summaryrefslogtreecommitdiff
path: root/src/openvpn/options.c
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2016-12-27 18:25:47 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2016-12-27 18:25:47 +0100
commit3a2bbdb05ca6a6996e424c9fb225cb0d53804125 (patch)
treef29063da5bec4caf3853d49a22a09c8619eebd21 /src/openvpn/options.c
parentd53dba59e78da865c4fe820386ff2f4f76925f3b (diff)
New upstream version 2.4.0upstream/2.4.0
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r--src/openvpn/options.c11964
1 files changed, 6332 insertions, 5632 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 47acd97..bfedb6a 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5,7 +5,7 @@
* packet encryption, packet authentication, and
* packet compression.
*
- * Copyright (C) 2002-2013 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
* Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
*
* This program is free software; you can redistribute it and/or modify
@@ -63,715 +63,715 @@
#include "memdbg.h"
const char title_string[] =
- PACKAGE_STRING
+ PACKAGE_STRING
#ifdef CONFIGURE_GIT_REVISION
- " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
+ " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
#endif
- " " TARGET_ALIAS
+ " " TARGET_ALIAS
#ifdef ENABLE_CRYPTO
#if defined(ENABLE_CRYPTO_MBEDTLS)
- " [SSL (mbed TLS)]"
+ " [SSL (mbed TLS)]"
#elif defined(ENABLE_CRYPTO_OPENSSL)
- " [SSL (OpenSSL)]"
+ " [SSL (OpenSSL)]"
#else
- " [SSL]"
+ " [SSL]"
#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
#endif /* ENABLE_CRYPTO */
#ifdef USE_COMP
#ifdef ENABLE_LZO
- " [LZO]"
+ " [LZO]"
#endif
#ifdef ENABLE_LZ4
- " [LZ4]"
+ " [LZ4]"
#endif
#ifdef ENABLE_COMP_STUB
- " [COMP_STUB]"
+ " [COMP_STUB]"
#endif
#endif /* USE_COMP */
#if EPOLL
- " [EPOLL]"
+ " [EPOLL]"
#endif
#ifdef PRODUCT_TAP_DEBUG
- " [TAPDBG]"
+ " [TAPDBG]"
#endif
#ifdef ENABLE_PKCS11
- " [PKCS11]"
+ " [PKCS11]"
#endif
#if ENABLE_IP_PKTINFO
-# if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
- " [MH/PKTINFO]"
-# elif defined(IP_RECVDSTADDR)
- " [MH/RECVDA]"
-# endif
+#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
+ " [MH/PKTINFO]"
+#elif defined(IP_RECVDSTADDR)
+ " [MH/RECVDA]"
+#endif
#endif
#ifdef HAVE_AEAD_CIPHER_MODES
- " [AEAD]"
+ " [AEAD]"
#endif
- " built on " __DATE__
+ " built on " __DATE__
;
#ifndef ENABLE_SMALL
static const char usage_message[] =
- "%s\n"
- "\n"
- "General Options:\n"
- "--config file : Read configuration options from file.\n"
- "--help : Show options.\n"
- "--version : Show copyright and version information.\n"
- "\n"
- "Tunnel Options:\n"
- "--local host : Local host name or ip address. Implies --bind.\n"
- "--remote host [port] : Remote host name or ip address.\n"
- "--remote-random : If multiple --remote options specified, choose one randomly.\n"
- "--remote-random-hostname : Add a random string to remote DNS name.\n"
- "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
- "--proto p : Use protocol p for communicating with peer.\n"
- " p = udp (default), tcp-server, or tcp-client\n"
- "--proto-force p : only consider protocol p in list of connection profiles.\n"
- " p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
- "--connect-retry n [m] : For client, number of seconds to wait between\n"
- " connection retries (default=%d). On repeated retries\n"
- " the wait time is exponentially increased to a maximum of m\n"
- " (default=%d).\n"
- "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
- "--http-proxy s p [up] [auth] : Connect to remote host\n"
- " through an HTTP proxy at address s and port p.\n"
- " If proxy authentication is required,\n"
- " up is a file containing username/password on 2 lines, or\n"
- " 'stdin' to prompt from console. Add auth='ntlm' if\n"
- " the proxy requires NTLM authentication.\n"
- "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
- " determine auth method and query for username/password\n"
- " if needed. auto-nct disables weak proxy auth methods.\n"
- "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
- " Repeat to set multiple options.\n"
- " VERSION version (default=1.0)\n"
- " AGENT user-agent\n"
- "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
- " address s and port p (default port = 1080).\n"
- " If proxy authentication is required,\n"
- " up is a file containing username/password on 2 lines, or\n"
- " 'stdin' to prompt for console.\n"
- "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
- "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
- " resolve for n seconds before failing (disabled by default).\n"
- " Set n=\"infinite\" to retry indefinitely.\n"
- "--float : Allow remote to change its IP address/port, such as through\n"
- " DHCP (this is the default if --remote is not used).\n"
- "--ipchange cmd : Run command cmd on remote ip address initial\n"
- " setting or change -- execute as: cmd ip-address port#\n"
- "--port port : TCP/UDP port # for both local and remote.\n"
- "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
- "--rport port : TCP/UDP port # for remote (default=%s).\n"
- "--bind : Bind to local address and port. (This is the default unless\n"
- " --proto tcp-client"
- " or --http-proxy"
- " or --socks-proxy"
- " is used).\n"
- "--nobind : Do not bind to local address and port.\n"
- "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
- "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
- " this option only if the tun/tap device used with --dev\n"
- " does not begin with \"tun\" or \"tap\".\n"
- "--dev-node node : Explicitly set the device node rather than using\n"
- " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
- "--lladdr hw : Set the link layer address of the tap device.\n"
- "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
+ "%s\n"
+ "\n"
+ "General Options:\n"
+ "--config file : Read configuration options from file.\n"
+ "--help : Show options.\n"
+ "--version : Show copyright and version information.\n"
+ "\n"
+ "Tunnel Options:\n"
+ "--local host : Local host name or ip address. Implies --bind.\n"
+ "--remote host [port] : Remote host name or ip address.\n"
+ "--remote-random : If multiple --remote options specified, choose one randomly.\n"
+ "--remote-random-hostname : Add a random string to remote DNS name.\n"
+ "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
+ "--proto p : Use protocol p for communicating with peer.\n"
+ " p = udp (default), tcp-server, or tcp-client\n"
+ "--proto-force p : only consider protocol p in list of connection profiles.\n"
+ " p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
+ "--connect-retry n [m] : For client, number of seconds to wait between\n"
+ " connection retries (default=%d). On repeated retries\n"
+ " the wait time is exponentially increased to a maximum of m\n"
+ " (default=%d).\n"
+ "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
+ "--http-proxy s p [up] [auth] : Connect to remote host\n"
+ " through an HTTP proxy at address s and port p.\n"
+ " If proxy authentication is required,\n"
+ " up is a file containing username/password on 2 lines, or\n"
+ " 'stdin' to prompt from console. Add auth='ntlm' if\n"
+ " the proxy requires NTLM authentication.\n"
+ "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
+ " determine auth method and query for username/password\n"
+ " if needed. auto-nct disables weak proxy auth methods.\n"
+ "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
+ " Repeat to set multiple options.\n"
+ " VERSION version (default=1.0)\n"
+ " AGENT user-agent\n"
+ "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
+ " address s and port p (default port = 1080).\n"
+ " If proxy authentication is required,\n"
+ " up is a file containing username/password on 2 lines, or\n"
+ " 'stdin' to prompt for console.\n"
+ "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
+ "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
+ " resolve for n seconds before failing (disabled by default).\n"
+ " Set n=\"infinite\" to retry indefinitely.\n"
+ "--float : Allow remote to change its IP address/port, such as through\n"
+ " DHCP (this is the default if --remote is not used).\n"
+ "--ipchange cmd : Run command cmd on remote ip address initial\n"
+ " setting or change -- execute as: cmd ip-address port#\n"
+ "--port port : TCP/UDP port # for both local and remote.\n"
+ "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
+ "--rport port : TCP/UDP port # for remote (default=%s).\n"
+ "--bind : Bind to local address and port. (This is the default unless\n"
+ " --proto tcp-client"
+ " or --http-proxy"
+ " or --socks-proxy"
+ " is used).\n"
+ "--nobind : Do not bind to local address and port.\n"
+ "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
+ "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
+ " this option only if the tun/tap device used with --dev\n"
+ " does not begin with \"tun\" or \"tap\".\n"
+ "--dev-node node : Explicitly set the device node rather than using\n"
+ " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
+ "--lladdr hw : Set the link layer address of the tap device.\n"
+ "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
#ifdef ENABLE_IPROUTE
- "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
-#endif
- "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
- " endpoint and rn as a remote endpoint. l & rn should be\n"
- " swapped on the other peer. l & rn must be private\n"
- " addresses outside of the subnets used by either peer.\n"
- " TAP: configure device to use IP address l as a local\n"
- " endpoint and rn as a subnet mask.\n"
- "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
- " endpoint (as a /64) and r as remote endpoint\n"
- "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
- " pass --ifconfig parms by environment to scripts.\n"
- "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
- " connection doesn't match the remote side.\n"
- "--route network [netmask] [gateway] [metric] :\n"
- " Add route to routing table after connection\n"
- " is established. Multiple routes can be specified.\n"
- " netmask default: 255.255.255.255\n"
- " gateway default: taken from --route-gateway or --ifconfig\n"
- " Specify default by leaving blank or setting to \"nil\".\n"
- "--route-ipv6 network/bits [gateway] [metric] :\n"
- " Add IPv6 route to routing table after connection\n"
- " is established. Multiple routes can be specified.\n"
- " gateway default: taken from 'remote' in --ifconfig-ipv6\n"
- "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
- "--route-metric m : Specify a default metric for use with --route.\n"
- "--route-delay n [w] : Delay n seconds after connection initiation before\n"
- " adding routes (may be 0). If not specified, routes will\n"
- " be added immediately after tun/tap open. On Windows, wait\n"
- " up to w seconds for TUN/TAP adapter to come up.\n"
- "--route-up cmd : Run command cmd after routes are added.\n"
- "--route-pre-down cmd : Run command cmd before routes are removed.\n"
- "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
- " --route-up script using environmental variables.\n"
- "--route-nopull : When used with --client or --pull, accept options pushed\n"
- " by server EXCEPT for routes and dhcp options.\n"
- "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
- " --ifconfig, --route, and --route-gateway.\n"
- "--redirect-gateway [flags]: Automatically execute routing\n"
- " commands to redirect all outgoing IP traffic through the\n"
- " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
- " connected via a common subnet, such as with WiFi.\n"
- " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
- " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
- " flag to add a direct route to DHCP server, bypassing tunnel.\n"
- " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
- "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
- " the default gateway. Useful when pushing private subnets.\n"
- "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
+ "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
+#endif
+ "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
+ " endpoint and rn as a remote endpoint. l & rn should be\n"
+ " swapped on the other peer. l & rn must be private\n"
+ " addresses outside of the subnets used by either peer.\n"
+ " TAP: configure device to use IP address l as a local\n"
+ " endpoint and rn as a subnet mask.\n"
+ "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
+ " endpoint (as a /64) and r as remote endpoint\n"
+ "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
+ " pass --ifconfig parms by environment to scripts.\n"
+ "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
+ " connection doesn't match the remote side.\n"
+ "--route network [netmask] [gateway] [metric] :\n"
+ " Add route to routing table after connection\n"
+ " is established. Multiple routes can be specified.\n"
+ " netmask default: 255.255.255.255\n"
+ " gateway default: taken from --route-gateway or --ifconfig\n"
+ " Specify default by leaving blank or setting to \"nil\".\n"
+ "--route-ipv6 network/bits [gateway] [metric] :\n"
+ " Add IPv6 route to routing table after connection\n"
+ " is established. Multiple routes can be specified.\n"
+ " gateway default: taken from 'remote' in --ifconfig-ipv6\n"
+ "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
+ "--route-metric m : Specify a default metric for use with --route.\n"
+ "--route-delay n [w] : Delay n seconds after connection initiation before\n"
+ " adding routes (may be 0). If not specified, routes will\n"
+ " be added immediately after tun/tap open. On Windows, wait\n"
+ " up to w seconds for TUN/TAP adapter to come up.\n"
+ "--route-up cmd : Run command cmd after routes are added.\n"
+ "--route-pre-down cmd : Run command cmd before routes are removed.\n"
+ "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
+ " --route-up script using environmental variables.\n"
+ "--route-nopull : When used with --client or --pull, accept options pushed\n"
+ " by server EXCEPT for routes and dhcp options.\n"
+ "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
+ " --ifconfig, --route, and --route-gateway.\n"
+ "--redirect-gateway [flags]: Automatically execute routing\n"
+ " commands to redirect all outgoing IP traffic through the\n"
+ " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n"
+ " connected via a common subnet, such as with WiFi.\n"
+ " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
+ " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
+ " flag to add a direct route to DHCP server, bypassing tunnel.\n"
+ " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
+ "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
+ " the default gateway. Useful when pushing private subnets.\n"
+ "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
#ifdef ENABLE_PUSH_PEER_INFO
- "--push-peer-info : (client only) push client info to server.\n"
-#endif
- "--setenv name value : Set a custom environmental variable to pass to script.\n"
- "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
- " directives for future OpenVPN versions to be ignored.\n"
- "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
- " these options to be ignored when unknown\n"
- "--script-security level: Where level can be:\n"
- " 0 -- strictly no calling of external programs\n"
- " 1 -- (default) only call built-ins such as ifconfig\n"
- " 2 -- allow calling of built-ins and scripts\n"
- " 3 -- allow password to be passed to scripts via env\n"
- "--shaper n : Restrict output to peer to n bytes per second.\n"
- "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
- " ping once every n seconds, restart if ping not received\n"
- " for m seconds.\n"
- "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
- " produces a combined in/out byte count < bytes.\n"
- "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
- "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
- "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
- " remote address.\n"
- "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
+ "--push-peer-info : (client only) push client info to server.\n"
+#endif
+ "--setenv name value : Set a custom environmental variable to pass to script.\n"
+ "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
+ " directives for future OpenVPN versions to be ignored.\n"
+ "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
+ " these options to be ignored when unknown\n"
+ "--script-security level: Where level can be:\n"
+ " 0 -- strictly no calling of external programs\n"
+ " 1 -- (default) only call built-ins such as ifconfig\n"
+ " 2 -- allow calling of built-ins and scripts\n"
+ " 3 -- allow password to be passed to scripts via env\n"
+ "--shaper n : Restrict output to peer to n bytes per second.\n"
+ "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
+ " ping once every n seconds, restart if ping not received\n"
+ " for m seconds.\n"
+ "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
+ " produces a combined in/out byte count < bytes.\n"
+ "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
+ "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
+ "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
+ " remote address.\n"
+ "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
#if ENABLE_IP_PKTINFO
- "--multihome : Configure a multi-homed UDP server.\n"
-#endif
- "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
- "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
- "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
- "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
- "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
- "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
+ "--multihome : Configure a multi-homed UDP server.\n"
+#endif
+ "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
+ "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
+ "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
+ "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
+ "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
+ "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
#if PASSTOS_CAPABILITY
- "--passtos : TOS passthrough (applies to IPv4 only).\n"
-#endif
- "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
- " TCP/UDP MTU from it (default=%d).\n"
- "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
- " as n bytes more than the tun-mtu size on read\n"
- " (default TUN=0 TAP=%d).\n"
- "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
- " from it.\n"
- "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
- " 'no' -- Never send DF (Don't Fragment) frames\n"
- " 'maybe' -- Use per-route hints\n"
- " 'yes' -- Always DF (Don't Fragment)\n"
+ "--passtos : TOS passthrough (applies to IPv4 only).\n"
+#endif
+ "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
+ " TCP/UDP MTU from it (default=%d).\n"
+ "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
+ " as n bytes more than the tun-mtu size on read\n"
+ " (default TUN=0 TAP=%d).\n"
+ "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
+ " from it.\n"
+ "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
+ " 'no' -- Never send DF (Don't Fragment) frames\n"
+ " 'maybe' -- Use per-route hints\n"
+ " 'yes' -- Always DF (Don't Fragment)\n"
#ifdef ENABLE_OCC
- "--mtu-test : Empirically measure and report MTU.\n"
+ "--mtu-test : Empirically measure and report MTU.\n"
#endif
#ifdef ENABLE_FRAGMENT
- "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
- " datagrams are sent which are larger than max bytes.\n"
- " Adds 4 bytes of overhead per datagram.\n"
-#endif
- "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
- " or --fragment max value, whichever is lower.\n"
- "--sndbuf size : Set the TCP/UDP send buffer size.\n"
- "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
+ "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
+ " datagrams are sent which are larger than max bytes.\n"
+ " Adds 4 bytes of overhead per datagram.\n"
+#endif
+ "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
+ " or --fragment max value, whichever is lower.\n"
+ "--sndbuf size : Set the TCP/UDP send buffer size.\n"
+ "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
- "--mark value : Mark encrypted packets being sent with value. The mark value\n"
- " can be matched in policy routing and packetfilter rules.\n"
+ "--mark value : Mark encrypted packets being sent with value. The mark value\n"
+ " can be matched in policy routing and packetfilter rules.\n"
#endif
- "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
+ "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
#ifdef ENABLE_MEMSTATS
- "--memstats file : Write live usage stats to memory mapped binary file.\n"
-#endif
- "--mlock : Disable Paging -- ensures key material and tunnel\n"
- " data will never be written to disk.\n"
- "--up cmd : Run command cmd after successful tun device open.\n"
- " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
- " ifconfig-local-ip ifconfig-remote-ip\n"
- " (pre --user or --group UID/GID change)\n"
- "--up-delay : Delay tun/tap open and possible --up script execution\n"
- " until after TCP/UDP connection establishment with peer.\n"
- "--down cmd : Run command cmd after tun device close.\n"
- " (post --user/--group UID/GID change and/or --chroot)\n"
- " (command parameters are same as --up option)\n"
- "--down-pre : Run --down command before TUN/TAP close.\n"
- "--up-restart : Run up/down commands for all restarts including those\n"
- " caused by --ping-restart or SIGUSR1\n"
- "--user user : Set UID to user after initialization.\n"
- "--group group : Set GID to group after initialization.\n"
- "--chroot dir : Chroot to this directory after initialization.\n"
+ "--memstats file : Write live usage stats to memory mapped binary file.\n"
+#endif
+ "--mlock : Disable Paging -- ensures key material and tunnel\n"
+ " data will never be written to disk.\n"
+ "--up cmd : Run command cmd after successful tun device open.\n"
+ " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
+ " ifconfig-local-ip ifconfig-remote-ip\n"
+ " (pre --user or --group UID/GID change)\n"
+ "--up-delay : Delay tun/tap open and possible --up script execution\n"
+ " until after TCP/UDP connection establishment with peer.\n"
+ "--down cmd : Run command cmd after tun device close.\n"
+ " (post --user/--group UID/GID change and/or --chroot)\n"
+ " (command parameters are same as --up option)\n"
+ "--down-pre : Run --down command before TUN/TAP close.\n"
+ "--up-restart : Run up/down commands for all restarts including those\n"
+ " caused by --ping-restart or SIGUSR1\n"
+ "--user user : Set UID to user after initialization.\n"
+ "--group group : Set GID to group after initialization.\n"
+ "--chroot dir : Chroot to this directory after initialization.\n"
#ifdef ENABLE_SELINUX
- "--setcon context: Apply this SELinux context after initialization.\n"
-#endif
- "--cd dir : Change to this directory before initialization.\n"
- "--daemon [name] : Become a daemon after initialization.\n"
- " The optional 'name' parameter will be passed\n"
- " as the program name to the system logger.\n"
- "--syslog [name] : Output to syslog, but do not become a daemon.\n"
- " See --daemon above for a description of the 'name' parm.\n"
- "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
- " See --daemon above for a description of the 'name' parm.\n"
- "--log file : Output log to file which is created/truncated on open.\n"
- "--log-append file : Append log to file, or create file if nonexistent.\n"
- "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
- "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
- "--writepid file : Write main process ID to file.\n"
- "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
- "--echo [parms ...] : Echo parameters to log output.\n"
- "--verb n : Set output verbosity to n (default=%d):\n"
- " (Level 3 is recommended if you want a good summary\n"
- " of what's happening without being swamped by output).\n"
- " : 0 -- no output except fatal errors\n"
- " : 1 -- startup info + connection initiated messages +\n"
- " non-fatal encryption & net errors\n"
- " : 2,3 -- show TLS negotiations & route info\n"
- " : 4 -- show parameters\n"
- " : 5 -- show 'RrWw' chars on console for each packet sent\n"
- " and received from TCP/UDP (caps) or tun/tap (lc)\n"
- " : 6 to 11 -- debug messages of increasing verbosity\n"
- "--mute n : Log at most n consecutive messages in the same category.\n"
- "--status file n : Write operational status to file every n seconds.\n"
- "--status-version [n] : Choose the status file format version number.\n"
- " Currently, n can be 1, 2, or 3 (default=1).\n"
+ "--setcon context: Apply this SELinux context after initialization.\n"
+#endif
+ "--cd dir : Change to this directory before initialization.\n"
+ "--daemon [name] : Become a daemon after initialization.\n"
+ " The optional 'name' parameter will be passed\n"
+ " as the program name to the system logger.\n"
+ "--syslog [name] : Output to syslog, but do not become a daemon.\n"
+ " See --daemon above for a description of the 'name' parm.\n"
+ "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
+ " See --daemon above for a description of the 'name' parm.\n"
+ "--log file : Output log to file which is created/truncated on open.\n"
+ "--log-append file : Append log to file, or create file if nonexistent.\n"
+ "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
+ "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
+ "--writepid file : Write main process ID to file.\n"
+ "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
+ "--echo [parms ...] : Echo parameters to log output.\n"
+ "--verb n : Set output verbosity to n (default=%d):\n"
+ " (Level 3 is recommended if you want a good summary\n"
+ " of what's happening without being swamped by output).\n"
+ " : 0 -- no output except fatal errors\n"
+ " : 1 -- startup info + connection initiated messages +\n"
+ " non-fatal encryption & net errors\n"
+ " : 2,3 -- show TLS negotiations & route info\n"
+ " : 4 -- show parameters\n"
+ " : 5 -- show 'RrWw' chars on console for each packet sent\n"
+ " and received from TCP/UDP (caps) or tun/tap (lc)\n"
+ " : 6 to 11 -- debug messages of increasing verbosity\n"
+ "--mute n : Log at most n consecutive messages in the same category.\n"
+ "--status file n : Write operational status to file every n seconds.\n"
+ "--status-version [n] : Choose the status file format version number.\n"
+ " Currently, n can be 1, 2, or 3 (default=1).\n"
#ifdef ENABLE_OCC
- "--disable-occ : Disable options consistency check between peers.\n"
+ "--disable-occ : Disable options consistency check between peers.\n"
#endif
#ifdef ENABLE_DEBUG
- "--gremlin mask : Special stress testing mode (for debugging only).\n"
+ "--gremlin mask : Special stress testing mode (for debugging only).\n"
#endif
#if defined(USE_COMP)
- "--compress alg : Use compression algorithm alg\n"
+ "--compress alg : Use compression algorithm alg\n"
#if defined(ENABLE_LZO)
- "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
- " packet for uncompressible data.\n"
- "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
- " is specified.\n"
+ "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
+ " packet for uncompressible data.\n"
+ "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
+ " is specified.\n"
#endif
#endif
#ifdef ENABLE_MANAGEMENT
- "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
- " management functions. pass is a password file\n"
- " or 'stdin' to prompt from console.\n"
+ "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
+ " management functions. pass is a password file\n"
+ " or 'stdin' to prompt from console.\n"
#if UNIX_SOCK_SUPPORT
- " To listen on a unix domain socket, specific the pathname\n"
- " in place of ip and use 'unix' as the port number.\n"
-#endif
- "--management-client : Management interface will connect as a TCP client to\n"
- " ip/port rather than listen as a TCP server.\n"
- "--management-query-passwords : Query management channel for private key\n"
- " and auth-user-pass passwords.\n"
- "--management-query-proxy : Query management channel for proxy information.\n"
- "--management-query-remote : Query management channel for --remote directive.\n"
- "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
- " of the management interface explicitly starts it.\n"
- "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
- "--management-forget-disconnect : Forget passwords when management disconnect\n"
- " event occurs.\n"
- "--management-up-down : Report tunnel up/down events to management interface.\n"
- "--management-log-cache n : Cache n lines of log file history for usage\n"
- " by the management channel.\n"
+ " To listen on a unix domain socket, specific the pathname\n"
+ " in place of ip and use 'unix' as the port number.\n"
+#endif
+ "--management-client : Management interface will connect as a TCP client to\n"
+ " ip/port rather than listen as a TCP server.\n"
+ "--management-query-passwords : Query management channel for private key\n"
+ " and auth-user-pass passwords.\n"
+ "--management-query-proxy : Query management channel for proxy information.\n"
+ "--management-query-remote : Query management channel for --remote directive.\n"
+ "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
+ " of the management interface explicitly starts it.\n"
+ "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
+ "--management-forget-disconnect : Forget passwords when management disconnect\n"
+ " event occurs.\n"
+ "--management-up-down : Report tunnel up/down events to management interface.\n"
+ "--management-log-cache n : Cache n lines of log file history for usage\n"
+ " by the management channel.\n"
#if UNIX_SOCK_SUPPORT
- "--management-client-user u : When management interface is a unix socket, only\n"
- " allow connections from user u.\n"
- "--management-client-group g : When management interface is a unix socket, only\n"
- " allow connections from group g.\n"
+ "--management-client-user u : When management interface is a unix socket, only\n"
+ " allow connections from user u.\n"
+ "--management-client-group g : When management interface is a unix socket, only\n"
+ " allow connections from group g.\n"
#endif
#ifdef MANAGEMENT_DEF_AUTH
- "--management-client-auth : gives management interface client the responsibility\n"
- " to authenticate clients after their client certificate\n"
- " has been verified.\n"
+ "--management-client-auth : gives management interface client the responsibility\n"
+ " to authenticate clients after their client certificate\n"
+ " has been verified.\n"
#endif
#ifdef MANAGEMENT_PF
- "--management-client-pf : management interface clients must specify a packet\n"
- " filter file for each connecting client.\n"
-#endif
+ "--management-client-pf : management interface clients must specify a packet\n"
+ " filter file for each connecting client.\n"
#endif
+#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef ENABLE_PLUGIN
- "--plugin m [str]: Load plug-in module m passing str as an argument\n"
- " to its initialization function.\n"
+ "--plugin m [str]: Load plug-in module m passing str as an argument\n"
+ " to its initialization function.\n"
#endif
#if P2MP
#if P2MP_SERVER
- "\n"
- "Multi-Client Server options (when --mode server is used):\n"
- "--server network netmask : Helper option to easily configure server mode.\n"
- "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
- "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
- " easily configure ethernet bridging server mode.\n"
- "--push \"option\" : Push a config file option back to the peer for remote\n"
- " execution. Peer must specify --pull in its config file.\n"
- "--push-reset : Don't inherit global push list for specific\n"
- " client instance.\n"
- "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
- " to be dynamically allocated to connecting clients.\n"
- "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
- " in tun mode. Not compatible with Windows clients.\n"
- "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
- " data to file, at seconds intervals (default=600).\n"
- " If seconds=0, file will be treated as read-only.\n"
- "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
- " to be dynamically allocated to connecting clients.\n"
- "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
- " overrides --ifconfig-pool dynamic allocation.\n"
- " Only valid in a client-specific config file.\n"
- "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
- " remote, overrides --ifconfig-ipv6-pool allocation.\n"
- " Only valid in a client-specific config file.\n"
- "--iroute network [netmask] : Route subnet to client.\n"
- "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
- " Sets up internal routes only.\n"
- " Only valid in a client-specific config file.\n"
- "--disable : Client is disabled.\n"
- " Only valid in a client-specific config file.\n"
- "--client-cert-not-required : Don't require client certificate, client\n"
- " will authenticate using username/password.\n"
- "--verify-client-cert [none|optional|require] : perform no, optional or\n"
- " mandatory client certificate verification.\n"
- " Default is to require the client to supply a certificate.\n"
- "--username-as-common-name : For auth-user-pass authentication, use\n"
- " the authenticated username as the common name,\n"
- " rather than the common name from the client cert.\n"
- "--auth-user-pass-verify cmd method: Query client for username/password and\n"
- " run command cmd to verify. If method='via-env', pass\n"
- " user/pass via environment, if method='via-file', pass\n"
- " user/pass via temporary file.\n"
- "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
- " to each client, replacing the password. Usefull when\n"
- " OTP based two-factor auth mechanisms are in use and\n"
- " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
- " for generated tokens can be set.\n"
- "--opt-verify : Clients that connect with options that are incompatible\n"
- " with those of the server will be disconnected.\n"
- "--auth-user-pass-optional : Allow connections by clients that don't\n"
- " specify a username/password.\n"
- "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
- " any printable character.\n"
- "--client-to-client : Internally route client-to-client traffic.\n"
- "--duplicate-cn : Allow multiple clients with the same common name to\n"
- " concurrently connect.\n"
- "--client-connect cmd : Run command cmd on client connection.\n"
- "--client-disconnect cmd : Run command cmd on client disconnection.\n"
- "--client-config-dir dir : Directory for custom client config files.\n"
- "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
- "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
- "--hash-size r v : Set the size of the real address hash table to r and the\n"
- " virtual address table to v.\n"
- "--bcast-buffers n : Allocate n broadcast buffers.\n"
- "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
- "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
- " as well as pushes it to connecting clients.\n"
- "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
- "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
- "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
- "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
- "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
- " older than n seconds. Run this check every t\n"
- " seconds (defaults to n).\n"
- "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
- " clients. n = 1 - reconnect to same server,\n"
- " 2 - advance to next server, default=1.\n"
+ "\n"
+ "Multi-Client Server options (when --mode server is used):\n"
+ "--server network netmask : Helper option to easily configure server mode.\n"
+ "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
+ "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
+ " easily configure ethernet bridging server mode.\n"
+ "--push \"option\" : Push a config file option back to the peer for remote\n"
+ " execution. Peer must specify --pull in its config file.\n"
+ "--push-reset : Don't inherit global push list for specific\n"
+ " client instance.\n"
+ "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
+ " to be dynamically allocated to connecting clients.\n"
+ "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
+ " in tun mode. Not compatible with Windows clients.\n"
+ "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
+ " data to file, at seconds intervals (default=600).\n"
+ " If seconds=0, file will be treated as read-only.\n"
+ "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
+ " to be dynamically allocated to connecting clients.\n"
+ "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
+ " overrides --ifconfig-pool dynamic allocation.\n"
+ " Only valid in a client-specific config file.\n"
+ "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
+ " remote, overrides --ifconfig-ipv6-pool allocation.\n"
+ " Only valid in a client-specific config file.\n"
+ "--iroute network [netmask] : Route subnet to client.\n"
+ "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
+ " Sets up internal routes only.\n"
+ " Only valid in a client-specific config file.\n"
+ "--disable : Client is disabled.\n"
+ " Only valid in a client-specific config file.\n"
+ "--client-cert-not-required : Don't require client certificate, client\n"
+ " will authenticate using username/password.\n"
+ "--verify-client-cert [none|optional|require] : perform no, optional or\n"
+ " mandatory client certificate verification.\n"
+ " Default is to require the client to supply a certificate.\n"
+ "--username-as-common-name : For auth-user-pass authentication, use\n"
+ " the authenticated username as the common name,\n"
+ " rather than the common name from the client cert.\n"
+ "--auth-user-pass-verify cmd method: Query client for username/password and\n"
+ " run command cmd to verify. If method='via-env', pass\n"
+ " user/pass via environment, if method='via-file', pass\n"
+ " user/pass via temporary file.\n"
+ "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
+ " to each client, replacing the password. Usefull when\n"
+ " OTP based two-factor auth mechanisms are in use and\n"
+ " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
+ " for generated tokens can be set.\n"
+ "--opt-verify : Clients that connect with options that are incompatible\n"
+ " with those of the server will be disconnected.\n"
+ "--auth-user-pass-optional : Allow connections by clients that don't\n"
+ " specify a username/password.\n"
+ "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
+ " any printable character.\n"
+ "--client-to-client : Internally route client-to-client traffic.\n"
+ "--duplicate-cn : Allow multiple clients with the same common name to\n"
+ " concurrently connect.\n"
+ "--client-connect cmd : Run command cmd on client connection.\n"
+ "--client-disconnect cmd : Run command cmd on client disconnection.\n"
+ "--client-config-dir dir : Directory for custom client config files.\n"
+ "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
+ "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
+ "--hash-size r v : Set the size of the real address hash table to r and the\n"
+ " virtual address table to v.\n"
+ "--bcast-buffers n : Allocate n broadcast buffers.\n"
+ "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
+ "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
+ " as well as pushes it to connecting clients.\n"
+ "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
+ "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
+ "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
+ "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
+ "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
+ " older than n seconds. Run this check every t\n"
+ " seconds (defaults to n).\n"
+ "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
+ " clients. n = 1 - reconnect to same server,\n"
+ " 2 - advance to next server, default=1.\n"
#if PORT_SHARE
- "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
- " sessions to a web server at host:port. dir specifies an\n"
- " optional directory to write origin IP:port data.\n"
-#endif
-#endif
- "\n"
- "Client options (when connecting to a multi-client server):\n"
- "--client : Helper option to easily configure client mode.\n"
- "--auth-user-pass [up] : Authenticate with server using username/password.\n"
- " up is a file containing the username on the first line,\n"
- " and a password on the second. If either the password or both\n"
- " the username and the password are omitted OpenVPN will prompt\n"
- " for them from console.\n"
- "--pull : Accept certain config file options from the peer as if they\n"
- " were part of the local config file. Must be specified\n"
- " when connecting to a '--mode server' remote host.\n"
- "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
- " server if it starts with the text t. The action flag accept,\n"
- " ignore or reject causes the option to be allowed, removed or\n"
- " rejected with error. May be specified multiple times, and\n"
- " each filter is applied in the order of appearance.\n"
- "--auth-retry t : How to handle auth failures. Set t to\n"
- " none (default), interact, or nointeract.\n"
- "--static-challenge t e : Enable static challenge/response protocol using\n"
- " challenge text t, with e indicating echo flag (0|1)\n"
- "--connect-timeout n : when polling possible remote servers to connect to\n"
- " in a round-robin fashion, spend no more than n seconds\n"
- " waiting for a response before trying the next server.\n"
- "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
- " incoming tun packets with same destination as host.\n"
-#endif
+ "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
+ " sessions to a web server at host:port. dir specifies an\n"
+ " optional directory to write origin IP:port data.\n"
+#endif
+#endif /* if P2MP_SERVER */
+ "\n"
+ "Client options (when connecting to a multi-client server):\n"
+ "--client : Helper option to easily configure client mode.\n"
+ "--auth-user-pass [up] : Authenticate with server using username/password.\n"
+ " up is a file containing the username on the first line,\n"
+ " and a password on the second. If either the password or both\n"
+ " the username and the password are omitted OpenVPN will prompt\n"
+ " for them from console.\n"
+ "--pull : Accept certain config file options from the peer as if they\n"
+ " were part of the local config file. Must be specified\n"
+ " when connecting to a '--mode server' remote host.\n"
+ "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
+ " server if it starts with the text t. The action flag accept,\n"
+ " ignore or reject causes the option to be allowed, removed or\n"
+ " rejected with error. May be specified multiple times, and\n"
+ " each filter is applied in the order of appearance.\n"
+ "--auth-retry t : How to handle auth failures. Set t to\n"
+ " none (default), interact, or nointeract.\n"
+ "--static-challenge t e : Enable static challenge/response protocol using\n"
+ " challenge text t, with e indicating echo flag (0|1)\n"
+ "--connect-timeout n : when polling possible remote servers to connect to\n"
+ " in a round-robin fashion, spend no more than n seconds\n"
+ " waiting for a response before trying the next server.\n"
+ "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
+ " incoming tun packets with same destination as host.\n"
+#endif /* if P2MP */
#ifdef ENABLE_OCC
- "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
- " server/remote. n = # of retries, default=1.\n"
+ "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
+ " server/remote. n = # of retries, default=1.\n"
#endif
#ifdef ENABLE_CRYPTO
- "\n"
- "Data Channel Encryption Options (must be compatible between peers):\n"
- "(These options are meaningful for both Static Key & TLS-mode)\n"
- "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
- " Use shared secret file f, generate with --genkey.\n"
- " The optional d parameter controls key directionality.\n"
- " If d is specified, use separate keys for each\n"
- " direction, set d=0 on one side of the connection,\n"
- " and d=1 on the other side.\n"
- "--auth alg : Authenticate packets with HMAC using message\n"
- " digest algorithm alg (default=%s).\n"
- " (usually adds 16 or 20 bytes per packet)\n"
- " Set alg=none to disable authentication.\n"
- "--cipher alg : Encrypt packets with cipher algorithm alg\n"
- " (default=%s).\n"
- " Set alg=none to disable encryption.\n"
- "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
- "--ncp-disable : Disable cipher negotiation.\n"
- "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
- " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
+ "\n"
+ "Data Channel Encryption Options (must be compatible between peers):\n"
+ "(These options are meaningful for both Static Key & TLS-mode)\n"
+ "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
+ " Use shared secret file f, generate with --genkey.\n"
+ " The optional d parameter controls key directionality.\n"
+ " If d is specified, use separate keys for each\n"
+ " direction, set d=0 on one side of the connection,\n"
+ " and d=1 on the other side.\n"
+ "--auth alg : Authenticate packets with HMAC using message\n"
+ " digest algorithm alg (default=%s).\n"
+ " (usually adds 16 or 20 bytes per packet)\n"
+ " Set alg=none to disable authentication.\n"
+ "--cipher alg : Encrypt packets with cipher algorithm alg\n"
+ " (default=%s).\n"
+ " Set alg=none to disable encryption.\n"
+ "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
+ "--ncp-disable : Disable cipher negotiation.\n"
+ "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
+ " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
- "--keysize n : Size of cipher key in bits (optional).\n"
- " If unspecified, defaults to cipher-specific default.\n"
+ "--keysize n : Size of cipher key in bits (optional).\n"
+ " If unspecified, defaults to cipher-specific default.\n"
#endif
#ifndef ENABLE_CRYPTO_MBEDTLS
- "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
-#endif
- "--no-replay : Disable replay protection.\n"
- "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
- "--replay-window n [t] : Use a replay protection sliding window of size n\n"
- " and a time window of t seconds.\n"
- " Default n=%d t=%d\n"
- "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n"
- "--replay-persist file : Persist replay-protection state across sessions\n"
- " using file.\n"
- "--test-crypto : Run a self-test of crypto features enabled.\n"
- " For debugging only.\n"
+ "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
+#endif
+ "--no-replay : Disable replay protection.\n"
+ "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
+ "--replay-window n [t] : Use a replay protection sliding window of size n\n"
+ " and a time window of t seconds.\n"
+ " Default n=%d t=%d\n"
+ "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n"
+ "--replay-persist file : Persist replay-protection state across sessions\n"
+ " using file.\n"
+ "--test-crypto : Run a self-test of crypto features enabled.\n"
+ " For debugging only.\n"
#ifdef ENABLE_PREDICTION_RESISTANCE
- "--use-prediction-resistance: Enable prediction resistance on the random\n"
- " number generator.\n"
-#endif
- "\n"
- "TLS Key Negotiation Options:\n"
- "(These options are meaningful only for TLS-mode)\n"
- "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
- "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
- "--key-method m : Data channel key exchange method. m should be a method\n"
- " number, such as 1 (default), 2, etc.\n"
- "--ca file : Certificate authority file in .pem format containing\n"
- " root certificate.\n"
+ "--use-prediction-resistance: Enable prediction resistance on the random\n"
+ " number generator.\n"
+#endif
+ "\n"
+ "TLS Key Negotiation Options:\n"
+ "(These options are meaningful only for TLS-mode)\n"
+ "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
+ "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
+ "--key-method m : Data channel key exchange method. m should be a method\n"
+ " number, such as 1 (default), 2, etc.\n"
+ "--ca file : Certificate authority file in .pem format containing\n"
+ " root certificate.\n"
#ifndef ENABLE_CRYPTO_MBEDTLS
- "--capath dir : A directory of trusted certificates (CAs"
- " and CRLs).\n"
+ "--capath dir : A directory of trusted certificates (CAs"
+ " and CRLs).\n"
#endif /* ENABLE_CRYPTO_MBEDTLS */
- "--dh file : File containing Diffie Hellman parameters\n"
- " in .pem format (for --tls-server only).\n"
- " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
- "--cert file : Local certificate in .pem format -- must be signed\n"
- " by a Certificate Authority in --ca file.\n"
- "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
- "--key file : Local private key in .pem format.\n"
- "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
- " will accept from the peer. If version is unrecognized and 'or-highest'\n"
- " is specified, require max TLS version supported by SSL implementation.\n"
- "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
+ "--dh file : File containing Diffie Hellman parameters\n"
+ " in .pem format (for --tls-server only).\n"
+ " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
+ "--cert file : Local certificate in .pem format -- must be signed\n"
+ " by a Certificate Authority in --ca file.\n"
+ "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
+ "--key file : Local private key in .pem format.\n"
+ "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
+ " will accept from the peer. If version is unrecognized and 'or-highest'\n"
+ " is specified, require max TLS version supported by SSL implementation.\n"
+ "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
#ifndef ENABLE_CRYPTO_MBEDTLS
- "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
- " and optionally the root CA certificate.\n"
+ "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
+ " and optionally the root CA certificate.\n"
#endif
#ifdef ENABLE_X509ALTUSERNAME
- "--x509-username-field : Field in x509 certificate containing the username.\n"
- " Default is CN in the Subject field.\n"
+ "--x509-username-field : Field in x509 certificate containing the username.\n"
+ " Default is CN in the Subject field.\n"
#endif
- "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n"
+ "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n"
#ifdef _WIN32
- "--cryptoapicert select-string : Load the certificate and private key from the\n"
- " Windows Certificate System Store.\n"
-#endif
- "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
- " : Use --show-tls to see a list of supported TLS ciphers.\n"
- "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
- " if no ACK from remote within n seconds (default=%d).\n"
- "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
- "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
- "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
- "--hand-window n : Data channel key exchange must finalize within n seconds\n"
- " of handshake initiation by any peer (default=%d).\n"
- "--tran-window n : Transition window -- old key can live this many seconds\n"
- " after new key renegotiation begins (default=%d).\n"
- "--single-session: Allow only one session (reset state on restart).\n"
- "--tls-exit : Exit on TLS negotiation failure.\n"
- "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
- " control channel to protect against attacks on the TLS stack\n"
- " and DoS attacks.\n"
- " f (required) is a shared-secret key file.\n"
- " The optional d parameter controls key directionality,\n"
- " see --secret option for more info.\n"
- "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
- " of the TLS control channel to hide the TLS certificate,\n"
- " provide basic post-quantum security and protect against\n"
- " attacks on the TLS stack and DoS attacks.\n"
- " key (required) provides the pre-shared key file.\n"
- " see --secret option for more info.\n"
- "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
- "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
- "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
- "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
- " pending TLS connection that has otherwise passed all other\n"
- " tests of certification. cmd should return 0 to allow\n"
- " TLS handshake to proceed, or 1 to fail. (cmd is\n"
- " executed as 'cmd certificate_depth subject')\n"
- "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
- " in an openvpn temporary file in [directory]. Peer cert is \n"
- " stored before tls-verify script execution and deleted after.\n"
- "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
- " DN name. The remote host must also pass all other tests\n"
- " of verification.\n"
- "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
- " nsCertType designation t = 'client' | 'server'.\n"
- "--x509-track x : Save peer X509 attribute x in environment for use by\n"
- " plugins and management interface.\n"
+ "--cryptoapicert select-string : Load the certificate and private key from the\n"
+ " Windows Certificate System Store.\n"
+#endif
+ "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
+ " : Use --show-tls to see a list of supported TLS ciphers.\n"
+ "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
+ " if no ACK from remote within n seconds (default=%d).\n"
+ "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
+ "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
+ "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
+ "--hand-window n : Data channel key exchange must finalize within n seconds\n"
+ " of handshake initiation by any peer (default=%d).\n"
+ "--tran-window n : Transition window -- old key can live this many seconds\n"
+ " after new key renegotiation begins (default=%d).\n"
+ "--single-session: Allow only one session (reset state on restart).\n"
+ "--tls-exit : Exit on TLS negotiation failure.\n"
+ "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
+ " control channel to protect against attacks on the TLS stack\n"
+ " and DoS attacks.\n"
+ " f (required) is a shared-secret key file.\n"
+ " The optional d parameter controls key directionality,\n"
+ " see --secret option for more info.\n"
+ "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
+ " of the TLS control channel to hide the TLS certificate,\n"
+ " provide basic post-quantum security and protect against\n"
+ " attacks on the TLS stack and DoS attacks.\n"
+ " key (required) provides the pre-shared key file.\n"
+ " see --secret option for more info.\n"
+ "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
+ "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
+ "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
+ "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
+ " pending TLS connection that has otherwise passed all other\n"
+ " tests of certification. cmd should return 0 to allow\n"
+ " TLS handshake to proceed, or 1 to fail. (cmd is\n"
+ " executed as 'cmd certificate_depth subject')\n"
+ "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
+ " in an openvpn temporary file in [directory]. Peer cert is \n"
+ " stored before tls-verify script execution and deleted after.\n"
+ "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
+ " DN name. The remote host must also pass all other tests\n"
+ " of verification.\n"
+ "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
+ " nsCertType designation t = 'client' | 'server'.\n"
+ "--x509-track x : Save peer X509 attribute x in environment for use by\n"
+ " plugins and management interface.\n"
#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
- "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
- " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
-#endif
- "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
- " explicit key usage, you can specify more than one value.\n"
- " value should be given in hex format.\n"
- "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
- " explicit extended key usage. Extended key usage can be encoded\n"
- " as an object identifier or OpenSSL string representation.\n"
- "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
- " key usage and extended key usage based on RFC3280 TLS rules.\n"
- " t = 'client' | 'server'.\n"
+ "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
+ " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
+#endif
+ "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
+ " explicit key usage, you can specify more than one value.\n"
+ " value should be given in hex format.\n"
+ "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
+ " explicit extended key usage. Extended key usage can be encoded\n"
+ " as an object identifier or OpenSSL string representation.\n"
+ "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
+ " key usage and extended key usage based on RFC3280 TLS rules.\n"
+ " t = 'client' | 'server'.\n"
#ifdef ENABLE_PKCS11
- "\n"
- "PKCS#11 Options:\n"
- "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
- "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
- " path. Set for each provider.\n"
- "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
- " 0 : Try to determind automatically (default).\n"
- " 1 : Use Sign.\n"
- " 2 : Use SignRecover.\n"
- " 4 : Use Decrypt.\n"
- " 8 : Use Unwrap.\n"
- "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
- " certificate can be accessed. Set for each provider.\n"
- "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
- " cache until token is removed.\n"
- "--pkcs11-id-management : Acquire identity from management interface.\n"
- "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
-#endif /* ENABLE_PKCS11 */
- "\n"
- "SSL Library information:\n"
- "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
- "--show-digests : Show message digest algorithms to use with --auth option.\n"
- "--show-engines : Show hardware crypto accelerator engines (if available).\n"
- "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
+ "\n"
+ "PKCS#11 Options:\n"
+ "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
+ "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
+ " path. Set for each provider.\n"
+ "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
+ " 0 : Try to determind automatically (default).\n"
+ " 1 : Use Sign.\n"
+ " 2 : Use SignRecover.\n"
+ " 4 : Use Decrypt.\n"
+ " 8 : Use Unwrap.\n"
+ "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
+ " certificate can be accessed. Set for each provider.\n"
+ "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
+ " cache until token is removed.\n"
+ "--pkcs11-id-management : Acquire identity from management interface.\n"
+ "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
+#endif /* ENABLE_PKCS11 */
+ "\n"
+ "SSL Library information:\n"
+ "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
+ "--show-digests : Show message digest algorithms to use with --auth option.\n"
+ "--show-engines : Show hardware crypto accelerator engines (if available).\n"
+ "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
#ifdef _WIN32
- "\n"
- "Windows Specific:\n"
- "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
- " from SystemRoot environment variable.\n"
- "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
- " IP address using method = manual, netsh, ipapi,\n"
- " dynamic, or adaptive (default = adaptive).\n"
- " Dynamic method allows two optional parameters:\n"
- " offset: DHCP server address offset (> -256 and < 256).\n"
- " If 0, use network address, if >0, take nth\n"
- " address forward from network address, if <0,\n"
- " take nth address backward from broadcast\n"
- " address.\n"
- " Default is 0.\n"
- " lease-time: Lease time in seconds.\n"
- " Default is one year.\n"
- "--route-method : Which method to use for adding routes on Windows?\n"
- " adaptive (default) -- Try ipapi then fall back to exe.\n"
- " ipapi -- Use IP helper API.\n"
- " exe -- Call the route.exe shell command.\n"
- "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
- " be used with --ip-win32 dynamic. For options\n"
- " which allow multiple addresses,\n"
- " --dhcp-option must be repeated.\n"
- " DOMAIN name : Set DNS suffix\n"
- " DNS addr : Set domain name server address(es) (IPv4)\n"
- " DNS6 addr : Set domain name server address(es) (IPv6)\n"
- " NTP : Set NTP server address(es)\n"
- " NBDD : Set NBDD server address(es)\n"
- " WINS addr : Set WINS server address(es)\n"
- " NBT type : Set NetBIOS over TCP/IP Node type\n"
- " 1: B, 2: P, 4: M, 8: H\n"
- " NBS id : Set NetBIOS scope ID\n"
- " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
- "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
- "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
-" startup.\n"
- "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n"
- "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
- " on connection initiation.\n"
- "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
- " attempting to set adapter properties.\n"
- "--pause-exit : When run from a console window, pause before exiting.\n"
- "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
- " service, and should not be used directly by end-users.\n"
- " ex is the name of an event object which, when\n"
- " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
- " optional parameter controls the initial state of ex.\n"
- "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
- " after TAP adapter is up and routes have been added.\n"
+ "\n"
+ "Windows Specific:\n"
+ "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
+ " from SystemRoot environment variable.\n"
+ "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
+ " IP address using method = manual, netsh, ipapi,\n"
+ " dynamic, or adaptive (default = adaptive).\n"
+ " Dynamic method allows two optional parameters:\n"
+ " offset: DHCP server address offset (> -256 and < 256).\n"
+ " If 0, use network address, if >0, take nth\n"
+ " address forward from network address, if <0,\n"
+ " take nth address backward from broadcast\n"
+ " address.\n"
+ " Default is 0.\n"
+ " lease-time: Lease time in seconds.\n"
+ " Default is one year.\n"
+ "--route-method : Which method to use for adding routes on Windows?\n"
+ " adaptive (default) -- Try ipapi then fall back to exe.\n"
+ " ipapi -- Use IP helper API.\n"
+ " exe -- Call the route.exe shell command.\n"
+ "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
+ " be used with --ip-win32 dynamic. For options\n"
+ " which allow multiple addresses,\n"
+ " --dhcp-option must be repeated.\n"
+ " DOMAIN name : Set DNS suffix\n"
+ " DNS addr : Set domain name server address(es) (IPv4)\n"
+ " DNS6 addr : Set domain name server address(es) (IPv6)\n"
+ " NTP : Set NTP server address(es)\n"
+ " NBDD : Set NBDD server address(es)\n"
+ " WINS addr : Set WINS server address(es)\n"
+ " NBT type : Set NetBIOS over TCP/IP Node type\n"
+ " 1: B, 2: P, 4: M, 8: H\n"
+ " NBS id : Set NetBIOS scope ID\n"
+ " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
+ "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
+ "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
+ " startup.\n"
+ "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n"
+ "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
+ " on connection initiation.\n"
+ "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
+ " attempting to set adapter properties.\n"
+ "--pause-exit : When run from a console window, pause before exiting.\n"
+ "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n"
+ " service, and should not be used directly by end-users.\n"
+ " ex is the name of an event object which, when\n"
+ " signaled, will cause " PACKAGE_NAME " to exit. A second\n"
+ " optional parameter controls the initial state of ex.\n"
+ "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
+ " after TAP adapter is up and routes have been added.\n"
#ifdef _WIN32
- "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
-#endif
- "Windows Standalone Options:\n"
- "\n"
- "--show-adapters : Show all TAP-Windows adapters.\n"
- "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
- "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
- "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
- " to access TAP adapter.\n"
-#endif
- "\n"
- "Generate a random key (only for non-TLS static key encryption mode):\n"
- "--genkey : Generate a random key to be used as a shared secret,\n"
- " for use with the --secret option.\n"
- "--secret file : Write key to file.\n"
-#endif /* ENABLE_CRYPTO */
+ "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
+#endif
+ "Windows Standalone Options:\n"
+ "\n"
+ "--show-adapters : Show all TAP-Windows adapters.\n"
+ "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n"
+ "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
+ "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n"
+ " to access TAP adapter.\n"
+#endif /* ifdef _WIN32 */
+ "\n"
+ "Generate a random key (only for non-TLS static key encryption mode):\n"
+ "--genkey : Generate a random key to be used as a shared secret,\n"
+ " for use with the --secret option.\n"
+ "--secret file : Write key to file.\n"
+#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_FEATURE_TUN_PERSIST
- "\n"
- "Tun/tap config mode (available with linux 2.4+):\n"
- "--mktun : Create a persistent tunnel.\n"
- "--rmtun : Remove a persistent tunnel.\n"
- "--dev tunX|tapX : tun/tap device\n"
- "--dev-type dt : Device type. See tunnel options above for details.\n"
- "--user user : User to set privilege to.\n"
- "--group group : Group to set privilege to.\n"
+ "\n"
+ "Tun/tap config mode (available with linux 2.4+):\n"
+ "--mktun : Create a persistent tunnel.\n"
+ "--rmtun : Remove a persistent tunnel.\n"
+ "--dev tunX|tapX : tun/tap device\n"
+ "--dev-type dt : Device type. See tunnel options above for details.\n"
+ "--user user : User to set privilege to.\n"
+ "--group group : Group to set privilege to.\n"
#endif
#ifdef ENABLE_PKCS11
- "\n"
- "PKCS#11 standalone options:\n"
+ "\n"
+ "PKCS#11 standalone options:\n"
#ifdef DEFAULT_PKCS11_MODULE
- "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
+ "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
#else
- "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
+ "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
#endif
- " --verb option can be added *BEFORE* this.\n"
-#endif /* ENABLE_PKCS11 */
- "\n"
- "General Standalone Options:\n"
+ " --verb option can be added *BEFORE* this.\n"
+#endif /* ENABLE_PKCS11 */
+ "\n"
+ "General Standalone Options:\n"
#ifdef ENABLE_DEBUG
- "--show-gateway : Show info about default gateway.\n"
+ "--show-gateway : Show info about default gateway.\n"
#endif
- ;
+;
#endif /* !ENABLE_SMALL */
@@ -781,165 +781,174 @@ static const char usage_message[] =
* will be set to 0.
*/
void
-init_options (struct options *o, const bool init_gc)
+init_options(struct options *o, const bool init_gc)
{
- CLEAR (*o);
- if (init_gc)
- {
- gc_init (&o->gc);
- o->gc_owned = true;
- }
- o->mode = MODE_POINT_TO_POINT;
- o->topology = TOP_NET30;
- o->ce.proto = PROTO_UDP;
- o->ce.af = AF_UNSPEC;
- o->ce.bind_ipv6_only = false;
- o->ce.connect_retry_seconds = 5;
- o->ce.connect_retry_seconds_max = 300;
- o->ce.connect_timeout = 120;
- o->connect_retry_max = 0;
- o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
- o->verbosity = 1;
- o->status_file_update_freq = 60;
- o->status_file_version = 1;
- o->ce.bind_local = true;
- o->ce.tun_mtu = TUN_MTU_DEFAULT;
- o->ce.link_mtu = LINK_MTU_DEFAULT;
- o->ce.mtu_discover_type = -1;
- o->ce.mssfix = MSSFIX_DEFAULT;
- o->route_delay_window = 30;
- o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
- o->resolve_in_advance = false;
- o->proto_force = -1;
+ CLEAR(*o);
+ if (init_gc)
+ {
+ gc_init(&o->gc);
+ o->gc_owned = true;
+ }
+ o->mode = MODE_POINT_TO_POINT;
+ o->topology = TOP_NET30;
+ o->ce.proto = PROTO_UDP;
+ o->ce.af = AF_UNSPEC;
+ o->ce.bind_ipv6_only = false;
+ o->ce.connect_retry_seconds = 5;
+ o->ce.connect_retry_seconds_max = 300;
+ o->ce.connect_timeout = 120;
+ o->connect_retry_max = 0;
+ o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
+ o->verbosity = 1;
+ o->status_file_update_freq = 60;
+ o->status_file_version = 1;
+ o->ce.bind_local = true;
+ o->ce.tun_mtu = TUN_MTU_DEFAULT;
+ o->ce.link_mtu = LINK_MTU_DEFAULT;
+ o->ce.mtu_discover_type = -1;
+ o->ce.mssfix = MSSFIX_DEFAULT;
+ o->route_delay_window = 30;
+ o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
+ o->resolve_in_advance = false;
+ o->proto_force = -1;
#ifdef ENABLE_OCC
- o->occ = true;
+ o->occ = true;
#endif
#ifdef ENABLE_MANAGEMENT
- o->management_log_history_cache = 250;
- o->management_echo_buffer_size = 100;
- o->management_state_buffer_size = 100;
+ o->management_log_history_cache = 250;
+ o->management_echo_buffer_size = 100;
+ o->management_state_buffer_size = 100;
#endif
#ifdef ENABLE_FEATURE_TUN_PERSIST
- o->persist_mode = 1;
+ o->persist_mode = 1;
#endif
#ifdef TARGET_LINUX
- o->tuntap_options.txqueuelen = 100;
+ o->tuntap_options.txqueuelen = 100;
#endif
#ifdef _WIN32
#if 0
- o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
+ o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
#else
- o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
+ o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
#endif
- o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
- o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
- o->route_method = ROUTE_METHOD_ADAPTIVE;
- o->block_outside_dns = false;
+ o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
+ o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
+ o->route_method = ROUTE_METHOD_ADAPTIVE;
+ o->block_outside_dns = false;
#endif
#if P2MP_SERVER
- o->real_hash_size = 256;
- o->virtual_hash_size = 256;
- o->n_bcast_buf = 256;
- o->tcp_queue_limit = 64;
- o->max_clients = 1024;
- o->max_routes_per_client = 256;
- o->stale_routes_check_interval = 0;
- o->ifconfig_pool_persist_refresh_freq = 600;
+ o->real_hash_size = 256;
+ o->virtual_hash_size = 256;
+ o->n_bcast_buf = 256;
+ o->tcp_queue_limit = 64;
+ o->max_clients = 1024;
+ o->max_routes_per_client = 256;
+ o->stale_routes_check_interval = 0;
+ o->ifconfig_pool_persist_refresh_freq = 600;
#endif
#if P2MP
- o->scheduled_exit_interval = 5;
+ o->scheduled_exit_interval = 5;
#endif
#ifdef ENABLE_CRYPTO
- o->ciphername = "BF-CBC";
+ o->ciphername = "BF-CBC";
#ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
- o->ncp_enabled = true;
+ o->ncp_enabled = true;
#else
- o->ncp_enabled = false;
-#endif
- o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
- o->authname = "SHA1";
- o->prng_hash = "SHA1";
- o->prng_nonce_secret_len = 16;
- o->replay = true;
- o->replay_window = DEFAULT_SEQ_BACKTRACK;
- o->replay_time = DEFAULT_TIME_BACKTRACK;
- o->use_iv = true;
- o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
+ o->ncp_enabled = false;
+#endif
+ o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
+ o->authname = "SHA1";
+ o->prng_hash = "SHA1";
+ o->prng_nonce_secret_len = 16;
+ o->replay = true;
+ o->replay_window = DEFAULT_SEQ_BACKTRACK;
+ o->replay_time = DEFAULT_TIME_BACKTRACK;
+ o->use_iv = true;
+ o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
#ifdef ENABLE_PREDICTION_RESISTANCE
- o->use_prediction_resistance = false;
-#endif
- o->key_method = 2;
- o->tls_timeout = 2;
- o->renegotiate_bytes = -1;
- o->renegotiate_seconds = 3600;
- o->handshake_window = 60;
- o->transition_window = 3600;
- o->ecdh_curve = NULL;
+ o->use_prediction_resistance = false;
+#endif
+ o->key_method = 2;
+ o->tls_timeout = 2;
+ o->renegotiate_bytes = -1;
+ o->renegotiate_seconds = 3600;
+ o->handshake_window = 60;
+ o->transition_window = 3600;
+ o->ecdh_curve = NULL;
#ifdef ENABLE_X509ALTUSERNAME
- o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
+ o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
#endif
#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
- o->pkcs11_pin_cache_period = -1;
-#endif /* ENABLE_PKCS11 */
+ o->pkcs11_pin_cache_period = -1;
+#endif /* ENABLE_PKCS11 */
/* P2MP server context features */
#if P2MP_SERVER
- o->auth_token_generate = false;
+ o->auth_token_generate = false;
- /* Set default --tmp-dir */
+ /* Set default --tmp-dir */
#ifdef _WIN32
- /* On Windows, find temp dir via enviroment variables */
- o->tmp_dir = win_get_tempdir();
+ /* On Windows, find temp dir via enviroment variables */
+ o->tmp_dir = win_get_tempdir();
#else
- /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
- o->tmp_dir = getenv("TMPDIR");
- if( !o->tmp_dir ) {
- o->tmp_dir = "/tmp";
- }
+ /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
+ o->tmp_dir = getenv("TMPDIR");
+ if (!o->tmp_dir)
+ {
+ o->tmp_dir = "/tmp";
+ }
#endif /* _WIN32 */
#endif /* P2MP_SERVER */
- o->allow_recursive_routing = false;
+ o->allow_recursive_routing = false;
}
void
-uninit_options (struct options *o)
+uninit_options(struct options *o)
{
- if (o->gc_owned)
+ if (o->gc_owned)
{
- gc_free (&o->gc);
+ gc_free(&o->gc);
}
}
struct pull_filter
{
-# define PUF_TYPE_UNDEF 0 /** undefined filter type */
-# define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */
-# define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */
-# define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */
- int type;
- int size;
- char *pattern;
- struct pull_filter *next;
+#define PUF_TYPE_UNDEF 0 /** undefined filter type */
+#define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */
+#define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */
+#define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */
+ int type;
+ int size;
+ char *pattern;
+ struct pull_filter *next;
};
struct pull_filter_list
{
- struct pull_filter *head;
- struct pull_filter *tail;
+ struct pull_filter *head;
+ struct pull_filter *tail;
};
static const char *
-pull_filter_type_name (int type)
+pull_filter_type_name(int type)
{
- if (type == PUF_TYPE_ACCEPT)
- return "accept";
- if (type == PUF_TYPE_IGNORE)
- return "ignore";
- if (type == PUF_TYPE_REJECT)
- return "reject";
- else
- return "???";
+ if (type == PUF_TYPE_ACCEPT)
+ {
+ return "accept";
+ }
+ if (type == PUF_TYPE_IGNORE)
+ {
+ return "ignore";
+ }
+ if (type == PUF_TYPE_REJECT)
+ {
+ return "reject";
+ }
+ else
+ {
+ return "???";
+ }
}
#ifndef ENABLE_SMALL
@@ -954,62 +963,68 @@ pull_filter_type_name (int type)
#endif
void
-setenv_connection_entry (struct env_set *es,
- const struct connection_entry *e,
- const int i)
+setenv_connection_entry(struct env_set *es,
+ const struct connection_entry *e,
+ const int i)
{
- setenv_str_i (es, "proto", proto2ascii (e->proto, e->af, false), i);
- setenv_str_i (es, "local", e->local, i);
- setenv_str_i (es, "local_port", e->local_port, i);
- setenv_str_i (es, "remote", e->remote, i);
- setenv_str_i (es, "remote_port", e->remote_port, i);
+ setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
+ setenv_str_i(es, "local", e->local, i);
+ setenv_str_i(es, "local_port", e->local_port, i);
+ setenv_str_i(es, "remote", e->remote, i);
+ setenv_str_i(es, "remote_port", e->remote_port, i);
- if (e->http_proxy_options)
+ if (e->http_proxy_options)
{
- setenv_str_i (es, "http_proxy_server", e->http_proxy_options->server, i);
- setenv_str_i (es, "http_proxy_port", e->http_proxy_options->port, i);
+ setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
+ setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
}
- if (e->socks_proxy_server)
+ if (e->socks_proxy_server)
{
- setenv_str_i (es, "socks_proxy_server", e->socks_proxy_server, i);
- setenv_str_i (es, "socks_proxy_port", e->socks_proxy_port, i);
+ setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
+ setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
}
}
void
-setenv_settings (struct env_set *es, const struct options *o)
+setenv_settings(struct env_set *es, const struct options *o)
{
- setenv_str (es, "config", o->config);
- setenv_int (es, "verb", o->verbosity);
- setenv_int (es, "daemon", o->daemon);
- setenv_int (es, "daemon_log_redirect", o->log);
- setenv_unsigned (es, "daemon_start_time", time(NULL));
- setenv_int (es, "daemon_pid", platform_getpid());
+ setenv_str(es, "config", o->config);
+ setenv_int(es, "verb", o->verbosity);
+ setenv_int(es, "daemon", o->daemon);
+ setenv_int(es, "daemon_log_redirect", o->log);
+ setenv_unsigned(es, "daemon_start_time", time(NULL));
+ setenv_int(es, "daemon_pid", platform_getpid());
- if (o->connection_list)
+ if (o->connection_list)
+ {
+ int i;
+ for (i = 0; i < o->connection_list->len; ++i)
+ setenv_connection_entry(es, o->connection_list->array[i], i+1);
+ }
+ else
{
- int i;
- for (i = 0; i < o->connection_list->len; ++i)
- setenv_connection_entry (es, o->connection_list->array[i], i+1);
+ setenv_connection_entry(es, &o->ce, 1);
}
- else
- setenv_connection_entry (es, &o->ce, 1);
}
static in_addr_t
-get_ip_addr (const char *ip_string, int msglevel, bool *error)
+get_ip_addr(const char *ip_string, int msglevel, bool *error)
{
- unsigned int flags = GETADDR_HOST_ORDER;
- bool succeeded = false;
- in_addr_t ret;
+ unsigned int flags = GETADDR_HOST_ORDER;
+ bool succeeded = false;
+ in_addr_t ret;
- if (msglevel & M_FATAL)
- flags |= GETADDR_FATAL;
+ if (msglevel & M_FATAL)
+ {
+ flags |= GETADDR_FATAL;
+ }
- ret = getaddr (flags, ip_string, 0, &succeeded, NULL);
- if (!succeeded && error)
- *error = true;
- return ret;
+ ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
+ if (!succeeded && error)
+ {
+ *error = true;
+ }
+ return ret;
}
/* helper: parse a text string containing an IPv6 address + netbits
@@ -1019,52 +1034,58 @@ get_ip_addr (const char *ip_string, int msglevel, bool *error)
* return true if parsing succeeded, modify *network and *netbits
*/
bool
-get_ipv6_addr( const char * prefix_str, struct in6_addr *network,
- unsigned int * netbits, int msglevel)
+get_ipv6_addr( const char *prefix_str, struct in6_addr *network,
+ unsigned int *netbits, int msglevel)
{
- char * sep, * endp;
+ char *sep, *endp;
int bits;
struct in6_addr t_network;
sep = strchr( prefix_str, '/' );
- if ( sep == NULL )
- {
- bits = 64;
- }
+ if (sep == NULL)
+ {
+ bits = 64;
+ }
else
- {
- bits = strtol( sep+1, &endp, 10 );
- if ( *endp != '\0' || bits < 0 || bits > 128 )
- {
- msg (msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str);
- return false;
- }
- }
+ {
+ bits = strtol( sep+1, &endp, 10 );
+ if (*endp != '\0' || bits < 0 || bits > 128)
+ {
+ msg(msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str);
+ return false;
+ }
+ }
/* temporary replace '/' in caller-provided string with '\0', otherwise
* inet_pton() will refuse prefix string
* (alternative would be to strncpy() the prefix to temporary buffer)
*/
- if ( sep != NULL ) *sep = '\0';
-
- if ( inet_pton( AF_INET6, prefix_str, &t_network ) != 1 )
- {
- msg (msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str);
- return false;
- }
-
- if ( sep != NULL ) *sep = '/';
-
- if ( netbits != NULL )
- {
- *netbits = bits;
- }
- if ( network != NULL )
- {
- *network = t_network;
- }
- return true; /* parsing OK, values set */
+ if (sep != NULL)
+ {
+ *sep = '\0';
+ }
+
+ if (inet_pton( AF_INET6, prefix_str, &t_network ) != 1)
+ {
+ msg(msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str);
+ return false;
+ }
+
+ if (sep != NULL)
+ {
+ *sep = '/';
+ }
+
+ if (netbits != NULL)
+ {
+ *netbits = bits;
+ }
+ if (network != NULL)
+ {
+ *network = t_network;
+ }
+ return true; /* parsing OK, values set */
}
/**
@@ -1073,24 +1094,25 @@ get_ipv6_addr( const char * prefix_str, struct in6_addr *network,
* If gc != NULL, the allocated memory is registered in the supplied gc.
*/
static char *
-get_ipv6_addr_no_netbits (const char *addr, struct gc_arena *gc)
+get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
{
- const char *end = strchr (addr, '/');
- char *ret = NULL;
- if (NULL == end)
+ const char *end = strchr(addr, '/');
+ char *ret = NULL;
+ if (NULL == end)
{
- ret = string_alloc (addr, gc);
+ ret = string_alloc(addr, gc);
}
- else
+ else
{
- size_t len = end - addr;
- ret = gc_malloc (len + 1, true, gc);
- memcpy (ret, addr, len);
+ size_t len = end - addr;
+ ret = gc_malloc(len + 1, true, gc);
+ memcpy(ret, addr, len);
}
- return ret;
+ return ret;
}
-static bool ipv6_addr_safe_hexplusbits( const char * ipv6_prefix_spec )
+static bool
+ipv6_addr_safe_hexplusbits( const char *ipv6_prefix_spec )
{
struct in6_addr t_addr;
unsigned int t_bits;
@@ -1099,205 +1121,221 @@ static bool ipv6_addr_safe_hexplusbits( const char * ipv6_prefix_spec )
}
static char *
-string_substitute (const char *src, int from, int to, struct gc_arena *gc)
+string_substitute(const char *src, int from, int to, struct gc_arena *gc)
{
- char *ret = (char *) gc_malloc (strlen (src) + 1, true, gc);
- char *dest = ret;
- char c;
+ char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
+ char *dest = ret;
+ char c;
- do
+ do
{
- c = *src++;
- if (c == from)
- c = to;
- *dest++ = c;
+ c = *src++;
+ if (c == from)
+ {
+ c = to;
+ }
+ *dest++ = c;
}
- while (c);
- return ret;
+ while (c);
+ return ret;
}
#ifdef ENABLE_CRYPTO
static uint8_t *
parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
{
- int i;
- const char *cp = str;
- uint8_t *ret = (uint8_t *) gc_malloc (nbytes, true, gc);
- char term = 1;
- int byte;
- char bs[3];
-
- for (i = 0; i < nbytes; ++i)
- {
- if (strlen(cp) < 2)
- msg (msglevel, "format error in hash fingerprint: %s", str);
- bs[0] = *cp++;
- bs[1] = *cp++;
- bs[2] = 0;
- byte = 0;
- if (sscanf(bs, "%x", &byte) != 1)
- msg (msglevel, "format error in hash fingerprint hex byte: %s", str);
- ret[i] = (uint8_t)byte;
- term = *cp++;
- if (term != ':' && term != 0)
- msg (msglevel, "format error in hash fingerprint delimiter: %s", str);
- if (term == 0)
- break;
- }
- if (term != 0 || i != nbytes-1)
- msg (msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str);
- return ret;
+ int i;
+ const char *cp = str;
+ uint8_t *ret = (uint8_t *) gc_malloc(nbytes, true, gc);
+ char term = 1;
+ int byte;
+ char bs[3];
+
+ for (i = 0; i < nbytes; ++i)
+ {
+ if (strlen(cp) < 2)
+ {
+ msg(msglevel, "format error in hash fingerprint: %s", str);
+ }
+ bs[0] = *cp++;
+ bs[1] = *cp++;
+ bs[2] = 0;
+ byte = 0;
+ if (sscanf(bs, "%x", &byte) != 1)
+ {
+ msg(msglevel, "format error in hash fingerprint hex byte: %s", str);
+ }
+ ret[i] = (uint8_t)byte;
+ term = *cp++;
+ if (term != ':' && term != 0)
+ {
+ msg(msglevel, "format error in hash fingerprint delimiter: %s", str);
+ }
+ if (term == 0)
+ {
+ break;
+ }
+ }
+ if (term != 0 || i != nbytes-1)
+ {
+ msg(msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str);
+ }
+ return ret;
}
-#endif
+#endif /* ifdef ENABLE_CRYPTO */
#ifdef _WIN32
#ifndef ENABLE_SMALL
static void
-show_dhcp_option_addrs (const char *name, const in_addr_t *array, int len)
+show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
{
- struct gc_arena gc = gc_new ();
- int i;
- for (i = 0; i < len; ++i)
+ struct gc_arena gc = gc_new();
+ int i;
+ for (i = 0; i < len; ++i)
{
- msg (D_SHOW_PARMS, " %s[%d] = %s",
- name,
- i,
- print_in_addr_t (array[i], 0, &gc));
+ msg(D_SHOW_PARMS, " %s[%d] = %s",
+ name,
+ i,
+ print_in_addr_t(array[i], 0, &gc));
}
- gc_free (&gc);
+ gc_free(&gc);
}
static void
-show_tuntap_options (const struct tuntap_options *o)
+show_tuntap_options(const struct tuntap_options *o)
{
- SHOW_BOOL (ip_win32_defined);
- SHOW_INT (ip_win32_type);
- SHOW_INT (dhcp_masq_offset);
- SHOW_INT (dhcp_lease_time);
- SHOW_INT (tap_sleep);
- SHOW_BOOL (dhcp_options);
- SHOW_BOOL (dhcp_renew);
- SHOW_BOOL (dhcp_pre_release);
- SHOW_BOOL (dhcp_release);
- SHOW_STR (domain);
- SHOW_STR (netbios_scope);
- SHOW_INT (netbios_node_type);
- SHOW_BOOL (disable_nbt);
-
- show_dhcp_option_addrs ("DNS", o->dns, o->dns_len);
- show_dhcp_option_addrs ("WINS", o->wins, o->wins_len);
- show_dhcp_option_addrs ("NTP", o->ntp, o->ntp_len);
- show_dhcp_option_addrs ("NBDD", o->nbdd, o->nbdd_len);
+ SHOW_BOOL(ip_win32_defined);
+ SHOW_INT(ip_win32_type);
+ SHOW_INT(dhcp_masq_offset);
+ SHOW_INT(dhcp_lease_time);
+ SHOW_INT(tap_sleep);
+ SHOW_BOOL(dhcp_options);
+ SHOW_BOOL(dhcp_renew);
+ SHOW_BOOL(dhcp_pre_release);
+ SHOW_BOOL(dhcp_release);
+ SHOW_STR(domain);
+ SHOW_STR(netbios_scope);
+ SHOW_INT(netbios_node_type);
+ SHOW_BOOL(disable_nbt);
+
+ show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
+ show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
+ show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
+ show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
}
-#endif
-#endif
+#endif /* ifndef ENABLE_SMALL */
+#endif /* ifdef _WIN32 */
#if defined(_WIN32) || defined(TARGET_ANDROID)
static void
-dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
+dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
{
- if (*len >= N_DHCP_ADDR)
- {
- msg (msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
- name,
- N_DHCP_ADDR,
- name);
- }
- else
- {
- if (ip_addr_dotted_quad_safe (parm)) /* FQDN -- IP address only */
- {
- bool error = false;
- const in_addr_t addr = get_ip_addr (parm, msglevel, &error);
- if (!error)
- array[(*len)++] = addr;
- }
- else
- {
- msg (msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
- }
+ if (*len >= N_DHCP_ADDR)
+ {
+ msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
+ name,
+ N_DHCP_ADDR,
+ name);
+ }
+ else
+ {
+ if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
+ {
+ bool error = false;
+ const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
+ if (!error)
+ {
+ array[(*len)++] = addr;
+ }
+ }
+ else
+ {
+ msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
+ }
}
}
-#endif
+#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
#if P2MP
#ifndef ENABLE_SMALL
static void
-show_p2mp_parms (const struct options *o)
+show_p2mp_parms(const struct options *o)
{
- struct gc_arena gc = gc_new ();
+ struct gc_arena gc = gc_new();
#if P2MP_SERVER
- msg (D_SHOW_PARMS, " server_network = %s", print_in_addr_t (o->server_network, 0, &gc));
- msg (D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t (o->server_netmask, 0, &gc));
- msg (D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr (o->server_network_ipv6, 0, &gc) );
- SHOW_INT (server_netbits_ipv6);
- msg (D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t (o->server_bridge_ip, 0, &gc));
- msg (D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t (o->server_bridge_netmask, 0, &gc));
- msg (D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t (o->server_bridge_pool_start, 0, &gc));
- msg (D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t (o->server_bridge_pool_end, 0, &gc));
- if (o->push_list.head)
- {
- const struct push_entry *e = o->push_list.head;
- while (e)
- {
- if (e->enable)
- msg (D_SHOW_PARMS, " push_entry = '%s'", e->option);
- e = e->next;
- }
- }
- SHOW_BOOL (ifconfig_pool_defined);
- msg (D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t (o->ifconfig_pool_start, 0, &gc));
- msg (D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t (o->ifconfig_pool_end, 0, &gc));
- msg (D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t (o->ifconfig_pool_netmask, 0, &gc));
- SHOW_STR (ifconfig_pool_persist_filename);
- SHOW_INT (ifconfig_pool_persist_refresh_freq);
- SHOW_BOOL (ifconfig_ipv6_pool_defined);
- msg (D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr (o->ifconfig_ipv6_pool_base, 0, &gc));
- SHOW_INT (ifconfig_ipv6_pool_netbits);
- SHOW_INT (n_bcast_buf);
- SHOW_INT (tcp_queue_limit);
- SHOW_INT (real_hash_size);
- SHOW_INT (virtual_hash_size);
- SHOW_STR (client_connect_script);
- SHOW_STR (learn_address_script);
- SHOW_STR (client_disconnect_script);
- SHOW_STR (client_config_dir);
- SHOW_BOOL (ccd_exclusive);
- SHOW_STR (tmp_dir);
- SHOW_BOOL (push_ifconfig_defined);
- msg (D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t (o->push_ifconfig_local, 0, &gc));
- msg (D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t (o->push_ifconfig_remote_netmask, 0, &gc));
- SHOW_BOOL (push_ifconfig_ipv6_defined);
- msg (D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr (o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
- msg (D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr (o->push_ifconfig_ipv6_remote, 0, &gc));
- SHOW_BOOL (enable_c2c);
- SHOW_BOOL (duplicate_cn);
- SHOW_INT (cf_max);
- SHOW_INT (cf_per);
- SHOW_INT (max_clients);
- SHOW_INT (max_routes_per_client);
- SHOW_STR (auth_user_pass_verify_script);
- SHOW_BOOL (auth_user_pass_verify_script_via_file);
- SHOW_BOOL (auth_token_generate);
- SHOW_INT (auth_token_lifetime);
+ msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
+ msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
+ msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc) );
+ SHOW_INT(server_netbits_ipv6);
+ msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
+ msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
+ msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
+ msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
+ if (o->push_list.head)
+ {
+ const struct push_entry *e = o->push_list.head;
+ while (e)
+ {
+ if (e->enable)
+ {
+ msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
+ }
+ e = e->next;
+ }
+ }
+ SHOW_BOOL(ifconfig_pool_defined);
+ msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
+ msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
+ msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
+ SHOW_STR(ifconfig_pool_persist_filename);
+ SHOW_INT(ifconfig_pool_persist_refresh_freq);
+ SHOW_BOOL(ifconfig_ipv6_pool_defined);
+ msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
+ SHOW_INT(ifconfig_ipv6_pool_netbits);
+ SHOW_INT(n_bcast_buf);
+ SHOW_INT(tcp_queue_limit);
+ SHOW_INT(real_hash_size);
+ SHOW_INT(virtual_hash_size);
+ SHOW_STR(client_connect_script);
+ SHOW_STR(learn_address_script);
+ SHOW_STR(client_disconnect_script);
+ SHOW_STR(client_config_dir);
+ SHOW_BOOL(ccd_exclusive);
+ SHOW_STR(tmp_dir);
+ SHOW_BOOL(push_ifconfig_defined);
+ msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
+ msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
+ SHOW_BOOL(push_ifconfig_ipv6_defined);
+ msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits );
+ msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
+ SHOW_BOOL(enable_c2c);
+ SHOW_BOOL(duplicate_cn);
+ SHOW_INT(cf_max);
+ SHOW_INT(cf_per);
+ SHOW_INT(max_clients);
+ SHOW_INT(max_routes_per_client);
+ SHOW_STR(auth_user_pass_verify_script);
+ SHOW_BOOL(auth_user_pass_verify_script_via_file);
+ SHOW_BOOL(auth_token_generate);
+ SHOW_INT(auth_token_lifetime);
#if PORT_SHARE
- SHOW_STR (port_share_host);
- SHOW_STR (port_share_port);
+ SHOW_STR(port_share_host);
+ SHOW_STR(port_share_port);
#endif
#endif /* P2MP_SERVER */
- SHOW_BOOL (client);
- SHOW_BOOL (pull);
- SHOW_STR (auth_user_pass_file);
+ SHOW_BOOL(client);
+ SHOW_BOOL(pull);
+ SHOW_STR(auth_user_pass_file);
- gc_free (&gc);
+ gc_free(&gc);
}
#endif /* ! ENABLE_SMALL */
@@ -1305,461 +1343,485 @@ show_p2mp_parms (const struct options *o)
#if P2MP_SERVER
static void
-option_iroute (struct options *o,
- const char *network_str,
- const char *netmask_str,
- int msglevel)
+option_iroute(struct options *o,
+ const char *network_str,
+ const char *netmask_str,
+ int msglevel)
{
- struct iroute *ir;
+ struct iroute *ir;
- ALLOC_OBJ_GC (ir, struct iroute, &o->gc);
- ir->network = getaddr (GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
- ir->netbits = -1;
+ ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
+ ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
+ ir->netbits = -1;
- if (netmask_str)
+ if (netmask_str)
{
- const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
- if (!netmask_to_netbits (ir->network, netmask, &ir->netbits))
- {
- msg (msglevel, "in --iroute %s %s : Bad network/subnet specification",
- network_str,
- netmask_str);
- return;
- }
+ const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
+ if (!netmask_to_netbits(ir->network, netmask, &ir->netbits))
+ {
+ msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
+ network_str,
+ netmask_str);
+ return;
+ }
}
- ir->next = o->iroutes;
- o->iroutes = ir;
+ ir->next = o->iroutes;
+ o->iroutes = ir;
}
static void
-option_iroute_ipv6 (struct options *o,
- const char *prefix_str,
- int msglevel)
+option_iroute_ipv6(struct options *o,
+ const char *prefix_str,
+ int msglevel)
{
- struct iroute_ipv6 *ir;
+ struct iroute_ipv6 *ir;
- ALLOC_OBJ_GC (ir, struct iroute_ipv6, &o->gc);
+ ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
- if ( !get_ipv6_addr (prefix_str, &ir->network, &ir->netbits, msglevel ))
+ if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel ))
{
- msg (msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
- prefix_str);
- return;
+ msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
+ prefix_str);
+ return;
}
- ir->next = o->iroutes_ipv6;
- o->iroutes_ipv6 = ir;
+ ir->next = o->iroutes_ipv6;
+ o->iroutes_ipv6 = ir;
}
#endif /* P2MP_SERVER */
#endif /* P2MP */
#ifndef ENABLE_SMALL
static void
-show_http_proxy_options (const struct http_proxy_options *o)
+show_http_proxy_options(const struct http_proxy_options *o)
{
- int i;
- msg (D_SHOW_PARMS, "BEGIN http_proxy");
- SHOW_STR (server);
- SHOW_STR (port);
- SHOW_STR (auth_method_string);
- SHOW_STR (auth_file);
- SHOW_STR (http_version);
- SHOW_STR (user_agent);
- for (i=0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name;i++)
- {
- if (o->custom_headers[i].content)
- msg (D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
- o->custom_headers[i].name, o->custom_headers[i].content);
- else
- msg (D_SHOW_PARMS, " custom_header[%d] = %s", i,
- o->custom_headers[i].name);
- }
- msg (D_SHOW_PARMS, "END http_proxy");
+ int i;
+ msg(D_SHOW_PARMS, "BEGIN http_proxy");
+ SHOW_STR(server);
+ SHOW_STR(port);
+ SHOW_STR(auth_method_string);
+ SHOW_STR(auth_file);
+ SHOW_STR(http_version);
+ SHOW_STR(user_agent);
+ for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
+ {
+ if (o->custom_headers[i].content)
+ {
+ msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
+ o->custom_headers[i].name, o->custom_headers[i].content);
+ }
+ else
+ {
+ msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
+ o->custom_headers[i].name);
+ }
+ }
+ msg(D_SHOW_PARMS, "END http_proxy");
}
-#endif
+#endif /* ifndef ENABLE_SMALL */
void
-options_detach (struct options *o)
+options_detach(struct options *o)
{
- gc_detach (&o->gc);
- o->routes = NULL;
- o->client_nat = NULL;
+ gc_detach(&o->gc);
+ o->routes = NULL;
+ o->client_nat = NULL;
#if P2MP_SERVER
- clone_push_list(o);
+ clone_push_list(o);
#endif
}
void
-rol_check_alloc (struct options *options)
+rol_check_alloc(struct options *options)
{
- if (!options->routes)
- options->routes = new_route_option_list (&options->gc);
+ if (!options->routes)
+ {
+ options->routes = new_route_option_list(&options->gc);
+ }
}
void
-rol6_check_alloc (struct options *options)
+rol6_check_alloc(struct options *options)
{
- if (!options->routes_ipv6)
- options->routes_ipv6 = new_route_ipv6_option_list (&options->gc);
+ if (!options->routes_ipv6)
+ {
+ options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
+ }
}
static void
-cnol_check_alloc (struct options *options)
+cnol_check_alloc(struct options *options)
{
- if (!options->client_nat)
- options->client_nat = new_client_nat_list (&options->gc);
+ if (!options->client_nat)
+ {
+ options->client_nat = new_client_nat_list(&options->gc);
+ }
}
#ifndef ENABLE_SMALL
static void
-show_connection_entry (const struct connection_entry *o)
+show_connection_entry(const struct connection_entry *o)
{
- msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, o->af, false));
- SHOW_STR (local);
- SHOW_STR (local_port);
- SHOW_STR (remote);
- SHOW_STR (remote_port);
- SHOW_BOOL (remote_float);
- SHOW_BOOL (bind_defined);
- SHOW_BOOL (bind_local);
- SHOW_BOOL (bind_ipv6_only);
- SHOW_INT (connect_retry_seconds);
- SHOW_INT (connect_timeout);
-
- if (o->http_proxy_options)
- show_http_proxy_options (o->http_proxy_options);
- SHOW_STR (socks_proxy_server);
- SHOW_STR (socks_proxy_port);
- SHOW_INT (tun_mtu);
- SHOW_BOOL (tun_mtu_defined);
- SHOW_INT (link_mtu);
- SHOW_BOOL (link_mtu_defined);
- SHOW_INT (tun_mtu_extra);
- SHOW_BOOL (tun_mtu_extra_defined);
-
- SHOW_INT (mtu_discover_type);
+ msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
+ SHOW_STR(local);
+ SHOW_STR(local_port);
+ SHOW_STR(remote);
+ SHOW_STR(remote_port);
+ SHOW_BOOL(remote_float);
+ SHOW_BOOL(bind_defined);
+ SHOW_BOOL(bind_local);
+ SHOW_BOOL(bind_ipv6_only);
+ SHOW_INT(connect_retry_seconds);
+ SHOW_INT(connect_timeout);
+
+ if (o->http_proxy_options)
+ {
+ show_http_proxy_options(o->http_proxy_options);
+ }
+ SHOW_STR(socks_proxy_server);
+ SHOW_STR(socks_proxy_port);
+ SHOW_INT(tun_mtu);
+ SHOW_BOOL(tun_mtu_defined);
+ SHOW_INT(link_mtu);
+ SHOW_BOOL(link_mtu_defined);
+ SHOW_INT(tun_mtu_extra);
+ SHOW_BOOL(tun_mtu_extra_defined);
+
+ SHOW_INT(mtu_discover_type);
#ifdef ENABLE_FRAGMENT
- SHOW_INT (fragment);
+ SHOW_INT(fragment);
#endif
- SHOW_INT (mssfix);
+ SHOW_INT(mssfix);
#ifdef ENABLE_OCC
- SHOW_INT (explicit_exit_notification);
+ SHOW_INT(explicit_exit_notification);
#endif
}
static void
-show_connection_entries (const struct options *o)
+show_connection_entries(const struct options *o)
{
- if (o->connection_list)
- {
- const struct connection_list *l = o->connection_list;
- int i;
- for (i = 0; i < l->len; ++i)
- {
- msg (D_SHOW_PARMS, "Connection profiles [%d]:", i);
- show_connection_entry (l->array[i]);
- }
- }
- else
- {
- msg (D_SHOW_PARMS, "Connection profiles [default]:");
- show_connection_entry (&o->ce);
- }
- msg (D_SHOW_PARMS, "Connection profiles END");
+ if (o->connection_list)
+ {
+ const struct connection_list *l = o->connection_list;
+ int i;
+ for (i = 0; i < l->len; ++i)
+ {
+ msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
+ show_connection_entry(l->array[i]);
+ }
+ }
+ else
+ {
+ msg(D_SHOW_PARMS, "Connection profiles [default]:");
+ show_connection_entry(&o->ce);
+ }
+ msg(D_SHOW_PARMS, "Connection profiles END");
}
static void
-show_pull_filter_list (const struct pull_filter_list *l)
+show_pull_filter_list(const struct pull_filter_list *l)
{
- struct pull_filter *f;
- if (!l)
- return;
+ struct pull_filter *f;
+ if (!l)
+ {
+ return;
+ }
- msg (D_SHOW_PARMS, " Pull filters:");
- for (f = l->head; f; f = f->next)
+ msg(D_SHOW_PARMS, " Pull filters:");
+ for (f = l->head; f; f = f->next)
{
- msg (D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
+ msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
}
}
-#endif
+#endif /* ifndef ENABLE_SMALL */
void
-show_settings (const struct options *o)
+show_settings(const struct options *o)
{
#ifndef ENABLE_SMALL
- msg (D_SHOW_PARMS, "Current Parameter Settings:");
+ msg(D_SHOW_PARMS, "Current Parameter Settings:");
- SHOW_STR (config);
-
- SHOW_INT (mode);
+ SHOW_STR(config);
+
+ SHOW_INT(mode);
#ifdef ENABLE_FEATURE_TUN_PERSIST
- SHOW_BOOL (persist_config);
- SHOW_INT (persist_mode);
+ SHOW_BOOL(persist_config);
+ SHOW_INT(persist_mode);
#endif
#ifdef ENABLE_CRYPTO
- SHOW_BOOL (show_ciphers);
- SHOW_BOOL (show_digests);
- SHOW_BOOL (show_engines);
- SHOW_BOOL (genkey);
- SHOW_STR (key_pass_file);
- SHOW_BOOL (show_tls_ciphers);
-#endif
-
- SHOW_INT (connect_retry_max);
- show_connection_entries (o);
-
- SHOW_BOOL (remote_random);
-
- SHOW_STR (ipchange);
- SHOW_STR (dev);
- SHOW_STR (dev_type);
- SHOW_STR (dev_node);
- SHOW_STR (lladdr);
- SHOW_INT (topology);
- SHOW_STR (ifconfig_local);
- SHOW_STR (ifconfig_remote_netmask);
- SHOW_BOOL (ifconfig_noexec);
- SHOW_BOOL (ifconfig_nowarn);
- SHOW_STR (ifconfig_ipv6_local);
- SHOW_INT (ifconfig_ipv6_netbits);
- SHOW_STR (ifconfig_ipv6_remote);
+ SHOW_BOOL(show_ciphers);
+ SHOW_BOOL(show_digests);
+ SHOW_BOOL(show_engines);
+ SHOW_BOOL(genkey);
+ SHOW_STR(key_pass_file);
+ SHOW_BOOL(show_tls_ciphers);
+#endif
+
+ SHOW_INT(connect_retry_max);
+ show_connection_entries(o);
+
+ SHOW_BOOL(remote_random);
+
+ SHOW_STR(ipchange);
+ SHOW_STR(dev);
+ SHOW_STR(dev_type);
+ SHOW_STR(dev_node);
+ SHOW_STR(lladdr);
+ SHOW_INT(topology);
+ SHOW_STR(ifconfig_local);
+ SHOW_STR(ifconfig_remote_netmask);
+ SHOW_BOOL(ifconfig_noexec);
+ SHOW_BOOL(ifconfig_nowarn);
+ SHOW_STR(ifconfig_ipv6_local);
+ SHOW_INT(ifconfig_ipv6_netbits);
+ SHOW_STR(ifconfig_ipv6_remote);
#ifdef ENABLE_FEATURE_SHAPER
- SHOW_INT (shaper);
+ SHOW_INT(shaper);
#endif
#ifdef ENABLE_OCC
- SHOW_INT (mtu_test);
+ SHOW_INT(mtu_test);
#endif
- SHOW_BOOL (mlock);
+ SHOW_BOOL(mlock);
- SHOW_INT (keepalive_ping);
- SHOW_INT (keepalive_timeout);
- SHOW_INT (inactivity_timeout);
- SHOW_INT (ping_send_timeout);
- SHOW_INT (ping_rec_timeout);
- SHOW_INT (ping_rec_timeout_action);
- SHOW_BOOL (ping_timer_remote);
- SHOW_INT (remap_sigusr1);
- SHOW_BOOL (persist_tun);
- SHOW_BOOL (persist_local_ip);
- SHOW_BOOL (persist_remote_ip);
- SHOW_BOOL (persist_key);
+ SHOW_INT(keepalive_ping);
+ SHOW_INT(keepalive_timeout);
+ SHOW_INT(inactivity_timeout);
+ SHOW_INT(ping_send_timeout);
+ SHOW_INT(ping_rec_timeout);
+ SHOW_INT(ping_rec_timeout_action);
+ SHOW_BOOL(ping_timer_remote);
+ SHOW_INT(remap_sigusr1);
+ SHOW_BOOL(persist_tun);
+ SHOW_BOOL(persist_local_ip);
+ SHOW_BOOL(persist_remote_ip);
+ SHOW_BOOL(persist_key);
#if PASSTOS_CAPABILITY
- SHOW_BOOL (passtos);
+ SHOW_BOOL(passtos);
#endif
- SHOW_INT (resolve_retry_seconds);
- SHOW_BOOL (resolve_in_advance);
+ SHOW_INT(resolve_retry_seconds);
+ SHOW_BOOL(resolve_in_advance);
- SHOW_STR (username);
- SHOW_STR (groupname);
- SHOW_STR (chroot_dir);
- SHOW_STR (cd_dir);
+ SHOW_STR(username);
+ SHOW_STR(groupname);
+ SHOW_STR(chroot_dir);
+ SHOW_STR(cd_dir);
#ifdef ENABLE_SELINUX
- SHOW_STR (selinux_context);
-#endif
- SHOW_STR (writepid);
- SHOW_STR (up_script);
- SHOW_STR (down_script);
- SHOW_BOOL (down_pre);
- SHOW_BOOL (up_restart);
- SHOW_BOOL (up_delay);
- SHOW_BOOL (daemon);
- SHOW_INT (inetd);
- SHOW_BOOL (log);
- SHOW_BOOL (suppress_timestamps);
- SHOW_BOOL (machine_readable_output);
- SHOW_INT (nice);
- SHOW_INT (verbosity);
- SHOW_INT (mute);
+ SHOW_STR(selinux_context);
+#endif
+ SHOW_STR(writepid);
+ SHOW_STR(up_script);
+ SHOW_STR(down_script);
+ SHOW_BOOL(down_pre);
+ SHOW_BOOL(up_restart);
+ SHOW_BOOL(up_delay);
+ SHOW_BOOL(daemon);
+ SHOW_INT(inetd);
+ SHOW_BOOL(log);
+ SHOW_BOOL(suppress_timestamps);
+ SHOW_BOOL(machine_readable_output);
+ SHOW_INT(nice);
+ SHOW_INT(verbosity);
+ SHOW_INT(mute);
#ifdef ENABLE_DEBUG
- SHOW_INT (gremlin);
+ SHOW_INT(gremlin);
#endif
- SHOW_STR (status_file);
- SHOW_INT (status_file_version);
- SHOW_INT (status_file_update_freq);
+ SHOW_STR(status_file);
+ SHOW_INT(status_file_version);
+ SHOW_INT(status_file_update_freq);
#ifdef ENABLE_OCC
- SHOW_BOOL (occ);
+ SHOW_BOOL(occ);
#endif
- SHOW_INT (rcvbuf);
- SHOW_INT (sndbuf);
+ SHOW_INT(rcvbuf);
+ SHOW_INT(sndbuf);
#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
- SHOW_INT (mark);
+ SHOW_INT(mark);
#endif
- SHOW_INT (sockflags);
+ SHOW_INT(sockflags);
- SHOW_BOOL (fast_io);
+ SHOW_BOOL(fast_io);
#ifdef USE_COMP
- SHOW_INT (comp.alg);
- SHOW_INT (comp.flags);
+ SHOW_INT(comp.alg);
+ SHOW_INT(comp.flags);
#endif
- SHOW_STR (route_script);
- SHOW_STR (route_default_gateway);
- SHOW_INT (route_default_metric);
- SHOW_BOOL (route_noexec);
- SHOW_INT (route_delay);
- SHOW_INT (route_delay_window);
- SHOW_BOOL (route_delay_defined);
- SHOW_BOOL (route_nopull);
- SHOW_BOOL (route_gateway_via_dhcp);
- SHOW_BOOL (allow_pull_fqdn);
- show_pull_filter_list (o->pull_filter_list);
+ SHOW_STR(route_script);
+ SHOW_STR(route_default_gateway);
+ SHOW_INT(route_default_metric);
+ SHOW_BOOL(route_noexec);
+ SHOW_INT(route_delay);
+ SHOW_INT(route_delay_window);
+ SHOW_BOOL(route_delay_defined);
+ SHOW_BOOL(route_nopull);
+ SHOW_BOOL(route_gateway_via_dhcp);
+ SHOW_BOOL(allow_pull_fqdn);
+ show_pull_filter_list(o->pull_filter_list);
- if (o->routes)
- print_route_options (o->routes, D_SHOW_PARMS);
+ if (o->routes)
+ {
+ print_route_options(o->routes, D_SHOW_PARMS);
+ }
- if (o->client_nat)
- print_client_nat_list(o->client_nat, D_SHOW_PARMS);
+ if (o->client_nat)
+ {
+ print_client_nat_list(o->client_nat, D_SHOW_PARMS);
+ }
#ifdef ENABLE_MANAGEMENT
- SHOW_STR (management_addr);
- SHOW_STR (management_port);
- SHOW_STR (management_user_pass);
- SHOW_INT (management_log_history_cache);
- SHOW_INT (management_echo_buffer_size);
- SHOW_STR (management_write_peer_info_file);
- SHOW_STR (management_client_user);
- SHOW_STR (management_client_group);
- SHOW_INT (management_flags);
+ SHOW_STR(management_addr);
+ SHOW_STR(management_port);
+ SHOW_STR(management_user_pass);
+ SHOW_INT(management_log_history_cache);
+ SHOW_INT(management_echo_buffer_size);
+ SHOW_STR(management_write_peer_info_file);
+ SHOW_STR(management_client_user);
+ SHOW_STR(management_client_group);
+ SHOW_INT(management_flags);
#endif
#ifdef ENABLE_PLUGIN
- if (o->plugin_list)
- plugin_option_list_print (o->plugin_list, D_SHOW_PARMS);
+ if (o->plugin_list)
+ {
+ plugin_option_list_print(o->plugin_list, D_SHOW_PARMS);
+ }
#endif
#ifdef ENABLE_CRYPTO
- SHOW_STR (shared_secret_file);
- SHOW_INT (key_direction);
- SHOW_STR (ciphername);
- SHOW_BOOL (ncp_enabled);
- SHOW_STR (ncp_ciphers);
- SHOW_STR (authname);
- SHOW_STR (prng_hash);
- SHOW_INT (prng_nonce_secret_len);
- SHOW_INT (keysize);
+ SHOW_STR(shared_secret_file);
+ SHOW_INT(key_direction);
+ SHOW_STR(ciphername);
+ SHOW_BOOL(ncp_enabled);
+ SHOW_STR(ncp_ciphers);
+ SHOW_STR(authname);
+ SHOW_STR(prng_hash);
+ SHOW_INT(prng_nonce_secret_len);
+ SHOW_INT(keysize);
#ifndef ENABLE_CRYPTO_MBEDTLS
- SHOW_BOOL (engine);
+ SHOW_BOOL(engine);
#endif /* ENABLE_CRYPTO_MBEDTLS */
- SHOW_BOOL (replay);
- SHOW_BOOL (mute_replay_warnings);
- SHOW_INT (replay_window);
- SHOW_INT (replay_time);
- SHOW_STR (packet_id_file);
- SHOW_BOOL (use_iv);
- SHOW_BOOL (test_crypto);
+ SHOW_BOOL(replay);
+ SHOW_BOOL(mute_replay_warnings);
+ SHOW_INT(replay_window);
+ SHOW_INT(replay_time);
+ SHOW_STR(packet_id_file);
+ SHOW_BOOL(use_iv);
+ SHOW_BOOL(test_crypto);
#ifdef ENABLE_PREDICTION_RESISTANCE
- SHOW_BOOL (use_prediction_resistance);
+ SHOW_BOOL(use_prediction_resistance);
#endif
- SHOW_BOOL (tls_server);
- SHOW_BOOL (tls_client);
- SHOW_INT (key_method);
- SHOW_STR (ca_file);
- SHOW_STR (ca_path);
- SHOW_STR (dh_file);
+ SHOW_BOOL(tls_server);
+ SHOW_BOOL(tls_client);
+ SHOW_INT(key_method);
+ SHOW_STR(ca_file);
+ SHOW_STR(ca_path);
+ SHOW_STR(dh_file);
#ifdef MANAGMENT_EXTERNAL_KEY
- if((o->management_flags & MF_EXTERNAL_CERT))
- SHOW_PARM ("cert_file","EXTERNAL_CERT","%s");
- else
+ if ((o->management_flags & MF_EXTERNAL_CERT))
+ {
+ SHOW_PARM("cert_file","EXTERNAL_CERT","%s");
+ }
+ else
#endif
- SHOW_STR (cert_file);
- SHOW_STR (extra_certs_file);
+ SHOW_STR(cert_file);
+ SHOW_STR(extra_certs_file);
#ifdef MANAGMENT_EXTERNAL_KEY
- if((o->management_flags & MF_EXTERNAL_KEY))
- SHOW_PARM ("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
- else
+ if ((o->management_flags & MF_EXTERNAL_KEY))
+ {
+ SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
+ }
+ else
#endif
- SHOW_STR (priv_key_file);
+ SHOW_STR(priv_key_file);
#ifndef ENABLE_CRYPTO_MBEDTLS
- SHOW_STR (pkcs12_file);
+ SHOW_STR(pkcs12_file);
#endif
#ifdef ENABLE_CRYPTOAPI
- SHOW_STR (cryptoapi_cert);
-#endif
- SHOW_STR (cipher_list);
- SHOW_STR (tls_verify);
- SHOW_STR (tls_export_cert);
- SHOW_INT (verify_x509_type);
- SHOW_STR (verify_x509_name);
- SHOW_STR (crl_file);
- SHOW_INT (ns_cert_type);
- {
- int i;
- for (i=0;i<MAX_PARMS;i++)
- SHOW_INT (remote_cert_ku[i]);
- }
- SHOW_STR (remote_cert_eku);
- SHOW_INT (ssl_flags);
+ SHOW_STR(cryptoapi_cert);
+#endif
+ SHOW_STR(cipher_list);
+ SHOW_STR(tls_verify);
+ SHOW_STR(tls_export_cert);
+ SHOW_INT(verify_x509_type);
+ SHOW_STR(verify_x509_name);
+ SHOW_STR(crl_file);
+ SHOW_INT(ns_cert_type);
+ {
+ int i;
+ for (i = 0; i<MAX_PARMS; i++)
+ SHOW_INT(remote_cert_ku[i]);
+ }
+ SHOW_STR(remote_cert_eku);
+ SHOW_INT(ssl_flags);
- SHOW_INT (tls_timeout);
+ SHOW_INT(tls_timeout);
- SHOW_INT (renegotiate_bytes);
- SHOW_INT (renegotiate_packets);
- SHOW_INT (renegotiate_seconds);
+ SHOW_INT(renegotiate_bytes);
+ SHOW_INT(renegotiate_packets);
+ SHOW_INT(renegotiate_seconds);
- SHOW_INT (handshake_window);
- SHOW_INT (transition_window);
+ SHOW_INT(handshake_window);
+ SHOW_INT(transition_window);
- SHOW_BOOL (single_session);
+ SHOW_BOOL(single_session);
#ifdef ENABLE_PUSH_PEER_INFO
- SHOW_BOOL (push_peer_info);
+ SHOW_BOOL(push_peer_info);
#endif
- SHOW_BOOL (tls_exit);
+ SHOW_BOOL(tls_exit);
- SHOW_STR (tls_auth_file);
- SHOW_STR (tls_crypt_file);
+ SHOW_STR(tls_auth_file);
+ SHOW_STR(tls_crypt_file);
#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
- {
- int i;
- for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++)
- SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s");
- }
- {
- int i;
- for (i=0;i<MAX_PARMS;i++)
- SHOW_PARM (pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
- }
- {
- int i;
- for (i=0;i<MAX_PARMS;i++)
- SHOW_PARM (pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
- }
- {
- int i;
- for (i=0;i<MAX_PARMS;i++)
- SHOW_PARM (pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
- }
- SHOW_INT (pkcs11_pin_cache_period);
- SHOW_STR (pkcs11_id);
- SHOW_BOOL (pkcs11_id_management);
-#endif /* ENABLE_PKCS11 */
+ {
+ int i;
+ for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
+ SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
+ }
+ {
+ int i;
+ for (i = 0; i<MAX_PARMS; i++)
+ SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
+ }
+ {
+ int i;
+ for (i = 0; i<MAX_PARMS; i++)
+ SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
+ }
+ {
+ int i;
+ for (i = 0; i<MAX_PARMS; i++)
+ SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
+ }
+ SHOW_INT(pkcs11_pin_cache_period);
+ SHOW_STR(pkcs11_id);
+ SHOW_BOOL(pkcs11_id_management);
+#endif /* ENABLE_PKCS11 */
#if P2MP
- show_p2mp_parms (o);
+ show_p2mp_parms(o);
#endif
#ifdef _WIN32
- SHOW_BOOL (show_net_up);
- SHOW_INT (route_method);
- SHOW_BOOL (block_outside_dns);
- show_tuntap_options (&o->tuntap_options);
-#endif
+ SHOW_BOOL(show_net_up);
+ SHOW_INT(route_method);
+ SHOW_BOOL(block_outside_dns);
+ show_tuntap_options(&o->tuntap_options);
#endif
+#endif /* ifndef ENABLE_SMALL */
}
#undef SHOW_PARM
@@ -1770,945 +1832,1217 @@ show_settings (const struct options *o)
#ifdef ENABLE_MANAGEMENT
static struct http_proxy_options *
-parse_http_proxy_override (const char *server,
- const char *port,
- const char *flags,
- const int msglevel,
- struct gc_arena *gc)
+parse_http_proxy_override(const char *server,
+ const char *port,
+ const char *flags,
+ const int msglevel,
+ struct gc_arena *gc)
{
- if (server && port)
- {
- struct http_proxy_options *ho;
- ALLOC_OBJ_CLEAR_GC (ho, struct http_proxy_options, gc);
- ho->server = string_alloc(server, gc);
- ho->port = port;
- if (flags && !strcmp(flags, "nct"))
- ho->auth_retry = PAR_NCT;
- else
- ho->auth_retry = PAR_ALL;
- ho->http_version = "1.0";
- ho->user_agent = "OpenVPN-Autoproxy/1.0";
- return ho;
- }
- else
- return NULL;
+ if (server && port)
+ {
+ struct http_proxy_options *ho;
+ ALLOC_OBJ_CLEAR_GC(ho, struct http_proxy_options, gc);
+ ho->server = string_alloc(server, gc);
+ ho->port = port;
+ if (flags && !strcmp(flags, "nct"))
+ {
+ ho->auth_retry = PAR_NCT;
+ }
+ else
+ {
+ ho->auth_retry = PAR_ALL;
+ }
+ ho->http_version = "1.0";
+ ho->user_agent = "OpenVPN-Autoproxy/1.0";
+ return ho;
+ }
+ else
+ {
+ return NULL;
+ }
}
void
-options_postprocess_http_proxy_override (struct options *o)
+options_postprocess_http_proxy_override(struct options *o)
{
- const struct connection_list *l = o->connection_list;
- int i;
- bool succeed = false;
- for (i = 0; i < l->len; ++i)
+ const struct connection_list *l = o->connection_list;
+ int i;
+ bool succeed = false;
+ for (i = 0; i < l->len; ++i)
{
- struct connection_entry *ce = l->array[i];
- if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
+ struct connection_entry *ce = l->array[i];
+ if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
{
- ce->http_proxy_options = o->http_proxy_override;
- succeed = true;
+ ce->http_proxy_options = o->http_proxy_override;
+ succeed = true;
}
}
- if (succeed)
+ if (succeed)
{
- for (i = 0; i < l->len; ++i)
+ for (i = 0; i < l->len; ++i)
{
- struct connection_entry *ce = l->array[i];
- if (ce->proto == PROTO_UDP)
+ struct connection_entry *ce = l->array[i];
+ if (ce->proto == PROTO_UDP)
{
- ce->flags |= CE_DISABLED;
+ ce->flags |= CE_DISABLED;
}
}
}
- else
+ else
{
- msg (M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
+ msg(M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
}
}
-#endif
+#endif /* ifdef ENABLE_MANAGEMENT */
static struct connection_list *
-alloc_connection_list_if_undef (struct options *options)
+alloc_connection_list_if_undef(struct options *options)
{
- if (!options->connection_list)
- ALLOC_OBJ_CLEAR_GC (options->connection_list, struct connection_list, &options->gc);
- return options->connection_list;
+ if (!options->connection_list)
+ {
+ ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list, &options->gc);
+ }
+ return options->connection_list;
}
static struct connection_entry *
-alloc_connection_entry (struct options *options, const int msglevel)
+alloc_connection_entry(struct options *options, const int msglevel)
{
- struct connection_list *l = alloc_connection_list_if_undef (options);
- struct connection_entry *e;
+ struct connection_list *l = alloc_connection_list_if_undef(options);
+ struct connection_entry *e;
- if (l->len >= CONNECTION_LIST_SIZE)
+ if (l->len >= CONNECTION_LIST_SIZE)
{
- msg (msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
- return NULL;
+ msg(msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
+ return NULL;
}
- ALLOC_OBJ_GC (e, struct connection_entry, &options->gc);
- l->array[l->len++] = e;
- return e;
+ ALLOC_OBJ_GC(e, struct connection_entry, &options->gc);
+ l->array[l->len++] = e;
+ return e;
}
static struct remote_list *
-alloc_remote_list_if_undef (struct options *options)
+alloc_remote_list_if_undef(struct options *options)
{
- if (!options->remote_list)
- ALLOC_OBJ_CLEAR_GC (options->remote_list, struct remote_list, &options->gc);
- return options->remote_list;
+ if (!options->remote_list)
+ {
+ ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
+ }
+ return options->remote_list;
}
static struct remote_entry *
-alloc_remote_entry (struct options *options, const int msglevel)
+alloc_remote_entry(struct options *options, const int msglevel)
{
- struct remote_list *l = alloc_remote_list_if_undef (options);
- struct remote_entry *e;
+ struct remote_list *l = alloc_remote_list_if_undef(options);
+ struct remote_entry *e;
- if (l->len >= CONNECTION_LIST_SIZE)
+ if (l->len >= CONNECTION_LIST_SIZE)
{
- msg (msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
- return NULL;
+ msg(msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
+ return NULL;
}
- ALLOC_OBJ_GC (e, struct remote_entry, &options->gc);
- l->array[l->len++] = e;
- return e;
+ ALLOC_OBJ_GC(e, struct remote_entry, &options->gc);
+ l->array[l->len++] = e;
+ return e;
}
static struct pull_filter_list *
-alloc_pull_filter_list (struct options *o)
+alloc_pull_filter_list(struct options *o)
{
- if (!o->pull_filter_list)
- ALLOC_OBJ_CLEAR_GC (o->pull_filter_list, struct pull_filter_list, &o->gc);
- return o->pull_filter_list;
+ if (!o->pull_filter_list)
+ {
+ ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
+ }
+ return o->pull_filter_list;
}
static struct pull_filter *
-alloc_pull_filter (struct options *o, const int msglevel)
+alloc_pull_filter(struct options *o, const int msglevel)
{
- struct pull_filter_list *l = alloc_pull_filter_list (o);
- struct pull_filter *f;
+ struct pull_filter_list *l = alloc_pull_filter_list(o);
+ struct pull_filter *f;
- ALLOC_OBJ_CLEAR_GC (f, struct pull_filter, &o->gc);
- if (l->head)
+ ALLOC_OBJ_CLEAR_GC(f, struct pull_filter, &o->gc);
+ if (l->head)
{
- ASSERT (l->tail);
- l->tail->next = f;
+ ASSERT(l->tail);
+ l->tail->next = f;
}
- else
+ else
{
- ASSERT (!l->tail);
- l->head = f;
+ ASSERT(!l->tail);
+ l->head = f;
}
- l->tail = f;
- return f;
+ l->tail = f;
+ return f;
}
void
-connection_entry_load_re (struct connection_entry *ce, const struct remote_entry *re)
+connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
{
- if (re->remote)
- ce->remote = re->remote;
- if (re->remote_port)
- ce->remote_port = re->remote_port;
- if (re->proto >= 0)
- ce->proto = re->proto;
- if (re->af > 0)
- ce->af = re->af;
+ if (re->remote)
+ {
+ ce->remote = re->remote;
+ }
+ if (re->remote_port)
+ {
+ ce->remote_port = re->remote_port;
+ }
+ if (re->proto >= 0)
+ {
+ ce->proto = re->proto;
+ }
+ if (re->af > 0)
+ {
+ ce->af = re->af;
+ }
}
static void
-options_postprocess_verify_ce (const struct options *options, const struct connection_entry *ce)
+options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
{
- struct options defaults;
- int dev = DEV_TYPE_UNDEF;
- bool pull = false;
+ struct options defaults;
+ int dev = DEV_TYPE_UNDEF;
+ bool pull = false;
- init_options (&defaults, true);
+ init_options(&defaults, true);
#ifdef ENABLE_CRYPTO
- if (options->test_crypto)
+ if (options->test_crypto)
{
- notnull (options->shared_secret_file, "key file (--secret)");
+ notnull(options->shared_secret_file, "key file (--secret)");
}
- else
+ else
#endif
- notnull (options->dev, "TUN/TAP device (--dev)");
+ notnull(options->dev, "TUN/TAP device (--dev)");
- /*
- * Get tun/tap/null device type
- */
- dev = dev_type_enum (options->dev, options->dev_type);
+ /*
+ * Get tun/tap/null device type
+ */
+ dev = dev_type_enum(options->dev, options->dev_type);
- /*
- * If "proto tcp" is specified, make sure we know whether it is
- * tcp-client or tcp-server.
- */
- if (ce->proto == PROTO_TCP)
- msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
+ /*
+ * If "proto tcp" is specified, make sure we know whether it is
+ * tcp-client or tcp-server.
+ */
+ if (ce->proto == PROTO_TCP)
+ {
+ msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
+ }
- /*
- * Sanity check on daemon/inetd modes
- */
+ /*
+ * Sanity check on daemon/inetd modes
+ */
- if (options->daemon && options->inetd)
- msg (M_USAGE, "only one of --daemon or --inetd may be specified");
+ if (options->daemon && options->inetd)
+ {
+ msg(M_USAGE, "only one of --daemon or --inetd may be specified");
+ }
- if (options->inetd && (ce->local || ce->remote))
- msg (M_USAGE, "--local or --remote cannot be used with --inetd");
+ if (options->inetd && (ce->local || ce->remote))
+ {
+ msg(M_USAGE, "--local or --remote cannot be used with --inetd");
+ }
- if (options->inetd && ce->proto == PROTO_TCP_CLIENT)
- msg (M_USAGE, "--proto tcp-client cannot be used with --inetd");
+ if (options->inetd && ce->proto == PROTO_TCP_CLIENT)
+ {
+ msg(M_USAGE, "--proto tcp-client cannot be used with --inetd");
+ }
- if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER)
- msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
+ if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER)
+ {
+ msg(M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
+ }
- if (options->inetd == INETD_NOWAIT
+ if (options->inetd == INETD_NOWAIT
#ifdef ENABLE_CRYPTO
- && !(options->tls_server || options->tls_client)
+ && !(options->tls_server || options->tls_client)
#endif
- )
- msg (M_USAGE, "--inetd nowait can only be used in TLS mode");
+ )
+ {
+ msg(M_USAGE, "--inetd nowait can only be used in TLS mode");
+ }
- if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
- msg (M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
+ if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
+ {
+ msg(M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
+ }
- if (options->lladdr && dev != DEV_TYPE_TAP)
- msg (M_USAGE, "--lladdr can only be used in --dev tap mode");
-
- /*
- * Sanity check on MTU parameters
- */
- if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
- msg (M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
+ if (options->lladdr && dev != DEV_TYPE_TAP)
+ {
+ msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
+ }
+
+ /*
+ * Sanity check on MTU parameters
+ */
+ if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
+ {
+ msg(M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);
+ }
#ifdef ENABLE_OCC
- if (!proto_is_udp(ce->proto) && options->mtu_test)
- msg (M_USAGE, "--mtu-test only makes sense with --proto udp");
+ if (!proto_is_udp(ce->proto) && options->mtu_test)
+ {
+ msg(M_USAGE, "--mtu-test only makes sense with --proto udp");
+ }
#endif
- /* will we be pulling options from server? */
+ /* will we be pulling options from server? */
#if P2MP
- pull = options->pull;
+ pull = options->pull;
#endif
- /*
- * Sanity check on --local, --remote, and --ifconfig
- */
+ /*
+ * Sanity check on --local, --remote, and --ifconfig
+ */
- if (proto_is_net(ce->proto)
- && string_defined_equal (ce->local, ce->remote)
- && string_defined_equal (ce->local_port, ce->remote_port))
- msg (M_USAGE, "--remote and --local addresses are the same");
-
- if (string_defined_equal (ce->remote, options->ifconfig_local)
- || string_defined_equal (ce->remote, options->ifconfig_remote_netmask))
- msg (M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses");
+ if (proto_is_net(ce->proto)
+ && string_defined_equal(ce->local, ce->remote)
+ && string_defined_equal(ce->local_port, ce->remote_port))
+ {
+ msg(M_USAGE, "--remote and --local addresses are the same");
+ }
- if (string_defined_equal (ce->local, options->ifconfig_local)
- || string_defined_equal (ce->local, options->ifconfig_remote_netmask))
- msg (M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
+ if (string_defined_equal(ce->remote, options->ifconfig_local)
+ || string_defined_equal(ce->remote, options->ifconfig_remote_netmask))
+ {
+ msg(M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses");
+ }
- if (string_defined_equal (options->ifconfig_local, options->ifconfig_remote_netmask))
- msg (M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
+ if (string_defined_equal(ce->local, options->ifconfig_local)
+ || string_defined_equal(ce->local, options->ifconfig_remote_netmask))
+ {
+ msg(M_USAGE, "--local addresses must be distinct from --ifconfig addresses");
+ }
- if (ce->bind_defined && !ce->bind_local)
- msg (M_USAGE, "--bind and --nobind can't be used together");
+ if (string_defined_equal(options->ifconfig_local, options->ifconfig_remote_netmask))
+ {
+ msg(M_USAGE, "local and remote/netmask --ifconfig addresses must be different");
+ }
- if (ce->local && !ce->bind_local)
- msg (M_USAGE, "--local and --nobind don't make sense when used together");
+ if (ce->bind_defined && !ce->bind_local)
+ {
+ msg(M_USAGE, "--bind and --nobind can't be used together");
+ }
- if (ce->local_port_defined && !ce->bind_local)
- msg (M_USAGE, "--lport and --nobind don't make sense when used together");
+ if (ce->local && !ce->bind_local)
+ {
+ msg(M_USAGE, "--local and --nobind don't make sense when used together");
+ }
- if (!ce->remote && !ce->bind_local)
- msg (M_USAGE, "--nobind doesn't make sense unless used with --remote");
+ if (ce->local_port_defined && !ce->bind_local)
+ {
+ msg(M_USAGE, "--lport and --nobind don't make sense when used together");
+ }
- /*
- * Check for consistency of management options
- */
+ if (!ce->remote && !ce->bind_local)
+ {
+ msg(M_USAGE, "--nobind doesn't make sense unless used with --remote");
+ }
+
+ /*
+ * Check for consistency of management options
+ */
#ifdef ENABLE_MANAGEMENT
- if (!options->management_addr &&
- (options->management_flags
- || options->management_write_peer_info_file
- || options->management_log_history_cache != defaults.management_log_history_cache))
- msg (M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
+ if (!options->management_addr
+ && (options->management_flags
+ || options->management_write_peer_info_file
+ || options->management_log_history_cache != defaults.management_log_history_cache))
+ {
+ msg(M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
+ }
- if ((options->management_client_user || options->management_client_group)
- && !(options->management_flags & MF_UNIX_SOCK))
- msg (M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
+ if ((options->management_client_user || options->management_client_group)
+ && !(options->management_flags & MF_UNIX_SOCK))
+ {
+ msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
+ }
#endif
- /*
- * Windows-specific options.
- */
+ /*
+ * Windows-specific options.
+ */
#ifdef _WIN32
- if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
- msg (M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
+ if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
+ {
+ msg(M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
+ }
- if ((options->tuntap_options.ip_win32_defined)
- && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
- msg (M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
+ if ((options->tuntap_options.ip_win32_defined)
+ && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
+ {
+ msg(M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
+ }
- if (options->tuntap_options.dhcp_options
- && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
- && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
- msg (M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive");
+ if (options->tuntap_options.dhcp_options
+ && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
+ && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
+ {
+ msg(M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive");
+ }
#endif
- /*
- * Check that protocol options make sense.
- */
+ /*
+ * Check that protocol options make sense.
+ */
#ifdef ENABLE_FRAGMENT
- if (!proto_is_udp(ce->proto) && ce->fragment)
- msg (M_USAGE, "--fragment can only be used with --proto udp");
+ if (!proto_is_udp(ce->proto) && ce->fragment)
+ {
+ msg(M_USAGE, "--fragment can only be used with --proto udp");
+ }
#endif
#ifdef ENABLE_OCC
- if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
- msg (M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
+ if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
+ {
+ msg(M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
+ }
#endif
- if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
- msg (M_USAGE, "--remote MUST be used in TCP Client mode");
+ if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
+ {
+ msg(M_USAGE, "--remote MUST be used in TCP Client mode");
+ }
- if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
- msg (M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
- if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
- msg (M_USAGE, "--http-proxy not specified but other http proxy options present");
+ if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
+ {
+ msg(M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
+ }
+ if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
+ {
+ msg(M_USAGE, "--http-proxy not specified but other http proxy options present");
+ }
- if (ce->http_proxy_options && ce->socks_proxy_server)
- msg (M_USAGE, "--http-proxy can not be used together with --socks-proxy");
+ if (ce->http_proxy_options && ce->socks_proxy_server)
+ {
+ msg(M_USAGE, "--http-proxy can not be used together with --socks-proxy");
+ }
- if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
- msg (M_USAGE, "--socks-proxy can not be used in TCP Server mode");
+ if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
+ {
+ msg(M_USAGE, "--socks-proxy can not be used in TCP Server mode");
+ }
- if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
- msg (M_USAGE, "TCP server mode allows at most one --remote address");
+ if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
+ {
+ msg(M_USAGE, "TCP server mode allows at most one --remote address");
+ }
#if P2MP_SERVER
- /*
- * Check consistency of --mode server options.
- */
- if (options->mode == MODE_SERVER)
- {
- if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
- msg (M_USAGE, "--mode server only works with --dev tun or --dev tap");
- if (options->pull)
- msg (M_USAGE, "--pull cannot be used with --mode server");
- if (options->pull_filter_list)
- msg (M_USAGE, "--pull-filter cannot be used with --mode server");
- if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
- msg (M_USAGE, "--mode server currently only supports "
- "--proto udp or --proto tcp-server or proto tcp6-server");
+ /*
+ * Check consistency of --mode server options.
+ */
+ if (options->mode == MODE_SERVER)
+ {
+ if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
+ {
+ msg(M_USAGE, "--mode server only works with --dev tun or --dev tap");
+ }
+ if (options->pull)
+ {
+ msg(M_USAGE, "--pull cannot be used with --mode server");
+ }
+ if (options->pull_filter_list)
+ {
+ msg(M_USAGE, "--pull-filter cannot be used with --mode server");
+ }
+ if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
+ {
+ msg(M_USAGE, "--mode server currently only supports "
+ "--proto udp or --proto tcp-server or proto tcp6-server");
+ }
#if PORT_SHARE
- if ((options->port_share_host || options->port_share_port) &&
- (ce->proto != PROTO_TCP_SERVER))
- msg (M_USAGE, "--port-share only works in TCP server mode "
- "(--proto tcp-server or tcp6-server)");
-#endif
- if (!options->tls_server)
- msg (M_USAGE, "--mode server requires --tls-server");
- if (ce->remote)
- msg (M_USAGE, "--remote cannot be used with --mode server");
- if (!ce->bind_local)
- msg (M_USAGE, "--nobind cannot be used with --mode server");
- if (ce->http_proxy_options)
- msg (M_USAGE, "--http-proxy cannot be used with --mode server");
- if (ce->socks_proxy_server)
- msg (M_USAGE, "--socks-proxy cannot be used with --mode server");
- /* <connection> blocks force to have a remote embedded, so we check for the
- * --remote and bail out if it is present */
- if (options->connection_list->len >1 ||
- options->connection_list->array[0]->remote)
- msg (M_USAGE, "<connection> cannot be used with --mode server");
-
- if (options->shaper)
- msg (M_USAGE, "--shaper cannot be used with --mode server");
- if (options->inetd)
- msg (M_USAGE, "--inetd cannot be used with --mode server");
- if (options->ipchange)
- msg (M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)");
- if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
- msg (M_USAGE, "--mode server currently only supports "
- "--proto udp or --proto tcp-server or --proto tcp6-server");
- if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
- msg (M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
- if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
- msg (M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
- if (options->routes && (options->routes->flags & RG_ENABLE))
- msg (M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
- if (options->route_delay_defined)
- msg (M_USAGE, "--route-delay cannot be used with --mode server");
- if (options->up_delay)
- msg (M_USAGE, "--up-delay cannot be used with --mode server");
- if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
- msg (M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
- if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local )
- msg (M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
- if (options->allow_recursive_routing)
- msg (M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
- if (options->auth_user_pass_file)
- msg (M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
- if (options->ccd_exclusive && !options->client_config_dir)
- msg (M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
- if (options->key_method != 2)
- msg (M_USAGE, "--mode server requires --key-method 2");
-
- {
- const bool ccnr = (options->auth_user_pass_verify_script
- || PLUGIN_OPTION_LIST (options)
- || MAN_CLIENT_AUTH_ENABLED (options));
- const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
- if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
- msg (M_USAGE, "--verify-client-cert none|optional %s", postfix);
- if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
- msg (M_USAGE, "--username-as-common-name %s", postfix);
- if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
- msg (M_USAGE, "--auth-user-pass-optional %s", postfix);
- }
- }
- else
- {
- /*
- * When not in server mode, err if parameters are
- * specified which require --mode server.
- */
- if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
- msg (M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
- if (options->ifconfig_ipv6_pool_defined)
- msg (M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
- if (options->real_hash_size != defaults.real_hash_size
- || options->virtual_hash_size != defaults.virtual_hash_size)
- msg (M_USAGE, "--hash-size requires --mode server");
- if (options->learn_address_script)
- msg (M_USAGE, "--learn-address requires --mode server");
- if (options->client_connect_script)
- msg (M_USAGE, "--client-connect requires --mode server");
- if (options->client_disconnect_script)
- msg (M_USAGE, "--client-disconnect requires --mode server");
- if (options->client_config_dir || options->ccd_exclusive)
- msg (M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
- if (options->enable_c2c)
- msg (M_USAGE, "--client-to-client requires --mode server");
- if (options->duplicate_cn)
- msg (M_USAGE, "--duplicate-cn requires --mode server");
- if (options->cf_max || options->cf_per)
- msg (M_USAGE, "--connect-freq requires --mode server");
- if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
- msg (M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server");
- if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
- msg (M_USAGE, "--username-as-common-name requires --mode server");
- if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
- msg (M_USAGE, "--auth-user-pass-optional requires --mode server");
- if (options->ssl_flags & SSLF_OPT_VERIFY)
- msg (M_USAGE, "--opt-verify requires --mode server");
- if (options->server_flags & SF_TCP_NODELAY_HELPER)
- msg (M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
- "affect the server. To have TCP_NODELAY in both direction use "
- "tcp-nodelay in the server configuration instead.");
- if (options->auth_user_pass_verify_script)
- msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
- if (options->auth_token_generate)
- msg (M_USAGE, "--auth-gen-token requires --mode server");
+ if ((options->port_share_host || options->port_share_port)
+ && (ce->proto != PROTO_TCP_SERVER))
+ {
+ msg(M_USAGE, "--port-share only works in TCP server mode "
+ "(--proto tcp-server or tcp6-server)");
+ }
+#endif
+ if (!options->tls_server)
+ {
+ msg(M_USAGE, "--mode server requires --tls-server");
+ }
+ if (ce->remote)
+ {
+ msg(M_USAGE, "--remote cannot be used with --mode server");
+ }
+ if (!ce->bind_local)
+ {
+ msg(M_USAGE, "--nobind cannot be used with --mode server");
+ }
+ if (ce->http_proxy_options)
+ {
+ msg(M_USAGE, "--http-proxy cannot be used with --mode server");
+ }
+ if (ce->socks_proxy_server)
+ {
+ msg(M_USAGE, "--socks-proxy cannot be used with --mode server");
+ }
+ /* <connection> blocks force to have a remote embedded, so we check for the
+ * --remote and bail out if it is present */
+ if (options->connection_list->len >1
+ || options->connection_list->array[0]->remote)
+ {
+ msg(M_USAGE, "<connection> cannot be used with --mode server");
+ }
+
+ if (options->shaper)
+ {
+ msg(M_USAGE, "--shaper cannot be used with --mode server");
+ }
+ if (options->inetd)
+ {
+ msg(M_USAGE, "--inetd cannot be used with --mode server");
+ }
+ if (options->ipchange)
+ {
+ msg(M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)");
+ }
+ if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
+ {
+ msg(M_USAGE, "--mode server currently only supports "
+ "--proto udp or --proto tcp-server or --proto tcp6-server");
+ }
+ if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
+ {
+ msg(M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
+ }
+ if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
+ {
+ msg(M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
+ }
+ if (options->routes && (options->routes->flags & RG_ENABLE))
+ {
+ msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
+ }
+ if (options->route_delay_defined)
+ {
+ msg(M_USAGE, "--route-delay cannot be used with --mode server");
+ }
+ if (options->up_delay)
+ {
+ msg(M_USAGE, "--up-delay cannot be used with --mode server");
+ }
+ if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename)
+ {
+ msg(M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
+ }
+ if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local)
+ {
+ msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
+ }
+ if (options->allow_recursive_routing)
+ {
+ msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
+ }
+ if (options->auth_user_pass_file)
+ {
+ msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
+ }
+ if (options->ccd_exclusive && !options->client_config_dir)
+ {
+ msg(M_USAGE, "--ccd-exclusive must be used with --client-config-dir");
+ }
+ if (options->key_method != 2)
+ {
+ msg(M_USAGE, "--mode server requires --key-method 2");
+ }
+
+ {
+ const bool ccnr = (options->auth_user_pass_verify_script
+ || PLUGIN_OPTION_LIST(options)
+ || MAN_CLIENT_AUTH_ENABLED(options));
+ const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
+ if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
+ {
+ msg(M_USAGE, "--verify-client-cert none|optional %s", postfix);
+ }
+ if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
+ {
+ msg(M_USAGE, "--username-as-common-name %s", postfix);
+ }
+ if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
+ {
+ msg(M_USAGE, "--auth-user-pass-optional %s", postfix);
+ }
+ }
+ }
+ else
+ {
+ /*
+ * When not in server mode, err if parameters are
+ * specified which require --mode server.
+ */
+ if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename)
+ {
+ msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
+ }
+ if (options->ifconfig_ipv6_pool_defined)
+ {
+ msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server");
+ }
+ if (options->real_hash_size != defaults.real_hash_size
+ || options->virtual_hash_size != defaults.virtual_hash_size)
+ {
+ msg(M_USAGE, "--hash-size requires --mode server");
+ }
+ if (options->learn_address_script)
+ {
+ msg(M_USAGE, "--learn-address requires --mode server");
+ }
+ if (options->client_connect_script)
+ {
+ msg(M_USAGE, "--client-connect requires --mode server");
+ }
+ if (options->client_disconnect_script)
+ {
+ msg(M_USAGE, "--client-disconnect requires --mode server");
+ }
+ if (options->client_config_dir || options->ccd_exclusive)
+ {
+ msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server");
+ }
+ if (options->enable_c2c)
+ {
+ msg(M_USAGE, "--client-to-client requires --mode server");
+ }
+ if (options->duplicate_cn)
+ {
+ msg(M_USAGE, "--duplicate-cn requires --mode server");
+ }
+ if (options->cf_max || options->cf_per)
+ {
+ msg(M_USAGE, "--connect-freq requires --mode server");
+ }
+ if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
+ {
+ msg(M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server");
+ }
+ if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
+ {
+ msg(M_USAGE, "--username-as-common-name requires --mode server");
+ }
+ if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
+ {
+ msg(M_USAGE, "--auth-user-pass-optional requires --mode server");
+ }
+ if (options->ssl_flags & SSLF_OPT_VERIFY)
+ {
+ msg(M_USAGE, "--opt-verify requires --mode server");
+ }
+ if (options->server_flags & SF_TCP_NODELAY_HELPER)
+ {
+ msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not "
+ "affect the server. To have TCP_NODELAY in both direction use "
+ "tcp-nodelay in the server configuration instead.");
+ }
+ if (options->auth_user_pass_verify_script)
+ {
+ msg(M_USAGE, "--auth-user-pass-verify requires --mode server");
+ }
+ if (options->auth_token_generate)
+ {
+ msg(M_USAGE, "--auth-gen-token requires --mode server");
+ }
#if PORT_SHARE
- if (options->port_share_host || options->port_share_port)
- msg (M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
+ if (options->port_share_host || options->port_share_port)
+ {
+ msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
+ }
#endif
- if (options->stale_routes_check_interval)
- msg (M_USAGE, "--stale-routes-check requires --mode server");
- if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING))
- msg (M_USAGE, "--compat-x509-names no-remapping requires --mode server");
+ if (options->stale_routes_check_interval)
+ {
+ msg(M_USAGE, "--stale-routes-check requires --mode server");
+ }
+ if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NO_NAME_REMAPPING))
+ {
+ msg(M_USAGE, "--compat-x509-names no-remapping requires --mode server");
+ }
}
#endif /* P2MP_SERVER */
#ifdef ENABLE_CRYPTO
- if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers))
+ if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers))
+ {
+ msg(M_USAGE, "NCP cipher list contains unsupported ciphers.");
+ }
+ if (options->ncp_enabled && !options->use_iv)
{
- msg (M_USAGE, "NCP cipher list contains unsupported ciphers.");
+ msg(M_USAGE, "--no-iv not allowed when NCP is enabled.");
+ }
+ if (!options->use_iv)
+ {
+ msg(M_WARN, "WARNING: --no-iv is deprecated and will be removed in 2.5");
}
- /*
- * Check consistency of replay options
- */
- if (!options->replay
- && (options->replay_window != defaults.replay_window
- || options->replay_time != defaults.replay_time))
- msg (M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
+ /*
+ * Check consistency of replay options
+ */
+ if (!options->replay
+ && (options->replay_window != defaults.replay_window
+ || options->replay_time != defaults.replay_time))
+ {
+ msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
+ }
- /*
- * SSL/TLS mode sanity checks.
- */
- if (options->tls_server + options->tls_client +
- (options->shared_secret_file != NULL) > 1)
- msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
+ /*
+ * SSL/TLS mode sanity checks.
+ */
+ if (options->tls_server + options->tls_client
+ +(options->shared_secret_file != NULL) > 1)
+ {
+ msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
+ }
- if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
+ if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
{
- msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
- "--verify-client-cert none|optional (or --client-cert-not-required) "
- "may accept clients which do not present a certificate");
+ msg(M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
+ "--verify-client-cert none|optional (or --client-cert-not-required) "
+ "may accept clients which do not present a certificate");
}
- if (options->key_method == 1)
+ if (options->key_method == 1)
{
- msg (M_WARN, "WARNING: --key-method 1 is deprecated and will be removed "
- "in OpenVPN 2.5. By default --key-method 2 will be used if not set "
- "in the configuration file, which is the recommended approach.");
+ msg(M_WARN, "WARNING: --key-method 1 is deprecated and will be removed "
+ "in OpenVPN 2.5. By default --key-method 2 will be used if not set "
+ "in the configuration file, which is the recommended approach.");
}
- if (options->tls_server || options->tls_client)
+ if (options->tls_server || options->tls_client)
{
#ifdef ENABLE_PKCS11
- if (options->pkcs11_providers[0])
- {
- notnull (options->ca_file, "CA file (--ca)");
-
- if (options->pkcs11_id_management && options->pkcs11_id != NULL)
- msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
- if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
- msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
- if (options->cert_file)
- msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
- if (options->priv_key_file)
- msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
+ if (options->pkcs11_providers[0])
+ {
+ notnull(options->ca_file, "CA file (--ca)");
+
+ if (options->pkcs11_id_management && options->pkcs11_id != NULL)
+ {
+ msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
+ }
+ if (!options->pkcs11_id_management && options->pkcs11_id == NULL)
+ {
+ msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
+ }
+ if (options->cert_file)
+ {
+ msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
+ }
+ if (options->priv_key_file)
+ {
+ msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
+ }
#ifdef MANAGMENT_EXTERNAL_KEY
- if (options->management_flags & MF_EXTERNAL_KEY)
- msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
- if (options->management_flags & MF_EXTERNAL_CERT)
- msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
+ if (options->management_flags & MF_EXTERNAL_KEY)
+ {
+ msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
+ }
+ if (options->management_flags & MF_EXTERNAL_CERT)
+ {
+ msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
+ }
#endif
- if (options->pkcs12_file)
- msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
+ if (options->pkcs12_file)
+ {
+ msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
+ }
#ifdef ENABLE_CRYPTOAPI
- if (options->cryptoapi_cert)
- msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
-#endif
- }
- else
+ if (options->cryptoapi_cert)
+ {
+ msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
+ }
#endif
+ }
+ else
+#endif /* ifdef ENABLE_PKCS11 */
#ifdef MANAGMENT_EXTERNAL_KEY
- if((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
- {
- msg (M_USAGE, "--key and --management-external-key are mutually exclusive");
- }
- else if((options->management_flags & MF_EXTERNAL_CERT))
- {
- if (options->cert_file)
- msg (M_USAGE, "--cert and --management-external-cert are mutually exclusive");
- else if(!(options->management_flags & MF_EXTERNAL_KEY))
- msg (M_USAGE, "--management-external-cert must be used with --management-external-key");
- }
- else
+ if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file)
+ {
+ msg(M_USAGE, "--key and --management-external-key are mutually exclusive");
+ }
+ else if ((options->management_flags & MF_EXTERNAL_CERT))
+ {
+ if (options->cert_file)
+ {
+ msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive");
+ }
+ else if (!(options->management_flags & MF_EXTERNAL_KEY))
+ {
+ msg(M_USAGE, "--management-external-cert must be used with --management-external-key");
+ }
+ }
+ else
#endif
#ifdef ENABLE_CRYPTOAPI
- if (options->cryptoapi_cert)
- {
- if ((!(options->ca_file)) && (!(options->ca_path)))
- msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
- if (options->cert_file)
- msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
- if (options->priv_key_file)
- msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
- if (options->pkcs12_file)
- msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
+ if (options->cryptoapi_cert)
+ {
+ if ((!(options->ca_file)) && (!(options->ca_path)))
+ {
+ msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
+ }
+ if (options->cert_file)
+ {
+ msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
+ }
+ if (options->priv_key_file)
+ {
+ msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified.");
+ }
+ if (options->pkcs12_file)
+ {
+ msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
+ }
#ifdef MANAGMENT_EXTERNAL_KEY
- if (options->management_flags & MF_EXTERNAL_KEY)
- msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
- if (options->management_flags & MF_EXTERNAL_CERT)
- msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
-#endif
- }
- else
+ if (options->management_flags & MF_EXTERNAL_KEY)
+ {
+ msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
+ }
+ if (options->management_flags & MF_EXTERNAL_CERT)
+ {
+ msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
+ }
#endif
- if (options->pkcs12_file)
+ }
+ else
+#endif /* ifdef ENABLE_CRYPTOAPI */
+ if (options->pkcs12_file)
{
#ifdef ENABLE_CRYPTO_MBEDTLS
- msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
+ msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
#else
- if (options->ca_path)
- msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
- if (options->cert_file)
- msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
- if (options->priv_key_file)
- msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
+ if (options->ca_path)
+ {
+ msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
+ }
+ if (options->cert_file)
+ {
+ msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");
+ }
+ if (options->priv_key_file)
+ {
+ msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
+ }
#ifdef MANAGMENT_EXTERNAL_KEY
- if (options->management_flags & MF_EXTERNAL_KEY)
- msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
- if (options->management_flags & MF_EXTERNAL_CERT)
- msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
-#endif
+ if (options->management_flags & MF_EXTERNAL_KEY)
+ {
+ msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
+ }
+ if (options->management_flags & MF_EXTERNAL_CERT)
+ {
+ msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
+ }
#endif
+#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
}
- else
+ else
{
#ifdef ENABLE_CRYPTO_MBEDTLS
- if (!(options->ca_file))
- msg(M_USAGE, "You must define CA file (--ca)");
- if (options->ca_path)
- msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
-#else
- if ((!(options->ca_file)) && (!(options->ca_path)))
- msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
+ if (!(options->ca_file))
+ {
+ msg(M_USAGE, "You must define CA file (--ca)");
+ }
+ if (options->ca_path)
+ {
+ msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
+ }
+#else /* ifdef ENABLE_CRYPTO_MBEDTLS */
+ if ((!(options->ca_file)) && (!(options->ca_path)))
+ {
+ msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
+ }
#endif
- if (pull)
- {
+ if (pull)
+ {
- const int sum =
+ const int sum =
#ifdef MANAGMENT_EXTERNAL_KEY
- ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT)) +
- ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
+ ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT))
+ +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
#else
- (options->cert_file != NULL) + (options->priv_key_file != NULL);
+ (options->cert_file != NULL) + (options->priv_key_file != NULL);
#endif
- if (sum == 0)
- {
+ if (sum == 0)
+ {
#if P2MP
- if (!options->auth_user_pass_file)
-#endif
- msg (M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
- }
- else if (sum == 2)
- ;
- else
- {
- msg (M_USAGE, "If you use one of --cert or --key, you must use them both");
- }
- }
- else
- {
+ if (!options->auth_user_pass_file)
+#endif
+ msg(M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
+ }
+ else if (sum == 2)
+ {
+ }
+ else
+ {
+ msg(M_USAGE, "If you use one of --cert or --key, you must use them both");
+ }
+ }
+ else
+ {
#ifdef MANAGMENT_EXTERNAL_KEY
- if (!(options->management_flags & MF_EXTERNAL_CERT))
+ if (!(options->management_flags & MF_EXTERNAL_CERT))
#endif
- notnull (options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
+ notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
#ifdef MANAGMENT_EXTERNAL_KEY
- if (!(options->management_flags & MF_EXTERNAL_KEY))
+ if (!(options->management_flags & MF_EXTERNAL_KEY))
#endif
- notnull (options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
- }
- }
- if (options->tls_auth_file && options->tls_crypt_file)
- {
- msg (M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
- }
+ notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
+ }
+ }
+ if (options->tls_auth_file && options->tls_crypt_file)
+ {
+ msg(M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
+ }
}
- else
+ else
{
- /*
- * Make sure user doesn't specify any TLS options
- * when in non-TLS mode.
- */
+ /*
+ * Make sure user doesn't specify any TLS options
+ * when in non-TLS mode.
+ */
-#define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) msg (M_USAGE, err, #parm);
+#define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
+}
- const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
+ const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
- MUST_BE_UNDEF (ca_file);
- MUST_BE_UNDEF (ca_path);
- MUST_BE_UNDEF (dh_file);
- MUST_BE_UNDEF (cert_file);
- MUST_BE_UNDEF (priv_key_file);
+ MUST_BE_UNDEF(ca_file);
+ MUST_BE_UNDEF(ca_path);
+ MUST_BE_UNDEF(dh_file);
+ MUST_BE_UNDEF(cert_file);
+ MUST_BE_UNDEF(priv_key_file);
#ifndef ENABLE_CRYPTO_MBEDTLS
- MUST_BE_UNDEF (pkcs12_file);
-#endif
- MUST_BE_UNDEF (cipher_list);
- MUST_BE_UNDEF (tls_verify);
- MUST_BE_UNDEF (tls_export_cert);
- MUST_BE_UNDEF (verify_x509_name);
- MUST_BE_UNDEF (tls_timeout);
- MUST_BE_UNDEF (renegotiate_bytes);
- MUST_BE_UNDEF (renegotiate_packets);
- MUST_BE_UNDEF (renegotiate_seconds);
- MUST_BE_UNDEF (handshake_window);
- MUST_BE_UNDEF (transition_window);
- MUST_BE_UNDEF (tls_auth_file);
- MUST_BE_UNDEF (tls_crypt_file);
- MUST_BE_UNDEF (single_session);
+ MUST_BE_UNDEF(pkcs12_file);
+#endif
+ MUST_BE_UNDEF(cipher_list);
+ MUST_BE_UNDEF(tls_verify);
+ MUST_BE_UNDEF(tls_export_cert);
+ MUST_BE_UNDEF(verify_x509_name);
+ MUST_BE_UNDEF(tls_timeout);
+ MUST_BE_UNDEF(renegotiate_bytes);
+ MUST_BE_UNDEF(renegotiate_packets);
+ MUST_BE_UNDEF(renegotiate_seconds);
+ MUST_BE_UNDEF(handshake_window);
+ MUST_BE_UNDEF(transition_window);
+ MUST_BE_UNDEF(tls_auth_file);
+ MUST_BE_UNDEF(tls_crypt_file);
+ MUST_BE_UNDEF(single_session);
#ifdef ENABLE_PUSH_PEER_INFO
- MUST_BE_UNDEF (push_peer_info);
-#endif
- MUST_BE_UNDEF (tls_exit);
- MUST_BE_UNDEF (crl_file);
- MUST_BE_UNDEF (key_method);
- MUST_BE_UNDEF (ns_cert_type);
- MUST_BE_UNDEF (remote_cert_ku[0]);
- MUST_BE_UNDEF (remote_cert_eku);
+ MUST_BE_UNDEF(push_peer_info);
+#endif
+ MUST_BE_UNDEF(tls_exit);
+ MUST_BE_UNDEF(crl_file);
+ MUST_BE_UNDEF(key_method);
+ MUST_BE_UNDEF(ns_cert_type);
+ MUST_BE_UNDEF(remote_cert_ku[0]);
+ MUST_BE_UNDEF(remote_cert_eku);
#ifdef ENABLE_PKCS11
- MUST_BE_UNDEF (pkcs11_providers[0]);
- MUST_BE_UNDEF (pkcs11_private_mode[0]);
- MUST_BE_UNDEF (pkcs11_id);
- MUST_BE_UNDEF (pkcs11_id_management);
+ MUST_BE_UNDEF(pkcs11_providers[0]);
+ MUST_BE_UNDEF(pkcs11_private_mode[0]);
+ MUST_BE_UNDEF(pkcs11_id);
+ MUST_BE_UNDEF(pkcs11_id_management);
#endif
- if (pull)
- msg (M_USAGE, err, "--pull");
+ if (pull)
+ {
+ msg(M_USAGE, err, "--pull");
+ }
}
#undef MUST_BE_UNDEF
#endif /* ENABLE_CRYPTO */
#if P2MP
- if (options->auth_user_pass_file && !options->pull)
- msg (M_USAGE, "--auth-user-pass requires --pull");
+ if (options->auth_user_pass_file && !options->pull)
+ {
+ msg(M_USAGE, "--auth-user-pass requires --pull");
+ }
#endif
- uninit_options (&defaults);
+ uninit_options(&defaults);
}
static void
-options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)
+options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
{
- const int dev = dev_type_enum (o->dev, o->dev_type);
+ const int dev = dev_type_enum(o->dev, o->dev_type);
#if P2MP_SERVER
- if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
+ if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
{
- if (ce->proto == PROTO_TCP)
- ce->proto = PROTO_TCP_SERVER;
+ if (ce->proto == PROTO_TCP)
+ {
+ ce->proto = PROTO_TCP_SERVER;
+ }
}
#endif
#if P2MP
- if (o->client)
+ if (o->client)
{
- if (ce->proto == PROTO_TCP)
- ce->proto = PROTO_TCP_CLIENT;
+ if (ce->proto == PROTO_TCP)
+ {
+ ce->proto = PROTO_TCP_CLIENT;
+ }
}
#endif
- if (ce->proto == PROTO_TCP_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
- ce->bind_local = false;
+ if (ce->proto == PROTO_TCP_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
+ {
+ ce->bind_local = false;
+ }
- if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
- ce->bind_local = false;
+ if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
+ {
+ ce->bind_local = false;
+ }
- if (!ce->bind_local)
- ce->local_port = NULL;
+ if (!ce->bind_local)
+ {
+ ce->local_port = NULL;
+ }
- /* if protocol forcing is enabled, disable all protocols except for the forced one */
- if (o->proto_force >= 0 && o->proto_force != ce->proto)
- ce->flags |= CE_DISABLED;
+ /* if protocol forcing is enabled, disable all protocols except for the forced one */
+ if (o->proto_force >= 0 && o->proto_force != ce->proto)
+ {
+ ce->flags |= CE_DISABLED;
+ }
- /*
- * If --mssfix is supplied without a parameter, default
- * it to --fragment value, if --fragment is specified.
- */
- if (o->ce.mssfix_default)
+ /*
+ * If --mssfix is supplied without a parameter, default
+ * it to --fragment value, if --fragment is specified.
+ */
+ if (o->ce.mssfix_default)
{
#ifdef ENABLE_FRAGMENT
- if (ce->fragment)
- ce->mssfix = ce->fragment;
+ if (ce->fragment)
+ {
+ ce->mssfix = ce->fragment;
+ }
#else
- msg (M_USAGE, "--mssfix must specify a parameter");
-#endif
- }
-
- /*
- * Set MTU defaults
- */
- {
- if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
- {
- ce->tun_mtu_defined = true;
- }
- if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
- {
- ce->tun_mtu_extra_defined = true;
- ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
- }
- }
+ msg(M_USAGE, "--mssfix must specify a parameter");
+#endif
+ }
+
+ /*
+ * Set MTU defaults
+ */
+ {
+ if (!ce->tun_mtu_defined && !ce->link_mtu_defined)
+ {
+ ce->tun_mtu_defined = true;
+ }
+ if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined)
+ {
+ ce->tun_mtu_extra_defined = true;
+ ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
+ }
+ }
}
#ifdef _WIN32
/* If iservice is in use, we need def1 method for redirect-gateway */
static void
-remap_redirect_gateway_flags (struct options *opt)
+remap_redirect_gateway_flags(struct options *opt)
{
- if (opt->routes
- && opt->route_method == ROUTE_METHOD_SERVICE
- && opt->routes->flags & RG_REROUTE_GW
- && !(opt->routes->flags & RG_DEF1))
+ if (opt->routes
+ && opt->route_method == ROUTE_METHOD_SERVICE
+ && opt->routes->flags & RG_REROUTE_GW
+ && !(opt->routes->flags & RG_DEF1))
{
- msg (M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
- opt->routes->flags |= RG_DEF1;
+ msg(M_INFO, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
+ opt->routes->flags |= RG_DEF1;
}
}
#endif
static void
-options_postprocess_mutate_invariant (struct options *options)
+options_postprocess_mutate_invariant(struct options *options)
{
#ifdef _WIN32
- const int dev = dev_type_enum (options->dev, options->dev_type);
+ const int dev = dev_type_enum(options->dev, options->dev_type);
#endif
- /*
- * In forking TCP server mode, you don't need to ifconfig
- * the tap device (the assumption is that it will be bridged).
- */
- if (options->inetd == INETD_NOWAIT)
- options->ifconfig_noexec = true;
+ /*
+ * In forking TCP server mode, you don't need to ifconfig
+ * the tap device (the assumption is that it will be bridged).
+ */
+ if (options->inetd == INETD_NOWAIT)
+ {
+ options->ifconfig_noexec = true;
+ }
#ifdef _WIN32
- if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
+ if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
{
- if (options->mode == MODE_POINT_TO_POINT)
- {
- options->route_delay_defined = true;
- options->route_delay = 5; /* Vista sometimes has a race without this */
- }
+ if (options->mode == MODE_POINT_TO_POINT)
+ {
+ options->route_delay_defined = true;
+ options->route_delay = 5; /* Vista sometimes has a race without this */
+ }
}
- if (options->ifconfig_noexec)
+ if (options->ifconfig_noexec)
{
- options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
- options->ifconfig_noexec = false;
+ options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
+ options->ifconfig_noexec = false;
}
- remap_redirect_gateway_flags (options);
+ remap_redirect_gateway_flags(options);
#endif
#if P2MP_SERVER
- /*
- * Check consistency of --mode server options.
- */
- if (options->mode == MODE_SERVER)
+ /*
+ * Check consistency of --mode server options.
+ */
+ if (options->mode == MODE_SERVER)
{
#ifdef _WIN32
- /*
- * We need to explicitly set --tap-sleep because
- * we do not schedule event timers in the top-level context.
- */
- options->tuntap_options.tap_sleep = 10;
- if (options->route_delay_defined && options->route_delay)
- options->tuntap_options.tap_sleep = options->route_delay;
- options->route_delay_defined = false;
+ /*
+ * We need to explicitly set --tap-sleep because
+ * we do not schedule event timers in the top-level context.
+ */
+ options->tuntap_options.tap_sleep = 10;
+ if (options->route_delay_defined && options->route_delay)
+ {
+ options->tuntap_options.tap_sleep = options->route_delay;
+ }
+ options->route_delay_defined = false;
#endif
}
#endif
#ifdef DEFAULT_PKCS11_MODULE
- /* If p11-kit is present on the system then load its p11-kit-proxy.so
- by default if the user asks for PKCS#11 without otherwise specifying
- the module to use. */
- if (!options->pkcs11_providers[0] &&
- (options->pkcs11_id || options->pkcs11_id_management))
- options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
+ /* If p11-kit is present on the system then load its p11-kit-proxy.so
+ * by default if the user asks for PKCS#11 without otherwise specifying
+ * the module to use. */
+ if (!options->pkcs11_providers[0]
+ && (options->pkcs11_id || options->pkcs11_id_management))
+ {
+ options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
+ }
#endif
}
static void
-options_postprocess_verify (const struct options *o)
+options_postprocess_verify(const struct options *o)
{
- if (o->connection_list)
+ if (o->connection_list)
+ {
+ int i;
+ for (i = 0; i < o->connection_list->len; ++i)
+ options_postprocess_verify_ce(o, o->connection_list->array[i]);
+ }
+ else
{
- int i;
- for (i = 0; i < o->connection_list->len; ++i)
- options_postprocess_verify_ce (o, o->connection_list->array[i]);
+ options_postprocess_verify_ce(o, &o->ce);
}
- else
- options_postprocess_verify_ce (o, &o->ce);
}
static void
-options_postprocess_mutate (struct options *o)
+options_postprocess_mutate(struct options *o)
{
- int i;
- /*
- * Process helper-type options which map to other, more complex
- * sequences of options.
- */
- helper_client_server (o);
- helper_keepalive (o);
- helper_tcp_nodelay (o);
+ int i;
+ /*
+ * Process helper-type options which map to other, more complex
+ * sequences of options.
+ */
+ helper_client_server(o);
+ helper_keepalive(o);
+ helper_tcp_nodelay(o);
- options_postprocess_mutate_invariant (o);
+ options_postprocess_mutate_invariant(o);
- if (o->remote_list && !o->connection_list)
+ if (o->remote_list && !o->connection_list)
{
- /*
- * Convert remotes into connection list
- */
- const struct remote_list *rl = o->remote_list;
- for (i = 0; i < rl->len; ++i)
+ /*
+ * Convert remotes into connection list
+ */
+ const struct remote_list *rl = o->remote_list;
+ for (i = 0; i < rl->len; ++i)
{
- const struct remote_entry *re = rl->array[i];
- struct connection_entry ce = o->ce;
- struct connection_entry *ace;
-
- ASSERT (re->remote);
- connection_entry_load_re (&ce, re);
- ace = alloc_connection_entry (o, M_USAGE);
- ASSERT (ace);
- *ace = ce;
+ const struct remote_entry *re = rl->array[i];
+ struct connection_entry ce = o->ce;
+ struct connection_entry *ace;
+
+ ASSERT(re->remote);
+ connection_entry_load_re(&ce, re);
+ ace = alloc_connection_entry(o, M_USAGE);
+ ASSERT(ace);
+ *ace = ce;
}
}
- else if(!o->remote_list && !o->connection_list)
+ else if (!o->remote_list && !o->connection_list)
{
- struct connection_entry *ace;
- ace = alloc_connection_entry (o, M_USAGE);
- ASSERT (ace);
- *ace = o->ce;
+ struct connection_entry *ace;
+ ace = alloc_connection_entry(o, M_USAGE);
+ ASSERT(ace);
+ *ace = o->ce;
}
- ASSERT (o->connection_list);
- for (i = 0; i < o->connection_list->len; ++i)
- options_postprocess_mutate_ce (o, o->connection_list->array[i]);
+ ASSERT(o->connection_list);
+ for (i = 0; i < o->connection_list->len; ++i)
+ options_postprocess_mutate_ce(o, o->connection_list->array[i]);
#ifdef ENABLE_CRYPTO
- if (o->tls_server)
+ if (o->tls_server)
{
- /* Check that DH file is specified, or explicitly disabled */
- notnull (o->dh_file, "DH file (--dh)");
- if (streq (o->dh_file, "none"))
- o->dh_file = NULL;
+ /* Check that DH file is specified, or explicitly disabled */
+ notnull(o->dh_file, "DH file (--dh)");
+ if (streq(o->dh_file, "none"))
+ {
+ o->dh_file = NULL;
+ }
}
- /* cipher negotiation (NCP) currently assumes --pull or --mode server */
- if ( o->ncp_enabled &&
- ! (o->pull || o->mode == MODE_SERVER) )
+ /* cipher negotiation (NCP) currently assumes --pull or --mode server */
+ if (o->ncp_enabled
+ && !(o->pull || o->mode == MODE_SERVER) )
{
- msg( M_WARN, "disabling NCP mode (--ncp-disable) because not "
- "in P2MP client or server mode" );
- o->ncp_enabled = false;
+ msg( M_WARN, "disabling NCP mode (--ncp-disable) because not "
+ "in P2MP client or server mode" );
+ o->ncp_enabled = false;
}
#endif
#if ENABLE_MANAGEMENT
- if (o->http_proxy_override)
- options_postprocess_http_proxy_override(o);
+ if (o->http_proxy_override)
+ {
+ options_postprocess_http_proxy_override(o);
+ }
#endif
#ifdef ENABLE_CRYPTOAPI
- if (o->cryptoapi_cert)
+ if (o->cryptoapi_cert)
{
- const int tls_version_max =
- (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &
- SSLF_TLS_VERSION_MAX_MASK;
+ const int tls_version_max =
+ (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
+ &SSLF_TLS_VERSION_MAX_MASK;
- if (tls_version_max == TLS_VER_UNSPEC || tls_version_max > TLS_VER_1_1)
- {
- msg(M_WARN, "Warning: cryptapicert used, setting maximum TLS "
- "version to 1.1.");
- o->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK <<
- SSLF_TLS_VERSION_MAX_SHIFT);
- o->ssl_flags |= (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT);
- }
+ if (tls_version_max == TLS_VER_UNSPEC || tls_version_max > TLS_VER_1_1)
+ {
+ msg(M_WARN, "Warning: cryptapicert used, setting maximum TLS "
+ "version to 1.1.");
+ o->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK
+ <<SSLF_TLS_VERSION_MAX_SHIFT);
+ o->ssl_flags |= (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT);
+ }
}
#endif /* ENABLE_CRYPTOAPI */
#if P2MP
- /*
- * Save certain parms before modifying options via --pull
- */
- pre_pull_save (o);
+ /*
+ * Save certain parms before modifying options via --pull
+ */
+ pre_pull_save(o);
#endif
}
@@ -2723,71 +3057,89 @@ options_postprocess_mutate (struct options *o)
#define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */
#define CHKACC_INLINE (1<<3) /** File is present if it's an inline file */
#define CHKACC_ACPTSTDIN (1<<4) /** If filename is stdin, it's allowed and "exists" */
-#define CHKACC_PRIVATE (1<<5) /** Warn if this (private) file is group/others accessible */
+#define CHKACC_PRIVATE (1<<5) /** Warn if this (private) file is group/others accessible */
static bool
check_file_access(const int type, const char *file, const int mode, const char *opt)
{
- int errcode = 0;
+ int errcode = 0;
- /* If no file configured, no errors to look for */
- if (!file)
- return false;
+ /* If no file configured, no errors to look for */
+ if (!file)
+ {
+ return false;
+ }
- /* If this may be an inline file, and the proper inline "filename" is set - no issues */
- if ((type & CHKACC_INLINE) && streq(file, INLINE_FILE_TAG) )
- return false;
+ /* If this may be an inline file, and the proper inline "filename" is set - no issues */
+ if ((type & CHKACC_INLINE) && streq(file, INLINE_FILE_TAG) )
+ {
+ return false;
+ }
- /* If stdin is allowed and the file name is 'stdin', then do no
- * further checks as stdin is always available
- */
- if( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
- return false;
+ /* If stdin is allowed and the file name is 'stdin', then do no
+ * further checks as stdin is always available
+ */
+ if ( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") )
+ {
+ return false;
+ }
- /* Is the directory path leading to the given file accessible? */
- if (type & CHKACC_DIRPATH)
+ /* Is the directory path leading to the given file accessible? */
+ if (type & CHKACC_DIRPATH)
{
- char *fullpath = string_alloc (file, NULL); /* POSIX dirname() implementaion may modify its arguments */
- char *dirpath = dirname(fullpath);
+ char *fullpath = string_alloc(file, NULL); /* POSIX dirname() implementaion may modify its arguments */
+ char *dirpath = dirname(fullpath);
- if (platform_access (dirpath, mode|X_OK) != 0)
- errcode = errno;
- free(fullpath);
+ if (platform_access(dirpath, mode|X_OK) != 0)
+ {
+ errcode = errno;
+ }
+ free(fullpath);
}
- /* Is the file itself accessible? */
- if (!errcode && (type & CHKACC_FILE) && (platform_access (file, mode) != 0) )
- errcode = errno;
+ /* Is the file itself accessible? */
+ if (!errcode && (type & CHKACC_FILE) && (platform_access(file, mode) != 0) )
+ {
+ errcode = errno;
+ }
- /* If the file exists and is accessible, is it writable? */
- if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access (file, F_OK) == 0) )
- if (platform_access (file, W_OK) != 0)
- errcode = errno;
+ /* If the file exists and is accessible, is it writable? */
+ if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access(file, F_OK) == 0) )
+ {
+ if (platform_access(file, W_OK) != 0)
+ {
+ errcode = errno;
+ }
+ }
- /* Warn if a given private file is group/others accessible. */
- if (type & CHKACC_PRIVATE)
+ /* Warn if a given private file is group/others accessible. */
+ if (type & CHKACC_PRIVATE)
{
- platform_stat_t st;
- if (platform_stat (file, &st))
- {
- msg (M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
- }
+ platform_stat_t st;
+ if (platform_stat(file, &st))
+ {
+ msg(M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
+ }
#ifndef _WIN32
- else
- {
- if (st.st_mode & (S_IRWXG|S_IRWXO))
- msg (M_WARN, "WARNING: file '%s' is group or others accessible", file);
- }
+ else
+ {
+ if (st.st_mode & (S_IRWXG|S_IRWXO))
+ {
+ msg(M_WARN, "WARNING: file '%s' is group or others accessible", file);
+ }
+ }
#endif
}
- /* Scream if an error is found */
- if( errcode > 0 )
- msg (M_NOPREFIX|M_OPTERR, "%s fails with '%s': %s",
- opt, file, strerror(errno));
+ /* Scream if an error is found */
+ if (errcode > 0)
+ {
+ msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': %s",
+ opt, file, strerror(errno));
+ }
- /* Return true if an error occured */
- return (errcode != 0 ? true : false);
+ /* Return true if an error occured */
+ return (errcode != 0 ? true : false);
}
/* A wrapper for check_file_access() which also takes a chroot directory.
@@ -2797,34 +3149,36 @@ check_file_access(const int type, const char *file, const int mode, const char *
static bool
check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
{
- bool ret = false;
+ bool ret = false;
- /* If no file configured, no errors to look for */
- if (!file)
- return false;
+ /* If no file configured, no errors to look for */
+ if (!file)
+ {
+ return false;
+ }
- /* If chroot is set, look for the file/directory inside the chroot */
- if( chroot )
+ /* If chroot is set, look for the file/directory inside the chroot */
+ if (chroot)
{
- struct gc_arena gc = gc_new();
- struct buffer chroot_file;
- int len = 0;
+ struct gc_arena gc = gc_new();
+ struct buffer chroot_file;
+ int len = 0;
- /* Build up a new full path including chroot directory */
- len = strlen(chroot) + strlen(PATH_SEPARATOR_STR) + strlen(file) + 1;
- chroot_file = alloc_buf_gc(len, &gc);
- buf_printf(&chroot_file, "%s%s%s", chroot, PATH_SEPARATOR_STR, file);
- ASSERT (chroot_file.len > 0);
+ /* Build up a new full path including chroot directory */
+ len = strlen(chroot) + strlen(PATH_SEPARATOR_STR) + strlen(file) + 1;
+ chroot_file = alloc_buf_gc(len, &gc);
+ buf_printf(&chroot_file, "%s%s%s", chroot, PATH_SEPARATOR_STR, file);
+ ASSERT(chroot_file.len > 0);
- ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
- gc_free(&gc);
+ ret = check_file_access(type, BSTR(&chroot_file), mode, opt);
+ gc_free(&gc);
}
- else
+ else
{
- /* No chroot in play, just call core file check function */
- ret = check_file_access(type, file, mode, opt);
+ /* No chroot in play, just call core file check function */
+ ret = check_file_access(type, file, mode, opt);
}
- return ret;
+ return ret;
}
@@ -2847,34 +3201,38 @@ check_file_access_chroot(const char *chroot, const int type, const char *file, c
static bool
check_cmd_access(const char *command, const char *opt, const char *chroot)
{
- struct argv argv;
- bool return_code;
-
- /* If no command was set, there are no errors to look for */
- if (! command)
- return false;
-
- /* Extract executable path and arguments */
- argv = argv_new ();
- argv_parse_cmd (&argv, command);
-
- /* if an executable is specified then check it; otherwise, complain */
- if (argv.argv[0])
- /* Scripts requires R_OK as well, but that might fail on binaries which
- * only requires X_OK to function on Unix - a scenario not unlikely to
- * be seen on suid binaries.
- */
- return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
- else
+ struct argv argv;
+ bool return_code;
+
+ /* If no command was set, there are no errors to look for */
+ if (!command)
+ {
+ return false;
+ }
+
+ /* Extract executable path and arguments */
+ argv = argv_new();
+ argv_parse_cmd(&argv, command);
+
+ /* if an executable is specified then check it; otherwise, complain */
+ if (argv.argv[0])
+ {
+ /* Scripts requires R_OK as well, but that might fail on binaries which
+ * only requires X_OK to function on Unix - a scenario not unlikely to
+ * be seen on suid binaries.
+ */
+ return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);
+ }
+ else
{
- msg (M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
- opt, command);
- return_code = true;
+ msg(M_NOPREFIX|M_OPTERR, "%s fails with '%s': No path to executable.",
+ opt, command);
+ return_code = true;
}
- argv_reset (&argv);
+ argv_reset(&argv);
- return return_code;
+ return return_code;
}
/*
@@ -2882,84 +3240,90 @@ check_cmd_access(const char *command, const char *opt, const char *chroot)
* is accessible by OpenVPN
*/
static void
-options_postprocess_filechecks (struct options *options)
+options_postprocess_filechecks(struct options *options)
{
- bool errs = false;
+ bool errs = false;
#ifdef ENABLE_CRYPTO
- /* ** SSL/TLS/crypto related files ** */
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");
- errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath");
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert");
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->extra_certs_file, R_OK,
- "--extra-certs");
+ /* ** SSL/TLS/crypto related files ** */
+ errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
+ errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");
+ errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath");
+ errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert");
+ errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->extra_certs_file, R_OK,
+ "--extra-certs");
#ifdef MANAGMENT_EXTERNAL_KEY
- if(!(options->management_flags & MF_EXTERNAL_KEY))
-#endif
- {
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
- options->priv_key_file, R_OK, "--key");
- }
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
- options->pkcs12_file, R_OK, "--pkcs12");
-
- if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
- errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK,
- "--crl-verify directory");
- else
- errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE|CHKACC_INLINE,
- options->crl_file, R_OK, "--crl-verify");
-
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
- options->tls_auth_file, R_OK, "--tls-auth");
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
- options->tls_crypt_file, R_OK, "--tls-crypt");
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
- options->shared_secret_file, R_OK, "--secret");
- errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR,
- options->packet_id_file, R_OK|W_OK, "--replay-persist");
-
- /* ** Password files ** */
- errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
- options->key_pass_file, R_OK, "--askpass");
+ if (!(options->management_flags & MF_EXTERNAL_KEY))
+#endif
+ {
+ errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
+ options->priv_key_file, R_OK, "--key");
+ }
+ errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
+ options->pkcs12_file, R_OK, "--pkcs12");
+
+ if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
+ {
+ errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK,
+ "--crl-verify directory");
+ }
+ else
+ {
+ errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE|CHKACC_INLINE,
+ options->crl_file, R_OK, "--crl-verify");
+ }
+
+ errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
+ options->tls_auth_file, R_OK, "--tls-auth");
+ errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
+ options->tls_crypt_file, R_OK, "--tls-crypt");
+ errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
+ options->shared_secret_file, R_OK, "--secret");
+ errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR,
+ options->packet_id_file, R_OK|W_OK, "--replay-persist");
+
+ /* ** Password files ** */
+ errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
+ options->key_pass_file, R_OK, "--askpass");
#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_MANAGEMENT
- errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
- options->management_user_pass, R_OK,
- "--management user/password file");
+ errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
+ options->management_user_pass, R_OK,
+ "--management user/password file");
#endif /* ENABLE_MANAGEMENT */
#if P2MP
- errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
- options->auth_user_pass_file, R_OK,
- "--auth-user-pass");
+ errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
+ options->auth_user_pass_file, R_OK,
+ "--auth-user-pass");
#endif /* P2MP */
- /* ** System related ** */
- errs |= check_file_access (CHKACC_FILE, options->chroot_dir,
- R_OK|X_OK, "--chroot directory");
- errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
- R_OK|W_OK, "--writepid");
+ /* ** System related ** */
+ errs |= check_file_access(CHKACC_FILE, options->chroot_dir,
+ R_OK|X_OK, "--chroot directory");
+ errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->writepid,
+ R_OK|W_OK, "--writepid");
- /* ** Log related ** */
- errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
- R_OK|W_OK, "--status");
+ /* ** Log related ** */
+ errs |= check_file_access(CHKACC_DIRPATH|CHKACC_FILEXSTWR, options->status_file,
+ R_OK|W_OK, "--status");
- /* ** Config related ** */
+ /* ** Config related ** */
#ifdef ENABLE_CRYPTO
- errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
- R_OK|W_OK|X_OK, "--tls-export-cert");
+ errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
+ R_OK|W_OK|X_OK, "--tls-export-cert");
#endif /* ENABLE_CRYPTO */
#if P2MP_SERVER
- errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->client_config_dir,
- R_OK|X_OK, "--client-config-dir");
- errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->tmp_dir,
- R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
+ errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir,
+ R_OK|X_OK, "--client-config-dir");
+ errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir,
+ R_OK|W_OK|X_OK, "Temporary directory (--tmp-dir)");
#endif /* P2MP_SERVER */
- if (errs)
- msg (M_USAGE, "Please correct these errors.");
+ if (errs)
+ {
+ msg(M_USAGE, "Please correct these errors.");
+ }
}
#endif /* !ENABLE_SMALL */
@@ -2969,12 +3333,12 @@ options_postprocess_filechecks (struct options *options)
* options.
*/
void
-options_postprocess (struct options *options)
+options_postprocess(struct options *options)
{
- options_postprocess_mutate (options);
- options_postprocess_verify (options);
+ options_postprocess_mutate(options);
+ options_postprocess_verify(options);
#ifndef ENABLE_SMALL
- options_postprocess_filechecks (options);
+ options_postprocess_filechecks(options);
#endif /* !ENABLE_SMALL */
}
@@ -2985,74 +3349,82 @@ options_postprocess (struct options *options)
*/
void
-pre_pull_save (struct options *o)
+pre_pull_save(struct options *o)
{
- if (o->pull)
- {
- ALLOC_OBJ_CLEAR_GC (o->pre_pull, struct options_pre_pull, &o->gc);
- o->pre_pull->tuntap_options = o->tuntap_options;
- o->pre_pull->tuntap_options_defined = true;
- o->pre_pull->foreign_option_index = o->foreign_option_index;
- if (o->routes)
- {
- o->pre_pull->routes = clone_route_option_list(o->routes, &o->gc);
- o->pre_pull->routes_defined = true;
- }
- if (o->routes_ipv6)
- {
- o->pre_pull->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
- o->pre_pull->routes_ipv6_defined = true;
- }
- if (o->client_nat)
- {
- o->pre_pull->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
- o->pre_pull->client_nat_defined = true;
- }
+ if (o->pull)
+ {
+ ALLOC_OBJ_CLEAR_GC(o->pre_pull, struct options_pre_pull, &o->gc);
+ o->pre_pull->tuntap_options = o->tuntap_options;
+ o->pre_pull->tuntap_options_defined = true;
+ o->pre_pull->foreign_option_index = o->foreign_option_index;
+ if (o->routes)
+ {
+ o->pre_pull->routes = clone_route_option_list(o->routes, &o->gc);
+ o->pre_pull->routes_defined = true;
+ }
+ if (o->routes_ipv6)
+ {
+ o->pre_pull->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
+ o->pre_pull->routes_ipv6_defined = true;
+ }
+ if (o->client_nat)
+ {
+ o->pre_pull->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
+ o->pre_pull->client_nat_defined = true;
+ }
}
}
void
-pre_pull_restore (struct options *o, struct gc_arena *gc)
+pre_pull_restore(struct options *o, struct gc_arena *gc)
{
- const struct options_pre_pull *pp = o->pre_pull;
- if (pp)
- {
- CLEAR (o->tuntap_options);
- if (pp->tuntap_options_defined)
- o->tuntap_options = pp->tuntap_options;
-
- if (pp->routes_defined)
- {
- rol_check_alloc (o);
- copy_route_option_list (o->routes, pp->routes, gc);
- }
- else
- o->routes = NULL;
-
- if (pp->routes_ipv6_defined)
- {
- rol6_check_alloc (o);
- copy_route_ipv6_option_list (o->routes_ipv6, pp->routes_ipv6, gc);
- }
- else
- o->routes_ipv6 = NULL;
-
- if (pp->client_nat_defined)
- {
- cnol_check_alloc (o);
- copy_client_nat_option_list (o->client_nat, pp->client_nat);
- }
- else
- o->client_nat = NULL;
-
- o->foreign_option_index = pp->foreign_option_index;
- }
-
- o->push_continuation = 0;
- o->push_option_types_found = 0;
+ const struct options_pre_pull *pp = o->pre_pull;
+ if (pp)
+ {
+ CLEAR(o->tuntap_options);
+ if (pp->tuntap_options_defined)
+ {
+ o->tuntap_options = pp->tuntap_options;
+ }
+
+ if (pp->routes_defined)
+ {
+ rol_check_alloc(o);
+ copy_route_option_list(o->routes, pp->routes, gc);
+ }
+ else
+ {
+ o->routes = NULL;
+ }
+
+ if (pp->routes_ipv6_defined)
+ {
+ rol6_check_alloc(o);
+ copy_route_ipv6_option_list(o->routes_ipv6, pp->routes_ipv6, gc);
+ }
+ else
+ {
+ o->routes_ipv6 = NULL;
+ }
+
+ if (pp->client_nat_defined)
+ {
+ cnol_check_alloc(o);
+ copy_client_nat_option_list(o->client_nat, pp->client_nat);
+ }
+ else
+ {
+ o->client_nat = NULL;
+ }
+
+ o->foreign_option_index = pp->foreign_option_index;
+ }
+
+ o->push_continuation = 0;
+ o->push_option_types_found = 0;
}
-#endif
+#endif /* if P2MP */
#ifdef ENABLE_OCC
@@ -3066,25 +3438,25 @@ pre_pull_restore (struct options *o, struct gc_arena *gc)
static size_t
calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
{
- size_t link_mtu = EXPANDED_SIZE (frame);
+ size_t link_mtu = EXPANDED_SIZE(frame);
#ifdef ENABLE_CRYPTO
- if (o->pull || o->mode == MODE_SERVER)
- {
- struct frame fake_frame = *frame;
- struct key_type fake_kt;
- init_key_type (&fake_kt, o->ciphername, o->authname, o->keysize, true,
- false);
- frame_add_to_extra_frame (&fake_frame, -(crypto_max_overhead()));
- crypto_adjust_frame_parameters (&fake_frame, &fake_kt, o->use_iv,
- o->replay, cipher_kt_mode_ofb_cfb (fake_kt.cipher));
- frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
- o->ce.tun_mtu_defined, o->ce.tun_mtu);
- msg (D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu,
- EXPANDED_SIZE (&fake_frame));
- link_mtu = EXPANDED_SIZE (&fake_frame);
- }
-#endif
- return link_mtu;
+ if (o->pull || o->mode == MODE_SERVER)
+ {
+ struct frame fake_frame = *frame;
+ struct key_type fake_kt;
+ init_key_type(&fake_kt, o->ciphername, o->authname, o->keysize, true,
+ false);
+ frame_add_to_extra_frame(&fake_frame, -(crypto_max_overhead()));
+ crypto_adjust_frame_parameters(&fake_frame, &fake_kt, o->use_iv,
+ o->replay, cipher_kt_mode_ofb_cfb(fake_kt.cipher));
+ frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
+ o->ce.tun_mtu_defined, o->ce.tun_mtu);
+ msg(D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu,
+ EXPANDED_SIZE(&fake_frame));
+ link_mtu = EXPANDED_SIZE(&fake_frame);
+ }
+#endif
+ return link_mtu;
}
/*
@@ -3132,74 +3504,84 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
* the other end of the connection]
*/
char *
-options_string (const struct options *o,
- const struct frame *frame,
- struct tuntap *tt,
- bool remote,
- struct gc_arena *gc)
+options_string(const struct options *o,
+ const struct frame *frame,
+ struct tuntap *tt,
+ bool remote,
+ struct gc_arena *gc)
{
- struct buffer out = alloc_buf (OPTION_LINE_SIZE);
- bool tt_local = false;
+ struct buffer out = alloc_buf(OPTION_LINE_SIZE);
+ bool tt_local = false;
- buf_printf (&out, "V4");
+ buf_printf(&out, "V4");
- /*
- * Tunnel Options
- */
-
- buf_printf (&out, ",dev-type %s", dev_type_string (o->dev, o->dev_type));
- buf_printf (&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame));
- buf_printf (&out, ",tun-mtu %d", PAYLOAD_SIZE (frame));
- buf_printf (&out, ",proto %s", proto_remote (o->ce.proto, remote));
+ /*
+ * Tunnel Options
+ */
- /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
- * is usually pushed by the server, triggering a non-helpful warning
- */
- if (o->ifconfig_ipv6_local && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
- buf_printf (&out, ",tun-ipv6");
+ buf_printf(&out, ",dev-type %s", dev_type_string(o->dev, o->dev_type));
+ buf_printf(&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame));
+ buf_printf(&out, ",tun-mtu %d", PAYLOAD_SIZE(frame));
+ buf_printf(&out, ",proto %s", proto_remote(o->ce.proto, remote));
- /*
- * Try to get ifconfig parameters into the options string.
- * If tt is undefined, make a temporary instantiation.
- */
- if (!tt)
+ /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
+ * is usually pushed by the server, triggering a non-helpful warning
+ */
+ if (o->ifconfig_ipv6_local && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
{
- tt = init_tun (o->dev,
- o->dev_type,
- o->topology,
- o->ifconfig_local,
- o->ifconfig_remote_netmask,
- o->ifconfig_ipv6_local,
- o->ifconfig_ipv6_netbits,
- o->ifconfig_ipv6_remote,
- NULL,
- NULL,
- false,
- NULL);
- if (tt)
- tt_local = true;
+ buf_printf(&out, ",tun-ipv6");
}
- if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
+ /*
+ * Try to get ifconfig parameters into the options string.
+ * If tt is undefined, make a temporary instantiation.
+ */
+ if (!tt)
+ {
+ tt = init_tun(o->dev,
+ o->dev_type,
+ o->topology,
+ o->ifconfig_local,
+ o->ifconfig_remote_netmask,
+ o->ifconfig_ipv6_local,
+ o->ifconfig_ipv6_netbits,
+ o->ifconfig_ipv6_remote,
+ NULL,
+ NULL,
+ false,
+ NULL);
+ if (tt)
+ {
+ tt_local = true;
+ }
+ }
+
+ if (tt && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
{
- const char *ios = ifconfig_options_string (tt, remote, o->ifconfig_nowarn, gc);
- if (ios && strlen (ios))
- buf_printf (&out, ",ifconfig %s", ios);
+ const char *ios = ifconfig_options_string(tt, remote, o->ifconfig_nowarn, gc);
+ if (ios && strlen(ios))
+ {
+ buf_printf(&out, ",ifconfig %s", ios);
+ }
}
- if (tt_local)
+ if (tt_local)
{
- free (tt);
- tt = NULL;
+ free(tt);
+ tt = NULL;
}
#ifdef USE_COMP
- if (o->comp.alg != COMP_ALG_UNDEF)
- buf_printf (&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
+ if (o->comp.alg != COMP_ALG_UNDEF)
+ {
+ buf_printf(&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
+ }
#endif
#ifdef ENABLE_FRAGMENT
- if (o->ce.fragment)
- buf_printf (&out, ",mtu-dynamic");
+ if (o->ce.fragment)
+ {
+ buf_printf(&out, ",mtu-dynamic");
+ }
#endif
#ifdef ENABLE_CRYPTO
@@ -3207,85 +3589,107 @@ options_string (const struct options *o,
#define TLS_CLIENT (o->tls_client)
#define TLS_SERVER (o->tls_server)
- /*
- * Key direction
- */
- {
- const char *kd = keydirection2ascii (o->key_direction, remote);
- if (kd)
- buf_printf (&out, ",keydir %s", kd);
- }
-
- /*
- * Crypto Options
- */
+ /*
+ * Key direction
+ */
+ {
+ const char *kd = keydirection2ascii(o->key_direction, remote);
+ if (kd)
+ {
+ buf_printf(&out, ",keydir %s", kd);
+ }
+ }
+
+ /*
+ * Crypto Options
+ */
if (o->shared_secret_file || TLS_CLIENT || TLS_SERVER)
- {
- struct key_type kt;
-
- ASSERT ((o->shared_secret_file != NULL)
- + (TLS_CLIENT == true)
- + (TLS_SERVER == true)
- <= 1);
-
- init_key_type (&kt, o->ciphername, o->authname, o->keysize, true,
- false);
-
- buf_printf (&out, ",cipher %s",
- translate_cipher_name_to_openvpn(cipher_kt_name (kt.cipher)));
- buf_printf (&out, ",auth %s", md_kt_name (kt.digest));
- buf_printf (&out, ",keysize %d", kt.cipher_length * 8);
- if (o->shared_secret_file)
- buf_printf (&out, ",secret");
- if (!o->replay)
- buf_printf (&out, ",no-replay");
- if (!o->use_iv)
- buf_printf (&out, ",no-iv");
+ {
+ struct key_type kt;
+
+ ASSERT((o->shared_secret_file != NULL)
+ + (TLS_CLIENT == true)
+ + (TLS_SERVER == true)
+ <= 1);
+
+ init_key_type(&kt, o->ciphername, o->authname, o->keysize, true,
+ false);
+
+ buf_printf(&out, ",cipher %s",
+ translate_cipher_name_to_openvpn(cipher_kt_name(kt.cipher)));
+ buf_printf(&out, ",auth %s", md_kt_name(kt.digest));
+ buf_printf(&out, ",keysize %d", kt.cipher_length * 8);
+ if (o->shared_secret_file)
+ {
+ buf_printf(&out, ",secret");
+ }
+ if (!o->replay)
+ {
+ buf_printf(&out, ",no-replay");
+ }
+ if (!o->use_iv)
+ {
+ buf_printf(&out, ",no-iv");
+ }
#ifdef ENABLE_PREDICTION_RESISTANCE
if (o->use_prediction_resistance)
- buf_printf (&out, ",use-prediction-resistance");
-#endif
- }
-
- /*
- * SSL Options
- */
- {
- if (TLS_CLIENT || TLS_SERVER)
- {
- if (o->tls_auth_file)
- buf_printf (&out, ",tls-auth");
- /* Not adding tls-crypt here, because we won't reach this code if
- * tls-auth/tls-crypt does not match. Removing tls-auth here would
- * break stuff, so leaving that in place. */
-
- if (o->key_method > 1)
- buf_printf (&out, ",key-method %d", o->key_method);
- }
-
- if (remote)
- {
- if (TLS_CLIENT)
- buf_printf (&out, ",tls-server");
- else if (TLS_SERVER)
- buf_printf (&out, ",tls-client");
- }
- else
- {
- if (TLS_CLIENT)
- buf_printf (&out, ",tls-client");
- else if (TLS_SERVER)
- buf_printf (&out, ",tls-server");
- }
- }
+ {
+ buf_printf(&out, ",use-prediction-resistance");
+ }
+#endif
+ }
+
+ /*
+ * SSL Options
+ */
+ {
+ if (TLS_CLIENT || TLS_SERVER)
+ {
+ if (o->tls_auth_file)
+ {
+ buf_printf(&out, ",tls-auth");
+ }
+ /* Not adding tls-crypt here, because we won't reach this code if
+ * tls-auth/tls-crypt does not match. Removing tls-auth here would
+ * break stuff, so leaving that in place. */
+
+ if (o->key_method > 1)
+ {
+ buf_printf(&out, ",key-method %d", o->key_method);
+ }
+ }
+
+ if (remote)
+ {
+ if (TLS_CLIENT)
+ {
+ buf_printf(&out, ",tls-server");
+ }
+ else if (TLS_SERVER)
+ {
+ buf_printf(&out, ",tls-client");
+ }
+ }
+ else
+ {
+ if (TLS_CLIENT)
+ {
+ buf_printf(&out, ",tls-client");
+ }
+ else if (TLS_SERVER)
+ {
+ buf_printf(&out, ",tls-server");
+ }
+ }
+ }
#undef TLS_CLIENT
#undef TLS_SERVER
#endif /* ENABLE_CRYPTO */
- return BSTR (&out);
+ return BSTR(&out);
}
/*
@@ -3296,234 +3700,244 @@ options_string (const struct options *o,
*/
bool
-options_cmp_equal (char *actual, const char *expected)
+options_cmp_equal(char *actual, const char *expected)
{
- return options_cmp_equal_safe (actual, expected, strlen (actual) + 1);
+ return options_cmp_equal_safe(actual, expected, strlen(actual) + 1);
}
void
-options_warning (char *actual, const char *expected)
+options_warning(char *actual, const char *expected)
{
- options_warning_safe (actual, expected, strlen (actual) + 1);
+ options_warning_safe(actual, expected, strlen(actual) + 1);
}
static const char *
-options_warning_extract_parm1 (const char *option_string,
- struct gc_arena *gc_ret)
+options_warning_extract_parm1(const char *option_string,
+ struct gc_arena *gc_ret)
{
- struct gc_arena gc = gc_new ();
- struct buffer b = string_alloc_buf (option_string, &gc);
- char *p = gc_malloc (OPTION_PARM_SIZE, false, &gc);
- const char *ret;
-
- buf_parse (&b, ' ', p, OPTION_PARM_SIZE);
- ret = string_alloc (p, gc_ret);
- gc_free (&gc);
- return ret;
+ struct gc_arena gc = gc_new();
+ struct buffer b = string_alloc_buf(option_string, &gc);
+ char *p = gc_malloc(OPTION_PARM_SIZE, false, &gc);
+ const char *ret;
+
+ buf_parse(&b, ' ', p, OPTION_PARM_SIZE);
+ ret = string_alloc(p, gc_ret);
+ gc_free(&gc);
+ return ret;
}
static void
-options_warning_safe_scan2 (const int msglevel,
- const int delim,
- const bool report_inconsistent,
- const char *p1,
- const struct buffer *b2_src,
- const char *b1_name,
- const char *b2_name)
+options_warning_safe_scan2(const int msglevel,
+ const int delim,
+ const bool report_inconsistent,
+ const char *p1,
+ const struct buffer *b2_src,
+ const char *b1_name,
+ const char *b2_name)
{
- /* we will stop sending 'proto xxx' in OCC in a future version
- * (because it's not useful), and to reduce questions when
- * interoperating, we start not-printing a warning about it today
- */
- if (strncmp(p1, "proto ", 6) == 0 )
- {
- return;
- }
-
- if (strlen (p1) > 0)
- {
- struct gc_arena gc = gc_new ();
- struct buffer b2 = *b2_src;
- const char *p1_prefix = options_warning_extract_parm1 (p1, &gc);
- char *p2 = gc_malloc (OPTION_PARM_SIZE, false, &gc);
-
- while (buf_parse (&b2, delim, p2, OPTION_PARM_SIZE))
- {
- if (strlen (p2))
- {
- const char *p2_prefix = options_warning_extract_parm1 (p2, &gc);
-
- if (!strcmp (p1, p2))
- goto done;
- if (!strcmp (p1_prefix, p2_prefix))
- {
- if (report_inconsistent)
- msg (msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
- safe_print (p1_prefix, &gc),
- b1_name,
- safe_print (p1, &gc),
- b2_name,
- safe_print (p2, &gc));
- goto done;
- }
- }
- }
-
- msg (msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
- safe_print (p1_prefix, &gc),
- b1_name,
- b2_name,
- b1_name,
- safe_print (p1, &gc));
-
- done:
- gc_free (&gc);
+ /* we will stop sending 'proto xxx' in OCC in a future version
+ * (because it's not useful), and to reduce questions when
+ * interoperating, we start not-printing a warning about it today
+ */
+ if (strncmp(p1, "proto ", 6) == 0)
+ {
+ return;
+ }
+
+ if (strlen(p1) > 0)
+ {
+ struct gc_arena gc = gc_new();
+ struct buffer b2 = *b2_src;
+ const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
+ char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
+
+ while (buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
+ {
+ if (strlen(p2))
+ {
+ const char *p2_prefix = options_warning_extract_parm1(p2, &gc);
+
+ if (!strcmp(p1, p2))
+ {
+ goto done;
+ }
+ if (!strcmp(p1_prefix, p2_prefix))
+ {
+ if (report_inconsistent)
+ {
+ msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
+ safe_print(p1_prefix, &gc),
+ b1_name,
+ safe_print(p1, &gc),
+ b2_name,
+ safe_print(p2, &gc));
+ }
+ goto done;
+ }
+ }
+ }
+
+ msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
+ safe_print(p1_prefix, &gc),
+ b1_name,
+ b2_name,
+ b1_name,
+ safe_print(p1, &gc));
+
+done:
+ gc_free(&gc);
}
}
static void
-options_warning_safe_scan1 (const int msglevel,
- const int delim,
- const bool report_inconsistent,
- const struct buffer *b1_src,
- const struct buffer *b2_src,
- const char *b1_name,
- const char *b2_name)
+options_warning_safe_scan1(const int msglevel,
+ const int delim,
+ const bool report_inconsistent,
+ const struct buffer *b1_src,
+ const struct buffer *b2_src,
+ const char *b1_name,
+ const char *b2_name)
{
- struct gc_arena gc = gc_new ();
- struct buffer b = *b1_src;
- char *p = gc_malloc (OPTION_PARM_SIZE, true, &gc);
+ struct gc_arena gc = gc_new();
+ struct buffer b = *b1_src;
+ char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
- while (buf_parse (&b, delim, p, OPTION_PARM_SIZE))
- options_warning_safe_scan2 (msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
+ while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
+ options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
- gc_free (&gc);
+ gc_free(&gc);
}
static void
-options_warning_safe_ml (const int msglevel, char *actual, const char *expected, size_t actual_n)
+options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
{
- struct gc_arena gc = gc_new ();
+ struct gc_arena gc = gc_new();
- if (actual_n > 0)
+ if (actual_n > 0)
{
- struct buffer local = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
- struct buffer remote = alloc_buf_gc (OPTION_PARM_SIZE + 16, &gc);
- actual[actual_n - 1] = 0;
+ struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
+ struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
+ actual[actual_n - 1] = 0;
- buf_printf (&local, "version %s", expected);
- buf_printf (&remote, "version %s", actual);
+ buf_printf(&local, "version %s", expected);
+ buf_printf(&remote, "version %s", actual);
- options_warning_safe_scan1 (msglevel, ',', true,
- &local, &remote,
- "local", "remote");
+ options_warning_safe_scan1(msglevel, ',', true,
+ &local, &remote,
+ "local", "remote");
- options_warning_safe_scan1 (msglevel, ',', false,
- &remote, &local,
- "remote", "local");
+ options_warning_safe_scan1(msglevel, ',', false,
+ &remote, &local,
+ "remote", "local");
}
- gc_free (&gc);
+ gc_free(&gc);
}
bool
-options_cmp_equal_safe (char *actual, const char *expected, size_t actual_n)
+options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
{
- struct gc_arena gc = gc_new ();
- bool ret = true;
+ struct gc_arena gc = gc_new();
+ bool ret = true;
- if (actual_n > 0)
+ if (actual_n > 0)
{
- actual[actual_n - 1] = 0;
+ actual[actual_n - 1] = 0;
#ifndef ENABLE_STRICT_OPTIONS_CHECK
- if (strncmp (actual, expected, 2))
- {
- msg (D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
- options_warning_safe_ml (D_SHOW_OCC, actual, expected, actual_n);
- }
- else
+ if (strncmp(actual, expected, 2))
+ {
+ msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
+ options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
+ }
+ else
#endif
- ret = !strcmp (actual, expected);
+ ret = !strcmp(actual, expected);
}
- gc_free (&gc);
- return ret;
+ gc_free(&gc);
+ return ret;
}
void
-options_warning_safe (char *actual, const char *expected, size_t actual_n)
+options_warning_safe(char *actual, const char *expected, size_t actual_n)
{
- options_warning_safe_ml (M_WARN, actual, expected, actual_n);
+ options_warning_safe_ml(M_WARN, actual, expected, actual_n);
}
const char *
-options_string_version (const char* s, struct gc_arena *gc)
+options_string_version(const char *s, struct gc_arena *gc)
{
- struct buffer out = alloc_buf_gc (4, gc);
- strncpynt ((char *) BPTR (&out), s, 3);
- return BSTR (&out);
+ struct buffer out = alloc_buf_gc(4, gc);
+ strncpynt((char *) BPTR(&out), s, 3);
+ return BSTR(&out);
}
#endif /* ENABLE_OCC */
char *
-options_string_extract_option (const char *options_string,const char *opt_name,
- struct gc_arena *gc)
+options_string_extract_option(const char *options_string,const char *opt_name,
+ struct gc_arena *gc)
{
- char *ret = NULL;
- const size_t opt_name_len = strlen(opt_name);
-
- const char *p = options_string;
- while (p)
- {
- if (0 == strncmp(p, opt_name, opt_name_len) &&
- strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
- {
- /* option found, extract value */
- const char *start = &p[opt_name_len+1];
- const char *end = strchr (p, ',');
- size_t val_len = end ? end - start : strlen (start);
- ret = gc_malloc (val_len+1, true, gc);
- memcpy (ret, start, val_len);
- break;
- }
- p = strchr (p, ',');
- if (p)
- {
- p++; /* skip delimiter */
- }
- }
- return ret;
+ char *ret = NULL;
+ const size_t opt_name_len = strlen(opt_name);
+
+ const char *p = options_string;
+ while (p)
+ {
+ if (0 == strncmp(p, opt_name, opt_name_len)
+ && strlen(p) > (opt_name_len+1) && p[opt_name_len] == ' ')
+ {
+ /* option found, extract value */
+ const char *start = &p[opt_name_len+1];
+ const char *end = strchr(p, ',');
+ size_t val_len = end ? end - start : strlen(start);
+ ret = gc_malloc(val_len+1, true, gc);
+ memcpy(ret, start, val_len);
+ break;
+ }
+ p = strchr(p, ',');
+ if (p)
+ {
+ p++; /* skip delimiter */
+ }
+ }
+ return ret;
}
static void
-foreign_option (struct options *o, char *argv[], int len, struct env_set *es)
+foreign_option(struct options *o, char *argv[], int len, struct env_set *es)
{
- if (len > 0)
- {
- struct gc_arena gc = gc_new();
- struct buffer name = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
- struct buffer value = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
- int i;
- bool first = true;
- bool good = true;
-
- good &= buf_printf (&name, "foreign_option_%d", o->foreign_option_index + 1);
- ++o->foreign_option_index;
- for (i = 0; i < len; ++i)
- {
- if (argv[i])
- {
- if (!first)
- good &= buf_printf (&value, " ");
- good &= buf_printf (&value, "%s", argv[i]);
- first = false;
- }
- }
- if (good)
- setenv_str (es, BSTR(&name), BSTR(&value));
- else
- msg (M_WARN, "foreign_option: name/value overflow");
- gc_free (&gc);
+ if (len > 0)
+ {
+ struct gc_arena gc = gc_new();
+ struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
+ struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
+ int i;
+ bool first = true;
+ bool good = true;
+
+ good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
+ ++o->foreign_option_index;
+ for (i = 0; i < len; ++i)
+ {
+ if (argv[i])
+ {
+ if (!first)
+ {
+ good &= buf_printf(&value, " ");
+ }
+ good &= buf_printf(&value, "%s", argv[i]);
+ first = false;
+ }
+ }
+ if (good)
+ {
+ setenv_str(es, BSTR(&name), BSTR(&value));
+ }
+ else
+ {
+ msg(M_WARN, "foreign_option: name/value overflow");
+ }
+ gc_free(&gc);
}
}
@@ -3532,36 +3946,46 @@ foreign_option (struct options *o, char *argv[], int len, struct env_set *es)
*/
int
-parse_topology (const char *str, const int msglevel)
+parse_topology(const char *str, const int msglevel)
{
- if (streq (str, "net30"))
- return TOP_NET30;
- else if (streq (str, "p2p"))
- return TOP_P2P;
- else if (streq (str, "subnet"))
- return TOP_SUBNET;
- else
+ if (streq(str, "net30"))
{
- msg (msglevel, "--topology must be net30, p2p, or subnet");
- return TOP_UNDEF;
+ return TOP_NET30;
+ }
+ else if (streq(str, "p2p"))
+ {
+ return TOP_P2P;
+ }
+ else if (streq(str, "subnet"))
+ {
+ return TOP_SUBNET;
+ }
+ else
+ {
+ msg(msglevel, "--topology must be net30, p2p, or subnet");
+ return TOP_UNDEF;
}
}
const char *
-print_topology (const int topology)
+print_topology(const int topology)
{
- switch (topology)
- {
- case TOP_UNDEF:
- return "undef";
- case TOP_NET30:
- return "net30";
- case TOP_P2P:
- return "p2p";
- case TOP_SUBNET:
- return "subnet";
- default:
- return "unknown";
+ switch (topology)
+ {
+ case TOP_UNDEF:
+ return "undef";
+
+ case TOP_NET30:
+ return "net30";
+
+ case TOP_P2P:
+ return "p2p";
+
+ case TOP_SUBNET:
+ return "subnet";
+
+ default:
+ return "unknown";
}
}
@@ -3574,103 +3998,113 @@ print_topology (const int topology)
static int global_auth_retry; /* GLOBAL */
int
-auth_retry_get (void)
+auth_retry_get(void)
{
- return global_auth_retry;
+ return global_auth_retry;
}
bool
-auth_retry_set (const int msglevel, const char *option)
+auth_retry_set(const int msglevel, const char *option)
{
- if (streq (option, "interact"))
- global_auth_retry = AR_INTERACT;
- else if (streq (option, "nointeract"))
- global_auth_retry = AR_NOINTERACT;
- else if (streq (option, "none"))
- global_auth_retry = AR_NONE;
- else
- {
- msg (msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
- return false;
- }
- return true;
+ if (streq(option, "interact"))
+ {
+ global_auth_retry = AR_INTERACT;
+ }
+ else if (streq(option, "nointeract"))
+ {
+ global_auth_retry = AR_NOINTERACT;
+ }
+ else if (streq(option, "none"))
+ {
+ global_auth_retry = AR_NONE;
+ }
+ else
+ {
+ msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
+ return false;
+ }
+ return true;
}
const char *
-auth_retry_print (void)
+auth_retry_print(void)
{
- switch (global_auth_retry)
+ switch (global_auth_retry)
{
- case AR_NONE:
- return "none";
- case AR_NOINTERACT:
- return "nointeract";
- case AR_INTERACT:
- return "interact";
- default:
- return "???";
+ case AR_NONE:
+ return "none";
+
+ case AR_NOINTERACT:
+ return "nointeract";
+
+ case AR_INTERACT:
+ return "interact";
+
+ default:
+ return "???";
}
}
-#endif
+#endif /* if P2MP */
/*
* Print the help message.
*/
static void
-usage (void)
+usage(void)
{
- FILE *fp = msg_fp(0);
+ FILE *fp = msg_fp(0);
#ifdef ENABLE_SMALL
- fprintf (fp, "Usage message not available\n");
+ fprintf(fp, "Usage message not available\n");
#else
- struct options o;
- init_options (&o, true);
+ struct options o;
+ init_options(&o, true);
#ifdef ENABLE_CRYPTO
- fprintf (fp, usage_message,
- title_string,
- o.ce.connect_retry_seconds,
- o.ce.connect_retry_seconds_max,
- o.ce.local_port, o.ce.remote_port,
- TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
- o.verbosity,
- o.authname, o.ciphername,
- o.replay_window, o.replay_time,
- o.tls_timeout, o.renegotiate_seconds,
- o.handshake_window, o.transition_window);
-#else
- fprintf (fp, usage_message,
- title_string,
- o.ce.connect_retry_seconds,
- o.ce.local_port, o.ce.remote_port,
- TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
- o.verbosity);
-#endif
- fflush(fp);
+ fprintf(fp, usage_message,
+ title_string,
+ o.ce.connect_retry_seconds,
+ o.ce.connect_retry_seconds_max,
+ o.ce.local_port, o.ce.remote_port,
+ TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
+ o.verbosity,
+ o.authname, o.ciphername,
+ o.replay_window, o.replay_time,
+ o.tls_timeout, o.renegotiate_seconds,
+ o.handshake_window, o.transition_window);
+#else /* ifdef ENABLE_CRYPTO */
+ fprintf(fp, usage_message,
+ title_string,
+ o.ce.connect_retry_seconds,
+ o.ce.local_port, o.ce.remote_port,
+ TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
+ o.verbosity);
+#endif
+ fflush(fp);
#endif /* ENABLE_SMALL */
-
- openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
+
+ openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
}
void
-usage_small (void)
+usage_small(void)
{
- msg (M_WARN|M_NOPREFIX, "Use --help for more information.");
- openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
+ msg(M_WARN|M_NOPREFIX, "Use --help for more information.");
+ openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
}
#ifdef _WIN32
-void show_windows_version(const unsigned int flags)
+void
+show_windows_version(const unsigned int flags)
{
- struct gc_arena gc = gc_new ();
- msg (flags, "Windows version %s", win32_version_string (&gc, true));
- gc_free (&gc);
+ struct gc_arena gc = gc_new();
+ msg(flags, "Windows version %s", win32_version_string(&gc, true));
+ gc_free(&gc);
}
#endif
@@ -3688,507 +4122,559 @@ show_library_versions(const unsigned int flags)
#define LZO_LIB_VER_STR "", ""
#endif
- msg (flags, "library versions: %s%s%s", SSL_LIB_VER_STR, LZO_LIB_VER_STR);
+ msg(flags, "library versions: %s%s%s", SSL_LIB_VER_STR, LZO_LIB_VER_STR);
#undef SSL_LIB_VER_STR
#undef LZO_LIB_VER_STR
}
static void
-usage_version (void)
+usage_version(void)
{
- msg (M_INFO|M_NOPREFIX, "%s", title_string);
- show_library_versions( M_INFO|M_NOPREFIX );
+ msg(M_INFO|M_NOPREFIX, "%s", title_string);
+ show_library_versions( M_INFO|M_NOPREFIX );
#ifdef _WIN32
- show_windows_version( M_INFO|M_NOPREFIX );
+ show_windows_version( M_INFO|M_NOPREFIX );
#endif
- msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
- msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <sales@openvpn.net>");
+ msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
+ msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>");
#ifndef ENABLE_SMALL
#ifdef CONFIGURE_DEFINES
- msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
+ msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
#endif
#ifdef CONFIGURE_SPECIAL_BUILD
- msg (M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
+ msg(M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
#endif
#endif
- openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
+ openvpn_exit(OPENVPN_EXIT_STATUS_USAGE); /* exit point */
}
void
-notnull (const char *arg, const char *description)
+notnull(const char *arg, const char *description)
{
- if (!arg)
- msg (M_USAGE, "You must define %s", description);
+ if (!arg)
+ {
+ msg(M_USAGE, "You must define %s", description);
+ }
}
bool
-string_defined_equal (const char *s1, const char *s2)
+string_defined_equal(const char *s1, const char *s2)
{
- if (s1 && s2)
- return !strcmp (s1, s2);
- else
- return false;
+ if (s1 && s2)
+ {
+ return !strcmp(s1, s2);
+ }
+ else
+ {
+ return false;
+ }
}
#if 0
static void
-ping_rec_err (int msglevel)
+ping_rec_err(int msglevel)
{
- msg (msglevel, "only one of --ping-exit or --ping-restart options may be specified");
+ msg(msglevel, "only one of --ping-exit or --ping-restart options may be specified");
}
#endif
static int
-positive_atoi (const char *str)
+positive_atoi(const char *str)
{
- const int i = atoi (str);
- return i < 0 ? 0 : i;
+ const int i = atoi(str);
+ return i < 0 ? 0 : i;
}
#ifdef _WIN32 /* This function is only used when compiling on Windows */
static unsigned int
-atou (const char *str)
+atou(const char *str)
{
- unsigned int val = 0;
- sscanf (str, "%u", &val);
- return val;
+ unsigned int val = 0;
+ sscanf(str, "%u", &val);
+ return val;
}
#endif
static inline bool
-space (unsigned char c)
+space(unsigned char c)
{
- return c == '\0' || isspace (c);
+ return c == '\0' || isspace(c);
}
int
-parse_line (const char *line,
- char *p[],
- const int n,
- const char *file,
- const int line_num,
- int msglevel,
- struct gc_arena *gc)
+parse_line(const char *line,
+ char *p[],
+ const int n,
+ const char *file,
+ const int line_num,
+ int msglevel,
+ struct gc_arena *gc)
{
- const int STATE_INITIAL = 0;
- const int STATE_READING_QUOTED_PARM = 1;
- const int STATE_READING_UNQUOTED_PARM = 2;
- const int STATE_DONE = 3;
- const int STATE_READING_SQUOTED_PARM = 4;
-
- const char *error_prefix = "";
-
- int ret = 0;
- const char *c = line;
- int state = STATE_INITIAL;
- bool backslash = false;
- char in, out;
-
- char parm[OPTION_PARM_SIZE];
- unsigned int parm_len = 0;
-
- msglevel &= ~M_OPTERR;
-
- if (msglevel & M_MSG_VIRT_OUT)
- error_prefix = "ERROR: ";
-
- do
- {
- in = *c;
- out = 0;
-
- if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
- {
- backslash = true;
- }
- else
- {
- if (state == STATE_INITIAL)
- {
- if (!space (in))
- {
- if (in == ';' || in == '#') /* comment */
- break;
- if (!backslash && in == '\"')
- state = STATE_READING_QUOTED_PARM;
- else if (!backslash && in == '\'')
- state = STATE_READING_SQUOTED_PARM;
- else
- {
- out = in;
- state = STATE_READING_UNQUOTED_PARM;
- }
- }
- }
- else if (state == STATE_READING_UNQUOTED_PARM)
- {
- if (!backslash && space (in))
- state = STATE_DONE;
- else
- out = in;
- }
- else if (state == STATE_READING_QUOTED_PARM)
- {
- if (!backslash && in == '\"')
- state = STATE_DONE;
- else
- out = in;
- }
- else if (state == STATE_READING_SQUOTED_PARM)
- {
- if (in == '\'')
- state = STATE_DONE;
- else
- out = in;
- }
- if (state == STATE_DONE)
- {
- /* ASSERT (parm_len > 0); */
- p[ret] = gc_malloc (parm_len + 1, true, gc);
- memcpy (p[ret], parm, parm_len);
- p[ret][parm_len] = '\0';
- state = STATE_INITIAL;
- parm_len = 0;
- ++ret;
- }
-
- if (backslash && out)
- {
- if (!(out == '\\' || out == '\"' || space (out)))
- {
+ const int STATE_INITIAL = 0;
+ const int STATE_READING_QUOTED_PARM = 1;
+ const int STATE_READING_UNQUOTED_PARM = 2;
+ const int STATE_DONE = 3;
+ const int STATE_READING_SQUOTED_PARM = 4;
+
+ const char *error_prefix = "";
+
+ int ret = 0;
+ const char *c = line;
+ int state = STATE_INITIAL;
+ bool backslash = false;
+ char in, out;
+
+ char parm[OPTION_PARM_SIZE];
+ unsigned int parm_len = 0;
+
+ msglevel &= ~M_OPTERR;
+
+ if (msglevel & M_MSG_VIRT_OUT)
+ {
+ error_prefix = "ERROR: ";
+ }
+
+ do
+ {
+ in = *c;
+ out = 0;
+
+ if (!backslash && in == '\\' && state != STATE_READING_SQUOTED_PARM)
+ {
+ backslash = true;
+ }
+ else
+ {
+ if (state == STATE_INITIAL)
+ {
+ if (!space(in))
+ {
+ if (in == ';' || in == '#') /* comment */
+ {
+ break;
+ }
+ if (!backslash && in == '\"')
+ {
+ state = STATE_READING_QUOTED_PARM;
+ }
+ else if (!backslash && in == '\'')
+ {
+ state = STATE_READING_SQUOTED_PARM;
+ }
+ else
+ {
+ out = in;
+ state = STATE_READING_UNQUOTED_PARM;
+ }
+ }
+ }
+ else if (state == STATE_READING_UNQUOTED_PARM)
+ {
+ if (!backslash && space(in))
+ {
+ state = STATE_DONE;
+ }
+ else
+ {
+ out = in;
+ }
+ }
+ else if (state == STATE_READING_QUOTED_PARM)
+ {
+ if (!backslash && in == '\"')
+ {
+ state = STATE_DONE;
+ }
+ else
+ {
+ out = in;
+ }
+ }
+ else if (state == STATE_READING_SQUOTED_PARM)
+ {
+ if (in == '\'')
+ {
+ state = STATE_DONE;
+ }
+ else
+ {
+ out = in;
+ }
+ }
+ if (state == STATE_DONE)
+ {
+ /* ASSERT (parm_len > 0); */
+ p[ret] = gc_malloc(parm_len + 1, true, gc);
+ memcpy(p[ret], parm, parm_len);
+ p[ret][parm_len] = '\0';
+ state = STATE_INITIAL;
+ parm_len = 0;
+ ++ret;
+ }
+
+ if (backslash && out)
+ {
+ if (!(out == '\\' || out == '\"' || space(out)))
+ {
#ifdef ENABLE_SMALL
- msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
+ msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix, file, line_num);
#else
- msg (msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
-#endif
- return 0;
- }
- }
- backslash = false;
- }
-
- /* store parameter character */
- if (out)
- {
- if (parm_len >= SIZE (parm))
- {
- parm[SIZE (parm) - 1] = 0;
- msg (msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
- error_prefix, file, line_num, (int) SIZE (parm), parm);
- return 0;
- }
- parm[parm_len++] = out;
- }
-
- /* avoid overflow if too many parms in one config file line */
- if (ret >= n)
- break;
+ msg(msglevel, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE "\\\\static.key\"", error_prefix, file, line_num);
+#endif
+ return 0;
+ }
+ }
+ backslash = false;
+ }
+
+ /* store parameter character */
+ if (out)
+ {
+ if (parm_len >= SIZE(parm))
+ {
+ parm[SIZE(parm) - 1] = 0;
+ msg(msglevel, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
+ error_prefix, file, line_num, (int) SIZE(parm), parm);
+ return 0;
+ }
+ parm[parm_len++] = out;
+ }
+
+ /* avoid overflow if too many parms in one config file line */
+ if (ret >= n)
+ {
+ break;
+ }
} while (*c++ != '\0');
- if (state == STATE_READING_QUOTED_PARM)
+ if (state == STATE_READING_QUOTED_PARM)
{
- msg (msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
- return 0;
+ msg(msglevel, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file, line_num);
+ return 0;
}
- if (state == STATE_READING_SQUOTED_PARM)
+ if (state == STATE_READING_SQUOTED_PARM)
{
- msg (msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
- return 0;
+ msg(msglevel, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix, file, line_num);
+ return 0;
}
- if (state != STATE_INITIAL)
+ if (state != STATE_INITIAL)
{
- msg (msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
- return 0;
+ msg(msglevel, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state, file, line_num);
+ return 0;
}
#if 0
- {
- int i;
- for (i = 0; i < ret; ++i)
- {
- msg (M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
- }
- }
+ {
+ int i;
+ for (i = 0; i < ret; ++i)
+ {
+ msg(M_INFO|M_NOPREFIX, "%s:%d ARG[%d] '%s'", file, line_num, i, p[i]);
+ }
+ }
#endif
return ret;
}
static void
-bypass_doubledash (char **p)
+bypass_doubledash(char **p)
{
- if (strlen (*p) >= 3 && !strncmp (*p, "--", 2))
- *p += 2;
+ if (strlen(*p) >= 3 && !strncmp(*p, "--", 2))
+ {
+ *p += 2;
+ }
}
struct in_src {
-# define IS_TYPE_FP 1
-# define IS_TYPE_BUF 2
- int type;
- union {
- FILE *fp;
- struct buffer *multiline;
- } u;
+#define IS_TYPE_FP 1
+#define IS_TYPE_BUF 2
+ int type;
+ union {
+ FILE *fp;
+ struct buffer *multiline;
+ } u;
};
static bool
-in_src_get (const struct in_src *is, char *line, const int size)
+in_src_get(const struct in_src *is, char *line, const int size)
{
- if (is->type == IS_TYPE_FP)
+ if (is->type == IS_TYPE_FP)
{
- return BOOL_CAST (fgets (line, size, is->u.fp));
+ return BOOL_CAST(fgets(line, size, is->u.fp));
}
- else if (is->type == IS_TYPE_BUF)
+ else if (is->type == IS_TYPE_BUF)
{
- bool status = buf_parse (is->u.multiline, '\n', line, size);
- if ((int) strlen (line) + 1 < size)
- strcat (line, "\n");
- return status;
+ bool status = buf_parse(is->u.multiline, '\n', line, size);
+ if ((int) strlen(line) + 1 < size)
+ {
+ strcat(line, "\n");
+ }
+ return status;
}
- else
+ else
{
- ASSERT (0);
- return false;
+ ASSERT(0);
+ return false;
}
}
static char *
-read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc)
+read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc)
{
- char line[OPTION_LINE_SIZE];
- struct buffer buf = alloc_buf (8*OPTION_LINE_SIZE);
- char *ret;
- bool endtagfound = false;
-
- while (in_src_get (is, line, sizeof (line)))
- {
- char *line_ptr = line;
- /* Remove leading spaces */
- while (isspace(*line_ptr)) line_ptr++;
- if (!strncmp (line_ptr, close_tag, strlen (close_tag)))
- {
- endtagfound = true;
- break;
- }
- if (!buf_safe (&buf, strlen(line)+1))
- {
- /* Increase buffer size */
- struct buffer buf2 = alloc_buf (buf.capacity * 2);
- ASSERT (buf_copy (&buf2, &buf));
- buf_clear (&buf);
- free_buf (&buf);
- buf = buf2;
- }
- buf_printf (&buf, "%s", line);
- }
- if (!endtagfound)
- msg (M_FATAL, "ERROR: Endtag %s missing", close_tag);
- ret = string_alloc (BSTR (&buf), gc);
- buf_clear (&buf);
- free_buf (&buf);
- secure_memzero (line, sizeof (line));
- return ret;
+ char line[OPTION_LINE_SIZE];
+ struct buffer buf = alloc_buf(8*OPTION_LINE_SIZE);
+ char *ret;
+ bool endtagfound = false;
+
+ while (in_src_get(is, line, sizeof(line)))
+ {
+ char *line_ptr = line;
+ /* Remove leading spaces */
+ while (isspace(*line_ptr)) line_ptr++;
+ if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
+ {
+ endtagfound = true;
+ break;
+ }
+ if (!buf_safe(&buf, strlen(line)+1))
+ {
+ /* Increase buffer size */
+ struct buffer buf2 = alloc_buf(buf.capacity * 2);
+ ASSERT(buf_copy(&buf2, &buf));
+ buf_clear(&buf);
+ free_buf(&buf);
+ buf = buf2;
+ }
+ buf_printf(&buf, "%s", line);
+ }
+ if (!endtagfound)
+ {
+ msg(M_FATAL, "ERROR: Endtag %s missing", close_tag);
+ }
+ ret = string_alloc(BSTR(&buf), gc);
+ buf_clear(&buf);
+ free_buf(&buf);
+ secure_memzero(line, sizeof(line));
+ return ret;
}
static bool
-check_inline_file (struct in_src *is, char *p[], struct gc_arena *gc)
+check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
{
- bool ret = false;
- if (p[0] && !p[1])
- {
- char *arg = p[0];
- if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
- {
- struct buffer close_tag;
- arg[strlen(arg)-1] = '\0';
- p[0] = string_alloc (arg+1, gc);
- p[1] = string_alloc (INLINE_FILE_TAG, gc);
- close_tag = alloc_buf (strlen(p[0]) + 4);
- buf_printf (&close_tag, "</%s>", p[0]);
- p[2] = read_inline_file (is, BSTR (&close_tag), gc);
- p[3] = NULL;
- free_buf (&close_tag);
- ret = true;
- }
- }
- return ret;
+ bool ret = false;
+ if (p[0] && !p[1])
+ {
+ char *arg = p[0];
+ if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
+ {
+ struct buffer close_tag;
+ arg[strlen(arg)-1] = '\0';
+ p[0] = string_alloc(arg+1, gc);
+ p[1] = string_alloc(INLINE_FILE_TAG, gc);
+ close_tag = alloc_buf(strlen(p[0]) + 4);
+ buf_printf(&close_tag, "</%s>", p[0]);
+ p[2] = read_inline_file(is, BSTR(&close_tag), gc);
+ p[3] = NULL;
+ free_buf(&close_tag);
+ ret = true;
+ }
+ }
+ return ret;
}
static bool
-check_inline_file_via_fp (FILE *fp, char *p[], struct gc_arena *gc)
+check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
{
- struct in_src is;
- is.type = IS_TYPE_FP;
- is.u.fp = fp;
- return check_inline_file (&is, p, gc);
+ struct in_src is;
+ is.type = IS_TYPE_FP;
+ is.u.fp = fp;
+ return check_inline_file(&is, p, gc);
}
static bool
-check_inline_file_via_buf (struct buffer *multiline, char *p[], struct gc_arena *gc)
+check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
{
- struct in_src is;
- is.type = IS_TYPE_BUF;
- is.u.multiline = multiline;
- return check_inline_file (&is, p, gc);
+ struct in_src is;
+ is.type = IS_TYPE_BUF;
+ is.u.multiline = multiline;
+ return check_inline_file(&is, p, gc);
}
static void
-add_option (struct options *options,
- char *p[],
- const char *file,
- int line,
- const int level,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es);
+add_option(struct options *options,
+ char *p[],
+ const char *file,
+ int line,
+ const int level,
+ const int msglevel,
+ const unsigned int permission_mask,
+ unsigned int *option_types_found,
+ struct env_set *es);
static void
-read_config_file (struct options *options,
- const char *file,
- int level,
- const char *top_file,
- const int top_line,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+read_config_file(struct options *options,
+ const char *file,
+ int level,
+ const char *top_file,
+ const int top_line,
+ const int msglevel,
+ const unsigned int permission_mask,
+ unsigned int *option_types_found,
+ struct env_set *es)
{
- const int max_recursive_levels = 10;
- FILE *fp;
- int line_num;
- char line[OPTION_LINE_SIZE+1];
- char *p[MAX_PARMS];
-
- ++level;
- if (level <= max_recursive_levels)
- {
- if (streq (file, "stdin"))
- fp = stdin;
- else
- fp = platform_fopen (file, "r");
- if (fp)
- {
- line_num = 0;
- while (fgets(line, sizeof (line), fp))
- {
- int offset = 0;
- CLEAR (p);
- ++line_num;
- if (strlen(line) == OPTION_LINE_SIZE)
- msg (msglevel, "In %s:%d: Maximum optione line length (%d) exceeded, line starts with %s",
- file, line_num, OPTION_LINE_SIZE, line);
-
- /* Ignore UTF-8 BOM at start of stream */
- if (line_num == 1 && strncmp (line, "\xEF\xBB\xBF", 3) == 0)
- offset = 3;
- if (parse_line (line + offset, p, SIZE (p), file, line_num, msglevel, &options->gc))
- {
- bypass_doubledash (&p[0]);
- check_inline_file_via_fp (fp, p, &options->gc);
- add_option (options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
- }
- }
- if (fp != stdin)
- fclose (fp);
- }
- else
- {
- msg (msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
- }
- }
- else
- {
- msg (msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
- }
- secure_memzero (line, sizeof (line));
- CLEAR (p);
+ const int max_recursive_levels = 10;
+ FILE *fp;
+ int line_num;
+ char line[OPTION_LINE_SIZE+1];
+ char *p[MAX_PARMS];
+
+ ++level;
+ if (level <= max_recursive_levels)
+ {
+ if (streq(file, "stdin"))
+ {
+ fp = stdin;
+ }
+ else
+ {
+ fp = platform_fopen(file, "r");
+ }
+ if (fp)
+ {
+ line_num = 0;
+ while (fgets(line, sizeof(line), fp))
+ {
+ int offset = 0;
+ CLEAR(p);
+ ++line_num;
+ if (strlen(line) == OPTION_LINE_SIZE)
+ {
+ msg(msglevel, "In %s:%d: Maximum optione line length (%d) exceeded, line starts with %s",
+ file, line_num, OPTION_LINE_SIZE, line);
+ }
+
+ /* Ignore UTF-8 BOM at start of stream */
+ if (line_num == 1 && strncmp(line, "\xEF\xBB\xBF", 3) == 0)
+ {
+ offset = 3;
+ }
+ if (parse_line(line + offset, p, SIZE(p), file, line_num, msglevel, &options->gc))
+ {
+ bypass_doubledash(&p[0]);
+ check_inline_file_via_fp(fp, p, &options->gc);
+ add_option(options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
+ }
+ }
+ if (fp != stdin)
+ {
+ fclose(fp);
+ }
+ }
+ else
+ {
+ msg(msglevel, "In %s:%d: Error opening configuration file: %s", top_file, top_line, file);
+ }
+ }
+ else
+ {
+ msg(msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
+ }
+ secure_memzero(line, sizeof(line));
+ CLEAR(p);
}
static void
-read_config_string (const char *prefix,
- struct options *options,
- const char *config,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+read_config_string(const char *prefix,
+ struct options *options,
+ const char *config,
+ const int msglevel,
+ const unsigned int permission_mask,
+ unsigned int *option_types_found,
+ struct env_set *es)
{
- char line[OPTION_LINE_SIZE];
- struct buffer multiline;
- int line_num = 0;
-
- buf_set_read (&multiline, (uint8_t*)config, strlen (config));
-
- while (buf_parse (&multiline, '\n', line, sizeof (line)))
- {
- char *p[MAX_PARMS];
- CLEAR (p);
- ++line_num;
- if (parse_line (line, p, SIZE (p), prefix, line_num, msglevel, &options->gc))
- {
- bypass_doubledash (&p[0]);
- check_inline_file_via_buf (&multiline, p, &options->gc);
- add_option (options, p, prefix, line_num, 0, msglevel, permission_mask, option_types_found, es);
- }
- CLEAR (p);
- }
- secure_memzero (line, sizeof (line));
+ char line[OPTION_LINE_SIZE];
+ struct buffer multiline;
+ int line_num = 0;
+
+ buf_set_read(&multiline, (uint8_t *)config, strlen(config));
+
+ while (buf_parse(&multiline, '\n', line, sizeof(line)))
+ {
+ char *p[MAX_PARMS];
+ CLEAR(p);
+ ++line_num;
+ if (parse_line(line, p, SIZE(p), prefix, line_num, msglevel, &options->gc))
+ {
+ bypass_doubledash(&p[0]);
+ check_inline_file_via_buf(&multiline, p, &options->gc);
+ add_option(options, p, prefix, line_num, 0, msglevel, permission_mask, option_types_found, es);
+ }
+ CLEAR(p);
+ }
+ secure_memzero(line, sizeof(line));
}
void
-parse_argv (struct options *options,
- const int argc,
- char *argv[],
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+parse_argv(struct options *options,
+ const int argc,
+ char *argv[],
+ const int msglevel,
+ const unsigned int permission_mask,
+ unsigned int *option_types_found,
+ struct env_set *es)
{
- int i, j;
-
- /* usage message */
- if (argc <= 1)
- usage ();
-
- /* config filename specified only? */
- if (argc == 2 && strncmp (argv[1], "--", 2))
- {
- char *p[MAX_PARMS];
- CLEAR (p);
- p[0] = "config";
- p[1] = argv[1];
- add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
- }
- else
- {
- /* parse command line */
- for (i = 1; i < argc; ++i)
- {
- char *p[MAX_PARMS];
- CLEAR (p);
- p[0] = argv[i];
- if (strncmp(p[0], "--", 2))
- {
- msg (msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
- }
- else
- p[0] += 2;
-
- for (j = 1; j < MAX_PARMS; ++j)
- {
- if (i + j < argc)
- {
- char *arg = argv[i + j];
- if (strncmp (arg, "--", 2))
- p[j] = arg;
- else
- break;
- }
- }
- add_option (options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
- i += j - 1;
- }
+ int i, j;
+
+ /* usage message */
+ if (argc <= 1)
+ {
+ usage();
+ }
+
+ /* config filename specified only? */
+ if (argc == 2 && strncmp(argv[1], "--", 2))
+ {
+ char *p[MAX_PARMS];
+ CLEAR(p);
+ p[0] = "config";
+ p[1] = argv[1];
+ add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
+ }
+ else
+ {
+ /* parse command line */
+ for (i = 1; i < argc; ++i)
+ {
+ char *p[MAX_PARMS];
+ CLEAR(p);
+ p[0] = argv[i];
+ if (strncmp(p[0], "--", 2))
+ {
+ msg(msglevel, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p[0]);
+ }
+ else
+ {
+ p[0] += 2;
+ }
+
+ for (j = 1; j < MAX_PARMS; ++j)
+ {
+ if (i + j < argc)
+ {
+ char *arg = argv[i + j];
+ if (strncmp(arg, "--", 2))
+ {
+ p[j] = arg;
+ }
+ else
+ {
+ break;
+ }
+ }
+ }
+ add_option(options, p, NULL, 0, 0, msglevel, permission_mask, option_types_found, es);
+ i += j - 1;
+ }
}
}
@@ -4201,141 +4687,151 @@ parse_argv (struct options *options,
* In that case the caller must end the push processing.
*/
static bool
-apply_pull_filter (const struct options *o, char *line)
+apply_pull_filter(const struct options *o, char *line)
{
- struct pull_filter *f;
+ struct pull_filter *f;
- if (!o->pull_filter_list) return true;
+ if (!o->pull_filter_list)
+ {
+ return true;
+ }
- for (f = o->pull_filter_list->head; f; f = f->next)
+ for (f = o->pull_filter_list->head; f; f = f->next)
{
- if (f->type == PUF_TYPE_ACCEPT && strncmp (line, f->pattern, f->size) == 0)
+ if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
{
- msg (D_LOW, "Pushed option accepted by filter: '%s'", line);
- return true;
+ msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
+ return true;
}
- else if (f->type == PUF_TYPE_IGNORE && strncmp (line, f->pattern, f->size) == 0)
+ else if (f->type == PUF_TYPE_IGNORE && strncmp(line, f->pattern, f->size) == 0)
{
- msg (D_PUSH, "Pushed option removed by filter: '%s'", line);
- *line = '\0';
- return true;
+ msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
+ *line = '\0';
+ return true;
}
- else if (f->type == PUF_TYPE_REJECT && strncmp (line, f->pattern, f->size) == 0)
+ else if (f->type == PUF_TYPE_REJECT && strncmp(line, f->pattern, f->size) == 0)
{
- msg (M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
- *line = '\0';
- throw_signal_soft (SIGUSR1, "Offending option received from server");
- return false;
+ msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
+ *line = '\0';
+ throw_signal_soft(SIGUSR1, "Offending option received from server");
+ return false;
}
}
- return true;
+ return true;
}
bool
-apply_push_options (struct options *options,
- struct buffer *buf,
- unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+apply_push_options(struct options *options,
+ struct buffer *buf,
+ unsigned int permission_mask,
+ unsigned int *option_types_found,
+ struct env_set *es)
{
- char line[OPTION_PARM_SIZE];
- int line_num = 0;
- const char *file = "[PUSH-OPTIONS]";
- const int msglevel = D_PUSH_ERRORS|M_OPTERR;
+ char line[OPTION_PARM_SIZE];
+ int line_num = 0;
+ const char *file = "[PUSH-OPTIONS]";
+ const int msglevel = D_PUSH_ERRORS|M_OPTERR;
- while (buf_parse (buf, ',', line, sizeof (line)))
+ while (buf_parse(buf, ',', line, sizeof(line)))
{
- char *p[MAX_PARMS];
- CLEAR (p);
- ++line_num;
- if (!apply_pull_filter(options, line))
+ char *p[MAX_PARMS];
+ CLEAR(p);
+ ++line_num;
+ if (!apply_pull_filter(options, line))
+ {
+ return false; /* Cause push/pull error and stop push processing */
+ }
+ if (parse_line(line, p, SIZE(p), file, line_num, msglevel, &options->gc))
{
- return false; /* Cause push/pull error and stop push processing */
+ add_option(options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
}
- if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
- {
- add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
- }
}
- return true;
+ return true;
}
void
-options_server_import (struct options *o,
- const char *filename,
- int msglevel,
- unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+options_server_import(struct options *o,
+ const char *filename,
+ int msglevel,
+ unsigned int permission_mask,
+ unsigned int *option_types_found,
+ struct env_set *es)
{
- msg (D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
- read_config_file (o,
- filename,
- 0,
- filename,
- 0,
- msglevel,
- permission_mask,
- option_types_found,
- es);
+ msg(D_PUSH, "OPTIONS IMPORT: reading client specific options from: %s", filename);
+ read_config_file(o,
+ filename,
+ 0,
+ filename,
+ 0,
+ msglevel,
+ permission_mask,
+ option_types_found,
+ es);
}
-void options_string_import (struct options *options,
- const char *config,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+void
+options_string_import(struct options *options,
+ const char *config,
+ const int msglevel,
+ const unsigned int permission_mask,
+ unsigned int *option_types_found,
+ struct env_set *es)
{
- read_config_string ("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
+ read_config_string("[CONFIG-STRING]", options, config, msglevel, permission_mask, option_types_found, es);
}
#if P2MP
-#define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, msglevel, options)) goto err; }
+#define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, msglevel, options)) {goto err;}}
static bool
-verify_permission (const char *name,
- const char* file,
- int line,
- const unsigned int type,
- const unsigned int allowed,
- unsigned int *found,
- const int msglevel,
- struct options* options)
+verify_permission(const char *name,
+ const char *file,
+ int line,
+ const unsigned int type,
+ const unsigned int allowed,
+ unsigned int *found,
+ const int msglevel,
+ struct options *options)
{
- if (!(type & allowed))
+ if (!(type & allowed))
{
- msg (msglevel, "option '%s' cannot be used in this context (%s)", name, file);
- return false;
+ msg(msglevel, "option '%s' cannot be used in this context (%s)", name, file);
+ return false;
}
- if (found)
- *found |= type;
+ if (found)
+ {
+ *found |= type;
+ }
#ifndef ENABLE_SMALL
- /* Check if this options is allowed in connection block,
- * but we are currently not in a connection block
- * Parsing a connection block uses a temporary options struct without
- * connection_list
- */
+ /* Check if this options is allowed in connection block,
+ * but we are currently not in a connection block
+ * Parsing a connection block uses a temporary options struct without
+ * connection_list
+ */
- if ((type & OPT_P_CONNECTION) && options->connection_list)
+ if ((type & OPT_P_CONNECTION) && options->connection_list)
{
- if (file)
- msg (M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
- else
- msg (M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
+ if (file)
+ {
+ msg(M_WARN, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name, file, line);
+ }
+ else
+ {
+ msg(M_WARN, "Option '%s' is ignored by previous <connection> blocks", name);
+ }
}
#endif
- return true;
+ return true;
}
-#else
+#else /* if P2MP */
#define VERIFY_PERMISSION(mask)
-#endif
+#endif /* if P2MP */
/*
* Check that an option doesn't have too
@@ -4345,3169 +4841,3373 @@ verify_permission (const char *name,
#define NM_QUOTE_HINT (1<<0)
static bool
-no_more_than_n_args (const int msglevel,
- char *p[],
- const int max,
- const unsigned int flags)
+no_more_than_n_args(const int msglevel,
+ char *p[],
+ const int max,
+ const unsigned int flags)
{
- const int len = string_array_len ((const char **)p);
+ const int len = string_array_len((const char **)p);
- if (!len)
- return false;
+ if (!len)
+ {
+ return false;
+ }
- if (len > max)
+ if (len > max)
{
- msg (msglevel, "the --%s directive should have at most %d parameter%s.%s",
- p[0],
- max - 1,
- max >= 3 ? "s" : "",
- (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
- return false;
+ msg(msglevel, "the --%s directive should have at most %d parameter%s.%s",
+ p[0],
+ max - 1,
+ max >= 3 ? "s" : "",
+ (flags & NM_QUOTE_HINT) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
+ return false;
+ }
+ else
+ {
+ return true;
}
- else
- return true;
}
static inline int
-msglevel_forward_compatible (struct options *options, const int msglevel)
+msglevel_forward_compatible(struct options *options, const int msglevel)
{
- return options->forward_compatible ? M_WARN : msglevel;
+ return options->forward_compatible ? M_WARN : msglevel;
}
static void
-set_user_script (struct options *options,
- const char **script,
- const char *new_script,
- const char *type,
- bool in_chroot)
+set_user_script(struct options *options,
+ const char **script,
+ const char *new_script,
+ const char *type,
+ bool in_chroot)
{
- if (*script) {
- msg (M_WARN, "Multiple --%s scripts defined. "
- "The previously configured script is overridden.", type);
- }
- *script = new_script;
- options->user_script_used = true;
+ if (*script)
+ {
+ msg(M_WARN, "Multiple --%s scripts defined. "
+ "The previously configured script is overridden.", type);
+ }
+ *script = new_script;
+ options->user_script_used = true;
#ifndef ENABLE_SMALL
- {
- char script_name[100];
- openvpn_snprintf (script_name, sizeof(script_name),
- "--%s script", type);
+ {
+ char script_name[100];
+ openvpn_snprintf(script_name, sizeof(script_name),
+ "--%s script", type);
- if (check_cmd_access (*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
- msg (M_USAGE, "Please correct this error.");
+ if (check_cmd_access(*script, script_name, (in_chroot ? options->chroot_dir : NULL)))
+ {
+ msg(M_USAGE, "Please correct this error.");
+ }
- }
+ }
#endif
}
static void
-add_option (struct options *options,
- char *p[],
- const char *file,
- int line,
- const int level,
- const int msglevel,
- const unsigned int permission_mask,
- unsigned int *option_types_found,
- struct env_set *es)
+add_option(struct options *options,
+ char *p[],
+ const char *file,
+ int line,
+ const int level,
+ const int msglevel,
+ const unsigned int permission_mask,
+ unsigned int *option_types_found,
+ struct env_set *es)
{
- struct gc_arena gc = gc_new ();
- const bool pull_mode = BOOL_CAST (permission_mask & OPT_P_PULL_MODE);
- int msglevel_fc = msglevel_forward_compatible (options, msglevel);
+ struct gc_arena gc = gc_new();
+ const bool pull_mode = BOOL_CAST(permission_mask & OPT_P_PULL_MODE);
+ int msglevel_fc = msglevel_forward_compatible(options, msglevel);
- ASSERT (MAX_PARMS >= 7);
+ ASSERT(MAX_PARMS >= 7);
- /*
- * If directive begins with "setenv opt" prefix, don't raise an error if
- * directive is unrecognized.
- */
- if (streq (p[0], "setenv") && p[1] && streq (p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
+ /*
+ * If directive begins with "setenv opt" prefix, don't raise an error if
+ * directive is unrecognized.
+ */
+ if (streq(p[0], "setenv") && p[1] && streq(p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
{
- if (!p[2])
- p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
- p += 2;
- msglevel_fc = M_WARN;
+ if (!p[2])
+ {
+ p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
+ }
+ p += 2;
+ msglevel_fc = M_WARN;
}
- if (!file)
+ if (!file)
{
- file = "[CMD-LINE]";
- line = 1;
+ file = "[CMD-LINE]";
+ line = 1;
}
- if (streq (p[0], "help"))
+ if (streq(p[0], "help"))
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- usage ();
- if (p[1])
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ usage();
+ if (p[1])
{
- msg (msglevel, "--help does not accept any parameters");
- goto err;
+ msg(msglevel, "--help does not accept any parameters");
+ goto err;
}
}
- if (streq (p[0], "version") && !p[1])
+ if (streq(p[0], "version") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- usage_version ();
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ usage_version();
}
- else if (streq (p[0], "config") && p[1] && !p[2])
+ else if (streq(p[0], "config") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_CONFIG);
+ VERIFY_PERMISSION(OPT_P_CONFIG);
- /* save first config file only in options */
- if (!options->config)
- options->config = p[1];
+ /* save first config file only in options */
+ if (!options->config)
+ {
+ options->config = p[1];
+ }
- read_config_file (options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
+ read_config_file(options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
}
#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
- else if (streq (p[0], "show-gateway") && !p[2])
+ else if (streq(p[0], "show-gateway") && !p[2])
{
- struct route_gateway_info rgi;
- struct route_ipv6_gateway_info rgi6;
- struct in6_addr remote = IN6ADDR_ANY_INIT;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (p[1])
- get_ipv6_addr (p[1], &remote, NULL, M_WARN);
- get_default_gateway(&rgi);
- get_default_gateway_ipv6(&rgi6, &remote);
- print_default_gateway(M_INFO, &rgi, &rgi6);
- openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+ struct route_gateway_info rgi;
+ struct route_ipv6_gateway_info rgi6;
+ struct in6_addr remote = IN6ADDR_ANY_INIT;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (p[1])
+ {
+ get_ipv6_addr(p[1], &remote, NULL, M_WARN);
+ }
+ get_default_gateway(&rgi);
+ get_default_gateway_ipv6(&rgi6, &remote);
+ print_default_gateway(M_INFO, &rgi, &rgi6);
+ openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
#endif
#if 0
- else if (streq (p[0], "foreign-option") && p[1])
+ else if (streq(p[0], "foreign-option") && p[1])
{
- VERIFY_PERMISSION (OPT_P_IPWIN32);
- foreign_option (options, p, 3, es);
+ VERIFY_PERMISSION(OPT_P_IPWIN32);
+ foreign_option(options, p, 3, es);
}
#endif
- else if (streq (p[0], "echo") || streq (p[0], "parameter"))
+ else if (streq(p[0], "echo") || streq(p[0], "parameter"))
{
- struct buffer string = alloc_buf_gc (OPTION_PARM_SIZE, &gc);
- int j;
- bool good = true;
+ struct buffer string = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
+ int j;
+ bool good = true;
- VERIFY_PERMISSION (OPT_P_ECHO);
+ VERIFY_PERMISSION(OPT_P_ECHO);
- for (j = 1; j < MAX_PARMS; ++j)
- {
- if (!p[j])
- break;
- if (j > 1)
- good &= buf_printf (&string, " ");
- good &= buf_printf (&string, "%s", p[j]);
- }
- if (good)
- {
+ for (j = 1; j < MAX_PARMS; ++j)
+ {
+ if (!p[j])
+ {
+ break;
+ }
+ if (j > 1)
+ {
+ good &= buf_printf(&string, " ");
+ }
+ good &= buf_printf(&string, "%s", p[j]);
+ }
+ if (good)
+ {
#if 0
- /* removed for now since ECHO can potentially include
- security-sensitive strings */
- msg (M_INFO, "%s:%s",
- pull_mode ? "ECHO-PULL" : "ECHO",
- BSTR (&string));
+ /* removed for now since ECHO can potentially include
+ * security-sensitive strings */
+ msg(M_INFO, "%s:%s",
+ pull_mode ? "ECHO-PULL" : "ECHO",
+ BSTR(&string));
#endif
#ifdef ENABLE_MANAGEMENT
- if (management)
- management_echo (management, BSTR (&string), pull_mode);
+ if (management)
+ {
+ management_echo(management, BSTR(&string), pull_mode);
+ }
#endif
- }
- else
- msg (M_WARN, "echo/parameter option overflow");
+ }
+ else
+ {
+ msg(M_WARN, "echo/parameter option overflow");
+ }
}
#ifdef ENABLE_MANAGEMENT
- else if (streq (p[0], "management") && p[1] && p[2] && !p[4])
+ else if (streq(p[0], "management") && p[1] && p[2] && !p[4])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[2], "unix"))
- {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[2], "unix"))
+ {
#if UNIX_SOCK_SUPPORT
- options->management_flags |= MF_UNIX_SOCK;
+ options->management_flags |= MF_UNIX_SOCK;
#else
- msg (msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
- goto err;
+ msg(msglevel, "MANAGEMENT: this platform does not support unix domain sockets");
+ goto err;
#endif
- }
+ }
- options->management_addr = p[1];
- options->management_port = p[2];
- if (p[3])
- {
- options->management_user_pass = p[3];
- }
+ options->management_addr = p[1];
+ options->management_port = p[2];
+ if (p[3])
+ {
+ options->management_user_pass = p[3];
+ }
}
- else if (streq (p[0], "management-client-user") && p[1] && !p[2])
+ else if (streq(p[0], "management-client-user") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_client_user = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_client_user = p[1];
}
- else if (streq (p[0], "management-client-group") && p[1] && !p[2])
+ else if (streq(p[0], "management-client-group") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_client_group = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_client_group = p[1];
}
- else if (streq (p[0], "management-query-passwords") && !p[1])
+ else if (streq(p[0], "management-query-passwords") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_QUERY_PASSWORDS;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= MF_QUERY_PASSWORDS;
}
- else if (streq (p[0], "management-query-remote") && !p[1])
+ else if (streq(p[0], "management-query-remote") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_QUERY_REMOTE;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= MF_QUERY_REMOTE;
}
- else if (streq (p[0], "management-query-proxy") && !p[1])
+ else if (streq(p[0], "management-query-proxy") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_QUERY_PROXY;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= MF_QUERY_PROXY;
}
- else if (streq (p[0], "management-hold") && !p[1])
+ else if (streq(p[0], "management-hold") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_HOLD;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= MF_HOLD;
}
- else if (streq (p[0], "management-signal") && !p[1])
+ else if (streq(p[0], "management-signal") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_SIGNAL;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= MF_SIGNAL;
}
- else if (streq (p[0], "management-forget-disconnect") && !p[1])
+ else if (streq(p[0], "management-forget-disconnect") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_FORGET_DISCONNECT;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= MF_FORGET_DISCONNECT;
}
- else if (streq (p[0], "management-up-down") && !p[1])
+ else if (streq(p[0], "management-up-down") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_UP_DOWN;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= MF_UP_DOWN;
}
- else if (streq (p[0], "management-client") && !p[2])
+ else if (streq(p[0], "management-client") && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_CONNECT_AS_CLIENT;
- options->management_write_peer_info_file = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= MF_CONNECT_AS_CLIENT;
+ options->management_write_peer_info_file = p[1];
}
#ifdef MANAGMENT_EXTERNAL_KEY
- else if (streq (p[0], "management-external-key") && !p[1])
+ else if (streq(p[0], "management-external-key") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_EXTERNAL_KEY;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= MF_EXTERNAL_KEY;
}
- else if (streq (p[0], "management-external-cert") && p[1] && !p[2])
+ else if (streq(p[0], "management-external-cert") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_EXTERNAL_CERT;
- options->management_certificate = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= MF_EXTERNAL_CERT;
+ options->management_certificate = p[1];
}
#endif
#ifdef MANAGEMENT_DEF_AUTH
- else if (streq (p[0], "management-client-auth") && !p[1])
+ else if (streq(p[0], "management-client-auth") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_CLIENT_AUTH;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= MF_CLIENT_AUTH;
}
#endif
#ifdef MANAGEMENT_PF
- else if (streq (p[0], "management-client-pf") && !p[1])
+ else if (streq(p[0], "management-client-pf") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
}
#endif
- else if (streq (p[0], "management-log-cache") && p[1] && !p[2])
+ else if (streq(p[0], "management-log-cache") && p[1] && !p[2])
{
- int cache;
+ int cache;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- cache = atoi (p[1]);
- if (cache < 1)
- {
- msg (msglevel, "--management-log-cache parameter is out of range");
- goto err;
- }
- options->management_log_history_cache = cache;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ cache = atoi(p[1]);
+ if (cache < 1)
+ {
+ msg(msglevel, "--management-log-cache parameter is out of range");
+ goto err;
+ }
+ options->management_log_history_cache = cache;
}
-#endif
+#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef ENABLE_PLUGIN
- else if (streq (p[0], "plugin") && p[1] && !p[3])
+ else if (streq(p[0], "plugin") && p[1] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_PLUGIN);
- if (!options->plugin_list)
- options->plugin_list = plugin_option_list_new (&options->gc);
- if (!plugin_option_list_add (options->plugin_list, &p[1], &options->gc))
- {
- msg (msglevel, "plugin add failed: %s", p[1]);
- goto err;
- }
+ VERIFY_PERMISSION(OPT_P_PLUGIN);
+ if (!options->plugin_list)
+ {
+ options->plugin_list = plugin_option_list_new(&options->gc);
+ }
+ if (!plugin_option_list_add(options->plugin_list, &p[1], &options->gc))
+ {
+ msg(msglevel, "plugin add failed: %s", p[1]);
+ goto err;
+ }
}
#endif
- else if (streq (p[0], "mode") && p[1] && !p[2])
+ else if (streq(p[0], "mode") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], "p2p"))
- options->mode = MODE_POINT_TO_POINT;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[1], "p2p"))
+ {
+ options->mode = MODE_POINT_TO_POINT;
+ }
#if P2MP_SERVER
- else if (streq (p[1], "server"))
- options->mode = MODE_SERVER;
+ else if (streq(p[1], "server"))
+ {
+ options->mode = MODE_SERVER;
+ }
#endif
- else
- {
- msg (msglevel, "Bad --mode parameter: %s", p[1]);
- goto err;
- }
+ else
+ {
+ msg(msglevel, "Bad --mode parameter: %s", p[1]);
+ goto err;
+ }
}
- else if (streq (p[0], "dev") && p[1] && !p[2])
+ else if (streq(p[0], "dev") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->dev = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->dev = p[1];
}
- else if (streq (p[0], "dev-type") && p[1] && !p[2])
+ else if (streq(p[0], "dev-type") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->dev_type = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->dev_type = p[1];
}
- else if (streq (p[0], "dev-node") && p[1] && !p[2])
+ else if (streq(p[0], "dev-node") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->dev_node = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->dev_node = p[1];
}
- else if (streq (p[0], "lladdr") && p[1] && !p[2])
+ else if (streq(p[0], "lladdr") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_UP);
- if (mac_addr_safe (p[1])) /* MAC address only */
- options->lladdr = p[1];
- else
- {
- msg (msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
- goto err;
- }
+ VERIFY_PERMISSION(OPT_P_UP);
+ if (mac_addr_safe(p[1])) /* MAC address only */
+ {
+ options->lladdr = p[1];
+ }
+ else
+ {
+ msg(msglevel, "lladdr parm '%s' must be a MAC address", p[1]);
+ goto err;
+ }
}
- else if (streq (p[0], "topology") && p[1] && !p[2])
+ else if (streq(p[0], "topology") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_UP);
- options->topology = parse_topology (p[1], msglevel);
+ VERIFY_PERMISSION(OPT_P_UP);
+ options->topology = parse_topology(p[1], msglevel);
}
- else if (streq (p[0], "tun-ipv6") && !p[1])
+ else if (streq(p[0], "tun-ipv6") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_UP);
- msg (M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
+ VERIFY_PERMISSION(OPT_P_UP);
+ msg(M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
}
#ifdef ENABLE_IPROUTE
- else if (streq (p[0], "iproute") && p[1] && !p[2])
+ else if (streq(p[0], "iproute") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- iproute_path = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ iproute_path = p[1];
}
#endif
- else if (streq (p[0], "ifconfig") && p[1] && p[2] && !p[3])
+ else if (streq(p[0], "ifconfig") && p[1] && p[2] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_UP);
- if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
- {
- options->ifconfig_local = p[1];
- options->ifconfig_remote_netmask = p[2];
- }
- else
- {
- msg (msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
- goto err;
- }
+ VERIFY_PERMISSION(OPT_P_UP);
+ if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe(p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
+ {
+ options->ifconfig_local = p[1];
+ options->ifconfig_remote_netmask = p[2];
+ }
+ else
+ {
+ msg(msglevel, "ifconfig parms '%s' and '%s' must be valid addresses", p[1], p[2]);
+ goto err;
+ }
}
- else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
+ else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
{
- unsigned int netbits;
+ unsigned int netbits;
- VERIFY_PERMISSION (OPT_P_UP);
- if ( get_ipv6_addr( p[1], NULL, &netbits, msglevel ) &&
- ipv6_addr_safe( p[2] ) )
+ VERIFY_PERMISSION(OPT_P_UP);
+ if (get_ipv6_addr( p[1], NULL, &netbits, msglevel )
+ && ipv6_addr_safe( p[2] ) )
{
- if ( netbits < 64 || netbits > 124 )
- {
- msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
- goto err;
- }
+ if (netbits < 64 || netbits > 124)
+ {
+ msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
+ goto err;
+ }
- options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits (p[1], &options->gc);
- options->ifconfig_ipv6_netbits = netbits;
- options->ifconfig_ipv6_remote = p[2];
+ options->ifconfig_ipv6_local = get_ipv6_addr_no_netbits(p[1], &options->gc);
+ options->ifconfig_ipv6_netbits = netbits;
+ options->ifconfig_ipv6_remote = p[2];
+ }
+ else
+ {
+ msg(msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
+ goto err;
}
- else
- {
- msg (msglevel, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p[1], p[2]);
- goto err;
- }
}
- else if (streq (p[0], "ifconfig-noexec") && !p[1])
+ else if (streq(p[0], "ifconfig-noexec") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_UP);
- options->ifconfig_noexec = true;
+ VERIFY_PERMISSION(OPT_P_UP);
+ options->ifconfig_noexec = true;
}
- else if (streq (p[0], "ifconfig-nowarn") && !p[1])
+ else if (streq(p[0], "ifconfig-nowarn") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_UP);
- options->ifconfig_nowarn = true;
+ VERIFY_PERMISSION(OPT_P_UP);
+ options->ifconfig_nowarn = true;
}
- else if (streq (p[0], "local") && p[1] && !p[2])
+ else if (streq(p[0], "local") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->ce.local = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ options->ce.local = p[1];
}
- else if (streq (p[0], "remote-random") && !p[1])
+ else if (streq(p[0], "remote-random") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->remote_random = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->remote_random = true;
}
- else if (streq (p[0], "connection") && p[1] && !p[3])
+ else if (streq(p[0], "connection") && p[1] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- struct options sub;
- struct connection_entry *e;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ struct options sub;
+ struct connection_entry *e;
- init_options (&sub, true);
- sub.ce = options->ce;
- read_config_string ("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es);
- if (!sub.ce.remote)
- {
- msg (msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
- goto err;
- }
+ init_options(&sub, true);
+ sub.ce = options->ce;
+ read_config_string("[CONNECTION-OPTIONS]", &sub, p[2], msglevel, OPT_P_CONNECTION, option_types_found, es);
+ if (!sub.ce.remote)
+ {
+ msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
+ goto err;
+ }
- e = alloc_connection_entry (options, msglevel);
- if (!e)
- goto err;
- *e = sub.ce;
- gc_transfer (&options->gc, &sub.gc);
- uninit_options (&sub);
- }
+ e = alloc_connection_entry(options, msglevel);
+ if (!e)
+ {
+ goto err;
+ }
+ *e = sub.ce;
+ gc_transfer(&options->gc, &sub.gc);
+ uninit_options(&sub);
+ }
}
- else if (streq (p[0], "ignore-unknown-option") && p[1])
+ else if (streq(p[0], "ignore-unknown-option") && p[1])
{
- int i;
- int j;
- int numignored=0;
- const char **ignore;
+ int i;
+ int j;
+ int numignored = 0;
+ const char **ignore;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- /* Find out how many options to be ignored */
- for (i=1;p[i];i++)
- numignored++;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ /* Find out how many options to be ignored */
+ for (i = 1; p[i]; i++)
+ numignored++;
- /* add number of options already ignored */
- for (i=0;options->ignore_unknown_option &&
- options->ignore_unknown_option[i]; i++)
- numignored++;
+ /* add number of options already ignored */
+ for (i = 0; options->ignore_unknown_option
+ && options->ignore_unknown_option[i]; i++)
+ numignored++;
- /* Allocate array */
- ALLOC_ARRAY_GC (ignore, const char*, numignored+1, &options->gc);
- for (i=0;options->ignore_unknown_option &&
- options->ignore_unknown_option[i]; i++)
- ignore[i]=options->ignore_unknown_option[i];
+ /* Allocate array */
+ ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
+ for (i = 0; options->ignore_unknown_option
+ && options->ignore_unknown_option[i]; i++)
+ ignore[i] = options->ignore_unknown_option[i];
- options->ignore_unknown_option=ignore;
+ options->ignore_unknown_option = ignore;
- for (j=1;p[j];j++)
+ for (j = 1; p[j]; j++)
{
- /* Allow the user to specify ignore-unknown-option --opt too */
- if (p[j][0]=='-' && p[j][1]=='-')
- options->ignore_unknown_option[i] = (p[j]+2);
- else
- options->ignore_unknown_option[i] = p[j];
- i++;
+ /* Allow the user to specify ignore-unknown-option --opt too */
+ if (p[j][0]=='-' && p[j][1]=='-')
+ {
+ options->ignore_unknown_option[i] = (p[j]+2);
+ }
+ else
+ {
+ options->ignore_unknown_option[i] = p[j];
+ }
+ i++;
}
- options->ignore_unknown_option[i] = NULL;
+ options->ignore_unknown_option[i] = NULL;
}
#if ENABLE_MANAGEMENT
- else if (streq (p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
- if (!options->http_proxy_override)
- goto err;
- }
-#endif
- else if (streq (p[0], "remote") && p[1] && !p[4])
- {
- struct remote_entry re;
- re.remote = re.remote_port= NULL;
- re.proto = -1;
- re.af=0;
-
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- re.remote = p[1];
- if (p[2])
- {
- re.remote_port = p[2];
- if (p[3])
- {
- const int proto = ascii2proto (p[3]);
- const sa_family_t af = ascii2af (p[3]);
- if (proto < 0)
- {
- msg (msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
- goto err;
- }
- re.proto = proto;
- re.af = af;
- }
- }
- if (permission_mask & OPT_P_GENERAL)
- {
- struct remote_entry *e = alloc_remote_entry (options, msglevel);
- if (!e)
- goto err;
- *e = re;
- }
- else if (permission_mask & OPT_P_CONNECTION)
- {
- connection_entry_load_re (&options->ce, &re);
- }
- }
- else if (streq (p[0], "resolv-retry") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], "infinite"))
- options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
- else
- options->resolve_retry_seconds = positive_atoi (p[1]);
- }
- else if ((streq (p[0], "preresolve") || streq (p[0], "ip-remote-hint")) && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->resolve_in_advance = true;
- /* Note the ip-remote-hint and the argument p[1] are for
- backward compatibility */
- if (p[1])
- options->ip_remote_hint=p[1];
- }
- else if (streq (p[0], "connect-retry") && p[1] && !p[3])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->ce.connect_retry_seconds = positive_atoi (p[1]);
- /*
- * Limit the base value of retry wait interval to 16 bits to avoid
- * overflow when scaled up for exponential backoff
- */
- if (options->ce.connect_retry_seconds > 0xFFFF)
- {
- options->ce.connect_retry_seconds = 0xFFFF;
- msg (M_WARN, "connect retry wait interval truncated to %d",
- options->ce.connect_retry_seconds);
- }
-
- if (p[2])
- options->ce.connect_retry_seconds_max =
- max_int (positive_atoi (p[2]), options->ce.connect_retry_seconds);
- }
- else if ((streq (p[0], "connect-timeout") || streq (p[0], "server-poll-timeout"))
- && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->ce.connect_timeout = positive_atoi (p[1]);
- }
- else if (streq (p[0], "connect-retry-max") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->connect_retry_max = positive_atoi (p[1]);
- }
- else if (streq (p[0], "ipchange") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_SCRIPT);
- if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
- goto err;
- set_user_script (options,
- &options->ipchange,
- string_substitute (p[1], ',', ' ', &options->gc),
- "ipchange", true);
- }
- else if (streq (p[0], "float") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->ce.remote_float = true;
+ else if (streq(p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
+ if (!options->http_proxy_override)
+ {
+ goto err;
+ }
+ }
+#endif
+ else if (streq(p[0], "remote") && p[1] && !p[4])
+ {
+ struct remote_entry re;
+ re.remote = re.remote_port = NULL;
+ re.proto = -1;
+ re.af = 0;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ re.remote = p[1];
+ if (p[2])
+ {
+ re.remote_port = p[2];
+ if (p[3])
+ {
+ const int proto = ascii2proto(p[3]);
+ const sa_family_t af = ascii2af(p[3]);
+ if (proto < 0)
+ {
+ msg(msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
+ goto err;
+ }
+ re.proto = proto;
+ re.af = af;
+ }
+ }
+ if (permission_mask & OPT_P_GENERAL)
+ {
+ struct remote_entry *e = alloc_remote_entry(options, msglevel);
+ if (!e)
+ {
+ goto err;
+ }
+ *e = re;
+ }
+ else if (permission_mask & OPT_P_CONNECTION)
+ {
+ connection_entry_load_re(&options->ce, &re);
+ }
+ }
+ else if (streq(p[0], "resolv-retry") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[1], "infinite"))
+ {
+ options->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
+ }
+ else
+ {
+ options->resolve_retry_seconds = positive_atoi(p[1]);
+ }
+ }
+ else if ((streq(p[0], "preresolve") || streq(p[0], "ip-remote-hint")) && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->resolve_in_advance = true;
+ /* Note the ip-remote-hint and the argument p[1] are for
+ * backward compatibility */
+ if (p[1])
+ {
+ options->ip_remote_hint = p[1];
+ }
+ }
+ else if (streq(p[0], "connect-retry") && p[1] && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ options->ce.connect_retry_seconds = positive_atoi(p[1]);
+ /*
+ * Limit the base value of retry wait interval to 16 bits to avoid
+ * overflow when scaled up for exponential backoff
+ */
+ if (options->ce.connect_retry_seconds > 0xFFFF)
+ {
+ options->ce.connect_retry_seconds = 0xFFFF;
+ msg(M_WARN, "connect retry wait interval truncated to %d",
+ options->ce.connect_retry_seconds);
+ }
+
+ if (p[2])
+ {
+ options->ce.connect_retry_seconds_max =
+ max_int(positive_atoi(p[2]), options->ce.connect_retry_seconds);
+ }
+ }
+ else if ((streq(p[0], "connect-timeout") || streq(p[0], "server-poll-timeout"))
+ && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ options->ce.connect_timeout = positive_atoi(p[1]);
+ }
+ else if (streq(p[0], "connect-retry-max") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ options->connect_retry_max = positive_atoi(p[1]);
+ }
+ else if (streq(p[0], "ipchange") && p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_SCRIPT);
+ if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
+ {
+ goto err;
+ }
+ set_user_script(options,
+ &options->ipchange,
+ string_substitute(p[1], ',', ' ', &options->gc),
+ "ipchange", true);
+ }
+ else if (streq(p[0], "float") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ options->ce.remote_float = true;
}
#ifdef ENABLE_DEBUG
- else if (streq (p[0], "gremlin") && p[1] && !p[2])
+ else if (streq(p[0], "gremlin") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->gremlin = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->gremlin = positive_atoi(p[1]);
}
#endif
- else if (streq (p[0], "chroot") && p[1] && !p[2])
+ else if (streq(p[0], "chroot") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->chroot_dir = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->chroot_dir = p[1];
}
- else if (streq (p[0], "cd") && p[1] && !p[2])
+ else if (streq(p[0], "cd") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (platform_chdir (p[1]))
- {
- msg (M_ERR, "cd to '%s' failed", p[1]);
- goto err;
- }
- options->cd_dir = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (platform_chdir(p[1]))
+ {
+ msg(M_ERR, "cd to '%s' failed", p[1]);
+ goto err;
+ }
+ options->cd_dir = p[1];
}
#ifdef ENABLE_SELINUX
- else if (streq (p[0], "setcon") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->selinux_context = p[1];
- }
-#endif
- else if (streq (p[0], "writepid") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->writepid = p[1];
- }
- else if (streq (p[0], "up") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_SCRIPT);
- if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
- goto err;
- set_user_script (options, &options->up_script, p[1], "up", false);
- }
- else if (streq (p[0], "down") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_SCRIPT);
- if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
- goto err;
- set_user_script (options, &options->down_script, p[1], "down", true);
- }
- else if (streq (p[0], "down-pre") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->down_pre = true;
- }
- else if (streq (p[0], "up-delay") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->up_delay = true;
- }
- else if (streq (p[0], "up-restart") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->up_restart = true;
- }
- else if (streq (p[0], "syslog") && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- open_syslog (p[1], false);
- }
- else if (streq (p[0], "daemon") && !p[2])
- {
- bool didit = false;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (!options->daemon)
- {
- options->daemon = didit = true;
- open_syslog (p[1], false);
- }
- if (p[1])
- {
- if (!didit)
- {
- msg (M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
- goto err;
- }
- }
- }
- else if (streq (p[0], "inetd") && !p[3])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (!options->inetd)
- {
- int z;
- const char *name = NULL;
- const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
-
- options->inetd = -1;
-
- for (z = 1; z <= 2; ++z)
- {
- if (p[z])
- {
- if (streq (p[z], "wait"))
- {
- if (options->inetd != -1)
- {
- msg (msglevel, "%s", opterr);
- goto err;
- }
- else
- options->inetd = INETD_WAIT;
- }
- else if (streq (p[z], "nowait"))
- {
- if (options->inetd != -1)
- {
- msg (msglevel, "%s", opterr);
- goto err;
- }
- else
- options->inetd = INETD_NOWAIT;
- }
- else
- {
- if (name != NULL)
- {
- msg (msglevel, "%s", opterr);
- goto err;
- }
- name = p[z];
- }
- }
- }
-
- /* default */
- if (options->inetd == -1)
- options->inetd = INETD_WAIT;
-
- save_inetd_socket_descriptor ();
- open_syslog (name, true);
- }
- }
- else if (streq (p[0], "log") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->log = true;
- redirect_stdout_stderr (p[1], false);
- }
- else if (streq (p[0], "suppress-timestamps") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->suppress_timestamps = true;
- set_suppress_timestamps(true);
- }
- else if (streq (p[0], "machine-readable-output") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->machine_readable_output = true;
- set_machine_readable_output(true);
- }
- else if (streq (p[0], "log-append") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->log = true;
- redirect_stdout_stderr (p[1], true);
+ else if (streq(p[0], "setcon") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->selinux_context = p[1];
+ }
+#endif
+ else if (streq(p[0], "writepid") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->writepid = p[1];
+ }
+ else if (streq(p[0], "up") && p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_SCRIPT);
+ if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
+ {
+ goto err;
+ }
+ set_user_script(options, &options->up_script, p[1], "up", false);
+ }
+ else if (streq(p[0], "down") && p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_SCRIPT);
+ if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
+ {
+ goto err;
+ }
+ set_user_script(options, &options->down_script, p[1], "down", true);
+ }
+ else if (streq(p[0], "down-pre") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->down_pre = true;
+ }
+ else if (streq(p[0], "up-delay") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->up_delay = true;
+ }
+ else if (streq(p[0], "up-restart") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->up_restart = true;
+ }
+ else if (streq(p[0], "syslog") && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ open_syslog(p[1], false);
+ }
+ else if (streq(p[0], "daemon") && !p[2])
+ {
+ bool didit = false;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (!options->daemon)
+ {
+ options->daemon = didit = true;
+ open_syslog(p[1], false);
+ }
+ if (p[1])
+ {
+ if (!didit)
+ {
+ msg(M_WARN, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p[1]);
+ goto err;
+ }
+ }
+ }
+ else if (streq(p[0], "inetd") && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (!options->inetd)
+ {
+ int z;
+ const char *name = NULL;
+ const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
+
+ options->inetd = -1;
+
+ for (z = 1; z <= 2; ++z)
+ {
+ if (p[z])
+ {
+ if (streq(p[z], "wait"))
+ {
+ if (options->inetd != -1)
+ {
+ msg(msglevel, "%s", opterr);
+ goto err;
+ }
+ else
+ {
+ options->inetd = INETD_WAIT;
+ }
+ }
+ else if (streq(p[z], "nowait"))
+ {
+ if (options->inetd != -1)
+ {
+ msg(msglevel, "%s", opterr);
+ goto err;
+ }
+ else
+ {
+ options->inetd = INETD_NOWAIT;
+ }
+ }
+ else
+ {
+ if (name != NULL)
+ {
+ msg(msglevel, "%s", opterr);
+ goto err;
+ }
+ name = p[z];
+ }
+ }
+ }
+
+ /* default */
+ if (options->inetd == -1)
+ {
+ options->inetd = INETD_WAIT;
+ }
+
+ save_inetd_socket_descriptor();
+ open_syslog(name, true);
+ }
+ }
+ else if (streq(p[0], "log") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->log = true;
+ redirect_stdout_stderr(p[1], false);
+ }
+ else if (streq(p[0], "suppress-timestamps") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->suppress_timestamps = true;
+ set_suppress_timestamps(true);
+ }
+ else if (streq(p[0], "machine-readable-output") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->machine_readable_output = true;
+ set_machine_readable_output(true);
+ }
+ else if (streq(p[0], "log-append") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->log = true;
+ redirect_stdout_stderr(p[1], true);
}
#ifdef ENABLE_MEMSTATS
- else if (streq (p[0], "memstats") && p[1] && !p[2])
+ else if (streq(p[0], "memstats") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->memstats_fn = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->memstats_fn = p[1];
}
#endif
- else if (streq (p[0], "mlock") && !p[1])
+ else if (streq(p[0], "mlock") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->mlock = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->mlock = true;
}
#if ENABLE_IP_PKTINFO
- else if (streq (p[0], "multihome") && !p[1])
+ else if (streq(p[0], "multihome") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->sockflags |= SF_USE_IP_PKTINFO;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->sockflags |= SF_USE_IP_PKTINFO;
}
#endif
- else if (streq (p[0], "verb") && p[1] && !p[2])
+ else if (streq(p[0], "verb") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_MESSAGES);
- options->verbosity = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_MESSAGES);
+ options->verbosity = positive_atoi(p[1]);
#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
- /* Warn when a debug verbosity is supplied when built without debug support */
- if (options->verbosity >= 7)
- msg (M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
- options->verbosity);
+ /* Warn when a debug verbosity is supplied when built without debug support */
+ if (options->verbosity >= 7)
+ {
+ msg(M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
+ options->verbosity);
+ }
#endif
}
- else if (streq (p[0], "mute") && p[1] && !p[2])
+ else if (streq(p[0], "mute") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_MESSAGES);
- options->mute = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_MESSAGES);
+ options->mute = positive_atoi(p[1]);
}
- else if (streq (p[0], "errors-to-stderr") && !p[1])
+ else if (streq(p[0], "errors-to-stderr") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_MESSAGES);
- errors_to_stderr();
+ VERIFY_PERMISSION(OPT_P_MESSAGES);
+ errors_to_stderr();
}
- else if (streq (p[0], "status") && p[1] && !p[3])
+ else if (streq(p[0], "status") && p[1] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->status_file = p[1];
- if (p[2])
- {
- options->status_file_update_freq = positive_atoi (p[2]);
- }
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->status_file = p[1];
+ if (p[2])
+ {
+ options->status_file_update_freq = positive_atoi(p[2]);
+ }
}
- else if (streq (p[0], "status-version") && p[1] && !p[2])
+ else if (streq(p[0], "status-version") && p[1] && !p[2])
{
- int version;
+ int version;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- version = atoi (p[1]);
- if (version < 1 || version > 3)
- {
- msg (msglevel, "--status-version must be 1 to 3");
- goto err;
- }
- options->status_file_version = version;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ version = atoi(p[1]);
+ if (version < 1 || version > 3)
+ {
+ msg(msglevel, "--status-version must be 1 to 3");
+ goto err;
+ }
+ options->status_file_version = version;
}
- else if (streq (p[0], "remap-usr1") && p[1] && !p[2])
+ else if (streq(p[0], "remap-usr1") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], "SIGHUP"))
- options->remap_sigusr1 = SIGHUP;
- else if (streq (p[1], "SIGTERM"))
- options->remap_sigusr1 = SIGTERM;
- else
- {
- msg (msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
- goto err;
- }
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[1], "SIGHUP"))
+ {
+ options->remap_sigusr1 = SIGHUP;
+ }
+ else if (streq(p[1], "SIGTERM"))
+ {
+ options->remap_sigusr1 = SIGTERM;
+ }
+ else
+ {
+ msg(msglevel, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
+ goto err;
+ }
}
- else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1] && !p[2])
+ else if ((streq(p[0], "link-mtu") || streq(p[0], "udp-mtu")) && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
- options->ce.link_mtu = positive_atoi (p[1]);
- options->ce.link_mtu_defined = true;
+ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ options->ce.link_mtu = positive_atoi(p[1]);
+ options->ce.link_mtu_defined = true;
}
- else if (streq (p[0], "tun-mtu") && p[1] && !p[2])
+ else if (streq(p[0], "tun-mtu") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
- options->ce.tun_mtu = positive_atoi (p[1]);
- options->ce.tun_mtu_defined = true;
+ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ options->ce.tun_mtu = positive_atoi(p[1]);
+ options->ce.tun_mtu_defined = true;
}
- else if (streq (p[0], "tun-mtu-extra") && p[1] && !p[2])
+ else if (streq(p[0], "tun-mtu-extra") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
- options->ce.tun_mtu_extra = positive_atoi (p[1]);
- options->ce.tun_mtu_extra_defined = true;
+ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ options->ce.tun_mtu_extra = positive_atoi(p[1]);
+ options->ce.tun_mtu_extra_defined = true;
}
#ifdef ENABLE_FRAGMENT
- else if (streq (p[0], "mtu-dynamic"))
+ else if (streq(p[0], "mtu-dynamic"))
{
- VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
- msg (msglevel, "--mtu-dynamic has been replaced by --fragment");
- goto err;
+ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ msg(msglevel, "--mtu-dynamic has been replaced by --fragment");
+ goto err;
}
- else if (streq (p[0], "fragment") && p[1] && !p[2])
+ else if (streq(p[0], "fragment") && p[1] && !p[2])
{
/* VERIFY_PERMISSION (OPT_P_MTU); */
- VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
- options->ce.fragment = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ options->ce.fragment = positive_atoi(p[1]);
}
#endif
- else if (streq (p[0], "mtu-disc") && p[1] && !p[2])
+ else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
- options->ce.mtu_discover_type = translate_mtu_discover_type_name (p[1]);
+ VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
+ options->ce.mtu_discover_type = translate_mtu_discover_type_name(p[1]);
}
#ifdef ENABLE_OCC
- else if (streq (p[0], "mtu-test") && !p[1])
+ else if (streq(p[0], "mtu-test") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->mtu_test = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->mtu_test = true;
}
#endif
- else if (streq (p[0], "nice") && p[1] && !p[2])
+ else if (streq(p[0], "nice") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_NICE);
- options->nice = atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_NICE);
+ options->nice = atoi(p[1]);
}
- else if (streq (p[0], "rcvbuf") && p[1] && !p[2])
+ else if (streq(p[0], "rcvbuf") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_SOCKBUF);
- options->rcvbuf = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_SOCKBUF);
+ options->rcvbuf = positive_atoi(p[1]);
}
- else if (streq (p[0], "sndbuf") && p[1] && !p[2])
+ else if (streq(p[0], "sndbuf") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_SOCKBUF);
- options->sndbuf = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_SOCKBUF);
+ options->sndbuf = positive_atoi(p[1]);
}
- else if (streq (p[0], "mark") && p[1] && !p[2])
+ else if (streq(p[0], "mark") && p[1] && !p[2])
{
#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->mark = atoi(p[1]);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->mark = atoi(p[1]);
#endif
}
- else if (streq (p[0], "socket-flags"))
+ else if (streq(p[0], "socket-flags"))
{
- int j;
- VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
- for (j = 1; j < MAX_PARMS && p[j]; ++j)
- {
- if (streq (p[j], "TCP_NODELAY"))
- options->sockflags |= SF_TCP_NODELAY;
- else
- msg (msglevel, "unknown socket flag: %s", p[j]);
- }
+ int j;
+ VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
+ for (j = 1; j < MAX_PARMS && p[j]; ++j)
+ {
+ if (streq(p[j], "TCP_NODELAY"))
+ {
+ options->sockflags |= SF_TCP_NODELAY;
+ }
+ else
+ {
+ msg(msglevel, "unknown socket flag: %s", p[j]);
+ }
+ }
}
- else if (streq (p[0], "txqueuelen") && p[1] && !p[2])
+ else if (streq(p[0], "txqueuelen") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
#ifdef TARGET_LINUX
- options->tuntap_options.txqueuelen = positive_atoi (p[1]);
+ options->tuntap_options.txqueuelen = positive_atoi(p[1]);
#else
- msg (msglevel, "--txqueuelen not supported on this OS");
- goto err;
+ msg(msglevel, "--txqueuelen not supported on this OS");
+ goto err;
#endif
}
- else if (streq (p[0], "shaper") && p[1] && !p[2])
+ else if (streq(p[0], "shaper") && p[1] && !p[2])
{
#ifdef ENABLE_FEATURE_SHAPER
- int shaper;
-
- VERIFY_PERMISSION (OPT_P_SHAPER);
- shaper = atoi (p[1]);
- if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
- {
- msg (msglevel, "Bad shaper value, must be between %d and %d",
- SHAPER_MIN, SHAPER_MAX);
- goto err;
- }
- options->shaper = shaper;
+ int shaper;
+
+ VERIFY_PERMISSION(OPT_P_SHAPER);
+ shaper = atoi(p[1]);
+ if (shaper < SHAPER_MIN || shaper > SHAPER_MAX)
+ {
+ msg(msglevel, "Bad shaper value, must be between %d and %d",
+ SHAPER_MIN, SHAPER_MAX);
+ goto err;
+ }
+ options->shaper = shaper;
#else /* ENABLE_FEATURE_SHAPER */
- VERIFY_PERMISSION (OPT_P_GENERAL);
- msg (msglevel, "--shaper requires the gettimeofday() function which is missing");
- goto err;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ msg(msglevel, "--shaper requires the gettimeofday() function which is missing");
+ goto err;
#endif /* ENABLE_FEATURE_SHAPER */
}
- else if (streq (p[0], "port") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->ce.local_port = options->ce.remote_port = p[1];
- }
- else if (streq (p[0], "lport") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->ce.local_port_defined = true;
- options->ce.local_port = p[1];
- }
- else if (streq (p[0], "rport") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->ce.remote_port = p[1];
- }
- else if (streq (p[0], "bind") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->ce.bind_defined = true;
- if (p[1] && streq (p[1], "ipv6only"))
- options->ce.bind_ipv6_only=true;
-
- }
- else if (streq (p[0], "nobind") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->ce.bind_local = false;
- }
- else if (streq (p[0], "fast-io") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->fast_io = true;
- }
- else if (streq (p[0], "inactive") && p[1] && !p[3])
- {
- VERIFY_PERMISSION (OPT_P_TIMER);
- options->inactivity_timeout = positive_atoi (p[1]);
- if (p[2])
- options->inactivity_minimum_bytes = positive_atoi (p[2]);
- }
- else if (streq (p[0], "proto") && p[1] && !p[2])
- {
- int proto;
- sa_family_t af;
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- proto = ascii2proto (p[1]);
- af = ascii2af(p[1]);
- if (proto < 0)
- {
- msg (msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
- p[1],
- proto2ascii_all (&gc));
- goto err;
- }
- options->ce.proto = proto;
- options->ce.af = af;
- }
- else if (streq (p[0], "proto-force") && p[1] && !p[2])
- {
- int proto_force;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- proto_force = ascii2proto (p[1]);
- if (proto_force < 0)
- {
- msg (msglevel, "Bad --proto-force protocol: '%s'", p[1]);
- goto err;
- }
- options->proto_force = proto_force;
- }
- else if (streq (p[0], "http-proxy") && p[1] && !p[5])
- {
- struct http_proxy_options *ho;
-
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
-
- {
- if (!p[2])
- {
- msg (msglevel, "http-proxy port number not defined");
- goto err;
- }
-
- ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
-
- ho->server = p[1];
- ho->port = p[2];
- }
-
- if (p[3])
- {
- /* auto -- try to figure out proxy addr, port, and type automatically */
- /* semiauto -- given proxy addr:port, try to figure out type automatically */
- /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
- if (streq (p[3], "auto"))
- ho->auth_retry = PAR_ALL;
- else if (streq (p[3], "auto-nct"))
- ho->auth_retry = PAR_NCT;
- else
- {
- ho->auth_method_string = "basic";
- ho->auth_file = p[3];
-
- if (p[4])
- {
- ho->auth_method_string = p[4];
- }
- }
- }
- else
- {
- ho->auth_method_string = "none";
- }
- }
- else if (streq (p[0], "http-proxy-user-pass") && p[1])
- {
- struct http_proxy_options *ho;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- ho->auth_file = p[2];
- ho->inline_creds = true;
- }
- else
- ho->auth_file = p[1];
- }
- else if (streq (p[0], "http-proxy-retry") || streq (p[0], "socks-proxy-retry"))
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- msg (M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
- "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
- "Use connect-retry-max 1 to get a similar behavior as before.");
- }
- else if (streq (p[0], "http-proxy-timeout") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- msg (M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
- "server is established is managed with a single timeout set by connect-timeout");
- }
- else if (streq (p[0], "http-proxy-option") && p[1] && !p[4])
- {
- struct http_proxy_options *ho;
-
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
-
- if (streq (p[1], "VERSION") && p[2] && !p[3])
- {
- ho->http_version = p[2];
- }
- else if (streq (p[1], "AGENT") && p[2] && !p[3])
- {
- ho->user_agent = p[2];
- }
- else if ((streq (p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
- && p[2])
- {
- /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
- * with either two argument or one */
-
- struct http_custom_header *custom_header = NULL;
- int i;
- /* Find the first free header */
- for (i=0; i < MAX_CUSTOM_HTTP_HEADER; i++) {
- if (!ho->custom_headers[i].name) {
- custom_header = &ho->custom_headers[i];
- break;
- }
- }
- if (!custom_header)
- {
- msg (msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
- }
- else
- {
- /* We will save p[2] and p[3], the proxy code will detect if
- * p[3] is NULL */
- custom_header->name = p[2];
- custom_header->content = p[3];
- }
- }
- else
- {
- msg (msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
- }
- }
- else if (streq (p[0], "socks-proxy") && p[1] && !p[4])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
-
- if (p[2])
- {
- options->ce.socks_proxy_port = p[2];
- }
- else
- {
- options->ce.socks_proxy_port = "1080";
- }
- options->ce.socks_proxy_server = p[1];
- options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
- }
- else if (streq (p[0], "keepalive") && p[1] && p[2] && !p[3])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->keepalive_ping = atoi (p[1]);
- options->keepalive_timeout = atoi (p[2]);
- }
- else if (streq (p[0], "ping") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_TIMER);
- options->ping_send_timeout = positive_atoi (p[1]);
- }
- else if (streq (p[0], "ping-exit") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_TIMER);
- options->ping_rec_timeout = positive_atoi (p[1]);
- options->ping_rec_timeout_action = PING_EXIT;
- }
- else if (streq (p[0], "ping-restart") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_TIMER);
- options->ping_rec_timeout = positive_atoi (p[1]);
- options->ping_rec_timeout_action = PING_RESTART;
- }
- else if (streq (p[0], "ping-timer-rem") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_TIMER);
- options->ping_timer_remote = true;
+ else if (streq(p[0], "port") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ options->ce.local_port = options->ce.remote_port = p[1];
+ }
+ else if (streq(p[0], "lport") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ options->ce.local_port_defined = true;
+ options->ce.local_port = p[1];
+ }
+ else if (streq(p[0], "rport") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ options->ce.remote_port = p[1];
+ }
+ else if (streq(p[0], "bind") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ options->ce.bind_defined = true;
+ if (p[1] && streq(p[1], "ipv6only"))
+ {
+ options->ce.bind_ipv6_only = true;
+ }
+
+ }
+ else if (streq(p[0], "nobind") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ options->ce.bind_local = false;
+ }
+ else if (streq(p[0], "fast-io") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->fast_io = true;
+ }
+ else if (streq(p[0], "inactive") && p[1] && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_TIMER);
+ options->inactivity_timeout = positive_atoi(p[1]);
+ if (p[2])
+ {
+ options->inactivity_minimum_bytes = positive_atoi(p[2]);
+ }
+ }
+ else if (streq(p[0], "proto") && p[1] && !p[2])
+ {
+ int proto;
+ sa_family_t af;
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ proto = ascii2proto(p[1]);
+ af = ascii2af(p[1]);
+ if (proto < 0)
+ {
+ msg(msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
+ p[1],
+ proto2ascii_all(&gc));
+ goto err;
+ }
+ options->ce.proto = proto;
+ options->ce.af = af;
+ }
+ else if (streq(p[0], "proto-force") && p[1] && !p[2])
+ {
+ int proto_force;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ proto_force = ascii2proto(p[1]);
+ if (proto_force < 0)
+ {
+ msg(msglevel, "Bad --proto-force protocol: '%s'", p[1]);
+ goto err;
+ }
+ options->proto_force = proto_force;
+ }
+ else if (streq(p[0], "http-proxy") && p[1] && !p[5])
+ {
+ struct http_proxy_options *ho;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+
+ {
+ if (!p[2])
+ {
+ msg(msglevel, "http-proxy port number not defined");
+ goto err;
+ }
+
+ ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
+
+ ho->server = p[1];
+ ho->port = p[2];
+ }
+
+ if (p[3])
+ {
+ /* auto -- try to figure out proxy addr, port, and type automatically */
+ /* semiauto -- given proxy addr:port, try to figure out type automatically */
+ /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
+ if (streq(p[3], "auto"))
+ {
+ ho->auth_retry = PAR_ALL;
+ }
+ else if (streq(p[3], "auto-nct"))
+ {
+ ho->auth_retry = PAR_NCT;
+ }
+ else
+ {
+ ho->auth_method_string = "basic";
+ ho->auth_file = p[3];
+
+ if (p[4])
+ {
+ ho->auth_method_string = p[4];
+ }
+ }
+ }
+ else
+ {
+ ho->auth_method_string = "none";
+ }
+ }
+ else if (streq(p[0], "http-proxy-user-pass") && p[1])
+ {
+ struct http_proxy_options *ho;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ ho->auth_file = p[2];
+ ho->inline_creds = true;
+ }
+ else
+ {
+ ho->auth_file = p[1];
+ }
+ }
+ else if (streq(p[0], "http-proxy-retry") || streq(p[0], "socks-proxy-retry"))
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ msg(M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
+ "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
+ "Use connect-retry-max 1 to get a similar behavior as before.");
+ }
+ else if (streq(p[0], "http-proxy-timeout") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ msg(M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
+ "server is established is managed with a single timeout set by connect-timeout");
+ }
+ else if (streq(p[0], "http-proxy-option") && p[1] && !p[4])
+ {
+ struct http_proxy_options *ho;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ ho = init_http_proxy_options_once(&options->ce.http_proxy_options, &options->gc);
+
+ if (streq(p[1], "VERSION") && p[2] && !p[3])
+ {
+ ho->http_version = p[2];
+ }
+ else if (streq(p[1], "AGENT") && p[2] && !p[3])
+ {
+ ho->user_agent = p[2];
+ }
+ else if ((streq(p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
+ && p[2])
+ {
+ /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
+ * with either two argument or one */
+
+ struct http_custom_header *custom_header = NULL;
+ int i;
+ /* Find the first free header */
+ for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++) {
+ if (!ho->custom_headers[i].name)
+ {
+ custom_header = &ho->custom_headers[i];
+ break;
+ }
+ }
+ if (!custom_header)
+ {
+ msg(msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
+ }
+ else
+ {
+ /* We will save p[2] and p[3], the proxy code will detect if
+ * p[3] is NULL */
+ custom_header->name = p[2];
+ custom_header->content = p[3];
+ }
+ }
+ else
+ {
+ msg(msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
+ }
+ }
+ else if (streq(p[0], "socks-proxy") && p[1] && !p[4])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+
+ if (p[2])
+ {
+ options->ce.socks_proxy_port = p[2];
+ }
+ else
+ {
+ options->ce.socks_proxy_port = "1080";
+ }
+ options->ce.socks_proxy_server = p[1];
+ options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
+ }
+ else if (streq(p[0], "keepalive") && p[1] && p[2] && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->keepalive_ping = atoi(p[1]);
+ options->keepalive_timeout = atoi(p[2]);
+ }
+ else if (streq(p[0], "ping") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_TIMER);
+ options->ping_send_timeout = positive_atoi(p[1]);
+ }
+ else if (streq(p[0], "ping-exit") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_TIMER);
+ options->ping_rec_timeout = positive_atoi(p[1]);
+ options->ping_rec_timeout_action = PING_EXIT;
+ }
+ else if (streq(p[0], "ping-restart") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_TIMER);
+ options->ping_rec_timeout = positive_atoi(p[1]);
+ options->ping_rec_timeout_action = PING_RESTART;
+ }
+ else if (streq(p[0], "ping-timer-rem") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_TIMER);
+ options->ping_timer_remote = true;
}
#ifdef ENABLE_OCC
- else if (streq (p[0], "explicit-exit-notify") && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
- if (p[1])
- {
- options->ce.explicit_exit_notification = positive_atoi (p[1]);
- }
- else
- {
- options->ce.explicit_exit_notification = 1;
- }
- }
-#endif
- else if (streq (p[0], "persist-tun") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_PERSIST);
- options->persist_tun = true;
- }
- else if (streq (p[0], "persist-key") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_PERSIST);
- options->persist_key = true;
- }
- else if (streq (p[0], "persist-local-ip") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_PERSIST_IP);
- options->persist_local_ip = true;
- }
- else if (streq (p[0], "persist-remote-ip") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_PERSIST_IP);
- options->persist_remote_ip = true;
- }
- else if (streq (p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
- {
- VERIFY_PERMISSION (OPT_P_ROUTE);
- cnol_check_alloc (options);
- add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
- }
- else if (streq (p[0], "route") && p[1] && !p[5])
- {
- VERIFY_PERMISSION (OPT_P_ROUTE);
- rol_check_alloc (options);
- if (pull_mode)
- {
- if (!ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && !is_special_addr (p[1])) /* FQDN -- may be DNS name */
- {
- msg (msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
- goto err;
- }
- if (p[2] && !ip_addr_dotted_quad_safe (p[2])) /* FQDN -- must be IP address */
- {
- msg (msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
- goto err;
- }
- if (p[3] && !ip_or_dns_addr_safe (p[3], options->allow_pull_fqdn) && !is_special_addr (p[3])) /* FQDN -- may be DNS name */
- {
- msg (msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
- goto err;
- }
- }
- add_route_to_option_list (options->routes, p[1], p[2], p[3], p[4]);
- }
- else if (streq (p[0], "route-ipv6") && p[1] && !p[4])
- {
- VERIFY_PERMISSION (OPT_P_ROUTE);
- rol6_check_alloc (options);
- if (pull_mode)
- {
- if (!ipv6_addr_safe_hexplusbits (p[1]))
- {
- msg (msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
- goto err;
- }
- if (p[2] && !ipv6_addr_safe (p[2]))
- {
- msg (msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
- goto err;
- }
- /* p[3] is metric, if present */
- }
- add_route_ipv6_to_option_list (options->routes_ipv6, p[1], p[2], p[3]);
- }
- else if (streq (p[0], "max-routes") && !p[2])
- {
- msg (M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
- "The number of routes is unlimited as of version 2.4. "
- "This option will be removed in a future version, "
- "please remove it from your configuration.");
- }
- else if (streq (p[0], "route-gateway") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
- if (streq (p[1], "dhcp"))
- {
- options->route_gateway_via_dhcp = true;
- }
- else
- {
- if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) || is_special_addr (p[1])) /* FQDN -- may be DNS name */
- {
- options->route_default_gateway = p[1];
- }
- else
- {
- msg (msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
- goto err;
- }
- }
- }
- else if (streq (p[0], "route-metric") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_ROUTE);
- options->route_default_metric = positive_atoi (p[1]);
- }
- else if (streq (p[0], "route-delay") && !p[3])
- {
- VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
- options->route_delay_defined = true;
- if (p[1])
- {
- options->route_delay = positive_atoi (p[1]);
- if (p[2])
- {
- options->route_delay_window = positive_atoi (p[2]);
- }
- }
- else
- {
- options->route_delay = 0;
- }
- }
- else if (streq (p[0], "route-up") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_SCRIPT);
- if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
- goto err;
- set_user_script (options, &options->route_script, p[1], "route-up", false);
- }
- else if (streq (p[0], "route-pre-down") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_SCRIPT);
- if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
- goto err;
- set_user_script (options,
- &options->route_predown_script,
- p[1],
- "route-pre-down", true);
- }
- else if (streq (p[0], "route-noexec") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_SCRIPT);
- options->route_noexec = true;
- }
- else if (streq (p[0], "route-nopull") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->route_nopull = true;
- }
- else if (streq (p[0], "pull-filter") && p[1] && p[2] && !p[3])
- {
- struct pull_filter *f;
- VERIFY_PERMISSION (OPT_P_GENERAL)
- f = alloc_pull_filter (options, msglevel);
-
- if (strcmp ("accept", p[1]) == 0)
- f->type = PUF_TYPE_ACCEPT;
- else if (strcmp ("ignore", p[1]) == 0)
- f->type = PUF_TYPE_IGNORE;
- else if (strcmp ("reject", p[1]) == 0)
- f->type = PUF_TYPE_REJECT;
- else
- {
- msg (msglevel, "Unknown --pull-filter type: %s", p[1]);
- goto err;
- }
- f->pattern = p[2];
- f->size = strlen(p[2]);
- }
- else if (streq (p[0], "allow-pull-fqdn") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->allow_pull_fqdn = true;
- }
- else if (streq (p[0], "redirect-gateway") || streq (p[0], "redirect-private"))
- {
- int j;
- VERIFY_PERMISSION (OPT_P_ROUTE);
- rol_check_alloc (options);
- if (streq (p[0], "redirect-gateway"))
- options->routes->flags |= RG_REROUTE_GW;
- for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- {
- if (streq (p[j], "local"))
- options->routes->flags |= RG_LOCAL;
- else if (streq (p[j], "autolocal"))
- options->routes->flags |= RG_AUTO_LOCAL;
- else if (streq (p[j], "def1"))
- options->routes->flags |= RG_DEF1;
- else if (streq (p[j], "bypass-dhcp"))
- options->routes->flags |= RG_BYPASS_DHCP;
- else if (streq (p[j], "bypass-dns"))
- options->routes->flags |= RG_BYPASS_DNS;
- else if (streq (p[j], "block-local"))
- options->routes->flags |= RG_BLOCK_LOCAL;
- else if (streq (p[j], "ipv6"))
- {
- rol6_check_alloc (options);
- options->routes_ipv6->flags |= RG_REROUTE_GW;
- }
- else if (streq (p[j], "!ipv4"))
- options->routes->flags &= ~RG_REROUTE_GW;
- else
- {
- msg (msglevel, "unknown --%s flag: %s", p[0], p[j]);
- goto err;
- }
- }
+ else if (streq(p[0], "explicit-exit-notify") && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
+ if (p[1])
+ {
+ options->ce.explicit_exit_notification = positive_atoi(p[1]);
+ }
+ else
+ {
+ options->ce.explicit_exit_notification = 1;
+ }
+ }
+#endif
+ else if (streq(p[0], "persist-tun") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_PERSIST);
+ options->persist_tun = true;
+ }
+ else if (streq(p[0], "persist-key") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_PERSIST);
+ options->persist_key = true;
+ }
+ else if (streq(p[0], "persist-local-ip") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_PERSIST_IP);
+ options->persist_local_ip = true;
+ }
+ else if (streq(p[0], "persist-remote-ip") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_PERSIST_IP);
+ options->persist_remote_ip = true;
+ }
+ else if (streq(p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
+ {
+ VERIFY_PERMISSION(OPT_P_ROUTE);
+ cnol_check_alloc(options);
+ add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
+ }
+ else if (streq(p[0], "route") && p[1] && !p[5])
+ {
+ VERIFY_PERMISSION(OPT_P_ROUTE);
+ rol_check_alloc(options);
+ if (pull_mode)
+ {
+ if (!ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) && !is_special_addr(p[1])) /* FQDN -- may be DNS name */
+ {
+ msg(msglevel, "route parameter network/IP '%s' must be a valid address", p[1]);
+ goto err;
+ }
+ if (p[2] && !ip_addr_dotted_quad_safe(p[2])) /* FQDN -- must be IP address */
+ {
+ msg(msglevel, "route parameter netmask '%s' must be an IP address", p[2]);
+ goto err;
+ }
+ if (p[3] && !ip_or_dns_addr_safe(p[3], options->allow_pull_fqdn) && !is_special_addr(p[3])) /* FQDN -- may be DNS name */
+ {
+ msg(msglevel, "route parameter gateway '%s' must be a valid address", p[3]);
+ goto err;
+ }
+ }
+ add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
+ }
+ else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
+ {
+ VERIFY_PERMISSION(OPT_P_ROUTE);
+ rol6_check_alloc(options);
+ if (pull_mode)
+ {
+ if (!ipv6_addr_safe_hexplusbits(p[1]))
+ {
+ msg(msglevel, "route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
+ goto err;
+ }
+ if (p[2] && !ipv6_addr_safe(p[2]))
+ {
+ msg(msglevel, "route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
+ goto err;
+ }
+ /* p[3] is metric, if present */
+ }
+ add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]);
+ }
+ else if (streq(p[0], "max-routes") && !p[2])
+ {
+ msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
+ "The number of routes is unlimited as of version 2.4. "
+ "This option will be removed in a future version, "
+ "please remove it from your configuration.");
+ }
+ else if (streq(p[0], "route-gateway") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
+ if (streq(p[1], "dhcp"))
+ {
+ options->route_gateway_via_dhcp = true;
+ }
+ else
+ {
+ if (ip_or_dns_addr_safe(p[1], options->allow_pull_fqdn) || is_special_addr(p[1])) /* FQDN -- may be DNS name */
+ {
+ options->route_default_gateway = p[1];
+ }
+ else
+ {
+ msg(msglevel, "route-gateway parm '%s' must be a valid address", p[1]);
+ goto err;
+ }
+ }
+ }
+ else if (streq(p[0], "route-metric") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_ROUTE);
+ options->route_default_metric = positive_atoi(p[1]);
+ }
+ else if (streq(p[0], "route-delay") && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
+ options->route_delay_defined = true;
+ if (p[1])
+ {
+ options->route_delay = positive_atoi(p[1]);
+ if (p[2])
+ {
+ options->route_delay_window = positive_atoi(p[2]);
+ }
+ }
+ else
+ {
+ options->route_delay = 0;
+ }
+ }
+ else if (streq(p[0], "route-up") && p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_SCRIPT);
+ if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
+ {
+ goto err;
+ }
+ set_user_script(options, &options->route_script, p[1], "route-up", false);
+ }
+ else if (streq(p[0], "route-pre-down") && p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_SCRIPT);
+ if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
+ {
+ goto err;
+ }
+ set_user_script(options,
+ &options->route_predown_script,
+ p[1],
+ "route-pre-down", true);
+ }
+ else if (streq(p[0], "route-noexec") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_SCRIPT);
+ options->route_noexec = true;
+ }
+ else if (streq(p[0], "route-nopull") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->route_nopull = true;
+ }
+ else if (streq(p[0], "pull-filter") && p[1] && p[2] && !p[3])
+ {
+ struct pull_filter *f;
+ VERIFY_PERMISSION(OPT_P_GENERAL)
+ f = alloc_pull_filter(options, msglevel);
+
+ if (strcmp("accept", p[1]) == 0)
+ {
+ f->type = PUF_TYPE_ACCEPT;
+ }
+ else if (strcmp("ignore", p[1]) == 0)
+ {
+ f->type = PUF_TYPE_IGNORE;
+ }
+ else if (strcmp("reject", p[1]) == 0)
+ {
+ f->type = PUF_TYPE_REJECT;
+ }
+ else
+ {
+ msg(msglevel, "Unknown --pull-filter type: %s", p[1]);
+ goto err;
+ }
+ f->pattern = p[2];
+ f->size = strlen(p[2]);
+ }
+ else if (streq(p[0], "allow-pull-fqdn") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->allow_pull_fqdn = true;
+ }
+ else if (streq(p[0], "redirect-gateway") || streq(p[0], "redirect-private"))
+ {
+ int j;
+ VERIFY_PERMISSION(OPT_P_ROUTE);
+ rol_check_alloc(options);
+ if (streq(p[0], "redirect-gateway"))
+ {
+ options->routes->flags |= RG_REROUTE_GW;
+ }
+ for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ {
+ if (streq(p[j], "local"))
+ {
+ options->routes->flags |= RG_LOCAL;
+ }
+ else if (streq(p[j], "autolocal"))
+ {
+ options->routes->flags |= RG_AUTO_LOCAL;
+ }
+ else if (streq(p[j], "def1"))
+ {
+ options->routes->flags |= RG_DEF1;
+ }
+ else if (streq(p[j], "bypass-dhcp"))
+ {
+ options->routes->flags |= RG_BYPASS_DHCP;
+ }
+ else if (streq(p[j], "bypass-dns"))
+ {
+ options->routes->flags |= RG_BYPASS_DNS;
+ }
+ else if (streq(p[j], "block-local"))
+ {
+ options->routes->flags |= RG_BLOCK_LOCAL;
+ }
+ else if (streq(p[j], "ipv6"))
+ {
+ rol6_check_alloc(options);
+ options->routes_ipv6->flags |= RG_REROUTE_GW;
+ }
+ else if (streq(p[j], "!ipv4"))
+ {
+ options->routes->flags &= ~RG_REROUTE_GW;
+ }
+ else
+ {
+ msg(msglevel, "unknown --%s flag: %s", p[0], p[j]);
+ goto err;
+ }
+ }
#ifdef _WIN32
- /* we need this here to handle pushed --redirect-gateway */
- remap_redirect_gateway_flags (options);
+ /* we need this here to handle pushed --redirect-gateway */
+ remap_redirect_gateway_flags(options);
#endif
- options->routes->flags |= RG_ENABLE;
+ options->routes->flags |= RG_ENABLE;
}
- else if (streq (p[0], "remote-random-hostname") && !p[1])
+ else if (streq(p[0], "remote-random-hostname") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->sockflags |= SF_HOST_RANDOMIZE;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->sockflags |= SF_HOST_RANDOMIZE;
}
- else if (streq (p[0], "setenv") && p[1] && !p[3])
+ else if (streq(p[0], "setenv") && p[1] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
- {
- options->sockflags |= SF_HOST_RANDOMIZE;
- }
- else if (streq (p[1], "GENERIC_CONFIG"))
- {
- msg (msglevel, "this is a generic configuration and cannot directly be used");
- goto err;
- }
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
+ {
+ options->sockflags |= SF_HOST_RANDOMIZE;
+ }
+ else if (streq(p[1], "GENERIC_CONFIG"))
+ {
+ msg(msglevel, "this is a generic configuration and cannot directly be used");
+ goto err;
+ }
#ifdef ENABLE_PUSH_PEER_INFO
- else if (streq (p[1], "PUSH_PEER_INFO") && !p[2])
- {
- options->push_peer_info = true;
- }
-#endif
- else if (streq (p[1], "SERVER_POLL_TIMEOUT") && p[2])
- {
- options->ce.connect_timeout = positive_atoi(p[2]);
- }
- else
- {
- if (streq (p[1], "FORWARD_COMPATIBLE") && p[2] && streq (p[2], "1"))
- {
- options->forward_compatible = true;
- msglevel_fc = msglevel_forward_compatible (options, msglevel);
- }
- setenv_str (es, p[1], p[2] ? p[2] : "");
- }
- }
- else if (streq (p[0], "setenv-safe") && p[1] && !p[3])
- {
- VERIFY_PERMISSION (OPT_P_SETENV);
- setenv_str_safe (es, p[1], p[2] ? p[2] : "");
- }
- else if (streq (p[0], "script-security") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- script_security = atoi (p[1]);
- }
- else if (streq (p[0], "mssfix") && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- if (p[1])
- {
- options->ce.mssfix = positive_atoi (p[1]);
- }
- else
- options->ce.mssfix_default = true;
+ else if (streq(p[1], "PUSH_PEER_INFO") && !p[2])
+ {
+ options->push_peer_info = true;
+ }
+#endif
+ else if (streq(p[1], "SERVER_POLL_TIMEOUT") && p[2])
+ {
+ options->ce.connect_timeout = positive_atoi(p[2]);
+ }
+ else
+ {
+ if (streq(p[1], "FORWARD_COMPATIBLE") && p[2] && streq(p[2], "1"))
+ {
+ options->forward_compatible = true;
+ msglevel_fc = msglevel_forward_compatible(options, msglevel);
+ }
+ setenv_str(es, p[1], p[2] ? p[2] : "");
+ }
+ }
+ else if (streq(p[0], "setenv-safe") && p[1] && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_SETENV);
+ setenv_str_safe(es, p[1], p[2] ? p[2] : "");
+ }
+ else if (streq(p[0], "script-security") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ script_security = atoi(p[1]);
+ }
+ else if (streq(p[0], "mssfix") && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_CONNECTION);
+ if (p[1])
+ {
+ options->ce.mssfix = positive_atoi(p[1]);
+ }
+ else
+ {
+ options->ce.mssfix_default = true;
+ }
}
#ifdef ENABLE_OCC
- else if (streq (p[0], "disable-occ") && !p[1])
+ else if (streq(p[0], "disable-occ") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->occ = false;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->occ = false;
}
#endif
#if P2MP
#if P2MP_SERVER
- else if (streq (p[0], "server") && p[1] && p[2] && !p[4])
- {
- const int lev = M_WARN;
- bool error = false;
- in_addr_t network, netmask;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- network = get_ip_addr (p[1], lev, &error);
- netmask = get_ip_addr (p[2], lev, &error);
- if (error || !network || !netmask)
- {
- msg (msglevel, "error parsing --server parameters");
- goto err;
- }
- options->server_defined = true;
- options->server_network = network;
- options->server_netmask = netmask;
-
- if (p[3])
- {
- if (streq (p[3], "nopool"))
- options->server_flags |= SF_NOPOOL;
- else
- {
- msg (msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
- goto err;
- }
- }
- }
- else if (streq (p[0], "server-ipv6") && p[1] && !p[3])
- {
- const int lev = M_WARN;
- struct in6_addr network;
- unsigned int netbits = 0;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if ( ! get_ipv6_addr (p[1], &network, &netbits, lev) )
- {
- msg (msglevel, "error parsing --server-ipv6 parameter");
- goto err;
- }
- if ( netbits < 64 || netbits > 112 )
- {
- msg( msglevel, "--server-ipv6 settings: only /64../112 supported right now (not /%d)", netbits );
- goto err;
- }
- options->server_ipv6_defined = true;
- options->server_network_ipv6 = network;
- options->server_netbits_ipv6 = netbits;
-
- if (p[2]) /* no "nopool" options or similar for IPv6 */
- {
- msg (msglevel, "error parsing --server-ipv6: %s is not a recognized flag", p[3]);
- goto err;
- }
- }
- else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
- {
- const int lev = M_WARN;
- bool error = false;
- in_addr_t ip, netmask, pool_start, pool_end;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- ip = get_ip_addr (p[1], lev, &error);
- netmask = get_ip_addr (p[2], lev, &error);
- pool_start = get_ip_addr (p[3], lev, &error);
- pool_end = get_ip_addr (p[4], lev, &error);
- if (error || !ip || !netmask || !pool_start || !pool_end)
- {
- msg (msglevel, "error parsing --server-bridge parameters");
- goto err;
- }
- options->server_bridge_defined = true;
- options->server_bridge_ip = ip;
- options->server_bridge_netmask = netmask;
- options->server_bridge_pool_start = pool_start;
- options->server_bridge_pool_end = pool_end;
- }
- else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw") && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->server_bridge_proxy_dhcp = true;
- options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
- }
- else if (streq (p[0], "server-bridge") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->server_bridge_proxy_dhcp = true;
- }
- else if (streq (p[0], "push") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_PUSH);
- push_options (options, &p[1], msglevel, &options->gc);
- }
- else if (streq (p[0], "push-reset") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_INSTANCE);
- push_reset (options);
- }
- else if (streq (p[0], "push-remove") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_INSTANCE);
- msg (D_PUSH, "PUSH_REMOVE '%s'", p[1]);
- push_remove_option (options,p[1]);
- }
- else if (streq (p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
- {
- const int lev = M_WARN;
- bool error = false;
- in_addr_t start, end, netmask=0;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- start = get_ip_addr (p[1], lev, &error);
- end = get_ip_addr (p[2], lev, &error);
- if (p[3])
- {
- netmask = get_ip_addr (p[3], lev, &error);
- }
- if (error)
- {
- msg (msglevel, "error parsing --ifconfig-pool parameters");
- goto err;
- }
- if (!ifconfig_pool_verify_range (msglevel, start, end))
- goto err;
-
- options->ifconfig_pool_defined = true;
- options->ifconfig_pool_start = start;
- options->ifconfig_pool_end = end;
- if (netmask)
- options->ifconfig_pool_netmask = netmask;
- }
- else if (streq (p[0], "ifconfig-pool-persist") && p[1] && !p[3])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->ifconfig_pool_persist_filename = p[1];
- if (p[2])
- {
- options->ifconfig_pool_persist_refresh_freq = positive_atoi (p[2]);
- }
- }
- else if (streq (p[0], "ifconfig-pool-linear") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->topology = TOP_P2P;
- }
- else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
- {
- const int lev = M_WARN;
- struct in6_addr network;
- unsigned int netbits = 0;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if ( ! get_ipv6_addr (p[1], &network, &netbits, lev ) )
- {
- msg (msglevel, "error parsing --ifconfig-ipv6-pool parameters");
- goto err;
- }
- if ( netbits < 64 || netbits > 112 )
- {
- msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits );
- goto err;
- }
-
- options->ifconfig_ipv6_pool_defined = true;
- options->ifconfig_ipv6_pool_base = network;
- options->ifconfig_ipv6_pool_netbits = netbits;
- }
- else if (streq (p[0], "hash-size") && p[1] && p[2] && !p[3])
- {
- int real, virtual;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- real = atoi (p[1]);
- virtual = atoi (p[2]);
- if (real < 1 || virtual < 1)
- {
- msg (msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
- goto err;
- }
- options->real_hash_size = real;
- options->virtual_hash_size = real;
- }
- else if (streq (p[0], "connect-freq") && p[1] && p[2] && !p[3])
- {
- int cf_max, cf_per;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- cf_max = atoi (p[1]);
- cf_per = atoi (p[2]);
- if (cf_max < 0 || cf_per < 0)
- {
- msg (msglevel, "--connect-freq parms must be > 0");
- goto err;
- }
- options->cf_max = cf_max;
- options->cf_per = cf_per;
- }
- else if (streq (p[0], "max-clients") && p[1] && !p[2])
- {
- int max_clients;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- max_clients = atoi (p[1]);
- if (max_clients < 0)
- {
- msg (msglevel, "--max-clients must be at least 1");
- goto err;
- }
- if (max_clients >= MAX_PEER_ID) /* max peer-id value */
- {
- msg (msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
- goto err;
- }
- options->max_clients = max_clients;
- }
- else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_INHERIT);
- options->max_routes_per_client = max_int (atoi (p[1]), 1);
- }
- else if (streq (p[0], "client-cert-not-required") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
- msg (M_WARN, "DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead");
- }
- else if (streq (p[0], "verify-client-cert") && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
-
- /* Reset any existing flags */
- options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
- options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
- if (p[1])
- {
- if (streq (p[1], "none"))
- options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
- else if (streq (p[1], "optional"))
- options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
- else if (!streq (p[1], "require"))
- {
- msg (msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
- goto err;
- }
- }
- }
- else if (streq (p[0], "username-as-common-name") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
- }
- else if (streq (p[0], "auth-user-pass-optional") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
- }
- else if (streq (p[0], "opt-verify") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->ssl_flags |= SSLF_OPT_VERIFY;
- }
- else if (streq (p[0], "auth-user-pass-verify") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_SCRIPT);
- if (!no_more_than_n_args (msglevel, p, 3, NM_QUOTE_HINT))
- goto err;
- if (p[2])
- {
- if (streq (p[2], "via-env"))
- options->auth_user_pass_verify_script_via_file = false;
- else if (streq (p[2], "via-file"))
- options->auth_user_pass_verify_script_via_file = true;
- else
- {
- msg (msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
- goto err;
- }
- }
- else
- {
- msg (msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
- goto err;
- }
- set_user_script (options,
- &options->auth_user_pass_verify_script,
- p[1], "auth-user-pass-verify", true);
- }
- else if (streq (p[0], "auth-gen-token"))
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->auth_token_generate = true;
- options->auth_token_lifetime = p[1] ? positive_atoi (p[1]) : 0;
- }
- else if (streq (p[0], "client-connect") && p[1])
+ else if (streq(p[0], "server") && p[1] && p[2] && !p[4])
+ {
+ const int lev = M_WARN;
+ bool error = false;
+ in_addr_t network, netmask;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ network = get_ip_addr(p[1], lev, &error);
+ netmask = get_ip_addr(p[2], lev, &error);
+ if (error || !network || !netmask)
+ {
+ msg(msglevel, "error parsing --server parameters");
+ goto err;
+ }
+ options->server_defined = true;
+ options->server_network = network;
+ options->server_netmask = netmask;
+
+ if (p[3])
+ {
+ if (streq(p[3], "nopool"))
+ {
+ options->server_flags |= SF_NOPOOL;
+ }
+ else
+ {
+ msg(msglevel, "error parsing --server: %s is not a recognized flag", p[3]);
+ goto err;
+ }
+ }
+ }
+ else if (streq(p[0], "server-ipv6") && p[1] && !p[3])
+ {
+ const int lev = M_WARN;
+ struct in6_addr network;
+ unsigned int netbits = 0;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (!get_ipv6_addr(p[1], &network, &netbits, lev) )
+ {
+ msg(msglevel, "error parsing --server-ipv6 parameter");
+ goto err;
+ }
+ if (netbits < 64 || netbits > 112)
+ {
+ msg( msglevel, "--server-ipv6 settings: only /64../112 supported right now (not /%d)", netbits );
+ goto err;
+ }
+ options->server_ipv6_defined = true;
+ options->server_network_ipv6 = network;
+ options->server_netbits_ipv6 = netbits;
+
+ if (p[2]) /* no "nopool" options or similar for IPv6 */
+ {
+ msg(msglevel, "error parsing --server-ipv6: %s is not a recognized flag", p[3]);
+ goto err;
+ }
+ }
+ else if (streq(p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
+ {
+ const int lev = M_WARN;
+ bool error = false;
+ in_addr_t ip, netmask, pool_start, pool_end;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ ip = get_ip_addr(p[1], lev, &error);
+ netmask = get_ip_addr(p[2], lev, &error);
+ pool_start = get_ip_addr(p[3], lev, &error);
+ pool_end = get_ip_addr(p[4], lev, &error);
+ if (error || !ip || !netmask || !pool_start || !pool_end)
+ {
+ msg(msglevel, "error parsing --server-bridge parameters");
+ goto err;
+ }
+ options->server_bridge_defined = true;
+ options->server_bridge_ip = ip;
+ options->server_bridge_netmask = netmask;
+ options->server_bridge_pool_start = pool_start;
+ options->server_bridge_pool_end = pool_end;
+ }
+ else if (streq(p[0], "server-bridge") && p[1] && streq(p[1], "nogw") && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->server_bridge_proxy_dhcp = true;
+ options->server_flags |= SF_NO_PUSH_ROUTE_GATEWAY;
+ }
+ else if (streq(p[0], "server-bridge") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->server_bridge_proxy_dhcp = true;
+ }
+ else if (streq(p[0], "push") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_PUSH);
+ push_options(options, &p[1], msglevel, &options->gc);
+ }
+ else if (streq(p[0], "push-reset") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_INSTANCE);
+ push_reset(options);
+ }
+ else if (streq(p[0], "push-remove") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_INSTANCE);
+ msg(D_PUSH, "PUSH_REMOVE '%s'", p[1]);
+ push_remove_option(options,p[1]);
+ }
+ else if (streq(p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
+ {
+ const int lev = M_WARN;
+ bool error = false;
+ in_addr_t start, end, netmask = 0;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ start = get_ip_addr(p[1], lev, &error);
+ end = get_ip_addr(p[2], lev, &error);
+ if (p[3])
+ {
+ netmask = get_ip_addr(p[3], lev, &error);
+ }
+ if (error)
+ {
+ msg(msglevel, "error parsing --ifconfig-pool parameters");
+ goto err;
+ }
+ if (!ifconfig_pool_verify_range(msglevel, start, end))
+ {
+ goto err;
+ }
+
+ options->ifconfig_pool_defined = true;
+ options->ifconfig_pool_start = start;
+ options->ifconfig_pool_end = end;
+ if (netmask)
+ {
+ options->ifconfig_pool_netmask = netmask;
+ }
+ }
+ else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->ifconfig_pool_persist_filename = p[1];
+ if (p[2])
+ {
+ options->ifconfig_pool_persist_refresh_freq = positive_atoi(p[2]);
+ }
+ }
+ else if (streq(p[0], "ifconfig-pool-linear") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->topology = TOP_P2P;
+ }
+ else if (streq(p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
+ {
+ const int lev = M_WARN;
+ struct in6_addr network;
+ unsigned int netbits = 0;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (!get_ipv6_addr(p[1], &network, &netbits, lev ) )
+ {
+ msg(msglevel, "error parsing --ifconfig-ipv6-pool parameters");
+ goto err;
+ }
+ if (netbits < 64 || netbits > 112)
+ {
+ msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits );
+ goto err;
+ }
+
+ options->ifconfig_ipv6_pool_defined = true;
+ options->ifconfig_ipv6_pool_base = network;
+ options->ifconfig_ipv6_pool_netbits = netbits;
+ }
+ else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
+ {
+ int real, virtual;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ real = atoi(p[1]);
+ virtual = atoi(p[2]);
+ if (real < 1 || virtual < 1)
+ {
+ msg(msglevel, "--hash-size sizes must be >= 1 (preferably a power of 2)");
+ goto err;
+ }
+ options->real_hash_size = real;
+ options->virtual_hash_size = real;
+ }
+ else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
+ {
+ int cf_max, cf_per;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ cf_max = atoi(p[1]);
+ cf_per = atoi(p[2]);
+ if (cf_max < 0 || cf_per < 0)
+ {
+ msg(msglevel, "--connect-freq parms must be > 0");
+ goto err;
+ }
+ options->cf_max = cf_max;
+ options->cf_per = cf_per;
+ }
+ else if (streq(p[0], "max-clients") && p[1] && !p[2])
+ {
+ int max_clients;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ max_clients = atoi(p[1]);
+ if (max_clients < 0)
+ {
+ msg(msglevel, "--max-clients must be at least 1");
+ goto err;
+ }
+ if (max_clients >= MAX_PEER_ID) /* max peer-id value */
+ {
+ msg(msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
+ goto err;
+ }
+ options->max_clients = max_clients;
+ }
+ else if (streq(p[0], "max-routes-per-client") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_INHERIT);
+ options->max_routes_per_client = max_int(atoi(p[1]), 1);
+ }
+ else if (streq(p[0], "client-cert-not-required") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
+ msg(M_WARN, "DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead");
+ }
+ else if (streq(p[0], "verify-client-cert") && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+
+ /* Reset any existing flags */
+ options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
+ options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
+ if (p[1])
+ {
+ if (streq(p[1], "none"))
+ {
+ options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
+ }
+ else if (streq(p[1], "optional"))
+ {
+ options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
+ }
+ else if (!streq(p[1], "require"))
+ {
+ msg(msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
+ goto err;
+ }
+ }
+ }
+ else if (streq(p[0], "username-as-common-name") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
+ }
+ else if (streq(p[0], "auth-user-pass-optional") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
+ }
+ else if (streq(p[0], "opt-verify") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_SCRIPT);
- if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
- goto err;
- set_user_script (options, &options->client_connect_script,
- p[1], "client-connect", true);
- }
- else if (streq (p[0], "client-disconnect") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_SCRIPT);
- if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
- goto err;
- set_user_script (options, &options->client_disconnect_script,
- p[1], "client-disconnect", true);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->ssl_flags |= SSLF_OPT_VERIFY;
}
- else if (streq (p[0], "learn-address") && p[1])
+ else if (streq(p[0], "auth-user-pass-verify") && p[1])
{
- VERIFY_PERMISSION (OPT_P_SCRIPT);
- if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
- goto err;
- set_user_script (options, &options->learn_address_script,
- p[1], "learn-address", true);
+ VERIFY_PERMISSION(OPT_P_SCRIPT);
+ if (!no_more_than_n_args(msglevel, p, 3, NM_QUOTE_HINT))
+ {
+ goto err;
+ }
+ if (p[2])
+ {
+ if (streq(p[2], "via-env"))
+ {
+ options->auth_user_pass_verify_script_via_file = false;
+ }
+ else if (streq(p[2], "via-file"))
+ {
+ options->auth_user_pass_verify_script_via_file = true;
+ }
+ else
+ {
+ msg(msglevel, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
+ goto err;
+ }
+ }
+ else
+ {
+ msg(msglevel, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
+ goto err;
+ }
+ set_user_script(options,
+ &options->auth_user_pass_verify_script,
+ p[1], "auth-user-pass-verify", true);
+ }
+ else if (streq(p[0], "auth-gen-token"))
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->auth_token_generate = true;
+ options->auth_token_lifetime = p[1] ? positive_atoi(p[1]) : 0;
+ }
+ else if (streq(p[0], "client-connect") && p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_SCRIPT);
+ if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
+ {
+ goto err;
+ }
+ set_user_script(options, &options->client_connect_script,
+ p[1], "client-connect", true);
+ }
+ else if (streq(p[0], "client-disconnect") && p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_SCRIPT);
+ if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
+ {
+ goto err;
+ }
+ set_user_script(options, &options->client_disconnect_script,
+ p[1], "client-disconnect", true);
+ }
+ else if (streq(p[0], "learn-address") && p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_SCRIPT);
+ if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
+ {
+ goto err;
+ }
+ set_user_script(options, &options->learn_address_script,
+ p[1], "learn-address", true);
}
- else if (streq (p[0], "tmp-dir") && p[1] && !p[2])
+ else if (streq(p[0], "tmp-dir") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->tmp_dir = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->tmp_dir = p[1];
}
- else if (streq (p[0], "client-config-dir") && p[1] && !p[2])
+ else if (streq(p[0], "client-config-dir") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->client_config_dir = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->client_config_dir = p[1];
}
- else if (streq (p[0], "ccd-exclusive") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->ccd_exclusive = true;
- }
- else if (streq (p[0], "bcast-buffers") && p[1] && !p[2])
+ else if (streq(p[0], "ccd-exclusive") && !p[1])
{
- int n_bcast_buf;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->ccd_exclusive = true;
+ }
+ else if (streq(p[0], "bcast-buffers") && p[1] && !p[2])
+ {
+ int n_bcast_buf;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- n_bcast_buf = atoi (p[1]);
- if (n_bcast_buf < 1)
- msg (msglevel, "--bcast-buffers parameter must be > 0");
- options->n_bcast_buf = n_bcast_buf;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ n_bcast_buf = atoi(p[1]);
+ if (n_bcast_buf < 1)
+ {
+ msg(msglevel, "--bcast-buffers parameter must be > 0");
+ }
+ options->n_bcast_buf = n_bcast_buf;
}
- else if (streq (p[0], "tcp-queue-limit") && p[1] && !p[2])
+ else if (streq(p[0], "tcp-queue-limit") && p[1] && !p[2])
{
- int tcp_queue_limit;
+ int tcp_queue_limit;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- tcp_queue_limit = atoi (p[1]);
- if (tcp_queue_limit < 1)
- msg (msglevel, "--tcp-queue-limit parameter must be > 0");
- options->tcp_queue_limit = tcp_queue_limit;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ tcp_queue_limit = atoi(p[1]);
+ if (tcp_queue_limit < 1)
+ {
+ msg(msglevel, "--tcp-queue-limit parameter must be > 0");
+ }
+ options->tcp_queue_limit = tcp_queue_limit;
}
#if PORT_SHARE
- else if (streq (p[0], "port-share") && p[1] && p[2] && !p[4])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->port_share_host = p[1];
- options->port_share_port = p[2];
- options->port_share_journal_dir = p[3];
- }
-#endif
- else if (streq (p[0], "client-to-client") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->enable_c2c = true;
- }
- else if (streq (p[0], "duplicate-cn") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->duplicate_cn = true;
- }
- else if (streq (p[0], "iroute") && p[1] && !p[3])
- {
- const char *netmask = NULL;
-
- VERIFY_PERMISSION (OPT_P_INSTANCE);
- if (p[2])
- {
- netmask = p[2];
- }
- option_iroute (options, p[1], netmask, msglevel);
- }
- else if (streq (p[0], "iroute-ipv6") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_INSTANCE);
- option_iroute_ipv6 (options, p[1], msglevel);
- }
- else if (streq (p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
- {
- in_addr_t local, remote_netmask;
-
- VERIFY_PERMISSION (OPT_P_INSTANCE);
- local = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
- remote_netmask = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
- if (local && remote_netmask)
- {
- options->push_ifconfig_defined = true;
- options->push_ifconfig_local = local;
- options->push_ifconfig_remote_netmask = remote_netmask;
- if (p[3])
- options->push_ifconfig_local_alias = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
- }
- else
- {
- msg (msglevel, "cannot parse --ifconfig-push addresses");
- goto err;
- }
- }
- else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
- {
- in_addr_t network, netmask;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- network = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
- netmask = getaddr (GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
- if (network && netmask)
- {
- options->push_ifconfig_constraint_defined = true;
- options->push_ifconfig_constraint_network = network;
- options->push_ifconfig_constraint_netmask = netmask;
- }
- else
- {
- msg (msglevel, "cannot parse --ifconfig-push-constraint addresses");
- goto err;
- }
- }
- else if (streq (p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
- {
- struct in6_addr local, remote;
- unsigned int netbits;
-
- VERIFY_PERMISSION (OPT_P_INSTANCE);
-
- if ( ! get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
- {
- msg (msglevel, "cannot parse --ifconfig-ipv6-push addresses");
- goto err;
- }
-
- if ( p[2] )
- {
- if ( !get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
- {
- msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
- goto err;
- }
- }
- else
- {
- if ( ! options->ifconfig_ipv6_local ||
- ! get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
- NULL, msglevel ) )
- {
- msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
- goto err;
- }
- }
-
- options->push_ifconfig_ipv6_defined = true;
- options->push_ifconfig_ipv6_local = local;
- options->push_ifconfig_ipv6_netbits = netbits;
- options->push_ifconfig_ipv6_remote = remote;
- options->push_ifconfig_ipv6_blocked = false;
- }
- else if (streq (p[0], "disable") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_INSTANCE);
- options->disable = true;
- }
- else if (streq (p[0], "tcp-nodelay") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->server_flags |= SF_TCP_NODELAY_HELPER;
- }
- else if (streq (p[0], "stale-routes-check") && p[1] && !p[3])
- {
- int ageing_time, check_interval;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- ageing_time = atoi (p[1]);
- if (p[2])
- check_interval = atoi (p[2]);
- else
- check_interval = ageing_time;
-
- if (ageing_time < 1 || check_interval < 1)
- {
- msg (msglevel, "--stale-routes-check aging time and check interval must be >= 1");
- goto err;
+ else if (streq(p[0], "port-share") && p[1] && p[2] && !p[4])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->port_share_host = p[1];
+ options->port_share_port = p[2];
+ options->port_share_journal_dir = p[3];
+ }
+#endif
+ else if (streq(p[0], "client-to-client") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->enable_c2c = true;
+ }
+ else if (streq(p[0], "duplicate-cn") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->duplicate_cn = true;
+ }
+ else if (streq(p[0], "iroute") && p[1] && !p[3])
+ {
+ const char *netmask = NULL;
+
+ VERIFY_PERMISSION(OPT_P_INSTANCE);
+ if (p[2])
+ {
+ netmask = p[2];
+ }
+ option_iroute(options, p[1], netmask, msglevel);
+ }
+ else if (streq(p[0], "iroute-ipv6") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_INSTANCE);
+ option_iroute_ipv6(options, p[1], msglevel);
+ }
+ else if (streq(p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
+ {
+ in_addr_t local, remote_netmask;
+
+ VERIFY_PERMISSION(OPT_P_INSTANCE);
+ local = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
+ remote_netmask = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[2], 0, NULL, NULL);
+ if (local && remote_netmask)
+ {
+ options->push_ifconfig_defined = true;
+ options->push_ifconfig_local = local;
+ options->push_ifconfig_remote_netmask = remote_netmask;
+ if (p[3])
+ {
+ options->push_ifconfig_local_alias = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
+ }
+ }
+ else
+ {
+ msg(msglevel, "cannot parse --ifconfig-push addresses");
+ goto err;
+ }
+ }
+ else if (streq(p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
+ {
+ in_addr_t network, netmask;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ network = getaddr(GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[1], 0, NULL, NULL);
+ netmask = getaddr(GETADDR_HOST_ORDER, p[2], 0, NULL, NULL);
+ if (network && netmask)
+ {
+ options->push_ifconfig_constraint_defined = true;
+ options->push_ifconfig_constraint_network = network;
+ options->push_ifconfig_constraint_netmask = netmask;
+ }
+ else
+ {
+ msg(msglevel, "cannot parse --ifconfig-push-constraint addresses");
+ goto err;
+ }
+ }
+ else if (streq(p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
+ {
+ struct in6_addr local, remote;
+ unsigned int netbits;
+
+ VERIFY_PERMISSION(OPT_P_INSTANCE);
+
+ if (!get_ipv6_addr( p[1], &local, &netbits, msglevel ) )
+ {
+ msg(msglevel, "cannot parse --ifconfig-ipv6-push addresses");
+ goto err;
+ }
+
+ if (p[2])
+ {
+ if (!get_ipv6_addr( p[2], &remote, NULL, msglevel ) )
+ {
+ msg( msglevel, "cannot parse --ifconfig-ipv6-push addresses");
+ goto err;
+ }
+ }
+ else
+ {
+ if (!options->ifconfig_ipv6_local
+ || !get_ipv6_addr( options->ifconfig_ipv6_local, &remote,
+ NULL, msglevel ) )
+ {
+ msg( msglevel, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
+ goto err;
+ }
}
- options->stale_routes_ageing_time = ageing_time;
- options->stale_routes_check_interval = check_interval;
+
+ options->push_ifconfig_ipv6_defined = true;
+ options->push_ifconfig_ipv6_local = local;
+ options->push_ifconfig_ipv6_netbits = netbits;
+ options->push_ifconfig_ipv6_remote = remote;
+ options->push_ifconfig_ipv6_blocked = false;
+ }
+ else if (streq(p[0], "disable") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_INSTANCE);
+ options->disable = true;
+ }
+ else if (streq(p[0], "tcp-nodelay") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->server_flags |= SF_TCP_NODELAY_HELPER;
+ }
+ else if (streq(p[0], "stale-routes-check") && p[1] && !p[3])
+ {
+ int ageing_time, check_interval;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ ageing_time = atoi(p[1]);
+ if (p[2])
+ {
+ check_interval = atoi(p[2]);
+ }
+ else
+ {
+ check_interval = ageing_time;
+ }
+
+ if (ageing_time < 1 || check_interval < 1)
+ {
+ msg(msglevel, "--stale-routes-check aging time and check interval must be >= 1");
+ goto err;
+ }
+ options->stale_routes_ageing_time = ageing_time;
+ options->stale_routes_check_interval = check_interval;
}
#endif /* P2MP_SERVER */
- else if (streq (p[0], "client") && !p[1])
+ else if (streq(p[0], "client") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->client = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->client = true;
}
- else if (streq (p[0], "pull") && !p[1])
+ else if (streq(p[0], "pull") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->pull = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->pull = true;
}
- else if (streq (p[0], "push-continuation") && p[1] && !p[2])
+ else if (streq(p[0], "push-continuation") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_PULL_MODE);
- options->push_continuation = atoi(p[1]);
+ VERIFY_PERMISSION(OPT_P_PULL_MODE);
+ options->push_continuation = atoi(p[1]);
}
- else if (streq (p[0], "auth-user-pass") && !p[2])
+ else if (streq(p[0], "auth-user-pass") && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (p[1])
- {
- options->auth_user_pass_file = p[1];
- }
- else
- options->auth_user_pass_file = "stdin";
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (p[1])
+ {
+ options->auth_user_pass_file = p[1];
+ }
+ else
+ {
+ options->auth_user_pass_file = "stdin";
+ }
}
- else if (streq (p[0], "auth-retry") && p[1] && !p[2])
+ else if (streq(p[0], "auth-retry") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- auth_retry_set (msglevel, p[1]);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ auth_retry_set(msglevel, p[1]);
}
#ifdef ENABLE_CLIENT_CR
- else if (streq (p[0], "static-challenge") && p[1] && p[2] && !p[3])
+ else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->sc_info.challenge_text = p[1];
- if (atoi(p[2]))
- options->sc_info.flags |= SC_ECHO;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->sc_info.challenge_text = p[1];
+ if (atoi(p[2]))
+ {
+ options->sc_info.flags |= SC_ECHO;
+ }
}
#endif
-#endif
- else if (streq (p[0], "msg-channel") && p[1])
+#endif /* if P2MP */
+ else if (streq(p[0], "msg-channel") && p[1])
{
#ifdef _WIN32
- VERIFY_PERMISSION (OPT_P_GENERAL);
- HANDLE process = GetCurrentProcess ();
- HANDLE handle = (HANDLE) atoi (p[1]);
- if (!DuplicateHandle (process, handle, process, &options->msg_channel, 0,
- FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ HANDLE process = GetCurrentProcess();
+ HANDLE handle = (HANDLE) atoi(p[1]);
+ if (!DuplicateHandle(process, handle, process, &options->msg_channel, 0,
+ FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
{
- msg (msglevel, "could not duplicate service pipe handle");
- goto err;
+ msg(msglevel, "could not duplicate service pipe handle");
+ goto err;
}
- options->route_method = ROUTE_METHOD_SERVICE;
-#else
- msg (msglevel, "--msg-channel is only supported on Windows");
- goto err;
+ options->route_method = ROUTE_METHOD_SERVICE;
+#else /* ifdef _WIN32 */
+ msg(msglevel, "--msg-channel is only supported on Windows");
+ goto err;
#endif
}
#ifdef _WIN32
- else if (streq (p[0], "win-sys") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], "env"))
- msg (M_INFO, "NOTE: --win-sys env is default from OpenVPN v2.3. "
- "This entry will now be ignored. "
- "Please remove this entry from your configuration file.");
- else
- set_win_sys_path (p[1], es);
- }
- else if (streq (p[0], "route-method") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
- if (streq (p[1], "adaptive"))
- options->route_method = ROUTE_METHOD_ADAPTIVE;
- else if (streq (p[1], "ipapi"))
- options->route_method = ROUTE_METHOD_IPAPI;
- else if (streq (p[1], "exe"))
- options->route_method = ROUTE_METHOD_EXE;
- else
- {
- msg (msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
- goto err;
- }
- }
- else if (streq (p[0], "ip-win32") && p[1] && !p[4])
- {
- const int index = ascii2ipset (p[1]);
- struct tuntap_options *to = &options->tuntap_options;
-
- VERIFY_PERMISSION (OPT_P_IPWIN32);
-
- if (index < 0)
- {
- msg (msglevel,
- "Bad --ip-win32 method: '%s'. Allowed methods: %s",
- p[1],
- ipset2ascii_all (&gc));
- goto err;
- }
-
- if (index == IPW32_SET_ADAPTIVE)
- options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
-
- if (index == IPW32_SET_DHCP_MASQ)
- {
- if (p[2])
- {
- if (!streq (p[2], "default"))
- {
- int offset = atoi (p[2]);
-
- if (!(offset > -256 && offset < 256))
- {
- msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
- goto err;
- }
-
- to->dhcp_masq_custom_offset = true;
- to->dhcp_masq_offset = offset;
- }
-
- if (p[3])
- {
- const int min_lease = 30;
- int lease_time;
- lease_time = atoi (p[3]);
- if (lease_time < min_lease)
- {
- msg (msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
- goto err;
- }
- to->dhcp_lease_time = lease_time;
- }
- }
- }
- to->ip_win32_type = index;
- to->ip_win32_defined = true;
+ else if (streq(p[0], "win-sys") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[1], "env"))
+ {
+ msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN v2.3. "
+ "This entry will now be ignored. "
+ "Please remove this entry from your configuration file.");
+ }
+ else
+ {
+ set_win_sys_path(p[1], es);
+ }
}
-#endif
+ else if (streq(p[0], "route-method") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
+ if (streq(p[1], "adaptive"))
+ {
+ options->route_method = ROUTE_METHOD_ADAPTIVE;
+ }
+ else if (streq(p[1], "ipapi"))
+ {
+ options->route_method = ROUTE_METHOD_IPAPI;
+ }
+ else if (streq(p[1], "exe"))
+ {
+ options->route_method = ROUTE_METHOD_EXE;
+ }
+ else
+ {
+ msg(msglevel, "--route method must be 'adaptive', 'ipapi', or 'exe'");
+ goto err;
+ }
+ }
+ else if (streq(p[0], "ip-win32") && p[1] && !p[4])
+ {
+ const int index = ascii2ipset(p[1]);
+ struct tuntap_options *to = &options->tuntap_options;
+
+ VERIFY_PERMISSION(OPT_P_IPWIN32);
+
+ if (index < 0)
+ {
+ msg(msglevel,
+ "Bad --ip-win32 method: '%s'. Allowed methods: %s",
+ p[1],
+ ipset2ascii_all(&gc));
+ goto err;
+ }
+
+ if (index == IPW32_SET_ADAPTIVE)
+ {
+ options->route_delay_window = IPW32_SET_ADAPTIVE_DELAY_WINDOW;
+ }
+
+ if (index == IPW32_SET_DHCP_MASQ)
+ {
+ if (p[2])
+ {
+ if (!streq(p[2], "default"))
+ {
+ int offset = atoi(p[2]);
+
+ if (!(offset > -256 && offset < 256))
+ {
+ msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset);
+ goto err;
+ }
+
+ to->dhcp_masq_custom_offset = true;
+ to->dhcp_masq_offset = offset;
+ }
+
+ if (p[3])
+ {
+ const int min_lease = 30;
+ int lease_time;
+ lease_time = atoi(p[3]);
+ if (lease_time < min_lease)
+ {
+ msg(msglevel, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time, min_lease);
+ goto err;
+ }
+ to->dhcp_lease_time = lease_time;
+ }
+ }
+ }
+ to->ip_win32_type = index;
+ to->ip_win32_defined = true;
+ }
+#endif /* ifdef _WIN32 */
#if defined(_WIN32) || defined(TARGET_ANDROID)
- else if (streq (p[0], "dhcp-option") && p[1] && !p[3])
- {
- struct tuntap_options *o = &options->tuntap_options;
- VERIFY_PERMISSION (OPT_P_IPWIN32);
-
- if (streq (p[1], "DOMAIN") && p[2])
- {
- o->domain = p[2];
- }
- else if (streq (p[1], "NBS") && p[2])
- {
- o->netbios_scope = p[2];
- }
- else if (streq (p[1], "NBT") && p[2])
- {
- int t;
- t = atoi (p[2]);
- if (!(t == 1 || t == 2 || t == 4 || t == 8))
- {
- msg (msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
- goto err;
- }
- o->netbios_node_type = t;
- }
- else if (streq (p[1], "DNS") && p[2])
- {
- dhcp_option_address_parse ("DNS", p[2], o->dns, &o->dns_len, msglevel);
- }
- else if (streq (p[1], "DNS6") && p[2] && ipv6_addr_safe(p[2]))
- {
- struct in6_addr addr;
- foreign_option (options, p, 3, es);
- if (o->dns6_len >= N_DHCP_ADDR)
- {
- msg (msglevel, "--dhcp-option DNS6: maximum of %d dns servers can be specified",
- N_DHCP_ADDR);
- }
- else if (get_ipv6_addr (p[2], &addr, NULL, msglevel))
- {
- o->dns6[o->dns6_len++] = addr;
- }
- }
- else if (streq (p[1], "WINS") && p[2])
- {
- dhcp_option_address_parse ("WINS", p[2], o->wins, &o->wins_len, msglevel);
- }
- else if (streq (p[1], "NTP") && p[2])
- {
- dhcp_option_address_parse ("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
- }
- else if (streq (p[1], "NBDD") && p[2])
- {
- dhcp_option_address_parse ("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
- }
- else if (streq (p[1], "DISABLE-NBT") && !p[2])
- {
- o->disable_nbt = 1;
- }
- else
- {
- msg (msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
- goto err;
- }
-
- /* flag that we have options to give to the TAP driver's DHCPv4 server
- * - skipped for "DNS6", as that's not a DHCPv4 option
- */
- if (!streq (p[1], "DNS6"))
- {
- o->dhcp_options = true;
- }
+ else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
+ {
+ struct tuntap_options *o = &options->tuntap_options;
+ VERIFY_PERMISSION(OPT_P_IPWIN32);
+
+ if (streq(p[1], "DOMAIN") && p[2])
+ {
+ o->domain = p[2];
+ }
+ else if (streq(p[1], "NBS") && p[2])
+ {
+ o->netbios_scope = p[2];
+ }
+ else if (streq(p[1], "NBT") && p[2])
+ {
+ int t;
+ t = atoi(p[2]);
+ if (!(t == 1 || t == 2 || t == 4 || t == 8))
+ {
+ msg(msglevel, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
+ goto err;
+ }
+ o->netbios_node_type = t;
+ }
+ else if (streq(p[1], "DNS") && p[2])
+ {
+ dhcp_option_address_parse("DNS", p[2], o->dns, &o->dns_len, msglevel);
+ }
+ else if (streq(p[1], "DNS6") && p[2] && ipv6_addr_safe(p[2]))
+ {
+ struct in6_addr addr;
+ foreign_option(options, p, 3, es);
+ if (o->dns6_len >= N_DHCP_ADDR)
+ {
+ msg(msglevel, "--dhcp-option DNS6: maximum of %d dns servers can be specified",
+ N_DHCP_ADDR);
+ }
+ else if (get_ipv6_addr(p[2], &addr, NULL, msglevel))
+ {
+ o->dns6[o->dns6_len++] = addr;
+ }
+ }
+ else if (streq(p[1], "WINS") && p[2])
+ {
+ dhcp_option_address_parse("WINS", p[2], o->wins, &o->wins_len, msglevel);
+ }
+ else if (streq(p[1], "NTP") && p[2])
+ {
+ dhcp_option_address_parse("NTP", p[2], o->ntp, &o->ntp_len, msglevel);
+ }
+ else if (streq(p[1], "NBDD") && p[2])
+ {
+ dhcp_option_address_parse("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
+ }
+ else if (streq(p[1], "DISABLE-NBT") && !p[2])
+ {
+ o->disable_nbt = 1;
+ }
+ else
+ {
+ msg(msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
+ goto err;
+ }
+
+ /* flag that we have options to give to the TAP driver's DHCPv4 server
+ * - skipped for "DNS6", as that's not a DHCPv4 option
+ */
+ if (!streq(p[1], "DNS6"))
+ {
+ o->dhcp_options = true;
+ }
}
-#endif
+#endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
#ifdef _WIN32
- else if (streq (p[0], "show-adapters") && !p[1])
+ else if (streq(p[0], "show-adapters") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- show_tap_win_adapters (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
- openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ show_tap_win_adapters(M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
+ openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "show-net") && !p[1])
+ else if (streq(p[0], "show-net") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- show_routes (M_INFO|M_NOPREFIX);
- show_adapters (M_INFO|M_NOPREFIX);
- openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ show_routes(M_INFO|M_NOPREFIX);
+ show_adapters(M_INFO|M_NOPREFIX);
+ openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "show-net-up") && !p[1])
+ else if (streq(p[0], "show-net-up") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_UP);
- options->show_net_up = true;
+ VERIFY_PERMISSION(OPT_P_UP);
+ options->show_net_up = true;
}
- else if (streq (p[0], "tap-sleep") && p[1] && !p[2])
+ else if (streq(p[0], "tap-sleep") && p[1] && !p[2])
{
- int s;
- VERIFY_PERMISSION (OPT_P_IPWIN32);
- s = atoi (p[1]);
- if (s < 0 || s >= 256)
- {
- msg (msglevel, "--tap-sleep parameter must be between 0 and 255");
- goto err;
- }
- options->tuntap_options.tap_sleep = s;
+ int s;
+ VERIFY_PERMISSION(OPT_P_IPWIN32);
+ s = atoi(p[1]);
+ if (s < 0 || s >= 256)
+ {
+ msg(msglevel, "--tap-sleep parameter must be between 0 and 255");
+ goto err;
+ }
+ options->tuntap_options.tap_sleep = s;
}
- else if (streq (p[0], "dhcp-renew") && !p[1])
+ else if (streq(p[0], "dhcp-renew") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_IPWIN32);
- options->tuntap_options.dhcp_renew = true;
+ VERIFY_PERMISSION(OPT_P_IPWIN32);
+ options->tuntap_options.dhcp_renew = true;
}
- else if (streq (p[0], "dhcp-pre-release") && !p[1])
+ else if (streq(p[0], "dhcp-pre-release") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_IPWIN32);
- options->tuntap_options.dhcp_pre_release = true;
+ VERIFY_PERMISSION(OPT_P_IPWIN32);
+ options->tuntap_options.dhcp_pre_release = true;
}
- else if (streq (p[0], "dhcp-release") && !p[1])
+ else if (streq(p[0], "dhcp-release") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_IPWIN32);
- options->tuntap_options.dhcp_release = true;
+ VERIFY_PERMISSION(OPT_P_IPWIN32);
+ options->tuntap_options.dhcp_release = true;
}
- else if (streq (p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
+ else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
{
- unsigned int adapter_index;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- set_debug_level (options->verbosity, SDL_CONSTRAIN);
- adapter_index = atou (p[1]);
- sleep (options->tuntap_options.tap_sleep);
- if (options->tuntap_options.dhcp_pre_release)
- dhcp_release_by_adapter_index (adapter_index);
- if (options->tuntap_options.dhcp_renew)
- dhcp_renew_by_adapter_index (adapter_index);
- openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+ unsigned int adapter_index;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ set_debug_level(options->verbosity, SDL_CONSTRAIN);
+ adapter_index = atou(p[1]);
+ sleep(options->tuntap_options.tap_sleep);
+ if (options->tuntap_options.dhcp_pre_release)
+ {
+ dhcp_release_by_adapter_index(adapter_index);
+ }
+ if (options->tuntap_options.dhcp_renew)
+ {
+ dhcp_renew_by_adapter_index(adapter_index);
+ }
+ openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "register-dns") && !p[1])
+ else if (streq(p[0], "register-dns") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_IPWIN32);
- options->tuntap_options.register_dns = true;
+ VERIFY_PERMISSION(OPT_P_IPWIN32);
+ options->tuntap_options.register_dns = true;
}
- else if (streq (p[0], "block-outside-dns") && !p[1])
+ else if (streq(p[0], "block-outside-dns") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_IPWIN32);
- options->block_outside_dns = true;
+ VERIFY_PERMISSION(OPT_P_IPWIN32);
+ options->block_outside_dns = true;
}
- else if (streq (p[0], "rdns-internal") && !p[1])
- /* standalone method for internal use
- *
- * (if --register-dns is set, openvpn needs to call itself in a
- * sub-process to execute the required functions in a non-blocking
- * way, and uses --rdns-internal to signal that to itself)
- */
+ else if (streq(p[0], "rdns-internal") && !p[1])
+ /* standalone method for internal use
+ *
+ * (if --register-dns is set, openvpn needs to call itself in a
+ * sub-process to execute the required functions in a non-blocking
+ * way, and uses --rdns-internal to signal that to itself)
+ */
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- set_debug_level (options->verbosity, SDL_CONSTRAIN);
- if (options->tuntap_options.register_dns)
- ipconfig_register_dns (NULL);
- openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ set_debug_level(options->verbosity, SDL_CONSTRAIN);
+ if (options->tuntap_options.register_dns)
+ {
+ ipconfig_register_dns(NULL);
+ }
+ openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "show-valid-subnets") && !p[1])
+ else if (streq(p[0], "show-valid-subnets") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- show_valid_win32_tun_subnets ();
- openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ show_valid_win32_tun_subnets();
+ openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "pause-exit") && !p[1])
+ else if (streq(p[0], "pause-exit") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- set_pause_exit_win32 ();
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ set_pause_exit_win32();
}
- else if (streq (p[0], "service") && p[1] && !p[3])
+ else if (streq(p[0], "service") && p[1] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->exit_event_name = p[1];
- if (p[2])
- {
- options->exit_event_initial_state = (atoi(p[2]) != 0);
- }
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->exit_event_name = p[1];
+ if (p[2])
+ {
+ options->exit_event_initial_state = (atoi(p[2]) != 0);
+ }
}
- else if (streq (p[0], "allow-nonadmin") && !p[2])
+ else if (streq(p[0], "allow-nonadmin") && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- tap_allow_nonadmin_access (p[1]);
- openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ tap_allow_nonadmin_access(p[1]);
+ openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "user") && p[1] && !p[2])
+ else if (streq(p[0], "user") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- msg (M_WARN, "NOTE: --user option is not implemented on Windows");
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ msg(M_WARN, "NOTE: --user option is not implemented on Windows");
}
- else if (streq (p[0], "group") && p[1] && !p[2])
+ else if (streq(p[0], "group") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- msg (M_WARN, "NOTE: --group option is not implemented on Windows");
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ msg(M_WARN, "NOTE: --group option is not implemented on Windows");
}
-#else
- else if (streq (p[0], "user") && p[1] && !p[2])
+#else /* ifdef _WIN32 */
+ else if (streq(p[0], "user") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->username = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->username = p[1];
}
- else if (streq (p[0], "group") && p[1] && !p[2])
+ else if (streq(p[0], "group") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->groupname = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->groupname = p[1];
}
- else if (streq (p[0], "dhcp-option") && p[1] && !p[3])
+ else if (streq(p[0], "dhcp-option") && p[1] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_IPWIN32);
- foreign_option (options, p, 3, es);
+ VERIFY_PERMISSION(OPT_P_IPWIN32);
+ foreign_option(options, p, 3, es);
}
- else if (streq (p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
+ else if (streq(p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
{
- VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
+ VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS);
}
-#endif
+#endif /* ifdef _WIN32 */
#if PASSTOS_CAPABILITY
- else if (streq (p[0], "passtos") && !p[1])
+ else if (streq(p[0], "passtos") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->passtos = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->passtos = true;
}
#endif
#if defined(USE_COMP)
- else if (streq (p[0], "comp-lzo") && !p[2])
+ else if (streq(p[0], "comp-lzo") && !p[2])
{
- VERIFY_PERMISSION (OPT_P_COMP);
+ VERIFY_PERMISSION(OPT_P_COMP);
#if defined(ENABLE_LZO)
- if (p[1] && streq (p[1], "no"))
+ if (p[1] && streq(p[1], "no"))
#endif
- {
- options->comp.alg = COMP_ALG_STUB;
- options->comp.flags = 0;
- }
+ {
+ options->comp.alg = COMP_ALG_STUB;
+ options->comp.flags = 0;
+ }
#if defined(ENABLE_LZO)
- else if (p[1])
- {
- if (streq (p[1], "yes"))
- {
- options->comp.alg = COMP_ALG_LZO;
- options->comp.flags = 0;
- }
- else if (streq (p[1], "adaptive"))
- {
- options->comp.alg = COMP_ALG_LZO;
- options->comp.flags = COMP_F_ADAPTIVE;
- }
- else
- {
- msg (msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
- goto err;
- }
- }
- else
- {
- options->comp.alg = COMP_ALG_LZO;
- options->comp.flags = COMP_F_ADAPTIVE;
- }
-#endif
- }
- else if (streq (p[0], "comp-noadapt") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_COMP);
- options->comp.flags &= ~COMP_F_ADAPTIVE;
- }
- else if (streq (p[0], "compress") && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_COMP);
- if (p[1])
- {
- if (streq (p[1], "stub"))
- {
- options->comp.alg = COMP_ALG_STUB;
- options->comp.flags = (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
- }
- else if (streq(p[1], "stub-v2"))
- {
- options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
- options->comp.flags = COMP_F_ADVERTISE_STUBS_ONLY;
- }
+ else if (p[1])
+ {
+ if (streq(p[1], "yes"))
+ {
+ options->comp.alg = COMP_ALG_LZO;
+ options->comp.flags = 0;
+ }
+ else if (streq(p[1], "adaptive"))
+ {
+ options->comp.alg = COMP_ALG_LZO;
+ options->comp.flags = COMP_F_ADAPTIVE;
+ }
+ else
+ {
+ msg(msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
+ goto err;
+ }
+ }
+ else
+ {
+ options->comp.alg = COMP_ALG_LZO;
+ options->comp.flags = COMP_F_ADAPTIVE;
+ }
+#endif /* if defined(ENABLE_LZO) */
+ }
+ else if (streq(p[0], "comp-noadapt") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_COMP);
+ options->comp.flags &= ~COMP_F_ADAPTIVE;
+ }
+ else if (streq(p[0], "compress") && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_COMP);
+ if (p[1])
+ {
+ if (streq(p[1], "stub"))
+ {
+ options->comp.alg = COMP_ALG_STUB;
+ options->comp.flags = (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
+ }
+ else if (streq(p[1], "stub-v2"))
+ {
+ options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
+ options->comp.flags = COMP_F_ADVERTISE_STUBS_ONLY;
+ }
#if defined(ENABLE_LZO)
- else if (streq (p[1], "lzo"))
- {
- options->comp.alg = COMP_ALG_LZO;
- options->comp.flags = 0;
- }
+ else if (streq(p[1], "lzo"))
+ {
+ options->comp.alg = COMP_ALG_LZO;
+ options->comp.flags = 0;
+ }
#endif
#if defined(ENABLE_LZ4)
- else if (streq (p[1], "lz4"))
- {
- options->comp.alg = COMP_ALG_LZ4;
- options->comp.flags = COMP_F_SWAP;
- }
- else if (streq (p[1], "lz4-v2"))
- {
- options->comp.alg = COMP_ALGV2_LZ4;
- options->comp.flags = 0;
- }
-#endif
- else
- {
- msg (msglevel, "bad comp option: %s", p[1]);
- goto err;
- }
- }
- else
- {
- options->comp.alg = COMP_ALG_STUB;
- options->comp.flags = COMP_F_SWAP;
- }
+ else if (streq(p[1], "lz4"))
+ {
+ options->comp.alg = COMP_ALG_LZ4;
+ options->comp.flags = COMP_F_SWAP;
+ }
+ else if (streq(p[1], "lz4-v2"))
+ {
+ options->comp.alg = COMP_ALGV2_LZ4;
+ options->comp.flags = 0;
+ }
+#endif
+ else
+ {
+ msg(msglevel, "bad comp option: %s", p[1]);
+ goto err;
+ }
+ }
+ else
+ {
+ options->comp.alg = COMP_ALG_STUB;
+ options->comp.flags = COMP_F_SWAP;
+ }
}
#endif /* USE_COMP */
#ifdef ENABLE_CRYPTO
- else if (streq (p[0], "show-ciphers") && !p[1])
+ else if (streq(p[0], "show-ciphers") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->show_ciphers = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->show_ciphers = true;
}
- else if (streq (p[0], "show-digests") && !p[1])
+ else if (streq(p[0], "show-digests") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->show_digests = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->show_digests = true;
}
- else if (streq (p[0], "show-engines") && !p[1])
+ else if (streq(p[0], "show-engines") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->show_engines = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->show_engines = true;
}
- else if (streq (p[0], "key-direction") && p[1] && !p[2])
+ else if (streq(p[0], "key-direction") && p[1] && !p[2])
{
- int key_direction;
+ int key_direction;
- key_direction = ascii2keydirection (msglevel, p[1]);
- if (key_direction >= 0)
- options->key_direction = key_direction;
- else
- goto err;
- }
- else if (streq (p[0], "secret") && p[1] && !p[3])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- options->shared_secret_file_inline = p[2];
- }
- else
- if (p[2])
- {
- int key_direction;
-
- key_direction = ascii2keydirection (msglevel, p[2]);
- if (key_direction >= 0)
- options->key_direction = key_direction;
- else
- goto err;
- }
- options->shared_secret_file = p[1];
- }
- else if (streq (p[0], "genkey") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->genkey = true;
- }
- else if (streq (p[0], "auth") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->authname = p[1];
+ key_direction = ascii2keydirection(msglevel, p[1]);
+ if (key_direction >= 0)
+ {
+ options->key_direction = key_direction;
+ }
+ else
+ {
+ goto err;
+ }
}
- else if (streq (p[0], "cipher") && p[1] && !p[2])
+ else if (streq(p[0], "secret") && p[1] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_NCP);
- options->ciphername = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->shared_secret_file_inline = p[2];
+ }
+ else if (p[2])
+ {
+ int key_direction;
+
+ key_direction = ascii2keydirection(msglevel, p[2]);
+ if (key_direction >= 0)
+ {
+ options->key_direction = key_direction;
+ }
+ else
+ {
+ goto err;
+ }
+ }
+ options->shared_secret_file = p[1];
}
- else if (streq (p[0], "ncp-ciphers") && p[1] && !p[2])
+ else if (streq(p[0], "genkey") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE);
- options->ncp_ciphers = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->genkey = true;
}
- else if (streq (p[0], "ncp-disable") && !p[1])
+ else if (streq(p[0], "auth") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE);
- options->ncp_enabled = false;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->authname = p[1];
}
- else if (streq (p[0], "prng") && p[1] && !p[3])
+ else if (streq(p[0], "cipher") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], "none"))
- options->prng_hash = NULL;
- else
- options->prng_hash = p[1];
- if (p[2])
- {
- const int sl = atoi (p[2]);
- if (sl >= NONCE_SECRET_LEN_MIN && sl <= NONCE_SECRET_LEN_MAX)
- {
- options->prng_nonce_secret_len = sl;
- }
- else
- {
- msg (msglevel, "prng parameter nonce_secret_len must be between %d and %d",
- NONCE_SECRET_LEN_MIN, NONCE_SECRET_LEN_MAX);
- goto err;
- }
- }
+ VERIFY_PERMISSION(OPT_P_NCP);
+ options->ciphername = p[1];
+ }
+ else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
+ options->ncp_ciphers = p[1];
+ }
+ else if (streq(p[0], "ncp-disable") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
+ options->ncp_enabled = false;
+ }
+ else if (streq(p[0], "prng") && p[1] && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[1], "none"))
+ {
+ options->prng_hash = NULL;
+ }
+ else
+ {
+ options->prng_hash = p[1];
+ }
+ if (p[2])
+ {
+ const int sl = atoi(p[2]);
+ if (sl >= NONCE_SECRET_LEN_MIN && sl <= NONCE_SECRET_LEN_MAX)
+ {
+ options->prng_nonce_secret_len = sl;
+ }
+ else
+ {
+ msg(msglevel, "prng parameter nonce_secret_len must be between %d and %d",
+ NONCE_SECRET_LEN_MIN, NONCE_SECRET_LEN_MAX);
+ goto err;
+ }
+ }
}
- else if (streq (p[0], "no-replay") && !p[1])
+ else if (streq(p[0], "no-replay") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->replay = false;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->replay = false;
}
- else if (streq (p[0], "replay-window") && !p[3])
+ else if (streq(p[0], "replay-window") && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (p[1])
- {
- int replay_window;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (p[1])
+ {
+ int replay_window;
- replay_window = atoi (p[1]);
- if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
- {
- msg (msglevel, "replay-window window size parameter (%d) must be between %d and %d",
- replay_window,
- MIN_SEQ_BACKTRACK,
- MAX_SEQ_BACKTRACK);
- goto err;
- }
- options->replay_window = replay_window;
-
- if (p[2])
- {
- int replay_time;
-
- replay_time = atoi (p[2]);
- if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
- {
- msg (msglevel, "replay-window time window parameter (%d) must be between %d and %d",
- replay_time,
- MIN_TIME_BACKTRACK,
- MAX_TIME_BACKTRACK);
- goto err;
- }
- options->replay_time = replay_time;
- }
- }
- else
- {
- msg (msglevel, "replay-window option is missing window size parameter");
- goto err;
- }
- }
- else if (streq (p[0], "mute-replay-warnings") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->mute_replay_warnings = true;
- }
- else if (streq (p[0], "no-iv") && !p[1])
+ replay_window = atoi(p[1]);
+ if (!(MIN_SEQ_BACKTRACK <= replay_window && replay_window <= MAX_SEQ_BACKTRACK))
+ {
+ msg(msglevel, "replay-window window size parameter (%d) must be between %d and %d",
+ replay_window,
+ MIN_SEQ_BACKTRACK,
+ MAX_SEQ_BACKTRACK);
+ goto err;
+ }
+ options->replay_window = replay_window;
+
+ if (p[2])
+ {
+ int replay_time;
+
+ replay_time = atoi(p[2]);
+ if (!(MIN_TIME_BACKTRACK <= replay_time && replay_time <= MAX_TIME_BACKTRACK))
+ {
+ msg(msglevel, "replay-window time window parameter (%d) must be between %d and %d",
+ replay_time,
+ MIN_TIME_BACKTRACK,
+ MAX_TIME_BACKTRACK);
+ goto err;
+ }
+ options->replay_time = replay_time;
+ }
+ }
+ else
+ {
+ msg(msglevel, "replay-window option is missing window size parameter");
+ goto err;
+ }
+ }
+ else if (streq(p[0], "mute-replay-warnings") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->use_iv = false;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->mute_replay_warnings = true;
}
- else if (streq (p[0], "replay-persist") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->packet_id_file = p[1];
- }
- else if (streq (p[0], "test-crypto") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->test_crypto = true;
+ else if (streq(p[0], "no-iv") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->use_iv = false;
+ }
+ else if (streq(p[0], "replay-persist") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->packet_id_file = p[1];
+ }
+ else if (streq(p[0], "test-crypto") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->test_crypto = true;
}
#ifndef ENABLE_CRYPTO_MBEDTLS
- else if (streq (p[0], "engine") && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (p[1])
- {
- options->engine = p[1];
- }
- else
- options->engine = "auto";
- }
+ else if (streq(p[0], "engine") && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (p[1])
+ {
+ options->engine = p[1];
+ }
+ else
+ {
+ options->engine = "auto";
+ }
+ }
#endif /* ENABLE_CRYPTO_MBEDTLS */
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
- else if (streq (p[0], "keysize") && p[1] && !p[2])
+ else if (streq(p[0], "keysize") && p[1] && !p[2])
{
- int keysize;
+ int keysize;
- VERIFY_PERMISSION (OPT_P_NCP);
- keysize = atoi (p[1]) / 8;
- if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH)
- {
- msg (msglevel, "Bad keysize: %s", p[1]);
- goto err;
- }
- options->keysize = keysize;
+ VERIFY_PERMISSION(OPT_P_NCP);
+ keysize = atoi(p[1]) / 8;
+ if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH)
+ {
+ msg(msglevel, "Bad keysize: %s", p[1]);
+ goto err;
+ }
+ options->keysize = keysize;
}
#endif
#ifdef ENABLE_PREDICTION_RESISTANCE
- else if (streq (p[0], "use-prediction-resistance") && !p[1])
+ else if (streq(p[0], "use-prediction-resistance") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->use_prediction_resistance = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->use_prediction_resistance = true;
}
#endif
- else if (streq (p[0], "show-tls") && !p[1])
+ else if (streq(p[0], "show-tls") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->show_tls_ciphers = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->show_tls_ciphers = true;
}
- else if (streq (p[0], "show-curves") && !p[1])
+ else if (streq(p[0], "show-curves") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->show_curves = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->show_curves = true;
}
- else if (streq (p[0], "ecdh-curve") && p[1] && !p[2])
+ else if (streq(p[0], "ecdh-curve") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->ecdh_curve= p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->ecdh_curve = p[1];
}
- else if (streq (p[0], "tls-server") && !p[1])
+ else if (streq(p[0], "tls-server") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->tls_server = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->tls_server = true;
}
- else if (streq (p[0], "tls-client") && !p[1])
+ else if (streq(p[0], "tls-client") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->tls_client = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->tls_client = true;
}
- else if (streq (p[0], "ca") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
+ else if (streq(p[0], "ca") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->ca_file = p[1];
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- options->ca_file_inline = p[2];
- }
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->ca_file = p[1];
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->ca_file_inline = p[2];
+ }
}
#ifndef ENABLE_CRYPTO_MBEDTLS
- else if (streq (p[0], "capath") && p[1] && !p[2])
+ else if (streq(p[0], "capath") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->ca_path = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->ca_path = p[1];
}
#endif /* ENABLE_CRYPTO_MBEDTLS */
- else if (streq (p[0], "dh") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
+ else if (streq(p[0], "dh") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->dh_file = p[1];
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- options->dh_file_inline = p[2];
- }
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->dh_file = p[1];
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->dh_file_inline = p[2];
+ }
}
- else if (streq (p[0], "cert") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
+ else if (streq(p[0], "cert") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->cert_file = p[1];
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- options->cert_file_inline = p[2];
- }
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->cert_file = p[1];
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->cert_file_inline = p[2];
+ }
}
- else if (streq (p[0], "extra-certs") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
+ else if (streq(p[0], "extra-certs") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->extra_certs_file = p[1];
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- options->extra_certs_file_inline = p[2];
- }
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->extra_certs_file = p[1];
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->extra_certs_file_inline = p[2];
+ }
}
- else if (streq (p[0], "verify-hash") && p[1] && !p[2])
+ else if (streq(p[0], "verify-hash") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
}
#ifdef ENABLE_CRYPTOAPI
- else if (streq (p[0], "cryptoapicert") && p[1] && !p[2])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->cryptoapi_cert = p[1];
- }
-#endif
- else if (streq (p[0], "key") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->priv_key_file = p[1];
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- options->priv_key_file_inline = p[2];
- }
- }
- else if (streq (p[0], "tls-version-min") && p[1] && !p[3])
- {
- int ver;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- ver = tls_version_parse(p[1], p[2]);
- if (ver == TLS_VER_BAD)
- {
- msg (msglevel, "unknown tls-version-min parameter: %s", p[1]);
- goto err;
- }
- options->ssl_flags &=
- ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
- options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
- }
- else if (streq (p[0], "tls-version-max") && p[1] && !p[2])
- {
- int ver;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- ver = tls_version_parse(p[1], NULL);
- if (ver == TLS_VER_BAD)
- {
- msg (msglevel, "unknown tls-version-max parameter: %s", p[1]);
- goto err;
- }
- options->ssl_flags &=
- ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
- options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
+ else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->cryptoapi_cert = p[1];
+ }
+#endif
+ else if (streq(p[0], "key") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->priv_key_file = p[1];
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->priv_key_file_inline = p[2];
+ }
+ }
+ else if (streq(p[0], "tls-version-min") && p[1] && !p[3])
+ {
+ int ver;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ ver = tls_version_parse(p[1], p[2]);
+ if (ver == TLS_VER_BAD)
+ {
+ msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
+ goto err;
+ }
+ options->ssl_flags &=
+ ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
+ options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
+ }
+ else if (streq(p[0], "tls-version-max") && p[1] && !p[2])
+ {
+ int ver;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ ver = tls_version_parse(p[1], NULL);
+ if (ver == TLS_VER_BAD)
+ {
+ msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
+ goto err;
+ }
+ options->ssl_flags &=
+ ~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
+ options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
}
#ifndef ENABLE_CRYPTO_MBEDTLS
- else if (streq (p[0], "pkcs12") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
+ else if (streq(p[0], "pkcs12") && p[1] && ((streq(p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->pkcs12_file = p[1];
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- options->pkcs12_file_inline = p[2];
- }
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->pkcs12_file = p[1];
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->pkcs12_file_inline = p[2];
+ }
}
#endif /* ENABLE_CRYPTO_MBEDTLS */
- else if (streq (p[0], "askpass") && !p[2])
+ else if (streq(p[0], "askpass") && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (p[1])
- {
- options->key_pass_file = p[1];
- }
- else
- options->key_pass_file = "stdin";
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (p[1])
+ {
+ options->key_pass_file = p[1];
+ }
+ else
+ {
+ options->key_pass_file = "stdin";
+ }
}
- else if (streq (p[0], "auth-nocache") && !p[1])
+ else if (streq(p[0], "auth-nocache") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- ssl_set_auth_nocache ();
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ ssl_set_auth_nocache();
}
- else if (streq (p[0], "auth-token") && p[1] && !p[2])
+ else if (streq(p[0], "auth-token") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_ECHO);
- ssl_set_auth_token(p[1]);
+ VERIFY_PERMISSION(OPT_P_ECHO);
+ ssl_set_auth_token(p[1]);
#ifdef ENABLE_MANAGEMENT
- if (management)
- management_auth_token (management, p[1]);
+ if (management)
+ {
+ management_auth_token(management, p[1]);
+ }
#endif
}
- else if (streq (p[0], "single-session") && !p[1])
+ else if (streq(p[0], "single-session") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->single_session = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->single_session = true;
}
#ifdef ENABLE_PUSH_PEER_INFO
- else if (streq (p[0], "push-peer-info") && !p[1])
+ else if (streq(p[0], "push-peer-info") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->push_peer_info = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->push_peer_info = true;
}
#endif
- else if (streq (p[0], "tls-exit") && !p[1])
+ else if (streq(p[0], "tls-exit") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->tls_exit = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->tls_exit = true;
}
- else if (streq (p[0], "tls-cipher") && p[1] && !p[2])
+ else if (streq(p[0], "tls-cipher") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->cipher_list = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->cipher_list = p[1];
}
- else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
- || (p[2] && streq (p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3])
+ else if (streq(p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
+ || (p[2] && streq(p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (p[2] && streq(p[2], "dir"))
- options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
- options->crl_file = p[1];
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- options->crl_file_inline = p[2];
- }
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (p[2] && streq(p[2], "dir"))
+ {
+ options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
+ }
+ options->crl_file = p[1];
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->crl_file_inline = p[2];
+ }
}
- else if (streq (p[0], "tls-verify") && p[1])
+ else if (streq(p[0], "tls-verify") && p[1])
{
- VERIFY_PERMISSION (OPT_P_SCRIPT);
- if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
- goto err;
- set_user_script (options, &options->tls_verify,
- string_substitute (p[1], ',', ' ', &options->gc),
- "tls-verify", true);
+ VERIFY_PERMISSION(OPT_P_SCRIPT);
+ if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT))
+ {
+ goto err;
+ }
+ set_user_script(options, &options->tls_verify,
+ string_substitute(p[1], ',', ' ', &options->gc),
+ "tls-verify", true);
}
#ifndef ENABLE_CRYPTO_MBEDTLS
- else if (streq (p[0], "tls-export-cert") && p[1] && !p[2])
+ else if (streq(p[0], "tls-export-cert") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->tls_export_cert = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->tls_export_cert = p[1];
}
#endif
#if P2MP_SERVER
- else if (streq (p[0], "compat-names") && ((p[1] && streq (p[1], "no-remapping")) || !p[1]) && !p[2])
+ else if (streq(p[0], "compat-names") && ((p[1] && streq(p[1], "no-remapping")) || !p[1]) && !p[2])
#else
- else if (streq (p[0], "compat-names") && !p[1])
+ else if (streq(p[0], "compat-names") && !p[1])
#endif
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (options->verify_x509_type != VERIFY_X509_NONE)
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (options->verify_x509_type != VERIFY_X509_NONE)
{
- msg (msglevel, "you cannot use --compat-names with --verify-x509-name");
- goto err;
+ msg(msglevel, "you cannot use --compat-names with --verify-x509-name");
+ goto err;
}
- msg (M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN v2.5.");
- compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
+ msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN v2.5.");
+ compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
#if P2MP_SERVER
- if (p[1] && streq (p[1], "no-remapping"))
- compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
+ if (p[1] && streq(p[1], "no-remapping"))
+ {
+ compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
+ }
}
- else if (streq (p[0], "no-name-remapping") && !p[1])
+ else if (streq(p[0], "no-name-remapping") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (options->verify_x509_type != VERIFY_X509_NONE)
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (options->verify_x509_type != VERIFY_X509_NONE)
{
- msg (msglevel, "you cannot use --no-name-remapping with --verify-x509-name");
- goto err;
+ msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name");
+ goto err;
}
- msg (M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN v2.5.");
- compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
- compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
+ msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN v2.5.");
+ compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);
+ compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
#endif
}
- else if (streq (p[0], "verify-x509-name") && p[1] && strlen (p[1]) && !p[3])
+ else if (streq(p[0], "verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
{
- int type = VERIFY_X509_SUBJECT_DN;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NAMES))
+ int type = VERIFY_X509_SUBJECT_DN;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (compat_flag(COMPAT_FLAG_QUERY | COMPAT_NAMES))
{
- msg (msglevel, "you cannot use --verify-x509-name with "
- "--compat-names or --no-name-remapping");
- goto err;
+ msg(msglevel, "you cannot use --verify-x509-name with "
+ "--compat-names or --no-name-remapping");
+ goto err;
}
- if (p[2])
+ if (p[2])
{
- if (streq (p[2], "subject"))
- type = VERIFY_X509_SUBJECT_DN;
- else if (streq (p[2], "name"))
- type = VERIFY_X509_SUBJECT_RDN;
- else if (streq (p[2], "name-prefix"))
- type = VERIFY_X509_SUBJECT_RDN_PREFIX;
- else
+ if (streq(p[2], "subject"))
{
- msg (msglevel, "unknown X.509 name type: %s", p[2]);
- goto err;
+ type = VERIFY_X509_SUBJECT_DN;
+ }
+ else if (streq(p[2], "name"))
+ {
+ type = VERIFY_X509_SUBJECT_RDN;
+ }
+ else if (streq(p[2], "name-prefix"))
+ {
+ type = VERIFY_X509_SUBJECT_RDN_PREFIX;
+ }
+ else
+ {
+ msg(msglevel, "unknown X.509 name type: %s", p[2]);
+ goto err;
}
}
- options->verify_x509_type = type;
- options->verify_x509_name = p[1];
+ options->verify_x509_type = type;
+ options->verify_x509_name = p[1];
}
- else if (streq (p[0], "ns-cert-type") && p[1] && !p[2])
+ else if (streq(p[0], "ns-cert-type") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], "server"))
- options->ns_cert_type = NS_CERT_CHECK_SERVER;
- else if (streq (p[1], "client"))
- options->ns_cert_type = NS_CERT_CHECK_CLIENT;
- else
- {
- msg (msglevel, "--ns-cert-type must be 'client' or 'server'");
- goto err;
- }
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[1], "server"))
+ {
+ options->ns_cert_type = NS_CERT_CHECK_SERVER;
+ }
+ else if (streq(p[1], "client"))
+ {
+ options->ns_cert_type = NS_CERT_CHECK_CLIENT;
+ }
+ else
+ {
+ msg(msglevel, "--ns-cert-type must be 'client' or 'server'");
+ goto err;
+ }
}
- else if (streq (p[0], "remote-cert-ku"))
+ else if (streq(p[0], "remote-cert-ku"))
{
- int j;
+ int j;
- VERIFY_PERMISSION (OPT_P_GENERAL);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
- for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- sscanf (p[j], "%x", &(options->remote_cert_ku[j-1]));
+ for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
}
- else if (streq (p[0], "remote-cert-eku") && p[1] && !p[2])
+ else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->remote_cert_eku = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->remote_cert_eku = p[1];
}
- else if (streq (p[0], "remote-cert-tls") && p[1] && !p[2])
+ else if (streq(p[0], "remote-cert-tls") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
- if (streq (p[1], "server"))
- {
- options->remote_cert_ku[0] = 0xa0;
- options->remote_cert_ku[1] = 0x88;
- options->remote_cert_eku = "TLS Web Server Authentication";
- }
- else if (streq (p[1], "client"))
- {
- options->remote_cert_ku[0] = 0x80;
- options->remote_cert_ku[1] = 0x08;
- options->remote_cert_ku[2] = 0x88;
- options->remote_cert_eku = "TLS Web Client Authentication";
- }
- else
- {
- msg (msglevel, "--remote-cert-tls must be 'client' or 'server'");
- goto err;
- }
+ if (streq(p[1], "server"))
+ {
+ options->remote_cert_ku[0] = 0xa0;
+ options->remote_cert_ku[1] = 0x88;
+ options->remote_cert_eku = "TLS Web Server Authentication";
+ }
+ else if (streq(p[1], "client"))
+ {
+ options->remote_cert_ku[0] = 0x80;
+ options->remote_cert_ku[1] = 0x08;
+ options->remote_cert_ku[2] = 0x88;
+ options->remote_cert_eku = "TLS Web Client Authentication";
+ }
+ else
+ {
+ msg(msglevel, "--remote-cert-tls must be 'client' or 'server'");
+ goto err;
+ }
}
- else if (streq (p[0], "tls-timeout") && p[1] && !p[2])
+ else if (streq(p[0], "tls-timeout") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_TLS_PARMS);
- options->tls_timeout = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_TLS_PARMS);
+ options->tls_timeout = positive_atoi(p[1]);
}
- else if (streq (p[0], "reneg-bytes") && p[1] && !p[2])
+ else if (streq(p[0], "reneg-bytes") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_TLS_PARMS);
- options->renegotiate_bytes = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_TLS_PARMS);
+ options->renegotiate_bytes = positive_atoi(p[1]);
}
- else if (streq (p[0], "reneg-pkts") && p[1] && !p[2])
+ else if (streq(p[0], "reneg-pkts") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_TLS_PARMS);
- options->renegotiate_packets = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_TLS_PARMS);
+ options->renegotiate_packets = positive_atoi(p[1]);
}
- else if (streq (p[0], "reneg-sec") && p[1] && !p[2])
+ else if (streq(p[0], "reneg-sec") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_TLS_PARMS);
- options->renegotiate_seconds = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_TLS_PARMS);
+ options->renegotiate_seconds = positive_atoi(p[1]);
}
- else if (streq (p[0], "hand-window") && p[1] && !p[2])
+ else if (streq(p[0], "hand-window") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_TLS_PARMS);
- options->handshake_window = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_TLS_PARMS);
+ options->handshake_window = positive_atoi(p[1]);
}
- else if (streq (p[0], "tran-window") && p[1] && !p[2])
+ else if (streq(p[0], "tran-window") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_TLS_PARMS);
- options->transition_window = positive_atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_TLS_PARMS);
+ options->transition_window = positive_atoi(p[1]);
}
- else if (streq (p[0], "tls-auth") && p[1] && !p[3])
+ else if (streq(p[0], "tls-auth") && p[1] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- options->tls_auth_file_inline = p[2];
- }
- else
- if (p[2])
- {
- int key_direction;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->tls_auth_file_inline = p[2];
+ }
+ else if (p[2])
+ {
+ int key_direction;
- key_direction = ascii2keydirection (msglevel, p[2]);
- if (key_direction >= 0)
- options->key_direction = key_direction;
- else
- goto err;
- }
- options->tls_auth_file = p[1];
+ key_direction = ascii2keydirection(msglevel, p[2]);
+ if (key_direction >= 0)
+ {
+ options->key_direction = key_direction;
+ }
+ else
+ {
+ goto err;
+ }
+ }
+ options->tls_auth_file = p[1];
}
- else if (streq (p[0], "tls-crypt") && p[1] && !p[3])
+ else if (streq(p[0], "tls-crypt") && p[1] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], INLINE_FILE_TAG) && p[2])
- {
- options->tls_crypt_inline = p[2];
- }
- options->tls_crypt_file = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (streq(p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->tls_crypt_inline = p[2];
+ }
+ options->tls_crypt_file = p[1];
}
- else if (streq (p[0], "key-method") && p[1] && !p[2])
+ else if (streq(p[0], "key-method") && p[1] && !p[2])
{
- int key_method;
+ int key_method;
- VERIFY_PERMISSION (OPT_P_GENERAL);
- key_method = atoi (p[1]);
- if (key_method < KEY_METHOD_MIN || key_method > KEY_METHOD_MAX)
- {
- msg (msglevel, "key_method parameter (%d) must be >= %d and <= %d",
- key_method,
- KEY_METHOD_MIN,
- KEY_METHOD_MAX);
- goto err;
- }
- options->key_method = key_method;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ key_method = atoi(p[1]);
+ if (key_method < KEY_METHOD_MIN || key_method > KEY_METHOD_MAX)
+ {
+ msg(msglevel, "key_method parameter (%d) must be >= %d and <= %d",
+ key_method,
+ KEY_METHOD_MIN,
+ KEY_METHOD_MAX);
+ goto err;
+ }
+ options->key_method = key_method;
}
- else if (streq (p[0], "x509-track") && p[1] && !p[2])
+ else if (streq(p[0], "x509-track") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- x509_track_add (&options->x509_track, p[1], msglevel, &options->gc);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ x509_track_add(&options->x509_track, p[1], msglevel, &options->gc);
}
#ifdef ENABLE_X509ALTUSERNAME
- else if (streq (p[0], "x509-username-field") && p[1] && !p[2])
- {
- /* This option used to automatically upcase the fieldname passed as the
- * option argument, e.g., "ou" became "OU". Now, this "helpfulness" is
- * fine-tuned by only upcasing Subject field attribute names which consist
- * of all lower-case characters. Mixed-case attributes such as
- * "emailAddress" are left as-is. An option parameter having the "ext:"
- * prefix for matching X.509v3 extended fields will also remain unchanged.
- */
- char *s = p[1];
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- if (strncmp("ext:", s, 4) != 0)
- {
- size_t i = 0;
- while (s[i] && !isupper(s[i])) i++;
- if (strlen(s) == i)
- {
- while ((*s = toupper(*s)) != '\0') s++;
- msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
- "--x509-username-field parameter to '%s'; please update your"
- "configuration", p[1]);
- }
- }
- options->x509_username_field = p[1];
+ else if (streq(p[0], "x509-username-field") && p[1] && !p[2])
+ {
+ /* This option used to automatically upcase the fieldname passed as the
+ * option argument, e.g., "ou" became "OU". Now, this "helpfulness" is
+ * fine-tuned by only upcasing Subject field attribute names which consist
+ * of all lower-case characters. Mixed-case attributes such as
+ * "emailAddress" are left as-is. An option parameter having the "ext:"
+ * prefix for matching X.509v3 extended fields will also remain unchanged.
+ */
+ char *s = p[1];
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ if (strncmp("ext:", s, 4) != 0)
+ {
+ size_t i = 0;
+ while (s[i] && !isupper(s[i])) i++;
+ if (strlen(s) == i)
+ {
+ while ((*s = toupper(*s)) != '\0') s++;
+ msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
+ "--x509-username-field parameter to '%s'; please update your"
+ "configuration", p[1]);
+ }
+ }
+ options->x509_username_field = p[1];
}
#endif /* ENABLE_X509ALTUSERNAME */
#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
- else if (streq (p[0], "show-pkcs11-ids") && !p[3])
+ else if (streq(p[0], "show-pkcs11-ids") && !p[3])
{
- char *provider = p[1];
- bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 ));
+ char *provider = p[1];
+ bool cert_private = (p[2] == NULL ? false : ( atoi(p[2]) != 0 ));
#ifdef DEFAULT_PKCS11_MODULE
- if (!provider)
- provider = DEFAULT_PKCS11_MODULE;
- else if (!p[2])
+ if (!provider)
{
- char *endp = NULL;
- int i = strtol(provider, &endp, 10);
+ provider = DEFAULT_PKCS11_MODULE;
+ }
+ else if (!p[2])
+ {
+ char *endp = NULL;
+ int i = strtol(provider, &endp, 10);
- if (*endp == 0)
- {
- /* There was one argument, and it was purely numeric.
- Interpret it as the cert_private argument */
- provider = DEFAULT_PKCS11_MODULE;
- cert_private = i;
- }
+ if (*endp == 0)
+ {
+ /* There was one argument, and it was purely numeric.
+ * Interpret it as the cert_private argument */
+ provider = DEFAULT_PKCS11_MODULE;
+ cert_private = i;
+ }
}
-#else
- if (!provider)
- {
- msg (msglevel, "--show-pkcs11-ids requires a provider parameter");
+#else /* ifdef DEFAULT_PKCS11_MODULE */
+ if (!provider)
+ {
+ msg(msglevel, "--show-pkcs11-ids requires a provider parameter");
goto err;
- }
-#endif
- VERIFY_PERMISSION (OPT_P_GENERAL);
+ }
+#endif /* ifdef DEFAULT_PKCS11_MODULE */
+ VERIFY_PERMISSION(OPT_P_GENERAL);
- set_debug_level (options->verbosity, SDL_CONSTRAIN);
- show_pkcs11_ids (provider, cert_private);
- openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
+ set_debug_level(options->verbosity, SDL_CONSTRAIN);
+ show_pkcs11_ids(provider, cert_private);
+ openvpn_exit(OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "pkcs11-providers") && p[1])
+ else if (streq(p[0], "pkcs11-providers") && p[1])
{
- int j;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
+ int j;
- for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- options->pkcs11_providers[j-1] = p[j];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+
+ for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ options->pkcs11_providers[j-1] = p[j];
}
- else if (streq (p[0], "pkcs11-protected-authentication"))
+ else if (streq(p[0], "pkcs11-protected-authentication"))
{
- int j;
+ int j;
- VERIFY_PERMISSION (OPT_P_GENERAL);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
- for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- options->pkcs11_protected_authentication[j-1] = atoi (p[j]) != 0 ? 1 : 0;
+ for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0;
}
- else if (streq (p[0], "pkcs11-private-mode") && p[1])
+ else if (streq(p[0], "pkcs11-private-mode") && p[1])
{
- int j;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
+ int j;
+
+ VERIFY_PERMISSION(OPT_P_GENERAL);
- for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- sscanf (p[j], "%x", &(options->pkcs11_private_mode[j-1]));
+ for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
}
- else if (streq (p[0], "pkcs11-cert-private"))
+ else if (streq(p[0], "pkcs11-cert-private"))
{
- int j;
+ int j;
- VERIFY_PERMISSION (OPT_P_GENERAL);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
- for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- options->pkcs11_cert_private[j-1] = atoi (p[j]) != 0 ? 1 : 0;
+ for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
+ options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
}
- else if (streq (p[0], "pkcs11-pin-cache") && p[1] && !p[2])
+ else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->pkcs11_pin_cache_period = atoi (p[1]);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->pkcs11_pin_cache_period = atoi(p[1]);
}
- else if (streq (p[0], "pkcs11-id") && p[1] && !p[2])
+ else if (streq(p[0], "pkcs11-id") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->pkcs11_id = p[1];
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->pkcs11_id = p[1];
}
- else if (streq (p[0], "pkcs11-id-management") && !p[1])
+ else if (streq(p[0], "pkcs11-id-management") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->pkcs11_id_management = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->pkcs11_id_management = true;
}
-#endif
- else if (streq (p[0], "rmtun") && !p[1])
+#endif /* ifdef ENABLE_PKCS11 */
+ else if (streq(p[0], "rmtun") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->persist_config = true;
- options->persist_mode = 0;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->persist_config = true;
+ options->persist_mode = 0;
}
- else if (streq (p[0], "mktun") && !p[1])
+ else if (streq(p[0], "mktun") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->persist_config = true;
- options->persist_mode = 1;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->persist_config = true;
+ options->persist_mode = 1;
}
- else if (streq (p[0], "peer-id") && p[1] && !p[2])
+ else if (streq(p[0], "peer-id") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_PEER_ID);
- options->use_peer_id = true;
- options->peer_id = atoi(p[1]);
+ VERIFY_PERMISSION(OPT_P_PEER_ID);
+ options->use_peer_id = true;
+ options->peer_id = atoi(p[1]);
}
#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
- else if (streq (p[0], "keying-material-exporter") && p[1] && p[2])
+ else if (streq(p[0], "keying-material-exporter") && p[1] && p[2])
{
- int ekm_length = positive_atoi (p[2]);
+ int ekm_length = positive_atoi(p[2]);
- VERIFY_PERMISSION (OPT_P_GENERAL);
+ VERIFY_PERMISSION(OPT_P_GENERAL);
- if (strncmp(p[1], "EXPORTER", 8))
+ if (strncmp(p[1], "EXPORTER", 8))
{
- msg (msglevel, "Keying material exporter label must begin with "
- "\"EXPORTER\"");
- goto err;
+ msg(msglevel, "Keying material exporter label must begin with "
+ "\"EXPORTER\"");
+ goto err;
}
- if (ekm_length < 16 || ekm_length > 4095)
+ if (ekm_length < 16 || ekm_length > 4095)
{
- msg (msglevel, "Invalid keying material exporter length");
- goto err;
+ msg(msglevel, "Invalid keying material exporter length");
+ goto err;
}
- options->keying_material_exporter_label = p[1];
- options->keying_material_exporter_length = ekm_length;
+ options->keying_material_exporter_label = p[1];
+ options->keying_material_exporter_length = ekm_length;
}
-#endif
- else if (streq (p[0], "allow-recursive-routing") && !p[1])
+#endif /* if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000 */
+ else if (streq(p[0], "allow-recursive-routing") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->allow_recursive_routing = true;
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->allow_recursive_routing = true;
}
- else
+ else
{
- int i;
- int msglevel= msglevel_fc;
- /* Check if an option is in --ignore-unknown-option and
- set warning level to non fatal */
- for(i=0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
+ int i;
+ int msglevel = msglevel_fc;
+ /* Check if an option is in --ignore-unknown-option and
+ * set warning level to non fatal */
+ for (i = 0; options->ignore_unknown_option && options->ignore_unknown_option[i]; i++)
{
- if (streq(p[0], options->ignore_unknown_option[i]))
+ if (streq(p[0], options->ignore_unknown_option[i]))
{
- msglevel = M_WARN;
- break;
+ msglevel = M_WARN;
+ break;
}
}
- if (file)
- msg (msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
- else
- msg (msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
+ if (file)
+ {
+ msg(msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
+ }
+ else
+ {
+ msg(msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
+ }
}
- err:
- gc_free (&gc);
+err:
+ gc_free(&gc);
}