigned int *option_types_found,
3126 struct env_set *es)
3127 {
3128 char line[OPTION_LINE_SIZE];
3129 struct buffer multiline;
3130 int line_num = 0;
3131
3132 buf_set_read (&multiline, (uint8_t*)config, strlen (config));
3133
3134 while (buf_parse (&multiline, '\n', line, sizeof (line)))
3135 {
3136 char *p[MAX_PARMS];
3137 CLEAR (p);
3138 ++line_num;
3139 if (parse_line (line, p, SIZE (p), prefix, line_num, msglevel, &options->gc))
3140 {
3141 bypass_doubledash (&p[0]);
3142 #if ENABLE_INLINE_FILES
3143 check_inline_file_via_buf (&multiline, p, &options->gc);
3144 #endif
3145 add_option (options, p, NULL, line_num, 0, msglevel, permission_mask, option_types_found, es);
3146 }
3147 CLEAR (p);
3148 }
3149 CLEAR (line);
3150 }
3151
3152 void
3153 parse_argv (struct options *options,
3154 const int argc,
3155 char *argv[],
3156 const int msglevel,
3157 const unsigned int permission_mask,
3158 unsigned int *option_types_found,
3159 struct env_set *es)
3160 {
3161 int i, j;
3162
3163 /* usage message */
3164 if (argc <= 1)
3165 usage ();
3166
3167 /* config filename specified only? */
3168 if (argc == 2 && strncmp (argv[1], "--", 2))
3169 {
3170 char *p[MAX_PARMS];
3171 CLEAR (p);
3172 p[0] = "config";
3173 p[1] = argv[1];
3174 add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
3175 }
3176 else
3177 {
3178 /* parse command line */
3179 for (i = 1; i < argc; ++i)
3180 {
3181 char *p[MAX_PARMS];
3182 CLEAR (p);
3183 p[0] = argv[i];
3184 if (strncmp(p[0], "--", 2))
3185 {
3186 msg (msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
3187 }
3188 else
3189 p[0] += 2;
3190
3191 for (j = 1; j < MAX_PARMS; ++j)
3192 {
3193 if (i + j < argc)
3194 {
3195 char *arg = argv[i + j];
3196 if (strncmp (arg, "--", 2))
3197 p[j] = arg;
3198 else
3199 break;
3200 }
3201 }
3202 add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
3203 i += j - 1;
3204 }
3205 }
3206 }
3207
3208 bool
3209 apply_push_options (struct options *options,
3210 struct buffer *buf,
3211 unsigned int permission_mask,
3212 unsigned int *option_types_found,
3213 struct env_set *es)
3214 {
3215 char line[OPTION_PARM_SIZE];
3216 int line_num = 0;
3217 const char *file = "[PUSH-OPTIONS]";
3218 const int msglevel = D_PUSH_ERRORS|M_OPTERR;
3219
3220 while (buf_parse (buf, ',', line, sizeof (line)))
3221 {
3222 char *p[MAX_PARMS];
3223 CLEAR (p);
3224 ++line_num;
3225 if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
3226 {
3227 add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
3228 }
3229 }
3230 return true;
3231 }
3232
3233 void
3234 options_server_import (struct options *o,
3235 const char *filename,
3236 int msglevel,
3237 unsigned int permission_mask,
3238 unsigned int *option_types_found,
3239 struct env_set *es)
3240 {
3241 msg (D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
3242 read_config_file (o,
3243 filename,
3244 0,
3245 filename,
3246 0,
3247 msglevel,
3248 permission_mask,
3249 option_types_found,
3250 es);
3251 }
3252
3253 void options_string_import (struct options *options,
3254 const char *config,
3255 const int msglevel,
3256 const unsigned int permission_mask,
3257 unsigned int *option_types_found,
3258 struct env_set *es)
3259 {
3260 read_config_string ("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
3261 }
3262
3263 #if P2MP
3264
3265 #define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], (mask), permission_mask, option_types_found, msglevel)) goto err; }
3266
3267 static bool
3268 verify_permission (const char *name,
3269 const unsigned int type,
3270 const unsigned int allowed,
3271 unsigned int *found,
3272 const int msglevel)
3273 {
3274 if (!(type & allowed))
3275 {
3276 msg (msglevel, "option '%s' cannot be used in this context", name);
3277 return false;
3278 }
3279 else
3280 {
3281 if (found)
3282 *found |= type;
3283 return true;
3284 }
3285 }
3286
3287 #else
3288
3289 #define VERIFY_PERMISSION(mask)
3290
3291 #endif
3292
3293 /*
3294 * Check that an option doesn't have too
3295 * many parameters.
3296 */
3297
3298 #define NM_QUOTE_HINT (1<<0)
3299
3300 static bool
3301 no_more_than_n_args (const int msglevel,
3302 char *p[],
3303 const int max,
3304 const unsigned int flags)
3305 {
3306 const int len = string_array_len ((const char **)p);
3307
3308 if (!len)
3309 return false;
3310
3311 if (len > max)
3312 {
3313 msg (msglevel, "the --%s directive should have at most %d parameter%s.%s",
3314 p[0],
3315 max - 1,
3316 max >= 3 ? "s" : "",
3317 (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
3318 return false;
3319 }
3320 else
3321 return true;
3322 }
3323
3324 static inline int
3325 msglevel_forward_compatible (struct options *options, const int msglevel)
3326 {
3327 return options->forward_compatible ? M_WARN : msglevel;
3328 }
3329
3330 static void
3331 add_option (struct options *options,
3332 char *p[],
3333 const char *file,
3334 int line,
3335 const int level,
3336 const int msglevel,
3337 const unsigned int permission_mask,
3338 unsigned int *option_types_found,
3339 struct env_set *es)
3340 {
3341 struct gc_arena gc = gc_new ();
3342 const bool pull_mode = BOOL_CAST (permission_mask & OPT_P_PULL_MODE);
3343 int msglevel_fc = msglevel_forward_compatible (options, msglevel);
3344
3345 ASSERT (MAX_PARMS >= 5);
3346 if (!file)
3347 {
3348 file = "[CMD-LINE]";
3349 line = 1;
3350 }
3351 if (streq (p[0], "help"))
3352 {
3353 VERIFY_PERMISSION (OPT_P_GENERAL);
3354 usage ();
3355 }
3356 if (streq (p[0], "version"))
3357 {
3358 VERIFY_PERMISSION (OPT_P_GENERAL);
3359 usage_version ();
3360 }
3361 else if (streq (p[0], "config") && p[1])
3362 {
3363 VERIFY_PERMISSION (OPT_P_CONFIG);
3364
3365 /* save first config file only in options */
3366 if (!options->config)
3367 options->config = p[1];
3368
3369 read_config_file (options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
3370 }
3371 #if 0
3372 else if (streq (p[0], "foreign-option") && p[1])
3373 {
3374 VERIFY_PERMISSION (OPT_P_IPWIN32);
3375 foreign_option (options, p, 3, es);
3376 }
3377 #endif
3378 else if (streq (p[0], "echo") || streq (p[0], "parameter"))
3379 {
3380 struct buffer string = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
3381 int j;
3382 bool good = true;
3383
3384 VERIFY_PERMISSION (OPT_P_ECHO);
3385
3386 for (j = 1; j < MAX_PARMS; ++j)
3387 {
3388 if (!p[j])
3389 break;
3390 if (j > 1)
3391 good &= buf_printf (&string, " ");
3392 good &= buf_printf (&string, "%s", p[j]);
3393 }
3394 if (good)
3395 {
3396 msg (M_INFO, "%s:%s",
3397 pull_mode ? "ECHO-PULL" : "ECHO",
3398 BSTR (&string));
3399 #ifdef ENABLE_MANAGEMENT
3400 if (management)
3401 management_echo (management, BSTR (&string), pull_mode);
3402 #endif
3403 }
3404 else
3405 msg (M_WARN, "echo/parameter option overflow");
3406 }
3407 #ifdef ENABLE_MANAGEMENT
3408 else if (streq (p[0], "management") && p[1] && p[2])
3409 {
3410 int port = 0;
3411
3412 VERIFY_PERMISSION (OPT_P_GENERAL);
3413 if (streq (p[2], "unix"))
3414 {
3415 #if UNIX_SOCK_SUPPORT
3416 options->management_flags |= MF_UNIX_SOCK;
3417 #else
3418 msg (msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
3419 goto err;
3420 #endif
3421 }
3422 else
3423 {
3424 port = atoi (p[2]);
3425 if (!legal_ipv4_port (port))
3426 {
3427 msg (msglevel, "port number associated with --management directive is out of range");
3428 goto err;
3429 }
3430 }
3431
3432 options->management_addr = p[1];
3433 options->management_port = port;
3434 if (p[3])
3435 {
3436 options->management_user_pass = p[3];
3437 }
3438 }
3439 else if (streq (p[0], "management-client-user") && p[1])
3440 {
3441 VERIFY_PERMISSION (OPT_P_GENERAL);
3442 options->management_client_user = p[1];
3443 }
3444 else if (streq (p[0], "management-client-group") && p[1])
3445 {
3446 VERIFY_PERMISSION (OPT_P_GENERAL);
3447 options->management_client_group = p[1];
3448 }
3449 else if (streq (p[0], "management-query-passwords"))
3450 {
3451 VERIFY_PERMISSION (OPT_P_GENERAL);
3452 options->management_flags |= MF_QUERY_PASSWORDS;
3453 }
3454 else if (streq (p[0], "management-hold"))
3455 {
3456 VERIFY_PERMISSION (OPT_P_GENERAL);
3457 options->management_flags |= MF_HOLD;
3458 }
3459 else if (streq (p[0], "management-signal"))
3460 {
3461 VERIFY_PERMISSION (OPT_P_GENERAL);
3462 options->management_flags |= MF_SIGNAL;
3463 }
3464 else if (streq (p[0], "management-forget-disconnect"))
3465 {
3466 VERIFY_PERMISSION (OPT_P_GENERAL);
3467 options->management_flags |= MF_FORGET_DISCONNECT;
3468 }
3469 else if (streq (p[0], "management-client"))
3470 {
3471 VERIFY_PERMISSION (OPT_P_GENERAL);
3472 options->management_flags |= MF_CONNECT_AS_CLIENT;
3473 options->management_write_peer_info_file = p[1];
3474 }
3475 #ifdef MANAGEMENT_DEF_AUTH
3476 else if (streq (p[0], "management-client-auth"))
3477 {
3478 VERIFY_PERMISSION (OPT_P_GENERAL);
3479 options->management_flags |= MF_CLIENT_AUTH;
3480 }
3481 #endif
3482 #ifdef MANAGEMENT_PF
3483 else if (streq (p[0], "management-client-pf"))
3484 {
3485 VERIFY_PERMISSION (OPT_P_GENERAL);
3486 options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
3487 }
3488 #endif
3489 else if (streq (p[0], "management-log-cache") && p[1])
3490 {
3491 int cache;
3492
3493 VERIFY_PERMISSION (OPT_P_GENERAL);
3494 cache = atoi (p[1]);
3495 if (cache < 1)
3496 {
3497 msg (msglevel, "--management-log-cache parameter is out of range");
3498 goto err;
3499 }
3500 options->management_log_history_cache = cache;
3501 }
3502 #endif
3503 #ifdef ENABLE_PLUGIN
3504 else if (streq (p[0], "plugin") && p[1])
3505 {
3506 VERIFY_PERMISSION (OPT_P_PLUGIN);
3507 if (!options->plugin_list)
3508 options->plugin_list = plugin_option_list_new (&options->gc);
3509 if (!plugin_option_list_add (options->plugin_list, &p[1], &options->gc))
3510 {
3511 msg (msglevel, "plugin add failed: %s", p[1]);
3512 goto err;
3513 }
3514 }
3515 #endif
3516 else if (streq (p[0], "mode") && p[1])
3517 {
3518 VERIFY_PERMISSION (OPT_P_GENERAL);
3519 if (streq (p[1], "p2p"))
3520 options->mode = MODE_POINT_TO_POINT;
3521 #if P2MP_SERVER
3522 else if (streq (p[1], "server"))
3523 options->mode = MODE_SERVER;
3524 #endif
3525 else
3526 {
3527 msg (msglevel, "Bad --mode parameter: %s", p[1]);
3528 goto err;
3529 }
3530 }
3531 else if (streq (p[0], "dev") && p[1])
3532 {
3533 VERIFY_PERMISSION (OPT_P_GENERAL);
3534 options->dev = p[1];
3535 }
3536 else if (streq (p[0], "dev-type") && p[1])
3537 {
3538 VERIFY_PERMISSION (OPT_P_GENERAL);
3539 options->dev_type = p[1];
3540 }
3541 else if (streq (p[0], "dev-node") && p[1])
3542 {
3543 VERIFY_PERMISSION (OPT_P_GENERAL);
3544 options->dev_node = p[1];
3545 }
3546 else if (streq (p[0], "lladdr") && p[1])
3547 {
3548 VERIFY_PERMISSION (OPT_P_UP);
3549 if (mac_addr_safe (p[1])) /* MAC address only */
3550 options->lladdr = p[1];
3551 else
3552 {
3553 msg (msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
3554 goto err;
3555 }
3556 }
3557 else if (streq (p[0], "topology") && p[1])
3558 {
3559 VERIFY_PERMISSION (OPT_P_UP);
3560 options->topology = parse_topology (p[1], msglevel);
3561 }
3562 else if (streq (p[0], "tun-ipv6"))
3563 {
3564 VERIFY_PERMISSION (OPT_P_UP);
3565 options->tun_ipv6 = true;
3566 }
3567 #ifdef CONFIG_FEATURE_IPROUTE
3568 else if (streq (p[0], "iproute") && p[1])
3569 {
3570 VERIFY_PERMISSION (OPT_P_GENERAL);
3571 iproute_path = p[1];
3572 }
3573 #endif
3574 else if (streq (p[0], "ifconfig") && p[1] && p[2])
3575 {
3576 VERIFY_PERMISSION (OPT_P_UP);
3577 if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
3578 {
3579 options->ifconfig_local = p[1];
3580 options->ifconfig_remote_netmask = p[2];
3581 }
3582 else
3583 {
3584 msg (msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
3585 goto err;
3586 }
3587 }
3588 else if (streq (p[0], "ifconfig-noexec"))
3589 {
3590 VERIFY_PERMISSION (OPT_P_UP);
3591 options->ifconfig_noexec = true;
3592 }
3593 else if (streq (p[0], "ifconfig-nowarn"))
3594 {
3595 VERIFY_PERMISSION (OPT_P_UP);
3596 options->ifconfig_nowarn = true;
3597 }
3598 else if (streq (p[0], "local") && p[1])
3599 {
3600 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3601 options->ce.local = p[1];
3602 }
3603 else if (streq (p[0], "remote-random"))
3604 {
3605 VERIFY_PERMISSION (OPT_P_GENERAL);
3606 options->remote_random = true;
3607 }
3608 #if ENABLE_CONNECTION
3609 else if (streq (p[0], "connection") && p[1])
3610 {
3611 VERIFY_PERMISSION (OPT_P_GENERAL);
3612 if (streq (p[1], INLINE_FILE_TAG) && p[2])
3613 {
3614 struct options sub;
3615 struct connection_entry *e;
3616
3617 init_options (&sub, true);
3618 sub.ce = options->ce;
3619 read_config_string ("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es);
3620 if (!sub.ce.remote)
3621 {
3622 msg (msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
3623 goto err;
3624 }
3625
3626 e = alloc_connection_entry (options, msglevel);
3627 if (!e)
3628 goto err;
3629 *e = sub.ce;
3630 gc_transfer (&options->gc, &sub.gc);
3631 uninit_options (&sub);
3632 }
3633 }
3634 #endif
3635 else if (streq (p[0], "remote") && p[1])
3636 {
3637 struct remote_entry re;
3638 re.remote = NULL;
3639 re.remote_port = re.proto = -1;
3640
3641 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3642 re.remote = p[1];
3643 if (p[2])
3644 {
3645 const int port = atoi (p[2]);
3646 if (!legal_ipv4_port (port))
3647 {
3648 msg (msglevel, "remote: port number associated with host %s is out of range", p[1]);
3649 goto err;
3650 }
3651 re.remote_port = port;
3652 if (p[3])
3653 {
3654 const int proto = ascii2proto (p[3]);
3655 if (proto < 0)
3656 {
3657 msg (msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
3658 goto err;
3659 }
3660 re.proto = proto;
3661 }
3662 }
3663 #ifdef ENABLE_CONNECTION
3664 if (permission_mask & OPT_P_GENERAL)
3665 {
3666 struct remote_entry *e = alloc_remote_entry (options, msglevel);
3667 if (!e)
3668 goto err;
3669 *e = re;
3670 }
3671 else if (permission_mask & OPT_P_CONNECTION)
3672 #endif
3673 {
3674 connection_entry_load_re (&options->ce, &re);
3675 }
3676 }
3677 else if (streq (p[0], "resolv-retry") && p[1])
3678 {
3679 VERIFY_PERMISSION (OPT_P_GENERAL);
3680 if (streq (p[1], "infinite"))
3681 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
3682 else
3683 options->resolve_retry_seconds = positive_atoi (p[1]);
3684 }
3685 else if (streq (p[0], "connect-retry") && p[1])
3686 {
3687 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3688 options->ce.connect_retry_seconds = positive_atoi (p[1]);
3689 options->ce.connect_retry_defined = true;
3690 }
3691 else if (streq (p[0], "connect-timeout") && p[1])
3692 {
3693 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3694 options->ce.connect_timeout = positive_atoi (p[1]);
3695 options->ce.connect_timeout_defined = true;
3696 }
3697 else if (streq (p[0], "connect-retry-max") && p[1])
3698 {
3699 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3700 options->ce.connect_retry_max = positive_atoi (p[1]);
3701 }
3702 else if (streq (p[0], "ipchange") && p[1])
3703 {
3704 VERIFY_PERMISSION (OPT_P_SCRIPT);
3705 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
3706 goto err;
3707 options->ipchange = string_substitute (p[1], ',', ' ', &options->gc);
3708 }
3709 else if (streq (p[0], "float"))
3710 {
3711 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3712 options->ce.remote_float = true;
3713 }
3714 #ifdef ENABLE_DEBUG
3715 else if (streq (p[0], "gremlin") && p[1])
3716 {
3717 VERIFY_PERMISSION (OPT_P_GENERAL);
3718 options->gremlin = positive_atoi (p[1]);
3719 }
3720 #endif
3721 else if (streq (p[0], "chroot") && p[1])
3722 {
3723 VERIFY_PERMISSION (OPT_P_GENERAL);
3724 options->chroot_dir = p[1];
3725 }
3726 else if (streq (p[0], "cd") && p[1])
3727 {
3728 VERIFY_PERMISSION (OPT_P_GENERAL);
3729 if (openvpn_chdir (p[1]))
3730 {
3731 msg (M_ERR, "cd to '%s' failed", p[1]);
3732 goto err;
3733 }
3734 options->cd_dir = p[1];
3735 }
3736 #ifdef HAVE_SETCON
3737 else if (streq (p[0], "setcon") && p[1])
3738 {
3739 VERIFY_PERMISSION (OPT_P_GENERAL);
3740 options->selinux_context = p[1];
3741 }
3742 #endif
3743 else if (streq (p[0], "writepid") && p[1])
3744 {
3745 VERIFY_PERMISSION (OPT_P_GENERAL);
3746 options->writepid = p[1];
3747 }
3748 else if (streq (p[0], "up") && p[1])
3749 {
3750 VERIFY_PERMISSION (OPT_P_SCRIPT);
3751 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
3752 goto err;
3753 options->up_script = p[1];
3754 }
3755 else if (streq (p[0], "down") && p[1])
3756 {
3757 VERIFY_PERMISSION (OPT_P_SCRIPT);
3758 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
3759 goto err;
3760 options->down_script = p[1];
3761 }
3762 else if (streq (p[0], "down-pre"))
3763 {
3764 VERIFY_PERMISSION (OPT_P_GENERAL);
3765 options->down_pre = true;
3766 }
3767 else if (streq (p[0], "up-delay"))
3768 {
3769 VERIFY_PERMISSION (OPT_P_GENERAL);
3770 options->up_delay = true;
3771 }
3772 else if (streq (p[0], "up-restart"))
3773 {
3774 VERIFY_PERMISSION (OPT_P_GENERAL);
3775 options->up_restart = true;
3776 }
3777 else if (streq (p[0], "syslog"))
3778 {
3779 VERIFY_PERMISSION (OPT_P_GENERAL);
3780 open_syslog (p[1], false);
3781 }
3782 else if (streq (p[0], "daemon"))
3783 {
3784 bool didit = false;
3785 VERIFY_PERMISSION (OPT_P_GENERAL);
3786 if (!options->daemon)
3787 {
3788 options->daemon = didit = true;
3789 open_syslog (p[1], false);
3790 }
3791 if (p[1])
3792 {
3793 if (!didit)
3794 {
3795 msg (M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
3796 goto err;
3797 }
3798 }
3799 }
3800 else if (streq (p[0], "inetd"))
3801 {
3802 VERIFY_PERMISSION (OPT_P_GENERAL);
3803 if (!options->inetd)
3804 {
3805 int z;
3806 const char *name = NULL;
3807 const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
3808
3809 options->inetd = -1;
3810
3811 for (z = 1; z <= 2; ++z)
3812 {
3813 if (p[z])
3814 {
3815 if (streq (p[z], "wait"))
3816 {
3817 if (options->inetd != -1)
3818 {
3819 msg (msglevel, opterr);
3820 goto err;
3821 }
3822 else
3823 options->inetd = INETD_WAIT;
3824 }
3825 else if (streq (p[z], "nowait"))
3826 {
3827 if (options->inetd != -1)
3828 {
3829 msg (msglevel, opterr);
3830 goto err;
3831 }
3832 else
3833 options->inetd = INETD_NOWAIT;
3834 }
3835 else
3836 {
3837 if (name != NULL)
3838 {
3839 msg (msglevel, opterr);
3840 goto err;
3841 }
3842 name = p[z];
3843 }
3844 }
3845 }
3846
3847 /* default */
3848 if (options->inetd == -1)
3849 options->inetd = INETD_WAIT;
3850
3851 save_inetd_socket_descriptor ();
3852 open_syslog (name, true);
3853 }
3854 }
3855 else if (streq (p[0], "log") && p[1])
3856 {
3857 VERIFY_PERMISSION (OPT_P_GENERAL);
3858 options->log = true;
3859 redirect_stdout_stderr (p[1], false);
3860 }
3861 else if (streq (p[0], "suppress-timestamps"))
3862 {
3863 VERIFY_PERMISSION (OPT_P_GENERAL);
3864 options->suppress_timestamps = true;
3865 set_suppress_timestamps(true);
3866 }
3867 else if (streq (p[0], "log-append") && p[1])
3868 {
3869 VERIFY_PERMISSION (OPT_P_GENERAL);
3870 options->log = true;
3871 redirect_stdout_stderr (p[1], true);
3872 }
3873 else if (streq (p[0], "mlock"))
3874 {
3875 VERIFY_PERMISSION (OPT_P_GENERAL);
3876 options->mlock = true;
3877 }
3878 #if ENABLE_IP_PKTINFO
3879 else if (streq (p[0], "multihome"))
3880 {
3881 VERIFY_PERMISSION (OPT_P_GENERAL);
3882 options->sockflags |= SF_USE_IP_PKTINFO;
3883 }
3884 #endif
3885 else if (streq (p[0], "verb") && p[1])
3886 {
3887 VERIFY_PERMISSION (OPT_P_MESSAGES);
3888 options->verbosity = positive_atoi (p[1]);
3889 }
3890 else if (streq (p[0], "mute") && p[1])
3891 {
3892 VERIFY_PERMISSION (OPT_P_MESSAGES);
3893 options->mute = positive_atoi (p[1]);
3894 }
3895 else if (streq (p[0], "errors-to-stderr"))
3896 {
3897 VERIFY_PERMISSION (OPT_P_MESSAGES);
3898 errors_to_stderr();
3899 }
3900 else if (streq (p[0], "status") && p[1])
3901 {
3902 VERIFY_PERMISSION (OPT_P_GENERAL);
3903 options->status_file = p[1];
3904 if (p[2])
3905 {
3906 options->status_file_update_freq = positive_atoi (p[2]);
3907 }
3908 }
3909 else if (streq (p[0], "status-version") && p[1])
3910 {
3911 int version;
3912
3913 VERIFY_PERMISSION (OPT_P_GENERAL);
3914 version = atoi (p[1]);
3915 if (version < 1 || version > 3)
3916 {
3917 msg (msglevel, "--status-version must be 1 to 3");
3918 goto err;
3919 }
3920 options->status_file_version = version;
3921 }
3922 else if (streq (p[0], "remap-usr1") && p[1])
3923 {
3924 VERIFY_PERMISSION (OPT_P_GENERAL);
3925 if (streq (p[1], "SIGHUP"))
3926 options->remap_sigusr1 = SIGHUP;
3927 else if (streq (p[1], "SIGTERM"))
3928 options->remap_sigusr1 = SIGTERM;
3929 else
3930 {
3931 msg (msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
3932 goto err;
3933 }
3934 }
3935 else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1])
3936 {
3937 VERIFY_PERMISSION (OPT_P_MTU);
3938 options->link_mtu = positive_atoi (p[1]);
3939 options->link_mtu_defined = true;
3940 }
3941 else if (streq (p[0], "tun-mtu") && p[1])
3942 {
3943 VERIFY_PERMISSION (OPT_P_MTU);
3944 options->tun_mtu = positive_atoi (p[1]);
3945 options->tun_mtu_defined = true;
3946 }
3947 else if (streq (p[0], "tun-mtu-extra") && p[1])
3948 {
3949 VERIFY_PERMISSION (OPT_P_MTU);
3950 options->tun_mtu_extra = positive_atoi (p[1]);
3951 options->tun_mtu_extra_defined = true;
3952 }
3953 #ifdef ENABLE_FRAGMENT
3954 else if (streq (p[0], "mtu-dynamic"))
3955 {
3956 VERIFY_PERMISSION (OPT_P_GENERAL);
3957 msg (msglevel, "--mtu-dynamic has been replaced by --fragment");
3958 goto err;
3959 }
3960 else if (streq (p[0], "fragment") && p[1])
3961 {
3962 VERIFY_PERMISSION (OPT_P_MTU);
3963 options->fragment = positive_atoi (p[1]);
3964 }
3965 #endif
3966 else if (streq (p[0], "mtu-disc") && p[1])
3967 {
3968 VERIFY_PERMISSION (OPT_P_MTU);
3969 options->mtu_discover_type = translate_mtu_discover_type_name (p[1]);
3970 }
3971 #ifdef ENABLE_OCC
3972 else if (streq (p[0], "mtu-test"))
3973 {
3974 VERIFY_PERMISSION (OPT_P_GENERAL);
3975 options->mtu_test = true;
3976 }
3977 #endif
3978 else if (streq (p[0], "nice") && p[1])
3979 {
3980 VERIFY_PERMISSION (OPT_P_NICE);
3981 options->nice = atoi (p[1]);
3982 }
3983 else if (streq (p[0], "rcvbuf") && p[1])
3984 {
3985 VERIFY_PERMISSION (OPT_P_SOCKBUF);
3986 options->rcvbuf = positive_atoi (p[1]);
3987 }
3988 else if (streq (p[0], "sndbuf") && p[1])
3989 {
3990 VERIFY_PERMISSION (OPT_P_SOCKBUF);
3991 options->sndbuf = positive_atoi (p[1]);
3992 }
3993 else if (streq (p[0], "socket-flags"))
3994 {
3995 int j;
3996 VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
3997 for (j = 1; j < MAX_PARMS && p[j]; ++j)
3998 {
3999 if (streq (p[j], "TCP_NODELAY"))
4000 options->sockflags |= SF_TCP_NODELAY;
4001 else
4002 msg (msglevel, "unknown socket flag: %s", p[j]);
4003 }
4004 }
4005 else if (streq (p[0], "txqueuelen") && p[1])
4006 {
4007 VERIFY_PERMISSION (OPT_P_GENERAL);
4008 #ifdef TARGET_LINUX
4009 options->tuntap_options.txqueuelen = positive_atoi (p[1]);
4010 #else
4011 msg (msglevel, "--txqueuelen not supported on this OS");
4012 goto err;
4013 #endif
4014 }
4015 #ifdef USE_PTHREAD
4016 else if (streq (p[0], "nice-work") && p[1])
4017 {
4018 VERIFY_PERMISSION (OPT_P_NICE);
4019 options->nice_work = atoi (p[1]);
4020 }
4021 else if (streq (p[0], "threads") && p[1])
4022 {
4023 int n_threads;
4024
4025 VERIFY_PERMISSION (OPT_P_GENERAL);
4026 n_threads = positive_atoi (p[1]);
4027 if (n_threads < 1)
4028 {
4029 msg (msglevel, "--threads parameter must be at least 1");
4030 goto err;
4031 }
4032 options->n_threads = n_threads;
4033 }
4034 #endif
4035 else if (streq (p[0], "shaper") && p[1])
4036 {
4037 #ifdef HAVE_GETTIMEOFDAY
4038 int shaper;
4039
4040 VERIFY_PERMISSION (OPT_P_SHAPER);
4041 shaper = atoi (p[1]);
4042 if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
4043 {
4044 msg (msglevel, "Bad shaper value, must be between %d and %d",
4045 SHAPER_MIN, SHAPER_MAX);
4046 goto err;
4047 }
4048 options->shaper = shaper;
4049 #else /* HAVE_GETTIMEOFDAY */
4050 VERIFY_PERMISSION (OPT_P_GENERAL);
4051 msg (msglevel, "--shaper requires the gettimeofday() function which is missing");
4052 goto err;
4053 #endif /* HAVE_GETTIMEOFDAY */
4054 }
4055 else if (streq (p[0], "port") && p[1])
4056 {
4057 int port;
4058
4059 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4060 port = atoi (p[1]);
4061 if (!legal_ipv4_port (port))
4062 {
4063 msg (msglevel, "Bad port number: %s", p[1]);
4064 goto err;
4065 }
4066 options->ce.port_option_used = true;
4067 options->ce.local_port = options->ce.remote_port = port;
4068 }
4069 else if (streq (p[0], "lport") && p[1])
4070 {
4071 int port;
4072
4073 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4074 port = atoi (p[1]);
4075 if (!legal_ipv4_port (port))
4076 {
4077 msg (msglevel, "Bad local port number: %s", p[1]);
4078 goto err;
4079 }
4080 options->ce.local_port_defined = true;
4081 options->ce.port_option_used = true;
4082 options->ce.local_port = port;
4083 }
4084 else if (streq (p[0], "rport") && p[1])
4085 {
4086 int port;
4087
4088 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4089 port = atoi (p[1]);
4090 if (!legal_ipv4_port (port))
4091 {
4092 msg (msglevel, "Bad remote port number: %s", p[1]);
4093 goto err;
4094 }
4095 options->ce.port_option_used = true;
4096 options->ce.remote_port = port;
4097 }
4098 else if (streq (p[0], "bind"))
4099 {
4100 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4101 options->ce.bind_defined = true;
4102 }
4103 else if (streq (p[0], "nobind"))
4104 {
4105 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4106 options->ce.bind_local = false;
4107 }
4108 else if (streq (p[0], "fast-io"))
4109 {
4110 VERIFY_PERMISSION (OPT_P_GENERAL);
4111 options->fast_io = true;
4112 }
4113 else if (streq (p[0], "inactive") && p[1])
4114 {
4115 VERIFY_PERMISSION (OPT_P_TIMER);
4116 options->inactivity_timeout = positive_atoi (p[1]);
4117 if (p[2])
4118 options->inactivity_minimum_bytes = positive_atoi (p[2]);
4119 }
4120 else if (streq (p[0], "proto") && p[1])
4121 {
4122 int proto;
4123 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4124 proto = ascii2proto (p[1]);
4125 if (proto < 0)
4126 {
4127 msg (msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
4128 p[1],
4129 proto2ascii_all (&gc));
4130 goto err;
4131 }
4132 options->ce.proto = proto;
4133 }
4134 #ifdef GENERAL_PROXY_SUPPORT
4135 else if (streq (p[0], "auto-proxy"))
4136 {
4137 char *error = NULL;
4138
4139 VERIFY_PERMISSION (OPT_P_GENERAL);
4140 options->auto_proxy_info = get_proxy_settings (&error, &options->gc);
4141 if (error)
4142 msg (M_WARN, "PROXY: %s", error);
4143 }
4144 else if (streq (p[0], "show-proxy-settings"))
4145 {
4146 struct auto_proxy_info *pi;
4147 char *error = NULL;
4148
4149 VERIFY_PERMISSION (OPT_P_GENERAL);
4150 pi = get_proxy_settings (&error, &options->gc);
4151 if (pi)
4152 {
4153 msg (M_INFO|M_NOPREFIX, "HTTP Server: %s", np(pi->http.server));
4154 msg (M_INFO|M_NOPREFIX, "HTTP Port: %d", pi->http.port);
4155 msg (M_INFO|M_NOPREFIX, "SOCKS Server: %s", np(pi->socks.server));
4156 msg (M_INFO|M_NOPREFIX, "SOCKS Port: %d", pi->socks.port);
4157 }
4158 if (error)
4159 msg (msglevel, "Proxy error: %s", error);
4160 #ifdef WIN32
4161 show_win_proxy_settings (M_INFO|M_NOPREFIX);
4162 #endif
4163 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
4164 }
4165 #endif /* GENERAL_PROXY_SUPPORT */
4166 #ifdef ENABLE_HTTP_PROXY
4167 else if (streq (p[0], "http-proxy") && p[1])
4168 {
4169 struct http_proxy_options *ho;
4170
4171 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4172
4173 {
4174 int port;
4175 if (!p[2])
4176 {
4177 msg (msglevel, "http-proxy port number not defined");
4178 goto err;
4179 }
4180 port = atoi (p[2]);
4181 if (!legal_ipv4_port (port))
4182 {
4183 msg (msglevel, "Bad http-proxy port number: %s", p[2]);
4184 goto err;
4185 }
4186
4187 ho = init_http_options_if_undefined (options);
4188
4189 ho->server = p[1];
4190 ho->port = port;
4191 }
4192
4193 if (p[3])
4194 {
4195 if (streq (p[3], "auto"))
4196 ho->auth_retry = true;
4197 else
4198 {
4199 ho->auth_method_string = "basic";
4200 ho->auth_file = p[3];
4201
4202 if (p[4])
4203 {
4204 ho->auth_method_string = p[4];
4205 }
4206 }
4207 }
4208 else
4209 {
4210 ho->auth_method_string = "none";
4211 }
4212 }
4213 else if (streq (p[0], "http-proxy-retry"))
4214 {
4215 struct http_proxy_options *ho;
4216 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4217 ho = init_http_options_if_undefined (options);
4218 ho->retry = true;
4219 }
4220 else if (streq (p[0], "http-proxy-timeout") && p[1])
4221 {
4222 struct http_proxy_options *ho;
4223
4224 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4225 ho = init_http_options_if_undefined (options);
4226 ho->timeout = positive_atoi (p[1]);
4227 }
4228 else if (streq (p[0], "http-proxy-option") && p[1])
4229 {
4230 struct http_proxy_options *ho;
4231
4232 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4233 ho = init_http_options_if_undefined (options);
4234
4235 if (streq (p[1], "VERSION") && p[2])
4236 {
4237 ho->http_version = p[2];
4238 }
4239 else if (streq (p[1], "AGENT") && p[2])
4240 {
4241 ho->user_agent = p[2];
4242 }
4243 else
4244 {
4245 msg (msglevel, "Bad http-proxy-option or missing parameter: '%s'", p[1]);
4246 }
4247 }
4248 #endif
4249 #ifdef ENABLE_SOCKS
4250 else if (streq (p[0], "socks-proxy") && p[1])
4251 {
4252 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4253
4254 if (p[2])
4255 {
4256 int port;
4257 port = atoi (p[2]);
4258 if (!legal_ipv4_port (port))
4259 {
4260 msg (msglevel, "Bad socks-proxy port number: %s", p[2]);
4261 goto err;
4262 }
4263 options->ce.socks_proxy_port = port;
4264 }
4265 else
4266 {
4267 options->ce.socks_proxy_port = 1080;
4268 }
4269 options->ce.socks_proxy_server = p[1];
4270 }
4271 else if (streq (p[0], "socks-proxy-retry"))
4272 {
4273 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4274 options->ce.socks_proxy_retry = true;
4275 }
4276 #endif
4277 else if (streq (p[0], "keepalive") && p[1] && p[2])
4278 {
4279 VERIFY_PERMISSION (OPT_P_GENERAL);
4280 options->keepalive_ping = atoi (p[1]);
4281 options->keepalive_timeout = atoi (p[2]);
4282 }
4283 else if (streq (p[0], "ping") && p[1])
4284 {
4285 VERIFY_PERMISSION (OPT_P_TIMER);
4286 options->ping_send_timeout = positive_atoi (p[1]);
4287 }
4288 else if (streq (p[0], "ping-exit") && p[1])
4289 {
4290 VERIFY_PERMISSION (OPT_P_TIMER);
4291 options->ping_rec_timeout = positive_atoi (p[1]);
4292 options->ping_rec_timeout_action = PING_EXIT;
4293 }
4294 else if (streq (p[0], "ping-restart") && p[1])
4295 {
4296 VERIFY_PERMISSION (OPT_P_TIMER);
4297 options->ping_rec_timeout = positive_atoi (p[1]);
4298 options->ping_rec_timeout_action = PING_RESTART;
4299 }
4300 else if (streq (p[0], "ping-timer-rem"))
4301 {
4302 VERIFY_PERMISSION (OPT_P_TIMER);
4303 options->ping_timer_remote = true;
4304 }
4305 #ifdef ENABLE_OCC
4306 else if (streq (p[0], "explicit-exit-notify"))
4307 {
4308 VERIFY_PERMISSION (OPT_P_EXPLICIT_NOTIFY);
4309 if (p[1])
4310 {
4311 options->explicit_exit_notification = positive_atoi (p[1]);
4312 }
4313 else
4314 {
4315 options->explicit_exit_notification = 1;
4316 }
4317 }
4318 #endif
4319 else if (streq (p[0], "persist-tun"))
4320 {
4321 VERIFY_PERMISSION (OPT_P_PERSIST);
4322 options->persist_tun = true;
4323 }
4324 else if (streq (p[0], "persist-key"))
4325 {
4326 VERIFY_PERMISSION (OPT_P_PERSIST);
4327 options->persist_key = true;
4328 }
4329 else if (streq (p[0], "persist-local-ip"))
4330 {
4331 VERIFY_PERMISSION (OPT_P_PERSIST_IP);
4332 options->persist_local_ip = true;
4333 }
4334 else if (streq (p[0], "persist-remote-ip"))
4335 {
4336 VERIFY_PERMISSION (OPT_P_PERSIST_IP);
4337 options->persist_remote_ip = true;
4338 }
4339 else if (streq (p[0], "route") && p[1])
4340 {
4341 VERIFY_PERMISSION (OPT_P_ROUTE);
4342 rol_check_alloc (options);
4343 if (pull_mode)
4344 {
4345 if (!ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && !is_special_addr (p[1])) /* FQDN -- may be DNS name */
4346 {
4347 msg (msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
4348 goto err;
4349 }
4350 if (p[2] && !ip_addr_dotted_quad_safe (p[2])) /* FQDN -- must be IP address */
4351 {
4352 msg (msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
4353 goto err;
4354 }
4355 if (p[3] && !ip_or_dns_addr_safe (p[3], options->allow_pull_fqdn) && !is_special_addr (p[3])) /* FQDN -- may be DNS name */
4356 {
4357 msg (msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
4358 goto err;
4359 }
4360 }
4361 add_route_to_option_list (options->routes, p[1], p[2], p[3], p[4]);
4362 }
4363 else if (streq (p[0], "max-routes") && p[1])
4364 {
4365 int max_routes;
4366
4367 VERIFY_PERMISSION (OPT_P_GENERAL);
4368 max_routes = atoi (p[1]);
4369 if (max_routes < 0 || max_routes > 100000000)
4370 {
4371 msg (msglevel, "--max-routes parameter is out of range");
4372 goto err;
4373 }
4374 options->max_routes = max_routes;
4375 }
4376 else if (streq (p[0], "route-gateway") && p[1])
4377 {
4378 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
4379 if (streq (p[1], "dhcp"))
4380 {
4381 options->route_gateway_via_dhcp = true;
4382 }
4383 else
4384 {
4385 if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */
4386 {
4387 options->route_default_gateway = p[1];
4388 }
4389 else
4390 {
4391 msg (msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
4392 goto err;
4393 }
4394 }
4395 }
4396 else if (streq (p[0], "route-metric") && p[1])
4397 {
4398 VERIFY_PERMISSION (OPT_P_ROUTE);
4399 options->route_default_metric = positive_atoi (p[1]);
4400 }
4401 else if (streq (p[0], "route-delay"))
4402 {
4403 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
4404 options->route_delay_defined = true;
4405 if (p[1])
4406 {
4407 options->route_delay = positive_atoi (p[1]);
4408 if (p[2])
4409 {
4410 options->route_delay_window = positive_atoi (p[2]);
4411 }
4412 }
4413 else
4414 {
4415 options->route_delay = 0;
4416 }
4417 }
4418 else if (streq (p[0], "route-up") && p[1])
4419 {
4420 VERIFY_PERMISSION (OPT_P_SCRIPT);
4421 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4422 goto err;
4423 options->route_script = p[1];
4424 }
4425 else if (streq (p[0], "route-noexec"))
4426 {
4427 VERIFY_PERMISSION (OPT_P_SCRIPT);
4428 options->route_noexec = true;
4429 }
4430 else if (streq (p[0], "route-nopull"))
4431 {
4432 VERIFY_PERMISSION (OPT_P_GENERAL);
4433 options->route_nopull = true;
4434 }
4435 else if (streq (p[0], "allow-pull-fqdn"))
4436 {
4437 VERIFY_PERMISSION (OPT_P_GENERAL);
4438 options->allow_pull_fqdn = true;
4439 }
4440 else if (streq (p[0], "redirect-gateway") || streq (p[0], "redirect-private"))
4441 {
4442 int j;
4443 VERIFY_PERMISSION (OPT_P_ROUTE);
4444 rol_check_alloc (options);
4445 if (streq (p[0], "redirect-gateway"))
4446 options->routes->flags |= RG_REROUTE_GW;
4447 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
4448 {
4449 if (streq (p[j], "local"))
4450 options->routes->flags |= RG_LOCAL;
4451 else if (streq (p[j], "autolocal"))
4452 options->routes->flags |= RG_AUTO_LOCAL;
4453 else if (streq (p[j], "def1"))
4454 options->routes->flags |= RG_DEF1;
4455 else if (streq (p[j], "bypass-dhcp"))
4456 options->routes->flags |= RG_BYPASS_DHCP;
4457 else if (streq (p[j], "bypass-dns"))
4458 options->routes->flags |= RG_BYPASS_DNS;
4459 else
4460 {
4461 msg (msglevel, "unknown --%s flag: %s", p[0], p[j]);
4462 goto err;
4463 }
4464 }
4465 options->routes->flags |= RG_ENABLE;
4466 }
4467 else if (streq (p[0], "remote-random-hostname"))
4468 {
4469 VERIFY_PERMISSION (OPT_P_GENERAL);
4470 options->sockflags |= SF_HOST_RANDOMIZE;
4471 }
4472 else if (streq (p[0], "setenv") && p[1])
4473 {
4474 VERIFY_PERMISSION (OPT_P_GENERAL);
4475 if (streq (p[1], "REMOTE_RANDOM_HOSTNAME"))
4476 {
4477 options->sockflags |= SF_HOST_RANDOMIZE;
4478 }
4479 else if (streq (p[1], "GENERIC_CONFIG"))
4480 {
4481 msg (msglevel, "this is a generic configuration and cannot directly be used");
4482 goto err;
4483 }
4484 #if P2MP
4485 else if (streq (p[1], "SERVER_POLL_TIMEOUT") && p[2])
4486 {
4487 options->server_poll_timeout = positive_atoi(p[2]);
4488 }
4489 #endif
4490 else
4491 {
4492 if (streq (p[1], "FORWARD_COMPATIBLE") && p[2] && streq (p[2], "1"))
4493 {
4494 options->forward_compatible = true;
4495 msglevel_fc = msglevel_forward_compatible (options, msglevel);
4496 }
4497 setenv_str (es, p[1], p[2] ? p[2] : "");
4498 }
4499 }
4500 else if (streq (p[0], "setenv-safe") && p[1])
4501 {
4502 VERIFY_PERMISSION (OPT_P_SETENV);
4503 setenv_str_safe (es, p[1], p[2] ? p[2] : "");
4504 }
4505 else if (streq (p[0], "script-security") && p[1])
4506 {
4507 VERIFY_PERMISSION (OPT_P_GENERAL);
4508 script_security = atoi (p[1]);
4509 if (p[2])
4510 {
4511 if (streq (p[2], "execve"))
4512 script_method = SM_EXECVE;
4513 else if (streq (p[2], "system"))
4514 script_method = SM_SYSTEM;
4515 else
4516 {
4517 msg (msglevel, "unknown --script-security method: %s", p[2]);
4518 goto err;
4519 }
4520 }
4521 else
4522 script_method = SM_EXECVE;
4523 }
4524 else if (streq (p[0], "mssfix"))
4525 {
4526 VERIFY_PERMISSION (OPT_P_GENERAL);
4527 if (p[1])
4528 {
4529 options->mssfix = positive_atoi (p[1]);
4530 }
4531 else
4532 options->mssfix_default = true;
4533
4534 }
4535 #ifdef ENABLE_OCC
4536 else if (streq (p[0], "disable-occ"))
4537 {
4538 VERIFY_PERMISSION (OPT_P_GENERAL);
4539 options->occ = false;
4540 }
4541 #endif
4542 #if P2MP
4543 #if P2MP_SERVER
4544 else if (streq (p[0], "server") && p[1] && p[2])
4545 {
4546 const int lev = M_WARN;
4547 bool error = false;
4548 in_addr_t network, netmask;
4549
4550 VERIFY_PERMISSION (OPT_P_GENERAL);
4551 network = get_ip_addr (p[1], lev, &error);
4552 netmask = get_ip_addr (p[2], lev, &error);
4553 if (error || !network || !netmask)
4554 {
4555 msg (msglevel, "error parsing --server parameters");
4556 goto err;
4557 }
4558 options->server_defined = true;
4559 options->server_network = network;
4560 options->server_netmask = netmask;
4561
4562 if (p[3])
4563 {
4564 if (streq (p[3], "nopool"))
4565 options->server_flags |= SF_NOPOOL;
4566 else
4567 {
4568 msg (msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
4569 goto err;
4570 }
4571 }
4572 }
4573 else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4])
4574 {
4575 const int lev = M_WARN;
4576 bool error = false;
4577 in_addr_t ip, netmask, pool_start, pool_end;
4578
4579 VERIFY_PERMISSION (OPT_P_GENERAL);
4580 ip = get_ip_addr (p[1], lev, &error);
4581 netmask = get_ip_addr (p[2], lev, &error);
4582 pool_start = get_ip_addr (p[3], lev, &error);
4583 pool_end = get_ip_addr (p[4], lev, &error);
4584 if (error || !ip || !netmask || !pool_start || !pool_end)
4585 {
4586 msg (msglevel, "error parsing --server-bridge parameters");
4587 goto err;
4588 }
4589 options->server_bridge_defined = true;
4590 options->server_bridge_ip = ip;
4591 options->server_bridge_netmask = netmask;
4592 options->server_bridge_pool_start = pool_start;
4593 options->server_bridge_pool_end = pool_end;
4594 }
4595 else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw"))
4596 {
4597 VERIFY_PERMISSION (OPT_P_GENERAL);
4598 options->server_bridge_proxy_dhcp = true;
4599 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
4600 }
4601 else if (streq (p[0], "server-bridge") && !p[1])
4602 {
4603 VERIFY_PERMISSION (OPT_P_GENERAL);
4604 options->server_bridge_proxy_dhcp = true;
4605 }
4606 else if (streq (p[0], "push") && p[1])
4607 {
4608 VERIFY_PERMISSION (OPT_P_PUSH);
4609 push_options (options, &p[1], msglevel, &options->gc);
4610 }
4611 else if (streq (p[0], "push-reset"))
4612 {
4613 VERIFY_PERMISSION (OPT_P_INSTANCE);
4614 push_reset (options);
4615 }
4616 else if (streq (p[0], "ifconfig-pool") && p[1] && p[2])
4617 {
4618 const int lev = M_WARN;
4619 bool error = false;
4620 in_addr_t start, end, netmask=0;
4621
4622 VERIFY_PERMISSION (OPT_P_GENERAL);
4623 start = get_ip_addr (p[1], lev, &error);
4624 end = get_ip_addr (p[2], lev, &error);
4625 if (p[3])
4626 {
4627 netmask = get_ip_addr (p[3], lev, &error);
4628 }
4629 if (error)
4630 {
4631 msg (msglevel, "error parsing --ifconfig-pool parameters");
4632 goto err;
4633 }
4634 if (!ifconfig_pool_verify_range (msglevel, start, end))
4635 goto err;
4636
4637 options->ifconfig_pool_defined = true;
4638 options->ifconfig_pool_start = start;
4639 options->ifconfig_pool_end = end;
4640 if (netmask)
4641 options->ifconfig_pool_netmask = netmask;
4642 }
4643 else if (streq (p[0], "ifconfig-pool-persist") && p[1])
4644 {
4645 VERIFY_PERMISSION (OPT_P_GENERAL);
4646 options->ifconfig_pool_persist_filename = p[1];
4647 if (p[2])
4648 {
4649 options->ifconfig_pool_persist_refresh_freq = positive_atoi (p[2]);
4650 }
4651 }
4652 else if (streq (p[0], "ifconfig-pool-linear"))
4653 {
4654 VERIFY_PERMISSION (OPT_P_GENERAL);
4655 options->topology = TOP_P2P;
4656 }
4657 else if (streq (p[0], "hash-size") && p[1] && p[2])
4658 {
4659 int real, virtual;
4660
4661 VERIFY_PERMISSION (OPT_P_GENERAL);
4662 real = atoi (p[1]);
4663 virtual = atoi (p[2]);
4664 if (real < 1 || virtual < 1)
4665 {
4666 msg (msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
4667 goto err;
4668 }
4669 options->real_hash_size = real;
4670 options->virtual_hash_size = real;
4671 }
4672 else if (streq (p[0], "connect-freq") && p[1] && p[2])
4673 {
4674 int cf_max, cf_per;
4675
4676 VERIFY_PERMISSION (OPT_P_GENERAL);
4677 cf_max = atoi (p[1]);
4678 cf_per = atoi (p[2]);
4679 if (cf_max < 0 || cf_per < 0)
4680 {
4681 msg (msglevel, "--connect-freq parms must be > 0");
4682 goto err;
4683 }
4684 options->cf_max = cf_max;
4685 options->cf_per = cf_per;
4686 }
4687 else if (streq (p[0], "max-clients") && p[1])
4688 {
4689 int max_clients;
4690
4691 VERIFY_PERMISSION (OPT_P_GENERAL);
4692 max_clients = atoi (p[1]);
4693 if (max_clients < 0)
4694 {
4695 msg (msglevel, "--max-clients must be at least 1");
4696 goto err;
4697 }
4698 options->max_clients = max_clients;
4699 }
4700 else if (streq (p[0], "max-routes-per-client") && p[1])
4701 {
4702 VERIFY_PERMISSION (OPT_P_INHERIT);
4703 options->max_routes_per_client = max_int (atoi (p[1]), 1);
4704 }
4705 else if (streq (p[0], "client-cert-not-required"))
4706 {
4707 VERIFY_PERMISSION (OPT_P_GENERAL);
4708 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
4709 }
4710 else if (streq (p[0], "username-as-common-name"))
4711 {
4712 VERIFY_PERMISSION (OPT_P_GENERAL);
4713 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
4714 }
4715 else if (streq (p[0], "auth-user-pass-optional"))
4716 {
4717 VERIFY_PERMISSION (OPT_P_GENERAL);
4718 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
4719 }
4720 else if (streq (p[0], "no-name-remapping"))
4721 {
4722 VERIFY_PERMISSION (OPT_P_GENERAL);
4723 options->ssl_flags |= SSLF_NO_NAME_REMAPPING;
4724 }
4725 else if (streq (p[0], "opt-verify"))
4726 {
4727 VERIFY_PERMISSION (OPT_P_GENERAL);
4728 options->ssl_flags |= SSLF_OPT_VERIFY;
4729 }
4730 else if (streq (p[0], "auth-user-pass-verify") && p[1])
4731 {
4732 VERIFY_PERMISSION (OPT_P_SCRIPT);
4733 if (!no_more_than_n_args (msglevel, p, 3, NM_QUOTE_HINT))
4734 goto err;
4735 if (p[2])
4736 {
4737 if (streq (p[2], "via-env"))
4738 options->auth_user_pass_verify_script_via_file = false;
4739 else if (streq (p[2], "via-file"))
4740 options->auth_user_pass_verify_script_via_file = true;
4741 else
4742 {
4743 msg (msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
4744 goto err;
4745 }
4746 }
4747 else
4748 {
4749 msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
4750 goto err;
4751 }
4752 options->auth_user_pass_verify_script = p[1];
4753 }
4754 else if (streq (p[0], "client-connect") && p[1])
4755 {
4756 VERIFY_PERMISSION (OPT_P_SCRIPT);
4757 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4758 goto err;
4759 options->client_connect_script = p[1];
4760 }
4761 else if (streq (p[0], "client-disconnect") && p[1])
4762 {
4763 VERIFY_PERMISSION (OPT_P_SCRIPT);
4764 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4765 goto err;
4766 options->client_disconnect_script = p[1];
4767 }
4768 else if (streq (p[0], "learn-address") && p[1])
4769 {
4770 VERIFY_PERMISSION (OPT_P_SCRIPT);
4771 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4772 goto err;
4773 options->learn_address_script = p[1];
4774 }
4775 else if (streq (p[0], "tmp-dir") && p[1])
4776 {
4777 VERIFY_PERMISSION (OPT_P_GENERAL);
4778 options->tmp_dir = p[1];
4779 }
4780 else if (streq (p[0], "client-config-dir") && p[1])
4781 {
4782 VERIFY_PERMISSION (OPT_P_GENERAL);
4783 options->client_config_dir = p[1];
4784 }
4785 else if (streq (p[0], "ccd-exclusive"))
4786 {
4787 VERIFY_PERMISSION (OPT_P_GENERAL);
4788 options->ccd_exclusive = true;
4789 }
4790 else if (streq (p[0], "bcast-buffers") && p[1])
4791 {
4792 int n_bcast_buf;
4793
4794 VERIFY_PERMISSION (OPT_P_GENERAL);
4795 n_bcast_buf = atoi (p[1]);
4796 if (n_bcast_buf < 1)
4797 msg (msglevel, "--bcast-buffers parameter must be > 0");
4798 options->n_bcast_buf = n_bcast_buf;
4799 }
4800 else if (streq (p[0], "tcp-queue-limit") && p[1])
4801 {
4802 int tcp_queue_limit;
4803
4804 VERIFY_PERMISSION (OPT_P_GENERAL);
4805 tcp_queue_limit = atoi (p[1]);
4806 if (tcp_queue_limit < 1)
4807 msg (msglevel, "--tcp-queue-limit parameter must be > 0");
4808 options->tcp_queue_limit = tcp_queue_limit;
4809 }
4810 #if PORT_SHARE
4811 else if (streq (p[0], "port-share") && p[1] && p[2])
4812 {
4813 int port;
4814
4815 VERIFY_PERMISSION (OPT_P_GENERAL);
4816 port = atoi (p[2]);
4817 if (!legal_ipv4_port (port))
4818 {
4819 msg (msglevel, "port number associated with --port-share directive is out of range");
4820 goto err;
4821 }
4822
4823 options->port_share_host = p[1];
4824 options->port_share_port = port;
4825 }
4826 #endif
4827 else if (streq (p[0], "client-to-client"))
4828 {
4829 VERIFY_PERMISSION (OPT_P_GENERAL);
4830 options->enable_c2c = true;
4831 }
4832 else if (streq (p[0], "duplicate-cn"))
4833 {
4834 VERIFY_PERMISSION (OPT_P_GENERAL);
4835 options->duplicate_cn = true;
4836 }
4837 else if (streq (p[0], "iroute") && p[1])
4838 {
4839 const char *netmask = NULL;
4840
4841 VERIFY_PERMISSION (OPT_P_INSTANCE);
4842 if (p[2])
4843 {
4844 netmask = p[2];
4845 }
4846 option_iroute (options, p[1], netmask, msglevel);
4847 }
4848 else if (streq (p[0], "ifconfig-push") && p[1] && p[2])
4849 {
4850 in_addr_t local, remote_netmask;
4851
4852 VERIFY_PERMISSION (OPT_P_INSTANCE);
4853 local = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
4854 remote_netmask = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
4855 if (local && remote_netmask)
4856 {
4857 options->push_ifconfig_defined = true;
4858 options->push_ifconfig_local = local;
4859 options->push_ifconfig_remote_netmask = remote_netmask;
4860 }
4861 else
4862 {
4863 msg (msglevel, "cannot parse --ifconfig-push addresses");
4864 goto err;
4865 }
4866 }
4867 else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2])
4868 {
4869 in_addr_t network, netmask;
4870
4871 VERIFY_PERMISSION (OPT_P_GENERAL);
4872 network = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
4873 netmask = getaddr (GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
4874 if (network && netmask)
4875 {
4876 options->push_ifconfig_constraint_defined = true;
4877 options->push_ifconfig_constraint_network = network;
4878 options->push_ifconfig_constraint_netmask = netmask;
4879 }
4880 else
4881 {
4882 msg (msglevel, "cannot parse --ifconfig-push-constraint addresses");
4883 goto err;
4884 }
4885 }
4886 else if (streq (p[0], "disable"))
4887 {
4888 VERIFY_PERMISSION (OPT_P_INSTANCE);
4889 options->disable = true;
4890 }
4891 else if (streq (p[0], "tcp-nodelay"))
4892 {
4893 VERIFY_PERMISSION (OPT_P_GENERAL);
4894 options->server_flags |= SF_TCP_NODELAY_HELPER;
4895 }
4896 #endif /* P2MP_SERVER */
4897
4898 else if (streq (p[0], "client"))
4899 {
4900 VERIFY_PERMISSION (OPT_P_GENERAL);
4901 options->client = true;
4902 }
4903 else if (streq (p[0], "pull"))
4904 {
4905 VERIFY_PERMISSION (OPT_P_GENERAL);
4906 options->pull = true;
4907 }
4908 else if (streq (p[0], "push-continuation") && p[1])
4909 {
4910 VERIFY_PERMISSION (OPT_P_PULL_MODE);
4911 options->push_continuation = atoi(p[1]);
4912 }
4913 else if (streq (p[0], "server-poll-timeout") && p[1])
4914 {
4915 VERIFY_PERMISSION (OPT_P_GENERAL);
4916 options->server_poll_timeout = positive_atoi(p[1]);
4917 }
4918 else if (streq (p[0], "auth-user-pass"))
4919 {
4920 VERIFY_PERMISSION (OPT_P_GENERAL);
4921 if (p[1])
4922 {
4923 options->auth_user_pass_file = p[1];
4924 }
4925 else
4926 options->auth_user_pass_file = "stdin";
4927 }
4928 else if (streq (p[0], "auth-retry") && p[1])
4929 {
4930 VERIFY_PERMISSION (OPT_P_GENERAL);
4931 auth_retry_set (msglevel, p[1]);
4932 }
4933 #endif
4934 #ifdef WIN32
4935 else if (streq (p[0], "win-sys") && p[1])
4936 {
4937 VERIFY_PERMISSION (OPT_P_GENERAL);
4938 if (streq (p[1], "env"))
4939 set_win_sys_path_via_env (es);
4940 else
4941 set_win_sys_path (p[1], es);
4942 }
4943 else if (streq (p[0], "route-method") && p[1])
4944 {
4945 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
4946 if (streq (p[1], "adaptive"))
4947 options->route_method = ROUTE_METHOD_ADAPTIVE;
4948 else if (streq (p[1], "ipapi"))
4949 options->route_method = ROUTE_METHOD_IPAPI;
4950 else if (streq (p[1], "exe"))
4951 options->route_method = ROUTE_METHOD_EXE;
4952 else
4953 {
4954 msg (msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
4955 goto err;
4956 }
4957 }
4958 else if (streq (p[0], "ip-win32") && p[1])
4959 {
4960 const int index = ascii2ipset (p[1]);
4961 struct tuntap_options *to = &options->tuntap_options;
4962
4963 VERIFY_PERMISSION (OPT_P_IPWIN32);
4964
4965 if (index < 0)
4966 {
4967 msg (msglevel,
4968 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
4969 p[1],
4970 ipset2ascii_all (&gc));
4971 goto err;
4972 }
4973
4974 if (index == IPW32_SET_ADAPTIVE)
4975 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
4976
4977 if (index == IPW32_SET_DHCP_MASQ)
4978 {
4979 if (p[2])
4980 {
4981 if (!streq (p[2], "default"))
4982 {
4983 int offset = atoi (p[2]);
4984
4985 if (!(offset > -256 && offset < 256))
4986 {
4987 msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
4988 goto err;
4989 }
4990
4991 to->dhcp_masq_custom_offset = true;
4992 to->dhcp_masq_offset = offset;
4993 }
4994
4995 if (p[3])
4996 {
4997 const int min_lease = 30;
4998 int lease_time;
4999 lease_time = atoi (p[3]);
5000 if (lease_time < min_lease)
5001 {
5002 msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
5003 goto err;
5004 }
5005 to->dhcp_lease_time = lease_time;
5006 }
5007 }
5008 }
5009 to->ip_win32_type = index;
5010 to->ip_win32_defined = true;
5011 }
5012 else if (streq (p[0], "dhcp-option") && p[1])
5013 {
5014 struct tuntap_options *o = &options->tuntap_options;
5015 VERIFY_PERMISSION (OPT_P_IPWIN32);
5016
5017 if (streq (p[1], "DOMAIN") && p[2])
5018 {
5019 o->domain = p[2];
5020 }
5021 else if (streq (p[1], "NBS") && p[2])
5022 {
5023 o->netbios_scope = p[2];
5024 }
5025 else if (streq (p[1], "NBT") && p[2])
5026 {
5027 int t;
5028 t = atoi (p[2]);
5029 if (!(t == 1 || t == 2 || t == 4 || t == 8))
5030 {
5031 msg (msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
5032 goto err;
5033 }
5034 o->netbios_node_type = t;
5035 }
5036 else if (streq (p[1], "DNS") && p[2])
5037 {
5038 dhcp_option_address_parse ("DNS", p[2], o->dns, &o->dns_len, msglevel);
5039 }
5040 else if (streq (p[1], "WINS") && p[2])
5041 {
5042 dhcp_option_address_parse ("WINS", p[2], o->wins, &o->wins_len, msglevel);
5043 }
5044 else if (streq (p[1], "NTP") && p[2])
5045 {
5046 dhcp_option_address_parse ("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
5047 }
5048 else if (streq (p[1], "NBDD") && p[2])
5049 {
5050 dhcp_option_address_parse ("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
5051 }
5052 else if (streq (p[1], "DISABLE-NBT"))
5053 {
5054 o->disable_nbt = 1;
5055 }
5056 else
5057 {
5058 msg (msglevel, "--dhcp-option: unknown option type '%s' or missing parameter", p[1]);
5059 goto err;
5060 }
5061 o->dhcp_options = true;
5062 }
5063 else if (streq (p[0], "show-adapters"))
5064 {
5065 VERIFY_PERMISSION (OPT_P_GENERAL);
5066 show_tap_win32_adapters (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
5067 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5068 }
5069 else if (streq (p[0], "show-net"))
5070 {
5071 VERIFY_PERMISSION (OPT_P_GENERAL);
5072 show_routes (M_INFO|M_NOPREFIX);
5073 show_adapters (M_INFO|M_NOPREFIX);
5074 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5075 }
5076 else if (streq (p[0], "show-net-up"))
5077 {
5078 VERIFY_PERMISSION (OPT_P_UP);
5079 options->show_net_up = true;
5080 }
5081 else if (streq (p[0], "tap-sleep") && p[1])
5082 {
5083 int s;
5084 VERIFY_PERMISSION (OPT_P_IPWIN32);
5085 s = atoi (p[1]);
5086 if (s < 0 || s >= 256)
5087 {
5088 msg (msglevel, "--tap-sleep parameter must be between 0 and 255");
5089 goto err;
5090 }
5091 options->tuntap_options.tap_sleep = s;
5092 }
5093 else if (streq (p[0], "dhcp-renew"))
5094 {
5095 VERIFY_PERMISSION (OPT_P_IPWIN32);
5096 options->tuntap_options.dhcp_renew = true;
5097 }
5098 else if (streq (p[0], "dhcp-pre-release"))
5099 {
5100 VERIFY_PERMISSION (OPT_P_IPWIN32);
5101 options->tuntap_options.dhcp_pre_release = true;
5102 }
5103 else if (streq (p[0], "dhcp-release"))
5104 {
5105 VERIFY_PERMISSION (OPT_P_IPWIN32);
5106 options->tuntap_options.dhcp_release = true;
5107 }
5108 else if (streq (p[0], "dhcp-rr") && p[1]) /* standalone method for internal use */
5109 {
5110 unsigned int adapter_index;
5111 VERIFY_PERMISSION (OPT_P_GENERAL);
5112 set_debug_level (options->verbosity, SDL_CONSTRAIN);
5113 adapter_index = atou (p[1]);
5114 sleep (options->tuntap_options.tap_sleep);
5115 if (options->tuntap_options.dhcp_pre_release)
5116 dhcp_release_by_adapter_index (adapter_index);
5117 if (options->tuntap_options.dhcp_renew)
5118 dhcp_renew_by_adapter_index (adapter_index);
5119 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
5120 }
5121 else if (streq (p[0], "show-valid-subnets"))
5122 {
5123 VERIFY_PERMISSION (OPT_P_GENERAL);
5124 show_valid_win32_tun_subnets ();
5125 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
5126 }
5127 else if (streq (p[0], "pause-exit"))
5128 {
5129 VERIFY_PERMISSION (OPT_P_GENERAL);
5130 set_pause_exit_win32 ();
5131 }
5132 else if (streq (p[0], "service") && p[1])
5133 {
5134 VERIFY_PERMISSION (OPT_P_GENERAL);
5135 options->exit_event_name = p[1];
5136 if (p[2])
5137 {
5138 options->exit_event_initial_state = (atoi(p[2]) != 0);
5139 }
5140 }
5141 else if (streq (p[0], "allow-nonadmin"))
5142 {
5143 VERIFY_PERMISSION (OPT_P_GENERAL);
5144 tap_allow_nonadmin_access (p[1]);
5145 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5146 }
5147 else if (streq (p[0], "user") && p[1])
5148 {
5149 VERIFY_PERMISSION (OPT_P_GENERAL);
5150 msg (M_WARN, "NOTE: --user option is not implemented on Windows");
5151 }
5152 else if (streq (p[0], "group") && p[1])
5153 {
5154 VERIFY_PERMISSION (OPT_P_GENERAL);
5155 msg (M_WARN, "NOTE: --group option is not implemented on Windows");
5156 }
5157 #else
5158 else if (streq (p[0], "user") && p[1])
5159 {
5160 VERIFY_PERMISSION (OPT_P_GENERAL);
5161 options->username = p[1];
5162 }
5163 else if (streq (p[0], "group") && p[1])
5164 {
5165 VERIFY_PERMISSION (OPT_P_GENERAL);
5166 options->groupname = p[1];
5167 }
5168 else if (streq (p[0], "dhcp-option") && p[1])
5169 {
5170 VERIFY_PERMISSION (OPT_P_IPWIN32);
5171 foreign_option (options, p, 3, es);
5172 }
5173 else if (streq (p[0], "route-method") && p[1]) /* ignore when pushed to non-Windows OS */
5174 {
5175 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
5176 }
5177 #endif
5178 #if PASSTOS_CAPABILITY
5179 else if (streq (p[0], "passtos"))
5180 {
5181 VERIFY_PERMISSION (OPT_P_GENERAL);
5182 options->passtos = true;
5183 }
5184 #endif
5185 #ifdef USE_LZO
5186 else if (streq (p[0], "comp-lzo"))
5187 {
5188 VERIFY_PERMISSION (OPT_P_COMP);
5189 if (p[1])
5190 {
5191 if (streq (p[1], "yes"))
5192 options->lzo = LZO_SELECTED|LZO_ON;
5193 else if (streq (p[1], "no"))
5194 options->lzo = LZO_SELECTED;
5195 else if (streq (p[1], "adaptive"))
5196 options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE;
5197 else
5198 {
5199 msg (msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
5200 goto err;
5201 }
5202 }
5203 else
5204 options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE;
5205 }
5206 else if (streq (p[0], "comp-noadapt"))
5207 {
5208 VERIFY_PERMISSION (OPT_P_COMP);
5209 options->lzo &= ~LZO_ADAPTIVE;
5210 }
5211 #endif /* USE_LZO */
5212 #ifdef USE_CRYPTO
5213 else if (streq (p[0], "show-ciphers"))
5214 {
5215 VERIFY_PERMISSION (OPT_P_GENERAL);
5216 options->show_ciphers = true;
5217 }
5218 else if (streq (p[0], "show-digests"))
5219 {
5220 VERIFY_PERMISSION (OPT_P_GENERAL);
5221 options->show_digests = true;
5222 }
5223 else if (streq (p[0], "show-engines"))
5224 {
5225 VERIFY_PERMISSION (OPT_P_GENERAL);
5226 options->show_engines = true;
5227 }
5228 else if (streq (p[0], "key-direction") && p[1])
5229 {
5230 int key_direction;
5231
5232 key_direction = ascii2keydirection (msglevel, p[1]);
5233 if (key_direction >= 0)
5234 options->key_direction = key_direction;
5235 else
5236 goto err;
5237 }
5238 else if (streq (p[0], "secret") && p[1])
5239 {
5240 VERIFY_PERMISSION (OPT_P_GENERAL);
5241 #if ENABLE_INLINE_FILES
5242 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5243 {
5244 options->shared_secret_file_inline = p[2];
5245 }
5246 else
5247 #endif
5248 if (p[2])
5249 {
5250 int key_direction;
5251
5252 key_direction = ascii2keydirection (msglevel, p[2]);
5253 if (key_direction >= 0)
5254 options->key_direction = key_direction;
5255 else
5256 goto err;
5257 }
5258 options->shared_secret_file = p[1];
5259 }
5260 else if (streq (p[0], "genkey"))
5261 {
5262 VERIFY_PERMISSION (OPT_P_GENERAL);
5263 options->genkey = true;
5264 }
5265 else if (streq (p[0], "auth") && p[1])
5266 {
5267 VERIFY_PERMISSION (OPT_P_CRYPTO);
5268 options->authname_defined = true;
5269 options->authname = p[1];
5270 if (streq (options->authname, "none"))
5271 {
5272 options->authname_defined = false;
5273 options->authname = NULL;
5274 }
5275 }
5276 else if (streq (p[0], "auth"))
5277 {
5278 VERIFY_PERMISSION (OPT_P_CRYPTO);
5279 options->authname_defined = true;
5280 }
5281 else if (streq (p[0], "cipher") && p[1])
5282 {
5283 VERIFY_PERMISSION (OPT_P_CRYPTO);
5284 options->ciphername_defined = true;
5285 options->ciphername = p[1];
5286 if (streq (options->ciphername, "none"))
5287 {
5288 options->ciphername_defined = false;
5289 options->ciphername = NULL;
5290 }
5291 }
5292 else if (streq (p[0], "cipher"))
5293 {
5294 VERIFY_PERMISSION (OPT_P_CRYPTO);
5295 options->ciphername_defined = true;
5296 }
5297 else if (streq (p[0], "prng") && p[1])
5298 {
5299 VERIFY_PERMISSION (OPT_P_CRYPTO);
5300 if (streq (p[1], "none"))
5301 options->prng_hash = NULL;
5302 else
5303 options->prng_hash = p[1];
5304 if (p[2])
5305 {
5306 const int sl = atoi (p[2]);
5307 if (sl >= NONCE_SECRET_LEN_MIN && sl <= NONCE_SECRET_LEN_MAX)
5308 {
5309 options->prng_nonce_secret_len = sl;
5310 }
5311 else
5312 {
5313 msg (msglevel, "prng parameter nonce_secret_len must be between %d and %d",
5314 NONCE_SECRET_LEN_MIN, NONCE_SECRET_LEN_MAX);
5315 goto err;
5316 }
5317 }
5318 }
5319 else if (streq (p[0], "no-replay"))
5320 {
5321 VERIFY_PERMISSION (OPT_P_CRYPTO);
5322 options->replay = false;
5323 }
5324 else if (streq (p[0], "replay-window"))
5325 {
5326 VERIFY_PERMISSION (OPT_P_CRYPTO);
5327 if (p[1])
5328 {
5329 int replay_window;
5330
5331 replay_window = atoi (p[1]);
5332 if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
5333 {
5334 msg (msglevel, "replay-window window size parameter (%d) must be between %d and %d",
5335 replay_window,
5336 MIN_SEQ_BACKTRACK,
5337 MAX_SEQ_BACKTRACK);
5338 goto err;
5339 }
5340 options->replay_window = replay_window;
5341
5342 if (p[2])
5343 {
5344 int replay_time;
5345
5346 replay_time = atoi (p[2]);
5347 if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
5348 {
5349 msg (msglevel, "replay-window time window parameter (%d) must be between %d and %d",
5350 replay_time,
5351 MIN_TIME_BACKTRACK,
5352 MAX_TIME_BACKTRACK);
5353 goto err;
5354 }
5355 options->replay_time = replay_time;
5356 }
5357 }
5358 else
5359 {
5360 msg (msglevel, "replay-window option is missing window size parameter");
5361 goto err;
5362 }
5363 }
5364 else if (streq (p[0], "mute-replay-warnings"))
5365 {
5366 VERIFY_PERMISSION (OPT_P_CRYPTO);
5367 options->mute_replay_warnings = true;
5368 }
5369 else if (streq (p[0], "no-iv"))
5370 {
5371 VERIFY_PERMISSION (OPT_P_CRYPTO);
5372 options->use_iv = false;
5373 }
5374 else if (streq (p[0], "replay-persist") && p[1])
5375 {
5376 VERIFY_PERMISSION (OPT_P_GENERAL);
5377 options->packet_id_file = p[1];
5378 }
5379 else if (streq (p[0], "test-crypto"))
5380 {
5381 VERIFY_PERMISSION (OPT_P_GENERAL);
5382 options->test_crypto = true;
5383 }
5384 else if (streq (p[0], "engine"))
5385 {
5386 VERIFY_PERMISSION (OPT_P_GENERAL);
5387 if (p[1])
5388 {
5389 options->engine = p[1];
5390 }
5391 else
5392 options->engine = "auto";
5393 }
5394 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
5395 else if (streq (p[0], "keysize") && p[1])
5396 {
5397 int keysize;
5398
5399 VERIFY_PERMISSION (OPT_P_CRYPTO);
5400 keysize = atoi (p[1]) / 8;
5401 if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH)
5402 {
5403 msg (msglevel, "Bad keysize: %s", p[1]);
5404 goto err;
5405 }
5406 options->keysize = keysize;
5407 }
5408 #endif
5409 #ifdef USE_SSL
5410 else if (streq (p[0], "show-tls"))
5411 {
5412 VERIFY_PERMISSION (OPT_P_GENERAL);
5413 options->show_tls_ciphers = true;
5414 }
5415 else if (streq (p[0], "tls-server"))
5416 {
5417 VERIFY_PERMISSION (OPT_P_GENERAL);
5418 options->tls_server = true;
5419 }
5420 else if (streq (p[0], "tls-client"))
5421 {
5422 VERIFY_PERMISSION (OPT_P_GENERAL);
5423 options->tls_client = true;
5424 }
5425 else if (streq (p[0], "ca") && p[1])
5426 {
5427 VERIFY_PERMISSION (OPT_P_GENERAL);
5428 options->ca_file = p[1];
5429 #if ENABLE_INLINE_FILES
5430 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5431 {
5432 options->ca_file_inline = p[2];
5433 }
5434 #endif
5435 }
5436 else if (streq (p[0], "capath") && p[1])
5437 {
5438 VERIFY_PERMISSION (OPT_P_GENERAL);
5439 options->ca_path = p[1];
5440 }
5441 else if (streq (p[0], "dh") && p[1])
5442 {
5443 VERIFY_PERMISSION (OPT_P_GENERAL);
5444 options->dh_file = p[1];
5445 #if ENABLE_INLINE_FILES
5446 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5447 {
5448 options->dh_file_inline = p[2];
5449 }
5450 #endif
5451 }
5452 else if (streq (p[0], "cert") && p[1])
5453 {
5454 VERIFY_PERMISSION (OPT_P_GENERAL);
5455 options->cert_file = p[1];
5456 #if ENABLE_INLINE_FILES
5457 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5458 {
5459 options->cert_file_inline = p[2];
5460 }
5461 #endif
5462 }
5463 #ifdef WIN32
5464 else if (streq (p[0], "cryptoapicert") && p[1])
5465 {
5466 VERIFY_PERMISSION (OPT_P_GENERAL);
5467 options->cryptoapi_cert = p[1];
5468 }
5469 #endif
5470 else if (streq (p[0], "key") && p[1])
5471 {
5472 VERIFY_PERMISSION (OPT_P_GENERAL);
5473 options->priv_key_file = p[1];
5474 #if ENABLE_INLINE_FILES
5475 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5476 {
5477 options->priv_key_file_inline = p[2];
5478 }
5479 #endif
5480 }
5481 else if (streq (p[0], "pkcs12") && p[1])
5482 {
5483 VERIFY_PERMISSION (OPT_P_GENERAL);
5484 options->pkcs12_file = p[1];
5485 }
5486 else if (streq (p[0], "askpass"))
5487 {
5488 VERIFY_PERMISSION (OPT_P_GENERAL);
5489 if (p[1])
5490 {
5491 options->key_pass_file = p[1];
5492 }
5493 else
5494 options->key_pass_file = "stdin";
5495 }
5496 else if (streq (p[0], "auth-nocache"))
5497 {
5498 VERIFY_PERMISSION (OPT_P_GENERAL);
5499 ssl_set_auth_nocache ();
5500 }
5501 else if (streq (p[0], "single-session"))
5502 {
5503 VERIFY_PERMISSION (OPT_P_GENERAL);
5504 options->single_session = true;
5505 }
5506 else if (streq (p[0], "tls-exit"))
5507 {
5508 VERIFY_PERMISSION (OPT_P_GENERAL);
5509 options->tls_exit = true;
5510 }
5511 else if (streq (p[0], "tls-cipher") && p[1])
5512 {
5513 VERIFY_PERMISSION (OPT_P_GENERAL);
5514 options->cipher_list = p[1];
5515 }
5516 else if (streq (p[0], "crl-verify") && p[1])
5517 {
5518 VERIFY_PERMISSION (OPT_P_GENERAL);
5519 options->crl_file = p[1];
5520 }
5521 else if (streq (p[0], "tls-verify") && p[1])
5522 {
5523 VERIFY_PERMISSION (OPT_P_SCRIPT);
5524 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
5525 goto err;
5526 options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);
5527 }
5528 else if (streq (p[0], "tls-remote") && p[1])
5529 {
5530 VERIFY_PERMISSION (OPT_P_GENERAL);
5531 options->tls_remote = p[1];
5532 }
5533 else if (streq (p[0], "ns-cert-type") && p[1])
5534 {
5535 VERIFY_PERMISSION (OPT_P_GENERAL);
5536 if (streq (p[1], "server"))
5537 options->ns_cert_type = NS_SSL_SERVER;
5538 else if (streq (p[1], "client"))
5539 options->ns_cert_type = NS_SSL_CLIENT;
5540 else
5541 {
5542 msg (msglevel, "--ns-cert-type must be 'client' or 'server'");
5543 goto err;
5544 }
5545 }
5546 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
5547 else if (streq (p[0], "remote-cert-ku"))
5548 {
5549 int j;
5550
5551 VERIFY_PERMISSION (OPT_P_GENERAL);
5552
5553 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5554 sscanf (p[j], "%x", &(options->remote_cert_ku[j-1]));
5555 }
5556 else if (streq (p[0], "remote-cert-eku") && p[1])
5557 {
5558 VERIFY_PERMISSION (OPT_P_GENERAL);
5559 options->remote_cert_eku = p[1];
5560 }
5561 else if (streq (p[0], "remote-cert-tls") && p[1])
5562 {
5563 VERIFY_PERMISSION (OPT_P_GENERAL);
5564
5565 if (streq (p[1], "server"))
5566 {
5567 options->remote_cert_ku[0] = 0xa0;
5568 options->remote_cert_ku[1] = 0x88;
5569 options->remote_cert_eku = "TLS Web Server Authentication";
5570 }
5571 else if (streq (p[1], "client"))
5572 {
5573 options->remote_cert_ku[0] = 0x80;
5574 options->remote_cert_ku[1] = 0x08;
5575 options->remote_cert_ku[2] = 0x88;
5576 options->remote_cert_eku = "TLS Web Client Authentication";
5577 }
5578 else
5579 {
5580 msg (msglevel, "--remote-cert-tls must be 'client' or 'server'");
5581 goto err;
5582 }
5583 }
5584 #endif /* OPENSSL_VERSION_NUMBER */
5585 else if (streq (p[0], "tls-timeout") && p[1])
5586 {
5587 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5588 options->tls_timeout = positive_atoi (p[1]);
5589 }
5590 else if (streq (p[0], "reneg-bytes") && p[1])
5591 {
5592 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5593 options->renegotiate_bytes = positive_atoi (p[1]);
5594 }
5595 else if (streq (p[0], "reneg-pkts") && p[1])
5596 {
5597 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5598 options->renegotiate_packets = positive_atoi (p[1]);
5599 }
5600 else if (streq (p[0], "reneg-sec") && p[1])
5601 {
5602 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5603 options->renegotiate_seconds = positive_atoi (p[1]);
5604 }
5605 else if (streq (p[0], "hand-window") && p[1])
5606 {
5607 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5608 options->handshake_window = positive_atoi (p[1]);
5609 }
5610 else if (streq (p[0], "tran-window") && p[1])
5611 {
5612 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5613 options->transition_window = positive_atoi (p[1]);
5614 }
5615 else if (streq (p[0], "tls-auth") && p[1])
5616 {
5617 VERIFY_PERMISSION (OPT_P_GENERAL);
5618 #if ENABLE_INLINE_FILES
5619 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5620 {
5621 options->tls_auth_file_inline = p[2];
5622 }
5623 else
5624 #endif
5625 if (p[2])
5626 {
5627 int key_direction;
5628
5629 key_direction = ascii2keydirection (msglevel, p[2]);
5630 if (key_direction >= 0)
5631 options->key_direction = key_direction;
5632 else
5633 goto err;
5634 }
5635 options->tls_auth_file = p[1];
5636 }
5637 else if (streq (p[0], "key-method") && p[1])
5638 {
5639 int key_method;
5640
5641 VERIFY_PERMISSION (OPT_P_GENERAL);
5642 key_method = atoi (p[1]);
5643 if (key_method < KEY_METHOD_MIN || key_method > KEY_METHOD_MAX)
5644 {
5645 msg (msglevel, "key_method parameter (%d) must be >= %d and <= %d",
5646 key_method,
5647 KEY_METHOD_MIN,
5648 KEY_METHOD_MAX);
5649 goto err;
5650 }
5651 options->key_method = key_method;
5652 }
5653 #endif /* USE_SSL */
5654 #endif /* USE_CRYPTO */
5655 #ifdef ENABLE_PKCS11
5656 else if (streq (p[0], "show-pkcs11-ids") && p[1])
5657 {
5658 char *provider = p[1];
5659 bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 ));
5660
5661 VERIFY_PERMISSION (OPT_P_GENERAL);
5662
5663 set_debug_level (options->verbosity, SDL_CONSTRAIN);
5664 show_pkcs11_ids (provider, cert_private);
5665 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5666 }
5667 else if (streq (p[0], "pkcs11-providers") && p[1])
5668 {
5669 int j;
5670
5671 VERIFY_PERMISSION (OPT_P_GENERAL);
5672
5673 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5674 options->pkcs11_providers[j-1] = p[j];
5675 }
5676 else if (streq (p[0], "pkcs11-protected-authentication"))
5677 {
5678 int j;
5679
5680 VERIFY_PERMISSION (OPT_P_GENERAL);
5681
5682 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5683 options->pkcs11_protected_authentication[j-1] = atoi (p[j]) != 0 ? 1 : 0;
5684 }
5685 else if (streq (p[0], "pkcs11-private-mode") && p[1])
5686 {
5687 int j;
5688
5689 VERIFY_PERMISSION (OPT_P_GENERAL);
5690
5691 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5692 sscanf (p[j], "%x", &(options->pkcs11_private_mode[j-1]));
5693 }
5694 else if (streq (p[0], "pkcs11-cert-private"))
5695 {
5696 int j;
5697
5698 VERIFY_PERMISSION (OPT_P_GENERAL);
5699
5700 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5701 options->pkcs11_cert_private[j-1] = atoi (p[j]) != 0 ? 1 : 0;
5702 }
5703 else if (streq (p[0], "pkcs11-pin-cache") && p[1])
5704 {
5705 VERIFY_PERMISSION (OPT_P_GENERAL);
5706 options->pkcs11_pin_cache_period = atoi (p[1]);
5707 }
5708 else if (streq (p[0], "pkcs11-id") && p[1])
5709 {
5710 VERIFY_PERMISSION (OPT_P_GENERAL);
5711 options->pkcs11_id = p[1];
5712 }
5713 else if (streq (p[0], "pkcs11-id-management"))
5714 {
5715 VERIFY_PERMISSION (OPT_P_GENERAL);
5716 options->pkcs11_id_management = true;
5717 }
5718 #endif
5719 #ifdef TUNSETPERSIST
5720 else if (streq (p[0], "rmtun"))
5721 {
5722 VERIFY_PERMISSION (OPT_P_GENERAL);
5723 options->persist_config = true;
5724 options->persist_mode = 0;
5725 }
5726 else if (streq (p[0], "mktun"))
5727 {
5728 VERIFY_PERMISSION (OPT_P_GENERAL);
5729 options->persist_config = true;
5730 options->persist_mode = 1;
5731 }
5732 #endif
5733 else
5734 {
5735 if (file)
5736 msg (msglevel_fc, "Unrecognized option or missing parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
5737 else
5738 msg (msglevel_fc, "Unrecognized option or missing parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
5739 }
5740 err:
5741 gc_free (&gc);
5742 }
Tomato firmware and modifications.