~ubuntu-branches/ubuntu/saucy/openvpn/saucy-proposed
» Revision
53
: .pc/openvpn-pkcs11warn.patch/options.c
« back to all changes in this revision
Viewing changes to .pc/openvpn-pkcs11warn.patch/options.c
- browse files at revision 53
- compare with another revision
- download diff
- download tarball
- view history from revision 53
- Committer: Package Import Robot
- Author(s): Stéphane Graber
- Date: 2013-05-24 17:42:45 UTC
- mfrom: (1.1.19) (10.2.22 sid)
- Revision ID: package-import@ubuntu.com-20130524174245-g9y6wlforycufqy5
Tags: 2.3.1-2ubuntu1
* Merge from Debian unstable. Remaining changes:
- debian/openvpn.init.d:
+ Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+ Show per-VPN result messages.
+ Add "--script-security 2" by default for backwards compatabliity.
- debian/openvpn.init.d:
+ Do not use start-stop-daemon and </dev/null to avoid blocking boot.
+ Show per-VPN result messages.
+ Add "--script-security 2" by default for backwards compatabliity.
- files added:
- .gitattributes
- .pc/accommodate_typo.patch/src
- .pc/accommodate_typo.patch/src/openvpn
- .pc/auth-pam_libpam_so_filename.patch/src
- .pc/auth-pam_libpam_so_filename.patch/src/plugins
- .pc/auth-pam_libpam_so_filename.patch/src/plugins/auth-pam
- .pc/close_socket_before_scripts.patch/src
- .pc/close_socket_before_scripts.patch/src/openvpn
- .pc/debian_nogroup_for_sample_files.patch/sample
- .pc/debian_nogroup_for_sample_files.patch/sample/sample-config-files
- .pc/kfreebsd_support.patch/src
- .pc/kfreebsd_support.patch/src/openvpn
- .pc/manpage_fixes.patch/doc
- .pc/openvpn-pkcs11warn.patch/src
- .pc/openvpn-pkcs11warn.patch/src/openvpn
- .pc/route_default_nil.patch/doc
- build
- build/msvc
- build/msvc/msvc-generate
- distro
- distro/rpm
- doc
- include
- m4
- sample
- sample/sample-config-files
- sample/sample-keys
- sample/sample-plugins
- sample/sample-plugins/defer
- sample/sample-plugins/log
- sample/sample-plugins/simple
- sample/sample-scripts
- sample/sample-windows
- src
- src/compat
- src/openvpn
- src/openvpnserv
- src/plugins
- src/plugins/auth-pam
- src/plugins/down-root
- tests
- files removed:
- .pc/accommodate_typo.patch/occ.c
- .pc/auth-pam_libpam_so_filename.patch/plugin
- .pc/auth-pam_libpam_so_filename.patch/plugin/auth-pam
- .pc/debian_nogroup_for_sample_files.patch/sample-config-files
- .pc/ipv6-payload.patch
- .pc/jjo-ipv6-support.patch
- .pc/use-dpkg-buildflags.patch
- .pc/use-dpkg-buildflags.patch/plugin
- .pc/use-dpkg-buildflags.patch/plugin/auth-pam
- .pc/use-dpkg-buildflags.patch/plugin/down-root
- easy-rsa
- easy-rsa/1.0
- easy-rsa/2.0
- easy-rsa/2.0/tmp
- easy-rsa/Windows
- images
- install-win32
- install-win32/openssl
- management
- plugin
- plugin/auth-pam
- plugin/defer
- plugin/down-root
- plugin/examples
- sample-config-files
- sample-keys
- sample-scripts
- service-win32
- suse
- tap-win32
- tap-win32/i386
- win
- files modified:
- .pc/applied-patches
added
removed
.pc/openvpn-pkcs11warn.patch/options.c
1
/*
2
* OpenVPN -- An application to securely tunnel IP networks
3
* over a single UDP port, with support for SSL/TLS-based
4
* session authentication and key exchange,
5
* packet encryption, packet authentication, and
6
* packet compression.
7
*
8
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9
*
10
* Additions for eurephia plugin done by:
11
* David Sommerseth <dazo@users.sourceforge.net> Copyright (C) 2009
12
*
13
* This program is free software; you can redistribute it and/or modify
14
* it under the terms of the GNU General Public License version 2
15
* as published by the Free Software Foundation.
16
*
17
* This program is distributed in the hope that it will be useful,
18
* but WITHOUT ANY WARRANTY; without even the implied warranty of
19
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20
* GNU General Public License for more details.
21
*
22
* You should have received a copy of the GNU General Public License
23
* along with this program (see the file COPYING included with this
24
* distribution); if not, write to the Free Software Foundation, Inc.,
25
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26
*/
27
28
/*
29
* 2004-01-28: Added Socks5 proxy support
30
* (Christof Meerwald, http://cmeerw.org)
31
*/
32
33
#include "syshead.h"
34
35
#include "buffer.h"
36
#include "error.h"
37
#include "common.h"
38
#include "shaper.h"
39
#include "crypto.h"
40
#include "ssl.h"
41
#include "options.h"
42
#include "misc.h"
43
#include "socket.h"
44
#include "packet_id.h"
45
#include "pkcs11.h"
46
#include "win32.h"
47
#include "push.h"
48
#include "pool.h"
49
#include "helper.h"
50
#include "manage.h"
51
#include "forward.h"
52
#include "configure.h"
53
#include <ctype.h>
54
55
#include "memdbg.h"
56
57
const char title_string[] =
58
PACKAGE_STRING
59
" " TARGET_ALIAS
60
#ifdef USE_CRYPTO
61
#ifdef USE_SSL
62
" [SSL]"
63
#else
64
" [CRYPTO]"
65
#endif
66
#endif
67
#ifdef USE_LZO
68
" [LZO" LZO_VERSION_NUM "]"
69
#endif
70
#if EPOLL
71
" [EPOLL]"
72
#endif
73
#ifdef PRODUCT_TAP_DEBUG
74
" [TAPDBG]"
75
#endif
76
#ifdef ENABLE_PKCS11
77
" [PKCS11]"
78
#endif
79
#ifdef ENABLE_EUREPHIA
80
" [eurephia]"
81
#endif
82
" built on " __DATE__
83
;
84
85
#ifndef ENABLE_SMALL
86
87
static const char usage_message[] =
88
"%s\n"
89
"\n"
90
"General Options:\n"
91
"--config file : Read configuration options from file.\n"
92
"--help : Show options.\n"
93
"--version : Show copyright and version information.\n"
94
"\n"
95
"Tunnel Options:\n"
96
"--local host : Local host name or ip address. Implies --bind.\n"
97
"--remote host [port] : Remote host name or ip address.\n"
98
"--remote-random : If multiple --remote options specified, choose one randomly.\n"
99
"--remote-random-hostname : Add a random string to remote DNS name.\n"
100
"--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
101
"--proto p : Use protocol p for communicating with peer.\n"
102
" p = udp (default), tcp-server, or tcp-client\n"
103
"--proto-force p : only consider protocol p in list of connection profiles.\n"
104
"--connect-retry n : For --proto tcp-client, number of seconds to wait\n"
105
" between connection retries (default=%d).\n"
106
"--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).\n"
107
"--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
108
#ifdef GENERAL_PROXY_SUPPORT
109
"--auto-proxy : Try to sense proxy settings (or lack thereof) automatically.\n"
110
"--show-proxy-settings : Show sensed proxy settings.\n"
111
#endif
112
#ifdef ENABLE_HTTP_PROXY
113
"--http-proxy s p [up] [auth] : Connect to remote host\n"
114
" through an HTTP proxy at address s and port p.\n"
115
" If proxy authentication is required,\n"
116
" up is a file containing username/password on 2 lines, or\n"
117
" 'stdin' to prompt from console. Add auth='ntlm' if\n"
118
" the proxy requires NTLM authentication.\n"
119
"--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
120
" determine auth method and query for username/password\n"
121
" if needed. auto-nct disables weak proxy auth methods.\n"
122
"--http-proxy-retry : Retry indefinitely on HTTP proxy errors.\n"
123
"--http-proxy-timeout n : Proxy timeout in seconds, default=5.\n"
124
"--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
125
" Repeat to set multiple options.\n"
126
" VERSION version (default=1.0)\n"
127
" AGENT user-agent\n"
128
#endif
129
#ifdef ENABLE_SOCKS
130
"--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
131
" address s and port p (default port = 1080).\n"
132
" If proxy authentication is required,\n"
133
" up is a file containing username/password on 2 lines, or\n"
134
" 'stdin' to prompt for console.\n"
135
"--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
136
#endif
137
"--resolv-retry n: If hostname resolve fails for --remote, retry\n"
138
" resolve for n seconds before failing (disabled by default).\n"
139
" Set n=\"infinite\" to retry indefinitely.\n"
140
"--float : Allow remote to change its IP address/port, such as through\n"
141
" DHCP (this is the default if --remote is not used).\n"
142
"--ipchange cmd : Execute shell command cmd on remote ip address initial\n"
143
" setting or change -- execute as: cmd ip-address port#\n"
144
"--port port : TCP/UDP port # for both local and remote.\n"
145
"--lport port : TCP/UDP port # for local (default=%d). Implies --bind.\n"
146
"--rport port : TCP/UDP port # for remote (default=%d).\n"
147
"--bind : Bind to local address and port. (This is the default unless\n"
148
" --proto tcp-client"
149
#ifdef ENABLE_HTTP_PROXY
150
" or --http-proxy"
151
#endif
152
#ifdef ENABLE_SOCKS
153
" or --socks-proxy"
154
#endif
155
" is used).\n"
156
"--nobind : Do not bind to local address and port.\n"
157
"--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
158
"--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
159
" this option only if the tun/tap device used with --dev\n"
160
" does not begin with \"tun\" or \"tap\".\n"
161
"--dev-node node : Explicitly set the device node rather than using\n"
162
" /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
163
"--lladdr hw : Set the link layer address of the tap device.\n"
164
"--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
165
"--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic.\n"
166
#ifdef CONFIG_FEATURE_IPROUTE
167
"--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
168
#endif
169
"--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
170
" endpoint and rn as a remote endpoint. l & rn should be\n"
171
" swapped on the other peer. l & rn must be private\n"
172
" addresses outside of the subnets used by either peer.\n"
173
" TAP: configure device to use IP address l as a local\n"
174
" endpoint and rn as a subnet mask.\n"
175
"--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
176
" pass --ifconfig parms by environment to scripts.\n"
177
"--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
178
" connection doesn't match the remote side.\n"
179
"--route network [netmask] [gateway] [metric] :\n"
180
" Add route to routing table after connection\n"
181
" is established. Multiple routes can be specified.\n"
182
" netmask default: 255.255.255.255\n"
183
" gateway default: taken from --route-gateway or --ifconfig\n"
184
" Specify default by leaving blank or setting to \"nil\".\n"
185
"--max-routes n : Specify the maximum number of routes that may be defined\n"
186
" or pulled from a server.\n"
187
"--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
188
"--route-metric m : Specify a default metric for use with --route.\n"
189
"--route-delay n [w] : Delay n seconds after connection initiation before\n"
190
" adding routes (may be 0). If not specified, routes will\n"
191
" be added immediately after tun/tap open. On Windows, wait\n"
192
" up to w seconds for TUN/TAP adapter to come up.\n"
193
"--route-up cmd : Execute shell cmd after routes are added.\n"
194
"--route-noexec : Don't add routes automatically. Instead pass routes to\n"
195
" --route-up script using environmental variables.\n"
196
"--route-nopull : When used with --client or --pull, accept options pushed\n"
197
" by server EXCEPT for routes.\n"
198
"--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
199
" --ifconfig, --route, and --route-gateway.\n"
200
"--redirect-gateway [flags]: Automatically execute routing\n"
201
" commands to redirect all outgoing IP traffic through the\n"
202
" VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
203
" connected via a common subnet, such as with WiFi.\n"
204
" Add 'def1' flag to set default route using using 0.0.0.0/1\n"
205
" and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
206
" flag to add a direct route to DHCP server, bypassing tunnel.\n"
207
" Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
208
"--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
209
" the default gateway. Useful when pushing private subnets.\n"
210
#ifdef ENABLE_PUSH_PEER_INFO
211
"--push-peer-info : (client only) push client info to server.\n"
212
#endif
213
"--setenv name value : Set a custom environmental variable to pass to script.\n"
214
"--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
215
" directives for future OpenVPN versions to be ignored.\n"
216
"--script-security level mode : mode='execve' (default) or 'system', level=\n"
217
" 0 -- strictly no calling of external programs\n"
218
" 1 -- (default) only call built-ins such as ifconfig\n"
219
" 2 -- allow calling of built-ins and scripts\n"
220
" 3 -- allow password to be passed to scripts via env\n"
221
"--shaper n : Restrict output to peer to n bytes per second.\n"
222
"--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
223
" ping once every n seconds, restart if ping not received\n"
224
" for m seconds.\n"
225
"--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
226
" produces a combined in/out byte count < bytes.\n"
227
"--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
228
"--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
229
"--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
230
" remote address.\n"
231
"--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
232
#if ENABLE_IP_PKTINFO
233
"--multihome : Configure a multi-homed UDP server.\n"
234
#endif
235
"--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
236
"--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
237
"--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
238
"--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
239
"--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
240
"--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
241
#if PASSTOS_CAPABILITY
242
"--passtos : TOS passthrough (applies to IPv4 only).\n"
243
#endif
244
"--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
245
" TCP/UDP MTU from it (default=%d).\n"
246
"--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
247
" as n bytes more than the tun-mtu size on read\n"
248
" (default TUN=0 TAP=%d).\n"
249
"--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
250
" from it.\n"
251
"--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
252
" 'no' -- Never send DF (Don't Fragment) frames\n"
253
" 'maybe' -- Use per-route hints\n"
254
" 'yes' -- Always DF (Don't Fragment)\n"
255
#ifdef ENABLE_OCC
256
"--mtu-test : Empirically measure and report MTU.\n"
257
#endif
258
#ifdef ENABLE_FRAGMENT
259
"--fragment max : Enable internal datagram fragmentation so that no UDP\n"
260
" datagrams are sent which are larger than max bytes.\n"
261
" Adds 4 bytes of overhead per datagram.\n"
262
#endif
263
"--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
264
" or --fragment max value, whichever is lower.\n"
265
"--sndbuf size : Set the TCP/UDP send buffer size.\n"
266
"--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
267
"--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
268
"--mlock : Disable Paging -- ensures key material and tunnel\n"
269
" data will never be written to disk.\n"
270
"--up cmd : Shell cmd to execute after successful tun device open.\n"
271
" Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
272
" ifconfig-local-ip ifconfig-remote-ip\n"
273
" (pre --user or --group UID/GID change)\n"
274
"--up-delay : Delay tun/tap open and possible --up script execution\n"
275
" until after TCP/UDP connection establishment with peer.\n"
276
"--down cmd : Shell cmd to run after tun device close.\n"
277
" (post --user/--group UID/GID change and/or --chroot)\n"
278
" (script parameters are same as --up option)\n"
279
"--down-pre : Call --down cmd/script before TUN/TAP close.\n"
280
"--up-restart : Run up/down scripts for all restarts including those\n"
281
" caused by --ping-restart or SIGUSR1\n"
282
"--user user : Set UID to user after initialization.\n"
283
"--group group : Set GID to group after initialization.\n"
284
"--chroot dir : Chroot to this directory after initialization.\n"
285
#ifdef HAVE_SETCON
286
"--setcon context: Apply this SELinux context after initialization.\n"
287
#endif
288
"--cd dir : Change to this directory before initialization.\n"
289
"--daemon [name] : Become a daemon after initialization.\n"
290
" The optional 'name' parameter will be passed\n"
291
" as the program name to the system logger.\n"
292
"--syslog [name] : Output to syslog, but do not become a daemon.\n"
293
" See --daemon above for a description of the 'name' parm.\n"
294
"--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
295
" See --daemon above for a description of the 'name' parm.\n"
296
"--log file : Output log to file which is created/truncated on open.\n"
297
"--log-append file : Append log to file, or create file if nonexistent.\n"
298
"--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
299
"--writepid file : Write main process ID to file.\n"
300
"--nice n : Change process priority (>0 = lower, <0 = higher).\n"
301
"--echo [parms ...] : Echo parameters to log output.\n"
302
"--verb n : Set output verbosity to n (default=%d):\n"
303
" (Level 3 is recommended if you want a good summary\n"
304
" of what's happening without being swamped by output).\n"
305
" : 0 -- no output except fatal errors\n"
306
" : 1 -- startup info + connection initiated messages +\n"
307
" non-fatal encryption & net errors\n"
308
" : 2,3 -- show TLS negotiations & route info\n"
309
" : 4 -- show parameters\n"
310
" : 5 -- show 'RrWw' chars on console for each packet sent\n"
311
" and received from TCP/UDP (caps) or tun/tap (lc)\n"
312
" : 6 to 11 -- debug messages of increasing verbosity\n"
313
"--mute n : Log at most n consecutive messages in the same category.\n"
314
"--status file n : Write operational status to file every n seconds.\n"
315
"--status-version [n] : Choose the status file format version number.\n"
316
" Currently, n can be 1, 2, or 3 (default=1).\n"
317
#ifdef ENABLE_OCC
318
"--disable-occ : Disable options consistency check between peers.\n"
319
#endif
320
#ifdef ENABLE_DEBUG
321
"--gremlin mask : Special stress testing mode (for debugging only).\n"
322
#endif
323
#ifdef USE_LZO
324
"--comp-lzo : Use fast LZO compression -- may add up to 1 byte per\n"
325
" packet for uncompressible data.\n"
326
"--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
327
" is specified.\n"
328
#endif
329
#ifdef ENABLE_MANAGEMENT
330
"--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
331
" management functions. pass is a password file\n"
332
" or 'stdin' to prompt from console.\n"
333
#if UNIX_SOCK_SUPPORT
334
" To listen on a unix domain socket, specific the pathname\n"
335
" in place of ip and use 'unix' as the port number.\n"
336
#endif
337
"--management-client : Management interface will connect as a TCP client to\n"
338
" ip/port rather than listen as a TCP server.\n"
339
"--management-query-passwords : Query management channel for private key\n"
340
" and auth-user-pass passwords.\n"
341
"--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
342
" of the management interface explicitly starts it.\n"
343
"--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
344
"--management-forget-disconnect : Forget passwords when management disconnect\n"
345
" event occurs.\n"
346
"--management-log-cache n : Cache n lines of log file history for usage\n"
347
" by the management channel.\n"
348
#if UNIX_SOCK_SUPPORT
349
"--management-client-user u : When management interface is a unix socket, only\n"
350
" allow connections from user u.\n"
351
"--management-client-group g : When management interface is a unix socket, only\n"
352
" allow connections from group g.\n"
353
#endif
354
#ifdef MANAGEMENT_DEF_AUTH
355
"--management-client-auth : gives management interface client the responsibility\n"
356
" to authenticate clients after their client certificate\n"
357
" has been verified.\n"
358
#endif
359
#ifdef MANAGEMENT_PF
360
"--management-client-pf : management interface clients must specify a packet\n"
361
" filter file for each connecting client.\n"
362
#endif
363
#endif
364
#ifdef ENABLE_PLUGIN
365
"--plugin m [str]: Load plug-in module m passing str as an argument\n"
366
" to its initialization function.\n"
367
#endif
368
#if P2MP
369
#if P2MP_SERVER
370
"\n"
371
"Multi-Client Server options (when --mode server is used):\n"
372
"--server network netmask : Helper option to easily configure server mode.\n"
373
"--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
374
" easily configure ethernet bridging server mode.\n"
375
"--push \"option\" : Push a config file option back to the peer for remote\n"
376
" execution. Peer must specify --pull in its config file.\n"
377
"--push-reset : Don't inherit global push list for specific\n"
378
" client instance.\n"
379
"--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
380
" to be dynamically allocated to connecting clients.\n"
381
"--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
382
" in tun mode. Not compatible with Windows clients.\n"
383
"--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
384
" data to file, at seconds intervals (default=600).\n"
385
" If seconds=0, file will be treated as read-only.\n"
386
"--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
387
" overrides --ifconfig-pool dynamic allocation.\n"
388
" Only valid in a client-specific config file.\n"
389
"--iroute network [netmask] : Route subnet to client.\n"
390
" Sets up internal routes only.\n"
391
" Only valid in a client-specific config file.\n"
392
"--disable : Client is disabled.\n"
393
" Only valid in a client-specific config file.\n"
394
"--client-cert-not-required : Don't require client certificate, client\n"
395
" will authenticate using username/password.\n"
396
"--username-as-common-name : For auth-user-pass authentication, use\n"
397
" the authenticated username as the common name,\n"
398
" rather than the common name from the client cert.\n"
399
"--auth-user-pass-verify cmd method: Query client for username/password and\n"
400
" run script cmd to verify. If method='via-env', pass\n"
401
" user/pass via environment, if method='via-file', pass\n"
402
" user/pass via temporary file.\n"
403
"--opt-verify : Clients that connect with options that are incompatible\n"
404
" with those of the server will be disconnected.\n"
405
"--auth-user-pass-optional : Allow connections by clients that don't\n"
406
" specify a username/password.\n"
407
"--no-name-remapping : Allow Common Name and X509 Subject to include\n"
408
" any printable character.\n"
409
"--client-to-client : Internally route client-to-client traffic.\n"
410
"--duplicate-cn : Allow multiple clients with the same common name to\n"
411
" concurrently connect.\n"
412
"--client-connect cmd : Run script cmd on client connection.\n"
413
"--client-disconnect cmd : Run script cmd on client disconnection.\n"
414
"--client-config-dir dir : Directory for custom client config files.\n"
415
"--ccd-exclusive : Refuse connection unless custom client config is found.\n"
416
"--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
417
"--hash-size r v : Set the size of the real address hash table to r and the\n"
418
" virtual address table to v.\n"
419
"--bcast-buffers n : Allocate n broadcast buffers.\n"
420
"--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
421
"--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
422
" as well as pushes it to connecting clients.\n"
423
"--learn-address cmd : Run script cmd to validate client virtual addresses.\n"
424
"--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
425
"--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
426
"--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
427
#if PORT_SHARE
428
"--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions\n"
429
" to a web server at host:port.\n"
430
#endif
431
#endif
432
"\n"
433
"Client options (when connecting to a multi-client server):\n"
434
"--client : Helper option to easily configure client mode.\n"
435
"--auth-user-pass [up] : Authenticate with server using username/password.\n"
436
" up is a file containing username/password on 2 lines,\n"
437
" or omit to prompt from console.\n"
438
"--pull : Accept certain config file options from the peer as if they\n"
439
" were part of the local config file. Must be specified\n"
440
" when connecting to a '--mode server' remote host.\n"
441
"--auth-retry t : How to handle auth failures. Set t to\n"
442
" none (default), interact, or nointeract.\n"
443
"--server-poll-timeout n : when polling possible remote servers to connect to\n"
444
" in a round-robin fashion, spend no more than n seconds\n"
445
" waiting for a response before trying the next server.\n"
446
#endif
447
#ifdef ENABLE_OCC
448
"--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
449
" server/remote. n = # of retries, default=1.\n"
450
#endif
451
#ifdef USE_CRYPTO
452
"\n"
453
"Data Channel Encryption Options (must be compatible between peers):\n"
454
"(These options are meaningful for both Static Key & TLS-mode)\n"
455
"--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
456
" Use shared secret file f, generate with --genkey.\n"
457
" The optional d parameter controls key directionality.\n"
458
" If d is specified, use separate keys for each\n"
459
" direction, set d=0 on one side of the connection,\n"
460
" and d=1 on the other side.\n"
461
"--auth alg : Authenticate packets with HMAC using message\n"
462
" digest algorithm alg (default=%s).\n"
463
" (usually adds 16 or 20 bytes per packet)\n"
464
" Set alg=none to disable authentication.\n"
465
"--cipher alg : Encrypt packets with cipher algorithm alg\n"
466
" (default=%s).\n"
467
" Set alg=none to disable encryption.\n"
468
"--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
469
" nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
470
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
471
"--keysize n : Size of cipher key in bits (optional).\n"
472
" If unspecified, defaults to cipher-specific default.\n"
473
#endif
474
"--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
475
"--no-replay : Disable replay protection.\n"
476
"--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
477
"--replay-window n [t] : Use a replay protection sliding window of size n\n"
478
" and a time window of t seconds.\n"
479
" Default n=%d t=%d\n"
480
"--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n"
481
"--replay-persist file : Persist replay-protection state across sessions\n"
482
" using file.\n"
483
"--test-crypto : Run a self-test of crypto features enabled.\n"
484
" For debugging only.\n"
485
#ifdef USE_SSL
486
"\n"
487
"TLS Key Negotiation Options:\n"
488
"(These options are meaningful only for TLS-mode)\n"
489
"--tls-server : Enable TLS and assume server role during TLS handshake.\n"
490
"--tls-client : Enable TLS and assume client role during TLS handshake.\n"
491
"--key-method m : Data channel key exchange method. m should be a method\n"
492
" number, such as 1 (default), 2, etc.\n"
493
"--ca file : Certificate authority file in .pem format containing\n"
494
" root certificate.\n"
495
"--capath dir : A directory of trusted certificates (CAs"
496
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
497
" and CRLs).\n"
498
#else
499
").\n"
500
" WARNING: no support of CRL available with this version.\n"
501
#endif
502
"--dh file : File containing Diffie Hellman parameters\n"
503
" in .pem format (for --tls-server only).\n"
504
" Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
505
"--cert file : Local certificate in .pem format -- must be signed\n"
506
" by a Certificate Authority in --ca file.\n"
507
"--key file : Local private key in .pem format.\n"
508
"--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
509
" and optionally the root CA certificate.\n"
510
#ifdef ENABLE_X509ALTUSERNAME
511
"--x509-username-field : Field used in x509 certificate to be username.\n"
512
" Default is CN.\n"
513
#endif
514
#ifdef WIN32
515
"--cryptoapicert select-string : Load the certificate and private key from the\n"
516
" Windows Certificate System Store.\n"
517
#endif
518
"--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
519
" : Use --show-tls to see a list of supported TLS ciphers.\n"
520
"--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
521
" if no ACK from remote within n seconds (default=%d).\n"
522
"--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
523
"--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
524
"--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
525
"--hand-window n : Data channel key exchange must finalize within n seconds\n"
526
" of handshake initiation by any peer (default=%d).\n"
527
"--tran-window n : Transition window -- old key can live this many seconds\n"
528
" after new key renegotiation begins (default=%d).\n"
529
"--single-session: Allow only one session (reset state on restart).\n"
530
"--tls-exit : Exit on TLS negotiation failure.\n"
531
"--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
532
" control channel to protect against DoS attacks.\n"
533
" f (required) is a shared-secret passphrase file.\n"
534
" The optional d parameter controls key directionality,\n"
535
" see --secret option for more info.\n"
536
"--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
537
"--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
538
"--crl-verify crl: Check peer certificate against a CRL.\n"
539
"--tls-verify cmd: Execute shell command cmd to verify the X509 name of a\n"
540
" pending TLS connection that has otherwise passed all other\n"
541
" tests of certification. cmd should return 0 to allow\n"
542
" TLS handshake to proceed, or 1 to fail. (cmd is\n"
543
" executed as 'cmd certificate_depth X509_NAME_oneline')\n"
544
"--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
545
" in an openvpn temporary file in [directory]. Peer cert is \n"
546
" stored before tls-verify script execution and deleted after.\n"
547
"--tls-remote x509name: Accept connections only from a host with X509 name\n"
548
" x509name. The remote host must also pass all other tests\n"
549
" of verification.\n"
550
"--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
551
" nsCertType designation t = 'client' | 'server'.\n"
552
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
553
"--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
554
" explicit key usage, you can specify more than one value.\n"
555
" value should be given in hex format.\n"
556
"--remote-cert-eku oid : Require that the peer certificate was signed with\n"
557
" explicit extended key usage. Extended key usage can be encoded\n"
558
" as an object identifier or OpenSSL string representation.\n"
559
"--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
560
" key usage and extended key usage based on RFC3280 TLS rules.\n"
561
" t = 'client' | 'server'.\n"
562
#endif /* OPENSSL_VERSION_NUMBER */
563
#endif /* USE_SSL */
564
#ifdef ENABLE_PKCS11
565
"\n"
566
"PKCS#11 Options:\n"
567
"--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
568
"--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
569
" path. Set for each provider.\n"
570
"--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
571
" 0 : Try to determind automatically (default).\n"
572
" 1 : Use Sign.\n"
573
" 2 : Use SignRecover.\n"
574
" 4 : Use Decrypt.\n"
575
" 8 : Use Unwrap.\n"
576
"--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
577
" certificate can be accessed. Set for each provider.\n"
578
"--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
579
" cache until token is removed.\n"
580
"--pkcs11-id-management : Acquire identity from management interface.\n"
581
"--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
582
#endif /* ENABLE_PKCS11 */
583
"\n"
584
"SSL Library information:\n"
585
"--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
586
"--show-digests : Show message digest algorithms to use with --auth option.\n"
587
"--show-engines : Show hardware crypto accelerator engines (if available).\n"
588
#ifdef USE_SSL
589
"--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
590
#endif
591
#ifdef WIN32
592
"\n"
593
"Windows Specific:\n"
594
"--win-sys path|'env' : Pathname of Windows system directory, C:\\WINDOWS by default.\n"
595
" If specified as 'env', read the pathname from SystemRoot env var.\n"
596
"--ip-win32 method : When using --ifconfig on Windows, set TAP-Win32 adapter\n"
597
" IP address using method = manual, netsh, ipapi,\n"
598
" dynamic, or adaptive (default = adaptive).\n"
599
" Dynamic method allows two optional parameters:\n"
600
" offset: DHCP server address offset (> -256 and < 256).\n"
601
" If 0, use network address, if >0, take nth\n"
602
" address forward from network address, if <0,\n"
603
" take nth address backward from broadcast\n"
604
" address.\n"
605
" Default is 0.\n"
606
" lease-time: Lease time in seconds.\n"
607
" Default is one year.\n"
608
"--route-method : Which method to use for adding routes on Windows?\n"
609
" adaptive (default) -- Try ipapi then fall back to exe.\n"
610
" ipapi -- Use IP helper API.\n"
611
" exe -- Call the route.exe shell command.\n"
612
"--dhcp-option type [parm] : Set extended TAP-Win32 properties, must\n"
613
" be used with --ip-win32 dynamic. For options\n"
614
" which allow multiple addresses,\n"
615
" --dhcp-option must be repeated.\n"
616
" DOMAIN name : Set DNS suffix\n"
617
" DNS addr : Set domain name server address(es)\n"
618
" NTP : Set NTP server address(es)\n"
619
" NBDD : Set NBDD server address(es)\n"
620
" WINS addr : Set WINS server address(es)\n"
621
" NBT type : Set NetBIOS over TCP/IP Node type\n"
622
" 1: B, 2: P, 4: M, 8: H\n"
623
" NBS id : Set NetBIOS scope ID\n"
624
" DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
625
"--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
626
"--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
627
" startup.\n"
628
"--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n"
629
"--register-dns : Run net stop dnscache, net start dnscache, ipconfig /flushdns\n"
630
" and ipconfig /registerdns on connection initiation.\n"
631
"--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
632
" attempting to set adapter properties.\n"
633
"--pause-exit : When run from a console window, pause before exiting.\n"
634
"--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
635
" service, and should not be used directly by end-users.\n"
636
" ex is the name of an event object which, when\n"
637
" signaled, will cause " PACKAGE_NAME " to exit. A second\n"
638
" optional parameter controls the initial state of ex.\n"
639
"--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
640
" after TAP adapter is up and routes have been added.\n"
641
"Windows Standalone Options:\n"
642
"\n"
643
"--show-adapters : Show all TAP-Win32 adapters.\n"
644
"--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
645
"--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
646
"--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
647
" to access TAP adapter.\n"
648
#endif
649
"\n"
650
"Generate a random key (only for non-TLS static key encryption mode):\n"
651
"--genkey : Generate a random key to be used as a shared secret,\n"
652
" for use with the --secret option.\n"
653
"--secret file : Write key to file.\n"
654
#endif /* USE_CRYPTO */
655
#ifdef TUNSETPERSIST
656
"\n"
657
"Tun/tap config mode (available with linux 2.4+):\n"
658
"--mktun : Create a persistent tunnel.\n"
659
"--rmtun : Remove a persistent tunnel.\n"
660
"--dev tunX|tapX : tun/tap device\n"
661
"--dev-type dt : Device type. See tunnel options above for details.\n"
662
"--user user : User to set privilege to.\n"
663
"--group group : Group to set privilege to.\n"
664
#endif
665
#ifdef ENABLE_PKCS11
666
"\n"
667
"PKCS#11 standalone options:\n"
668
"--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
669
" --verb option can be added *BEFORE* this.\n"
670
#endif /* ENABLE_PKCS11 */
671
;
672
673
#endif /* !ENABLE_SMALL */
674
675
/*
676
* This is where the options defaults go.
677
* Any option not explicitly set here
678
* will be set to 0.
679
*/
680
void
681
init_options (struct options *o, const bool init_gc)
682
{
683
CLEAR (*o);
684
if (init_gc)
685
{
686
gc_init (&o->gc);
687
o->gc_owned = true;
688
}
689
o->mode = MODE_POINT_TO_POINT;
690
o->topology = TOP_NET30;
691
o->ce.proto = PROTO_UDPv4;
692
o->ce.connect_retry_seconds = 5;
693
o->ce.connect_timeout = 10;
694
o->ce.connect_retry_max = 0;
695
o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
696
o->verbosity = 1;
697
o->status_file_update_freq = 60;
698
o->status_file_version = 1;
699
o->ce.bind_local = true;
700
o->tun_mtu = TUN_MTU_DEFAULT;
701
o->link_mtu = LINK_MTU_DEFAULT;
702
o->mtu_discover_type = -1;
703
o->mssfix = MSSFIX_DEFAULT;
704
o->route_delay_window = 30;
705
o->max_routes = MAX_ROUTES_DEFAULT;
706
o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
707
o->proto_force = -1;
708
#ifdef ENABLE_OCC
709
o->occ = true;
710
#endif
711
#ifdef ENABLE_MANAGEMENT
712
o->management_log_history_cache = 250;
713
o->management_echo_buffer_size = 100;
714
o->management_state_buffer_size = 100;
715
#endif
716
#ifdef TUNSETPERSIST
717
o->persist_mode = 1;
718
#endif
719
#ifndef WIN32
720
o->rcvbuf = 65536;
721
o->sndbuf = 65536;
722
#endif
723
#ifdef TARGET_LINUX
724
o->tuntap_options.txqueuelen = 100;
725
#endif
726
#ifdef WIN32
727
#if 0
728
o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
729
#else
730
o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
731
#endif
732
o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
733
o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
734
o->route_method = ROUTE_METHOD_ADAPTIVE;
735
#endif
736
#if P2MP_SERVER
737
o->real_hash_size = 256;
738
o->virtual_hash_size = 256;
739
o->n_bcast_buf = 256;
740
o->tcp_queue_limit = 64;
741
o->max_clients = 1024;
742
o->max_routes_per_client = 256;
743
o->ifconfig_pool_persist_refresh_freq = 600;
744
#endif
745
#if P2MP
746
o->scheduled_exit_interval = 5;
747
o->server_poll_timeout = 0;
748
#endif
749
#ifdef USE_CRYPTO
750
o->ciphername = "BF-CBC";
751
o->ciphername_defined = true;
752
o->authname = "SHA1";
753
o->authname_defined = true;
754
o->prng_hash = "SHA1";
755
o->prng_nonce_secret_len = 16;
756
o->replay = true;
757
o->replay_window = DEFAULT_SEQ_BACKTRACK;
758
o->replay_time = DEFAULT_TIME_BACKTRACK;
759
o->use_iv = true;
760
o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
761
#ifdef USE_SSL
762
o->key_method = 2;
763
o->tls_timeout = 2;
764
o->renegotiate_seconds = 3600;
765
o->handshake_window = 60;
766
o->transition_window = 3600;
767
#ifdef ENABLE_X509ALTUSERNAME
768
o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
769
#endif
770
#endif /* USE_SSL */
771
#endif /* USE_CRYPTO */
772
#ifdef ENABLE_PKCS11
773
o->pkcs11_pin_cache_period = -1;
774
#endif /* ENABLE_PKCS11 */
775
776
/* Set default --tmp-dir */
777
#ifdef WIN32
778
/* On Windows, find temp dir via enviroment variables */
779
o->tmp_dir = win_get_tempdir();
780
#else
781
/* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
782
o->tmp_dir = getenv("TMPDIR");
783
if( !o->tmp_dir ) {
784
o->tmp_dir = "/tmp";
785
}
786
#endif /* WIN32 */
787
}
788
789
void
790
uninit_options (struct options *o)
791
{
792
if (o->gc_owned)
793
{
794
gc_free (&o->gc);
795
}
796
}
797
798
#ifdef ENABLE_DEBUG
799
800
#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
801
#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
802
#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
803
#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
804
#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
805
#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
806
807
#endif
808
809
void
810
setenv_connection_entry (struct env_set *es,
811
const struct connection_entry *e,
812
const int i)
813
{
814
setenv_str_i (es, "proto", proto2ascii (e->proto, false), i);
815
setenv_str_i (es, "local", e->local, i);
816
setenv_int_i (es, "local_port", e->local_port, i);
817
setenv_str_i (es, "remote", e->remote, i);
818
setenv_int_i (es, "remote_port", e->remote_port, i);
819
820
#ifdef ENABLE_HTTP_PROXY
821
if (e->http_proxy_options)
822
{
823
setenv_str_i (es, "http_proxy_server", e->http_proxy_options->server, i);
824
setenv_int_i (es, "http_proxy_port", e->http_proxy_options->port, i);
825
}
826
#endif
827
#ifdef ENABLE_SOCKS
828
if (e->socks_proxy_server)
829
{
830
setenv_str_i (es, "socks_proxy_server", e->socks_proxy_server, i);
831
setenv_int_i (es, "socks_proxy_port", e->socks_proxy_port, i);
832
}
833
#endif
834
}
835
836
void
837
setenv_settings (struct env_set *es, const struct options *o)
838
{
839
setenv_str (es, "config", o->config);
840
setenv_int (es, "verb", o->verbosity);
841
setenv_int (es, "daemon", o->daemon);
842
setenv_int (es, "daemon_log_redirect", o->log);
843
setenv_unsigned (es, "daemon_start_time", time(NULL));
844
setenv_int (es, "daemon_pid", openvpn_getpid());
845
846
#ifdef ENABLE_CONNECTION
847
if (o->connection_list)
848
{
849
int i;
850
for (i = 0; i < o->connection_list->len; ++i)
851
setenv_connection_entry (es, o->connection_list->array[i], i+1);
852
}
853
else
854
#endif
855
setenv_connection_entry (es, &o->ce, 1);
856
}
857
858
static in_addr_t
859
get_ip_addr (const char *ip_string, int msglevel, bool *error)
860
{
861
unsigned int flags = GETADDR_HOST_ORDER;
862
bool succeeded = false;
863
in_addr_t ret;
864
865
if (msglevel & M_FATAL)
866
flags |= GETADDR_FATAL;
867
868
ret = getaddr (flags, ip_string, 0, &succeeded, NULL);
869
if (!succeeded && error)
870
*error = true;
871
return ret;
872
}
873
874
static char *
875
string_substitute (const char *src, int from, int to, struct gc_arena *gc)
876
{
877
char *ret = (char *) gc_malloc (strlen (src) + 1, true, gc);
878
char *dest = ret;
879
char c;
880
881
do
882
{
883
c = *src++;
884
if (c == from)
885
c = to;
886
*dest++ = c;
887
}
888
while (c);
889
return ret;
890
}
891
892
bool
893
is_persist_option (const struct options *o)
894
{
895
return o->persist_tun
896
|| o->persist_key
897
|| o->persist_local_ip
898
|| o->persist_remote_ip
899
;
900
}
901
902
bool
903
is_stateful_restart (const struct options *o)
904
{
905
return is_persist_option (o) || connection_list_defined (o);
906
}
907
908
#ifdef WIN32
909
910
#ifdef ENABLE_DEBUG
911
912
static void
913
show_dhcp_option_addrs (const char *name, const in_addr_t *array, int len)
914
{
915
struct gc_arena gc = gc_new ();
916
int i;
917
for (i = 0; i < len; ++i)
918
{
919
msg (D_SHOW_PARMS, " %s[%d] = %s",
920
name,
921
i,
922
print_in_addr_t (array[i], 0, &gc));
923
}
924
gc_free (&gc);
925
}
926
927
static void
928
show_tuntap_options (const struct tuntap_options *o)
929
{
930
SHOW_BOOL (ip_win32_defined);
931
SHOW_INT (ip_win32_type);
932
SHOW_INT (dhcp_masq_offset);
933
SHOW_INT (dhcp_lease_time);
934
SHOW_INT (tap_sleep);
935
SHOW_BOOL (dhcp_options);
936
SHOW_BOOL (dhcp_renew);
937
SHOW_BOOL (dhcp_pre_release);
938
SHOW_BOOL (dhcp_release);
939
SHOW_STR (domain);
940
SHOW_STR (netbios_scope);
941
SHOW_INT (netbios_node_type);
942
SHOW_BOOL (disable_nbt);
943
944
show_dhcp_option_addrs ("DNS", o->dns, o->dns_len);
945
show_dhcp_option_addrs ("WINS", o->wins, o->wins_len);
946
show_dhcp_option_addrs ("NTP", o->ntp, o->ntp_len);
947
show_dhcp_option_addrs ("NBDD", o->nbdd, o->nbdd_len);
948
}
949
950
#endif
951
952
static void
953
dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
954
{
955
if (*len >= N_DHCP_ADDR)
956
{
957
msg (msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
958
name,
959
N_DHCP_ADDR,
960
name);
961
}
962
else
963
{
964
if (ip_addr_dotted_quad_safe (parm)) /* FQDN -- IP address only */
965
{
966
bool error = false;
967
const in_addr_t addr = get_ip_addr (parm, msglevel, &error);
968
if (!error)
969
array[(*len)++] = addr;
970
}
971
else
972
{
973
msg (msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
974
}
975
}
976
}
977
978
#endif
979
980
#if P2MP
981
982
#ifdef ENABLE_DEBUG
983
984
static void
985
show_p2mp_parms (const struct options *o)
986
{
987
struct gc_arena gc = gc_new ();
988
989
#if P2MP_SERVER
990
msg (D_SHOW_PARMS, " server_network = %s", print_in_addr_t (o->server_network, 0, &gc));
991
msg (D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t (o->server_netmask, 0, &gc));
992
msg (D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t (o->server_bridge_ip, 0, &gc));
993
msg (D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t (o->server_bridge_netmask, 0, &gc));
994
msg (D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t (o->server_bridge_pool_start, 0, &gc));
995
msg (D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t (o->server_bridge_pool_end, 0, &gc));
996
if (o->push_list.head)
997
{
998
const struct push_entry *e = o->push_list.head;
999
while (e)
1000
{
1001
if (e->enable)
1002
msg (D_SHOW_PARMS, " push_entry = '%s'", e->option);
1003
e = e->next;
1004
}
1005
}
1006
SHOW_BOOL (ifconfig_pool_defined);
1007
msg (D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t (o->ifconfig_pool_start, 0, &gc));
1008
msg (D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t (o->ifconfig_pool_end, 0, &gc));
1009
msg (D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t (o->ifconfig_pool_netmask, 0, &gc));
1010
SHOW_STR (ifconfig_pool_persist_filename);
1011
SHOW_INT (ifconfig_pool_persist_refresh_freq);
1012
SHOW_INT (n_bcast_buf);
1013
SHOW_INT (tcp_queue_limit);
1014
SHOW_INT (real_hash_size);
1015
SHOW_INT (virtual_hash_size);
1016
SHOW_STR (client_connect_script);
1017
SHOW_STR (learn_address_script);
1018
SHOW_STR (client_disconnect_script);
1019
SHOW_STR (client_config_dir);
1020
SHOW_BOOL (ccd_exclusive);
1021
SHOW_STR (tmp_dir);
1022
SHOW_BOOL (push_ifconfig_defined);
1023
msg (D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t (o->push_ifconfig_local, 0, &gc));
1024
msg (D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t (o->push_ifconfig_remote_netmask, 0, &gc));
1025
SHOW_BOOL (enable_c2c);
1026
SHOW_BOOL (duplicate_cn);
1027
SHOW_INT (cf_max);
1028
SHOW_INT (cf_per);
1029
SHOW_INT (max_clients);
1030
SHOW_INT (max_routes_per_client);
1031
SHOW_STR (auth_user_pass_verify_script);
1032
SHOW_BOOL (auth_user_pass_verify_script_via_file);
1033
SHOW_INT (ssl_flags);
1034
#if PORT_SHARE
1035
SHOW_STR (port_share_host);
1036
SHOW_INT (port_share_port);
1037
#endif
1038
#endif /* P2MP_SERVER */
1039
1040
SHOW_BOOL (client);
1041
SHOW_BOOL (pull);
1042
SHOW_STR (auth_user_pass_file);
1043
1044
gc_free (&gc);
1045
}
1046
1047
#endif /* ENABLE_DEBUG */
1048
1049
#if P2MP_SERVER
1050
1051
static void
1052
option_iroute (struct options *o,
1053
const char *network_str,
1054
const char *netmask_str,
1055
int msglevel)
1056
{
1057
struct iroute *ir;
1058
1059
ALLOC_OBJ_GC (ir, struct iroute, &o->gc);
1060
ir->network = getaddr (GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
1061
ir->netbits = -1;
1062
1063
if (netmask_str)
1064
{
1065
const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
1066
if (!netmask_to_netbits (ir->network, netmask, &ir->netbits))
1067
{
1068
msg (msglevel, "in --iroute %s %s : Bad network/subnet specification",
1069
network_str,
1070
netmask_str);
1071
return;
1072
}
1073
}
1074
1075
ir->next = o->iroutes;
1076
o->iroutes = ir;
1077
}
1078
1079
#endif /* P2MP_SERVER */
1080
#endif /* P2MP */
1081
1082
#if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_DEBUG)
1083
static void
1084
show_http_proxy_options (const struct http_proxy_options *o)
1085
{
1086
msg (D_SHOW_PARMS, "BEGIN http_proxy");
1087
SHOW_STR (server);
1088
SHOW_INT (port);
1089
SHOW_STR (auth_method_string);
1090
SHOW_STR (auth_file);
1091
SHOW_BOOL (retry);
1092
SHOW_INT (timeout);
1093
SHOW_STR (http_version);
1094
SHOW_STR (user_agent);
1095
msg (D_SHOW_PARMS, "END http_proxy");
1096
}
1097
#endif
1098
1099
void
1100
options_detach (struct options *o)
1101
{
1102
gc_detach (&o->gc);
1103
o->routes = NULL;
1104
#if P2MP_SERVER
1105
clone_push_list(o);
1106
#endif
1107
}
1108
1109
void
1110
rol_check_alloc (struct options *options)
1111
{
1112
if (!options->routes)
1113
options->routes = new_route_option_list (options->max_routes, &options->gc);
1114
}
1115
1116
#ifdef ENABLE_DEBUG
1117
static void
1118
show_connection_entry (const struct connection_entry *o)
1119
{
1120
msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, false));
1121
SHOW_STR (local);
1122
SHOW_INT (local_port);
1123
SHOW_STR (remote);
1124
SHOW_INT (remote_port);
1125
SHOW_BOOL (remote_float);
1126
SHOW_BOOL (bind_defined);
1127
SHOW_BOOL (bind_local);
1128
SHOW_INT (connect_retry_seconds);
1129
SHOW_INT (connect_timeout);
1130
SHOW_INT (connect_retry_max);
1131
1132
#ifdef ENABLE_HTTP_PROXY
1133
if (o->http_proxy_options)
1134
show_http_proxy_options (o->http_proxy_options);
1135
#endif
1136
#ifdef ENABLE_SOCKS
1137
SHOW_STR (socks_proxy_server);
1138
SHOW_INT (socks_proxy_port);
1139
SHOW_BOOL (socks_proxy_retry);
1140
#endif
1141
}
1142
1143
static void
1144
show_connection_entries (const struct options *o)
1145
{
1146
msg (D_SHOW_PARMS, "Connection profiles [default]:");
1147
show_connection_entry (&o->ce);
1148
#ifdef ENABLE_CONNECTION
1149
if (o->connection_list)
1150
{
1151
const struct connection_list *l = o->connection_list;
1152
int i;
1153
for (i = 0; i < l->len; ++i)
1154
{
1155
msg (D_SHOW_PARMS, "Connection profiles [%d]:", i);
1156
show_connection_entry (l->array[i]);
1157
}
1158
}
1159
#endif
1160
msg (D_SHOW_PARMS, "Connection profiles END");
1161
}
1162
1163
#endif
1164
1165
void
1166
show_settings (const struct options *o)
1167
{
1168
#ifdef ENABLE_DEBUG
1169
msg (D_SHOW_PARMS, "Current Parameter Settings:");
1170
1171
SHOW_STR (config);
1172
1173
SHOW_INT (mode);
1174
1175
#ifdef TUNSETPERSIST
1176
SHOW_BOOL (persist_config);
1177
SHOW_INT (persist_mode);
1178
#endif
1179
1180
#ifdef USE_CRYPTO
1181
SHOW_BOOL (show_ciphers);
1182
SHOW_BOOL (show_digests);
1183
SHOW_BOOL (show_engines);
1184
SHOW_BOOL (genkey);
1185
#ifdef USE_SSL
1186
SHOW_STR (key_pass_file);
1187
SHOW_BOOL (show_tls_ciphers);
1188
#endif
1189
#endif
1190
1191
show_connection_entries (o);
1192
1193
SHOW_BOOL (remote_random);
1194
1195
SHOW_STR (ipchange);
1196
SHOW_STR (dev);
1197
SHOW_STR (dev_type);
1198
SHOW_STR (dev_node);
1199
SHOW_STR (lladdr);
1200
SHOW_INT (topology);
1201
SHOW_BOOL (tun_ipv6);
1202
SHOW_STR (ifconfig_local);
1203
SHOW_STR (ifconfig_remote_netmask);
1204
SHOW_BOOL (ifconfig_noexec);
1205
SHOW_BOOL (ifconfig_nowarn);
1206
1207
#ifdef HAVE_GETTIMEOFDAY
1208
SHOW_INT (shaper);
1209
#endif
1210
SHOW_INT (tun_mtu);
1211
SHOW_BOOL (tun_mtu_defined);
1212
SHOW_INT (link_mtu);
1213
SHOW_BOOL (link_mtu_defined);
1214
SHOW_INT (tun_mtu_extra);
1215
SHOW_BOOL (tun_mtu_extra_defined);
1216
1217
#ifdef ENABLE_FRAGMENT
1218
SHOW_INT (fragment);
1219
#endif
1220
1221
SHOW_INT (mtu_discover_type);
1222
1223
#ifdef ENABLE_OCC
1224
SHOW_INT (mtu_test);
1225
#endif
1226
1227
SHOW_BOOL (mlock);
1228
1229
SHOW_INT (keepalive_ping);
1230
SHOW_INT (keepalive_timeout);
1231
SHOW_INT (inactivity_timeout);
1232
SHOW_INT (ping_send_timeout);
1233
SHOW_INT (ping_rec_timeout);
1234
SHOW_INT (ping_rec_timeout_action);
1235
SHOW_BOOL (ping_timer_remote);
1236
SHOW_INT (remap_sigusr1);
1237
#ifdef ENABLE_OCC
1238
SHOW_INT (explicit_exit_notification);
1239
#endif
1240
SHOW_BOOL (persist_tun);
1241
SHOW_BOOL (persist_local_ip);
1242
SHOW_BOOL (persist_remote_ip);
1243
SHOW_BOOL (persist_key);
1244
1245
SHOW_INT (mssfix);
1246
1247
#if PASSTOS_CAPABILITY
1248
SHOW_BOOL (passtos);
1249
#endif
1250
1251
SHOW_INT (resolve_retry_seconds);
1252
1253
SHOW_STR (username);
1254
SHOW_STR (groupname);
1255
SHOW_STR (chroot_dir);
1256
SHOW_STR (cd_dir);
1257
#ifdef HAVE_SETCON
1258
SHOW_STR (selinux_context);
1259
#endif
1260
SHOW_STR (writepid);
1261
SHOW_STR (up_script);
1262
SHOW_STR (down_script);
1263
SHOW_BOOL (down_pre);
1264
SHOW_BOOL (up_restart);
1265
SHOW_BOOL (up_delay);
1266
SHOW_BOOL (daemon);
1267
SHOW_INT (inetd);
1268
SHOW_BOOL (log);
1269
SHOW_BOOL (suppress_timestamps);
1270
SHOW_INT (nice);
1271
SHOW_INT (verbosity);
1272
SHOW_INT (mute);
1273
#ifdef ENABLE_DEBUG
1274
SHOW_INT (gremlin);
1275
#endif
1276
SHOW_STR (status_file);
1277
SHOW_INT (status_file_version);
1278
SHOW_INT (status_file_update_freq);
1279
1280
#ifdef ENABLE_OCC
1281
SHOW_BOOL (occ);
1282
#endif
1283
SHOW_INT (rcvbuf);
1284
SHOW_INT (sndbuf);
1285
SHOW_INT (sockflags);
1286
1287
SHOW_BOOL (fast_io);
1288
1289
#ifdef USE_LZO
1290
SHOW_INT (lzo);
1291
#endif
1292
1293
SHOW_STR (route_script);
1294
SHOW_STR (route_default_gateway);
1295
SHOW_INT (route_default_metric);
1296
SHOW_BOOL (route_noexec);
1297
SHOW_INT (route_delay);
1298
SHOW_INT (route_delay_window);
1299
SHOW_BOOL (route_delay_defined);
1300
SHOW_BOOL (route_nopull);
1301
SHOW_BOOL (route_gateway_via_dhcp);
1302
SHOW_INT (max_routes);
1303
SHOW_BOOL (allow_pull_fqdn);
1304
if (o->routes)
1305
print_route_options (o->routes, D_SHOW_PARMS);
1306
1307
#ifdef ENABLE_MANAGEMENT
1308
SHOW_STR (management_addr);
1309
SHOW_INT (management_port);
1310
SHOW_STR (management_user_pass);
1311
SHOW_INT (management_log_history_cache);
1312
SHOW_INT (management_echo_buffer_size);
1313
SHOW_STR (management_write_peer_info_file);
1314
SHOW_STR (management_client_user);
1315
SHOW_STR (management_client_group);
1316
SHOW_INT (management_flags);
1317
#endif
1318
#ifdef ENABLE_PLUGIN
1319
if (o->plugin_list)
1320
plugin_option_list_print (o->plugin_list, D_SHOW_PARMS);
1321
#endif
1322
1323
#ifdef USE_CRYPTO
1324
SHOW_STR (shared_secret_file);
1325
SHOW_INT (key_direction);
1326
SHOW_BOOL (ciphername_defined);
1327
SHOW_STR (ciphername);
1328
SHOW_BOOL (authname_defined);
1329
SHOW_STR (authname);
1330
SHOW_STR (prng_hash);
1331
SHOW_INT (prng_nonce_secret_len);
1332
SHOW_INT (keysize);
1333
SHOW_BOOL (engine);
1334
SHOW_BOOL (replay);
1335
SHOW_BOOL (mute_replay_warnings);
1336
SHOW_INT (replay_window);
1337
SHOW_INT (replay_time);
1338
SHOW_STR (packet_id_file);
1339
SHOW_BOOL (use_iv);
1340
SHOW_BOOL (test_crypto);
1341
1342
#ifdef USE_SSL
1343
SHOW_BOOL (tls_server);
1344
SHOW_BOOL (tls_client);
1345
SHOW_INT (key_method);
1346
SHOW_STR (ca_file);
1347
SHOW_STR (ca_path);
1348
SHOW_STR (dh_file);
1349
SHOW_STR (cert_file);
1350
SHOW_STR (priv_key_file);
1351
SHOW_STR (pkcs12_file);
1352
#ifdef WIN32
1353
SHOW_STR (cryptoapi_cert);
1354
#endif
1355
SHOW_STR (cipher_list);
1356
SHOW_STR (tls_verify);
1357
SHOW_STR (tls_export_cert);
1358
SHOW_STR (tls_remote);
1359
SHOW_STR (crl_file);
1360
SHOW_INT (ns_cert_type);
1361
{
1362
int i;
1363
for (i=0;i<MAX_PARMS;i++)
1364
SHOW_INT (remote_cert_ku[i]);
1365
}
1366
SHOW_STR (remote_cert_eku);
1367
1368
SHOW_INT (tls_timeout);
1369
1370
SHOW_INT (renegotiate_bytes);
1371
SHOW_INT (renegotiate_packets);
1372
SHOW_INT (renegotiate_seconds);
1373
1374
SHOW_INT (handshake_window);
1375
SHOW_INT (transition_window);
1376
1377
SHOW_BOOL (single_session);
1378
#ifdef ENABLE_PUSH_PEER_INFO
1379
SHOW_BOOL (push_peer_info);
1380
#endif
1381
SHOW_BOOL (tls_exit);
1382
1383
SHOW_STR (tls_auth_file);
1384
#endif
1385
#endif
1386
1387
#ifdef ENABLE_PKCS11
1388
{
1389
int i;
1390
for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++)
1391
SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s");
1392
}
1393
{
1394
int i;
1395
for (i=0;i<MAX_PARMS;i++)
1396
SHOW_PARM (pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
1397
}
1398
{
1399
int i;
1400
for (i=0;i<MAX_PARMS;i++)
1401
SHOW_PARM (pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
1402
}
1403
{
1404
int i;
1405
for (i=0;i<MAX_PARMS;i++)
1406
SHOW_PARM (pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
1407
}
1408
SHOW_INT (pkcs11_pin_cache_period);
1409
SHOW_STR (pkcs11_id);
1410
SHOW_BOOL (pkcs11_id_management);
1411
#endif /* ENABLE_PKCS11 */
1412
1413
#if P2MP
1414
show_p2mp_parms (o);
1415
#endif
1416
1417
#ifdef WIN32
1418
SHOW_BOOL (show_net_up);
1419
SHOW_INT (route_method);
1420
show_tuntap_options (&o->tuntap_options);
1421
#endif
1422
#endif
1423
}
1424
1425
#undef SHOW_PARM
1426
#undef SHOW_STR
1427
#undef SHOW_INT
1428
#undef SHOW_BOOL
1429
1430
#ifdef ENABLE_HTTP_PROXY
1431
1432
struct http_proxy_options *
1433
init_http_options_if_undefined (struct options *o)
1434
{
1435
if (!o->ce.http_proxy_options)
1436
{
1437
ALLOC_OBJ_CLEAR_GC (o->ce.http_proxy_options, struct http_proxy_options, &o->gc);
1438
/* http proxy defaults */
1439
o->ce.http_proxy_options->timeout = 5;
1440
o->ce.http_proxy_options->http_version = "1.0";
1441
}
1442
return o->ce.http_proxy_options;
1443
}
1444
1445
#endif
1446
1447
#if HTTP_PROXY_FALLBACK
1448
1449
static struct http_proxy_options *
1450
parse_http_proxy_override (const char *server,
1451
const char *port,
1452
const char *flags,
1453
const int msglevel,
1454
struct gc_arena *gc)
1455
{
1456
if (server && port)
1457
{
1458
struct http_proxy_options *ho;
1459
const int int_port = atoi(port);
1460
1461
if (!legal_ipv4_port (int_port))
1462
{
1463
msg (msglevel, "Bad http-proxy port number: %s", port);
1464
return NULL;
1465
}
1466
1467
ALLOC_OBJ_CLEAR_GC (ho, struct http_proxy_options, gc);
1468
ho->server = string_alloc(server, gc);
1469
ho->port = int_port;
1470
ho->retry = true;
1471
ho->timeout = 5;
1472
if (flags && !strcmp(flags, "nct"))
1473
ho->auth_retry = PAR_NCT;
1474
else
1475
ho->auth_retry = PAR_ALL;
1476
ho->http_version = "1.0";
1477
ho->user_agent = "OpenVPN-Autoproxy/1.0";
1478
return ho;
1479
}
1480
else
1481
return NULL;
1482
}
1483
1484
struct http_proxy_options *
1485
parse_http_proxy_fallback (struct context *c,
1486
const char *server,
1487
const char *port,
1488
const char *flags,
1489
const int msglevel)
1490
{
1491
struct gc_arena gc = gc_new ();
1492
struct http_proxy_options *ret = NULL;
1493
struct http_proxy_options *hp = parse_http_proxy_override(server, port, flags, msglevel, &gc);
1494
if (hp)
1495
{
1496
struct hpo_store *hpos = c->options.hpo_store;
1497
if (!hpos)
1498
{
1499
ALLOC_OBJ_CLEAR_GC (hpos, struct hpo_store, &c->options.gc);
1500
c->options.hpo_store = hpos;
1501
}
1502
hpos->hpo = *hp;
1503
hpos->hpo.server = hpos->server;
1504
strncpynt(hpos->server, hp->server, sizeof(hpos->server));
1505
ret = &hpos->hpo;
1506
}
1507
gc_free (&gc);
1508
return ret;
1509
}
1510
1511
static void
1512
http_proxy_warn(const char *name)
1513
{
1514
msg (M_WARN, "Note: option %s ignored because no TCP-based connection profiles are defined", name);
1515
}
1516
1517
void
1518
options_postprocess_http_proxy_fallback (struct options *o)
1519
{
1520
struct connection_list *l = o->connection_list;
1521
if (l)
1522
{
1523
int i;
1524
for (i = 0; i < l->len; ++i)
1525
{
1526
struct connection_entry *ce = l->array[i];
1527
if (ce->proto == PROTO_TCPv4_CLIENT || ce->proto == PROTO_TCPv4)
1528
{
1529
if (l->len < CONNECTION_LIST_SIZE)
1530
{
1531
struct connection_entry *newce;
1532
ALLOC_OBJ_GC (newce, struct connection_entry, &o->gc);
1533
*newce = *ce;
1534
newce->flags |= CE_HTTP_PROXY_FALLBACK;
1535
newce->http_proxy_options = NULL;
1536
newce->ce_http_proxy_fallback_timestamp = 0;
1537
l->array[l->len++] = newce;
1538
}
1539
return;
1540
}
1541
}
1542
}
1543
http_proxy_warn("http-proxy-fallback");
1544
}
1545
1546
void
1547
options_postprocess_http_proxy_override (struct options *o)
1548
{
1549
const struct connection_list *l = o->connection_list;
1550
if (l)
1551
{
1552
int i;
1553
bool succeed = false;
1554
for (i = 0; i < l->len; ++i)
1555
{
1556
struct connection_entry *ce = l->array[i];
1557
if (ce->proto == PROTO_TCPv4_CLIENT || ce->proto == PROTO_TCPv4)
1558
{
1559
ce->http_proxy_options = o->http_proxy_override;
1560
succeed = true;
1561
}
1562
}
1563
if (succeed)
1564
{
1565
for (i = 0; i < l->len; ++i)
1566
{
1567
struct connection_entry *ce = l->array[i];
1568
if (ce->proto == PROTO_UDPv4)
1569
{
1570
ce->flags |= CE_DISABLED;
1571
}
1572
}
1573
}
1574
else
1575
{
1576
http_proxy_warn("http-proxy-override");
1577
}
1578
}
1579
}
1580
1581
#endif
1582
1583
#if ENABLE_CONNECTION
1584
1585
static struct connection_list *
1586
alloc_connection_list_if_undef (struct options *options)
1587
{
1588
if (!options->connection_list)
1589
ALLOC_OBJ_CLEAR_GC (options->connection_list, struct connection_list, &options->gc);
1590
return options->connection_list;
1591
}
1592
1593
static struct connection_entry *
1594
alloc_connection_entry (struct options *options, const int msglevel)
1595
{
1596
struct connection_list *l = alloc_connection_list_if_undef (options);
1597
struct connection_entry *e;
1598
1599
if (l->len >= CONNECTION_LIST_SIZE)
1600
{
1601
msg (msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
1602
return NULL;
1603
}
1604
ALLOC_OBJ_GC (e, struct connection_entry, &options->gc);
1605
l->array[l->len++] = e;
1606
return e;
1607
}
1608
1609
static struct remote_list *
1610
alloc_remote_list_if_undef (struct options *options)
1611
{
1612
if (!options->remote_list)
1613
ALLOC_OBJ_CLEAR_GC (options->remote_list, struct remote_list, &options->gc);
1614
return options->remote_list;
1615
}
1616
1617
static struct remote_entry *
1618
alloc_remote_entry (struct options *options, const int msglevel)
1619
{
1620
struct remote_list *l = alloc_remote_list_if_undef (options);
1621
struct remote_entry *e;
1622
1623
if (l->len >= CONNECTION_LIST_SIZE)
1624
{
1625
msg (msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
1626
return NULL;
1627
}
1628
ALLOC_OBJ_GC (e, struct remote_entry, &options->gc);
1629
l->array[l->len++] = e;
1630
return e;
1631
}
1632
1633
#endif
1634
1635
void
1636
connection_entry_load_re (struct connection_entry *ce, const struct remote_entry *re)
1637
{
1638
if (re->remote)
1639
ce->remote = re->remote;
1640
if (re->remote_port >= 0)
1641
ce->remote_port = re->remote_port;
1642
if (re->proto >= 0)
1643
ce->proto = re->proto;
1644
}
1645
1646
static void
1647
options_postprocess_verify_ce (const struct options *options, const struct connection_entry *ce)
1648
{
1649
struct options defaults;
1650
int dev = DEV_TYPE_UNDEF;
1651
bool pull = false;
1652
1653
init_options (&defaults, true);
1654
1655
#ifdef USE_CRYPTO
1656
if (options->test_crypto)
1657
{
1658
notnull (options->shared_secret_file, "key file (--secret)");
1659
}
1660
else
1661
#endif
1662
notnull (options->dev, "TUN/TAP device (--dev)");
1663
1664
/*
1665
* Get tun/tap/null device type
1666
*/
1667
dev = dev_type_enum (options->dev, options->dev_type);
1668
1669
/*
1670
* If "proto tcp" is specified, make sure we know whether it is
1671
* tcp-client or tcp-server.
1672
*/
1673
if (ce->proto == PROTO_TCPv4)
1674
msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
1675
1676
/*
1677
* Sanity check on daemon/inetd modes
1678
*/
1679
1680
if (options->daemon && options->inetd)
1681
msg (M_USAGE, "only one of --daemon or --inetd may be specified");
1682
1683
if (options->inetd && (ce->local || ce->remote))
1684
msg (M_USAGE, "--local or --remote cannot be used with --inetd");
1685
1686
if (options->inetd && ce->proto == PROTO_TCPv4_CLIENT)
1687
msg (M_USAGE, "--proto tcp-client cannot be used with --inetd");
1688
1689
if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCPv4_SERVER)
1690
msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
1691
1692
if (options->inetd == INETD_NOWAIT
1693
#if defined(USE_CRYPTO) && defined(USE_SSL)
1694
&& !(options->tls_server || options->tls_client)
1695
#endif
1696
)
1697
msg (M_USAGE, "--inetd nowait can only be used in TLS mode");
1698
1699
if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
1700
msg (M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
1701
1702
1703
if (options->lladdr && dev != DEV_TYPE_TAP)
1704
msg (M_USAGE, "--lladdr can only be used in --dev tap mode");
1705
1706
/*
1707
* Sanity check on TCP mode options
1708
*/
1709
1710
if (ce->connect_retry_defined && ce->proto != PROTO_TCPv4_CLIENT)
1711
msg (M_USAGE, "--connect-retry doesn't make sense unless also used with --proto tcp-client");
1712
1713
if (ce->connect_timeout_defined && ce->proto != PROTO_TCPv4_CLIENT)
1714
msg (M_USAGE, "--connect-timeout doesn't make sense unless also used with --proto tcp-client");
1715
1716
/*
1717
* Sanity check on MTU parameters
1718
*/
1719
if (options->tun_mtu_defined && options->link_mtu_defined)
1720
msg (M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
1721
1722
#ifdef ENABLE_OCC
1723
if (ce->proto != PROTO_UDPv4 && options->mtu_test)
1724
msg (M_USAGE, "--mtu-test only makes sense with --proto udp");
1725
#endif
1726
1727
/* will we be pulling options from server? */
1728
#if P2MP
1729
pull = options->pull;
1730
#endif
1731
1732
/*
1733
* Sanity check on --local, --remote, and --ifconfig
1734
*/
1735
1736
if (string_defined_equal (ce->local, ce->remote)
1737
&& ce->local_port == ce->remote_port)
1738
msg (M_USAGE, "--remote and --local addresses are the same");
1739
1740
if (string_defined_equal (ce->remote, options->ifconfig_local)
1741
|| string_defined_equal (ce->remote, options->ifconfig_remote_netmask))
1742
msg (M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses");
1743
1744
if (string_defined_equal (ce->local, options->ifconfig_local)
1745
|| string_defined_equal (ce->local, options->ifconfig_remote_netmask))
1746
msg (M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
1747
1748
if (string_defined_equal (options->ifconfig_local, options->ifconfig_remote_netmask))
1749
msg (M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
1750
1751
if (ce->bind_defined && !ce->bind_local)
1752
msg (M_USAGE, "--bind and --nobind can't be used together");
1753
1754
if (ce->local && !ce->bind_local)
1755
msg (M_USAGE, "--local and --nobind don't make sense when used together");
1756
1757
if (ce->local_port_defined && !ce->bind_local)
1758
msg (M_USAGE, "--lport and --nobind don't make sense when used together");
1759
1760
if (!ce->remote && !ce->bind_local)
1761
msg (M_USAGE, "--nobind doesn't make sense unless used with --remote");
1762
1763
/*
1764
* Check for consistency of management options
1765
*/
1766
#ifdef ENABLE_MANAGEMENT
1767
if (!options->management_addr &&
1768
(options->management_flags
1769
|| options->management_write_peer_info_file
1770
|| options->management_log_history_cache != defaults.management_log_history_cache))
1771
msg (M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
1772
1773
if ((options->management_client_user || options->management_client_group)
1774
&& !(options->management_flags & MF_UNIX_SOCK))
1775
msg (M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
1776
#endif
1777
1778
/*
1779
* Windows-specific options.
1780
*/
1781
1782
#ifdef WIN32
1783
if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
1784
msg (M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
1785
1786
if ((options->tuntap_options.ip_win32_defined)
1787
&& !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
1788
msg (M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
1789
1790
if (options->tuntap_options.dhcp_options
1791
&& options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
1792
&& options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
1793
msg (M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive");
1794
#endif
1795
1796
/*
1797
* Check that protocol options make sense.
1798
*/
1799
1800
#ifdef ENABLE_FRAGMENT
1801
if (ce->proto != PROTO_UDPv4 && options->fragment)
1802
msg (M_USAGE, "--fragment can only be used with --proto udp");
1803
#endif
1804
1805
#ifdef ENABLE_OCC
1806
if (ce->proto != PROTO_UDPv4 && options->explicit_exit_notification)
1807
msg (M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
1808
#endif
1809
1810
if (!ce->remote && ce->proto == PROTO_TCPv4_CLIENT)
1811
msg (M_USAGE, "--remote MUST be used in TCP Client mode");
1812
1813
#ifdef ENABLE_HTTP_PROXY
1814
if ((ce->http_proxy_options || options->auto_proxy_info) && ce->proto != PROTO_TCPv4_CLIENT)
1815
msg (M_USAGE, "--http-proxy or --auto-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
1816
#endif
1817
1818
#if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_SOCKS)
1819
if (ce->http_proxy_options && ce->socks_proxy_server)
1820
msg (M_USAGE, "--http-proxy can not be used together with --socks-proxy");
1821
#endif
1822
1823
#ifdef ENABLE_SOCKS
1824
if (ce->socks_proxy_server && ce->proto == PROTO_TCPv4_SERVER)
1825
msg (M_USAGE, "--socks-proxy can not be used in TCP Server mode");
1826
#endif
1827
1828
if (ce->proto == PROTO_TCPv4_SERVER && connection_list_defined (options))
1829
msg (M_USAGE, "TCP server mode allows at most one --remote address");
1830
1831
#if P2MP_SERVER
1832
1833
/*
1834
* Check consistency of --mode server options.
1835
*/
1836
if (options->mode == MODE_SERVER)
1837
{
1838
if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
1839
msg (M_USAGE, "--mode server only works with --dev tun or --dev tap");
1840
if (options->pull)
1841
msg (M_USAGE, "--pull cannot be used with --mode server");
1842
if (!(ce->proto == PROTO_UDPv4 || ce->proto == PROTO_TCPv4_SERVER))
1843
msg (M_USAGE, "--mode server currently only supports --proto udp or --proto tcp-server");
1844
#if PORT_SHARE
1845
if ((options->port_share_host || options->port_share_port) && ce->proto != PROTO_TCPv4_SERVER)
1846
msg (M_USAGE, "--port-share only works in TCP server mode (--proto tcp-server)");
1847
#endif
1848
if (!options->tls_server)
1849
msg (M_USAGE, "--mode server requires --tls-server");
1850
if (ce->remote)
1851
msg (M_USAGE, "--remote cannot be used with --mode server");
1852
if (!ce->bind_local)
1853
msg (M_USAGE, "--nobind cannot be used with --mode server");
1854
#ifdef ENABLE_HTTP_PROXY
1855
if (ce->http_proxy_options)
1856
msg (M_USAGE, "--http-proxy cannot be used with --mode server");
1857
#endif
1858
#ifdef ENABLE_SOCKS
1859
if (ce->socks_proxy_server)
1860
msg (M_USAGE, "--socks-proxy cannot be used with --mode server");
1861
#endif
1862
#ifdef ENABLE_CONNECTION
1863
if (options->connection_list)
1864
msg (M_USAGE, "<connection> cannot be used with --mode server");
1865
#endif
1866
if (options->tun_ipv6)
1867
msg (M_USAGE, "--tun-ipv6 cannot be used with --mode server");
1868
if (options->shaper)
1869
msg (M_USAGE, "--shaper cannot be used with --mode server");
1870
if (options->inetd)
1871
msg (M_USAGE, "--inetd cannot be used with --mode server");
1872
if (options->ipchange)
1873
msg (M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)");
1874
if (!(ce->proto == PROTO_UDPv4 || ce->proto == PROTO_TCPv4_SERVER))
1875
msg (M_USAGE, "--mode server currently only supports --proto udp or --proto tcp-server");
1876
if (ce->proto != PROTO_UDPv4 && (options->cf_max || options->cf_per))
1877
msg (M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
1878
if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
1879
msg (M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
1880
#ifdef ENABLE_OCC
1881
if (options->explicit_exit_notification)
1882
msg (M_USAGE, "--explicit-exit-notify cannot be used with --mode server");
1883
#endif
1884
if (options->routes && (options->routes->flags & RG_ENABLE))
1885
msg (M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
1886
if (options->route_delay_defined)
1887
msg (M_USAGE, "--route-delay cannot be used with --mode server");
1888
if (options->up_delay)
1889
msg (M_USAGE, "--up-delay cannot be used with --mode server");
1890
if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
1891
msg (M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
1892
if (options->auth_user_pass_file)
1893
msg (M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
1894
if (options->ccd_exclusive && !options->client_config_dir)
1895
msg (M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
1896
if (options->key_method != 2)
1897
msg (M_USAGE, "--mode server requires --key-method 2");
1898
1899
{
1900
const bool ccnr = (options->auth_user_pass_verify_script
1901
|| PLUGIN_OPTION_LIST (options)
1902
|| MAN_CLIENT_AUTH_ENABLED (options));
1903
const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
1904
if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && !ccnr)
1905
msg (M_USAGE, "--client-cert-not-required %s", postfix);
1906
if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
1907
msg (M_USAGE, "--username-as-common-name %s", postfix);
1908
if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
1909
msg (M_USAGE, "--auth-user-pass-optional %s", postfix);
1910
}
1911
1912
if ((options->ssl_flags & SSLF_NO_NAME_REMAPPING) && script_method == SM_SYSTEM)
1913
msg (M_USAGE, "--script-security method='system' cannot be combined with --no-name-remapping");
1914
}
1915
else
1916
{
1917
/*
1918
* When not in server mode, err if parameters are
1919
* specified which require --mode server.
1920
*/
1921
if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
1922
msg (M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
1923
if (options->real_hash_size != defaults.real_hash_size
1924
|| options->virtual_hash_size != defaults.virtual_hash_size)
1925
msg (M_USAGE, "--hash-size requires --mode server");
1926
if (options->learn_address_script)
1927
msg (M_USAGE, "--learn-address requires --mode server");
1928
if (options->client_connect_script)
1929
msg (M_USAGE, "--client-connect requires --mode server");
1930
if (options->client_disconnect_script)
1931
msg (M_USAGE, "--client-disconnect requires --mode server");
1932
if (options->client_config_dir || options->ccd_exclusive)
1933
msg (M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
1934
if (options->enable_c2c)
1935
msg (M_USAGE, "--client-to-client requires --mode server");
1936
if (options->duplicate_cn)
1937
msg (M_USAGE, "--duplicate-cn requires --mode server");
1938
if (options->cf_max || options->cf_per)
1939
msg (M_USAGE, "--connect-freq requires --mode server");
1940
if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
1941
msg (M_USAGE, "--client-cert-not-required requires --mode server");
1942
if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
1943
msg (M_USAGE, "--username-as-common-name requires --mode server");
1944
if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
1945
msg (M_USAGE, "--auth-user-pass-optional requires --mode server");
1946
if (options->ssl_flags & SSLF_NO_NAME_REMAPPING)
1947
msg (M_USAGE, "--no-name-remapping requires --mode server");
1948
if (options->ssl_flags & SSLF_OPT_VERIFY)
1949
msg (M_USAGE, "--opt-verify requires --mode server");
1950
if (options->server_flags & SF_TCP_NODELAY_HELPER)
1951
msg (M_USAGE, "--tcp-nodelay requires --mode server");
1952
if (options->auth_user_pass_verify_script)
1953
msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
1954
#if PORT_SHARE
1955
if (options->port_share_host || options->port_share_port)
1956
msg (M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
1957
#endif
1958
1959
}
1960
#endif /* P2MP_SERVER */
1961
1962
#ifdef USE_CRYPTO
1963
1964
/*
1965
* Check consistency of replay options
1966
*/
1967
if ((ce->proto != PROTO_UDPv4)
1968
&& (options->replay_window != defaults.replay_window
1969
|| options->replay_time != defaults.replay_time))
1970
msg (M_USAGE, "--replay-window only makes sense with --proto udp");
1971
1972
if (!options->replay
1973
&& (options->replay_window != defaults.replay_window
1974
|| options->replay_time != defaults.replay_time))
1975
msg (M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
1976
1977
/*
1978
* SSL/TLS mode sanity checks.
1979
*/
1980
1981
#ifdef USE_SSL
1982
if (options->tls_server + options->tls_client +
1983
(options->shared_secret_file != NULL) > 1)
1984
msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
1985
1986
if (options->tls_server)
1987
{
1988
notnull (options->dh_file, "DH file (--dh)");
1989
}
1990
if (options->tls_server || options->tls_client)
1991
{
1992
#ifdef ENABLE_PKCS11
1993
if (options->pkcs11_providers[0])
1994
{
1995
notnull (options->ca_file, "CA file (--ca)");
1996
1997
if (options->pkcs11_id_management && options->pkcs11_id != NULL)
1998
msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
1999
if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
2000
msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2001
if (options->cert_file)
2002
msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2003
if (options->priv_key_file)
2004
msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2005
if (options->pkcs12_file)
2006
msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2007
#ifdef WIN32
2008
if (options->cryptoapi_cert)
2009
msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2010
#endif
2011
}
2012
else
2013
#endif
2014
#ifdef WIN32
2015
if (options->cryptoapi_cert)
2016
{
2017
if ((!(options->ca_file)) && (!(options->ca_path)))
2018
msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2019
if (options->cert_file)
2020
msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2021
if (options->priv_key_file)
2022
msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2023
if (options->pkcs12_file)
2024
msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2025
}
2026
else
2027
#endif
2028
if (options->pkcs12_file)
2029
{
2030
if (options->ca_path)
2031
msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2032
if (options->cert_file)
2033
msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2034
if (options->priv_key_file)
2035
msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
2036
}
2037
else
2038
{
2039
if ((!(options->ca_file)) && (!(options->ca_path)))
2040
msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
2041
if (pull)
2042
{
2043
const int sum = (options->cert_file != NULL) + (options->priv_key_file != NULL);
2044
if (sum == 0)
2045
{
2046
#if P2MP
2047
if (!options->auth_user_pass_file)
2048
#endif
2049
msg (M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
2050
}
2051
else if (sum == 2)
2052
;
2053
else
2054
{
2055
msg (M_USAGE, "If you use one of --cert or --key, you must use them both");
2056
}
2057
}
2058
else
2059
{
2060
notnull (options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2061
notnull (options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
2062
}
2063
}
2064
}
2065
else
2066
{
2067
/*
2068
* Make sure user doesn't specify any TLS options
2069
* when in non-TLS mode.
2070
*/
2071
2072
#define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) msg (M_USAGE, err, #parm);
2073
2074
const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2075
2076
MUST_BE_UNDEF (ca_file);
2077
MUST_BE_UNDEF (ca_path);
2078
MUST_BE_UNDEF (dh_file);
2079
MUST_BE_UNDEF (cert_file);
2080
MUST_BE_UNDEF (priv_key_file);
2081
MUST_BE_UNDEF (pkcs12_file);
2082
MUST_BE_UNDEF (cipher_list);
2083
MUST_BE_UNDEF (tls_verify);
2084
MUST_BE_UNDEF (tls_export_cert);
2085
MUST_BE_UNDEF (tls_remote);
2086
MUST_BE_UNDEF (tls_timeout);
2087
MUST_BE_UNDEF (renegotiate_bytes);
2088
MUST_BE_UNDEF (renegotiate_packets);
2089
MUST_BE_UNDEF (renegotiate_seconds);
2090
MUST_BE_UNDEF (handshake_window);
2091
MUST_BE_UNDEF (transition_window);
2092
MUST_BE_UNDEF (tls_auth_file);
2093
MUST_BE_UNDEF (single_session);
2094
#ifdef ENABLE_PUSH_PEER_INFO
2095
MUST_BE_UNDEF (push_peer_info);
2096
#endif
2097
MUST_BE_UNDEF (tls_exit);
2098
MUST_BE_UNDEF (crl_file);
2099
MUST_BE_UNDEF (key_method);
2100
MUST_BE_UNDEF (ns_cert_type);
2101
MUST_BE_UNDEF (remote_cert_ku[0]);
2102
MUST_BE_UNDEF (remote_cert_eku);
2103
#ifdef ENABLE_PKCS11
2104
MUST_BE_UNDEF (pkcs11_providers[0]);
2105
MUST_BE_UNDEF (pkcs11_private_mode[0]);
2106
MUST_BE_UNDEF (pkcs11_id);
2107
MUST_BE_UNDEF (pkcs11_id_management);
2108
#endif
2109
2110
if (pull)
2111
msg (M_USAGE, err, "--pull");
2112
}
2113
#undef MUST_BE_UNDEF
2114
#endif /* USE_CRYPTO */
2115
#endif /* USE_SSL */
2116
2117
#if P2MP
2118
if (options->auth_user_pass_file && !options->pull)
2119
msg (M_USAGE, "--auth-user-pass requires --pull");
2120
#endif
2121
2122
uninit_options (&defaults);
2123
}
2124
2125
static void
2126
options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)
2127
{
2128
#if P2MP_SERVER
2129
if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
2130
{
2131
if (ce->proto == PROTO_TCPv4)
2132
ce->proto = PROTO_TCPv4_SERVER;
2133
}
2134
#endif
2135
#if P2MP
2136
if (o->client)
2137
{
2138
if (ce->proto == PROTO_TCPv4)
2139
ce->proto = PROTO_TCPv4_CLIENT;
2140
}
2141
#endif
2142
2143
if (ce->proto == PROTO_TCPv4_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2144
ce->bind_local = false;
2145
2146
#ifdef ENABLE_SOCKS
2147
if (ce->proto == PROTO_UDPv4 && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
2148
ce->bind_local = false;
2149
#endif
2150
2151
if (!ce->bind_local)
2152
ce->local_port = 0;
2153
2154
/* if protocol forcing is enabled, disable all protocols except for the forced one */
2155
if (o->proto_force >= 0 && is_proto_tcp(o->proto_force) != is_proto_tcp(ce->proto))
2156
ce->flags |= CE_DISABLED;
2157
}
2158
2159
static void
2160
options_postprocess_mutate_invariant (struct options *options)
2161
{
2162
const int dev = dev_type_enum (options->dev, options->dev_type);
2163
2164
/*
2165
* If --mssfix is supplied without a parameter, default
2166
* it to --fragment value, if --fragment is specified.
2167
*/
2168
if (options->mssfix_default)
2169
{
2170
#ifdef ENABLE_FRAGMENT
2171
if (options->fragment)
2172
options->mssfix = options->fragment;
2173
#else
2174
msg (M_USAGE, "--mssfix must specify a parameter");
2175
#endif
2176
}
2177
2178
/*
2179
* In forking TCP server mode, you don't need to ifconfig
2180
* the tap device (the assumption is that it will be bridged).
2181
*/
2182
if (options->inetd == INETD_NOWAIT)
2183
options->ifconfig_noexec = true;
2184
2185
/*
2186
* Set MTU defaults
2187
*/
2188
{
2189
if (!options->tun_mtu_defined && !options->link_mtu_defined)
2190
{
2191
options->tun_mtu_defined = true;
2192
}
2193
if ((dev == DEV_TYPE_TAP) && !options->tun_mtu_extra_defined)
2194
{
2195
options->tun_mtu_extra_defined = true;
2196
options->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
2197
}
2198
}
2199
2200
#ifdef WIN32
2201
if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
2202
{
2203
if (options->mode == MODE_POINT_TO_POINT)
2204
{
2205
options->route_delay_defined = true;
2206
options->route_delay = 5; /* Vista sometimes has a race without this */
2207
}
2208
}
2209
2210
if (options->ifconfig_noexec)
2211
{
2212
options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
2213
options->ifconfig_noexec = false;
2214
}
2215
#endif
2216
2217
#if P2MP_SERVER
2218
/*
2219
* Check consistency of --mode server options.
2220
*/
2221
if (options->mode == MODE_SERVER)
2222
{
2223
#ifdef WIN32
2224
/*
2225
* We need to explicitly set --tap-sleep because
2226
* we do not schedule event timers in the top-level context.
2227
*/
2228
options->tuntap_options.tap_sleep = 10;
2229
if (options->route_delay_defined && options->route_delay)
2230
options->tuntap_options.tap_sleep = options->route_delay;
2231
options->route_delay_defined = false;
2232
#endif
2233
}
2234
#endif
2235
}
2236
2237
static void
2238
options_postprocess_verify (const struct options *o)
2239
{
2240
#ifdef ENABLE_CONNECTION
2241
if (o->connection_list)
2242
{
2243
int i;
2244
for (i = 0; i < o->connection_list->len; ++i)
2245
options_postprocess_verify_ce (o, o->connection_list->array[i]);
2246
}
2247
else
2248
#endif
2249
options_postprocess_verify_ce (o, &o->ce);
2250
}
2251
2252
static void
2253
options_postprocess_mutate (struct options *o)
2254
{
2255
/*
2256
* Process helper-type options which map to other, more complex
2257
* sequences of options.
2258
*/
2259
helper_client_server (o);
2260
helper_keepalive (o);
2261
helper_tcp_nodelay (o);
2262
2263
options_postprocess_mutate_invariant (o);
2264
2265
#ifdef ENABLE_CONNECTION
2266
if (o->remote_list && !o->connection_list)
2267
{
2268
/*
2269
* For compatibility with 2.0.x, map multiple --remote options
2270
* into connection list (connection lists added in 2.1).
2271
*/
2272
if (o->remote_list->len > 1 || o->force_connection_list)
2273
{
2274
const struct remote_list *rl = o->remote_list;
2275
int i;
2276
for (i = 0; i < rl->len; ++i)
2277
{
2278
const struct remote_entry *re = rl->array[i];
2279
struct connection_entry ce = o->ce;
2280
struct connection_entry *ace;
2281
2282
ASSERT (re->remote);
2283
connection_entry_load_re (&ce, re);
2284
ace = alloc_connection_entry (o, M_USAGE);
2285
ASSERT (ace);
2286
*ace = ce;
2287
}
2288
}
2289
else if (o->remote_list->len == 1) /* one --remote option specified */
2290
{
2291
connection_entry_load_re (&o->ce, o->remote_list->array[0]);
2292
}
2293
else
2294
{
2295
ASSERT (0);
2296
}
2297
}
2298
if (o->connection_list)
2299
{
2300
int i;
2301
for (i = 0; i < o->connection_list->len; ++i)
2302
options_postprocess_mutate_ce (o, o->connection_list->array[i]);
2303
2304
#if HTTP_PROXY_FALLBACK
2305
if (o->http_proxy_override)
2306
options_postprocess_http_proxy_override(o);
2307
else if (o->http_proxy_fallback)
2308
options_postprocess_http_proxy_fallback(o);
2309
#endif
2310
}
2311
else
2312
#endif
2313
options_postprocess_mutate_ce (o, &o->ce);
2314
2315
#if P2MP
2316
/*
2317
* Save certain parms before modifying options via --pull
2318
*/
2319
pre_pull_save (o);
2320
#endif
2321
}
2322
2323
/*
2324
* Sanity check on options.
2325
* Also set some options based on other
2326
* options.
2327
*/
2328
void
2329
options_postprocess (struct options *options)
2330
{
2331
options_postprocess_mutate (options);
2332
options_postprocess_verify (options);
2333
}
2334
2335
#if P2MP
2336
2337
/*
2338
* Save/Restore certain option defaults before --pull is applied.
2339
*/
2340
2341
void
2342
pre_pull_save (struct options *o)
2343
{
2344
if (o->pull)
2345
{
2346
ALLOC_OBJ_CLEAR_GC (o->pre_pull, struct options_pre_pull, &o->gc);
2347
o->pre_pull->tuntap_options = o->tuntap_options;
2348
o->pre_pull->tuntap_options_defined = true;
2349
o->pre_pull->foreign_option_index = o->foreign_option_index;
2350
if (o->routes)
2351
{
2352
o->pre_pull->routes = clone_route_option_list(o->routes, &o->gc);
2353
o->pre_pull->routes_defined = true;
2354
}
2355
}
2356
}
2357
2358
void
2359
pre_pull_restore (struct options *o)
2360
{
2361
const struct options_pre_pull *pp = o->pre_pull;
2362
if (pp)
2363
{
2364
CLEAR (o->tuntap_options);
2365
if (pp->tuntap_options_defined)
2366
o->tuntap_options = pp->tuntap_options;
2367
2368
if (pp->routes_defined)
2369
{
2370
rol_check_alloc (o);
2371
copy_route_option_list (o->routes, pp->routes);
2372
}
2373
else
2374
o->routes = NULL;
2375
2376
o->foreign_option_index = pp->foreign_option_index;
2377
}
2378
2379
o->push_continuation = 0;
2380
}
2381
2382
#endif
2383
2384
#ifdef ENABLE_OCC
2385
2386
/*
2387
* Build an options string to represent data channel encryption options.
2388
* This string must match exactly between peers. The keysize is checked
2389
* separately by read_key().
2390
*
2391
* The following options must match on both peers:
2392
*
2393
* Tunnel options:
2394
*
2395
* --dev tun|tap [unit number need not match]
2396
* --dev-type tun|tap
2397
* --link-mtu
2398
* --udp-mtu
2399
* --tun-mtu
2400
* --proto udp
2401
* --proto tcp-client [matched with --proto tcp-server
2402
* on the other end of the connection]
2403
* --proto tcp-server [matched with --proto tcp-client on
2404
* the other end of the connection]
2405
* --tun-ipv6
2406
* --ifconfig x y [matched with --ifconfig y x on
2407
* the other end of the connection]
2408
*
2409
* --comp-lzo
2410
* --fragment
2411
*
2412
* Crypto Options:
2413
*
2414
* --cipher
2415
* --auth
2416
* --keysize
2417
* --secret
2418
* --no-replay
2419
* --no-iv
2420
*
2421
* SSL Options:
2422
*
2423
* --tls-auth
2424
* --tls-client [matched with --tls-server on
2425
* the other end of the connection]
2426
* --tls-server [matched with --tls-client on
2427
* the other end of the connection]
2428
*/
2429
2430
char *
2431
options_string (const struct options *o,
2432
const struct frame *frame,
2433
struct tuntap *tt,
2434
bool remote,
2435
struct gc_arena *gc)
2436
{
2437
struct buffer out = alloc_buf (OPTION_LINE_SIZE);
2438
bool tt_local = false;
2439
2440
buf_printf (&out, "V4");
2441
2442
/*
2443
* Tunnel Options
2444
*/
2445
2446
buf_printf (&out, ",dev-type %s", dev_type_string (o->dev, o->dev_type));
2447
buf_printf (&out, ",link-mtu %d", EXPANDED_SIZE (frame));
2448
buf_printf (&out, ",tun-mtu %d", PAYLOAD_SIZE (frame));
2449
buf_printf (&out, ",proto %s", proto2ascii (proto_remote (o->ce.proto, remote), true));
2450
if (o->tun_ipv6)
2451
buf_printf (&out, ",tun-ipv6");
2452
2453
/*
2454
* Try to get ifconfig parameters into the options string.
2455
* If tt is undefined, make a temporary instantiation.
2456
*/
2457
if (!tt)
2458
{
2459
tt = init_tun (o->dev,
2460
o->dev_type,
2461
o->topology,
2462
o->ifconfig_local,
2463
o->ifconfig_remote_netmask,
2464
(in_addr_t)0,
2465
(in_addr_t)0,
2466
false,
2467
NULL);
2468
if (tt)
2469
tt_local = true;
2470
}
2471
2472
if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
2473
{
2474
const char *ios = ifconfig_options_string (tt, remote, o->ifconfig_nowarn, gc);
2475
if (ios && strlen (ios))
2476
buf_printf (&out, ",ifconfig %s", ios);
2477
}
2478
if (tt_local)
2479
{
2480
free (tt);
2481
tt = NULL;
2482
}
2483
2484
#ifdef USE_LZO
2485
if (o->lzo & LZO_SELECTED)
2486
buf_printf (&out, ",comp-lzo");
2487
#endif
2488
2489
#ifdef ENABLE_FRAGMENT
2490
if (o->fragment)
2491
buf_printf (&out, ",mtu-dynamic");
2492
#endif
2493
2494
#ifdef USE_CRYPTO
2495
2496
#ifdef USE_SSL
2497
#define TLS_CLIENT (o->tls_client)
2498
#define TLS_SERVER (o->tls_server)
2499
#else
2500
#define TLS_CLIENT (false)
2501
#define TLS_SERVER (false)
2502
#endif
2503
2504
/*
2505
* Key direction
2506
*/
2507
{
2508
const char *kd = keydirection2ascii (o->key_direction, remote);
2509
if (kd)
2510
buf_printf (&out, ",keydir %s", kd);
2511
}
2512
2513
/*
2514
* Crypto Options
2515
*/
2516
if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
2517
{
2518
struct key_type kt;
2519
2520
ASSERT ((o->shared_secret_file != NULL)
2521
+ (TLS_CLIENT == true)
2522
+ (TLS_SERVER == true)
2523
<= 1);
2524
2525
init_key_type (&kt, o->ciphername, o->ciphername_defined,
2526
o->authname, o->authname_defined,
2527
o->keysize, true, false);
2528
2529
buf_printf (&out, ",cipher %s", kt_cipher_name (&kt));
2530
buf_printf (&out, ",auth %s", kt_digest_name (&kt));
2531
buf_printf (&out, ",keysize %d", kt_key_size (&kt));
2532
if (o->shared_secret_file)
2533
buf_printf (&out, ",secret");
2534
if (!o->replay)
2535
buf_printf (&out, ",no-replay");
2536
if (!o->use_iv)
2537
buf_printf (&out, ",no-iv");
2538
}
2539
2540
#ifdef USE_SSL
2541
/*
2542
* SSL Options
2543
*/
2544
{
2545
if (TLS_CLIENT || TLS_SERVER)
2546
{
2547
if (o->tls_auth_file)
2548
buf_printf (&out, ",tls-auth");
2549
2550
if (o->key_method > 1)
2551
buf_printf (&out, ",key-method %d", o->key_method);
2552
}
2553
2554
if (remote)
2555
{
2556
if (TLS_CLIENT)
2557
buf_printf (&out, ",tls-server");
2558
else if (TLS_SERVER)
2559
buf_printf (&out, ",tls-client");
2560
}
2561
else
2562
{
2563
if (TLS_CLIENT)
2564
buf_printf (&out, ",tls-client");
2565
else if (TLS_SERVER)
2566
buf_printf (&out, ",tls-server");
2567
}
2568
}
2569
#endif /* USE_SSL */
2570
2571
#undef TLS_CLIENT
2572
#undef TLS_SERVER
2573
2574
#endif /* USE_CRYPTO */
2575
2576
return BSTR (&out);
2577
}
2578
2579
/*
2580
* Compare option strings for equality.
2581
* If the first two chars of the strings differ, it means that
2582
* we are looking at different versions of the options string,
2583
* therefore don't compare them and return true.
2584
*/
2585
2586
bool
2587
options_cmp_equal (char *actual, const char *expected)
2588
{
2589
return options_cmp_equal_safe (actual, expected, strlen (actual) + 1);
2590
}
2591
2592
void
2593
options_warning (char *actual, const char *expected)
2594
{
2595
options_warning_safe (actual, expected, strlen (actual) + 1);
2596
}
2597
2598
static const char *
2599
options_warning_extract_parm1 (const char *option_string,
2600
struct gc_arena *gc_ret)
2601
{
2602
struct gc_arena gc = gc_new ();
2603
struct buffer b = string_alloc_buf (option_string, &gc);
2604
char *p = gc_malloc (OPTION_PARM_SIZE, false, &gc);
2605
const char *ret;
2606
2607
buf_parse (&b, ' ', p, OPTION_PARM_SIZE);
2608
ret = string_alloc (p, gc_ret);
2609
gc_free (&gc);
2610
return ret;
2611
}
2612
2613
static void
2614
options_warning_safe_scan2 (const int msglevel,
2615
const int delim,
2616
const bool report_inconsistent,
2617
const char *p1,
2618
const struct buffer *b2_src,
2619
const char *b1_name,
2620
const char *b2_name)
2621
{
2622
if (strlen (p1) > 0)
2623
{
2624
struct gc_arena gc = gc_new ();
2625
struct buffer b2 = *b2_src;
2626
const char *p1_prefix = options_warning_extract_parm1 (p1, &gc);
2627
char *p2 = gc_malloc (OPTION_PARM_SIZE, false, &gc);
2628
2629
while (buf_parse (&b2, delim, p2, OPTION_PARM_SIZE))
2630
{
2631
if (strlen (p2))
2632
{
2633
const char *p2_prefix = options_warning_extract_parm1 (p2, &gc);
2634
2635
if (!strcmp (p1, p2))
2636
goto done;
2637
if (!strcmp (p1_prefix, p2_prefix))
2638
{
2639
if (report_inconsistent)
2640
msg (msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
2641
safe_print (p1_prefix, &gc),
2642
b1_name,
2643
safe_print (p1, &gc),
2644
b2_name,
2645
safe_print (p2, &gc));
2646
goto done;
2647
}
2648
}
2649
}
2650
2651
msg (msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
2652
safe_print (p1_prefix, &gc),
2653
b1_name,
2654
b2_name,
2655
b1_name,
2656
safe_print (p1, &gc));
2657
2658
done:
2659
gc_free (&gc);
2660
}
2661
}
2662
2663
static void
2664
options_warning_safe_scan1 (const int msglevel,
2665
const int delim,
2666
const bool report_inconsistent,
2667
const struct buffer *b1_src,
2668
const struct buffer *b2_src,
2669
const char *b1_name,
2670
const char *b2_name)
2671
{
2672
struct gc_arena gc = gc_new ();
2673
struct buffer b = *b1_src;
2674
char *p = gc_malloc (OPTION_PARM_SIZE, true, &gc);
2675
2676
while (buf_parse (&b, delim, p, OPTION_PARM_SIZE))
2677
options_warning_safe_scan2 (msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
2678
2679
gc_free (&gc);
2680
}
2681
2682
static void
2683
options_warning_safe_ml (const int msglevel, char *actual, const char *expected, size_t actual_n)
2684
{
2685
struct gc_arena gc = gc_new ();
2686
2687
if (actual_n > 0)
2688
{
2689
struct buffer local = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
2690
struct buffer remote = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
2691
actual[actual_n - 1] = 0;
2692
2693
buf_printf (&local, "version %s", expected);
2694
buf_printf (&remote, "version %s", actual);
2695
2696
options_warning_safe_scan1 (msglevel, ',', true,
2697
&local, &remote,
2698
"local", "remote");
2699
2700
options_warning_safe_scan1 (msglevel, ',', false,
2701
&remote, &local,
2702
"remote", "local");
2703
}
2704
2705
gc_free (&gc);
2706
}
2707
2708
bool
2709
options_cmp_equal_safe (char *actual, const char *expected, size_t actual_n)
2710
{
2711
struct gc_arena gc = gc_new ();
2712
bool ret = true;
2713
2714
if (actual_n > 0)
2715
{
2716
actual[actual_n - 1] = 0;
2717
#ifndef STRICT_OPTIONS_CHECK
2718
if (strncmp (actual, expected, 2))
2719
{
2720
msg (D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
2721
options_warning_safe_ml (D_SHOW_OCC, actual, expected, actual_n);
2722
}
2723
else
2724
#endif
2725
ret = !strcmp (actual, expected);
2726
}
2727
gc_free (&gc);
2728
return ret;
2729
}
2730
2731
void
2732
options_warning_safe (char *actual, const char *expected, size_t actual_n)
2733
{
2734
options_warning_safe_ml (M_WARN, actual, expected, actual_n);
2735
}
2736
2737
const char *
2738
options_string_version (const char* s, struct gc_arena *gc)
2739
{
2740
struct buffer out = alloc_buf_gc (4, gc);
2741
strncpynt ((char *) BPTR (&out), s, 3);
2742
return BSTR (&out);
2743
}
2744
2745
#endif /* ENABLE_OCC */
2746
2747
static void
2748
foreign_option (struct options *o, char *argv[], int len, struct env_set *es)
2749
{
2750
if (len > 0)
2751
{
2752
struct gc_arena gc = gc_new();
2753
struct buffer name = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
2754
struct buffer value = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
2755
int i;
2756
bool first = true;
2757
bool good = true;
2758
2759
good &= buf_printf (&name, "foreign_option_%d", o->foreign_option_index + 1);
2760
++o->foreign_option_index;
2761
for (i = 0; i < len; ++i)
2762
{
2763
if (argv[i])
2764
{
2765
if (!first)
2766
good &= buf_printf (&value, " ");
2767
good &= buf_printf (&value, "%s", argv[i]);
2768
first = false;
2769
}
2770
}
2771
if (good)
2772
setenv_str (es, BSTR(&name), BSTR(&value));
2773
else
2774
msg (M_WARN, "foreign_option: name/value overflow");
2775
gc_free (&gc);
2776
}
2777
}
2778
2779
/*
2780
* parse/print topology coding
2781
*/
2782
2783
int
2784
parse_topology (const char *str, const int msglevel)
2785
{
2786
if (streq (str, "net30"))
2787
return TOP_NET30;
2788
else if (streq (str, "p2p"))
2789
return TOP_P2P;
2790
else if (streq (str, "subnet"))
2791
return TOP_SUBNET;
2792
else
2793
{
2794
msg (msglevel, "--topology must be net30, p2p, or subnet");
2795
return TOP_UNDEF;
2796
}
2797
}
2798
2799
const char *
2800
print_topology (const int topology)
2801
{
2802
switch (topology)
2803
{
2804
case TOP_UNDEF:
2805
return "undef";
2806
case TOP_NET30:
2807
return "net30";
2808
case TOP_P2P:
2809
return "p2p";
2810
case TOP_SUBNET:
2811
return "subnet";
2812
default:
2813
return "unknown";
2814
}
2815
}
2816
2817
#if P2MP
2818
2819
/*
2820
* Manage auth-retry variable
2821
*/
2822
2823
static int global_auth_retry; /* GLOBAL */
2824
2825
int
2826
auth_retry_get (void)
2827
{
2828
return global_auth_retry;
2829
}
2830
2831
bool
2832
auth_retry_set (const int msglevel, const char *option)
2833
{
2834
if (streq (option, "interact"))
2835
global_auth_retry = AR_INTERACT;
2836
else if (streq (option, "nointeract"))
2837
global_auth_retry = AR_NOINTERACT;
2838
else if (streq (option, "none"))
2839
global_auth_retry = AR_NONE;
2840
else
2841
{
2842
msg (msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
2843
return false;
2844
}
2845
return true;
2846
}
2847
2848
const char *
2849
auth_retry_print (void)
2850
{
2851
switch (global_auth_retry)
2852
{
2853
case AR_NONE:
2854
return "none";
2855
case AR_NOINTERACT:
2856
return "nointeract";
2857
case AR_INTERACT:
2858
return "interact";
2859
default:
2860
return "???";
2861
}
2862
}
2863
2864
#endif
2865
2866
/*
2867
* Print the help message.
2868
*/
2869
static void
2870
usage (void)
2871
{
2872
FILE *fp = msg_fp(0);
2873
2874
#ifdef ENABLE_SMALL
2875
2876
fprintf (fp, "Usage message not available\n");
2877
2878
#else
2879
2880
struct options o;
2881
init_options (&o, true);
2882
2883
#if defined(USE_CRYPTO) && defined(USE_SSL)
2884
fprintf (fp, usage_message,
2885
title_string,
2886
o.ce.connect_retry_seconds,
2887
o.ce.local_port, o.ce.remote_port,
2888
TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
2889
o.verbosity,
2890
o.authname, o.ciphername,
2891
o.replay_window, o.replay_time,
2892
o.tls_timeout, o.renegotiate_seconds,
2893
o.handshake_window, o.transition_window);
2894
#elif defined(USE_CRYPTO)
2895
fprintf (fp, usage_message,
2896
title_string,
2897
o.ce.connect_retry_seconds,
2898
o.ce.local_port, o.ce.remote_port,
2899
TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
2900
o.verbosity,
2901
o.authname, o.ciphername,
2902
o.replay_window, o.replay_time);
2903
#else
2904
fprintf (fp, usage_message,
2905
title_string,
2906
o.ce.connect_retry_seconds,
2907
o.ce.local_port, o.ce.remote_port,
2908
TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
2909
o.verbosity);
2910
#endif
2911
fflush(fp);
2912
2913
#endif /* ENABLE_SMALL */
2914
2915
openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
2916
}
2917
2918
void
2919
usage_small (void)
2920
{
2921
msg (M_WARN|M_NOPREFIX, "Use --help for more information.");
2922
openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
2923
}
2924
2925
static void
2926
usage_version (void)
2927
{
2928
msg (M_INFO|M_NOPREFIX, "%s", title_string);
2929
msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
2930
msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>");
2931
#ifndef ENABLE_SMALL
2932
#ifdef CONFIGURE_CALL
2933
msg (M_INFO|M_NOPREFIX, "\n%s\n", CONFIGURE_CALL);
2934
#endif
2935
#ifdef CONFIGURE_DEFINES
2936
msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
2937
#endif
2938
#endif
2939
openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
2940
}
2941
2942
void
2943
notnull (const char *arg, const char *description)
2944
{
2945
if (!arg)
2946
msg (M_USAGE, "You must define %s", description);
2947
}
2948
2949
bool
2950
string_defined_equal (const char *s1, const char *s2)
2951
{
2952
if (s1 && s2)
2953
return !strcmp (s1, s2);
2954
else
2955
return false;
2956
}
2957
2958
#if 0
2959
static void
2960
ping_rec_err (int msglevel)
2961
{
2962
msg (msglevel, "only one of --ping-exit or --ping-restart options may be specified");
2963
}
2964
#endif
2965
2966
static int
2967
positive_atoi (const char *str)
2968
{
2969
const int i = atoi (str);
2970
return i < 0 ? 0 : i;
2971
}
2972
2973
#ifdef WIN32 /* This function is only used when compiling on Windows */
2974
static unsigned int
2975
atou (const char *str)
2976
{
2977
unsigned int val = 0;
2978
sscanf (str, "%u", &val);
2979
return val;
2980
}
2981
#endif
2982
2983
static inline bool
2984
space (unsigned char c)
2985
{
2986
return c == '\0' || isspace (c);
2987
}
2988
2989
int
2990
parse_line (const char *line,
2991
char *p[],
2992
const int n,
2993
const char *file,
2994
const int line_num,
2995
int msglevel,
2996
struct gc_arena *gc)
2997
{
2998
const int STATE_INITIAL = 0;
2999
const int STATE_READING_QUOTED_PARM = 1;
3000
const int STATE_READING_UNQUOTED_PARM = 2;
3001
const int STATE_DONE = 3;
3002
const int STATE_READING_SQUOTED_PARM = 4;
3003
3004
const char *error_prefix = "";
3005
3006
int ret = 0;
3007
const char *c = line;
3008
int state = STATE_INITIAL;
3009
bool backslash = false;
3010
char in, out;
3011
3012
char parm[OPTION_PARM_SIZE];
3013
unsigned int parm_len = 0;
3014
3015
msglevel &= ~M_OPTERR;
3016
3017
if (msglevel & M_MSG_VIRT_OUT)
3018
error_prefix = "ERROR: ";
3019
3020
do
3021
{
3022
in = *c;
3023
out = 0;
3024
3025
if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
3026
{
3027
backslash = true;
3028
}
3029
else
3030
{
3031
if (state == STATE_INITIAL)
3032
{
3033
if (!space (in))
3034
{
3035
if (in == ';' || in == '#') /* comment */
3036
break;
3037
if (!backslash && in == '\"')
3038
state = STATE_READING_QUOTED_PARM;
3039
else if (!backslash && in == '\'')
3040
state = STATE_READING_SQUOTED_PARM;
3041
else
3042
{
3043
out = in;
3044
state = STATE_READING_UNQUOTED_PARM;
3045
}
3046
}
3047
}
3048
else if (state == STATE_READING_UNQUOTED_PARM)
3049
{
3050
if (!backslash && space (in))
3051
state = STATE_DONE;
3052
else
3053
out = in;
3054
}
3055
else if (state == STATE_READING_QUOTED_PARM)
3056
{
3057
if (!backslash && in == '\"')
3058
state = STATE_DONE;
3059
else
3060
out = in;
3061
}
3062
else if (state == STATE_READING_SQUOTED_PARM)
3063
{
3064
if (in == '\'')
3065
state = STATE_DONE;
3066
else
3067
out = in;
3068
}
3069
if (state == STATE_DONE)
3070
{
3071
/* ASSERT (parm_len > 0); */
3072
p[ret] = gc_malloc (parm_len + 1, true, gc);
3073
memcpy (p[ret], parm, parm_len);
3074
p[ret][parm_len] = '\0';
3075
state = STATE_INITIAL;
3076
parm_len = 0;
3077
++ret;
3078
}
3079
3080
if (backslash && out)
3081
{
3082
if (!(out == '\\' || out == '\"' || space (out)))
3083
{
3084
#ifdef ENABLE_SMALL
3085
msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
3086
#else
3087
msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
3088
#endif
3089
return 0;
3090
}
3091
}
3092
backslash = false;
3093
}
3094
3095
/* store parameter character */
3096
if (out)
3097
{
3098
if (parm_len >= SIZE (parm))
3099
{
3100
parm[SIZE (parm) - 1] = 0;
3101
msg (msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
3102
error_prefix, file, line_num, (int) SIZE (parm), parm);
3103
return 0;
3104
}
3105
parm[parm_len++] = out;
3106
}
3107
3108
/* avoid overflow if too many parms in one config file line */
3109
if (ret >= n)
3110
break;
3111
3112
} while (*c++ != '\0');
3113
3114
if (state == STATE_READING_QUOTED_PARM)
3115
{
3116
msg (msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
3117
return 0;
3118
}
3119
if (state == STATE_READING_SQUOTED_PARM)
3120
{
3121
msg (msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
3122
return 0;
3123
}
3124
if (state != STATE_INITIAL)
3125
{
3126
msg (msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
3127
return 0;
3128
}
3129
#if 0
3130
{
3131
int i;
3132
for (i = 0; i < ret; ++i)
3133
{
3134
msg (M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
3135
}
3136
}
3137
#endif
3138
return ret;
3139
}
3140
3141
static void
3142
bypass_doubledash (char **p)
3143
{
3144
if (strlen (*p) >= 3 && !strncmp (*p, "--", 2))
3145
*p += 2;
3146
}
3147
3148
#if ENABLE_INLINE_FILES
3149
3150
struct in_src {
3151
# define IS_TYPE_FP 1
3152
# define IS_TYPE_BUF 2
3153
int type;
3154
union {
3155
FILE *fp;
3156
struct buffer *multiline;
3157
} u;
3158
};
3159
3160
static bool
3161
in_src_get (const struct in_src *is, char *line, const int size)
3162
{
3163
if (is->type == IS_TYPE_FP)
3164
{
3165
return BOOL_CAST (fgets (line, size, is->u.fp));
3166
}
3167
else if (is->type == IS_TYPE_BUF)
3168
{
3169
bool status = buf_parse (is->u.multiline, '\n', line, size);
3170
if ((int) strlen (line) + 1 < size)
3171
strcat (line, "\n");
3172
return status;
3173
}
3174
else
3175
{
3176
ASSERT (0);
3177
return false;
3178
}
3179
}
3180
3181
static char *
3182
read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc)
3183
{
3184
char line[OPTION_LINE_SIZE];
3185
struct buffer buf = alloc_buf (10000);
3186
char *ret;
3187
while (in_src_get (is, line, sizeof (line)))
3188
{
3189
if (!strncmp (line, close_tag, strlen (close_tag)))
3190
break;
3191
buf_printf (&buf, "%s", line);
3192
}
3193
ret = string_alloc (BSTR (&buf), gc);
3194
buf_clear (&buf);
3195
free_buf (&buf);
3196
CLEAR (line);
3197
return ret;
3198
}
3199
3200
static bool
3201
check_inline_file (struct in_src *is, char *p[], struct gc_arena *gc)
3202
{
3203
bool ret = false;
3204
if (p[0] && !p[1])
3205
{
3206
char *arg = p[0];
3207
if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
3208
{
3209
struct buffer close_tag;
3210
arg[strlen(arg)-1] = '\0';
3211
p[0] = string_alloc (arg+1, gc);
3212
p[1] = string_alloc (INLINE_FILE_TAG, gc);
3213
close_tag = alloc_buf (strlen(p[0]) + 4);
3214
buf_printf (&close_tag, "</%s>", p[0]);
3215
p[2] = read_inline_file (is, BSTR (&close_tag), gc);
3216
p[3] = NULL;
3217
free_buf (&close_tag);
3218
ret = true;
3219
}
3220
}
3221
return ret;
3222
}
3223
3224
static bool
3225
check_inline_file_via_fp (FILE *fp, char *p[], struct gc_arena *gc)
3226
{
3227
struct in_src is;
3228
is.type = IS_TYPE_FP;
3229
is.u.fp = fp;
3230
return check_inline_file (&is, p, gc);
3231
}
3232
3233
static bool
3234
check_inline_file_via_buf (struct buffer *multiline, char *p[], struct gc_arena *gc)
3235
{
3236
struct in_src is;
3237
is.type = IS_TYPE_BUF;
3238
is.u.multiline = multiline;
3239
return check_inline_file (&is, p, gc);
3240
}
3241
3242
#endif
3243
3244
static void
3245
add_option (struct options *options,
3246
char *p[],
3247
const char *file,
3248
int line,
3249
const int level,
3250
const int msglevel,
3251
const unsigned int permission_mask,
3252
unsigned int *option_types_found,
3253
struct env_set *es);
3254
3255
static void
3256
read_config_file (struct options *options,
3257
const char *file,
3258
int level,
3259
const char *top_file,
3260
const int top_line,
3261
const int msglevel,
3262
const unsigned int permission_mask,
3263
unsigned int *option_types_found,
3264
struct env_set *es)
3265
{
3266
const int max_recursive_levels = 10;
3267
FILE *fp;
3268
int line_num;
3269
char line[OPTION_LINE_SIZE];
3270
char *p[MAX_PARMS];
3271
3272
++level;
3273
if (level <= max_recursive_levels)
3274
{
3275
if (streq (file, "stdin"))
3276
fp = stdin;
3277
else
3278
fp = fopen (file, "r");
3279
if (fp)
3280
{
3281
line_num = 0;
3282
while (fgets(line, sizeof (line), fp))
3283
{
3284
CLEAR (p);
3285
++line_num;
3286
if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
3287
{
3288
bypass_doubledash (&p[0]);
3289
#if ENABLE_INLINE_FILES
3290
check_inline_file_via_fp (fp, p, &options->gc);
3291
#endif
3292
add_option (options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
3293
}
3294
}
3295
if (fp != stdin)
3296
fclose (fp);
3297
}
3298
else
3299
{
3300
msg (msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
3301
}
3302
}
3303
else
3304
{
3305
msg (msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
3306
}
3307
CLEAR (line);
3308
CLEAR (p);
3309
}
3310
3311
static void
3312
read_config_string (const char *prefix,
3313
struct options *options,
3314
const char *config,
3315
const int msglevel,
3316
const unsigned int permission_mask,
3317
unsigned int *option_types_found,
3318
struct env_set *es)
3319
{
3320
char line[OPTION_LINE_SIZE];
3321
struct buffer multiline;
3322
int line_num = 0;
3323
3324
buf_set_read (&multiline, (uint8_t*)config, strlen (config));
3325
3326
while (buf_parse (&multiline, '\n', line, sizeof (line)))
3327
{
3328
char *p[MAX_PARMS];
3329
CLEAR (p);
3330
++line_num;
3331
if (parse_line (line, p, SIZE (p), prefix, line_num, msglevel, &options->gc))
3332
{
3333
bypass_doubledash (&p[0]);
3334
#if ENABLE_INLINE_FILES
3335
check_inline_file_via_buf (&multiline, p, &options->gc);
3336
#endif
3337
add_option (options, p, NULL, line_num, 0, msglevel, permission_mask, option_types_found, es);
3338
}
3339
CLEAR (p);
3340
}
3341
CLEAR (line);
3342
}
3343
3344
void
3345
parse_argv (struct options *options,
3346
const int argc,
3347
char *argv[],
3348
const int msglevel,
3349
const unsigned int permission_mask,
3350
unsigned int *option_types_found,
3351
struct env_set *es)
3352
{
3353
int i, j;
3354
3355
/* usage message */
3356
if (argc <= 1)
3357
usage ();
3358
3359
/* config filename specified only? */
3360
if (argc == 2 && strncmp (argv[1], "--", 2))
3361
{
3362
char *p[MAX_PARMS];
3363
CLEAR (p);
3364
p[0] = "config";
3365
p[1] = argv[1];
3366
add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
3367
}
3368
else
3369
{
3370
/* parse command line */
3371
for (i = 1; i < argc; ++i)
3372
{
3373
char *p[MAX_PARMS];
3374
CLEAR (p);
3375
p[0] = argv[i];
3376
if (strncmp(p[0], "--", 2))
3377
{
3378
msg (msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
3379
}
3380
else
3381
p[0] += 2;
3382
3383
for (j = 1; j < MAX_PARMS; ++j)
3384
{
3385
if (i + j < argc)
3386
{
3387
char *arg = argv[i + j];
3388
if (strncmp (arg, "--", 2))
3389
p[j] = arg;
3390
else
3391
break;
3392
}
3393
}
3394
add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
3395
i += j - 1;
3396
}
3397
}
3398
}
3399
3400
bool
3401
apply_push_options (struct options *options,
3402
struct buffer *buf,
3403
unsigned int permission_mask,
3404
unsigned int *option_types_found,
3405
struct env_set *es)
3406
{
3407
char line[OPTION_PARM_SIZE];
3408
int line_num = 0;
3409
const char *file = "[PUSH-OPTIONS]";
3410
const int msglevel = D_PUSH_ERRORS|M_OPTERR;
3411
3412
while (buf_parse (buf, ',', line, sizeof (line)))
3413
{
3414
char *p[MAX_PARMS];
3415
CLEAR (p);
3416
++line_num;
3417
if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
3418
{
3419
add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
3420
}
3421
}
3422
return true;
3423
}
3424
3425
void
3426
options_server_import (struct options *o,
3427
const char *filename,
3428
int msglevel,
3429
unsigned int permission_mask,
3430
unsigned int *option_types_found,
3431
struct env_set *es)
3432
{
3433
msg (D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
3434
read_config_file (o,
3435
filename,
3436
0,
3437
filename,
3438
0,
3439
msglevel,
3440
permission_mask,
3441
option_types_found,
3442
es);
3443
}
3444
3445
void options_string_import (struct options *options,
3446
const char *config,
3447
const int msglevel,
3448
const unsigned int permission_mask,
3449
unsigned int *option_types_found,
3450
struct env_set *es)
3451
{
3452
read_config_string ("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
3453
}
3454
3455
#if P2MP
3456
3457
#define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], (mask), permission_mask, option_types_found, msglevel)) goto err; }
3458
3459
static bool
3460
verify_permission (const char *name,
3461
const unsigned int type,
3462
const unsigned int allowed,
3463
unsigned int *found,
3464
const int msglevel)
3465
{
3466
if (!(type & allowed))
3467
{
3468
msg (msglevel, "option '%s' cannot be used in this context", name);
3469
return false;
3470
}
3471
else
3472
{
3473
if (found)
3474
*found |= type;
3475
return true;
3476
}
3477
}
3478
3479
#else
3480
3481
#define VERIFY_PERMISSION(mask)
3482
3483
#endif
3484
3485
/*
3486
* Check that an option doesn't have too
3487
* many parameters.
3488
*/
3489
3490
#define NM_QUOTE_HINT (1<<0)
3491
3492
static bool
3493
no_more_than_n_args (const int msglevel,
3494
char *p[],
3495
const int max,
3496
const unsigned int flags)
3497
{
3498
const int len = string_array_len ((const char **)p);
3499
3500
if (!len)
3501
return false;
3502
3503
if (len > max)
3504
{
3505
msg (msglevel, "the --%s directive should have at most %d parameter%s.%s",
3506
p[0],
3507
max - 1,
3508
max >= 3 ? "s" : "",
3509
(flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
3510
return false;
3511
}
3512
else
3513
return true;
3514
}
3515
3516
static inline int
3517
msglevel_forward_compatible (struct options *options, const int msglevel)
3518
{
3519
return options->forward_compatible ? M_WARN : msglevel;
3520
}
3521
3522
static void
3523
warn_multiple_script (const char *script, const char *type) {
3524
if (script) {
3525
msg (M_WARN, "Multiple --%s scripts defined. "
3526
"The previously configured script is overridden.", type);
3527
}
3528
}
3529
3530
3531
static void
3532
add_option (struct options *options,
3533
char *p[],
3534
const char *file,
3535
int line,
3536
const int level,
3537
const int msglevel,
3538
const unsigned int permission_mask,
3539
unsigned int *option_types_found,
3540
struct env_set *es)
3541
{
3542
struct gc_arena gc = gc_new ();
3543
const bool pull_mode = BOOL_CAST (permission_mask & OPT_P_PULL_MODE);
3544
int msglevel_fc = msglevel_forward_compatible (options, msglevel);
3545
3546
ASSERT (MAX_PARMS >= 5);
3547
if (!file)
3548
{
3549
file = "[CMD-LINE]";
3550
line = 1;
3551
}
3552
if (streq (p[0], "help"))
3553
{
3554
VERIFY_PERMISSION (OPT_P_GENERAL);
3555
usage ();
3556
}
3557
if (streq (p[0], "version"))
3558
{
3559
VERIFY_PERMISSION (OPT_P_GENERAL);
3560
usage_version ();
3561
}
3562
else if (streq (p[0], "config") && p[1])
3563
{
3564
VERIFY_PERMISSION (OPT_P_CONFIG);
3565
3566
/* save first config file only in options */
3567
if (!options->config)
3568
options->config = p[1];
3569
3570
read_config_file (options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
3571
}
3572
#if 0
3573
else if (streq (p[0], "foreign-option") && p[1])
3574
{
3575
VERIFY_PERMISSION (OPT_P_IPWIN32);
3576
foreign_option (options, p, 3, es);
3577
}
3578
#endif
3579
else if (streq (p[0], "echo") || streq (p[0], "parameter"))
3580
{
3581
struct buffer string = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
3582
int j;
3583
bool good = true;
3584
3585
VERIFY_PERMISSION (OPT_P_ECHO);
3586
3587
for (j = 1; j < MAX_PARMS; ++j)
3588
{
3589
if (!p[j])
3590
break;
3591
if (j > 1)
3592
good &= buf_printf (&string, " ");
3593
good &= buf_printf (&string, "%s", p[j]);
3594
}
3595
if (good)
3596
{
3597
msg (M_INFO, "%s:%s",
3598
pull_mode ? "ECHO-PULL" : "ECHO",
3599
BSTR (&string));
3600
#ifdef ENABLE_MANAGEMENT
3601
if (management)
3602
management_echo (management, BSTR (&string), pull_mode);
3603
#endif
3604
}
3605
else
3606
msg (M_WARN, "echo/parameter option overflow");
3607
}
3608
#ifdef ENABLE_MANAGEMENT
3609
else if (streq (p[0], "management") && p[1] && p[2])
3610
{
3611
int port = 0;
3612
3613
VERIFY_PERMISSION (OPT_P_GENERAL);
3614
if (streq (p[2], "unix"))
3615
{
3616
#if UNIX_SOCK_SUPPORT
3617
options->management_flags |= MF_UNIX_SOCK;
3618
#else
3619
msg (msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
3620
goto err;
3621
#endif
3622
}
3623
else
3624
{
3625
port = atoi (p[2]);
3626
if (!legal_ipv4_port (port))
3627
{
3628
msg (msglevel, "port number associated with --management directive is out of range");
3629
goto err;
3630
}
3631
}
3632
3633
options->management_addr = p[1];
3634
options->management_port = port;
3635
if (p[3])
3636
{
3637
options->management_user_pass = p[3];
3638
}
3639
}
3640
else if (streq (p[0], "management-client-user") && p[1])
3641
{
3642
VERIFY_PERMISSION (OPT_P_GENERAL);
3643
options->management_client_user = p[1];
3644
}
3645
else if (streq (p[0], "management-client-group") && p[1])
3646
{
3647
VERIFY_PERMISSION (OPT_P_GENERAL);
3648
options->management_client_group = p[1];
3649
}
3650
else if (streq (p[0], "management-query-passwords"))
3651
{
3652
VERIFY_PERMISSION (OPT_P_GENERAL);
3653
options->management_flags |= MF_QUERY_PASSWORDS;
3654
}
3655
else if (streq (p[0], "management-hold"))
3656
{
3657
VERIFY_PERMISSION (OPT_P_GENERAL);
3658
options->management_flags |= MF_HOLD;
3659
}
3660
else if (streq (p[0], "management-signal"))
3661
{
3662
VERIFY_PERMISSION (OPT_P_GENERAL);
3663
options->management_flags |= MF_SIGNAL;
3664
}
3665
else if (streq (p[0], "management-forget-disconnect"))
3666
{
3667
VERIFY_PERMISSION (OPT_P_GENERAL);
3668
options->management_flags |= MF_FORGET_DISCONNECT;
3669
}
3670
else if (streq (p[0], "management-client"))
3671
{
3672
VERIFY_PERMISSION (OPT_P_GENERAL);
3673
options->management_flags |= MF_CONNECT_AS_CLIENT;
3674
options->management_write_peer_info_file = p[1];
3675
}
3676
#ifdef MANAGEMENT_DEF_AUTH
3677
else if (streq (p[0], "management-client-auth"))
3678
{
3679
VERIFY_PERMISSION (OPT_P_GENERAL);
3680
options->management_flags |= MF_CLIENT_AUTH;
3681
}
3682
#endif
3683
#ifdef MANAGEMENT_PF
3684
else if (streq (p[0], "management-client-pf"))
3685
{
3686
VERIFY_PERMISSION (OPT_P_GENERAL);
3687
options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
3688
}
3689
#endif
3690
else if (streq (p[0], "management-log-cache") && p[1])
3691
{
3692
int cache;
3693
3694
VERIFY_PERMISSION (OPT_P_GENERAL);
3695
cache = atoi (p[1]);
3696
if (cache < 1)
3697
{
3698
msg (msglevel, "--management-log-cache parameter is out of range");
3699
goto err;
3700
}
3701
options->management_log_history_cache = cache;
3702
}
3703
#endif
3704
#ifdef ENABLE_PLUGIN
3705
else if (streq (p[0], "plugin") && p[1])
3706
{
3707
VERIFY_PERMISSION (OPT_P_PLUGIN);
3708
if (!options->plugin_list)
3709
options->plugin_list = plugin_option_list_new (&options->gc);
3710
if (!plugin_option_list_add (options->plugin_list, &p[1], &options->gc))
3711
{
3712
msg (msglevel, "plugin add failed: %s", p[1]);
3713
goto err;
3714
}
3715
}
3716
#endif
3717
else if (streq (p[0], "mode") && p[1])
3718
{
3719
VERIFY_PERMISSION (OPT_P_GENERAL);
3720
if (streq (p[1], "p2p"))
3721
options->mode = MODE_POINT_TO_POINT;
3722
#if P2MP_SERVER
3723
else if (streq (p[1], "server"))
3724
options->mode = MODE_SERVER;
3725
#endif
3726
else
3727
{
3728
msg (msglevel, "Bad --mode parameter: %s", p[1]);
3729
goto err;
3730
}
3731
}
3732
else if (streq (p[0], "dev") && p[1])
3733
{
3734
VERIFY_PERMISSION (OPT_P_GENERAL);
3735
options->dev = p[1];
3736
}
3737
else if (streq (p[0], "dev-type") && p[1])
3738
{
3739
VERIFY_PERMISSION (OPT_P_GENERAL);
3740
options->dev_type = p[1];
3741
}
3742
else if (streq (p[0], "dev-node") && p[1])
3743
{
3744
VERIFY_PERMISSION (OPT_P_GENERAL);
3745
options->dev_node = p[1];
3746
}
3747
else if (streq (p[0], "lladdr") && p[1])
3748
{
3749
VERIFY_PERMISSION (OPT_P_UP);
3750
if (mac_addr_safe (p[1])) /* MAC address only */
3751
options->lladdr = p[1];
3752
else
3753
{
3754
msg (msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
3755
goto err;
3756
}
3757
}
3758
else if (streq (p[0], "topology") && p[1])
3759
{
3760
VERIFY_PERMISSION (OPT_P_UP);
3761
options->topology = parse_topology (p[1], msglevel);
3762
}
3763
else if (streq (p[0], "tun-ipv6"))
3764
{
3765
VERIFY_PERMISSION (OPT_P_UP);
3766
options->tun_ipv6 = true;
3767
}
3768
#ifdef CONFIG_FEATURE_IPROUTE
3769
else if (streq (p[0], "iproute") && p[1])
3770
{
3771
VERIFY_PERMISSION (OPT_P_GENERAL);
3772
iproute_path = p[1];
3773
}
3774
#endif
3775
else if (streq (p[0], "ifconfig") && p[1] && p[2])
3776
{
3777
VERIFY_PERMISSION (OPT_P_UP);
3778
if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
3779
{
3780
options->ifconfig_local = p[1];
3781
options->ifconfig_remote_netmask = p[2];
3782
}
3783
else
3784
{
3785
msg (msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
3786
goto err;
3787
}
3788
}
3789
else if (streq (p[0], "ifconfig-noexec"))
3790
{
3791
VERIFY_PERMISSION (OPT_P_UP);
3792
options->ifconfig_noexec = true;
3793
}
3794
else if (streq (p[0], "ifconfig-nowarn"))
3795
{
3796
VERIFY_PERMISSION (OPT_P_UP);
3797
options->ifconfig_nowarn = true;
3798
}
3799
else if (streq (p[0], "local") && p[1])
3800
{
3801
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3802
options->ce.local = p[1];
3803
}
3804
else if (streq (p[0], "remote-random"))
3805
{
3806
VERIFY_PERMISSION (OPT_P_GENERAL);
3807
options->remote_random = true;
3808
}
3809
#if ENABLE_CONNECTION
3810
else if (streq (p[0], "connection") && p[1])
3811
{
3812
VERIFY_PERMISSION (OPT_P_GENERAL);
3813
if (streq (p[1], INLINE_FILE_TAG) && p[2])
3814
{
3815
struct options sub;
3816
struct connection_entry *e;
3817
3818
init_options (&sub, true);
3819
sub.ce = options->ce;
3820
read_config_string ("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es);
3821
if (!sub.ce.remote)
3822
{
3823
msg (msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
3824
goto err;
3825
}
3826
3827
e = alloc_connection_entry (options, msglevel);
3828
if (!e)
3829
goto err;
3830
*e = sub.ce;
3831
gc_transfer (&options->gc, &sub.gc);
3832
uninit_options (&sub);
3833
}
3834
}
3835
#endif
3836
#ifdef ENABLE_CONNECTION
3837
else if (streq (p[0], "remote-ip-hint") && p[1])
3838
{
3839
VERIFY_PERMISSION (OPT_P_GENERAL);
3840
options->remote_ip_hint = p[1];
3841
}
3842
#endif
3843
#if HTTP_PROXY_FALLBACK
3844
else if (streq (p[0], "http-proxy-fallback"))
3845
{
3846
VERIFY_PERMISSION (OPT_P_GENERAL);
3847
options->http_proxy_fallback = true;
3848
options->force_connection_list = true;
3849
}
3850
else if (streq (p[0], "http-proxy-override") && p[1] && p[2])
3851
{
3852
VERIFY_PERMISSION (OPT_P_GENERAL);
3853
options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
3854
if (!options->http_proxy_override)
3855
goto err;
3856
options->force_connection_list = true;
3857
}
3858
#endif
3859
else if (streq (p[0], "remote") && p[1])
3860
{
3861
struct remote_entry re;
3862
re.remote = NULL;
3863
re.remote_port = re.proto = -1;
3864
3865
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3866
re.remote = p[1];
3867
if (p[2])
3868
{
3869
const int port = atoi (p[2]);
3870
if (!legal_ipv4_port (port))
3871
{
3872
msg (msglevel, "remote: port number associated with host %s is out of range", p[1]);
3873
goto err;
3874
}
3875
re.remote_port = port;
3876
if (p[3])
3877
{
3878
const int proto = ascii2proto (p[3]);
3879
if (proto < 0)
3880
{
3881
msg (msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
3882
goto err;
3883
}
3884
re.proto = proto;
3885
}
3886
}
3887
#ifdef ENABLE_CONNECTION
3888
if (permission_mask & OPT_P_GENERAL)
3889
{
3890
struct remote_entry *e = alloc_remote_entry (options, msglevel);
3891
if (!e)
3892
goto err;
3893
*e = re;
3894
}
3895
else if (permission_mask & OPT_P_CONNECTION)
3896
#endif
3897
{
3898
connection_entry_load_re (&options->ce, &re);
3899
}
3900
}
3901
else if (streq (p[0], "resolv-retry") && p[1])
3902
{
3903
VERIFY_PERMISSION (OPT_P_GENERAL);
3904
if (streq (p[1], "infinite"))
3905
options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
3906
else
3907
options->resolve_retry_seconds = positive_atoi (p[1]);
3908
}
3909
else if (streq (p[0], "connect-retry") && p[1])
3910
{
3911
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3912
options->ce.connect_retry_seconds = positive_atoi (p[1]);
3913
options->ce.connect_retry_defined = true;
3914
}
3915
else if (streq (p[0], "connect-timeout") && p[1])
3916
{
3917
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3918
options->ce.connect_timeout = positive_atoi (p[1]);
3919
options->ce.connect_timeout_defined = true;
3920
}
3921
else if (streq (p[0], "connect-retry-max") && p[1])
3922
{
3923
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3924
options->ce.connect_retry_max = positive_atoi (p[1]);
3925
}
3926
else if (streq (p[0], "ipchange") && p[1])
3927
{
3928
VERIFY_PERMISSION (OPT_P_SCRIPT);
3929
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
3930
goto err;
3931
warn_multiple_script (options->ipchange, "ipchange");
3932
options->ipchange = string_substitute (p[1], ',', ' ', &options->gc);
3933
}
3934
else if (streq (p[0], "float"))
3935
{
3936
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
3937
options->ce.remote_float = true;
3938
}
3939
#ifdef ENABLE_DEBUG
3940
else if (streq (p[0], "gremlin") && p[1])
3941
{
3942
VERIFY_PERMISSION (OPT_P_GENERAL);
3943
options->gremlin = positive_atoi (p[1]);
3944
}
3945
#endif
3946
else if (streq (p[0], "chroot") && p[1])
3947
{
3948
VERIFY_PERMISSION (OPT_P_GENERAL);
3949
options->chroot_dir = p[1];
3950
}
3951
else if (streq (p[0], "cd") && p[1])
3952
{
3953
VERIFY_PERMISSION (OPT_P_GENERAL);
3954
if (openvpn_chdir (p[1]))
3955
{
3956
msg (M_ERR, "cd to '%s' failed", p[1]);
3957
goto err;
3958
}
3959
options->cd_dir = p[1];
3960
}
3961
#ifdef HAVE_SETCON
3962
else if (streq (p[0], "setcon") && p[1])
3963
{
3964
VERIFY_PERMISSION (OPT_P_GENERAL);
3965
options->selinux_context = p[1];
3966
}
3967
#endif
3968
else if (streq (p[0], "writepid") && p[1])
3969
{
3970
VERIFY_PERMISSION (OPT_P_GENERAL);
3971
options->writepid = p[1];
3972
}
3973
else if (streq (p[0], "up") && p[1])
3974
{
3975
VERIFY_PERMISSION (OPT_P_SCRIPT);
3976
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
3977
goto err;
3978
warn_multiple_script (options->up_script, "up");
3979
options->up_script = p[1];
3980
}
3981
else if (streq (p[0], "down") && p[1])
3982
{
3983
VERIFY_PERMISSION (OPT_P_SCRIPT);
3984
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
3985
goto err;
3986
warn_multiple_script (options->down_script, "down");
3987
options->down_script = p[1];
3988
}
3989
else if (streq (p[0], "down-pre"))
3990
{
3991
VERIFY_PERMISSION (OPT_P_GENERAL);
3992
options->down_pre = true;
3993
}
3994
else if (streq (p[0], "up-delay"))
3995
{
3996
VERIFY_PERMISSION (OPT_P_GENERAL);
3997
options->up_delay = true;
3998
}
3999
else if (streq (p[0], "up-restart"))
4000
{
4001
VERIFY_PERMISSION (OPT_P_GENERAL);
4002
options->up_restart = true;
4003
}
4004
else if (streq (p[0], "syslog"))
4005
{
4006
VERIFY_PERMISSION (OPT_P_GENERAL);
4007
open_syslog (p[1], false);
4008
}
4009
else if (streq (p[0], "daemon"))
4010
{
4011
bool didit = false;
4012
VERIFY_PERMISSION (OPT_P_GENERAL);
4013
if (!options->daemon)
4014
{
4015
options->daemon = didit = true;
4016
open_syslog (p[1], false);
4017
}
4018
if (p[1])
4019
{
4020
if (!didit)
4021
{
4022
msg (M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
4023
goto err;
4024
}
4025
}
4026
}
4027
else if (streq (p[0], "inetd"))
4028
{
4029
VERIFY_PERMISSION (OPT_P_GENERAL);
4030
if (!options->inetd)
4031
{
4032
int z;
4033
const char *name = NULL;
4034
const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
4035
4036
options->inetd = -1;
4037
4038
for (z = 1; z <= 2; ++z)
4039
{
4040
if (p[z])
4041
{
4042
if (streq (p[z], "wait"))
4043
{
4044
if (options->inetd != -1)
4045
{
4046
msg (msglevel, "%s", opterr);
4047
goto err;
4048
}
4049
else
4050
options->inetd = INETD_WAIT;
4051
}
4052
else if (streq (p[z], "nowait"))
4053
{
4054
if (options->inetd != -1)
4055
{
4056
msg (msglevel, "%s", opterr);
4057
goto err;
4058
}
4059
else
4060
options->inetd = INETD_NOWAIT;
4061
}
4062
else
4063
{
4064
if (name != NULL)
4065
{
4066
msg (msglevel, "%s", opterr);
4067
goto err;
4068
}
4069
name = p[z];
4070
}
4071
}
4072
}
4073
4074
/* default */
4075
if (options->inetd == -1)
4076
options->inetd = INETD_WAIT;
4077
4078
save_inetd_socket_descriptor ();
4079
open_syslog (name, true);
4080
}
4081
}
4082
else if (streq (p[0], "log") && p[1])
4083
{
4084
VERIFY_PERMISSION (OPT_P_GENERAL);
4085
options->log = true;
4086
redirect_stdout_stderr (p[1], false);
4087
}
4088
else if (streq (p[0], "suppress-timestamps"))
4089
{
4090
VERIFY_PERMISSION (OPT_P_GENERAL);
4091
options->suppress_timestamps = true;
4092
set_suppress_timestamps(true);
4093
}
4094
else if (streq (p[0], "log-append") && p[1])
4095
{
4096
VERIFY_PERMISSION (OPT_P_GENERAL);
4097
options->log = true;
4098
redirect_stdout_stderr (p[1], true);
4099
}
4100
else if (streq (p[0], "mlock"))
4101
{
4102
VERIFY_PERMISSION (OPT_P_GENERAL);
4103
options->mlock = true;
4104
}
4105
#if ENABLE_IP_PKTINFO
4106
else if (streq (p[0], "multihome"))
4107
{
4108
VERIFY_PERMISSION (OPT_P_GENERAL);
4109
options->sockflags |= SF_USE_IP_PKTINFO;
4110
}
4111
#endif
4112
else if (streq (p[0], "verb") && p[1])
4113
{
4114
VERIFY_PERMISSION (OPT_P_MESSAGES);
4115
options->verbosity = positive_atoi (p[1]);
4116
}
4117
else if (streq (p[0], "mute") && p[1])
4118
{
4119
VERIFY_PERMISSION (OPT_P_MESSAGES);
4120
options->mute = positive_atoi (p[1]);
4121
}
4122
else if (streq (p[0], "errors-to-stderr"))
4123
{
4124
VERIFY_PERMISSION (OPT_P_MESSAGES);
4125
errors_to_stderr();
4126
}
4127
else if (streq (p[0], "status") && p[1])
4128
{
4129
VERIFY_PERMISSION (OPT_P_GENERAL);
4130
options->status_file = p[1];
4131
if (p[2])
4132
{
4133
options->status_file_update_freq = positive_atoi (p[2]);
4134
}
4135
}
4136
else if (streq (p[0], "status-version") && p[1])
4137
{
4138
int version;
4139
4140
VERIFY_PERMISSION (OPT_P_GENERAL);
4141
version = atoi (p[1]);
4142
if (version < 1 || version > 3)
4143
{
4144
msg (msglevel, "--status-version must be 1 to 3");
4145
goto err;
4146
}
4147
options->status_file_version = version;
4148
}
4149
else if (streq (p[0], "remap-usr1") && p[1])
4150
{
4151
VERIFY_PERMISSION (OPT_P_GENERAL);
4152
if (streq (p[1], "SIGHUP"))
4153
options->remap_sigusr1 = SIGHUP;
4154
else if (streq (p[1], "SIGTERM"))
4155
options->remap_sigusr1 = SIGTERM;
4156
else
4157
{
4158
msg (msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
4159
goto err;
4160
}
4161
}
4162
else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1])
4163
{
4164
VERIFY_PERMISSION (OPT_P_MTU);
4165
options->link_mtu = positive_atoi (p[1]);
4166
options->link_mtu_defined = true;
4167
}
4168
else if (streq (p[0], "tun-mtu") && p[1])
4169
{
4170
VERIFY_PERMISSION (OPT_P_MTU);
4171
options->tun_mtu = positive_atoi (p[1]);
4172
options->tun_mtu_defined = true;
4173
}
4174
else if (streq (p[0], "tun-mtu-extra") && p[1])
4175
{
4176
VERIFY_PERMISSION (OPT_P_MTU);
4177
options->tun_mtu_extra = positive_atoi (p[1]);
4178
options->tun_mtu_extra_defined = true;
4179
}
4180
#ifdef ENABLE_FRAGMENT
4181
else if (streq (p[0], "mtu-dynamic"))
4182
{
4183
VERIFY_PERMISSION (OPT_P_GENERAL);
4184
msg (msglevel, "--mtu-dynamic has been replaced by --fragment");
4185
goto err;
4186
}
4187
else if (streq (p[0], "fragment") && p[1])
4188
{
4189
VERIFY_PERMISSION (OPT_P_MTU);
4190
options->fragment = positive_atoi (p[1]);
4191
}
4192
#endif
4193
else if (streq (p[0], "mtu-disc") && p[1])
4194
{
4195
VERIFY_PERMISSION (OPT_P_MTU);
4196
options->mtu_discover_type = translate_mtu_discover_type_name (p[1]);
4197
}
4198
#ifdef ENABLE_OCC
4199
else if (streq (p[0], "mtu-test"))
4200
{
4201
VERIFY_PERMISSION (OPT_P_GENERAL);
4202
options->mtu_test = true;
4203
}
4204
#endif
4205
else if (streq (p[0], "nice") && p[1])
4206
{
4207
VERIFY_PERMISSION (OPT_P_NICE);
4208
options->nice = atoi (p[1]);
4209
}
4210
else if (streq (p[0], "rcvbuf") && p[1])
4211
{
4212
VERIFY_PERMISSION (OPT_P_SOCKBUF);
4213
options->rcvbuf = positive_atoi (p[1]);
4214
}
4215
else if (streq (p[0], "sndbuf") && p[1])
4216
{
4217
VERIFY_PERMISSION (OPT_P_SOCKBUF);
4218
options->sndbuf = positive_atoi (p[1]);
4219
}
4220
else if (streq (p[0], "socket-flags"))
4221
{
4222
int j;
4223
VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
4224
for (j = 1; j < MAX_PARMS && p[j]; ++j)
4225
{
4226
if (streq (p[j], "TCP_NODELAY"))
4227
options->sockflags |= SF_TCP_NODELAY;
4228
else
4229
msg (msglevel, "unknown socket flag: %s", p[j]);
4230
}
4231
}
4232
else if (streq (p[0], "txqueuelen") && p[1])
4233
{
4234
VERIFY_PERMISSION (OPT_P_GENERAL);
4235
#ifdef TARGET_LINUX
4236
options->tuntap_options.txqueuelen = positive_atoi (p[1]);
4237
#else
4238
msg (msglevel, "--txqueuelen not supported on this OS");
4239
goto err;
4240
#endif
4241
}
4242
else if (streq (p[0], "shaper") && p[1])
4243
{
4244
#ifdef HAVE_GETTIMEOFDAY
4245
int shaper;
4246
4247
VERIFY_PERMISSION (OPT_P_SHAPER);
4248
shaper = atoi (p[1]);
4249
if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
4250
{
4251
msg (msglevel, "Bad shaper value, must be between %d and %d",
4252
SHAPER_MIN, SHAPER_MAX);
4253
goto err;
4254
}
4255
options->shaper = shaper;
4256
#else /* HAVE_GETTIMEOFDAY */
4257
VERIFY_PERMISSION (OPT_P_GENERAL);
4258
msg (msglevel, "--shaper requires the gettimeofday() function which is missing");
4259
goto err;
4260
#endif /* HAVE_GETTIMEOFDAY */
4261
}
4262
else if (streq (p[0], "port") && p[1])
4263
{
4264
int port;
4265
4266
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4267
port = atoi (p[1]);
4268
if (!legal_ipv4_port (port))
4269
{
4270
msg (msglevel, "Bad port number: %s", p[1]);
4271
goto err;
4272
}
4273
options->ce.port_option_used = true;
4274
options->ce.local_port = options->ce.remote_port = port;
4275
}
4276
else if (streq (p[0], "lport") && p[1])
4277
{
4278
int port;
4279
4280
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4281
port = atoi (p[1]);
4282
if ((port != 0) && !legal_ipv4_port (port))
4283
{
4284
msg (msglevel, "Bad local port number: %s", p[1]);
4285
goto err;
4286
}
4287
options->ce.local_port_defined = true;
4288
options->ce.port_option_used = true;
4289
options->ce.local_port = port;
4290
}
4291
else if (streq (p[0], "rport") && p[1])
4292
{
4293
int port;
4294
4295
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4296
port = atoi (p[1]);
4297
if (!legal_ipv4_port (port))
4298
{
4299
msg (msglevel, "Bad remote port number: %s", p[1]);
4300
goto err;
4301
}
4302
options->ce.port_option_used = true;
4303
options->ce.remote_port = port;
4304
}
4305
else if (streq (p[0], "bind"))
4306
{
4307
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4308
options->ce.bind_defined = true;
4309
}
4310
else if (streq (p[0], "nobind"))
4311
{
4312
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4313
options->ce.bind_local = false;
4314
}
4315
else if (streq (p[0], "fast-io"))
4316
{
4317
VERIFY_PERMISSION (OPT_P_GENERAL);
4318
options->fast_io = true;
4319
}
4320
else if (streq (p[0], "inactive") && p[1])
4321
{
4322
VERIFY_PERMISSION (OPT_P_TIMER);
4323
options->inactivity_timeout = positive_atoi (p[1]);
4324
if (p[2])
4325
options->inactivity_minimum_bytes = positive_atoi (p[2]);
4326
}
4327
else if (streq (p[0], "proto") && p[1])
4328
{
4329
int proto;
4330
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4331
proto = ascii2proto (p[1]);
4332
if (proto < 0)
4333
{
4334
msg (msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
4335
p[1],
4336
proto2ascii_all (&gc));
4337
goto err;
4338
}
4339
options->ce.proto = proto;
4340
}
4341
else if (streq (p[0], "proto-force") && p[1])
4342
{
4343
int proto_force;
4344
VERIFY_PERMISSION (OPT_P_GENERAL);
4345
proto_force = ascii2proto (p[1]);
4346
if (proto_force < 0)
4347
{
4348
msg (msglevel, "Bad --proto-force protocol: '%s'", p[1]);
4349
goto err;
4350
}
4351
options->proto_force = proto_force;
4352
options->force_connection_list = true;
4353
}
4354
#ifdef GENERAL_PROXY_SUPPORT
4355
else if (streq (p[0], "auto-proxy"))
4356
{
4357
char *error = NULL;
4358
4359
VERIFY_PERMISSION (OPT_P_GENERAL);
4360
options->auto_proxy_info = get_proxy_settings (&error, &options->gc);
4361
if (error)
4362
msg (M_WARN, "PROXY: %s", error);
4363
}
4364
else if (streq (p[0], "show-proxy-settings"))
4365
{
4366
struct auto_proxy_info *pi;
4367
char *error = NULL;
4368
4369
VERIFY_PERMISSION (OPT_P_GENERAL);
4370
pi = get_proxy_settings (&error, &options->gc);
4371
if (pi)
4372
{
4373
msg (M_INFO|M_NOPREFIX, "HTTP Server: %s", np(pi->http.server));
4374
msg (M_INFO|M_NOPREFIX, "HTTP Port: %d", pi->http.port);
4375
msg (M_INFO|M_NOPREFIX, "SOCKS Server: %s", np(pi->socks.server));
4376
msg (M_INFO|M_NOPREFIX, "SOCKS Port: %d", pi->socks.port);
4377
}
4378
if (error)
4379
msg (msglevel, "Proxy error: %s", error);
4380
#ifdef WIN32
4381
show_win_proxy_settings (M_INFO|M_NOPREFIX);
4382
#endif
4383
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
4384
}
4385
#endif /* GENERAL_PROXY_SUPPORT */
4386
#ifdef ENABLE_HTTP_PROXY
4387
else if (streq (p[0], "http-proxy") && p[1])
4388
{
4389
struct http_proxy_options *ho;
4390
4391
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4392
4393
{
4394
int port;
4395
if (!p[2])
4396
{
4397
msg (msglevel, "http-proxy port number not defined");
4398
goto err;
4399
}
4400
port = atoi (p[2]);
4401
if (!legal_ipv4_port (port))
4402
{
4403
msg (msglevel, "Bad http-proxy port number: %s", p[2]);
4404
goto err;
4405
}
4406
4407
ho = init_http_options_if_undefined (options);
4408
4409
ho->server = p[1];
4410
ho->port = port;
4411
}
4412
4413
if (p[3])
4414
{
4415
/* auto -- try to figure out proxy addr, port, and type automatically */
4416
/* semiauto -- given proxy addr:port, try to figure out type automatically */
4417
/* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
4418
if (streq (p[3], "auto"))
4419
ho->auth_retry = PAR_ALL;
4420
else if (streq (p[3], "auto-nct"))
4421
ho->auth_retry = PAR_NCT;
4422
else
4423
{
4424
ho->auth_method_string = "basic";
4425
ho->auth_file = p[3];
4426
4427
if (p[4])
4428
{
4429
ho->auth_method_string = p[4];
4430
}
4431
}
4432
}
4433
else
4434
{
4435
ho->auth_method_string = "none";
4436
}
4437
}
4438
else if (streq (p[0], "http-proxy-retry"))
4439
{
4440
struct http_proxy_options *ho;
4441
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4442
ho = init_http_options_if_undefined (options);
4443
ho->retry = true;
4444
}
4445
else if (streq (p[0], "http-proxy-timeout") && p[1])
4446
{
4447
struct http_proxy_options *ho;
4448
4449
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4450
ho = init_http_options_if_undefined (options);
4451
ho->timeout = positive_atoi (p[1]);
4452
}
4453
else if (streq (p[0], "http-proxy-option") && p[1])
4454
{
4455
struct http_proxy_options *ho;
4456
4457
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4458
ho = init_http_options_if_undefined (options);
4459
4460
if (streq (p[1], "VERSION") && p[2])
4461
{
4462
ho->http_version = p[2];
4463
}
4464
else if (streq (p[1], "AGENT") && p[2])
4465
{
4466
ho->user_agent = p[2];
4467
}
4468
else
4469
{
4470
msg (msglevel, "Bad http-proxy-option or missing parameter: '%s'", p[1]);
4471
}
4472
}
4473
#endif
4474
#ifdef ENABLE_SOCKS
4475
else if (streq (p[0], "socks-proxy") && p[1])
4476
{
4477
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4478
4479
if (p[2])
4480
{
4481
int port;
4482
port = atoi (p[2]);
4483
if (!legal_ipv4_port (port))
4484
{
4485
msg (msglevel, "Bad socks-proxy port number: %s", p[2]);
4486
goto err;
4487
}
4488
options->ce.socks_proxy_port = port;
4489
}
4490
else
4491
{
4492
options->ce.socks_proxy_port = 1080;
4493
}
4494
options->ce.socks_proxy_server = p[1];
4495
options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
4496
}
4497
else if (streq (p[0], "socks-proxy-retry"))
4498
{
4499
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
4500
options->ce.socks_proxy_retry = true;
4501
}
4502
#endif
4503
else if (streq (p[0], "keepalive") && p[1] && p[2])
4504
{
4505
VERIFY_PERMISSION (OPT_P_GENERAL);
4506
options->keepalive_ping = atoi (p[1]);
4507
options->keepalive_timeout = atoi (p[2]);
4508
}
4509
else if (streq (p[0], "ping") && p[1])
4510
{
4511
VERIFY_PERMISSION (OPT_P_TIMER);
4512
options->ping_send_timeout = positive_atoi (p[1]);
4513
}
4514
else if (streq (p[0], "ping-exit") && p[1])
4515
{
4516
VERIFY_PERMISSION (OPT_P_TIMER);
4517
options->ping_rec_timeout = positive_atoi (p[1]);
4518
options->ping_rec_timeout_action = PING_EXIT;
4519
}
4520
else if (streq (p[0], "ping-restart") && p[1])
4521
{
4522
VERIFY_PERMISSION (OPT_P_TIMER);
4523
options->ping_rec_timeout = positive_atoi (p[1]);
4524
options->ping_rec_timeout_action = PING_RESTART;
4525
}
4526
else if (streq (p[0], "ping-timer-rem"))
4527
{
4528
VERIFY_PERMISSION (OPT_P_TIMER);
4529
options->ping_timer_remote = true;
4530
}
4531
#ifdef ENABLE_OCC
4532
else if (streq (p[0], "explicit-exit-notify"))
4533
{
4534
VERIFY_PERMISSION (OPT_P_EXPLICIT_NOTIFY);
4535
if (p[1])
4536
{
4537
options->explicit_exit_notification = positive_atoi (p[1]);
4538
}
4539
else
4540
{
4541
options->explicit_exit_notification = 1;
4542
}
4543
}
4544
#endif
4545
else if (streq (p[0], "persist-tun"))
4546
{
4547
VERIFY_PERMISSION (OPT_P_PERSIST);
4548
options->persist_tun = true;
4549
}
4550
else if (streq (p[0], "persist-key"))
4551
{
4552
VERIFY_PERMISSION (OPT_P_PERSIST);
4553
options->persist_key = true;
4554
}
4555
else if (streq (p[0], "persist-local-ip"))
4556
{
4557
VERIFY_PERMISSION (OPT_P_PERSIST_IP);
4558
options->persist_local_ip = true;
4559
}
4560
else if (streq (p[0], "persist-remote-ip"))
4561
{
4562
VERIFY_PERMISSION (OPT_P_PERSIST_IP);
4563
options->persist_remote_ip = true;
4564
}
4565
else if (streq (p[0], "route") && p[1])
4566
{
4567
VERIFY_PERMISSION (OPT_P_ROUTE);
4568
rol_check_alloc (options);
4569
if (pull_mode)
4570
{
4571
if (!ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && !is_special_addr (p[1])) /* FQDN -- may be DNS name */
4572
{
4573
msg (msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
4574
goto err;
4575
}
4576
if (p[2] && !ip_addr_dotted_quad_safe (p[2])) /* FQDN -- must be IP address */
4577
{
4578
msg (msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
4579
goto err;
4580
}
4581
if (p[3] && !ip_or_dns_addr_safe (p[3], options->allow_pull_fqdn) && !is_special_addr (p[3])) /* FQDN -- may be DNS name */
4582
{
4583
msg (msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
4584
goto err;
4585
}
4586
}
4587
add_route_to_option_list (options->routes, p[1], p[2], p[3], p[4]);
4588
}
4589
else if (streq (p[0], "max-routes") && p[1])
4590
{
4591
int max_routes;
4592
4593
VERIFY_PERMISSION (OPT_P_GENERAL);
4594
max_routes = atoi (p[1]);
4595
if (max_routes < 0 || max_routes > 100000000)
4596
{
4597
msg (msglevel, "--max-routes parameter is out of range");
4598
goto err;
4599
}
4600
options->max_routes = max_routes;
4601
}
4602
else if (streq (p[0], "route-gateway") && p[1])
4603
{
4604
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
4605
if (streq (p[1], "dhcp"))
4606
{
4607
options->route_gateway_via_dhcp = true;
4608
}
4609
else
4610
{
4611
if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */
4612
{
4613
options->route_default_gateway = p[1];
4614
}
4615
else
4616
{
4617
msg (msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
4618
goto err;
4619
}
4620
}
4621
}
4622
else if (streq (p[0], "route-metric") && p[1])
4623
{
4624
VERIFY_PERMISSION (OPT_P_ROUTE);
4625
options->route_default_metric = positive_atoi (p[1]);
4626
}
4627
else if (streq (p[0], "route-delay"))
4628
{
4629
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
4630
options->route_delay_defined = true;
4631
if (p[1])
4632
{
4633
options->route_delay = positive_atoi (p[1]);
4634
if (p[2])
4635
{
4636
options->route_delay_window = positive_atoi (p[2]);
4637
}
4638
}
4639
else
4640
{
4641
options->route_delay = 0;
4642
}
4643
}
4644
else if (streq (p[0], "route-up") && p[1])
4645
{
4646
VERIFY_PERMISSION (OPT_P_SCRIPT);
4647
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4648
goto err;
4649
warn_multiple_script (options->route_script, "route-up");
4650
options->route_script = p[1];
4651
}
4652
else if (streq (p[0], "route-noexec"))
4653
{
4654
VERIFY_PERMISSION (OPT_P_SCRIPT);
4655
options->route_noexec = true;
4656
}
4657
else if (streq (p[0], "route-nopull"))
4658
{
4659
VERIFY_PERMISSION (OPT_P_GENERAL);
4660
options->route_nopull = true;
4661
}
4662
else if (streq (p[0], "allow-pull-fqdn"))
4663
{
4664
VERIFY_PERMISSION (OPT_P_GENERAL);
4665
options->allow_pull_fqdn = true;
4666
}
4667
else if (streq (p[0], "redirect-gateway") || streq (p[0], "redirect-private"))
4668
{
4669
int j;
4670
VERIFY_PERMISSION (OPT_P_ROUTE);
4671
rol_check_alloc (options);
4672
if (streq (p[0], "redirect-gateway"))
4673
options->routes->flags |= RG_REROUTE_GW;
4674
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
4675
{
4676
if (streq (p[j], "local"))
4677
options->routes->flags |= RG_LOCAL;
4678
else if (streq (p[j], "autolocal"))
4679
options->routes->flags |= RG_AUTO_LOCAL;
4680
else if (streq (p[j], "def1"))
4681
options->routes->flags |= RG_DEF1;
4682
else if (streq (p[j], "bypass-dhcp"))
4683
options->routes->flags |= RG_BYPASS_DHCP;
4684
else if (streq (p[j], "bypass-dns"))
4685
options->routes->flags |= RG_BYPASS_DNS;
4686
else
4687
{
4688
msg (msglevel, "unknown --%s flag: %s", p[0], p[j]);
4689
goto err;
4690
}
4691
}
4692
options->routes->flags |= RG_ENABLE;
4693
}
4694
else if (streq (p[0], "remote-random-hostname"))
4695
{
4696
VERIFY_PERMISSION (OPT_P_GENERAL);
4697
options->sockflags |= SF_HOST_RANDOMIZE;
4698
}
4699
else if (streq (p[0], "setenv") && p[1])
4700
{
4701
VERIFY_PERMISSION (OPT_P_GENERAL);
4702
if (streq (p[1], "REMOTE_RANDOM_HOSTNAME"))
4703
{
4704
options->sockflags |= SF_HOST_RANDOMIZE;
4705
}
4706
else if (streq (p[1], "GENERIC_CONFIG"))
4707
{
4708
msg (msglevel, "this is a generic configuration and cannot directly be used");
4709
goto err;
4710
}
4711
#if P2MP
4712
else if (streq (p[1], "SERVER_POLL_TIMEOUT") && p[2])
4713
{
4714
options->server_poll_timeout = positive_atoi(p[2]);
4715
}
4716
#endif
4717
else
4718
{
4719
if (streq (p[1], "FORWARD_COMPATIBLE") && p[2] && streq (p[2], "1"))
4720
{
4721
options->forward_compatible = true;
4722
msglevel_fc = msglevel_forward_compatible (options, msglevel);
4723
}
4724
setenv_str (es, p[1], p[2] ? p[2] : "");
4725
}
4726
}
4727
else if (streq (p[0], "setenv-safe") && p[1])
4728
{
4729
VERIFY_PERMISSION (OPT_P_SETENV);
4730
setenv_str_safe (es, p[1], p[2] ? p[2] : "");
4731
}
4732
else if (streq (p[0], "script-security") && p[1])
4733
{
4734
VERIFY_PERMISSION (OPT_P_GENERAL);
4735
script_security = atoi (p[1]);
4736
if (p[2])
4737
{
4738
if (streq (p[2], "execve"))
4739
script_method = SM_EXECVE;
4740
else if (streq (p[2], "system"))
4741
script_method = SM_SYSTEM;
4742
else
4743
{
4744
msg (msglevel, "unknown --script-security method: %s", p[2]);
4745
goto err;
4746
}
4747
}
4748
else
4749
script_method = SM_EXECVE;
4750
}
4751
else if (streq (p[0], "mssfix"))
4752
{
4753
VERIFY_PERMISSION (OPT_P_GENERAL);
4754
if (p[1])
4755
{
4756
options->mssfix = positive_atoi (p[1]);
4757
}
4758
else
4759
options->mssfix_default = true;
4760
4761
}
4762
#ifdef ENABLE_OCC
4763
else if (streq (p[0], "disable-occ"))
4764
{
4765
VERIFY_PERMISSION (OPT_P_GENERAL);
4766
options->occ = false;
4767
}
4768
#endif
4769
#if P2MP
4770
#if P2MP_SERVER
4771
else if (streq (p[0], "server") && p[1] && p[2])
4772
{
4773
const int lev = M_WARN;
4774
bool error = false;
4775
in_addr_t network, netmask;
4776
4777
VERIFY_PERMISSION (OPT_P_GENERAL);
4778
network = get_ip_addr (p[1], lev, &error);
4779
netmask = get_ip_addr (p[2], lev, &error);
4780
if (error || !network || !netmask)
4781
{
4782
msg (msglevel, "error parsing --server parameters");
4783
goto err;
4784
}
4785
options->server_defined = true;
4786
options->server_network = network;
4787
options->server_netmask = netmask;
4788
4789
if (p[3])
4790
{
4791
if (streq (p[3], "nopool"))
4792
options->server_flags |= SF_NOPOOL;
4793
else
4794
{
4795
msg (msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
4796
goto err;
4797
}
4798
}
4799
}
4800
else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4])
4801
{
4802
const int lev = M_WARN;
4803
bool error = false;
4804
in_addr_t ip, netmask, pool_start, pool_end;
4805
4806
VERIFY_PERMISSION (OPT_P_GENERAL);
4807
ip = get_ip_addr (p[1], lev, &error);
4808
netmask = get_ip_addr (p[2], lev, &error);
4809
pool_start = get_ip_addr (p[3], lev, &error);
4810
pool_end = get_ip_addr (p[4], lev, &error);
4811
if (error || !ip || !netmask || !pool_start || !pool_end)
4812
{
4813
msg (msglevel, "error parsing --server-bridge parameters");
4814
goto err;
4815
}
4816
options->server_bridge_defined = true;
4817
options->server_bridge_ip = ip;
4818
options->server_bridge_netmask = netmask;
4819
options->server_bridge_pool_start = pool_start;
4820
options->server_bridge_pool_end = pool_end;
4821
}
4822
else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw"))
4823
{
4824
VERIFY_PERMISSION (OPT_P_GENERAL);
4825
options->server_bridge_proxy_dhcp = true;
4826
options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
4827
}
4828
else if (streq (p[0], "server-bridge") && !p[1])
4829
{
4830
VERIFY_PERMISSION (OPT_P_GENERAL);
4831
options->server_bridge_proxy_dhcp = true;
4832
}
4833
else if (streq (p[0], "push") && p[1])
4834
{
4835
VERIFY_PERMISSION (OPT_P_PUSH);
4836
push_options (options, &p[1], msglevel, &options->gc);
4837
}
4838
else if (streq (p[0], "push-reset"))
4839
{
4840
VERIFY_PERMISSION (OPT_P_INSTANCE);
4841
push_reset (options);
4842
}
4843
else if (streq (p[0], "ifconfig-pool") && p[1] && p[2])
4844
{
4845
const int lev = M_WARN;
4846
bool error = false;
4847
in_addr_t start, end, netmask=0;
4848
4849
VERIFY_PERMISSION (OPT_P_GENERAL);
4850
start = get_ip_addr (p[1], lev, &error);
4851
end = get_ip_addr (p[2], lev, &error);
4852
if (p[3])
4853
{
4854
netmask = get_ip_addr (p[3], lev, &error);
4855
}
4856
if (error)
4857
{
4858
msg (msglevel, "error parsing --ifconfig-pool parameters");
4859
goto err;
4860
}
4861
if (!ifconfig_pool_verify_range (msglevel, start, end))
4862
goto err;
4863
4864
options->ifconfig_pool_defined = true;
4865
options->ifconfig_pool_start = start;
4866
options->ifconfig_pool_end = end;
4867
if (netmask)
4868
options->ifconfig_pool_netmask = netmask;
4869
}
4870
else if (streq (p[0], "ifconfig-pool-persist") && p[1])
4871
{
4872
VERIFY_PERMISSION (OPT_P_GENERAL);
4873
options->ifconfig_pool_persist_filename = p[1];
4874
if (p[2])
4875
{
4876
options->ifconfig_pool_persist_refresh_freq = positive_atoi (p[2]);
4877
}
4878
}
4879
else if (streq (p[0], "ifconfig-pool-linear"))
4880
{
4881
VERIFY_PERMISSION (OPT_P_GENERAL);
4882
options->topology = TOP_P2P;
4883
}
4884
else if (streq (p[0], "hash-size") && p[1] && p[2])
4885
{
4886
int real, virtual;
4887
4888
VERIFY_PERMISSION (OPT_P_GENERAL);
4889
real = atoi (p[1]);
4890
virtual = atoi (p[2]);
4891
if (real < 1 || virtual < 1)
4892
{
4893
msg (msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
4894
goto err;
4895
}
4896
options->real_hash_size = real;
4897
options->virtual_hash_size = real;
4898
}
4899
else if (streq (p[0], "connect-freq") && p[1] && p[2])
4900
{
4901
int cf_max, cf_per;
4902
4903
VERIFY_PERMISSION (OPT_P_GENERAL);
4904
cf_max = atoi (p[1]);
4905
cf_per = atoi (p[2]);
4906
if (cf_max < 0 || cf_per < 0)
4907
{
4908
msg (msglevel, "--connect-freq parms must be > 0");
4909
goto err;
4910
}
4911
options->cf_max = cf_max;
4912
options->cf_per = cf_per;
4913
}
4914
else if (streq (p[0], "max-clients") && p[1])
4915
{
4916
int max_clients;
4917
4918
VERIFY_PERMISSION (OPT_P_GENERAL);
4919
max_clients = atoi (p[1]);
4920
if (max_clients < 0)
4921
{
4922
msg (msglevel, "--max-clients must be at least 1");
4923
goto err;
4924
}
4925
options->max_clients = max_clients;
4926
}
4927
else if (streq (p[0], "max-routes-per-client") && p[1])
4928
{
4929
VERIFY_PERMISSION (OPT_P_INHERIT);
4930
options->max_routes_per_client = max_int (atoi (p[1]), 1);
4931
}
4932
else if (streq (p[0], "client-cert-not-required"))
4933
{
4934
VERIFY_PERMISSION (OPT_P_GENERAL);
4935
options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
4936
}
4937
else if (streq (p[0], "username-as-common-name"))
4938
{
4939
VERIFY_PERMISSION (OPT_P_GENERAL);
4940
options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
4941
}
4942
else if (streq (p[0], "auth-user-pass-optional"))
4943
{
4944
VERIFY_PERMISSION (OPT_P_GENERAL);
4945
options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
4946
}
4947
else if (streq (p[0], "no-name-remapping"))
4948
{
4949
VERIFY_PERMISSION (OPT_P_GENERAL);
4950
options->ssl_flags |= SSLF_NO_NAME_REMAPPING;
4951
}
4952
else if (streq (p[0], "opt-verify"))
4953
{
4954
VERIFY_PERMISSION (OPT_P_GENERAL);
4955
options->ssl_flags |= SSLF_OPT_VERIFY;
4956
}
4957
else if (streq (p[0], "auth-user-pass-verify") && p[1])
4958
{
4959
VERIFY_PERMISSION (OPT_P_SCRIPT);
4960
if (!no_more_than_n_args (msglevel, p, 3, NM_QUOTE_HINT))
4961
goto err;
4962
if (p[2])
4963
{
4964
if (streq (p[2], "via-env"))
4965
options->auth_user_pass_verify_script_via_file = false;
4966
else if (streq (p[2], "via-file"))
4967
options->auth_user_pass_verify_script_via_file = true;
4968
else
4969
{
4970
msg (msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
4971
goto err;
4972
}
4973
}
4974
else
4975
{
4976
msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
4977
goto err;
4978
}
4979
warn_multiple_script (options->auth_user_pass_verify_script, "auth-user-pass-verify");
4980
options->auth_user_pass_verify_script = p[1];
4981
}
4982
else if (streq (p[0], "client-connect") && p[1])
4983
{
4984
VERIFY_PERMISSION (OPT_P_SCRIPT);
4985
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4986
goto err;
4987
warn_multiple_script (options->client_connect_script, "client-connect");
4988
options->client_connect_script = p[1];
4989
}
4990
else if (streq (p[0], "client-disconnect") && p[1])
4991
{
4992
VERIFY_PERMISSION (OPT_P_SCRIPT);
4993
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
4994
goto err;
4995
warn_multiple_script (options->client_disconnect_script, "client-disconnect");
4996
options->client_disconnect_script = p[1];
4997
}
4998
else if (streq (p[0], "learn-address") && p[1])
4999
{
5000
VERIFY_PERMISSION (OPT_P_SCRIPT);
5001
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
5002
goto err;
5003
warn_multiple_script (options->learn_address_script, "learn-address");
5004
options->learn_address_script = p[1];
5005
}
5006
else if (streq (p[0], "tmp-dir") && p[1])
5007
{
5008
VERIFY_PERMISSION (OPT_P_GENERAL);
5009
options->tmp_dir = p[1];
5010
}
5011
else if (streq (p[0], "client-config-dir") && p[1])
5012
{
5013
VERIFY_PERMISSION (OPT_P_GENERAL);
5014
options->client_config_dir = p[1];
5015
}
5016
else if (streq (p[0], "ccd-exclusive"))
5017
{
5018
VERIFY_PERMISSION (OPT_P_GENERAL);
5019
options->ccd_exclusive = true;
5020
}
5021
else if (streq (p[0], "bcast-buffers") && p[1])
5022
{
5023
int n_bcast_buf;
5024
5025
VERIFY_PERMISSION (OPT_P_GENERAL);
5026
n_bcast_buf = atoi (p[1]);
5027
if (n_bcast_buf < 1)
5028
msg (msglevel, "--bcast-buffers parameter must be > 0");
5029
options->n_bcast_buf = n_bcast_buf;
5030
}
5031
else if (streq (p[0], "tcp-queue-limit") && p[1])
5032
{
5033
int tcp_queue_limit;
5034
5035
VERIFY_PERMISSION (OPT_P_GENERAL);
5036
tcp_queue_limit = atoi (p[1]);
5037
if (tcp_queue_limit < 1)
5038
msg (msglevel, "--tcp-queue-limit parameter must be > 0");
5039
options->tcp_queue_limit = tcp_queue_limit;
5040
}
5041
#if PORT_SHARE
5042
else if (streq (p[0], "port-share") && p[1] && p[2])
5043
{
5044
int port;
5045
5046
VERIFY_PERMISSION (OPT_P_GENERAL);
5047
port = atoi (p[2]);
5048
if (!legal_ipv4_port (port))
5049
{
5050
msg (msglevel, "port number associated with --port-share directive is out of range");
5051
goto err;
5052
}
5053
5054
options->port_share_host = p[1];
5055
options->port_share_port = port;
5056
}
5057
#endif
5058
else if (streq (p[0], "client-to-client"))
5059
{
5060
VERIFY_PERMISSION (OPT_P_GENERAL);
5061
options->enable_c2c = true;
5062
}
5063
else if (streq (p[0], "duplicate-cn"))
5064
{
5065
VERIFY_PERMISSION (OPT_P_GENERAL);
5066
options->duplicate_cn = true;
5067
}
5068
else if (streq (p[0], "iroute") && p[1])
5069
{
5070
const char *netmask = NULL;
5071
5072
VERIFY_PERMISSION (OPT_P_INSTANCE);
5073
if (p[2])
5074
{
5075
netmask = p[2];
5076
}
5077
option_iroute (options, p[1], netmask, msglevel);
5078
}
5079
else if (streq (p[0], "ifconfig-push") && p[1] && p[2])
5080
{
5081
in_addr_t local, remote_netmask;
5082
5083
VERIFY_PERMISSION (OPT_P_INSTANCE);
5084
local = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
5085
remote_netmask = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
5086
if (local && remote_netmask)
5087
{
5088
options->push_ifconfig_defined = true;
5089
options->push_ifconfig_local = local;
5090
options->push_ifconfig_remote_netmask = remote_netmask;
5091
}
5092
else
5093
{
5094
msg (msglevel, "cannot parse --ifconfig-push addresses");
5095
goto err;
5096
}
5097
}
5098
else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2])
5099
{
5100
in_addr_t network, netmask;
5101
5102
VERIFY_PERMISSION (OPT_P_GENERAL);
5103
network = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
5104
netmask = getaddr (GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
5105
if (network && netmask)
5106
{
5107
options->push_ifconfig_constraint_defined = true;
5108
options->push_ifconfig_constraint_network = network;
5109
options->push_ifconfig_constraint_netmask = netmask;
5110
}
5111
else
5112
{
5113
msg (msglevel, "cannot parse --ifconfig-push-constraint addresses");
5114
goto err;
5115
}
5116
}
5117
else if (streq (p[0], "disable"))
5118
{
5119
VERIFY_PERMISSION (OPT_P_INSTANCE);
5120
options->disable = true;
5121
}
5122
else if (streq (p[0], "tcp-nodelay"))
5123
{
5124
VERIFY_PERMISSION (OPT_P_GENERAL);
5125
options->server_flags |= SF_TCP_NODELAY_HELPER;
5126
}
5127
#endif /* P2MP_SERVER */
5128
5129
else if (streq (p[0], "client"))
5130
{
5131
VERIFY_PERMISSION (OPT_P_GENERAL);
5132
options->client = true;
5133
}
5134
else if (streq (p[0], "pull"))
5135
{
5136
VERIFY_PERMISSION (OPT_P_GENERAL);
5137
options->pull = true;
5138
}
5139
else if (streq (p[0], "push-continuation") && p[1])
5140
{
5141
VERIFY_PERMISSION (OPT_P_PULL_MODE);
5142
options->push_continuation = atoi(p[1]);
5143
}
5144
else if (streq (p[0], "server-poll-timeout") && p[1])
5145
{
5146
VERIFY_PERMISSION (OPT_P_GENERAL);
5147
options->server_poll_timeout = positive_atoi(p[1]);
5148
}
5149
else if (streq (p[0], "auth-user-pass"))
5150
{
5151
VERIFY_PERMISSION (OPT_P_GENERAL);
5152
if (p[1])
5153
{
5154
options->auth_user_pass_file = p[1];
5155
}
5156
else
5157
options->auth_user_pass_file = "stdin";
5158
}
5159
else if (streq (p[0], "auth-retry") && p[1])
5160
{
5161
VERIFY_PERMISSION (OPT_P_GENERAL);
5162
auth_retry_set (msglevel, p[1]);
5163
}
5164
#endif
5165
#ifdef WIN32
5166
else if (streq (p[0], "win-sys") && p[1])
5167
{
5168
VERIFY_PERMISSION (OPT_P_GENERAL);
5169
if (streq (p[1], "env"))
5170
set_win_sys_path_via_env (es);
5171
else
5172
set_win_sys_path (p[1], es);
5173
}
5174
else if (streq (p[0], "route-method") && p[1])
5175
{
5176
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
5177
if (streq (p[1], "adaptive"))
5178
options->route_method = ROUTE_METHOD_ADAPTIVE;
5179
else if (streq (p[1], "ipapi"))
5180
options->route_method = ROUTE_METHOD_IPAPI;
5181
else if (streq (p[1], "exe"))
5182
options->route_method = ROUTE_METHOD_EXE;
5183
else
5184
{
5185
msg (msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
5186
goto err;
5187
}
5188
}
5189
else if (streq (p[0], "ip-win32") && p[1])
5190
{
5191
const int index = ascii2ipset (p[1]);
5192
struct tuntap_options *to = &options->tuntap_options;
5193
5194
VERIFY_PERMISSION (OPT_P_IPWIN32);
5195
5196
if (index < 0)
5197
{
5198
msg (msglevel,
5199
"Bad --ip-win32 method: '%s'. Allowed methods: %s",
5200
p[1],
5201
ipset2ascii_all (&gc));
5202
goto err;
5203
}
5204
5205
if (index == IPW32_SET_ADAPTIVE)
5206
options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
5207
5208
if (index == IPW32_SET_DHCP_MASQ)
5209
{
5210
if (p[2])
5211
{
5212
if (!streq (p[2], "default"))
5213
{
5214
int offset = atoi (p[2]);
5215
5216
if (!(offset > -256 && offset < 256))
5217
{
5218
msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
5219
goto err;
5220
}
5221
5222
to->dhcp_masq_custom_offset = true;
5223
to->dhcp_masq_offset = offset;
5224
}
5225
5226
if (p[3])
5227
{
5228
const int min_lease = 30;
5229
int lease_time;
5230
lease_time = atoi (p[3]);
5231
if (lease_time < min_lease)
5232
{
5233
msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
5234
goto err;
5235
}
5236
to->dhcp_lease_time = lease_time;
5237
}
5238
}
5239
}
5240
to->ip_win32_type = index;
5241
to->ip_win32_defined = true;
5242
}
5243
else if (streq (p[0], "dhcp-option") && p[1])
5244
{
5245
struct tuntap_options *o = &options->tuntap_options;
5246
VERIFY_PERMISSION (OPT_P_IPWIN32);
5247
5248
if (streq (p[1], "DOMAIN") && p[2])
5249
{
5250
o->domain = p[2];
5251
}
5252
else if (streq (p[1], "NBS") && p[2])
5253
{
5254
o->netbios_scope = p[2];
5255
}
5256
else if (streq (p[1], "NBT") && p[2])
5257
{
5258
int t;
5259
t = atoi (p[2]);
5260
if (!(t == 1 || t == 2 || t == 4 || t == 8))
5261
{
5262
msg (msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
5263
goto err;
5264
}
5265
o->netbios_node_type = t;
5266
}
5267
else if (streq (p[1], "DNS") && p[2])
5268
{
5269
dhcp_option_address_parse ("DNS", p[2], o->dns, &o->dns_len, msglevel);
5270
}
5271
else if (streq (p[1], "WINS") && p[2])
5272
{
5273
dhcp_option_address_parse ("WINS", p[2], o->wins, &o->wins_len, msglevel);
5274
}
5275
else if (streq (p[1], "NTP") && p[2])
5276
{
5277
dhcp_option_address_parse ("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
5278
}
5279
else if (streq (p[1], "NBDD") && p[2])
5280
{
5281
dhcp_option_address_parse ("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
5282
}
5283
else if (streq (p[1], "DISABLE-NBT"))
5284
{
5285
o->disable_nbt = 1;
5286
}
5287
else
5288
{
5289
msg (msglevel, "--dhcp-option: unknown option type '%s' or missing parameter", p[1]);
5290
goto err;
5291
}
5292
o->dhcp_options = true;
5293
}
5294
else if (streq (p[0], "show-adapters"))
5295
{
5296
VERIFY_PERMISSION (OPT_P_GENERAL);
5297
show_tap_win32_adapters (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
5298
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5299
}
5300
else if (streq (p[0], "show-net"))
5301
{
5302
VERIFY_PERMISSION (OPT_P_GENERAL);
5303
show_routes (M_INFO|M_NOPREFIX);
5304
show_adapters (M_INFO|M_NOPREFIX);
5305
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5306
}
5307
else if (streq (p[0], "show-net-up"))
5308
{
5309
VERIFY_PERMISSION (OPT_P_UP);
5310
options->show_net_up = true;
5311
}
5312
else if (streq (p[0], "tap-sleep") && p[1])
5313
{
5314
int s;
5315
VERIFY_PERMISSION (OPT_P_IPWIN32);
5316
s = atoi (p[1]);
5317
if (s < 0 || s >= 256)
5318
{
5319
msg (msglevel, "--tap-sleep parameter must be between 0 and 255");
5320
goto err;
5321
}
5322
options->tuntap_options.tap_sleep = s;
5323
}
5324
else if (streq (p[0], "dhcp-renew"))
5325
{
5326
VERIFY_PERMISSION (OPT_P_IPWIN32);
5327
options->tuntap_options.dhcp_renew = true;
5328
}
5329
else if (streq (p[0], "dhcp-pre-release"))
5330
{
5331
VERIFY_PERMISSION (OPT_P_IPWIN32);
5332
options->tuntap_options.dhcp_pre_release = true;
5333
}
5334
else if (streq (p[0], "dhcp-release"))
5335
{
5336
VERIFY_PERMISSION (OPT_P_IPWIN32);
5337
options->tuntap_options.dhcp_release = true;
5338
}
5339
else if (streq (p[0], "dhcp-internal") && p[1]) /* standalone method for internal use */
5340
{
5341
unsigned int adapter_index;
5342
VERIFY_PERMISSION (OPT_P_GENERAL);
5343
set_debug_level (options->verbosity, SDL_CONSTRAIN);
5344
adapter_index = atou (p[1]);
5345
sleep (options->tuntap_options.tap_sleep);
5346
if (options->tuntap_options.dhcp_pre_release)
5347
dhcp_release_by_adapter_index (adapter_index);
5348
if (options->tuntap_options.dhcp_renew)
5349
dhcp_renew_by_adapter_index (adapter_index);
5350
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5351
}
5352
else if (streq (p[0], "register-dns"))
5353
{
5354
VERIFY_PERMISSION (OPT_P_IPWIN32);
5355
options->tuntap_options.register_dns = true;
5356
}
5357
else if (streq (p[0], "rdns-internal"))
5358
/* standalone method for internal use
5359
*
5360
* (if --register-dns is set, openvpn needs to call itself in a
5361
* sub-process to execute the required functions in a non-blocking
5362
* way, and uses --rdns-internal to signal that to itself)
5363
*/
5364
{
5365
VERIFY_PERMISSION (OPT_P_GENERAL);
5366
set_debug_level (options->verbosity, SDL_CONSTRAIN);
5367
if (options->tuntap_options.register_dns)
5368
ipconfig_register_dns (NULL);
5369
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5370
}
5371
else if (streq (p[0], "show-valid-subnets"))
5372
{
5373
VERIFY_PERMISSION (OPT_P_GENERAL);
5374
show_valid_win32_tun_subnets ();
5375
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5376
}
5377
else if (streq (p[0], "pause-exit"))
5378
{
5379
VERIFY_PERMISSION (OPT_P_GENERAL);
5380
set_pause_exit_win32 ();
5381
}
5382
else if (streq (p[0], "service") && p[1])
5383
{
5384
VERIFY_PERMISSION (OPT_P_GENERAL);
5385
options->exit_event_name = p[1];
5386
if (p[2])
5387
{
5388
options->exit_event_initial_state = (atoi(p[2]) != 0);
5389
}
5390
}
5391
else if (streq (p[0], "allow-nonadmin"))
5392
{
5393
VERIFY_PERMISSION (OPT_P_GENERAL);
5394
tap_allow_nonadmin_access (p[1]);
5395
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5396
}
5397
else if (streq (p[0], "user") && p[1])
5398
{
5399
VERIFY_PERMISSION (OPT_P_GENERAL);
5400
msg (M_WARN, "NOTE: --user option is not implemented on Windows");
5401
}
5402
else if (streq (p[0], "group") && p[1])
5403
{
5404
VERIFY_PERMISSION (OPT_P_GENERAL);
5405
msg (M_WARN, "NOTE: --group option is not implemented on Windows");
5406
}
5407
#else
5408
else if (streq (p[0], "user") && p[1])
5409
{
5410
VERIFY_PERMISSION (OPT_P_GENERAL);
5411
options->username = p[1];
5412
}
5413
else if (streq (p[0], "group") && p[1])
5414
{
5415
VERIFY_PERMISSION (OPT_P_GENERAL);
5416
options->groupname = p[1];
5417
}
5418
else if (streq (p[0], "dhcp-option") && p[1])
5419
{
5420
VERIFY_PERMISSION (OPT_P_IPWIN32);
5421
foreign_option (options, p, 3, es);
5422
}
5423
else if (streq (p[0], "route-method") && p[1]) /* ignore when pushed to non-Windows OS */
5424
{
5425
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
5426
}
5427
#endif
5428
#if PASSTOS_CAPABILITY
5429
else if (streq (p[0], "passtos"))
5430
{
5431
VERIFY_PERMISSION (OPT_P_GENERAL);
5432
options->passtos = true;
5433
}
5434
#endif
5435
#ifdef USE_LZO
5436
else if (streq (p[0], "comp-lzo"))
5437
{
5438
VERIFY_PERMISSION (OPT_P_COMP);
5439
if (p[1])
5440
{
5441
if (streq (p[1], "yes"))
5442
options->lzo = LZO_SELECTED|LZO_ON;
5443
else if (streq (p[1], "no"))
5444
options->lzo = LZO_SELECTED;
5445
else if (streq (p[1], "adaptive"))
5446
options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE;
5447
else
5448
{
5449
msg (msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
5450
goto err;
5451
}
5452
}
5453
else
5454
options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE;
5455
}
5456
else if (streq (p[0], "comp-noadapt"))
5457
{
5458
VERIFY_PERMISSION (OPT_P_COMP);
5459
options->lzo &= ~LZO_ADAPTIVE;
5460
}
5461
#endif /* USE_LZO */
5462
#ifdef USE_CRYPTO
5463
else if (streq (p[0], "show-ciphers"))
5464
{
5465
VERIFY_PERMISSION (OPT_P_GENERAL);
5466
options->show_ciphers = true;
5467
}
5468
else if (streq (p[0], "show-digests"))
5469
{
5470
VERIFY_PERMISSION (OPT_P_GENERAL);
5471
options->show_digests = true;
5472
}
5473
else if (streq (p[0], "show-engines"))
5474
{
5475
VERIFY_PERMISSION (OPT_P_GENERAL);
5476
options->show_engines = true;
5477
}
5478
else if (streq (p[0], "key-direction") && p[1])
5479
{
5480
int key_direction;
5481
5482
key_direction = ascii2keydirection (msglevel, p[1]);
5483
if (key_direction >= 0)
5484
options->key_direction = key_direction;
5485
else
5486
goto err;
5487
}
5488
else if (streq (p[0], "secret") && p[1])
5489
{
5490
VERIFY_PERMISSION (OPT_P_GENERAL);
5491
#if ENABLE_INLINE_FILES
5492
if (streq (p[1], INLINE_FILE_TAG) && p[2])
5493
{
5494
options->shared_secret_file_inline = p[2];
5495
}
5496
else
5497
#endif
5498
if (p[2])
5499
{
5500
int key_direction;
5501
5502
key_direction = ascii2keydirection (msglevel, p[2]);
5503
if (key_direction >= 0)
5504
options->key_direction = key_direction;
5505
else
5506
goto err;
5507
}
5508
options->shared_secret_file = p[1];
5509
}
5510
else if (streq (p[0], "genkey"))
5511
{
5512
VERIFY_PERMISSION (OPT_P_GENERAL);
5513
options->genkey = true;
5514
}
5515
else if (streq (p[0], "auth") && p[1])
5516
{
5517
VERIFY_PERMISSION (OPT_P_CRYPTO);
5518
options->authname_defined = true;
5519
options->authname = p[1];
5520
if (streq (options->authname, "none"))
5521
{
5522
options->authname_defined = false;
5523
options->authname = NULL;
5524
}
5525
}
5526
else if (streq (p[0], "auth"))
5527
{
5528
VERIFY_PERMISSION (OPT_P_CRYPTO);
5529
options->authname_defined = true;
5530
}
5531
else if (streq (p[0], "cipher") && p[1])
5532
{
5533
VERIFY_PERMISSION (OPT_P_CRYPTO);
5534
options->ciphername_defined = true;
5535
options->ciphername = p[1];
5536
if (streq (options->ciphername, "none"))
5537
{
5538
options->ciphername_defined = false;
5539
options->ciphername = NULL;
5540
}
5541
}
5542
else if (streq (p[0], "cipher"))
5543
{
5544
VERIFY_PERMISSION (OPT_P_CRYPTO);
5545
options->ciphername_defined = true;
5546
}
5547
else if (streq (p[0], "prng") && p[1])
5548
{
5549
VERIFY_PERMISSION (OPT_P_CRYPTO);
5550
if (streq (p[1], "none"))
5551
options->prng_hash = NULL;
5552
else
5553
options->prng_hash = p[1];
5554
if (p[2])
5555
{
5556
const int sl = atoi (p[2]);
5557
if (sl >= NONCE_SECRET_LEN_MIN && sl <= NONCE_SECRET_LEN_MAX)
5558
{
5559
options->prng_nonce_secret_len = sl;
5560
}
5561
else
5562
{
5563
msg (msglevel, "prng parameter nonce_secret_len must be between %d and %d",
5564
NONCE_SECRET_LEN_MIN, NONCE_SECRET_LEN_MAX);
5565
goto err;
5566
}
5567
}
5568
}
5569
else if (streq (p[0], "no-replay"))
5570
{
5571
VERIFY_PERMISSION (OPT_P_CRYPTO);
5572
options->replay = false;
5573
}
5574
else if (streq (p[0], "replay-window"))
5575
{
5576
VERIFY_PERMISSION (OPT_P_CRYPTO);
5577
if (p[1])
5578
{
5579
int replay_window;
5580
5581
replay_window = atoi (p[1]);
5582
if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
5583
{
5584
msg (msglevel, "replay-window window size parameter (%d) must be between %d and %d",
5585
replay_window,
5586
MIN_SEQ_BACKTRACK,
5587
MAX_SEQ_BACKTRACK);
5588
goto err;
5589
}
5590
options->replay_window = replay_window;
5591
5592
if (p[2])
5593
{
5594
int replay_time;
5595
5596
replay_time = atoi (p[2]);
5597
if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
5598
{
5599
msg (msglevel, "replay-window time window parameter (%d) must be between %d and %d",
5600
replay_time,
5601
MIN_TIME_BACKTRACK,
5602
MAX_TIME_BACKTRACK);
5603
goto err;
5604
}
5605
options->replay_time = replay_time;
5606
}
5607
}
5608
else
5609
{
5610
msg (msglevel, "replay-window option is missing window size parameter");
5611
goto err;
5612
}
5613
}
5614
else if (streq (p[0], "mute-replay-warnings"))
5615
{
5616
VERIFY_PERMISSION (OPT_P_CRYPTO);
5617
options->mute_replay_warnings = true;
5618
}
5619
else if (streq (p[0], "no-iv"))
5620
{
5621
VERIFY_PERMISSION (OPT_P_CRYPTO);
5622
options->use_iv = false;
5623
}
5624
else if (streq (p[0], "replay-persist") && p[1])
5625
{
5626
VERIFY_PERMISSION (OPT_P_GENERAL);
5627
options->packet_id_file = p[1];
5628
}
5629
else if (streq (p[0], "test-crypto"))
5630
{
5631
VERIFY_PERMISSION (OPT_P_GENERAL);
5632
options->test_crypto = true;
5633
}
5634
else if (streq (p[0], "engine"))
5635
{
5636
VERIFY_PERMISSION (OPT_P_GENERAL);
5637
if (p[1])
5638
{
5639
options->engine = p[1];
5640
}
5641
else
5642
options->engine = "auto";
5643
}
5644
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
5645
else if (streq (p[0], "keysize") && p[1])
5646
{
5647
int keysize;
5648
5649
VERIFY_PERMISSION (OPT_P_CRYPTO);
5650
keysize = atoi (p[1]) / 8;
5651
if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH)
5652
{
5653
msg (msglevel, "Bad keysize: %s", p[1]);
5654
goto err;
5655
}
5656
options->keysize = keysize;
5657
}
5658
#endif
5659
#ifdef USE_SSL
5660
else if (streq (p[0], "show-tls"))
5661
{
5662
VERIFY_PERMISSION (OPT_P_GENERAL);
5663
options->show_tls_ciphers = true;
5664
}
5665
else if (streq (p[0], "tls-server"))
5666
{
5667
VERIFY_PERMISSION (OPT_P_GENERAL);
5668
options->tls_server = true;
5669
}
5670
else if (streq (p[0], "tls-client"))
5671
{
5672
VERIFY_PERMISSION (OPT_P_GENERAL);
5673
options->tls_client = true;
5674
}
5675
else if (streq (p[0], "ca") && p[1])
5676
{
5677
VERIFY_PERMISSION (OPT_P_GENERAL);
5678
options->ca_file = p[1];
5679
#if ENABLE_INLINE_FILES
5680
if (streq (p[1], INLINE_FILE_TAG) && p[2])
5681
{
5682
options->ca_file_inline = p[2];
5683
}
5684
#endif
5685
}
5686
else if (streq (p[0], "capath") && p[1])
5687
{
5688
VERIFY_PERMISSION (OPT_P_GENERAL);
5689
options->ca_path = p[1];
5690
}
5691
else if (streq (p[0], "dh") && p[1])
5692
{
5693
VERIFY_PERMISSION (OPT_P_GENERAL);
5694
options->dh_file = p[1];
5695
#if ENABLE_INLINE_FILES
5696
if (streq (p[1], INLINE_FILE_TAG) && p[2])
5697
{
5698
options->dh_file_inline = p[2];
5699
}
5700
#endif
5701
}
5702
else if (streq (p[0], "cert") && p[1])
5703
{
5704
VERIFY_PERMISSION (OPT_P_GENERAL);
5705
options->cert_file = p[1];
5706
#if ENABLE_INLINE_FILES
5707
if (streq (p[1], INLINE_FILE_TAG) && p[2])
5708
{
5709
options->cert_file_inline = p[2];
5710
}
5711
#endif
5712
}
5713
#ifdef WIN32
5714
else if (streq (p[0], "cryptoapicert") && p[1])
5715
{
5716
VERIFY_PERMISSION (OPT_P_GENERAL);
5717
options->cryptoapi_cert = p[1];
5718
}
5719
#endif
5720
else if (streq (p[0], "key") && p[1])
5721
{
5722
VERIFY_PERMISSION (OPT_P_GENERAL);
5723
options->priv_key_file = p[1];
5724
#if ENABLE_INLINE_FILES
5725
if (streq (p[1], INLINE_FILE_TAG) && p[2])
5726
{
5727
options->priv_key_file_inline = p[2];
5728
}
5729
#endif
5730
}
5731
else if (streq (p[0], "pkcs12") && p[1])
5732
{
5733
VERIFY_PERMISSION (OPT_P_GENERAL);
5734
options->pkcs12_file = p[1];
5735
#if ENABLE_INLINE_FILES
5736
if (streq (p[1], INLINE_FILE_TAG) && p[2])
5737
{
5738
options->pkcs12_file_inline = p[2];
5739
}
5740
#endif
5741
}
5742
else if (streq (p[0], "askpass"))
5743
{
5744
VERIFY_PERMISSION (OPT_P_GENERAL);
5745
if (p[1])
5746
{
5747
options->key_pass_file = p[1];
5748
}
5749
else
5750
options->key_pass_file = "stdin";
5751
}
5752
else if (streq (p[0], "auth-nocache"))
5753
{
5754
VERIFY_PERMISSION (OPT_P_GENERAL);
5755
ssl_set_auth_nocache ();
5756
}
5757
else if (streq (p[0], "single-session"))
5758
{
5759
VERIFY_PERMISSION (OPT_P_GENERAL);
5760
options->single_session = true;
5761
}
5762
#ifdef ENABLE_PUSH_PEER_INFO
5763
else if (streq (p[0], "push-peer-info"))
5764
{
5765
VERIFY_PERMISSION (OPT_P_GENERAL);
5766
options->push_peer_info = true;
5767
}
5768
#endif
5769
else if (streq (p[0], "tls-exit"))
5770
{
5771
VERIFY_PERMISSION (OPT_P_GENERAL);
5772
options->tls_exit = true;
5773
}
5774
else if (streq (p[0], "tls-cipher") && p[1])
5775
{
5776
VERIFY_PERMISSION (OPT_P_GENERAL);
5777
options->cipher_list = p[1];
5778
}
5779
else if (streq (p[0], "crl-verify") && p[1])
5780
{
5781
VERIFY_PERMISSION (OPT_P_GENERAL);
5782
options->crl_file = p[1];
5783
}
5784
else if (streq (p[0], "tls-verify") && p[1])
5785
{
5786
VERIFY_PERMISSION (OPT_P_SCRIPT);
5787
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
5788
goto err;
5789
warn_multiple_script (options->tls_verify, "tls-verify");
5790
options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);
5791
}
5792
else if (streq (p[0], "tls-export-cert") && p[1])
5793
{
5794
VERIFY_PERMISSION (OPT_P_GENERAL);
5795
options->tls_export_cert = p[1];
5796
}
5797
else if (streq (p[0], "tls-remote") && p[1])
5798
{
5799
VERIFY_PERMISSION (OPT_P_GENERAL);
5800
options->tls_remote = p[1];
5801
}
5802
else if (streq (p[0], "ns-cert-type") && p[1])
5803
{
5804
VERIFY_PERMISSION (OPT_P_GENERAL);
5805
if (streq (p[1], "server"))
5806
options->ns_cert_type = NS_SSL_SERVER;
5807
else if (streq (p[1], "client"))
5808
options->ns_cert_type = NS_SSL_CLIENT;
5809
else
5810
{
5811
msg (msglevel, "--ns-cert-type must be 'client' or 'server'");
5812
goto err;
5813
}
5814
}
5815
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
5816
else if (streq (p[0], "remote-cert-ku"))
5817
{
5818
int j;
5819
5820
VERIFY_PERMISSION (OPT_P_GENERAL);
5821
5822
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5823
sscanf (p[j], "%x", &(options->remote_cert_ku[j-1]));
5824
}
5825
else if (streq (p[0], "remote-cert-eku") && p[1])
5826
{
5827
VERIFY_PERMISSION (OPT_P_GENERAL);
5828
options->remote_cert_eku = p[1];
5829
}
5830
else if (streq (p[0], "remote-cert-tls") && p[1])
5831
{
5832
VERIFY_PERMISSION (OPT_P_GENERAL);
5833
5834
if (streq (p[1], "server"))
5835
{
5836
options->remote_cert_ku[0] = 0xa0;
5837
options->remote_cert_ku[1] = 0x88;
5838
options->remote_cert_eku = "TLS Web Server Authentication";
5839
}
5840
else if (streq (p[1], "client"))
5841
{
5842
options->remote_cert_ku[0] = 0x80;
5843
options->remote_cert_ku[1] = 0x08;
5844
options->remote_cert_ku[2] = 0x88;
5845
options->remote_cert_eku = "TLS Web Client Authentication";
5846
}
5847
else
5848
{
5849
msg (msglevel, "--remote-cert-tls must be 'client' or 'server'");
5850
goto err;
5851
}
5852
}
5853
#endif /* OPENSSL_VERSION_NUMBER */
5854
else if (streq (p[0], "tls-timeout") && p[1])
5855
{
5856
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5857
options->tls_timeout = positive_atoi (p[1]);
5858
}
5859
else if (streq (p[0], "reneg-bytes") && p[1])
5860
{
5861
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5862
options->renegotiate_bytes = positive_atoi (p[1]);
5863
}
5864
else if (streq (p[0], "reneg-pkts") && p[1])
5865
{
5866
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5867
options->renegotiate_packets = positive_atoi (p[1]);
5868
}
5869
else if (streq (p[0], "reneg-sec") && p[1])
5870
{
5871
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5872
options->renegotiate_seconds = positive_atoi (p[1]);
5873
}
5874
else if (streq (p[0], "hand-window") && p[1])
5875
{
5876
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5877
options->handshake_window = positive_atoi (p[1]);
5878
}
5879
else if (streq (p[0], "tran-window") && p[1])
5880
{
5881
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
5882
options->transition_window = positive_atoi (p[1]);
5883
}
5884
else if (streq (p[0], "tls-auth") && p[1])
5885
{
5886
VERIFY_PERMISSION (OPT_P_GENERAL);
5887
#if ENABLE_INLINE_FILES
5888
if (streq (p[1], INLINE_FILE_TAG) && p[2])
5889
{
5890
options->tls_auth_file_inline = p[2];
5891
}
5892
else
5893
#endif
5894
if (p[2])
5895
{
5896
int key_direction;
5897
5898
key_direction = ascii2keydirection (msglevel, p[2]);
5899
if (key_direction >= 0)
5900
options->key_direction = key_direction;
5901
else
5902
goto err;
5903
}
5904
options->tls_auth_file = p[1];
5905
}
5906
else if (streq (p[0], "key-method") && p[1])
5907
{
5908
int key_method;
5909
5910
VERIFY_PERMISSION (OPT_P_GENERAL);
5911
key_method = atoi (p[1]);
5912
if (key_method < KEY_METHOD_MIN || key_method > KEY_METHOD_MAX)
5913
{
5914
msg (msglevel, "key_method parameter (%d) must be >= %d and <= %d",
5915
key_method,
5916
KEY_METHOD_MIN,
5917
KEY_METHOD_MAX);
5918
goto err;
5919
}
5920
options->key_method = key_method;
5921
}
5922
#ifdef ENABLE_X509ALTUSERNAME
5923
else if (streq (p[0], "x509-username-field") && p[1])
5924
{
5925
char *s = p[1];
5926
VERIFY_PERMISSION (OPT_P_GENERAL);
5927
while ((*s = toupper(*s)) != '\0') s++; /* Uppercase if necessary */
5928
options->x509_username_field = p[1];
5929
}
5930
#endif /* ENABLE_X509ALTUSERNAME */
5931
#endif /* USE_SSL */
5932
#endif /* USE_CRYPTO */
5933
#ifdef ENABLE_PKCS11
5934
else if (streq (p[0], "show-pkcs11-ids") && p[1])
5935
{
5936
char *provider = p[1];
5937
bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 ));
5938
5939
VERIFY_PERMISSION (OPT_P_GENERAL);
5940
5941
set_debug_level (options->verbosity, SDL_CONSTRAIN);
5942
show_pkcs11_ids (provider, cert_private);
5943
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
5944
}
5945
else if (streq (p[0], "pkcs11-providers") && p[1])
5946
{
5947
int j;
5948
5949
VERIFY_PERMISSION (OPT_P_GENERAL);
5950
5951
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5952
options->pkcs11_providers[j-1] = p[j];
5953
}
5954
else if (streq (p[0], "pkcs11-protected-authentication"))
5955
{
5956
int j;
5957
5958
VERIFY_PERMISSION (OPT_P_GENERAL);
5959
5960
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5961
options->pkcs11_protected_authentication[j-1] = atoi (p[j]) != 0 ? 1 : 0;
5962
}
5963
else if (streq (p[0], "pkcs11-private-mode") && p[1])
5964
{
5965
int j;
5966
5967
VERIFY_PERMISSION (OPT_P_GENERAL);
5968
5969
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5970
sscanf (p[j], "%x", &(options->pkcs11_private_mode[j-1]));
5971
}
5972
else if (streq (p[0], "pkcs11-cert-private"))
5973
{
5974
int j;
5975
5976
VERIFY_PERMISSION (OPT_P_GENERAL);
5977
5978
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
5979
options->pkcs11_cert_private[j-1] = atoi (p[j]) != 0 ? 1 : 0;
5980
}
5981
else if (streq (p[0], "pkcs11-pin-cache") && p[1])
5982
{
5983
VERIFY_PERMISSION (OPT_P_GENERAL);
5984
options->pkcs11_pin_cache_period = atoi (p[1]);
5985
}
5986
else if (streq (p[0], "pkcs11-id") && p[1])
5987
{
5988
VERIFY_PERMISSION (OPT_P_GENERAL);
5989
options->pkcs11_id = p[1];
5990
}
5991
else if (streq (p[0], "pkcs11-id-management"))
5992
{
5993
VERIFY_PERMISSION (OPT_P_GENERAL);
5994
options->pkcs11_id_management = true;
5995
}
5996
#endif
5997
#ifdef TUNSETPERSIST
5998
else if (streq (p[0], "rmtun"))
5999
{
6000
VERIFY_PERMISSION (OPT_P_GENERAL);
6001
options->persist_config = true;
6002
options->persist_mode = 0;
6003
}
6004
else if (streq (p[0], "mktun"))
6005
{
6006
VERIFY_PERMISSION (OPT_P_GENERAL);
6007
options->persist_config = true;
6008
options->persist_mode = 1;
6009
}
6010
#endif
6011
else
6012
{
6013
if (file)
6014
msg (msglevel_fc, "Unrecognized option or missing parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
6015
else
6016
msg (msglevel_fc, "Unrecognized option or missing parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
6017
}
6018
err:
6019
gc_free (&gc);
6020
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.1