6fbf66fa |
/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
* |
b77bffe8 |
* Copyright (C) 2002-2013 OpenVPN Technologies, Inc. <sales@openvpn.net> |
e3d38865 |
* Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net> |
0c1f7ad5 |
* |
6fbf66fa |
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING included with this
* distribution); if not, write to the Free Software Foundation, Inc.,
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/*
* 2004-01-28: Added Socks5 proxy support
* (Christof Meerwald, http://cmeerw.org)
*/
|
c110b289 |
#ifdef HAVE_CONFIG_H
#include "config.h"
#elif defined(_MSC_VER)
#include "config-msvc.h"
#endif |
7046ff20 |
#ifdef HAVE_CONFIG_VERSION_H
#include "config-version.h"
#endif |
c110b289 |
|
6fbf66fa |
#include "syshead.h"
#include "buffer.h"
#include "error.h"
#include "common.h"
#include "shaper.h"
#include "crypto.h"
#include "ssl.h"
#include "options.h"
#include "misc.h"
#include "socket.h"
#include "packet_id.h" |
ce98fd24 |
#include "pkcs11.h" |
6fbf66fa |
#include "win32.h"
#include "push.h"
#include "pool.h"
#include "helper.h"
#include "manage.h" |
423d68b0 |
#include "forward.h" |
63dc03d0 |
#include "ssl_verify.h" |
2e8337de |
#include <ctype.h> |
6fbf66fa |
#include "memdbg.h"
const char title_string[] =
PACKAGE_STRING |
fb621041 |
#ifdef CONFIGURE_GIT_REVISION
" [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
#endif |
6fbf66fa |
" " TARGET_ALIAS |
9b33b5a4 |
#ifdef ENABLE_CRYPTO |
86d8cd68 |
#if defined(ENABLE_CRYPTO_MBEDTLS)
" [SSL (mbed TLS)]" |
9b33b5a4 |
#elif defined(ENABLE_CRYPTO_OPENSSL) |
88203950 |
" [SSL (OpenSSL)]"
#else |
6fbf66fa |
" [SSL]" |
86d8cd68 |
#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */ |
9b33b5a4 |
#endif /* ENABLE_CRYPTO */ |
38d96bd7 |
#ifdef USE_COMP |
74bbc71b |
#ifdef ENABLE_LZO
" [LZO]"
#endif |
40efb635 |
#ifdef ENABLE_LZ4
" [LZ4]"
#endif |
38d96bd7 |
#ifdef ENABLE_COMP_STUB
" [COMP_STUB]" |
6fbf66fa |
#endif |
38d96bd7 |
#endif /* USE_COMP */ |
6fbf66fa |
#if EPOLL
" [EPOLL]"
#endif |
657ecf14 |
#ifdef PRODUCT_TAP_DEBUG
" [TAPDBG]"
#endif |
718526e0 |
#ifdef ENABLE_PKCS11
" [PKCS11]"
#endif |
6dbf82a9 |
#if ENABLE_IP_PKTINFO |
d7c15ff1 |
# if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
" [MH/PKTINFO]"
# elif defined(IP_RECVDSTADDR)
" [MH/RECVDA]"
# endif |
8335caf9 |
#endif |
2391a3ab |
#ifdef HAVE_AEAD_CIPHER_MODES
" [AEAD]"
#endif |
6fbf66fa |
" built on " __DATE__
;
#ifndef ENABLE_SMALL
static const char usage_message[] =
"%s\n"
"\n"
"General Options:\n"
"--config file : Read configuration options from file.\n"
"--help : Show options.\n"
"--version : Show copyright and version information.\n"
"\n"
"Tunnel Options:\n" |
04f4b793 |
"--local host : Local host name or ip address. Implies --bind.\n" |
6fbf66fa |
"--remote host [port] : Remote host name or ip address.\n"
"--remote-random : If multiple --remote options specified, choose one randomly.\n" |
8e9666d5 |
"--remote-random-hostname : Add a random string to remote DNS name.\n" |
6fbf66fa |
"--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
"--proto p : Use protocol p for communicating with peer.\n"
" p = udp (default), tcp-server, or tcp-client\n" |
51e6e5b0 |
"--proto-force p : only consider protocol p in list of connection profiles.\n" |
51afc8b8 |
" p = udp6, tcp6-server, or tcp6-client (ipv6)\n" |
5d429efd |
"--connect-retry n [m] : For client, number of seconds to wait between\n"
" connection retries (default=%d). On repeated retries\n"
" the wait time is exponentially increased to a maximum of m\n"
" (default=%d).\n" |
b540a9e0 |
"--connect-retry-max n : Maximum connection attempt retries, default infinite.\n" |
f214bb21 |
"--http-proxy s p [up] [auth] : Connect to remote host\n"
" through an HTTP proxy at address s and port p.\n"
" If proxy authentication is required,\n" |
6fbf66fa |
" up is a file containing username/password on 2 lines, or\n"
" 'stdin' to prompt from console. Add auth='ntlm' if\n"
" the proxy requires NTLM authentication.\n" |
b27dc04c |
"--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
" determine auth method and query for username/password\n"
" if needed. auto-nct disables weak proxy auth methods.\n" |
6fbf66fa |
"--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
" Repeat to set multiple options.\n"
" VERSION version (default=1.0)\n"
" AGENT user-agent\n" |
fc1fa9ff |
"--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
" address s and port p (default port = 1080).\n"
" If proxy authentication is required,\n"
" up is a file containing username/password on 2 lines, or\n"
" 'stdin' to prompt for console.\n" |
6fbf66fa |
"--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
"--resolv-retry n: If hostname resolve fails for --remote, retry\n"
" resolve for n seconds before failing (disabled by default).\n"
" Set n=\"infinite\" to retry indefinitely.\n"
"--float : Allow remote to change its IP address/port, such as through\n"
" DHCP (this is the default if --remote is not used).\n" |
d6285998 |
"--ipchange cmd : Run command cmd on remote ip address initial\n" |
6fbf66fa |
" setting or change -- execute as: cmd ip-address port#\n"
"--port port : TCP/UDP port # for both local and remote.\n" |
076fd3e4 |
"--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
"--rport port : TCP/UDP port # for remote (default=%s).\n" |
04f4b793 |
"--bind : Bind to local address and port. (This is the default unless\n"
" --proto tcp-client"
" or --http-proxy"
" or --socks-proxy"
" is used).\n" |
6fbf66fa |
"--nobind : Do not bind to local address and port.\n"
"--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
"--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
" this option only if the tun/tap device used with --dev\n"
" does not begin with \"tun\" or \"tap\".\n"
"--dev-node node : Explicitly set the device node rather than using\n"
" /dev/net/tun, /dev/tun, /dev/tap, etc.\n" |
e12fe286 |
"--lladdr hw : Set the link layer address of the tap device.\n" |
3c7f2f55 |
"--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n" |
51bd56f4 |
#ifdef ENABLE_IPROUTE |
0aee9ca7 |
"--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
#endif |
6fbf66fa |
"--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
" endpoint and rn as a remote endpoint. l & rn should be\n"
" swapped on the other peer. l & rn must be private\n"
" addresses outside of the subnets used by either peer.\n"
" TAP: configure device to use IP address l as a local\n"
" endpoint and rn as a subnet mask.\n" |
512cda46 |
"--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
" endpoint (as a /64) and r as remote endpoint\n" |
6fbf66fa |
"--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
" pass --ifconfig parms by environment to scripts.\n"
"--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
" connection doesn't match the remote side.\n"
"--route network [netmask] [gateway] [metric] :\n"
" Add route to routing table after connection\n"
" is established. Multiple routes can be specified.\n"
" netmask default: 255.255.255.255\n"
" gateway default: taken from --route-gateway or --ifconfig\n"
" Specify default by leaving blank or setting to \"nil\".\n" |
512cda46 |
"--route-ipv6 network/bits [gateway] [metric] :\n"
" Add IPv6 route to routing table after connection\n"
" is established. Multiple routes can be specified.\n" |
a1010a84 |
" gateway default: taken from 'remote' in --ifconfig-ipv6\n" |
03731db3 |
"--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n" |
40ac3d7a |
"--route-metric m : Specify a default metric for use with --route.\n" |
6fbf66fa |
"--route-delay n [w] : Delay n seconds after connection initiation before\n"
" adding routes (may be 0). If not specified, routes will\n"
" be added immediately after tun/tap open. On Windows, wait\n"
" up to w seconds for TUN/TAP adapter to come up.\n" |
d6285998 |
"--route-up cmd : Run command cmd after routes are added.\n"
"--route-pre-down cmd : Run command cmd before routes are removed.\n" |
6fbf66fa |
"--route-noexec : Don't add routes automatically. Instead pass routes to\n"
" --route-up script using environmental variables.\n" |
a4d621ec |
"--route-nopull : When used with --client or --pull, accept options pushed\n" |
97235cc7 |
" by server EXCEPT for routes and dhcp options.\n" |
0a838de8 |
"--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
" --ifconfig, --route, and --route-gateway.\n" |
b723833b |
"--redirect-gateway [flags]: Automatically execute routing\n" |
6fbf66fa |
" commands to redirect all outgoing IP traffic through the\n"
" VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
" connected via a common subnet, such as with WiFi.\n"
" Add 'def1' flag to set default route using using 0.0.0.0/1\n" |
3c7f2f55 |
" and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
" flag to add a direct route to DHCP server, bypassing tunnel.\n"
" Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n" |
b723833b |
"--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
" the default gateway. Useful when pushing private subnets.\n" |
581bef87 |
"--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n" |
aaf72974 |
#ifdef ENABLE_PUSH_PEER_INFO
"--push-peer-info : (client only) push client info to server.\n"
#endif |
6fbf66fa |
"--setenv name value : Set a custom environmental variable to pass to script.\n" |
373faab1 |
"--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
" directives for future OpenVPN versions to be ignored.\n" |
b685a1e6 |
"--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
" these options to be ignored when unknown\n" |
05634736 |
"--script-security level: Where level can be:\n" |
a8281352 |
" 0 -- strictly no calling of external programs\n"
" 1 -- (default) only call built-ins such as ifconfig\n"
" 2 -- allow calling of built-ins and scripts\n"
" 3 -- allow password to be passed to scripts via env\n" |
6fbf66fa |
"--shaper n : Restrict output to peer to n bytes per second.\n"
"--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
" ping once every n seconds, restart if ping not received\n"
" for m seconds.\n" |
838911cc |
"--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
" produces a combined in/out byte count < bytes.\n" |
6fbf66fa |
"--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
"--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
"--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
" remote address.\n"
"--ping n : Ping remote once every n seconds over TCP/UDP port.\n" |
8bc93d7f |
#if ENABLE_IP_PKTINFO
"--multihome : Configure a multi-homed UDP server.\n"
#endif |
6fbf66fa |
"--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
"--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
"--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
"--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
"--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
"--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
#if PASSTOS_CAPABILITY
"--passtos : TOS passthrough (applies to IPv4 only).\n"
#endif
"--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
" TCP/UDP MTU from it (default=%d).\n"
"--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
" as n bytes more than the tun-mtu size on read\n"
" (default TUN=0 TAP=%d).\n"
"--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
" from it.\n"
"--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
" 'no' -- Never send DF (Don't Fragment) frames\n"
" 'maybe' -- Use per-route hints\n"
" 'yes' -- Always DF (Don't Fragment)\n"
#ifdef ENABLE_OCC
"--mtu-test : Empirically measure and report MTU.\n"
#endif
#ifdef ENABLE_FRAGMENT
"--fragment max : Enable internal datagram fragmentation so that no UDP\n"
" datagrams are sent which are larger than max bytes.\n"
" Adds 4 bytes of overhead per datagram.\n"
#endif
"--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
" or --fragment max value, whichever is lower.\n"
"--sndbuf size : Set the TCP/UDP send buffer size.\n"
"--rcvbuf size : Set the TCP/UDP receive buffer size.\n" |
51bd56f4 |
#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK |
d90428d1 |
"--mark value : Mark encrypted packets being sent with value. The mark value\n"
" can be matched in policy routing and packetfilter rules.\n"
#endif |
6fbf66fa |
"--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n" |
ffea644c |
#ifdef ENABLE_MEMSTATS
"--memstats file : Write live usage stats to memory mapped binary file.\n"
#endif |
6fbf66fa |
"--mlock : Disable Paging -- ensures key material and tunnel\n"
" data will never be written to disk.\n" |
d6285998 |
"--up cmd : Run command cmd after successful tun device open.\n" |
6fbf66fa |
" Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
" ifconfig-local-ip ifconfig-remote-ip\n"
" (pre --user or --group UID/GID change)\n"
"--up-delay : Delay tun/tap open and possible --up script execution\n"
" until after TCP/UDP connection establishment with peer.\n" |
d6285998 |
"--down cmd : Run command cmd after tun device close.\n" |
6fbf66fa |
" (post --user/--group UID/GID change and/or --chroot)\n" |
d6285998 |
" (command parameters are same as --up option)\n"
"--down-pre : Run --down command before TUN/TAP close.\n"
"--up-restart : Run up/down commands for all restarts including those\n" |
6fbf66fa |
" caused by --ping-restart or SIGUSR1\n"
"--user user : Set UID to user after initialization.\n"
"--group group : Set GID to group after initialization.\n"
"--chroot dir : Chroot to this directory after initialization.\n" |
cd5990e0 |
#ifdef ENABLE_SELINUX |
99385447 |
"--setcon context: Apply this SELinux context after initialization.\n"
#endif |
6fbf66fa |
"--cd dir : Change to this directory before initialization.\n"
"--daemon [name] : Become a daemon after initialization.\n"
" The optional 'name' parameter will be passed\n"
" as the program name to the system logger.\n"
"--syslog [name] : Output to syslog, but do not become a daemon.\n"
" See --daemon above for a description of the 'name' parm.\n"
"--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
" See --daemon above for a description of the 'name' parm.\n"
"--log file : Output log to file which is created/truncated on open.\n"
"--log-append file : Append log to file, or create file if nonexistent.\n"
"--suppress-timestamps : Don't log timestamps to stdout/stderr.\n" |
8f7d5e67 |
"--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n" |
6fbf66fa |
"--writepid file : Write main process ID to file.\n"
"--nice n : Change process priority (>0 = lower, <0 = higher).\n"
"--echo [parms ...] : Echo parameters to log output.\n"
"--verb n : Set output verbosity to n (default=%d):\n"
" (Level 3 is recommended if you want a good summary\n"
" of what's happening without being swamped by output).\n"
" : 0 -- no output except fatal errors\n"
" : 1 -- startup info + connection initiated messages +\n"
" non-fatal encryption & net errors\n"
" : 2,3 -- show TLS negotiations & route info\n"
" : 4 -- show parameters\n"
" : 5 -- show 'RrWw' chars on console for each packet sent\n"
" and received from TCP/UDP (caps) or tun/tap (lc)\n"
" : 6 to 11 -- debug messages of increasing verbosity\n"
"--mute n : Log at most n consecutive messages in the same category.\n"
"--status file n : Write operational status to file every n seconds.\n"
"--status-version [n] : Choose the status file format version number.\n" |
c421bacf |
" Currently, n can be 1, 2, or 3 (default=1).\n" |
6fbf66fa |
#ifdef ENABLE_OCC
"--disable-occ : Disable options consistency check between peers.\n"
#endif
#ifdef ENABLE_DEBUG
"--gremlin mask : Special stress testing mode (for debugging only).\n"
#endif |
38d96bd7 |
#if defined(USE_COMP)
"--compress alg : Use compression algorithm alg\n"
#if defined(ENABLE_LZO)
"--comp-lzo : Use LZO compression -- may add up to 1 byte per\n" |
6fbf66fa |
" packet for uncompressible data.\n"
"--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
" is specified.\n"
#endif |
38d96bd7 |
#endif |
6fbf66fa |
#ifdef ENABLE_MANAGEMENT
"--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
" management functions. pass is a password file\n"
" or 'stdin' to prompt from console.\n" |
bb564a59 |
#if UNIX_SOCK_SUPPORT
" To listen on a unix domain socket, specific the pathname\n"
" in place of ip and use 'unix' as the port number.\n"
#endif |
4f404ad3 |
"--management-client : Management interface will connect as a TCP client to\n"
" ip/port rather than listen as a TCP server.\n" |
6fbf66fa |
"--management-query-passwords : Query management channel for private key\n"
" and auth-user-pass passwords.\n" |
af1bf85a |
"--management-query-proxy : Query management channel for proxy information.\n" |
54561af6 |
"--management-query-remote : Query management channel for --remote directive.\n" |
6fbf66fa |
"--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
" of the management interface explicitly starts it.\n" |
1184b824 |
"--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n" |
a032fcb7 |
"--management-forget-disconnect : Forget passwords when management disconnect\n"
" event occurs.\n" |
15be3202 |
"--management-up-down : Report tunnel up/down events to management interface.\n" |
6fbf66fa |
"--management-log-cache n : Cache n lines of log file history for usage\n"
" by the management channel.\n" |
bb564a59 |
#if UNIX_SOCK_SUPPORT
"--management-client-user u : When management interface is a unix socket, only\n"
" allow connections from user u.\n"
"--management-client-group g : When management interface is a unix socket, only\n"
" allow connections from group g.\n"
#endif |
90efcacb |
#ifdef MANAGEMENT_DEF_AUTH
"--management-client-auth : gives management interface client the responsibility\n"
" to authenticate clients after their client certificate\n"
" has been verified.\n"
#endif
#ifdef MANAGEMENT_PF
"--management-client-pf : management interface clients must specify a packet\n"
" filter file for each connecting client.\n"
#endif |
6fbf66fa |
#endif
#ifdef ENABLE_PLUGIN
"--plugin m [str]: Load plug-in module m passing str as an argument\n"
" to its initialization function.\n"
#endif
#if P2MP
#if P2MP_SERVER
"\n"
"Multi-Client Server options (when --mode server is used):\n"
"--server network netmask : Helper option to easily configure server mode.\n" |
512cda46 |
"--server-ipv6 network/bits : Configure IPv6 server mode.\n" |
03731db3 |
"--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n" |
6fbf66fa |
" easily configure ethernet bridging server mode.\n"
"--push \"option\" : Push a config file option back to the peer for remote\n"
" execution. Peer must specify --pull in its config file.\n"
"--push-reset : Don't inherit global push list for specific\n"
" client instance.\n"
"--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
" to be dynamically allocated to connecting clients.\n"
"--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
" in tun mode. Not compatible with Windows clients.\n"
"--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
" data to file, at seconds intervals (default=600).\n"
" If seconds=0, file will be treated as read-only.\n" |
512cda46 |
"--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
" to be dynamically allocated to connecting clients.\n" |
6fbf66fa |
"--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
" overrides --ifconfig-pool dynamic allocation.\n"
" Only valid in a client-specific config file.\n" |
1840c852 |
"--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
" remote, overrides --ifconfig-ipv6-pool allocation.\n"
" Only valid in a client-specific config file.\n" |
6fbf66fa |
"--iroute network [netmask] : Route subnet to client.\n" |
512cda46 |
"--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n" |
6fbf66fa |
" Sets up internal routes only.\n"
" Only valid in a client-specific config file.\n"
"--disable : Client is disabled.\n"
" Only valid in a client-specific config file.\n"
"--client-cert-not-required : Don't require client certificate, client\n"
" will authenticate using username/password.\n" |
b8cdb213 |
"--verify-client-cert [none|optional|require] : perform no, optional or\n"
" mandatory client certificate verification.\n"
" Default is to require the client to supply a certificate.\n" |
6fbf66fa |
"--username-as-common-name : For auth-user-pass authentication, use\n"
" the authenticated username as the common name,\n"
" rather than the common name from the client cert.\n"
"--auth-user-pass-verify cmd method: Query client for username/password and\n" |
d6285998 |
" run command cmd to verify. If method='via-env', pass\n" |
6fbf66fa |
" user/pass via environment, if method='via-file', pass\n"
" user/pass via temporary file.\n" |
58066d04 |
"--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
" to each client, replacing the password. Usefull when\n"
" OTP based two-factor auth mechanisms are in use and\n"
" --reneg-* options are enabled. Optionally a lifetime in seconds\n"
" for generated tokens can be set.\n" |
09cc9c81 |
"--opt-verify : Clients that connect with options that are incompatible\n"
" with those of the server will be disconnected.\n" |
24ce3b27 |
"--auth-user-pass-optional : Allow connections by clients that don't\n"
" specify a username/password.\n" |
ed304247 |
"--no-name-remapping : Allow Common Name and X509 Subject to include\n"
" any printable character.\n" |
6fbf66fa |
"--client-to-client : Internally route client-to-client traffic.\n"
"--duplicate-cn : Allow multiple clients with the same common name to\n"
" concurrently connect.\n" |
d6285998 |
"--client-connect cmd : Run command cmd on client connection.\n"
"--client-disconnect cmd : Run command cmd on client disconnection.\n" |
6fbf66fa |
"--client-config-dir dir : Directory for custom client config files.\n"
"--ccd-exclusive : Refuse connection unless custom client config is found.\n" |
dc2ccc82 |
"--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n" |
6fbf66fa |
"--hash-size r v : Set the size of the real address hash table to r and the\n"
" virtual address table to v.\n"
"--bcast-buffers n : Allocate n broadcast buffers.\n"
"--tcp-queue-limit n : Maximum number of queued TCP output packets.\n" |
ae3b3746 |
"--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
" as well as pushes it to connecting clients.\n" |
d6285998 |
"--learn-address cmd : Run command cmd to validate client virtual addresses.\n" |
6fbf66fa |
"--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
"--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
"--max-routes-per-client n : Allow a maximum of n internal routes per client.\n" |
3a957aae |
"--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
" older than n seconds. Run this check every t\n"
" seconds (defaults to n).\n" |
8dd9ff8c |
"--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
" clients. n = 1 - reconnect to same server,\n"
" 2 - advance to next server, default=1.\n" |
6add6b2f |
#if PORT_SHARE |
1c5ff772 |
"--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
" sessions to a web server at host:port. dir specifies an\n"
" optional directory to write origin IP:port data.\n" |
6add6b2f |
#endif |
6fbf66fa |
#endif
"\n"
"Client options (when connecting to a multi-client server):\n"
"--client : Helper option to easily configure client mode.\n"
"--auth-user-pass [up] : Authenticate with server using username/password.\n" |
6e9373c8 |
" up is a file containing the username on the first line,\n"
" and a password on the second. If either the password or both\n"
" the username and the password are omitted OpenVPN will prompt\n"
" for them from console.\n" |
6fbf66fa |
"--pull : Accept certain config file options from the peer as if they\n"
" were part of the local config file. Must be specified\n"
" when connecting to a '--mode server' remote host.\n" |
7f74c27e |
"--pull-filter accept|ignore|reject t : Filter each option received from the\n"
" server if it starts with the text t. The action flag accept,\n"
" ignore or reject causes the option to be allowed, removed or\n"
" rejected with error. May be specified multiple times, and\n"
" each filter is applied in the order of appearance.\n" |
6fbf66fa |
"--auth-retry t : How to handle auth failures. Set t to\n"
" none (default), interact, or nointeract.\n" |
eab3e22f |
"--static-challenge t e : Enable static challenge/response protocol using\n"
" challenge text t, with e indicating echo flag (0|1)\n" |
f2134b7b |
"--connect-timeout n : when polling possible remote servers to connect to\n" |
e1e977f3 |
" in a round-robin fashion, spend no more than n seconds\n"
" waiting for a response before trying the next server.\n" |
e8c42658 |
"--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
" incoming tun packets with same destination as host.\n" |
6fbf66fa |
#endif
#ifdef ENABLE_OCC
"--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
" server/remote. n = # of retries, default=1.\n"
#endif |
9b33b5a4 |
#ifdef ENABLE_CRYPTO |
6fbf66fa |
"\n"
"Data Channel Encryption Options (must be compatible between peers):\n"
"(These options are meaningful for both Static Key & TLS-mode)\n"
"--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
" Use shared secret file f, generate with --genkey.\n"
" The optional d parameter controls key directionality.\n"
" If d is specified, use separate keys for each\n"
" direction, set d=0 on one side of the connection,\n"
" and d=1 on the other side.\n"
"--auth alg : Authenticate packets with HMAC using message\n"
" digest algorithm alg (default=%s).\n"
" (usually adds 16 or 20 bytes per packet)\n"
" Set alg=none to disable authentication.\n"
"--cipher alg : Encrypt packets with cipher algorithm alg\n"
" (default=%s).\n"
" Set alg=none to disable encryption.\n" |
d728ebed |
"--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
"--ncp-disable : Disable cipher negotiation.\n" |
03bfb228 |
"--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
" nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" |
6fbf66fa |
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
"--keysize n : Size of cipher key in bits (optional).\n"
" If unspecified, defaults to cipher-specific default.\n"
#endif |
86d8cd68 |
#ifndef ENABLE_CRYPTO_MBEDTLS |
6fbf66fa |
"--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" |
53f97e1e |
#endif |
6fbf66fa |
"--no-replay : Disable replay protection.\n"
"--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
"--replay-window n [t] : Use a replay protection sliding window of size n\n"
" and a time window of t seconds.\n"
" Default n=%d t=%d\n"
"--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n"
"--replay-persist file : Persist replay-protection state across sessions\n"
" using file.\n"
"--test-crypto : Run a self-test of crypto features enabled.\n"
" For debugging only.\n" |
0f25d296 |
#ifdef ENABLE_PREDICTION_RESISTANCE
"--use-prediction-resistance: Enable prediction resistance on the random\n"
" number generator.\n"
#endif |
6fbf66fa |
"\n"
"TLS Key Negotiation Options:\n"
"(These options are meaningful only for TLS-mode)\n"
"--tls-server : Enable TLS and assume server role during TLS handshake.\n"
"--tls-client : Enable TLS and assume client role during TLS handshake.\n"
"--key-method m : Data channel key exchange method. m should be a method\n"
" number, such as 1 (default), 2, etc.\n"
"--ca file : Certificate authority file in .pem format containing\n"
" root certificate.\n" |
86d8cd68 |
#ifndef ENABLE_CRYPTO_MBEDTLS |
e9c5e170 |
"--capath dir : A directory of trusted certificates (CAs"
" and CRLs).\n" |
86d8cd68 |
#endif /* ENABLE_CRYPTO_MBEDTLS */ |
6fbf66fa |
"--dh file : File containing Diffie Hellman parameters\n"
" in .pem format (for --tls-server only).\n"
" Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
"--cert file : Local certificate in .pem format -- must be signed\n"
" by a Certificate Authority in --ca file.\n" |
7966d75a |
"--extra-certs file : one or more PEM certs that complete the cert chain.\n" |
6fbf66fa |
"--key file : Local private key in .pem format.\n" |
4b67f984 |
"--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
" will accept from the peer. If version is unrecognized and 'or-highest'\n"
" is specified, require max TLS version supported by SSL implementation.\n" |
6cb15b90 |
"--tls-version-max <version> : sets the maximum TLS version we will use.\n" |
86d8cd68 |
#ifndef ENABLE_CRYPTO_MBEDTLS |
6fbf66fa |
"--pkcs12 file : PKCS#12 file containing local private key, local certificate\n" |
e83b8190 |
" and optionally the root CA certificate.\n" |
93ee3932 |
#endif |
fbd18db6 |
#ifdef ENABLE_X509ALTUSERNAME |
f4e0ad82 |
"--x509-username-field : Field in x509 certificate containing the username.\n"
" Default is CN in the Subject field.\n" |
fbd18db6 |
#endif |
7966d75a |
"--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n" |
6fbf66fa |
#ifdef WIN32
"--cryptoapicert select-string : Load the certificate and private key from the\n"
" Windows Certificate System Store.\n"
#endif
"--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
" : Use --show-tls to see a list of supported TLS ciphers.\n"
"--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
" if no ACK from remote within n seconds (default=%d).\n"
"--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
"--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
"--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
"--hand-window n : Data channel key exchange must finalize within n seconds\n"
" of handshake initiation by any peer (default=%d).\n"
"--tran-window n : Transition window -- old key can live this many seconds\n"
" after new key renegotiation begins (default=%d).\n"
"--single-session: Allow only one session (reset state on restart).\n"
"--tls-exit : Exit on TLS negotiation failure.\n"
"--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
" control channel to protect against DoS attacks.\n"
" f (required) is a shared-secret passphrase file.\n"
" The optional d parameter controls key directionality,\n"
" see --secret option for more info.\n"
"--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
"--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n" |
d5497262 |
"--crl-verify crl ['dir']: Check peer certificate against a CRL.\n" |
d6285998 |
"--tls-verify cmd: Run command cmd to verify the X509 name of a\n" |
6fbf66fa |
" pending TLS connection that has otherwise passed all other\n"
" tests of certification. cmd should return 0 to allow\n"
" TLS handshake to proceed, or 1 to fail. (cmd is\n" |
5e86fd93 |
" executed as 'cmd certificate_depth subject')\n" |
39238d1b |
"--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
" in an openvpn temporary file in [directory]. Peer cert is \n"
" stored before tls-verify script execution and deleted after.\n" |
9f0fc745 |
"--verify-x509-name name: Accept connections only from a host with X509 subject\n"
" DN name. The remote host must also pass all other tests\n" |
6fbf66fa |
" of verification.\n"
"--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
" nsCertType designation t = 'client' | 'server'.\n" |
9356bae8 |
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n" |
685e486e |
#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
"--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
" of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
#endif |
411e89ae |
"--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
" explicit key usage, you can specify more than one value.\n"
" value should be given in hex format.\n"
"--remote-cert-eku oid : Require that the peer certificate was signed with\n"
" explicit extended key usage. Extended key usage can be encoded\n" |
f19f12c8 |
" as an object identifier or OpenSSL string representation.\n" |
411e89ae |
"--remote-cert-tls t: Require that peer certificate was signed with explicit\n" |
6117b639 |
" key usage and extended key usage based on RFC3280 TLS rules.\n"
" t = 'client' | 'server'.\n" |
6835555e |
#ifdef ENABLE_PKCS11 |
6fbf66fa |
"\n" |
6835555e |
"PKCS#11 Options:\n"
"--pkcs11-providers provider ... : PKCS#11 provider to load.\n" |
18597b93 |
"--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
" path. Set for each provider.\n" |
718526e0 |
"--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
" 0 : Try to determind automatically (default).\n"
" 1 : Use Sign.\n"
" 2 : Use SignRecover.\n"
" 4 : Use Decrypt.\n"
" 8 : Use Unwrap.\n" |
18597b93 |
"--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n" |
1bda73a7 |
" certificate can be accessed. Set for each provider.\n"
"--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
" cache until token is removed.\n"
"--pkcs11-id-management : Acquire identity from management interface.\n"
"--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n" |
6835555e |
#endif /* ENABLE_PKCS11 */
"\n" |
6fbf66fa |
"SSL Library information:\n"
"--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
"--show-digests : Show message digest algorithms to use with --auth option.\n"
"--show-engines : Show hardware crypto accelerator engines (if available).\n"
"--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
#ifdef WIN32
"\n"
"Windows Specific:\n" |
9f6ac06b |
"--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
" from SystemRoot environment variable.\n" |
ac2447cd |
"--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n" |
9bfae363 |
" IP address using method = manual, netsh, ipapi,\n"
" dynamic, or adaptive (default = adaptive).\n" |
6fbf66fa |
" Dynamic method allows two optional parameters:\n"
" offset: DHCP server address offset (> -256 and < 256).\n"
" If 0, use network address, if >0, take nth\n"
" address forward from network address, if <0,\n"
" take nth address backward from broadcast\n"
" address.\n"
" Default is 0.\n"
" lease-time: Lease time in seconds.\n"
" Default is one year.\n"
"--route-method : Which method to use for adding routes on Windows?\n" |
33e81c48 |
" adaptive (default) -- Try ipapi then fall back to exe.\n"
" ipapi -- Use IP helper API.\n" |
6fbf66fa |
" exe -- Call the route.exe shell command.\n" |
ac2447cd |
"--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n" |
6fbf66fa |
" be used with --ip-win32 dynamic. For options\n"
" which allow multiple addresses,\n"
" --dhcp-option must be repeated.\n"
" DOMAIN name : Set DNS suffix\n"
" DNS addr : Set domain name server address(es)\n"
" NTP : Set NTP server address(es)\n"
" NBDD : Set NBDD server address(es)\n"
" WINS addr : Set WINS server address(es)\n"
" NBT type : Set NetBIOS over TCP/IP Node type\n"
" 1: B, 2: P, 4: M, 8: H\n"
" NBS id : Set NetBIOS scope ID\n"
" DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
"--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
"--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
" startup.\n"
"--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n" |
75dfe3d7 |
"--register-dns : Run net stop dnscache, net start dnscache, ipconfig /flushdns\n"
" and ipconfig /registerdns on connection initiation.\n" |
6fbf66fa |
"--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
" attempting to set adapter properties.\n"
"--pause-exit : When run from a console window, pause before exiting.\n"
"--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
" service, and should not be used directly by end-users.\n"
" ex is the name of an event object which, when\n"
" signaled, will cause " PACKAGE_NAME " to exit. A second\n"
" optional parameter controls the initial state of ex.\n"
"--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
" after TAP adapter is up and routes have been added.\n" |
38c85658 |
#ifdef WIN32
"--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
#endif |
6fbf66fa |
"Windows Standalone Options:\n"
"\n" |
ac2447cd |
"--show-adapters : Show all TAP-Windows adapters.\n" |
6fbf66fa |
"--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
"--show-valid-subnets : Show valid subnets for --dev tun emulation.\n" |
3c7f2f55 |
"--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
" to access TAP adapter.\n" |
6fbf66fa |
#endif
"\n"
"Generate a random key (only for non-TLS static key encryption mode):\n"
"--genkey : Generate a random key to be used as a shared secret,\n"
" for use with the --secret option.\n"
"--secret file : Write key to file.\n" |
9b33b5a4 |
#endif /* ENABLE_CRYPTO */ |
88f3a402 |
#ifdef ENABLE_FEATURE_TUN_PERSIST |
6fbf66fa |
"\n"
"Tun/tap config mode (available with linux 2.4+):\n"
"--mktun : Create a persistent tunnel.\n"
"--rmtun : Remove a persistent tunnel.\n"
"--dev tunX|tapX : tun/tap device\n"
"--dev-type dt : Device type. See tunnel options above for details.\n" |
0aee9ca7 |
"--user user : User to set privilege to.\n"
"--group group : Group to set privilege to.\n" |
6fbf66fa |
#endif |
ce98fd24 |
#ifdef ENABLE_PKCS11
"\n" |
6835555e |
"PKCS#11 standalone options:\n" |
7c1d614c |
#ifdef DEFAULT_PKCS11_MODULE
"--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
#else
"--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
#endif |
718526e0 |
" --verb option can be added *BEFORE* this.\n" |
6835555e |
#endif /* ENABLE_PKCS11 */ |
7fb0e07e |
"\n"
"General Standalone Options:\n" |
ecede953 |
#ifdef ENABLE_DEBUG |
7fb0e07e |
"--show-gateway : Show info about default gateway.\n" |
ecede953 |
#endif |
6fbf66fa |
;
#endif /* !ENABLE_SMALL */
/*
* This is where the options defaults go.
* Any option not explicitly set here
* will be set to 0.
*/
void |
4e9a51d7 |
init_options (struct options *o, const bool init_gc) |
6fbf66fa |
{
CLEAR (*o); |
4e9a51d7 |
if (init_gc)
{
gc_init (&o->gc);
o->gc_owned = true;
} |
6fbf66fa |
o->mode = MODE_POINT_TO_POINT; |
3c7f2f55 |
o->topology = TOP_NET30; |
30077d1f |
o->ce.proto = PROTO_UDP; |
23d61c56 |
o->ce.af = AF_UNSPEC; |
8832c6c4 |
o->ce.bind_ipv6_only = false; |
4e9a51d7 |
o->ce.connect_retry_seconds = 5; |
5d429efd |
o->ce.connect_retry_seconds_max = 300; |
f2134b7b |
o->ce.connect_timeout = 120; |
23d61c56 |
o->connect_retry_max = 0; |
4e9a51d7 |
o->ce.local_port = o->ce.remote_port = OPENVPN_PORT; |
6fbf66fa |
o->verbosity = 1;
o->status_file_update_freq = 60;
o->status_file_version = 1; |
4e9a51d7 |
o->ce.bind_local = true; |
76809cae |
o->ce.tun_mtu = TUN_MTU_DEFAULT;
o->ce.link_mtu = LINK_MTU_DEFAULT;
o->ce.mtu_discover_type = -1;
o->ce.mssfix = MSSFIX_DEFAULT; |
6fbf66fa |
o->route_delay_window = 30;
o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; |
e719a053 |
o->resolve_in_advance = false; |
51e6e5b0 |
o->proto_force = -1; |
6fbf66fa |
#ifdef ENABLE_OCC
o->occ = true;
#endif
#ifdef ENABLE_MANAGEMENT
o->management_log_history_cache = 250;
o->management_echo_buffer_size = 100;
o->management_state_buffer_size = 100;
#endif |
88f3a402 |
#ifdef ENABLE_FEATURE_TUN_PERSIST |
6fbf66fa |
o->persist_mode = 1;
#endif
#ifdef TARGET_LINUX
o->tuntap_options.txqueuelen = 100;
#endif
#ifdef WIN32 |
384fd137 |
#if 0 |
a9c802b2 |
o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
#else |
d31f9fd2 |
o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ; |
a9c802b2 |
#endif |
6fbf66fa |
o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */ |
6215931b |
o->route_method = ROUTE_METHOD_ADAPTIVE; |
38c85658 |
o->block_outside_dns = false; |
6fbf66fa |
#endif
#if P2MP_SERVER
o->real_hash_size = 256;
o->virtual_hash_size = 256;
o->n_bcast_buf = 256;
o->tcp_queue_limit = 64;
o->max_clients = 1024;
o->max_routes_per_client = 256; |
3a957aae |
o->stale_routes_check_interval = 0; |
6fbf66fa |
o->ifconfig_pool_persist_refresh_freq = 600;
#endif
#if P2MP
o->scheduled_exit_interval = 5;
#endif |
9b33b5a4 |
#ifdef ENABLE_CRYPTO |
6fbf66fa |
o->ciphername = "BF-CBC"; |
d728ebed |
#ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
o->ncp_enabled = true;
#else
o->ncp_enabled = false;
#endif
o->ncp_ciphers = "AES-256-GCM:AES-128-GCM"; |
6fbf66fa |
o->authname = "SHA1"; |
03bfb228 |
o->prng_hash = "SHA1";
o->prng_nonce_secret_len = 16; |
6fbf66fa |
o->replay = true;
o->replay_window = DEFAULT_SEQ_BACKTRACK;
o->replay_time = DEFAULT_TIME_BACKTRACK;
o->use_iv = true;
o->key_direction = KEY_DIRECTION_BIDIRECTIONAL; |
0f25d296 |
#ifdef ENABLE_PREDICTION_RESISTANCE
o->use_prediction_resistance = false;
#endif |
6fbf66fa |
o->key_method = 2;
o->tls_timeout = 2; |
752caece |
o->renegotiate_bytes = -1; |
6fbf66fa |
o->renegotiate_seconds = 3600;
o->handshake_window = 60;
o->transition_window = 3600; |
609e8131 |
o->ecdh_curve = NULL; |
fbd18db6 |
#ifdef ENABLE_X509ALTUSERNAME |
2e8337de |
o->x509_username_field = X509_USERNAME_FIELD_DEFAULT; |
6fbf66fa |
#endif |
9b33b5a4 |
#endif /* ENABLE_CRYPTO */ |
6835555e |
#ifdef ENABLE_PKCS11
o->pkcs11_pin_cache_period = -1;
#endif /* ENABLE_PKCS11 */ |
ca4c6d61 |
|
51d4d154 |
/* P2MP server context features */ |
ea5e091e |
#if P2MP_SERVER |
51d4d154 |
o->auth_token_generate = false;
|
ca4c6d61 |
/* Set default --tmp-dir */
#ifdef WIN32
/* On Windows, find temp dir via enviroment variables */
o->tmp_dir = win_get_tempdir();
#else
/* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
o->tmp_dir = getenv("TMPDIR");
if( !o->tmp_dir ) {
o->tmp_dir = "/tmp";
}
#endif /* WIN32 */ |
ea5e091e |
#endif /* P2MP_SERVER */ |
e8c42658 |
o->allow_recursive_routing = false; |
6fbf66fa |
}
void
uninit_options (struct options *o)
{ |
4e9a51d7 |
if (o->gc_owned) |
3cf6c932 |
{
gc_free (&o->gc);
} |
6fbf66fa |
}
|
7f74c27e |
struct pull_filter
{
# define PUF_TYPE_UNDEF 0 /** undefined filter type */
# define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */
# define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */
# define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */
int type;
int size;
char *pattern;
struct pull_filter *next;
};
struct pull_filter_list
{
struct pull_filter *head;
struct pull_filter *tail;
};
static const char *
pull_filter_type_name (int type)
{
if (type == PUF_TYPE_ACCEPT)
return "accept";
if (type == PUF_TYPE_IGNORE)
return "ignore";
if (type == PUF_TYPE_REJECT)
return "reject";
else
return "???";
}
|
6c61d0dd |
#ifndef ENABLE_SMALL |
6fbf66fa |
#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
#endif
void |
4e9a51d7 |
setenv_connection_entry (struct env_set *es,
const struct connection_entry *e,
const int i)
{ |
30077d1f |
setenv_str_i (es, "proto", proto2ascii (e->proto, e->af, false), i); |
4e9a51d7 |
setenv_str_i (es, "local", e->local, i); |
076fd3e4 |
setenv_str_i (es, "local_port", e->local_port, i); |
2f26a79c |
setenv_str_i (es, "remote", e->remote, i); |
076fd3e4 |
setenv_str_i (es, "remote_port", e->remote_port, i); |
4e9a51d7 |
if (e->http_proxy_options)
{
setenv_str_i (es, "http_proxy_server", e->http_proxy_options->server, i); |
076fd3e4 |
setenv_str_i (es, "http_proxy_port", e->http_proxy_options->port, i); |
4e9a51d7 |
}
if (e->socks_proxy_server)
{
setenv_str_i (es, "socks_proxy_server", e->socks_proxy_server, i); |
076fd3e4 |
setenv_str_i (es, "socks_proxy_port", e->socks_proxy_port, i); |
4e9a51d7 |
}
}
void |
6fbf66fa |
setenv_settings (struct env_set *es, const struct options *o)
{
setenv_str (es, "config", o->config);
setenv_int (es, "verb", o->verbosity);
setenv_int (es, "daemon", o->daemon);
setenv_int (es, "daemon_log_redirect", o->log); |
60d9e137 |
setenv_unsigned (es, "daemon_start_time", time(NULL)); |
14a131ac |
setenv_int (es, "daemon_pid", platform_getpid()); |
6fbf66fa |
|
4e9a51d7 |
if (o->connection_list) |
6fbf66fa |
{
int i; |
4e9a51d7 |
for (i = 0; i < o->connection_list->len; ++i)
setenv_connection_entry (es, o->connection_list->array[i], i+1); |
6fbf66fa |
} |
4e9a51d7 |
else
setenv_connection_entry (es, &o->ce, 1); |
6fbf66fa |
}
static in_addr_t
get_ip_addr (const char *ip_string, int msglevel, bool *error)
{
unsigned int flags = GETADDR_HOST_ORDER;
bool succeeded = false;
in_addr_t ret;
if (msglevel & M_FATAL)
flags |= GETADDR_FATAL;
ret = getaddr (flags, ip_string, 0, &succeeded, NULL);
if (!succeeded && error)
*error = true;
return ret;
}
|
1840c852 |
/* helper: parse a text string containing an IPv6 address + netbits |
512cda46 |
* in "standard format" (2001:dba::/32) |
1840c852 |
* "/nn" is optional, default to /64 if missing
* |
512cda46 |
* return true if parsing succeeded, modify *network and *netbits
*/
bool
get_ipv6_addr( const char * prefix_str, struct in6_addr *network, |
4f19cd1d |
unsigned int * netbits, int msglevel) |
512cda46 |
{
char * sep, * endp;
int bits; |
1840c852 |
struct in6_addr t_network; |
512cda46 |
sep = strchr( prefix_str, '/' );
if ( sep == NULL ) |
1840c852 |
{
bits = 64;
}
else
{
bits = strtol( sep+1, &endp, 10 );
if ( *endp != '\0' || bits < 0 || bits > 128 )
{
msg (msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str);
return false;
}
} |
512cda46 |
/* temporary replace '/' in caller-provided string with '\0', otherwise
* inet_pton() will refuse prefix string
* (alternative would be to strncpy() the prefix to temporary buffer)
*/
|
1840c852 |
if ( sep != NULL ) *sep = '\0';
|
4f19cd1d |
if ( inet_pton( AF_INET6, prefix_str, &t_network ) != 1 ) |
1840c852 |
{
msg (msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str);
return false;
}
|
4f19cd1d |
if ( sep != NULL ) *sep = '/';
|
1840c852 |
if ( netbits != NULL )
{
*netbits = bits;
}
if ( network != NULL )
{
*network = t_network;
} |
512cda46 |
return true; /* parsing OK, values set */
}
|
4f19cd1d |
/**
* Returns newly allocated string containing address part without "/nn".
*
* If gc != NULL, the allocated memory is registered in the supplied gc.
*/
static char *
get_ipv6_addr_no_netbits (const char *addr, struct gc_arena *gc)
{
const char *end = strchr (addr, '/');
char *ret = NULL;
if (NULL == end)
{
ret = string_alloc (addr, gc);
}
else
{
size_t len = end - addr;
ret = gc_malloc (len + 1, true, gc);
memcpy (ret, addr, len);
}
return ret;
}
|
512cda46 |
static bool ipv6_addr_safe_hexplusbits( const char * ipv6_prefix_spec )
{
struct in6_addr t_addr;
unsigned int t_bits;
|
4f19cd1d |
return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, M_WARN ); |
512cda46 |
}
|
6fbf66fa |
static char *
string_substitute (const char *src, int from, int to, struct gc_arena *gc)
{
char *ret = (char *) gc_malloc (strlen (src) + 1, true, gc);
char *dest = ret;
char c;
do
{
c = *src++;
if (c == from)
c = to;
*dest++ = c;
}
while (c);
return ret;
}
|
ec828db6 |
#ifdef ENABLE_CRYPTO |
7966d75a |
static uint8_t *
parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
{
int i;
const char *cp = str;
uint8_t *ret = (uint8_t *) gc_malloc (nbytes, true, gc);
char term = 1;
int byte;
char bs[3];
for (i = 0; i < nbytes; ++i)
{
if (strlen(cp) < 2)
msg (msglevel, "format error in hash fingerprint: %s", str);
bs[0] = *cp++;
bs[1] = *cp++;
bs[2] = 0;
byte = 0;
if (sscanf(bs, "%x", &byte) != 1)
msg (msglevel, "format error in hash fingerprint hex byte: %s", str);
ret[i] = (uint8_t)byte;
term = *cp++;
if (term != ':' && term != 0)
msg (msglevel, "format error in hash fingerprint delimiter: %s", str);
if (term == 0)
break;
}
if (term != 0 || i != nbytes-1)
msg (msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str);
return ret;
}
#endif
|
6fbf66fa |
#ifdef WIN32
|
6c61d0dd |
#ifndef ENABLE_SMALL |
6fbf66fa |
static void
show_dhcp_option_addrs (const char *name, const in_addr_t *array, int len)
{
struct gc_arena gc = gc_new ();
int i;
for (i = 0; i < len; ++i)
{
msg (D_SHOW_PARMS, " %s[%d] = %s",
name,
i,
print_in_addr_t (array[i], 0, &gc));
}
gc_free (&gc);
}
static void
show_tuntap_options (const struct tuntap_options *o)
{
SHOW_BOOL (ip_win32_defined);
SHOW_INT (ip_win32_type);
SHOW_INT (dhcp_masq_offset);
SHOW_INT (dhcp_lease_time);
SHOW_INT (tap_sleep);
SHOW_BOOL (dhcp_options);
SHOW_BOOL (dhcp_renew);
SHOW_BOOL (dhcp_pre_release);
SHOW_BOOL (dhcp_release);
SHOW_STR (domain);
SHOW_STR (netbios_scope);
SHOW_INT (netbios_node_type);
SHOW_BOOL (disable_nbt);
show_dhcp_option_addrs ("DNS", o->dns, o->dns_len);
show_dhcp_option_addrs ("WINS", o->wins, o->wins_len);
show_dhcp_option_addrs ("NTP", o->ntp, o->ntp_len);
show_dhcp_option_addrs ("NBDD", o->nbdd, o->nbdd_len);
}
#endif |
a55b3cdb |
#endif |
6fbf66fa |
|
a55b3cdb |
#if defined(WIN32) || defined(TARGET_ANDROID) |
6fbf66fa |
static void
dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
{
if (*len >= N_DHCP_ADDR)
{
msg (msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
name,
N_DHCP_ADDR,
name);
}
else
{ |
0a838de8 |
if (ip_addr_dotted_quad_safe (parm)) /* FQDN -- IP address only */ |
b4073a76 |
{
bool error = false;
const in_addr_t addr = get_ip_addr (parm, msglevel, &error);
if (!error)
array[(*len)++] = addr;
}
else
{
msg (msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
} |
6fbf66fa |
}
}
#endif
#if P2MP
|
6c61d0dd |
#ifndef ENABLE_SMALL |
6fbf66fa |
static void
show_p2mp_parms (const struct options *o)
{
struct gc_arena gc = gc_new ();
#if P2MP_SERVER
msg (D_SHOW_PARMS, " server_network = %s", print_in_addr_t (o->server_network, 0, &gc));
msg (D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t (o->server_netmask, 0, &gc)); |
512cda46 |
msg (D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr (o->server_network_ipv6, 0, &gc) );
SHOW_INT (server_netbits_ipv6); |
6fbf66fa |
msg (D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t (o->server_bridge_ip, 0, &gc));
msg (D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t (o->server_bridge_netmask, 0, &gc));
msg (D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t (o->server_bridge_pool_start, 0, &gc));
msg (D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t (o->server_bridge_pool_end, 0, &gc)); |
3eee126e |
if (o->push_list.head) |
6fbf66fa |
{ |
3eee126e |
const struct push_entry *e = o->push_list.head;
while (e)
{
if (e->enable)
msg (D_SHOW_PARMS, " push_entry = '%s'", e->option);
e = e->next;
} |
6fbf66fa |
}
SHOW_BOOL (ifconfig_pool_defined);
msg (D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t (o->ifconfig_pool_start, 0, &gc));
msg (D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t (o->ifconfig_pool_end, 0, &gc));
msg (D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t (o->ifconfig_pool_netmask, 0, &gc));
SHOW_STR (ifconfig_pool_persist_filename);
SHOW_INT (ifconfig_pool_persist_refresh_freq); |
1840c852 |
SHOW_BOOL (ifconfig_ipv6_pool_defined); |
512cda46 |
msg (D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr (o->ifconfig_ipv6_pool_base, 0, &gc));
SHOW_INT (ifconfig_ipv6_pool_netbits); |
6fbf66fa |
SHOW_INT (n_bcast_buf);
SHOW_INT (tcp_queue_limit);
SHOW_INT (real_hash_size);
SHOW_INT (virtual_hash_size);
SHOW_STR (client_connect_script);
SHOW_STR (learn_address_script);
SHOW_STR (client_disconnect_script);
SHOW_STR (client_config_dir);
SHOW_BOOL (ccd_exclusive);
SHOW_STR (tmp_dir);
SHOW_BOOL (push_ifconfig_defined);
msg (D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t (o->push_ifconfig_local, 0, &gc));
msg (D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t (o->push_ifconfig_remote_netmask, 0, &gc)); |
1840c852 |
SHOW_BOOL (push_ifconfig_ipv6_defined);
msg (D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr (o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
msg (D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr (o->push_ifconfig_ipv6_remote, 0, &gc)); |
6fbf66fa |
SHOW_BOOL (enable_c2c);
SHOW_BOOL (duplicate_cn);
SHOW_INT (cf_max);
SHOW_INT (cf_per);
SHOW_INT (max_clients);
SHOW_INT (max_routes_per_client);
SHOW_STR (auth_user_pass_verify_script);
SHOW_BOOL (auth_user_pass_verify_script_via_file); |
58066d04 |
SHOW_BOOL (auth_token_generate);
SHOW_INT (auth_token_lifetime); |
6add6b2f |
#if PORT_SHARE
SHOW_STR (port_share_host); |
076fd3e4 |
SHOW_STR (port_share_port); |
6add6b2f |
#endif |
6fbf66fa |
#endif /* P2MP_SERVER */
SHOW_BOOL (client);
SHOW_BOOL (pull);
SHOW_STR (auth_user_pass_file);
gc_free (&gc);
}
|
6c61d0dd |
#endif /* ! ENABLE_SMALL */ |
6fbf66fa |
#if P2MP_SERVER
static void
option_iroute (struct options *o,
const char *network_str,
const char *netmask_str,
int msglevel)
{
struct iroute *ir;
ALLOC_OBJ_GC (ir, struct iroute, &o->gc);
ir->network = getaddr (GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
ir->netbits = -1;
if (netmask_str)
{
const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
if (!netmask_to_netbits (ir->network, netmask, &ir->netbits))
{
msg (msglevel, "in --iroute %s %s : Bad network/subnet specification",
network_str,
netmask_str);
return;
}
}
ir->next = o->iroutes;
o->iroutes = ir;
}
|
512cda46 |
static void
option_iroute_ipv6 (struct options *o,
const char *prefix_str,
int msglevel)
{
struct iroute_ipv6 *ir;
ALLOC_OBJ_GC (ir, struct iroute_ipv6, &o->gc);
|
4f19cd1d |
if ( !get_ipv6_addr (prefix_str, &ir->network, &ir->netbits, msglevel )) |
512cda46 |
{
msg (msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
prefix_str);
return;
}
ir->next = o->iroutes_ipv6;
o->iroutes_ipv6 = ir;
} |
6fbf66fa |
#endif /* P2MP_SERVER */
#endif /* P2MP */
|
a4b8f653 |
#ifndef ENABLE_SMALL |
6fbf66fa |
static void
show_http_proxy_options (const struct http_proxy_options *o)
{ |
d0cb816c |
int i; |
6fbf66fa |
msg (D_SHOW_PARMS, "BEGIN http_proxy");
SHOW_STR (server); |
076fd3e4 |
SHOW_STR (port); |
6fbf66fa |
SHOW_STR (auth_method_string);
SHOW_STR (auth_file);
SHOW_STR (http_version);
SHOW_STR (user_agent); |
d0cb816c |
for (i=0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name;i++)
{
if (o->custom_headers[i].content)
msg (D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
o->custom_headers[i].name, o->custom_headers[i].content);
else
msg (D_SHOW_PARMS, " custom_header[%d] = %s", i,
o->custom_headers[i].name);
} |
6fbf66fa |
msg (D_SHOW_PARMS, "END http_proxy");
}
#endif
void
options_detach (struct options *o)
{
gc_detach (&o->gc);
o->routes = NULL; |
581bef87 |
o->client_nat = NULL; |
6fbf66fa |
#if P2MP_SERVER |
3eee126e |
clone_push_list(o); |
6fbf66fa |
#endif
}
void
rol_check_alloc (struct options *options)
{
if (!options->routes) |
d0085293 |
options->routes = new_route_option_list (&options->gc); |
6fbf66fa |
}
|
512cda46 |
void
rol6_check_alloc (struct options *options)
{
if (!options->routes_ipv6) |
d0085293 |
options->routes_ipv6 = new_route_ipv6_option_list (&options->gc); |
512cda46 |
}
|
581bef87 |
static void
cnol_check_alloc (struct options *options)
{
if (!options->client_nat)
options->client_nat = new_client_nat_list (&options->gc);
}
|
6c61d0dd |
#ifndef ENABLE_SMALL |
4e9a51d7 |
static void
show_connection_entry (const struct connection_entry *o)
{ |
30077d1f |
msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, o->af, false)); |
4e9a51d7 |
SHOW_STR (local); |
076fd3e4 |
SHOW_STR (local_port); |
4e9a51d7 |
SHOW_STR (remote); |
076fd3e4 |
SHOW_STR (remote_port); |
4e9a51d7 |
SHOW_BOOL (remote_float);
SHOW_BOOL (bind_defined);
SHOW_BOOL (bind_local); |
e719a053 |
SHOW_BOOL (bind_ipv6_only); |
4e9a51d7 |
SHOW_INT (connect_retry_seconds);
SHOW_INT (connect_timeout);
if (o->http_proxy_options)
show_http_proxy_options (o->http_proxy_options);
SHOW_STR (socks_proxy_server); |
076fd3e4 |
SHOW_STR (socks_proxy_port); |
76809cae |
SHOW_INT (tun_mtu);
SHOW_BOOL (tun_mtu_defined);
SHOW_INT (link_mtu);
SHOW_BOOL (link_mtu_defined);
SHOW_INT (tun_mtu_extra);
SHOW_BOOL (tun_mtu_extra_defined);
SHOW_INT (mtu_discover_type);
#ifdef ENABLE_FRAGMENT
SHOW_INT (fragment);
#endif
SHOW_INT (mssfix);
#ifdef ENABLE_OCC
SHOW_INT (explicit_exit_notification);
#endif |
4e9a51d7 |
}
|
76809cae |
|
4e9a51d7 |
static void
show_connection_entries (const struct options *o)
{
if (o->connection_list)
{
const struct connection_list *l = o->connection_list;
int i;
for (i = 0; i < l->len; ++i)
{
msg (D_SHOW_PARMS, "Connection profiles [%d]:", i);
show_connection_entry (l->array[i]);
}
} |
98e24cc7 |
else
{
msg (D_SHOW_PARMS, "Connection profiles [default]:");
show_connection_entry (&o->ce);
} |
4e9a51d7 |
msg (D_SHOW_PARMS, "Connection profiles END");
}
|
7f74c27e |
static void
show_pull_filter_list (const struct pull_filter_list *l)
{
struct pull_filter *f;
if (!l)
return;
msg (D_SHOW_PARMS, " Pull filters:");
for (f = l->head; f; f = f->next)
{
msg (D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
}
}
|
4e9a51d7 |
#endif
|
6fbf66fa |
void
show_settings (const struct options *o)
{ |
6c61d0dd |
#ifndef ENABLE_SMALL |
6fbf66fa |
msg (D_SHOW_PARMS, "Current Parameter Settings:");
SHOW_STR (config);
SHOW_INT (mode);
|
88f3a402 |
#ifdef ENABLE_FEATURE_TUN_PERSIST |
6fbf66fa |
SHOW_BOOL (persist_config);
SHOW_INT (persist_mode);
#endif
|
9b33b5a4 |
#ifdef ENABLE_CRYPTO |
6fbf66fa |
SHOW_BOOL (show_ciphers);
SHOW_BOOL (show_digests);
SHOW_BOOL (show_engines);
SHOW_BOOL (genkey);
SHOW_STR (key_pass_file);
SHOW_BOOL (show_tls_ciphers);
#endif
|
23d61c56 |
SHOW_INT (connect_retry_max); |
4e9a51d7 |
show_connection_entries (o);
|
6fbf66fa |
SHOW_BOOL (remote_random);
SHOW_STR (ipchange);
SHOW_STR (dev);
SHOW_STR (dev_type);
SHOW_STR (dev_node); |
e12fe286 |
SHOW_STR (lladdr); |
3c7f2f55 |
SHOW_INT (topology); |
6fbf66fa |
SHOW_STR (ifconfig_local);
SHOW_STR (ifconfig_remote_netmask);
SHOW_BOOL (ifconfig_noexec);
SHOW_BOOL (ifconfig_nowarn); |
512cda46 |
SHOW_STR (ifconfig_ipv6_local); |
1840c852 |
SHOW_INT (ifconfig_ipv6_netbits); |
512cda46 |
SHOW_STR (ifconfig_ipv6_remote); |
6fbf66fa |
|
3d163bc5 |
#ifdef ENABLE_FEATURE_SHAPER |
6fbf66fa |
SHOW_INT (shaper);
#endif
#ifdef ENABLE_OCC
SHOW_INT (mtu_test);
#endif
SHOW_BOOL (mlock);
SHOW_INT (keepalive_ping);
SHOW_INT (keepalive_timeout);
SHOW_INT (inactivity_timeout);
SHOW_INT (ping_send_timeout);
SHOW_INT (ping_rec_timeout);
SHOW_INT (ping_rec_timeout_action);
SHOW_BOOL (ping_timer_remote);
SHOW_INT (remap_sigusr1);
SHOW_BOOL (persist_tun);
SHOW_BOOL (persist_local_ip);
SHOW_BOOL (persist_remote_ip);
SHOW_BOOL (persist_key);
#if PASSTOS_CAPABILITY
SHOW_BOOL (passtos);
#endif
SHOW_INT (resolve_retry_seconds); |
e719a053 |
SHOW_BOOL (resolve_in_advance); |
6fbf66fa |
SHOW_STR (username);
SHOW_STR (groupname);
SHOW_STR (chroot_dir);
SHOW_STR (cd_dir); |
cd5990e0 |
#ifdef ENABLE_SELINUX |
99385447 |
SHOW_STR (selinux_context);
#endif |
6fbf66fa |
SHOW_STR (writepid);
SHOW_STR (up_script);
SHOW_STR (down_script);
SHOW_BOOL (down_pre);
SHOW_BOOL (up_restart);
SHOW_BOOL (up_delay);
SHOW_BOOL (daemon);
SHOW_INT (inetd);
SHOW_BOOL (log);
SHOW_BOOL (suppress_timestamps); |
8f7d5e67 |
SHOW_BOOL (machine_readable_output); |
6fbf66fa |
SHOW_INT (nice);
SHOW_INT (verbosity);
SHOW_INT (mute);
#ifdef ENABLE_DEBUG
SHOW_INT (gremlin);
#endif
SHOW_STR (status_file);
SHOW_INT (status_file_version);
SHOW_INT (status_file_update_freq);
#ifdef ENABLE_OCC
SHOW_BOOL (occ);
#endif
SHOW_INT (rcvbuf);
SHOW_INT (sndbuf); |
51bd56f4 |
#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK |
d90428d1 |
SHOW_INT (mark);
#endif |
00d39170 |
SHOW_INT (sockflags); |
6fbf66fa |
SHOW_BOOL (fast_io);
|
38d96bd7 |
#ifdef USE_COMP
SHOW_INT (comp.alg);
SHOW_INT (comp.flags); |
6fbf66fa |
#endif
SHOW_STR (route_script);
SHOW_STR (route_default_gateway); |
40ac3d7a |
SHOW_INT (route_default_metric); |
6fbf66fa |
SHOW_BOOL (route_noexec);
SHOW_INT (route_delay);
SHOW_INT (route_delay_window);
SHOW_BOOL (route_delay_defined); |
3c7f2f55 |
SHOW_BOOL (route_nopull); |
03731db3 |
SHOW_BOOL (route_gateway_via_dhcp); |
0a838de8 |
SHOW_BOOL (allow_pull_fqdn); |
7f74c27e |
show_pull_filter_list (o->pull_filter_list);
|
6fbf66fa |
if (o->routes)
print_route_options (o->routes, D_SHOW_PARMS); |
8db23a57 |
|
581bef87 |
if (o->client_nat)
print_client_nat_list(o->client_nat, D_SHOW_PARMS); |
6fbf66fa |
#ifdef ENABLE_MANAGEMENT
SHOW_STR (management_addr); |
076fd3e4 |
SHOW_STR (management_port); |
6fbf66fa |
SHOW_STR (management_user_pass);
SHOW_INT (management_log_history_cache);
SHOW_INT (management_echo_buffer_size); |
8d33c060 |
SHOW_STR (management_write_peer_info_file); |
bb564a59 |
SHOW_STR (management_client_user);
SHOW_STR (management_client_group); |
90efcacb |
SHOW_INT (management_flags); |
6fbf66fa |
#endif
#ifdef ENABLE_PLUGIN
if (o->plugin_list)
plugin_option_list_print (o->plugin_list, D_SHOW_PARMS);
#endif
|
9b33b5a4 |
#ifdef ENABLE_CRYPTO |
6fbf66fa |
SHOW_STR (shared_secret_file);
SHOW_INT (key_direction);
SHOW_STR (ciphername);
SHOW_STR (authname); |
03bfb228 |
SHOW_STR (prng_hash);
SHOW_INT (prng_nonce_secret_len); |
6fbf66fa |
SHOW_INT (keysize); |
86d8cd68 |
#ifndef ENABLE_CRYPTO_MBEDTLS |
6fbf66fa |
SHOW_BOOL (engine); |
86d8cd68 |
#endif /* ENABLE_CRYPTO_MBEDTLS */ |
6fbf66fa |
SHOW_BOOL (replay);
SHOW_BOOL (mute_replay_warnings);
SHOW_INT (replay_window);
SHOW_INT (replay_time);
SHOW_STR (packet_id_file);
SHOW_BOOL (use_iv);
SHOW_BOOL (test_crypto); |
0f25d296 |
#ifdef ENABLE_PREDICTION_RESISTANCE
SHOW_BOOL (use_prediction_resistance);
#endif |
6fbf66fa |
SHOW_BOOL (tls_server);
SHOW_BOOL (tls_client);
SHOW_INT (key_method);
SHOW_STR (ca_file); |
e9c5e170 |
SHOW_STR (ca_path); |
6fbf66fa |
SHOW_STR (dh_file); |
39e3d336 |
#ifdef MANAGMENT_EXTERNAL_KEY
if((o->management_flags & MF_EXTERNAL_CERT))
SHOW_PARM ("cert_file","EXTERNAL_CERT","%s");
else
#endif |
6fbf66fa |
SHOW_STR (cert_file); |
291c227d |
SHOW_STR (extra_certs_file); |
4806cc10 |
#ifdef MANAGMENT_EXTERNAL_KEY
if((o->management_flags & MF_EXTERNAL_KEY))
SHOW_PARM ("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
else
#endif |
6fbf66fa |
SHOW_STR (priv_key_file); |
86d8cd68 |
#ifndef ENABLE_CRYPTO_MBEDTLS |
6fbf66fa |
SHOW_STR (pkcs12_file); |
93ee3932 |
#endif |
93c22ecc |
#ifdef ENABLE_CRYPTOAPI |
6fbf66fa |
SHOW_STR (cryptoapi_cert);
#endif
SHOW_STR (cipher_list);
SHOW_STR (tls_verify); |
39238d1b |
SHOW_STR (tls_export_cert); |
9f0fc745 |
SHOW_INT (verify_x509_type);
SHOW_STR (verify_x509_name); |
6fbf66fa |
SHOW_STR (crl_file);
SHOW_INT (ns_cert_type); |
411e89ae |
{
int i;
for (i=0;i<MAX_PARMS;i++)
SHOW_INT (remote_cert_ku[i]);
}
SHOW_STR (remote_cert_eku); |
e4359af4 |
SHOW_INT (ssl_flags); |
6fbf66fa |
SHOW_INT (tls_timeout);
SHOW_INT (renegotiate_bytes);
SHOW_INT (renegotiate_packets);
SHOW_INT (renegotiate_seconds);
SHOW_INT (handshake_window);
SHOW_INT (transition_window);
SHOW_BOOL (single_session); |
aaf72974 |
#ifdef ENABLE_PUSH_PEER_INFO
SHOW_BOOL (push_peer_info);
#endif |
6fbf66fa |
SHOW_BOOL (tls_exit);
SHOW_STR (tls_auth_file); |
ec828db6 |
#endif /* ENABLE_CRYPTO */ |
6fbf66fa |
|
6835555e |
#ifdef ENABLE_PKCS11
{
int i;
for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++)
SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s");
}
{
int i; |
18597b93 |
for (i=0;i<MAX_PARMS;i++)
SHOW_PARM (pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
}
{
int i; |
718526e0 |
for (i=0;i<MAX_PARMS;i++)
SHOW_PARM (pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x"); |
6835555e |
} |
18597b93 |
{
int i;
for (i=0;i<MAX_PARMS;i++)
SHOW_PARM (pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
}
SHOW_INT (pkcs11_pin_cache_period); |
6835555e |
SHOW_STR (pkcs11_id); |
1bda73a7 |
SHOW_BOOL (pkcs11_id_management); |
6835555e |
#endif /* ENABLE_PKCS11 */
|
6fbf66fa |
#if P2MP
show_p2mp_parms (o);
#endif
#ifdef WIN32
SHOW_BOOL (show_net_up);
SHOW_INT (route_method); |
38c85658 |
SHOW_BOOL (block_outside_dns); |
6fbf66fa |
show_tuntap_options (&o->tuntap_options);
#endif
#endif
}
#undef SHOW_PARM
#undef SHOW_STR
#undef SHOW_INT
#undef SHOW_BOOL
|
a4b8f653 |
#ifdef ENABLE_MANAGEMENT |
3cf6c932 |
static struct http_proxy_options *
parse_http_proxy_override (const char *server,
const char *port,
const char *flags,
const int msglevel,
struct gc_arena *gc)
{
if (server && port)
{
struct http_proxy_options *ho;
ALLOC_OBJ_CLEAR_GC (ho, struct http_proxy_options, gc);
ho->server = string_alloc(server, gc); |
076fd3e4 |
ho->port = port; |
3cf6c932 |
if (flags && !strcmp(flags, "nct"))
ho->auth_retry = PAR_NCT;
else
ho->auth_retry = PAR_ALL;
ho->http_version = "1.0";
ho->user_agent = "OpenVPN-Autoproxy/1.0";
return ho;
}
else
return NULL;
}
void
options_postprocess_http_proxy_override (struct options *o)
{
const struct connection_list *l = o->connection_list; |
23d61c56 |
int i;
bool succeed = false;
for (i = 0; i < l->len; ++i)
{
struct connection_entry *ce = l->array[i];
if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
{
ce->http_proxy_options = o->http_proxy_override;
succeed = true;
}
}
if (succeed) |
3cf6c932 |
{
for (i = 0; i < l->len; ++i) |
23d61c56 |
{
struct connection_entry *ce = l->array[i];
if (ce->proto == PROTO_UDP)
{
ce->flags |= CE_DISABLED;
}
}
}
else
{
msg (M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined"); |
3cf6c932 |
}
}
#endif
|
4e9a51d7 |
static struct connection_list *
alloc_connection_list_if_undef (struct options *options)
{
if (!options->connection_list)
ALLOC_OBJ_CLEAR_GC (options->connection_list, struct connection_list, &options->gc);
return options->connection_list;
}
static struct connection_entry *
alloc_connection_entry (struct options *options, const int msglevel)
{
struct connection_list *l = alloc_connection_list_if_undef (options);
struct connection_entry *e;
if (l->len >= CONNECTION_LIST_SIZE)
{
msg (msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
return NULL;
}
ALLOC_OBJ_GC (e, struct connection_entry, &options->gc);
l->array[l->len++] = e;
return e;
}
static struct remote_list *
alloc_remote_list_if_undef (struct options *options)
{
if (!options->remote_list)
ALLOC_OBJ_CLEAR_GC (options->remote_list, struct remote_list, &options->gc);
return options->remote_list;
}
static struct remote_entry *
alloc_remote_entry (struct options *options, const int msglevel)
{
struct remote_list *l = alloc_remote_list_if_undef (options);
struct remote_entry *e;
if (l->len >= CONNECTION_LIST_SIZE)
{
msg (msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
return NULL;
}
ALLOC_OBJ_GC (e, struct remote_entry, &options->gc);
l->array[l->len++] = e;
return e; |
6fbf66fa |
}
|
7f74c27e |
static struct pull_filter_list *
alloc_pull_filter_list (struct options *o)
{
if (!o->pull_filter_list)
ALLOC_OBJ_CLEAR_GC (o->pull_filter_list, struct pull_filter_list, &o->gc);
return o->pull_filter_list;
}
static struct pull_filter *
alloc_pull_filter (struct options *o, const int msglevel)
{
struct pull_filter_list *l = alloc_pull_filter_list (o);
struct pull_filter *f;
ALLOC_OBJ_CLEAR_GC (f, struct pull_filter, &o->gc);
if (l->head)
{
ASSERT (l->tail);
l->tail->next = f;
}
else
{
ASSERT (!l->tail);
l->head = f;
}
l->tail = f;
return f;
}
|
6fbf66fa |
void |
4e9a51d7 |
connection_entry_load_re (struct connection_entry *ce, const struct remote_entry *re)
{
if (re->remote)
ce->remote = re->remote; |
076fd3e4 |
if (re->remote_port) |
4e9a51d7 |
ce->remote_port = re->remote_port;
if (re->proto >= 0)
ce->proto = re->proto; |
30077d1f |
if (re->af > 0)
ce->af = re->af; |
4e9a51d7 |
}
static void
options_postprocess_verify_ce (const struct options *options, const struct connection_entry *ce) |
6fbf66fa |
{
struct options defaults;
int dev = DEV_TYPE_UNDEF;
bool pull = false;
|
4e9a51d7 |
init_options (&defaults, true); |
6fbf66fa |
|
9b33b5a4 |
#ifdef ENABLE_CRYPTO |
6fbf66fa |
if (options->test_crypto)
{
notnull (options->shared_secret_file, "key file (--secret)");
}
else
#endif
notnull (options->dev, "TUN/TAP device (--dev)");
/*
* Get tun/tap/null device type
*/
dev = dev_type_enum (options->dev, options->dev_type);
/* |
4e9a51d7 |
* If "proto tcp" is specified, make sure we know whether it is
* tcp-client or tcp-server. |
6fbf66fa |
*/ |
30077d1f |
if (ce->proto == PROTO_TCP) |
4e9a51d7 |
msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client"); |
6fbf66fa |
/*
* Sanity check on daemon/inetd modes
*/
if (options->daemon && options->inetd)
msg (M_USAGE, "only one of --daemon or --inetd may be specified");
|
4e9a51d7 |
if (options->inetd && (ce->local || ce->remote)) |
6fbf66fa |
msg (M_USAGE, "--local or --remote cannot be used with --inetd");
|
30077d1f |
if (options->inetd && ce->proto == PROTO_TCP_CLIENT) |
6fbf66fa |
msg (M_USAGE, "--proto tcp-client cannot be used with --inetd");
|
30077d1f |
if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER) |
6fbf66fa |
msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
if (options->inetd == INETD_NOWAIT |
ec828db6 |
#ifdef ENABLE_CRYPTO |
6fbf66fa |
&& !(options->tls_server || options->tls_client)
#endif
)
msg (M_USAGE, "--inetd nowait can only be used in TLS mode");
if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
msg (M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
|
e12fe286 |
if (options->lladdr && dev != DEV_TYPE_TAP)
msg (M_USAGE, "--lladdr can only be used in --dev tap mode");
|
6fbf66fa |
/*
* Sanity check on MTU parameters
*/ |
76809cae |
if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined) |
6fbf66fa |
msg (M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
#ifdef ENABLE_OCC |
8335caf9 |
if (!proto_is_udp(ce->proto) && options->mtu_test) |
6fbf66fa |
msg (M_USAGE, "--mtu-test only makes sense with --proto udp");
#endif
/* will we be pulling options from server? */
#if P2MP
pull = options->pull;
#endif
/*
* Sanity check on --local, --remote, and --ifconfig
*/
|
8335caf9 |
if (proto_is_net(ce->proto)
&& string_defined_equal (ce->local, ce->remote) |
076fd3e4 |
&& string_defined_equal (ce->local_port, ce->remote_port)) |
4e9a51d7 |
msg (M_USAGE, "--remote and --local addresses are the same");
if (string_defined_equal (ce->remote, options->ifconfig_local)
|| string_defined_equal (ce->remote, options->ifconfig_remote_netmask))
msg (M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses"); |
6fbf66fa |
|
4e9a51d7 |
if (string_defined_equal (ce->local, options->ifconfig_local)
|| string_defined_equal (ce->local, options->ifconfig_remote_netmask)) |
6fbf66fa |
msg (M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
if (string_defined_equal (options->ifconfig_local, options->ifconfig_remote_netmask))
msg (M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
|
4e9a51d7 |
if (ce->bind_defined && !ce->bind_local) |
04f4b793 |
msg (M_USAGE, "--bind and --nobind can't be used together");
|
4e9a51d7 |
if (ce->local && !ce->bind_local) |
04f4b793 |
msg (M_USAGE, "--local and --nobind don't make sense when used together");
|
4e9a51d7 |
if (ce->local_port_defined && !ce->bind_local) |
6fbf66fa |
msg (M_USAGE, "--lport and --nobind don't make sense when used together");
|
4e9a51d7 |
if (!ce->remote && !ce->bind_local) |
6fbf66fa |
msg (M_USAGE, "--nobind doesn't make sense unless used with --remote");
/*
* Check for consistency of management options
*/
#ifdef ENABLE_MANAGEMENT
if (!options->management_addr && |
90efcacb |
(options->management_flags |
a032fcb7 |
|| options->management_write_peer_info_file |
6fbf66fa |
|| options->management_log_history_cache != defaults.management_log_history_cache))
msg (M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified"); |
bb564a59 |
if ((options->management_client_user || options->management_client_group) |
86f5c7c9 |
&& !(options->management_flags & MF_UNIX_SOCK)) |
bb564a59 |
msg (M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); |
6fbf66fa |
#endif
/*
* Windows-specific options.
*/
#ifdef WIN32
if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
msg (M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
if ((options->tuntap_options.ip_win32_defined)
&& !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
msg (M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
|
c67d59cd |
if (options->tuntap_options.dhcp_options
&& options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
&& options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
msg (M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive"); |
6fbf66fa |
#endif
/*
* Check that protocol options make sense.
*/
#ifdef ENABLE_FRAGMENT |
76809cae |
if (!proto_is_udp(ce->proto) && ce->fragment) |
6fbf66fa |
msg (M_USAGE, "--fragment can only be used with --proto udp");
#endif
#ifdef ENABLE_OCC |
76809cae |
if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification) |
6fbf66fa |
msg (M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
#endif
|
30077d1f |
if (!ce->remote && ce->proto == PROTO_TCP_CLIENT) |
6fbf66fa |
msg (M_USAGE, "--remote MUST be used in TCP Client mode");
|
30077d1f |
if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT) |
8e1975b0 |
msg (M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)"); |
087b5103 |
if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
msg (M_USAGE, "--http-proxy not specified but other http proxy options present"); |
6fbf66fa |
|
4e9a51d7 |
if (ce->http_proxy_options && ce->socks_proxy_server) |
6fbf66fa |
msg (M_USAGE, "--http-proxy can not be used together with --socks-proxy");
|
30077d1f |
if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER) |
6fbf66fa |
msg (M_USAGE, "--socks-proxy can not be used in TCP Server mode");
|
23d61c56 |
if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1)) |
6fbf66fa |
msg (M_USAGE, "TCP server mode allows at most one --remote address");
#if P2MP_SERVER
/*
* Check consistency of --mode server options.
*/
if (options->mode == MODE_SERVER)
{
if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
msg (M_USAGE, "--mode server only works with --dev tun or --dev tap");
if (options->pull)
msg (M_USAGE, "--pull cannot be used with --mode server"); |
7f74c27e |
if (options->pull_filter_list)
msg (M_USAGE, "--pull-filter cannot be used with --mode server"); |
30077d1f |
if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER)) |
eb230891 |
msg (M_USAGE, "--mode server currently only supports "
"--proto udp or --proto tcp-server or proto tcp6-server"); |
6add6b2f |
#if PORT_SHARE |
8335caf9 |
if ((options->port_share_host || options->port_share_port) && |
30077d1f |
(ce->proto != PROTO_TCP_SERVER)) |
eb230891 |
msg (M_USAGE, "--port-share only works in TCP server mode "
"(--proto tcp-server or tcp6-server)"); |
6add6b2f |
#endif |
6fbf66fa |
if (!options->tls_server)
msg (M_USAGE, "--mode server requires --tls-server"); |
4e9a51d7 |
if (ce->remote) |
6fbf66fa |
msg (M_USAGE, "--remote cannot be used with --mode server"); |
4e9a51d7 |
if (!ce->bind_local) |
6fbf66fa |
msg (M_USAGE, "--nobind cannot be used with --mode server"); |
4e9a51d7 |
if (ce->http_proxy_options) |
6fbf66fa |
msg (M_USAGE, "--http-proxy cannot be used with --mode server"); |
4e9a51d7 |
if (ce->socks_proxy_server) |
6fbf66fa |
msg (M_USAGE, "--socks-proxy cannot be used with --mode server"); |
23d61c56 |
/* <connection> blocks force to have a remote embedded, so we check for the
* --remote and bail out if it is present */
if (options->connection_list->len >1 ||
options->connection_list->array[0]->remote)
msg (M_USAGE, "<connection> cannot be used with --mode server");
|
6fbf66fa |
if (options->shaper)
msg (M_USAGE, "--shaper cannot be used with --mode server");
if (options->inetd)
msg (M_USAGE, "--inetd cannot be used with --mode server");
if (options->ipchange)
msg (M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)"); |
30077d1f |
if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER)) |
eb230891 |
msg (M_USAGE, "--mode server currently only supports "
"--proto udp or --proto tcp-server or --proto tcp6-server"); |
8335caf9 |
if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per)) |
6fbf66fa |
msg (M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead."); |
3c7f2f55 |
if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask) |
6fbf66fa |
msg (M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode"); |
3c7f2f55 |
if (options->routes && (options->routes->flags & RG_ENABLE)) |
6fbf66fa |
msg (M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
if (options->route_delay_defined)
msg (M_USAGE, "--route-delay cannot be used with --mode server");
if (options->up_delay)
msg (M_USAGE, "--up-delay cannot be used with --mode server");
if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
msg (M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool"); |
1840c852 |
if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local )
msg (M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6"); |
e8c42658 |
if (options->allow_recursive_routing)
msg (M_USAGE, "--allow-recursive-routing cannot be used with --mode server"); |
6fbf66fa |
if (options->auth_user_pass_file)
msg (M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
if (options->ccd_exclusive && !options->client_config_dir)
msg (M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
if (options->key_method != 2)
msg (M_USAGE, "--mode server requires --key-method 2");
{ |
90efcacb |
const bool ccnr = (options->auth_user_pass_verify_script
|| PLUGIN_OPTION_LIST (options)
|| MAN_CLIENT_AUTH_ENABLED (options));
const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin"; |
f107c620 |
if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
msg (M_USAGE, "--verify-client-cert none|optional %s", postfix); |
24ce3b27 |
if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr) |
90efcacb |
msg (M_USAGE, "--username-as-common-name %s", postfix); |
24ce3b27 |
if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
msg (M_USAGE, "--auth-user-pass-optional %s", postfix); |
6fbf66fa |
}
}
else
{
/*
* When not in server mode, err if parameters are
* specified which require --mode server.
*/
if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
msg (M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server"); |
1840c852 |
if (options->ifconfig_ipv6_pool_defined)
msg (M_USAGE, "--ifconfig-ipv6-pool requires --mode server"); |
6fbf66fa |
if (options->real_hash_size != defaults.real_hash_size
|| options->virtual_hash_size != defaults.virtual_hash_size)
msg (M_USAGE, "--hash-size requires --mode server");
if (options->learn_address_script)
msg (M_USAGE, "--learn-address requires --mode server");
if (options->client_connect_script)
msg (M_USAGE, "--client-connect requires --mode server");
if (options->client_disconnect_script)
msg (M_USAGE, "--client-disconnect requires --mode server");
if (options->client_config_dir || options->ccd_exclusive)
msg (M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
if (options->enable_c2c)
msg (M_USAGE, "--client-to-client requires --mode server");
if (options->duplicate_cn)
msg (M_USAGE, "--duplicate-cn requires --mode server");
if (options->cf_max || options->cf_per)
msg (M_USAGE, "--connect-freq requires --mode server"); |
f107c620 |
if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) |
b8cdb213 |
msg (M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server"); |
24ce3b27 |
if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) |
6fbf66fa |
msg (M_USAGE, "--username-as-common-name requires --mode server"); |
24ce3b27 |
if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
msg (M_USAGE, "--auth-user-pass-optional requires --mode server"); |
09cc9c81 |
if (options->ssl_flags & SSLF_OPT_VERIFY)
msg (M_USAGE, "--opt-verify requires --mode server"); |
ae3b3746 |
if (options->server_flags & SF_TCP_NODELAY_HELPER) |
706283d3 |
msg (M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
"affect the server. To have TCP_NODELAY in both direction use "
"tcp-nodelay in the server configuration instead."); |
6fbf66fa |
if (options->auth_user_pass_verify_script)
msg (M_USAGE, "--auth-user-pass-verify requires --mode server"); |
58066d04 |
if (options->auth_token_generate)
msg (M_USAGE, "--auth-gen-token requires --mode server"); |
6add6b2f |
#if PORT_SHARE
if (options->port_share_host || options->port_share_port)
msg (M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
#endif
|
3a957aae |
if (options->stale_routes_check_interval)
msg (M_USAGE, "--stale-routes-check requires --mode server"); |
e7412ca3 |
if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING))
msg (M_USAGE, "--compat-x509-names no-remapping requires --mode server"); |
6fbf66fa |
}
#endif /* P2MP_SERVER */
|
9b33b5a4 |
#ifdef ENABLE_CRYPTO |
6fbf66fa |
|
dc4fa3c4 |
if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers))
{
msg (M_USAGE, "NCP cipher list contains unsupported ciphers.");
}
|
6fbf66fa |
/*
* Check consistency of replay options
*/
if (!options->replay
&& (options->replay_window != defaults.replay_window
|| options->replay_time != defaults.replay_time))
msg (M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
/*
* SSL/TLS mode sanity checks.
*/
if (options->tls_server + options->tls_client +
(options->shared_secret_file != NULL) > 1)
msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
|
f107c620 |
if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
{
msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
"--verify-client-cert none|optional (or --client-cert-not-required) "
"may accept clients which do not present a certificate");
}
|
6fbf66fa |
if (options->tls_server || options->tls_client)
{ |
ce98fd24 |
#ifdef ENABLE_PKCS11
if (options->pkcs11_providers[0])
{
notnull (options->ca_file, "CA file (--ca)");
|
1bda73a7 |
if (options->pkcs11_id_management && options->pkcs11_id != NULL)
msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified."); |
ce98fd24 |
if (options->cert_file)
msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
if (options->priv_key_file)
msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified."); |
6dad4f8e |
#ifdef MANAGMENT_EXTERNAL_KEY
if (options->management_flags & MF_EXTERNAL_KEY)
msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified."); |
39e3d336 |
if (options->management_flags & MF_EXTERNAL_CERT)
msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified."); |
6dad4f8e |
#endif |
ce98fd24 |
if (options->pkcs12_file)
msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified."); |
93c22ecc |
#ifdef ENABLE_CRYPTOAPI |
ce98fd24 |
if (options->cryptoapi_cert)
msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
#endif
}
else
#endif |
4806cc10 |
#ifdef MANAGMENT_EXTERNAL_KEY
if((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file) |
70a07339 |
{
msg (M_USAGE, "--key and --management-external-key are mutually exclusive");
} |
d023fb66 |
else if((options->management_flags & MF_EXTERNAL_CERT))
{
if (options->cert_file)
msg (M_USAGE, "--cert and --management-external-cert are mutually exclusive");
else if(!(options->management_flags & MF_EXTERNAL_KEY))
msg (M_USAGE, "--management-external-cert must be used with --management-external-key");
} |
70a07339 |
else |
4806cc10 |
#endif |
70a07339 |
#ifdef ENABLE_CRYPTOAPI
if (options->cryptoapi_cert) |
6fbf66fa |
{ |
e9c5e170 |
if ((!(options->ca_file)) && (!(options->ca_path)))
msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); |
6fbf66fa |
if (options->cert_file)
msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
if (options->priv_key_file)
msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
if (options->pkcs12_file)
msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified."); |
6dad4f8e |
#ifdef MANAGMENT_EXTERNAL_KEY
if (options->management_flags & MF_EXTERNAL_KEY)
msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified."); |
39e3d336 |
if (options->management_flags & MF_EXTERNAL_CERT)
msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified."); |
6dad4f8e |
#endif |
6fbf66fa |
}
else
#endif
if (options->pkcs12_file)
{ |
86d8cd68 |
#ifdef ENABLE_CRYPTO_MBEDTLS
msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN."); |
88133cdb |
#else |
e9c5e170 |
if (options->ca_path)
msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified."); |
6fbf66fa |
if (options->cert_file)
msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
if (options->priv_key_file)
msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified."); |
6dad4f8e |
#ifdef MANAGMENT_EXTERNAL_KEY
if (options->management_flags & MF_EXTERNAL_KEY) |
39e3d336 |
msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
if (options->management_flags & MF_EXTERNAL_CERT)
msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified."); |
6dad4f8e |
#endif |
88133cdb |
#endif |
6fbf66fa |
}
else
{ |
86d8cd68 |
#ifdef ENABLE_CRYPTO_MBEDTLS |
53f97e1e |
if (!(options->ca_file))
msg(M_USAGE, "You must define CA file (--ca)"); |
8d26c253 |
if (options->ca_path) |
86d8cd68 |
msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); |
53f97e1e |
#else |
e9c5e170 |
if ((!(options->ca_file)) && (!(options->ca_path)))
msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); |
53f97e1e |
#endif |
6fbf66fa |
if (pull)
{ |
6dad4f8e |
|
d023fb66 |
const int sum = |
6dad4f8e |
#ifdef MANAGMENT_EXTERNAL_KEY |
d023fb66 |
((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT)) +
((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY)); |
6dad4f8e |
#else |
d023fb66 |
(options->cert_file != NULL) + (options->priv_key_file != NULL); |
6dad4f8e |
#endif
|
6fbf66fa |
if (sum == 0)
{
#if P2MP
if (!options->auth_user_pass_file)
#endif
msg (M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
}
else if (sum == 2)
;
else
{
msg (M_USAGE, "If you use one of --cert or --key, you must use them both");
}
}
else
{ |
39e3d336 |
#ifdef MANAGMENT_EXTERNAL_KEY
if (!(options->management_flags & MF_EXTERNAL_CERT))
#endif |
6fbf66fa |
notnull (options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)"); |
6dad4f8e |
#ifdef MANAGMENT_EXTERNAL_KEY |
feca0900 |
if (!(options->management_flags & MF_EXTERNAL_KEY)) |
6dad4f8e |
#endif |
6fbf66fa |
notnull (options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
}
}
}
else
{
/*
* Make sure user doesn't specify any TLS options
* when in non-TLS mode.
*/
#define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) msg (M_USAGE, err, #parm);
const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
MUST_BE_UNDEF (ca_file); |
e9c5e170 |
MUST_BE_UNDEF (ca_path); |
6fbf66fa |
MUST_BE_UNDEF (dh_file);
MUST_BE_UNDEF (cert_file);
MUST_BE_UNDEF (priv_key_file); |
86d8cd68 |
#ifndef ENABLE_CRYPTO_MBEDTLS |
6fbf66fa |
MUST_BE_UNDEF (pkcs12_file); |
93ee3932 |
#endif |
6fbf66fa |
MUST_BE_UNDEF (cipher_list);
MUST_BE_UNDEF (tls_verify); |
39238d1b |
MUST_BE_UNDEF (tls_export_cert); |
9f0fc745 |
MUST_BE_UNDEF (verify_x509_name); |
6fbf66fa |
MUST_BE_UNDEF (tls_timeout);
MUST_BE_UNDEF (renegotiate_bytes);
MUST_BE_UNDEF (renegotiate_packets);
MUST_BE_UNDEF (renegotiate_seconds);
MUST_BE_UNDEF (handshake_window);
MUST_BE_UNDEF (transition_window);
MUST_BE_UNDEF (tls_auth_file);
MUST_BE_UNDEF (single_session); |
aaf72974 |
#ifdef ENABLE_PUSH_PEER_INFO
MUST_BE_UNDEF (push_peer_info);
#endif |
6fbf66fa |
MUST_BE_UNDEF (tls_exit);
MUST_BE_UNDEF (crl_file);
MUST_BE_UNDEF (key_method);
MUST_BE_UNDEF (ns_cert_type); |
411e89ae |
MUST_BE_UNDEF (remote_cert_ku[0]);
MUST_BE_UNDEF (remote_cert_eku); |
ce98fd24 |
#ifdef ENABLE_PKCS11
MUST_BE_UNDEF (pkcs11_providers[0]); |
e9a57dcd |
MUST_BE_UNDEF (pkcs11_private_mode[0]); |
ce98fd24 |
MUST_BE_UNDEF (pkcs11_id); |
1bda73a7 |
MUST_BE_UNDEF (pkcs11_id_management); |
ce98fd24 |
#endif |
6fbf66fa |
if (pull)
msg (M_USAGE, err, "--pull");
}
#undef MUST_BE_UNDEF |
9b33b5a4 |
#endif /* ENABLE_CRYPTO */ |
6fbf66fa |
#if P2MP |
4e9a51d7 |
if (options->auth_user_pass_file && !options->pull)
msg (M_USAGE, "--auth-user-pass requires --pull");
#endif
uninit_options (&defaults);
}
static void
options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)
{ |
86e8754c |
const int dev = dev_type_enum (o->dev, o->dev_type);
|
4e9a51d7 |
#if P2MP_SERVER |
03731db3 |
if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp) |
4e9a51d7 |
{ |
30077d1f |
if (ce->proto == PROTO_TCP)
ce->proto = PROTO_TCP_SERVER; |
4e9a51d7 |
}
#endif
#if P2MP
if (o->client)
{ |
30077d1f |
if (ce->proto == PROTO_TCP)
ce->proto = PROTO_TCP_CLIENT; |
4e9a51d7 |
}
#endif
|
30077d1f |
if (ce->proto == PROTO_TCP_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined) |
4e9a51d7 |
ce->bind_local = false;
|
30077d1f |
if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined) |
4e9a51d7 |
ce->bind_local = false;
if (!ce->bind_local) |
076fd3e4 |
ce->local_port = NULL; |
51e6e5b0 |
/* if protocol forcing is enabled, disable all protocols except for the forced one */ |
30077d1f |
if (o->proto_force >= 0 && o->proto_force != ce->proto) |
51e6e5b0 |
ce->flags |= CE_DISABLED; |
4e9a51d7 |
|
6fbf66fa |
/* |
4e9a51d7 |
* If --mssfix is supplied without a parameter, default
* it to --fragment value, if --fragment is specified. |
6fbf66fa |
*/ |
76809cae |
if (o->ce.mssfix_default) |
6fbf66fa |
{ |
4e9a51d7 |
#ifdef ENABLE_FRAGMENT |
76809cae |
if (ce->fragment) |
d384a958 |
ce->mssfix = ce->fragment; |
4e9a51d7 |
#else
msg (M_USAGE, "--mssfix must specify a parameter");
#endif |
6fbf66fa |
}
|
86e8754c |
/*
* Set MTU defaults
*/
{
if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
{
ce->tun_mtu_defined = true;
}
if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
{
ce->tun_mtu_extra_defined = true;
ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
}
}
|
76809cae |
}
static void
options_postprocess_mutate_invariant (struct options *options)
{ |
672943fb |
#ifdef WIN32 |
76809cae |
const int dev = dev_type_enum (options->dev, options->dev_type); |
672943fb |
#endif |
76809cae |
|
4e9a51d7 |
/*
* In forking TCP server mode, you don't need to ifconfig
* the tap device (the assumption is that it will be bridged).
*/
if (options->inetd == INETD_NOWAIT)
options->ifconfig_noexec = true;
#ifdef WIN32
if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
{
if (options->mode == MODE_POINT_TO_POINT)
{
options->route_delay_defined = true;
options->route_delay = 5; /* Vista sometimes has a race without this */
}
}
if (options->ifconfig_noexec)
{
options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
options->ifconfig_noexec = false;
}
#endif |
6fbf66fa |
|
4e9a51d7 |
#if P2MP_SERVER
/*
* Check consistency of --mode server options.
*/
if (options->mode == MODE_SERVER)
{
#ifdef WIN32
/*
* We need to explicitly set --tap-sleep because
* we do not schedule event timers in the top-level context.
*/
options->tuntap_options.tap_sleep = 10;
if (options->route_delay_defined && options->route_delay)
options->tuntap_options.tap_sleep = options->route_delay;
options->route_delay_defined = false;
#endif
}
#endif |
3c6d3220 |
#ifdef DEFAULT_PKCS11_MODULE
/* If p11-kit is present on the system then load its p11-kit-proxy.so
by default if the user asks for PKCS#11 without otherwise specifying
the module to use. */
if (!options->pkcs11_providers[0] &&
(options->pkcs11_id || options->pkcs11_id_management))
options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
#endif |
4e9a51d7 |
}
static void
options_postprocess_verify (const struct options *o)
{
if (o->connection_list)
{
int i;
for (i = 0; i < o->connection_list->len; ++i)
options_postprocess_verify_ce (o, o->connection_list->array[i]);
}
else
options_postprocess_verify_ce (o, &o->ce);
}
static void
options_postprocess_mutate (struct options *o)
{ |
23d61c56 |
int i; |
4e9a51d7 |
/*
* Process helper-type options which map to other, more complex
* sequences of options.
*/
helper_client_server (o);
helper_keepalive (o); |
ae3b3746 |
helper_tcp_nodelay (o); |
4e9a51d7 |
options_postprocess_mutate_invariant (o);
if (o->remote_list && !o->connection_list)
{
/* |
23d61c56 |
* Convert remotes into connection list |
4e9a51d7 |
*/ |
23d61c56 |
const struct remote_list *rl = o->remote_list;
for (i = 0; i < rl->len; ++i)
{
const struct remote_entry *re = rl->array[i];
struct connection_entry ce = o->ce;
struct connection_entry *ace;
ASSERT (re->remote);
connection_entry_load_re (&ce, re);
ace = alloc_connection_entry (o, M_USAGE);
ASSERT (ace);
*ace = ce;
} |
4e9a51d7 |
} |
23d61c56 |
else if(!o->remote_list && !o->connection_list) |
4e9a51d7 |
{ |
23d61c56 |
struct connection_entry *ace;
ace = alloc_connection_entry (o, M_USAGE);
ASSERT (ace);
*ace = o->ce;
}
ASSERT (o->connection_list);
for (i = 0; i < o->connection_list->len; ++i) |
4e9a51d7 |
options_postprocess_mutate_ce (o, o->connection_list->array[i]); |
3cf6c932 |
|
bd9aa06f |
#ifdef ENABLE_CRYPTO
if (o->tls_server)
{
/* Check that DH file is specified, or explicitly disabled */
notnull (o->dh_file, "DH file (--dh)");
if (streq (o->dh_file, "none"))
o->dh_file = NULL;
} |
d90249f7 |
/* cipher negotiation (NCP) currently assumes --pull or --mode server */
if ( o->ncp_enabled &&
! (o->pull || o->mode == MODE_SERVER) )
{
msg( M_WARN, "disabling NCP mode (--ncp-disable) because not "
"in P2MP client or server mode" );
o->ncp_enabled = false;
} |
bd9aa06f |
#endif
|
a4b8f653 |
#if ENABLE_MANAGEMENT |
23d61c56 |
if (o->http_proxy_override) |
3cf6c932 |
options_postprocess_http_proxy_override(o);
#endif |
4e9a51d7 |
|
04dcb96c |
#ifdef ENABLE_CRYPTOAPI
if (o->cryptoapi_cert)
{
const int tls_version_max =
(o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &
SSLF_TLS_VERSION_MAX_MASK;
if (tls_version_max == TLS_VER_UNSPEC || tls_version_max > TLS_VER_1_1)
{
msg(M_WARN, "Warning: cryptapicert used, setting maximum TLS "
"version to 1.1.");
o->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK <<
SSLF_TLS_VERSION_MAX_SHIFT);
o->ssl_flags |= (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT);
}
}
#endif /* ENABLE_CRYPTOAPI */
|
4e9a51d7 |
#if P2MP |
6fbf66fa |
/*
* Save certain parms before modifying options via --pull
*/ |
4e9a51d7 |
pre_pull_save (o); |
6fbf66fa |
#endif
}
|
4e9a51d7 |
/* |
0f2bc0dd |
* Check file/directory sanity
*
*/
#ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */
#define CHKACC_FILE (1<<0) /** Check for a file/directory precense */
#define CHKACC_DIRPATH (1<<1) /** Check for directory precense where a file should reside */
#define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */ |
06e781f8 |
#define CHKACC_INLINE (1<<3) /** File is present if it's an inline file */ |
a4de190b |
#define CHKACC_ACPTSTDIN (1<<4) /** If filename is stdin, it's allowed and "exists" */ |
0f2bc0dd |
static bool
check_file_access(const int type, const char *file, const int mode, const char *opt)
{
int errcode = 0;
/* If no file configured, no errors to look for */
if (!file)
return false;
|
06e781f8 |
/* If this may be an inline file, and the proper inline "filename" is set - no issues */
if ((type & CHKACC_INLINE) && streq(file, INLINE_FILE_TAG) )
return false;
|
a4de190b |
/* If stdin is allowed and the file name is 'stdin', then do no
* further checks as stdin is always available
*/
if( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
return false;
|
0f2bc0dd |
/* Is the directory path leading to the given file accessible? */
if (type & CHKACC_DIRPATH)
{ |
ddc7692d |
char *fullpath = string_alloc (file, NULL); /* POSIX dirname() implementaion may modify its arguments */ |
0f2bc0dd |
char *dirpath = dirname(fullpath);
|
14a131ac |
if (platform_access (dirpath, mode|X_OK) != 0) |
0f2bc0dd |
errcode = errno;
free(fullpath);
}
/* Is the file itself accessible? */ |
14a131ac |
if (!errcode && (type & CHKACC_FILE) && (platform_access (file, mode) != 0) ) |
0f2bc0dd |
errcode = errno;
/* If the file exists and is accessible, is it writable? */ |
14a131ac |
if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access (file, F_OK) == 0) )
if (platform_access (file, W_OK) != 0) |
0f2bc0dd |
errcode = errno;
/* Scream if an error is found */
if( errcode > 0 )
msg (M_NOPREFIX|M_OPTERR, "%s fails with '%s': %s",
opt, file, strerror(errno));
/* Return true if an error occured */
return (errcode != 0 ? true : false);
}
|
b77bffe8 |
/* A wrapper for check_file_access() which also takes a chroot directory.
* If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
* otherwise it will look for the file inside the given chroot directory instead.
*/
static bool
check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
{
bool ret = false;
/* If no file configured, no errors to look for */
if (!file)
return false;
/* If chroot is set, look for the file/directory inside the chroot */
if( chroot )
{
struct gc_arena gc = gc_new();
struct buffer chroot_file;
int len = 0;
/* Build up a new full path including chroot directory */
len = strlen(chroot) + strlen(PATH_SEPARATOR_STR) + strlen(file) + 1;
chroot_file = alloc_buf_gc(len, &gc);
buf_printf(&chroot_file, "%s%s%s", chroot, PATH_SEPARATOR_STR, file);
ASSERT (chroot_file.len > 0);
ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
gc_free(&gc);
}
else
{
/* No chroot in play, just call core file check function */
ret = check_file_access(type, file, mode, opt);
}
return ret;
}
|
0f2bc0dd |
/* |
a050bcef |
* Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
* valid file with appropriate permissions.
*
* "command" consists of a path, optionally followed by a space, which may be
* followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
* performed.
*
* The path and arguments in "command" may be single- or double-quoted or escaped.
*
* The path is extracted from "command", then check_file_access() is called to check it. The
* arguments, if any, are ignored.
*
* Note that the type, mode, and opt arguments to this routine are the same as the corresponding
* check_file_access() arguments.
*/
static bool |
b77bffe8 |
check_cmd_access(const char *command, const char *opt, const char *chroot) |
a050bcef |
{
struct argv argv;
bool return_code;
/* If no command was set, there are no errors to look for */
if (! command)
return false;
/* Extract executable path and arguments */
argv = argv_new (); |
25360912 |
argv_parse_cmd (&argv, command); |
a050bcef |
/* if an executable is specified then check it; otherwise, complain */
if (argv.argv[0]) |
0576a9f2 |
/* Scripts requires R_OK as well, but that might fail on binaries which
* only requires X_OK to function on Unix - a scenario not unlikely to
* be seen on suid binaries.
*/ |
b77bffe8 |
return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt); |
a050bcef |
else
{
msg (M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
opt, command);
return_code = true;
}
argv_reset (&argv);
return return_code;
}
/* |
0f2bc0dd |
* Sanity check of all file/dir options. Checks that file/dir
* is accessible by OpenVPN
*/
static void
options_postprocess_filechecks (struct options *options)
{
bool errs = false;
|
ec828db6 |
#ifdef ENABLE_CRYPTO |
0f2bc0dd |
/* ** SSL/TLS/crypto related files ** */ |
06e781f8 |
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca"); |
b77bffe8 |
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); |
06e781f8 |
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert");
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->extra_certs_file, R_OK, |
0f2bc0dd |
"--extra-certs"); |
4806cc10 |
#ifdef MANAGMENT_EXTERNAL_KEY |
feca0900 |
if(!(options->management_flags & MF_EXTERNAL_KEY)) |
4806cc10 |
#endif
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->priv_key_file, R_OK, |
0f2bc0dd |
"--key"); |
06e781f8 |
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->pkcs12_file, R_OK, |
0f2bc0dd |
"--pkcs12"); |
06e781f8 |
|
0f2bc0dd |
if (options->ssl_flags & SSLF_CRL_VERIFY_DIR) |
b77bffe8 |
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK, |
0f2bc0dd |
"--crl-verify directory");
else |
7a7a79f6 |
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE|CHKACC_INLINE,
options->crl_file, R_OK, "--crl-verify"); |
06e781f8 |
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->tls_auth_file, R_OK, |
0f2bc0dd |
"--tls-auth"); |
06e781f8 |
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->shared_secret_file, R_OK, |
0f2bc0dd |
"--secret");
errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR,
options->packet_id_file, R_OK|W_OK, "--replay-persist");
/* ** Password files ** */ |
4e1e3ba1 |
errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,
options->key_pass_file, R_OK, "--askpass"); |
ec828db6 |
#endif /* ENABLE_CRYPTO */ |
0f2bc0dd |
#ifdef ENABLE_MANAGEMENT |
a4de190b |
errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,
options->management_user_pass, R_OK, |
0f2bc0dd |
"--management user/password file");
#endif /* ENABLE_MANAGEMENT */ |
1d5c4433 |
#if P2MP |
a4de190b |
errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,
options->auth_user_pass_file, R_OK,
"--auth-user-pass"); |
1d5c4433 |
#endif /* P2MP */ |
0f2bc0dd |
/* ** System related ** */
errs |= check_file_access (CHKACC_FILE, options->chroot_dir,
R_OK|X_OK, "--chroot directory");
errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
R_OK|W_OK, "--writepid");
/* ** Log related ** */
errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
R_OK|W_OK, "--status");
/* ** Config related ** */ |
ec828db6 |
#ifdef ENABLE_CRYPTO |
b77bffe8 |
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->tls_export_cert, |
0f2bc0dd |
R_OK|W_OK|X_OK, "--tls-export-cert"); |
ec828db6 |
#endif /* ENABLE_CRYPTO */ |
1d5c4433 |
#if P2MP_SERVER |
b77bffe8 |
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->client_config_dir, |
0f2bc0dd |
R_OK|X_OK, "--client-config-dir"); |
b77bffe8 |
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->tmp_dir, |
ea5e091e |
R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)"); |
a050bcef |
|
0f2bc0dd |
#endif /* P2MP_SERVER */
if (errs)
msg (M_USAGE, "Please correct these errors.");
}
#endif /* !ENABLE_SMALL */
/* |
4e9a51d7 |
* Sanity check on options.
* Also set some options based on other
* options.
*/
void
options_postprocess (struct options *options)
{
options_postprocess_mutate (options);
options_postprocess_verify (options); |
0f2bc0dd |
#ifndef ENABLE_SMALL
options_postprocess_filechecks (options);
#endif /* !ENABLE_SMALL */ |
4e9a51d7 |
}
|
6fbf66fa |
#if P2MP
/*
* Save/Restore certain option defaults before --pull is applied.
*/
void
pre_pull_save (struct options *o)
{
if (o->pull)
{
ALLOC_OBJ_CLEAR_GC (o->pre_pull, struct options_pre_pull, &o->gc);
o->pre_pull->tuntap_options = o->tuntap_options;
o->pre_pull->tuntap_options_defined = true;
o->pre_pull->foreign_option_index = o->foreign_option_index;
if (o->routes)
{ |
673f583f |
o->pre_pull->routes = clone_route_option_list(o->routes, &o->gc); |
6fbf66fa |
o->pre_pull->routes_defined = true;
} |
91402236 |
if (o->routes_ipv6)
{
o->pre_pull->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
o->pre_pull->routes_ipv6_defined = true;
} |
581bef87 |
if (o->client_nat)
{
o->pre_pull->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
o->pre_pull->client_nat_defined = true;
} |
6fbf66fa |
}
}
void |
d0085293 |
pre_pull_restore (struct options *o, struct gc_arena *gc) |
6fbf66fa |
{
const struct options_pre_pull *pp = o->pre_pull;
if (pp)
{
CLEAR (o->tuntap_options);
if (pp->tuntap_options_defined)
o->tuntap_options = pp->tuntap_options;
if (pp->routes_defined)
{
rol_check_alloc (o); |
d0085293 |
copy_route_option_list (o->routes, pp->routes, gc); |
6fbf66fa |
}
else
o->routes = NULL;
|
91402236 |
if (pp->routes_ipv6_defined)
{
rol6_check_alloc (o); |
d0085293 |
copy_route_ipv6_option_list (o->routes_ipv6, pp->routes_ipv6, gc); |
91402236 |
}
else
o->routes_ipv6 = NULL;
|
581bef87 |
if (pp->client_nat_defined)
{
cnol_check_alloc (o);
copy_client_nat_option_list (o->client_nat, pp->client_nat);
}
else
o->client_nat = NULL;
|
6fbf66fa |
o->foreign_option_index = pp->foreign_option_index;
} |
3eee126e |
o->push_continuation = 0; |
1aac9a0b |
o->push_option_types_found = 0; |
6fbf66fa |
}
#endif
#ifdef ENABLE_OCC
|
97894360 |
/**
* Calculate the link-mtu to advertise to our peer. The actual value is not
* relevant, because we will possibly perform data channel cipher negotiation
* after this, but older clients will log warnings if we do not supply them the
* value they expect. This assumes that the traditional cipher/auth directives
* in the config match the config of the peer.
*/
static size_t
calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
{
size_t link_mtu = EXPANDED_SIZE (frame);
#ifdef ENABLE_CRYPTO
if (o->pull || o->mode == MODE_SERVER)
{
struct frame fake_frame = *frame;
struct key_type fake_kt; |
dea8917a |
init_key_type (&fake_kt, o->ciphername, o->authname, o->keysize, true,
false); |
97894360 |
frame_add_to_extra_frame (&fake_frame, -(crypto_max_overhead())); |
dea8917a |
crypto_adjust_frame_parameters (&fake_frame, &fake_kt, o->use_iv,
o->replay, cipher_kt_mode_ofb_cfb (fake_kt.cipher)); |
97894360 |
frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
o->ce.tun_mtu_defined, o->ce.tun_mtu); |
d1bd37fd |
msg (D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu, |
97894360 |
EXPANDED_SIZE (&fake_frame));
link_mtu = EXPANDED_SIZE (&fake_frame);
}
#endif
return link_mtu;
}
|
6fbf66fa |
/*
* Build an options string to represent data channel encryption options.
* This string must match exactly between peers. The keysize is checked
* separately by read_key().
*
* The following options must match on both peers:
*
* Tunnel options:
*
* --dev tun|tap [unit number need not match]
* --dev-type tun|tap
* --link-mtu
* --udp-mtu
* --tun-mtu
* --proto udp
* --proto tcp-client [matched with --proto tcp-server
* on the other end of the connection]
* --proto tcp-server [matched with --proto tcp-client on
* the other end of the connection]
* --tun-ipv6
* --ifconfig x y [matched with --ifconfig y x on
* the other end of the connection]
*
* --comp-lzo |
38d96bd7 |
* --compress alg |
6fbf66fa |
* --fragment
*
* Crypto Options:
*
* --cipher
* --auth
* --keysize
* --secret
* --no-replay
* --no-iv
*
* SSL Options:
*
* --tls-auth
* --tls-client [matched with --tls-server on
* the other end of the connection]
* --tls-server [matched with --tls-client on
* the other end of the connection]
*/
char *
options_string (const struct options *o,
const struct frame *frame,
struct tuntap *tt,
bool remote,
struct gc_arena *gc)
{
struct buffer out = alloc_buf (OPTION_LINE_SIZE);
bool tt_local = false;
buf_printf (&out, "V4");
/*
* Tunnel Options
*/
buf_printf (&out, ",dev-type %s", dev_type_string (o->dev, o->dev_type)); |
d1bd37fd |
buf_printf (&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame)); |
6fbf66fa |
buf_printf (&out, ",tun-mtu %d", PAYLOAD_SIZE (frame)); |
34136dd8 |
buf_printf (&out, ",proto %s", proto_remote (o->ce.proto, remote)); |
3b860cf2 |
/* send tun_ipv6 only in peer2peer mode - in client/server mode, it
* is usually pushed by the server, triggering a non-helpful warning
*/ |
86e2fa55 |
if (o->ifconfig_ipv6_local && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o)) |
6fbf66fa |
buf_printf (&out, ",tun-ipv6");
/*
* Try to get ifconfig parameters into the options string.
* If tt is undefined, make a temporary instantiation.
*/
if (!tt)
{
tt = init_tun (o->dev,
o->dev_type, |
3c7f2f55 |
o->topology, |
6fbf66fa |
o->ifconfig_local,
o->ifconfig_remote_netmask, |
512cda46 |
o->ifconfig_ipv6_local, |
c55e9562 |
o->ifconfig_ipv6_netbits, |
512cda46 |
o->ifconfig_ipv6_remote, |
555b54cc |
NULL,
NULL, |
6fbf66fa |
false,
NULL);
if (tt)
tt_local = true;
}
if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
{
const char *ios = ifconfig_options_string (tt, remote, o->ifconfig_nowarn, gc);
if (ios && strlen (ios))
buf_printf (&out, ",ifconfig %s", ios);
}
if (tt_local)
{
free (tt);
tt = NULL;
}
|
38d96bd7 |
#ifdef USE_COMP
if (o->comp.alg != COMP_ALG_UNDEF)
buf_printf (&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */ |
6fbf66fa |
#endif
#ifdef ENABLE_FRAGMENT |
76809cae |
if (o->ce.fragment) |
6fbf66fa |
buf_printf (&out, ",mtu-dynamic");
#endif
|
9b33b5a4 |
#ifdef ENABLE_CRYPTO |
6fbf66fa |
#define TLS_CLIENT (o->tls_client)
#define TLS_SERVER (o->tls_server)
/*
* Key direction
*/
{
const char *kd = keydirection2ascii (o->key_direction, remote);
if (kd)
buf_printf (&out, ",keydir %s", kd);
}
/*
* Crypto Options
*/
if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
{
struct key_type kt;
ASSERT ((o->shared_secret_file != NULL)
+ (TLS_CLIENT == true)
+ (TLS_SERVER == true)
<= 1);
|
dea8917a |
init_key_type (&kt, o->ciphername, o->authname, o->keysize, true,
false); |
6fbf66fa |
|
44dc5d30 |
buf_printf (&out, ",cipher %s",
translate_cipher_name_to_openvpn(cipher_kt_name (kt.cipher))); |
902f674e |
buf_printf (&out, ",auth %s", md_kt_name (kt.digest)); |
1271be60 |
buf_printf (&out, ",keysize %d", kt.cipher_length * 8); |
6fbf66fa |
if (o->shared_secret_file)
buf_printf (&out, ",secret");
if (!o->replay)
buf_printf (&out, ",no-replay");
if (!o->use_iv)
buf_printf (&out, ",no-iv"); |
0f25d296 |
#ifdef ENABLE_PREDICTION_RESISTANCE
if (o->use_prediction_resistance)
buf_printf (&out, ",use-prediction-resistance");
#endif |
6fbf66fa |
}
/*
* SSL Options
*/
{
if (TLS_CLIENT || TLS_SERVER)
{
if (o->tls_auth_file)
buf_printf (&out, ",tls-auth");
if (o->key_method > 1)
buf_printf (&out, ",key-method %d", o->key_method);
}
if (remote)
{
if (TLS_CLIENT)
buf_printf (&out, ",tls-server");
else if (TLS_SERVER)
buf_printf (&out, ",tls-client");
}
else
{
if (TLS_CLIENT)
buf_printf (&out, ",tls-client");
else if (TLS_SERVER)
buf_printf (&out, ",tls-server");
}
}
#undef TLS_CLIENT
#undef TLS_SERVER
|
9b33b5a4 |
#endif /* ENABLE_CRYPTO */ |
6fbf66fa |
return BSTR (&out);
}
/*
* Compare option strings for equality.
* If the first two chars of the strings differ, it means that
* we are looking at different versions of the options string,
* therefore don't compare them and return true.
*/
bool
options_cmp_equal (char *actual, const char *expected)
{
return options_cmp_equal_safe (actual, expected, strlen (actual) + 1);
}
void
options_warning (char *actual, const char *expected)
{
options_warning_safe (actual, expected, strlen (actual) + 1);
}
static const char *
options_warning_extract_parm1 (const char *option_string,
struct gc_arena *gc_ret)
{
struct gc_arena gc = gc_new ();
struct buffer b = string_alloc_buf (option_string, &gc);
char *p = gc_malloc (OPTION_PARM_SIZE, false, &gc);
const char *ret;
buf_parse (&b, ' ', p, OPTION_PARM_SIZE);
ret = string_alloc (p, gc_ret);
gc_free (&gc);
return ret;
}
static void
options_warning_safe_scan2 (const int msglevel,
const int delim,
const bool report_inconsistent,
const char *p1,
const struct buffer *b2_src,
const char *b1_name,
const char *b2_name)
{ |
3b860cf2 |
/* we will stop sending 'proto xxx' in OCC in a future version
* (because it's not useful), and to reduce questions when
* interoperating, we start not-printing a warning about it today
*/
if (strncmp(p1, "proto ", 6) == 0 )
{
return;
}
|
6fbf66fa |
if (strlen (p1) > 0)
{
struct gc_arena gc = gc_new ();
struct buffer b2 = *b2_src;
const char *p1_prefix = options_warning_extract_parm1 (p1, &gc);
char *p2 = gc_malloc (OPTION_PARM_SIZE, false, &gc);
while (buf_parse (&b2, delim, p2, OPTION_PARM_SIZE))
{
if (strlen (p2))
{
const char *p2_prefix = options_warning_extract_parm1 (p2, &gc);
if (!strcmp (p1, p2))
goto done;
if (!strcmp (p1_prefix, p2_prefix))
{
if (report_inconsistent)
msg (msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
safe_print (p1_prefix, &gc),
b1_name,
safe_print (p1, &gc),
b2_name,
safe_print (p2, &gc));
goto done;
}
}
}
msg (msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
safe_print (p1_prefix, &gc),
b1_name,
b2_name,
b1_name,
safe_print (p1, &gc));
done:
gc_free (&gc);
}
}
static void
options_warning_safe_scan1 (const int msglevel,
const int delim,
const bool report_inconsistent,
const struct buffer *b1_src,
const struct buffer *b2_src,
const char *b1_name,
const char *b2_name)
{
struct gc_arena gc = gc_new ();
struct buffer b = *b1_src;
char *p = gc_malloc (OPTION_PARM_SIZE, true, &gc);
while (buf_parse (&b, delim, p, OPTION_PARM_SIZE))
options_warning_safe_scan2 (msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
gc_free (&gc);
}
static void
options_warning_safe_ml (const int msglevel, char *actual, const char *expected, size_t actual_n)
{
struct gc_arena gc = gc_new ();
if (actual_n > 0)
{
struct buffer local = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
struct buffer remote = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
actual[actual_n - 1] = 0;
buf_printf (&local, "version %s", expected);
buf_printf (&remote, "version %s", actual);
options_warning_safe_scan1 (msglevel, ',', true,
&local, &remote,
"local", "remote");
options_warning_safe_scan1 (msglevel, ',', false,
&remote, &local,
"remote", "local");
}
gc_free (&gc);
}
bool
options_cmp_equal_safe (char *actual, const char *expected, size_t actual_n)
{
struct gc_arena gc = gc_new ();
bool ret = true;
if (actual_n > 0)
{
actual[actual_n - 1] = 0; |
51bd56f4 |
#ifndef ENABLE_STRICT_OPTIONS_CHECK |
6fbf66fa |
if (strncmp (actual, expected, 2))
{
msg (D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
options_warning_safe_ml (D_SHOW_OCC, actual, expected, actual_n);
}
else
#endif
ret = !strcmp (actual, expected);
}
gc_free (&gc);
return ret;
}
void
options_warning_safe (char *actual, const char *expected, size_t actual_n)
{
options_warning_safe_ml (M_WARN, actual, expected, actual_n);
}
const char *
options_string_version (const char* s, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc (4, gc);
strncpynt ((char *) BPTR (&out), s, 3);
return BSTR (&out);
}
#endif /* ENABLE_OCC */
static void
foreign_option (struct options *o, char *argv[], int len, struct env_set *es)
{
if (len > 0)
{
struct gc_arena gc = gc_new();
struct buffer name = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
struct buffer value = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
int i;
bool first = true; |
b4073a76 |
bool good = true; |
6fbf66fa |
|
b4073a76 |
good &= buf_printf (&name, "foreign_option_%d", o->foreign_option_index + 1); |
6fbf66fa |
++o->foreign_option_index;
for (i = 0; i < len; ++i)
{
if (argv[i])
{
if (!first) |
b4073a76 |
good &= buf_printf (&value, " ");
good &= buf_printf (&value, "%s", argv[i]); |
6fbf66fa |
first = false;
}
} |
b4073a76 |
if (good)
setenv_str (es, BSTR(&name), BSTR(&value));
else
msg (M_WARN, "foreign_option: name/value overflow"); |
6fbf66fa |
gc_free (&gc);
}
}
|
3c7f2f55 |
/*
* parse/print topology coding
*/
int
parse_topology (const char *str, const int msglevel)
{
if (streq (str, "net30"))
return TOP_NET30;
else if (streq (str, "p2p"))
return TOP_P2P;
else if (streq (str, "subnet"))
return TOP_SUBNET;
else
{
msg (msglevel, "--topology must be net30, p2p, or subnet");
return TOP_UNDEF;
}
}
const char *
print_topology (const int topology)
{
switch (topology)
{
case TOP_UNDEF:
return "undef";
case TOP_NET30:
return "net30";
case TOP_P2P:
return "p2p";
case TOP_SUBNET:
return "subnet";
default:
return "unknown";
}
}
|
6fbf66fa |
#if P2MP
/*
* Manage auth-retry variable
*/
static int global_auth_retry; /* GLOBAL */
int
auth_retry_get (void)
{
return global_auth_retry;
}
bool
auth_retry_set (const int msglevel, const char *option)
{
if (streq (option, "interact"))
global_auth_retry = AR_INTERACT;
else if (streq (option, "nointeract"))
global_auth_retry = AR_NOINTERACT;
else if (streq (option, "none"))
global_auth_retry = AR_NONE;
else
{
msg (msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
return false;
}
return true;
}
const char *
auth_retry_print (void)
{
switch (global_auth_retry)
{
case AR_NONE:
return "none";
case AR_NOINTERACT:
return "nointeract";
case AR_INTERACT:
return "interact";
default:
return "???";
}
}
#endif
/*
* Print the help message.
*/
static void
usage (void)
{ |
b16cd4d2 |
FILE *fp = msg_fp(0); |
6fbf66fa |
#ifdef ENABLE_SMALL
fprintf (fp, "Usage message not available\n");
#else
struct options o; |
4e9a51d7 |
init_options (&o, true); |
6fbf66fa |
|
ec828db6 |
#ifdef ENABLE_CRYPTO |
6fbf66fa |
fprintf (fp, usage_message,
title_string, |
4e9a51d7 |
o.ce.connect_retry_seconds, |
5d429efd |
o.ce.connect_retry_seconds_max, |
4e9a51d7 |
o.ce.local_port, o.ce.remote_port, |
6fbf66fa |
TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
o.verbosity,
o.authname, o.ciphername,
o.replay_window, o.replay_time,
o.tls_timeout, o.renegotiate_seconds,
o.handshake_window, o.transition_window);
#else
fprintf (fp, usage_message,
title_string, |
4e9a51d7 |
o.ce.connect_retry_seconds,
o.ce.local_port, o.ce.remote_port, |
6fbf66fa |
TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
o.verbosity);
#endif
fflush(fp);
#endif /* ENABLE_SMALL */
openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
}
void
usage_small (void)
{
msg (M_WARN|M_NOPREFIX, "Use --help for more information.");
openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
}
|
cdc65ea0 |
#ifdef WIN32
void show_windows_version(const unsigned int flags)
{
struct gc_arena gc = gc_new ();
msg (flags, "Windows version %s", win32_version_string (&gc, true));
gc_free (&gc);
}
#endif
|
1ec984b1 |
void
show_library_versions(const unsigned int flags)
{ |
ec828db6 |
#ifdef ENABLE_CRYPTO |
5b17803e |
#define SSL_LIB_VER_STR get_ssl_library_version() |
1ec984b1 |
#else |
5b17803e |
#define SSL_LIB_VER_STR "" |
1ec984b1 |
#endif
#ifdef ENABLE_LZO |
5b17803e |
#define LZO_LIB_VER_STR ", LZO ", lzo_version_string() |
1ec984b1 |
#else |
5b17803e |
#define LZO_LIB_VER_STR "", "" |
1ec984b1 |
#endif |
5b17803e |
msg (flags, "library versions: %s%s%s", SSL_LIB_VER_STR, LZO_LIB_VER_STR);
#undef SSL_LIB_VER_STR
#undef LZO_LIB_VER_STR |
1ec984b1 |
}
|
6fbf66fa |
static void
usage_version (void)
{
msg (M_INFO|M_NOPREFIX, "%s", title_string); |
1ec984b1 |
show_library_versions( M_INFO|M_NOPREFIX ); |
cdc65ea0 |
#ifdef WIN32
show_windows_version( M_INFO|M_NOPREFIX );
#endif |
4580320b |
msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan"); |
564a2109 |
msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>"); |
aa6e58ae |
#ifndef ENABLE_SMALL |
5682d339 |
#ifdef CONFIGURE_DEFINES |
d94049b8 |
msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES); |
aa6e58ae |
#endif |
10b4b65e |
#ifdef CONFIGURE_SPECIAL_BUILD
msg (M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
#endif |
5682d339 |
#endif |
6fbf66fa |
openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
}
void
notnull (const char *arg, const char *description)
{
if (!arg)
msg (M_USAGE, "You must define %s", description);
}
bool
string_defined_equal (const char *s1, const char *s2)
{
if (s1 && s2)
return !strcmp (s1, s2);
else
return false;
}
#if 0
static void
ping_rec_err (int msglevel)
{
msg (msglevel, "only one of --ping-exit or --ping-restart options may be specified");
}
#endif
static int
positive_atoi (const char *str)
{
const int i = atoi (str);
return i < 0 ? 0 : i;
}
|
d29e6de1 |
#ifdef WIN32 /* This function is only used when compiling on Windows */ |
5c30df12 |
static unsigned int
atou (const char *str)
{
unsigned int val = 0;
sscanf (str, "%u", &val);
return val;
} |
d29e6de1 |
#endif |
5c30df12 |
|
6fbf66fa |
static inline bool |
dcc0b244 |
space (unsigned char c) |
6fbf66fa |
{
return c == '\0' || isspace (c);
}
int
parse_line (const char *line,
char *p[],
const int n,
const char *file,
const int line_num,
int msglevel,
struct gc_arena *gc)
{
const int STATE_INITIAL = 0;
const int STATE_READING_QUOTED_PARM = 1;
const int STATE_READING_UNQUOTED_PARM = 2;
const int STATE_DONE = 3; |
7256e6b4 |
const int STATE_READING_SQUOTED_PARM = 4; |
6fbf66fa |
const char *error_prefix = "";
int ret = 0;
const char *c = line;
int state = STATE_INITIAL;
bool backslash = false;
char in, out;
char parm[OPTION_PARM_SIZE];
unsigned int parm_len = 0;
msglevel &= ~M_OPTERR;
if (msglevel & M_MSG_VIRT_OUT)
error_prefix = "ERROR: ";
do
{
in = *c;
out = 0;
|
7256e6b4 |
if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM) |
6fbf66fa |
{
backslash = true;
}
else
{
if (state == STATE_INITIAL)
{
if (!space (in))
{
if (in == ';' || in == '#') /* comment */
break;
if (!backslash && in == '\"')
state = STATE_READING_QUOTED_PARM; |
7256e6b4 |
else if (!backslash && in == '\'')
state = STATE_READING_SQUOTED_PARM; |
6fbf66fa |
else
{
out = in;
state = STATE_READING_UNQUOTED_PARM;
}
}
}
else if (state == STATE_READING_UNQUOTED_PARM)
{
if (!backslash && space (in))
state = STATE_DONE;
else
out = in;
}
else if (state == STATE_READING_QUOTED_PARM)
{
if (!backslash && in == '\"')
state = STATE_DONE;
else
out = in;
} |
7256e6b4 |
else if (state == STATE_READING_SQUOTED_PARM)
{
if (in == '\'')
state = STATE_DONE;
else
out = in;
} |
6fbf66fa |
if (state == STATE_DONE)
{
/* ASSERT (parm_len > 0); */
p[ret] = gc_malloc (parm_len + 1, true, gc);
memcpy (p[ret], parm, parm_len);
p[ret][parm_len] = '\0';
state = STATE_INITIAL;
parm_len = 0;
++ret;
}
if (backslash && out)
{
if (!(out == '\\' || out == '\"' || space (out))) |
a8281352 |
{ |
6fbf66fa |
#ifdef ENABLE_SMALL |
a8281352 |
msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num); |
6fbf66fa |
#else |
a8281352 |
msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num); |
6fbf66fa |
#endif |
a8281352 |
return 0;
} |
6fbf66fa |
}
backslash = false;
}
/* store parameter character */
if (out)
{
if (parm_len >= SIZE (parm))
{
parm[SIZE (parm) - 1] = 0;
msg (msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
error_prefix, file, line_num, (int) SIZE (parm), parm);
return 0;
}
parm[parm_len++] = out;
}
/* avoid overflow if too many parms in one config file line */
if (ret >= n)
break;
} while (*c++ != '\0');
if (state == STATE_READING_QUOTED_PARM)
{
msg (msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
return 0;
} |
7256e6b4 |
if (state == STATE_READING_SQUOTED_PARM)
{
msg (msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
return 0;
} |
6fbf66fa |
if (state != STATE_INITIAL)
{
msg (msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
return 0;
}
#if 0
{
int i;
for (i = 0; i < ret; ++i)
{
msg (M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
}
}
#endif
return ret;
}
|
3c7f2f55 |
static void
bypass_doubledash (char **p)
{
if (strlen (*p) >= 3 && !strncmp (*p, "--", 2))
*p += 2;
}
|
d40f2b20 |
struct in_src {
# define IS_TYPE_FP 1
# define IS_TYPE_BUF 2
int type;
union {
FILE *fp;
struct buffer *multiline;
} u;
};
static bool
in_src_get (const struct in_src *is, char *line, const int size)
{
if (is->type == IS_TYPE_FP)
{
return BOOL_CAST (fgets (line, size, is->u.fp));
}
else if (is->type == IS_TYPE_BUF)
{
bool status = buf_parse (is->u.multiline, '\n', line, size);
if ((int) strlen (line) + 1 < size)
strcat (line, "\n");
return status;
}
else
{
ASSERT (0);
return false;
}
}
static char *
read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc)
{
char line[OPTION_LINE_SIZE]; |
e473b7c4 |
struct buffer buf = alloc_buf (8*OPTION_LINE_SIZE); |
d40f2b20 |
char *ret; |
68eecf76 |
bool endtagfound = false;
|
d40f2b20 |
while (in_src_get (is, line, sizeof (line)))
{ |
cba33989 |
char *line_ptr = line; |
c67acea1 |
/* Remove leading spaces */
while (isspace(*line_ptr)) line_ptr++;
if (!strncmp (line_ptr, close_tag, strlen (close_tag))) |
68eecf76 |
{
endtagfound = true;
break;
} |
d40cbf0e |
if (!buf_safe (&buf, strlen(line)+1)) |
e473b7c4 |
{
/* Increase buffer size */
struct buffer buf2 = alloc_buf (buf.capacity * 2);
ASSERT (buf_copy (&buf2, &buf));
buf_clear (&buf);
free_buf (&buf);
buf = buf2;
} |
de6dbb5f |
buf_printf (&buf, "%s", line); |
d40f2b20 |
} |
68eecf76 |
if (!endtagfound)
msg (M_FATAL, "ERROR: Endtag %s missing", close_tag); |
d40f2b20 |
ret = string_alloc (BSTR (&buf), gc);
buf_clear (&buf);
free_buf (&buf);
CLEAR (line);
return ret;
}
static bool
check_inline_file (struct in_src *is, char *p[], struct gc_arena *gc)
{
bool ret = false;
if (p[0] && !p[1])
{
char *arg = p[0];
if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
{
struct buffer close_tag;
arg[strlen(arg)-1] = '\0';
p[0] = string_alloc (arg+1, gc);
p[1] = string_alloc (INLINE_FILE_TAG, gc);
close_tag = alloc_buf (strlen(p[0]) + 4);
buf_printf (&close_tag, "</%s>", p[0]);
p[2] = read_inline_file (is, BSTR (&close_tag), gc);
p[3] = NULL;
free_buf (&close_tag);
ret = true;
}
}
return ret;
}
static bool
check_inline_file_via_fp (FILE *fp, char *p[], struct gc_arena *gc)
{
struct in_src is;
is.type = IS_TYPE_FP;
is.u.fp = fp;
return check_inline_file (&is, p, gc);
}
static bool
check_inline_file_via_buf (struct buffer *multiline, char *p[], struct gc_arena *gc)
{
struct in_src is;
is.type = IS_TYPE_BUF;
is.u.multiline = multiline;
return check_inline_file (&is, p, gc);
}
|
eadf16a6 |
static void |
6fbf66fa |
add_option (struct options *options,
char *p[],
const char *file,
int line,
const int level,
const int msglevel,
const unsigned int permission_mask,
unsigned int *option_types_found,
struct env_set *es);
static void
read_config_file (struct options *options,
const char *file,
int level,
const char *top_file,
const int top_line,
const int msglevel,
const unsigned int permission_mask,
unsigned int *option_types_found,
struct env_set *es)
{
const int max_recursive_levels = 10;
FILE *fp;
int line_num; |
4baec3ee |
char line[OPTION_LINE_SIZE+1]; |
3c7f2f55 |
char *p[MAX_PARMS]; |
6fbf66fa |
++level;
if (level <= max_recursive_levels)
{ |
f202f143 |
if (streq (file, "stdin"))
fp = stdin;
else |
14a131ac |
fp = platform_fopen (file, "r"); |
6fbf66fa |
if (fp)
{
line_num = 0;
while (fgets(line, sizeof (line), fp))
{ |
6e6f55f4 |
int offset = 0; |
6fbf66fa |
CLEAR (p);
++line_num; |
4baec3ee |
if (strlen(line) == OPTION_LINE_SIZE)
msg (msglevel, "In %s:%d: Maximum optione line length (%d) exceeded, line starts with %s",
file, line_num, OPTION_LINE_SIZE, line);
|
6e6f55f4 |
/* Ignore UTF-8 BOM at start of stream */
if (line_num == 1 && strncmp (line, "\xEF\xBB\xBF", 3) == 0)
offset = 3;
if (parse_line (line + offset, p, SIZE (p), file, line_num, msglevel, &options->gc)) |
6fbf66fa |
{ |
3c7f2f55 |
bypass_doubledash (&p[0]); |
d40f2b20 |
check_inline_file_via_fp (fp, p, &options->gc); |
eadf16a6 |
add_option (options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es); |
6fbf66fa |
}
} |
f202f143 |
if (fp != stdin)
fclose (fp); |
6fbf66fa |
}
else
{
msg (msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
}
}
else
{
msg (msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
} |
d40f2b20 |
CLEAR (line);
CLEAR (p); |
6fbf66fa |
}
|
3c7f2f55 |
static void |
4e9a51d7 |
read_config_string (const char *prefix,
struct options *options, |
3c7f2f55 |
const char *config,
const int msglevel,
const unsigned int permission_mask,
unsigned int *option_types_found,
struct env_set *es)
{
char line[OPTION_LINE_SIZE];
struct buffer multiline;
int line_num = 0;
buf_set_read (&multiline, (uint8_t*)config, strlen (config));
while (buf_parse (&multiline, '\n', line, sizeof (line)))
{
char *p[MAX_PARMS];
CLEAR (p);
++line_num; |
4e9a51d7 |
if (parse_line (line, p, SIZE (p), prefix, line_num, msglevel, &options->gc)) |
3c7f2f55 |
{
bypass_doubledash (&p[0]); |
d40f2b20 |
check_inline_file_via_buf (&multiline, p, &options->gc); |
cd6555e0 |
add_option (options, p, prefix, line_num, 0, msglevel, permission_mask, option_types_found, es); |
3c7f2f55 |
} |
d40f2b20 |
CLEAR (p); |
3c7f2f55 |
} |
d40f2b20 |
CLEAR (line); |
3c7f2f55 |
}
|
6fbf66fa |
void
parse_argv (struct options *options,
const int argc,
char *argv[],
const int msglevel,
const unsigned int permission_mask,
unsigned int *option_types_found,
struct env_set *es)
{
int i, j;
/* usage message */
if (argc <= 1)
usage ();
/* config filename specified only? */
if (argc == 2 && strncmp (argv[1], "--", 2))
{
char *p[MAX_PARMS];
CLEAR (p);
p[0] = "config";
p[1] = argv[1]; |
eadf16a6 |
add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es); |
6fbf66fa |
}
else
{
/* parse command line */
for (i = 1; i < argc; ++i)
{
char *p[MAX_PARMS];
CLEAR (p);
p[0] = argv[i];
if (strncmp(p[0], "--", 2))
{
msg (msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
}
else
p[0] += 2;
for (j = 1; j < MAX_PARMS; ++j)
{
if (i + j < argc)
{
char *arg = argv[i + j];
if (strncmp (arg, "--", 2))
p[j] = arg;
else
break;
}
} |
eadf16a6 |
add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
i += j - 1; |
6fbf66fa |
}
}
}
|
7f74c27e |
/**
* Filter an option line by all pull filters.
*
* If a match is found, the line is modified depending on
* the filter type, and returns true. If the filter type is
* reject, SIGUSR1 is triggered and the return value is false.
* In that case the caller must end the push processing.
*/
static bool
apply_pull_filter (const struct options *o, char *line)
{
struct pull_filter *f;
if (!o->pull_filter_list) return true;
for (f = o->pull_filter_list->head; f; f = f->next)
{
if (f->type == PUF_TYPE_ACCEPT && strncmp (line, f->pattern, f->size) == 0)
{
msg (D_LOW, "Pushed option accepted by filter: '%s'", line);
return true;
}
else if (f->type == PUF_TYPE_IGNORE && strncmp (line, f->pattern, f->size) == 0)
{
msg (D_PUSH, "Pushed option removed by filter: '%s'", line);
*line = '\0';
return true;
}
else if (f->type == PUF_TYPE_REJECT && strncmp (line, f->pattern, f->size) == 0)
{
msg (M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
*line = '\0';
throw_signal_soft (SIGUSR1, "Offending option received from server");
return false;
}
}
return true;
}
|
6fbf66fa |
bool
apply_push_options (struct options *options,
struct buffer *buf,
unsigned int permission_mask,
unsigned int *option_types_found,
struct env_set *es)
{
char line[OPTION_PARM_SIZE];
int line_num = 0;
const char *file = "[PUSH-OPTIONS]";
const int msglevel = D_PUSH_ERRORS|M_OPTERR;
while (buf_parse (buf, ',', line, sizeof (line)))
{
char *p[MAX_PARMS];
CLEAR (p);
++line_num; |
7f74c27e |
if (!apply_pull_filter(options, line))
{
return false; /* Cause push/pull error and stop push processing */
} |
6fbf66fa |
if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
{ |
eadf16a6 |
add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es); |
6fbf66fa |
}
}
return true;
}
void
options_server_import (struct options *o,
const char *filename,
int msglevel,
unsigned int permission_mask,
unsigned int *option_types_found,
struct env_set *es)
{
msg (D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
read_config_file (o,
filename,
0,
filename,
0,
msglevel,
permission_mask,
option_types_found,
es);
}
|
90efcacb |
void options_string_import (struct options *options, |
3c7f2f55 |
const char *config,
const int msglevel,
const unsigned int permission_mask,
unsigned int *option_types_found,
struct env_set *es)
{ |
4e9a51d7 |
read_config_string ("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es); |
3c7f2f55 |
}
|
6fbf66fa |
#if P2MP
|
cd6555e0 |
#define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, msglevel, options)) goto err; } |
6fbf66fa |
static bool
verify_permission (const char *name, |
e656b995 |
const char* file, |
cd6555e0 |
int line, |
6fbf66fa |
const unsigned int type,
const unsigned int allowed,
unsigned int *found, |
cd6555e0 |
const int msglevel,
struct options* options) |
6fbf66fa |
{
if (!(type & allowed))
{ |
e656b995 |
msg (msglevel, "option '%s' cannot be used in this context (%s)", name, file); |
6fbf66fa |
return false;
} |
cd6555e0 |
if (found)
*found |= type;
#ifndef ENABLE_SMALL
/* Check if this options is allowed in connection block,
* but we are currently not in a connection block
* Parsing a connection block uses a temporary options struct without
* connection_list
*/
if ((type & OPT_P_CONNECTION) && options->connection_list) |
6fbf66fa |
{ |
cd6555e0 |
if (file)
msg (M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
else
msg (M_WARN, "Option '%s' is ignored by previous <connection> blocks", name); |
6fbf66fa |
} |
cd6555e0 |
#endif
return true; |
6fbf66fa |
}
#else
#define VERIFY_PERMISSION(mask)
#endif
/*
* Check that an option doesn't have too
* many parameters.
*/
#define NM_QUOTE_HINT (1<<0)
static bool
no_more_than_n_args (const int msglevel,
char *p[],
const int max,
const unsigned int flags)
{ |
eadf16a6 |
const int len = string_array_len ((const char **)p); |
6fbf66fa |
if (!len)
return false;
if (len > max)
{
msg (msglevel, "the --%s directive should have at most %d parameter%s.%s",
p[0],
max - 1,
max >= 3 ? "s" : "",
(flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
return false;
}
else
return true;
}
|
373faab1 |
static inline int |
bd0a5857 |
msglevel_forward_compatible (struct options *options, const int msglevel) |
373faab1 |
{
return options->forward_compatible ? M_WARN : msglevel;
}
|
eadf16a6 |
static void |
9b6a5028 |
set_user_script (struct options *options,
const char **script,
const char *new_script, |
b77bffe8 |
const char *type,
bool in_chroot) |
9b6a5028 |
{
if (*script) {
msg (M_WARN, "Multiple --%s scripts defined. "
"The previously configured script is overridden.", type);
}
*script = new_script;
options->user_script_used = true; |
e55681a9 |
#ifndef ENABLE_SMALL
{
char script_name[100];
openvpn_snprintf (script_name, sizeof(script_name),
"--%s script", type);
|
b77bffe8 |
if (check_cmd_access (*script, script_name, (in_chroot ? options->chroot_dir : NULL))) |
e55681a9 |
msg (M_USAGE, "Please correct this error."); |
b77bffe8 |
|
e55681a9 |
}
#endif |
3a777430 |
}
static void |
6fbf66fa |
add_option (struct options *options,
char *p[],
const char *file,
int line,
const int level,
const int msglevel,
const unsigned int permission_mask,
unsigned int *option_types_found,
struct env_set *es)
{
struct gc_arena gc = gc_new (); |
b4073a76 |
const bool pull_mode = BOOL_CAST (permission_mask & OPT_P_PULL_MODE); |
bd0a5857 |
int msglevel_fc = msglevel_forward_compatible (options, msglevel); |
6fbf66fa |
|
2a92fba7 |
ASSERT (MAX_PARMS >= 7);
/*
* If directive begins with "setenv opt" prefix, don't raise an error if
* directive is unrecognized.
*/
if (streq (p[0], "setenv") && p[1] && streq (p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
{
p += 2;
msglevel_fc = M_WARN;
}
|
6fbf66fa |
if (!file)
{
file = "[CMD-LINE]";
line = 1;
}
if (streq (p[0], "help"))
{
VERIFY_PERMISSION (OPT_P_GENERAL);
usage (); |
3d6a4cde |
if (p[1])
{
msg (msglevel, "--help does not accept any parameters");
goto err;
} |
6fbf66fa |
} |
3d6a4cde |
if (streq (p[0], "version") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
usage_version ();
} |
3d6a4cde |
else if (streq (p[0], "config") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_CONFIG);
/* save first config file only in options */
if (!options->config)
options->config = p[1];
read_config_file (options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
} |
c29e08a2 |
#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) |
d8a8656f |
else if (streq (p[0], "show-gateway") && !p[2]) |
7fb0e07e |
{
struct route_gateway_info rgi; |
d8a8656f |
struct route_ipv6_gateway_info rgi6;
struct in6_addr remote = IN6ADDR_ANY_INIT; |
7fb0e07e |
VERIFY_PERMISSION (OPT_P_GENERAL); |
d8a8656f |
if (p[1]) |
4f19cd1d |
get_ipv6_addr (p[1], &remote, NULL, M_WARN); |
7fb0e07e |
get_default_gateway(&rgi); |
d8a8656f |
get_default_gateway_ipv6(&rgi6, &remote);
print_default_gateway(M_INFO, &rgi, &rgi6); |
7fb0e07e |
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
} |
ecede953 |
#endif |
b4073a76 |
#if 0
else if (streq (p[0], "foreign-option") && p[1])
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
foreign_option (options, p, 3, es);
}
#endif |
3c7f2f55 |
else if (streq (p[0], "echo") || streq (p[0], "parameter")) |
6fbf66fa |
{
struct buffer string = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
int j; |
b4073a76 |
bool good = true; |
3c7f2f55 |
|
6fbf66fa |
VERIFY_PERMISSION (OPT_P_ECHO);
for (j = 1; j < MAX_PARMS; ++j)
{
if (!p[j])
break;
if (j > 1) |
b4073a76 |
good &= buf_printf (&string, " ");
good &= buf_printf (&string, "%s", p[j]); |
6fbf66fa |
} |
b4073a76 |
if (good)
{ |
429ab795 |
#if 0
/* removed for now since ECHO can potentially include
security-sensitive strings */ |
b4073a76 |
msg (M_INFO, "%s:%s",
pull_mode ? "ECHO-PULL" : "ECHO",
BSTR (&string)); |
429ab795 |
#endif |
6fbf66fa |
#ifdef ENABLE_MANAGEMENT |
b4073a76 |
if (management)
management_echo (management, BSTR (&string), pull_mode); |
6fbf66fa |
#endif |
b4073a76 |
}
else
msg (M_WARN, "echo/parameter option overflow"); |
6fbf66fa |
}
#ifdef ENABLE_MANAGEMENT |
3d6a4cde |
else if (streq (p[0], "management") && p[1] && p[2] && !p[4]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
bb564a59 |
if (streq (p[2], "unix")) |
6fbf66fa |
{ |
bb564a59 |
#if UNIX_SOCK_SUPPORT |
86f5c7c9 |
options->management_flags |= MF_UNIX_SOCK; |
bb564a59 |
#else
msg (msglevel, "MANAGEMENT: this platform does not support unix domain sockets"); |
6fbf66fa |
goto err; |
bb564a59 |
#endif
} |
6fbf66fa |
options->management_addr = p[1]; |
076fd3e4 |
options->management_port = p[2]; |
6fbf66fa |
if (p[3])
{
options->management_user_pass = p[3];
}
} |
3d6a4cde |
else if (streq (p[0], "management-client-user") && p[1] && !p[2]) |
bb564a59 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_client_user = p[1];
} |
3d6a4cde |
else if (streq (p[0], "management-client-group") && p[1] && !p[2]) |
bb564a59 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_client_group = p[1];
} |
3d6a4cde |
else if (streq (p[0], "management-query-passwords") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
90efcacb |
options->management_flags |= MF_QUERY_PASSWORDS; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "management-query-remote") && !p[1]) |
54561af6 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_QUERY_REMOTE;
} |
3d6a4cde |
else if (streq (p[0], "management-query-proxy") && !p[1]) |
af1bf85a |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_QUERY_PROXY;
} |
3d6a4cde |
else if (streq (p[0], "management-hold") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
90efcacb |
options->management_flags |= MF_HOLD; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "management-signal") && !p[1]) |
1184b824 |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
90efcacb |
options->management_flags |= MF_SIGNAL; |
1184b824 |
} |
3d6a4cde |
else if (streq (p[0], "management-forget-disconnect") && !p[1]) |
a032fcb7 |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
90efcacb |
options->management_flags |= MF_FORGET_DISCONNECT; |
a032fcb7 |
} |
3d6a4cde |
else if (streq (p[0], "management-up-down") && !p[1]) |
15be3202 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_UP_DOWN;
} |
3d6a4cde |
else if (streq (p[0], "management-client") && !p[2]) |
4f404ad3 |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
90efcacb |
options->management_flags |= MF_CONNECT_AS_CLIENT; |
8d33c060 |
options->management_write_peer_info_file = p[1]; |
4f404ad3 |
} |
cf69617b |
#ifdef MANAGMENT_EXTERNAL_KEY |
3d6a4cde |
else if (streq (p[0], "management-external-key") && !p[1]) |
cf69617b |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_EXTERNAL_KEY;
} |
3d6a4cde |
else if (streq (p[0], "management-external-cert") && p[1] && !p[2]) |
39e3d336 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_EXTERNAL_CERT;
options->management_certificate = p[1];
} |
cf69617b |
#endif |
90efcacb |
#ifdef MANAGEMENT_DEF_AUTH |
3d6a4cde |
else if (streq (p[0], "management-client-auth") && !p[1]) |
90efcacb |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_CLIENT_AUTH;
}
#endif
#ifdef MANAGEMENT_PF |
3d6a4cde |
else if (streq (p[0], "management-client-pf") && !p[1]) |
90efcacb |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
}
#endif |
3d6a4cde |
else if (streq (p[0], "management-log-cache") && p[1] && !p[2]) |
6fbf66fa |
{
int cache;
VERIFY_PERMISSION (OPT_P_GENERAL);
cache = atoi (p[1]);
if (cache < 1)
{
msg (msglevel, "--management-log-cache parameter is out of range");
goto err;
}
options->management_log_history_cache = cache;
}
#endif
#ifdef ENABLE_PLUGIN |
82acf216 |
else if (streq (p[0], "plugin") && p[1] && !p[3]) |
6fbf66fa |
{ |
3c7f2f55 |
VERIFY_PERMISSION (OPT_P_PLUGIN); |
6fbf66fa |
if (!options->plugin_list)
options->plugin_list = plugin_option_list_new (&options->gc); |
eadf16a6 |
if (!plugin_option_list_add (options->plugin_list, &p[1], &options->gc)) |
6fbf66fa |
{
msg (msglevel, "plugin add failed: %s", p[1]);
goto err;
}
}
#endif |
3d6a4cde |
else if (streq (p[0], "mode") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "p2p"))
options->mode = MODE_POINT_TO_POINT;
#if P2MP_SERVER
else if (streq (p[1], "server"))
options->mode = MODE_SERVER;
#endif
else
{
msg (msglevel, "Bad --mode parameter: %s", p[1]);
goto err;
}
} |
3d6a4cde |
else if (streq (p[0], "dev") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->dev = p[1];
} |
3d6a4cde |
else if (streq (p[0], "dev-type") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->dev_type = p[1];
} |
3d6a4cde |
else if (streq (p[0], "dev-node") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->dev_node = p[1];
} |
3d6a4cde |
else if (streq (p[0], "lladdr") && p[1] && !p[2]) |
e12fe286 |
{
VERIFY_PERMISSION (OPT_P_UP); |
6e2c457d |
if (mac_addr_safe (p[1])) /* MAC address only */ |
b4073a76 |
options->lladdr = p[1];
else
{ |
6e2c457d |
msg (msglevel, "lladdr parm '%s' must be a MAC address", p[1]); |
b4073a76 |
goto err;
} |
e12fe286 |
} |
3d6a4cde |
else if (streq (p[0], "topology") && p[1] && !p[2]) |
3c7f2f55 |
{
VERIFY_PERMISSION (OPT_P_UP);
options->topology = parse_topology (p[1], msglevel);
} |
3d6a4cde |
else if (streq (p[0], "tun-ipv6") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_UP); |
86e2fa55 |
msg (M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore."); |
6fbf66fa |
} |
51bd56f4 |
#ifdef ENABLE_IPROUTE |
3d6a4cde |
else if (streq (p[0], "iproute") && p[1] && !p[2]) |
0aee9ca7 |
{ |
b4073a76 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
0aee9ca7 |
iproute_path = p[1];
}
#endif |
3d6a4cde |
else if (streq (p[0], "ifconfig") && p[1] && p[2] && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_UP); |
0a838de8 |
if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */ |
b4073a76 |
{
options->ifconfig_local = p[1];
options->ifconfig_remote_netmask = p[2];
}
else
{ |
0a838de8 |
msg (msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]); |
b4073a76 |
goto err;
} |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3]) |
512cda46 |
{ |
1840c852 |
unsigned int netbits; |
dc7be6d0 |
|
512cda46 |
VERIFY_PERMISSION (OPT_P_UP); |
4f19cd1d |
if ( get_ipv6_addr( p[1], NULL, &netbits, msglevel ) && |
1840c852 |
ipv6_addr_safe( p[2] ) ) |
512cda46 |
{ |
1840c852 |
if ( netbits < 64 || netbits > 124 )
{
msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
goto err;
} |
dc7be6d0 |
|
4f19cd1d |
options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits (p[1], &options->gc); |
1840c852 |
options->ifconfig_ipv6_netbits = netbits; |
512cda46 |
options->ifconfig_ipv6_remote = p[2];
}
else
{
msg (msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
goto err;
}
} |
3d6a4cde |
else if (streq (p[0], "ifconfig-noexec") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_UP);
options->ifconfig_noexec = true;
} |
3d6a4cde |
else if (streq (p[0], "ifconfig-nowarn") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_UP);
options->ifconfig_nowarn = true;
} |
3d6a4cde |
else if (streq (p[0], "local") && p[1] && !p[2]) |
6fbf66fa |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.local = p[1]; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "remote-random") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->remote_random = true;
} |
3d6a4cde |
else if (streq (p[0], "connection") && p[1] && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
4e9a51d7 |
if (streq (p[1], INLINE_FILE_TAG) && p[2]) |
6fbf66fa |
{ |
4e9a51d7 |
struct options sub;
struct connection_entry *e;
init_options (&sub, true);
sub.ce = options->ce;
read_config_string ("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es);
if (!sub.ce.remote)
{
msg (msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
goto err;
}
e = alloc_connection_entry (options, msglevel);
if (!e)
goto err;
*e = sub.ce;
gc_transfer (&options->gc, &sub.gc);
uninit_options (&sub); |
6fbf66fa |
} |
4e9a51d7 |
} |
b685a1e6 |
else if (streq (p[0], "ignore-unknown-option") && p[1])
{
int i;
int j;
int numignored=0;
const char **ignore;
VERIFY_PERMISSION (OPT_P_GENERAL);
/* Find out how many options to be ignored */
for (i=1;p[i];i++)
numignored++;
/* add number of options already ignored */
for (i=0;options->ignore_unknown_option &&
options->ignore_unknown_option[i]; i++)
numignored++;
/* Allocate array */
ALLOC_ARRAY_GC (ignore, const char*, numignored+1, &options->gc);
for (i=0;options->ignore_unknown_option &&
options->ignore_unknown_option[i]; i++)
ignore[i]=options->ignore_unknown_option[i];
options->ignore_unknown_option=ignore;
for (j=1;p[j];j++)
{
/* Allow the user to specify ignore-unknown-option --opt too */
if (p[j][0]=='-' && p[j][1]=='-')
options->ignore_unknown_option[i] = (p[j]+2);
else
options->ignore_unknown_option[i] = p[j];
i++;
}
options->ignore_unknown_option[i] = NULL;
} |
a4b8f653 |
#if ENABLE_MANAGEMENT |
3d6a4cde |
else if (streq (p[0], "http-proxy-override") && p[1] && p[2] && !p[4]) |
3cf6c932 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
if (!options->http_proxy_override)
goto err;
}
#endif |
3d6a4cde |
else if (streq (p[0], "remote") && p[1] && !p[4]) |
4e9a51d7 |
{
struct remote_entry re; |
076fd3e4 |
re.remote = re.remote_port= NULL;
re.proto = -1; |
30077d1f |
re.af=0; |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
re.remote = p[1]; |
6fbf66fa |
if (p[2])
{ |
076fd3e4 |
re.remote_port = p[2]; |
4e9a51d7 |
if (p[3])
{
const int proto = ascii2proto (p[3]); |
30077d1f |
const sa_family_t af = ascii2af (p[3]); |
4e9a51d7 |
if (proto < 0)
{
msg (msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
goto err;
}
re.proto = proto; |
30077d1f |
re.af = af; |
4e9a51d7 |
}
}
if (permission_mask & OPT_P_GENERAL)
{
struct remote_entry *e = alloc_remote_entry (options, msglevel);
if (!e)
goto err;
*e = re;
}
else if (permission_mask & OPT_P_CONNECTION)
{
connection_entry_load_re (&options->ce, &re); |
6fbf66fa |
}
} |
3d6a4cde |
else if (streq (p[0], "resolv-retry") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "infinite"))
options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
else
options->resolve_retry_seconds = positive_atoi (p[1]);
} |
291c227d |
else if ((streq (p[0], "preresolve") || streq (p[0], "ip-remote-hint")) && !p[2]) |
e719a053 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->resolve_in_advance = true;
/* Note the ip-remote-hint and the argument p[1] are for
backward compatibility */
if (p[1])
options->ip_remote_hint=p[1];
} |
5d429efd |
else if (streq (p[0], "connect-retry") && p[1] && !p[3]) |
6fbf66fa |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.connect_retry_seconds = positive_atoi (p[1]); |
5d429efd |
/*
* Limit the base value of retry wait interval to 16 bits to avoid
* overflow when scaled up for exponential backoff
*/
if (options->ce.connect_retry_seconds > 0xFFFF)
{
options->ce.connect_retry_seconds = 0xFFFF;
msg (M_WARN, "connect retry wait interval truncated to %d",
options->ce.connect_retry_seconds);
}
if (p[2])
options->ce.connect_retry_seconds_max =
max_int (positive_atoi (p[2]), options->ce.connect_retry_seconds); |
6fbf66fa |
} |
f2134b7b |
else if ((streq (p[0], "connect-timeout") || streq (p[0], "server-poll-timeout"))
&& p[1] && !p[2]) |
1ae9d051 |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.connect_timeout = positive_atoi (p[1]); |
1ae9d051 |
} |
3d6a4cde |
else if (streq (p[0], "connect-retry-max") && p[1] && !p[2]) |
b540a9e0 |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); |
23d61c56 |
options->connect_retry_max = positive_atoi (p[1]); |
b540a9e0 |
} |
6fbf66fa |
else if (streq (p[0], "ipchange") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err; |
9b6a5028 |
set_user_script (options,
&options->ipchange,
string_substitute (p[1], ',', ' ', &options->gc), |
b77bffe8 |
"ipchange", true); |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "float") && !p[1]) |
6fbf66fa |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.remote_float = true; |
6fbf66fa |
}
#ifdef ENABLE_DEBUG |
3d6a4cde |
else if (streq (p[0], "gremlin") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->gremlin = positive_atoi (p[1]);
}
#endif |
3d6a4cde |
else if (streq (p[0], "chroot") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->chroot_dir = p[1];
} |
3d6a4cde |
else if (streq (p[0], "cd") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
14a131ac |
if (platform_chdir (p[1])) |
6fbf66fa |
{
msg (M_ERR, "cd to '%s' failed", p[1]);
goto err;
}
options->cd_dir = p[1];
} |
cd5990e0 |
#ifdef ENABLE_SELINUX |
3d6a4cde |
else if (streq (p[0], "setcon") && p[1] && !p[2]) |
99385447 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->selinux_context = p[1];
}
#endif |
3d6a4cde |
else if (streq (p[0], "writepid") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->writepid = p[1];
}
else if (streq (p[0], "up") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err; |
b77bffe8 |
set_user_script (options, &options->up_script, p[1], "up", false); |
6fbf66fa |
}
else if (streq (p[0], "down") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err; |
b77bffe8 |
set_user_script (options, &options->down_script, p[1], "down", true); |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "down-pre") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->down_pre = true;
} |
3d6a4cde |
else if (streq (p[0], "up-delay") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->up_delay = true;
} |
3d6a4cde |
else if (streq (p[0], "up-restart") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->up_restart = true;
} |
3d6a4cde |
else if (streq (p[0], "syslog") && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
open_syslog (p[1], false);
} |
3d6a4cde |
else if (streq (p[0], "daemon") && !p[2]) |
6fbf66fa |
{
bool didit = false;
VERIFY_PERMISSION (OPT_P_GENERAL);
if (!options->daemon)
{
options->daemon = didit = true;
open_syslog (p[1], false);
}
if (p[1])
{
if (!didit)
{
msg (M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
goto err;
}
}
} |
3d6a4cde |
else if (streq (p[0], "inetd") && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (!options->inetd)
{
int z;
const char *name = NULL;
const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
options->inetd = -1;
for (z = 1; z <= 2; ++z)
{
if (p[z])
{
if (streq (p[z], "wait"))
{
if (options->inetd != -1)
{ |
d6b783a8 |
msg (msglevel, "%s", opterr); |
6fbf66fa |
goto err;
}
else
options->inetd = INETD_WAIT;
}
else if (streq (p[z], "nowait"))
{
if (options->inetd != -1)
{ |
d6b783a8 |
msg (msglevel, "%s", opterr); |
6fbf66fa |
goto err;
}
else
options->inetd = INETD_NOWAIT;
}
else
{
if (name != NULL)
{ |
d6b783a8 |
msg (msglevel, "%s", opterr); |
6fbf66fa |
goto err;
}
name = p[z];
}
}
}
/* default */
if (options->inetd == -1)
options->inetd = INETD_WAIT;
save_inetd_socket_descriptor ();
open_syslog (name, true);
}
} |
3d6a4cde |
else if (streq (p[0], "log") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->log = true;
redirect_stdout_stderr (p[1], false);
} |
3d6a4cde |
else if (streq (p[0], "suppress-timestamps") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->suppress_timestamps = true;
set_suppress_timestamps(true);
} |
3d6a4cde |
else if (streq (p[0], "machine-readable-output") && !p[1]) |
8f7d5e67 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->machine_readable_output = true;
set_machine_readable_output(true);
} |
3d6a4cde |
else if (streq (p[0], "log-append") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->log = true;
redirect_stdout_stderr (p[1], true);
} |
ffea644c |
#ifdef ENABLE_MEMSTATS |
3d6a4cde |
else if (streq (p[0], "memstats") && p[1] && !p[2]) |
ffea644c |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->memstats_fn = p[1];
}
#endif |
3d6a4cde |
else if (streq (p[0], "mlock") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->mlock = true;
} |
8bc93d7f |
#if ENABLE_IP_PKTINFO |
3d6a4cde |
else if (streq (p[0], "multihome") && !p[1]) |
8bc93d7f |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->sockflags |= SF_USE_IP_PKTINFO;
}
#endif |
3d6a4cde |
else if (streq (p[0], "verb") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_MESSAGES);
options->verbosity = positive_atoi (p[1]); |
58fbb804 |
#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
/* Warn when a debug verbosity is supplied when built without debug support */
if (options->verbosity >= 7)
msg (M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
options->verbosity);
#endif |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "mute") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_MESSAGES);
options->mute = positive_atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "errors-to-stderr") && !p[1]) |
b16cd4d2 |
{
VERIFY_PERMISSION (OPT_P_MESSAGES);
errors_to_stderr();
} |
3d6a4cde |
else if (streq (p[0], "status") && p[1] && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->status_file = p[1];
if (p[2])
{
options->status_file_update_freq = positive_atoi (p[2]);
}
} |
3d6a4cde |
else if (streq (p[0], "status-version") && p[1] && !p[2]) |
6fbf66fa |
{
int version;
VERIFY_PERMISSION (OPT_P_GENERAL);
version = atoi (p[1]); |
eddd5066 |
if (version < 1 || version > 3) |
6fbf66fa |
{ |
eddd5066 |
msg (msglevel, "--status-version must be 1 to 3"); |
6fbf66fa |
goto err;
}
options->status_file_version = version;
} |
3d6a4cde |
else if (streq (p[0], "remap-usr1") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "SIGHUP"))
options->remap_sigusr1 = SIGHUP;
else if (streq (p[1], "SIGTERM"))
options->remap_sigusr1 = SIGTERM;
else
{
msg (msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
goto err;
}
} |
3d6a4cde |
else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1] && !p[2]) |
6fbf66fa |
{ |
76809cae |
VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
options->ce.link_mtu = positive_atoi (p[1]);
options->ce.link_mtu_defined = true; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "tun-mtu") && p[1] && !p[2]) |
6fbf66fa |
{ |
76809cae |
VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
options->ce.tun_mtu = positive_atoi (p[1]);
options->ce.tun_mtu_defined = true; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "tun-mtu-extra") && p[1] && !p[2]) |
6fbf66fa |
{ |
76809cae |
VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
options->ce.tun_mtu_extra = positive_atoi (p[1]);
options->ce.tun_mtu_extra_defined = true; |
6fbf66fa |
}
#ifdef ENABLE_FRAGMENT
else if (streq (p[0], "mtu-dynamic"))
{ |
76809cae |
VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION); |
6fbf66fa |
msg (msglevel, "--mtu-dynamic has been replaced by --fragment");
goto err;
} |
3d6a4cde |
else if (streq (p[0], "fragment") && p[1] && !p[2]) |
6fbf66fa |
{ |
cc8dd144 |
/* VERIFY_PERMISSION (OPT_P_MTU); */ |
76809cae |
VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
options->ce.fragment = positive_atoi (p[1]); |
6fbf66fa |
}
#endif |
3d6a4cde |
else if (streq (p[0], "mtu-disc") && p[1] && !p[2]) |
6fbf66fa |
{ |
76809cae |
VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
options->ce.mtu_discover_type = translate_mtu_discover_type_name (p[1]); |
6fbf66fa |
}
#ifdef ENABLE_OCC |
3d6a4cde |
else if (streq (p[0], "mtu-test") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->mtu_test = true;
}
#endif |
3d6a4cde |
else if (streq (p[0], "nice") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_NICE);
options->nice = atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "rcvbuf") && p[1] && !p[2]) |
6fbf66fa |
{ |
00d39170 |
VERIFY_PERMISSION (OPT_P_SOCKBUF); |
6fbf66fa |
options->rcvbuf = positive_atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "sndbuf") && p[1] && !p[2]) |
6fbf66fa |
{ |
00d39170 |
VERIFY_PERMISSION (OPT_P_SOCKBUF); |
6fbf66fa |
options->sndbuf = positive_atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "mark") && p[1] && !p[2]) |
d90428d1 |
{ |
51bd56f4 |
#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK |
d90428d1 |
VERIFY_PERMISSION (OPT_P_GENERAL);
options->mark = atoi(p[1]);
#endif
} |
00d39170 |
else if (streq (p[0], "socket-flags"))
{
int j;
VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
for (j = 1; j < MAX_PARMS && p[j]; ++j)
{
if (streq (p[j], "TCP_NODELAY"))
options->sockflags |= SF_TCP_NODELAY;
else
msg (msglevel, "unknown socket flag: %s", p[j]);
}
} |
3d6a4cde |
else if (streq (p[0], "txqueuelen") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
#ifdef TARGET_LINUX
options->tuntap_options.txqueuelen = positive_atoi (p[1]);
#else
msg (msglevel, "--txqueuelen not supported on this OS");
goto err;
#endif
} |
3d6a4cde |
else if (streq (p[0], "shaper") && p[1] && !p[2]) |
6fbf66fa |
{ |
3d163bc5 |
#ifdef ENABLE_FEATURE_SHAPER |
6fbf66fa |
int shaper;
VERIFY_PERMISSION (OPT_P_SHAPER);
shaper = atoi (p[1]);
if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
{
msg (msglevel, "Bad shaper value, must be between %d and %d",
SHAPER_MIN, SHAPER_MAX);
goto err;
}
options->shaper = shaper; |
3d163bc5 |
#else /* ENABLE_FEATURE_SHAPER */ |
6fbf66fa |
VERIFY_PERMISSION (OPT_P_GENERAL);
msg (msglevel, "--shaper requires the gettimeofday() function which is missing");
goto err; |
3d163bc5 |
#endif /* ENABLE_FEATURE_SHAPER */ |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "port") && p[1] && !p[2]) |
6fbf66fa |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); |
076fd3e4 |
options->ce.local_port = options->ce.remote_port = p[1]; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "lport") && p[1] && !p[2]) |
6fbf66fa |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.local_port_defined = true; |
076fd3e4 |
options->ce.local_port = p[1]; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "rport") && p[1] && !p[2]) |
6fbf66fa |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); |
076fd3e4 |
options->ce.remote_port = p[1]; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "bind") && !p[1]) |
04f4b793 |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.bind_defined = true; |
8832c6c4 |
if (p[1] && streq (p[1], "ipv6only"))
options->ce.bind_ipv6_only=true;
|
04f4b793 |
} |
3d6a4cde |
else if (streq (p[0], "nobind") && !p[1]) |
6fbf66fa |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.bind_local = false; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "fast-io") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->fast_io = true;
} |
3d6a4cde |
else if (streq (p[0], "inactive") && p[1] && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_TIMER);
options->inactivity_timeout = positive_atoi (p[1]); |
838911cc |
if (p[2])
options->inactivity_minimum_bytes = positive_atoi (p[2]); |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "proto") && p[1] && !p[2]) |
6fbf66fa |
{
int proto; |
30077d1f |
sa_family_t af; |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); |
6fbf66fa |
proto = ascii2proto (p[1]); |
30077d1f |
af = ascii2af(p[1]); |
6fbf66fa |
if (proto < 0)
{
msg (msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
p[1],
proto2ascii_all (&gc));
goto err;
} |
4e9a51d7 |
options->ce.proto = proto; |
30077d1f |
options->ce.af = af; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "proto-force") && p[1] && !p[2]) |
51e6e5b0 |
{
int proto_force;
VERIFY_PERMISSION (OPT_P_GENERAL);
proto_force = ascii2proto (p[1]);
if (proto_force < 0)
{
msg (msglevel, "Bad --proto-force protocol: '%s'", p[1]);
goto err;
}
options->proto_force = proto_force;
} |
3d6a4cde |
else if (streq (p[0], "http-proxy") && p[1] && !p[5]) |
f214bb21 |
{
struct http_proxy_options *ho; |
6fbf66fa |
|
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); |
df5722cc |
|
f214bb21 |
{
if (!p[2])
{
msg (msglevel, "http-proxy port number not defined");
goto err;
}
|
4f879dae |
ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); |
f214bb21 |
ho->server = p[1]; |
076fd3e4 |
ho->port = p[2]; |
f214bb21 |
} |
6fbf66fa |
if (p[3])
{ |
b27dc04c |
/* auto -- try to figure out proxy addr, port, and type automatically */
/* semiauto -- given proxy addr:port, try to figure out type automatically */
/* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */ |
f214bb21 |
if (streq (p[3], "auto")) |
b27dc04c |
ho->auth_retry = PAR_ALL;
else if (streq (p[3], "auto-nct"))
ho->auth_retry = PAR_NCT; |
f214bb21 |
else |
6fbf66fa |
{ |
f214bb21 |
ho->auth_method_string = "basic";
ho->auth_file = p[3];
if (p[4])
{
ho->auth_method_string = p[4];
} |
6fbf66fa |
}
}
else
{
ho->auth_method_string = "none";
}
} |
c9a35a20 |
else if (streq (p[0], "http-proxy-user-pass") && p[1])
{
struct http_proxy_options *ho;
VERIFY_PERMISSION (OPT_P_GENERAL);
ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
ho->auth_file = p[2];
ho->inline_creds = true;
}
else
ho->auth_file = p[1];
} |
2011b832 |
else if (streq (p[0], "http-proxy-retry") || streq (p[0], "socks-proxy-retry")) |
6fbf66fa |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); |
2011b832 |
msg (M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
"In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
"Use connect-retry-max 1 to get a similar behavior as before."); |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "http-proxy-timeout") && p[1] && !p[2]) |
6fbf66fa |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); |
f2134b7b |
msg (M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
"server is established is managed with a single timeout set by connect-timeout"); |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "http-proxy-option") && p[1] && !p[4]) |
6fbf66fa |
{
struct http_proxy_options *ho;
|
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); |
4f879dae |
ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); |
6fbf66fa |
|
3d6a4cde |
if (streq (p[1], "VERSION") && p[2] && !p[3]) |
6fbf66fa |
{
ho->http_version = p[2];
} |
3d6a4cde |
else if (streq (p[1], "AGENT") && p[2] && !p[3]) |
6fbf66fa |
{
ho->user_agent = p[2];
} |
d0cb816c |
else if ((streq (p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
&& p[2])
{
/* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
* with either two argument or one */
struct http_custom_header *custom_header = NULL;
int i;
/* Find the first free header */
for (i=0; i < MAX_CUSTOM_HTTP_HEADER; i++) {
if (!ho->custom_headers[i].name) {
custom_header = &ho->custom_headers[i];
break;
}
}
if (!custom_header)
{
msg (msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
}
else
{
/* We will save p[2] and p[3], the proxy code will detect if
* p[3] is NULL */
custom_header->name = p[2];
custom_header->content = p[3];
}
} |
6fbf66fa |
else
{ |
3d6a4cde |
msg (msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]); |
6fbf66fa |
}
} |
3d6a4cde |
else if (streq (p[0], "socks-proxy") && p[1] && !p[4]) |
6fbf66fa |
{ |
4e9a51d7 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); |
6fbf66fa |
if (p[2]) |
076fd3e4 |
{
options->ce.socks_proxy_port = p[2]; |
6fbf66fa |
}
else
{ |
076fd3e4 |
options->ce.socks_proxy_port = "1080"; |
6fbf66fa |
} |
4e9a51d7 |
options->ce.socks_proxy_server = p[1]; |
fc1fa9ff |
options->ce.socks_proxy_authfile = p[3]; /* might be NULL */ |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "keepalive") && p[1] && p[2] && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->keepalive_ping = atoi (p[1]);
options->keepalive_timeout = atoi (p[2]);
} |
3d6a4cde |
else if (streq (p[0], "ping") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_TIMER);
options->ping_send_timeout = positive_atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "ping-exit") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_TIMER);
options->ping_rec_timeout = positive_atoi (p[1]);
options->ping_rec_timeout_action = PING_EXIT;
} |
3d6a4cde |
else if (streq (p[0], "ping-restart") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_TIMER);
options->ping_rec_timeout = positive_atoi (p[1]);
options->ping_rec_timeout_action = PING_RESTART;
} |
3d6a4cde |
else if (streq (p[0], "ping-timer-rem") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_TIMER);
options->ping_timer_remote = true;
}
#ifdef ENABLE_OCC |
3d6a4cde |
else if (streq (p[0], "explicit-exit-notify") && !p[2]) |
6fbf66fa |
{ |
49f71494 |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY); |
6fbf66fa |
if (p[1])
{ |
76809cae |
options->ce.explicit_exit_notification = positive_atoi (p[1]); |
6fbf66fa |
}
else
{ |
76809cae |
options->ce.explicit_exit_notification = 1; |
6fbf66fa |
}
}
#endif |
3d6a4cde |
else if (streq (p[0], "persist-tun") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_PERSIST);
options->persist_tun = true;
} |
3d6a4cde |
else if (streq (p[0], "persist-key") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_PERSIST);
options->persist_key = true;
} |
3d6a4cde |
else if (streq (p[0], "persist-local-ip") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_PERSIST_IP);
options->persist_local_ip = true;
} |
3d6a4cde |
else if (streq (p[0], "persist-remote-ip") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_PERSIST_IP);
options->persist_remote_ip = true;
} |
3d6a4cde |
else if (streq (p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5]) |
581bef87 |
{
VERIFY_PERMISSION (OPT_P_ROUTE);
cnol_check_alloc (options);
add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
} |
3d6a4cde |
else if (streq (p[0], "route") && p[1] && !p[5]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_ROUTE);
rol_check_alloc (options); |
b4073a76 |
if (pull_mode)
{ |
0a838de8 |
if (!ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && !is_special_addr (p[1])) /* FQDN -- may be DNS name */ |
b4073a76 |
{ |
0a838de8 |
msg (msglevel, "route parameter network/IP '%s' must be a valid address", p[1]); |
b4073a76 |
goto err;
} |
0a838de8 |
if (p[2] && !ip_addr_dotted_quad_safe (p[2])) /* FQDN -- must be IP address */ |
b4073a76 |
{ |
0a838de8 |
msg (msglevel, "route parameter netmask '%s' must be an IP address", p[2]); |
b4073a76 |
goto err;
} |
0a838de8 |
if (p[3] && !ip_or_dns_addr_safe (p[3], options->allow_pull_fqdn) && !is_special_addr (p[3])) /* FQDN -- may be DNS name */ |
b4073a76 |
{ |
0a838de8 |
msg (msglevel, "route parameter gateway '%s' must be a valid address", p[3]); |
b4073a76 |
goto err;
}
} |
6fbf66fa |
add_route_to_option_list (options->routes, p[1], p[2], p[3], p[4]);
} |
3d6a4cde |
else if (streq (p[0], "route-ipv6") && p[1] && !p[4]) |
512cda46 |
{
VERIFY_PERMISSION (OPT_P_ROUTE);
rol6_check_alloc (options);
if (pull_mode)
{
if (!ipv6_addr_safe_hexplusbits (p[1]))
{
msg (msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
goto err;
}
if (p[2] && !ipv6_addr_safe (p[2]))
{
msg (msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
goto err;
}
/* p[3] is metric, if present */
}
add_route_ipv6_to_option_list (options->routes_ipv6, p[1], p[2], p[3]);
} |
3d6a4cde |
else if (streq (p[0], "max-routes") && !p[2]) |
673f583f |
{ |
4affd9c9 |
msg (M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
"The number of routes is unlimited as of version 2.4. "
"This option will be removed in a future version, "
"please remove it from your configuration."); |
673f583f |
} |
3d6a4cde |
else if (streq (p[0], "route-gateway") && p[1] && !p[2]) |
6fbf66fa |
{ |
3c7f2f55 |
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); |
03731db3 |
if (streq (p[1], "dhcp")) |
b4073a76 |
{ |
03731db3 |
options->route_gateway_via_dhcp = true; |
b4073a76 |
}
else
{ |
0a838de8 |
if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */ |
03731db3 |
{
options->route_default_gateway = p[1];
}
else
{ |
0a838de8 |
msg (msglevel, "route-gateway parm '%s' must be a valid address", p[1]); |
03731db3 |
goto err;
} |
b4073a76 |
} |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "route-metric") && p[1] && !p[2]) |
40ac3d7a |
{
VERIFY_PERMISSION (OPT_P_ROUTE);
options->route_default_metric = positive_atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "route-delay") && !p[3]) |
6fbf66fa |
{ |
3c7f2f55 |
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); |
6fbf66fa |
options->route_delay_defined = true;
if (p[1])
{
options->route_delay = positive_atoi (p[1]);
if (p[2])
{
options->route_delay_window = positive_atoi (p[2]);
}
}
else
{
options->route_delay = 0;
}
}
else if (streq (p[0], "route-up") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err; |
b77bffe8 |
set_user_script (options, &options->route_script, p[1], "route-up", false); |
6fbf66fa |
} |
415421c2 |
else if (streq (p[0], "route-pre-down") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err; |
9b6a5028 |
set_user_script (options,
&options->route_predown_script,
p[1], |
b77bffe8 |
"route-pre-down", true); |
415421c2 |
} |
3d6a4cde |
else if (streq (p[0], "route-noexec") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
options->route_noexec = true;
} |
3d6a4cde |
else if (streq (p[0], "route-nopull") && !p[1]) |
3c7f2f55 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->route_nopull = true;
} |
7f74c27e |
else if (streq (p[0], "pull-filter") && p[1] && p[2] && !p[3])
{
struct pull_filter *f;
VERIFY_PERMISSION (OPT_P_GENERAL)
f = alloc_pull_filter (options, msglevel);
if (strcmp ("accept", p[1]) == 0)
f->type = PUF_TYPE_ACCEPT;
else if (strcmp ("ignore", p[1]) == 0)
f->type = PUF_TYPE_IGNORE;
else if (strcmp ("reject", p[1]) == 0)
f->type = PUF_TYPE_REJECT;
else
{
msg (msglevel, "Unknown --pull-filter type: %s", p[1]);
goto err;
}
f->pattern = p[2];
f->size = strlen(p[2]);
} |
3d6a4cde |
else if (streq (p[0], "allow-pull-fqdn") && !p[1]) |
0a838de8 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->allow_pull_fqdn = true;
} |
b723833b |
else if (streq (p[0], "redirect-gateway") || streq (p[0], "redirect-private")) |
6fbf66fa |
{
int j;
VERIFY_PERMISSION (OPT_P_ROUTE);
rol_check_alloc (options); |
8e952ed1 |
if (streq (p[0], "redirect-gateway"))
options->routes->flags |= RG_REROUTE_GW; |
6fbf66fa |
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
{
if (streq (p[j], "local")) |
3c7f2f55 |
options->routes->flags |= RG_LOCAL; |
775a6ac2 |
else if (streq (p[j], "autolocal"))
options->routes->flags |= RG_AUTO_LOCAL; |
6fbf66fa |
else if (streq (p[j], "def1")) |
3c7f2f55 |
options->routes->flags |= RG_DEF1;
else if (streq (p[j], "bypass-dhcp"))
options->routes->flags |= RG_BYPASS_DHCP;
else if (streq (p[j], "bypass-dns"))
options->routes->flags |= RG_BYPASS_DNS; |
7fb0e07e |
else if (streq (p[j], "block-local"))
options->routes->flags |= RG_BLOCK_LOCAL; |
d227929b |
else if (streq (p[j], "ipv6"))
{
rol6_check_alloc (options);
options->routes_ipv6->flags |= RG_REROUTE_GW;
}
else if (streq (p[j], "!ipv4"))
options->routes->flags &= ~RG_REROUTE_GW; |
6fbf66fa |
else
{ |
b723833b |
msg (msglevel, "unknown --%s flag: %s", p[0], p[j]); |
6fbf66fa |
goto err;
}
} |
3c7f2f55 |
options->routes->flags |= RG_ENABLE; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "remote-random-hostname") && !p[1]) |
8e9666d5 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->sockflags |= SF_HOST_RANDOMIZE;
} |
3d6a4cde |
else if (streq (p[0], "setenv") && p[1] && !p[3]) |
6fbf66fa |
{ |
07d19ba7 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
3d6a4cde |
if (streq (p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2]) |
8e9666d5 |
{
options->sockflags |= SF_HOST_RANDOMIZE;
} |
0f9c77b7 |
else if (streq (p[1], "GENERIC_CONFIG"))
{
msg (msglevel, "this is a generic configuration and cannot directly be used");
goto err;
} |
6c34e74f |
#ifdef ENABLE_PUSH_PEER_INFO |
3d6a4cde |
else if (streq (p[1], "PUSH_PEER_INFO") && !p[2]) |
6c34e74f |
{
options->push_peer_info = true;
}
#endif |
e1e977f3 |
else if (streq (p[1], "SERVER_POLL_TIMEOUT") && p[2])
{ |
f2134b7b |
options->ce.connect_timeout = positive_atoi(p[2]); |
e1e977f3 |
} |
8e9666d5 |
else |
373faab1 |
{ |
8e9666d5 |
if (streq (p[1], "FORWARD_COMPATIBLE") && p[2] && streq (p[2], "1"))
{
options->forward_compatible = true;
msglevel_fc = msglevel_forward_compatible (options, msglevel);
}
setenv_str (es, p[1], p[2] ? p[2] : ""); |
373faab1 |
} |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "setenv-safe") && p[1] && !p[3]) |
07d19ba7 |
{
VERIFY_PERMISSION (OPT_P_SETENV); |
47ae8457 |
setenv_str_safe (es, p[1], p[2] ? p[2] : ""); |
07d19ba7 |
} |
3d6a4cde |
else if (streq (p[0], "script-security") && p[1] && !p[2]) |
5a2e9a25 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
script_security = atoi (p[1]); |
a8281352 |
} |
3d6a4cde |
else if (streq (p[0], "mssfix") && !p[2]) |
6fbf66fa |
{ |
76809cae |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); |
6fbf66fa |
if (p[1])
{ |
76809cae |
options->ce.mssfix = positive_atoi (p[1]); |
6fbf66fa |
}
else |
76809cae |
options->ce.mssfix_default = true; |
6fbf66fa |
}
#ifdef ENABLE_OCC |
3d6a4cde |
else if (streq (p[0], "disable-occ") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->occ = false;
}
#endif
#if P2MP
#if P2MP_SERVER |
3d6a4cde |
else if (streq (p[0], "server") && p[1] && p[2] && !p[4]) |
6fbf66fa |
{
const int lev = M_WARN;
bool error = false;
in_addr_t network, netmask;
VERIFY_PERMISSION (OPT_P_GENERAL);
network = get_ip_addr (p[1], lev, &error);
netmask = get_ip_addr (p[2], lev, &error);
if (error || !network || !netmask)
{
msg (msglevel, "error parsing --server parameters");
goto err;
}
options->server_defined = true;
options->server_network = network;
options->server_netmask = netmask; |
3c7f2f55 |
if (p[3])
{
if (streq (p[3], "nopool"))
options->server_flags |= SF_NOPOOL;
else
{
msg (msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
goto err;
}
} |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "server-ipv6") && p[1] && !p[3]) |
512cda46 |
{
const int lev = M_WARN;
struct in6_addr network;
unsigned int netbits = 0;
VERIFY_PERMISSION (OPT_P_GENERAL); |
4f19cd1d |
if ( ! get_ipv6_addr (p[1], &network, &netbits, lev) ) |
512cda46 |
{
msg (msglevel, "error parsing --server-ipv6 parameter");
goto err;
} |
c55e9562 |
if ( netbits < 64 || netbits > 112 ) |
512cda46 |
{ |
c55e9562 |
msg( msglevel, "--server-ipv6 settings: only /64../112 supported right now (not /%d)", netbits ); |
512cda46 |
goto err;
}
options->server_ipv6_defined = true;
options->server_network_ipv6 = network;
options->server_netbits_ipv6 = netbits;
if (p[2]) /* no "nopool" options or similar for IPv6 */
{ |
1840c852 |
msg (msglevel, "error parsing --server-ipv6: %s is not a recognized flag", p[3]); |
512cda46 |
goto err;
}
} |
3d6a4cde |
else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5]) |
6fbf66fa |
{
const int lev = M_WARN;
bool error = false;
in_addr_t ip, netmask, pool_start, pool_end;
VERIFY_PERMISSION (OPT_P_GENERAL);
ip = get_ip_addr (p[1], lev, &error);
netmask = get_ip_addr (p[2], lev, &error);
pool_start = get_ip_addr (p[3], lev, &error);
pool_end = get_ip_addr (p[4], lev, &error);
if (error || !ip || !netmask || !pool_start || !pool_end)
{
msg (msglevel, "error parsing --server-bridge parameters");
goto err;
}
options->server_bridge_defined = true;
options->server_bridge_ip = ip;
options->server_bridge_netmask = netmask;
options->server_bridge_pool_start = pool_start;
options->server_bridge_pool_end = pool_end;
} |
3d6a4cde |
else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw") && !p[2]) |
148329ca |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->server_bridge_proxy_dhcp = true;
options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
} |
03731db3 |
else if (streq (p[0], "server-bridge") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->server_bridge_proxy_dhcp = true;
} |
3d6a4cde |
else if (streq (p[0], "push") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_PUSH); |
eadf16a6 |
push_options (options, &p[1], msglevel, &options->gc); |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "push-reset") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_INSTANCE);
push_reset (options);
} |
970312f1 |
else if (streq (p[0], "push-remove") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_INSTANCE); |
974ec19d |
msg (D_PUSH, "PUSH_REMOVE '%s'", p[1]); |
970312f1 |
push_remove_option (options,p[1]);
} |
3d6a4cde |
else if (streq (p[0], "ifconfig-pool") && p[1] && p[2] && !p[4]) |
6fbf66fa |
{
const int lev = M_WARN;
bool error = false;
in_addr_t start, end, netmask=0;
VERIFY_PERMISSION (OPT_P_GENERAL);
start = get_ip_addr (p[1], lev, &error);
end = get_ip_addr (p[2], lev, &error);
if (p[3])
{
netmask = get_ip_addr (p[3], lev, &error);
}
if (error)
{
msg (msglevel, "error parsing --ifconfig-pool parameters");
goto err;
} |
92bbb061 |
if (!ifconfig_pool_verify_range (msglevel, start, end))
goto err; |
6fbf66fa |
options->ifconfig_pool_defined = true;
options->ifconfig_pool_start = start;
options->ifconfig_pool_end = end; |
223b2c51 |
if (netmask)
options->ifconfig_pool_netmask = netmask; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "ifconfig-pool-persist") && p[1] && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ifconfig_pool_persist_filename = p[1];
if (p[2])
{
options->ifconfig_pool_persist_refresh_freq = positive_atoi (p[2]);
}
} |
3d6a4cde |
else if (streq (p[0], "ifconfig-pool-linear") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
3c7f2f55 |
options->topology = TOP_P2P; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] && !p[2]) |
512cda46 |
{
const int lev = M_WARN;
struct in6_addr network;
unsigned int netbits = 0;
VERIFY_PERMISSION (OPT_P_GENERAL); |
4f19cd1d |
if ( ! get_ipv6_addr (p[1], &network, &netbits, lev ) ) |
512cda46 |
{
msg (msglevel, "error parsing --ifconfig-ipv6-pool parameters");
goto err;
} |
704d9273 |
if ( netbits < 64 || netbits > 112 ) |
512cda46 |
{ |
704d9273 |
msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits ); |
512cda46 |
goto err;
}
options->ifconfig_ipv6_pool_defined = true;
options->ifconfig_ipv6_pool_base = network;
options->ifconfig_ipv6_pool_netbits = netbits;
} |
3d6a4cde |
else if (streq (p[0], "hash-size") && p[1] && p[2] && !p[3]) |
6fbf66fa |
{
int real, virtual;
VERIFY_PERMISSION (OPT_P_GENERAL);
real = atoi (p[1]);
virtual = atoi (p[2]);
if (real < 1 || virtual < 1)
{
msg (msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
goto err;
}
options->real_hash_size = real;
options->virtual_hash_size = real;
} |
3d6a4cde |
else if (streq (p[0], "connect-freq") && p[1] && p[2] && !p[3]) |
6fbf66fa |
{
int cf_max, cf_per;
VERIFY_PERMISSION (OPT_P_GENERAL);
cf_max = atoi (p[1]);
cf_per = atoi (p[2]);
if (cf_max < 0 || cf_per < 0)
{
msg (msglevel, "--connect-freq parms must be > 0");
goto err;
}
options->cf_max = cf_max;
options->cf_per = cf_per;
} |
3d6a4cde |
else if (streq (p[0], "max-clients") && p[1] && !p[2]) |
6fbf66fa |
{
int max_clients;
VERIFY_PERMISSION (OPT_P_GENERAL);
max_clients = atoi (p[1]);
if (max_clients < 0)
{
msg (msglevel, "--max-clients must be at least 1");
goto err;
} |
e8e1377d |
if (max_clients >= MAX_PEER_ID) /* max peer-id value */
{
msg (msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
goto err;
} |
6fbf66fa |
options->max_clients = max_clients;
} |
3d6a4cde |
else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_INHERIT);
options->max_routes_per_client = max_int (atoi (p[1]), 1);
} |
3d6a4cde |
else if (streq (p[0], "client-cert-not-required") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
24ce3b27 |
options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED; |
b8cdb213 |
msg (M_WARN, "DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead");
}
else if (streq (p[0], "verify-client-cert") && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
/* Reset any existing flags */
options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
if (p[1])
{
if (streq (p[1], "none"))
options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
else if (streq (p[1], "optional"))
options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
else if (!streq (p[1], "require"))
{
msg (msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
goto err;
}
} |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "username-as-common-name") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
24ce3b27 |
options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
} |
3d6a4cde |
else if (streq (p[0], "auth-user-pass-optional") && !p[1]) |
24ce3b27 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "opt-verify") && !p[1]) |
09cc9c81 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ssl_flags |= SSLF_OPT_VERIFY;
} |
6fbf66fa |
else if (streq (p[0], "auth-user-pass-verify") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 3, NM_QUOTE_HINT))
goto err;
if (p[2])
{
if (streq (p[2], "via-env"))
options->auth_user_pass_verify_script_via_file = false;
else if (streq (p[2], "via-file"))
options->auth_user_pass_verify_script_via_file = true;
else
{
msg (msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
goto err;
}
}
else
{
msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
goto err;
} |
9b6a5028 |
set_user_script (options,
&options->auth_user_pass_verify_script, |
b77bffe8 |
p[1], "auth-user-pass-verify", true); |
6fbf66fa |
} |
58066d04 |
else if (streq (p[0], "auth-gen-token"))
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->auth_token_generate = true;
options->auth_token_lifetime = p[1] ? positive_atoi (p[1]) : 0;
} |
6fbf66fa |
else if (streq (p[0], "client-connect") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err; |
9b6a5028 |
set_user_script (options, &options->client_connect_script, |
b77bffe8 |
p[1], "client-connect", true); |
6fbf66fa |
}
else if (streq (p[0], "client-disconnect") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err; |
9b6a5028 |
set_user_script (options, &options->client_disconnect_script, |
b77bffe8 |
p[1], "client-disconnect", true); |
6fbf66fa |
}
else if (streq (p[0], "learn-address") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err; |
9b6a5028 |
set_user_script (options, &options->learn_address_script, |
b77bffe8 |
p[1], "learn-address", true); |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "tmp-dir") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->tmp_dir = p[1];
} |
3d6a4cde |
else if (streq (p[0], "client-config-dir") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->client_config_dir = p[1];
} |
3d6a4cde |
else if (streq (p[0], "ccd-exclusive") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ccd_exclusive = true;
} |
3d6a4cde |
else if (streq (p[0], "bcast-buffers") && p[1] && !p[2]) |
6fbf66fa |
{
int n_bcast_buf;
VERIFY_PERMISSION (OPT_P_GENERAL);
n_bcast_buf = atoi (p[1]);
if (n_bcast_buf < 1)
msg (msglevel, "--bcast-buffers parameter must be > 0");
options->n_bcast_buf = n_bcast_buf;
} |
3d6a4cde |
else if (streq (p[0], "tcp-queue-limit") && p[1] && !p[2]) |
6fbf66fa |
{
int tcp_queue_limit;
VERIFY_PERMISSION (OPT_P_GENERAL);
tcp_queue_limit = atoi (p[1]);
if (tcp_queue_limit < 1)
msg (msglevel, "--tcp-queue-limit parameter must be > 0");
options->tcp_queue_limit = tcp_queue_limit;
} |
6add6b2f |
#if PORT_SHARE |
3d6a4cde |
else if (streq (p[0], "port-share") && p[1] && p[2] && !p[4]) |
6add6b2f |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->port_share_host = p[1]; |
076fd3e4 |
options->port_share_port = p[2]; |
1c5ff772 |
options->port_share_journal_dir = p[3]; |
6add6b2f |
}
#endif |
3d6a4cde |
else if (streq (p[0], "client-to-client") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->enable_c2c = true;
} |
3d6a4cde |
else if (streq (p[0], "duplicate-cn") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->duplicate_cn = true;
} |
3d6a4cde |
else if (streq (p[0], "iroute") && p[1] && !p[3]) |
6fbf66fa |
{
const char *netmask = NULL;
VERIFY_PERMISSION (OPT_P_INSTANCE);
if (p[2])
{
netmask = p[2];
}
option_iroute (options, p[1], netmask, msglevel);
} |
3d6a4cde |
else if (streq (p[0], "iroute-ipv6") && p[1] && !p[2]) |
512cda46 |
{
VERIFY_PERMISSION (OPT_P_INSTANCE);
option_iroute_ipv6 (options, p[1], msglevel);
} |
3d6a4cde |
else if (streq (p[0], "ifconfig-push") && p[1] && p[2] && !p[4]) |
6fbf66fa |
{
in_addr_t local, remote_netmask;
VERIFY_PERMISSION (OPT_P_INSTANCE);
local = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
remote_netmask = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
if (local && remote_netmask)
{
options->push_ifconfig_defined = true;
options->push_ifconfig_local = local;
options->push_ifconfig_remote_netmask = remote_netmask; |
581bef87 |
if (p[3])
options->push_ifconfig_local_alias = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL); |
6fbf66fa |
}
else
{
msg (msglevel, "cannot parse --ifconfig-push addresses");
goto err;
}
} |
3d6a4cde |
else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3]) |
3c7f2f55 |
{
in_addr_t network, netmask;
VERIFY_PERMISSION (OPT_P_GENERAL);
network = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
netmask = getaddr (GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
if (network && netmask)
{
options->push_ifconfig_constraint_defined = true;
options->push_ifconfig_constraint_network = network;
options->push_ifconfig_constraint_netmask = netmask;
}
else
{
msg (msglevel, "cannot parse --ifconfig-push-constraint addresses");
goto err;
}
} |
3d6a4cde |
else if (streq (p[0], "ifconfig-ipv6-push") && p[1] && !p[3]) |
1840c852 |
{
struct in6_addr local, remote;
unsigned int netbits;
VERIFY_PERMISSION (OPT_P_INSTANCE);
|
4f19cd1d |
if ( ! get_ipv6_addr( p[1], &local, &netbits, msglevel ) ) |
1840c852 |
{
msg (msglevel, "cannot parse --ifconfig-ipv6-push addresses");
goto err;
}
if ( p[2] )
{ |
4f19cd1d |
if ( !get_ipv6_addr( p[2], &remote, NULL, msglevel ) ) |
1840c852 |
{
msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
goto err;
}
}
else
{
if ( ! options->ifconfig_ipv6_local ||
! get_ipv6_addr( options->ifconfig_ipv6_local, &remote, |
4f19cd1d |
NULL, msglevel ) ) |
1840c852 |
{
msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
goto err;
}
}
options->push_ifconfig_ipv6_defined = true;
options->push_ifconfig_ipv6_local = local;
options->push_ifconfig_ipv6_netbits = netbits;
options->push_ifconfig_ipv6_remote = remote; |
970312f1 |
options->push_ifconfig_ipv6_blocked = false; |
1840c852 |
} |
3d6a4cde |
else if (streq (p[0], "disable") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_INSTANCE);
options->disable = true;
} |
3d6a4cde |
else if (streq (p[0], "tcp-nodelay") && !p[1]) |
ae3b3746 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->server_flags |= SF_TCP_NODELAY_HELPER;
} |
3d6a4cde |
else if (streq (p[0], "stale-routes-check") && p[1] && !p[3]) |
32ab329b |
{
int ageing_time, check_interval;
VERIFY_PERMISSION (OPT_P_GENERAL);
ageing_time = atoi (p[1]);
if (p[2])
check_interval = atoi (p[2]);
else
check_interval = ageing_time;
if (ageing_time < 1 || check_interval < 1)
{
msg (msglevel, "--stale-routes-check aging time and check interval must be >= 1");
goto err;
}
options->stale_routes_ageing_time = ageing_time;
options->stale_routes_check_interval = check_interval;
} |
6fbf66fa |
#endif /* P2MP_SERVER */
|
3d6a4cde |
else if (streq (p[0], "client") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->client = true;
} |
3d6a4cde |
else if (streq (p[0], "pull") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pull = true;
} |
3d6a4cde |
else if (streq (p[0], "push-continuation") && p[1] && !p[2]) |
3eee126e |
{
VERIFY_PERMISSION (OPT_P_PULL_MODE);
options->push_continuation = atoi(p[1]);
} |
3d6a4cde |
else if (streq (p[0], "auth-user-pass") && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (p[1])
{
options->auth_user_pass_file = p[1];
}
else
options->auth_user_pass_file = "stdin";
} |
3d6a4cde |
else if (streq (p[0], "auth-retry") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
auth_retry_set (msglevel, p[1]);
} |
eab3e22f |
#ifdef ENABLE_CLIENT_CR |
3d6a4cde |
else if (streq (p[0], "static-challenge") && p[1] && p[2] && !p[3]) |
eab3e22f |
{ |
75987303 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
eab3e22f |
options->sc_info.challenge_text = p[1];
if (atoi(p[2]))
options->sc_info.flags |= SC_ECHO;
}
#endif |
6fbf66fa |
#endif |
a24dd2e3 |
else if (streq (p[0], "msg-channel") && p[1])
{
#ifdef WIN32
VERIFY_PERMISSION (OPT_P_GENERAL);
HANDLE process = GetCurrentProcess ();
HANDLE handle = (HANDLE) atoi (p[1]);
if (!DuplicateHandle (process, handle, process, &options->msg_channel, 0,
FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
{
msg (msglevel, "could not duplicate service pipe handle");
goto err;
}
options->route_method = ROUTE_METHOD_SERVICE;
#else
msg (msglevel, "--msg-channel is only supported on Windows");
goto err;
#endif
} |
6fbf66fa |
#ifdef WIN32 |
3d6a4cde |
else if (streq (p[0], "win-sys") && p[1] && !p[2]) |
5a2e9a25 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "env")) |
9f6ac06b |
msg (M_INFO, "NOTE: --win-sys env is default from OpenVPN v2.3. "
"This entry will now be ignored. "
"Please remove this entry from your configuration file."); |
5a2e9a25 |
else
set_win_sys_path (p[1], es);
} |
3d6a4cde |
else if (streq (p[0], "route-method") && p[1] && !p[2]) |
6fbf66fa |
{ |
3c7f2f55 |
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); |
6215931b |
if (streq (p[1], "adaptive"))
options->route_method = ROUTE_METHOD_ADAPTIVE;
else if (streq (p[1], "ipapi")) |
6fbf66fa |
options->route_method = ROUTE_METHOD_IPAPI;
else if (streq (p[1], "exe"))
options->route_method = ROUTE_METHOD_EXE;
else
{ |
6215931b |
msg (msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'"); |
6fbf66fa |
goto err;
}
} |
3d6a4cde |
else if (streq (p[0], "ip-win32") && p[1] && !p[4]) |
6fbf66fa |
{
const int index = ascii2ipset (p[1]);
struct tuntap_options *to = &options->tuntap_options;
VERIFY_PERMISSION (OPT_P_IPWIN32);
if (index < 0)
{
msg (msglevel,
"Bad --ip-win32 method: '%s'. Allowed methods: %s",
p[1],
ipset2ascii_all (&gc));
goto err;
}
|
c67d59cd |
if (index == IPW32_SET_ADAPTIVE)
options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
|
6fbf66fa |
if (index == IPW32_SET_DHCP_MASQ)
{
if (p[2])
{
if (!streq (p[2], "default"))
{
int offset = atoi (p[2]);
if (!(offset > -256 && offset < 256))
{
msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
goto err;
}
to->dhcp_masq_custom_offset = true;
to->dhcp_masq_offset = offset;
}
if (p[3])
{
const int min_lease = 30;
int lease_time;
lease_time = atoi (p[3]);
if (lease_time < min_lease)
{
msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
goto err;
}
to->dhcp_lease_time = lease_time;
}
}
}
to->ip_win32_type = index;
to->ip_win32_defined = true;
} |
a55b3cdb |
#endif
#if defined(WIN32) || defined(TARGET_ANDROID) |
3d6a4cde |
else if (streq (p[0], "dhcp-option") && p[1] && !p[3]) |
6fbf66fa |
{
struct tuntap_options *o = &options->tuntap_options;
VERIFY_PERMISSION (OPT_P_IPWIN32);
if (streq (p[1], "DOMAIN") && p[2])
{
o->domain = p[2];
}
else if (streq (p[1], "NBS") && p[2])
{
o->netbios_scope = p[2];
}
else if (streq (p[1], "NBT") && p[2])
{
int t;
t = atoi (p[2]);
if (!(t == 1 || t == 2 || t == 4 || t == 8))
{
msg (msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
goto err;
}
o->netbios_node_type = t;
}
else if (streq (p[1], "DNS") && p[2])
{
dhcp_option_address_parse ("DNS", p[2], o->dns, &o->dns_len, msglevel);
}
else if (streq (p[1], "WINS") && p[2])
{
dhcp_option_address_parse ("WINS", p[2], o->wins, &o->wins_len, msglevel);
}
else if (streq (p[1], "NTP") && p[2])
{
dhcp_option_address_parse ("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
}
else if (streq (p[1], "NBDD") && p[2])
{
dhcp_option_address_parse ("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
} |
3d6a4cde |
else if (streq (p[1], "DISABLE-NBT") && !p[2]) |
6fbf66fa |
{
o->disable_nbt = 1;
}
else
{ |
3d6a4cde |
msg (msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]); |
6fbf66fa |
goto err;
}
o->dhcp_options = true;
} |
a55b3cdb |
#endif
#ifdef WIN32 |
3d6a4cde |
else if (streq (p[0], "show-adapters") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
ac2447cd |
show_tap_win_adapters (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX); |
6fbf66fa |
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
} |
3d6a4cde |
else if (streq (p[0], "show-net") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
show_routes (M_INFO|M_NOPREFIX);
show_adapters (M_INFO|M_NOPREFIX);
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
} |
3d6a4cde |
else if (streq (p[0], "show-net-up") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_UP);
options->show_net_up = true;
} |
3d6a4cde |
else if (streq (p[0], "tap-sleep") && p[1] && !p[2]) |
6fbf66fa |
{
int s;
VERIFY_PERMISSION (OPT_P_IPWIN32);
s = atoi (p[1]);
if (s < 0 || s >= 256)
{
msg (msglevel, "--tap-sleep parameter must be between 0 and 255");
goto err;
}
options->tuntap_options.tap_sleep = s;
} |
3d6a4cde |
else if (streq (p[0], "dhcp-renew") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
options->tuntap_options.dhcp_renew = true;
} |
3d6a4cde |
else if (streq (p[0], "dhcp-pre-release") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
options->tuntap_options.dhcp_pre_release = true;
} |
3d6a4cde |
else if (streq (p[0], "dhcp-release") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
options->tuntap_options.dhcp_release = true;
} |
3d6a4cde |
else if (streq (p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */ |
5c30df12 |
{
unsigned int adapter_index;
VERIFY_PERMISSION (OPT_P_GENERAL);
set_debug_level (options->verbosity, SDL_CONSTRAIN);
adapter_index = atou (p[1]);
sleep (options->tuntap_options.tap_sleep);
if (options->tuntap_options.dhcp_pre_release)
dhcp_release_by_adapter_index (adapter_index);
if (options->tuntap_options.dhcp_renew)
dhcp_renew_by_adapter_index (adapter_index); |
b90c6f17 |
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
} |
3d6a4cde |
else if (streq (p[0], "register-dns") && !p[1]) |
b90c6f17 |
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
options->tuntap_options.register_dns = true;
} |
38c85658 |
else if (streq (p[0], "block-outside-dns") && !p[1])
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
options->block_outside_dns = true;
} |
3d6a4cde |
else if (streq (p[0], "rdns-internal") && !p[1]) |
cdb3a5c0 |
/* standalone method for internal use
*
* (if --register-dns is set, openvpn needs to call itself in a
* sub-process to execute the required functions in a non-blocking
* way, and uses --rdns-internal to signal that to itself)
*/ |
b90c6f17 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
set_debug_level (options->verbosity, SDL_CONSTRAIN);
if (options->tuntap_options.register_dns)
ipconfig_register_dns (NULL);
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ |
5c30df12 |
} |
3d6a4cde |
else if (streq (p[0], "show-valid-subnets") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
show_valid_win32_tun_subnets (); |
b90c6f17 |
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "pause-exit") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
set_pause_exit_win32 ();
} |
3d6a4cde |
else if (streq (p[0], "service") && p[1] && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->exit_event_name = p[1];
if (p[2])
{
options->exit_event_initial_state = (atoi(p[2]) != 0);
}
} |
3d6a4cde |
else if (streq (p[0], "allow-nonadmin") && !p[2]) |
3c7f2f55 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
tap_allow_nonadmin_access (p[1]);
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
} |
3d6a4cde |
else if (streq (p[0], "user") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
msg (M_WARN, "NOTE: --user option is not implemented on Windows");
} |
3d6a4cde |
else if (streq (p[0], "group") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
msg (M_WARN, "NOTE: --group option is not implemented on Windows");
}
#else |
3d6a4cde |
else if (streq (p[0], "user") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->username = p[1];
} |
3d6a4cde |
else if (streq (p[0], "group") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->groupname = p[1];
} |
3d6a4cde |
else if (streq (p[0], "dhcp-option") && p[1] && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
foreign_option (options, p, 3, es);
} |
3d6a4cde |
else if (streq (p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */ |
6fbf66fa |
{ |
3c7f2f55 |
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); |
6fbf66fa |
}
#endif
#if PASSTOS_CAPABILITY |
3d6a4cde |
else if (streq (p[0], "passtos") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->passtos = true;
}
#endif |
38d96bd7 |
#if defined(USE_COMP) |
3d6a4cde |
else if (streq (p[0], "comp-lzo") && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_COMP); |
38d96bd7 |
#if defined(ENABLE_LZO)
if (p[1] && streq (p[1], "no"))
#endif
{
options->comp.alg = COMP_ALG_STUB;
options->comp.flags = 0;
}
#if defined(ENABLE_LZO)
else if (p[1]) |
537073fd |
{
if (streq (p[1], "yes")) |
38d96bd7 |
{
options->comp.alg = COMP_ALG_LZO;
options->comp.flags = 0;
} |
537073fd |
else if (streq (p[1], "adaptive")) |
38d96bd7 |
{
options->comp.alg = COMP_ALG_LZO;
options->comp.flags = COMP_F_ADAPTIVE;
} |
537073fd |
else
{
msg (msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
goto err;
}
}
else |
38d96bd7 |
{
options->comp.alg = COMP_ALG_LZO;
options->comp.flags = COMP_F_ADAPTIVE;
}
#endif |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "comp-noadapt") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_COMP); |
38d96bd7 |
options->comp.flags &= ~COMP_F_ADAPTIVE;
} |
3d6a4cde |
else if (streq (p[0], "compress") && !p[2]) |
38d96bd7 |
{
VERIFY_PERMISSION (OPT_P_COMP);
if (p[1])
{
if (streq (p[1], "stub"))
{
options->comp.alg = COMP_ALG_STUB;
options->comp.flags = (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
} |
a75bb2e4 |
else if (streq(p[1], "stub-v2"))
{
options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
options->comp.flags = COMP_F_ADVERTISE_STUBS_ONLY;
} |
38d96bd7 |
#if defined(ENABLE_LZO)
else if (streq (p[1], "lzo"))
{
options->comp.alg = COMP_ALG_LZO; |
67b3de98 |
options->comp.flags = 0; |
38d96bd7 |
}
#endif |
40efb635 |
#if defined(ENABLE_LZ4)
else if (streq (p[1], "lz4"))
{
options->comp.alg = COMP_ALG_LZ4;
options->comp.flags = COMP_F_SWAP;
} |
a75bb2e4 |
else if (streq (p[1], "lz4-v2"))
{
options->comp.alg = COMP_ALGV2_LZ4; |
67b3de98 |
options->comp.flags = 0; |
a75bb2e4 |
} |
40efb635 |
#endif |
38d96bd7 |
else
{
msg (msglevel, "bad comp option: %s", p[1]);
goto err;
}
}
else
{
options->comp.alg = COMP_ALG_STUB;
options->comp.flags = COMP_F_SWAP;
} |
6fbf66fa |
} |
38d96bd7 |
#endif /* USE_COMP */ |
9b33b5a4 |
#ifdef ENABLE_CRYPTO |
3d6a4cde |
else if (streq (p[0], "show-ciphers") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->show_ciphers = true;
} |
3d6a4cde |
else if (streq (p[0], "show-digests") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->show_digests = true;
} |
3d6a4cde |
else if (streq (p[0], "show-engines") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->show_engines = true;
} |
3d6a4cde |
else if (streq (p[0], "key-direction") && p[1] && !p[2]) |
c959fc74 |
{
int key_direction;
key_direction = ascii2keydirection (msglevel, p[1]);
if (key_direction >= 0)
options->key_direction = key_direction;
else
goto err;
} |
3d6a4cde |
else if (streq (p[0], "secret") && p[1] && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
c959fc74 |
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->shared_secret_file_inline = p[2];
}
else |
6fbf66fa |
if (p[2])
{
int key_direction;
key_direction = ascii2keydirection (msglevel, p[2]);
if (key_direction >= 0)
options->key_direction = key_direction;
else
goto err;
}
options->shared_secret_file = p[1];
} |
3d6a4cde |
else if (streq (p[0], "genkey") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->genkey = true;
} |
3d6a4cde |
else if (streq (p[0], "auth") && p[1] && !p[2]) |
6fbf66fa |
{ |
d728ebed |
VERIFY_PERMISSION (OPT_P_GENERAL); |
6fbf66fa |
options->authname = p[1];
} |
3d6a4cde |
else if (streq (p[0], "cipher") && p[1] && !p[2]) |
6fbf66fa |
{ |
d728ebed |
VERIFY_PERMISSION (OPT_P_NCP); |
6fbf66fa |
options->ciphername = p[1];
} |
d728ebed |
else if (streq (p[0], "ncp-ciphers") && p[1] && !p[2])
{ |
834f602f |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE); |
d728ebed |
options->ncp_ciphers = p[1];
}
else if (streq (p[0], "ncp-disable") && !p[1])
{ |
834f602f |
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE); |
d728ebed |
options->ncp_enabled = false;
} |
3d6a4cde |
else if (streq (p[0], "prng") && p[1] && !p[3]) |
03bfb228 |
{ |
d728ebed |
VERIFY_PERMISSION (OPT_P_GENERAL); |
03bfb228 |
if (streq (p[1], "none"))
options->prng_hash = NULL;
else
options->prng_hash = p[1];
if (p[2])
{
const int sl = atoi (p[2]);
if (sl >= NONCE_SECRET_LEN_MIN && sl <= NONCE_SECRET_LEN_MAX)
{
options->prng_nonce_secret_len = sl;
}
else
{
msg (msglevel, "prng parameter nonce_secret_len must be between %d and %d",
NONCE_SECRET_LEN_MIN, NONCE_SECRET_LEN_MAX);
goto err;
}
}
} |
3d6a4cde |
else if (streq (p[0], "no-replay") && !p[1]) |
6fbf66fa |
{ |
d728ebed |
VERIFY_PERMISSION (OPT_P_GENERAL); |
6fbf66fa |
options->replay = false;
} |
3d6a4cde |
else if (streq (p[0], "replay-window") && !p[3]) |
6fbf66fa |
{ |
d728ebed |
VERIFY_PERMISSION (OPT_P_GENERAL); |
6fbf66fa |
if (p[1])
{
int replay_window;
replay_window = atoi (p[1]);
if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
{
msg (msglevel, "replay-window window size parameter (%d) must be between %d and %d",
replay_window,
MIN_SEQ_BACKTRACK,
MAX_SEQ_BACKTRACK);
goto err;
}
options->replay_window = replay_window;
if (p[2])
{
int replay_time;
replay_time = atoi (p[2]);
if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
{
msg (msglevel, "replay-window time window parameter (%d) must be between %d and %d",
replay_time,
MIN_TIME_BACKTRACK,
MAX_TIME_BACKTRACK);
goto err;
}
options->replay_time = replay_time;
}
}
else
{
msg (msglevel, "replay-window option is missing window size parameter");
goto err;
}
} |
3d6a4cde |
else if (streq (p[0], "mute-replay-warnings") && !p[1]) |
6fbf66fa |
{ |
d728ebed |
VERIFY_PERMISSION (OPT_P_GENERAL); |
6fbf66fa |
options->mute_replay_warnings = true;
} |
3d6a4cde |
else if (streq (p[0], "no-iv") && !p[1]) |
6fbf66fa |
{ |
d728ebed |
VERIFY_PERMISSION (OPT_P_GENERAL); |
6fbf66fa |
options->use_iv = false;
} |
3d6a4cde |
else if (streq (p[0], "replay-persist") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->packet_id_file = p[1];
} |
3d6a4cde |
else if (streq (p[0], "test-crypto") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->test_crypto = true;
} |
86d8cd68 |
#ifndef ENABLE_CRYPTO_MBEDTLS |
3d6a4cde |
else if (streq (p[0], "engine") && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (p[1])
{
options->engine = p[1];
}
else
options->engine = "auto";
} |
86d8cd68 |
#endif /* ENABLE_CRYPTO_MBEDTLS */ |
6fbf66fa |
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH |
3d6a4cde |
else if (streq (p[0], "keysize") && p[1] && !p[2]) |
6fbf66fa |
{
int keysize;
|
d728ebed |
VERIFY_PERMISSION (OPT_P_NCP); |
6fbf66fa |
keysize = atoi (p[1]) / 8;
if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH)
{
msg (msglevel, "Bad keysize: %s", p[1]);
goto err;
}
options->keysize = keysize;
}
#endif |
0f25d296 |
#ifdef ENABLE_PREDICTION_RESISTANCE |
3d6a4cde |
else if (streq (p[0], "use-prediction-resistance") && !p[1]) |
0f25d296 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->use_prediction_resistance = true;
}
#endif |
3d6a4cde |
else if (streq (p[0], "show-tls") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->show_tls_ciphers = true;
} |
3d6a4cde |
else if (streq (p[0], "show-curves") && !p[1]) |
609e8131 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->show_curves = true;
} |
3d6a4cde |
else if (streq (p[0], "ecdh-curve") && p[1] && !p[2]) |
609e8131 |
{ |
d728ebed |
VERIFY_PERMISSION (OPT_P_GENERAL); |
609e8131 |
options->ecdh_curve= p[1];
} |
3d6a4cde |
else if (streq (p[0], "tls-server") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->tls_server = true;
} |
3d6a4cde |
else if (streq (p[0], "tls-client") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->tls_client = true;
} |
3d6a4cde |
else if (streq (p[0], "ca") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ca_file = p[1]; |
d40f2b20 |
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->ca_file_inline = p[2];
} |
6fbf66fa |
} |
86d8cd68 |
#ifndef ENABLE_CRYPTO_MBEDTLS |
3d6a4cde |
else if (streq (p[0], "capath") && p[1] && !p[2]) |
e9c5e170 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ca_path = p[1];
} |
86d8cd68 |
#endif /* ENABLE_CRYPTO_MBEDTLS */ |
3d6a4cde |
else if (streq (p[0], "dh") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->dh_file = p[1]; |
d40f2b20 |
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->dh_file_inline = p[2];
} |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "cert") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->cert_file = p[1]; |
d40f2b20 |
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->cert_file_inline = p[2];
} |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "extra-certs") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) |
7966d75a |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->extra_certs_file = p[1];
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->extra_certs_file_inline = p[2];
}
} |
3d6a4cde |
else if (streq (p[0], "verify-hash") && p[1] && !p[2]) |
7966d75a |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
} |
93c22ecc |
#ifdef ENABLE_CRYPTOAPI |
3d6a4cde |
else if (streq (p[0], "cryptoapicert") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->cryptoapi_cert = p[1];
}
#endif |
3d6a4cde |
else if (streq (p[0], "key") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->priv_key_file = p[1]; |
d40f2b20 |
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->priv_key_file_inline = p[2];
} |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "tls-version-min") && p[1] && !p[3]) |
4b67f984 |
{
int ver;
VERIFY_PERMISSION (OPT_P_GENERAL); |
6cb15b90 |
ver = tls_version_parse(p[1], p[2]); |
4b67f984 |
if (ver == TLS_VER_BAD)
{
msg (msglevel, "unknown tls-version-min parameter: %s", p[1]);
goto err;
} |
6cb15b90 |
options->ssl_flags &=
~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
} |
3d6a4cde |
else if (streq (p[0], "tls-version-max") && p[1] && !p[2]) |
6cb15b90 |
{
int ver;
VERIFY_PERMISSION (OPT_P_GENERAL);
ver = tls_version_parse(p[1], NULL);
if (ver == TLS_VER_BAD)
{
msg (msglevel, "unknown tls-version-max parameter: %s", p[1]);
goto err;
}
options->ssl_flags &=
~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT); |
4b67f984 |
} |
86d8cd68 |
#ifndef ENABLE_CRYPTO_MBEDTLS |
3d6a4cde |
else if (streq (p[0], "pkcs12") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pkcs12_file = p[1]; |
2e8ff6c1 |
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->pkcs12_file_inline = p[2];
} |
6fbf66fa |
} |
86d8cd68 |
#endif /* ENABLE_CRYPTO_MBEDTLS */ |
3d6a4cde |
else if (streq (p[0], "askpass") && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (p[1])
{
options->key_pass_file = p[1];
}
else
options->key_pass_file = "stdin";
} |
3d6a4cde |
else if (streq (p[0], "auth-nocache") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
ssl_set_auth_nocache ();
} |
3d6a4cde |
else if (streq (p[0], "auth-token") && p[1] && !p[2]) |
0db046f2 |
{
VERIFY_PERMISSION (OPT_P_ECHO);
ssl_set_auth_token(p[1]);
#ifdef ENABLE_MANAGEMENT
if (management)
management_auth_token (management, p[1]);
#endif
} |
3d6a4cde |
else if (streq (p[0], "single-session") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->single_session = true;
} |
aaf72974 |
#ifdef ENABLE_PUSH_PEER_INFO |
3d6a4cde |
else if (streq (p[0], "push-peer-info") && !p[1]) |
aaf72974 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->push_peer_info = true;
}
#endif |
3d6a4cde |
else if (streq (p[0], "tls-exit") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->tls_exit = true;
} |
3d6a4cde |
else if (streq (p[0], "tls-cipher") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->cipher_list = p[1];
} |
7a7a79f6 |
else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
|| (p[2] && streq (p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
d5497262 |
if (p[2] && streq(p[2], "dir"))
options->ssl_flags |= SSLF_CRL_VERIFY_DIR; |
6fbf66fa |
options->crl_file = p[1]; |
7a7a79f6 |
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->crl_file_inline = p[2];
} |
6fbf66fa |
}
else if (streq (p[0], "tls-verify") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err; |
9b6a5028 |
set_user_script (options, &options->tls_verify,
string_substitute (p[1], ',', ' ', &options->gc), |
b77bffe8 |
"tls-verify", true); |
6fbf66fa |
} |
86d8cd68 |
#ifndef ENABLE_CRYPTO_MBEDTLS |
3d6a4cde |
else if (streq (p[0], "tls-export-cert") && p[1] && !p[2]) |
39238d1b |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->tls_export_cert = p[1];
} |
8bb72fbc |
#endif |
3d6a4cde |
#if P2MP_SERVER
else if (streq (p[0], "compat-names") && ((p[1] && streq (p[1], "no-remapping")) || !p[1]) && !p[2])
#else
else if (streq (p[0], "compat-names") && !p[1])
#endif |
26b0433c |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
9f0fc745 |
if (options->verify_x509_type != VERIFY_X509_NONE &&
options->verify_x509_type != TLS_REMOTE_SUBJECT_DN &&
options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
{
msg (msglevel, "you cannot use --compat-names with --verify-x509-name");
goto err;
}
msg (M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration"); |
26b0433c |
compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES); |
9f0fc745 |
#if P2MP_SERVER |
26b0433c |
if (p[1] && streq (p[1], "no-remapping"))
compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
} |
3d6a4cde |
else if (streq (p[0], "no-name-remapping") && !p[1]) |
26b0433c |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
9f0fc745 |
if (options->verify_x509_type != VERIFY_X509_NONE &&
options->verify_x509_type != TLS_REMOTE_SUBJECT_DN &&
options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
{
msg (msglevel, "you cannot use --no-name-remapping with --verify-x509-name");
goto err;
} |
26b0433c |
msg (M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration");
compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); |
9f0fc745 |
#endif |
26b0433c |
} |
3d6a4cde |
else if (streq (p[0], "tls-remote") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
9f0fc745 |
if (options->verify_x509_type != VERIFY_X509_NONE &&
options->verify_x509_type != TLS_REMOTE_SUBJECT_DN &&
options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
{
msg (msglevel, "you cannot use --tls-remote with --verify-x509-name");
goto err;
}
msg (M_WARN, "DEPRECATED OPTION: --tls-remote, please update your configuration");
if (strlen (p[1]))
{
int is_username = (!strchr (p[1], '=') || !strstr (p[1], ", "));
int type = TLS_REMOTE_SUBJECT_DN;
if (p[1][0] != '/' && is_username)
type = TLS_REMOTE_SUBJECT_RDN_PREFIX;
/*
* Enable legacy openvpn format for DNs that have not been converted
* yet and --x509-username-field (not containing an '=' or ', ')
*/
if (p[1][0] == '/' || is_username)
compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
options->verify_x509_type = type;
options->verify_x509_name = p[1];
}
} |
3d6a4cde |
else if (streq (p[0], "verify-x509-name") && p[1] && strlen (p[1]) && !p[3]) |
9f0fc745 |
{
int type = VERIFY_X509_SUBJECT_DN;
VERIFY_PERMISSION (OPT_P_GENERAL);
if (options->verify_x509_type == TLS_REMOTE_SUBJECT_DN ||
options->verify_x509_type == TLS_REMOTE_SUBJECT_RDN_PREFIX)
{
msg (msglevel, "you cannot use --verify-x509-name with --tls-remote");
goto err;
}
if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NAMES))
{
msg (msglevel, "you cannot use --verify-x509-name with "
"--compat-names or --no-name-remapping");
goto err;
}
if (p[2])
{
if (streq (p[2], "subject"))
type = VERIFY_X509_SUBJECT_DN;
else if (streq (p[2], "name"))
type = VERIFY_X509_SUBJECT_RDN;
else if (streq (p[2], "name-prefix"))
type = VERIFY_X509_SUBJECT_RDN_PREFIX;
else
{
msg (msglevel, "unknown X.509 name type: %s", p[2]);
goto err;
}
}
options->verify_x509_type = type;
options->verify_x509_name = p[1]; |
6fbf66fa |
} |
3d6a4cde |
else if (streq (p[0], "ns-cert-type") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "server")) |
06d22777 |
options->ns_cert_type = NS_CERT_CHECK_SERVER; |
6fbf66fa |
else if (streq (p[1], "client")) |
06d22777 |
options->ns_cert_type = NS_CERT_CHECK_CLIENT; |
6fbf66fa |
else
{
msg (msglevel, "--ns-cert-type must be 'client' or 'server'");
goto err;
}
} |
411e89ae |
else if (streq (p[0], "remote-cert-ku"))
{
int j;
VERIFY_PERMISSION (OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
sscanf (p[j], "%x", &(options->remote_cert_ku[j-1]));
} |
3d6a4cde |
else if (streq (p[0], "remote-cert-eku") && p[1] && !p[2]) |
411e89ae |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->remote_cert_eku = p[1];
} |
3d6a4cde |
else if (streq (p[0], "remote-cert-tls") && p[1] && !p[2]) |
411e89ae |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "server"))
{
options->remote_cert_ku[0] = 0xa0; |
6117b639 |
options->remote_cert_ku[1] = 0x88; |
411e89ae |
options->remote_cert_eku = "TLS Web Server Authentication";
}
else if (streq (p[1], "client"))
{
options->remote_cert_ku[0] = 0x80;
options->remote_cert_ku[1] = 0x08;
options->remote_cert_ku[2] = 0x88;
options->remote_cert_eku = "TLS Web Client Authentication";
}
else
{
msg (msglevel, "--remote-cert-tls must be 'client' or 'server'");
goto err;
}
} |
3d6a4cde |
else if (streq (p[0], "tls-timeout") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->tls_timeout = positive_atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "reneg-bytes") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->renegotiate_bytes = positive_atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "reneg-pkts") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->renegotiate_packets = positive_atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "reneg-sec") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->renegotiate_seconds = positive_atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "hand-window") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->handshake_window = positive_atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "tran-window") && p[1] && !p[2]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->transition_window = positive_atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "tls-auth") && p[1] && !p[3]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL); |
c959fc74 |
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->tls_auth_file_inline = p[2];
}
else |
6fbf66fa |
if (p[2])
{
int key_direction;
key_direction = ascii2keydirection (msglevel, p[2]);
if (key_direction >= 0)
options->key_direction = key_direction;
else
goto err;
}
options->tls_auth_file = p[1];
} |
3d6a4cde |
else if (streq (p[0], "key-method") && p[1] && !p[2]) |
6fbf66fa |
{
int key_method;
VERIFY_PERMISSION (OPT_P_GENERAL);
key_method = atoi (p[1]);
if (key_method < KEY_METHOD_MIN || key_method > KEY_METHOD_MAX)
{
msg (msglevel, "key_method parameter (%d) must be >= %d and <= %d",
key_method,
KEY_METHOD_MIN,
KEY_METHOD_MAX);
goto err;
}
options->key_method = key_method;
} |
fab49d17 |
else if (streq (p[0], "x509-track") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
x509_track_add (&options->x509_track, p[1], msglevel, &options->gc);
} |
fbd18db6 |
#ifdef ENABLE_X509ALTUSERNAME |
3d6a4cde |
else if (streq (p[0], "x509-username-field") && p[1] && !p[2]) |
2e8337de |
{ |
f4e0ad82 |
/* This option used to automatically upcase the fieldname passed as the
* option argument, e.g., "ou" became "OU". Now, this "helpfulness" is
* fine-tuned by only upcasing Subject field attribute names which consist
* of all lower-case characters. Mixed-case attributes such as
* "emailAddress" are left as-is. An option parameter having the "ext:"
* prefix for matching X.509v3 extended fields will also remain unchanged.
*/ |
2e8337de |
char *s = p[1]; |
f4e0ad82 |
|
2e8337de |
VERIFY_PERMISSION (OPT_P_GENERAL); |
f4e0ad82 |
if (strncmp("ext:", s, 4) != 0)
{
size_t i = 0;
while (s[i] && !isupper(s[i])) i++;
if (strlen(s) == i)
{
while ((*s = toupper(*s)) != '\0') s++;
msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
"--x509-username-field parameter to '%s'; please update your"
"configuration", p[1]);
}
} |
2e8337de |
options->x509_username_field = p[1];
} |
fbd18db6 |
#endif /* ENABLE_X509ALTUSERNAME */ |
9b33b5a4 |
#endif /* ENABLE_CRYPTO */ |
6835555e |
#ifdef ENABLE_PKCS11 |
3d6a4cde |
else if (streq (p[0], "show-pkcs11-ids") && !p[3]) |
6835555e |
{ |
eadf16a6 |
char *provider = p[1]; |
718526e0 |
bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 )); |
6835555e |
|
7c1d614c |
#ifdef DEFAULT_PKCS11_MODULE
if (!provider)
provider = DEFAULT_PKCS11_MODULE;
else if (!p[2])
{
char *endp = NULL;
int i = strtol(provider, &endp, 10);
if (*endp == 0)
{
/* There was one argument, and it was purely numeric.
Interpret it as the cert_private argument */
provider = DEFAULT_PKCS11_MODULE;
cert_private = i;
}
}
#else
if (!provider)
{
msg (msglevel, "--show-pkcs11-ids requires a provider parameter");
goto err;
}
#endif |
6835555e |
VERIFY_PERMISSION (OPT_P_GENERAL);
|
718526e0 |
set_debug_level (options->verbosity, SDL_CONSTRAIN);
show_pkcs11_ids (provider, cert_private); |
6835555e |
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
else if (streq (p[0], "pkcs11-providers") && p[1])
{
int j;
VERIFY_PERMISSION (OPT_P_GENERAL);
|
eadf16a6 |
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) |
6835555e |
options->pkcs11_providers[j-1] = p[j];
} |
18597b93 |
else if (streq (p[0], "pkcs11-protected-authentication"))
{
int j;
VERIFY_PERMISSION (OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
options->pkcs11_protected_authentication[j-1] = atoi (p[j]) != 0 ? 1 : 0;
} |
718526e0 |
else if (streq (p[0], "pkcs11-private-mode") && p[1]) |
6835555e |
{
int j;
VERIFY_PERMISSION (OPT_P_GENERAL);
|
eadf16a6 |
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) |
718526e0 |
sscanf (p[j], "%x", &(options->pkcs11_private_mode[j-1])); |
6835555e |
} |
18597b93 |
else if (streq (p[0], "pkcs11-cert-private"))
{
int j;
VERIFY_PERMISSION (OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
options->pkcs11_cert_private[j-1] = atoi (p[j]) != 0 ? 1 : 0;
} |
3d6a4cde |
else if (streq (p[0], "pkcs11-pin-cache") && p[1] && !p[2]) |
18597b93 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pkcs11_pin_cache_period = atoi (p[1]);
} |
3d6a4cde |
else if (streq (p[0], "pkcs11-id") && p[1] && !p[2]) |
6835555e |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pkcs11_id = p[1];
} |
3d6a4cde |
else if (streq (p[0], "pkcs11-id-management") && !p[1]) |
1bda73a7 |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pkcs11_id_management = true;
} |
6835555e |
#endif |
3d6a4cde |
else if (streq (p[0], "rmtun") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->persist_config = true;
options->persist_mode = 0;
} |
3d6a4cde |
else if (streq (p[0], "mktun") && !p[1]) |
6fbf66fa |
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->persist_config = true;
options->persist_mode = 1;
} |
3d6a4cde |
else if (streq (p[0], "peer-id") && p[1] && !p[2]) |
65eedc35 |
{
VERIFY_PERMISSION (OPT_P_PEER_ID);
options->use_peer_id = true;
options->peer_id = atoi(p[1]);
} |
685e486e |
#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
else if (streq (p[0], "keying-material-exporter") && p[1] && p[2])
{
int ekm_length = positive_atoi (p[2]);
VERIFY_PERMISSION (OPT_P_GENERAL);
if (strncmp(p[1], "EXPORTER", 8))
{
msg (msglevel, "Keying material exporter label must begin with "
"\"EXPORTER\"");
goto err;
}
if (ekm_length < 16 || ekm_length > 4095)
{
msg (msglevel, "Invalid keying material exporter length");
goto err;
}
options->keying_material_exporter_label = p[1];
options->keying_material_exporter_length = ekm_length;
}
#endif |
e8c42658 |
else if (streq (p[0], "allow-recursive-routing") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->allow_recursive_routing = true;
} |
6fbf66fa |
else
{ |
b685a1e6 |
int i;
int msglevel= msglevel_fc;
/* Check if an option is in --ignore-unknown-option and
set warning level to non fatal */
for(i=0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
{
if (streq(p[0], options->ignore_unknown_option[i]))
{
msglevel = M_WARN;
break;
}
} |
6fbf66fa |
if (file) |
3d6a4cde |
msg (msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION); |
6fbf66fa |
else |
3d6a4cde |
msg (msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION); |
6fbf66fa |
}
err:
gc_free (&gc);
} |