diff options
author | Bernhard Schmidt <berni@debian.org> | 2020-08-15 21:29:50 +0200 |
---|---|---|
committer | Bernhard Schmidt <berni@debian.org> | 2020-08-15 21:29:50 +0200 |
commit | 1079962e4c06f88a54e50d997c1b7e84303d30b4 (patch) | |
tree | 4d019426928435425214ccedd6f89b70dbdf035d /src/openvpn/options.c | |
parent | 620785fe268a1221c1ba7a9cb5a70f3140a4f1ca (diff) |
New upstream version 2.5~beta1upstream/2.5_beta1
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r-- | src/openvpn/options.c | 1404 |
1 files changed, 934 insertions, 470 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index de30fcb..8bf82c5 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -41,9 +41,11 @@ #include "buffer.h" #include "error.h" #include "common.h" +#include "run_command.h" #include "shaper.h" #include "crypto.h" #include "ssl.h" +#include "ssl_ncp.h" #include "options.h" #include "misc.h" #include "socket.h" @@ -52,6 +54,7 @@ #include "win32.h" #include "push.h" #include "pool.h" +#include "proto.h" #include "helper.h" #include "manage.h" #include "forward.h" @@ -67,7 +70,6 @@ const char title_string[] = " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]" #endif " " TARGET_ALIAS -#ifdef ENABLE_CRYPTO #if defined(ENABLE_CRYPTO_MBEDTLS) " [SSL (mbed TLS)]" #elif defined(ENABLE_CRYPTO_OPENSSL) @@ -75,7 +77,6 @@ const char title_string[] = #else " [SSL]" #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */ -#endif /* ENABLE_CRYPTO */ #ifdef USE_COMP #ifdef ENABLE_LZO " [LZO]" @@ -103,9 +104,7 @@ const char title_string[] = " [MH/RECVDA]" #endif #endif -#ifdef HAVE_AEAD_CIPHER_MODES " [AEAD]" -#endif " built on " __DATE__ ; @@ -201,8 +200,10 @@ static const char usage_message[] = "--route-ipv6 network/bits [gateway] [metric] :\n" " Add IPv6 route to routing table after connection\n" " is established. Multiple routes can be specified.\n" - " gateway default: taken from 'remote' in --ifconfig-ipv6\n" + " gateway default: taken from --route-ipv6-gateway or 'remote'\n" + " in --ifconfig-ipv6\n" "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n" + "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n" "--route-metric m : Specify a default metric for use with --route.\n" "--route-delay n [w] : Delay n seconds after connection initiation before\n" " adding routes (may be 0). If not specified, routes will\n" @@ -226,10 +227,12 @@ static const char usage_message[] = " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n" "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n" " the default gateway. Useful when pushing private subnets.\n" + "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n" + " ICMPv6 host unreachable messages on the client.\n" + " (Server) Instead of forwarding IPv6 packets send\n" + " ICMPv6 host unreachable packets to the client.\n" "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n" -#ifdef ENABLE_PUSH_PEER_INFO "--push-peer-info : (client only) push client info to server.\n" -#endif "--setenv name value : Set a custom environmental variable to pass to script.\n" "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n" " directives for future OpenVPN versions to be ignored.\n" @@ -274,9 +277,7 @@ static const char usage_message[] = " 'no' -- Never send DF (Don't Fragment) frames\n" " 'maybe' -- Use per-route hints\n" " 'yes' -- Always DF (Don't Fragment)\n" -#ifdef ENABLE_OCC "--mtu-test : Empirically measure and report MTU.\n" -#endif #ifdef ENABLE_FRAGMENT "--fragment max : Enable internal datagram fragmentation so that no UDP\n" " datagrams are sent which are larger than max bytes.\n" @@ -289,6 +290,9 @@ static const char usage_message[] = #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK "--mark value : Mark encrypted packets being sent with value. The mark value\n" " can be matched in policy routing and packetfilter rules.\n" + "--bind-dev dev : Bind to the given device when making connection to a peer or\n" + " listening for connections. This allows sending encrypted packets\n" + " via a VRF present on the system.\n" #endif "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n" #ifdef ENABLE_MEMSTATS @@ -344,17 +348,16 @@ static const char usage_message[] = "--status file n : Write operational status to file every n seconds.\n" "--status-version [n] : Choose the status file format version number.\n" " Currently, n can be 1, 2, or 3 (default=1).\n" -#ifdef ENABLE_OCC "--disable-occ : Disable options consistency check between peers.\n" -#endif #ifdef ENABLE_DEBUG "--gremlin mask : Special stress testing mode (for debugging only).\n" #endif #if defined(USE_COMP) "--compress alg : Use compression algorithm alg\n" + "--allow-compression: Specify whether compression should be allowed\n" #if defined(ENABLE_LZO) "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n" - " packet for uncompressible data.\n" + " packet for incompressible data.\n" "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n" " is specified.\n" #endif @@ -401,8 +404,10 @@ static const char usage_message[] = "--plugin m [str]: Load plug-in module m passing str as an argument\n" " to its initialization function.\n" #endif + "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n" + "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n" + "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n" #if P2MP -#if P2MP_SERVER "\n" "Multi-Client Server options (when --mode server is used):\n" "--server network netmask : Helper option to easily configure server mode.\n" @@ -415,9 +420,6 @@ static const char usage_message[] = " client instance.\n" "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n" " to be dynamically allocated to connecting clients.\n" - "--ifconfig-pool-linear : (DEPRECATED) Use individual addresses rather \n" - " than /30 subnets\n in tun mode. Not compatible with\n" - " Windows clients.\n" "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n" " data to file, at seconds intervals (default=600).\n" " If seconds=0, file will be treated as read-only.\n" @@ -435,8 +437,6 @@ static const char usage_message[] = " Only valid in a client-specific config file.\n" "--disable : Client is disabled.\n" " Only valid in a client-specific config file.\n" - "--client-cert-not-required : (DEPRECATED) Don't require client certificate, client\n" - " will authenticate using username/password.\n" "--verify-client-cert [none|optional|require] : perform no, optional or\n" " mandatory client certificate verification.\n" " Default is to require the client to supply a certificate.\n" @@ -448,7 +448,7 @@ static const char usage_message[] = " user/pass via environment, if method='via-file', pass\n" " user/pass via temporary file.\n" "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n" - " to each client, replacing the password. Usefull when\n" + " to each client, replacing the password. Useful when\n" " OTP based two-factor auth mechanisms are in use and\n" " --reneg-* options are enabled. Optionally a lifetime in seconds\n" " for generated tokens can be set.\n" @@ -487,7 +487,6 @@ static const char usage_message[] = " sessions to a web server at host:port. dir specifies an\n" " optional directory to write origin IP:port data.\n" #endif -#endif /* if P2MP_SERVER */ "\n" "Client options (when connecting to a multi-client server):\n" "--client : Helper option to easily configure client mode.\n" @@ -514,11 +513,8 @@ static const char usage_message[] = "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n" " incoming tun packets with same destination as host.\n" #endif /* if P2MP */ -#ifdef ENABLE_OCC "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n" " server/remote. n = # of retries, default=1.\n" -#endif -#ifdef ENABLE_CRYPTO "\n" "Data Channel Encryption Options (must be compatible between peers):\n" "(These options are meaningful for both Static Key & TLS-mode)\n" @@ -535,8 +531,8 @@ static const char usage_message[] = "--cipher alg : Encrypt packets with cipher algorithm alg\n" " (default=%s).\n" " Set alg=none to disable encryption.\n" - "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n" - "--ncp-disable : Disable cipher negotiation.\n" + "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n" + "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n" "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH @@ -551,7 +547,6 @@ static const char usage_message[] = "--replay-window n [t] : Use a replay protection sliding window of size n\n" " and a time window of t seconds.\n" " Default n=%d t=%d\n" - "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n" "--replay-persist file : Persist replay-protection state across sessions\n" " using file.\n" "--test-crypto : Run a self-test of crypto features enabled.\n" @@ -599,14 +594,17 @@ static const char usage_message[] = " Windows Certificate System Store.\n" #endif "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n" - " : Use --show-tls to see a list of supported TLS ciphers.\n" + "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n" + " : Use --show-tls to see a list of supported TLS ciphers (suites).\n" "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n" " (default=legacy).\n" "--tls-timeout n : Packet retransmit timeout on TLS control channel\n" " if no ACK from remote within n seconds (default=%d).\n" "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n" "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n" - "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n" + "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n" + " and at least min (defaults to 90%% of max on servers and equal\n" + " to max on clients).\n" "--hand-window n : Data channel key exchange must finalize within n seconds\n" " of handshake initiation by any peer (default=%d).\n" "--tran-window n : Transition window -- old key can live this many seconds\n" @@ -625,6 +623,17 @@ static const char usage_message[] = " attacks on the TLS stack and DoS attacks.\n" " key (required) provides the pre-shared key file.\n" " see --secret option for more info.\n" + "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n" + " For servers: use key to decrypt client-specific keys. For\n" + " key generation (--tls-crypt-v2-genkey): use key to\n" + " encrypt generated client-specific key. (See --tls-crypt.)\n" + "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n" + " fresh tls-crypt-v2 client key, and store to\n" + " keyfile. If supplied, include metadata in wrapped key.\n" + "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n" + " fresh tls-crypt-v2 server key, and store to keyfile\n" + "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n" + " client-supplied tls-crypt-v2 client key\n" "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n" "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n" "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n" @@ -643,7 +652,7 @@ static const char usage_message[] = " an explicit nsCertType designation t = 'client' | 'server'.\n" "--x509-track x : Save peer X509 attribute x in environment for use by\n" " plugins and management interface.\n" -#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 +#ifdef HAVE_EXPORT_KEYING_MATERIAL "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n" " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n" #endif @@ -663,7 +672,7 @@ static const char usage_message[] = "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n" " path. Set for each provider.\n" "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n" - " 0 : Try to determind automatically (default).\n" + " 0 : Try to determine automatically (default).\n" " 1 : Use Sign.\n" " 2 : Use SignRecover.\n" " 4 : Use Decrypt.\n" @@ -707,6 +716,7 @@ static const char usage_message[] = " which allow multiple addresses,\n" " --dhcp-option must be repeated.\n" " DOMAIN name : Set DNS suffix\n" + " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n" " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n" " NTP : Set NTP server address(es)\n" " NBDD : Set NBDD server address(es)\n" @@ -730,9 +740,10 @@ static const char usage_message[] = " optional parameter controls the initial state of ex.\n" "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n" " after TAP adapter is up and routes have been added.\n" -#ifdef _WIN32 + "--windows-driver : Which tun driver to use?\n" + " tap-windows6 (default)\n" + " wintun\n" "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n" -#endif "Windows Standalone Options:\n" "\n" "--show-adapters : Show all TAP-Windows adapters.\n" @@ -742,11 +753,9 @@ static const char usage_message[] = " to access TAP adapter.\n" #endif /* ifdef _WIN32 */ "\n" - "Generate a random key (only for non-TLS static key encryption mode):\n" - "--genkey : Generate a random key to be used as a shared secret,\n" - " for use with the --secret option.\n" - "--secret file : Write key to file.\n" -#endif /* ENABLE_CRYPTO */ + "Generate a new key :\n" + "--genkey secret file : Generate a new random key of type and write to file\n" + " (for use with --secret, --tls-auth or --tls-crypt)." #ifdef ENABLE_FEATURE_TUN_PERSIST "\n" "Tun/tap config mode (available with linux 2.4+):\n" @@ -812,9 +821,7 @@ init_options(struct options *o, const bool init_gc) o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->resolve_in_advance = false; o->proto_force = -1; -#ifdef ENABLE_OCC o->occ = true; -#endif #ifdef ENABLE_MANAGEMENT o->management_log_history_cache = 250; o->management_echo_buffer_size = 100; @@ -823,9 +830,6 @@ init_options(struct options *o, const bool init_gc) #ifdef ENABLE_FEATURE_TUN_PERSIST o->persist_mode = 1; #endif -#ifdef TARGET_LINUX - o->tuntap_options.txqueuelen = 100; -#endif #ifdef _WIN32 #if 0 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE; @@ -836,8 +840,10 @@ init_options(struct options *o, const bool init_gc) o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */ o->route_method = ROUTE_METHOD_ADAPTIVE; o->block_outside_dns = false; + o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6; #endif -#if P2MP_SERVER + o->vlan_accept = VLAN_ALL; + o->vlan_pvid = 1; o->real_hash_size = 256; o->virtual_hash_size = 256; o->n_bcast_buf = 256; @@ -846,17 +852,10 @@ init_options(struct options *o, const bool init_gc) o->max_routes_per_client = 256; o->stale_routes_check_interval = 0; o->ifconfig_pool_persist_refresh_freq = 600; -#endif #if P2MP o->scheduled_exit_interval = 5; #endif -#ifdef ENABLE_CRYPTO - o->ciphername = "BF-CBC"; -#ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */ o->ncp_enabled = true; -#else - o->ncp_enabled = false; -#endif o->ncp_ciphers = "AES-256-GCM:AES-128-GCM"; o->authname = "SHA1"; o->prng_hash = "SHA1"; @@ -864,15 +863,14 @@ init_options(struct options *o, const bool init_gc) o->replay = true; o->replay_window = DEFAULT_SEQ_BACKTRACK; o->replay_time = DEFAULT_TIME_BACKTRACK; - o->use_iv = true; o->key_direction = KEY_DIRECTION_BIDIRECTIONAL; #ifdef ENABLE_PREDICTION_RESISTANCE o->use_prediction_resistance = false; #endif - o->key_method = 2; o->tls_timeout = 2; o->renegotiate_bytes = -1; o->renegotiate_seconds = 3600; + o->renegotiate_seconds_min = -1; o->handshake_window = 60; o->transition_window = 3600; o->tls_cert_profile = NULL; @@ -880,18 +878,16 @@ init_options(struct options *o, const bool init_gc) #ifdef ENABLE_X509ALTUSERNAME o->x509_username_field = X509_USERNAME_FIELD_DEFAULT; #endif -#endif /* ENABLE_CRYPTO */ #ifdef ENABLE_PKCS11 o->pkcs11_pin_cache_period = -1; #endif /* ENABLE_PKCS11 */ /* P2MP server context features */ -#if P2MP_SERVER o->auth_token_generate = false; /* Set default --tmp-dir */ #ifdef _WIN32 - /* On Windows, find temp dir via enviroment variables */ + /* On Windows, find temp dir via environment variables */ o->tmp_dir = win_get_tempdir(); #else /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */ @@ -901,7 +897,6 @@ init_options(struct options *o, const bool init_gc) o->tmp_dir = "/tmp"; } #endif /* _WIN32 */ -#endif /* P2MP_SERVER */ o->allow_recursive_routing = false; } @@ -957,6 +952,10 @@ pull_filter_type_name(int type) #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value)) #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'") +#define SHOW_STR_INLINE(var) SHOW_PARM(var, \ + o->var ## _inline ? "[INLINE]" : \ + (o->var ? o->var : "[UNDEF]"), \ + "'%s'") #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d") #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u") #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x") @@ -994,7 +993,7 @@ setenv_settings(struct env_set *es, const struct options *o) setenv_int(es, "verb", o->verbosity); setenv_int(es, "daemon", o->daemon); setenv_int(es, "daemon_log_redirect", o->log); - setenv_unsigned(es, "daemon_start_time", time(NULL)); + setenv_long_long(es, "daemon_start_time", time(NULL)); setenv_int(es, "daemon_pid", platform_getpid()); if (o->connection_list) @@ -1083,7 +1082,6 @@ string_substitute(const char *src, int from, int to, struct gc_arena *gc) return ret; } -#ifdef ENABLE_CRYPTO static uint8_t * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc) { @@ -1125,13 +1123,22 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren } return ret; } -#endif /* ifdef ENABLE_CRYPTO */ #ifdef _WIN32 #ifndef ENABLE_SMALL static void +show_dhcp_option_list(const char *name, const char * const*array, int len) +{ + int i; + for (i = 0; i < len; ++i) + { + msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i] ); + } +} + +static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len) { struct gc_arena gc = gc_new(); @@ -1166,6 +1173,7 @@ show_tuntap_options(const struct tuntap_options *o) show_dhcp_option_addrs("WINS", o->wins, o->wins_len); show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len); show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len); + show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len); } #endif /* ifndef ENABLE_SMALL */ @@ -1216,6 +1224,23 @@ dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */ +static const char * +print_vlan_accept(enum vlan_acceptable_frames mode) +{ + switch (mode) + { + case VLAN_ONLY_TAGGED: + return "tagged"; + + case VLAN_ONLY_UNTAGGED_OR_PRIORITY: + return "untagged"; + + case VLAN_ALL: + return "all"; + } + return NULL; +} + #if P2MP #ifndef ENABLE_SMALL @@ -1225,7 +1250,6 @@ show_p2mp_parms(const struct options *o) { struct gc_arena gc = gc_new(); -#if P2MP_SERVER msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc)); msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc)); msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) ); @@ -1281,11 +1305,14 @@ show_p2mp_parms(const struct options *o) SHOW_BOOL(auth_user_pass_verify_script_via_file); SHOW_BOOL(auth_token_generate); SHOW_INT(auth_token_lifetime); + SHOW_STR_INLINE(auth_token_secret_file); #if PORT_SHARE SHOW_STR(port_share_host); SHOW_STR(port_share_port); #endif -#endif /* P2MP_SERVER */ + SHOW_BOOL(vlan_tagging); + msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept)); + SHOW_INT(vlan_pvid); SHOW_BOOL(client); SHOW_BOOL(pull); @@ -1296,8 +1323,6 @@ show_p2mp_parms(const struct options *o) #endif /* ! ENABLE_SMALL */ -#if P2MP_SERVER - static void option_iroute(struct options *o, const char *network_str, @@ -1345,7 +1370,6 @@ option_iroute_ipv6(struct options *o, ir->next = o->iroutes_ipv6; o->iroutes_ipv6 = ir; } -#endif /* P2MP_SERVER */ #endif /* P2MP */ #ifndef ENABLE_SMALL @@ -1383,9 +1407,7 @@ options_detach(struct options *o) gc_detach(&o->gc); o->routes = NULL; o->client_nat = NULL; -#if P2MP_SERVER clone_push_list(o); -#endif } void @@ -1451,9 +1473,13 @@ show_connection_entry(const struct connection_entry *o) #endif SHOW_INT(mssfix); -#ifdef ENABLE_OCC SHOW_INT(explicit_exit_notification); -#endif + + SHOW_STR_INLINE(tls_auth_file); + SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), + "%s"); + SHOW_STR_INLINE(tls_crypt_file); + SHOW_STR_INLINE(tls_crypt_v2_file); } @@ -1511,14 +1537,13 @@ show_settings(const struct options *o) SHOW_INT(persist_mode); #endif -#ifdef ENABLE_CRYPTO SHOW_BOOL(show_ciphers); SHOW_BOOL(show_digests); SHOW_BOOL(show_engines); SHOW_BOOL(genkey); + SHOW_STR(genkey_filename); SHOW_STR(key_pass_file); SHOW_BOOL(show_tls_ciphers); -#endif SHOW_INT(connect_retry_max); show_connection_entries(o); @@ -1542,9 +1567,7 @@ show_settings(const struct options *o) #ifdef ENABLE_FEATURE_SHAPER SHOW_INT(shaper); #endif -#ifdef ENABLE_OCC SHOW_INT(mtu_test); -#endif SHOW_BOOL(mlock); @@ -1596,9 +1619,7 @@ show_settings(const struct options *o) SHOW_INT(status_file_version); SHOW_INT(status_file_update_freq); -#ifdef ENABLE_OCC SHOW_BOOL(occ); -#endif SHOW_INT(rcvbuf); SHOW_INT(sndbuf); #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK @@ -1653,8 +1674,7 @@ show_settings(const struct options *o) } #endif -#ifdef ENABLE_CRYPTO - SHOW_STR(shared_secret_file); + SHOW_STR_INLINE(shared_secret_file); SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true), "%s"); SHOW_STR(ciphername); SHOW_BOOL(ncp_enabled); @@ -1671,7 +1691,6 @@ show_settings(const struct options *o) SHOW_INT(replay_window); SHOW_INT(replay_time); SHOW_STR(packet_id_file); - SHOW_BOOL(use_iv); SHOW_BOOL(test_crypto); #ifdef ENABLE_PREDICTION_RESISTANCE SHOW_BOOL(use_prediction_resistance); @@ -1679,30 +1698,29 @@ show_settings(const struct options *o) SHOW_BOOL(tls_server); SHOW_BOOL(tls_client); - SHOW_INT(key_method); - SHOW_STR(ca_file); + SHOW_STR_INLINE(ca_file); SHOW_STR(ca_path); SHOW_STR(dh_file); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if ((o->management_flags & MF_EXTERNAL_CERT)) { SHOW_PARM("cert_file","EXTERNAL_CERT","%s"); } else #endif - SHOW_STR(cert_file); - SHOW_STR(extra_certs_file); + SHOW_STR_INLINE(cert_file); + SHOW_STR_INLINE(extra_certs_file); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if ((o->management_flags & MF_EXTERNAL_KEY)) { SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s"); } else #endif - SHOW_STR(priv_key_file); + SHOW_STR_INLINE(priv_key_file); #ifndef ENABLE_CRYPTO_MBEDTLS - SHOW_STR(pkcs12_file); + SHOW_STR_INLINE(pkcs12_file); #endif #ifdef ENABLE_CRYPTOAPI SHOW_STR(cryptoapi_cert); @@ -1714,7 +1732,7 @@ show_settings(const struct options *o) SHOW_STR(tls_export_cert); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); - SHOW_STR(crl_file); + SHOW_STR_INLINE(crl_file); SHOW_INT(ns_cert_type); { int i; @@ -1736,14 +1754,10 @@ show_settings(const struct options *o) SHOW_INT(transition_window); SHOW_BOOL(single_session); -#ifdef ENABLE_PUSH_PEER_INFO SHOW_BOOL(push_peer_info); -#endif SHOW_BOOL(tls_exit); - SHOW_STR(tls_auth_file); - SHOW_STR(tls_crypt_file); -#endif /* ENABLE_CRYPTO */ + SHOW_STR(tls_crypt_v2_metadata); #ifdef ENABLE_PKCS11 { @@ -1977,14 +1991,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec init_options(&defaults, true); -#ifdef ENABLE_CRYPTO if (options->test_crypto) { notnull(options->shared_secret_file, "key file (--secret)"); } else -#endif - notnull(options->dev, "TUN/TAP device (--dev)"); + { + notnull(options->dev, "TUN/TAP device (--dev)"); + } /* * Get tun/tap/null device type @@ -2025,10 +2039,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } if (options->inetd == INETD_NOWAIT -#ifdef ENABLE_CRYPTO - && !(options->tls_server || options->tls_client) -#endif - ) + && !(options->tls_server || options->tls_client)) { msg(M_USAGE, "--inetd nowait can only be used in TLS mode"); } @@ -2038,6 +2049,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec msg(M_USAGE, "--inetd nowait only makes sense in --dev tap mode"); } + if (options->inetd) + { + msg(M_WARN, "DEPRECATED OPTION: --inetd mode is deprecated " + "and will be removed in OpenVPN 2.6"); + } if (options->lladdr && dev != DEV_TYPE_TAP) { @@ -2052,12 +2068,10 @@ options_postprocess_verify_ce(const struct options *options, const struct connec msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT); } -#ifdef ENABLE_OCC if (!proto_is_udp(ce->proto) && options->mtu_test) { msg(M_USAGE, "--mtu-test only makes sense with --proto udp"); } -#endif /* will we be pulling options from server? */ #if P2MP @@ -2138,8 +2152,18 @@ options_postprocess_verify_ce(const struct options *options, const struct connec "passwords is STRONGLY discouraged and considered insecure"); } -#endif +#endif /* ifdef ENABLE_MANAGEMENT */ +#if defined(ENABLE_MANAGEMENT) + if ((tls_version_max() >= TLS_VER_1_3) + && (options->management_flags & MF_EXTERNAL_KEY) + && !(options->management_flags & (MF_EXTERNAL_KEY_NOPADDING)) + ) + { + msg(M_ERR, "management-external-key with OpenSSL 1.1.1 requires " + "the nopadding argument/support"); + } +#endif /* * Windows-specific options. */ @@ -2162,7 +2186,12 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive"); } -#endif + + if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN) + { + msg(M_USAGE, "--windows-driver wintun requires --dev tun"); + } +#endif /* ifdef _WIN32 */ /* * Check that protocol options make sense. @@ -2175,12 +2204,10 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } #endif -#ifdef ENABLE_OCC if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification) { msg(M_USAGE, "--explicit-exit-notify can only be used with --proto udp"); } -#endif if (!ce->remote && ce->proto == PROTO_TCP_CLIENT) { @@ -2211,13 +2238,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec msg(M_USAGE, "TCP server mode allows at most one --remote address"); } -#if P2MP_SERVER - /* * Check consistency of --mode server options. */ if (options->mode == MODE_SERVER) { +#ifdef TARGET_ANDROID + msg(M_FATAL, "--mode server not supported on Android"); +#endif if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP)) { msg(M_USAGE, "--mode server only works with --dev tun or --dev tap"); @@ -2308,9 +2336,12 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "--up-delay cannot be used with --mode server"); } - if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename) + if (!options->ifconfig_pool_defined + && !options->ifconfig_ipv6_pool_defined + && options->ifconfig_pool_persist_filename) { - msg(M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool"); + msg(M_USAGE, + "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool"); } if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local) { @@ -2328,11 +2359,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir"); } - if (options->key_method != 2) + if (options->auth_token_generate && !options->renegotiate_seconds) { - msg(M_USAGE, "--mode server requires --key-method 2"); + msg(M_USAGE, "--auth-gen-token needs a non-infinite " + "--renegotiate_seconds setting"); } - { const bool ccnr = (options->auth_user_pass_verify_script || PLUGIN_OPTION_LIST(options) @@ -2351,6 +2382,22 @@ options_postprocess_verify_ce(const struct options *options, const struct connec msg(M_USAGE, "--auth-user-pass-optional %s", postfix); } } + + if (options->vlan_tagging && dev != DEV_TYPE_TAP) + { + msg(M_USAGE, "--vlan-tagging must be used with --dev tap"); + } + if (!options->vlan_tagging) + { + if (options->vlan_accept != defaults.vlan_accept) + { + msg(M_USAGE, "--vlan-accept requires --vlan-tagging"); + } + if (options->vlan_pvid != defaults.vlan_pvid) + { + msg(M_USAGE, "--vlan-pvid requires --vlan-tagging"); + } + } } else { @@ -2401,7 +2448,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) { - msg(M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server"); + msg(M_USAGE, "--verify-client-cert requires --mode server"); } if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) { @@ -2440,38 +2487,18 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "--stale-routes-check requires --mode server"); } - if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING)) + + if (options->vlan_tagging) { - msg(M_USAGE, "--compat-x509-names no-remapping requires --mode server"); + msg(M_USAGE, "--vlan-tagging requires --mode server"); } } -#endif /* P2MP_SERVER */ - -#ifdef ENABLE_CRYPTO - - if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers)) - { - msg(M_USAGE, "NCP cipher list contains unsupported ciphers."); - } - if (options->ncp_enabled && !options->use_iv) - { - msg(M_USAGE, "--no-iv not allowed when NCP is enabled."); - } - if (!options->use_iv) - { - msg(M_WARN, "WARNING: --no-iv is deprecated and will be removed in 2.5"); - } if (options->keysize) { msg(M_WARN, "WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6"); } - if (!options->replay) - { - msg(M_WARN, "WARNING: --no-replay is DEPRECATED and will be removed in OpenVPN 2.5"); - } - /* * Check consistency of replay options */ @@ -2494,17 +2521,10 @@ options_postprocess_verify_ce(const struct options *options, const struct connec if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) { msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " - "--verify-client-cert none|optional (or --client-cert-not-required) " + "--verify-client-cert none|optional " "may accept clients which do not present a certificate"); } - if (options->key_method == 1) - { - msg(M_WARN, "WARNING: --key-method 1 is deprecated and will be removed " - "in OpenVPN 2.5. By default --key-method 2 will be used if not set " - "in the configuration file, which is the recommended approach."); - } - const int tls_version_max = (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; @@ -2540,7 +2560,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified."); } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified."); @@ -2563,7 +2583,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } else #endif /* ifdef ENABLE_PKCS11 */ -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file) { msg(M_USAGE, "--key and --management-external-key are mutually exclusive"); @@ -2600,7 +2620,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified."); } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified."); @@ -2630,7 +2650,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified."); } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified."); @@ -2663,7 +2683,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { const int sum = -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT)) +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY)); #else @@ -2687,20 +2707,25 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } else { -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (!(options->management_flags & MF_EXTERNAL_CERT)) #endif notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)"); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (!(options->management_flags & MF_EXTERNAL_KEY)) #endif notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)"); } } - if (options->tls_auth_file && options->tls_crypt_file) + if (ce->tls_auth_file && ce->tls_crypt_file) { msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive"); } + if (options->tls_client && ce->tls_crypt_v2_file + && (ce->tls_auth_file || ce->tls_crypt_file)) + { + msg(M_USAGE, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode"); + } } else { @@ -2736,13 +2761,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec MUST_BE_UNDEF(transition_window); MUST_BE_UNDEF(tls_auth_file); MUST_BE_UNDEF(tls_crypt_file); + MUST_BE_UNDEF(tls_crypt_v2_file); MUST_BE_UNDEF(single_session); -#ifdef ENABLE_PUSH_PEER_INFO MUST_BE_UNDEF(push_peer_info); -#endif MUST_BE_UNDEF(tls_exit); MUST_BE_UNDEF(crl_file); - MUST_BE_UNDEF(key_method); MUST_BE_UNDEF(ns_cert_type); MUST_BE_UNDEF(remote_cert_ku[0]); MUST_BE_UNDEF(remote_cert_eku); @@ -2759,7 +2782,6 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } } #undef MUST_BE_UNDEF -#endif /* ENABLE_CRYPTO */ #if P2MP if (options->auth_user_pass_file && !options->pull) @@ -2776,7 +2798,6 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) { const int dev = dev_type_enum(o->dev, o->dev_type); -#if P2MP_SERVER if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp) { if (ce->proto == PROTO_TCP) @@ -2784,7 +2805,7 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->proto = PROTO_TCP_SERVER; } } -#endif + #if P2MP if (o->client) { @@ -2865,6 +2886,56 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) } } + /* + * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined. + * + * At the end only one of these will be really set because the parser + * logic prevents configurations where more are set. + */ + if (!ce->tls_auth_file && !ce->tls_crypt_file && !ce->tls_crypt_v2_file) + { + ce->tls_auth_file = o->tls_auth_file; + ce->tls_auth_file_inline = o->tls_auth_file_inline; + ce->key_direction = o->key_direction; + + ce->tls_crypt_file = o->tls_crypt_file; + ce->tls_crypt_file_inline = o->tls_crypt_file_inline; + + ce->tls_crypt_v2_file = o->tls_crypt_v2_file; + ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline; + } + + /* pre-cache tls-auth/crypt key file if persist-key was specified and keys + * were not already embedded in the config file + */ + if (o->persist_key) + { + if (ce->tls_auth_file && !ce->tls_auth_file_inline) + { + struct buffer in = buffer_read_from_file(ce->tls_auth_file, &o->gc); + if (!buf_valid(&in)) + { + msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)", + ce->tls_auth_file); + } + + ce->tls_auth_file = (char *)in.data; + ce->tls_auth_file_inline = true; + } + + if (ce->tls_crypt_file && !ce->tls_crypt_file_inline) + { + struct buffer in = buffer_read_from_file(ce->tls_crypt_file, &o->gc); + if (!buf_valid(&in)) + { + msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)", + ce->tls_crypt_file); + } + + ce->tls_crypt_file = (char *)in.data; + ce->tls_crypt_file_inline = true; + } + } } #ifdef _WIN32 @@ -2900,9 +2971,19 @@ options_postprocess_mutate_invariant(struct options *options) } #ifdef _WIN32 + /* when using wintun, kernel doesn't send DHCP requests, so don't use it */ + if (options->windows_driver == WINDOWS_DRIVER_WINTUN + && (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE)) + { + options->tuntap_options.ip_win32_type = IPW32_SET_NETSH; + } + if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined) { - if (options->mode == MODE_POINT_TO_POINT) + /* delay may only be necessary when we perform DHCP handshake */ + const bool dhcp = (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ) + || (options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE); + if ((options->mode == MODE_POINT_TO_POINT) && dhcp) { options->route_delay_defined = true; options->route_delay = 5; /* Vista sometimes has a race without this */ @@ -2916,15 +2997,12 @@ options_postprocess_mutate_invariant(struct options *options) } remap_redirect_gateway_flags(options); -#endif -#if P2MP_SERVER /* * Check consistency of --mode server options. */ if (options->mode == MODE_SERVER) { -#ifdef _WIN32 /* * We need to explicitly set --tap-sleep because * we do not schedule event timers in the top-level context. @@ -2935,9 +3013,8 @@ options_postprocess_mutate_invariant(struct options *options) options->tuntap_options.tap_sleep = options->route_delay; } options->route_delay_defined = false; -#endif } -#endif +#endif /* ifdef _WIN32 */ #ifdef DEFAULT_PKCS11_MODULE /* If p11-kit is present on the system then load its p11-kit-proxy.so @@ -2969,6 +3046,67 @@ options_postprocess_verify(const struct options *o) } static void +options_postprocess_cipher(struct options *o) +{ + if (!o->pull && !(o->mode == MODE_SERVER)) + { + /* we are in the classic P2P mode */ + o->ncp_enabled = false; + msg( M_WARN, "Cipher negotiation is disabled since neither " + "P2MP client nor server mode is enabled"); + + /* If the cipher is not set, use the old default of BF-CBC. We will + * warn that this is deprecated on cipher initialisation, no need + * to warn here as well */ + if (!o->ciphername) + { + o->ciphername = "BF-CBC"; + } + return; + } + + /* pull or P2MP mode */ + if (!o->ciphername) + { + if (!o->ncp_enabled) + { + msg(M_USAGE, "--ncp-disable needs an explicit --cipher or " + "--data-ciphers-fallback config option"); + } + + msg(M_WARN, "--cipher is not set. Previous OpenVPN version defaulted to " + "BF-CBC as fallback when cipher negotiation failed in this case. " + "If you need this fallback please add '--data-ciphers-fallback " + "BF-CBC' to your configuration and/or add BF-CBC to " + "--data-ciphers."); + + /* We still need to set the ciphername to BF-CBC since various other + * parts of OpenVPN assert that the ciphername is set */ + o->ciphername = "BF-CBC"; + } + else if (!o->enable_ncp_fallback + && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers)) + { + msg(M_WARN, "DEPRECATED OPTION: --cipher set to '%s' but missing in" + " --data-ciphers (%s). Future OpenVPN version will " + "ignore --cipher for cipher negotiations. " + "Add '%s' to --data-ciphers or change --cipher '%s' to " + "--data-ciphers-fallback '%s' to silence this warning.", + o->ciphername, o->ncp_ciphers, o->ciphername, + o->ciphername, o->ciphername); + o->enable_ncp_fallback = true; + + /* Append the --cipher to ncp_ciphers to allow it in NCP */ + size_t newlen = strlen(o->ncp_ciphers) + 1 + strlen(o->ciphername) + 1; + char *ncp_ciphers = gc_malloc(newlen, false, &o->gc); + + ASSERT(openvpn_snprintf(ncp_ciphers, newlen, "%s:%s", o->ncp_ciphers, + o->ciphername)); + o->ncp_ciphers = ncp_ciphers; + } +} + +static void options_postprocess_mutate(struct options *o) { int i; @@ -2980,8 +3118,18 @@ options_postprocess_mutate(struct options *o) helper_keepalive(o); helper_tcp_nodelay(o); + options_postprocess_cipher(o); options_postprocess_mutate_invariant(o); + if (o->ncp_enabled) + { + o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc); + if (o->ncp_ciphers == NULL) + { + msg(M_USAGE, "NCP cipher list contains unsupported ciphers or is too long."); + } + } + if (o->remote_list && !o->connection_list) { /* @@ -3015,7 +3163,6 @@ options_postprocess_mutate(struct options *o) options_postprocess_mutate_ce(o, o->connection_list->array[i]); } -#ifdef ENABLE_CRYPTO if (o->tls_server) { /* Check that DH file is specified, or explicitly disabled */ @@ -3029,20 +3176,9 @@ options_postprocess_mutate(struct options *o) { /* DH file is only meaningful in a tls-server context. */ msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only " - "include this in your server configuration"); + "include this in your server configuration"); o->dh_file = NULL; } - - /* cipher negotiation (NCP) currently assumes --pull or --mode server */ - if (o->ncp_enabled - && !(o->pull || o->mode == MODE_SERVER) ) - { - msg( M_WARN, "disabling NCP mode (--ncp-disable) because not " - "in P2MP client or server mode" ); - o->ncp_enabled = false; - } -#endif - #if ENABLE_MANAGEMENT if (o->http_proxy_override) { @@ -3064,12 +3200,11 @@ options_postprocess_mutate(struct options *o) */ #ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */ -#define CHKACC_FILE (1<<0) /** Check for a file/directory precense */ -#define CHKACC_DIRPATH (1<<1) /** Check for directory precense where a file should reside */ +#define CHKACC_FILE (1<<0) /** Check for a file/directory presence */ +#define CHKACC_DIRPATH (1<<1) /** Check for directory presence where a file should reside */ #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */ -#define CHKACC_INLINE (1<<3) /** File is present if it's an inline file */ -#define CHKACC_ACPTSTDIN (1<<4) /** If filename is stdin, it's allowed and "exists" */ -#define CHKACC_PRIVATE (1<<5) /** Warn if this (private) file is group/others accessible */ +#define CHKACC_ACPTSTDIN (1<<3) /** If filename is stdin, it's allowed and "exists" */ +#define CHKACC_PRIVATE (1<<4) /** Warn if this (private) file is group/others accessible */ static bool check_file_access(const int type, const char *file, const int mode, const char *opt) @@ -3082,12 +3217,6 @@ check_file_access(const int type, const char *file, const int mode, const char * return false; } - /* If this may be an inline file, and the proper inline "filename" is set - no issues */ - if ((type & CHKACC_INLINE) && streq(file, INLINE_FILE_TAG) ) - { - return false; - } - /* If stdin is allowed and the file name is 'stdin', then do no * further checks as stdin is always available */ @@ -3099,7 +3228,7 @@ check_file_access(const int type, const char *file, const int mode, const char * /* Is the directory path leading to the given file accessible? */ if (type & CHKACC_DIRPATH) { - char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementaion may modify its arguments */ + char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementation may modify its arguments */ char *dirpath = dirname(fullpath); if (platform_access(dirpath, mode|X_OK) != 0) @@ -3149,7 +3278,7 @@ check_file_access(const int type, const char *file, const int mode, const char * msg(M_NOPREFIX | M_OPTERR | M_ERRNO, "%s fails with '%s'", opt, file); } - /* Return true if an error occured */ + /* Return true if an error occurred */ return (errcode != 0 ? true : false); } @@ -3192,6 +3321,38 @@ check_file_access_chroot(const char *chroot, const int type, const char *file, c return ret; } +/** + * A wrapper for check_file_access_chroot() that returns false immediately if + * the file is inline (and therefore there is no access to check) + */ +static bool +check_file_access_chroot_inline(bool is_inline, const char *chroot, + const int type, const char *file, + const int mode, const char *opt) +{ + if (is_inline) + { + return false; + } + + return check_file_access_chroot(chroot, type, file, mode, opt); +} + +/** + * A wrapper for check_file_access() that returns false immediately if the file + * is inline (and therefore there is no access to check) + */ +static bool +check_file_access_inline(bool is_inline, const int type, const char *file, + const int mode, const char *opt) +{ + if (is_inline) + { + return false; + } + + return check_file_access(type, file, mode, opt); +} /* * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a @@ -3241,7 +3402,7 @@ check_cmd_access(const char *command, const char *opt, const char *chroot) return_code = true; } - argv_reset(&argv); + argv_free(&argv); return return_code; } @@ -3255,48 +3416,80 @@ options_postprocess_filechecks(struct options *options) { bool errs = false; -#ifdef ENABLE_CRYPTO /* ** SSL/TLS/crypto related files ** */ - errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh"); - errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca"); - errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); - errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert"); - errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->extra_certs_file, R_OK, - "--extra-certs"); -#ifdef MANAGMENT_EXTERNAL_KEY + errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, + options->dh_file, R_OK, "--dh"); + + errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, + options->ca_file, R_OK, "--ca"); + + errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->ca_path, R_OK, "--capath"); + + errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE, + options->cert_file, R_OK, "--cert"); + + errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE, + options->extra_certs_file, R_OK, + "--extra-certs"); + +#ifdef ENABLE_MANAGMENT if (!(options->management_flags & MF_EXTERNAL_KEY)) #endif { - errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, - options->priv_key_file, R_OK, "--key"); + errs |= check_file_access_inline(options->priv_key_file_inline, + CHKACC_FILE|CHKACC_PRIVATE, + options->priv_key_file, R_OK, "--key"); } - errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, - options->pkcs12_file, R_OK, "--pkcs12"); + + errs |= check_file_access_inline(options->pkcs12_file_inline, + CHKACC_FILE|CHKACC_PRIVATE, + options->pkcs12_file, R_OK, "--pkcs12"); if (options->ssl_flags & SSLF_CRL_VERIFY_DIR) { - errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK, + errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->crl_file, R_OK|X_OK, "--crl-verify directory"); } else { - errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE|CHKACC_INLINE, - options->crl_file, R_OK, "--crl-verify"); + errs |= check_file_access_chroot_inline(options->crl_file_inline, + options->chroot_dir, + CHKACC_FILE, options->crl_file, + R_OK, "--crl-verify"); + } + + ASSERT(options->connection_list); + for (int i = 0; i < options->connection_list->len; ++i) + { + struct connection_entry *ce = options->connection_list->array[i]; + + errs |= check_file_access_inline(ce->tls_auth_file_inline, + CHKACC_FILE|CHKACC_PRIVATE, + ce->tls_auth_file, R_OK, + "--tls-auth"); + errs |= check_file_access_inline(ce->tls_crypt_file_inline, + CHKACC_FILE|CHKACC_PRIVATE, + ce->tls_crypt_file, R_OK, + "--tls-crypt"); + errs |= check_file_access_inline(ce->tls_crypt_v2_file_inline, + CHKACC_FILE|CHKACC_PRIVATE, + ce->tls_crypt_v2_file, R_OK, + "--tls-crypt-v2"); } - errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, - options->tls_auth_file, R_OK, "--tls-auth"); - errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, - options->tls_crypt_file, R_OK, "--tls-crypt"); - errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE, - options->shared_secret_file, R_OK, "--secret"); + errs |= check_file_access_inline(options->shared_secret_file_inline, + CHKACC_FILE|CHKACC_PRIVATE, + options->shared_secret_file, R_OK, + "--secret"); + errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->packet_id_file, R_OK|W_OK, "--replay-persist"); /* ** Password files ** */ errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, options->key_pass_file, R_OK, "--askpass"); -#endif /* ENABLE_CRYPTO */ #ifdef ENABLE_MANAGEMENT errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, options->management_user_pass, R_OK, @@ -3319,18 +3512,13 @@ options_postprocess_filechecks(struct options *options) R_OK|W_OK, "--status"); /* ** Config related ** */ -#ifdef ENABLE_CRYPTO errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert, R_OK|W_OK|X_OK, "--tls-export-cert"); -#endif /* ENABLE_CRYPTO */ -#if P2MP_SERVER errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir, R_OK|X_OK, "--client-config-dir"); errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir, R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)"); -#endif /* P2MP_SERVER */ - if (errs) { msg(M_USAGE, "Please correct these errors."); @@ -3436,9 +3624,6 @@ pre_pull_restore(struct options *o, struct gc_arena *gc) } #endif /* if P2MP */ - -#ifdef ENABLE_OCC - /** * Calculate the link-mtu to advertise to our peer. The actual value is not * relevant, because we will possibly perform data channel cipher negotiation @@ -3450,7 +3635,7 @@ static size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame) { size_t link_mtu = EXPANDED_SIZE(frame); -#ifdef ENABLE_CRYPTO + if (o->pull || o->mode == MODE_SERVER) { struct frame fake_frame = *frame; @@ -3458,18 +3643,16 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true, false); frame_remove_from_extra_frame(&fake_frame, crypto_max_overhead()); - crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->use_iv, - o->replay, cipher_kt_mode_ofb_cfb(fake_kt.cipher)); + crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->replay, + cipher_kt_mode_ofb_cfb(fake_kt.cipher)); frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu, o->ce.tun_mtu_defined, o->ce.tun_mtu); msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu, EXPANDED_SIZE(&fake_frame)); link_mtu = EXPANDED_SIZE(&fake_frame); } -#endif return link_mtu; } - /* * Build an options string to represent data channel encryption options. * This string must match exactly between peers. The keysize is checked @@ -3504,7 +3687,6 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) * --keysize * --secret * --no-replay - * --no-iv * * SSL Options: * @@ -3518,6 +3700,7 @@ char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, + openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc) { @@ -3531,14 +3714,21 @@ options_string(const struct options *o, */ buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type)); - buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame)); + /* the link-mtu that we send has only a meaning if have a fixed + * cipher (p2p) or have a fallback cipher configured for older non + * ncp clients. But not sending it will make even 2.4 complain + * about it being missing. So still send it. */ + buf_printf(&out, ",link-mtu %u", + (unsigned int) calc_options_string_link_mtu(o, frame)); + buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame)); buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote)); + bool p2p_nopull = o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o); /* send tun_ipv6 only in peer2peer mode - in client/server mode, it * is usually pushed by the server, triggering a non-helpful warning */ - if (o->ifconfig_ipv6_local && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o)) + if (o->ifconfig_ipv6_local && p2p_nopull) { buf_printf(&out, ",tun-ipv6"); } @@ -3560,14 +3750,15 @@ options_string(const struct options *o, NULL, NULL, false, - NULL); + NULL, + ctx); if (tt) { tt_local = true; } } - if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o)) + if (tt && p2p_nopull) { const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc); if (ios && strlen(ios)) @@ -3595,8 +3786,6 @@ options_string(const struct options *o, } #endif -#ifdef ENABLE_CRYPTO - #define TLS_CLIENT (o->tls_client) #define TLS_SERVER (o->tls_server) @@ -3625,9 +3814,14 @@ options_string(const struct options *o, init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, false); - - buf_printf(&out, ",cipher %s", - translate_cipher_name_to_openvpn(cipher_kt_name(kt.cipher))); + /* Only announce the cipher to our peer if we are willing to + * support it */ + const char *ciphername = cipher_kt_name(kt.cipher); + if (p2p_nopull || !o->ncp_enabled + || tls_item_in_cipher_list(ciphername, o->ncp_ciphers)) + { + buf_printf(&out, ",cipher %s", ciphername); + } buf_printf(&out, ",auth %s", md_kt_name(kt.digest)); buf_printf(&out, ",keysize %d", kt.cipher_length * 8); if (o->shared_secret_file) @@ -3638,10 +3832,6 @@ options_string(const struct options *o, { buf_printf(&out, ",no-replay"); } - if (!o->use_iv) - { - buf_printf(&out, ",no-iv"); - } #ifdef ENABLE_PREDICTION_RESISTANCE if (o->use_prediction_resistance) @@ -3657,7 +3847,7 @@ options_string(const struct options *o, { if (TLS_CLIENT || TLS_SERVER) { - if (o->tls_auth_file) + if (o->ce.tls_auth_file) { buf_printf(&out, ",tls-auth"); } @@ -3665,10 +3855,7 @@ options_string(const struct options *o, * tls-auth/tls-crypt does not match. Removing tls-auth here would * break stuff, so leaving that in place. */ - if (o->key_method > 1) - { - buf_printf(&out, ",key-method %d", o->key_method); - } + buf_printf(&out, ",key-method %d", KEY_METHOD_2); } if (remote) @@ -3698,8 +3885,6 @@ options_string(const struct options *o, #undef TLS_CLIENT #undef TLS_SERVER -#endif /* ENABLE_CRYPTO */ - return BSTR(&out); } @@ -3754,7 +3939,8 @@ options_warning_safe_scan2(const int msglevel, || strprefix(p1, "keydir ") || strprefix(p1, "proto ") || strprefix(p1, "tls-auth ") - || strprefix(p1, "tun-ipv6")) + || strprefix(p1, "tun-ipv6") + || strprefix(p1, "cipher ")) { return; } @@ -3888,8 +4074,6 @@ options_string_version(const char *s, struct gc_arena *gc) return BSTR(&out); } -#endif /* ENABLE_OCC */ - char * options_string_extract_option(const char *options_string,const char *opt_name, struct gc_arena *gc) @@ -3958,6 +4142,33 @@ foreign_option(struct options *o, char *argv[], int len, struct env_set *es) } } +#ifdef _WIN32 +/** + * Parses --windows-driver config option + * + * @param str value of --windows-driver option + * @param msglevel msglevel to report parsing error + * @return enum windows_driver_type driver type, WINDOWS_DRIVER_UNSPECIFIED on unknown --windows-driver value + */ +static enum windows_driver_type +parse_windows_driver(const char *str, const int msglevel) +{ + if (streq(str, "tap-windows6")) + { + return WINDOWS_DRIVER_TAP_WINDOWS6; + } + else if (streq(str, "wintun")) + { + return WINDOWS_DRIVER_WINTUN; + } + else + { + msg(msglevel, "--windows-driver must be tap-windows6 or wintun"); + return WINDOWS_DRIVER_UNSPECIFIED; + } +} +#endif + /* * parse/print topology coding */ @@ -4081,7 +4292,6 @@ usage(void) struct options o; init_options(&o, true); -#ifdef ENABLE_CRYPTO fprintf(fp, usage_message, title_string, o.ce.connect_retry_seconds, @@ -4093,15 +4303,6 @@ usage(void) o.replay_window, o.replay_time, o.tls_timeout, o.renegotiate_seconds, o.handshake_window, o.transition_window); -#else /* ifdef ENABLE_CRYPTO */ - fprintf(fp, usage_message, - title_string, - o.ce.connect_retry_seconds, - o.ce.connect_retry_seconds_max, - o.ce.local_port, o.ce.remote_port, - TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT, - o.verbosity); -#endif fflush(fp); #endif /* ENABLE_SMALL */ @@ -4129,20 +4330,15 @@ show_windows_version(const unsigned int flags) void show_library_versions(const unsigned int flags) { -#ifdef ENABLE_CRYPTO -#define SSL_LIB_VER_STR get_ssl_library_version() -#else -#define SSL_LIB_VER_STR "" -#endif #ifdef ENABLE_LZO #define LZO_LIB_VER_STR ", LZO ", lzo_version_string() #else #define LZO_LIB_VER_STR "", "" #endif - msg(flags, "library versions: %s%s%s", SSL_LIB_VER_STR, LZO_LIB_VER_STR); + msg(flags, "library versions: %s%s%s", get_ssl_library_version(), + LZO_LIB_VER_STR); -#undef SSL_LIB_VER_STR #undef LZO_LIB_VER_STR } @@ -4164,7 +4360,7 @@ usage_version(void) msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD); #endif #endif - openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */ + openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); } void @@ -4482,25 +4678,26 @@ read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc) static bool check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc) { - bool ret = false; + bool is_inline = false; + if (p[0] && !p[1]) { char *arg = p[0]; if (arg[0] == '<' && arg[strlen(arg)-1] == '>') { struct buffer close_tag; - arg[strlen(arg)-1] = '\0'; - p[0] = string_alloc(arg+1, gc); - p[1] = string_alloc(INLINE_FILE_TAG, gc); + + arg[strlen(arg) - 1] = '\0'; + p[0] = string_alloc(arg + 1, gc); close_tag = alloc_buf(strlen(p[0]) + 4); buf_printf(&close_tag, "</%s>", p[0]); - p[2] = read_inline_file(is, BSTR(&close_tag), gc); - p[3] = NULL; + p[1] = read_inline_file(is, BSTR(&close_tag), gc); + p[2] = NULL; free_buf(&close_tag); - ret = true; + is_inline = true; } } - return ret; + return is_inline; } static bool @@ -4513,7 +4710,8 @@ check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc) } static bool -check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc) +check_inline_file_via_buf(struct buffer *multiline, char *p[], + struct gc_arena *gc) { struct in_src is; is.type = IS_TYPE_BUF; @@ -4524,6 +4722,7 @@ check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena * static void add_option(struct options *options, char *p[], + bool is_inline, const char *file, int line, const int level, @@ -4581,9 +4780,13 @@ read_config_file(struct options *options, } if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc)) { + bool is_inline; + bypass_doubledash(&p[0]); - check_inline_file_via_fp(fp, p, &options->gc); - add_option(options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es); + is_inline = check_inline_file_via_fp(fp, p, &options->gc); + add_option(options, p, is_inline, file, line_num, level, + msglevel, permission_mask, option_types_found, + es); } } if (fp != stdin) @@ -4626,9 +4829,12 @@ read_config_string(const char *prefix, ++line_num; if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc)) { + bool is_inline; + bypass_doubledash(&p[0]); - check_inline_file_via_buf(&multiline, p, &options->gc); - add_option(options, p, prefix, line_num, 0, msglevel, permission_mask, option_types_found, es); + is_inline = check_inline_file_via_buf(&multiline, p, &options->gc); + add_option(options, p, is_inline, prefix, line_num, 0, msglevel, + permission_mask, option_types_found, es); } CLEAR(p); } @@ -4659,7 +4865,8 @@ parse_argv(struct options *options, CLEAR(p); p[0] = "config"; p[1] = argv[1]; - add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es); + add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask, + option_types_found, es); } else { @@ -4693,7 +4900,8 @@ parse_argv(struct options *options, } } } - add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es); + add_option(options, p, false, NULL, 0, 0, msglevel, permission_mask, + option_types_found, es); i += j - 1; } } @@ -4764,7 +4972,8 @@ apply_push_options(struct options *options, } if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc)) { - add_option(options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es); + add_option(options, p, false, file, line_num, 0, msglevel, + permission_mask, option_types_found, es); } } return true; @@ -4803,7 +5012,13 @@ options_string_import(struct options *options, #if P2MP -#define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, msglevel, options)) {goto err;}} +#define VERIFY_PERMISSION(mask) { \ + if (!verify_permission(p[0], file, line, (mask), permission_mask, \ + option_types_found, msglevel, options, is_inline)) \ + { \ + goto err; \ + } \ +} static bool verify_permission(const char *name, @@ -4813,7 +5028,8 @@ verify_permission(const char *name, const unsigned int allowed, unsigned int *found, const int msglevel, - struct options *options) + struct options *options, + bool is_inline) { if (!(type & allowed)) { @@ -4821,6 +5037,13 @@ verify_permission(const char *name, return false; } + if (is_inline && !(type & OPT_P_INLINE)) + { + msg(msglevel, "option '%s' is not expected to be inline (%s:%d)", name, + file, line); + return false; + } + if (found) { *found |= type; @@ -4927,10 +5150,31 @@ set_user_script(struct options *options, #endif } +#ifdef USE_COMP +static void +show_compression_warning(struct compress_options *info) +{ + if (comp_non_stub_enabled(info)) + { + /* + * Check if already displayed the strong warning and enabled full + * compression + */ + if (!(info->flags & COMP_F_ALLOW_COMPRESS)) + { + msg(M_WARN, "WARNING: Compression for receiving enabled. " + "Compression has been used in the past to break encryption. " + "Sent packets are not compressed unless \"allow-compression yes\" " + "is also set."); + } + } +} +#endif static void add_option(struct options *options, char *p[], + bool is_inline, const char *file, int line, const int level, @@ -4997,13 +5241,15 @@ add_option(struct options *options, struct route_gateway_info rgi; struct route_ipv6_gateway_info rgi6; struct in6_addr remote = IN6ADDR_ANY_INIT; + openvpn_net_ctx_t net_ctx; VERIFY_PERMISSION(OPT_P_GENERAL); if (p[1]) { get_ipv6_addr(p[1], &remote, NULL, M_WARN); } - get_default_gateway(&rgi); - get_default_gateway_ipv6(&rgi6, &remote); + net_ctx_init(NULL, &net_ctx); + get_default_gateway(&rgi, &net_ctx); + get_default_gateway_ipv6(&rgi6, &remote, &net_ctx); print_default_gateway(M_INFO, &rgi, &rgi6); openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } @@ -5128,10 +5374,34 @@ add_option(struct options *options, options->management_flags |= MF_CONNECT_AS_CLIENT; options->management_write_peer_info_file = p[1]; } -#ifdef MANAGMENT_EXTERNAL_KEY - else if (streq(p[0], "management-external-key") && !p[1]) +#ifdef ENABLE_MANAGEMENT + else if (streq(p[0], "management-external-key")) { VERIFY_PERMISSION(OPT_P_GENERAL); + for (int j = 1; j < MAX_PARMS && p[j] != NULL; ++j) + { + if (streq(p[j], "nopadding")) + { + options->management_flags |= MF_EXTERNAL_KEY_NOPADDING; + } + else if (streq(p[j], "pkcs1")) + { + options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD; + } + else + { + msg(msglevel, "Unknown management-external-key flag: %s", p[j]); + } + } + /* + * When no option is present, assume that only PKCS1 + * padding is supported + */ + if (!(options->management_flags + &(MF_EXTERNAL_KEY_NOPADDING | MF_EXTERNAL_KEY_PKCS1PAD))) + { + options->management_flags |= MF_EXTERNAL_KEY_PKCS1PAD; + } options->management_flags |= MF_EXTERNAL_KEY; } else if (streq(p[0], "management-external-cert") && p[1] && !p[2]) @@ -5140,7 +5410,7 @@ add_option(struct options *options, options->management_flags |= MF_EXTERNAL_CERT; options->management_certificate = p[1]; } -#endif +#endif /* ifdef ENABLE_MANAGEMENT */ #ifdef MANAGEMENT_DEF_AUTH else if (streq(p[0], "management-client-auth") && !p[1]) { @@ -5191,12 +5461,10 @@ add_option(struct options *options, { options->mode = MODE_POINT_TO_POINT; } -#if P2MP_SERVER else if (streq(p[1], "server")) { options->mode = MODE_SERVER; } -#endif else { msg(msglevel, "Bad --mode parameter: %s", p[1]); @@ -5213,6 +5481,13 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->dev_type = p[1]; } +#ifdef _WIN32 + else if (streq(p[0], "windows-driver") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + options->windows_driver = parse_windows_driver(p[1], M_FATAL); + } +#endif else if (streq(p[0], "dev-node") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -5310,15 +5585,16 @@ add_option(struct options *options, } else if (streq(p[0], "connection") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL); - if (streq(p[1], INLINE_FILE_TAG) && p[2]) + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + if (is_inline) { struct options sub; struct connection_entry *e; init_options(&sub, true); sub.ce = options->ce; - read_config_string("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es); + read_config_string("[CONNECTION-OPTIONS]", &sub, p[1], msglevel, + OPT_P_CONNECTION, option_types_found, es); if (!sub.ce.remote) { msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive"); @@ -5799,13 +6075,11 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION); options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]); } -#ifdef ENABLE_OCC else if (streq(p[0], "mtu-test") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->mtu_test = true; } -#endif else if (streq(p[0], "nice") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_NICE); @@ -5844,6 +6118,13 @@ add_option(struct options *options, } } } +#ifdef TARGET_LINUX + else if (streq (p[0], "bind-dev") && p[1]) + { + VERIFY_PERMISSION (OPT_P_SOCKFLAGS); + options->bind_dev = p[1]; + } +#endif else if (streq(p[0], "txqueuelen") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -5999,17 +6280,10 @@ add_option(struct options *options, else if (streq(p[0], "http-proxy-user-pass") && p[1]) { struct http_proxy_options *ho; - VERIFY_PERMISSION(OPT_P_GENERAL); + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc); - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - ho->auth_file = p[2]; - ho->inline_creds = true; - } - else - { - ho->auth_file = p[1]; - } + ho->auth_file = p[1]; + ho->inline_creds = is_inline; } else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry")) { @@ -6116,7 +6390,6 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_TIMER); options->ping_timer_remote = true; } -#ifdef ENABLE_OCC else if (streq(p[0], "explicit-exit-notify") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY); @@ -6129,7 +6402,6 @@ add_option(struct options *options, options->ce.explicit_exit_notification = 1; } } -#endif else if (streq(p[0], "persist-tun") && !p[1]) { VERIFY_PERMISSION(OPT_P_PERSIST); @@ -6227,6 +6499,18 @@ add_option(struct options *options, } } } + else if (streq(p[0], "route-ipv6-gateway") && p[1] && !p[2]) + { + if (ipv6_addr_safe(p[1])) + { + options->route_ipv6_default_gateway = p[1]; + } + else + { + msg(msglevel, "route-ipv6-gateway parm '%s' must be a valid address", p[1]); + goto err; + } + } else if (streq(p[0], "route-metric") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_ROUTE); @@ -6316,6 +6600,18 @@ add_option(struct options *options, int j; VERIFY_PERMISSION(OPT_P_ROUTE); rol_check_alloc(options); + + if (options->routes->flags & RG_ENABLE) + { + msg(M_WARN, + "WARNING: You have specified redirect-gateway and " + "redirect-private at the same time (or the same option " + "multiple times). This is not well supported and may lead to " + "unexpected results"); + } + + options->routes->flags |= RG_ENABLE; + if (streq(p[0], "redirect-gateway")) { options->routes->flags |= RG_REROUTE_GW; @@ -6353,7 +6649,7 @@ add_option(struct options *options, } else if (streq(p[j], "!ipv4")) { - options->routes->flags &= ~RG_REROUTE_GW; + options->routes->flags &= ~(RG_REROUTE_GW | RG_ENABLE); } else { @@ -6365,7 +6661,11 @@ add_option(struct options *options, /* we need this here to handle pushed --redirect-gateway */ remap_redirect_gateway_flags(options); #endif - options->routes->flags |= RG_ENABLE; + } + else if (streq(p[0], "block-ipv6") && !p[1]) + { + VERIFY_PERMISSION(OPT_P_ROUTE); + options->block_ipv6 = true; } else if (streq(p[0], "remote-random-hostname") && !p[1]) { @@ -6384,12 +6684,10 @@ add_option(struct options *options, msg(msglevel, "this is a generic configuration and cannot directly be used"); goto err; } -#ifdef ENABLE_PUSH_PEER_INFO else if (streq(p[1], "PUSH_PEER_INFO") && !p[2]) { options->push_peer_info = true; } -#endif else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2]) { options->ce.connect_timeout = positive_atoi(p[2]); @@ -6412,7 +6710,7 @@ add_option(struct options *options, else if (streq(p[0], "script-security") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); - script_security = atoi(p[1]); + script_security_set(atoi(p[1])); } else if (streq(p[0], "mssfix") && !p[2]) { @@ -6427,15 +6725,12 @@ add_option(struct options *options, } } -#ifdef ENABLE_OCC else if (streq(p[0], "disable-occ") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->occ = false; } -#endif #if P2MP -#if P2MP_SERVER else if (streq(p[0], "server") && p[1] && p[2] && !p[4]) { const int lev = M_WARN; @@ -6479,9 +6774,12 @@ add_option(struct options *options, msg(msglevel, "error parsing --server-ipv6 parameter"); goto err; } - if (netbits < 64 || netbits > 112) + if (netbits < 64 || netbits > 124) { - msg( msglevel, "--server-ipv6 settings: only /64../112 supported right now (not /%d)", netbits ); + msg(msglevel, + "--server-ipv6 settings: network must be between /64 and /124 (not /%d)", + netbits); + goto err; } options->server_ipv6_defined = true; @@ -6583,12 +6881,6 @@ add_option(struct options *options, options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2]); } } - else if (streq(p[0], "ifconfig-pool-linear") && !p[1]) - { - VERIFY_PERMISSION(OPT_P_GENERAL); - options->topology = TOP_P2P; - msg(M_WARN, "DEPRECATED OPTION: --ifconfig-pool-linear, use --topology p2p instead"); - } else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2]) { const int lev = M_WARN; @@ -6601,9 +6893,11 @@ add_option(struct options *options, msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters"); goto err; } - if (netbits < 64 || netbits > 112) + if (netbits < 64 || netbits > 124) { - msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits ); + msg(msglevel, + "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)", + netbits); goto err; } @@ -6667,8 +6961,7 @@ add_option(struct options *options, else if (streq(p[0], "client-cert-not-required") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED; - msg(M_WARN, "DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead"); + msg(M_FATAL, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead"); } else if (streq(p[0], "verify-client-cert") && !p[2]) { @@ -6741,11 +7034,30 @@ add_option(struct options *options, &options->auth_user_pass_verify_script, p[1], "auth-user-pass-verify", true); } - else if (streq(p[0], "auth-gen-token")) + else if (streq(p[0], "auth-gen-token") && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->auth_token_generate = true; options->auth_token_lifetime = p[1] ? positive_atoi(p[1]) : 0; + if (p[2]) + { + if (streq(p[2], "external-auth")) + { + options->auth_token_call_auth = true; + } + else + { + msg(msglevel, "Invalid argument to auth-gen-token: %s", p[2]); + } + } + + } + else if (streq(p[0], "auth-gen-token-secret") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + options->auth_token_secret_file = p[1]; + options->auth_token_secret_file_inline = is_inline; + } else if (streq(p[0], "client-connect") && p[1]) { @@ -6964,7 +7276,6 @@ add_option(struct options *options, options->stale_routes_ageing_time = ageing_time; options->stale_routes_check_interval = check_interval; } -#endif /* P2MP_SERVER */ else if (streq(p[0], "client") && !p[1]) { @@ -6998,7 +7309,7 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); auth_retry_set(msglevel, p[1]); } -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -7015,7 +7326,7 @@ add_option(struct options *options, #ifdef _WIN32 VERIFY_PERMISSION(OPT_P_GENERAL); HANDLE process = GetCurrentProcess(); - HANDLE handle = (HANDLE) atoi(p[1]); + HANDLE handle = (HANDLE) atoll(p[1]); if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0, FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) { @@ -7151,7 +7462,7 @@ add_option(struct options *options, { if (strstr(p[2], ":")) { - ipv6dns=true; + ipv6dns = true; foreign_option(options, p, 3, es); dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel); } @@ -7172,6 +7483,18 @@ add_option(struct options *options, { dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel); } + else if (streq(p[1], "DOMAIN-SEARCH") && p[2]) + { + if (o->domain_search_list_len < N_SEARCH_LIST_LEN) + { + o->domain_search_list[o->domain_search_list_len++] = p[2]; + } + else + { + msg(msglevel, "--dhcp-option %s: maximum of %d search entries can be specified", + p[1], N_SEARCH_LIST_LEN); + } + } else if (streq(p[1], "DISABLE-NBT") && !p[2]) { o->disable_nbt = 1; @@ -7345,29 +7668,80 @@ add_option(struct options *options, } #endif #if defined(USE_COMP) + else if (streq(p[0], "allow-compression") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + + if (streq(p[1], "no")) + { + options->comp.flags = + COMP_F_ALLOW_STUB_ONLY|COMP_F_ADVERTISE_STUBS_ONLY; + if (comp_non_stub_enabled(&options->comp)) + { + msg(msglevel, "'--allow-compression no' conflicts with " + " enabling compression"); + } + } + else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) + { + /* Also printed on a push to hint at configuration problems */ + msg(msglevel, "Cannot set allow-compression to '%s' " + "after set to 'no'", p[1]); + goto err; + } + else if (streq(p[1], "asym")) + { + options->comp.flags &= ~COMP_F_ALLOW_COMPRESS; + } + else if (streq(p[1], "yes")) + { + msg(M_WARN, "WARNING: Compression for sending and receiving enabled. Compression has " + "been used in the past to break encryption. Allowing compression allows " + "attacks that break encryption. Using \"--allow-compression yes\" is " + "strongly discouraged for common usage. See --compress in the manual " + "page for more information "); + + options->comp.flags |= COMP_F_ALLOW_COMPRESS; + } + else + { + msg(msglevel, "bad allow-compression option: %s -- " + "must be 'yes', 'no', or 'asym'", p[1]); + goto err; + } + } else if (streq(p[0], "comp-lzo") && !p[2]) { VERIFY_PERMISSION(OPT_P_COMP); + /* All lzo variants do not use swap */ + options->comp.flags &= ~COMP_F_SWAP; #if defined(ENABLE_LZO) if (p[1] && streq(p[1], "no")) #endif { options->comp.alg = COMP_ALG_STUB; - options->comp.flags = 0; + options->comp.flags &= ~COMP_F_ADAPTIVE; } #if defined(ENABLE_LZO) + else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) + { + /* Also printed on a push to hint at configuration problems */ + msg(msglevel, "Cannot set comp-lzo to '%s', " + "allow-compression is set to 'no'", p[1]); + goto err; + } else if (p[1]) { if (streq(p[1], "yes")) { options->comp.alg = COMP_ALG_LZO; - options->comp.flags = 0; + options->comp.flags &= ~COMP_F_ADAPTIVE; } else if (streq(p[1], "adaptive")) { options->comp.alg = COMP_ALG_LZO; - options->comp.flags = COMP_F_ADAPTIVE; + options->comp.flags |= COMP_F_ADAPTIVE; } else { @@ -7378,12 +7752,17 @@ add_option(struct options *options, else { options->comp.alg = COMP_ALG_LZO; - options->comp.flags = COMP_F_ADAPTIVE; + options->comp.flags |= COMP_F_ADAPTIVE; } + show_compression_warning(&options->comp); #endif /* if defined(ENABLE_LZO) */ } else if (streq(p[0], "comp-noadapt") && !p[1]) { + /* + * We do not need to check here if we allow compression since + * it only modifies a flag if compression is enabled + */ VERIFY_PERMISSION(OPT_P_COMP); options->comp.flags &= ~COMP_F_ADAPTIVE; } @@ -7395,30 +7774,36 @@ add_option(struct options *options, if (streq(p[1], "stub")) { options->comp.alg = COMP_ALG_STUB; - options->comp.flags = (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY); + options->comp.flags |= (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY); } else if (streq(p[1], "stub-v2")) { options->comp.alg = COMP_ALGV2_UNCOMPRESSED; - options->comp.flags = COMP_F_ADVERTISE_STUBS_ONLY; + options->comp.flags |= COMP_F_ADVERTISE_STUBS_ONLY; + } + else if (options->comp.flags & COMP_F_ALLOW_STUB_ONLY) + { + /* Also printed on a push to hint at configuration problems */ + msg(msglevel, "Cannot set compress to '%s', " + "allow-compression is set to 'no'", p[1]); + goto err; } #if defined(ENABLE_LZO) else if (streq(p[1], "lzo")) { options->comp.alg = COMP_ALG_LZO; - options->comp.flags = 0; + options->comp.flags &= ~(COMP_F_ADAPTIVE | COMP_F_SWAP); } #endif #if defined(ENABLE_LZ4) else if (streq(p[1], "lz4")) { options->comp.alg = COMP_ALG_LZ4; - options->comp.flags = COMP_F_SWAP; + options->comp.flags |= COMP_F_SWAP; } else if (streq(p[1], "lz4-v2")) { options->comp.alg = COMP_ALGV2_LZ4; - options->comp.flags = 0; } #endif else @@ -7430,11 +7815,11 @@ add_option(struct options *options, else { options->comp.alg = COMP_ALG_STUB; - options->comp.flags = COMP_F_SWAP; + options->comp.flags |= COMP_F_SWAP; } + show_compression_warning(&options->comp); } #endif /* USE_COMP */ -#ifdef ENABLE_CRYPTO else if (streq(p[0], "show-ciphers") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -7454,10 +7839,19 @@ add_option(struct options *options, { int key_direction; + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION); + key_direction = ascii2keydirection(msglevel, p[1]); if (key_direction >= 0) { - options->key_direction = key_direction; + if (permission_mask & OPT_P_GENERAL) + { + options->key_direction = key_direction; + } + else if (permission_mask & OPT_P_CONNECTION) + { + options->ce.key_direction = key_direction; + } } else { @@ -7466,12 +7860,10 @@ add_option(struct options *options, } else if (streq(p[0], "secret") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL); - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - options->shared_secret_file_inline = p[2]; - } - else if (p[2]) + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + options->shared_secret_file = p[1]; + options->shared_secret_file_inline = is_inline; + if (!is_inline && p[2]) { int key_direction; @@ -7485,12 +7877,48 @@ add_option(struct options *options, goto err; } } - options->shared_secret_file = p[1]; } - else if (streq(p[0], "genkey") && !p[1]) + else if (streq(p[0], "genkey") && !p[4]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->genkey = true; + if (!p[1]) + { + options->genkey_type = GENKEY_SECRET; + } + else + { + if (streq(p[1], "secret") || streq(p[1], "tls-auth") + || streq(p[1], "tls-crypt")) + { + options->genkey_type = GENKEY_SECRET; + } + else if (streq(p[1], "tls-crypt-v2-server")) + { + options->genkey_type = GENKEY_TLS_CRYPTV2_SERVER; + } + else if (streq(p[1], "tls-crypt-v2-client")) + { + options->genkey_type = GENKEY_TLS_CRYPTV2_CLIENT; + if (p[3]) + { + options->genkey_extra_data = p[3]; + } + } + else if (streq(p[1], "auth-token")) + { + options->genkey_type = GENKEY_AUTH_TOKEN; + } + else + { + msg(msglevel, "unknown --genkey type: %s", p[1]); + } + + } + if (p[2]) + { + options->genkey_filename = p[2]; + } } else if (streq(p[0], "auth") && p[1] && !p[2]) { @@ -7499,18 +7927,33 @@ add_option(struct options *options, } else if (streq(p[0], "cipher") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_NCP); + VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE); options->ciphername = p[1]; } - else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2]) + else if (streq(p[0], "data-ciphers-fallback") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); + options->ciphername = p[1]; + options->enable_ncp_fallback = true; + } + else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) + && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); + if (streq(p[0], "ncp-ciphers")) + { + msg(M_INFO, "Note: Treating option '--ncp-ciphers' as " + " '--data-ciphers' (renamed in OpenVPN 2.5)."); + } options->ncp_ciphers = p[1]; } else if (streq(p[0], "ncp-disable") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); options->ncp_enabled = false; + msg(M_WARN, "DEPRECATED OPTION: ncp-disable. Disabling " + "cipher negotiation is a deprecated debug feature that " + "will be removed in OpenVPN 2.6"); } else if (streq(p[0], "prng") && p[1] && !p[3]) { @@ -7588,11 +8031,6 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->mute_replay_warnings = true; } - else if (streq(p[0], "no-iv") && !p[1]) - { - VERIFY_PERMISSION(OPT_P_GENERAL); - options->use_iv = false; - } else if (streq(p[0], "replay-persist") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -7644,7 +8082,7 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->show_tls_ciphers = true; } - else if (streq(p[0], "show-curves") && !p[1]) + else if ((streq(p[0], "show-curves") || streq(p[0], "show-groups")) && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->show_curves = true; @@ -7652,6 +8090,9 @@ add_option(struct options *options, else if (streq(p[0], "ecdh-curve") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); + msg(M_WARN, "Consider setting groups/curves preference with " + "tls-groups instead of forcing a specific curve with " + "ecdh-curve."); options->ecdh_curve = p[1]; } else if (streq(p[0], "tls-server") && !p[1]) @@ -7664,14 +8105,11 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->tls_client = true; } - else if (streq(p[0], "ca") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) + else if (streq(p[0], "ca") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL); + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); options->ca_file = p[1]; - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - options->ca_file_inline = p[2]; - } + options->ca_file_inline = is_inline; } #ifndef ENABLE_CRYPTO_MBEDTLS else if (streq(p[0], "capath") && p[1] && !p[2]) @@ -7680,32 +8118,23 @@ add_option(struct options *options, options->ca_path = p[1]; } #endif /* ENABLE_CRYPTO_MBEDTLS */ - else if (streq(p[0], "dh") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) + else if (streq(p[0], "dh") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL); + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); options->dh_file = p[1]; - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - options->dh_file_inline = p[2]; - } + options->dh_file_inline = is_inline; } - else if (streq(p[0], "cert") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) + else if (streq(p[0], "cert") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL); + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); options->cert_file = p[1]; - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - options->cert_file_inline = p[2]; - } + options->cert_file_inline = is_inline; } - else if (streq(p[0], "extra-certs") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) + else if (streq(p[0], "extra-certs") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL); + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); options->extra_certs_file = p[1]; - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - options->extra_certs_file_inline = p[2]; - } + options->extra_certs_file_inline = is_inline; } else if (streq(p[0], "verify-hash") && p[1] && !p[3]) { @@ -7734,14 +8163,11 @@ add_option(struct options *options, options->cryptoapi_cert = p[1]; } #endif - else if (streq(p[0], "key") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) + else if (streq(p[0], "key") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL); + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); options->priv_key_file = p[1]; - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - options->priv_key_file_inline = p[2]; - } + options->priv_key_file_inline = is_inline; } else if (streq(p[0], "tls-version-min") && p[1] && !p[3]) { @@ -7772,14 +8198,11 @@ add_option(struct options *options, options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT); } #ifndef ENABLE_CRYPTO_MBEDTLS - else if (streq(p[0], "pkcs12") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) + else if (streq(p[0], "pkcs12") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL); + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); options->pkcs12_file = p[1]; - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - options->pkcs12_file_inline = p[2]; - } + options->pkcs12_file_inline = is_inline; } #endif /* ENABLE_CRYPTO_MBEDTLS */ else if (streq(p[0], "askpass") && !p[2]) @@ -7815,13 +8238,11 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->single_session = true; } -#ifdef ENABLE_PUSH_PEER_INFO else if (streq(p[0], "push-peer-info") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->push_peer_info = true; } -#endif else if (streq(p[0], "tls-exit") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -7842,19 +8263,21 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->cipher_list_tls13 = p[1]; } - else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) - || (p[2] && streq(p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3]) + else if (streq(p[0], "tls-groups") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); + options->tls_groups = p[1]; + } + else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) + || !p[2])) + { + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); if (p[2] && streq(p[2], "dir")) { options->ssl_flags |= SSLF_CRL_VERIFY_DIR; } options->crl_file = p[1]; - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - options->crl_file_inline = p[2]; - } + options->crl_file_inline = is_inline; } else if (streq(p[0], "tls-verify") && p[1]) { @@ -7874,49 +8297,24 @@ add_option(struct options *options, options->tls_export_cert = p[1]; } #endif -#if P2MP_SERVER - else if (streq(p[0], "compat-names") && ((p[1] && streq(p[1], "no-remapping")) || !p[1]) && !p[2]) -#else - else if (streq(p[0], "compat-names") && !p[1]) -#endif + else if (streq(p[0], "compat-names")) { VERIFY_PERMISSION(OPT_P_GENERAL); - if (options->verify_x509_type != VERIFY_X509_NONE) - { - msg(msglevel, "you cannot use --compat-names with --verify-x509-name"); - goto err; - } - msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5."); - compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); -#if P2MP_SERVER - if (p[1] && streq(p[1], "no-remapping")) - { - compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); - } + msg(msglevel, "--compat-names was removed in OpenVPN 2.5. " + "Update your configuration."); + goto err; } else if (streq(p[0], "no-name-remapping") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - if (options->verify_x509_type != VERIFY_X509_NONE) - { - msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name"); - goto err; - } - msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN 2.5."); - compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES); - compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); -#endif + msg(msglevel, "--no-name-remapping was removed in OpenVPN 2.5. " + "Update your configuration."); + goto err; } else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3]) { int type = VERIFY_X509_SUBJECT_DN; VERIFY_PERMISSION(OPT_P_GENERAL); - if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES)) - { - msg(msglevel, "you cannot use --verify-x509-name with " - "--compat-names or --no-name-remapping"); - goto err; - } if (p[2]) { if (streq(p[2], "subject")) @@ -8012,10 +8410,14 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_TLS_PARMS); options->renegotiate_packets = positive_atoi(p[1]); } - else if (streq(p[0], "reneg-sec") && p[1] && !p[2]) + else if (streq(p[0], "reneg-sec") && p[1] && !p[3]) { VERIFY_PERMISSION(OPT_P_TLS_PARMS); options->renegotiate_seconds = positive_atoi(p[1]); + if (p[2]) + { + options->renegotiate_seconds_min = positive_atoi(p[2]); + } } else if (streq(p[0], "hand-window") && p[1] && !p[2]) { @@ -8029,51 +8431,75 @@ add_option(struct options *options, } else if (streq(p[0], "tls-auth") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL); - if (streq(p[1], INLINE_FILE_TAG) && p[2]) - { - options->tls_auth_file_inline = p[2]; - } - else if (p[2]) + int key_direction = -1; + + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE); + + if (permission_mask & OPT_P_GENERAL) { - int key_direction; + options->tls_auth_file = p[1]; + options->tls_auth_file_inline = is_inline; - key_direction = ascii2keydirection(msglevel, p[2]); - if (key_direction >= 0) + if (!is_inline && p[2]) { + key_direction = ascii2keydirection(msglevel, p[2]); + if (key_direction < 0) + { + goto err; + } options->key_direction = key_direction; } - else + + } + else if (permission_mask & OPT_P_CONNECTION) + { + options->ce.tls_auth_file = p[1]; + options->ce.tls_auth_file_inline = is_inline; + options->ce.key_direction = KEY_DIRECTION_BIDIRECTIONAL; + + if (!is_inline && p[2]) { - goto err; + key_direction = ascii2keydirection(msglevel, p[2]); + if (key_direction < 0) + { + goto err; + } + options->ce.key_direction = key_direction; } } - options->tls_auth_file = p[1]; } else if (streq(p[0], "tls-crypt") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL); - if (streq(p[1], INLINE_FILE_TAG) && p[2]) + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE); + if (permission_mask & OPT_P_GENERAL) { - options->tls_crypt_inline = p[2]; + options->tls_crypt_file = p[1]; + options->tls_crypt_file_inline = is_inline; + } + else if (permission_mask & OPT_P_CONNECTION) + { + options->ce.tls_crypt_file = p[1]; + options->ce.tls_crypt_file_inline = is_inline; } - options->tls_crypt_file = p[1]; } - else if (streq(p[0], "key-method") && p[1] && !p[2]) + else if (streq(p[0], "tls-crypt-v2") && p[1] && !p[3]) { - int key_method; - - VERIFY_PERMISSION(OPT_P_GENERAL); - key_method = atoi(p[1]); - if (key_method < KEY_METHOD_MIN || key_method > KEY_METHOD_MAX) + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_INLINE); + if (permission_mask & OPT_P_GENERAL) { - msg(msglevel, "key_method parameter (%d) must be >= %d and <= %d", - key_method, - KEY_METHOD_MIN, - KEY_METHOD_MAX); - goto err; + options->tls_crypt_v2_file = p[1]; + options->tls_crypt_v2_file_inline = is_inline; + } + else if (permission_mask & OPT_P_CONNECTION) + { + options->ce.tls_crypt_v2_file = p[1]; + options->ce.tls_crypt_v2_file_inline = is_inline; } - options->key_method = key_method; + } + else if (streq(p[0], "tls-crypt-v2-verify") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + options->tls_crypt_v2_verify_script = p[1]; } else if (streq(p[0], "x509-track") && p[1] && !p[2]) { @@ -8118,7 +8544,6 @@ add_option(struct options *options, options->x509_username_field = p[1]; } #endif /* ENABLE_X509ALTUSERNAME */ -#endif /* ENABLE_CRYPTO */ #ifdef ENABLE_PKCS11 else if (streq(p[0], "show-pkcs11-ids") && !p[3]) { @@ -8234,7 +8659,7 @@ add_option(struct options *options, options->use_peer_id = true; options->peer_id = atoi(p[1]); } -#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 +#ifdef HAVE_EXPORT_KEYING_MATERIAL else if (streq(p[0], "keying-material-exporter") && p[1] && p[2]) { int ekm_length = positive_atoi(p[2]); @@ -8256,12 +8681,51 @@ add_option(struct options *options, options->keying_material_exporter_label = p[1]; options->keying_material_exporter_length = ekm_length; } -#endif /* if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 */ +#endif /* HAVE_EXPORT_KEYING_MATERIAL */ else if (streq(p[0], "allow-recursive-routing") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); options->allow_recursive_routing = true; } + else if (streq(p[0], "vlan-tagging") && !p[1]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + options->vlan_tagging = true; + } + else if (streq(p[0], "vlan-accept") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + if (streq(p[1], "tagged")) + { + options->vlan_accept = VLAN_ONLY_TAGGED; + } + else if (streq(p[1], "untagged")) + { + options->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY; + } + else if (streq(p[1], "all")) + { + options->vlan_accept = VLAN_ALL; + } + else + { + msg(msglevel, "--vlan-accept must be 'tagged', 'untagged' or 'all'"); + goto err; + } + } + else if (streq(p[0], "vlan-pvid") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); + options->vlan_pvid = positive_atoi(p[1]); + if (options->vlan_pvid < OPENVPN_8021Q_MIN_VID + || options->vlan_pvid > OPENVPN_8021Q_MAX_VID) + { + msg(msglevel, + "the parameter of --vlan-pvid parameters must be >= %u and <= %u", + OPENVPN_8021Q_MIN_VID, OPENVPN_8021Q_MAX_VID); + goto err; + } + } else { int i; |