~ubuntu-branches/ubuntu/oneiric/openvpn/oneiric

« back to all changes in this revision

Viewing changes to options.c

Committer: Bazaar Package Importer
Author(s): Chuck Short
Date: 2011-06-16 18:33:37 UTC
mfrom: (1.3.6 upstream)
mto: This revision was merged to the branch mainline in revision 46.
Revision ID: james.westby@ubuntu.com-20110616183337-etb3qgbwjkn8zniq

Tags: upstream-2.2.0

Import upstream version 2.2.0

files added:
configure_h.awk

configure_log.awk

contrib/OCSP_check

contrib/OCSP_check/OCSP_check.sh

management

management/management-notes.txt

sample-keys/ta.key

service-win32/msvc.mak

t_client.sh

t_client.sh.in

win/config.h.in

win/openvpn.nsi

win/setpath.nsi

files removed:
thread.c

thread.h

files modified:
ChangeLog

INSTALL

INSTALL-win32.txt

Makefile.am

Makefile.in

acinclude.m4

aclocal.m4

base64.c

base64.h

buffer.c

buffer.h

common.h

config.guess

config.h.in

config.sub

configure

configure.ac

contrib/pull-resolv-conf/client.down

contrib/pull-resolv-conf/client.up

crypto.c

cryptoapi.c

depcomp

easy-rsa/2.0/build-ca

easy-rsa/2.0/build-dh

easy-rsa/2.0/build-inter

easy-rsa/2.0/build-key

easy-rsa/2.0/build-key-pass

easy-rsa/2.0/build-key-pkcs12

easy-rsa/2.0/build-key-server

easy-rsa/2.0/build-req

easy-rsa/2.0/build-req-pass

easy-rsa/2.0/clean-all

easy-rsa/2.0/inherit-inter

easy-rsa/2.0/list-crl

easy-rsa/2.0/pkitool

easy-rsa/2.0/revoke-full

easy-rsa/2.0/sign-req

easy-rsa/Windows/build-ca-pass.bat

easy-rsa/Windows/build-key-pass.bat

easy-rsa/Windows/build-key-server-pass.bat

error.c

error.h

forward.c

httpdigest.c

httpdigest.h

ieproxy.c

images/Makefile.in

init.c

install-sh

install-win32/Makefile.in

install-win32/openssl/openssl097.patch

install-win32/openssl/openssl098.patch

list.c

list.h

mbuf.c

mbuf.h

misc.c

misc.h

missing

mroute.c

mroute.h

mtcp.c

mudp.c

multi.c

multi.h

openvpn-plugin.h

openvpn.8

openvpn.h

openvpn.spec

options.c

options.h

otime.c

otime.h

perf.c

pf.c

ping.c

pkcs11.c

plugin.c

plugin/auth-pam/auth-pam.c

pool.h

proxy.c

ps.c

push.c

reliable.c

route.c

sample-config-files/firewall.sh

sample-scripts/bridge-start

sample-scripts/bridge-stop

sample-scripts/openvpn.init

sample-scripts/verify-cn

schedule.c

schedule.h

service-win32/Makefile.in

service-win32/openvpnserv.c

sig.c

socket.c

socket.h

socks.c

socks.h

ssl.c

ssl.h

status.c

syshead.h

tap-win32/SOURCES.in

tap-win32/common.h

tap-win32/proto.h

tap-win32/tapdrvr.c

tap-win32/types.h

tun.c

version.m4

win/autodefs.h.in

win/build.py

win/build_all.py

win/build_ddk.py

win/build_exe.py

win/config.py

win/config_all.py

win/config_tap.py

win/config_ti.py

win/js.py

win/make_dist.py

win/msvc.mak.in

win/settings.in

win/show.py

win/sign.py

win/tap_span.py

win/wb.py

win32.c

win32.h

Show diffs side-by-side

added added

removed removed

options.c

* Additions for eurephia plugin done by:

* This program is free software; you can redistribute it and/or modify

* it under the terms of the GNU General Public License version 2

* as published by the Free Software Foundation.

#include "pool.h"

#include "helper.h"

#include "manage.h"

#include "forward.h"

#include "configure.h"

#include <ctype.h>

#include "memdbg.h"

#ifdef PRODUCT_TAP_DEBUG

" [TAPDBG]"

#endif

#ifdef USE_PTHREAD

" [PTHREAD]"

#endif

#ifdef ENABLE_PKCS11

" [PKCS11]"

#endif

#ifdef ENABLE_EUREPHIA

" [eurephia]"

#endif

" built on " __DATE__

;

100

"--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"

101

"--proto p : Use protocol p for communicating with peer.\n"

102

" p = udp (default), tcp-server, or tcp-client\n"

103

"--proto-force p : only consider protocol p in list of connection profiles.\n"

104

"--connect-retry n : For --proto tcp-client, number of seconds to wait\n"

105

" between connection retries (default=%d).\n"

106

"--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).\n"

119

126

" AGENT user-agent\n"

120

127

#endif

121

128

#ifdef ENABLE_SOCKS

122

"--socks-proxy s [p]: Connect to remote host through a Socks5 proxy at address\n"

123

" s and port p (default port = 1080).\n"

129

"--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"

130

" address s and port p (default port = 1080).\n"

131

" If proxy authentication is required,\n"

132

" up is a file containing username/password on 2 lines, or\n"

133

" 'stdin' to prompt for console.\n"

124

134

"--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"

125

135

#endif

126

136

"--resolv-retry n: If hostname resolve fails for --remote, retry\n"

287

297

"--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"

288

298

"--writepid file : Write main process ID to file.\n"

289

299

"--nice n : Change process priority (>0 = lower, <0 = higher).\n"

290

#if 0

291

#ifdef USE_PTHREAD

292

"--nice-work n : Change thread priority of work thread. The work\n"

293

" thread is used for background processing such as\n"

294

" RSA key number crunching.\n"

295

#endif

296

#endif

297

300

"--echo [parms ...] : Echo parameters to log output.\n"

298

301

"--verb n : Set output verbosity to n (default=%d):\n"

299

302

" (Level 3 is recommended if you want a good summary\n"

409

412

"--client-disconnect cmd : Run script cmd on client disconnection.\n"

410

413

"--client-config-dir dir : Directory for custom client config files.\n"

411

414

"--ccd-exclusive : Refuse connection unless custom client config is found.\n"

412

"--tmp-dir dir : Temporary directory, used for --client-connect return file.\n"

415

"--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"

413

416

"--hash-size r v : Set the size of the real address hash table to r and the\n"

414

417

" virtual address table to v.\n"

415

418

"--bcast-buffers n : Allocate n broadcast buffers.\n"

503

506

"--key file : Local private key in .pem format.\n"

504

507

"--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"

505

508

" and optionally the root CA certificate.\n"

509

#ifdef ENABLE_X509ALTUSERNAME

510

"--x509-username-field : Field used in x509 certificat to be username.\n"

511

" Default is CN.\n"

512

#endif

506

513

#ifdef WIN32

507

514

"--cryptoapicert select-string : Load the certificate and private key from the\n"

508

515

" Windows Certificate System Store.\n"

533

540

" tests of certification. cmd should return 0 to allow\n"

534

541

" TLS handshake to proceed, or 1 to fail. (cmd is\n"

535

542

" executed as 'cmd certificate_depth X509_NAME_oneline')\n"

543

"--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"

544

" in an openvpn temporary file in [directory]. Peer cert is \n"

545

" stored before tls-verify script execution and deleted after.\n"

536

546

"--tls-remote x509name: Accept connections only from a host with X509 name\n"

537

547

" x509name. The remote host must also pass all other tests\n"

538

548

" of verification.\n"

693

703

o->route_delay_window = 30;

694

704

o->max_routes = MAX_ROUTES_DEFAULT;

695

705

o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;

706

o->proto_force = -1;

696

707

#ifdef ENABLE_OCC

697

708

o->occ = true;

698

709

#endif

721

732

o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */

722

733

o->route_method = ROUTE_METHOD_ADAPTIVE;

723

734

#endif

724

#ifdef USE_PTHREAD

725

o->n_threads = 1;

726

#endif

727

735

#if P2MP_SERVER

728

736

o->real_hash_size = 256;

729

737

o->virtual_hash_size = 256;

755

763

o->renegotiate_seconds = 3600;

756

764

o->handshake_window = 60;

757

765

o->transition_window = 3600;

758

#endif

759

#endif

766

#ifdef ENABLE_X509ALTUSERNAME

767

o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;

768

#endif

769

#endif /* USE_SSL */

770

#endif /* USE_CRYPTO */

760

771

#ifdef ENABLE_PKCS11

761

772

o->pkcs11_pin_cache_period = -1;

762

773

#endif /* ENABLE_PKCS11 */

774

775

/* Set default --tmp-dir */

776

#ifdef WIN32

777

/* On Windows, find temp dir via enviroment variables */

778

o->tmp_dir = win_get_tempdir();

779

#else

780

/* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */

781

o->tmp_dir = getenv("TMPDIR");

782

if( !o->tmp_dir ) {

783

o->tmp_dir = "/tmp";

784

}

785

#endif /* WIN32 */

763

786

}

764

787

765

788

void

872

895

|| o->persist_key

873

896

|| o->persist_local_ip

874

897

|| o->persist_remote_ip

875

#ifdef USE_PTHREAD

876

|| o->n_threads >= 2

877

#endif

878

898

;

879

899

}

880

900

1333

1353

#endif

1334

1354

SHOW_STR (cipher_list);

1335

1355

SHOW_STR (tls_verify);

1356

SHOW_STR (tls_export_cert);

1336

1357

SHOW_STR (tls_remote);

1337

1358

SHOW_STR (crl_file);

1338

1359

SHOW_INT (ns_cert_type);

1907

1928

msg (M_USAGE, "--client-connect requires --mode server");

1908

1929

if (options->client_disconnect_script)

1909

1930

msg (M_USAGE, "--client-disconnect requires --mode server");

1910

if (options->tmp_dir)

1911

msg (M_USAGE, "--tmp-dir requires --mode server");

1912

1931

if (options->client_config_dir || options->ccd_exclusive)

1913

1932

msg (M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");

1914

1933

if (options->enable_c2c)

2061

2080

MUST_BE_UNDEF (pkcs12_file);

2062

2081

MUST_BE_UNDEF (cipher_list);

2063

2082

MUST_BE_UNDEF (tls_verify);

2083

MUST_BE_UNDEF (tls_export_cert);

2064

2084

MUST_BE_UNDEF (tls_remote);

2065

2085

MUST_BE_UNDEF (tls_timeout);

2066

2086

MUST_BE_UNDEF (renegotiate_bytes);

2129

2149

2130

2150

if (!ce->bind_local)

2131

2151

ce->local_port = 0;

2152

2153

/* if protocol forcing is enabled, disable all protocols except for the forced one */

2154

if (o->proto_force >= 0 && is_proto_tcp(o->proto_force) != is_proto_tcp(ce->proto))

2155

ce->flags |= CE_DISABLED;

2132

2156

}

2133

2157

2134

2158

static void

2903

2927

msg (M_INFO|M_NOPREFIX, "%s", title_string);

2904

2928

msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");

2905

2929

2930

#ifndef ENABLE_SMALL

2931

#ifdef CONFIGURE_CALL

2932

msg (M_INFO|M_NOPREFIX, "\n%s\n", CONFIGURE_CALL);

2933

#endif

2934

#ifdef CONFIGURE_DEFINES

2935

msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);

2936

#endif

2937

#endif

2906

2938

openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */

2907

2939

}

2908

2940

2937

2969

return i < 0 ? 0 : i;

2938

2970

}

2939

2971

2972

#ifdef WIN32 /* This function is only used when compiling on Windows */

2940

2973

static unsigned int

2941

2974

atou (const char *str)

2942

2975

{

2944

2977

sscanf (str, "%u", &val);

2945

2978

return val;

2946

2979

}

2980

#endif

2947

2981

2948

2982

static inline bool

2949

2983

space (unsigned char c)

3485

3519

}

3486

3520

3487

3521

static void

3522

warn_multiple_script (const char *script, const char *type) {

3523

if (script) {

3524

msg (M_WARN, "Multiple --%s scripts defined. "

3525

"The previously configured script is overridden.", type);

3526

}

3527

}

3528

3529

3530

static void

3488

3531

add_option (struct options *options,

3489

3532

char *p[],

3490

3533

const char *file,

3884

3927

VERIFY_PERMISSION (OPT_P_SCRIPT);

3885

3928

if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))

3886

3929

goto err;

3930

warn_multiple_script (options->ipchange, "ipchange");

3887

3931

options->ipchange = string_substitute (p[1], ',', ' ', &options->gc);

3888

3932

}

3889

3933

else if (streq (p[0], "float"))

3930

3974

VERIFY_PERMISSION (OPT_P_SCRIPT);

3931

3975

if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))

3932

3976

goto err;

3977

warn_multiple_script (options->up_script, "up");

3933

3978

options->up_script = p[1];

3934

3979

}

3935

3980

else if (streq (p[0], "down") && p[1])

3937

3982

VERIFY_PERMISSION (OPT_P_SCRIPT);

3938

3983

if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))

3939

3984

goto err;

3985

warn_multiple_script (options->down_script, "down");

3940

3986

options->down_script = p[1];

3941

3987

}

3942

3988

else if (streq (p[0], "down-pre"))

3996

4042

{

3997

4043

if (options->inetd != -1)

3998

4044

{

3999

msg (msglevel, opterr);

4045

msg (msglevel, "%s", opterr);

4000

4046

goto err;

4001

4047

}

4002

4048

else

4006

4052

{

4007

4053

if (options->inetd != -1)

4008

4054

{

4009

msg (msglevel, opterr);

4055

msg (msglevel, "%s", opterr);

4010

4056

goto err;

4011

4057

}

4012

4058

else

4016

4062

{

4017

4063

if (name != NULL)

4018

4064

{

4019

msg (msglevel, opterr);

4065

msg (msglevel, "%s", opterr);

4020

4066

goto err;

4021

4067

}

4022

4068

name = p[z];

4192

4238

goto err;

4193

4239

#endif

4194

4240

}

4195

#ifdef USE_PTHREAD

4196

else if (streq (p[0], "nice-work") && p[1])

4197

{

4198

VERIFY_PERMISSION (OPT_P_NICE);

4199

options->nice_work = atoi (p[1]);

4200

}

4201

else if (streq (p[0], "threads") && p[1])

4202

{

4203

int n_threads;

4204

4205

VERIFY_PERMISSION (OPT_P_GENERAL);

4206

n_threads = positive_atoi (p[1]);

4207

if (n_threads < 1)

4208

{

4209

msg (msglevel, "--threads parameter must be at least 1");

4210

goto err;

4211

}

4212

options->n_threads = n_threads;

4213

}

4214

#endif

4215

4241

else if (streq (p[0], "shaper") && p[1])

4216

4242

{

4217

4243

#ifdef HAVE_GETTIMEOFDAY

4252

4278

4253

4279

VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);

4254

4280

port = atoi (p[1]);

4255

if (!legal_ipv4_port (port))

4281

if ((port != 0) && !legal_ipv4_port (port))

4256

4282

{

4257

4283

msg (msglevel, "Bad local port number: %s", p[1]);

4258

4284

goto err;

4311

4337

}

4312

4338

options->ce.proto = proto;

4313

4339

}

4340

else if (streq (p[0], "proto-force") && p[1])

4341

{

4342

int proto_force;

4343

VERIFY_PERMISSION (OPT_P_GENERAL);

4344

proto_force = ascii2proto (p[1]);

4345

if (proto_force < 0)

4346

{

4347

msg (msglevel, "Bad --proto-force protocol: '%s'", p[1]);

4348

goto err;

4349

}

4350

options->proto_force = proto_force;

4351

options->force_connection_list = true;

4352

}

4314

4353

#ifdef GENERAL_PROXY_SUPPORT

4315

4354

else if (streq (p[0], "auto-proxy"))

4316

4355

{

4452

4491

options->ce.socks_proxy_port = 1080;

4453

4492

}

4454

4493

options->ce.socks_proxy_server = p[1];

4494

options->ce.socks_proxy_authfile = p[3]; /* might be NULL */

4455

4495

}

4456

4496

else if (streq (p[0], "socks-proxy-retry"))

4457

4497

{

4605

4645

VERIFY_PERMISSION (OPT_P_SCRIPT);

4606

4646

if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))

4607

4647

goto err;

4648

warn_multiple_script (options->route_script, "route-up");

4608

4649

options->route_script = p[1];

4609

4650

}

4610

4651

else if (streq (p[0], "route-noexec"))

4934

4975

msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");

4935

4976

goto err;

4936

4977

}

4978

warn_multiple_script (options->auth_user_pass_verify_script, "auth-user-pass-verify");

4937

4979

options->auth_user_pass_verify_script = p[1];

4938

4980

}

4939

4981

else if (streq (p[0], "client-connect") && p[1])

4941

4983

VERIFY_PERMISSION (OPT_P_SCRIPT);

4942

4984

if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))

4943

4985

goto err;

4986

warn_multiple_script (options->client_connect_script, "client-connect");

4944

4987

options->client_connect_script = p[1];

4945

4988

}

4946

4989

else if (streq (p[0], "client-disconnect") && p[1])

4948

4991

VERIFY_PERMISSION (OPT_P_SCRIPT);

4949

4992

if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))

4950

4993

goto err;

4994

warn_multiple_script (options->client_disconnect_script, "client-disconnect");

4951

4995

options->client_disconnect_script = p[1];

4952

4996

}

4953

4997

else if (streq (p[0], "learn-address") && p[1])

4955

4999

VERIFY_PERMISSION (OPT_P_SCRIPT);

4956

5000

if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))

4957

5001

goto err;

5002

warn_multiple_script (options->learn_address_script, "learn-address");

4958

5003

options->learn_address_script = p[1];

4959

5004

}

4960

5005

else if (streq (p[0], "tmp-dir") && p[1])

5308

5353

VERIFY_PERMISSION (OPT_P_IPWIN32);

5309

5354

options->tuntap_options.register_dns = true;

5310

5355

}

5311

else if (streq (p[0], "rdns-internal")) /* standalone method for internal use */

5356

else if (streq (p[0], "rdns-internal"))

5357

/* standalone method for internal use

5358

5359

* (if --register-dns is set, openvpn needs to call itself in a

5360

* sub-process to execute the required functions in a non-blocking

5361

* way, and uses --rdns-internal to signal that to itself)

5362

5312

5363

{

5313

5364

VERIFY_PERMISSION (OPT_P_GENERAL);

5314

5365

set_debug_level (options->verbosity, SDL_CONSTRAIN);

5680

5731

{

5681

5732

VERIFY_PERMISSION (OPT_P_GENERAL);

5682

5733

options->pkcs12_file = p[1];

5734

#if ENABLE_INLINE_FILES

5735

if (streq (p[1], INLINE_FILE_TAG) && p[2])

5736

{

5737

options->pkcs12_file_inline = p[2];

5738

}

5739

#endif

5683

5740

}

5684

5741

else if (streq (p[0], "askpass"))

5685

5742

{

5728

5785

VERIFY_PERMISSION (OPT_P_SCRIPT);

5729

5786

if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))

5730

5787

goto err;

5788

warn_multiple_script (options->tls_verify, "tls-verify");

5731

5789

options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);

5732

5790

}

5791

else if (streq (p[0], "tls-export-cert") && p[1])

5792

{

5793

VERIFY_PERMISSION (OPT_P_GENERAL);

5794

options->tls_export_cert = p[1];

5795

}

5733

5796

else if (streq (p[0], "tls-remote") && p[1])

5734

5797

{

5735

5798

VERIFY_PERMISSION (OPT_P_GENERAL);

5855

5918

}

5856

5919

options->key_method = key_method;

5857

5920

}

5921

#ifdef ENABLE_X509ALTUSERNAME

5922

else if (streq (p[0], "x509-username-field") && p[1])

5923

{

5924

char *s = p[1];

5925

VERIFY_PERMISSION (OPT_P_GENERAL);

5926

while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */

5927

options->x509_username_field = p[1];

5928

}

5929

#endif /* ENABLE_X509ALTUSERNAME */

5858

5930

#endif /* USE_SSL */

5859

5931

#endif /* USE_CRYPTO */

5860

5932

#ifdef ENABLE_PKCS11

Older »