search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update to OpenVPN 2.1rc17
[tomato.git] / release / src / router / openvpn / options.c
bloba83c6a2e1018c4b70a3404627a2bba4c5e997ebd
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 /*
26 * 2004-01-28: Added Socks5 proxy support
27 * (Christof Meerwald, http://cmeerw.org)
28 */
29
30 #include "syshead.h"
31
32 #include "buffer.h"
33 #include "error.h"
34 #include "common.h"
35 #include "shaper.h"
36 #include "crypto.h"
37 #include "ssl.h"
38 #include "options.h"
39 #include "misc.h"
40 #include "socket.h"
41 #include "packet_id.h"
42 #include "pkcs11.h"
43 #include "win32.h"
44 #include "push.h"
45 #include "pool.h"
46 #include "helper.h"
47 #include "manage.h"
48
49 #include "memdbg.h"
50
51 const char title_string[] =
52 PACKAGE_STRING
53 " " TARGET_ALIAS
54 #ifdef USE_CRYPTO
55 #ifdef USE_SSL
56 " [SSL]"
57 #else
58 " [CRYPTO]"
59 #endif
60 #endif
61 #ifdef USE_LZO
62 " [LZO" LZO_VERSION_NUM "]"
63 #endif
64 #if EPOLL
65 " [EPOLL]"
66 #endif
67 #ifdef PRODUCT_TAP_DEBUG
68 " [TAPDBG]"
69 #endif
70 #ifdef USE_PTHREAD
71 " [PTHREAD]"
72 #endif
73 #ifdef ENABLE_PKCS11
74 " [PKCS11]"
75 #endif
76 " built on " __DATE__
77 ;
78
79 #ifndef ENABLE_SMALL
80
81 static const char usage_message[] =
82 "%s\n"
83 "\n"
84 "General Options:\n"
85 "--config file : Read configuration options from file.\n"
86 "--help : Show options.\n"
87 "--version : Show copyright and version information.\n"
88 "\n"
89 "Tunnel Options:\n"
90 "--local host : Local host name or ip address. Implies --bind.\n"
91 "--remote host [port] : Remote host name or ip address.\n"
92 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
93 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
94 "--proto p : Use protocol p for communicating with peer.\n"
95 " p = udp (default), tcp-server, or tcp-client\n"
96 "--connect-retry n : For --proto tcp-client, number of seconds to wait\n"
97 " between connection retries (default=%d).\n"
98 "--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).\n"
99 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
100 #ifdef GENERAL_PROXY_SUPPORT
101 "--auto-proxy : Try to sense proxy settings (or lack thereof) automatically.\n"
102 #endif
103 #ifdef ENABLE_HTTP_PROXY
104 "--http-proxy s p [up] [auth] : Connect to remote host\n"
105 " through an HTTP proxy at address s and port p.\n"
106 " If proxy authentication is required,\n"
107 " up is a file containing username/password on 2 lines, or\n"
108 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
109 " the proxy requires NTLM authentication.\n"
110 "--http-proxy s p 'auto': Like the above directive, but automatically determine\n"
111 " auth method and query for username/password if needed.\n"
112 "--http-proxy-retry : Retry indefinitely on HTTP proxy errors.\n"
113 "--http-proxy-timeout n : Proxy timeout in seconds, default=5.\n"
114 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
115 " Repeat to set multiple options.\n"
116 " VERSION version (default=1.0)\n"
117 " AGENT user-agent\n"
118 #endif
119 #ifdef ENABLE_SOCKS
120 "--socks-proxy s [p]: Connect to remote host through a Socks5 proxy at address\n"
121 " s and port p (default port = 1080).\n"
122 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
123 #endif
124 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
125 " resolve for n seconds before failing (disabled by default).\n"
126 " Set n=\"infinite\" to retry indefinitely.\n"
127 "--float : Allow remote to change its IP address/port, such as through\n"
128 " DHCP (this is the default if --remote is not used).\n"
129 "--ipchange cmd : Execute shell command cmd on remote ip address initial\n"
130 " setting or change -- execute as: cmd ip-address port#\n"
131 "--port port : TCP/UDP port # for both local and remote.\n"
132 "--lport port : TCP/UDP port # for local (default=%d). Implies --bind.\n"
133 "--rport port : TCP/UDP port # for remote (default=%d).\n"
134 "--bind : Bind to local address and port. (This is the default unless\n"
135 " --proto tcp-client"
136 #ifdef ENABLE_HTTP_PROXY
137 " or --http-proxy"
138 #endif
139 #ifdef ENABLE_SOCKS
140 " or --socks-proxy"
141 #endif
142 " is used).\n"
143 "--nobind : Do not bind to local address and port.\n"
144 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
145 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
146 " this option only if the tun/tap device used with --dev\n"
147 " does not begin with \"tun\" or \"tap\".\n"
148 "--dev-node node : Explicitly set the device node rather than using\n"
149 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
150 "--lladdr hw : Set the link layer address of the tap device.\n"
151 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
152 "--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic.\n"
153 #ifdef CONFIG_FEATURE_IPROUTE
154 "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
155 #endif
156 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
157 " endpoint and rn as a remote endpoint. l & rn should be\n"
158 " swapped on the other peer. l & rn must be private\n"
159 " addresses outside of the subnets used by either peer.\n"
160 " TAP: configure device to use IP address l as a local\n"
161 " endpoint and rn as a subnet mask.\n"
162 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
163 " pass --ifconfig parms by environment to scripts.\n"
164 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
165 " connection doesn't match the remote side.\n"
166 "--route network [netmask] [gateway] [metric] :\n"
167 " Add route to routing table after connection\n"
168 " is established. Multiple routes can be specified.\n"
169 " netmask default: 255.255.255.255\n"
170 " gateway default: taken from --route-gateway or --ifconfig\n"
171 " Specify default by leaving blank or setting to \"nil\".\n"
172 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
173 "--route-metric m : Specify a default metric for use with --route.\n"
174 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
175 " adding routes (may be 0). If not specified, routes will\n"
176 " be added immediately after tun/tap open. On Windows, wait\n"
177 " up to w seconds for TUN/TAP adapter to come up.\n"
178 "--route-up cmd : Execute shell cmd after routes are added.\n"
179 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
180 " --route-up script using environmental variables.\n"
181 "--route-nopull : When used with --client or --pull, accept options pushed\n"
182 " by server EXCEPT for routes.\n"
183 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
184 " --ifconfig, --route, and --route-gateway.\n"
185 "--redirect-gateway [flags]: Automatically execute routing\n"
186 " commands to redirect all outgoing IP traffic through the\n"
187 " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
188 " connected via a common subnet, such as with WiFi.\n"
189 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
190 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
191 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
192 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
193 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
194 " the default gateway. Useful when pushing private subnets.\n"
195 "--setenv name value : Set a custom environmental variable to pass to script.\n"
196 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
197 " directives for future OpenVPN versions to be ignored.\n"
198 "--script-security level mode : mode='execve' (default) or 'system', level=\n"
199 " 0 -- strictly no calling of external programs\n"
200 " 1 -- (default) only call built-ins such as ifconfig\n"
201 " 2 -- allow calling of built-ins and scripts\n"
202 " 3 -- allow password to be passed to scripts via env\n"
203 "--shaper n : Restrict output to peer to n bytes per second.\n"
204 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
205 " ping once every n seconds, restart if ping not received\n"
206 " for m seconds.\n"
207 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
208 " produces a combined in/out byte count < bytes.\n"
209 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
210 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
211 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
212 " remote address.\n"
213 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
214 #if ENABLE_IP_PKTINFO
215 "--multihome : Configure a multi-homed UDP server.\n"
216 #endif
217 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
218 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
219 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
220 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
221 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
222 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
223 #if PASSTOS_CAPABILITY
224 "--passtos : TOS passthrough (applies to IPv4 only).\n"
225 #endif
226 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
227 " TCP/UDP MTU from it (default=%d).\n"
228 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
229 " as n bytes more than the tun-mtu size on read\n"
230 " (default TUN=0 TAP=%d).\n"
231 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
232 " from it.\n"
233 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
234 " 'no' -- Never send DF (Don't Fragment) frames\n"
235 " 'maybe' -- Use per-route hints\n"
236 " 'yes' -- Always DF (Don't Fragment)\n"
237 #ifdef ENABLE_OCC
238 "--mtu-test : Empirically measure and report MTU.\n"
239 #endif
240 #ifdef ENABLE_FRAGMENT
241 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
242 " datagrams are sent which are larger than max bytes.\n"
243 " Adds 4 bytes of overhead per datagram.\n"
244 #endif
245 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
246 " or --fragment max value, whichever is lower.\n"
247 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
248 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
249 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
250 "--mlock : Disable Paging -- ensures key material and tunnel\n"
251 " data will never be written to disk.\n"
252 "--up cmd : Shell cmd to execute after successful tun device open.\n"
253 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
254 " ifconfig-local-ip ifconfig-remote-ip\n"
255 " (pre --user or --group UID/GID change)\n"
256 "--up-delay : Delay tun/tap open and possible --up script execution\n"
257 " until after TCP/UDP connection establishment with peer.\n"
258 "--down cmd : Shell cmd to run after tun device close.\n"
259 " (post --user/--group UID/GID change and/or --chroot)\n"
260 " (script parameters are same as --up option)\n"
261 "--down-pre : Call --down cmd/script before TUN/TAP close.\n"
262 "--up-restart : Run up/down scripts for all restarts including those\n"
263 " caused by --ping-restart or SIGUSR1\n"
264 "--user user : Set UID to user after initialization.\n"
265 "--group group : Set GID to group after initialization.\n"
266 "--chroot dir : Chroot to this directory after initialization.\n"
267 "--cd dir : Change to this directory before initialization.\n"
268 "--daemon [name] : Become a daemon after initialization.\n"
269 " The optional 'name' parameter will be passed\n"
270 " as the program name to the system logger.\n"
271 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
272 " See --daemon above for a description of the 'name' parm.\n"
273 "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
274 " See --daemon above for a description of the 'name' parm.\n"
275 "--log file : Output log to file which is created/truncated on open.\n"
276 "--log-append file : Append log to file, or create file if nonexistent.\n"
277 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
278 "--writepid file : Write main process ID to file.\n"
279 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
280 #if 0
281 #ifdef USE_PTHREAD
282 "--nice-work n : Change thread priority of work thread. The work\n"
283 " thread is used for background processing such as\n"
284 " RSA key number crunching.\n"
285 #endif
286 #endif
287 "--echo [parms ...] : Echo parameters to log output.\n"
288 "--verb n : Set output verbosity to n (default=%d):\n"
289 " (Level 3 is recommended if you want a good summary\n"
290 " of what's happening without being swamped by output).\n"
291 " : 0 -- no output except fatal errors\n"
292 " : 1 -- startup info + connection initiated messages +\n"
293 " non-fatal encryption & net errors\n"
294 " : 2,3 -- show TLS negotiations & route info\n"
295 " : 4 -- show parameters\n"
296 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
297 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
298 " : 6 to 11 -- debug messages of increasing verbosity\n"
299 "--mute n : Log at most n consecutive messages in the same category.\n"
300 "--status file n : Write operational status to file every n seconds.\n"
301 "--status-version [n] : Choose the status file format version number.\n"
302 " Currently, n can be 1, 2, or 3 (default=1).\n"
303 #ifdef ENABLE_OCC
304 "--disable-occ : Disable options consistency check between peers.\n"
305 #endif
306 #ifdef ENABLE_DEBUG
307 "--gremlin mask : Special stress testing mode (for debugging only).\n"
308 #endif
309 #ifdef USE_LZO
310 "--comp-lzo : Use fast LZO compression -- may add up to 1 byte per\n"
311 " packet for uncompressible data.\n"
312 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
313 " is specified.\n"
314 #endif
315 #ifdef ENABLE_MANAGEMENT
316 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
317 " management functions. pass is a password file\n"
318 " or 'stdin' to prompt from console.\n"
319 #if UNIX_SOCK_SUPPORT
320 " To listen on a unix domain socket, specific the pathname\n"
321 " in place of ip and use 'unix' as the port number.\n"
322 #endif
323 "--management-client : Management interface will connect as a TCP client to\n"
324 " ip/port rather than listen as a TCP server.\n"
325 "--management-query-passwords : Query management channel for private key\n"
326 " and auth-user-pass passwords.\n"
327 "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
328 " of the management interface explicitly starts it.\n"
329 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
330 "--management-forget-disconnect : Forget passwords when management disconnect\n"
331 " event occurs.\n"
332 "--management-log-cache n : Cache n lines of log file history for usage\n"
333 " by the management channel.\n"
334 #if UNIX_SOCK_SUPPORT
335 "--management-client-user u : When management interface is a unix socket, only\n"
336 " allow connections from user u.\n"
337 "--management-client-group g : When management interface is a unix socket, only\n"
338 " allow connections from group g.\n"
339 #endif
340 #ifdef MANAGEMENT_DEF_AUTH
341 "--management-client-auth : gives management interface client the responsibility\n"
342 " to authenticate clients after their client certificate\n"
343 " has been verified.\n"
344 #endif
345 #ifdef MANAGEMENT_PF
346 "--management-client-pf : management interface clients must specify a packet\n"
347 " filter file for each connecting client.\n"
348 #endif
349 #endif
350 #ifdef ENABLE_PLUGIN
351 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
352 " to its initialization function.\n"
353 #endif
354 #if P2MP
355 #if P2MP_SERVER
356 "\n"
357 "Multi-Client Server options (when --mode server is used):\n"
358 "--server network netmask : Helper option to easily configure server mode.\n"
359 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
360 " easily configure ethernet bridging server mode.\n"
361 "--push \"option\" : Push a config file option back to the peer for remote\n"
362 " execution. Peer must specify --pull in its config file.\n"
363 "--push-reset : Don't inherit global push list for specific\n"
364 " client instance.\n"
365 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
366 " to be dynamically allocated to connecting clients.\n"
367 "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
368 " in tun mode. Not compatible with Windows clients.\n"
369 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
370 " data to file, at seconds intervals (default=600).\n"
371 " If seconds=0, file will be treated as read-only.\n"
372 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
373 " overrides --ifconfig-pool dynamic allocation.\n"
374 " Only valid in a client-specific config file.\n"
375 "--iroute network [netmask] : Route subnet to client.\n"
376 " Sets up internal routes only.\n"
377 " Only valid in a client-specific config file.\n"
378 "--disable : Client is disabled.\n"
379 " Only valid in a client-specific config file.\n"
380 "--client-cert-not-required : Don't require client certificate, client\n"
381 " will authenticate using username/password.\n"
382 "--username-as-common-name : For auth-user-pass authentication, use\n"
383 " the authenticated username as the common name,\n"
384 " rather than the common name from the client cert.\n"
385 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
386 " run script cmd to verify. If method='via-env', pass\n"
387 " user/pass via environment, if method='via-file', pass\n"
388 " user/pass via temporary file.\n"
389 "--opt-verify : Clients that connect with options that are incompatible\n"
390 " with those of the server will be disconnected.\n"
391 "--auth-user-pass-optional : Allow connections by clients that don't\n"
392 " specify a username/password.\n"
393 "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
394 " any printable character.\n"
395 "--client-to-client : Internally route client-to-client traffic.\n"
396 "--duplicate-cn : Allow multiple clients with the same common name to\n"
397 " concurrently connect.\n"
398 "--client-connect cmd : Run script cmd on client connection.\n"
399 "--client-disconnect cmd : Run script cmd on client disconnection.\n"
400 "--client-config-dir dir : Directory for custom client config files.\n"
401 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
402 "--tmp-dir dir : Temporary directory, used for --client-connect return file.\n"
403 "--hash-size r v : Set the size of the real address hash table to r and the\n"
404 " virtual address table to v.\n"
405 "--bcast-buffers n : Allocate n broadcast buffers.\n"
406 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
407 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
408 " as well as pushes it to connecting clients.\n"
409 "--learn-address cmd : Run script cmd to validate client virtual addresses.\n"
410 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
411 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
412 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
413 #if PORT_SHARE
414 "--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions\n"
415 " to a web server at host:port.\n"
416 #endif
417 #endif
418 "\n"
419 "Client options (when connecting to a multi-client server):\n"
420 "--client : Helper option to easily configure client mode.\n"
421 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
422 " up is a file containing username/password on 2 lines,\n"
423 " or omit to prompt from console.\n"
424 "--pull : Accept certain config file options from the peer as if they\n"
425 " were part of the local config file. Must be specified\n"
426 " when connecting to a '--mode server' remote host.\n"
427 "--auth-retry t : How to handle auth failures. Set t to\n"
428 " none (default), interact, or nointeract.\n"
429 #endif
430 #ifdef ENABLE_OCC
431 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
432 " server/remote. n = # of retries, default=1.\n"
433 #endif
434 #ifdef USE_CRYPTO
435 "\n"
436 "Data Channel Encryption Options (must be compatible between peers):\n"
437 "(These options are meaningful for both Static Key & TLS-mode)\n"
438 "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
439 " Use shared secret file f, generate with --genkey.\n"
440 " The optional d parameter controls key directionality.\n"
441 " If d is specified, use separate keys for each\n"
442 " direction, set d=0 on one side of the connection,\n"
443 " and d=1 on the other side.\n"
444 "--auth alg : Authenticate packets with HMAC using message\n"
445 " digest algorithm alg (default=%s).\n"
446 " (usually adds 16 or 20 bytes per packet)\n"
447 " Set alg=none to disable authentication.\n"
448 "--cipher alg : Encrypt packets with cipher algorithm alg\n"
449 " (default=%s).\n"
450 " Set alg=none to disable encryption.\n"
451 "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
452 " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
453 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
454 "--keysize n : Size of cipher key in bits (optional).\n"
455 " If unspecified, defaults to cipher-specific default.\n"
456 #endif
457 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
458 "--no-replay : Disable replay protection.\n"
459 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
460 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
461 " and a time window of t seconds.\n"
462 " Default n=%d t=%d\n"
463 "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n"
464 "--replay-persist file : Persist replay-protection state across sessions\n"
465 " using file.\n"
466 "--test-crypto : Run a self-test of crypto features enabled.\n"
467 " For debugging only.\n"
468 #ifdef USE_SSL
469 "\n"
470 "TLS Key Negotiation Options:\n"
471 "(These options are meaningful only for TLS-mode)\n"
472 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
473 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
474 "--key-method m : Data channel key exchange method. m should be a method\n"
475 " number, such as 1 (default), 2, etc.\n"
476 "--ca file : Certificate authority file in .pem format containing\n"
477 " root certificate.\n"
478 "--capath dir : A directory of trusted certificates (CAs"
479 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
480 " and CRLs).\n"
481 #else
482 ").\n"
483 " WARNING: no support of CRL available with this version.\n"
484 #endif
485 "--dh file : File containing Diffie Hellman parameters\n"
486 " in .pem format (for --tls-server only).\n"
487 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
488 "--cert file : Local certificate in .pem format -- must be signed\n"
489 " by a Certificate Authority in --ca file.\n"
490 "--key file : Local private key in .pem format.\n"
491 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
492 " and optionally the root CA certificate.\n"
493 #ifdef WIN32
494 "--cryptoapicert select-string : Load the certificate and private key from the\n"
495 " Windows Certificate System Store.\n"
496 #endif
497 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
498 " : Use --show-tls to see a list of supported TLS ciphers.\n"
499 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
500 " if no ACK from remote within n seconds (default=%d).\n"
501 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
502 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
503 "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
504 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
505 " of handshake initiation by any peer (default=%d).\n"
506 "--tran-window n : Transition window -- old key can live this many seconds\n"
507 " after new key renegotiation begins (default=%d).\n"
508 "--single-session: Allow only one session (reset state on restart).\n"
509 "--tls-exit : Exit on TLS negotiation failure.\n"
510 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
511 " control channel to protect against DoS attacks.\n"
512 " f (required) is a shared-secret passphrase file.\n"
513 " The optional d parameter controls key directionality,\n"
514 " see --secret option for more info.\n"
515 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
516 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
517 "--crl-verify crl: Check peer certificate against a CRL.\n"
518 "--tls-verify cmd: Execute shell command cmd to verify the X509 name of a\n"
519 " pending TLS connection that has otherwise passed all other\n"
520 " tests of certification. cmd should return 0 to allow\n"
521 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
522 " executed as 'cmd certificate_depth X509_NAME_oneline')\n"
523 "--tls-remote x509name: Accept connections only from a host with X509 name\n"
524 " x509name. The remote host must also pass all other tests\n"
525 " of verification.\n"
526 "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
527 " nsCertType designation t = 'client' | 'server'.\n"
528 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
529 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
530 " explicit key usage, you can specify more than one value.\n"
531 " value should be given in hex format.\n"
532 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
533 " explicit extended key usage. Extended key usage can be encoded\n"
534 " as an object identifier or OpenSSL string representation.\n"
535 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
536 " key usage and extended key usage based on RFC3280 TLS rules.\n"
537 " t = 'client' | 'server'.\n"
538 #endif /* OPENSSL_VERSION_NUMBER */
539 #endif /* USE_SSL */
540 #ifdef ENABLE_PKCS11
541 "\n"
542 "PKCS#11 Options:\n"
543 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
544 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
545 " path. Set for each provider.\n"
546 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
547 " 0 : Try to determind automatically (default).\n"
548 " 1 : Use Sign.\n"
549 " 2 : Use SignRecover.\n"
550 " 4 : Use Decrypt.\n"
551 " 8 : Use Unwrap.\n"
552 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
553 " certificate can be accessed. Set for each provider.\n"
554 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
555 " cache until token is removed.\n"
556 "--pkcs11-id-management : Acquire identity from management interface.\n"
557 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
558 #endif /* ENABLE_PKCS11 */
559 "\n"
560 "SSL Library information:\n"
561 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
562 "--show-digests : Show message digest algorithms to use with --auth option.\n"
563 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
564 #ifdef USE_SSL
565 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
566 #endif
567 #ifdef WIN32
568 "\n"
569 "Windows Specific:\n"
570 "--win-sys path|'env' : Pathname of Windows system directory, C:\\WINDOWS by default.\n"
571 " If specified as 'env', read the pathname from SystemRoot env var.\n"
572 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Win32 adapter\n"
573 " IP address using method = manual, netsh, ipapi,\n"
574 " dynamic, or adaptive (default = adaptive).\n"
575 " Dynamic method allows two optional parameters:\n"
576 " offset: DHCP server address offset (> -256 and < 256).\n"
577 " If 0, use network address, if >0, take nth\n"
578 " address forward from network address, if <0,\n"
579 " take nth address backward from broadcast\n"
580 " address.\n"
581 " Default is 0.\n"
582 " lease-time: Lease time in seconds.\n"
583 " Default is one year.\n"
584 "--route-method : Which method to use for adding routes on Windows?\n"
585 " adaptive (default) -- Try ipapi then fall back to exe.\n"
586 " ipapi -- Use IP helper API.\n"
587 " exe -- Call the route.exe shell command.\n"
588 "--dhcp-option type [parm] : Set extended TAP-Win32 properties, must\n"
589 " be used with --ip-win32 dynamic. For options\n"
590 " which allow multiple addresses,\n"
591 " --dhcp-option must be repeated.\n"
592 " DOMAIN name : Set DNS suffix\n"
593 " DNS addr : Set domain name server address(es)\n"
594 " NTP : Set NTP server address(es)\n"
595 " NBDD : Set NBDD server address(es)\n"
596 " WINS addr : Set WINS server address(es)\n"
597 " NBT type : Set NetBIOS over TCP/IP Node type\n"
598 " 1: B, 2: P, 4: M, 8: H\n"
599 " NBS id : Set NetBIOS scope ID\n"
600 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
601 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
602 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
603 " startup.\n"
604 "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n"
605 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
606 " attempting to set adapter properties.\n"
607 "--pause-exit : When run from a console window, pause before exiting.\n"
608 "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
609 " service, and should not be used directly by end-users.\n"
610 " ex is the name of an event object which, when\n"
611 " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
612 " optional parameter controls the initial state of ex.\n"
613 "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
614 " after TAP adapter is up and routes have been added.\n"
615 "Windows Standalone Options:\n"
616 "\n"
617 "--show-adapters : Show all TAP-Win32 adapters.\n"
618 "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
619 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
620 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
621 " to access TAP adapter.\n"
622 #endif
623 "\n"
624 "Generate a random key (only for non-TLS static key encryption mode):\n"
625 "--genkey : Generate a random key to be used as a shared secret,\n"
626 " for use with the --secret option.\n"
627 "--secret file : Write key to file.\n"
628 #endif /* USE_CRYPTO */
629 #ifdef TUNSETPERSIST
630 "\n"
631 "Tun/tap config mode (available with linux 2.4+):\n"
632 "--mktun : Create a persistent tunnel.\n"
633 "--rmtun : Remove a persistent tunnel.\n"
634 "--dev tunX|tapX : tun/tap device\n"
635 "--dev-type dt : Device type. See tunnel options above for details.\n"
636 "--user user : User to set privilege to.\n"
637 "--group group : Group to set privilege to.\n"
638 #endif
639 #ifdef ENABLE_PKCS11
640 "\n"
641 "PKCS#11 standalone options:\n"
642 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
643 " --verb option can be added *BEFORE* this.\n"
644 #endif /* ENABLE_PKCS11 */
645 ;
646
647 #endif /* !ENABLE_SMALL */
648
649 /*
650 * This is where the options defaults go.
651 * Any option not explicitly set here
652 * will be set to 0.
653 */
654 void
655 init_options (struct options *o, const bool init_gc)
656 {
657 CLEAR (*o);
658 if (init_gc)
659 {
660 gc_init (&o->gc);
661 o->gc_owned = true;
662 }
663 o->mode = MODE_POINT_TO_POINT;
664 o->topology = TOP_NET30;
665 o->ce.proto = PROTO_UDPv4;
666 o->ce.connect_retry_seconds = 5;
667 o->ce.connect_timeout = 10;
668 o->ce.connect_retry_max = 0;
669 o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
670 o->verbosity = 1;
671 o->status_file_update_freq = 60;
672 o->status_file_version = 1;
673 o->ce.bind_local = true;
674 o->tun_mtu = TUN_MTU_DEFAULT;
675 o->link_mtu = LINK_MTU_DEFAULT;
676 o->mtu_discover_type = -1;
677 o->mssfix = MSSFIX_DEFAULT;
678 o->route_delay_window = 30;
679 o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
680 #ifdef ENABLE_OCC
681 o->occ = true;
682 #endif
683 #ifdef ENABLE_MANAGEMENT
684 o->management_log_history_cache = 250;
685 o->management_echo_buffer_size = 100;
686 o->management_state_buffer_size = 100;
687 #endif
688 #ifdef TUNSETPERSIST
689 o->persist_mode = 1;
690 #endif
691 #ifndef WIN32
692 o->rcvbuf = 65536;
693 o->sndbuf = 65536;
694 #endif
695 #ifdef TARGET_LINUX
696 o->tuntap_options.txqueuelen = 100;
697 #endif
698 #ifdef WIN32
699 #if 0
700 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
701 #else
702 o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
703 #endif
704 o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
705 o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
706 o->route_method = ROUTE_METHOD_ADAPTIVE;
707 #endif
708 #ifdef USE_PTHREAD
709 o->n_threads = 1;
710 #endif
711 #if P2MP_SERVER
712 o->real_hash_size = 256;
713 o->virtual_hash_size = 256;
714 o->n_bcast_buf = 256;
715 o->tcp_queue_limit = 64;
716 o->max_clients = 1024;
717 o->max_routes_per_client = 256;
718 o->ifconfig_pool_persist_refresh_freq = 600;
719 #endif
720 #if P2MP
721 o->scheduled_exit_interval = 5;
722 #endif
723 #ifdef USE_CRYPTO
724 o->ciphername = "BF-CBC";
725 o->ciphername_defined = true;
726 o->authname = "SHA1";
727 o->authname_defined = true;
728 o->prng_hash = "SHA1";
729 o->prng_nonce_secret_len = 16;
730 o->replay = true;
731 o->replay_window = DEFAULT_SEQ_BACKTRACK;
732 o->replay_time = DEFAULT_TIME_BACKTRACK;
733 o->use_iv = true;
734 o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
735 #ifdef USE_SSL
736 o->key_method = 2;
737 o->tls_timeout = 2;
738 o->renegotiate_seconds = 3600;
739 o->handshake_window = 60;
740 o->transition_window = 3600;
741 #endif
742 #endif
743 #ifdef ENABLE_PKCS11
744 o->pkcs11_pin_cache_period = -1;
745 #endif /* ENABLE_PKCS11 */
746 }
747
748 void
749 uninit_options (struct options *o)
750 {
751 if (o->gc_owned)
752 gc_free (&o->gc);
753 }
754
755 #ifdef ENABLE_DEBUG
756
757 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
758 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
759 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
760 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
761 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
762 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
763
764 #endif
765
766 void
767 setenv_connection_entry (struct env_set *es,
768 const struct connection_entry *e,
769 const int i)
770 {
771 setenv_str_i (es, "proto", proto2ascii (e->proto, false), i);
772 setenv_str_i (es, "local", e->local, i);
773 setenv_int_i (es, "local_port", e->local_port, i);
774 setenv_str_i (es, "remote", e->remote, i);
775 setenv_int_i (es, "remote_port", e->remote_port, i);
776
777 #ifdef ENABLE_HTTP_PROXY
778 if (e->http_proxy_options)
779 {
780 setenv_str_i (es, "http_proxy_server", e->http_proxy_options->server, i);
781 setenv_int_i (es, "http_proxy_port", e->http_proxy_options->port, i);
782 }
783 #endif
784 #ifdef ENABLE_SOCKS
785 if (e->socks_proxy_server)
786 {
787 setenv_str_i (es, "socks_proxy_server", e->socks_proxy_server, i);
788 setenv_int_i (es, "socks_proxy_port", e->socks_proxy_port, i);
789 }
790 #endif
791 }
792
793 void
794 setenv_settings (struct env_set *es, const struct options *o)
795 {
796 setenv_str (es, "config", o->config);
797 setenv_int (es, "verb", o->verbosity);
798 setenv_int (es, "daemon", o->daemon);
799 setenv_int (es, "daemon_log_redirect", o->log);
800 setenv_unsigned (es, "daemon_start_time", time(NULL));
801 setenv_int (es, "daemon_pid", openvpn_getpid());
802
803 #ifdef ENABLE_CONNECTION
804 if (o->connection_list)
805 {
806 int i;
807 for (i = 0; i < o->connection_list->len; ++i)
808 setenv_connection_entry (es, o->connection_list->array[i], i+1);
809 }
810 else
811 #endif
812 setenv_connection_entry (es, &o->ce, 1);
813 }
814
815 static in_addr_t
816 get_ip_addr (const char *ip_string, int msglevel, bool *error)
817 {
818 unsigned int flags = GETADDR_HOST_ORDER;
819 bool succeeded = false;
820 in_addr_t ret;
821
822 if (msglevel & M_FATAL)
823 flags |= GETADDR_FATAL;
824
825 ret = getaddr (flags, ip_string, 0, &succeeded, NULL);
826 if (!succeeded && error)
827 *error = true;
828 return ret;
829 }
830
831 static char *
832 string_substitute (const char *src, int from, int to, struct gc_arena *gc)
833 {
834 char *ret = (char *) gc_malloc (strlen (src) + 1, true, gc);
835 char *dest = ret;
836 char c;
837
838 do
839 {
840 c = *src++;
841 if (c == from)
842 c = to;
843 *dest++ = c;
844 }
845 while (c);
846 return ret;
847 }
848
849 bool
850 is_persist_option (const struct options *o)
851 {
852 return o->persist_tun
853 || o->persist_key
854 || o->persist_local_ip
855 || o->persist_remote_ip
856 #ifdef USE_PTHREAD
857 || o->n_threads >= 2
858 #endif
859 ;
860 }
861
862 bool
863 is_stateful_restart (const struct options *o)
864 {
865 return is_persist_option (o) || connection_list_defined (o);
866 }
867
868 #ifdef WIN32
869
870 #ifdef ENABLE_DEBUG
871
872 static void
873 show_dhcp_option_addrs (const char *name, const in_addr_t *array, int len)
874 {
875 struct gc_arena gc = gc_new ();
876 int i;
877 for (i = 0; i < len; ++i)
878 {
879 msg (D_SHOW_PARMS, " %s[%d] = %s",
880 name,
881 i,
882 print_in_addr_t (array[i], 0, &gc));
883 }
884 gc_free (&gc);
885 }
886
887 static void
888 show_tuntap_options (const struct tuntap_options *o)
889 {
890 SHOW_BOOL (ip_win32_defined);
891 SHOW_INT (ip_win32_type);
892 SHOW_INT (dhcp_masq_offset);
893 SHOW_INT (dhcp_lease_time);
894 SHOW_INT (tap_sleep);
895 SHOW_BOOL (dhcp_options);
896 SHOW_BOOL (dhcp_renew);
897 SHOW_BOOL (dhcp_pre_release);
898 SHOW_BOOL (dhcp_release);
899 SHOW_STR (domain);
900 SHOW_STR (netbios_scope);
901 SHOW_INT (netbios_node_type);
902 SHOW_BOOL (disable_nbt);
903
904 show_dhcp_option_addrs ("DNS", o->dns, o->dns_len);
905 show_dhcp_option_addrs ("WINS", o->wins, o->wins_len);
906 show_dhcp_option_addrs ("NTP", o->ntp, o->ntp_len);
907 show_dhcp_option_addrs ("NBDD", o->nbdd, o->nbdd_len);
908 }
909
910 #endif
911
912 static void
913 dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
914 {
915 if (*len >= N_DHCP_ADDR)
916 {
917 msg (msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
918 name,
919 N_DHCP_ADDR,
920 name);
921 }
922 else
923 {
924 if (ip_addr_dotted_quad_safe (parm)) /* FQDN -- IP address only */
925 {
926 bool error = false;
927 const in_addr_t addr = get_ip_addr (parm, msglevel, &error);
928 if (!error)
929 array[(*len)++] = addr;
930 }
931 else
932 {
933 msg (msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
934 }
935 }
936 }
937
938 #endif
939
940 #if P2MP
941
942 #ifdef ENABLE_DEBUG
943
944 static void
945 show_p2mp_parms (const struct options *o)
946 {
947 struct gc_arena gc = gc_new ();
948
949 #if P2MP_SERVER
950 msg (D_SHOW_PARMS, " server_network = %s", print_in_addr_t (o->server_network, 0, &gc));
951 msg (D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t (o->server_netmask, 0, &gc));
952 msg (D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t (o->server_bridge_ip, 0, &gc));
953 msg (D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t (o->server_bridge_netmask, 0, &gc));
954 msg (D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t (o->server_bridge_pool_start, 0, &gc));
955 msg (D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t (o->server_bridge_pool_end, 0, &gc));
956 if (o->push_list)
957 {
958 const struct push_list *l = o->push_list;
959 const char *printable_push_list = l->options;
960 msg (D_SHOW_PARMS, " push_list = '%s'", printable_push_list);
961 }
962 SHOW_BOOL (ifconfig_pool_defined);
963 msg (D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t (o->ifconfig_pool_start, 0, &gc));
964 msg (D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t (o->ifconfig_pool_end, 0, &gc));
965 msg (D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t (o->ifconfig_pool_netmask, 0, &gc));
966 SHOW_STR (ifconfig_pool_persist_filename);
967 SHOW_INT (ifconfig_pool_persist_refresh_freq);
968 SHOW_INT (n_bcast_buf);
969 SHOW_INT (tcp_queue_limit);
970 SHOW_INT (real_hash_size);
971 SHOW_INT (virtual_hash_size);
972 SHOW_STR (client_connect_script);
973 SHOW_STR (learn_address_script);
974 SHOW_STR (client_disconnect_script);
975 SHOW_STR (client_config_dir);
976 SHOW_BOOL (ccd_exclusive);
977 SHOW_STR (tmp_dir);
978 SHOW_BOOL (push_ifconfig_defined);
979 msg (D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t (o->push_ifconfig_local, 0, &gc));
980 msg (D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t (o->push_ifconfig_remote_netmask, 0, &gc));
981 SHOW_BOOL (enable_c2c);
982 SHOW_BOOL (duplicate_cn);
983 SHOW_INT (cf_max);
984 SHOW_INT (cf_per);
985 SHOW_INT (max_clients);
986 SHOW_INT (max_routes_per_client);
987 SHOW_STR (auth_user_pass_verify_script);
988 SHOW_BOOL (auth_user_pass_verify_script_via_file);
989 SHOW_INT (ssl_flags);
990 #if PORT_SHARE
991 SHOW_STR (port_share_host);
992 SHOW_INT (port_share_port);
993 #endif
994 #endif /* P2MP_SERVER */
995
996 SHOW_BOOL (client);
997 SHOW_BOOL (pull);
998 SHOW_STR (auth_user_pass_file);
999
1000 gc_free (&gc);
1001 }
1002
1003 #endif /* ENABLE_DEBUG */
1004
1005 #if P2MP_SERVER
1006
1007 static void
1008 option_iroute (struct options *o,
1009 const char *network_str,
1010 const char *netmask_str,
1011 int msglevel)
1012 {
1013 struct iroute *ir;
1014
1015 ALLOC_OBJ_GC (ir, struct iroute, &o->gc);
1016 ir->network = getaddr (GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1017 ir->netbits = -1;
1018
1019 if (netmask_str)
1020 {
1021 const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1022 if (!netmask_to_netbits (ir->network, netmask, &ir->netbits))
1023 {
1024 msg (msglevel, "in --iroute %s %s : Bad network/subnet specification",
1025 network_str,
1026 netmask_str);
1027 return;
1028 }
1029 }
1030
1031 ir->next = o->iroutes;
1032 o->iroutes = ir;
1033 }
1034
1035 #endif /* P2MP_SERVER */
1036 #endif /* P2MP */
1037
1038 #if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_DEBUG)
1039 static void
1040 show_http_proxy_options (const struct http_proxy_options *o)
1041 {
1042 msg (D_SHOW_PARMS, "BEGIN http_proxy");
1043 SHOW_STR (server);
1044 SHOW_INT (port);
1045 SHOW_STR (auth_method_string);
1046 SHOW_STR (auth_file);
1047 SHOW_BOOL (retry);
1048 SHOW_INT (timeout);
1049 SHOW_STR (http_version);
1050 SHOW_STR (user_agent);
1051 msg (D_SHOW_PARMS, "END http_proxy");
1052 }
1053 #endif
1054
1055 void
1056 options_detach (struct options *o)
1057 {
1058 gc_detach (&o->gc);
1059 o->routes = NULL;
1060 #if P2MP_SERVER
1061 if (o->push_list) /* clone push_list */
1062 {
1063 const struct push_list *old = o->push_list;
1064 ALLOC_OBJ_GC (o->push_list, struct push_list, &o->gc);
1065 strcpy (o->push_list->options, old->options);
1066 }
1067 #endif
1068 }
1069
1070 void
1071 rol_check_alloc (struct options *options)
1072 {
1073 if (!options->routes)
1074 options->routes = new_route_option_list (&options->gc);
1075 }
1076
1077 #ifdef ENABLE_DEBUG
1078 static void
1079 show_connection_entry (const struct connection_entry *o)
1080 {
1081 msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, false));
1082 SHOW_STR (local);
1083 SHOW_INT (local_port);
1084 SHOW_STR (remote);
1085 SHOW_INT (remote_port);
1086 SHOW_BOOL (remote_float);
1087 SHOW_BOOL (bind_defined);
1088 SHOW_BOOL (bind_local);
1089 SHOW_INT (connect_retry_seconds);
1090 SHOW_INT (connect_timeout);
1091 SHOW_INT (connect_retry_max);
1092
1093 #ifdef ENABLE_HTTP_PROXY
1094 if (o->http_proxy_options)
1095 show_http_proxy_options (o->http_proxy_options);
1096 #endif
1097 #ifdef ENABLE_SOCKS
1098 SHOW_STR (socks_proxy_server);
1099 SHOW_INT (socks_proxy_port);
1100 SHOW_BOOL (socks_proxy_retry);
1101 #endif
1102 }
1103
1104 static void
1105 show_connection_entries (const struct options *o)
1106 {
1107 msg (D_SHOW_PARMS, "Connection profiles [default]:");
1108 show_connection_entry (&o->ce);
1109 #ifdef ENABLE_CONNECTION
1110 if (o->connection_list)
1111 {
1112 const struct connection_list *l = o->connection_list;
1113 int i;
1114 for (i = 0; i < l->len; ++i)
1115 {
1116 msg (D_SHOW_PARMS, "Connection profiles [%d]:", i);
1117 show_connection_entry (l->array[i]);
1118 }
1119 }
1120 #endif
1121 msg (D_SHOW_PARMS, "Connection profiles END");
1122 }
1123
1124 #endif
1125
1126 void
1127 show_settings (const struct options *o)
1128 {
1129 #ifdef ENABLE_DEBUG
1130 msg (D_SHOW_PARMS, "Current Parameter Settings:");
1131
1132 SHOW_STR (config);
1133
1134 SHOW_INT (mode);
1135
1136 #ifdef TUNSETPERSIST
1137 SHOW_BOOL (persist_config);
1138 SHOW_INT (persist_mode);
1139 #endif
1140
1141 #ifdef USE_CRYPTO
1142 SHOW_BOOL (show_ciphers);
1143 SHOW_BOOL (show_digests);
1144 SHOW_BOOL (show_engines);
1145 SHOW_BOOL (genkey);
1146 #ifdef USE_SSL
1147 SHOW_STR (key_pass_file);
1148 SHOW_BOOL (show_tls_ciphers);
1149 #endif
1150 #endif
1151
1152 show_connection_entries (o);
1153
1154 SHOW_BOOL (remote_random);
1155
1156 SHOW_STR (ipchange);
1157 SHOW_STR (dev);
1158 SHOW_STR (dev_type);
1159 SHOW_STR (dev_node);
1160 SHOW_STR (lladdr);
1161 SHOW_INT (topology);
1162 SHOW_BOOL (tun_ipv6);
1163 SHOW_STR (ifconfig_local);
1164 SHOW_STR (ifconfig_remote_netmask);
1165 SHOW_BOOL (ifconfig_noexec);
1166 SHOW_BOOL (ifconfig_nowarn);
1167
1168 #ifdef HAVE_GETTIMEOFDAY
1169 SHOW_INT (shaper);
1170 #endif
1171 SHOW_INT (tun_mtu);
1172 SHOW_BOOL (tun_mtu_defined);
1173 SHOW_INT (link_mtu);
1174 SHOW_BOOL (link_mtu_defined);
1175 SHOW_INT (tun_mtu_extra);
1176 SHOW_BOOL (tun_mtu_extra_defined);
1177
1178 #ifdef ENABLE_FRAGMENT
1179 SHOW_INT (fragment);
1180 #endif
1181
1182 SHOW_INT (mtu_discover_type);
1183
1184 #ifdef ENABLE_OCC
1185 SHOW_INT (mtu_test);
1186 #endif
1187
1188 SHOW_BOOL (mlock);
1189
1190 SHOW_INT (keepalive_ping);
1191 SHOW_INT (keepalive_timeout);
1192 SHOW_INT (inactivity_timeout);
1193 SHOW_INT (ping_send_timeout);
1194 SHOW_INT (ping_rec_timeout);
1195 SHOW_INT (ping_rec_timeout_action);
1196 SHOW_BOOL (ping_timer_remote);
1197 SHOW_INT (remap_sigusr1);
1198 #ifdef ENABLE_OCC
1199 SHOW_INT (explicit_exit_notification);
1200 #endif
1201 SHOW_BOOL (persist_tun);
1202 SHOW_BOOL (persist_local_ip);
1203 SHOW_BOOL (persist_remote_ip);
1204 SHOW_BOOL (persist_key);
1205
1206 SHOW_INT (mssfix);
1207
1208 #if PASSTOS_CAPABILITY
1209 SHOW_BOOL (passtos);
1210 #endif
1211
1212 SHOW_INT (resolve_retry_seconds);
1213
1214 SHOW_STR (username);
1215 SHOW_STR (groupname);
1216 SHOW_STR (chroot_dir);
1217 SHOW_STR (cd_dir);
1218 SHOW_STR (writepid);
1219 SHOW_STR (up_script);
1220 SHOW_STR (down_script);
1221 SHOW_BOOL (down_pre);
1222 SHOW_BOOL (up_restart);
1223 SHOW_BOOL (up_delay);
1224 SHOW_BOOL (daemon);
1225 SHOW_INT (inetd);
1226 SHOW_BOOL (log);
1227 SHOW_BOOL (suppress_timestamps);
1228 SHOW_INT (nice);
1229 SHOW_INT (verbosity);
1230 SHOW_INT (mute);
1231 #ifdef ENABLE_DEBUG
1232 SHOW_INT (gremlin);
1233 #endif
1234 SHOW_STR (status_file);
1235 SHOW_INT (status_file_version);
1236 SHOW_INT (status_file_update_freq);
1237
1238 #ifdef ENABLE_OCC
1239 SHOW_BOOL (occ);
1240 #endif
1241 SHOW_INT (rcvbuf);
1242 SHOW_INT (sndbuf);
1243 SHOW_INT (sockflags);
1244
1245 SHOW_BOOL (fast_io);
1246
1247 #ifdef USE_LZO
1248 SHOW_INT (lzo);
1249 #endif
1250
1251 SHOW_STR (route_script);
1252 SHOW_STR (route_default_gateway);
1253 SHOW_INT (route_default_metric);
1254 SHOW_BOOL (route_noexec);
1255 SHOW_INT (route_delay);
1256 SHOW_INT (route_delay_window);
1257 SHOW_BOOL (route_delay_defined);
1258 SHOW_BOOL (route_nopull);
1259 SHOW_BOOL (route_gateway_via_dhcp);
1260 SHOW_BOOL (allow_pull_fqdn);
1261 if (o->routes)
1262 print_route_options (o->routes, D_SHOW_PARMS);
1263
1264 #ifdef ENABLE_MANAGEMENT
1265 SHOW_STR (management_addr);
1266 SHOW_INT (management_port);
1267 SHOW_STR (management_user_pass);
1268 SHOW_INT (management_log_history_cache);
1269 SHOW_INT (management_echo_buffer_size);
1270 SHOW_STR (management_write_peer_info_file);
1271 SHOW_STR (management_client_user);
1272 SHOW_STR (management_client_group);
1273 SHOW_INT (management_flags);
1274 #endif
1275 #ifdef ENABLE_PLUGIN
1276 if (o->plugin_list)
1277 plugin_option_list_print (o->plugin_list, D_SHOW_PARMS);
1278 #endif
1279
1280 #ifdef USE_CRYPTO
1281 SHOW_STR (shared_secret_file);
1282 SHOW_INT (key_direction);
1283 SHOW_BOOL (ciphername_defined);
1284 SHOW_STR (ciphername);
1285 SHOW_BOOL (authname_defined);
1286 SHOW_STR (authname);
1287 SHOW_STR (prng_hash);
1288 SHOW_INT (prng_nonce_secret_len);
1289 SHOW_INT (keysize);
1290 SHOW_BOOL (engine);
1291 SHOW_BOOL (replay);
1292 SHOW_BOOL (mute_replay_warnings);
1293 SHOW_INT (replay_window);
1294 SHOW_INT (replay_time);
1295 SHOW_STR (packet_id_file);
1296 SHOW_BOOL (use_iv);
1297 SHOW_BOOL (test_crypto);
1298
1299 #ifdef USE_SSL
1300 SHOW_BOOL (tls_server);
1301 SHOW_BOOL (tls_client);
1302 SHOW_INT (key_method);
1303 SHOW_STR (ca_file);
1304 SHOW_STR (ca_path);
1305 SHOW_STR (dh_file);
1306 SHOW_STR (cert_file);
1307 SHOW_STR (priv_key_file);
1308 SHOW_STR (pkcs12_file);
1309 #ifdef WIN32
1310 SHOW_STR (cryptoapi_cert);
1311 #endif
1312 SHOW_STR (cipher_list);
1313 SHOW_STR (tls_verify);
1314 SHOW_STR (tls_remote);
1315 SHOW_STR (crl_file);
1316 SHOW_INT (ns_cert_type);
1317 {
1318 int i;
1319 for (i=0;i<MAX_PARMS;i++)
1320 SHOW_INT (remote_cert_ku[i]);
1321 }
1322 SHOW_STR (remote_cert_eku);
1323
1324 SHOW_INT (tls_timeout);
1325
1326 SHOW_INT (renegotiate_bytes);
1327 SHOW_INT (renegotiate_packets);
1328 SHOW_INT (renegotiate_seconds);
1329
1330 SHOW_INT (handshake_window);
1331 SHOW_INT (transition_window);
1332
1333 SHOW_BOOL (single_session);
1334 SHOW_BOOL (tls_exit);
1335
1336 SHOW_STR (tls_auth_file);
1337 #endif
1338 #endif
1339
1340 #ifdef ENABLE_PKCS11
1341 {
1342 int i;
1343 for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++)
1344 SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s");
1345 }
1346 {
1347 int i;
1348 for (i=0;i<MAX_PARMS;i++)
1349 SHOW_PARM (pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1350 }
1351 {
1352 int i;
1353 for (i=0;i<MAX_PARMS;i++)
1354 SHOW_PARM (pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1355 }
1356 {
1357 int i;
1358 for (i=0;i<MAX_PARMS;i++)
1359 SHOW_PARM (pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1360 }
1361 SHOW_INT (pkcs11_pin_cache_period);
1362 SHOW_STR (pkcs11_id);
1363 SHOW_BOOL (pkcs11_id_management);
1364 #endif /* ENABLE_PKCS11 */
1365
1366 #if P2MP
1367 show_p2mp_parms (o);
1368 #endif
1369
1370 #ifdef WIN32
1371 SHOW_BOOL (show_net_up);
1372 SHOW_INT (route_method);
1373 show_tuntap_options (&o->tuntap_options);
1374 #endif
1375 #endif
1376 }
1377
1378 #undef SHOW_PARM
1379 #undef SHOW_STR
1380 #undef SHOW_INT
1381 #undef SHOW_BOOL
1382
1383 #ifdef ENABLE_HTTP_PROXY
1384
1385 struct http_proxy_options *
1386 init_http_options_if_undefined (struct options *o)
1387 {
1388 if (!o->ce.http_proxy_options)
1389 {
1390 ALLOC_OBJ_CLEAR_GC (o->ce.http_proxy_options, struct http_proxy_options, &o->gc);
1391 /* http proxy defaults */
1392 o->ce.http_proxy_options->timeout = 5;
1393 o->ce.http_proxy_options->http_version = "1.0";
1394 }
1395 return o->ce.http_proxy_options;
1396 }
1397
1398 #endif
1399
1400 #if ENABLE_CONNECTION
1401
1402 static struct connection_list *
1403 alloc_connection_list_if_undef (struct options *options)
1404 {
1405 if (!options->connection_list)
1406 ALLOC_OBJ_CLEAR_GC (options->connection_list, struct connection_list, &options->gc);
1407 return options->connection_list;
1408 }
1409
1410 static struct connection_entry *
1411 alloc_connection_entry (struct options *options, const int msglevel)
1412 {
1413 struct connection_list *l = alloc_connection_list_if_undef (options);
1414 struct connection_entry *e;
1415
1416 if (l->len >= CONNECTION_LIST_SIZE)
1417 {
1418 msg (msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
1419 return NULL;
1420 }
1421 ALLOC_OBJ_GC (e, struct connection_entry, &options->gc);
1422 l->array[l->len++] = e;
1423 return e;
1424 }
1425
1426 static struct remote_list *
1427 alloc_remote_list_if_undef (struct options *options)
1428 {
1429 if (!options->remote_list)
1430 ALLOC_OBJ_CLEAR_GC (options->remote_list, struct remote_list, &options->gc);
1431 return options->remote_list;
1432 }
1433
1434 static struct remote_entry *
1435 alloc_remote_entry (struct options *options, const int msglevel)
1436 {
1437 struct remote_list *l = alloc_remote_list_if_undef (options);
1438 struct remote_entry *e;
1439
1440 if (l->len >= CONNECTION_LIST_SIZE)
1441 {
1442 msg (msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
1443 return NULL;
1444 }
1445 ALLOC_OBJ_GC (e, struct remote_entry, &options->gc);
1446 l->array[l->len++] = e;
1447 return e;
1448 }
1449
1450 #endif
1451
1452 void
1453 connection_entry_load_re (struct connection_entry *ce, const struct remote_entry *re)
1454 {
1455 if (re->remote)
1456 ce->remote = re->remote;
1457 if (re->remote_port >= 0)
1458 ce->remote_port = re->remote_port;
1459 if (re->proto >= 0)
1460 ce->proto = re->proto;
1461 }
1462
1463 static void
1464 options_postprocess_verify_ce (const struct options *options, const struct connection_entry *ce)
1465 {
1466 struct options defaults;
1467 int dev = DEV_TYPE_UNDEF;
1468 bool pull = false;
1469
1470 init_options (&defaults, true);
1471
1472 #ifdef USE_CRYPTO
1473 if (options->test_crypto)
1474 {
1475 notnull (options->shared_secret_file, "key file (--secret)");
1476 }
1477 else
1478 #endif
1479 notnull (options->dev, "TUN/TAP device (--dev)");
1480
1481 /*
1482 * Get tun/tap/null device type
1483 */
1484 dev = dev_type_enum (options->dev, options->dev_type);
1485
1486 /*
1487 * If "proto tcp" is specified, make sure we know whether it is
1488 * tcp-client or tcp-server.
1489 */
1490 if (ce->proto == PROTO_TCPv4)
1491 msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
1492
1493 /*
1494 * Sanity check on daemon/inetd modes
1495 */
1496
1497 if (options->daemon && options->inetd)
1498 msg (M_USAGE, "only one of --daemon or --inetd may be specified");
1499
1500 if (options->inetd && (ce->local || ce->remote))
1501 msg (M_USAGE, "--local or --remote cannot be used with --inetd");
1502
1503 if (options->inetd && ce->proto == PROTO_TCPv4_CLIENT)
1504 msg (M_USAGE, "--proto tcp-client cannot be used with --inetd");
1505
1506 if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCPv4_SERVER)
1507 msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
1508
1509 if (options->inetd == INETD_NOWAIT
1510 #if defined(USE_CRYPTO) && defined(USE_SSL)
1511 && !(options->tls_server || options->tls_client)
1512 #endif
1513 )
1514 msg (M_USAGE, "--inetd nowait can only be used in TLS mode");
1515
1516 if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
1517 msg (M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
1518
1519
1520 if (options->lladdr && dev != DEV_TYPE_TAP)
1521 msg (M_USAGE, "--lladdr can only be used in --dev tap mode");
1522
1523 /*
1524 * Sanity check on TCP mode options
1525 */
1526
1527 if (ce->connect_retry_defined && ce->proto != PROTO_TCPv4_CLIENT)
1528 msg (M_USAGE, "--connect-retry doesn't make sense unless also used with --proto tcp-client");
1529
1530 if (ce->connect_timeout_defined && ce->proto != PROTO_TCPv4_CLIENT)
1531 msg (M_USAGE, "--connect-timeout doesn't make sense unless also used with --proto tcp-client");
1532
1533 /*
1534 * Sanity check on MTU parameters
1535 */
1536 if (options->tun_mtu_defined && options->link_mtu_defined)
1537 msg (M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
1538
1539 #ifdef ENABLE_OCC
1540 if (ce->proto != PROTO_UDPv4 && options->mtu_test)
1541 msg (M_USAGE, "--mtu-test only makes sense with --proto udp");
1542 #endif
1543
1544 /* will we be pulling options from server? */
1545 #if P2MP
1546 pull = options->pull;
1547 #endif
1548
1549 /*
1550 * Sanity check on --local, --remote, and --ifconfig
1551 */
1552
1553 if (string_defined_equal (ce->local, ce->remote)
1554 && ce->local_port == ce->remote_port)
1555 msg (M_USAGE, "--remote and --local addresses are the same");
1556
1557 if (string_defined_equal (ce->remote, options->ifconfig_local)
1558 || string_defined_equal (ce->remote, options->ifconfig_remote_netmask))
1559 msg (M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses");
1560
1561 if (string_defined_equal (ce->local, options->ifconfig_local)
1562 || string_defined_equal (ce->local, options->ifconfig_remote_netmask))
1563 msg (M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
1564
1565 if (string_defined_equal (options->ifconfig_local, options->ifconfig_remote_netmask))
1566 msg (M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
1567
1568 if (ce->bind_defined && !ce->bind_local)
1569 msg (M_USAGE, "--bind and --nobind can't be used together");
1570
1571 if (ce->local && !ce->bind_local)
1572 msg (M_USAGE, "--local and --nobind don't make sense when used together");
1573
1574 if (ce->local_port_defined && !ce->bind_local)
1575 msg (M_USAGE, "--lport and --nobind don't make sense when used together");
1576
1577 if (!ce->remote && !ce->bind_local)
1578 msg (M_USAGE, "--nobind doesn't make sense unless used with --remote");
1579
1580 /*
1581 * Check for consistency of management options
1582 */
1583 #ifdef ENABLE_MANAGEMENT
1584 if (!options->management_addr &&
1585 (options->management_flags
1586 || options->management_write_peer_info_file
1587 || options->management_log_history_cache != defaults.management_log_history_cache))
1588 msg (M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
1589
1590 if ((options->management_client_user || options->management_client_group)
1591 && !(options->management_flags & MF_UNIX_SOCK))
1592 msg (M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
1593 #endif
1594
1595 /*
1596 * Windows-specific options.
1597 */
1598
1599 #ifdef WIN32
1600 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
1601 msg (M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
1602
1603 if ((options->tuntap_options.ip_win32_defined)
1604 && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
1605 msg (M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
1606
1607 if (options->tuntap_options.dhcp_options
1608 && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
1609 && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
1610 msg (M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive");
1611 #endif
1612
1613 /*
1614 * Check that protocol options make sense.
1615 */
1616
1617 #ifdef ENABLE_FRAGMENT
1618 if (ce->proto != PROTO_UDPv4 && options->fragment)
1619 msg (M_USAGE, "--fragment can only be used with --proto udp");
1620 #endif
1621
1622 #ifdef ENABLE_OCC
1623 if (ce->proto != PROTO_UDPv4 && options->explicit_exit_notification)
1624 msg (M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
1625 #endif
1626
1627 if (!ce->remote && ce->proto == PROTO_TCPv4_CLIENT)
1628 msg (M_USAGE, "--remote MUST be used in TCP Client mode");
1629
1630 #ifdef ENABLE_HTTP_PROXY
1631 if ((ce->http_proxy_options || options->auto_proxy_info) && ce->proto != PROTO_TCPv4_CLIENT)
1632 msg (M_USAGE, "--http-proxy or --auto-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
1633 #endif
1634
1635 #if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_SOCKS)
1636 if (ce->http_proxy_options && ce->socks_proxy_server)
1637 msg (M_USAGE, "--http-proxy can not be used together with --socks-proxy");
1638 #endif
1639
1640 #ifdef ENABLE_SOCKS
1641 if (ce->socks_proxy_server && ce->proto == PROTO_TCPv4_SERVER)
1642 msg (M_USAGE, "--socks-proxy can not be used in TCP Server mode");
1643 #endif
1644
1645 if (ce->proto == PROTO_TCPv4_SERVER && connection_list_defined (options))
1646 msg (M_USAGE, "TCP server mode allows at most one --remote address");
1647
1648 #if P2MP_SERVER
1649
1650 /*
1651 * Check consistency of --mode server options.
1652 */
1653 if (options->mode == MODE_SERVER)
1654 {
1655 if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
1656 msg (M_USAGE, "--mode server only works with --dev tun or --dev tap");
1657 if (options->pull)
1658 msg (M_USAGE, "--pull cannot be used with --mode server");
1659 if (!(ce->proto == PROTO_UDPv4 || ce->proto == PROTO_TCPv4_SERVER))
1660 msg (M_USAGE, "--mode server currently only supports --proto udp or --proto tcp-server");
1661 #if PORT_SHARE
1662 if ((options->port_share_host || options->port_share_port) && ce->proto != PROTO_TCPv4_SERVER)
1663 msg (M_USAGE, "--port-share only works in TCP server mode (--proto tcp-server)");
1664 #endif
1665 if (!options->tls_server)
1666 msg (M_USAGE, "--mode server requires --tls-server");
1667 if (ce->remote)
1668 msg (M_USAGE, "--remote cannot be used with --mode server");
1669 if (!ce->bind_local)
1670 msg (M_USAGE, "--nobind cannot be used with --mode server");
1671 #ifdef ENABLE_HTTP_PROXY
1672 if (ce->http_proxy_options)
1673 msg (M_USAGE, "--http-proxy cannot be used with --mode server");
1674 #endif
1675 #ifdef ENABLE_SOCKS
1676 if (ce->socks_proxy_server)
1677 msg (M_USAGE, "--socks-proxy cannot be used with --mode server");
1678 #endif
1679 #ifdef ENABLE_CONNECTION
1680 if (options->connection_list)
1681 msg (M_USAGE, "<connection> cannot be used with --mode server");
1682 #endif
1683 if (options->tun_ipv6)
1684 msg (M_USAGE, "--tun-ipv6 cannot be used with --mode server");
1685 if (options->shaper)
1686 msg (M_USAGE, "--shaper cannot be used with --mode server");
1687 if (options->inetd)
1688 msg (M_USAGE, "--inetd cannot be used with --mode server");
1689 if (options->ipchange)
1690 msg (M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)");
1691 if (!(ce->proto == PROTO_UDPv4 || ce->proto == PROTO_TCPv4_SERVER))
1692 msg (M_USAGE, "--mode server currently only supports --proto udp or --proto tcp-server");
1693 if (ce->proto != PROTO_UDPv4 && (options->cf_max || options->cf_per))
1694 msg (M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
1695 if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
1696 msg (M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
1697 #ifdef ENABLE_OCC
1698 if (options->explicit_exit_notification)
1699 msg (M_USAGE, "--explicit-exit-notify cannot be used with --mode server");
1700 #endif
1701 if (options->routes && (options->routes->flags & RG_ENABLE))
1702 msg (M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
1703 if (options->route_delay_defined)
1704 msg (M_USAGE, "--route-delay cannot be used with --mode server");
1705 if (options->up_delay)
1706 msg (M_USAGE, "--up-delay cannot be used with --mode server");
1707 if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
1708 msg (M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
1709 if (options->auth_user_pass_file)
1710 msg (M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
1711 if (options->ccd_exclusive && !options->client_config_dir)
1712 msg (M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
1713 if (options->key_method != 2)
1714 msg (M_USAGE, "--mode server requires --key-method 2");
1715
1716 {
1717 const bool ccnr = (options->auth_user_pass_verify_script
1718 || PLUGIN_OPTION_LIST (options)
1719 || MAN_CLIENT_AUTH_ENABLED (options));
1720 const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
1721 if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && !ccnr)
1722 msg (M_USAGE, "--client-cert-not-required %s", postfix);
1723 if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
1724 msg (M_USAGE, "--username-as-common-name %s", postfix);
1725 if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
1726 msg (M_USAGE, "--auth-user-pass-optional %s", postfix);
1727 }
1728
1729 if ((options->ssl_flags & SSLF_NO_NAME_REMAPPING) && script_method == SM_SYSTEM)
1730 msg (M_USAGE, "--script-security method='system' cannot be combined with --no-name-remapping");
1731 }
1732 else
1733 {
1734 /*
1735 * When not in server mode, err if parameters are
1736 * specified which require --mode server.
1737 */
1738 if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
1739 msg (M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
1740 if (options->real_hash_size != defaults.real_hash_size
1741 || options->virtual_hash_size != defaults.virtual_hash_size)
1742 msg (M_USAGE, "--hash-size requires --mode server");
1743 if (options->learn_address_script)
1744 msg (M_USAGE, "--learn-address requires --mode server");
1745 if (options->client_connect_script)
1746 msg (M_USAGE, "--client-connect requires --mode server");
1747 if (options->client_disconnect_script)
1748 msg (M_USAGE, "--client-disconnect requires --mode server");
1749 if (options->tmp_dir)
1750 msg (M_USAGE, "--tmp-dir requires --mode server");
1751 if (options->client_config_dir || options->ccd_exclusive)
1752 msg (M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
1753 if (options->enable_c2c)
1754 msg (M_USAGE, "--client-to-client requires --mode server");
1755 if (options->duplicate_cn)
1756 msg (M_USAGE, "--duplicate-cn requires --mode server");
1757 if (options->cf_max || options->cf_per)
1758 msg (M_USAGE, "--connect-freq requires --mode server");
1759 if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
1760 msg (M_USAGE, "--client-cert-not-required requires --mode server");
1761 if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
1762 msg (M_USAGE, "--username-as-common-name requires --mode server");
1763 if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
1764 msg (M_USAGE, "--auth-user-pass-optional requires --mode server");
1765 if (options->ssl_flags & SSLF_NO_NAME_REMAPPING)
1766 msg (M_USAGE, "--no-name-remapping requires --mode server");
1767 if (options->ssl_flags & SSLF_OPT_VERIFY)
1768 msg (M_USAGE, "--opt-verify requires --mode server");
1769 if (options->server_flags & SF_TCP_NODELAY_HELPER)
1770 msg (M_USAGE, "--tcp-nodelay requires --mode server");
1771 if (options->auth_user_pass_verify_script)
1772 msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
1773 #if PORT_SHARE
1774 if (options->port_share_host || options->port_share_port)
1775 msg (M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
1776 #endif
1777
1778 }
1779 #endif /* P2MP_SERVER */
1780
1781 #ifdef USE_CRYPTO
1782
1783 /*
1784 * Check consistency of replay options
1785 */
1786 if ((ce->proto != PROTO_UDPv4)
1787 && (options->replay_window != defaults.replay_window
1788 || options->replay_time != defaults.replay_time))
1789 msg (M_USAGE, "--replay-window only makes sense with --proto udp");
1790
1791 if (!options->replay
1792 && (options->replay_window != defaults.replay_window
1793 || options->replay_time != defaults.replay_time))
1794 msg (M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
1795
1796 /*
1797 * SSL/TLS mode sanity checks.
1798 */
1799
1800 #ifdef USE_SSL
1801 if (options->tls_server + options->tls_client +
1802 (options->shared_secret_file != NULL) > 1)
1803 msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
1804
1805 if (options->tls_server)
1806 {
1807 notnull (options->dh_file, "DH file (--dh)");
1808 }
1809 if (options->tls_server || options->tls_client)
1810 {
1811 #ifdef ENABLE_PKCS11
1812 if (options->pkcs11_providers[0])
1813 {
1814 notnull (options->ca_file, "CA file (--ca)");
1815
1816 if (options->pkcs11_id_management && options->pkcs11_id != NULL)
1817 msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
1818 if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
1819 msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
1820 if (options->cert_file)
1821 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
1822 if (options->priv_key_file)
1823 msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
1824 if (options->pkcs12_file)
1825 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
1826 #ifdef WIN32
1827 if (options->cryptoapi_cert)
1828 msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
1829 #endif
1830 }
1831 else
1832 #endif
1833 #ifdef WIN32
1834 if (options->cryptoapi_cert)
1835 {
1836 if ((!(options->ca_file)) && (!(options->ca_path)))
1837 msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
1838 if (options->cert_file)
1839 msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
1840 if (options->priv_key_file)
1841 msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
1842 if (options->pkcs12_file)
1843 msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
1844 }
1845 else
1846 #endif
1847 if (options->pkcs12_file)
1848 {
1849 if (options->ca_path)
1850 msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
1851 if (options->cert_file)
1852 msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
1853 if (options->priv_key_file)
1854 msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
1855 }
1856 else
1857 {
1858 if ((!(options->ca_file)) && (!(options->ca_path)))
1859 msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
1860 if (pull)
1861 {
1862 const int sum = (options->cert_file != NULL) + (options->priv_key_file != NULL);
1863 if (sum == 0)
1864 {
1865 #if P2MP
1866 if (!options->auth_user_pass_file)
1867 #endif
1868 msg (M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
1869 }
1870 else if (sum == 2)
1871 ;
1872 else
1873 {
1874 msg (M_USAGE, "If you use one of --cert or --key, you must use them both");
1875 }
1876 }
1877 else
1878 {
1879 notnull (options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
1880 notnull (options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
1881 }
1882 }
1883 }
1884 else
1885 {
1886 /*
1887 * Make sure user doesn't specify any TLS options
1888 * when in non-TLS mode.
1889 */
1890
1891 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) msg (M_USAGE, err, #parm);
1892
1893 const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
1894
1895 MUST_BE_UNDEF (ca_file);
1896 MUST_BE_UNDEF (ca_path);
1897 MUST_BE_UNDEF (dh_file);
1898 MUST_BE_UNDEF (cert_file);
1899 MUST_BE_UNDEF (priv_key_file);
1900 MUST_BE_UNDEF (pkcs12_file);
1901 MUST_BE_UNDEF (cipher_list);
1902 MUST_BE_UNDEF (tls_verify);
1903 MUST_BE_UNDEF (tls_remote);
1904 MUST_BE_UNDEF (tls_timeout);
1905 MUST_BE_UNDEF (renegotiate_bytes);
1906 MUST_BE_UNDEF (renegotiate_packets);
1907 MUST_BE_UNDEF (renegotiate_seconds);
1908 MUST_BE_UNDEF (handshake_window);
1909 MUST_BE_UNDEF (transition_window);
1910 MUST_BE_UNDEF (tls_auth_file);
1911 MUST_BE_UNDEF (single_session);
1912 MUST_BE_UNDEF (tls_exit);
1913 MUST_BE_UNDEF (crl_file);
1914 MUST_BE_UNDEF (key_method);
1915 MUST_BE_UNDEF (ns_cert_type);
1916 MUST_BE_UNDEF (remote_cert_ku[0]);
1917 MUST_BE_UNDEF (remote_cert_eku);
1918 #ifdef ENABLE_PKCS11
1919 MUST_BE_UNDEF (pkcs11_providers[0]);
1920 MUST_BE_UNDEF (pkcs11_private_mode[0]);
1921 MUST_BE_UNDEF (pkcs11_id);
1922 MUST_BE_UNDEF (pkcs11_id_management);
1923 #endif
1924
1925 if (pull)
1926 msg (M_USAGE, err, "--pull");
1927 }
1928 #undef MUST_BE_UNDEF
1929 #endif /* USE_CRYPTO */
1930 #endif /* USE_SSL */
1931
1932 #if P2MP
1933 if (options->auth_user_pass_file && !options->pull)
1934 msg (M_USAGE, "--auth-user-pass requires --pull");
1935 #endif
1936
1937 uninit_options (&defaults);
1938 }
1939
1940 static void
1941 options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)
1942 {
1943 #if P2MP_SERVER
1944 if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
1945 {
1946 if (ce->proto == PROTO_TCPv4)
1947 ce->proto = PROTO_TCPv4_SERVER;
1948 }
1949 #endif
1950 #if P2MP
1951 if (o->client)
1952 {
1953 if (ce->proto == PROTO_TCPv4)
1954 ce->proto = PROTO_TCPv4_CLIENT;
1955 }
1956 #endif
1957
1958 if (ce->proto == PROTO_TCPv4_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
1959 ce->bind_local = false;
1960
1961 #ifdef ENABLE_SOCKS
1962 if (ce->proto == PROTO_UDPv4 && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
1963 ce->bind_local = false;
1964 #endif
1965
1966 if (!ce->bind_local)
1967 ce->local_port = 0;
1968 }
1969
1970 static void
1971 options_postprocess_mutate_invariant (struct options *options)
1972 {
1973 const int dev = dev_type_enum (options->dev, options->dev_type);
1974
1975 /*
1976 * If --mssfix is supplied without a parameter, default
1977 * it to --fragment value, if --fragment is specified.
1978 */
1979 if (options->mssfix_default)
1980 {
1981 #ifdef ENABLE_FRAGMENT
1982 if (options->fragment)
1983 options->mssfix = options->fragment;
1984 #else
1985 msg (M_USAGE, "--mssfix must specify a parameter");
1986 #endif
1987 }
1988
1989 /*
1990 * In forking TCP server mode, you don't need to ifconfig
1991 * the tap device (the assumption is that it will be bridged).
1992 */
1993 if (options->inetd == INETD_NOWAIT)
1994 options->ifconfig_noexec = true;
1995
1996 /*
1997 * Set MTU defaults
1998 */
1999 {
2000 if (!options->tun_mtu_defined && !options->link_mtu_defined)
2001 {
2002 options->tun_mtu_defined = true;
2003 }
2004 if ((dev == DEV_TYPE_TAP) && !options->tun_mtu_extra_defined)
2005 {
2006 options->tun_mtu_extra_defined = true;
2007 options->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
2008 }
2009 }
2010
2011 #ifdef WIN32
2012 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
2013 {
2014 if (options->mode == MODE_POINT_TO_POINT)
2015 {
2016 options->route_delay_defined = true;
2017 options->route_delay = 5; /* Vista sometimes has a race without this */
2018 }
2019 }
2020
2021 if (options->ifconfig_noexec)
2022 {
2023 options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
2024 options->ifconfig_noexec = false;
2025 }
2026 #endif
2027
2028 #if P2MP_SERVER
2029 /*
2030 * Check consistency of --mode server options.
2031 */
2032 if (options->mode == MODE_SERVER)
2033 {
2034 #ifdef WIN32
2035 /*
2036 * We need to explicitly set --tap-sleep because
2037 * we do not schedule event timers in the top-level context.
2038 */
2039 options->tuntap_options.tap_sleep = 10;
2040 if (options->route_delay_defined && options->route_delay)
2041 options->tuntap_options.tap_sleep = options->route_delay;
2042 options->route_delay_defined = false;
2043 #endif
2044 }
2045 #endif
2046 }
2047
2048 static void
2049 options_postprocess_verify (const struct options *o)
2050 {
2051 #ifdef ENABLE_CONNECTION
2052 if (o->connection_list)
2053 {
2054 int i;
2055 for (i = 0; i < o->connection_list->len; ++i)
2056 options_postprocess_verify_ce (o, o->connection_list->array[i]);
2057 }
2058 else
2059 #endif
2060 options_postprocess_verify_ce (o, &o->ce);
2061 }
2062
2063 static void
2064 options_postprocess_mutate (struct options *o)
2065 {
2066 /*
2067 * Process helper-type options which map to other, more complex
2068 * sequences of options.
2069 */
2070 helper_client_server (o);
2071 helper_keepalive (o);
2072 helper_tcp_nodelay (o);
2073
2074 options_postprocess_mutate_invariant (o);
2075
2076 #ifdef ENABLE_CONNECTION
2077 if (o->remote_list && !o->connection_list)
2078 {
2079 /*
2080 * For compatibility with 2.0.x, map multiple --remote options
2081 * into connection list (connection lists added in 2.1).
2082 */
2083 if (o->remote_list->len > 1)
2084 {
2085 const struct remote_list *rl = o->remote_list;
2086 int i;
2087 for (i = 0; i < rl->len; ++i)
2088 {
2089 const struct remote_entry *re = rl->array[i];
2090 struct connection_entry ce = o->ce;
2091 struct connection_entry *ace;
2092
2093 ASSERT (re->remote);
2094 connection_entry_load_re (&ce, re);
2095 ace = alloc_connection_entry (o, M_USAGE);
2096 ASSERT (ace);
2097 *ace = ce;
2098 }
2099 }
2100 else if (o->remote_list->len == 1) /* one --remote option specfied */
2101 {
2102 connection_entry_load_re (&o->ce, o->remote_list->array[0]);
2103 }
2104 else
2105 {
2106 ASSERT (0);
2107 }
2108 }
2109 if (o->connection_list)
2110 {
2111 int i;
2112 for (i = 0; i < o->connection_list->len; ++i)
2113 options_postprocess_mutate_ce (o, o->connection_list->array[i]);
2114 }
2115 else
2116 #endif
2117 options_postprocess_mutate_ce (o, &o->ce);
2118
2119 #if P2MP
2120 /*
2121 * Save certain parms before modifying options via --pull
2122 */
2123 pre_pull_save (o);
2124 #endif
2125 }
2126
2127 /*
2128 * Sanity check on options.
2129 * Also set some options based on other
2130 * options.
2131 */
2132 void
2133 options_postprocess (struct options *options)
2134 {
2135 options_postprocess_mutate (options);
2136 options_postprocess_verify (options);
2137 }
2138
2139 #if P2MP
2140
2141 /*
2142 * Save/Restore certain option defaults before --pull is applied.
2143 */
2144
2145 void
2146 pre_pull_save (struct options *o)
2147 {
2148 if (o->pull)
2149 {
2150 ALLOC_OBJ_CLEAR_GC (o->pre_pull, struct options_pre_pull, &o->gc);
2151 o->pre_pull->tuntap_options = o->tuntap_options;
2152 o->pre_pull->tuntap_options_defined = true;
2153 o->pre_pull->foreign_option_index = o->foreign_option_index;
2154 if (o->routes)
2155 {
2156 o->pre_pull->routes = *o->routes;
2157 o->pre_pull->routes_defined = true;
2158 }
2159 }
2160 }
2161
2162 void
2163 pre_pull_restore (struct options *o)
2164 {
2165 const struct options_pre_pull *pp = o->pre_pull;
2166 if (pp)
2167 {
2168 CLEAR (o->tuntap_options);
2169 if (pp->tuntap_options_defined)
2170 o->tuntap_options = pp->tuntap_options;
2171
2172 if (pp->routes_defined)
2173 {
2174 rol_check_alloc (o);
2175 *o->routes = pp->routes;
2176 }
2177 else
2178 o->routes = NULL;
2179
2180 o->foreign_option_index = pp->foreign_option_index;
2181 }
2182 }
2183
2184 #endif
2185
2186 #ifdef ENABLE_OCC
2187
2188 /*
2189 * Build an options string to represent data channel encryption options.
2190 * This string must match exactly between peers. The keysize is checked
2191 * separately by read_key().
2192 *
2193 * The following options must match on both peers:
2194 *
2195 * Tunnel options:
2196 *
2197 * --dev tun|tap [unit number need not match]
2198 * --dev-type tun|tap
2199 * --link-mtu
2200 * --udp-mtu
2201 * --tun-mtu
2202 * --proto udp
2203 * --proto tcp-client [matched with --proto tcp-server
2204 * on the other end of the connection]
2205 * --proto tcp-server [matched with --proto tcp-client on
2206 * the other end of the connection]
2207 * --tun-ipv6
2208 * --ifconfig x y [matched with --ifconfig y x on
2209 * the other end of the connection]
2210 *
2211 * --comp-lzo
2212 * --fragment
2213 *
2214 * Crypto Options:
2215 *
2216 * --cipher
2217 * --auth
2218 * --keysize
2219 * --secret
2220 * --no-replay
2221 * --no-iv
2222 *
2223 * SSL Options:
2224 *
2225 * --tls-auth
2226 * --tls-client [matched with --tls-server on
2227 * the other end of the connection]
2228 * --tls-server [matched with --tls-client on
2229 * the other end of the connection]
2230 */
2231
2232 char *
2233 options_string (const struct options *o,
2234 const struct frame *frame,
2235 struct tuntap *tt,
2236 bool remote,
2237 struct gc_arena *gc)
2238 {
2239 struct buffer out = alloc_buf (OPTION_LINE_SIZE);
2240 bool tt_local = false;
2241
2242 buf_printf (&out, "V4");
2243
2244 /*
2245 * Tunnel Options
2246 */
2247
2248 buf_printf (&out, ",dev-type %s", dev_type_string (o->dev, o->dev_type));
2249 buf_printf (&out, ",link-mtu %d", EXPANDED_SIZE (frame));
2250 buf_printf (&out, ",tun-mtu %d", PAYLOAD_SIZE (frame));
2251 buf_printf (&out, ",proto %s", proto2ascii (proto_remote (o->ce.proto, remote), true));
2252 if (o->tun_ipv6)
2253 buf_printf (&out, ",tun-ipv6");
2254
2255 /*
2256 * Try to get ifconfig parameters into the options string.
2257 * If tt is undefined, make a temporary instantiation.
2258 */
2259 if (!tt)
2260 {
2261 tt = init_tun (o->dev,
2262 o->dev_type,
2263 o->topology,
2264 o->ifconfig_local,
2265 o->ifconfig_remote_netmask,
2266 (in_addr_t)0,
2267 (in_addr_t)0,
2268 false,
2269 NULL);
2270 if (tt)
2271 tt_local = true;
2272 }
2273
2274 if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
2275 {
2276 const char *ios = ifconfig_options_string (tt, remote, o->ifconfig_nowarn, gc);
2277 if (ios && strlen (ios))
2278 buf_printf (&out, ",ifconfig %s", ios);
2279 }
2280 if (tt_local)
2281 {
2282 free (tt);
2283 tt = NULL;
2284 }
2285
2286 #ifdef USE_LZO
2287 if (o->lzo & LZO_SELECTED)
2288 buf_printf (&out, ",comp-lzo");
2289 #endif
2290
2291 #ifdef ENABLE_FRAGMENT
2292 if (o->fragment)
2293 buf_printf (&out, ",mtu-dynamic");
2294 #endif
2295
2296 #ifdef USE_CRYPTO
2297
2298 #ifdef USE_SSL
2299 #define TLS_CLIENT (o->tls_client)
2300 #define TLS_SERVER (o->tls_server)
2301 #else
2302 #define TLS_CLIENT (false)
2303 #define TLS_SERVER (false)
2304 #endif
2305
2306 /*
2307 * Key direction
2308 */
2309 {
2310 const char *kd = keydirection2ascii (o->key_direction, remote);
2311 if (kd)
2312 buf_printf (&out, ",keydir %s", kd);
2313 }
2314
2315 /*
2316 * Crypto Options
2317 */
2318 if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
2319 {
2320 struct key_type kt;
2321
2322 ASSERT ((o->shared_secret_file != NULL)
2323 + (TLS_CLIENT == true)
2324 + (TLS_SERVER == true)
2325 <= 1);
2326
2327 init_key_type (&kt, o->ciphername, o->ciphername_defined,
2328 o->authname, o->authname_defined,
2329 o->keysize, true, false);
2330
2331 buf_printf (&out, ",cipher %s", kt_cipher_name (&kt));
2332 buf_printf (&out, ",auth %s", kt_digest_name (&kt));
2333 buf_printf (&out, ",keysize %d", kt_key_size (&kt));
2334 if (o->shared_secret_file)
2335 buf_printf (&out, ",secret");
2336 if (!o->replay)
2337 buf_printf (&out, ",no-replay");
2338 if (!o->use_iv)
2339 buf_printf (&out, ",no-iv");
2340 }
2341
2342 #ifdef USE_SSL
2343 /*
2344 * SSL Options
2345 */
2346 {
2347 if (TLS_CLIENT || TLS_SERVER)
2348 {
2349 if (o->tls_auth_file)
2350 buf_printf (&out, ",tls-auth");
2351
2352 if (o->key_method > 1)
2353 buf_printf (&out, ",key-method %d", o->key_method);
2354 }
2355
2356 if (remote)
2357 {
2358 if (TLS_CLIENT)
2359 buf_printf (&out, ",tls-server");
2360 else if (TLS_SERVER)
2361 buf_printf (&out, ",tls-client");
2362 }
2363 else
2364 {
2365 if (TLS_CLIENT)
2366 buf_printf (&out, ",tls-client");
2367 else if (TLS_SERVER)
2368 buf_printf (&out, ",tls-server");
2369 }
2370 }
2371 #endif /* USE_SSL */
2372
2373 #undef TLS_CLIENT
2374 #undef TLS_SERVER
2375
2376 #endif /* USE_CRYPTO */
2377
2378 return BSTR (&out);
2379 }
2380
2381 /*
2382 * Compare option strings for equality.
2383 * If the first two chars of the strings differ, it means that
2384 * we are looking at different versions of the options string,
2385 * therefore don't compare them and return true.
2386 */
2387
2388 bool
2389 options_cmp_equal (char *actual, const char *expected)
2390 {
2391 return options_cmp_equal_safe (actual, expected, strlen (actual) + 1);
2392 }
2393
2394 void
2395 options_warning (char *actual, const char *expected)
2396 {
2397 options_warning_safe (actual, expected, strlen (actual) + 1);
2398 }
2399
2400 static const char *
2401 options_warning_extract_parm1 (const char *option_string,
2402 struct gc_arena *gc_ret)
2403 {
2404 struct gc_arena gc = gc_new ();
2405 struct buffer b = string_alloc_buf (option_string, &gc);
2406 char *p = gc_malloc (OPTION_PARM_SIZE, false, &gc);
2407 const char *ret;
2408
2409 buf_parse (&b, ' ', p, OPTION_PARM_SIZE);
2410 ret = string_alloc (p, gc_ret);
2411 gc_free (&gc);
2412 return ret;
2413 }
2414
2415 static void
2416 options_warning_safe_scan2 (const int msglevel,
2417 const int delim,
2418 const bool report_inconsistent,
2419 const char *p1,
2420 const struct buffer *b2_src,
2421 const char *b1_name,
2422 const char *b2_name)
2423 {
2424 if (strlen (p1) > 0)
2425 {
2426 struct gc_arena gc = gc_new ();
2427 struct buffer b2 = *b2_src;
2428 const char *p1_prefix = options_warning_extract_parm1 (p1, &gc);
2429 char *p2 = gc_malloc (OPTION_PARM_SIZE, false, &gc);
2430
2431 while (buf_parse (&b2, delim, p2, OPTION_PARM_SIZE))
2432 {
2433 if (strlen (p2))
2434 {
2435 const char *p2_prefix = options_warning_extract_parm1 (p2, &gc);
2436
2437 if (!strcmp (p1, p2))
2438 goto done;
2439 if (!strcmp (p1_prefix, p2_prefix))
2440 {
2441 if (report_inconsistent)
2442 msg (msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
2443 safe_print (p1_prefix, &gc),
2444 b1_name,
2445 safe_print (p1, &gc),
2446 b2_name,
2447 safe_print (p2, &gc));
2448 goto done;
2449 }
2450 }
2451 }
2452
2453 msg (msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
2454 safe_print (p1_prefix, &gc),
2455 b1_name,
2456 b2_name,
2457 b1_name,
2458 safe_print (p1, &gc));
2459
2460 done:
2461 gc_free (&gc);
2462 }
2463 }
2464
2465 static void
2466 options_warning_safe_scan1 (const int msglevel,
2467 const int delim,
2468 const bool report_inconsistent,
2469 const struct buffer *b1_src,
2470 const struct buffer *b2_src,
2471 const char *b1_name,
2472 const char *b2_name)
2473 {
2474 struct gc_arena gc = gc_new ();
2475 struct buffer b = *b1_src;
2476 char *p = gc_malloc (OPTION_PARM_SIZE, true, &gc);
2477
2478 while (buf_parse (&b, delim, p, OPTION_PARM_SIZE))
2479 options_warning_safe_scan2 (msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
2480
2481 gc_free (&gc);
2482 }
2483
2484 static void
2485 options_warning_safe_ml (const int msglevel, char *actual, const char *expected, size_t actual_n)
2486 {
2487 struct gc_arena gc = gc_new ();
2488
2489 if (actual_n > 0)
2490 {
2491 struct buffer local = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
2492 struct buffer remote = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
2493 actual[actual_n - 1] = 0;
2494
2495 buf_printf (&local, "version %s", expected);
2496 buf_printf (&remote, "version %s", actual);
2497
2498 options_warning_safe_scan1 (msglevel, ',', true,
2499 &local, &remote,
2500 "local", "remote");
2501
2502 options_warning_safe_scan1 (msglevel, ',', false,
2503 &remote, &local,
2504 "remote", "local");
2505 }
2506
2507 gc_free (&gc);
2508 }
2509
2510 bool
2511 options_cmp_equal_safe (char *actual, const char *expected, size_t actual_n)
2512 {
2513 struct gc_arena gc = gc_new ();
2514 bool ret = true;
2515
2516 if (actual_n > 0)
2517 {
2518 actual[actual_n - 1] = 0;
2519 #ifndef STRICT_OPTIONS_CHECK
2520 if (strncmp (actual, expected, 2))
2521 {
2522 msg (D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
2523 options_warning_safe_ml (D_SHOW_OCC, actual, expected, actual_n);
2524 }
2525 else
2526 #endif
2527 ret = !strcmp (actual, expected);
2528 }
2529 gc_free (&gc);
2530 return ret;
2531 }
2532
2533 void
2534 options_warning_safe (char *actual, const char *expected, size_t actual_n)
2535 {
2536 options_warning_safe_ml (M_WARN, actual, expected, actual_n);
2537 }
2538
2539 const char *
2540 options_string_version (const char* s, struct gc_arena *gc)
2541 {
2542 struct buffer out = alloc_buf_gc (4, gc);
2543 strncpynt ((char *) BPTR (&out), s, 3);
2544 return BSTR (&out);
2545 }
2546
2547 #endif /* ENABLE_OCC */
2548
2549 static void
2550 foreign_option (struct options *o, char *argv[], int len, struct env_set *es)
2551 {
2552 if (len > 0)
2553 {
2554 struct gc_arena gc = gc_new();
2555 struct buffer name = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
2556 struct buffer value = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
2557 int i;
2558 bool first = true;
2559 bool good = true;
2560
2561 good &= buf_printf (&name, "foreign_option_%d", o->foreign_option_index + 1);
2562 ++o->foreign_option_index;
2563 for (i = 0; i < len; ++i)
2564 {
2565 if (argv[i])
2566 {
2567 if (!first)
2568 good &= buf_printf (&value, " ");
2569 good &= buf_printf (&value, "%s", argv[i]);
2570 first = false;
2571 }
2572 }
2573 if (good)
2574 setenv_str (es, BSTR(&name), BSTR(&value));
2575 else
2576 msg (M_WARN, "foreign_option: name/value overflow");
2577 gc_free (&gc);
2578 }
2579 }
2580
2581 /*
2582 * parse/print topology coding
2583 */
2584
2585 int
2586 parse_topology (const char *str, const int msglevel)
2587 {
2588 if (streq (str, "net30"))
2589 return TOP_NET30;
2590 else if (streq (str, "p2p"))
2591 return TOP_P2P;
2592 else if (streq (str, "subnet"))
2593 return TOP_SUBNET;
2594 else
2595 {
2596 msg (msglevel, "--topology must be net30, p2p, or subnet");
2597 return TOP_UNDEF;
2598 }
2599 }
2600
2601 const char *
2602 print_topology (const int topology)
2603 {
2604 switch (topology)
2605 {
2606 case TOP_UNDEF:
2607 return "undef";
2608 case TOP_NET30:
2609 return "net30";
2610 case TOP_P2P:
2611 return "p2p";
2612 case TOP_SUBNET:
2613 return "subnet";
2614 default:
2615 return "unknown";
2616 }
2617 }
2618
2619 #if P2MP
2620
2621 /*
2622 * Manage auth-retry variable
2623 */
2624
2625 static int global_auth_retry; /* GLOBAL */
2626
2627 int
2628 auth_retry_get (void)
2629 {
2630 return global_auth_retry;
2631 }
2632
2633 bool
2634 auth_retry_set (const int msglevel, const char *option)
2635 {
2636 if (streq (option, "interact"))
2637 global_auth_retry = AR_INTERACT;
2638 else if (streq (option, "nointeract"))
2639 global_auth_retry = AR_NOINTERACT;
2640 else if (streq (option, "none"))
2641 global_auth_retry = AR_NONE;
2642 else
2643 {
2644 msg (msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
2645 return false;
2646 }
2647 return true;
2648 }
2649
2650 const char *
2651 auth_retry_print (void)
2652 {
2653 switch (global_auth_retry)
2654 {
2655 case AR_NONE:
2656 return "none";
2657 case AR_NOINTERACT:
2658 return "nointeract";
2659 case AR_INTERACT:
2660 return "interact";
2661 default:
2662 return "???";
2663 }
2664 }
2665
2666 #endif
2667
2668 /*
2669 * Print the help message.
2670 */
2671 static void
2672 usage (void)
2673 {
2674 FILE *fp = msg_fp(0);
2675
2676 #ifdef ENABLE_SMALL
2677
2678 fprintf (fp, "Usage message not available\n");
2679
2680 #else
2681
2682 struct options o;
2683 init_options (&o, true);
2684
2685 #if defined(USE_CRYPTO) && defined(USE_SSL)
2686 fprintf (fp, usage_message,
2687 title_string,
2688 o.ce.connect_retry_seconds,
2689 o.ce.local_port, o.ce.remote_port,
2690 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
2691 o.verbosity,
2692 o.authname, o.ciphername,
2693 o.replay_window, o.replay_time,
2694 o.tls_timeout, o.renegotiate_seconds,
2695 o.handshake_window, o.transition_window);
2696 #elif defined(USE_CRYPTO)
2697 fprintf (fp, usage_message,
2698 title_string,
2699 o.ce.connect_retry_seconds,
2700 o.ce.local_port, o.ce.remote_port,
2701 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
2702 o.verbosity,
2703 o.authname, o.ciphername,
2704 o.replay_window, o.replay_time);
2705 #else
2706 fprintf (fp, usage_message,
2707 title_string,
2708 o.ce.connect_retry_seconds,
2709 o.ce.local_port, o.ce.remote_port,
2710 TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
2711 o.verbosity);
2712 #endif
2713 fflush(fp);
2714
2715 #endif /* ENABLE_SMALL */
2716
2717 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
2718 }
2719
2720 void
2721 usage_small (void)
2722 {
2723 msg (M_WARN|M_NOPREFIX, "Use --help for more information.");
2724 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
2725 }
2726
2727 static void
2728 usage_version (void)
2729 {
2730 msg (M_INFO|M_NOPREFIX, "%s", title_string);
2731 msg (M_INFO|M_NOPREFIX, "Developed by James Yonan");
2732 msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>");
2733 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
2734 }
2735
2736 void
2737 notnull (const char *arg, const char *description)
2738 {
2739 if (!arg)
2740 msg (M_USAGE, "You must define %s", description);
2741 }
2742
2743 bool
2744 string_defined_equal (const char *s1, const char *s2)
2745 {
2746 if (s1 && s2)
2747 return !strcmp (s1, s2);
2748 else
2749 return false;
2750 }
2751
2752 #if 0
2753 static void
2754 ping_rec_err (int msglevel)
2755 {
2756 msg (msglevel, "only one of --ping-exit or --ping-restart options may be specified");
2757 }
2758 #endif
2759
2760 static int
2761 positive_atoi (const char *str)
2762 {
2763 const int i = atoi (str);
2764 return i < 0 ? 0 : i;
2765 }
2766
2767 static inline bool
2768 space (unsigned char c)
2769 {
2770 return c == '\0' || isspace (c);
2771 }
2772
2773 int
2774 parse_line (const char *line,
2775 char *p[],
2776 const int n,
2777 const char *file,
2778 const int line_num,
2779 int msglevel,
2780 struct gc_arena *gc)
2781 {
2782 const int STATE_INITIAL = 0;
2783 const int STATE_READING_QUOTED_PARM = 1;
2784 const int STATE_READING_UNQUOTED_PARM = 2;
2785 const int STATE_DONE = 3;
2786 const int STATE_READING_SQUOTED_PARM = 4;
2787
2788 const char *error_prefix = "";
2789
2790 int ret = 0;
2791 const char *c = line;
2792 int state = STATE_INITIAL;
2793 bool backslash = false;
2794 char in, out;
2795
2796 char parm[OPTION_PARM_SIZE];
2797 unsigned int parm_len = 0;
2798
2799 msglevel &= ~M_OPTERR;
2800
2801 if (msglevel & M_MSG_VIRT_OUT)
2802 error_prefix = "ERROR: ";
2803
2804 do
2805 {
2806 in = *c;
2807 out = 0;
2808
2809 if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
2810 {
2811 backslash = true;
2812 }
2813 else
2814 {
2815 if (state == STATE_INITIAL)
2816 {
2817 if (!space (in))
2818 {
2819 if (in == ';' || in == '#') /* comment */
2820 break;
2821 if (!backslash && in == '\"')
2822 state = STATE_READING_QUOTED_PARM;
2823 else if (!backslash && in == '\'')
2824 state = STATE_READING_SQUOTED_PARM;
2825 else
2826 {
2827 out = in;
2828 state = STATE_READING_UNQUOTED_PARM;
2829 }
2830 }
2831 }
2832 else if (state == STATE_READING_UNQUOTED_PARM)
2833 {
2834 if (!backslash && space (in))
2835 state = STATE_DONE;
2836 else
2837 out = in;
2838 }
2839 else if (state == STATE_READING_QUOTED_PARM)
2840 {
2841 if (!backslash && in == '\"')
2842 state = STATE_DONE;
2843 else
2844 out = in;
2845 }
2846 else if (state == STATE_READING_SQUOTED_PARM)
2847 {
2848 if (in == '\'')
2849 state = STATE_DONE;
2850 else
2851 out = in;
2852 }
2853 if (state == STATE_DONE)
2854 {
2855 /* ASSERT (parm_len > 0); */
2856 p[ret] = gc_malloc (parm_len + 1, true, gc);
2857 memcpy (p[ret], parm, parm_len);
2858 p[ret][parm_len] = '\0';
2859 state = STATE_INITIAL;
2860 parm_len = 0;
2861 ++ret;
2862 }
2863
2864 if (backslash && out)
2865 {
2866 if (!(out == '\\' || out == '\"' || space (out)))
2867 {
2868 #ifdef ENABLE_SMALL
2869 msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
2870 #else
2871 msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
2872 #endif
2873 return 0;
2874 }
2875 }
2876 backslash = false;
2877 }
2878
2879 /* store parameter character */
2880 if (out)
2881 {
2882 if (parm_len >= SIZE (parm))
2883 {
2884 parm[SIZE (parm) - 1] = 0;
2885 msg (msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
2886 error_prefix, file, line_num, (int) SIZE (parm), parm);
2887 return 0;
2888 }
2889 parm[parm_len++] = out;
2890 }
2891
2892 /* avoid overflow if too many parms in one config file line */
2893 if (ret >= n)
2894 break;
2895
2896 } while (*c++ != '\0');
2897
2898 if (state == STATE_READING_QUOTED_PARM)
2899 {
2900 msg (msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
2901 return 0;
2902 }
2903 if (state == STATE_READING_SQUOTED_PARM)
2904 {
2905 msg (msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
2906 return 0;
2907 }
2908 if (state != STATE_INITIAL)
2909 {
2910 msg (msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
2911 return 0;
2912 }
2913 #if 0
2914 {
2915 int i;
2916 for (i = 0; i < ret; ++i)
2917 {
2918 msg (M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
2919 }
2920 }
2921 #endif
2922 return ret;
2923 }
2924
2925 static void
2926 bypass_doubledash (char **p)
2927 {
2928 if (strlen (*p) >= 3 && !strncmp (*p, "--", 2))
2929 *p += 2;
2930 }
2931
2932 #if ENABLE_INLINE_FILES
2933
2934 struct in_src {
2935 # define IS_TYPE_FP 1
2936 # define IS_TYPE_BUF 2
2937 int type;
2938 union {
2939 FILE *fp;
2940 struct buffer *multiline;
2941 } u;
2942 };
2943
2944 static bool
2945 in_src_get (const struct in_src *is, char *line, const int size)
2946 {
2947 if (is->type == IS_TYPE_FP)
2948 {
2949 return BOOL_CAST (fgets (line, size, is->u.fp));
2950 }
2951 else if (is->type == IS_TYPE_BUF)
2952 {
2953 bool status = buf_parse (is->u.multiline, '\n', line, size);
2954 if ((int) strlen (line) + 1 < size)
2955 strcat (line, "\n");
2956 return status;
2957 }
2958 else
2959 {
2960 ASSERT (0);
2961 return false;
2962 }
2963 }
2964
2965 static char *
2966 read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc)
2967 {
2968 char line[OPTION_LINE_SIZE];
2969 struct buffer buf = alloc_buf (10000);
2970 char *ret;
2971 while (in_src_get (is, line, sizeof (line)))
2972 {
2973 if (!strncmp (line, close_tag, strlen (close_tag)))
2974 break;
2975 buf_printf (&buf, "%s", line);
2976 }
2977 ret = string_alloc (BSTR (&buf), gc);
2978 buf_clear (&buf);
2979 free_buf (&buf);
2980 CLEAR (line);
2981 return ret;
2982 }
2983
2984 static bool
2985 check_inline_file (struct in_src *is, char *p[], struct gc_arena *gc)
2986 {
2987 bool ret = false;
2988 if (p[0] && !p[1])
2989 {
2990 char *arg = p[0];
2991 if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
2992 {
2993 struct buffer close_tag;
2994 arg[strlen(arg)-1] = '\0';
2995 p[0] = string_alloc (arg+1, gc);
2996 p[1] = string_alloc (INLINE_FILE_TAG, gc);
2997 close_tag = alloc_buf (strlen(p[0]) + 4);
2998 buf_printf (&close_tag, "</%s>", p[0]);
2999 p[2] = read_inline_file (is, BSTR (&close_tag), gc);
3000 p[3] = NULL;
3001 free_buf (&close_tag);
3002 ret = true;
3003 }
3004 }
3005 return ret;
3006 }
3007
3008 static bool
3009 check_inline_file_via_fp (FILE *fp, char *p[], struct gc_arena *gc)
3010 {
3011 struct in_src is;
3012 is.type = IS_TYPE_FP;
3013 is.u.fp = fp;
3014 return check_inline_file (&is, p, gc);
3015 }
3016
3017 static bool
3018 check_inline_file_via_buf (struct buffer *multiline, char *p[], struct gc_arena *gc)
3019 {
3020 struct in_src is;
3021 is.type = IS_TYPE_BUF;
3022 is.u.multiline = multiline;
3023 return check_inline_file (&is, p, gc);
3024 }
3025
3026 #endif
3027
3028 static void
3029 add_option (struct options *options,
3030 char *p[],
3031 const char *file,
3032 int line,
3033 const int level,
3034 const int msglevel,
3035 const unsigned int permission_mask,
3036 unsigned int *option_types_found,
3037 struct env_set *es);
3038
3039 static void
3040 read_config_file (struct options *options,
3041 const char *file,
3042 int level,
3043 const char *top_file,
3044 const int top_line,
3045 const int msglevel,
3046 const unsigned int permission_mask,
3047 unsigned int *option_types_found,
3048 struct env_set *es)
3049 {
3050 const int max_recursive_levels = 10;
3051 FILE *fp;
3052 int line_num;
3053 char line[OPTION_LINE_SIZE];
3054 char *p[MAX_PARMS];
3055
3056 ++level;
3057 if (level <= max_recursive_levels)
3058 {
3059 if (streq (file, "stdin"))
3060 fp = stdin;
3061 else
3062 fp = fopen (file, "r");
3063 if (fp)
3064 {
3065 line_num = 0;
3066 while (fgets(line, sizeof (line), fp))
3067 {
3068 CLEAR (p);
3069 ++line_num;
3070 if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
3071 {
3072 bypass_doubledash (&p[0]);
3073 #if ENABLE_INLINE_FILES
3074 check_inline_file_via_fp (fp, p, &options->gc);
3075 #endif
3076 add_option (options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
3077 }
3078 }
3079 if (fp != stdin)
3080 fclose (fp);
3081 }
3082 else
3083 {
3084 msg (msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
3085 }
3086 }
3087 else
3088 {
3089 msg (msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
3090 }
3091 CLEAR (line);
3092 CLEAR (p);
3093 }
3094
3095 static void
3096 read_config_string (const char *prefix,
3097 struct options *options,
3098 const char *config,
3099 const int msglevel,
3100 const unsigned int permission_mask,
3101 unsigned int *option_types_found,
3102 struct env_set *es)
3103 {
3104 char line[OPTION_LINE_SIZE];
3105 struct buffer multiline;
3106 int line_num = 0;
3107
3108 buf_set_read (&multiline, (uint8_t*)config, strlen (config));
3109
3110 while (buf_parse (&multiline, '\n', line, sizeof (line)))
3111 {
3112 char *p[MAX_PARMS];
3113 CLEAR (p);
3114 ++line_num;
3115 if (parse_line (line, p, SIZE (p), prefix, line_num, msglevel, &options->gc))
3116 {
3117 bypass_doubledash (&p[0]);
3118 #if ENABLE_INLINE_FILES
3119 check_inline_file_via_buf (&multiline, p, &options->gc);
3120 #endif
3121 add_option (options, p, NULL, line_num, 0, msglevel, permission_mask, option_types_found, es);
3122 }
3123 CLEAR (p);
3124 }
3125 CLEAR (line);
3126 }
3127
3128 void
3129 parse_argv (struct options *options,
3130 const int argc,
3131 char *argv[],
3132 const int msglevel,
3133 const unsigned int permission_mask,
3134 unsigned int *option_types_found,
3135 struct env_set *es)
3136 {
3137 int i, j;
3138
3139 /* usage message */
3140 if (argc <= 1)
3141 usage ();
3142
3143 /* config filename specified only? */
3144 if (argc == 2 && strncmp (argv[1], "--", 2))
3145 {
3146 char *p[MAX_PARMS];
3147 CLEAR (p);
3148 p[0] = "config";
3149 p[1] = argv[1];
3150 add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
3151 }
3152 else
3153 {
3154 /* parse command line */
3155 for (i = 1; i < argc; ++i)
3156 {
3157 char *p[MAX_PARMS];
3158 CLEAR (p);
3159 p[0] = argv[i];
3160 if (strncmp(p[0], "--", 2))
3161 {
3162 msg (msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
3163 }
3164 else
3165 p[0] += 2;
3166
3167 for (j = 1; j < MAX_PARMS; ++j)
3168 {
3169 if (i + j < argc)
3170 {
3171 char *arg = argv[i + j];
3172 if (strncmp (arg, "--", 2))
3173 p[j] = arg;
3174 else
3175 break;
3176 }
3177 }
3178 add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
3179 i += j - 1;
3180 }
3181 }
3182 }
3183
3184 bool
3185 apply_push_options (struct options *options,
3186 struct buffer *buf,
3187 unsigned int permission_mask,
3188 unsigned int *option_types_found,
3189 struct env_set *es)
3190 {
3191 char line[OPTION_PARM_SIZE];
3192 int line_num = 0;
3193 const char *file = "[PUSH-OPTIONS]";
3194 const int msglevel = D_PUSH_ERRORS|M_OPTERR;
3195
3196 while (buf_parse (buf, ',', line, sizeof (line)))
3197 {
3198 char *p[MAX_PARMS];
3199 CLEAR (p);
3200 ++line_num;
3201 if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
3202 {
3203 add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
3204 }
3205 }
3206 return true;
3207 }
3208
3209 void
3210 options_server_import (struct options *o,
3211 const char *filename,
3212 int msglevel,
3213 unsigned int permission_mask,
3214 unsigned int *option_types_found,
3215 struct env_set *es)
3216 {
3217 msg (D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
3218 read_config_file (o,
3219 filename,
3220 0,
3221 filename,
3222 0,
3223 msglevel,
3224 permission_mask,
3225 option_types_found,
3226 es);
3227 }
3228
3229 void options_string_import (struct options *options,
3230 const char *config,
3231 const int msglevel,
3232 const unsigned int permission_mask,
3233 unsigned int *option_types_found,
3234 struct env_set *es)
3235 {
3236 read_config_string ("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
3237 }
3238
3239 #if P2MP
3240
3241 #define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], (mask), permission_mask, option_types_found, msglevel)) goto err; }
3242
3243 static bool
3244 verify_permission (const char *name,
3245 const unsigned int type,
3246 const unsigned int allowed,
3247 unsigned int *found,
3248 const int msglevel)
3249 {
3250 if (!(type & allowed))
3251 {
3252 msg (msglevel, "option '%s' cannot be used in this context", name);
3253 return false;
3254 }
3255 else
3256 {
3257 if (found)
3258 *found |= type;
3259 return true;
3260 }
3261 }
3262
3263 #else
3264
3265 #define VERIFY_PERMISSION(mask)
3266
3267 #endif
3268
3269 /*
3270 * Check that an option doesn't have too
3271 * many parameters.
3272 */
3273
3274 #define NM_QUOTE_HINT (1<<0)
3275
3276 static bool
3277 no_more_than_n_args (const int msglevel,
3278 char *p[],
3279 const int max,
3280 const unsigned int flags)
3281 {
3282 const int len = string_array_len ((const char **)p);
3283
3284 if (!len)
3285 return false;
3286
3287 if (len > max)
3288 {
3289 msg (msglevel, "the --%s directive should have at most %d parameter%s.%s",
3290 p[0],
3291 max - 1,
3292 max >= 3 ? "s" : "",
3293 (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
3294 return false;
3295 }
3296 else
3297 return true;
3298 }
3299
3300 static inline int
3301 msglevel_forward_compatible (struct options *options, const int msglevel)
3302 {
3303 return options->forward_compatible ? M_WARN : msglevel;
3304 }
3305
3306 static void
3307 add_option (struct options *options,
3308 char *p[],
3309 const char *file,
3310 int line,
3311 const int level,
3312 const int msglevel,
3313 const unsigned int permission_mask,
3314 unsigned int *option_types_found,
3315 struct env_set *es)
3316 {
3317 struct gc_arena gc = gc_new ();
3318 const bool pull_mode = BOOL_CAST (permission_mask & OPT_P_PULL_MODE);
3319 int msglevel_fc = msglevel_forward_compatible (options, msglevel);
3320
3321 ASSERT (MAX_PARMS >= 5);
3322 if (!file)
3323 {
3324 file = "[CMD-LINE]";
3325 line = 1;
3326 }
3327 if (streq (p[0], "help"))
3328 {
3329 VERIFY_PERMISSION (OPT_P_GENERAL);
3330 usage ();
3331 }
3332 if (streq (p[0], "version"))
3333 {
3334 VERIFY_PERMISSION (OPT_P_GENERAL);
3335 usage_version ();
3336 }
3337 else if (streq (p[0], "config") && p[1])
3338 {
3339 VERIFY_PERMISSION (OPT_P_CONFIG);
3340
3341 /* save first config file only in options */
3342 if (!options->config)
3343 options->config = p[1];
3344
3345 read_config_file (options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
3346 }
3347 #if 0
3348 else if (streq (p[0], "foreign-option") && p[1])
3349 {
3350 VERIFY_PERMISSION (OPT_P_IPWIN32);
3351 foreign_option (options, p, 3, es);
3352 }
3353 #endif
3354 else if (streq (p[0], "echo") || streq (p[0], "parameter"))
3355 {
3356 struct buffer string = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
3357 int j;
3358 bool good = true;
3359
3360 VERIFY_PERMISSION (OPT_P_ECHO);
3361
3362 for (j = 1; j < MAX_PARMS; ++j)
3363 {
3364 if (!p[j])
3365 break;
3366 if (j > 1)
3367 good &= buf_printf (&string, " ");
3368 good &= buf_printf (&string, "%s", p[j]);
3369 }
3370 if (good)
3371 {
3372 msg (M_INFO, "%s:%s",
3373 pull_mode ? "ECHO-PULL" : "ECHO",
3374 BSTR (&string));
3375 #ifdef ENABLE_MANAGEMENT
3376 if (management)
3377 management_echo (management, BSTR (&string), pull_mode);
3378 #endif
3379 }
3380 else
3381 msg (M_WARN, "echo/parameter option overflow");
3382 }
3383 #ifdef ENABLE_MANAGEMENT
3384 else if (streq (p[0], "management") && p[1] && p[2])
3385 {
3386 int port = 0;
3387
3388 VERIFY_PERMISSION (OPT_P_GENERAL);
3389 if (streq (p[2], "unix"))
3390 {
3391 #if UNIX_SOCK_SUPPORT
3392 options->management_flags |= MF_UNIX_SOCK;
3393 #else
3394 msg (msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
3395 goto err;
3396 #endif
3397 }
3398 else
3399 {
3400 port = atoi (p[2]);
3401 if (!legal_ipv4_port (port))
3402 {
3403 msg (msglevel, "port number associated with --management directive is out of range");
3404 goto err;
3405 }
3406 }
3407
3408 options->management_addr = p[1];
3409 options->management_port = port;
3410 if (p[3])
3411 {
3412 options->management_user_pass = p[3];
3413 }
3414 }
3415 else if (streq (p[0], "management-client-user") && p[1])
3416 {
3417 VERIFY_PERMISSION (OPT_P_GENERAL);
3418 options->management_client_user = p[1];
3419 }
3420 else if (streq (p[0], "management-client-group") && p[1])
3421 {
3422 VERIFY_PERMISSION (OPT_P_GENERAL);
3423 options->management_client_group = p[1];
3424 }
3425 else if (streq (p[0], "management-query-passwords"))
3426 {
3427 VERIFY_PERMISSION (OPT_P_GENERAL);
3428 options->management_flags |= MF_QUERY_PASSWORDS;
3429 }
3430 else if (streq (p[0], "management-hold"))
3431 {
3432 VERIFY_PERMISSION (OPT_P_GENERAL);
3433 options->management_flags |= MF_HOLD;
3434 }
3435 else if (streq (p[0], "management-signal"))
3436 {
3437 VERIFY_PERMISSION (OPT_P_GENERAL);
3438 options->management_flags |= MF_SIGNAL;
3439 }
3440 else if (streq (p[0], "management-forget-disconnect"))
3441 {
3442 VERIFY_PERMISSION (OPT_P_GENERAL);
3443 options->management_flags |= MF_FORGET_DISCONNECT;
3444 }
3445 else if (streq (p[0], "management-client"))
3446 {
3447 VERIFY_PERMISSION (OPT_P_GENERAL);
3448 options->management_flags |= MF_CONNECT_AS_CLIENT;
3449 options->management_write_peer_info_file = p[1];
3450 }
3451 #ifdef MANAGEMENT_DEF_AUTH
3452 else if (streq (p[0], "management-client-auth"))
3453 {
3454 VERIFY_PERMISSION (OPT_P_GENERAL);
3455 options->management_flags |= MF_CLIENT_AUTH;
3456 }
3457 #endif
3458 #ifdef MANAGEMENT_PF
3459 else if (streq (p[0], "management-client-pf"))
3460 {
3461 VERIFY_PERMISSION (OPT_P_GENERAL);
3462 options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
3463 }
3464 #endif
3465 else if (streq (p[0], "management-log-cache") && p[1])
3466 {
3467 int cache;
3468
3469 VERIFY_PERMISSION (OPT_P_GENERAL);
3470 cache = atoi (p[1]);
3471 if (cache < 1)
3472 {
3473 msg (msglevel, "--management-log-cache parameter is out of range");
3474 goto err;
3475 }
3476 options->management_log_history_cache = cache;
3477 }
3478 #endif
3479 #ifdef ENABLE_PLUGIN
3480 else if (streq (p[0], "plugin") && p[1])
3481 {
3482 VERIFY_PERMISSION (OPT_P_PLUGIN);
3483 if (!options->plugin_list)
3484 options->plugin_list = plugin_option_list_new (&options->gc);
3485 if (!plugin_option_list_add (options->plugin_list, &p[1], &options->gc))
3486 {
3487 msg (msglevel, "plugin add failed: %s", p[1]);
3488 goto err;
3489 }
3490 }
3491 #endif
3492 else if (streq (p[0], "mode") && p[1])
3493 {
3494 VERIFY_PERMISSION (OPT_P_GENERAL);
3495 if (streq (p[1], "p2p"))
3496 options->mode = MODE_POINT_TO_POINT;
3497 #if P2MP_SERVER
3498 else if (streq (p[1], "server"))
3499 options->mode = MODE_SERVER;
3500 #endif
3501 else
3502 {
3503 msg (msglevel, "Bad --mode parameter: %s", p[1]);
3504 goto err;
3505 }
3506 }
3507 else if (streq (p[0], "dev") && p[1])
3508 {
3509 VERIFY_PERMISSION (OPT_P_GENERAL);
3510 options->dev = p[1];
3511 }
3512 else if (streq (p[0], "dev-type") && p[1])
3513 {
3514 VERIFY_PERMISSION (OPT_P_GENERAL);
3515 options->dev_type = p[1];
3516 }
3517 else if (streq (p[0], "dev-node") && p[1])
3518 {
3519 VERIFY_PERMISSION (OPT_P_GENERAL);
3520 options->dev_node = p[1];
3521 }
3522 else if (streq (p[0], "lladdr") && p[1])
3523 {
3524 VERIFY_PERMISSION (OPT_P_UP);
3525 if (mac_addr_safe (p[1])) /* MAC address only */
3526 options->lladdr = p[1];
3527 else
3528 {
3529 msg (msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
3530 goto err;
3531 }
3532 }
3533 else if (streq (p[0], "topology") && p[1])
3534 {
3535 VERIFY_PERMISSION (OPT_P_UP);
3536 options->topology = parse_topology (p[1], msglevel);
3537 }
3538 else if (streq (p[0], "tun-ipv6"))
3539 {
3540 VERIFY_PERMISSION (OPT_P_UP);
3541 options->tun_ipv6 = true;
3542 }
3543 #ifdef CONFIG_FEATURE_IPROUTE
3544 else if (streq (p[0], "iproute") && p[1])
3545 {
3546 VERIFY_PERMISSION (OPT_P_GENERAL);
3547 iproute_path = p[1];
3548 }
3549 #endif
3550 else if (streq (p[0], "ifconfig") && p[1] && p[2])
3551 {
3552 VERIFY_PERMISSION (OPT_P_UP);
3553 if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
3554 {
3555 options->ifconfig_local = p[1];
3556 options->ifconfig_remote_netmask = p[2];
3557 }
3558 else
3559 {
3560 msg (msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
3561 goto err;
3562 }
3563 }
3564 else if (streq (p[0], "ifconfig-noexec"))
3565 {
3566 VERIFY_PERMISSION (OPT_P_UP);
3567 options->ifconfig_noexec = true;
3568 }
3569 else if (streq (p[0], "ifconfig-nowarn"))
3570 {
3571 VERIFY_PERMISSION (OPT_P_UP);
3572 options->ifconfig_nowarn = true;
3573 }
3574 else if (streq (p[0], "local") && p[1])
3575 {
3576 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3577 options->ce.local = p[1];
3578 }
3579 else if (streq (p[0], "remote-random"))
3580 {
3581 VERIFY_PERMISSION (OPT_P_GENERAL);
3582 options->remote_random = true;
3583 }
3584 #if ENABLE_CONNECTION
3585 else if (streq (p[0], "connection") && p[1])
3586 {
3587 VERIFY_PERMISSION (OPT_P_GENERAL);
3588 if (streq (p[1], INLINE_FILE_TAG) && p[2])
3589 {
3590 struct options sub;
3591 struct connection_entry *e;
3592
3593 init_options (&sub, true);
3594 sub.ce = options->ce;
3595 read_config_string ("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es);
3596 if (!sub.ce.remote)
3597 {
3598 msg (msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
3599 goto err;
3600 }
3601
3602 e = alloc_connection_entry (options, msglevel);
3603 if (!e)
3604 goto err;
3605 *e = sub.ce;
3606 gc_transfer (&options->gc, &sub.gc);
3607 uninit_options (&sub);
3608 }
3609 }
3610 #endif
3611 else if (streq (p[0], "remote") && p[1])
3612 {
3613 struct remote_entry re;
3614 re.remote = NULL;
3615 re.remote_port = re.proto = -1;
3616
3617 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3618 re.remote = p[1];
3619 if (p[2])
3620 {
3621 const int port = atoi (p[2]);
3622 if (!legal_ipv4_port (port))
3623 {
3624 msg (msglevel, "remote: port number associated with host %s is out of range", p[1]);
3625 goto err;
3626 }
3627 re.remote_port = port;
3628 if (p[3])
3629 {
3630 const int proto = ascii2proto (p[3]);
3631 if (proto < 0)
3632 {
3633 msg (msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
3634 goto err;
3635 }
3636 re.proto = proto;
3637 }
3638 }
3639 #ifdef ENABLE_CONNECTION
3640 if (permission_mask & OPT_P_GENERAL)
3641 {
3642 struct remote_entry *e = alloc_remote_entry (options, msglevel);
3643 if (!e)
3644 goto err;
3645 *e = re;
3646 }
3647 else if (permission_mask & OPT_P_CONNECTION)
3648 #endif
3649 {
3650 connection_entry_load_re (&options->ce, &re);
3651 }
3652 }
3653 else if (streq (p[0], "resolv-retry") && p[1])
3654 {
3655 VERIFY_PERMISSION (OPT_P_GENERAL);
3656 if (streq (p[1], "infinite"))
3657 options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
3658 else
3659 options->resolve_retry_seconds = positive_atoi (p[1]);
3660 }
3661 else if (streq (p[0], "connect-retry") && p[1])
3662 {
3663 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3664 options->ce.connect_retry_seconds = positive_atoi (p[1]);
3665 options->ce.connect_retry_defined = true;
3666 }
3667 else if (streq (p[0], "connect-timeout") && p[1])
3668 {
3669 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3670 options->ce.connect_timeout = positive_atoi (p[1]);
3671 options->ce.connect_timeout_defined = true;
3672 }
3673 else if (streq (p[0], "connect-retry-max") && p[1])
3674 {
3675 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3676 options->ce.connect_retry_max = positive_atoi (p[1]);
3677 }
3678 else if (streq (p[0], "ipchange") && p[1])
3679 {
3680 VERIFY_PERMISSION (OPT_P_SCRIPT);
3681 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
3682 goto err;
3683 options->ipchange = string_substitute (p[1], ',', ' ', &options->gc);
3684 }
3685 else if (streq (p[0], "float"))
3686 {
3687 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3688 options->ce.remote_float = true;
3689 }
3690 #ifdef ENABLE_DEBUG
3691 else if (streq (p[0], "gremlin") && p[1])
3692 {
3693 VERIFY_PERMISSION (OPT_P_GENERAL);
3694 options->gremlin = positive_atoi (p[1]);
3695 }
3696 #endif
3697 else if (streq (p[0], "chroot") && p[1])
3698 {
3699 VERIFY_PERMISSION (OPT_P_GENERAL);
3700 options->chroot_dir = p[1];
3701 }
3702 else if (streq (p[0], "cd") && p[1])
3703 {
3704 VERIFY_PERMISSION (OPT_P_GENERAL);
3705 if (openvpn_chdir (p[1]))
3706 {
3707 msg (M_ERR, "cd to '%s' failed", p[1]);
3708 goto err;
3709 }
3710 options->cd_dir = p[1];
3711 }
3712 else if (streq (p[0], "writepid") && p[1])
3713 {
3714 VERIFY_PERMISSION (OPT_P_GENERAL);
3715 options->writepid = p[1];
3716 }
3717 else if (streq (p[0], "up") && p[1])
3718 {
3719 VERIFY_PERMISSION (OPT_P_SCRIPT);
3720 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
3721 goto err;
3722 options->up_script = p[1];
3723 }
3724 else if (streq (p[0], "down") && p[1])
3725 {
3726 VERIFY_PERMISSION (OPT_P_SCRIPT);
3727 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
3728 goto err;
3729 options->down_script = p[1];
3730 }
3731 else if (streq (p[0], "down-pre"))
3732 {
3733 VERIFY_PERMISSION (OPT_P_GENERAL);
3734 options->down_pre = true;
3735 }
3736 else if (streq (p[0], "up-delay"))
3737 {
3738 VERIFY_PERMISSION (OPT_P_GENERAL);
3739 options->up_delay = true;
3740 }
3741 else if (streq (p[0], "up-restart"))
3742 {
3743 VERIFY_PERMISSION (OPT_P_GENERAL);
3744 options->up_restart = true;
3745 }
3746 else if (streq (p[0], "syslog"))
3747 {
3748 VERIFY_PERMISSION (OPT_P_GENERAL);
3749 open_syslog (p[1], false);
3750 }
3751 else if (streq (p[0], "daemon"))
3752 {
3753 bool didit = false;
3754 VERIFY_PERMISSION (OPT_P_GENERAL);
3755 if (!options->daemon)
3756 {
3757 options->daemon = didit = true;
3758 open_syslog (p[1], false);
3759 }
3760 if (p[1])
3761 {
3762 if (!didit)
3763 {
3764 msg (M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
3765 goto err;
3766 }
3767 }
3768 }
3769 else if (streq (p[0], "inetd"))
3770 {
3771 VERIFY_PERMISSION (OPT_P_GENERAL);
3772 if (!options->inetd)
3773 {
3774 int z;
3775 const char *name = NULL;
3776 const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
3777
3778 options->inetd = -1;
3779
3780 for (z = 1; z <= 2; ++z)
3781 {
3782 if (p[z])
3783 {
3784 if (streq (p[z], "wait"))
3785 {
3786 if (options->inetd != -1)
3787 {
3788 msg (msglevel, opterr);
3789 goto err;
3790 }
3791 else
3792 options->inetd = INETD_WAIT;
3793 }
3794 else if (streq (p[z], "nowait"))
3795 {
3796 if (options->inetd != -1)
3797 {
3798 msg (msglevel, opterr);
3799 goto err;
3800 }
3801 else
3802 options->inetd = INETD_NOWAIT;
3803 }
3804 else
3805 {
3806 if (name != NULL)
3807 {
3808 msg (msglevel, opterr);
3809 goto err;
3810 }
3811 name = p[z];
3812 }
3813 }
3814 }
3815
3816 /* default */
3817 if (options->inetd == -1)
3818 options->inetd = INETD_WAIT;
3819
3820 save_inetd_socket_descriptor ();
3821 open_syslog (name, true);
3822 }
3823 }
3824 else if (streq (p[0], "log") && p[1])
3825 {
3826 VERIFY_PERMISSION (OPT_P_GENERAL);
3827 options->log = true;
3828 redirect_stdout_stderr (p[1], false);
3829 }
3830 else if (streq (p[0], "suppress-timestamps"))
3831 {
3832 VERIFY_PERMISSION (OPT_P_GENERAL);
3833 options->suppress_timestamps = true;
3834 set_suppress_timestamps(true);
3835 }
3836 else if (streq (p[0], "log-append") && p[1])
3837 {
3838 VERIFY_PERMISSION (OPT_P_GENERAL);
3839 options->log = true;
3840 redirect_stdout_stderr (p[1], true);
3841 }
3842 else if (streq (p[0], "mlock"))
3843 {
3844 VERIFY_PERMISSION (OPT_P_GENERAL);
3845 options->mlock = true;
3846 }
3847 #if ENABLE_IP_PKTINFO
3848 else if (streq (p[0], "multihome"))
3849 {
3850 VERIFY_PERMISSION (OPT_P_GENERAL);
3851 options->sockflags |= SF_USE_IP_PKTINFO;
3852 }
3853 #endif
3854 else if (streq (p[0], "verb") && p[1])
3855 {
3856 VERIFY_PERMISSION (OPT_P_MESSAGES);
3857 options->verbosity = positive_atoi (p[1]);
3858 }
3859 else if (streq (p[0], "mute") && p[1])
3860 {
3861 VERIFY_PERMISSION (OPT_P_MESSAGES);
3862 options->mute = positive_atoi (p[1]);
3863 }
3864 else if (streq (p[0], "errors-to-stderr"))
3865 {
3866 VERIFY_PERMISSION (OPT_P_MESSAGES);
3867 errors_to_stderr();
3868 }
3869 else if (streq (p[0], "status") && p[1])
3870 {
3871 VERIFY_PERMISSION (OPT_P_GENERAL);
3872 options->status_file = p[1];
3873 if (p[2])
3874 {
3875 options->status_file_update_freq = positive_atoi (p[2]);
3876 }
3877 }
3878 else if (streq (p[0], "status-version") && p[1])
3879 {
3880 int version;
3881
3882 VERIFY_PERMISSION (OPT_P_GENERAL);
3883 version = atoi (p[1]);
3884 if (version < 1 || version > 3)
3885 {
3886 msg (msglevel, "--status-version must be 1 to 3");
3887 goto err;
3888 }
3889 options->status_file_version = version;
3890 }
3891 else if (streq (p[0], "remap-usr1") && p[1])
3892 {
3893 VERIFY_PERMISSION (OPT_P_GENERAL);
3894 if (streq (p[1], "SIGHUP"))
3895 options->remap_sigusr1 = SIGHUP;
3896 else if (streq (p[1], "SIGTERM"))
3897 options->remap_sigusr1 = SIGTERM;
3898 else
3899 {
3900 msg (msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
3901 goto err;
3902 }
3903 }
3904 else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1])
3905 {
3906 VERIFY_PERMISSION (OPT_P_MTU);
3907 options->link_mtu = positive_atoi (p[1]);
3908 options->link_mtu_defined = true;
3909 }
3910 else if (streq (p[0], "tun-mtu") && p[1])
3911 {
3912 VERIFY_PERMISSION (OPT_P_MTU);
3913 options->tun_mtu = positive_atoi (p[1]);
3914 options->tun_mtu_defined = true;
3915 }
3916 else if (streq (p[0], "tun-mtu-extra") && p[1])
3917 {
3918 VERIFY_PERMISSION (OPT_P_MTU);
3919 options->tun_mtu_extra = positive_atoi (p[1]);
3920 options->tun_mtu_extra_defined = true;
3921 }
3922 #ifdef ENABLE_FRAGMENT
3923 else if (streq (p[0], "mtu-dynamic"))
3924 {
3925 VERIFY_PERMISSION (OPT_P_GENERAL);
3926 msg (msglevel, "--mtu-dynamic has been replaced by --fragment");
3927 goto err;
3928 }
3929 else if (streq (p[0], "fragment") && p[1])
3930 {
3931 VERIFY_PERMISSION (OPT_P_MTU);
3932 options->fragment = positive_atoi (p[1]);
3933 }
3934 #endif
3935 else if (streq (p[0], "mtu-disc") && p[1])
3936 {
3937 VERIFY_PERMISSION (OPT_P_MTU);
3938 options->mtu_discover_type = translate_mtu_discover_type_name (p[1]);
3939 }
3940 #ifdef ENABLE_OCC
3941 else if (streq (p[0], "mtu-test"))
3942 {
3943 VERIFY_PERMISSION (OPT_P_GENERAL);
3944 options->mtu_test = true;
3945 }
3946 #endif
3947 else if (streq (p[0], "nice") && p[1])
3948 {
3949 VERIFY_PERMISSION (OPT_P_NICE);
3950 options->nice = atoi (p[1]);
3951 }
3952 else if (streq (p[0], "rcvbuf") && p[1])
3953 {
3954 VERIFY_PERMISSION (OPT_P_SOCKBUF);
3955 options->rcvbuf = positive_atoi (p[1]);
3956 }
3957 else if (streq (p[0], "sndbuf") && p[1])
3958 {
3959 VERIFY_PERMISSION (OPT_P_SOCKBUF);
3960 options->sndbuf = positive_atoi (p[1]);
3961 }
3962 else if (streq (p[0], "socket-flags"))
3963 {
3964 int j;
3965 VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
3966 for (j = 1; j < MAX_PARMS && p[j]; ++j)
3967 {
3968 if (streq (p[j], "TCP_NODELAY"))
3969 options->sockflags |= SF_TCP_NODELAY;
3970 else
3971 msg (msglevel, "unknown socket flag: %s", p[j]);
3972 }
3973 }
3974 else if (streq (p[0], "txqueuelen") && p[1])
3975 {
3976 VERIFY_PERMISSION (OPT_P_GENERAL);
3977 #ifdef TARGET_LINUX
3978 options->tuntap_options.txqueuelen = positive_atoi (p[1]);
3979 #else
3980 msg (msglevel, "--txqueuelen not supported on this OS");
3981 goto err;
3982 #endif
3983 }
3984 #ifdef USE_PTHREAD
3985 else if (streq (p[0], "nice-work") && p[1])
3986 {
3987 VERIFY_PERMISSION (OPT_P_NICE);
3988 options->nice_work = atoi (p[1]);
3989 }
3990 else if (streq (p[0], "threads") && p[1])
3991 {
3992 int n_threads;
3993
3994 VERIFY_PERMISSION (OPT_P_GENERAL);
3995 n_threads = positive_atoi (p[1]);
3996 if (n_threads < 1)
3997 {
3998 msg (msglevel, "--threads parameter must be at least 1");
3999 goto err;
4000 }
4001 options->n_threads = n_threads;
4002 }
4003 #endif
4004 else if (streq (p[0], "shaper") && p[1])
4005 {
4006 #ifdef HAVE_GETTIMEOFDAY
4007 int shaper;
4008
4009 VERIFY_PERMISSION (OPT_P_SHAPER);
4010 shaper = atoi (p[1]);
4011 if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
4012 {
4013 msg (msglevel, "Bad shaper value, must be between %d and %d",
4014 SHAPER_MIN, SHAPER_MAX);
4015 goto err;
4016 }
4017 options->shaper = shaper;
4018 #else /* HAVE_GETTIMEOFDAY */
4019 VERIFY_PERMISSION (OPT_P_GENERAL);
4020 msg (msglevel, "--shaper requires the gettimeofday() function which is missing");
4021 goto err;
4022 #endif /* HAVE_GETTIMEOFDAY */
4023 }
4024 else if (streq (p[0], "port") && p[1])
4025 {
4026 int port;
4027
4028 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4029 port = atoi (p[1]);
4030 if (!legal_ipv4_port (port))
4031 {
4032 msg (msglevel, "Bad port number: %s", p[1]);
4033 goto err;
4034 }
4035 options->ce.port_option_used = true;
4036 options->ce.local_port = options->ce.remote_port = port;
4037 }
4038 else if (streq (p[0], "lport") && p[1])
4039 {
4040 int port;
4041
4042 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4043 port = atoi (p[1]);
4044 if (!legal_ipv4_port (port))
4045 {
4046 msg (msglevel, "Bad local port number: %s", p[1]);
4047 goto err;
4048 }
4049 options->ce.local_port_defined = true;
4050 options->ce.port_option_used = true;
4051 options->ce.local_port = port;
4052 }
4053 else if (streq (p[0], "rport") && p[1])
4054 {
4055 int port;
4056
4057 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4058 port = atoi (p[1]);
4059 if (!legal_ipv4_port (port))
4060 {
4061 msg (msglevel, "Bad remote port number: %s", p[1]);
4062 goto err;
4063 }
4064 options->ce.port_option_used = true;
4065 options->ce.remote_port = port;
4066 }
4067 else if (streq (p[0], "bind"))
4068 {
4069 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4070 options->ce.bind_defined = true;
4071 }
4072 else if (streq (p[0], "nobind"))
4073 {
4074 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4075 options->ce.bind_local = false;
4076 }
4077 else if (streq (p[0], "fast-io"))
4078 {
4079 VERIFY_PERMISSION (OPT_P_GENERAL);
4080 options->fast_io = true;
4081 }
4082 else if (streq (p[0], "inactive") && p[1])
4083 {
4084 VERIFY_PERMISSION (OPT_P_TIMER);
4085 options->inactivity_timeout = positive_atoi (p[1]);
4086 if (p[2])
4087 options->inactivity_minimum_bytes = positive_atoi (p[2]);
4088 }
4089 else if (streq (p[0], "proto") && p[1])
4090 {
4091 int proto;
4092 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4093 proto = ascii2proto (p[1]);
4094 if (proto < 0)
4095 {
4096 msg (msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
4097 p[1],
4098 proto2ascii_all (&gc));
4099 goto err;
4100 }
4101 options->ce.proto = proto;
4102 }
4103 #ifdef GENERAL_PROXY_SUPPORT
4104 else if (streq (p[0], "auto-proxy"))
4105 {
4106 char *error = NULL;
4107
4108 VERIFY_PERMISSION (OPT_P_GENERAL);
4109 options->auto_proxy_info = get_proxy_settings (&error, &options->gc);
4110 if (error)
4111 msg (M_WARN, "PROXY: %s", error);
4112 }
4113 else if (streq (p[0], "show-proxy-settings"))
4114 {
4115 struct auto_proxy_info *pi;
4116 char *error = NULL;
4117
4118 VERIFY_PERMISSION (OPT_P_GENERAL);
4119 pi = get_proxy_settings (&error, &options->gc);
4120 if (pi)
4121 {
4122 msg (M_INFO|M_NOPREFIX, "HTTP Server: %s", np(pi->http.server));
4123 msg (M_INFO|M_NOPREFIX, "HTTP Port: %d", pi->http.port);
4124 msg (M_INFO|M_NOPREFIX, "SOCKS Server: %s", np(pi->socks.server));
4125 msg (M_INFO|M_NOPREFIX, "SOCKS Port: %d", pi->socks.port);
4126 }
4127 if (error)
4128 msg (msglevel, "Proxy error: %s", error);
4129 #ifdef WIN32
4130 show_win_proxy_settings (M_INFO|M_NOPREFIX);
4131 #endif
4132 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
4133 }
4134 #endif /* GENERAL_PROXY_SUPPORT */
4135 #ifdef ENABLE_HTTP_PROXY
4136 else if (streq (p[0], "http-proxy") && p[1])
4137 {
4138 struct http_proxy_options *ho;
4139
4140 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4141
4142 {
4143 int port;
4144 if (!p[2])
4145 {
4146 msg (msglevel, "http-proxy port number not defined");
4147 goto err;
4148 }
4149 port = atoi (p[2]);
4150 if (!legal_ipv4_port (port))
4151 {
4152 msg (msglevel, "Bad http-proxy port number: %s", p[2]);
4153 goto err;
4154 }
4155
4156 ho = init_http_options_if_undefined (options);
4157
4158 ho->server = p[1];
4159 ho->port = port;
4160 }
4161
4162 if (p[3])
4163 {
4164 if (streq (p[3], "auto"))
4165 ho->auth_retry = true;
4166 else
4167 {
4168 ho->auth_method_string = "basic";
4169 ho->auth_file = p[3];
4170
4171 if (p[4])
4172 {
4173 ho->auth_method_string = p[4];
4174 }
4175 }
4176 }
4177 else
4178 {
4179 ho->auth_method_string = "none";
4180 }
4181 }
4182 else if (streq (p[0], "http-proxy-retry"))
4183 {
4184 struct http_proxy_options *ho;
4185 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4186 ho = init_http_options_if_undefined (options);
4187 ho->retry = true;
4188 }
4189 else if (streq (p[0], "http-proxy-timeout") && p[1])
4190 {
4191 struct http_proxy_options *ho;
4192
4193 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4194 ho = init_http_options_if_undefined (options);
4195 ho->timeout = positive_atoi (p[1]);
4196 }
4197 else if (streq (p[0], "http-proxy-option") && p[1])
4198 {
4199 struct http_proxy_options *ho;
4200
4201 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4202 ho = init_http_options_if_undefined (options);
4203
4204 if (streq (p[1], "VERSION") && p[2])
4205 {
4206 ho->http_version = p[2];
4207 }
4208 else if (streq (p[1], "AGENT") && p[2])
4209 {
4210 ho->user_agent = p[2];
4211 }
4212 else
4213 {
4214 msg (msglevel, "Bad http-proxy-option or missing parameter: '%s'", p[1]);
4215 }
4216 }
4217 #endif
4218 #ifdef ENABLE_SOCKS
4219 else if (streq (p[0], "socks-proxy") && p[1])
4220 {
4221 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4222
4223 if (p[2])
4224 {
4225 int port;
4226 port = atoi (p[2]);
4227 if (!legal_ipv4_port (port))
4228 {
4229 msg (msglevel, "Bad socks-proxy port number: %s", p[2]);
4230 goto err;
4231 }
4232 options->ce.socks_proxy_port = port;
4233 }
4234 else
4235 {
4236 options->ce.socks_proxy_port = 1080;
4237 }
4238 options->ce.socks_proxy_server = p[1];
4239 }
4240 else if (streq (p[0], "socks-proxy-retry"))
4241 {
4242 VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4243 options->ce.socks_proxy_retry = true;
4244 }
4245 #endif
4246 else if (streq (p[0], "keepalive") && p[1] && p[2])
4247 {
4248 VERIFY_PERMISSION (OPT_P_GENERAL);
4249 options->keepalive_ping = atoi (p[1]);
4250 options->keepalive_timeout = atoi (p[2]);
4251 }
4252 else if (streq (p[0], "ping") && p[1])
4253 {
4254 VERIFY_PERMISSION (OPT_P_TIMER);
4255 options->ping_send_timeout = positive_atoi (p[1]);
4256 }
4257 else if (streq (p[0], "ping-exit") && p[1])
4258 {
4259 VERIFY_PERMISSION (OPT_P_TIMER);
4260 options->ping_rec_timeout = positive_atoi (p[1]);
4261 options->ping_rec_timeout_action = PING_EXIT;
4262 }
4263 else if (streq (p[0], "ping-restart") && p[1])
4264 {
4265 VERIFY_PERMISSION (OPT_P_TIMER);
4266 options->ping_rec_timeout = positive_atoi (p[1]);
4267 options->ping_rec_timeout_action = PING_RESTART;
4268 }
4269 else if (streq (p[0], "ping-timer-rem"))
4270 {
4271 VERIFY_PERMISSION (OPT_P_TIMER);
4272 options->ping_timer_remote = true;
4273 }
4274 #ifdef ENABLE_OCC
4275 else if (streq (p[0], "explicit-exit-notify"))
4276 {
4277 VERIFY_PERMISSION (OPT_P_EXPLICIT_NOTIFY);
4278 if (p[1])
4279 {
4280 options->explicit_exit_notification = positive_atoi (p[1]);
4281 }
4282 else
4283 {
4284 options->explicit_exit_notification = 1;
4285 }
4286 }
4287 #endif
4288 else if (streq (p[0], "persist-tun"))
4289 {
4290 VERIFY_PERMISSION (OPT_P_PERSIST);
4291 options->persist_tun = true;
4292 }
4293 else if (streq (p[0], "persist-key"))
4294 {
4295 VERIFY_PERMISSION (OPT_P_PERSIST);
4296 options->persist_key = true;
4297 }
4298 else if (streq (p[0], "persist-local-ip"))
4299 {
4300 VERIFY_PERMISSION (OPT_P_PERSIST_IP);
4301 options->persist_local_ip = true;
4302 }
4303 else if (streq (p[0], "persist-remote-ip"))
4304 {
4305 VERIFY_PERMISSION (OPT_P_PERSIST_IP);
4306 options->persist_remote_ip = true;
4307 }
4308 else if (streq (p[0], "route") && p[1])
4309 {
4310 VERIFY_PERMISSION (OPT_P_ROUTE);
4311 rol_check_alloc (options);
4312 if (pull_mode)
4313 {
4314 if (!ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && !is_special_addr (p[1])) /* FQDN -- may be DNS name */
4315 {
4316 msg (msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
4317 goto err;
4318 }
4319 if (p[2] && !ip_addr_dotted_quad_safe (p[2])) /* FQDN -- must be IP address */
4320 {
4321 msg (msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
4322 goto err;
4323 }
4324 if (p[3] && !ip_or_dns_addr_safe (p[3], options->allow_pull_fqdn) && !is_special_addr (p[3])) /* FQDN -- may be DNS name */
4325 {
4326 msg (msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
4327 goto err;
4328 }
4329 }
4330 add_route_to_option_list (options->routes, p[1], p[2], p[3], p[4]);
4331 }
4332 else if (streq (p[0], "route-gateway") && p[1])
4333 {
4334 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
4335 if (streq (p[1], "dhcp"))
4336 {
4337 options->route_gateway_via_dhcp = true;
4338 }
4339 else
4340 {
4341 if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */
4342 {
4343 options->route_default_gateway = p[1];
4344 }
4345 else
4346 {
4347 msg (msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
4348 goto err;
4349 }
4350 }
4351 }
4352 else if (streq (p[0], "route-metric") && p[1])
4353 {
4354 VERIFY_PERMISSION (OPT_P_ROUTE);
4355 options->route_default_metric = positive_atoi (p[1]);
4356 }
4357 else if (streq (p[0], "route-delay"))
4358 {
4359 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
4360 options->route_delay_defined = true;
4361 if (p[1])
4362 {
4363 options->route_delay = positive_atoi (p[1]);
4364 if (p[2])
4365 {
4366 options->route_delay_window = positive_atoi (p[2]);
4367 }
4368 }
4369 else
4370 {
4371 options->route_delay = 0;
4372 }
4373 }
4374 else if (streq (p[0], "route-up") && p[1])
4375 {
4376 VERIFY_PERMISSION (OPT_P_SCRIPT);
4377 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4378 goto err;
4379 options->route_script = p[1];
4380 }
4381 else if (streq (p[0], "route-noexec"))
4382 {
4383 VERIFY_PERMISSION (OPT_P_SCRIPT);
4384 options->route_noexec = true;
4385 }
4386 else if (streq (p[0], "route-nopull"))
4387 {
4388 VERIFY_PERMISSION (OPT_P_GENERAL);
4389 options->route_nopull = true;
4390 }
4391 else if (streq (p[0], "allow-pull-fqdn"))
4392 {
4393 VERIFY_PERMISSION (OPT_P_GENERAL);
4394 options->allow_pull_fqdn = true;
4395 }
4396 else if (streq (p[0], "redirect-gateway") || streq (p[0], "redirect-private"))
4397 {
4398 int j;
4399 VERIFY_PERMISSION (OPT_P_ROUTE);
4400 rol_check_alloc (options);
4401 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
4402 {
4403 if (streq (p[0], "redirect-gateway"))
4404 options->routes->flags |= RG_REROUTE_GW;
4405 if (streq (p[j], "local"))
4406 options->routes->flags |= RG_LOCAL;
4407 else if (streq (p[j], "autolocal"))
4408 options->routes->flags |= RG_AUTO_LOCAL;
4409 else if (streq (p[j], "def1"))
4410 options->routes->flags |= RG_DEF1;
4411 else if (streq (p[j], "bypass-dhcp"))
4412 options->routes->flags |= RG_BYPASS_DHCP;
4413 else if (streq (p[j], "bypass-dns"))
4414 options->routes->flags |= RG_BYPASS_DNS;
4415 else
4416 {
4417 msg (msglevel, "unknown --%s flag: %s", p[0], p[j]);
4418 goto err;
4419 }
4420 }
4421 options->routes->flags |= RG_ENABLE;
4422 }
4423 else if (streq (p[0], "setenv") && p[1])
4424 {
4425 VERIFY_PERMISSION (OPT_P_GENERAL);
4426 if (streq (p[1], "FORWARD_COMPATIBLE") && p[2] && streq (p[2], "1"))
4427 {
4428 options->forward_compatible = true;
4429 msglevel_fc = msglevel_forward_compatible (options, msglevel);
4430 }
4431 setenv_str (es, p[1], p[2] ? p[2] : "");
4432 }
4433 else if (streq (p[0], "setenv-safe") && p[1])
4434 {
4435 VERIFY_PERMISSION (OPT_P_SETENV);
4436 setenv_str_safe (es, p[1], p[2] ? p[2] : "");
4437 }
4438 else if (streq (p[0], "script-security") && p[1])
4439 {
4440 VERIFY_PERMISSION (OPT_P_GENERAL);
4441 script_security = atoi (p[1]);
4442 if (p[2])
4443 {
4444 if (streq (p[2], "execve"))
4445 script_method = SM_EXECVE;
4446 else if (streq (p[2], "system"))
4447 script_method = SM_SYSTEM;
4448 else
4449 {
4450 msg (msglevel, "unknown --script-security method: %s", p[2]);
4451 goto err;
4452 }
4453 }
4454 else
4455 script_method = SM_EXECVE;
4456 }
4457 else if (streq (p[0], "mssfix"))
4458 {
4459 VERIFY_PERMISSION (OPT_P_GENERAL);
4460 if (p[1])
4461 {
4462 options->mssfix = positive_atoi (p[1]);
4463 }
4464 else
4465 options->mssfix_default = true;
4466
4467 }
4468 #ifdef ENABLE_OCC
4469 else if (streq (p[0], "disable-occ"))
4470 {
4471 VERIFY_PERMISSION (OPT_P_GENERAL);
4472 options->occ = false;
4473 }
4474 #endif
4475 #if P2MP
4476 #if P2MP_SERVER
4477 else if (streq (p[0], "server") && p[1] && p[2])
4478 {
4479 const int lev = M_WARN;
4480 bool error = false;
4481 in_addr_t network, netmask;
4482
4483 VERIFY_PERMISSION (OPT_P_GENERAL);
4484 network = get_ip_addr (p[1], lev, &error);
4485 netmask = get_ip_addr (p[2], lev, &error);
4486 if (error || !network || !netmask)
4487 {
4488 msg (msglevel, "error parsing --server parameters");
4489 goto err;
4490 }
4491 options->server_defined = true;
4492 options->server_network = network;
4493 options->server_netmask = netmask;
4494
4495 if (p[3])
4496 {
4497 if (streq (p[3], "nopool"))
4498 options->server_flags |= SF_NOPOOL;
4499 else
4500 {
4501 msg (msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
4502 goto err;
4503 }
4504 }
4505 }
4506 else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4])
4507 {
4508 const int lev = M_WARN;
4509 bool error = false;
4510 in_addr_t ip, netmask, pool_start, pool_end;
4511
4512 VERIFY_PERMISSION (OPT_P_GENERAL);
4513 ip = get_ip_addr (p[1], lev, &error);
4514 netmask = get_ip_addr (p[2], lev, &error);
4515 pool_start = get_ip_addr (p[3], lev, &error);
4516 pool_end = get_ip_addr (p[4], lev, &error);
4517 if (error || !ip || !netmask || !pool_start || !pool_end)
4518 {
4519 msg (msglevel, "error parsing --server-bridge parameters");
4520 goto err;
4521 }
4522 options->server_bridge_defined = true;
4523 options->server_bridge_ip = ip;
4524 options->server_bridge_netmask = netmask;
4525 options->server_bridge_pool_start = pool_start;
4526 options->server_bridge_pool_end = pool_end;
4527 }
4528 else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw"))
4529 {
4530 VERIFY_PERMISSION (OPT_P_GENERAL);
4531 options->server_bridge_proxy_dhcp = true;
4532 options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
4533 }
4534 else if (streq (p[0], "server-bridge") && !p[1])
4535 {
4536 VERIFY_PERMISSION (OPT_P_GENERAL);
4537 options->server_bridge_proxy_dhcp = true;
4538 }
4539 else if (streq (p[0], "push") && p[1])
4540 {
4541 VERIFY_PERMISSION (OPT_P_PUSH);
4542 push_options (options, &p[1], msglevel, &options->gc);
4543 }
4544 else if (streq (p[0], "push-reset"))
4545 {
4546 VERIFY_PERMISSION (OPT_P_INSTANCE);
4547 push_reset (options);
4548 }
4549 else if (streq (p[0], "ifconfig-pool") && p[1] && p[2])
4550 {
4551 const int lev = M_WARN;
4552 bool error = false;
4553 in_addr_t start, end, netmask=0;
4554
4555 VERIFY_PERMISSION (OPT_P_GENERAL);
4556 start = get_ip_addr (p[1], lev, &error);
4557 end = get_ip_addr (p[2], lev, &error);
4558 if (p[3])
4559 {
4560 netmask = get_ip_addr (p[3], lev, &error);
4561 }
4562 if (error)
4563 {
4564 msg (msglevel, "error parsing --ifconfig-pool parameters");
4565 goto err;
4566 }
4567 if (!ifconfig_pool_verify_range (msglevel, start, end))
4568 goto err;
4569
4570 options->ifconfig_pool_defined = true;
4571 options->ifconfig_pool_start = start;
4572 options->ifconfig_pool_end = end;
4573 if (netmask)
4574 options->ifconfig_pool_netmask = netmask;
4575 }
4576 else if (streq (p[0], "ifconfig-pool-persist") && p[1])
4577 {
4578 VERIFY_PERMISSION (OPT_P_GENERAL);
4579 options->ifconfig_pool_persist_filename = p[1];
4580 if (p[2])
4581 {
4582 options->ifconfig_pool_persist_refresh_freq = positive_atoi (p[2]);
4583 }
4584 }
4585 else if (streq (p[0], "ifconfig-pool-linear"))
4586 {
4587 VERIFY_PERMISSION (OPT_P_GENERAL);
4588 options->topology = TOP_P2P;
4589 }
4590 else if (streq (p[0], "hash-size") && p[1] && p[2])
4591 {
4592 int real, virtual;
4593
4594 VERIFY_PERMISSION (OPT_P_GENERAL);
4595 real = atoi (p[1]);
4596 virtual = atoi (p[2]);
4597 if (real < 1 || virtual < 1)
4598 {
4599 msg (msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
4600 goto err;
4601 }
4602 options->real_hash_size = real;
4603 options->virtual_hash_size = real;
4604 }
4605 else if (streq (p[0], "connect-freq") && p[1] && p[2])
4606 {
4607 int cf_max, cf_per;
4608
4609 VERIFY_PERMISSION (OPT_P_GENERAL);
4610 cf_max = atoi (p[1]);
4611 cf_per = atoi (p[2]);
4612 if (cf_max < 0 || cf_per < 0)
4613 {
4614 msg (msglevel, "--connect-freq parms must be > 0");
4615 goto err;
4616 }
4617 options->cf_max = cf_max;
4618 options->cf_per = cf_per;
4619 }
4620 else if (streq (p[0], "max-clients") && p[1])
4621 {
4622 int max_clients;
4623
4624 VERIFY_PERMISSION (OPT_P_GENERAL);
4625 max_clients = atoi (p[1]);
4626 if (max_clients < 0)
4627 {
4628 msg (msglevel, "--max-clients must be at least 1");
4629 goto err;
4630 }
4631 options->max_clients = max_clients;
4632 }
4633 else if (streq (p[0], "max-routes-per-client") && p[1])
4634 {
4635 VERIFY_PERMISSION (OPT_P_INHERIT);
4636 options->max_routes_per_client = max_int (atoi (p[1]), 1);
4637 }
4638 else if (streq (p[0], "client-cert-not-required"))
4639 {
4640 VERIFY_PERMISSION (OPT_P_GENERAL);
4641 options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
4642 }
4643 else if (streq (p[0], "username-as-common-name"))
4644 {
4645 VERIFY_PERMISSION (OPT_P_GENERAL);
4646 options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
4647 }
4648 else if (streq (p[0], "auth-user-pass-optional"))
4649 {
4650 VERIFY_PERMISSION (OPT_P_GENERAL);
4651 options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
4652 }
4653 else if (streq (p[0], "no-name-remapping"))
4654 {
4655 VERIFY_PERMISSION (OPT_P_GENERAL);
4656 options->ssl_flags |= SSLF_NO_NAME_REMAPPING;
4657 }
4658 else if (streq (p[0], "opt-verify"))
4659 {
4660 VERIFY_PERMISSION (OPT_P_GENERAL);
4661 options->ssl_flags |= SSLF_OPT_VERIFY;
4662 }
4663 else if (streq (p[0], "auth-user-pass-verify") && p[1])
4664 {
4665 VERIFY_PERMISSION (OPT_P_SCRIPT);
4666 if (!no_more_than_n_args (msglevel, p, 3, NM_QUOTE_HINT))
4667 goto err;
4668 if (p[2])
4669 {
4670 if (streq (p[2], "via-env"))
4671 options->auth_user_pass_verify_script_via_file = false;
4672 else if (streq (p[2], "via-file"))
4673 options->auth_user_pass_verify_script_via_file = true;
4674 else
4675 {
4676 msg (msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
4677 goto err;
4678 }
4679 }
4680 else
4681 {
4682 msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
4683 goto err;
4684 }
4685 options->auth_user_pass_verify_script = p[1];
4686 }
4687 else if (streq (p[0], "client-connect") && p[1])
4688 {
4689 VERIFY_PERMISSION (OPT_P_SCRIPT);
4690 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4691 goto err;
4692 options->client_connect_script = p[1];
4693 }
4694 else if (streq (p[0], "client-disconnect") && p[1])
4695 {
4696 VERIFY_PERMISSION (OPT_P_SCRIPT);
4697 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4698 goto err;
4699 options->client_disconnect_script = p[1];
4700 }
4701 else if (streq (p[0], "learn-address") && p[1])
4702 {
4703 VERIFY_PERMISSION (OPT_P_SCRIPT);
4704 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4705 goto err;
4706 options->learn_address_script = p[1];
4707 }
4708 else if (streq (p[0], "tmp-dir") && p[1])
4709 {
4710 VERIFY_PERMISSION (OPT_P_GENERAL);
4711 options->tmp_dir = p[1];
4712 }
4713 else if (streq (p[0], "client-config-dir") && p[1])
4714 {
4715 VERIFY_PERMISSION (OPT_P_GENERAL);
4716 options->client_config_dir = p[1];
4717 }
4718 else if (streq (p[0], "ccd-exclusive"))
4719 {
4720 VERIFY_PERMISSION (OPT_P_GENERAL);
4721 options->ccd_exclusive = true;
4722 }
4723 else if (streq (p[0], "bcast-buffers") && p[1])
4724 {
4725 int n_bcast_buf;
4726
4727 VERIFY_PERMISSION (OPT_P_GENERAL);
4728 n_bcast_buf = atoi (p[1]);
4729 if (n_bcast_buf < 1)
4730 msg (msglevel, "--bcast-buffers parameter must be > 0");
4731 options->n_bcast_buf = n_bcast_buf;
4732 }
4733 else if (streq (p[0], "tcp-queue-limit") && p[1])
4734 {
4735 int tcp_queue_limit;
4736
4737 VERIFY_PERMISSION (OPT_P_GENERAL);
4738 tcp_queue_limit = atoi (p[1]);
4739 if (tcp_queue_limit < 1)
4740 msg (msglevel, "--tcp-queue-limit parameter must be > 0");
4741 options->tcp_queue_limit = tcp_queue_limit;
4742 }
4743 #if PORT_SHARE
4744 else if (streq (p[0], "port-share") && p[1] && p[2])
4745 {
4746 int port;
4747
4748 VERIFY_PERMISSION (OPT_P_GENERAL);
4749 port = atoi (p[2]);
4750 if (!legal_ipv4_port (port))
4751 {
4752 msg (msglevel, "port number associated with --port-share directive is out of range");
4753 goto err;
4754 }
4755
4756 options->port_share_host = p[1];
4757 options->port_share_port = port;
4758 }
4759 #endif
4760 else if (streq (p[0], "client-to-client"))
4761 {
4762 VERIFY_PERMISSION (OPT_P_GENERAL);
4763 options->enable_c2c = true;
4764 }
4765 else if (streq (p[0], "duplicate-cn"))
4766 {
4767 VERIFY_PERMISSION (OPT_P_GENERAL);
4768 options->duplicate_cn = true;
4769 }
4770 else if (streq (p[0], "iroute") && p[1])
4771 {
4772 const char *netmask = NULL;
4773
4774 VERIFY_PERMISSION (OPT_P_INSTANCE);
4775 if (p[2])
4776 {
4777 netmask = p[2];
4778 }
4779 option_iroute (options, p[1], netmask, msglevel);
4780 }
4781 else if (streq (p[0], "ifconfig-push") && p[1] && p[2])
4782 {
4783 in_addr_t local, remote_netmask;
4784
4785 VERIFY_PERMISSION (OPT_P_INSTANCE);
4786 local = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
4787 remote_netmask = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
4788 if (local && remote_netmask)
4789 {
4790 options->push_ifconfig_defined = true;
4791 options->push_ifconfig_local = local;
4792 options->push_ifconfig_remote_netmask = remote_netmask;
4793 }
4794 else
4795 {
4796 msg (msglevel, "cannot parse --ifconfig-push addresses");
4797 goto err;
4798 }
4799 }
4800 else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2])
4801 {
4802 in_addr_t network, netmask;
4803
4804 VERIFY_PERMISSION (OPT_P_GENERAL);
4805 network = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
4806 netmask = getaddr (GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
4807 if (network && netmask)
4808 {
4809 options->push_ifconfig_constraint_defined = true;
4810 options->push_ifconfig_constraint_network = network;
4811 options->push_ifconfig_constraint_netmask = netmask;
4812 }
4813 else
4814 {
4815 msg (msglevel, "cannot parse --ifconfig-push-constraint addresses");
4816 goto err;
4817 }
4818 }
4819 else if (streq (p[0], "disable"))
4820 {
4821 VERIFY_PERMISSION (OPT_P_INSTANCE);
4822 options->disable = true;
4823 }
4824 else if (streq (p[0], "tcp-nodelay"))
4825 {
4826 VERIFY_PERMISSION (OPT_P_GENERAL);
4827 options->server_flags |= SF_TCP_NODELAY_HELPER;
4828 }
4829 #endif /* P2MP_SERVER */
4830
4831 else if (streq (p[0], "client"))
4832 {
4833 VERIFY_PERMISSION (OPT_P_GENERAL);
4834 options->client = true;
4835 }
4836 else if (streq (p[0], "pull"))
4837 {
4838 VERIFY_PERMISSION (OPT_P_GENERAL);
4839 options->pull = true;
4840 }
4841 else if (streq (p[0], "auth-user-pass"))
4842 {
4843 VERIFY_PERMISSION (OPT_P_GENERAL);
4844 if (p[1])
4845 {
4846 options->auth_user_pass_file = p[1];
4847 }
4848 else
4849 options->auth_user_pass_file = "stdin";
4850 }
4851 else if (streq (p[0], "auth-retry") && p[1])
4852 {
4853 VERIFY_PERMISSION (OPT_P_GENERAL);
4854 auth_retry_set (msglevel, p[1]);
4855 }
4856 #endif
4857 #ifdef WIN32
4858 else if (streq (p[0], "win-sys") && p[1])
4859 {
4860 VERIFY_PERMISSION (OPT_P_GENERAL);
4861 if (streq (p[1], "env"))
4862 set_win_sys_path_via_env (es);
4863 else
4864 set_win_sys_path (p[1], es);
4865 }
4866 else if (streq (p[0], "route-method") && p[1])
4867 {
4868 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
4869 if (streq (p[1], "adaptive"))
4870 options->route_method = ROUTE_METHOD_ADAPTIVE;
4871 else if (streq (p[1], "ipapi"))
4872 options->route_method = ROUTE_METHOD_IPAPI;
4873 else if (streq (p[1], "exe"))
4874 options->route_method = ROUTE_METHOD_EXE;
4875 else
4876 {
4877 msg (msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
4878 goto err;
4879 }
4880 }
4881 else if (streq (p[0], "ip-win32") && p[1])
4882 {
4883 const int index = ascii2ipset (p[1]);
4884 struct tuntap_options *to = &options->tuntap_options;
4885
4886 VERIFY_PERMISSION (OPT_P_IPWIN32);
4887
4888 if (index < 0)
4889 {
4890 msg (msglevel,
4891 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
4892 p[1],
4893 ipset2ascii_all (&gc));
4894 goto err;
4895 }
4896
4897 if (index == IPW32_SET_ADAPTIVE)
4898 options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
4899
4900 if (index == IPW32_SET_DHCP_MASQ)
4901 {
4902 if (p[2])
4903 {
4904 if (!streq (p[2], "default"))
4905 {
4906 int offset = atoi (p[2]);
4907
4908 if (!(offset > -256 && offset < 256))
4909 {
4910 msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
4911 goto err;
4912 }
4913
4914 to->dhcp_masq_custom_offset = true;
4915 to->dhcp_masq_offset = offset;
4916 }
4917
4918 if (p[3])
4919 {
4920 const int min_lease = 30;
4921 int lease_time;
4922 lease_time = atoi (p[3]);
4923 if (lease_time < min_lease)
4924 {
4925 msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
4926 goto err;
4927 }
4928 to->dhcp_lease_time = lease_time;
4929 }
4930 }
4931 }
4932 to->ip_win32_type = index;
4933 to->ip_win32_defined = true;
4934 }
4935 else if (streq (p[0], "dhcp-option") && p[1])
4936 {
4937 struct tuntap_options *o = &options->tuntap_options;
4938 VERIFY_PERMISSION (OPT_P_IPWIN32);
4939
4940 if (streq (p[1], "DOMAIN") && p[2])
4941 {
4942 o->domain = p[2];
4943 }
4944 else if (streq (p[1], "NBS") && p[2])
4945 {
4946 o->netbios_scope = p[2];
4947 }
4948 else if (streq (p[1], "NBT") && p[2])
4949 {
4950 int t;
4951 t = atoi (p[2]);
4952 if (!(t == 1 || t == 2 || t == 4 || t == 8))
4953 {
4954 msg (msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
4955 goto err;
4956 }
4957 o->netbios_node_type = t;
4958 }
4959 else if (streq (p[1], "DNS") && p[2])
4960 {
4961 dhcp_option_address_parse ("DNS", p[2], o->dns, &o->dns_len, msglevel);
4962 }
4963 else if (streq (p[1], "WINS") && p[2])
4964 {
4965 dhcp_option_address_parse ("WINS", p[2], o->wins, &o->wins_len, msglevel);
4966 }
4967 else if (streq (p[1], "NTP") && p[2])
4968 {
4969 dhcp_option_address_parse ("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
4970 }
4971 else if (streq (p[1], "NBDD") && p[2])
4972 {
4973 dhcp_option_address_parse ("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
4974 }
4975 else if (streq (p[1], "DISABLE-NBT"))
4976 {
4977 o->disable_nbt = 1;
4978 }
4979 else
4980 {
4981 msg (msglevel, "--dhcp-option: unknown option type '%s' or missing parameter", p[1]);
4982 goto err;
4983 }
4984 o->dhcp_options = true;
4985 }
4986 else if (streq (p[0], "show-adapters"))
4987 {
4988 VERIFY_PERMISSION (OPT_P_GENERAL);
4989 show_tap_win32_adapters (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
4990 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
4991 }
4992 else if (streq (p[0], "show-net"))
4993 {
4994 VERIFY_PERMISSION (OPT_P_GENERAL);
4995 show_routes (M_INFO|M_NOPREFIX);
4996 show_adapters (M_INFO|M_NOPREFIX);
4997 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
4998 }
4999 else if (streq (p[0], "show-net-up"))
5000 {
5001 VERIFY_PERMISSION (OPT_P_UP);
5002 options->show_net_up = true;
5003 }
5004 else if (streq (p[0], "tap-sleep") && p[1])
5005 {
5006 int s;
5007 VERIFY_PERMISSION (OPT_P_IPWIN32);
5008 s = atoi (p[1]);
5009 if (s < 0 || s >= 256)
5010 {
5011 msg (msglevel, "--tap-sleep parameter must be between 0 and 255");
5012 goto err;
5013 }
5014 options->tuntap_options.tap_sleep = s;
5015 }
5016 else if (streq (p[0], "dhcp-renew"))
5017 {
5018 VERIFY_PERMISSION (OPT_P_IPWIN32);
5019 options->tuntap_options.dhcp_renew = true;
5020 }
5021 else if (streq (p[0], "dhcp-pre-release"))
5022 {
5023 VERIFY_PERMISSION (OPT_P_IPWIN32);
5024 options->tuntap_options.dhcp_pre_release = true;
5025 }
5026 else if (streq (p[0], "dhcp-release"))
5027 {
5028 VERIFY_PERMISSION (OPT_P_IPWIN32);
5029 options->tuntap_options.dhcp_release = true;
5030 }
5031 else if (streq (p[0], "show-valid-subnets"))
5032 {
5033 VERIFY_PERMISSION (OPT_P_GENERAL);
5034 show_valid_win32_tun_subnets ();
5035 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
5036 }
5037 else if (streq (p[0], "pause-exit"))
5038 {
5039 VERIFY_PERMISSION (OPT_P_GENERAL);
5040 set_pause_exit_win32 ();
5041 }
5042 else if (streq (p[0], "service") && p[1])
5043 {
5044 VERIFY_PERMISSION (OPT_P_GENERAL);
5045 options->exit_event_name = p[1];
5046 if (p[2])
5047 {
5048 options->exit_event_initial_state = (atoi(p[2]) != 0);
5049 }
5050 }
5051 else if (streq (p[0], "allow-nonadmin"))
5052 {
5053 VERIFY_PERMISSION (OPT_P_GENERAL);
5054 tap_allow_nonadmin_access (p[1]);
5055 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5056 }
5057 else if (streq (p[0], "user") && p[1])
5058 {
5059 VERIFY_PERMISSION (OPT_P_GENERAL);
5060 msg (M_WARN, "NOTE: --user option is not implemented on Windows");
5061 }
5062 else if (streq (p[0], "group") && p[1])
5063 {
5064 VERIFY_PERMISSION (OPT_P_GENERAL);
5065 msg (M_WARN, "NOTE: --group option is not implemented on Windows");
5066 }
5067 #else
5068 else if (streq (p[0], "user") && p[1])
5069 {
5070 VERIFY_PERMISSION (OPT_P_GENERAL);
5071 options->username = p[1];
5072 }
5073 else if (streq (p[0], "group") && p[1])
5074 {
5075 VERIFY_PERMISSION (OPT_P_GENERAL);
5076 options->groupname = p[1];
5077 }
5078 else if (streq (p[0], "dhcp-option") && p[1])
5079 {
5080 VERIFY_PERMISSION (OPT_P_IPWIN32);
5081 foreign_option (options, p, 3, es);
5082 }
5083 else if (streq (p[0], "route-method") && p[1]) /* ignore when pushed to non-Windows OS */
5084 {
5085 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
5086 }
5087 #endif
5088 #if PASSTOS_CAPABILITY
5089 else if (streq (p[0], "passtos"))
5090 {
5091 VERIFY_PERMISSION (OPT_P_GENERAL);
5092 options->passtos = true;
5093 }
5094 #endif
5095 #ifdef USE_LZO
5096 else if (streq (p[0], "comp-lzo"))
5097 {
5098 VERIFY_PERMISSION (OPT_P_COMP);
5099 if (p[1])
5100 {
5101 if (streq (p[1], "yes"))
5102 options->lzo = LZO_SELECTED|LZO_ON;
5103 else if (streq (p[1], "no"))
5104 options->lzo = LZO_SELECTED;
5105 else if (streq (p[1], "adaptive"))
5106 options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE;
5107 else
5108 {
5109 msg (msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
5110 goto err;
5111 }
5112 }
5113 else
5114 options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE;
5115 }
5116 else if (streq (p[0], "comp-noadapt"))
5117 {
5118 VERIFY_PERMISSION (OPT_P_COMP);
5119 options->lzo &= ~LZO_ADAPTIVE;
5120 }
5121 #endif /* USE_LZO */
5122 #ifdef USE_CRYPTO
5123 else if (streq (p[0], "show-ciphers"))
5124 {
5125 VERIFY_PERMISSION (OPT_P_GENERAL);
5126 options->show_ciphers = true;
5127 }
5128 else if (streq (p[0], "show-digests"))
5129 {
5130 VERIFY_PERMISSION (OPT_P_GENERAL);
5131 options->show_digests = true;
5132 }
5133 else if (streq (p[0], "show-engines"))
5134 {
5135 VERIFY_PERMISSION (OPT_P_GENERAL);
5136 options->show_engines = true;
5137 }
5138 else if (streq (p[0], "key-direction") && p[1])
5139 {
5140 int key_direction;
5141
5142 key_direction = ascii2keydirection (msglevel, p[1]);
5143 if (key_direction >= 0)
5144 options->key_direction = key_direction;
5145 else
5146 goto err;
5147 }
5148 else if (streq (p[0], "secret") && p[1])
5149 {
5150 VERIFY_PERMISSION (OPT_P_GENERAL);
5151 #if ENABLE_INLINE_FILES
5152 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5153 {
5154 options->shared_secret_file_inline = p[2];
5155 }
5156 else
5157 #endif
5158 if (p[2])
5159 {
5160 int key_direction;
5161
5162 key_direction = ascii2keydirection (msglevel, p[2]);
5163 if (key_direction >= 0)
5164 options->key_direction = key_direction;
5165 else
5166 goto err;
5167 }
5168 options->shared_secret_file = p[1];
5169 }
5170 else if (streq (p[0], "genkey"))
5171 {
5172 VERIFY_PERMISSION (OPT_P_GENERAL);
5173 options->genkey = true;
5174 }
5175 else if (streq (p[0], "auth") && p[1])
5176 {
5177 VERIFY_PERMISSION (OPT_P_CRYPTO);
5178 options->authname_defined = true;
5179 options->authname = p[1];
5180 if (streq (options->authname, "none"))
5181 {
5182 options->authname_defined = false;
5183 options->authname = NULL;
5184 }
5185 }
5186 else if (streq (p[0], "auth"))
5187 {
5188 VERIFY_PERMISSION (OPT_P_CRYPTO);
5189 options->authname_defined = true;
5190 }
5191 else if (streq (p[0], "cipher") && p[1])
5192 {
5193 VERIFY_PERMISSION (OPT_P_CRYPTO);
5194 options->ciphername_defined = true;
5195 options->ciphername = p[1];
5196 if (streq (options->ciphername, "none"))
5197 {
5198 options->ciphername_defined = false;
5199 options->ciphername = NULL;
5200 }
5201 }
5202 else if (streq (p[0], "cipher"))
5203 {
5204 VERIFY_PERMISSION (OPT_P_CRYPTO);
5205 options->ciphername_defined = true;
5206 }
5207 else if (streq (p[0], "prng") && p[1])
5208 {
5209 VERIFY_PERMISSION (OPT_P_CRYPTO);
5210 if (streq (p[1], "none"))
5211 options->prng_hash = NULL;
5212 else
5213 options->prng_hash = p[1];
5214 if (p[2])
5215 {
5216 const int sl = atoi (p[2]);
5217 if (sl >= NONCE_SECRET_LEN_MIN && sl <= NONCE_SECRET_LEN_MAX)
5218 {
5219 options->prng_nonce_secret_len = sl;
5220 }
5221 else
5222 {
5223 msg (msglevel, "prng parameter nonce_secret_len must be between %d and %d",
5224 NONCE_SECRET_LEN_MIN, NONCE_SECRET_LEN_MAX);
5225 goto err;
5226 }
5227 }
5228 }
5229 else if (streq (p[0], "no-replay"))
5230 {
5231 VERIFY_PERMISSION (OPT_P_CRYPTO);
5232 options->replay = false;
5233 }
5234 else if (streq (p[0], "replay-window"))
5235 {
5236 VERIFY_PERMISSION (OPT_P_CRYPTO);
5237 if (p[1])
5238 {
5239 int replay_window;
5240
5241 replay_window = atoi (p[1]);
5242 if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
5243 {
5244 msg (msglevel, "replay-window window size parameter (%d) must be between %d and %d",
5245 replay_window,
5246 MIN_SEQ_BACKTRACK,
5247 MAX_SEQ_BACKTRACK);
5248 goto err;
5249 }
5250 options->replay_window = replay_window;
5251
5252 if (p[2])
5253 {
5254 int replay_time;
5255
5256 replay_time = atoi (p[2]);
5257 if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
5258 {
5259 msg (msglevel, "replay-window time window parameter (%d) must be between %d and %d",
5260 replay_time,
5261 MIN_TIME_BACKTRACK,
5262 MAX_TIME_BACKTRACK);
5263 goto err;
5264 }
5265 options->replay_time = replay_time;
5266 }
5267 }
5268 else
5269 {
5270 msg (msglevel, "replay-window option is missing window size parameter");
5271 goto err;
5272 }
5273 }
5274 else if (streq (p[0], "mute-replay-warnings"))
5275 {
5276 VERIFY_PERMISSION (OPT_P_CRYPTO);
5277 options->mute_replay_warnings = true;
5278 }
5279 else if (streq (p[0], "no-iv"))
5280 {
5281 VERIFY_PERMISSION (OPT_P_CRYPTO);
5282 options->use_iv = false;
5283 }
5284 else if (streq (p[0], "replay-persist") && p[1])
5285 {
5286 VERIFY_PERMISSION (OPT_P_GENERAL);
5287 options->packet_id_file = p[1];
5288 }
5289 else if (streq (p[0], "test-crypto"))
5290 {
5291 VERIFY_PERMISSION (OPT_P_GENERAL);
5292 options->test_crypto = true;
5293 }
5294 else if (streq (p[0], "engine"))
5295 {
5296 VERIFY_PERMISSION (OPT_P_GENERAL);
5297 if (p[1])
5298 {
5299 options->engine = p[1];
5300 }
5301 else
5302 options->engine = "auto";
5303 }
5304 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
5305 else if (streq (p[0], "keysize") && p[1])
5306 {
5307 int keysize;
5308
5309 VERIFY_PERMISSION (OPT_P_CRYPTO);
5310 keysize = atoi (p[1]) / 8;
5311 if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH)
5312 {
5313 msg (msglevel, "Bad keysize: %s", p[1]);
5314 goto err;
5315 }
5316 options->keysize = keysize;
5317 }
5318 #endif
5319 #ifdef USE_SSL
5320 else if (streq (p[0], "show-tls"))
5321 {
5322 VERIFY_PERMISSION (OPT_P_GENERAL);
5323 options->show_tls_ciphers = true;
5324 }
5325 else if (streq (p[0], "tls-server"))
5326 {
5327 VERIFY_PERMISSION (OPT_P_GENERAL);
5328 options->tls_server = true;
5329 }
5330 else if (streq (p[0], "tls-client"))
5331 {
5332 VERIFY_PERMISSION (OPT_P_GENERAL);
5333 options->tls_client = true;
5334 }
5335 else if (streq (p[0], "ca") && p[1])
5336 {
5337 VERIFY_PERMISSION (OPT_P_GENERAL);
5338 options->ca_file = p[1];
5339 #if ENABLE_INLINE_FILES
5340 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5341 {
5342 options->ca_file_inline = p[2];
5343 }
5344 #endif
5345 }
5346 else if (streq (p[0], "capath") && p[1])
5347 {
5348 VERIFY_PERMISSION (OPT_P_GENERAL);
5349 options->ca_path = p[1];
5350 }
5351 else if (streq (p[0], "dh") && p[1])
5352 {
5353 VERIFY_PERMISSION (OPT_P_GENERAL);
5354 options->dh_file = p[1];
5355 #if ENABLE_INLINE_FILES
5356 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5357 {
5358 options->dh_file_inline = p[2];
5359 }
5360 #endif
5361 }
5362 else if (streq (p[0], "cert") && p[1])
5363 {
5364 VERIFY_PERMISSION (OPT_P_GENERAL);
5365 options->cert_file = p[1];
5366 #if ENABLE_INLINE_FILES
5367 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5368 {
5369 options->cert_file_inline = p[2];
5370 }
5371 #endif
5372 }
5373 #ifdef WIN32
5374 else if (streq (p[0], "cryptoapicert") && p[1])
5375 {
5376 VERIFY_PERMISSION (OPT_P_GENERAL);
5377 options->cryptoapi_cert = p[1];
5378 }
5379 #endif
5380 else if (streq (p[0], "key") && p[1])
5381 {
5382 VERIFY_PERMISSION (OPT_P_GENERAL);
5383 options->priv_key_file = p[1];
5384 #if ENABLE_INLINE_FILES
5385 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5386 {
5387 options->priv_key_file_inline = p[2];
5388 }
5389 #endif
5390 }
5391 else if (streq (p[0], "pkcs12") && p[1])
5392 {
5393 VERIFY_PERMISSION (OPT_P_GENERAL);
5394 options->pkcs12_file = p[1];
5395 }
5396 else if (streq (p[0], "askpass"))
5397 {
5398 VERIFY_PERMISSION (OPT_P_GENERAL);
5399 if (p[1])
5400 {
5401 options->key_pass_file = p[1];
5402 }
5403 else
5404 options->key_pass_file = "stdin";
5405 }
5406 else if (streq (p[0], "auth-nocache"))
5407 {
5408 VERIFY_PERMISSION (OPT_P_GENERAL);
5409 ssl_set_auth_nocache ();
5410 }
5411 else if (streq (p[0], "single-session"))
5412 {
5413 VERIFY_PERMISSION (OPT_P_GENERAL);
5414 options->single_session = true;
5415 }
5416 else if (streq (p[0], "tls-exit"))
5417 {
5418 VERIFY_PERMISSION (OPT_P_GENERAL);
5419 options->tls_exit = true;
5420 }
5421 else if (streq (p[0], "tls-cipher") && p[1])
5422 {
5423 VERIFY_PERMISSION (OPT_P_GENERAL);
5424 options->cipher_list = p[1];
5425 }
5426 else if (streq (p[0], "crl-verify") && p[1])
5427 {
5428 VERIFY_PERMISSION (OPT_P_GENERAL);
5429 options->crl_file = p[1];
5430 }
5431 else if (streq (p[0], "tls-verify") && p[1])
5432 {
5433 VERIFY_PERMISSION (OPT_P_SCRIPT);
5434 if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
5435 goto err;
5436 options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);
5437 }
5438 else if (streq (p[0], "tls-remote") && p[1])
5439 {
5440 VERIFY_PERMISSION (OPT_P_GENERAL);
5441 options->tls_remote = p[1];
5442 }
5443 else if (streq (p[0], "ns-cert-type") && p[1])
5444 {
5445 VERIFY_PERMISSION (OPT_P_GENERAL);
5446 if (streq (p[1], "server"))
5447 options->ns_cert_type = NS_SSL_SERVER;
5448 else if (streq (p[1], "client"))
5449 options->ns_cert_type = NS_SSL_CLIENT;
5450 else
5451 {
5452 msg (msglevel, "--ns-cert-type must be 'client' or 'server'");
5453 goto err;
5454 }
5455 }
5456 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
5457 else if (streq (p[0], "remote-cert-ku"))
5458 {
5459 int j;
5460
5461 VERIFY_PERMISSION (OPT_P_GENERAL);
5462
5463 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5464 sscanf (p[j], "%x", &(options->remote_cert_ku[j-1]));
5465 }
5466 else if (streq (p[0], "remote-cert-eku") && p[1])
5467 {
5468 VERIFY_PERMISSION (OPT_P_GENERAL);
5469 options->remote_cert_eku = p[1];
5470 }
5471 else if (streq (p[0], "remote-cert-tls") && p[1])
5472 {
5473 VERIFY_PERMISSION (OPT_P_GENERAL);
5474
5475 if (streq (p[1], "server"))
5476 {
5477 options->remote_cert_ku[0] = 0xa0;
5478 options->remote_cert_ku[1] = 0x88;
5479 options->remote_cert_eku = "TLS Web Server Authentication";
5480 }
5481 else if (streq (p[1], "client"))
5482 {
5483 options->remote_cert_ku[0] = 0x80;
5484 options->remote_cert_ku[1] = 0x08;
5485 options->remote_cert_ku[2] = 0x88;
5486 options->remote_cert_eku = "TLS Web Client Authentication";
5487 }
5488 else
5489 {
5490 msg (msglevel, "--remote-cert-tls must be 'client' or 'server'");
5491 goto err;
5492 }
5493 }
5494 #endif /* OPENSSL_VERSION_NUMBER */
5495 else if (streq (p[0], "tls-timeout") && p[1])
5496 {
5497 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5498 options->tls_timeout = positive_atoi (p[1]);
5499 }
5500 else if (streq (p[0], "reneg-bytes") && p[1])
5501 {
5502 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5503 options->renegotiate_bytes = positive_atoi (p[1]);
5504 }
5505 else if (streq (p[0], "reneg-pkts") && p[1])
5506 {
5507 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5508 options->renegotiate_packets = positive_atoi (p[1]);
5509 }
5510 else if (streq (p[0], "reneg-sec") && p[1])
5511 {
5512 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5513 options->renegotiate_seconds = positive_atoi (p[1]);
5514 }
5515 else if (streq (p[0], "hand-window") && p[1])
5516 {
5517 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5518 options->handshake_window = positive_atoi (p[1]);
5519 }
5520 else if (streq (p[0], "tran-window") && p[1])
5521 {
5522 VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5523 options->transition_window = positive_atoi (p[1]);
5524 }
5525 else if (streq (p[0], "tls-auth") && p[1])
5526 {
5527 VERIFY_PERMISSION (OPT_P_GENERAL);
5528 #if ENABLE_INLINE_FILES
5529 if (streq (p[1], INLINE_FILE_TAG) && p[2])
5530 {
5531 options->tls_auth_file_inline = p[2];
5532 }
5533 else
5534 #endif
5535 if (p[2])
5536 {
5537 int key_direction;
5538
5539 key_direction = ascii2keydirection (msglevel, p[2]);
5540 if (key_direction >= 0)
5541 options->key_direction = key_direction;
5542 else
5543 goto err;
5544 }
5545 options->tls_auth_file = p[1];
5546 }
5547 else if (streq (p[0], "key-method") && p[1])
5548 {
5549 int key_method;
5550
5551 VERIFY_PERMISSION (OPT_P_GENERAL);
5552 key_method = atoi (p[1]);
5553 if (key_method < KEY_METHOD_MIN || key_method > KEY_METHOD_MAX)
5554 {
5555 msg (msglevel, "key_method parameter (%d) must be >= %d and <= %d",
5556 key_method,
5557 KEY_METHOD_MIN,
5558 KEY_METHOD_MAX);
5559 goto err;
5560 }
5561 options->key_method = key_method;
5562 }
5563 #endif /* USE_SSL */
5564 #endif /* USE_CRYPTO */
5565 #ifdef ENABLE_PKCS11
5566 else if (streq (p[0], "show-pkcs11-ids") && p[1])
5567 {
5568 char *provider = p[1];
5569 bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 ));
5570
5571 VERIFY_PERMISSION (OPT_P_GENERAL);
5572
5573 set_debug_level (options->verbosity, SDL_CONSTRAIN);
5574 show_pkcs11_ids (provider, cert_private);
5575 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5576 }
5577 else if (streq (p[0], "pkcs11-providers") && p[1])
5578 {
5579 int j;
5580
5581 VERIFY_PERMISSION (OPT_P_GENERAL);
5582
5583 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5584 options->pkcs11_providers[j-1] = p[j];
5585 }
5586 else if (streq (p[0], "pkcs11-protected-authentication"))
5587 {
5588 int j;
5589
5590 VERIFY_PERMISSION (OPT_P_GENERAL);
5591
5592 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5593 options->pkcs11_protected_authentication[j-1] = atoi (p[j]) != 0 ? 1 : 0;
5594 }
5595 else if (streq (p[0], "pkcs11-private-mode") && p[1])
5596 {
5597 int j;
5598
5599 VERIFY_PERMISSION (OPT_P_GENERAL);
5600
5601 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5602 sscanf (p[j], "%x", &(options->pkcs11_private_mode[j-1]));
5603 }
5604 else if (streq (p[0], "pkcs11-cert-private"))
5605 {
5606 int j;
5607
5608 VERIFY_PERMISSION (OPT_P_GENERAL);
5609
5610 for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5611 options->pkcs11_cert_private[j-1] = atoi (p[j]) != 0 ? 1 : 0;
5612 }
5613 else if (streq (p[0], "pkcs11-pin-cache") && p[1])
5614 {
5615 VERIFY_PERMISSION (OPT_P_GENERAL);
5616 options->pkcs11_pin_cache_period = atoi (p[1]);
5617 }
5618 else if (streq (p[0], "pkcs11-id") && p[1])
5619 {
5620 VERIFY_PERMISSION (OPT_P_GENERAL);
5621 options->pkcs11_id = p[1];
5622 }
5623 else if (streq (p[0], "pkcs11-id-management"))
5624 {
5625 VERIFY_PERMISSION (OPT_P_GENERAL);
5626 options->pkcs11_id_management = true;
5627 }
5628 #endif
5629 #ifdef TUNSETPERSIST
5630 else if (streq (p[0], "rmtun"))
5631 {
5632 VERIFY_PERMISSION (OPT_P_GENERAL);
5633 options->persist_config = true;
5634 options->persist_mode = 0;
5635 }
5636 else if (streq (p[0], "mktun"))
5637 {
5638 VERIFY_PERMISSION (OPT_P_GENERAL);
5639 options->persist_config = true;
5640 options->persist_mode = 1;
5641 }
5642 #endif
5643 else
5644 {
5645 if (file)
5646 msg (msglevel_fc, "Unrecognized option or missing parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
5647 else
5648 msg (msglevel_fc, "Unrecognized option or missing parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
5649 }
5650 err:
5651 gc_free (&gc);
5652 }
Tomato firmware and modifications.