search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
OpenVPN: Update to version 2.3.2. Solves TLS security bug.
[tomato.git] / release / src / router / openvpn / src / openvpn / options.c
blob23af2720cfa48973c2b0d06b89cb9c0a29029026
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 *
10 * Additions for eurephia plugin done by:
11 * David Sommerseth <dazo@users.sourceforge.net> Copyright (C) 2009
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License version 2
15 * as published by the Free Software Foundation.
16 *
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program (see the file COPYING included with this
24 * distribution); if not, write to the Free Software Foundation, Inc.,
25 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26 */
27
28 /*
29 * 2004-01-28: Added Socks5 proxy support
30 * (Christof Meerwald, http://cmeerw.org)
31 */
32
33 #ifdef HAVE_CONFIG_H
34 #include "config.h"
35 #elif defined(_MSC_VER)
36 #include "config-msvc.h"
37 #endif
38 #ifdef HAVE_CONFIG_VERSION_H
39 #include "config-version.h"
40 #endif
41
42 #include "syshead.h"
43
44 #include "buffer.h"
45 #include "error.h"
46 #include "common.h"
47 #include "shaper.h"
48 #include "crypto.h"
49 #include "ssl.h"
50 #include "options.h"
51 #include "misc.h"
52 #include "socket.h"
53 #include "packet_id.h"
54 #include "pkcs11.h"
55 #include "win32.h"
56 #include "push.h"
57 #include "pool.h"
58 #include "helper.h"
59 #include "manage.h"
60 #include "forward.h"
61 #include <ctype.h>
62
63 #include "memdbg.h"
64
65 const char title_string[] =
66 PACKAGE_STRING
67 " " TARGET_ALIAS
68 #ifdef ENABLE_CRYPTO
69 #ifdef ENABLE_SSL
70 #if defined(ENABLE_CRYPTO_POLARSSL)
71 " [SSL (PolarSSL)]"
72 #elif defined(ENABLE_CRYPTO_OPENSSL)
73 " [SSL (OpenSSL)]"
74 #else
75 " [SSL]"
76 #endif /* defined(ENABLE_CRYPTO_POLARSSL) */
77 #else /* ! ENABLE_SSL */
78 #if defined(ENABLE_CRYPTO_POLARSSL)
79 " [CRYPTO (PolarSSL)]"
80 #elif defined(ENABLE_CRYPTO_OPENSSL)
81 " [CRYPTO (OpenSSL)]"
82 #else
83 " [CRYPTO]"
84 #endif /* defined(ENABLE_CRYPTO_POLARSSL) */
85 #endif /* ENABLE_SSL */
86 #endif /* ENABLE_CRYPTO */
87 #ifdef ENABLE_LZO
88 #ifdef ENABLE_LZO_STUB
89 " [LZO (STUB)]"
90 #else
91 " [LZO]"
92 #endif
93 #endif
94 #if EPOLL
95 " [EPOLL]"
96 #endif
97 #ifdef PRODUCT_TAP_DEBUG
98 " [TAPDBG]"
99 #endif
100 #ifdef ENABLE_PKCS11
101 " [PKCS11]"
102 #endif
103 #ifdef ENABLE_EUREPHIA
104 " [eurephia]"
105 #endif
106 #if ENABLE_IP_PKTINFO
107 " [MH]"
108 #endif
109 " [IPv6]"
110 " built on " __DATE__
111 ;
112
113 #ifndef ENABLE_SMALL
114
115 static const char usage_message[] =
116 "%s\n"
117 "\n"
118 "General Options:\n"
119 "--config file : Read configuration options from file.\n"
120 "--help : Show options.\n"
121 "--version : Show copyright and version information.\n"
122 "\n"
123 "Tunnel Options:\n"
124 "--local host : Local host name or ip address. Implies --bind.\n"
125 "--remote host [port] : Remote host name or ip address.\n"
126 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
127 "--remote-random-hostname : Add a random string to remote DNS name.\n"
128 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
129 "--proto p : Use protocol p for communicating with peer.\n"
130 " p = udp (default), tcp-server, or tcp-client\n"
131 "--proto-force p : only consider protocol p in list of connection profiles.\n"
132 " p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
133 "--connect-retry n : For --proto tcp-client, number of seconds to wait\n"
134 " between connection retries (default=%d).\n"
135 "--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).\n"
136 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
137 #ifdef ENABLE_HTTP_PROXY
138 "--http-proxy s p [up] [auth] : Connect to remote host\n"
139 " through an HTTP proxy at address s and port p.\n"
140 " If proxy authentication is required,\n"
141 " up is a file containing username/password on 2 lines, or\n"
142 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
143 " the proxy requires NTLM authentication.\n"
144 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
145 " determine auth method and query for username/password\n"
146 " if needed. auto-nct disables weak proxy auth methods.\n"
147 "--http-proxy-retry : Retry indefinitely on HTTP proxy errors.\n"
148 "--http-proxy-timeout n : Proxy timeout in seconds, default=5.\n"
149 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
150 " Repeat to set multiple options.\n"
151 " VERSION version (default=1.0)\n"
152 " AGENT user-agent\n"
153 #endif
154 #ifdef ENABLE_SOCKS
155 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
156 " address s and port p (default port = 1080).\n"
157 " If proxy authentication is required,\n"
158 " up is a file containing username/password on 2 lines, or\n"
159 " 'stdin' to prompt for console.\n"
160 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
161 #endif
162 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
163 " resolve for n seconds before failing (disabled by default).\n"
164 " Set n=\"infinite\" to retry indefinitely.\n"
165 "--float : Allow remote to change its IP address/port, such as through\n"
166 " DHCP (this is the default if --remote is not used).\n"
167 "--ipchange cmd : Run command cmd on remote ip address initial\n"
168 " setting or change -- execute as: cmd ip-address port#\n"
169 "--port port : TCP/UDP port # for both local and remote.\n"
170 "--lport port : TCP/UDP port # for local (default=%d). Implies --bind.\n"
171 "--rport port : TCP/UDP port # for remote (default=%d).\n"
172 "--bind : Bind to local address and port. (This is the default unless\n"
173 " --proto tcp-client"
174 #ifdef ENABLE_HTTP_PROXY
175 " or --http-proxy"
176 #endif
177 #ifdef ENABLE_SOCKS
178 " or --socks-proxy"
179 #endif
180 " is used).\n"
181 "--nobind : Do not bind to local address and port.\n"
182 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
183 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
184 " this option only if the tun/tap device used with --dev\n"
185 " does not begin with \"tun\" or \"tap\".\n"
186 "--dev-node node : Explicitly set the device node rather than using\n"
187 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
188 "--lladdr hw : Set the link layer address of the tap device.\n"
189 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
190 "--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic.\n"
191 #ifdef ENABLE_IPROUTE
192 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
193 #endif
194 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
195 " endpoint and rn as a remote endpoint. l & rn should be\n"
196 " swapped on the other peer. l & rn must be private\n"
197 " addresses outside of the subnets used by either peer.\n"
198 " TAP: configure device to use IP address l as a local\n"
199 " endpoint and rn as a subnet mask.\n"
200 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
201 " endpoint (as a /64) and r as remote endpoint\n"
202 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
203 " pass --ifconfig parms by environment to scripts.\n"
204 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
205 " connection doesn't match the remote side.\n"
206 "--route network [netmask] [gateway] [metric] :\n"
207 " Add route to routing table after connection\n"
208 " is established. Multiple routes can be specified.\n"
209 " netmask default: 255.255.255.255\n"
210 " gateway default: taken from --route-gateway or --ifconfig\n"
211 " Specify default by leaving blank or setting to \"nil\".\n"
212 "--route-ipv6 network/bits [gateway] [metric] :\n"
213 " Add IPv6 route to routing table after connection\n"
214 " is established. Multiple routes can be specified.\n"
215 " gateway default: taken from --route-ipv6-gateway or --ifconfig\n"
216 "--max-routes n : Specify the maximum number of routes that may be defined\n"
217 " or pulled from a server.\n"
218 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
219 "--route-metric m : Specify a default metric for use with --route.\n"
220 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
221 " adding routes (may be 0). If not specified, routes will\n"
222 " be added immediately after tun/tap open. On Windows, wait\n"
223 " up to w seconds for TUN/TAP adapter to come up.\n"
224 "--route-up cmd : Run command cmd after routes are added.\n"
225 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
226 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
227 " --route-up script using environmental variables.\n"
228 "--route-nopull : When used with --client or --pull, accept options pushed\n"
229 " by server EXCEPT for routes and dhcp options.\n"
230 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
231 " --ifconfig, --route, and --route-gateway.\n"
232 "--redirect-gateway [flags]: Automatically execute routing\n"
233 " commands to redirect all outgoing IP traffic through the\n"
234 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
235 " connected via a common subnet, such as with WiFi.\n"
236 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
237 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
238 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
239 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
240 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
241 " the default gateway. Useful when pushing private subnets.\n"
242 #ifdef ENABLE_CLIENT_NAT
243 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
244 #endif
245 #ifdef ENABLE_PUSH_PEER_INFO
246 "--push-peer-info : (client only) push client info to server.\n"
247 #endif
248 "--setenv name value : Set a custom environmental variable to pass to script.\n"
249 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
250 " directives for future OpenVPN versions to be ignored.\n"
251 "--script-security level: Where level can be:\n"
252 " 0 -- strictly no calling of external programs\n"
253 " 1 -- (default) only call built-ins such as ifconfig\n"
254 " 2 -- allow calling of built-ins and scripts\n"
255 " 3 -- allow password to be passed to scripts via env\n"
256 "--shaper n : Restrict output to peer to n bytes per second.\n"
257 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
258 " ping once every n seconds, restart if ping not received\n"
259 " for m seconds.\n"
260 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
261 " produces a combined in/out byte count < bytes.\n"
262 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
263 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
264 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
265 " remote address.\n"
266 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
267 #if ENABLE_IP_PKTINFO
268 "--multihome : Configure a multi-homed UDP server.\n"
269 #endif
270 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
271 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
272 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
273 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
274 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
275 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
276 #if PASSTOS_CAPABILITY
277 "--passtos : TOS passthrough (applies to IPv4 only).\n"
278 #endif
279 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
280 " TCP/UDP MTU from it (default=%d).\n"
281 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
282 " as n bytes more than the tun-mtu size on read\n"
283 " (default TUN=0 TAP=%d).\n"
284 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
285 " from it.\n"
286 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
287 " 'no' -- Never send DF (Don't Fragment) frames\n"
288 " 'maybe' -- Use per-route hints\n"
289 " 'yes' -- Always DF (Don't Fragment)\n"
290 #ifdef ENABLE_OCC
291 "--mtu-test : Empirically measure and report MTU.\n"
292 #endif
293 #ifdef ENABLE_FRAGMENT
294 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
295 " datagrams are sent which are larger than max bytes.\n"
296 " Adds 4 bytes of overhead per datagram.\n"
297 #endif
298 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
299 " or --fragment max value, whichever is lower.\n"
300 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
301 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
302 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
303 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
304 " can be matched in policy routing and packetfilter rules.\n"
305 #endif
306 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
307 #ifdef ENABLE_MEMSTATS
308 "--memstats file : Write live usage stats to memory mapped binary file.\n"
309 #endif
310 "--mlock : Disable Paging -- ensures key material and tunnel\n"
311 " data will never be written to disk.\n"
312 "--up cmd : Run command cmd after successful tun device open.\n"
313 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
314 " ifconfig-local-ip ifconfig-remote-ip\n"
315 " (pre --user or --group UID/GID change)\n"
316 "--up-delay : Delay tun/tap open and possible --up script execution\n"
317 " until after TCP/UDP connection establishment with peer.\n"
318 "--down cmd : Run command cmd after tun device close.\n"
319 " (post --user/--group UID/GID change and/or --chroot)\n"
320 " (command parameters are same as --up option)\n"
321 "--down-pre : Run --down command before TUN/TAP close.\n"
322 "--up-restart : Run up/down commands for all restarts including those\n"
323 " caused by --ping-restart or SIGUSR1\n"
324 "--user user : Set UID to user after initialization.\n"
325 "--group group : Set GID to group after initialization.\n"
326 "--chroot dir : Chroot to this directory after initialization.\n"
327 #ifdef ENABLE_SELINUX
328 "--setcon context: Apply this SELinux context after initialization.\n"
329 #endif
330 "--cd dir : Change to this directory before initialization.\n"
331 "--daemon [name] : Become a daemon after initialization.\n"
332 " The optional 'name' parameter will be passed\n"
333 " as the program name to the system logger.\n"
334 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
335 " See --daemon above for a description of the 'name' parm.\n"
336 "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
337 " See --daemon above for a description of the 'name' parm.\n"
338 "--log file : Output log to file which is created/truncated on open.\n"
339 "--log-append file : Append log to file, or create file if nonexistent.\n"
340 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
341 "--writepid file : Write main process ID to file.\n"
342 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
343 "--echo [parms ...] : Echo parameters to log output.\n"
344 "--verb n : Set output verbosity to n (default=%d):\n"
345 " (Level 3 is recommended if you want a good summary\n"
346 " of what's happening without being swamped by output).\n"
347 " : 0 -- no output except fatal errors\n"
348 " : 1 -- startup info + connection initiated messages +\n"
349 " non-fatal encryption & net errors\n"
350 " : 2,3 -- show TLS negotiations & route info\n"
351 " : 4 -- show parameters\n"
352 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
353 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
354 " : 6 to 11 -- debug messages of increasing verbosity\n"
355 "--mute n : Log at most n consecutive messages in the same category.\n"
356 "--status file n : Write operational status to file every n seconds.\n"
357 "--status-version [n] : Choose the status file format version number.\n"
358 " Currently, n can be 1, 2, or 3 (default=1).\n"
359 #ifdef ENABLE_OCC
360 "--disable-occ : Disable options consistency check between peers.\n"
361 #endif
362 #ifdef ENABLE_DEBUG
363 "--gremlin mask : Special stress testing mode (for debugging only).\n"
364 #endif
365 #ifdef ENABLE_LZO
366 "--comp-lzo : Use fast LZO compression -- may add up to 1 byte per\n"
367 " packet for uncompressible data.\n"
368 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
369 " is specified.\n"
370 #endif
371 #ifdef ENABLE_MANAGEMENT
372 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
373 " management functions. pass is a password file\n"
374 " or 'stdin' to prompt from console.\n"
375 #if UNIX_SOCK_SUPPORT
376 " To listen on a unix domain socket, specific the pathname\n"
377 " in place of ip and use 'unix' as the port number.\n"
378 #endif
379 "--management-client : Management interface will connect as a TCP client to\n"
380 " ip/port rather than listen as a TCP server.\n"
381 "--management-query-passwords : Query management channel for private key\n"
382 " and auth-user-pass passwords.\n"
383 "--management-query-proxy : Query management channel for proxy information.\n"
384 "--management-query-remote : Query management channel for --remote directive.\n"
385 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
386 " of the management interface explicitly starts it.\n"
387 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
388 "--management-forget-disconnect : Forget passwords when management disconnect\n"
389 " event occurs.\n"
390 "--management-up-down : Report tunnel up/down events to management interface.\n"
391 "--management-log-cache n : Cache n lines of log file history for usage\n"
392 " by the management channel.\n"
393 #if UNIX_SOCK_SUPPORT
394 "--management-client-user u : When management interface is a unix socket, only\n"
395 " allow connections from user u.\n"
396 "--management-client-group g : When management interface is a unix socket, only\n"
397 " allow connections from group g.\n"
398 #endif
399 #ifdef MANAGEMENT_DEF_AUTH
400 "--management-client-auth : gives management interface client the responsibility\n"
401 " to authenticate clients after their client certificate\n"
402 " has been verified.\n"
403 #endif
404 #ifdef MANAGEMENT_PF
405 "--management-client-pf : management interface clients must specify a packet\n"
406 " filter file for each connecting client.\n"
407 #endif
408 #endif
409 #ifdef ENABLE_PLUGIN
410 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
411 " to its initialization function.\n"
412 #endif
413 #if P2MP
414 #if P2MP_SERVER
415 "\n"
416 "Multi-Client Server options (when --mode server is used):\n"
417 "--server network netmask : Helper option to easily configure server mode.\n"
418 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
419 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
420 " easily configure ethernet bridging server mode.\n"
421 "--push \"option\" : Push a config file option back to the peer for remote\n"
422 " execution. Peer must specify --pull in its config file.\n"
423 "--push-reset : Don't inherit global push list for specific\n"
424 " client instance.\n"
425 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
426 " to be dynamically allocated to connecting clients.\n"
427 "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
428 " in tun mode. Not compatible with Windows clients.\n"
429 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
430 " data to file, at seconds intervals (default=600).\n"
431 " If seconds=0, file will be treated as read-only.\n"
432 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
433 " to be dynamically allocated to connecting clients.\n"
434 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
435 " overrides --ifconfig-pool dynamic allocation.\n"
436 " Only valid in a client-specific config file.\n"
437 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
438 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
439 " Only valid in a client-specific config file.\n"
440 "--iroute network [netmask] : Route subnet to client.\n"
441 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
442 " Sets up internal routes only.\n"
443 " Only valid in a client-specific config file.\n"
444 "--disable : Client is disabled.\n"
445 " Only valid in a client-specific config file.\n"
446 "--client-cert-not-required : Don't require client certificate, client\n"
447 " will authenticate using username/password.\n"
448 "--username-as-common-name : For auth-user-pass authentication, use\n"
449 " the authenticated username as the common name,\n"
450 " rather than the common name from the client cert.\n"
451 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
452 " run command cmd to verify. If method='via-env', pass\n"
453 " user/pass via environment, if method='via-file', pass\n"
454 " user/pass via temporary file.\n"
455 "--opt-verify : Clients that connect with options that are incompatible\n"
456 " with those of the server will be disconnected.\n"
457 "--auth-user-pass-optional : Allow connections by clients that don't\n"
458 " specify a username/password.\n"
459 "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
460 " any printable character.\n"
461 "--client-to-client : Internally route client-to-client traffic.\n"
462 "--duplicate-cn : Allow multiple clients with the same common name to\n"
463 " concurrently connect.\n"
464 "--client-connect cmd : Run command cmd on client connection.\n"
465 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
466 "--client-config-dir dir : Directory for custom client config files.\n"
467 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
468 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
469 "--hash-size r v : Set the size of the real address hash table to r and the\n"
470 " virtual address table to v.\n"
471 "--bcast-buffers n : Allocate n broadcast buffers.\n"
472 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
473 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
474 " as well as pushes it to connecting clients.\n"
475 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
476 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
477 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
478 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
479 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
480 " older than n seconds. Run this check every t\n"
481 " seconds (defaults to n).\n"
482 #if PORT_SHARE
483 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
484 " sessions to a web server at host:port. dir specifies an\n"
485 " optional directory to write origin IP:port data.\n"
486 #endif
487 #endif
488 "\n"
489 "Client options (when connecting to a multi-client server):\n"
490 "--client : Helper option to easily configure client mode.\n"
491 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
492 " up is a file containing username/password on 2 lines,\n"
493 " or omit to prompt from console.\n"
494 "--pull : Accept certain config file options from the peer as if they\n"
495 " were part of the local config file. Must be specified\n"
496 " when connecting to a '--mode server' remote host.\n"
497 "--auth-retry t : How to handle auth failures. Set t to\n"
498 " none (default), interact, or nointeract.\n"
499 "--static-challenge t e : Enable static challenge/response protocol using\n"
500 " challenge text t, with e indicating echo flag (0|1)\n"
501 "--server-poll-timeout n : when polling possible remote servers to connect to\n"
502 " in a round-robin fashion, spend no more than n seconds\n"
503 " waiting for a response before trying the next server.\n"
504 #endif
505 #ifdef ENABLE_OCC
506 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
507 " server/remote. n = # of retries, default=1.\n"
508 #endif
509 #ifdef ENABLE_CRYPTO
510 "\n"
511 "Data Channel Encryption Options (must be compatible between peers):\n"
512 "(These options are meaningful for both Static Key & TLS-mode)\n"
513 "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
514 " Use shared secret file f, generate with --genkey.\n"
515 " The optional d parameter controls key directionality.\n"
516 " If d is specified, use separate keys for each\n"
517 " direction, set d=0 on one side of the connection,\n"
518 " and d=1 on the other side.\n"
519 "--auth alg : Authenticate packets with HMAC using message\n"
520 " digest algorithm alg (default=%s).\n"
521 " (usually adds 16 or 20 bytes per packet)\n"
522 " Set alg=none to disable authentication.\n"
523 "--cipher alg : Encrypt packets with cipher algorithm alg\n"
524 " (default=%s).\n"
525 " Set alg=none to disable encryption.\n"
526 "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
527 " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
528 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
529 "--keysize n : Size of cipher key in bits (optional).\n"
530 " If unspecified, defaults to cipher-specific default.\n"
531 #endif
532 #ifndef ENABLE_CRYPTO_POLARSSL
533 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
534 #endif
535 "--no-replay : Disable replay protection.\n"
536 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
537 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
538 " and a time window of t seconds.\n"
539 " Default n=%d t=%d\n"
540 "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n"
541 "--replay-persist file : Persist replay-protection state across sessions\n"
542 " using file.\n"
543 "--test-crypto : Run a self-test of crypto features enabled.\n"
544 " For debugging only.\n"
545 #ifdef ENABLE_PREDICTION_RESISTANCE
546 "--use-prediction-resistance: Enable prediction resistance on the random\n"
547 " number generator.\n"
548 #endif
549 #ifdef ENABLE_SSL
550 "\n"
551 "TLS Key Negotiation Options:\n"
552 "(These options are meaningful only for TLS-mode)\n"
553 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
554 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
555 "--key-method m : Data channel key exchange method. m should be a method\n"
556 " number, such as 1 (default), 2, etc.\n"
557 "--ca file : Certificate authority file in .pem format containing\n"
558 " root certificate.\n"
559 #ifndef ENABLE_CRYPTO_POLARSSL
560 "--capath dir : A directory of trusted certificates (CAs"
561 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
562 " and CRLs).\n"
563 #else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
564 ").\n"
565 " WARNING: no support of CRL available with this version.\n"
566 #endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
567 #endif /* ENABLE_CRYPTO_POLARSSL */
568 "--dh file : File containing Diffie Hellman parameters\n"
569 " in .pem format (for --tls-server only).\n"
570 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
571 "--cert file : Local certificate in .pem format -- must be signed\n"
572 " by a Certificate Authority in --ca file.\n"
573 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
574 "--key file : Local private key in .pem format.\n"
575 #ifndef ENABLE_CRYPTO_POLARSSL
576 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
577 " and optionally the root CA certificate.\n"
578 #endif
579 #ifdef ENABLE_X509ALTUSERNAME
580 "--x509-username-field : Field used in x509 certificate to be username.\n"
581 " Default is CN.\n"
582 #endif
583 "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n"
584 #ifdef WIN32
585 "--cryptoapicert select-string : Load the certificate and private key from the\n"
586 " Windows Certificate System Store.\n"
587 #endif
588 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
589 " : Use --show-tls to see a list of supported TLS ciphers.\n"
590 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
591 " if no ACK from remote within n seconds (default=%d).\n"
592 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
593 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
594 "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
595 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
596 " of handshake initiation by any peer (default=%d).\n"
597 "--tran-window n : Transition window -- old key can live this many seconds\n"
598 " after new key renegotiation begins (default=%d).\n"
599 "--single-session: Allow only one session (reset state on restart).\n"
600 "--tls-exit : Exit on TLS negotiation failure.\n"
601 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
602 " control channel to protect against DoS attacks.\n"
603 " f (required) is a shared-secret passphrase file.\n"
604 " The optional d parameter controls key directionality,\n"
605 " see --secret option for more info.\n"
606 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
607 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
608 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
609 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
610 " pending TLS connection that has otherwise passed all other\n"
611 " tests of certification. cmd should return 0 to allow\n"
612 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
613 " executed as 'cmd certificate_depth subject')\n"
614 "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
615 " in an openvpn temporary file in [directory]. Peer cert is \n"
616 " stored before tls-verify script execution and deleted after.\n"
617 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
618 " DN name. The remote host must also pass all other tests\n"
619 " of verification.\n"
620 "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
621 " nsCertType designation t = 'client' | 'server'.\n"
622 #ifdef ENABLE_X509_TRACK
623 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
624 " plugins and management interface.\n"
625 #endif
626 #if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
627 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
628 " explicit key usage, you can specify more than one value.\n"
629 " value should be given in hex format.\n"
630 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
631 " explicit extended key usage. Extended key usage can be encoded\n"
632 " as an object identifier or OpenSSL string representation.\n"
633 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
634 " key usage and extended key usage based on RFC3280 TLS rules.\n"
635 " t = 'client' | 'server'.\n"
636 #endif /* OPENSSL_VERSION_NUMBER || ENABLE_CRYPTO_POLARSSL */
637 #endif /* ENABLE_SSL */
638 #ifdef ENABLE_PKCS11
639 "\n"
640 "PKCS#11 Options:\n"
641 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
642 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
643 " path. Set for each provider.\n"
644 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
645 " 0 : Try to determind automatically (default).\n"
646 " 1 : Use Sign.\n"
647 " 2 : Use SignRecover.\n"
648 " 4 : Use Decrypt.\n"
649 " 8 : Use Unwrap.\n"
650 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
651 " certificate can be accessed. Set for each provider.\n"
652 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
653 " cache until token is removed.\n"
654 "--pkcs11-id-management : Acquire identity from management interface.\n"
655 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
656 #endif /* ENABLE_PKCS11 */
657 "\n"
658 "SSL Library information:\n"
659 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
660 "--show-digests : Show message digest algorithms to use with --auth option.\n"
661 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
662 #ifdef ENABLE_SSL
663 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
664 #endif
665 #ifdef WIN32
666 "\n"
667 "Windows Specific:\n"
668 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
669 " from SystemRoot environment variable.\n"
670 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
671 " IP address using method = manual, netsh, ipapi,\n"
672 " dynamic, or adaptive (default = adaptive).\n"
673 " Dynamic method allows two optional parameters:\n"
674 " offset: DHCP server address offset (> -256 and < 256).\n"
675 " If 0, use network address, if >0, take nth\n"
676 " address forward from network address, if <0,\n"
677 " take nth address backward from broadcast\n"
678 " address.\n"
679 " Default is 0.\n"
680 " lease-time: Lease time in seconds.\n"
681 " Default is one year.\n"
682 "--route-method : Which method to use for adding routes on Windows?\n"
683 " adaptive (default) -- Try ipapi then fall back to exe.\n"
684 " ipapi -- Use IP helper API.\n"
685 " exe -- Call the route.exe shell command.\n"
686 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
687 " be used with --ip-win32 dynamic. For options\n"
688 " which allow multiple addresses,\n"
689 " --dhcp-option must be repeated.\n"
690 " DOMAIN name : Set DNS suffix\n"
691 " DNS addr : Set domain name server address(es)\n"
692 " NTP : Set NTP server address(es)\n"
693 " NBDD : Set NBDD server address(es)\n"
694 " WINS addr : Set WINS server address(es)\n"
695 " NBT type : Set NetBIOS over TCP/IP Node type\n"
696 " 1: B, 2: P, 4: M, 8: H\n"
697 " NBS id : Set NetBIOS scope ID\n"
698 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
699 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
700 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
701 " startup.\n"
702 "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n"
703 "--register-dns : Run net stop dnscache, net start dnscache, ipconfig /flushdns\n"
704 " and ipconfig /registerdns on connection initiation.\n"
705 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
706 " attempting to set adapter properties.\n"
707 "--pause-exit : When run from a console window, pause before exiting.\n"
708 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
709 " service, and should not be used directly by end-users.\n"
710 " ex is the name of an event object which, when\n"
711 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
712 " optional parameter controls the initial state of ex.\n"
713 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
714 " after TAP adapter is up and routes have been added.\n"
715 "Windows Standalone Options:\n"
716 "\n"
717 "--show-adapters : Show all TAP-Windows adapters.\n"
718 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
719 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
720 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
721 " to access TAP adapter.\n"
722 #endif
723 "\n"
724 "Generate a random key (only for non-TLS static key encryption mode):\n"
725 "--genkey : Generate a random key to be used as a shared secret,\n"
726 " for use with the --secret option.\n"
727 "--secret file : Write key to file.\n"
728 #endif /* ENABLE_CRYPTO */
729 #ifdef ENABLE_FEATURE_TUN_PERSIST
730 "\n"
731 "Tun/tap config mode (available with linux 2.4+):\n"
732 "--mktun : Create a persistent tunnel.\n"
733 "--rmtun : Remove a persistent tunnel.\n"
734 "--dev tunX|tapX : tun/tap device\n"
735 "--dev-type dt : Device type. See tunnel options above for details.\n"
736 "--user user : User to set privilege to.\n"
737 "--group group : Group to set privilege to.\n"
738 #endif
739 #ifdef ENABLE_PKCS11
740 "\n"
741 "PKCS#11 standalone options:\n"
742 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
743 " --verb option can be added *BEFORE* this.\n"
744 #endif /* ENABLE_PKCS11 */
745 "\n"
746 "General Standalone Options:\n"
747 #ifdef ENABLE_DEBUG
748 "--show-gateway : Show info about default gateway.\n"
749 #endif
750 ;
751
752 #endif /* !ENABLE_SMALL */
753
754 /*
755 * This is where the options defaults go.
756 * Any option not explicitly set here
757 * will be set to 0.
758 */
759 void
760 init_options (struct options *o, const bool init_gc)
761 {
762 CLEAR (*o);
763 if (init_gc)
764 {
765 gc_init (&o->gc);
766 o->gc_owned = true;
767 }
768 o->mode = MODE_POINT_TO_POINT;
769 o->topology = TOP_NET30;
770 o->ce.proto = PROTO_UDPv4;
771 o->ce.connect_retry_seconds = 5;
772 o->ce.connect_timeout = 10;
773 o->ce.connect_retry_max = 0;
774 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
775 o->verbosity = 1;
776 o->status_file_update_freq = 60;
777 o->status_file_version = 1;
778 o->ce.bind_local = true;
779 o->ce.tun_mtu = TUN_MTU_DEFAULT;
780 o->ce.link_mtu = LINK_MTU_DEFAULT;
781 o->ce.mtu_discover_type = -1;
782 o->ce.mssfix = MSSFIX_DEFAULT;
783 o->route_delay_window = 30;
784 o->max_routes = MAX_ROUTES_DEFAULT;
785 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
786 o->proto_force = -1;
787 #ifdef ENABLE_OCC
788 o->occ = true;
789 #endif
790 #ifdef ENABLE_MANAGEMENT
791 o->management_log_history_cache = 250;
792 o->management_echo_buffer_size = 100;
793 o->management_state_buffer_size = 100;
794 #endif
795 #ifdef ENABLE_FEATURE_TUN_PERSIST
796 o->persist_mode = 1;
797 #endif
798 #ifndef WIN32
799 o->rcvbuf = 65536;
800 o->sndbuf = 65536;
801 #endif
802 #ifdef TARGET_LINUX
803 o->tuntap_options.txqueuelen = 100;
804 #endif
805 #ifdef WIN32
806 #if 0
807 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
808 #else
809 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
810 #endif
811 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
812 o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
813 o->route_method = ROUTE_METHOD_ADAPTIVE;
814 #endif
815 #if P2MP_SERVER
816 o->real_hash_size = 256;
817 o->virtual_hash_size = 256;
818 o->n_bcast_buf = 256;
819 o->tcp_queue_limit = 64;
820 o->max_clients = 1024;
821 o->max_routes_per_client = 256;
822 o->stale_routes_check_interval = 0;
823 o->ifconfig_pool_persist_refresh_freq = 600;
824 #endif
825 #if P2MP
826 o->scheduled_exit_interval = 5;
827 o->server_poll_timeout = 0;
828 #endif
829 #ifdef ENABLE_CRYPTO
830 o->ciphername = "BF-CBC";
831 o->ciphername_defined = true;
832 o->authname = "SHA1";
833 o->authname_defined = true;
834 o->prng_hash = "SHA1";
835 o->prng_nonce_secret_len = 16;
836 o->replay = true;
837 o->replay_window = DEFAULT_SEQ_BACKTRACK;
838 o->replay_time = DEFAULT_TIME_BACKTRACK;
839 o->use_iv = true;
840 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
841 #ifdef ENABLE_PREDICTION_RESISTANCE
842 o->use_prediction_resistance = false;
843 #endif
844 #ifdef ENABLE_SSL
845 o->key_method = 2;
846 o->tls_timeout = 2;
847 o->renegotiate_seconds = 3600;
848 o->handshake_window = 60;
849 o->transition_window = 3600;
850 #ifdef ENABLE_X509ALTUSERNAME
851 o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
852 #endif
853 #endif /* ENABLE_SSL */
854 #endif /* ENABLE_CRYPTO */
855 #ifdef ENABLE_PKCS11
856 o->pkcs11_pin_cache_period = -1;
857 #endif /* ENABLE_PKCS11 */
858
859 /* tmp is only used in P2MP server context */
860 #if P2MP_SERVER
861 /* Set default --tmp-dir */
862 #ifdef WIN32
863 /* On Windows, find temp dir via enviroment variables */
864 o->tmp_dir = win_get_tempdir();
865 #else
866 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
867 o->tmp_dir = getenv("TMPDIR");
868 if( !o->tmp_dir ) {
869 o->tmp_dir = "/tmp";
870 }
871 #endif /* WIN32 */
872 #endif /* P2MP_SERVER */
873 }
874
875 void
876 uninit_options (struct options *o)
877 {
878 if (o->gc_owned)
879 {
880 gc_free (&o->gc);
881 }
882 }
883
884 #ifndef ENABLE_SMALL
885
886 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
887 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
888 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
889 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
890 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
891 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
892
893 #endif
894
895 void
896 setenv_connection_entry (struct env_set *es,
897 const struct connection_entry *e,
898 const int i)
899 {
900 setenv_str_i (es, "proto", proto2ascii (e->proto, false), i);
901 setenv_str_i (es, "local", e->local, i);
902 setenv_int_i (es, "local_port", e->local_port, i);
903 setenv_str_i (es, "remote", e->remote, i);
904 setenv_int_i (es, "remote_port", e->remote_port, i);
905
906 #ifdef ENABLE_HTTP_PROXY
907 if (e->http_proxy_options)
908 {
909 setenv_str_i (es, "http_proxy_server", e->http_proxy_options->server, i);
910 setenv_int_i (es, "http_proxy_port", e->http_proxy_options->port, i);
911 }
912 #endif
913 #ifdef ENABLE_SOCKS
914 if (e->socks_proxy_server)
915 {
916 setenv_str_i (es, "socks_proxy_server", e->socks_proxy_server, i);
917 setenv_int_i (es, "socks_proxy_port", e->socks_proxy_port, i);
918 }
919 #endif
920 }
921
922 void
923 setenv_settings (struct env_set *es, const struct options *o)
924 {
925 setenv_str (es, "config", o->config);
926 setenv_int (es, "verb", o->verbosity);
927 setenv_int (es, "daemon", o->daemon);
928 setenv_int (es, "daemon_log_redirect", o->log);
929 setenv_unsigned (es, "daemon_start_time", time(NULL));
930 setenv_int (es, "daemon_pid", platform_getpid());
931
932 if (o->connection_list)
933 {
934 int i;
935 for (i = 0; i < o->connection_list->len; ++i)
936 setenv_connection_entry (es, o->connection_list->array[i], i+1);
937 }
938 else
939 setenv_connection_entry (es, &o->ce, 1);
940 }
941
942 static in_addr_t
943 get_ip_addr (const char *ip_string, int msglevel, bool *error)
944 {
945 unsigned int flags = GETADDR_HOST_ORDER;
946 bool succeeded = false;
947 in_addr_t ret;
948
949 if (msglevel & M_FATAL)
950 flags |= GETADDR_FATAL;
951
952 ret = getaddr (flags, ip_string, 0, &succeeded, NULL);
953 if (!succeeded && error)
954 *error = true;
955 return ret;
956 }
957
958 /* helper: parse a text string containing an IPv6 address + netbits
959 * in "standard format" (2001:dba::/32)
960 * "/nn" is optional, default to /64 if missing
961 *
962 * return true if parsing succeeded, modify *network and *netbits
963 * return address part without "/nn" in *printable_ipv6 (if != NULL)
964 */
965 bool
966 get_ipv6_addr( const char * prefix_str, struct in6_addr *network,
967 unsigned int * netbits, char ** printable_ipv6, int msglevel )
968 {
969 int rc;
970 char * sep, * endp;
971 int bits;
972 struct in6_addr t_network;
973
974 sep = strchr( prefix_str, '/' );
975 if ( sep == NULL )
976 {
977 bits = 64;
978 }
979 else
980 {
981 bits = strtol( sep+1, &endp, 10 );
982 if ( *endp != '\0' || bits < 0 || bits > 128 )
983 {
984 msg (msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str);
985 return false;
986 }
987 }
988
989 /* temporary replace '/' in caller-provided string with '\0', otherwise
990 * inet_pton() will refuse prefix string
991 * (alternative would be to strncpy() the prefix to temporary buffer)
992 */
993
994 if ( sep != NULL ) *sep = '\0';
995
996 rc = inet_pton( AF_INET6, prefix_str, &t_network );
997
998 if ( rc == 1 && printable_ipv6 != NULL )
999 {
1000 *printable_ipv6 = string_alloc( prefix_str, NULL );
1001 }
1002
1003 if ( sep != NULL ) *sep = '/';
1004
1005 if ( rc != 1 )
1006 {
1007 msg (msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str);
1008 return false;
1009 }
1010
1011 if ( netbits != NULL )
1012 {
1013 *netbits = bits;
1014 }
1015 if ( network != NULL )
1016 {
1017 *network = t_network;
1018 }
1019 return true; /* parsing OK, values set */
1020 }
1021
1022 static bool ipv6_addr_safe_hexplusbits( const char * ipv6_prefix_spec )
1023 {
1024 struct in6_addr t_addr;
1025 unsigned int t_bits;
1026
1027 return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, NULL, M_WARN );
1028 }
1029
1030 static char *
1031 string_substitute (const char *src, int from, int to, struct gc_arena *gc)
1032 {
1033 char *ret = (char *) gc_malloc (strlen (src) + 1, true, gc);
1034 char *dest = ret;
1035 char c;
1036
1037 do
1038 {
1039 c = *src++;
1040 if (c == from)
1041 c = to;
1042 *dest++ = c;
1043 }
1044 while (c);
1045 return ret;
1046 }
1047
1048 #ifdef ENABLE_SSL
1049 static uint8_t *
1050 parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
1051 {
1052 int i;
1053 const char *cp = str;
1054 uint8_t *ret = (uint8_t *) gc_malloc (nbytes, true, gc);
1055 char term = 1;
1056 int byte;
1057 char bs[3];
1058
1059 for (i = 0; i < nbytes; ++i)
1060 {
1061 if (strlen(cp) < 2)
1062 msg (msglevel, "format error in hash fingerprint: %s", str);
1063 bs[0] = *cp++;
1064 bs[1] = *cp++;
1065 bs[2] = 0;
1066 byte = 0;
1067 if (sscanf(bs, "%x", &byte) != 1)
1068 msg (msglevel, "format error in hash fingerprint hex byte: %s", str);
1069 ret[i] = (uint8_t)byte;
1070 term = *cp++;
1071 if (term != ':' && term != 0)
1072 msg (msglevel, "format error in hash fingerprint delimiter: %s", str);
1073 if (term == 0)
1074 break;
1075 }
1076 if (term != 0 || i != nbytes-1)
1077 msg (msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str);
1078 return ret;
1079 }
1080 #endif
1081
1082 #ifdef WIN32
1083
1084 #ifndef ENABLE_SMALL
1085
1086 static void
1087 show_dhcp_option_addrs (const char *name, const in_addr_t *array, int len)
1088 {
1089 struct gc_arena gc = gc_new ();
1090 int i;
1091 for (i = 0; i < len; ++i)
1092 {
1093 msg (D_SHOW_PARMS, " %s[%d] = %s",
1094 name,
1095 i,
1096 print_in_addr_t (array[i], 0, &gc));
1097 }
1098 gc_free (&gc);
1099 }
1100
1101 static void
1102 show_tuntap_options (const struct tuntap_options *o)
1103 {
1104 SHOW_BOOL (ip_win32_defined);
1105 SHOW_INT (ip_win32_type);
1106 SHOW_INT (dhcp_masq_offset);
1107 SHOW_INT (dhcp_lease_time);
1108 SHOW_INT (tap_sleep);
1109 SHOW_BOOL (dhcp_options);
1110 SHOW_BOOL (dhcp_renew);
1111 SHOW_BOOL (dhcp_pre_release);
1112 SHOW_BOOL (dhcp_release);
1113 SHOW_STR (domain);
1114 SHOW_STR (netbios_scope);
1115 SHOW_INT (netbios_node_type);
1116 SHOW_BOOL (disable_nbt);
1117
1118 show_dhcp_option_addrs ("DNS", o->dns, o->dns_len);
1119 show_dhcp_option_addrs ("WINS", o->wins, o->wins_len);
1120 show_dhcp_option_addrs ("NTP", o->ntp, o->ntp_len);
1121 show_dhcp_option_addrs ("NBDD", o->nbdd, o->nbdd_len);
1122 }
1123
1124 #endif
1125
1126 static void
1127 dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
1128 {
1129 if (*len >= N_DHCP_ADDR)
1130 {
1131 msg (msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
1132 name,
1133 N_DHCP_ADDR,
1134 name);
1135 }
1136 else
1137 {
1138 if (ip_addr_dotted_quad_safe (parm)) /* FQDN -- IP address only */
1139 {
1140 bool error = false;
1141 const in_addr_t addr = get_ip_addr (parm, msglevel, &error);
1142 if (!error)
1143 array[(*len)++] = addr;
1144 }
1145 else
1146 {
1147 msg (msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
1148 }
1149 }
1150 }
1151
1152 #endif
1153
1154 #if P2MP
1155
1156 #ifndef ENABLE_SMALL
1157
1158 static void
1159 show_p2mp_parms (const struct options *o)
1160 {
1161 struct gc_arena gc = gc_new ();
1162
1163 #if P2MP_SERVER
1164 msg (D_SHOW_PARMS, " server_network = %s", print_in_addr_t (o->server_network, 0, &gc));
1165 msg (D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t (o->server_netmask, 0, &gc));
1166 msg (D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr (o->server_network_ipv6, 0, &gc) );
1167 SHOW_INT (server_netbits_ipv6);
1168 msg (D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t (o->server_bridge_ip, 0, &gc));
1169 msg (D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t (o->server_bridge_netmask, 0, &gc));
1170 msg (D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t (o->server_bridge_pool_start, 0, &gc));
1171 msg (D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t (o->server_bridge_pool_end, 0, &gc));
1172 if (o->push_list.head)
1173 {
1174 const struct push_entry *e = o->push_list.head;
1175 while (e)
1176 {
1177 if (e->enable)
1178 msg (D_SHOW_PARMS, " push_entry = '%s'", e->option);
1179 e = e->next;
1180 }
1181 }
1182 SHOW_BOOL (ifconfig_pool_defined);
1183 msg (D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t (o->ifconfig_pool_start, 0, &gc));
1184 msg (D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t (o->ifconfig_pool_end, 0, &gc));
1185 msg (D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t (o->ifconfig_pool_netmask, 0, &gc));
1186 SHOW_STR (ifconfig_pool_persist_filename);
1187 SHOW_INT (ifconfig_pool_persist_refresh_freq);
1188 SHOW_BOOL (ifconfig_ipv6_pool_defined);
1189 msg (D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr (o->ifconfig_ipv6_pool_base, 0, &gc));
1190 SHOW_INT (ifconfig_ipv6_pool_netbits);
1191 SHOW_INT (n_bcast_buf);
1192 SHOW_INT (tcp_queue_limit);
1193 SHOW_INT (real_hash_size);
1194 SHOW_INT (virtual_hash_size);
1195 SHOW_STR (client_connect_script);
1196 SHOW_STR (learn_address_script);
1197 SHOW_STR (client_disconnect_script);
1198 SHOW_STR (client_config_dir);
1199 SHOW_BOOL (ccd_exclusive);
1200 SHOW_STR (tmp_dir);
1201 SHOW_BOOL (push_ifconfig_defined);
1202 msg (D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t (o->push_ifconfig_local, 0, &gc));
1203 msg (D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t (o->push_ifconfig_remote_netmask, 0, &gc));
1204 SHOW_BOOL (push_ifconfig_ipv6_defined);
1205 msg (D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr (o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
1206 msg (D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr (o->push_ifconfig_ipv6_remote, 0, &gc));
1207 SHOW_BOOL (enable_c2c);
1208 SHOW_BOOL (duplicate_cn);
1209 SHOW_INT (cf_max);
1210 SHOW_INT (cf_per);
1211 SHOW_INT (max_clients);
1212 SHOW_INT (max_routes_per_client);
1213 SHOW_STR (auth_user_pass_verify_script);
1214 SHOW_BOOL (auth_user_pass_verify_script_via_file);
1215 #if PORT_SHARE
1216 SHOW_STR (port_share_host);
1217 SHOW_INT (port_share_port);
1218 #endif
1219 #endif /* P2MP_SERVER */
1220
1221 SHOW_BOOL (client);
1222 SHOW_BOOL (pull);
1223 SHOW_STR (auth_user_pass_file);
1224
1225 gc_free (&gc);
1226 }
1227
1228 #endif /* ! ENABLE_SMALL */
1229
1230 #if P2MP_SERVER
1231
1232 static void
1233 option_iroute (struct options *o,
1234 const char *network_str,
1235 const char *netmask_str,
1236 int msglevel)
1237 {
1238 struct iroute *ir;
1239
1240 ALLOC_OBJ_GC (ir, struct iroute, &o->gc);
1241 ir->network = getaddr (GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1242 ir->netbits = -1;
1243
1244 if (netmask_str)
1245 {
1246 const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1247 if (!netmask_to_netbits (ir->network, netmask, &ir->netbits))
1248 {
1249 msg (msglevel, "in --iroute %s %s : Bad network/subnet specification",
1250 network_str,
1251 netmask_str);
1252 return;
1253 }
1254 }
1255
1256 ir->next = o->iroutes;
1257 o->iroutes = ir;
1258 }
1259
1260 static void
1261 option_iroute_ipv6 (struct options *o,
1262 const char *prefix_str,
1263 int msglevel)
1264 {
1265 struct iroute_ipv6 *ir;
1266
1267 ALLOC_OBJ_GC (ir, struct iroute_ipv6, &o->gc);
1268
1269 if ( get_ipv6_addr (prefix_str, &ir->network, &ir->netbits, NULL, msglevel ) < 0 )
1270 {
1271 msg (msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
1272 prefix_str);
1273 return;
1274 }
1275
1276 ir->next = o->iroutes_ipv6;
1277 o->iroutes_ipv6 = ir;
1278 }
1279 #endif /* P2MP_SERVER */
1280 #endif /* P2MP */
1281
1282 #if defined(ENABLE_HTTP_PROXY) && !defined(ENABLE_SMALL)
1283 static void
1284 show_http_proxy_options (const struct http_proxy_options *o)
1285 {
1286 msg (D_SHOW_PARMS, "BEGIN http_proxy");
1287 SHOW_STR (server);
1288 SHOW_INT (port);
1289 SHOW_STR (auth_method_string);
1290 SHOW_STR (auth_file);
1291 SHOW_BOOL (retry);
1292 SHOW_INT (timeout);
1293 SHOW_STR (http_version);
1294 SHOW_STR (user_agent);
1295 msg (D_SHOW_PARMS, "END http_proxy");
1296 }
1297 #endif
1298
1299 void
1300 options_detach (struct options *o)
1301 {
1302 gc_detach (&o->gc);
1303 o->routes = NULL;
1304 #ifdef ENABLE_CLIENT_NAT
1305 o->client_nat = NULL;
1306 #endif
1307 #if P2MP_SERVER
1308 clone_push_list(o);
1309 #endif
1310 }
1311
1312 void
1313 rol_check_alloc (struct options *options)
1314 {
1315 if (!options->routes)
1316 options->routes = new_route_option_list (options->max_routes, &options->gc);
1317 }
1318
1319 void
1320 rol6_check_alloc (struct options *options)
1321 {
1322 if (!options->routes_ipv6)
1323 options->routes_ipv6 = new_route_ipv6_option_list (options->max_routes, &options->gc);
1324 }
1325
1326 #ifdef ENABLE_CLIENT_NAT
1327 static void
1328 cnol_check_alloc (struct options *options)
1329 {
1330 if (!options->client_nat)
1331 options->client_nat = new_client_nat_list (&options->gc);
1332 }
1333 #endif
1334
1335 #ifndef ENABLE_SMALL
1336 static void
1337 show_connection_entry (const struct connection_entry *o)
1338 {
1339 msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, false));
1340 SHOW_STR (local);
1341 SHOW_INT (local_port);
1342 SHOW_STR (remote);
1343 SHOW_INT (remote_port);
1344 SHOW_BOOL (remote_float);
1345 SHOW_BOOL (bind_defined);
1346 SHOW_BOOL (bind_local);
1347 SHOW_INT (connect_retry_seconds);
1348 SHOW_INT (connect_timeout);
1349 SHOW_INT (connect_retry_max);
1350
1351 #ifdef ENABLE_HTTP_PROXY
1352 if (o->http_proxy_options)
1353 show_http_proxy_options (o->http_proxy_options);
1354 #endif
1355 #ifdef ENABLE_SOCKS
1356 SHOW_STR (socks_proxy_server);
1357 SHOW_INT (socks_proxy_port);
1358 SHOW_BOOL (socks_proxy_retry);
1359 #endif
1360 SHOW_INT (tun_mtu);
1361 SHOW_BOOL (tun_mtu_defined);
1362 SHOW_INT (link_mtu);
1363 SHOW_BOOL (link_mtu_defined);
1364 SHOW_INT (tun_mtu_extra);
1365 SHOW_BOOL (tun_mtu_extra_defined);
1366
1367 SHOW_INT (mtu_discover_type);
1368
1369 #ifdef ENABLE_FRAGMENT
1370 SHOW_INT (fragment);
1371 #endif
1372 SHOW_INT (mssfix);
1373
1374 #ifdef ENABLE_OCC
1375 SHOW_INT (explicit_exit_notification);
1376 #endif
1377 }
1378
1379
1380 static void
1381 show_connection_entries (const struct options *o)
1382 {
1383 msg (D_SHOW_PARMS, "Connection profiles [default]:");
1384 show_connection_entry (&o->ce);
1385 if (o->connection_list)
1386 {
1387 const struct connection_list *l = o->connection_list;
1388 int i;
1389 for (i = 0; i < l->len; ++i)
1390 {
1391 msg (D_SHOW_PARMS, "Connection profiles [%d]:", i);
1392 show_connection_entry (l->array[i]);
1393 }
1394 }
1395 msg (D_SHOW_PARMS, "Connection profiles END");
1396 }
1397
1398 #endif
1399
1400 void
1401 show_settings (const struct options *o)
1402 {
1403 #ifndef ENABLE_SMALL
1404 msg (D_SHOW_PARMS, "Current Parameter Settings:");
1405
1406 SHOW_STR (config);
1407
1408 SHOW_INT (mode);
1409
1410 #ifdef ENABLE_FEATURE_TUN_PERSIST
1411 SHOW_BOOL (persist_config);
1412 SHOW_INT (persist_mode);
1413 #endif
1414
1415 #ifdef ENABLE_CRYPTO
1416 SHOW_BOOL (show_ciphers);
1417 SHOW_BOOL (show_digests);
1418 SHOW_BOOL (show_engines);
1419 SHOW_BOOL (genkey);
1420 #ifdef ENABLE_SSL
1421 SHOW_STR (key_pass_file);
1422 SHOW_BOOL (show_tls_ciphers);
1423 #endif
1424 #endif
1425
1426 show_connection_entries (o);
1427
1428 SHOW_BOOL (remote_random);
1429
1430 SHOW_STR (ipchange);
1431 SHOW_STR (dev);
1432 SHOW_STR (dev_type);
1433 SHOW_STR (dev_node);
1434 SHOW_STR (lladdr);
1435 SHOW_INT (topology);
1436 SHOW_BOOL (tun_ipv6);
1437 SHOW_STR (ifconfig_local);
1438 SHOW_STR (ifconfig_remote_netmask);
1439 SHOW_BOOL (ifconfig_noexec);
1440 SHOW_BOOL (ifconfig_nowarn);
1441 SHOW_STR (ifconfig_ipv6_local);
1442 SHOW_INT (ifconfig_ipv6_netbits);
1443 SHOW_STR (ifconfig_ipv6_remote);
1444
1445 #ifdef ENABLE_FEATURE_SHAPER
1446 SHOW_INT (shaper);
1447 #endif
1448 #ifdef ENABLE_OCC
1449 SHOW_INT (mtu_test);
1450 #endif
1451
1452 SHOW_BOOL (mlock);
1453
1454 SHOW_INT (keepalive_ping);
1455 SHOW_INT (keepalive_timeout);
1456 SHOW_INT (inactivity_timeout);
1457 SHOW_INT (ping_send_timeout);
1458 SHOW_INT (ping_rec_timeout);
1459 SHOW_INT (ping_rec_timeout_action);
1460 SHOW_BOOL (ping_timer_remote);
1461 SHOW_INT (remap_sigusr1);
1462 SHOW_BOOL (persist_tun);
1463 SHOW_BOOL (persist_local_ip);
1464 SHOW_BOOL (persist_remote_ip);
1465 SHOW_BOOL (persist_key);
1466
1467 #if PASSTOS_CAPABILITY
1468 SHOW_BOOL (passtos);
1469 #endif
1470
1471 SHOW_INT (resolve_retry_seconds);
1472
1473 SHOW_STR (username);
1474 SHOW_STR (groupname);
1475 SHOW_STR (chroot_dir);
1476 SHOW_STR (cd_dir);
1477 #ifdef ENABLE_SELINUX
1478 SHOW_STR (selinux_context);
1479 #endif
1480 SHOW_STR (writepid);
1481 SHOW_STR (up_script);
1482 SHOW_STR (down_script);
1483 SHOW_BOOL (down_pre);
1484 SHOW_BOOL (up_restart);
1485 SHOW_BOOL (up_delay);
1486 SHOW_BOOL (daemon);
1487 SHOW_INT (inetd);
1488 SHOW_BOOL (log);
1489 SHOW_BOOL (suppress_timestamps);
1490 SHOW_INT (nice);
1491 SHOW_INT (verbosity);
1492 SHOW_INT (mute);
1493 #ifdef ENABLE_DEBUG
1494 SHOW_INT (gremlin);
1495 #endif
1496 SHOW_STR (status_file);
1497 SHOW_INT (status_file_version);
1498 SHOW_INT (status_file_update_freq);
1499
1500 #ifdef ENABLE_OCC
1501 SHOW_BOOL (occ);
1502 #endif
1503 SHOW_INT (rcvbuf);
1504 SHOW_INT (sndbuf);
1505 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1506 SHOW_INT (mark);
1507 #endif
1508 SHOW_INT (sockflags);
1509
1510 SHOW_BOOL (fast_io);
1511
1512 #ifdef ENABLE_LZO
1513 SHOW_INT (lzo);
1514 #endif
1515
1516 SHOW_STR (route_script);
1517 SHOW_STR (route_default_gateway);
1518 SHOW_INT (route_default_metric);
1519 SHOW_BOOL (route_noexec);
1520 SHOW_INT (route_delay);
1521 SHOW_INT (route_delay_window);
1522 SHOW_BOOL (route_delay_defined);
1523 SHOW_BOOL (route_nopull);
1524 SHOW_BOOL (route_gateway_via_dhcp);
1525 SHOW_INT (max_routes);
1526 SHOW_BOOL (allow_pull_fqdn);
1527 if (o->routes)
1528 print_route_options (o->routes, D_SHOW_PARMS);
1529
1530 #ifdef ENABLE_CLIENT_NAT
1531 if (o->client_nat)
1532 print_client_nat_list(o->client_nat, D_SHOW_PARMS);
1533 #endif
1534
1535 #ifdef ENABLE_MANAGEMENT
1536 SHOW_STR (management_addr);
1537 SHOW_INT (management_port);
1538 SHOW_STR (management_user_pass);
1539 SHOW_INT (management_log_history_cache);
1540 SHOW_INT (management_echo_buffer_size);
1541 SHOW_STR (management_write_peer_info_file);
1542 SHOW_STR (management_client_user);
1543 SHOW_STR (management_client_group);
1544 SHOW_INT (management_flags);
1545 #endif
1546 #ifdef ENABLE_PLUGIN
1547 if (o->plugin_list)
1548 plugin_option_list_print (o->plugin_list, D_SHOW_PARMS);
1549 #endif
1550
1551 #ifdef ENABLE_CRYPTO
1552 SHOW_STR (shared_secret_file);
1553 SHOW_INT (key_direction);
1554 SHOW_BOOL (ciphername_defined);
1555 SHOW_STR (ciphername);
1556 SHOW_BOOL (authname_defined);
1557 SHOW_STR (authname);
1558 SHOW_STR (prng_hash);
1559 SHOW_INT (prng_nonce_secret_len);
1560 SHOW_INT (keysize);
1561 #ifndef ENABLE_CRYPTO_POLARSSL
1562 SHOW_BOOL (engine);
1563 #endif /* ENABLE_CRYPTO_POLARSSL */
1564 SHOW_BOOL (replay);
1565 SHOW_BOOL (mute_replay_warnings);
1566 SHOW_INT (replay_window);
1567 SHOW_INT (replay_time);
1568 SHOW_STR (packet_id_file);
1569 SHOW_BOOL (use_iv);
1570 SHOW_BOOL (test_crypto);
1571 #ifdef ENABLE_PREDICTION_RESISTANCE
1572 SHOW_BOOL (use_prediction_resistance);
1573 #endif
1574
1575 #ifdef ENABLE_SSL
1576 SHOW_BOOL (tls_server);
1577 SHOW_BOOL (tls_client);
1578 SHOW_INT (key_method);
1579 SHOW_STR (ca_file);
1580 SHOW_STR (ca_path);
1581 SHOW_STR (dh_file);
1582 SHOW_STR (cert_file);
1583
1584 #ifdef MANAGMENT_EXTERNAL_KEY
1585 if((o->management_flags & MF_EXTERNAL_KEY))
1586 SHOW_PARM ("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
1587 else
1588 #endif
1589 SHOW_STR (priv_key_file);
1590 #ifndef ENABLE_CRYPTO_POLARSSL
1591 SHOW_STR (pkcs12_file);
1592 #endif
1593 #ifdef ENABLE_CRYPTOAPI
1594 SHOW_STR (cryptoapi_cert);
1595 #endif
1596 SHOW_STR (cipher_list);
1597 SHOW_STR (tls_verify);
1598 SHOW_STR (tls_export_cert);
1599 SHOW_INT (verify_x509_type);
1600 SHOW_STR (verify_x509_name);
1601 SHOW_STR (crl_file);
1602 SHOW_INT (ns_cert_type);
1603 {
1604 int i;
1605 for (i=0;i<MAX_PARMS;i++)
1606 SHOW_INT (remote_cert_ku[i]);
1607 }
1608 SHOW_STR (remote_cert_eku);
1609 SHOW_INT (ssl_flags);
1610
1611 SHOW_INT (tls_timeout);
1612
1613 SHOW_INT (renegotiate_bytes);
1614 SHOW_INT (renegotiate_packets);
1615 SHOW_INT (renegotiate_seconds);
1616
1617 SHOW_INT (handshake_window);
1618 SHOW_INT (transition_window);
1619
1620 SHOW_BOOL (single_session);
1621 #ifdef ENABLE_PUSH_PEER_INFO
1622 SHOW_BOOL (push_peer_info);
1623 #endif
1624 SHOW_BOOL (tls_exit);
1625
1626 SHOW_STR (tls_auth_file);
1627 #endif
1628 #endif
1629
1630 #ifdef ENABLE_PKCS11
1631 {
1632 int i;
1633 for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++)
1634 SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s");
1635 }
1636 {
1637 int i;
1638 for (i=0;i<MAX_PARMS;i++)
1639 SHOW_PARM (pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1640 }
1641 {
1642 int i;
1643 for (i=0;i<MAX_PARMS;i++)
1644 SHOW_PARM (pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1645 }
1646 {
1647 int i;
1648 for (i=0;i<MAX_PARMS;i++)
1649 SHOW_PARM (pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1650 }
1651 SHOW_INT (pkcs11_pin_cache_period);
1652 SHOW_STR (pkcs11_id);
1653 SHOW_BOOL (pkcs11_id_management);
1654 #endif /* ENABLE_PKCS11 */
1655
1656 #if P2MP
1657 show_p2mp_parms (o);
1658 #endif
1659
1660 #ifdef WIN32
1661 SHOW_BOOL (show_net_up);
1662 SHOW_INT (route_method);
1663 show_tuntap_options (&o->tuntap_options);
1664 #endif
1665 #endif
1666 }
1667
1668 #undef SHOW_PARM
1669 #undef SHOW_STR
1670 #undef SHOW_INT
1671 #undef SHOW_BOOL
1672
1673 #if HTTP_PROXY_OVERRIDE
1674
1675 static struct http_proxy_options *
1676 parse_http_proxy_override (const char *server,
1677 const char *port,
1678 const char *flags,
1679 const int msglevel,
1680 struct gc_arena *gc)
1681 {
1682 if (server && port)
1683 {
1684 struct http_proxy_options *ho;
1685 const int int_port = atoi(port);
1686
1687 if (!legal_ipv4_port (int_port))
1688 {
1689 msg (msglevel, "Bad http-proxy port number: %s", port);
1690 return NULL;
1691 }
1692
1693 ALLOC_OBJ_CLEAR_GC (ho, struct http_proxy_options, gc);
1694 ho->server = string_alloc(server, gc);
1695 ho->port = int_port;
1696 ho->retry = true;
1697 ho->timeout = 5;
1698 if (flags && !strcmp(flags, "nct"))
1699 ho->auth_retry = PAR_NCT;
1700 else
1701 ho->auth_retry = PAR_ALL;
1702 ho->http_version = "1.0";
1703 ho->user_agent = "OpenVPN-Autoproxy/1.0";
1704 return ho;
1705 }
1706 else
1707 return NULL;
1708 }
1709
1710 void
1711 options_postprocess_http_proxy_override (struct options *o)
1712 {
1713 const struct connection_list *l = o->connection_list;
1714 if (l)
1715 {
1716 int i;
1717 bool succeed = false;
1718 for (i = 0; i < l->len; ++i)
1719 {
1720 struct connection_entry *ce = l->array[i];
1721 if (ce->proto == PROTO_TCPv4_CLIENT || ce->proto == PROTO_TCPv4)
1722 {
1723 ce->http_proxy_options = o->http_proxy_override;
1724 succeed = true;
1725 }
1726 }
1727 if (succeed)
1728 {
1729 for (i = 0; i < l->len; ++i)
1730 {
1731 struct connection_entry *ce = l->array[i];
1732 if (ce->proto == PROTO_UDPv4)
1733 {
1734 ce->flags |= CE_DISABLED;
1735 }
1736 }
1737 }
1738 else
1739 msg (M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
1740 }
1741 }
1742
1743 #endif
1744
1745 static struct connection_list *
1746 alloc_connection_list_if_undef (struct options *options)
1747 {
1748 if (!options->connection_list)
1749 ALLOC_OBJ_CLEAR_GC (options->connection_list, struct connection_list, &options->gc);
1750 return options->connection_list;
1751 }
1752
1753 static struct connection_entry *
1754 alloc_connection_entry (struct options *options, const int msglevel)
1755 {
1756 struct connection_list *l = alloc_connection_list_if_undef (options);
1757 struct connection_entry *e;
1758
1759 if (l->len >= CONNECTION_LIST_SIZE)
1760 {
1761 msg (msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
1762 return NULL;
1763 }
1764 ALLOC_OBJ_GC (e, struct connection_entry, &options->gc);
1765 l->array[l->len++] = e;
1766 return e;
1767 }
1768
1769 static struct remote_list *
1770 alloc_remote_list_if_undef (struct options *options)
1771 {
1772 if (!options->remote_list)
1773 ALLOC_OBJ_CLEAR_GC (options->remote_list, struct remote_list, &options->gc);
1774 return options->remote_list;
1775 }
1776
1777 static struct remote_entry *
1778 alloc_remote_entry (struct options *options, const int msglevel)
1779 {
1780 struct remote_list *l = alloc_remote_list_if_undef (options);
1781 struct remote_entry *e;
1782
1783 if (l->len >= CONNECTION_LIST_SIZE)
1784 {
1785 msg (msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
1786 return NULL;
1787 }
1788 ALLOC_OBJ_GC (e, struct remote_entry, &options->gc);
1789 l->array[l->len++] = e;
1790 return e;
1791 }
1792
1793 void
1794 connection_entry_load_re (struct connection_entry *ce, const struct remote_entry *re)
1795 {
1796 if (re->remote)
1797 ce->remote = re->remote;
1798 if (re->remote_port >= 0)
1799 ce->remote_port = re->remote_port;
1800 if (re->proto >= 0)
1801 ce->proto = re->proto;
1802 }
1803
1804 static void
1805 options_postprocess_verify_ce (const struct options *options, const struct connection_entry *ce)
1806 {
1807 struct options defaults;
1808 int dev = DEV_TYPE_UNDEF;
1809 bool pull = false;
1810
1811 init_options (&defaults, true);
1812
1813 #ifdef ENABLE_CRYPTO
1814 if (options->test_crypto)
1815 {
1816 notnull (options->shared_secret_file, "key file (--secret)");
1817 }
1818 else
1819 #endif
1820 notnull (options->dev, "TUN/TAP device (--dev)");
1821
1822 /*
1823 * Get tun/tap/null device type
1824 */
1825 dev = dev_type_enum (options->dev, options->dev_type);
1826
1827 /*
1828 * If "proto tcp" is specified, make sure we know whether it is
1829 * tcp-client or tcp-server.
1830 */
1831 if (ce->proto == PROTO_TCPv4)
1832 msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
1833 if (ce->proto == PROTO_TCPv6)
1834 msg (M_USAGE, "--proto tcp6 is ambiguous in this context. Please specify --proto tcp6-server or --proto tcp6-client");
1835
1836 /*
1837 * Sanity check on daemon/inetd modes
1838 */
1839
1840 if (options->daemon && options->inetd)
1841 msg (M_USAGE, "only one of --daemon or --inetd may be specified");
1842
1843 if (options->inetd && (ce->local || ce->remote))
1844 msg (M_USAGE, "--local or --remote cannot be used with --inetd");
1845
1846 if (options->inetd && ce->proto == PROTO_TCPv4_CLIENT)
1847 msg (M_USAGE, "--proto tcp-client cannot be used with --inetd");
1848
1849 if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCPv4_SERVER)
1850 msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
1851
1852 if (options->inetd == INETD_NOWAIT
1853 #if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
1854 && !(options->tls_server || options->tls_client)
1855 #endif
1856 )
1857 msg (M_USAGE, "--inetd nowait can only be used in TLS mode");
1858
1859 if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
1860 msg (M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
1861
1862
1863 if (options->lladdr && dev != DEV_TYPE_TAP)
1864 msg (M_USAGE, "--lladdr can only be used in --dev tap mode");
1865
1866 /*
1867 * Sanity check on TCP mode options
1868 */
1869
1870 if (ce->connect_retry_defined && ce->proto != PROTO_TCPv4_CLIENT
1871 && ce->proto != PROTO_TCPv6_CLIENT)
1872 msg (M_USAGE, "--connect-retry doesn't make sense unless also used with "
1873 "--proto tcp-client or tcp6-client");
1874
1875 if (ce->connect_timeout_defined && ce->proto != PROTO_TCPv4_CLIENT
1876 && ce->proto != PROTO_TCPv6_CLIENT)
1877 msg (M_USAGE, "--connect-timeout doesn't make sense unless also used with "
1878 "--proto tcp-client or tcp6-client");
1879
1880 /*
1881 * Sanity check on MTU parameters
1882 */
1883 if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
1884 msg (M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
1885
1886 #ifdef ENABLE_OCC
1887 if (!proto_is_udp(ce->proto) && options->mtu_test)
1888 msg (M_USAGE, "--mtu-test only makes sense with --proto udp");
1889 #endif
1890
1891 /* will we be pulling options from server? */
1892 #if P2MP
1893 pull = options->pull;
1894 #endif
1895
1896 /*
1897 * Sanity check on --local, --remote, and --ifconfig
1898 */
1899
1900 if (proto_is_net(ce->proto)
1901 && string_defined_equal (ce->local, ce->remote)
1902 && ce->local_port == ce->remote_port)
1903 msg (M_USAGE, "--remote and --local addresses are the same");
1904
1905 if (string_defined_equal (ce->remote, options->ifconfig_local)
1906 || string_defined_equal (ce->remote, options->ifconfig_remote_netmask))
1907 msg (M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses");
1908
1909 if (string_defined_equal (ce->local, options->ifconfig_local)
1910 || string_defined_equal (ce->local, options->ifconfig_remote_netmask))
1911 msg (M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
1912
1913 if (string_defined_equal (options->ifconfig_local, options->ifconfig_remote_netmask))
1914 msg (M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
1915
1916 if (ce->bind_defined && !ce->bind_local)
1917 msg (M_USAGE, "--bind and --nobind can't be used together");
1918
1919 if (ce->local && !ce->bind_local)
1920 msg (M_USAGE, "--local and --nobind don't make sense when used together");
1921
1922 if (ce->local_port_defined && !ce->bind_local)
1923 msg (M_USAGE, "--lport and --nobind don't make sense when used together");
1924
1925 if (!ce->remote && !ce->bind_local)
1926 msg (M_USAGE, "--nobind doesn't make sense unless used with --remote");
1927
1928 /*
1929 * Check for consistency of management options
1930 */
1931 #ifdef ENABLE_MANAGEMENT
1932 if (!options->management_addr &&
1933 (options->management_flags
1934 || options->management_write_peer_info_file
1935 || options->management_log_history_cache != defaults.management_log_history_cache))
1936 msg (M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
1937
1938 if ((options->management_client_user || options->management_client_group)
1939 && !(options->management_flags & MF_UNIX_SOCK))
1940 msg (M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
1941 #endif
1942
1943 /*
1944 * Windows-specific options.
1945 */
1946
1947 #ifdef WIN32
1948 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
1949 msg (M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
1950
1951 if ((options->tuntap_options.ip_win32_defined)
1952 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
1953 msg (M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
1954
1955 if (options->tuntap_options.dhcp_options
1956 && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
1957 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
1958 msg (M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive");
1959 #endif
1960
1961 /*
1962 * Check that protocol options make sense.
1963 */
1964
1965 #ifdef ENABLE_FRAGMENT
1966 if (!proto_is_udp(ce->proto) && ce->fragment)
1967 msg (M_USAGE, "--fragment can only be used with --proto udp");
1968 #endif
1969
1970 #ifdef ENABLE_OCC
1971 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
1972 msg (M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
1973 #endif
1974
1975 if (!ce->remote && (ce->proto == PROTO_TCPv4_CLIENT
1976 || ce->proto == PROTO_TCPv6_CLIENT))
1977 msg (M_USAGE, "--remote MUST be used in TCP Client mode");
1978
1979 #ifdef ENABLE_HTTP_PROXY
1980 if ((ce->http_proxy_options) && ce->proto != PROTO_TCPv4_CLIENT)
1981 msg (M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
1982 #endif
1983
1984 #if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_SOCKS)
1985 if (ce->http_proxy_options && ce->socks_proxy_server)
1986 msg (M_USAGE, "--http-proxy can not be used together with --socks-proxy");
1987 #endif
1988
1989 #ifdef ENABLE_SOCKS
1990 if (ce->socks_proxy_server && ce->proto == PROTO_TCPv4_SERVER)
1991 msg (M_USAGE, "--socks-proxy can not be used in TCP Server mode");
1992 #endif
1993
1994 if ((ce->proto == PROTO_TCPv4_SERVER || ce->proto == PROTO_TCPv6_SERVER)
1995 && connection_list_defined (options))
1996 msg (M_USAGE, "TCP server mode allows at most one --remote address");
1997
1998 #if P2MP_SERVER
1999
2000 /*
2001 * Check consistency of --mode server options.
2002 */
2003 if (options->mode == MODE_SERVER)
2004 {
2005 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
2006 msg (M_USAGE, "--mode server only works with --dev tun or --dev tap");
2007 if (options->pull)
2008 msg (M_USAGE, "--pull cannot be used with --mode server");
2009 if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCPv4_SERVER
2010 || ce->proto == PROTO_TCPv6_SERVER))
2011 msg (M_USAGE, "--mode server currently only supports "
2012 "--proto udp or --proto tcp-server or proto tcp6-server");
2013 #if PORT_SHARE
2014 if ((options->port_share_host || options->port_share_port) &&
2015 (ce->proto != PROTO_TCPv4_SERVER && ce->proto != PROTO_TCPv6_SERVER))
2016 msg (M_USAGE, "--port-share only works in TCP server mode "
2017 "(--proto tcp-server or tcp6-server)");
2018 #endif
2019 if (!options->tls_server)
2020 msg (M_USAGE, "--mode server requires --tls-server");
2021 if (ce->remote)
2022 msg (M_USAGE, "--remote cannot be used with --mode server");
2023 if (!ce->bind_local)
2024 msg (M_USAGE, "--nobind cannot be used with --mode server");
2025 #ifdef ENABLE_HTTP_PROXY
2026 if (ce->http_proxy_options)
2027 msg (M_USAGE, "--http-proxy cannot be used with --mode server");
2028 #endif
2029 #ifdef ENABLE_SOCKS
2030 if (ce->socks_proxy_server)
2031 msg (M_USAGE, "--socks-proxy cannot be used with --mode server");
2032 #endif
2033 if (options->connection_list)
2034 msg (M_USAGE, "<connection> cannot be used with --mode server");
2035 #if 0
2036 if (options->tun_ipv6)
2037 msg (M_USAGE, "--tun-ipv6 cannot be used with --mode server");
2038 #endif
2039 if (options->shaper)
2040 msg (M_USAGE, "--shaper cannot be used with --mode server");
2041 if (options->inetd)
2042 msg (M_USAGE, "--inetd cannot be used with --mode server");
2043 if (options->ipchange)
2044 msg (M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)");
2045 if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCPv4_SERVER
2046 || ce->proto == PROTO_TCPv6_SERVER))
2047 msg (M_USAGE, "--mode server currently only supports "
2048 "--proto udp or --proto tcp-server or --proto tcp6-server");
2049 if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
2050 msg (M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2051 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
2052 msg (M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2053 #ifdef ENABLE_OCC
2054 if (ce->explicit_exit_notification)
2055 msg (M_USAGE, "--explicit-exit-notify cannot be used with --mode server");
2056 #endif
2057 if (options->routes && (options->routes->flags & RG_ENABLE))
2058 msg (M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2059 if (options->route_delay_defined)
2060 msg (M_USAGE, "--route-delay cannot be used with --mode server");
2061 if (options->up_delay)
2062 msg (M_USAGE, "--up-delay cannot be used with --mode server");
2063 if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
2064 msg (M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
2065 if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local )
2066 msg (M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2067 if (options->ifconfig_ipv6_local && !options->tun_ipv6 )
2068 msg (M_INFO, "Warning: --ifconfig-ipv6 without --tun-ipv6 will not do IPv6");
2069
2070 if (options->auth_user_pass_file)
2071 msg (M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2072 if (options->ccd_exclusive && !options->client_config_dir)
2073 msg (M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
2074 if (options->key_method != 2)
2075 msg (M_USAGE, "--mode server requires --key-method 2");
2076
2077 {
2078 const bool ccnr = (options->auth_user_pass_verify_script
2079 || PLUGIN_OPTION_LIST (options)
2080 || MAN_CLIENT_AUTH_ENABLED (options));
2081 const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2082 if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && !ccnr)
2083 msg (M_USAGE, "--client-cert-not-required %s", postfix);
2084 if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
2085 msg (M_USAGE, "--username-as-common-name %s", postfix);
2086 if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
2087 msg (M_USAGE, "--auth-user-pass-optional %s", postfix);
2088 }
2089 }
2090 else
2091 {
2092 /*
2093 * When not in server mode, err if parameters are
2094 * specified which require --mode server.
2095 */
2096 if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
2097 msg (M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2098 if (options->ifconfig_ipv6_pool_defined)
2099 msg (M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
2100 if (options->real_hash_size != defaults.real_hash_size
2101 || options->virtual_hash_size != defaults.virtual_hash_size)
2102 msg (M_USAGE, "--hash-size requires --mode server");
2103 if (options->learn_address_script)
2104 msg (M_USAGE, "--learn-address requires --mode server");
2105 if (options->client_connect_script)
2106 msg (M_USAGE, "--client-connect requires --mode server");
2107 if (options->client_disconnect_script)
2108 msg (M_USAGE, "--client-disconnect requires --mode server");
2109 if (options->client_config_dir || options->ccd_exclusive)
2110 msg (M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
2111 if (options->enable_c2c)
2112 msg (M_USAGE, "--client-to-client requires --mode server");
2113 if (options->duplicate_cn)
2114 msg (M_USAGE, "--duplicate-cn requires --mode server");
2115 if (options->cf_max || options->cf_per)
2116 msg (M_USAGE, "--connect-freq requires --mode server");
2117 if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
2118 msg (M_USAGE, "--client-cert-not-required requires --mode server");
2119 if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
2120 msg (M_USAGE, "--username-as-common-name requires --mode server");
2121 if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
2122 msg (M_USAGE, "--auth-user-pass-optional requires --mode server");
2123 if (options->ssl_flags & SSLF_OPT_VERIFY)
2124 msg (M_USAGE, "--opt-verify requires --mode server");
2125 if (options->server_flags & SF_TCP_NODELAY_HELPER)
2126 msg (M_USAGE, "--tcp-nodelay requires --mode server");
2127 if (options->auth_user_pass_verify_script)
2128 msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
2129 #if PORT_SHARE
2130 if (options->port_share_host || options->port_share_port)
2131 msg (M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2132 #endif
2133
2134 if (options->stale_routes_check_interval)
2135 msg (M_USAGE, "--stale-routes-check requires --mode server");
2136 if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING))
2137 msg (M_USAGE, "--compat-x509-names no-remapping requires --mode server");
2138 }
2139 #endif /* P2MP_SERVER */
2140
2141 #ifdef ENABLE_CRYPTO
2142
2143 /*
2144 * Check consistency of replay options
2145 */
2146 if ((!proto_is_udp(ce->proto))
2147 && (options->replay_window != defaults.replay_window
2148 || options->replay_time != defaults.replay_time))
2149 msg (M_USAGE, "--replay-window only makes sense with --proto udp");
2150
2151 if (!options->replay
2152 && (options->replay_window != defaults.replay_window
2153 || options->replay_time != defaults.replay_time))
2154 msg (M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2155
2156 /*
2157 * SSL/TLS mode sanity checks.
2158 */
2159
2160 #ifdef ENABLE_SSL
2161 if (options->tls_server + options->tls_client +
2162 (options->shared_secret_file != NULL) > 1)
2163 msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
2164
2165 if (options->tls_server)
2166 {
2167 notnull (options->dh_file, "DH file (--dh)");
2168 }
2169 if (options->tls_server || options->tls_client)
2170 {
2171 #ifdef ENABLE_PKCS11
2172 if (options->pkcs11_providers[0])
2173 {
2174 notnull (options->ca_file, "CA file (--ca)");
2175
2176 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
2177 msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2178 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2179 msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2180 if (options->cert_file)
2181 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2182 if (options->priv_key_file)
2183 msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2184 #ifdef MANAGMENT_EXTERNAL_KEY
2185 if (options->management_flags & MF_EXTERNAL_KEY)
2186 msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2187 #endif
2188 if (options->pkcs12_file)
2189 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2190 #ifdef ENABLE_CRYPTOAPI
2191 if (options->cryptoapi_cert)
2192 msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2193 #endif
2194 }
2195 else
2196 #endif
2197 #ifdef MANAGMENT_EXTERNAL_KEY
2198 if((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
2199 {
2200 msg (M_USAGE, "--key and --management-external-key are mutually exclusive");
2201 }
2202 else
2203 #endif
2204 #ifdef ENABLE_CRYPTOAPI
2205 if (options->cryptoapi_cert)
2206 {
2207 if ((!(options->ca_file)) && (!(options->ca_path)))
2208 msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2209 if (options->cert_file)
2210 msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2211 if (options->priv_key_file)
2212 msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2213 if (options->pkcs12_file)
2214 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2215 #ifdef MANAGMENT_EXTERNAL_KEY
2216 if (options->management_flags & MF_EXTERNAL_KEY)
2217 msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2218 #endif
2219 }
2220 else
2221 #endif
2222 if (options->pkcs12_file)
2223 {
2224 #ifdef ENABLE_CRYPTO_POLARSSL
2225 msg(M_USAGE, "Parameter --pkcs12 cannot be used with the PolarSSL version version of OpenVPN.");
2226 #else
2227 if (options->ca_path)
2228 msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2229 if (options->cert_file)
2230 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2231 if (options->priv_key_file)
2232 msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2233 #ifdef MANAGMENT_EXTERNAL_KEY
2234 if (options->management_flags & MF_EXTERNAL_KEY)
2235 msg(M_USAGE, "Parameter --external-management-key cannot be used when --pkcs12 is also specified.");
2236 #endif
2237 #endif
2238 }
2239 else
2240 {
2241 #ifdef ENABLE_CRYPTO_POLARSSL
2242 if (!(options->ca_file))
2243 msg(M_USAGE, "You must define CA file (--ca)");
2244 if (options->ca_path)
2245 msg(M_USAGE, "Parameter --capath cannot be used with the PolarSSL version version of OpenVPN.");
2246 #else
2247 if ((!(options->ca_file)) && (!(options->ca_path)))
2248 msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2249 #endif
2250 if (pull)
2251 {
2252
2253 const int sum = (options->cert_file != NULL) +
2254 #ifdef MANAGMENT_EXTERNAL_KEY
2255 ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
2256 #else
2257 (options->priv_key_file != NULL);
2258 #endif
2259
2260
2261 if (sum == 0)
2262 {
2263 #if P2MP
2264 if (!options->auth_user_pass_file)
2265 #endif
2266 msg (M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
2267 }
2268 else if (sum == 2)
2269 ;
2270 else
2271 {
2272 msg (M_USAGE, "If you use one of --cert or --key, you must use them both");
2273 }
2274 }
2275 else
2276 {
2277 notnull (options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2278 #ifdef MANAGMENT_EXTERNAL_KEY
2279 if (!(options->management_flags & MF_EXTERNAL_KEY))
2280 #endif
2281 notnull (options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2282 }
2283 }
2284 }
2285 else
2286 {
2287 /*
2288 * Make sure user doesn't specify any TLS options
2289 * when in non-TLS mode.
2290 */
2291
2292 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) msg (M_USAGE, err, #parm);
2293
2294 const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2295
2296 MUST_BE_UNDEF (ca_file);
2297 MUST_BE_UNDEF (ca_path);
2298 MUST_BE_UNDEF (dh_file);
2299 MUST_BE_UNDEF (cert_file);
2300 MUST_BE_UNDEF (priv_key_file);
2301 #ifndef ENABLE_CRYPTO_POLARSSL
2302 MUST_BE_UNDEF (pkcs12_file);
2303 #endif
2304 MUST_BE_UNDEF (cipher_list);
2305 MUST_BE_UNDEF (tls_verify);
2306 MUST_BE_UNDEF (tls_export_cert);
2307 MUST_BE_UNDEF (verify_x509_name);
2308 MUST_BE_UNDEF (tls_timeout);
2309 MUST_BE_UNDEF (renegotiate_bytes);
2310 MUST_BE_UNDEF (renegotiate_packets);
2311 MUST_BE_UNDEF (renegotiate_seconds);
2312 MUST_BE_UNDEF (handshake_window);
2313 MUST_BE_UNDEF (transition_window);
2314 MUST_BE_UNDEF (tls_auth_file);
2315 MUST_BE_UNDEF (single_session);
2316 #ifdef ENABLE_PUSH_PEER_INFO
2317 MUST_BE_UNDEF (push_peer_info);
2318 #endif
2319 MUST_BE_UNDEF (tls_exit);
2320 MUST_BE_UNDEF (crl_file);
2321 MUST_BE_UNDEF (key_method);
2322 MUST_BE_UNDEF (ns_cert_type);
2323 MUST_BE_UNDEF (remote_cert_ku[0]);
2324 MUST_BE_UNDEF (remote_cert_eku);
2325 #ifdef ENABLE_PKCS11
2326 MUST_BE_UNDEF (pkcs11_providers[0]);
2327 MUST_BE_UNDEF (pkcs11_private_mode[0]);
2328 MUST_BE_UNDEF (pkcs11_id);
2329 MUST_BE_UNDEF (pkcs11_id_management);
2330 #endif
2331
2332 if (pull)
2333 msg (M_USAGE, err, "--pull");
2334 }
2335 #undef MUST_BE_UNDEF
2336 #endif /* ENABLE_CRYPTO */
2337 #endif /* ENABLE_SSL */
2338
2339 #if P2MP
2340 if (options->auth_user_pass_file && !options->pull)
2341 msg (M_USAGE, "--auth-user-pass requires --pull");
2342 #endif
2343
2344 uninit_options (&defaults);
2345 }
2346
2347 static void
2348 options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)
2349 {
2350 const int dev = dev_type_enum (o->dev, o->dev_type);
2351
2352 #if P2MP_SERVER
2353 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
2354 {
2355 if (ce->proto == PROTO_TCPv4)
2356 ce->proto = PROTO_TCPv4_SERVER;
2357 else if (ce->proto == PROTO_TCPv6)
2358 ce->proto = PROTO_TCPv6_SERVER;
2359 }
2360 #endif
2361 #if P2MP
2362 if (o->client)
2363 {
2364 if (ce->proto == PROTO_TCPv4)
2365 ce->proto = PROTO_TCPv4_CLIENT;
2366 else if (ce->proto == PROTO_TCPv6)
2367 ce->proto = PROTO_TCPv6_CLIENT;
2368 }
2369 #endif
2370
2371 if (ce->proto == PROTO_TCPv4_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2372 ce->bind_local = false;
2373
2374 #ifdef ENABLE_SOCKS
2375 if (ce->proto == PROTO_UDPv4 && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2376 ce->bind_local = false;
2377 #endif
2378
2379 if (!ce->bind_local)
2380 ce->local_port = 0;
2381
2382 /* if protocol forcing is enabled, disable all protocols except for the forced one */
2383 if (o->proto_force >= 0 && proto_is_tcp(o->proto_force) != proto_is_tcp(ce->proto))
2384 ce->flags |= CE_DISABLED;
2385
2386 /*
2387 * If --mssfix is supplied without a parameter, default
2388 * it to --fragment value, if --fragment is specified.
2389 */
2390 if (o->ce.mssfix_default)
2391 {
2392 #ifdef ENABLE_FRAGMENT
2393 if (ce->fragment)
2394 o->ce.mssfix = ce->fragment;
2395 #else
2396 msg (M_USAGE, "--mssfix must specify a parameter");
2397 #endif
2398 }
2399
2400 /*
2401 * Set MTU defaults
2402 */
2403 {
2404 if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
2405 {
2406 ce->tun_mtu_defined = true;
2407 }
2408 if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
2409 {
2410 ce->tun_mtu_extra_defined = true;
2411 ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
2412 }
2413 }
2414
2415 }
2416
2417 static void
2418 options_postprocess_mutate_invariant (struct options *options)
2419 {
2420 const int dev = dev_type_enum (options->dev, options->dev_type);
2421
2422 /*
2423 * In forking TCP server mode, you don't need to ifconfig
2424 * the tap device (the assumption is that it will be bridged).
2425 */
2426 if (options->inetd == INETD_NOWAIT)
2427 options->ifconfig_noexec = true;
2428
2429 #ifdef WIN32
2430 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
2431 {
2432 if (options->mode == MODE_POINT_TO_POINT)
2433 {
2434 options->route_delay_defined = true;
2435 options->route_delay = 5; /* Vista sometimes has a race without this */
2436 }
2437 }
2438
2439 if (options->ifconfig_noexec)
2440 {
2441 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
2442 options->ifconfig_noexec = false;
2443 }
2444 #endif
2445
2446 #if P2MP_SERVER
2447 /*
2448 * Check consistency of --mode server options.
2449 */
2450 if (options->mode == MODE_SERVER)
2451 {
2452 #ifdef WIN32
2453 /*
2454 * We need to explicitly set --tap-sleep because
2455 * we do not schedule event timers in the top-level context.
2456 */
2457 options->tuntap_options.tap_sleep = 10;
2458 if (options->route_delay_defined && options->route_delay)
2459 options->tuntap_options.tap_sleep = options->route_delay;
2460 options->route_delay_defined = false;
2461 #endif
2462 }
2463 #endif
2464 }
2465
2466 static void
2467 options_postprocess_verify (const struct options *o)
2468 {
2469 if (o->connection_list)
2470 {
2471 int i;
2472 for (i = 0; i < o->connection_list->len; ++i)
2473 options_postprocess_verify_ce (o, o->connection_list->array[i]);
2474 }
2475 else
2476 options_postprocess_verify_ce (o, &o->ce);
2477 }
2478
2479 static void
2480 options_postprocess_mutate (struct options *o)
2481 {
2482 /*
2483 * Process helper-type options which map to other, more complex
2484 * sequences of options.
2485 */
2486 helper_client_server (o);
2487 helper_keepalive (o);
2488 helper_tcp_nodelay (o);
2489
2490 options_postprocess_mutate_invariant (o);
2491
2492 if (o->remote_list && !o->connection_list)
2493 {
2494 /*
2495 * For compatibility with 2.0.x, map multiple --remote options
2496 * into connection list (connection lists added in 2.1).
2497 */
2498 if (o->remote_list->len > 1 || o->force_connection_list)
2499 {
2500 const struct remote_list *rl = o->remote_list;
2501 int i;
2502 for (i = 0; i < rl->len; ++i)
2503 {
2504 const struct remote_entry *re = rl->array[i];
2505 struct connection_entry ce = o->ce;
2506 struct connection_entry *ace;
2507
2508 ASSERT (re->remote);
2509 connection_entry_load_re (&ce, re);
2510 ace = alloc_connection_entry (o, M_USAGE);
2511 ASSERT (ace);
2512 *ace = ce;
2513 }
2514 }
2515 else if (o->remote_list->len == 1) /* one --remote option specified */
2516 {
2517 connection_entry_load_re (&o->ce, o->remote_list->array[0]);
2518 }
2519 else
2520 {
2521 ASSERT (0);
2522 }
2523 }
2524 if (o->connection_list)
2525 {
2526 int i;
2527 for (i = 0; i < o->connection_list->len; ++i)
2528 options_postprocess_mutate_ce (o, o->connection_list->array[i]);
2529
2530 #if HTTP_PROXY_OVERRIDE
2531 if (o->http_proxy_override)
2532 options_postprocess_http_proxy_override(o);
2533 #endif
2534 }
2535 else
2536 options_postprocess_mutate_ce (o, &o->ce);
2537
2538 #if P2MP
2539 /*
2540 * Save certain parms before modifying options via --pull
2541 */
2542 pre_pull_save (o);
2543 #endif
2544 }
2545
2546 /*
2547 * Check file/directory sanity
2548 *
2549 */
2550 #ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */
2551
2552 #define CHKACC_FILE (1<<0) /** Check for a file/directory precense */
2553 #define CHKACC_DIRPATH (1<<1) /** Check for directory precense where a file should reside */
2554 #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */
2555 #define CHKACC_INLINE (1<<3) /** File is present if it's an inline file */
2556 #define CHKACC_ACPTSTDIN (1<<4) /** If filename is stdin, it's allowed and "exists" */
2557
2558 static bool
2559 check_file_access(const int type, const char *file, const int mode, const char *opt)
2560 {
2561 int errcode = 0;
2562
2563 /* If no file configured, no errors to look for */
2564 if (!file)
2565 return false;
2566
2567 /* If this may be an inline file, and the proper inline "filename" is set - no issues */
2568 if ((type & CHKACC_INLINE) && streq(file, INLINE_FILE_TAG) )
2569 return false;
2570
2571 /* If stdin is allowed and the file name is 'stdin', then do no
2572 * further checks as stdin is always available
2573 */
2574 if( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
2575 return false;
2576
2577 /* Is the directory path leading to the given file accessible? */
2578 if (type & CHKACC_DIRPATH)
2579 {
2580 char *fullpath = strdup(file); /* POSIX dirname() implementaion may modify its arguments */
2581 char *dirpath = dirname(fullpath);
2582
2583 if (platform_access (dirpath, mode|X_OK) != 0)
2584 errcode = errno;
2585 free(fullpath);
2586 }
2587
2588 /* Is the file itself accessible? */
2589 if (!errcode && (type & CHKACC_FILE) && (platform_access (file, mode) != 0) )
2590 errcode = errno;
2591
2592 /* If the file exists and is accessible, is it writable? */
2593 if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access (file, F_OK) == 0) )
2594 if (platform_access (file, W_OK) != 0)
2595 errcode = errno;
2596
2597 /* Scream if an error is found */
2598 if( errcode > 0 )
2599 msg (M_NOPREFIX|M_OPTERR, "%s fails with '%s': %s",
2600 opt, file, strerror(errno));
2601
2602 /* Return true if an error occured */
2603 return (errcode != 0 ? true : false);
2604 }
2605
2606 /*
2607 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
2608 * valid file with appropriate permissions.
2609 *
2610 * "command" consists of a path, optionally followed by a space, which may be
2611 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
2612 * performed.
2613 *
2614 * The path and arguments in "command" may be single- or double-quoted or escaped.
2615 *
2616 * The path is extracted from "command", then check_file_access() is called to check it. The
2617 * arguments, if any, are ignored.
2618 *
2619 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
2620 * check_file_access() arguments.
2621 */
2622 static bool
2623 check_cmd_access(const char *command, const char *opt)
2624 {
2625 struct argv argv;
2626 bool return_code;
2627
2628 /* If no command was set, there are no errors to look for */
2629 if (! command)
2630 return false;
2631
2632 /* Extract executable path and arguments */
2633 argv = argv_new ();
2634 argv_printf (&argv, "%sc", command);
2635
2636 /* if an executable is specified then check it; otherwise, complain */
2637 if (argv.argv[0])
2638 /* Scripts requires R_OK as well, but that might fail on binaries which
2639 * only requires X_OK to function on Unix - a scenario not unlikely to
2640 * be seen on suid binaries.
2641 */
2642 return_code = check_file_access(CHKACC_FILE, argv.argv[0], X_OK, opt);
2643 else
2644 {
2645 msg (M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
2646 opt, command);
2647 return_code = true;
2648 }
2649
2650 argv_reset (&argv);
2651
2652 return return_code;
2653 }
2654
2655 /*
2656 * Sanity check of all file/dir options. Checks that file/dir
2657 * is accessible by OpenVPN
2658 */
2659 static void
2660 options_postprocess_filechecks (struct options *options)
2661 {
2662 bool errs = false;
2663
2664 /* ** SSL/TLS/crypto related files ** */
2665 #ifdef ENABLE_SSL
2666 errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
2667 errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");
2668 errs |= check_file_access (CHKACC_FILE, options->ca_path, R_OK, "--capath");
2669 errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert");
2670 errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->extra_certs_file, R_OK,
2671 "--extra-certs");
2672 #ifdef MANAGMENT_EXTERNAL_KEY
2673 if(!(options->management_flags & MF_EXTERNAL_KEY))
2674 #endif
2675 errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->priv_key_file, R_OK,
2676 "--key");
2677 errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->pkcs12_file, R_OK,
2678 "--pkcs12");
2679
2680 if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
2681 errs |= check_file_access (CHKACC_FILE, options->crl_file, R_OK|X_OK,
2682 "--crl-verify directory");
2683 else
2684 errs |= check_file_access (CHKACC_FILE, options->crl_file, R_OK,
2685 "--crl-verify");
2686
2687 errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->tls_auth_file, R_OK,
2688 "--tls-auth");
2689 #endif /* ENABLE_SSL */
2690 #ifdef ENABLE_CRYPTO
2691 errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->shared_secret_file, R_OK,
2692 "--secret");
2693 errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR,
2694 options->packet_id_file, R_OK|W_OK, "--replay-persist");
2695 #endif /* ENABLE_CRYPTO */
2696
2697
2698 /* ** Password files ** */
2699 #ifdef ENABLE_SSL
2700 errs |= check_file_access (CHKACC_FILE, options->key_pass_file, R_OK,
2701 "--askpass");
2702 #endif /* ENABLE_SSL */
2703 #ifdef ENABLE_MANAGEMENT
2704 errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,
2705 options->management_user_pass, R_OK,
2706 "--management user/password file");
2707 #endif /* ENABLE_MANAGEMENT */
2708 #if P2MP
2709 errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,
2710 options->auth_user_pass_file, R_OK,
2711 "--auth-user-pass");
2712 #endif /* P2MP */
2713
2714 /* ** System related ** */
2715 errs |= check_file_access (CHKACC_FILE, options->chroot_dir,
2716 R_OK|X_OK, "--chroot directory");
2717 errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
2718 R_OK|W_OK, "--writepid");
2719
2720 /* ** Log related ** */
2721 errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
2722 R_OK|W_OK, "--status");
2723
2724 /* ** Config related ** */
2725 #ifdef ENABLE_SSL
2726 errs |= check_file_access (CHKACC_FILE, options->tls_export_cert,
2727 R_OK|W_OK|X_OK, "--tls-export-cert");
2728 #endif /* ENABLE_SSL */
2729 #if P2MP_SERVER
2730 errs |= check_file_access (CHKACC_FILE, options->client_config_dir,
2731 R_OK|X_OK, "--client-config-dir");
2732 errs |= check_file_access (CHKACC_FILE, options->tmp_dir,
2733 R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
2734
2735 #endif /* P2MP_SERVER */
2736
2737 if (errs)
2738 msg (M_USAGE, "Please correct these errors.");
2739 }
2740 #endif /* !ENABLE_SMALL */
2741
2742 /*
2743 * Sanity check on options.
2744 * Also set some options based on other
2745 * options.
2746 */
2747 void
2748 options_postprocess (struct options *options)
2749 {
2750 options_postprocess_mutate (options);
2751 options_postprocess_verify (options);
2752 #ifndef ENABLE_SMALL
2753 options_postprocess_filechecks (options);
2754 #endif /* !ENABLE_SMALL */
2755 }
2756
2757 #if P2MP
2758
2759 /*
2760 * Save/Restore certain option defaults before --pull is applied.
2761 */
2762
2763 void
2764 pre_pull_save (struct options *o)
2765 {
2766 if (o->pull)
2767 {
2768 ALLOC_OBJ_CLEAR_GC (o->pre_pull, struct options_pre_pull, &o->gc);
2769 o->pre_pull->tuntap_options = o->tuntap_options;
2770 o->pre_pull->tuntap_options_defined = true;
2771 o->pre_pull->foreign_option_index = o->foreign_option_index;
2772 if (o->routes)
2773 {
2774 o->pre_pull->routes = clone_route_option_list(o->routes, &o->gc);
2775 o->pre_pull->routes_defined = true;
2776 }
2777 if (o->routes_ipv6)
2778 {
2779 o->pre_pull->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
2780 o->pre_pull->routes_ipv6_defined = true;
2781 }
2782 #ifdef ENABLE_CLIENT_NAT
2783 if (o->client_nat)
2784 {
2785 o->pre_pull->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
2786 o->pre_pull->client_nat_defined = true;
2787 }
2788 #endif
2789 }
2790 }
2791
2792 void
2793 pre_pull_restore (struct options *o)
2794 {
2795 const struct options_pre_pull *pp = o->pre_pull;
2796 if (pp)
2797 {
2798 CLEAR (o->tuntap_options);
2799 if (pp->tuntap_options_defined)
2800 o->tuntap_options = pp->tuntap_options;
2801
2802 if (pp->routes_defined)
2803 {
2804 rol_check_alloc (o);
2805 copy_route_option_list (o->routes, pp->routes);
2806 }
2807 else
2808 o->routes = NULL;
2809
2810 if (pp->routes_ipv6_defined)
2811 {
2812 rol6_check_alloc (o);
2813 copy_route_ipv6_option_list (o->routes_ipv6, pp->routes_ipv6);
2814 }
2815 else
2816 o->routes_ipv6 = NULL;
2817
2818 #ifdef ENABLE_CLIENT_NAT
2819 if (pp->client_nat_defined)
2820 {
2821 cnol_check_alloc (o);
2822 copy_client_nat_option_list (o->client_nat, pp->client_nat);
2823 }
2824 else
2825 o->client_nat = NULL;
2826 #endif
2827
2828 o->foreign_option_index = pp->foreign_option_index;
2829 }
2830
2831 o->push_continuation = 0;
2832 }
2833
2834 #endif
2835
2836 #ifdef ENABLE_OCC
2837
2838 /*
2839 * Build an options string to represent data channel encryption options.
2840 * This string must match exactly between peers. The keysize is checked
2841 * separately by read_key().
2842 *
2843 * The following options must match on both peers:
2844 *
2845 * Tunnel options:
2846 *
2847 * --dev tun|tap [unit number need not match]
2848 * --dev-type tun|tap
2849 * --link-mtu
2850 * --udp-mtu
2851 * --tun-mtu
2852 * --proto udp
2853 * --proto tcp-client [matched with --proto tcp-server
2854 * on the other end of the connection]
2855 * --proto tcp-server [matched with --proto tcp-client on
2856 * the other end of the connection]
2857 * --tun-ipv6
2858 * --ifconfig x y [matched with --ifconfig y x on
2859 * the other end of the connection]
2860 *
2861 * --comp-lzo
2862 * --fragment
2863 *
2864 * Crypto Options:
2865 *
2866 * --cipher
2867 * --auth
2868 * --keysize
2869 * --secret
2870 * --no-replay
2871 * --no-iv
2872 *
2873 * SSL Options:
2874 *
2875 * --tls-auth
2876 * --tls-client [matched with --tls-server on
2877 * the other end of the connection]
2878 * --tls-server [matched with --tls-client on
2879 * the other end of the connection]
2880 */
2881
2882 char *
2883 options_string (const struct options *o,
2884 const struct frame *frame,
2885 struct tuntap *tt,
2886 bool remote,
2887 struct gc_arena *gc)
2888 {
2889 struct buffer out = alloc_buf (OPTION_LINE_SIZE);
2890 bool tt_local = false;
2891
2892 buf_printf (&out, "V4");
2893
2894 /*
2895 * Tunnel Options
2896 */
2897
2898 buf_printf (&out, ",dev-type %s", dev_type_string (o->dev, o->dev_type));
2899 buf_printf (&out, ",link-mtu %d", EXPANDED_SIZE (frame));
2900 buf_printf (&out, ",tun-mtu %d", PAYLOAD_SIZE (frame));
2901 buf_printf (&out, ",proto %s", proto2ascii (proto_remote (o->ce.proto, remote), true));
2902
2903 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
2904 * is usually pushed by the server, triggering a non-helpful warning
2905 */
2906 if (o->tun_ipv6 && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
2907 buf_printf (&out, ",tun-ipv6");
2908
2909 /*
2910 * Try to get ifconfig parameters into the options string.
2911 * If tt is undefined, make a temporary instantiation.
2912 */
2913 if (!tt)
2914 {
2915 tt = init_tun (o->dev,
2916 o->dev_type,
2917 o->topology,
2918 o->ifconfig_local,
2919 o->ifconfig_remote_netmask,
2920 o->ifconfig_ipv6_local,
2921 o->ifconfig_ipv6_netbits,
2922 o->ifconfig_ipv6_remote,
2923 (in_addr_t)0,
2924 (in_addr_t)0,
2925 false,
2926 NULL);
2927 if (tt)
2928 tt_local = true;
2929 }
2930
2931 if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
2932 {
2933 const char *ios = ifconfig_options_string (tt, remote, o->ifconfig_nowarn, gc);
2934 if (ios && strlen (ios))
2935 buf_printf (&out, ",ifconfig %s", ios);
2936 }
2937 if (tt_local)
2938 {
2939 free (tt);
2940 tt = NULL;
2941 }
2942
2943 #ifdef ENABLE_LZO
2944 if (o->lzo & LZO_SELECTED)
2945 buf_printf (&out, ",comp-lzo");
2946 #endif
2947
2948 #ifdef ENABLE_FRAGMENT
2949 if (o->ce.fragment)
2950 buf_printf (&out, ",mtu-dynamic");
2951 #endif
2952
2953 #ifdef ENABLE_CRYPTO
2954
2955 #ifdef ENABLE_SSL
2956 #define TLS_CLIENT (o->tls_client)
2957 #define TLS_SERVER (o->tls_server)
2958 #else
2959 #define TLS_CLIENT (false)
2960 #define TLS_SERVER (false)
2961 #endif
2962
2963 /*
2964 * Key direction
2965 */
2966 {
2967 const char *kd = keydirection2ascii (o->key_direction, remote);
2968 if (kd)
2969 buf_printf (&out, ",keydir %s", kd);
2970 }
2971
2972 /*
2973 * Crypto Options
2974 */
2975 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
2976 {
2977 struct key_type kt;
2978
2979 ASSERT ((o->shared_secret_file != NULL)
2980 + (TLS_CLIENT == true)
2981 + (TLS_SERVER == true)
2982 <= 1);
2983
2984 init_key_type (&kt, o->ciphername, o->ciphername_defined,
2985 o->authname, o->authname_defined,
2986 o->keysize, true, false);
2987
2988 buf_printf (&out, ",cipher %s", cipher_kt_name (kt.cipher));
2989 buf_printf (&out, ",auth %s", md_kt_name (kt.digest));
2990 buf_printf (&out, ",keysize %d", kt.cipher_length * 8);
2991 if (o->shared_secret_file)
2992 buf_printf (&out, ",secret");
2993 if (!o->replay)
2994 buf_printf (&out, ",no-replay");
2995 if (!o->use_iv)
2996 buf_printf (&out, ",no-iv");
2997
2998 #ifdef ENABLE_PREDICTION_RESISTANCE
2999 if (o->use_prediction_resistance)
3000 buf_printf (&out, ",use-prediction-resistance");
3001 #endif
3002 }
3003
3004 #ifdef ENABLE_SSL
3005 /*
3006 * SSL Options
3007 */
3008 {
3009 if (TLS_CLIENT || TLS_SERVER)
3010 {
3011 if (o->tls_auth_file)
3012 buf_printf (&out, ",tls-auth");
3013
3014 if (o->key_method > 1)
3015 buf_printf (&out, ",key-method %d", o->key_method);
3016 }
3017
3018 if (remote)
3019 {
3020 if (TLS_CLIENT)
3021 buf_printf (&out, ",tls-server");
3022 else if (TLS_SERVER)
3023 buf_printf (&out, ",tls-client");
3024 }
3025 else
3026 {
3027 if (TLS_CLIENT)
3028 buf_printf (&out, ",tls-client");
3029 else if (TLS_SERVER)
3030 buf_printf (&out, ",tls-server");
3031 }
3032 }
3033 #endif /* ENABLE_SSL */
3034
3035 #undef TLS_CLIENT
3036 #undef TLS_SERVER
3037
3038 #endif /* ENABLE_CRYPTO */
3039
3040 return BSTR (&out);
3041 }
3042
3043 /*
3044 * Compare option strings for equality.
3045 * If the first two chars of the strings differ, it means that
3046 * we are looking at different versions of the options string,
3047 * therefore don't compare them and return true.
3048 */
3049
3050 bool
3051 options_cmp_equal (char *actual, const char *expected)
3052 {
3053 return options_cmp_equal_safe (actual, expected, strlen (actual) + 1);
3054 }
3055
3056 void
3057 options_warning (char *actual, const char *expected)
3058 {
3059 options_warning_safe (actual, expected, strlen (actual) + 1);
3060 }
3061
3062 static const char *
3063 options_warning_extract_parm1 (const char *option_string,
3064 struct gc_arena *gc_ret)
3065 {
3066 struct gc_arena gc = gc_new ();
3067 struct buffer b = string_alloc_buf (option_string, &gc);
3068 char *p = gc_malloc (OPTION_PARM_SIZE, false, &gc);
3069 const char *ret;
3070
3071 buf_parse (&b, ' ', p, OPTION_PARM_SIZE);
3072 ret = string_alloc (p, gc_ret);
3073 gc_free (&gc);
3074 return ret;
3075 }
3076
3077 static void
3078 options_warning_safe_scan2 (const int msglevel,
3079 const int delim,
3080 const bool report_inconsistent,
3081 const char *p1,
3082 const struct buffer *b2_src,
3083 const char *b1_name,
3084 const char *b2_name)
3085 {
3086 /* we will stop sending 'proto xxx' in OCC in a future version
3087 * (because it's not useful), and to reduce questions when
3088 * interoperating, we start not-printing a warning about it today
3089 */
3090 if (strncmp(p1, "proto ", 6) == 0 )
3091 {
3092 return;
3093 }
3094
3095 if (strlen (p1) > 0)
3096 {
3097 struct gc_arena gc = gc_new ();
3098 struct buffer b2 = *b2_src;
3099 const char *p1_prefix = options_warning_extract_parm1 (p1, &gc);
3100 char *p2 = gc_malloc (OPTION_PARM_SIZE, false, &gc);
3101
3102 while (buf_parse (&b2, delim, p2, OPTION_PARM_SIZE))
3103 {
3104 if (strlen (p2))
3105 {
3106 const char *p2_prefix = options_warning_extract_parm1 (p2, &gc);
3107
3108 if (!strcmp (p1, p2))
3109 goto done;
3110 if (!strcmp (p1_prefix, p2_prefix))
3111 {
3112 if (report_inconsistent)
3113 msg (msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
3114 safe_print (p1_prefix, &gc),
3115 b1_name,
3116 safe_print (p1, &gc),
3117 b2_name,
3118 safe_print (p2, &gc));
3119 goto done;
3120 }
3121 }
3122 }
3123
3124 msg (msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
3125 safe_print (p1_prefix, &gc),
3126 b1_name,
3127 b2_name,
3128 b1_name,
3129 safe_print (p1, &gc));
3130
3131 done:
3132 gc_free (&gc);
3133 }
3134 }
3135
3136 static void
3137 options_warning_safe_scan1 (const int msglevel,
3138 const int delim,
3139 const bool report_inconsistent,
3140 const struct buffer *b1_src,
3141 const struct buffer *b2_src,
3142 const char *b1_name,
3143 const char *b2_name)
3144 {
3145 struct gc_arena gc = gc_new ();
3146 struct buffer b = *b1_src;
3147 char *p = gc_malloc (OPTION_PARM_SIZE, true, &gc);
3148
3149 while (buf_parse (&b, delim, p, OPTION_PARM_SIZE))
3150 options_warning_safe_scan2 (msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
3151
3152 gc_free (&gc);
3153 }
3154
3155 static void
3156 options_warning_safe_ml (const int msglevel, char *actual, const char *expected, size_t actual_n)
3157 {
3158 struct gc_arena gc = gc_new ();
3159
3160 if (actual_n > 0)
3161 {
3162 struct buffer local = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
3163 struct buffer remote = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
3164 actual[actual_n - 1] = 0;
3165
3166 buf_printf (&local, "version %s", expected);
3167 buf_printf (&remote, "version %s", actual);
3168
3169 options_warning_safe_scan1 (msglevel, ',', true,
3170 &local, &remote,
3171 "local", "remote");
3172
3173 options_warning_safe_scan1 (msglevel, ',', false,
3174 &remote, &local,
3175 "remote", "local");
3176 }
3177
3178 gc_free (&gc);
3179 }
3180
3181 bool
3182 options_cmp_equal_safe (char *actual, const char *expected, size_t actual_n)
3183 {
3184 struct gc_arena gc = gc_new ();
3185 bool ret = true;
3186
3187 if (actual_n > 0)
3188 {
3189 actual[actual_n - 1] = 0;
3190 #ifndef ENABLE_STRICT_OPTIONS_CHECK
3191 if (strncmp (actual, expected, 2))
3192 {
3193 msg (D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
3194 options_warning_safe_ml (D_SHOW_OCC, actual, expected, actual_n);
3195 }
3196 else
3197 #endif
3198 ret = !strcmp (actual, expected);
3199 }
3200 gc_free (&gc);
3201 return ret;
3202 }
3203
3204 void
3205 options_warning_safe (char *actual, const char *expected, size_t actual_n)
3206 {
3207 options_warning_safe_ml (M_WARN, actual, expected, actual_n);
3208 }
3209
3210 const char *
3211 options_string_version (const char* s, struct gc_arena *gc)
3212 {
3213 struct buffer out = alloc_buf_gc (4, gc);
3214 strncpynt ((char *) BPTR (&out), s, 3);
3215 return BSTR (&out);
3216 }
3217
3218 #endif /* ENABLE_OCC */
3219
3220 static void
3221 foreign_option (struct options *o, char *argv[], int len, struct env_set *es)
3222 {
3223 if (len > 0)
3224 {
3225 struct gc_arena gc = gc_new();
3226 struct buffer name = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
3227 struct buffer value = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
3228 int i;
3229 bool first = true;
3230 bool good = true;
3231
3232 good &= buf_printf (&name, "foreign_option_%d", o->foreign_option_index + 1);
3233 ++o->foreign_option_index;
3234 for (i = 0; i < len; ++i)
3235 {
3236 if (argv[i])
3237 {
3238 if (!first)
3239 good &= buf_printf (&value, " ");
3240 good &= buf_printf (&value, "%s", argv[i]);
3241 first = false;
3242 }
3243 }
3244 if (good)
3245 setenv_str (es, BSTR(&name), BSTR(&value));
3246 else
3247 msg (M_WARN, "foreign_option: name/value overflow");
3248 gc_free (&gc);
3249 }
3250 }
3251
3252 /*
3253 * parse/print topology coding
3254 */
3255
3256 int
3257 parse_topology (const char *str, const int msglevel)
3258 {
3259 if (streq (str, "net30"))
3260 return TOP_NET30;
3261 else if (streq (str, "p2p"))
3262 return TOP_P2P;
3263 else if (streq (str, "subnet"))
3264 return TOP_SUBNET;
3265 else
3266 {
3267 msg (msglevel, "--topology must be net30, p2p, or subnet");
3268 return TOP_UNDEF;
3269 }
3270 }
3271
3272 const char *
3273 print_topology (const int topology)
3274 {
3275 switch (topology)
3276 {
3277 case TOP_UNDEF:
3278 return "undef";
3279 case TOP_NET30:
3280 return "net30";
3281 case TOP_P2P:
3282 return "p2p";
3283 case TOP_SUBNET:
3284 return "subnet";
3285 default:
3286 return "unknown";
3287 }
3288 }
3289
3290 #if P2MP
3291
3292 /*
3293 * Manage auth-retry variable
3294 */
3295
3296 static int global_auth_retry; /* GLOBAL */
3297
3298 int
3299 auth_retry_get (void)
3300 {
3301 return global_auth_retry;
3302 }
3303
3304 bool
3305 auth_retry_set (const int msglevel, const char *option)
3306 {
3307 if (streq (option, "interact"))
3308 global_auth_retry = AR_INTERACT;
3309 else if (streq (option, "nointeract"))
3310 global_auth_retry = AR_NOINTERACT;
3311 else if (streq (option, "none"))
3312 global_auth_retry = AR_NONE;
3313 else
3314 {
3315 msg (msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
3316 return false;
3317 }
3318 return true;
3319 }
3320
3321 const char *
3322 auth_retry_print (void)
3323 {
3324 switch (global_auth_retry)
3325 {
3326 case AR_NONE:
3327 return "none";
3328 case AR_NOINTERACT:
3329 return "nointeract";
3330 case AR_INTERACT:
3331 return "interact";
3332 default:
3333 return "???";
3334 }
3335 }
3336
3337 #endif
3338
3339 /*
3340 * Print the help message.
3341 */
3342 static void
3343 usage (void)
3344 {
3345 FILE *fp = msg_fp(0);
3346
3347 #ifdef ENABLE_SMALL
3348
3349 fprintf (fp, "Usage message not available\n");
3350
3351 #else
3352
3353 struct options o;
3354 init_options (&o, true);
3355
3356 #if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
3357 fprintf (fp, usage_message,
3358 title_string,
3359 o.ce.connect_retry_seconds,
3360 o.ce.local_port, o.ce.remote_port,
3361 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
3362 o.verbosity,
3363 o.authname, o.ciphername,
3364 o.replay_window, o.replay_time,
3365 o.tls_timeout, o.renegotiate_seconds,
3366 o.handshake_window, o.transition_window);
3367 #elif defined(ENABLE_CRYPTO)
3368 fprintf (fp, usage_message,
3369 title_string,
3370 o.ce.connect_retry_seconds,
3371 o.ce.local_port, o.ce.remote_port,
3372 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
3373 o.verbosity,
3374 o.authname, o.ciphername,
3375 o.replay_window, o.replay_time);
3376 #else
3377 fprintf (fp, usage_message,
3378 title_string,
3379 o.ce.connect_retry_seconds,
3380 o.ce.local_port, o.ce.remote_port,
3381 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
3382 o.verbosity);
3383 #endif
3384 fflush(fp);
3385
3386 #endif /* ENABLE_SMALL */
3387
3388 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
3389 }
3390
3391 void
3392 usage_small (void)
3393 {
3394 msg (M_WARN|M_NOPREFIX, "Use --help for more information.");
3395 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
3396 }
3397
3398 static void
3399 usage_version (void)
3400 {
3401 msg (M_INFO|M_NOPREFIX, "%s", title_string);
3402 msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
3403 msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>");
3404 #ifndef ENABLE_SMALL
3405 #ifdef CONFIGURE_DEFINES
3406 msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
3407 #endif
3408 #ifdef CONFIGURE_SPECIAL_BUILD
3409 msg (M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
3410 #endif
3411 #ifdef CONFIGURE_GIT_REVISION
3412 msg (M_INFO|M_NOPREFIX, "git revision: %s", CONFIGURE_GIT_REVISION);
3413 #endif
3414 #endif
3415 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
3416 }
3417
3418 void
3419 notnull (const char *arg, const char *description)
3420 {
3421 if (!arg)
3422 msg (M_USAGE, "You must define %s", description);
3423 }
3424
3425 bool
3426 string_defined_equal (const char *s1, const char *s2)
3427 {
3428 if (s1 && s2)
3429 return !strcmp (s1, s2);
3430 else
3431 return false;
3432 }
3433
3434 #if 0
3435 static void
3436 ping_rec_err (int msglevel)
3437 {
3438 msg (msglevel, "only one of --ping-exit or --ping-restart options may be specified");
3439 }
3440 #endif
3441
3442 static int
3443 positive_atoi (const char *str)
3444 {
3445 const int i = atoi (str);
3446 return i < 0 ? 0 : i;
3447 }
3448
3449 #ifdef WIN32 /* This function is only used when compiling on Windows */
3450 static unsigned int
3451 atou (const char *str)
3452 {
3453 unsigned int val = 0;
3454 sscanf (str, "%u", &val);
3455 return val;
3456 }
3457 #endif
3458
3459 static inline bool
3460 space (unsigned char c)
3461 {
3462 return c == '\0' || isspace (c);
3463 }
3464
3465 int
3466 parse_line (const char *line,
3467 char *p[],
3468 const int n,
3469 const char *file,
3470 const int line_num,
3471 int msglevel,
3472 struct gc_arena *gc)
3473 {
3474 const int STATE_INITIAL = 0;
3475 const int STATE_READING_QUOTED_PARM = 1;
3476 const int STATE_READING_UNQUOTED_PARM = 2;
3477 const int STATE_DONE = 3;
3478 const int STATE_READING_SQUOTED_PARM = 4;
3479
3480 const char *error_prefix = "";
3481
3482 int ret = 0;
3483 const char *c = line;
3484 int state = STATE_INITIAL;
3485 bool backslash = false;
3486 char in, out;
3487
3488 char parm[OPTION_PARM_SIZE];
3489 unsigned int parm_len = 0;
3490
3491 msglevel &= ~M_OPTERR;
3492
3493 if (msglevel & M_MSG_VIRT_OUT)
3494 error_prefix = "ERROR: ";
3495
3496 do
3497 {
3498 in = *c;
3499 out = 0;
3500
3501 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
3502 {
3503 backslash = true;
3504 }
3505 else
3506 {
3507 if (state == STATE_INITIAL)
3508 {
3509 if (!space (in))
3510 {
3511 if (in == ';' || in == '#') /* comment */
3512 break;
3513 if (!backslash && in == '\"')
3514 state = STATE_READING_QUOTED_PARM;
3515 else if (!backslash && in == '\'')
3516 state = STATE_READING_SQUOTED_PARM;
3517 else
3518 {
3519 out = in;
3520 state = STATE_READING_UNQUOTED_PARM;
3521 }
3522 }
3523 }
3524 else if (state == STATE_READING_UNQUOTED_PARM)
3525 {
3526 if (!backslash && space (in))
3527 state = STATE_DONE;
3528 else
3529 out = in;
3530 }
3531 else if (state == STATE_READING_QUOTED_PARM)
3532 {
3533 if (!backslash && in == '\"')
3534 state = STATE_DONE;
3535 else
3536 out = in;
3537 }
3538 else if (state == STATE_READING_SQUOTED_PARM)
3539 {
3540 if (in == '\'')
3541 state = STATE_DONE;
3542 else
3543 out = in;
3544 }
3545 if (state == STATE_DONE)
3546 {
3547 /* ASSERT (parm_len > 0); */
3548 p[ret] = gc_malloc (parm_len + 1, true, gc);
3549 memcpy (p[ret], parm, parm_len);
3550 p[ret][parm_len] = '\0';
3551 state = STATE_INITIAL;
3552 parm_len = 0;
3553 ++ret;
3554 }
3555
3556 if (backslash && out)
3557 {
3558 if (!(out == '\\' || out == '\"' || space (out)))
3559 {
3560 #ifdef ENABLE_SMALL
3561 msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
3562 #else
3563 msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
3564 #endif
3565 return 0;
3566 }
3567 }
3568 backslash = false;
3569 }
3570
3571 /* store parameter character */
3572 if (out)
3573 {
3574 if (parm_len >= SIZE (parm))
3575 {
3576 parm[SIZE (parm) - 1] = 0;
3577 msg (msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
3578 error_prefix, file, line_num, (int) SIZE (parm), parm);
3579 return 0;
3580 }
3581 parm[parm_len++] = out;
3582 }
3583
3584 /* avoid overflow if too many parms in one config file line */
3585 if (ret >= n)
3586 break;
3587
3588 } while (*c++ != '\0');
3589
3590 if (state == STATE_READING_QUOTED_PARM)
3591 {
3592 msg (msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
3593 return 0;
3594 }
3595 if (state == STATE_READING_SQUOTED_PARM)
3596 {
3597 msg (msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
3598 return 0;
3599 }
3600 if (state != STATE_INITIAL)
3601 {
3602 msg (msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
3603 return 0;
3604 }
3605 #if 0
3606 {
3607 int i;
3608 for (i = 0; i < ret; ++i)
3609 {
3610 msg (M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
3611 }
3612 }
3613 #endif
3614 return ret;
3615 }
3616
3617 static void
3618 bypass_doubledash (char **p)
3619 {
3620 if (strlen (*p) >= 3 && !strncmp (*p, "--", 2))
3621 *p += 2;
3622 }
3623
3624 struct in_src {
3625 # define IS_TYPE_FP 1
3626 # define IS_TYPE_BUF 2
3627 int type;
3628 union {
3629 FILE *fp;
3630 struct buffer *multiline;
3631 } u;
3632 };
3633
3634 static bool
3635 in_src_get (const struct in_src *is, char *line, const int size)
3636 {
3637 if (is->type == IS_TYPE_FP)
3638 {
3639 return BOOL_CAST (fgets (line, size, is->u.fp));
3640 }
3641 else if (is->type == IS_TYPE_BUF)
3642 {
3643 bool status = buf_parse (is->u.multiline, '\n', line, size);
3644 if ((int) strlen (line) + 1 < size)
3645 strcat (line, "\n");
3646 return status;
3647 }
3648 else
3649 {
3650 ASSERT (0);
3651 return false;
3652 }
3653 }
3654
3655 static char *
3656 read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc)
3657 {
3658 char line[OPTION_LINE_SIZE];
3659 struct buffer buf = alloc_buf (10000);
3660 char *ret;
3661 while (in_src_get (is, line, sizeof (line)))
3662 {
3663 if (!strncmp (line, close_tag, strlen (close_tag)))
3664 break;
3665 buf_printf (&buf, "%s", line);
3666 }
3667 ret = string_alloc (BSTR (&buf), gc);
3668 buf_clear (&buf);
3669 free_buf (&buf);
3670 CLEAR (line);
3671 return ret;
3672 }
3673
3674 static bool
3675 check_inline_file (struct in_src *is, char *p[], struct gc_arena *gc)
3676 {
3677 bool ret = false;
3678 if (p[0] && !p[1])
3679 {
3680 char *arg = p[0];
3681 if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
3682 {
3683 struct buffer close_tag;
3684 arg[strlen(arg)-1] = '\0';
3685 p[0] = string_alloc (arg+1, gc);
3686 p[1] = string_alloc (INLINE_FILE_TAG, gc);
3687 close_tag = alloc_buf (strlen(p[0]) + 4);
3688 buf_printf (&close_tag, "</%s>", p[0]);
3689 p[2] = read_inline_file (is, BSTR (&close_tag), gc);
3690 p[3] = NULL;
3691 free_buf (&close_tag);
3692 ret = true;
3693 }
3694 }
3695 return ret;
3696 }
3697
3698 static bool
3699 check_inline_file_via_fp (FILE *fp, char *p[], struct gc_arena *gc)
3700 {
3701 struct in_src is;
3702 is.type = IS_TYPE_FP;
3703 is.u.fp = fp;
3704 return check_inline_file (&is, p, gc);
3705 }
3706
3707 static bool
3708 check_inline_file_via_buf (struct buffer *multiline, char *p[], struct gc_arena *gc)
3709 {
3710 struct in_src is;
3711 is.type = IS_TYPE_BUF;
3712 is.u.multiline = multiline;
3713 return check_inline_file (&is, p, gc);
3714 }
3715
3716 static void
3717 add_option (struct options *options,
3718 char *p[],
3719 const char *file,
3720 int line,
3721 const int level,
3722 const int msglevel,
3723 const unsigned int permission_mask,
3724 unsigned int *option_types_found,
3725 struct env_set *es);
3726
3727 static void
3728 read_config_file (struct options *options,
3729 const char *file,
3730 int level,
3731 const char *top_file,
3732 const int top_line,
3733 const int msglevel,
3734 const unsigned int permission_mask,
3735 unsigned int *option_types_found,
3736 struct env_set *es)
3737 {
3738 const int max_recursive_levels = 10;
3739 FILE *fp;
3740 int line_num;
3741 char line[OPTION_LINE_SIZE];
3742 char *p[MAX_PARMS];
3743
3744 ++level;
3745 if (level <= max_recursive_levels)
3746 {
3747 if (streq (file, "stdin"))
3748 fp = stdin;
3749 else
3750 fp = platform_fopen (file, "r");
3751 if (fp)
3752 {
3753 line_num = 0;
3754 while (fgets(line, sizeof (line), fp))
3755 {
3756 int offset = 0;
3757 CLEAR (p);
3758 ++line_num;
3759 /* Ignore UTF-8 BOM at start of stream */
3760 if (line_num == 1 && strncmp (line, "\xEF\xBB\xBF", 3) == 0)
3761 offset = 3;
3762 if (parse_line (line + offset, p, SIZE (p), file, line_num, msglevel, &options->gc))
3763 {
3764 bypass_doubledash (&p[0]);
3765 check_inline_file_via_fp (fp, p, &options->gc);
3766 add_option (options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
3767 }
3768 }
3769 if (fp != stdin)
3770 fclose (fp);
3771 }
3772 else
3773 {
3774 msg (msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
3775 }
3776 }
3777 else
3778 {
3779 msg (msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
3780 }
3781 CLEAR (line);
3782 CLEAR (p);
3783 }
3784
3785 static void
3786 read_config_string (const char *prefix,
3787 struct options *options,
3788 const char *config,
3789 const int msglevel,
3790 const unsigned int permission_mask,
3791 unsigned int *option_types_found,
3792 struct env_set *es)
3793 {
3794 char line[OPTION_LINE_SIZE];
3795 struct buffer multiline;
3796 int line_num = 0;
3797
3798 buf_set_read (&multiline, (uint8_t*)config, strlen (config));
3799
3800 while (buf_parse (&multiline, '\n', line, sizeof (line)))
3801 {
3802 char *p[MAX_PARMS];
3803 CLEAR (p);
3804 ++line_num;
3805 if (parse_line (line, p, SIZE (p), prefix, line_num, msglevel, &options->gc))
3806 {
3807 bypass_doubledash (&p[0]);
3808 check_inline_file_via_buf (&multiline, p, &options->gc);
3809 add_option (options, p, NULL, line_num, 0, msglevel, permission_mask, option_types_found, es);
3810 }
3811 CLEAR (p);
3812 }
3813 CLEAR (line);
3814 }
3815
3816 void
3817 parse_argv (struct options *options,
3818 const int argc,
3819 char *argv[],
3820 const int msglevel,
3821 const unsigned int permission_mask,
3822 unsigned int *option_types_found,
3823 struct env_set *es)
3824 {
3825 int i, j;
3826
3827 /* usage message */
3828 if (argc <= 1)
3829 usage ();
3830
3831 /* config filename specified only? */
3832 if (argc == 2 && strncmp (argv[1], "--", 2))
3833 {
3834 char *p[MAX_PARMS];
3835 CLEAR (p);
3836 p[0] = "config";
3837 p[1] = argv[1];
3838 add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
3839 }
3840 else
3841 {
3842 /* parse command line */
3843 for (i = 1; i < argc; ++i)
3844 {
3845 char *p[MAX_PARMS];
3846 CLEAR (p);
3847 p[0] = argv[i];
3848 if (strncmp(p[0], "--", 2))
3849 {
3850 msg (msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
3851 }
3852 else
3853 p[0] += 2;
3854
3855 for (j = 1; j < MAX_PARMS; ++j)
3856 {
3857 if (i + j < argc)
3858 {
3859 char *arg = argv[i + j];
3860 if (strncmp (arg, "--", 2))
3861 p[j] = arg;
3862 else
3863 break;
3864 }
3865 }
3866 add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
3867 i += j - 1;
3868 }
3869 }
3870 }
3871
3872 bool
3873 apply_push_options (struct options *options,
3874 struct buffer *buf,
3875 unsigned int permission_mask,
3876 unsigned int *option_types_found,
3877 struct env_set *es)
3878 {
3879 char line[OPTION_PARM_SIZE];
3880 int line_num = 0;
3881 const char *file = "[PUSH-OPTIONS]";
3882 const int msglevel = D_PUSH_ERRORS|M_OPTERR;
3883
3884 while (buf_parse (buf, ',', line, sizeof (line)))
3885 {
3886 char *p[MAX_PARMS];
3887 CLEAR (p);
3888 ++line_num;
3889 if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
3890 {
3891 add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
3892 }
3893 }
3894 return true;
3895 }
3896
3897 void
3898 options_server_import (struct options *o,
3899 const char *filename,
3900 int msglevel,
3901 unsigned int permission_mask,
3902 unsigned int *option_types_found,
3903 struct env_set *es)
3904 {
3905 msg (D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
3906 read_config_file (o,
3907 filename,
3908 0,
3909 filename,
3910 0,
3911 msglevel,
3912 permission_mask,
3913 option_types_found,
3914 es);
3915 }
3916
3917 void options_string_import (struct options *options,
3918 const char *config,
3919 const int msglevel,
3920 const unsigned int permission_mask,
3921 unsigned int *option_types_found,
3922 struct env_set *es)
3923 {
3924 read_config_string ("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
3925 }
3926
3927 #if P2MP
3928
3929 #define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], file, (mask), permission_mask, option_types_found, msglevel)) goto err; }
3930
3931 static bool
3932 verify_permission (const char *name,
3933 const char* file,
3934 const unsigned int type,
3935 const unsigned int allowed,
3936 unsigned int *found,
3937 const int msglevel)
3938 {
3939 if (!(type & allowed))
3940 {
3941 msg (msglevel, "option '%s' cannot be used in this context (%s)", name, file);
3942 return false;
3943 }
3944 else
3945 {
3946 if (found)
3947 *found |= type;
3948 return true;
3949 }
3950 }
3951
3952 #else
3953
3954 #define VERIFY_PERMISSION(mask)
3955
3956 #endif
3957
3958 /*
3959 * Check that an option doesn't have too
3960 * many parameters.
3961 */
3962
3963 #define NM_QUOTE_HINT (1<<0)
3964
3965 static bool
3966 no_more_than_n_args (const int msglevel,
3967 char *p[],
3968 const int max,
3969 const unsigned int flags)
3970 {
3971 const int len = string_array_len ((const char **)p);
3972
3973 if (!len)
3974 return false;
3975
3976 if (len > max)
3977 {
3978 msg (msglevel, "the --%s directive should have at most %d parameter%s.%s",
3979 p[0],
3980 max - 1,
3981 max >= 3 ? "s" : "",
3982 (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
3983 return false;
3984 }
3985 else
3986 return true;
3987 }
3988
3989 static inline int
3990 msglevel_forward_compatible (struct options *options, const int msglevel)
3991 {
3992 return options->forward_compatible ? M_WARN : msglevel;
3993 }
3994
3995 static void
3996 set_user_script (struct options *options,
3997 const char **script,
3998 const char *new_script,
3999 const char *type)
4000 {
4001 if (*script) {
4002 msg (M_WARN, "Multiple --%s scripts defined. "
4003 "The previously configured script is overridden.", type);
4004 }
4005 *script = new_script;
4006 options->user_script_used = true;
4007
4008 #ifndef ENABLE_SMALL
4009 {
4010 char script_name[100];
4011 openvpn_snprintf (script_name, sizeof(script_name),
4012 "--%s script", type);
4013
4014 if (check_cmd_access (*script, script_name))
4015 msg (M_USAGE, "Please correct this error.");
4016 }
4017 #endif
4018 }
4019
4020
4021 static void
4022 add_option (struct options *options,
4023 char *p[],
4024 const char *file,
4025 int line,
4026 const int level,
4027 const int msglevel,
4028 const unsigned int permission_mask,
4029 unsigned int *option_types_found,
4030 struct env_set *es)
4031 {
4032 struct gc_arena gc = gc_new ();
4033 const bool pull_mode = BOOL_CAST (permission_mask & OPT_P_PULL_MODE);
4034 int msglevel_fc = msglevel_forward_compatible (options, msglevel);
4035
4036 ASSERT (MAX_PARMS >= 5);
4037 if (!file)
4038 {
4039 file = "[CMD-LINE]";
4040 line = 1;
4041 }
4042 if (streq (p[0], "help"))
4043 {
4044 VERIFY_PERMISSION (OPT_P_GENERAL);
4045 usage ();
4046 }
4047 if (streq (p[0], "version"))
4048 {
4049 VERIFY_PERMISSION (OPT_P_GENERAL);
4050 usage_version ();
4051 }
4052 else if (streq (p[0], "config") && p[1])
4053 {
4054 VERIFY_PERMISSION (OPT_P_CONFIG);
4055
4056 /* save first config file only in options */
4057 if (!options->config)
4058 options->config = p[1];
4059
4060 read_config_file (options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
4061 }
4062 #ifdef ENABLE_DEBUG
4063 else if (streq (p[0], "show-gateway"))
4064 {
4065 struct route_gateway_info rgi;
4066 VERIFY_PERMISSION (OPT_P_GENERAL);
4067 get_default_gateway(&rgi);
4068 print_default_gateway(M_INFO, &rgi);
4069 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
4070 }
4071 #endif
4072 #if 0
4073 else if (streq (p[0], "foreign-option") && p[1])
4074 {
4075 VERIFY_PERMISSION (OPT_P_IPWIN32);
4076 foreign_option (options, p, 3, es);
4077 }
4078 #endif
4079 else if (streq (p[0], "echo") || streq (p[0], "parameter"))
4080 {
4081 struct buffer string = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
4082 int j;
4083 bool good = true;
4084
4085 VERIFY_PERMISSION (OPT_P_ECHO);
4086
4087 for (j = 1; j < MAX_PARMS; ++j)
4088 {
4089 if (!p[j])
4090 break;
4091 if (j > 1)
4092 good &= buf_printf (&string, " ");
4093 good &= buf_printf (&string, "%s", p[j]);
4094 }
4095 if (good)
4096 {
4097 #if 0
4098 /* removed for now since ECHO can potentially include
4099 security-sensitive strings */
4100 msg (M_INFO, "%s:%s",
4101 pull_mode ? "ECHO-PULL" : "ECHO",
4102 BSTR (&string));
4103 #endif
4104 #ifdef ENABLE_MANAGEMENT
4105 if (management)
4106 management_echo (management, BSTR (&string), pull_mode);
4107 #endif
4108 }
4109 else
4110 msg (M_WARN, "echo/parameter option overflow");
4111 }
4112 #ifdef ENABLE_MANAGEMENT
4113 else if (streq (p[0], "management") && p[1] && p[2])
4114 {
4115 int port = 0;
4116
4117 VERIFY_PERMISSION (OPT_P_GENERAL);
4118 if (streq (p[2], "unix"))
4119 {
4120 #if UNIX_SOCK_SUPPORT
4121 options->management_flags |= MF_UNIX_SOCK;
4122 #else
4123 msg (msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
4124 goto err;
4125 #endif
4126 }
4127 else
4128 {
4129 port = atoi (p[2]);
4130 if (!legal_ipv4_port (port))
4131 {
4132 msg (msglevel, "port number associated with --management directive is out of range");
4133 goto err;
4134 }
4135 }
4136
4137 options->management_addr = p[1];
4138 options->management_port = port;
4139 if (p[3])
4140 {
4141 options->management_user_pass = p[3];
4142 }
4143 }
4144 else if (streq (p[0], "management-client-user") && p[1])
4145 {
4146 VERIFY_PERMISSION (OPT_P_GENERAL);
4147 options->management_client_user = p[1];
4148 }
4149 else if (streq (p[0], "management-client-group") && p[1])
4150 {
4151 VERIFY_PERMISSION (OPT_P_GENERAL);
4152 options->management_client_group = p[1];
4153 }
4154 else if (streq (p[0], "management-query-passwords"))
4155 {
4156 VERIFY_PERMISSION (OPT_P_GENERAL);
4157 options->management_flags |= MF_QUERY_PASSWORDS;
4158 }
4159 else if (streq (p[0], "management-query-remote"))
4160 {
4161 VERIFY_PERMISSION (OPT_P_GENERAL);
4162 options->management_flags |= MF_QUERY_REMOTE;
4163 }
4164 else if (streq (p[0], "management-query-proxy"))
4165 {
4166 VERIFY_PERMISSION (OPT_P_GENERAL);
4167 options->management_flags |= MF_QUERY_PROXY;
4168 options->force_connection_list = true;
4169 }
4170 else if (streq (p[0], "management-hold"))
4171 {
4172 VERIFY_PERMISSION (OPT_P_GENERAL);
4173 options->management_flags |= MF_HOLD;
4174 }
4175 else if (streq (p[0], "management-signal"))
4176 {
4177 VERIFY_PERMISSION (OPT_P_GENERAL);
4178 options->management_flags |= MF_SIGNAL;
4179 }
4180 else if (streq (p[0], "management-forget-disconnect"))
4181 {
4182 VERIFY_PERMISSION (OPT_P_GENERAL);
4183 options->management_flags |= MF_FORGET_DISCONNECT;
4184 }
4185 else if (streq (p[0], "management-up-down"))
4186 {
4187 VERIFY_PERMISSION (OPT_P_GENERAL);
4188 options->management_flags |= MF_UP_DOWN;
4189 }
4190 else if (streq (p[0], "management-client"))
4191 {
4192 VERIFY_PERMISSION (OPT_P_GENERAL);
4193 options->management_flags |= MF_CONNECT_AS_CLIENT;
4194 options->management_write_peer_info_file = p[1];
4195 }
4196 #ifdef MANAGMENT_EXTERNAL_KEY
4197 else if (streq (p[0], "management-external-key"))
4198 {
4199 VERIFY_PERMISSION (OPT_P_GENERAL);
4200 options->management_flags |= MF_EXTERNAL_KEY;
4201 }
4202 #endif
4203 #ifdef MANAGEMENT_DEF_AUTH
4204 else if (streq (p[0], "management-client-auth"))
4205 {
4206 VERIFY_PERMISSION (OPT_P_GENERAL);
4207 options->management_flags |= MF_CLIENT_AUTH;
4208 }
4209 #endif
4210 #ifdef ENABLE_X509_TRACK
4211 else if (streq (p[0], "x509-track") && p[1])
4212 {
4213 VERIFY_PERMISSION (OPT_P_GENERAL);
4214 x509_track_add (&options->x509_track, p[1], msglevel, &options->gc);
4215 }
4216 #endif
4217 #ifdef MANAGEMENT_PF
4218 else if (streq (p[0], "management-client-pf"))
4219 {
4220 VERIFY_PERMISSION (OPT_P_GENERAL);
4221 options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
4222 }
4223 #endif
4224 else if (streq (p[0], "management-log-cache") && p[1])
4225 {
4226 int cache;
4227
4228 VERIFY_PERMISSION (OPT_P_GENERAL);
4229 cache = atoi (p[1]);
4230 if (cache < 1)
4231 {
4232 msg (msglevel, "--management-log-cache parameter is out of range");
4233 goto err;
4234 }
4235 options->management_log_history_cache = cache;
4236 }
4237 #endif
4238 #ifdef ENABLE_PLUGIN
4239 else if (streq (p[0], "plugin") && p[1])
4240 {
4241 VERIFY_PERMISSION (OPT_P_PLUGIN);
4242 if (!options->plugin_list)
4243 options->plugin_list = plugin_option_list_new (&options->gc);
4244 if (!plugin_option_list_add (options->plugin_list, &p[1], &options->gc))
4245 {
4246 msg (msglevel, "plugin add failed: %s", p[1]);
4247 goto err;
4248 }
4249 }
4250 #endif
4251 else if (streq (p[0], "mode") && p[1])
4252 {
4253 VERIFY_PERMISSION (OPT_P_GENERAL);
4254 if (streq (p[1], "p2p"))
4255 options->mode = MODE_POINT_TO_POINT;
4256 #if P2MP_SERVER
4257 else if (streq (p[1], "server"))
4258 options->mode = MODE_SERVER;
4259 #endif
4260 else
4261 {
4262 msg (msglevel, "Bad --mode parameter: %s", p[1]);
4263 goto err;
4264 }
4265 }
4266 else if (streq (p[0], "dev") && p[1])
4267 {
4268 VERIFY_PERMISSION (OPT_P_GENERAL);
4269 options->dev = p[1];
4270 }
4271 else if (streq (p[0], "dev-type") && p[1])
4272 {
4273 VERIFY_PERMISSION (OPT_P_GENERAL);
4274 options->dev_type = p[1];
4275 }
4276 else if (streq (p[0], "dev-node") && p[1])
4277 {
4278 VERIFY_PERMISSION (OPT_P_GENERAL);
4279 options->dev_node = p[1];
4280 }
4281 else if (streq (p[0], "lladdr") && p[1])
4282 {
4283 VERIFY_PERMISSION (OPT_P_UP);
4284 if (mac_addr_safe (p[1])) /* MAC address only */
4285 options->lladdr = p[1];
4286 else
4287 {
4288 msg (msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
4289 goto err;
4290 }
4291 }
4292 else if (streq (p[0], "topology") && p[1])
4293 {
4294 VERIFY_PERMISSION (OPT_P_UP);
4295 options->topology = parse_topology (p[1], msglevel);
4296 }
4297 else if (streq (p[0], "tun-ipv6"))
4298 {
4299 VERIFY_PERMISSION (OPT_P_UP);
4300 options->tun_ipv6 = true;
4301 }
4302 #ifdef ENABLE_IPROUTE
4303 else if (streq (p[0], "iproute") && p[1])
4304 {
4305 VERIFY_PERMISSION (OPT_P_GENERAL);
4306 iproute_path = p[1];
4307 }
4308 #endif
4309 else if (streq (p[0], "ifconfig") && p[1] && p[2])
4310 {
4311 VERIFY_PERMISSION (OPT_P_UP);
4312 if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
4313 {
4314 options->ifconfig_local = p[1];
4315 options->ifconfig_remote_netmask = p[2];
4316 }
4317 else
4318 {
4319 msg (msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
4320 goto err;
4321 }
4322 }
4323 else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] )
4324 {
4325 unsigned int netbits;
4326 char * ipv6_local;
4327
4328 VERIFY_PERMISSION (OPT_P_UP);
4329 if ( get_ipv6_addr( p[1], NULL, &netbits, &ipv6_local, msglevel ) &&
4330 ipv6_addr_safe( p[2] ) )
4331 {
4332 if ( netbits < 64 || netbits > 124 )
4333 {
4334 msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
4335 goto err;
4336 }
4337
4338 if (options->ifconfig_ipv6_local)
4339 /* explicitly ignoring this is a const char */
4340 free ((char *) options->ifconfig_ipv6_local);
4341
4342 options->ifconfig_ipv6_local = ipv6_local;
4343 options->ifconfig_ipv6_netbits = netbits;
4344 options->ifconfig_ipv6_remote = p[2];
4345 }
4346 else
4347 {
4348 msg (msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
4349 goto err;
4350 }
4351 }
4352 else if (streq (p[0], "ifconfig-noexec"))
4353 {
4354 VERIFY_PERMISSION (OPT_P_UP);
4355 options->ifconfig_noexec = true;
4356 }
4357 else if (streq (p[0], "ifconfig-nowarn"))
4358 {
4359 VERIFY_PERMISSION (OPT_P_UP);
4360 options->ifconfig_nowarn = true;
4361 }
4362 else if (streq (p[0], "local") && p[1])
4363 {
4364 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4365 options->ce.local = p[1];
4366 }
4367 else if (streq (p[0], "remote-random"))
4368 {
4369 VERIFY_PERMISSION (OPT_P_GENERAL);
4370 options->remote_random = true;
4371 }
4372 else if (streq (p[0], "connection") && p[1])
4373 {
4374 VERIFY_PERMISSION (OPT_P_GENERAL);
4375 if (streq (p[1], INLINE_FILE_TAG) && p[2])
4376 {
4377 struct options sub;
4378 struct connection_entry *e;
4379
4380 init_options (&sub, true);
4381 sub.ce = options->ce;
4382 read_config_string ("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es);
4383 if (!sub.ce.remote)
4384 {
4385 msg (msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
4386 goto err;
4387 }
4388
4389 e = alloc_connection_entry (options, msglevel);
4390 if (!e)
4391 goto err;
4392 *e = sub.ce;
4393 gc_transfer (&options->gc, &sub.gc);
4394 uninit_options (&sub);
4395 }
4396 }
4397 else if (streq (p[0], "remote-ip-hint") && p[1])
4398 {
4399 VERIFY_PERMISSION (OPT_P_GENERAL);
4400 options->remote_ip_hint = p[1];
4401 }
4402 #if HTTP_PROXY_OVERRIDE
4403 else if (streq (p[0], "http-proxy-override") && p[1] && p[2])
4404 {
4405 VERIFY_PERMISSION (OPT_P_GENERAL);
4406 options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
4407 if (!options->http_proxy_override)
4408 goto err;
4409 options->force_connection_list = true;
4410 }
4411 #endif
4412 else if (streq (p[0], "remote") && p[1])
4413 {
4414 struct remote_entry re;
4415 re.remote = NULL;
4416 re.remote_port = re.proto = -1;
4417
4418 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4419 re.remote = p[1];
4420 if (p[2])
4421 {
4422 const int port = atoi (p[2]);
4423 if (!legal_ipv4_port (port))
4424 {
4425 msg (msglevel, "remote: port number associated with host %s is out of range", p[1]);
4426 goto err;
4427 }
4428 re.remote_port = port;
4429 if (p[3])
4430 {
4431 const int proto = ascii2proto (p[3]);
4432 if (proto < 0)
4433 {
4434 msg (msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
4435 goto err;
4436 }
4437 re.proto = proto;
4438 }
4439 }
4440 if (permission_mask & OPT_P_GENERAL)
4441 {
4442 struct remote_entry *e = alloc_remote_entry (options, msglevel);
4443 if (!e)
4444 goto err;
4445 *e = re;
4446 }
4447 else if (permission_mask & OPT_P_CONNECTION)
4448 {
4449 connection_entry_load_re (&options->ce, &re);
4450 }
4451 }
4452 else if (streq (p[0], "resolv-retry") && p[1])
4453 {
4454 VERIFY_PERMISSION (OPT_P_GENERAL);
4455 if (streq (p[1], "infinite"))
4456 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
4457 else
4458 options->resolve_retry_seconds = positive_atoi (p[1]);
4459 }
4460 else if (streq (p[0], "connect-retry") && p[1])
4461 {
4462 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4463 options->ce.connect_retry_seconds = positive_atoi (p[1]);
4464 options->ce.connect_retry_defined = true;
4465 }
4466 else if (streq (p[0], "connect-timeout") && p[1])
4467 {
4468 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4469 options->ce.connect_timeout = positive_atoi (p[1]);
4470 options->ce.connect_timeout_defined = true;
4471 }
4472 else if (streq (p[0], "connect-retry-max") && p[1])
4473 {
4474 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4475 options->ce.connect_retry_max = positive_atoi (p[1]);
4476 }
4477 else if (streq (p[0], "ipchange") && p[1])
4478 {
4479 VERIFY_PERMISSION (OPT_P_SCRIPT);
4480 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4481 goto err;
4482 set_user_script (options,
4483 &options->ipchange,
4484 string_substitute (p[1], ',', ' ', &options->gc),
4485 "ipchange");
4486 }
4487 else if (streq (p[0], "float"))
4488 {
4489 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4490 options->ce.remote_float = true;
4491 }
4492 #ifdef ENABLE_DEBUG
4493 else if (streq (p[0], "gremlin") && p[1])
4494 {
4495 VERIFY_PERMISSION (OPT_P_GENERAL);
4496 options->gremlin = positive_atoi (p[1]);
4497 }
4498 #endif
4499 else if (streq (p[0], "chroot") && p[1])
4500 {
4501 VERIFY_PERMISSION (OPT_P_GENERAL);
4502 options->chroot_dir = p[1];
4503 }
4504 else if (streq (p[0], "cd") && p[1])
4505 {
4506 VERIFY_PERMISSION (OPT_P_GENERAL);
4507 if (platform_chdir (p[1]))
4508 {
4509 msg (M_ERR, "cd to '%s' failed", p[1]);
4510 goto err;
4511 }
4512 options->cd_dir = p[1];
4513 }
4514 #ifdef ENABLE_SELINUX
4515 else if (streq (p[0], "setcon") && p[1])
4516 {
4517 VERIFY_PERMISSION (OPT_P_GENERAL);
4518 options->selinux_context = p[1];
4519 }
4520 #endif
4521 else if (streq (p[0], "writepid") && p[1])
4522 {
4523 VERIFY_PERMISSION (OPT_P_GENERAL);
4524 options->writepid = p[1];
4525 }
4526 else if (streq (p[0], "up") && p[1])
4527 {
4528 VERIFY_PERMISSION (OPT_P_SCRIPT);
4529 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4530 goto err;
4531 set_user_script (options, &options->up_script, p[1], "up");
4532 }
4533 else if (streq (p[0], "down") && p[1])
4534 {
4535 VERIFY_PERMISSION (OPT_P_SCRIPT);
4536 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4537 goto err;
4538 set_user_script (options, &options->down_script, p[1], "down");
4539 }
4540 else if (streq (p[0], "down-pre"))
4541 {
4542 VERIFY_PERMISSION (OPT_P_GENERAL);
4543 options->down_pre = true;
4544 }
4545 else if (streq (p[0], "up-delay"))
4546 {
4547 VERIFY_PERMISSION (OPT_P_GENERAL);
4548 options->up_delay = true;
4549 }
4550 else if (streq (p[0], "up-restart"))
4551 {
4552 VERIFY_PERMISSION (OPT_P_GENERAL);
4553 options->up_restart = true;
4554 }
4555 else if (streq (p[0], "syslog"))
4556 {
4557 VERIFY_PERMISSION (OPT_P_GENERAL);
4558 open_syslog (p[1], false);
4559 }
4560 else if (streq (p[0], "daemon"))
4561 {
4562 bool didit = false;
4563 VERIFY_PERMISSION (OPT_P_GENERAL);
4564 if (!options->daemon)
4565 {
4566 options->daemon = didit = true;
4567 open_syslog (p[1], false);
4568 }
4569 if (p[1])
4570 {
4571 if (!didit)
4572 {
4573 msg (M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
4574 goto err;
4575 }
4576 }
4577 }
4578 else if (streq (p[0], "inetd"))
4579 {
4580 VERIFY_PERMISSION (OPT_P_GENERAL);
4581 if (!options->inetd)
4582 {
4583 int z;
4584 const char *name = NULL;
4585 const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
4586
4587 options->inetd = -1;
4588
4589 for (z = 1; z <= 2; ++z)
4590 {
4591 if (p[z])
4592 {
4593 if (streq (p[z], "wait"))
4594 {
4595 if (options->inetd != -1)
4596 {
4597 msg (msglevel, "%s", opterr);
4598 goto err;
4599 }
4600 else
4601 options->inetd = INETD_WAIT;
4602 }
4603 else if (streq (p[z], "nowait"))
4604 {
4605 if (options->inetd != -1)
4606 {
4607 msg (msglevel, "%s", opterr);
4608 goto err;
4609 }
4610 else
4611 options->inetd = INETD_NOWAIT;
4612 }
4613 else
4614 {
4615 if (name != NULL)
4616 {
4617 msg (msglevel, "%s", opterr);
4618 goto err;
4619 }
4620 name = p[z];
4621 }
4622 }
4623 }
4624
4625 /* default */
4626 if (options->inetd == -1)
4627 options->inetd = INETD_WAIT;
4628
4629 save_inetd_socket_descriptor ();
4630 open_syslog (name, true);
4631 }
4632 }
4633 else if (streq (p[0], "log") && p[1])
4634 {
4635 VERIFY_PERMISSION (OPT_P_GENERAL);
4636 options->log = true;
4637 redirect_stdout_stderr (p[1], false);
4638 }
4639 else if (streq (p[0], "suppress-timestamps"))
4640 {
4641 VERIFY_PERMISSION (OPT_P_GENERAL);
4642 options->suppress_timestamps = true;
4643 set_suppress_timestamps(true);
4644 }
4645 else if (streq (p[0], "log-append") && p[1])
4646 {
4647 VERIFY_PERMISSION (OPT_P_GENERAL);
4648 options->log = true;
4649 redirect_stdout_stderr (p[1], true);
4650 }
4651 #ifdef ENABLE_MEMSTATS
4652 else if (streq (p[0], "memstats") && p[1])
4653 {
4654 VERIFY_PERMISSION (OPT_P_GENERAL);
4655 options->memstats_fn = p[1];
4656 }
4657 #endif
4658 else if (streq (p[0], "mlock"))
4659 {
4660 VERIFY_PERMISSION (OPT_P_GENERAL);
4661 options->mlock = true;
4662 }
4663 #if ENABLE_IP_PKTINFO
4664 else if (streq (p[0], "multihome"))
4665 {
4666 VERIFY_PERMISSION (OPT_P_GENERAL);
4667 options->sockflags |= SF_USE_IP_PKTINFO;
4668 }
4669 #endif
4670 else if (streq (p[0], "verb") && p[1])
4671 {
4672 VERIFY_PERMISSION (OPT_P_MESSAGES);
4673 options->verbosity = positive_atoi (p[1]);
4674 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
4675 /* Warn when a debug verbosity is supplied when built without debug support */
4676 if (options->verbosity >= 7)
4677 msg (M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
4678 options->verbosity);
4679 #endif
4680 }
4681 else if (streq (p[0], "mute") && p[1])
4682 {
4683 VERIFY_PERMISSION (OPT_P_MESSAGES);
4684 options->mute = positive_atoi (p[1]);
4685 }
4686 else if (streq (p[0], "errors-to-stderr"))
4687 {
4688 VERIFY_PERMISSION (OPT_P_MESSAGES);
4689 errors_to_stderr();
4690 }
4691 else if (streq (p[0], "status") && p[1])
4692 {
4693 VERIFY_PERMISSION (OPT_P_GENERAL);
4694 options->status_file = p[1];
4695 if (p[2])
4696 {
4697 options->status_file_update_freq = positive_atoi (p[2]);
4698 }
4699 }
4700 else if (streq (p[0], "status-version") && p[1])
4701 {
4702 int version;
4703
4704 VERIFY_PERMISSION (OPT_P_GENERAL);
4705 version = atoi (p[1]);
4706 if (version < 1 || version > 3)
4707 {
4708 msg (msglevel, "--status-version must be 1 to 3");
4709 goto err;
4710 }
4711 options->status_file_version = version;
4712 }
4713 else if (streq (p[0], "remap-usr1") && p[1])
4714 {
4715 VERIFY_PERMISSION (OPT_P_GENERAL);
4716 if (streq (p[1], "SIGHUP"))
4717 options->remap_sigusr1 = SIGHUP;
4718 else if (streq (p[1], "SIGTERM"))
4719 options->remap_sigusr1 = SIGTERM;
4720 else
4721 {
4722 msg (msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
4723 goto err;
4724 }
4725 }
4726 else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1])
4727 {
4728 VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
4729 options->ce.link_mtu = positive_atoi (p[1]);
4730 options->ce.link_mtu_defined = true;
4731 }
4732 else if (streq (p[0], "tun-mtu") && p[1])
4733 {
4734 VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
4735 options->ce.tun_mtu = positive_atoi (p[1]);
4736 options->ce.tun_mtu_defined = true;
4737 }
4738 else if (streq (p[0], "tun-mtu-extra") && p[1])
4739 {
4740 VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
4741 options->ce.tun_mtu_extra = positive_atoi (p[1]);
4742 options->ce.tun_mtu_extra_defined = true;
4743 }
4744 #ifdef ENABLE_FRAGMENT
4745 else if (streq (p[0], "mtu-dynamic"))
4746 {
4747 VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
4748 msg (msglevel, "--mtu-dynamic has been replaced by --fragment");
4749 goto err;
4750 }
4751 else if (streq (p[0], "fragment") && p[1])
4752 {
4753 /* VERIFY_PERMISSION (OPT_P_MTU); */
4754 VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
4755 options->ce.fragment = positive_atoi (p[1]);
4756 }
4757 #endif
4758 else if (streq (p[0], "mtu-disc") && p[1])
4759 {
4760 VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
4761 options->ce.mtu_discover_type = translate_mtu_discover_type_name (p[1]);
4762 }
4763 #ifdef ENABLE_OCC
4764 else if (streq (p[0], "mtu-test"))
4765 {
4766 VERIFY_PERMISSION (OPT_P_GENERAL);
4767 options->mtu_test = true;
4768 }
4769 #endif
4770 else if (streq (p[0], "nice") && p[1])
4771 {
4772 VERIFY_PERMISSION (OPT_P_NICE);
4773 options->nice = atoi (p[1]);
4774 }
4775 else if (streq (p[0], "rcvbuf") && p[1])
4776 {
4777 VERIFY_PERMISSION (OPT_P_SOCKBUF);
4778 options->rcvbuf = positive_atoi (p[1]);
4779 }
4780 else if (streq (p[0], "sndbuf") && p[1])
4781 {
4782 VERIFY_PERMISSION (OPT_P_SOCKBUF);
4783 options->sndbuf = positive_atoi (p[1]);
4784 }
4785 else if (streq (p[0], "mark") && p[1])
4786 {
4787 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
4788 VERIFY_PERMISSION (OPT_P_GENERAL);
4789 options->mark = atoi(p[1]);
4790 #endif
4791 }
4792 else if (streq (p[0], "socket-flags"))
4793 {
4794 int j;
4795 VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
4796 for (j = 1; j < MAX_PARMS && p[j]; ++j)
4797 {
4798 if (streq (p[j], "TCP_NODELAY"))
4799 options->sockflags |= SF_TCP_NODELAY;
4800 else
4801 msg (msglevel, "unknown socket flag: %s", p[j]);
4802 }
4803 }
4804 else if (streq (p[0], "txqueuelen") && p[1])
4805 {
4806 VERIFY_PERMISSION (OPT_P_GENERAL);
4807 #ifdef TARGET_LINUX
4808 options->tuntap_options.txqueuelen = positive_atoi (p[1]);
4809 #else
4810 msg (msglevel, "--txqueuelen not supported on this OS");
4811 goto err;
4812 #endif
4813 }
4814 else if (streq (p[0], "shaper") && p[1])
4815 {
4816 #ifdef ENABLE_FEATURE_SHAPER
4817 int shaper;
4818
4819 VERIFY_PERMISSION (OPT_P_SHAPER);
4820 shaper = atoi (p[1]);
4821 if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
4822 {
4823 msg (msglevel, "Bad shaper value, must be between %d and %d",
4824 SHAPER_MIN, SHAPER_MAX);
4825 goto err;
4826 }
4827 options->shaper = shaper;
4828 #else /* ENABLE_FEATURE_SHAPER */
4829 VERIFY_PERMISSION (OPT_P_GENERAL);
4830 msg (msglevel, "--shaper requires the gettimeofday() function which is missing");
4831 goto err;
4832 #endif /* ENABLE_FEATURE_SHAPER */
4833 }
4834 else if (streq (p[0], "port") && p[1])
4835 {
4836 int port;
4837
4838 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4839 port = atoi (p[1]);
4840 if (!legal_ipv4_port (port))
4841 {
4842 msg (msglevel, "Bad port number: %s", p[1]);
4843 goto err;
4844 }
4845 options->ce.local_port = options->ce.remote_port = port;
4846 }
4847 else if (streq (p[0], "lport") && p[1])
4848 {
4849 int port;
4850
4851 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4852 port = atoi (p[1]);
4853 if ((port != 0) && !legal_ipv4_port (port))
4854 {
4855 msg (msglevel, "Bad local port number: %s", p[1]);
4856 goto err;
4857 }
4858 options->ce.local_port_defined = true;
4859 options->ce.local_port = port;
4860 }
4861 else if (streq (p[0], "rport") && p[1])
4862 {
4863 int port;
4864
4865 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4866 port = atoi (p[1]);
4867 if (!legal_ipv4_port (port))
4868 {
4869 msg (msglevel, "Bad remote port number: %s", p[1]);
4870 goto err;
4871 }
4872 options->ce.remote_port = port;
4873 }
4874 else if (streq (p[0], "bind"))
4875 {
4876 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4877 options->ce.bind_defined = true;
4878 }
4879 else if (streq (p[0], "nobind"))
4880 {
4881 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4882 options->ce.bind_local = false;
4883 }
4884 else if (streq (p[0], "fast-io"))
4885 {
4886 VERIFY_PERMISSION (OPT_P_GENERAL);
4887 options->fast_io = true;
4888 }
4889 else if (streq (p[0], "inactive") && p[1])
4890 {
4891 VERIFY_PERMISSION (OPT_P_TIMER);
4892 options->inactivity_timeout = positive_atoi (p[1]);
4893 if (p[2])
4894 options->inactivity_minimum_bytes = positive_atoi (p[2]);
4895 }
4896 else if (streq (p[0], "proto") && p[1])
4897 {
4898 int proto;
4899 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4900 proto = ascii2proto (p[1]);
4901 if (proto < 0)
4902 {
4903 msg (msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
4904 p[1],
4905 proto2ascii_all (&gc));
4906 goto err;
4907 }
4908 options->ce.proto = proto;
4909 }
4910 else if (streq (p[0], "proto-force") && p[1])
4911 {
4912 int proto_force;
4913 VERIFY_PERMISSION (OPT_P_GENERAL);
4914 proto_force = ascii2proto (p[1]);
4915 if (proto_force < 0)
4916 {
4917 msg (msglevel, "Bad --proto-force protocol: '%s'", p[1]);
4918 goto err;
4919 }
4920 options->proto_force = proto_force;
4921 options->force_connection_list = true;
4922 }
4923 #ifdef ENABLE_HTTP_PROXY
4924 else if (streq (p[0], "http-proxy") && p[1])
4925 {
4926 struct http_proxy_options *ho;
4927
4928 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4929
4930 {
4931 int port;
4932 if (!p[2])
4933 {
4934 msg (msglevel, "http-proxy port number not defined");
4935 goto err;
4936 }
4937 port = atoi (p[2]);
4938 if (!legal_ipv4_port (port))
4939 {
4940 msg (msglevel, "Bad http-proxy port number: %s", p[2]);
4941 goto err;
4942 }
4943
4944 ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
4945
4946 ho->server = p[1];
4947 ho->port = port;
4948 }
4949
4950 if (p[3])
4951 {
4952 /* auto -- try to figure out proxy addr, port, and type automatically */
4953 /* semiauto -- given proxy addr:port, try to figure out type automatically */
4954 /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
4955 if (streq (p[3], "auto"))
4956 ho->auth_retry = PAR_ALL;
4957 else if (streq (p[3], "auto-nct"))
4958 ho->auth_retry = PAR_NCT;
4959 else
4960 {
4961 ho->auth_method_string = "basic";
4962 ho->auth_file = p[3];
4963
4964 if (p[4])
4965 {
4966 ho->auth_method_string = p[4];
4967 }
4968 }
4969 }
4970 else
4971 {
4972 ho->auth_method_string = "none";
4973 }
4974 }
4975 else if (streq (p[0], "http-proxy-retry"))
4976 {
4977 struct http_proxy_options *ho;
4978 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4979 ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
4980 ho->retry = true;
4981 }
4982 else if (streq (p[0], "http-proxy-timeout") && p[1])
4983 {
4984 struct http_proxy_options *ho;
4985
4986 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4987 ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
4988 ho->timeout = positive_atoi (p[1]);
4989 }
4990 else if (streq (p[0], "http-proxy-option") && p[1])
4991 {
4992 struct http_proxy_options *ho;
4993
4994 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4995 ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
4996
4997 if (streq (p[1], "VERSION") && p[2])
4998 {
4999 ho->http_version = p[2];
5000 }
5001 else if (streq (p[1], "AGENT") && p[2])
5002 {
5003 ho->user_agent = p[2];
5004 }
5005 else
5006 {
5007 msg (msglevel, "Bad http-proxy-option or missing parameter: '%s'", p[1]);
5008 }
5009 }
5010 #endif
5011 #ifdef ENABLE_SOCKS
5012 else if (streq (p[0], "socks-proxy") && p[1])
5013 {
5014 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
5015
5016 if (p[2])
5017 {
5018 int port;
5019 port = atoi (p[2]);
5020 if (!legal_ipv4_port (port))
5021 {
5022 msg (msglevel, "Bad socks-proxy port number: %s", p[2]);
5023 goto err;
5024 }
5025 options->ce.socks_proxy_port = port;
5026 }
5027 else
5028 {
5029 options->ce.socks_proxy_port = 1080;
5030 }
5031 options->ce.socks_proxy_server = p[1];
5032 options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
5033 }
5034 else if (streq (p[0], "socks-proxy-retry"))
5035 {
5036 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
5037 options->ce.socks_proxy_retry = true;
5038 }
5039 #endif
5040 else if (streq (p[0], "keepalive") && p[1] && p[2])
5041 {
5042 VERIFY_PERMISSION (OPT_P_GENERAL);
5043 options->keepalive_ping = atoi (p[1]);
5044 options->keepalive_timeout = atoi (p[2]);
5045 }
5046 else if (streq (p[0], "ping") && p[1])
5047 {
5048 VERIFY_PERMISSION (OPT_P_TIMER);
5049 options->ping_send_timeout = positive_atoi (p[1]);
5050 }
5051 else if (streq (p[0], "ping-exit") && p[1])
5052 {
5053 VERIFY_PERMISSION (OPT_P_TIMER);
5054 options->ping_rec_timeout = positive_atoi (p[1]);
5055 options->ping_rec_timeout_action = PING_EXIT;
5056 }
5057 else if (streq (p[0], "ping-restart") && p[1])
5058 {
5059 VERIFY_PERMISSION (OPT_P_TIMER);
5060 options->ping_rec_timeout = positive_atoi (p[1]);
5061 options->ping_rec_timeout_action = PING_RESTART;
5062 }
5063 else if (streq (p[0], "ping-timer-rem"))
5064 {
5065 VERIFY_PERMISSION (OPT_P_TIMER);
5066 options->ping_timer_remote = true;
5067 }
5068 #ifdef ENABLE_OCC
5069 else if (streq (p[0], "explicit-exit-notify"))
5070 {
5071 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
5072 if (p[1])
5073 {
5074 options->ce.explicit_exit_notification = positive_atoi (p[1]);
5075 }
5076 else
5077 {
5078 options->ce.explicit_exit_notification = 1;
5079 }
5080 }
5081 #endif
5082 else if (streq (p[0], "persist-tun"))
5083 {
5084 VERIFY_PERMISSION (OPT_P_PERSIST);
5085 options->persist_tun = true;
5086 }
5087 else if (streq (p[0], "persist-key"))
5088 {
5089 VERIFY_PERMISSION (OPT_P_PERSIST);
5090 options->persist_key = true;
5091 }
5092 else if (streq (p[0], "persist-local-ip"))
5093 {
5094 VERIFY_PERMISSION (OPT_P_PERSIST_IP);
5095 options->persist_local_ip = true;
5096 }
5097 else if (streq (p[0], "persist-remote-ip"))
5098 {
5099 VERIFY_PERMISSION (OPT_P_PERSIST_IP);
5100 options->persist_remote_ip = true;
5101 }
5102 #ifdef ENABLE_CLIENT_NAT
5103 else if (streq (p[0], "client-nat") && p[1] && p[2] && p[3] && p[4])
5104 {
5105 VERIFY_PERMISSION (OPT_P_ROUTE);
5106 cnol_check_alloc (options);
5107 add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
5108 }
5109 #endif
5110 else if (streq (p[0], "route") && p[1])
5111 {
5112 VERIFY_PERMISSION (OPT_P_ROUTE);
5113 rol_check_alloc (options);
5114 if (pull_mode)
5115 {
5116 if (!ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && !is_special_addr (p[1])) /* FQDN -- may be DNS name */
5117 {
5118 msg (msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
5119 goto err;
5120 }
5121 if (p[2] && !ip_addr_dotted_quad_safe (p[2])) /* FQDN -- must be IP address */
5122 {
5123 msg (msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
5124 goto err;
5125 }
5126 if (p[3] && !ip_or_dns_addr_safe (p[3], options->allow_pull_fqdn) && !is_special_addr (p[3])) /* FQDN -- may be DNS name */
5127 {
5128 msg (msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
5129 goto err;
5130 }
5131 }
5132 add_route_to_option_list (options->routes, p[1], p[2], p[3], p[4]);
5133 }
5134 else if (streq (p[0], "route-ipv6") && p[1])
5135 {
5136 VERIFY_PERMISSION (OPT_P_ROUTE);
5137 rol6_check_alloc (options);
5138 if (pull_mode)
5139 {
5140 if (!ipv6_addr_safe_hexplusbits (p[1]))
5141 {
5142 msg (msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
5143 goto err;
5144 }
5145 if (p[2] && !ipv6_addr_safe (p[2]))
5146 {
5147 msg (msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
5148 goto err;
5149 }
5150 /* p[3] is metric, if present */
5151 }
5152 add_route_ipv6_to_option_list (options->routes_ipv6, p[1], p[2], p[3]);
5153 }
5154 else if (streq (p[0], "max-routes") && p[1])
5155 {
5156 int max_routes;
5157
5158 VERIFY_PERMISSION (OPT_P_GENERAL);
5159 max_routes = atoi (p[1]);
5160 if (max_routes < 0 || max_routes > 100000000)
5161 {
5162 msg (msglevel, "--max-routes parameter is out of range");
5163 goto err;
5164 }
5165 if (options->routes || options->routes_ipv6)
5166 {
5167 msg (msglevel, "--max-routes must to be specifed before any route/route-ipv6/redirect-gateway option");
5168 goto err;
5169 }
5170 options->max_routes = max_routes;
5171 }
5172 else if (streq (p[0], "route-gateway") && p[1])
5173 {
5174 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
5175 if (streq (p[1], "dhcp"))
5176 {
5177 options->route_gateway_via_dhcp = true;
5178 }
5179 else
5180 {
5181 if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */
5182 {
5183 options->route_default_gateway = p[1];
5184 }
5185 else
5186 {
5187 msg (msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
5188 goto err;
5189 }
5190 }
5191 }
5192 else if (streq (p[0], "route-metric") && p[1])
5193 {
5194 VERIFY_PERMISSION (OPT_P_ROUTE);
5195 options->route_default_metric = positive_atoi (p[1]);
5196 }
5197 else if (streq (p[0], "route-delay"))
5198 {
5199 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
5200 options->route_delay_defined = true;
5201 if (p[1])
5202 {
5203 options->route_delay = positive_atoi (p[1]);
5204 if (p[2])
5205 {
5206 options->route_delay_window = positive_atoi (p[2]);
5207 }
5208 }
5209 else
5210 {
5211 options->route_delay = 0;
5212 }
5213 }
5214 else if (streq (p[0], "route-up") && p[1])
5215 {
5216 VERIFY_PERMISSION (OPT_P_SCRIPT);
5217 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
5218 goto err;
5219 set_user_script (options, &options->route_script, p[1], "route-up");
5220 }
5221 else if (streq (p[0], "route-pre-down") && p[1])
5222 {
5223 VERIFY_PERMISSION (OPT_P_SCRIPT);
5224 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
5225 goto err;
5226 set_user_script (options,
5227 &options->route_predown_script,
5228 p[1],
5229 "route-pre-down");
5230 }
5231 else if (streq (p[0], "route-noexec"))
5232 {
5233 VERIFY_PERMISSION (OPT_P_SCRIPT);
5234 options->route_noexec = true;
5235 }
5236 else if (streq (p[0], "route-nopull"))
5237 {
5238 VERIFY_PERMISSION (OPT_P_GENERAL);
5239 options->route_nopull = true;
5240 }
5241 else if (streq (p[0], "allow-pull-fqdn"))
5242 {
5243 VERIFY_PERMISSION (OPT_P_GENERAL);
5244 options->allow_pull_fqdn = true;
5245 }
5246 else if (streq (p[0], "redirect-gateway") || streq (p[0], "redirect-private"))
5247 {
5248 int j;
5249 VERIFY_PERMISSION (OPT_P_ROUTE);
5250 rol_check_alloc (options);
5251 if (streq (p[0], "redirect-gateway"))
5252 options->routes->flags |= RG_REROUTE_GW;
5253 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5254 {
5255 if (streq (p[j], "local"))
5256 options->routes->flags |= RG_LOCAL;
5257 else if (streq (p[j], "autolocal"))
5258 options->routes->flags |= RG_AUTO_LOCAL;
5259 else if (streq (p[j], "def1"))
5260 options->routes->flags |= RG_DEF1;
5261 else if (streq (p[j], "bypass-dhcp"))
5262 options->routes->flags |= RG_BYPASS_DHCP;
5263 else if (streq (p[j], "bypass-dns"))
5264 options->routes->flags |= RG_BYPASS_DNS;
5265 else if (streq (p[j], "block-local"))
5266 options->routes->flags |= RG_BLOCK_LOCAL;
5267 else
5268 {
5269 msg (msglevel, "unknown --%s flag: %s", p[0], p[j]);
5270 goto err;
5271 }
5272 }
5273 options->routes->flags |= RG_ENABLE;
5274 }
5275 else if (streq (p[0], "remote-random-hostname"))
5276 {
5277 VERIFY_PERMISSION (OPT_P_GENERAL);
5278 options->sockflags |= SF_HOST_RANDOMIZE;
5279 }
5280 else if (streq (p[0], "setenv") && p[1])
5281 {
5282 VERIFY_PERMISSION (OPT_P_GENERAL);
5283 if (streq (p[1], "REMOTE_RANDOM_HOSTNAME"))
5284 {
5285 options->sockflags |= SF_HOST_RANDOMIZE;
5286 }
5287 else if (streq (p[1], "GENERIC_CONFIG"))
5288 {
5289 msg (msglevel, "this is a generic configuration and cannot directly be used");
5290 goto err;
5291 }
5292 #ifdef ENABLE_PUSH_PEER_INFO
5293 else if (streq (p[1], "PUSH_PEER_INFO"))
5294 {
5295 options->push_peer_info = true;
5296 }
5297 #endif
5298 #if P2MP
5299 else if (streq (p[1], "SERVER_POLL_TIMEOUT") && p[2])
5300 {
5301 options->server_poll_timeout = positive_atoi(p[2]);
5302 }
5303 #endif
5304 else
5305 {
5306 if (streq (p[1], "FORWARD_COMPATIBLE") && p[2] && streq (p[2], "1"))
5307 {
5308 options->forward_compatible = true;
5309 msglevel_fc = msglevel_forward_compatible (options, msglevel);
5310 }
5311 setenv_str (es, p[1], p[2] ? p[2] : "");
5312 }
5313 }
5314 else if (streq (p[0], "setenv-safe") && p[1])
5315 {
5316 VERIFY_PERMISSION (OPT_P_SETENV);
5317 setenv_str_safe (es, p[1], p[2] ? p[2] : "");
5318 }
5319 else if (streq (p[0], "script-security") && p[1])
5320 {
5321 VERIFY_PERMISSION (OPT_P_GENERAL);
5322 script_security = atoi (p[1]);
5323 }
5324 else if (streq (p[0], "mssfix"))
5325 {
5326 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
5327 if (p[1])
5328 {
5329 options->ce.mssfix = positive_atoi (p[1]);
5330 }
5331 else
5332 options->ce.mssfix_default = true;
5333
5334 }
5335 #ifdef ENABLE_OCC
5336 else if (streq (p[0], "disable-occ"))
5337 {
5338 VERIFY_PERMISSION (OPT_P_GENERAL);
5339 options->occ = false;
5340 }
5341 #endif
5342 #if P2MP
5343 #if P2MP_SERVER
5344 else if (streq (p[0], "server") && p[1] && p[2])
5345 {
5346 const int lev = M_WARN;
5347 bool error = false;
5348 in_addr_t network, netmask;
5349
5350 VERIFY_PERMISSION (OPT_P_GENERAL);
5351 network = get_ip_addr (p[1], lev, &error);
5352 netmask = get_ip_addr (p[2], lev, &error);
5353 if (error || !network || !netmask)
5354 {
5355 msg (msglevel, "error parsing --server parameters");
5356 goto err;
5357 }
5358 options->server_defined = true;
5359 options->server_network = network;
5360 options->server_netmask = netmask;
5361
5362 if (p[3])
5363 {
5364 if (streq (p[3], "nopool"))
5365 options->server_flags |= SF_NOPOOL;
5366 else
5367 {
5368 msg (msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
5369 goto err;
5370 }
5371 }
5372 }
5373 else if (streq (p[0], "server-ipv6") && p[1] )
5374 {
5375 const int lev = M_WARN;
5376 struct in6_addr network;
5377 unsigned int netbits = 0;
5378
5379 VERIFY_PERMISSION (OPT_P_GENERAL);
5380 if ( ! get_ipv6_addr (p[1], &network, &netbits, NULL, lev) )
5381 {
5382 msg (msglevel, "error parsing --server-ipv6 parameter");
5383 goto err;
5384 }
5385 if ( netbits < 64 || netbits > 112 )
5386 {
5387 msg( msglevel, "--server-ipv6 settings: only /64../112 supported right now (not /%d)", netbits );
5388 goto err;
5389 }
5390 options->server_ipv6_defined = true;
5391 options->server_network_ipv6 = network;
5392 options->server_netbits_ipv6 = netbits;
5393
5394 if (p[2]) /* no "nopool" options or similar for IPv6 */
5395 {
5396 msg (msglevel, "error parsing --server-ipv6: %s is not a recognized flag", p[3]);
5397 goto err;
5398 }
5399 }
5400 else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4])
5401 {
5402 const int lev = M_WARN;
5403 bool error = false;
5404 in_addr_t ip, netmask, pool_start, pool_end;
5405
5406 VERIFY_PERMISSION (OPT_P_GENERAL);
5407 ip = get_ip_addr (p[1], lev, &error);
5408 netmask = get_ip_addr (p[2], lev, &error);
5409 pool_start = get_ip_addr (p[3], lev, &error);
5410 pool_end = get_ip_addr (p[4], lev, &error);
5411 if (error || !ip || !netmask || !pool_start || !pool_end)
5412 {
5413 msg (msglevel, "error parsing --server-bridge parameters");
5414 goto err;
5415 }
5416 options->server_bridge_defined = true;
5417 options->server_bridge_ip = ip;
5418 options->server_bridge_netmask = netmask;
5419 options->server_bridge_pool_start = pool_start;
5420 options->server_bridge_pool_end = pool_end;
5421 }
5422 else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw"))
5423 {
5424 VERIFY_PERMISSION (OPT_P_GENERAL);
5425 options->server_bridge_proxy_dhcp = true;
5426 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
5427 }
5428 else if (streq (p[0], "server-bridge") && !p[1])
5429 {
5430 VERIFY_PERMISSION (OPT_P_GENERAL);
5431 options->server_bridge_proxy_dhcp = true;
5432 }
5433 else if (streq (p[0], "push") && p[1])
5434 {
5435 VERIFY_PERMISSION (OPT_P_PUSH);
5436 push_options (options, &p[1], msglevel, &options->gc);
5437 }
5438 else if (streq (p[0], "push-reset"))
5439 {
5440 VERIFY_PERMISSION (OPT_P_INSTANCE);
5441 push_reset (options);
5442 }
5443 else if (streq (p[0], "ifconfig-pool") && p[1] && p[2])
5444 {
5445 const int lev = M_WARN;
5446 bool error = false;
5447 in_addr_t start, end, netmask=0;
5448
5449 VERIFY_PERMISSION (OPT_P_GENERAL);
5450 start = get_ip_addr (p[1], lev, &error);
5451 end = get_ip_addr (p[2], lev, &error);
5452 if (p[3])
5453 {
5454 netmask = get_ip_addr (p[3], lev, &error);
5455 }
5456 if (error)
5457 {
5458 msg (msglevel, "error parsing --ifconfig-pool parameters");
5459 goto err;
5460 }
5461 if (!ifconfig_pool_verify_range (msglevel, start, end))
5462 goto err;
5463
5464 options->ifconfig_pool_defined = true;
5465 options->ifconfig_pool_start = start;
5466 options->ifconfig_pool_end = end;
5467 if (netmask)
5468 options->ifconfig_pool_netmask = netmask;
5469 }
5470 else if (streq (p[0], "ifconfig-pool-persist") && p[1])
5471 {
5472 VERIFY_PERMISSION (OPT_P_GENERAL);
5473 options->ifconfig_pool_persist_filename = p[1];
5474 if (p[2])
5475 {
5476 options->ifconfig_pool_persist_refresh_freq = positive_atoi (p[2]);
5477 }
5478 }
5479 else if (streq (p[0], "ifconfig-pool-linear"))
5480 {
5481 VERIFY_PERMISSION (OPT_P_GENERAL);
5482 options->topology = TOP_P2P;
5483 }
5484 else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] )
5485 {
5486 const int lev = M_WARN;
5487 struct in6_addr network;
5488 unsigned int netbits = 0;
5489
5490 VERIFY_PERMISSION (OPT_P_GENERAL);
5491 if ( ! get_ipv6_addr (p[1], &network, &netbits, NULL, lev ) )
5492 {
5493 msg (msglevel, "error parsing --ifconfig-ipv6-pool parameters");
5494 goto err;
5495 }
5496 if ( netbits < 64 || netbits > 112 )
5497 {
5498 msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits );
5499 goto err;
5500 }
5501
5502 options->ifconfig_ipv6_pool_defined = true;
5503 options->ifconfig_ipv6_pool_base = network;
5504 options->ifconfig_ipv6_pool_netbits = netbits;
5505 }
5506 else if (streq (p[0], "hash-size") && p[1] && p[2])
5507 {
5508 int real, virtual;
5509
5510 VERIFY_PERMISSION (OPT_P_GENERAL);
5511 real = atoi (p[1]);
5512 virtual = atoi (p[2]);
5513 if (real < 1 || virtual < 1)
5514 {
5515 msg (msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
5516 goto err;
5517 }
5518 options->real_hash_size = real;
5519 options->virtual_hash_size = real;
5520 }
5521 else if (streq (p[0], "connect-freq") && p[1] && p[2])
5522 {
5523 int cf_max, cf_per;
5524
5525 VERIFY_PERMISSION (OPT_P_GENERAL);
5526 cf_max = atoi (p[1]);
5527 cf_per = atoi (p[2]);
5528 if (cf_max < 0 || cf_per < 0)
5529 {
5530 msg (msglevel, "--connect-freq parms must be > 0");
5531 goto err;
5532 }
5533 options->cf_max = cf_max;
5534 options->cf_per = cf_per;
5535 }
5536 else if (streq (p[0], "max-clients") && p[1])
5537 {
5538 int max_clients;
5539
5540 VERIFY_PERMISSION (OPT_P_GENERAL);
5541 max_clients = atoi (p[1]);
5542 if (max_clients < 0)
5543 {
5544 msg (msglevel, "--max-clients must be at least 1");
5545 goto err;
5546 }
5547 options->max_clients = max_clients;
5548 }
5549 else if (streq (p[0], "max-routes-per-client") && p[1])
5550 {
5551 VERIFY_PERMISSION (OPT_P_INHERIT);
5552 options->max_routes_per_client = max_int (atoi (p[1]), 1);
5553 }
5554 else if (streq (p[0], "client-cert-not-required"))
5555 {
5556 VERIFY_PERMISSION (OPT_P_GENERAL);
5557 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
5558 }
5559 else if (streq (p[0], "username-as-common-name"))
5560 {
5561 VERIFY_PERMISSION (OPT_P_GENERAL);
5562 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
5563 }
5564 else if (streq (p[0], "auth-user-pass-optional"))
5565 {
5566 VERIFY_PERMISSION (OPT_P_GENERAL);
5567 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
5568 }
5569 else if (streq (p[0], "opt-verify"))
5570 {
5571 VERIFY_PERMISSION (OPT_P_GENERAL);
5572 options->ssl_flags |= SSLF_OPT_VERIFY;
5573 }
5574 else if (streq (p[0], "auth-user-pass-verify") && p[1])
5575 {
5576 VERIFY_PERMISSION (OPT_P_SCRIPT);
5577 if (!no_more_than_n_args (msglevel, p, 3, NM_QUOTE_HINT))
5578 goto err;
5579 if (p[2])
5580 {
5581 if (streq (p[2], "via-env"))
5582 options->auth_user_pass_verify_script_via_file = false;
5583 else if (streq (p[2], "via-file"))
5584 options->auth_user_pass_verify_script_via_file = true;
5585 else
5586 {
5587 msg (msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
5588 goto err;
5589 }
5590 }
5591 else
5592 {
5593 msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
5594 goto err;
5595 }
5596 set_user_script (options,
5597 &options->auth_user_pass_verify_script,
5598 p[1], "auth-user-pass-verify");
5599 }
5600 else if (streq (p[0], "client-connect") && p[1])
5601 {
5602 VERIFY_PERMISSION (OPT_P_SCRIPT);
5603 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
5604 goto err;
5605 set_user_script (options, &options->client_connect_script,
5606 p[1], "client-connect");
5607 }
5608 else if (streq (p[0], "client-disconnect") && p[1])
5609 {
5610 VERIFY_PERMISSION (OPT_P_SCRIPT);
5611 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
5612 goto err;
5613 set_user_script (options, &options->client_disconnect_script,
5614 p[1], "client-disconnect");
5615 }
5616 else if (streq (p[0], "learn-address") && p[1])
5617 {
5618 VERIFY_PERMISSION (OPT_P_SCRIPT);
5619 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
5620 goto err;
5621 set_user_script (options, &options->learn_address_script,
5622 p[1], "learn-address");
5623 }
5624 else if (streq (p[0], "tmp-dir") && p[1])
5625 {
5626 VERIFY_PERMISSION (OPT_P_GENERAL);
5627 options->tmp_dir = p[1];
5628 }
5629 else if (streq (p[0], "client-config-dir") && p[1])
5630 {
5631 VERIFY_PERMISSION (OPT_P_GENERAL);
5632 options->client_config_dir = p[1];
5633 }
5634 else if (streq (p[0], "ccd-exclusive"))
5635 {
5636 VERIFY_PERMISSION (OPT_P_GENERAL);
5637 options->ccd_exclusive = true;
5638 }
5639 else if (streq (p[0], "bcast-buffers") && p[1])
5640 {
5641 int n_bcast_buf;
5642
5643 VERIFY_PERMISSION (OPT_P_GENERAL);
5644 n_bcast_buf = atoi (p[1]);
5645 if (n_bcast_buf < 1)
5646 msg (msglevel, "--bcast-buffers parameter must be > 0");
5647 options->n_bcast_buf = n_bcast_buf;
5648 }
5649 else if (streq (p[0], "tcp-queue-limit") && p[1])
5650 {
5651 int tcp_queue_limit;
5652
5653 VERIFY_PERMISSION (OPT_P_GENERAL);
5654 tcp_queue_limit = atoi (p[1]);
5655 if (tcp_queue_limit < 1)
5656 msg (msglevel, "--tcp-queue-limit parameter must be > 0");
5657 options->tcp_queue_limit = tcp_queue_limit;
5658 }
5659 #if PORT_SHARE
5660 else if (streq (p[0], "port-share") && p[1] && p[2])
5661 {
5662 int port;
5663
5664 VERIFY_PERMISSION (OPT_P_GENERAL);
5665 port = atoi (p[2]);
5666 if (!legal_ipv4_port (port))
5667 {
5668 msg (msglevel, "port number associated with --port-share directive is out of range");
5669 goto err;
5670 }
5671
5672 options->port_share_host = p[1];
5673 options->port_share_port = port;
5674 options->port_share_journal_dir = p[3];
5675 }
5676 #endif
5677 else if (streq (p[0], "client-to-client"))
5678 {
5679 VERIFY_PERMISSION (OPT_P_GENERAL);
5680 options->enable_c2c = true;
5681 }
5682 else if (streq (p[0], "duplicate-cn"))
5683 {
5684 VERIFY_PERMISSION (OPT_P_GENERAL);
5685 options->duplicate_cn = true;
5686 }
5687 else if (streq (p[0], "iroute") && p[1])
5688 {
5689 const char *netmask = NULL;
5690
5691 VERIFY_PERMISSION (OPT_P_INSTANCE);
5692 if (p[2])
5693 {
5694 netmask = p[2];
5695 }
5696 option_iroute (options, p[1], netmask, msglevel);
5697 }
5698 else if (streq (p[0], "iroute-ipv6") && p[1])
5699 {
5700 VERIFY_PERMISSION (OPT_P_INSTANCE);
5701 option_iroute_ipv6 (options, p[1], msglevel);
5702 }
5703 else if (streq (p[0], "ifconfig-push") && p[1] && p[2])
5704 {
5705 in_addr_t local, remote_netmask;
5706
5707 VERIFY_PERMISSION (OPT_P_INSTANCE);
5708 local = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
5709 remote_netmask = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
5710 if (local && remote_netmask)
5711 {
5712 options->push_ifconfig_defined = true;
5713 options->push_ifconfig_local = local;
5714 options->push_ifconfig_remote_netmask = remote_netmask;
5715 #ifdef ENABLE_CLIENT_NAT
5716 if (p[3])
5717 options->push_ifconfig_local_alias = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
5718 #endif
5719 }
5720 else
5721 {
5722 msg (msglevel, "cannot parse --ifconfig-push addresses");
5723 goto err;
5724 }
5725 }
5726 else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2])
5727 {
5728 in_addr_t network, netmask;
5729
5730 VERIFY_PERMISSION (OPT_P_GENERAL);
5731 network = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
5732 netmask = getaddr (GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
5733 if (network && netmask)
5734 {
5735 options->push_ifconfig_constraint_defined = true;
5736 options->push_ifconfig_constraint_network = network;
5737 options->push_ifconfig_constraint_netmask = netmask;
5738 }
5739 else
5740 {
5741 msg (msglevel, "cannot parse --ifconfig-push-constraint addresses");
5742 goto err;
5743 }
5744 }
5745 else if (streq (p[0], "ifconfig-ipv6-push") && p[1] )
5746 {
5747 struct in6_addr local, remote;
5748 unsigned int netbits;
5749
5750 VERIFY_PERMISSION (OPT_P_INSTANCE);
5751
5752 if ( ! get_ipv6_addr( p[1], &local, &netbits, NULL, msglevel ) )
5753 {
5754 msg (msglevel, "cannot parse --ifconfig-ipv6-push addresses");
5755 goto err;
5756 }
5757
5758 if ( p[2] )
5759 {
5760 if ( !get_ipv6_addr( p[2], &remote, NULL, NULL, msglevel ) )
5761 {
5762 msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
5763 goto err;
5764 }
5765 }
5766 else
5767 {
5768 if ( ! options->ifconfig_ipv6_local ||
5769 ! get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
5770 NULL, NULL, msglevel ) )
5771 {
5772 msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
5773 goto err;
5774 }
5775 }
5776
5777 options->push_ifconfig_ipv6_defined = true;
5778 options->push_ifconfig_ipv6_local = local;
5779 options->push_ifconfig_ipv6_netbits = netbits;
5780 options->push_ifconfig_ipv6_remote = remote;
5781 }
5782 else if (streq (p[0], "disable"))
5783 {
5784 VERIFY_PERMISSION (OPT_P_INSTANCE);
5785 options->disable = true;
5786 }
5787 else if (streq (p[0], "tcp-nodelay"))
5788 {
5789 VERIFY_PERMISSION (OPT_P_GENERAL);
5790 options->server_flags |= SF_TCP_NODELAY_HELPER;
5791 }
5792 else if (streq (p[0], "stale-routes-check") && p[1])
5793 {
5794 int ageing_time, check_interval;
5795
5796 VERIFY_PERMISSION (OPT_P_GENERAL);
5797 ageing_time = atoi (p[1]);
5798 if (p[2])
5799 check_interval = atoi (p[2]);
5800 else
5801 check_interval = ageing_time;
5802
5803 if (ageing_time < 1 || check_interval < 1)
5804 {
5805 msg (msglevel, "--stale-routes-check aging time and check interval must be >= 1");
5806 goto err;
5807 }
5808 options->stale_routes_ageing_time = ageing_time;
5809 options->stale_routes_check_interval = check_interval;
5810 }
5811 #endif /* P2MP_SERVER */
5812
5813 else if (streq (p[0], "client"))
5814 {
5815 VERIFY_PERMISSION (OPT_P_GENERAL);
5816 options->client = true;
5817 }
5818 else if (streq (p[0], "pull"))
5819 {
5820 VERIFY_PERMISSION (OPT_P_GENERAL);
5821 options->pull = true;
5822 }
5823 else if (streq (p[0], "push-continuation") && p[1])
5824 {
5825 VERIFY_PERMISSION (OPT_P_PULL_MODE);
5826 options->push_continuation = atoi(p[1]);
5827 }
5828 else if (streq (p[0], "server-poll-timeout") && p[1])
5829 {
5830 VERIFY_PERMISSION (OPT_P_GENERAL);
5831 options->server_poll_timeout = positive_atoi(p[1]);
5832 }
5833 else if (streq (p[0], "auth-user-pass"))
5834 {
5835 VERIFY_PERMISSION (OPT_P_GENERAL);
5836 if (p[1])
5837 {
5838 options->auth_user_pass_file = p[1];
5839 }
5840 else
5841 options->auth_user_pass_file = "stdin";
5842 }
5843 else if (streq (p[0], "auth-retry") && p[1])
5844 {
5845 VERIFY_PERMISSION (OPT_P_GENERAL);
5846 auth_retry_set (msglevel, p[1]);
5847 }
5848 #ifdef ENABLE_CLIENT_CR
5849 else if (streq (p[0], "static-challenge") && p[1] && p[2])
5850 {
5851 VERIFY_PERMISSION (OPT_P_GENERAL);
5852 options->sc_info.challenge_text = p[1];
5853 if (atoi(p[2]))
5854 options->sc_info.flags |= SC_ECHO;
5855 }
5856 #endif
5857 #endif
5858 #ifdef WIN32
5859 else if (streq (p[0], "win-sys") && p[1])
5860 {
5861 VERIFY_PERMISSION (OPT_P_GENERAL);
5862 if (streq (p[1], "env"))
5863 msg (M_INFO, "NOTE: --win-sys env is default from OpenVPN v2.3. "
5864 "This entry will now be ignored. "
5865 "Please remove this entry from your configuration file.");
5866 else
5867 set_win_sys_path (p[1], es);
5868 }
5869 else if (streq (p[0], "route-method") && p[1])
5870 {
5871 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
5872 if (streq (p[1], "adaptive"))
5873 options->route_method = ROUTE_METHOD_ADAPTIVE;
5874 else if (streq (p[1], "ipapi"))
5875 options->route_method = ROUTE_METHOD_IPAPI;
5876 else if (streq (p[1], "exe"))
5877 options->route_method = ROUTE_METHOD_EXE;
5878 else
5879 {
5880 msg (msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
5881 goto err;
5882 }
5883 }
5884 else if (streq (p[0], "ip-win32") && p[1])
5885 {
5886 const int index = ascii2ipset (p[1]);
5887 struct tuntap_options *to = &options->tuntap_options;
5888
5889 VERIFY_PERMISSION (OPT_P_IPWIN32);
5890
5891 if (index < 0)
5892 {
5893 msg (msglevel,
5894 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
5895 p[1],
5896 ipset2ascii_all (&gc));
5897 goto err;
5898 }
5899
5900 if (index == IPW32_SET_ADAPTIVE)
5901 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
5902
5903 if (index == IPW32_SET_DHCP_MASQ)
5904 {
5905 if (p[2])
5906 {
5907 if (!streq (p[2], "default"))
5908 {
5909 int offset = atoi (p[2]);
5910
5911 if (!(offset > -256 && offset < 256))
5912 {
5913 msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
5914 goto err;
5915 }
5916
5917 to->dhcp_masq_custom_offset = true;
5918 to->dhcp_masq_offset = offset;
5919 }
5920
5921 if (p[3])
5922 {
5923 const int min_lease = 30;
5924 int lease_time;
5925 lease_time = atoi (p[3]);
5926 if (lease_time < min_lease)
5927 {
5928 msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
5929 goto err;
5930 }
5931 to->dhcp_lease_time = lease_time;
5932 }
5933 }
5934 }
5935 to->ip_win32_type = index;
5936 to->ip_win32_defined = true;
5937 }
5938 else if (streq (p[0], "dhcp-option") && p[1])
5939 {
5940 struct tuntap_options *o = &options->tuntap_options;
5941 VERIFY_PERMISSION (OPT_P_IPWIN32);
5942
5943 if (streq (p[1], "DOMAIN") && p[2])
5944 {
5945 o->domain = p[2];
5946 }
5947 else if (streq (p[1], "NBS") && p[2])
5948 {
5949 o->netbios_scope = p[2];
5950 }
5951 else if (streq (p[1], "NBT") && p[2])
5952 {
5953 int t;
5954 t = atoi (p[2]);
5955 if (!(t == 1 || t == 2 || t == 4 || t == 8))
5956 {
5957 msg (msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
5958 goto err;
5959 }
5960 o->netbios_node_type = t;
5961 }
5962 else if (streq (p[1], "DNS") && p[2])
5963 {
5964 dhcp_option_address_parse ("DNS", p[2], o->dns, &o->dns_len, msglevel);
5965 }
5966 else if (streq (p[1], "WINS") && p[2])
5967 {
5968 dhcp_option_address_parse ("WINS", p[2], o->wins, &o->wins_len, msglevel);
5969 }
5970 else if (streq (p[1], "NTP") && p[2])
5971 {
5972 dhcp_option_address_parse ("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
5973 }
5974 else if (streq (p[1], "NBDD") && p[2])
5975 {
5976 dhcp_option_address_parse ("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
5977 }
5978 else if (streq (p[1], "DISABLE-NBT"))
5979 {
5980 o->disable_nbt = 1;
5981 }
5982 else
5983 {
5984 msg (msglevel, "--dhcp-option: unknown option type '%s' or missing parameter", p[1]);
5985 goto err;
5986 }
5987 o->dhcp_options = true;
5988 }
5989 else if (streq (p[0], "show-adapters"))
5990 {
5991 VERIFY_PERMISSION (OPT_P_GENERAL);
5992 show_tap_win_adapters (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
5993 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5994 }
5995 else if (streq (p[0], "show-net"))
5996 {
5997 VERIFY_PERMISSION (OPT_P_GENERAL);
5998 show_routes (M_INFO|M_NOPREFIX);
5999 show_adapters (M_INFO|M_NOPREFIX);
6000 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
6001 }
6002 else if (streq (p[0], "show-net-up"))
6003 {
6004 VERIFY_PERMISSION (OPT_P_UP);
6005 options->show_net_up = true;
6006 }
6007 else if (streq (p[0], "tap-sleep") && p[1])
6008 {
6009 int s;
6010 VERIFY_PERMISSION (OPT_P_IPWIN32);
6011 s = atoi (p[1]);
6012 if (s < 0 || s >= 256)
6013 {
6014 msg (msglevel, "--tap-sleep parameter must be between 0 and 255");
6015 goto err;
6016 }
6017 options->tuntap_options.tap_sleep = s;
6018 }
6019 else if (streq (p[0], "dhcp-renew"))
6020 {
6021 VERIFY_PERMISSION (OPT_P_IPWIN32);
6022 options->tuntap_options.dhcp_renew = true;
6023 }
6024 else if (streq (p[0], "dhcp-pre-release"))
6025 {
6026 VERIFY_PERMISSION (OPT_P_IPWIN32);
6027 options->tuntap_options.dhcp_pre_release = true;
6028 }
6029 else if (streq (p[0], "dhcp-release"))
6030 {
6031 VERIFY_PERMISSION (OPT_P_IPWIN32);
6032 options->tuntap_options.dhcp_release = true;
6033 }
6034 else if (streq (p[0], "dhcp-internal") && p[1]) /* standalone method for internal use */
6035 {
6036 unsigned int adapter_index;
6037 VERIFY_PERMISSION (OPT_P_GENERAL);
6038 set_debug_level (options->verbosity, SDL_CONSTRAIN);
6039 adapter_index = atou (p[1]);
6040 sleep (options->tuntap_options.tap_sleep);
6041 if (options->tuntap_options.dhcp_pre_release)
6042 dhcp_release_by_adapter_index (adapter_index);
6043 if (options->tuntap_options.dhcp_renew)
6044 dhcp_renew_by_adapter_index (adapter_index);
6045 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
6046 }
6047 else if (streq (p[0], "register-dns"))
6048 {
6049 VERIFY_PERMISSION (OPT_P_IPWIN32);
6050 options->tuntap_options.register_dns = true;
6051 }
6052 else if (streq (p[0], "rdns-internal"))
6053 /* standalone method for internal use
6054 *
6055 * (if --register-dns is set, openvpn needs to call itself in a
6056 * sub-process to execute the required functions in a non-blocking
6057 * way, and uses --rdns-internal to signal that to itself)
6058 */
6059 {
6060 VERIFY_PERMISSION (OPT_P_GENERAL);
6061 set_debug_level (options->verbosity, SDL_CONSTRAIN);
6062 if (options->tuntap_options.register_dns)
6063 ipconfig_register_dns (NULL);
6064 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
6065 }
6066 else if (streq (p[0], "show-valid-subnets"))
6067 {
6068 VERIFY_PERMISSION (OPT_P_GENERAL);
6069 show_valid_win32_tun_subnets ();
6070 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
6071 }
6072 else if (streq (p[0], "pause-exit"))
6073 {
6074 VERIFY_PERMISSION (OPT_P_GENERAL);
6075 set_pause_exit_win32 ();
6076 }
6077 else if (streq (p[0], "service") && p[1])
6078 {
6079 VERIFY_PERMISSION (OPT_P_GENERAL);
6080 options->exit_event_name = p[1];
6081 if (p[2])
6082 {
6083 options->exit_event_initial_state = (atoi(p[2]) != 0);
6084 }
6085 }
6086 else if (streq (p[0], "allow-nonadmin"))
6087 {
6088 VERIFY_PERMISSION (OPT_P_GENERAL);
6089 tap_allow_nonadmin_access (p[1]);
6090 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
6091 }
6092 else if (streq (p[0], "user") && p[1])
6093 {
6094 VERIFY_PERMISSION (OPT_P_GENERAL);
6095 msg (M_WARN, "NOTE: --user option is not implemented on Windows");
6096 }
6097 else if (streq (p[0], "group") && p[1])
6098 {
6099 VERIFY_PERMISSION (OPT_P_GENERAL);
6100 msg (M_WARN, "NOTE: --group option is not implemented on Windows");
6101 }
6102 #else
6103 else if (streq (p[0], "user") && p[1])
6104 {
6105 VERIFY_PERMISSION (OPT_P_GENERAL);
6106 options->username = p[1];
6107 }
6108 else if (streq (p[0], "group") && p[1])
6109 {
6110 VERIFY_PERMISSION (OPT_P_GENERAL);
6111 options->groupname = p[1];
6112 }
6113 else if (streq (p[0], "dhcp-option") && p[1])
6114 {
6115 VERIFY_PERMISSION (OPT_P_IPWIN32);
6116 foreign_option (options, p, 3, es);
6117 }
6118 else if (streq (p[0], "route-method") && p[1]) /* ignore when pushed to non-Windows OS */
6119 {
6120 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
6121 }
6122 #endif
6123 #if PASSTOS_CAPABILITY
6124 else if (streq (p[0], "passtos"))
6125 {
6126 VERIFY_PERMISSION (OPT_P_GENERAL);
6127 options->passtos = true;
6128 }
6129 #endif
6130 #ifdef ENABLE_LZO
6131 else if (streq (p[0], "comp-lzo"))
6132 {
6133 VERIFY_PERMISSION (OPT_P_COMP);
6134 if (p[1])
6135 {
6136 if (streq (p[1], "yes"))
6137 options->lzo = LZO_SELECTED|LZO_ON;
6138 else if (streq (p[1], "no"))
6139 options->lzo = LZO_SELECTED;
6140 else if (streq (p[1], "adaptive"))
6141 options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE;
6142 else
6143 {
6144 msg (msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
6145 goto err;
6146 }
6147 }
6148 else
6149 options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE;
6150 }
6151 else if (streq (p[0], "comp-noadapt"))
6152 {
6153 VERIFY_PERMISSION (OPT_P_COMP);
6154 options->lzo &= ~LZO_ADAPTIVE;
6155 }
6156 #endif /* ENABLE_LZO */
6157 #ifdef ENABLE_CRYPTO
6158 else if (streq (p[0], "show-ciphers"))
6159 {
6160 VERIFY_PERMISSION (OPT_P_GENERAL);
6161 options->show_ciphers = true;
6162 }
6163 else if (streq (p[0], "show-digests"))
6164 {
6165 VERIFY_PERMISSION (OPT_P_GENERAL);
6166 options->show_digests = true;
6167 }
6168 else if (streq (p[0], "show-engines"))
6169 {
6170 VERIFY_PERMISSION (OPT_P_GENERAL);
6171 options->show_engines = true;
6172 }
6173 else if (streq (p[0], "key-direction") && p[1])
6174 {
6175 int key_direction;
6176
6177 key_direction = ascii2keydirection (msglevel, p[1]);
6178 if (key_direction >= 0)
6179 options->key_direction = key_direction;
6180 else
6181 goto err;
6182 }
6183 else if (streq (p[0], "secret") && p[1])
6184 {
6185 VERIFY_PERMISSION (OPT_P_GENERAL);
6186 if (streq (p[1], INLINE_FILE_TAG) && p[2])
6187 {
6188 options->shared_secret_file_inline = p[2];
6189 }
6190 else
6191 if (p[2])
6192 {
6193 int key_direction;
6194
6195 key_direction = ascii2keydirection (msglevel, p[2]);
6196 if (key_direction >= 0)
6197 options->key_direction = key_direction;
6198 else
6199 goto err;
6200 }
6201 options->shared_secret_file = p[1];
6202 }
6203 else if (streq (p[0], "genkey"))
6204 {
6205 VERIFY_PERMISSION (OPT_P_GENERAL);
6206 options->genkey = true;
6207 }
6208 else if (streq (p[0], "auth") && p[1])
6209 {
6210 VERIFY_PERMISSION (OPT_P_CRYPTO);
6211 options->authname_defined = true;
6212 options->authname = p[1];
6213 if (streq (options->authname, "none"))
6214 {
6215 options->authname_defined = false;
6216 options->authname = NULL;
6217 }
6218 }
6219 else if (streq (p[0], "auth"))
6220 {
6221 VERIFY_PERMISSION (OPT_P_CRYPTO);
6222 options->authname_defined = true;
6223 }
6224 else if (streq (p[0], "cipher") && p[1])
6225 {
6226 VERIFY_PERMISSION (OPT_P_CRYPTO);
6227 options->ciphername_defined = true;
6228 options->ciphername = p[1];
6229 if (streq (options->ciphername, "none"))
6230 {
6231 options->ciphername_defined = false;
6232 options->ciphername = NULL;
6233 }
6234 }
6235 else if (streq (p[0], "cipher"))
6236 {
6237 VERIFY_PERMISSION (OPT_P_CRYPTO);
6238 options->ciphername_defined = true;
6239 }
6240 else if (streq (p[0], "prng") && p[1])
6241 {
6242 VERIFY_PERMISSION (OPT_P_CRYPTO);
6243 if (streq (p[1], "none"))
6244 options->prng_hash = NULL;
6245 else
6246 options->prng_hash = p[1];
6247 if (p[2])
6248 {
6249 const int sl = atoi (p[2]);
6250 if (sl >= NONCE_SECRET_LEN_MIN && sl <= NONCE_SECRET_LEN_MAX)
6251 {
6252 options->prng_nonce_secret_len = sl;
6253 }
6254 else
6255 {
6256 msg (msglevel, "prng parameter nonce_secret_len must be between %d and %d",
6257 NONCE_SECRET_LEN_MIN, NONCE_SECRET_LEN_MAX);
6258 goto err;
6259 }
6260 }
6261 }
6262 else if (streq (p[0], "no-replay"))
6263 {
6264 VERIFY_PERMISSION (OPT_P_CRYPTO);
6265 options->replay = false;
6266 }
6267 else if (streq (p[0], "replay-window"))
6268 {
6269 VERIFY_PERMISSION (OPT_P_CRYPTO);
6270 if (p[1])
6271 {
6272 int replay_window;
6273
6274 replay_window = atoi (p[1]);
6275 if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
6276 {
6277 msg (msglevel, "replay-window window size parameter (%d) must be between %d and %d",
6278 replay_window,
6279 MIN_SEQ_BACKTRACK,
6280 MAX_SEQ_BACKTRACK);
6281 goto err;
6282 }
6283 options->replay_window = replay_window;
6284
6285 if (p[2])
6286 {
6287 int replay_time;
6288
6289 replay_time = atoi (p[2]);
6290 if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
6291 {
6292 msg (msglevel, "replay-window time window parameter (%d) must be between %d and %d",
6293 replay_time,
6294 MIN_TIME_BACKTRACK,
6295 MAX_TIME_BACKTRACK);
6296 goto err;
6297 }
6298 options->replay_time = replay_time;
6299 }
6300 }
6301 else
6302 {
6303 msg (msglevel, "replay-window option is missing window size parameter");
6304 goto err;
6305 }
6306 }
6307 else if (streq (p[0], "mute-replay-warnings"))
6308 {
6309 VERIFY_PERMISSION (OPT_P_CRYPTO);
6310 options->mute_replay_warnings = true;
6311 }
6312 else if (streq (p[0], "no-iv"))
6313 {
6314 VERIFY_PERMISSION (OPT_P_CRYPTO);
6315 options->use_iv = false;
6316 }
6317 else if (streq (p[0], "replay-persist") && p[1])
6318 {
6319 VERIFY_PERMISSION (OPT_P_GENERAL);
6320 options->packet_id_file = p[1];
6321 }
6322 else if (streq (p[0], "test-crypto"))
6323 {
6324 VERIFY_PERMISSION (OPT_P_GENERAL);
6325 options->test_crypto = true;
6326 }
6327 #ifndef ENABLE_CRYPTO_POLARSSL
6328 else if (streq (p[0], "engine"))
6329 {
6330 VERIFY_PERMISSION (OPT_P_GENERAL);
6331 if (p[1])
6332 {
6333 options->engine = p[1];
6334 }
6335 else
6336 options->engine = "auto";
6337 }
6338 #endif /* ENABLE_CRYPTO_POLARSSL */
6339 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
6340 else if (streq (p[0], "keysize") && p[1])
6341 {
6342 int keysize;
6343
6344 VERIFY_PERMISSION (OPT_P_CRYPTO);
6345 keysize = atoi (p[1]) / 8;
6346 if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH)
6347 {
6348 msg (msglevel, "Bad keysize: %s", p[1]);
6349 goto err;
6350 }
6351 options->keysize = keysize;
6352 }
6353 #endif
6354 #ifdef ENABLE_PREDICTION_RESISTANCE
6355 else if (streq (p[0], "use-prediction-resistance"))
6356 {
6357 VERIFY_PERMISSION (OPT_P_GENERAL);
6358 options->use_prediction_resistance = true;
6359 }
6360 #endif
6361 #ifdef ENABLE_SSL
6362 else if (streq (p[0], "show-tls"))
6363 {
6364 VERIFY_PERMISSION (OPT_P_GENERAL);
6365 options->show_tls_ciphers = true;
6366 }
6367 else if (streq (p[0], "tls-server"))
6368 {
6369 VERIFY_PERMISSION (OPT_P_GENERAL);
6370 options->tls_server = true;
6371 }
6372 else if (streq (p[0], "tls-client"))
6373 {
6374 VERIFY_PERMISSION (OPT_P_GENERAL);
6375 options->tls_client = true;
6376 }
6377 else if (streq (p[0], "ca") && p[1])
6378 {
6379 VERIFY_PERMISSION (OPT_P_GENERAL);
6380 options->ca_file = p[1];
6381 if (streq (p[1], INLINE_FILE_TAG) && p[2])
6382 {
6383 options->ca_file_inline = p[2];
6384 }
6385 }
6386 #ifndef ENABLE_CRYPTO_POLARSSL
6387 else if (streq (p[0], "capath") && p[1])
6388 {
6389 VERIFY_PERMISSION (OPT_P_GENERAL);
6390 options->ca_path = p[1];
6391 }
6392 #endif /* ENABLE_CRYPTO_POLARSSL */
6393 else if (streq (p[0], "dh") && p[1])
6394 {
6395 VERIFY_PERMISSION (OPT_P_GENERAL);
6396 options->dh_file = p[1];
6397 if (streq (p[1], INLINE_FILE_TAG) && p[2])
6398 {
6399 options->dh_file_inline = p[2];
6400 }
6401 }
6402 else if (streq (p[0], "cert") && p[1])
6403 {
6404 VERIFY_PERMISSION (OPT_P_GENERAL);
6405 options->cert_file = p[1];
6406 if (streq (p[1], INLINE_FILE_TAG) && p[2])
6407 {
6408 options->cert_file_inline = p[2];
6409 }
6410 }
6411 else if (streq (p[0], "extra-certs") && p[1])
6412 {
6413 VERIFY_PERMISSION (OPT_P_GENERAL);
6414 options->extra_certs_file = p[1];
6415 if (streq (p[1], INLINE_FILE_TAG) && p[2])
6416 {
6417 options->extra_certs_file_inline = p[2];
6418 }
6419 }
6420 else if (streq (p[0], "verify-hash") && p[1])
6421 {
6422 VERIFY_PERMISSION (OPT_P_GENERAL);
6423 options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
6424 }
6425 #ifdef ENABLE_CRYPTOAPI
6426 else if (streq (p[0], "cryptoapicert") && p[1])
6427 {
6428 VERIFY_PERMISSION (OPT_P_GENERAL);
6429 options->cryptoapi_cert = p[1];
6430 }
6431 #endif
6432 else if (streq (p[0], "key") && p[1])
6433 {
6434 VERIFY_PERMISSION (OPT_P_GENERAL);
6435 options->priv_key_file = p[1];
6436 if (streq (p[1], INLINE_FILE_TAG) && p[2])
6437 {
6438 options->priv_key_file_inline = p[2];
6439 }
6440 }
6441 #ifndef ENABLE_CRYPTO_POLARSSL
6442 else if (streq (p[0], "pkcs12") && p[1])
6443 {
6444 VERIFY_PERMISSION (OPT_P_GENERAL);
6445 options->pkcs12_file = p[1];
6446 if (streq (p[1], INLINE_FILE_TAG) && p[2])
6447 {
6448 options->pkcs12_file_inline = p[2];
6449 }
6450 }
6451 #endif /* ENABLE_CRYPTO_POLARSSL */
6452 else if (streq (p[0], "askpass"))
6453 {
6454 VERIFY_PERMISSION (OPT_P_GENERAL);
6455 if (p[1])
6456 {
6457 options->key_pass_file = p[1];
6458 }
6459 else
6460 options->key_pass_file = "stdin";
6461 }
6462 else if (streq (p[0], "auth-nocache"))
6463 {
6464 VERIFY_PERMISSION (OPT_P_GENERAL);
6465 ssl_set_auth_nocache ();
6466 }
6467 else if (streq (p[0], "auth-token") && p[1])
6468 {
6469 VERIFY_PERMISSION (OPT_P_ECHO);
6470 ssl_set_auth_token(p[1]);
6471 #ifdef ENABLE_MANAGEMENT
6472 if (management)
6473 management_auth_token (management, p[1]);
6474 #endif
6475 }
6476 else if (streq (p[0], "single-session"))
6477 {
6478 VERIFY_PERMISSION (OPT_P_GENERAL);
6479 options->single_session = true;
6480 }
6481 #ifdef ENABLE_PUSH_PEER_INFO
6482 else if (streq (p[0], "push-peer-info"))
6483 {
6484 VERIFY_PERMISSION (OPT_P_GENERAL);
6485 options->push_peer_info = true;
6486 }
6487 #endif
6488 else if (streq (p[0], "tls-exit"))
6489 {
6490 VERIFY_PERMISSION (OPT_P_GENERAL);
6491 options->tls_exit = true;
6492 }
6493 else if (streq (p[0], "tls-cipher") && p[1])
6494 {
6495 VERIFY_PERMISSION (OPT_P_GENERAL);
6496 options->cipher_list = p[1];
6497 }
6498 else if (streq (p[0], "crl-verify") && p[1])
6499 {
6500 VERIFY_PERMISSION (OPT_P_GENERAL);
6501 if (p[2] && streq(p[2], "dir"))
6502 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
6503 options->crl_file = p[1];
6504 }
6505 else if (streq (p[0], "tls-verify") && p[1])
6506 {
6507 VERIFY_PERMISSION (OPT_P_SCRIPT);
6508 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
6509 goto err;
6510 set_user_script (options, &options->tls_verify,
6511 string_substitute (p[1], ',', ' ', &options->gc),
6512 "tls-verify");
6513 }
6514 #ifndef ENABLE_CRYPTO_POLARSSL
6515 else if (streq (p[0], "tls-export-cert") && p[1])
6516 {
6517 VERIFY_PERMISSION (OPT_P_GENERAL);
6518 options->tls_export_cert = p[1];
6519 }
6520 #endif
6521 else if (streq (p[0], "compat-names"))
6522 {
6523 VERIFY_PERMISSION (OPT_P_GENERAL);
6524 if (options->verify_x509_type != VERIFY_X509_NONE &&
6525 options->verify_x509_type != TLS_REMOTE_SUBJECT_DN &&
6526 options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
6527 {
6528 msg (msglevel, "you cannot use --compat-names with --verify-x509-name");
6529 goto err;
6530 }
6531 msg (M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration");
6532 compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
6533 #if P2MP_SERVER
6534 if (p[1] && streq (p[1], "no-remapping"))
6535 compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
6536 }
6537 else if (streq (p[0], "no-name-remapping"))
6538 {
6539 VERIFY_PERMISSION (OPT_P_GENERAL);
6540 if (options->verify_x509_type != VERIFY_X509_NONE &&
6541 options->verify_x509_type != TLS_REMOTE_SUBJECT_DN &&
6542 options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
6543 {
6544 msg (msglevel, "you cannot use --no-name-remapping with --verify-x509-name");
6545 goto err;
6546 }
6547 msg (M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration");
6548 compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
6549 compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
6550 #endif
6551 }
6552 else if (streq (p[0], "tls-remote") && p[1])
6553 {
6554 VERIFY_PERMISSION (OPT_P_GENERAL);
6555
6556 if (options->verify_x509_type != VERIFY_X509_NONE &&
6557 options->verify_x509_type != TLS_REMOTE_SUBJECT_DN &&
6558 options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
6559 {
6560 msg (msglevel, "you cannot use --tls-remote with --verify-x509-name");
6561 goto err;
6562 }
6563 msg (M_WARN, "DEPRECATED OPTION: --tls-remote, please update your configuration");
6564
6565 if (strlen (p[1]))
6566 {
6567 int is_username = (!strchr (p[1], '=') || !strstr (p[1], ", "));
6568 int type = TLS_REMOTE_SUBJECT_DN;
6569 if (p[1][0] != '/' && is_username)
6570 type = TLS_REMOTE_SUBJECT_RDN_PREFIX;
6571
6572 /*
6573 * Enable legacy openvpn format for DNs that have not been converted
6574 * yet and --x509-username-field (not containing an '=' or ', ')
6575 */
6576 if (p[1][0] == '/' || is_username)
6577 compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
6578
6579 options->verify_x509_type = type;
6580 options->verify_x509_name = p[1];
6581 }
6582 }
6583 else if (streq (p[0], "verify-x509-name") && p[1] && strlen (p[1]))
6584 {
6585 int type = VERIFY_X509_SUBJECT_DN;
6586 VERIFY_PERMISSION (OPT_P_GENERAL);
6587 if (options->verify_x509_type == TLS_REMOTE_SUBJECT_DN ||
6588 options->verify_x509_type == TLS_REMOTE_SUBJECT_RDN_PREFIX)
6589 {
6590 msg (msglevel, "you cannot use --verify-x509-name with --tls-remote");
6591 goto err;
6592 }
6593 if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NAMES))
6594 {
6595 msg (msglevel, "you cannot use --verify-x509-name with "
6596 "--compat-names or --no-name-remapping");
6597 goto err;
6598 }
6599 if (p[2])
6600 {
6601 if (streq (p[2], "subject"))
6602 type = VERIFY_X509_SUBJECT_DN;
6603 else if (streq (p[2], "name"))
6604 type = VERIFY_X509_SUBJECT_RDN;
6605 else if (streq (p[2], "name-prefix"))
6606 type = VERIFY_X509_SUBJECT_RDN_PREFIX;
6607 else
6608 {
6609 msg (msglevel, "unknown X.509 name type: %s", p[2]);
6610 goto err;
6611 }
6612 }
6613 options->verify_x509_type = type;
6614 options->verify_x509_name = p[1];
6615 }
6616 else if (streq (p[0], "ns-cert-type") && p[1])
6617 {
6618 VERIFY_PERMISSION (OPT_P_GENERAL);
6619 if (streq (p[1], "server"))
6620 options->ns_cert_type = NS_CERT_CHECK_SERVER;
6621 else if (streq (p[1], "client"))
6622 options->ns_cert_type = NS_CERT_CHECK_CLIENT;
6623 else
6624 {
6625 msg (msglevel, "--ns-cert-type must be 'client' or 'server'");
6626 goto err;
6627 }
6628 }
6629 #if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
6630 else if (streq (p[0], "remote-cert-ku"))
6631 {
6632 int j;
6633
6634 VERIFY_PERMISSION (OPT_P_GENERAL);
6635
6636 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
6637 sscanf (p[j], "%x", &(options->remote_cert_ku[j-1]));
6638 }
6639 else if (streq (p[0], "remote-cert-eku") && p[1])
6640 {
6641 VERIFY_PERMISSION (OPT_P_GENERAL);
6642 options->remote_cert_eku = p[1];
6643 }
6644 else if (streq (p[0], "remote-cert-tls") && p[1])
6645 {
6646 VERIFY_PERMISSION (OPT_P_GENERAL);
6647
6648 if (streq (p[1], "server"))
6649 {
6650 options->remote_cert_ku[0] = 0xa0;
6651 options->remote_cert_ku[1] = 0x88;
6652 options->remote_cert_eku = "TLS Web Server Authentication";
6653 }
6654 else if (streq (p[1], "client"))
6655 {
6656 options->remote_cert_ku[0] = 0x80;
6657 options->remote_cert_ku[1] = 0x08;
6658 options->remote_cert_ku[2] = 0x88;
6659 options->remote_cert_eku = "TLS Web Client Authentication";
6660 }
6661 else
6662 {
6663 msg (msglevel, "--remote-cert-tls must be 'client' or 'server'");
6664 goto err;
6665 }
6666 }
6667 #endif /* OPENSSL_VERSION_NUMBER */
6668 else if (streq (p[0], "tls-timeout") && p[1])
6669 {
6670 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
6671 options->tls_timeout = positive_atoi (p[1]);
6672 }
6673 else if (streq (p[0], "reneg-bytes") && p[1])
6674 {
6675 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
6676 options->renegotiate_bytes = positive_atoi (p[1]);
6677 }
6678 else if (streq (p[0], "reneg-pkts") && p[1])
6679 {
6680 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
6681 options->renegotiate_packets = positive_atoi (p[1]);
6682 }
6683 else if (streq (p[0], "reneg-sec") && p[1])
6684 {
6685 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
6686 options->renegotiate_seconds = positive_atoi (p[1]);
6687 }
6688 else if (streq (p[0], "hand-window") && p[1])
6689 {
6690 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
6691 options->handshake_window = positive_atoi (p[1]);
6692 }
6693 else if (streq (p[0], "tran-window") && p[1])
6694 {
6695 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
6696 options->transition_window = positive_atoi (p[1]);
6697 }
6698 else if (streq (p[0], "tls-auth") && p[1])
6699 {
6700 VERIFY_PERMISSION (OPT_P_GENERAL);
6701 if (streq (p[1], INLINE_FILE_TAG) && p[2])
6702 {
6703 options->tls_auth_file_inline = p[2];
6704 }
6705 else
6706 if (p[2])
6707 {
6708 int key_direction;
6709
6710 key_direction = ascii2keydirection (msglevel, p[2]);
6711 if (key_direction >= 0)
6712 options->key_direction = key_direction;
6713 else
6714 goto err;
6715 }
6716 options->tls_auth_file = p[1];
6717 }
6718 else if (streq (p[0], "key-method") && p[1])
6719 {
6720 int key_method;
6721
6722 VERIFY_PERMISSION (OPT_P_GENERAL);
6723 key_method = atoi (p[1]);
6724 if (key_method < KEY_METHOD_MIN || key_method > KEY_METHOD_MAX)
6725 {
6726 msg (msglevel, "key_method parameter (%d) must be >= %d and <= %d",
6727 key_method,
6728 KEY_METHOD_MIN,
6729 KEY_METHOD_MAX);
6730 goto err;
6731 }
6732 options->key_method = key_method;
6733 }
6734 #ifdef ENABLE_X509ALTUSERNAME
6735 else if (streq (p[0], "x509-username-field") && p[1])
6736 {
6737 char *s = p[1];
6738 VERIFY_PERMISSION (OPT_P_GENERAL);
6739 if( strncmp ("ext:",s,4) != 0 )
6740 while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */
6741 options->x509_username_field = p[1];
6742 }
6743 #endif /* ENABLE_X509ALTUSERNAME */
6744 #endif /* ENABLE_SSL */
6745 #endif /* ENABLE_CRYPTO */
6746 #ifdef ENABLE_PKCS11
6747 else if (streq (p[0], "show-pkcs11-ids") && p[1])
6748 {
6749 char *provider = p[1];
6750 bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 ));
6751
6752 VERIFY_PERMISSION (OPT_P_GENERAL);
6753
6754 set_debug_level (options->verbosity, SDL_CONSTRAIN);
6755 show_pkcs11_ids (provider, cert_private);
6756 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
6757 }
6758 else if (streq (p[0], "pkcs11-providers") && p[1])
6759 {
6760 int j;
6761
6762 VERIFY_PERMISSION (OPT_P_GENERAL);
6763
6764 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
6765 options->pkcs11_providers[j-1] = p[j];
6766 }
6767 else if (streq (p[0], "pkcs11-protected-authentication"))
6768 {
6769 int j;
6770
6771 VERIFY_PERMISSION (OPT_P_GENERAL);
6772
6773 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
6774 options->pkcs11_protected_authentication[j-1] = atoi (p[j]) != 0 ? 1 : 0;
6775 }
6776 else if (streq (p[0], "pkcs11-private-mode") && p[1])
6777 {
6778 int j;
6779
6780 VERIFY_PERMISSION (OPT_P_GENERAL);
6781
6782 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
6783 sscanf (p[j], "%x", &(options->pkcs11_private_mode[j-1]));
6784 }
6785 else if (streq (p[0], "pkcs11-cert-private"))
6786 {
6787 int j;
6788
6789 VERIFY_PERMISSION (OPT_P_GENERAL);
6790
6791 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
6792 options->pkcs11_cert_private[j-1] = atoi (p[j]) != 0 ? 1 : 0;
6793 }
6794 else if (streq (p[0], "pkcs11-pin-cache") && p[1])
6795 {
6796 VERIFY_PERMISSION (OPT_P_GENERAL);
6797 options->pkcs11_pin_cache_period = atoi (p[1]);
6798 }
6799 else if (streq (p[0], "pkcs11-id") && p[1])
6800 {
6801 VERIFY_PERMISSION (OPT_P_GENERAL);
6802 options->pkcs11_id = p[1];
6803 }
6804 else if (streq (p[0], "pkcs11-id-management"))
6805 {
6806 VERIFY_PERMISSION (OPT_P_GENERAL);
6807 options->pkcs11_id_management = true;
6808 }
6809 #endif
6810 #ifdef ENABLE_FEATURE_TUN_PERSIST
6811 else if (streq (p[0], "rmtun"))
6812 {
6813 VERIFY_PERMISSION (OPT_P_GENERAL);
6814 options->persist_config = true;
6815 options->persist_mode = 0;
6816 }
6817 else if (streq (p[0], "mktun"))
6818 {
6819 VERIFY_PERMISSION (OPT_P_GENERAL);
6820 options->persist_config = true;
6821 options->persist_mode = 1;
6822 }
6823 #endif
6824 else
6825 {
6826 if (file)
6827 msg (msglevel_fc, "Unrecognized option or missing parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
6828 else
6829 msg (msglevel_fc, "Unrecognized option or missing parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
6830 }
6831 err:
6832 gc_free (&gc);
6833 }
Tomato firmware and modifications.