summaryrefslogtreecommitdiff
path: root/src/openvpn/options.c
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2016-11-21 09:37:33 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2016-11-21 09:37:33 +0100
commit93b77cacdbb7e6f310c4e20f85c3a24ed5ba18ba (patch)
tree55a7688c9969ef4d01625caa58c7f679098c76eb /src/openvpn/options.c
parentdaa9ef0efeb5e10a1b43820fbab3a4ff5fbd22f1 (diff)
parent20c8675ba46bda97330a4117c459a59a9f1c465e (diff)
Merge tag 'upstream/2.4_beta1'
Upstream version 2.4~beta1
Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r--src/openvpn/options.c2026
1 files changed, 1158 insertions, 868 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index a49a4fb..7f128c3 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -56,39 +56,38 @@
#include "helper.h"
#include "manage.h"
#include "forward.h"
+#include "ssl_verify.h"
+#include "platform.h"
#include <ctype.h>
#include "memdbg.h"
const char title_string[] =
PACKAGE_STRING
+#ifdef CONFIGURE_GIT_REVISION
+ " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS "]"
+#endif
" " TARGET_ALIAS
#ifdef ENABLE_CRYPTO
-#ifdef ENABLE_SSL
-#if defined(ENABLE_CRYPTO_POLARSSL)
- " [SSL (PolarSSL)]"
+#if defined(ENABLE_CRYPTO_MBEDTLS)
+ " [SSL (mbed TLS)]"
#elif defined(ENABLE_CRYPTO_OPENSSL)
" [SSL (OpenSSL)]"
#else
" [SSL]"
-#endif /* defined(ENABLE_CRYPTO_POLARSSL) */
-#else /* ! ENABLE_SSL */
-#if defined(ENABLE_CRYPTO_POLARSSL)
- " [CRYPTO (PolarSSL)]"
-#elif defined(ENABLE_CRYPTO_OPENSSL)
- " [CRYPTO (OpenSSL)]"
-#else
- " [CRYPTO]"
-#endif /* defined(ENABLE_CRYPTO_POLARSSL) */
-#endif /* ENABLE_SSL */
+#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
#endif /* ENABLE_CRYPTO */
+#ifdef USE_COMP
#ifdef ENABLE_LZO
-#ifdef ENABLE_LZO_STUB
- " [LZO (STUB)]"
-#else
" [LZO]"
#endif
+#ifdef ENABLE_LZ4
+ " [LZ4]"
+#endif
+#ifdef ENABLE_COMP_STUB
+ " [COMP_STUB]"
#endif
+#endif /* USE_COMP */
#if EPOLL
" [EPOLL]"
#endif
@@ -99,9 +98,15 @@ const char title_string[] =
" [PKCS11]"
#endif
#if ENABLE_IP_PKTINFO
- " [MH]"
+# if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
+ " [MH/PKTINFO]"
+# elif defined(IP_RECVDSTADDR)
+ " [MH/RECVDA]"
+# endif
+#endif
+#ifdef HAVE_AEAD_CIPHER_MODES
+ " [AEAD]"
#endif
- " [IPv6]"
" built on " __DATE__
;
@@ -125,11 +130,11 @@ static const char usage_message[] =
" p = udp (default), tcp-server, or tcp-client\n"
"--proto-force p : only consider protocol p in list of connection profiles.\n"
" p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
- "--connect-retry n : For --proto tcp-client, number of seconds to wait\n"
- " between connection retries (default=%d).\n"
- "--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).\n"
+ "--connect-retry n [m] : For client, number of seconds to wait between\n"
+ " connection retries (default=%d). On repeated retries\n"
+ " the wait time is exponentially increased to a maximum of m\n"
+ " (default=%d).\n"
"--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
-#ifdef ENABLE_HTTP_PROXY
"--http-proxy s p [up] [auth] : Connect to remote host\n"
" through an HTTP proxy at address s and port p.\n"
" If proxy authentication is required,\n"
@@ -139,21 +144,16 @@ static const char usage_message[] =
"--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
" determine auth method and query for username/password\n"
" if needed. auto-nct disables weak proxy auth methods.\n"
- "--http-proxy-retry : Retry indefinitely on HTTP proxy errors.\n"
- "--http-proxy-timeout n : Proxy timeout in seconds, default=5.\n"
"--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
" Repeat to set multiple options.\n"
" VERSION version (default=1.0)\n"
" AGENT user-agent\n"
-#endif
-#ifdef ENABLE_SOCKS
"--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
" address s and port p (default port = 1080).\n"
" If proxy authentication is required,\n"
" up is a file containing username/password on 2 lines, or\n"
" 'stdin' to prompt for console.\n"
"--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
-#endif
"--resolv-retry n: If hostname resolve fails for --remote, retry\n"
" resolve for n seconds before failing (disabled by default).\n"
" Set n=\"infinite\" to retry indefinitely.\n"
@@ -162,16 +162,12 @@ static const char usage_message[] =
"--ipchange cmd : Run command cmd on remote ip address initial\n"
" setting or change -- execute as: cmd ip-address port#\n"
"--port port : TCP/UDP port # for both local and remote.\n"
- "--lport port : TCP/UDP port # for local (default=%d). Implies --bind.\n"
- "--rport port : TCP/UDP port # for remote (default=%d).\n"
+ "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
+ "--rport port : TCP/UDP port # for remote (default=%s).\n"
"--bind : Bind to local address and port. (This is the default unless\n"
" --proto tcp-client"
-#ifdef ENABLE_HTTP_PROXY
" or --http-proxy"
-#endif
-#ifdef ENABLE_SOCKS
" or --socks-proxy"
-#endif
" is used).\n"
"--nobind : Do not bind to local address and port.\n"
"--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
@@ -182,7 +178,6 @@ static const char usage_message[] =
" /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
"--lladdr hw : Set the link layer address of the tap device.\n"
"--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
- "--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic.\n"
#ifdef ENABLE_IPROUTE
"--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n"
#endif
@@ -207,9 +202,7 @@ static const char usage_message[] =
"--route-ipv6 network/bits [gateway] [metric] :\n"
" Add IPv6 route to routing table after connection\n"
" is established. Multiple routes can be specified.\n"
- " gateway default: taken from --route-ipv6-gateway or --ifconfig\n"
- "--max-routes n : Specify the maximum number of routes that may be defined\n"
- " or pulled from a server.\n"
+ " gateway default: taken from 'remote' in --ifconfig-ipv6\n"
"--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
"--route-metric m : Specify a default metric for use with --route.\n"
"--route-delay n [w] : Delay n seconds after connection initiation before\n"
@@ -234,9 +227,7 @@ static const char usage_message[] =
" Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
"--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
" the default gateway. Useful when pushing private subnets.\n"
-#ifdef ENABLE_CLIENT_NAT
"--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
-#endif
#ifdef ENABLE_PUSH_PEER_INFO
"--push-peer-info : (client only) push client info to server.\n"
#endif
@@ -335,6 +326,7 @@ static const char usage_message[] =
"--log file : Output log to file which is created/truncated on open.\n"
"--log-append file : Append log to file, or create file if nonexistent.\n"
"--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
+ "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
"--writepid file : Write main process ID to file.\n"
"--nice n : Change process priority (>0 = lower, <0 = higher).\n"
"--echo [parms ...] : Echo parameters to log output.\n"
@@ -359,12 +351,15 @@ static const char usage_message[] =
#ifdef ENABLE_DEBUG
"--gremlin mask : Special stress testing mode (for debugging only).\n"
#endif
-#ifdef ENABLE_LZO
- "--comp-lzo : Use fast LZO compression -- may add up to 1 byte per\n"
+#if defined(USE_COMP)
+ "--compress alg : Use compression algorithm alg\n"
+#if defined(ENABLE_LZO)
+ "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
" packet for uncompressible data.\n"
"--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
" is specified.\n"
#endif
+#endif
#ifdef ENABLE_MANAGEMENT
"--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
" management functions. pass is a password file\n"
@@ -442,6 +437,9 @@ static const char usage_message[] =
" Only valid in a client-specific config file.\n"
"--client-cert-not-required : Don't require client certificate, client\n"
" will authenticate using username/password.\n"
+ "--verify-client-cert [none|optional|require] : perform no, optional or\n"
+ " mandatory client certificate verification.\n"
+ " Default is to require the client to supply a certificate.\n"
"--username-as-common-name : For auth-user-pass authentication, use\n"
" the authenticated username as the common name,\n"
" rather than the common name from the client cert.\n"
@@ -449,6 +447,11 @@ static const char usage_message[] =
" run command cmd to verify. If method='via-env', pass\n"
" user/pass via environment, if method='via-file', pass\n"
" user/pass via temporary file.\n"
+ "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
+ " to each client, replacing the password. Usefull when\n"
+ " OTP based two-factor auth mechanisms are in use and\n"
+ " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
+ " for generated tokens can be set.\n"
"--opt-verify : Clients that connect with options that are incompatible\n"
" with those of the server will be disconnected.\n"
"--auth-user-pass-optional : Allow connections by clients that don't\n"
@@ -476,6 +479,9 @@ static const char usage_message[] =
"--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
" older than n seconds. Run this check every t\n"
" seconds (defaults to n).\n"
+ "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
+ " clients. n = 1 - reconnect to same server,\n"
+ " 2 - advance to next server, default=1.\n"
#if PORT_SHARE
"--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
" sessions to a web server at host:port. dir specifies an\n"
@@ -493,13 +499,20 @@ static const char usage_message[] =
"--pull : Accept certain config file options from the peer as if they\n"
" were part of the local config file. Must be specified\n"
" when connecting to a '--mode server' remote host.\n"
+ "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
+ " server if it starts with the text t. The action flag accept,\n"
+ " ignore or reject causes the option to be allowed, removed or\n"
+ " rejected with error. May be specified multiple times, and\n"
+ " each filter is applied in the order of appearance.\n"
"--auth-retry t : How to handle auth failures. Set t to\n"
" none (default), interact, or nointeract.\n"
"--static-challenge t e : Enable static challenge/response protocol using\n"
" challenge text t, with e indicating echo flag (0|1)\n"
- "--server-poll-timeout n : when polling possible remote servers to connect to\n"
+ "--connect-timeout n : when polling possible remote servers to connect to\n"
" in a round-robin fashion, spend no more than n seconds\n"
" waiting for a response before trying the next server.\n"
+ "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
+ " incoming tun packets with same destination as host.\n"
#endif
#ifdef ENABLE_OCC
"--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
@@ -522,13 +535,15 @@ static const char usage_message[] =
"--cipher alg : Encrypt packets with cipher algorithm alg\n"
" (default=%s).\n"
" Set alg=none to disable encryption.\n"
+ "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
+ "--ncp-disable : Disable cipher negotiation.\n"
"--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
" nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
"--keysize n : Size of cipher key in bits (optional).\n"
" If unspecified, defaults to cipher-specific default.\n"
#endif
-#ifndef ENABLE_CRYPTO_POLARSSL
+#ifndef ENABLE_CRYPTO_MBEDTLS
"--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
#endif
"--no-replay : Disable replay protection.\n"
@@ -545,7 +560,6 @@ static const char usage_message[] =
"--use-prediction-resistance: Enable prediction resistance on the random\n"
" number generator.\n"
#endif
-#ifdef ENABLE_SSL
"\n"
"TLS Key Negotiation Options:\n"
"(These options are meaningful only for TLS-mode)\n"
@@ -555,15 +569,10 @@ static const char usage_message[] =
" number, such as 1 (default), 2, etc.\n"
"--ca file : Certificate authority file in .pem format containing\n"
" root certificate.\n"
-#ifndef ENABLE_CRYPTO_POLARSSL
+#ifndef ENABLE_CRYPTO_MBEDTLS
"--capath dir : A directory of trusted certificates (CAs"
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
" and CRLs).\n"
-#else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
- ").\n"
- " WARNING: no support of CRL available with this version.\n"
-#endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
-#endif /* ENABLE_CRYPTO_POLARSSL */
+#endif /* ENABLE_CRYPTO_MBEDTLS */
"--dh file : File containing Diffie Hellman parameters\n"
" in .pem format (for --tls-server only).\n"
" Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
@@ -575,7 +584,7 @@ static const char usage_message[] =
" will accept from the peer. If version is unrecognized and 'or-highest'\n"
" is specified, require max TLS version supported by SSL implementation.\n"
"--tls-version-max <version> : sets the maximum TLS version we will use.\n"
-#ifndef ENABLE_CRYPTO_POLARSSL
+#ifndef ENABLE_CRYPTO_MBEDTLS
"--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
" and optionally the root CA certificate.\n"
#endif
@@ -584,7 +593,7 @@ static const char usage_message[] =
" Default is CN in the Subject field.\n"
#endif
"--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n"
-#ifdef WIN32
+#ifdef _WIN32
"--cryptoapicert select-string : Load the certificate and private key from the\n"
" Windows Certificate System Store.\n"
#endif
@@ -602,10 +611,17 @@ static const char usage_message[] =
"--single-session: Allow only one session (reset state on restart).\n"
"--tls-exit : Exit on TLS negotiation failure.\n"
"--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
- " control channel to protect against DoS attacks.\n"
- " f (required) is a shared-secret passphrase file.\n"
+ " control channel to protect against attacks on the TLS stack\n"
+ " and DoS attacks.\n"
+ " f (required) is a shared-secret key file.\n"
" The optional d parameter controls key directionality,\n"
" see --secret option for more info.\n"
+ "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
+ " of the TLS control channel to hide the TLS certificate,\n"
+ " provide basic post-quantum security and protect against\n"
+ " attacks on the TLS stack and DoS attacks.\n"
+ " key (required) provides the pre-shared key file.\n"
+ " see --secret option for more info.\n"
"--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
"--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
"--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
@@ -622,11 +638,12 @@ static const char usage_message[] =
" of verification.\n"
"--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
" nsCertType designation t = 'client' | 'server'.\n"
-#ifdef ENABLE_X509_TRACK
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n"
+#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
+ "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
+ " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
"--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
" explicit key usage, you can specify more than one value.\n"
" value should be given in hex format.\n"
@@ -636,8 +653,6 @@ static const char usage_message[] =
"--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
" key usage and extended key usage based on RFC3280 TLS rules.\n"
" t = 'client' | 'server'.\n"
-#endif /* OPENSSL_VERSION_NUMBER || ENABLE_CRYPTO_POLARSSL */
-#endif /* ENABLE_SSL */
#ifdef ENABLE_PKCS11
"\n"
"PKCS#11 Options:\n"
@@ -662,10 +677,8 @@ static const char usage_message[] =
"--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
"--show-digests : Show message digest algorithms to use with --auth option.\n"
"--show-engines : Show hardware crypto accelerator engines (if available).\n"
-#ifdef ENABLE_SSL
"--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
-#endif
-#ifdef WIN32
+#ifdef _WIN32
"\n"
"Windows Specific:\n"
"--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
@@ -715,7 +728,9 @@ static const char usage_message[] =
" optional parameter controls the initial state of ex.\n"
"--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n"
" after TAP adapter is up and routes have been added.\n"
+#ifdef _WIN32
"--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
+#endif
"Windows Standalone Options:\n"
"\n"
"--show-adapters : Show all TAP-Windows adapters.\n"
@@ -775,10 +790,13 @@ init_options (struct options *o, const bool init_gc)
}
o->mode = MODE_POINT_TO_POINT;
o->topology = TOP_NET30;
- o->ce.proto = PROTO_UDPv4;
+ o->ce.proto = PROTO_UDP;
+ o->ce.af = AF_UNSPEC;
+ o->ce.bind_ipv6_only = false;
o->ce.connect_retry_seconds = 5;
- o->ce.connect_timeout = 10;
- o->ce.connect_retry_max = 0;
+ o->ce.connect_retry_seconds_max = 300;
+ o->ce.connect_timeout = 120;
+ o->connect_retry_max = 0;
o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
o->verbosity = 1;
o->status_file_update_freq = 60;
@@ -789,8 +807,8 @@ init_options (struct options *o, const bool init_gc)
o->ce.mtu_discover_type = -1;
o->ce.mssfix = MSSFIX_DEFAULT;
o->route_delay_window = 30;
- o->max_routes = MAX_ROUTES_DEFAULT;
o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
+ o->resolve_in_advance = false;
o->proto_force = -1;
#ifdef ENABLE_OCC
o->occ = true;
@@ -806,7 +824,7 @@ init_options (struct options *o, const bool init_gc)
#ifdef TARGET_LINUX
o->tuntap_options.txqueuelen = 100;
#endif
-#ifdef WIN32
+#ifdef _WIN32
#if 0
o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
#else
@@ -829,13 +847,16 @@ init_options (struct options *o, const bool init_gc)
#endif
#if P2MP
o->scheduled_exit_interval = 5;
- o->server_poll_timeout = 0;
#endif
#ifdef ENABLE_CRYPTO
o->ciphername = "BF-CBC";
- o->ciphername_defined = true;
+#ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
+ o->ncp_enabled = true;
+#else
+ o->ncp_enabled = false;
+#endif
+ o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
o->authname = "SHA1";
- o->authname_defined = true;
o->prng_hash = "SHA1";
o->prng_nonce_secret_len = 16;
o->replay = true;
@@ -846,25 +867,27 @@ init_options (struct options *o, const bool init_gc)
#ifdef ENABLE_PREDICTION_RESISTANCE
o->use_prediction_resistance = false;
#endif
-#ifdef ENABLE_SSL
o->key_method = 2;
o->tls_timeout = 2;
+ o->renegotiate_bytes = -1;
o->renegotiate_seconds = 3600;
o->handshake_window = 60;
o->transition_window = 3600;
+ o->ecdh_curve = NULL;
#ifdef ENABLE_X509ALTUSERNAME
o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
#endif
-#endif /* ENABLE_SSL */
#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
o->pkcs11_pin_cache_period = -1;
#endif /* ENABLE_PKCS11 */
-/* tmp is only used in P2MP server context */
+/* P2MP server context features */
#if P2MP_SERVER
+ o->auth_token_generate = false;
+
/* Set default --tmp-dir */
-#ifdef WIN32
+#ifdef _WIN32
/* On Windows, find temp dir via enviroment variables */
o->tmp_dir = win_get_tempdir();
#else
@@ -873,8 +896,9 @@ init_options (struct options *o, const bool init_gc)
if( !o->tmp_dir ) {
o->tmp_dir = "/tmp";
}
-#endif /* WIN32 */
+#endif /* _WIN32 */
#endif /* P2MP_SERVER */
+ o->allow_recursive_routing = false;
}
void
@@ -886,6 +910,37 @@ uninit_options (struct options *o)
}
}
+struct pull_filter
+{
+# define PUF_TYPE_UNDEF 0 /** undefined filter type */
+# define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */
+# define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */
+# define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */
+ int type;
+ int size;
+ char *pattern;
+ struct pull_filter *next;
+};
+
+struct pull_filter_list
+{
+ struct pull_filter *head;
+ struct pull_filter *tail;
+};
+
+static const char *
+pull_filter_type_name (int type)
+{
+ if (type == PUF_TYPE_ACCEPT)
+ return "accept";
+ if (type == PUF_TYPE_IGNORE)
+ return "ignore";
+ if (type == PUF_TYPE_REJECT)
+ return "reject";
+ else
+ return "???";
+}
+
#ifndef ENABLE_SMALL
#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
@@ -902,26 +957,22 @@ setenv_connection_entry (struct env_set *es,
const struct connection_entry *e,
const int i)
{
- setenv_str_i (es, "proto", proto2ascii (e->proto, false), i);
+ setenv_str_i (es, "proto", proto2ascii (e->proto, e->af, false), i);
setenv_str_i (es, "local", e->local, i);
- setenv_int_i (es, "local_port", e->local_port, i);
+ setenv_str_i (es, "local_port", e->local_port, i);
setenv_str_i (es, "remote", e->remote, i);
- setenv_int_i (es, "remote_port", e->remote_port, i);
+ setenv_str_i (es, "remote_port", e->remote_port, i);
-#ifdef ENABLE_HTTP_PROXY
if (e->http_proxy_options)
{
setenv_str_i (es, "http_proxy_server", e->http_proxy_options->server, i);
- setenv_int_i (es, "http_proxy_port", e->http_proxy_options->port, i);
+ setenv_str_i (es, "http_proxy_port", e->http_proxy_options->port, i);
}
-#endif
-#ifdef ENABLE_SOCKS
if (e->socks_proxy_server)
{
setenv_str_i (es, "socks_proxy_server", e->socks_proxy_server, i);
- setenv_int_i (es, "socks_proxy_port", e->socks_proxy_port, i);
+ setenv_str_i (es, "socks_proxy_port", e->socks_proxy_port, i);
}
-#endif
}
void
@@ -1064,7 +1115,7 @@ string_substitute (const char *src, int from, int to, struct gc_arena *gc)
return ret;
}
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
static uint8_t *
parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
{
@@ -1098,7 +1149,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren
}
#endif
-#ifdef WIN32
+#ifdef _WIN32
#ifndef ENABLE_SMALL
@@ -1141,7 +1192,9 @@ show_tuntap_options (const struct tuntap_options *o)
}
#endif
+#endif
+#if defined(_WIN32) || defined(TARGET_ANDROID)
static void
dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
{
@@ -1231,9 +1284,11 @@ show_p2mp_parms (const struct options *o)
SHOW_INT (max_routes_per_client);
SHOW_STR (auth_user_pass_verify_script);
SHOW_BOOL (auth_user_pass_verify_script_via_file);
+ SHOW_BOOL (auth_token_generate);
+ SHOW_INT (auth_token_lifetime);
#if PORT_SHARE
SHOW_STR (port_share_host);
- SHOW_INT (port_share_port);
+ SHOW_STR (port_share_port);
#endif
#endif /* P2MP_SERVER */
@@ -1298,19 +1353,27 @@ option_iroute_ipv6 (struct options *o,
#endif /* P2MP_SERVER */
#endif /* P2MP */
-#if defined(ENABLE_HTTP_PROXY) && !defined(ENABLE_SMALL)
+#ifndef ENABLE_SMALL
static void
show_http_proxy_options (const struct http_proxy_options *o)
{
+ int i;
msg (D_SHOW_PARMS, "BEGIN http_proxy");
SHOW_STR (server);
- SHOW_INT (port);
+ SHOW_STR (port);
SHOW_STR (auth_method_string);
SHOW_STR (auth_file);
- SHOW_BOOL (retry);
- SHOW_INT (timeout);
SHOW_STR (http_version);
SHOW_STR (user_agent);
+ for (i=0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name;i++)
+ {
+ if (o->custom_headers[i].content)
+ msg (D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
+ o->custom_headers[i].name, o->custom_headers[i].content);
+ else
+ msg (D_SHOW_PARMS, " custom_header[%d] = %s", i,
+ o->custom_headers[i].name);
+ }
msg (D_SHOW_PARMS, "END http_proxy");
}
#endif
@@ -1320,9 +1383,7 @@ options_detach (struct options *o)
{
gc_detach (&o->gc);
o->routes = NULL;
-#ifdef ENABLE_CLIENT_NAT
o->client_nat = NULL;
-#endif
#if P2MP_SERVER
clone_push_list(o);
#endif
@@ -1332,50 +1393,43 @@ void
rol_check_alloc (struct options *options)
{
if (!options->routes)
- options->routes = new_route_option_list (options->max_routes, &options->gc);
+ options->routes = new_route_option_list (&options->gc);
}
void
rol6_check_alloc (struct options *options)
{
if (!options->routes_ipv6)
- options->routes_ipv6 = new_route_ipv6_option_list (options->max_routes, &options->gc);
+ options->routes_ipv6 = new_route_ipv6_option_list (&options->gc);
}
-#ifdef ENABLE_CLIENT_NAT
static void
cnol_check_alloc (struct options *options)
{
if (!options->client_nat)
options->client_nat = new_client_nat_list (&options->gc);
}
-#endif
#ifndef ENABLE_SMALL
static void
show_connection_entry (const struct connection_entry *o)
{
- msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, false));
+ msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, o->af, false));
SHOW_STR (local);
- SHOW_INT (local_port);
+ SHOW_STR (local_port);
SHOW_STR (remote);
- SHOW_INT (remote_port);
+ SHOW_STR (remote_port);
SHOW_BOOL (remote_float);
SHOW_BOOL (bind_defined);
SHOW_BOOL (bind_local);
+ SHOW_BOOL (bind_ipv6_only);
SHOW_INT (connect_retry_seconds);
SHOW_INT (connect_timeout);
- SHOW_INT (connect_retry_max);
-#ifdef ENABLE_HTTP_PROXY
if (o->http_proxy_options)
show_http_proxy_options (o->http_proxy_options);
-#endif
-#ifdef ENABLE_SOCKS
SHOW_STR (socks_proxy_server);
- SHOW_INT (socks_proxy_port);
- SHOW_BOOL (socks_proxy_retry);
-#endif
+ SHOW_STR (socks_proxy_port);
SHOW_INT (tun_mtu);
SHOW_BOOL (tun_mtu_defined);
SHOW_INT (link_mtu);
@@ -1399,8 +1453,6 @@ show_connection_entry (const struct connection_entry *o)
static void
show_connection_entries (const struct options *o)
{
- msg (D_SHOW_PARMS, "Connection profiles [default]:");
- show_connection_entry (&o->ce);
if (o->connection_list)
{
const struct connection_list *l = o->connection_list;
@@ -1411,9 +1463,28 @@ show_connection_entries (const struct options *o)
show_connection_entry (l->array[i]);
}
}
+ else
+ {
+ msg (D_SHOW_PARMS, "Connection profiles [default]:");
+ show_connection_entry (&o->ce);
+ }
msg (D_SHOW_PARMS, "Connection profiles END");
}
+static void
+show_pull_filter_list (const struct pull_filter_list *l)
+{
+ struct pull_filter *f;
+ if (!l)
+ return;
+
+ msg (D_SHOW_PARMS, " Pull filters:");
+ for (f = l->head; f; f = f->next)
+ {
+ msg (D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
+ }
+}
+
#endif
void
@@ -1436,12 +1507,11 @@ show_settings (const struct options *o)
SHOW_BOOL (show_digests);
SHOW_BOOL (show_engines);
SHOW_BOOL (genkey);
-#ifdef ENABLE_SSL
SHOW_STR (key_pass_file);
SHOW_BOOL (show_tls_ciphers);
#endif
-#endif
+ SHOW_INT (connect_retry_max);
show_connection_entries (o);
SHOW_BOOL (remote_random);
@@ -1452,7 +1522,6 @@ show_settings (const struct options *o)
SHOW_STR (dev_node);
SHOW_STR (lladdr);
SHOW_INT (topology);
- SHOW_BOOL (tun_ipv6);
SHOW_STR (ifconfig_local);
SHOW_STR (ifconfig_remote_netmask);
SHOW_BOOL (ifconfig_noexec);
@@ -1488,6 +1557,7 @@ show_settings (const struct options *o)
#endif
SHOW_INT (resolve_retry_seconds);
+ SHOW_BOOL (resolve_in_advance);
SHOW_STR (username);
SHOW_STR (groupname);
@@ -1506,6 +1576,7 @@ show_settings (const struct options *o)
SHOW_INT (inetd);
SHOW_BOOL (log);
SHOW_BOOL (suppress_timestamps);
+ SHOW_BOOL (machine_readable_output);
SHOW_INT (nice);
SHOW_INT (verbosity);
SHOW_INT (mute);
@@ -1528,8 +1599,9 @@ show_settings (const struct options *o)
SHOW_BOOL (fast_io);
-#ifdef ENABLE_LZO
- SHOW_INT (lzo);
+#ifdef USE_COMP
+ SHOW_INT (comp.alg);
+ SHOW_INT (comp.flags);
#endif
SHOW_STR (route_script);
@@ -1541,19 +1613,18 @@ show_settings (const struct options *o)
SHOW_BOOL (route_delay_defined);
SHOW_BOOL (route_nopull);
SHOW_BOOL (route_gateway_via_dhcp);
- SHOW_INT (max_routes);
SHOW_BOOL (allow_pull_fqdn);
+ show_pull_filter_list (o->pull_filter_list);
+
if (o->routes)
print_route_options (o->routes, D_SHOW_PARMS);
-
-#ifdef ENABLE_CLIENT_NAT
+
if (o->client_nat)
print_client_nat_list(o->client_nat, D_SHOW_PARMS);
-#endif
#ifdef ENABLE_MANAGEMENT
SHOW_STR (management_addr);
- SHOW_INT (management_port);
+ SHOW_STR (management_port);
SHOW_STR (management_user_pass);
SHOW_INT (management_log_history_cache);
SHOW_INT (management_echo_buffer_size);
@@ -1570,16 +1641,14 @@ show_settings (const struct options *o)
#ifdef ENABLE_CRYPTO
SHOW_STR (shared_secret_file);
SHOW_INT (key_direction);
- SHOW_BOOL (ciphername_defined);
SHOW_STR (ciphername);
- SHOW_BOOL (authname_defined);
SHOW_STR (authname);
SHOW_STR (prng_hash);
SHOW_INT (prng_nonce_secret_len);
SHOW_INT (keysize);
-#ifndef ENABLE_CRYPTO_POLARSSL
+#ifndef ENABLE_CRYPTO_MBEDTLS
SHOW_BOOL (engine);
-#endif /* ENABLE_CRYPTO_POLARSSL */
+#endif /* ENABLE_CRYPTO_MBEDTLS */
SHOW_BOOL (replay);
SHOW_BOOL (mute_replay_warnings);
SHOW_INT (replay_window);
@@ -1591,13 +1660,17 @@ show_settings (const struct options *o)
SHOW_BOOL (use_prediction_resistance);
#endif
-#ifdef ENABLE_SSL
SHOW_BOOL (tls_server);
SHOW_BOOL (tls_client);
SHOW_INT (key_method);
SHOW_STR (ca_file);
SHOW_STR (ca_path);
SHOW_STR (dh_file);
+#ifdef MANAGMENT_EXTERNAL_KEY
+ if((o->management_flags & MF_EXTERNAL_CERT))
+ SHOW_PARM ("cert_file","EXTERNAL_CERT","%s");
+ else
+#endif
SHOW_STR (cert_file);
SHOW_STR (extra_certs_file);
@@ -1607,7 +1680,7 @@ show_settings (const struct options *o)
else
#endif
SHOW_STR (priv_key_file);
-#ifndef ENABLE_CRYPTO_POLARSSL
+#ifndef ENABLE_CRYPTO_MBEDTLS
SHOW_STR (pkcs12_file);
#endif
#ifdef ENABLE_CRYPTOAPI
@@ -1644,8 +1717,8 @@ show_settings (const struct options *o)
SHOW_BOOL (tls_exit);
SHOW_STR (tls_auth_file);
-#endif
-#endif
+ SHOW_STR (tls_crypt_file);
+#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
{
@@ -1677,7 +1750,7 @@ show_settings (const struct options *o)
show_p2mp_parms (o);
#endif
-#ifdef WIN32
+#ifdef _WIN32
SHOW_BOOL (show_net_up);
SHOW_INT (route_method);
SHOW_BOOL (block_outside_dns);
@@ -1691,7 +1764,7 @@ show_settings (const struct options *o)
#undef SHOW_INT
#undef SHOW_BOOL
-#if HTTP_PROXY_OVERRIDE
+#ifdef ENABLE_MANAGEMENT
static struct http_proxy_options *
parse_http_proxy_override (const char *server,
@@ -1703,19 +1776,9 @@ parse_http_proxy_override (const char *server,
if (server && port)
{
struct http_proxy_options *ho;
- const int int_port = atoi(port);
-
- if (!legal_ipv4_port (int_port))
- {
- msg (msglevel, "Bad http-proxy port number: %s", port);
- return NULL;
- }
-
ALLOC_OBJ_CLEAR_GC (ho, struct http_proxy_options, gc);
ho->server = string_alloc(server, gc);
- ho->port = int_port;
- ho->retry = true;
- ho->timeout = 5;
+ ho->port = port;
if (flags && !strcmp(flags, "nct"))
ho->auth_retry = PAR_NCT;
else
@@ -1732,32 +1795,31 @@ void
options_postprocess_http_proxy_override (struct options *o)
{
const struct connection_list *l = o->connection_list;
- if (l)
+ int i;
+ bool succeed = false;
+ for (i = 0; i < l->len; ++i)
+ {
+ struct connection_entry *ce = l->array[i];
+ if (ce->proto == PROTO_TCP_CLIENT || ce->proto == PROTO_TCP)
+ {
+ ce->http_proxy_options = o->http_proxy_override;
+ succeed = true;
+ }
+ }
+ if (succeed)
{
- int i;
- bool succeed = false;
for (i = 0; i < l->len; ++i)
- {
- struct connection_entry *ce = l->array[i];
- if (ce->proto == PROTO_TCPv4_CLIENT || ce->proto == PROTO_TCPv4)
- {
- ce->http_proxy_options = o->http_proxy_override;
- succeed = true;
- }
- }
- if (succeed)
- {
- for (i = 0; i < l->len; ++i)
- {
- struct connection_entry *ce = l->array[i];
- if (ce->proto == PROTO_UDPv4)
- {
- ce->flags |= CE_DISABLED;
- }
- }
- }
- else
- msg (M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
+ {
+ struct connection_entry *ce = l->array[i];
+ if (ce->proto == PROTO_UDP)
+ {
+ ce->flags |= CE_DISABLED;
+ }
+ }
+ }
+ else
+ {
+ msg (M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
}
}
@@ -1811,15 +1873,46 @@ alloc_remote_entry (struct options *options, const int msglevel)
return e;
}
+static struct pull_filter_list *
+alloc_pull_filter_list (struct options *o)
+{
+ if (!o->pull_filter_list)
+ ALLOC_OBJ_CLEAR_GC (o->pull_filter_list, struct pull_filter_list, &o->gc);
+ return o->pull_filter_list;
+}
+
+static struct pull_filter *
+alloc_pull_filter (struct options *o, const int msglevel)
+{
+ struct pull_filter_list *l = alloc_pull_filter_list (o);
+ struct pull_filter *f;
+
+ ALLOC_OBJ_CLEAR_GC (f, struct pull_filter, &o->gc);
+ if (l->head)
+ {
+ ASSERT (l->tail);
+ l->tail->next = f;
+ }
+ else
+ {
+ ASSERT (!l->tail);
+ l->head = f;
+ }
+ l->tail = f;
+ return f;
+}
+
void
connection_entry_load_re (struct connection_entry *ce, const struct remote_entry *re)
{
if (re->remote)
ce->remote = re->remote;
- if (re->remote_port >= 0)
+ if (re->remote_port)
ce->remote_port = re->remote_port;
if (re->proto >= 0)
ce->proto = re->proto;
+ if (re->af > 0)
+ ce->af = re->af;
}
static void
@@ -1849,10 +1942,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
* If "proto tcp" is specified, make sure we know whether it is
* tcp-client or tcp-server.
*/
- if (ce->proto == PROTO_TCPv4)
+ if (ce->proto == PROTO_TCP)
msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
- if (ce->proto == PROTO_TCPv6)
- msg (M_USAGE, "--proto tcp6 is ambiguous in this context. Please specify --proto tcp6-server or --proto tcp6-client");
/*
* Sanity check on daemon/inetd modes
@@ -1864,14 +1955,14 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
if (options->inetd && (ce->local || ce->remote))
msg (M_USAGE, "--local or --remote cannot be used with --inetd");
- if (options->inetd && ce->proto == PROTO_TCPv4_CLIENT)
+ if (options->inetd && ce->proto == PROTO_TCP_CLIENT)
msg (M_USAGE, "--proto tcp-client cannot be used with --inetd");
- if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCPv4_SERVER)
+ if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER)
msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
if (options->inetd == INETD_NOWAIT
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
&& !(options->tls_server || options->tls_client)
#endif
)
@@ -1885,20 +1976,6 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
msg (M_USAGE, "--lladdr can only be used in --dev tap mode");
/*
- * Sanity check on TCP mode options
- */
-
- if (ce->connect_retry_defined && ce->proto != PROTO_TCPv4_CLIENT
- && ce->proto != PROTO_TCPv6_CLIENT)
- msg (M_USAGE, "--connect-retry doesn't make sense unless also used with "
- "--proto tcp-client or tcp6-client");
-
- if (ce->connect_timeout_defined && ce->proto != PROTO_TCPv4_CLIENT
- && ce->proto != PROTO_TCPv6_CLIENT)
- msg (M_USAGE, "--connect-timeout doesn't make sense unless also used with "
- "--proto tcp-client or tcp6-client");
-
- /*
* Sanity check on MTU parameters
*/
if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined)
@@ -1920,7 +1997,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
if (proto_is_net(ce->proto)
&& string_defined_equal (ce->local, ce->remote)
- && ce->local_port == ce->remote_port)
+ && string_defined_equal (ce->local_port, ce->remote_port))
msg (M_USAGE, "--remote and --local addresses are the same");
if (string_defined_equal (ce->remote, options->ifconfig_local)
@@ -1965,7 +2042,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
* Windows-specific options.
*/
-#ifdef WIN32
+#ifdef _WIN32
if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
msg (M_USAGE, "On Windows, --ifconfig is required when --dev tun is used");
@@ -1993,29 +2070,21 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
msg (M_USAGE, "--explicit-exit-notify can only be used with --proto udp");
#endif
- if (!ce->remote && (ce->proto == PROTO_TCPv4_CLIENT
- || ce->proto == PROTO_TCPv6_CLIENT))
+ if (!ce->remote && ce->proto == PROTO_TCP_CLIENT)
msg (M_USAGE, "--remote MUST be used in TCP Client mode");
-#ifdef ENABLE_HTTP_PROXY
- if ((ce->http_proxy_options) && ce->proto != PROTO_TCPv4_CLIENT)
+ if ((ce->http_proxy_options) && ce->proto != PROTO_TCP_CLIENT)
msg (M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
if ((ce->http_proxy_options) && !ce->http_proxy_options->server)
msg (M_USAGE, "--http-proxy not specified but other http proxy options present");
-#endif
-#if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_SOCKS)
if (ce->http_proxy_options && ce->socks_proxy_server)
msg (M_USAGE, "--http-proxy can not be used together with --socks-proxy");
-#endif
-#ifdef ENABLE_SOCKS
- if (ce->socks_proxy_server && ce->proto == PROTO_TCPv4_SERVER)
+ if (ce->socks_proxy_server && ce->proto == PROTO_TCP_SERVER)
msg (M_USAGE, "--socks-proxy can not be used in TCP Server mode");
-#endif
- if ((ce->proto == PROTO_TCPv4_SERVER || ce->proto == PROTO_TCPv6_SERVER)
- && connection_list_defined (options))
+ if (ce->proto == PROTO_TCP_SERVER && (options->connection_list->len > 1))
msg (M_USAGE, "TCP server mode allows at most one --remote address");
#if P2MP_SERVER
@@ -2029,13 +2098,14 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
msg (M_USAGE, "--mode server only works with --dev tun or --dev tap");
if (options->pull)
msg (M_USAGE, "--pull cannot be used with --mode server");
- if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCPv4_SERVER
- || ce->proto == PROTO_TCPv6_SERVER))
+ if (options->pull_filter_list)
+ msg (M_USAGE, "--pull-filter cannot be used with --mode server");
+ if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCP_SERVER))
msg (M_USAGE, "--mode server currently only supports "
"--proto udp or --proto tcp-server or proto tcp6-server");
#if PORT_SHARE
if ((options->port_share_host || options->port_share_port) &&
- (ce->proto != PROTO_TCPv4_SERVER && ce->proto != PROTO_TCPv6_SERVER))
+ (ce->proto != PROTO_TCP_SERVER))
msg (M_USAGE, "--port-share only works in TCP server mode "
"(--proto tcp-server or tcp6-server)");
#endif
@@ -2045,38 +2115,29 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
msg (M_USAGE, "--remote cannot be used with --mode server");
if (!ce->bind_local)
msg (M_USAGE, "--nobind cannot be used with --mode server");
-#ifdef ENABLE_HTTP_PROXY
if (ce->http_proxy_options)
msg (M_USAGE, "--http-proxy cannot be used with --mode server");
-#endif
-#ifdef ENABLE_SOCKS
if (ce->socks_proxy_server)
msg (M_USAGE, "--socks-proxy cannot be used with --mode server");
-#endif
- if (options->connection_list)
- msg (M_USAGE, "<connection> cannot be used with --mode server");
-#if 0
- if (options->tun_ipv6)
- msg (M_USAGE, "--tun-ipv6 cannot be used with --mode server");
-#endif
+ /* <connection> blocks force to have a remote embedded, so we check for the
+ * --remote and bail out if it is present */
+ if (options->connection_list->len >1 ||
+ options->connection_list->array[0]->remote)
+ msg (M_USAGE, "<connection> cannot be used with --mode server");
+
if (options->shaper)
msg (M_USAGE, "--shaper cannot be used with --mode server");
if (options->inetd)
msg (M_USAGE, "--inetd cannot be used with --mode server");
if (options->ipchange)
msg (M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)");
- if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCPv4_SERVER
- || ce->proto == PROTO_TCPv6_SERVER))
+ if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCP_SERVER))
msg (M_USAGE, "--mode server currently only supports "
"--proto udp or --proto tcp-server or --proto tcp6-server");
if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per))
msg (M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask)
msg (M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
-#ifdef ENABLE_OCC
- if (ce->explicit_exit_notification)
- msg (M_USAGE, "--explicit-exit-notify cannot be used with --mode server");
-#endif
if (options->routes && (options->routes->flags & RG_ENABLE))
msg (M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
if (options->route_delay_defined)
@@ -2087,9 +2148,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
msg (M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool");
if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local )
msg (M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
- if (options->ifconfig_ipv6_local && !options->tun_ipv6 )
- msg (M_INFO, "Warning: --ifconfig-ipv6 without --tun-ipv6 will not do IPv6");
-
+ if (options->allow_recursive_routing)
+ msg (M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
if (options->auth_user_pass_file)
msg (M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
if (options->ccd_exclusive && !options->client_config_dir)
@@ -2102,8 +2162,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
|| PLUGIN_OPTION_LIST (options)
|| MAN_CLIENT_AUTH_ENABLED (options));
const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
- if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && !ccnr)
- msg (M_USAGE, "--client-cert-not-required %s", postfix);
+ if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
+ msg (M_USAGE, "--verify-client-cert none|optional %s", postfix);
if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
msg (M_USAGE, "--username-as-common-name %s", postfix);
if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
@@ -2137,8 +2197,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
msg (M_USAGE, "--duplicate-cn requires --mode server");
if (options->cf_max || options->cf_per)
msg (M_USAGE, "--connect-freq requires --mode server");
- if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
- msg (M_USAGE, "--client-cert-not-required requires --mode server");
+ if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
+ msg (M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server");
if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
msg (M_USAGE, "--username-as-common-name requires --mode server");
if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)
@@ -2151,6 +2211,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
"tcp-nodelay in the server configuration instead.");
if (options->auth_user_pass_verify_script)
msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
+ if (options->auth_token_generate)
+ msg (M_USAGE, "--auth-gen-token requires --mode server");
#if PORT_SHARE
if (options->port_share_host || options->port_share_port)
msg (M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
@@ -2165,14 +2227,14 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
#ifdef ENABLE_CRYPTO
+ if (options->ncp_enabled && !tls_check_ncp_cipher_list(options->ncp_ciphers))
+ {
+ msg (M_USAGE, "NCP cipher list contains unsupported ciphers.");
+ }
+
/*
* Check consistency of replay options
*/
- if ((!proto_is_udp(ce->proto))
- && (options->replay_window != defaults.replay_window
- || options->replay_time != defaults.replay_time))
- msg (M_USAGE, "--replay-window only makes sense with --proto udp");
-
if (!options->replay
&& (options->replay_window != defaults.replay_window
|| options->replay_time != defaults.replay_time))
@@ -2181,16 +2243,24 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
/*
* SSL/TLS mode sanity checks.
*/
-
-#ifdef ENABLE_SSL
if (options->tls_server + options->tls_client +
(options->shared_secret_file != NULL) > 1)
msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
- if (options->tls_server)
+ if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
+ {
+ msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
+ "--verify-client-cert none|optional (or --client-cert-not-required) "
+ "may accept clients which do not present a certificate");
+ }
+
+ if (options->key_method == 1)
{
- notnull (options->dh_file, "DH file (--dh)");
+ msg (M_WARN, "WARNING: --key-method 1 is deprecated and will be removed "
+ "in OpenVPN 2.5. By default --key-method 2 will be used if not set "
+ "in the configuration file, which is the recommended approach.");
}
+
if (options->tls_server || options->tls_client)
{
#ifdef ENABLE_PKCS11
@@ -2209,6 +2279,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
#ifdef MANAGMENT_EXTERNAL_KEY
if (options->management_flags & MF_EXTERNAL_KEY)
msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
+ if (options->management_flags & MF_EXTERNAL_CERT)
+ msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
#endif
if (options->pkcs12_file)
msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
@@ -2224,6 +2296,13 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
{
msg (M_USAGE, "--key and --management-external-key are mutually exclusive");
}
+ else if((options->management_flags & MF_EXTERNAL_CERT))
+ {
+ if (options->cert_file)
+ msg (M_USAGE, "--cert and --management-external-cert are mutually exclusive");
+ else if(!(options->management_flags & MF_EXTERNAL_KEY))
+ msg (M_USAGE, "--management-external-cert must be used with --management-external-key");
+ }
else
#endif
#ifdef ENABLE_CRYPTOAPI
@@ -2240,14 +2319,16 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
#ifdef MANAGMENT_EXTERNAL_KEY
if (options->management_flags & MF_EXTERNAL_KEY)
msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
+ if (options->management_flags & MF_EXTERNAL_CERT)
+ msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
#endif
}
else
#endif
if (options->pkcs12_file)
{
-#ifdef ENABLE_CRYPTO_POLARSSL
- msg(M_USAGE, "Parameter --pkcs12 cannot be used with the PolarSSL version version of OpenVPN.");
+#ifdef ENABLE_CRYPTO_MBEDTLS
+ msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
#else
if (options->ca_path)
msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");
@@ -2257,17 +2338,19 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified.");
#ifdef MANAGMENT_EXTERNAL_KEY
if (options->management_flags & MF_EXTERNAL_KEY)
- msg(M_USAGE, "Parameter --external-management-key cannot be used when --pkcs12 is also specified.");
+ msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
+ if (options->management_flags & MF_EXTERNAL_CERT)
+ msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
#endif
#endif
}
else
{
-#ifdef ENABLE_CRYPTO_POLARSSL
+#ifdef ENABLE_CRYPTO_MBEDTLS
if (!(options->ca_file))
msg(M_USAGE, "You must define CA file (--ca)");
if (options->ca_path)
- msg(M_USAGE, "Parameter --capath cannot be used with the PolarSSL version version of OpenVPN.");
+ msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
#else
if ((!(options->ca_file)) && (!(options->ca_path)))
msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
@@ -2275,14 +2358,14 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
if (pull)
{
- const int sum = (options->cert_file != NULL) +
+ const int sum =
#ifdef MANAGMENT_EXTERNAL_KEY
- ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
+ ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT)) +
+ ((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY));
#else
- (options->priv_key_file != NULL);
+ (options->cert_file != NULL) + (options->priv_key_file != NULL);
#endif
-
if (sum == 0)
{
#if P2MP
@@ -2299,6 +2382,9 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
}
else
{
+#ifdef MANAGMENT_EXTERNAL_KEY
+ if (!(options->management_flags & MF_EXTERNAL_CERT))
+#endif
notnull (options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
#ifdef MANAGMENT_EXTERNAL_KEY
if (!(options->management_flags & MF_EXTERNAL_KEY))
@@ -2306,6 +2392,10 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
notnull (options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)");
}
}
+ if (options->tls_auth_file && options->tls_crypt_file)
+ {
+ msg (M_USAGE, "--tls-auth and --tls-crypt are mutually exclusive");
+ }
}
else
{
@@ -2323,7 +2413,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
MUST_BE_UNDEF (dh_file);
MUST_BE_UNDEF (cert_file);
MUST_BE_UNDEF (priv_key_file);
-#ifndef ENABLE_CRYPTO_POLARSSL
+#ifndef ENABLE_CRYPTO_MBEDTLS
MUST_BE_UNDEF (pkcs12_file);
#endif
MUST_BE_UNDEF (cipher_list);
@@ -2337,6 +2427,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
MUST_BE_UNDEF (handshake_window);
MUST_BE_UNDEF (transition_window);
MUST_BE_UNDEF (tls_auth_file);
+ MUST_BE_UNDEF (tls_crypt_file);
MUST_BE_UNDEF (single_session);
#ifdef ENABLE_PUSH_PEER_INFO
MUST_BE_UNDEF (push_peer_info);
@@ -2353,16 +2444,12 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
MUST_BE_UNDEF (pkcs11_id);
MUST_BE_UNDEF (pkcs11_id_management);
#endif
-#if P2MP
- MUST_BE_UNDEF (server_poll_timeout);
-#endif
if (pull)
msg (M_USAGE, err, "--pull");
}
#undef MUST_BE_UNDEF
#endif /* ENABLE_CRYPTO */
-#endif /* ENABLE_SSL */
#if P2MP
if (options->auth_user_pass_file && !options->pull)
@@ -2380,35 +2467,29 @@ options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)
#if P2MP_SERVER
if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp)
{
- if (ce->proto == PROTO_TCPv4)
- ce->proto = PROTO_TCPv4_SERVER;
- else if (ce->proto == PROTO_TCPv6)
- ce->proto = PROTO_TCPv6_SERVER;
+ if (ce->proto == PROTO_TCP)
+ ce->proto = PROTO_TCP_SERVER;
}
#endif
#if P2MP
if (o->client)
{
- if (ce->proto == PROTO_TCPv4)
- ce->proto = PROTO_TCPv4_CLIENT;
- else if (ce->proto == PROTO_TCPv6)
- ce->proto = PROTO_TCPv6_CLIENT;
+ if (ce->proto == PROTO_TCP)
+ ce->proto = PROTO_TCP_CLIENT;
}
#endif
- if (ce->proto == PROTO_TCPv4_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
+ if (ce->proto == PROTO_TCP_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined)
ce->bind_local = false;
-#ifdef ENABLE_SOCKS
- if (ce->proto == PROTO_UDPv4 && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
+ if (ce->proto == PROTO_UDP && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined)
ce->bind_local = false;
-#endif
if (!ce->bind_local)
- ce->local_port = 0;
+ ce->local_port = NULL;
/* if protocol forcing is enabled, disable all protocols except for the forced one */
- if (o->proto_force >= 0 && proto_is_tcp(o->proto_force) != proto_is_tcp(ce->proto))
+ if (o->proto_force >= 0 && o->proto_force != ce->proto)
ce->flags |= CE_DISABLED;
/*
@@ -2445,7 +2526,9 @@ options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)
static void
options_postprocess_mutate_invariant (struct options *options)
{
+#ifdef _WIN32
const int dev = dev_type_enum (options->dev, options->dev_type);
+#endif
/*
* In forking TCP server mode, you don't need to ifconfig
@@ -2454,7 +2537,7 @@ options_postprocess_mutate_invariant (struct options *options)
if (options->inetd == INETD_NOWAIT)
options->ifconfig_noexec = true;
-#ifdef WIN32
+#ifdef _WIN32
if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined)
{
if (options->mode == MODE_POINT_TO_POINT)
@@ -2477,7 +2560,7 @@ options_postprocess_mutate_invariant (struct options *options)
*/
if (options->mode == MODE_SERVER)
{
-#ifdef WIN32
+#ifdef _WIN32
/*
* We need to explicitly set --tap-sleep because
* we do not schedule event timers in the top-level context.
@@ -2516,6 +2599,7 @@ options_postprocess_verify (const struct options *o)
static void
options_postprocess_mutate (struct options *o)
{
+ int i;
/*
* Process helper-type options which map to other, more complex
* sequences of options.
@@ -2529,48 +2613,57 @@ options_postprocess_mutate (struct options *o)
if (o->remote_list && !o->connection_list)
{
/*
- * For compatibility with 2.0.x, map multiple --remote options
- * into connection list (connection lists added in 2.1).
+ * Convert remotes into connection list
*/
- if (o->remote_list->len > 1 || o->force_connection_list)
- {
- const struct remote_list *rl = o->remote_list;
- int i;
- for (i = 0; i < rl->len; ++i)
- {
- const struct remote_entry *re = rl->array[i];
- struct connection_entry ce = o->ce;
- struct connection_entry *ace;
-
- ASSERT (re->remote);
- connection_entry_load_re (&ce, re);
- ace = alloc_connection_entry (o, M_USAGE);
- ASSERT (ace);
- *ace = ce;
- }
- }
- else if (o->remote_list->len == 1) /* one --remote option specified */
- {
- connection_entry_load_re (&o->ce, o->remote_list->array[0]);
- }
- else
- {
- ASSERT (0);
- }
+ const struct remote_list *rl = o->remote_list;
+ for (i = 0; i < rl->len; ++i)
+ {
+ const struct remote_entry *re = rl->array[i];
+ struct connection_entry ce = o->ce;
+ struct connection_entry *ace;
+
+ ASSERT (re->remote);
+ connection_entry_load_re (&ce, re);
+ ace = alloc_connection_entry (o, M_USAGE);
+ ASSERT (ace);
+ *ace = ce;
+ }
}
- if (o->connection_list)
+ else if(!o->remote_list && !o->connection_list)
{
- int i;
- for (i = 0; i < o->connection_list->len; ++i)
+ struct connection_entry *ace;
+ ace = alloc_connection_entry (o, M_USAGE);
+ ASSERT (ace);
+ *ace = o->ce;
+ }
+
+ ASSERT (o->connection_list);
+ for (i = 0; i < o->connection_list->len; ++i)
options_postprocess_mutate_ce (o, o->connection_list->array[i]);
-#if HTTP_PROXY_OVERRIDE
- if (o->http_proxy_override)
+#ifdef ENABLE_CRYPTO
+ if (o->tls_server)
+ {
+ /* Check that DH file is specified, or explicitly disabled */
+ notnull (o->dh_file, "DH file (--dh)");
+ if (streq (o->dh_file, "none"))
+ o->dh_file = NULL;
+ }
+
+ /* cipher negotiation (NCP) currently assumes --pull or --mode server */
+ if ( o->ncp_enabled &&
+ ! (o->pull || o->mode == MODE_SERVER) )
+ {
+ msg( M_WARN, "disabling NCP mode (--ncp-disable) because not "
+ "in P2MP client or server mode" );
+ o->ncp_enabled = false;
+ }
+#endif
+
+#if ENABLE_MANAGEMENT
+ if (o->http_proxy_override)
options_postprocess_http_proxy_override(o);
#endif
- }
- else
- options_postprocess_mutate_ce (o, &o->ce);
#ifdef ENABLE_CRYPTOAPI
if (o->cryptoapi_cert)
@@ -2609,6 +2702,7 @@ options_postprocess_mutate (struct options *o)
#define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */
#define CHKACC_INLINE (1<<3) /** File is present if it's an inline file */
#define CHKACC_ACPTSTDIN (1<<4) /** If filename is stdin, it's allowed and "exists" */
+#define CHKACC_PRIVATE (1<<5) /** Warn if this (private) file is group/others accessible */
static bool
check_file_access(const int type, const char *file, const int mode, const char *opt)
@@ -2649,6 +2743,23 @@ check_file_access(const int type, const char *file, const int mode, const char *
if (platform_access (file, W_OK) != 0)
errcode = errno;
+ /* Warn if a given private file is group/others accessible. */
+ if (type & CHKACC_PRIVATE)
+ {
+ platform_stat_t st;
+ if (platform_stat (file, &st))
+ {
+ msg (M_WARN | M_ERRNO, "WARNING: cannot stat file '%s'", file);
+ }
+#ifndef _WIN32
+ else
+ {
+ if (st.st_mode & (S_IRWXG|S_IRWXO))
+ msg (M_WARN, "WARNING: file '%s' is group or others accessible", file);
+ }
+#endif
+ }
+
/* Scream if an error is found */
if( errcode > 0 )
msg (M_NOPREFIX|M_OPTERR, "%s fails with '%s': %s",
@@ -2724,7 +2835,7 @@ check_cmd_access(const char *command, const char *opt, const char *chroot)
/* Extract executable path and arguments */
argv = argv_new ();
- argv_printf (&argv, "%sc", command);
+ argv_parse_cmd (&argv, command);
/* if an executable is specified then check it; otherwise, complain */
if (argv.argv[0])
@@ -2754,8 +2865,8 @@ options_postprocess_filechecks (struct options *options)
{
bool errs = false;
+#ifdef ENABLE_CRYPTO
/* ** SSL/TLS/crypto related files ** */
-#ifdef ENABLE_SSL
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->dh_file, R_OK, "--dh");
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->ca_file, R_OK, "--ca");
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath");
@@ -2765,41 +2876,40 @@ options_postprocess_filechecks (struct options *options)
#ifdef MANAGMENT_EXTERNAL_KEY
if(!(options->management_flags & MF_EXTERNAL_KEY))
#endif
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->priv_key_file, R_OK,
- "--key");
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->pkcs12_file, R_OK,
- "--pkcs12");
+ {
+ errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
+ options->priv_key_file, R_OK, "--key");
+ }
+ errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
+ options->pkcs12_file, R_OK, "--pkcs12");
if (options->ssl_flags & SSLF_CRL_VERIFY_DIR)
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK,
"--crl-verify directory");
else
- errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK,
- "--crl-verify");
-
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->tls_auth_file, R_OK,
- "--tls-auth");
-#endif /* ENABLE_SSL */
-#ifdef ENABLE_CRYPTO
- errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->shared_secret_file, R_OK,
- "--secret");
+ errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE|CHKACC_INLINE,
+ options->crl_file, R_OK, "--crl-verify");
+
+ errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
+ options->tls_auth_file, R_OK, "--tls-auth");
+ errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
+ options->tls_crypt_file, R_OK, "--tls-crypt");
+ errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE|CHKACC_PRIVATE,
+ options->shared_secret_file, R_OK, "--secret");
errs |= check_file_access (CHKACC_DIRPATH|CHKACC_FILEXSTWR,
- options->packet_id_file, R_OK|W_OK, "--replay-persist");
-#endif /* ENABLE_CRYPTO */
-
+ options->packet_id_file, R_OK|W_OK, "--replay-persist");
/* ** Password files ** */
-#ifdef ENABLE_SSL
- errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,
- options->key_pass_file, R_OK, "--askpass");
-#endif /* ENABLE_SSL */
+ errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
+ options->key_pass_file, R_OK, "--askpass");
+#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_MANAGEMENT
- errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,
+ errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
options->management_user_pass, R_OK,
"--management user/password file");
#endif /* ENABLE_MANAGEMENT */
#if P2MP
- errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN,
+ errs |= check_file_access (CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE,
options->auth_user_pass_file, R_OK,
"--auth-user-pass");
#endif /* P2MP */
@@ -2815,10 +2925,10 @@ options_postprocess_filechecks (struct options *options)
R_OK|W_OK, "--status");
/* ** Config related ** */
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->tls_export_cert,
R_OK|W_OK|X_OK, "--tls-export-cert");
-#endif /* ENABLE_SSL */
+#endif /* ENABLE_CRYPTO */
#if P2MP_SERVER
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->client_config_dir,
R_OK|X_OK, "--client-config-dir");
@@ -2872,18 +2982,16 @@ pre_pull_save (struct options *o)
o->pre_pull->routes_ipv6 = clone_route_ipv6_option_list(o->routes_ipv6, &o->gc);
o->pre_pull->routes_ipv6_defined = true;
}
-#ifdef ENABLE_CLIENT_NAT
if (o->client_nat)
{
o->pre_pull->client_nat = clone_client_nat_option_list(o->client_nat, &o->gc);
o->pre_pull->client_nat_defined = true;
}
-#endif
}
}
void
-pre_pull_restore (struct options *o)
+pre_pull_restore (struct options *o, struct gc_arena *gc)
{
const struct options_pre_pull *pp = o->pre_pull;
if (pp)
@@ -2895,7 +3003,7 @@ pre_pull_restore (struct options *o)
if (pp->routes_defined)
{
rol_check_alloc (o);
- copy_route_option_list (o->routes, pp->routes);
+ copy_route_option_list (o->routes, pp->routes, gc);
}
else
o->routes = NULL;
@@ -2903,12 +3011,11 @@ pre_pull_restore (struct options *o)
if (pp->routes_ipv6_defined)
{
rol6_check_alloc (o);
- copy_route_ipv6_option_list (o->routes_ipv6, pp->routes_ipv6);
+ copy_route_ipv6_option_list (o->routes_ipv6, pp->routes_ipv6, gc);
}
else
o->routes_ipv6 = NULL;
-#ifdef ENABLE_CLIENT_NAT
if (pp->client_nat_defined)
{
cnol_check_alloc (o);
@@ -2916,7 +3023,6 @@ pre_pull_restore (struct options *o)
}
else
o->client_nat = NULL;
-#endif
o->foreign_option_index = pp->foreign_option_index;
}
@@ -2929,6 +3035,37 @@ pre_pull_restore (struct options *o)
#ifdef ENABLE_OCC
+/**
+ * Calculate the link-mtu to advertise to our peer. The actual value is not
+ * relevant, because we will possibly perform data channel cipher negotiation
+ * after this, but older clients will log warnings if we do not supply them the
+ * value they expect. This assumes that the traditional cipher/auth directives
+ * in the config match the config of the peer.
+ */
+static size_t
+calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
+{
+ size_t link_mtu = EXPANDED_SIZE (frame);
+#ifdef ENABLE_CRYPTO
+ if (o->pull || o->mode == MODE_SERVER)
+ {
+ struct frame fake_frame = *frame;
+ struct key_type fake_kt;
+ init_key_type (&fake_kt, o->ciphername, o->authname, o->keysize, true,
+ false);
+ frame_add_to_extra_frame (&fake_frame, -(crypto_max_overhead()));
+ crypto_adjust_frame_parameters (&fake_frame, &fake_kt, o->use_iv,
+ o->replay, cipher_kt_mode_ofb_cfb (fake_kt.cipher));
+ frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
+ o->ce.tun_mtu_defined, o->ce.tun_mtu);
+ msg (D_MTU_DEBUG, "%s: link-mtu %u -> %d", __func__, (unsigned int) link_mtu,
+ EXPANDED_SIZE (&fake_frame));
+ link_mtu = EXPANDED_SIZE (&fake_frame);
+ }
+#endif
+ return link_mtu;
+}
+
/*
* Build an options string to represent data channel encryption options.
* This string must match exactly between peers. The keysize is checked
@@ -2953,6 +3090,7 @@ pre_pull_restore (struct options *o)
* the other end of the connection]
*
* --comp-lzo
+ * --compress alg
* --fragment
*
* Crypto Options:
@@ -2972,7 +3110,6 @@ pre_pull_restore (struct options *o)
* --tls-server [matched with --tls-client on
* the other end of the connection]
*/
-
char *
options_string (const struct options *o,
const struct frame *frame,
@@ -2990,14 +3127,14 @@ options_string (const struct options *o,
*/
buf_printf (&out, ",dev-type %s", dev_type_string (o->dev, o->dev_type));
- buf_printf (&out, ",link-mtu %d", EXPANDED_SIZE (frame));
+ buf_printf (&out, ",link-mtu %u", (unsigned int) calc_options_string_link_mtu(o, frame));
buf_printf (&out, ",tun-mtu %d", PAYLOAD_SIZE (frame));
- buf_printf (&out, ",proto %s", proto2ascii (proto_remote (o->ce.proto, remote), true));
+ buf_printf (&out, ",proto %s", proto_remote (o->ce.proto, remote));
/* send tun_ipv6 only in peer2peer mode - in client/server mode, it
* is usually pushed by the server, triggering a non-helpful warning
*/
- if (o->tun_ipv6 && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
+ if (o->ifconfig_ipv6_local && o->mode == MODE_POINT_TO_POINT && !PULL_DEFINED(o))
buf_printf (&out, ",tun-ipv6");
/*
@@ -3014,8 +3151,8 @@ options_string (const struct options *o,
o->ifconfig_ipv6_local,
o->ifconfig_ipv6_netbits,
o->ifconfig_ipv6_remote,
- (in_addr_t)0,
- (in_addr_t)0,
+ NULL,
+ NULL,
false,
NULL);
if (tt)
@@ -3034,9 +3171,9 @@ options_string (const struct options *o,
tt = NULL;
}
-#ifdef ENABLE_LZO
- if (o->lzo & LZO_SELECTED)
- buf_printf (&out, ",comp-lzo");
+#ifdef USE_COMP
+ if (o->comp.alg != COMP_ALG_UNDEF)
+ buf_printf (&out, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
#endif
#ifdef ENABLE_FRAGMENT
@@ -3046,13 +3183,8 @@ options_string (const struct options *o,
#ifdef ENABLE_CRYPTO
-#ifdef ENABLE_SSL
#define TLS_CLIENT (o->tls_client)
#define TLS_SERVER (o->tls_server)
-#else
-#define TLS_CLIENT (false)
-#define TLS_SERVER (false)
-#endif
/*
* Key direction
@@ -3075,11 +3207,11 @@ options_string (const struct options *o,
+ (TLS_SERVER == true)
<= 1);
- init_key_type (&kt, o->ciphername, o->ciphername_defined,
- o->authname, o->authname_defined,
- o->keysize, true, false);
+ init_key_type (&kt, o->ciphername, o->authname, o->keysize, true,
+ false);
- buf_printf (&out, ",cipher %s", cipher_kt_name (kt.cipher));
+ buf_printf (&out, ",cipher %s",
+ translate_cipher_name_to_openvpn(cipher_kt_name (kt.cipher)));
buf_printf (&out, ",auth %s", md_kt_name (kt.digest));
buf_printf (&out, ",keysize %d", kt.cipher_length * 8);
if (o->shared_secret_file)
@@ -3095,7 +3227,6 @@ options_string (const struct options *o,
#endif
}
-#ifdef ENABLE_SSL
/*
* SSL Options
*/
@@ -3104,6 +3235,9 @@ options_string (const struct options *o,
{
if (o->tls_auth_file)
buf_printf (&out, ",tls-auth");
+ /* Not adding tls-crypt here, because we won't reach this code if
+ * tls-auth/tls-crypt does not match. Removing tls-auth here would
+ * break stuff, so leaving that in place. */
if (o->key_method > 1)
buf_printf (&out, ",key-method %d", o->key_method);
@@ -3124,7 +3258,6 @@ options_string (const struct options *o,
buf_printf (&out, ",tls-server");
}
}
-#endif /* ENABLE_SSL */
#undef TLS_CLIENT
#undef TLS_SERVER
@@ -3447,10 +3580,11 @@ usage (void)
struct options o;
init_options (&o, true);
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
+#ifdef ENABLE_CRYPTO
fprintf (fp, usage_message,
title_string,
o.ce.connect_retry_seconds,
+ o.ce.connect_retry_seconds_max,
o.ce.local_port, o.ce.remote_port,
TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
o.verbosity,
@@ -3458,15 +3592,6 @@ usage (void)
o.replay_window, o.replay_time,
o.tls_timeout, o.renegotiate_seconds,
o.handshake_window, o.transition_window);
-#elif defined(ENABLE_CRYPTO)
- fprintf (fp, usage_message,
- title_string,
- o.ce.connect_retry_seconds,
- o.ce.local_port, o.ce.remote_port,
- TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
- o.verbosity,
- o.authname, o.ciphername,
- o.replay_window, o.replay_time);
#else
fprintf (fp, usage_message,
title_string,
@@ -3489,7 +3614,7 @@ usage_small (void)
openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
}
-#ifdef WIN32
+#ifdef _WIN32
void show_windows_version(const unsigned int flags)
{
struct gc_arena gc = gc_new ();
@@ -3501,7 +3626,7 @@ void show_windows_version(const unsigned int flags)
void
show_library_versions(const unsigned int flags)
{
-#ifdef ENABLE_SSL
+#ifdef ENABLE_CRYPTO
#define SSL_LIB_VER_STR get_ssl_library_version()
#else
#define SSL_LIB_VER_STR ""
@@ -3523,7 +3648,7 @@ usage_version (void)
{
msg (M_INFO|M_NOPREFIX, "%s", title_string);
show_library_versions( M_INFO|M_NOPREFIX );
-#ifdef WIN32
+#ifdef _WIN32
show_windows_version( M_INFO|M_NOPREFIX );
#endif
msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
@@ -3535,9 +3660,6 @@ usage_version (void)
#ifdef CONFIGURE_SPECIAL_BUILD
msg (M_INFO|M_NOPREFIX, "special build: %s", CONFIGURE_SPECIAL_BUILD);
#endif
-#ifdef CONFIGURE_GIT_REVISION
- msg (M_INFO|M_NOPREFIX, "git revision: %s", CONFIGURE_GIT_REVISION);
-#endif
#endif
openvpn_exit (OPENVPN_EXIT_STATUS_USAGE); /* exit point */
}
@@ -3573,7 +3695,7 @@ positive_atoi (const char *str)
return i < 0 ? 0 : i;
}
-#ifdef WIN32 /* This function is only used when compiling on Windows */
+#ifdef _WIN32 /* This function is only used when compiling on Windows */
static unsigned int
atou (const char *str)
{
@@ -3809,7 +3931,7 @@ read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc)
buf_printf (&buf, "%s", line);
}
if (!endtagfound)
- msg (M_WARN, "WARNING: Endtag %s missing", close_tag);
+ msg (M_FATAL, "ERROR: Endtag %s missing", close_tag);
ret = string_alloc (BSTR (&buf), gc);
buf_clear (&buf);
free_buf (&buf);
@@ -4019,6 +4141,45 @@ parse_argv (struct options *options,
}
}
+/**
+ * Filter an option line by all pull filters.
+ *
+ * If a match is found, the line is modified depending on
+ * the filter type, and returns true. If the filter type is
+ * reject, SIGUSR1 is triggered and the return value is false.
+ * In that case the caller must end the push processing.
+ */
+static bool
+apply_pull_filter (const struct options *o, char *line)
+{
+ struct pull_filter *f;
+
+ if (!o->pull_filter_list) return true;
+
+ for (f = o->pull_filter_list->head; f; f = f->next)
+ {
+ if (f->type == PUF_TYPE_ACCEPT && strncmp (line, f->pattern, f->size) == 0)
+ {
+ msg (D_LOW, "Pushed option accepted by filter: '%s'", line);
+ return true;
+ }
+ else if (f->type == PUF_TYPE_IGNORE && strncmp (line, f->pattern, f->size) == 0)
+ {
+ msg (D_PUSH, "Pushed option removed by filter: '%s'", line);
+ *line = '\0';
+ return true;
+ }
+ else if (f->type == PUF_TYPE_REJECT && strncmp (line, f->pattern, f->size) == 0)
+ {
+ msg (M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
+ *line = '\0';
+ throw_signal_soft (SIGUSR1, "Offending option received from server");
+ return false;
+ }
+ }
+ return true;
+}
+
bool
apply_push_options (struct options *options,
struct buffer *buf,
@@ -4036,6 +4197,10 @@ apply_push_options (struct options *options,
char *p[MAX_PARMS];
CLEAR (p);
++line_num;
+ if (!apply_pull_filter(options, line))
+ {
+ return false; /* Cause push/pull error and stop push processing */
+ }
if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
{
add_option (options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
@@ -4222,13 +4387,18 @@ add_option (struct options *options,
{
VERIFY_PERMISSION (OPT_P_GENERAL);
usage ();
+ if (p[1])
+ {
+ msg (msglevel, "--help does not accept any parameters");
+ goto err;
+ }
}
- if (streq (p[0], "version"))
+ if (streq (p[0], "version") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
usage_version ();
}
- else if (streq (p[0], "config") && p[1])
+ else if (streq (p[0], "config") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_CONFIG);
@@ -4239,12 +4409,17 @@ add_option (struct options *options,
read_config_file (options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es);
}
#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
- else if (streq (p[0], "show-gateway"))
+ else if (streq (p[0], "show-gateway") && !p[2])
{
struct route_gateway_info rgi;
+ struct route_ipv6_gateway_info rgi6;
+ struct in6_addr remote = IN6ADDR_ANY_INIT;
VERIFY_PERMISSION (OPT_P_GENERAL);
+ if (p[1])
+ get_ipv6_addr (p[1], &remote, NULL, M_WARN);
get_default_gateway(&rgi);
- print_default_gateway(M_INFO, &rgi);
+ get_default_gateway_ipv6(&rgi6, &remote);
+ print_default_gateway(M_INFO, &rgi, &rgi6);
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
#endif
@@ -4289,10 +4464,8 @@ add_option (struct options *options,
msg (M_WARN, "echo/parameter option overflow");
}
#ifdef ENABLE_MANAGEMENT
- else if (streq (p[0], "management") && p[1] && p[2])
+ else if (streq (p[0], "management") && p[1] && p[2] && !p[4])
{
- int port = 0;
-
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[2], "unix"))
{
@@ -4303,104 +4476,93 @@ add_option (struct options *options,
goto err;
#endif
}
- else
- {
- port = atoi (p[2]);
- if (!legal_ipv4_port (port))
- {
- msg (msglevel, "port number associated with --management directive is out of range");
- goto err;
- }
- }
options->management_addr = p[1];
- options->management_port = port;
+ options->management_port = p[2];
if (p[3])
{
options->management_user_pass = p[3];
}
}
- else if (streq (p[0], "management-client-user") && p[1])
+ else if (streq (p[0], "management-client-user") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_client_user = p[1];
}
- else if (streq (p[0], "management-client-group") && p[1])
+ else if (streq (p[0], "management-client-group") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_client_group = p[1];
}
- else if (streq (p[0], "management-query-passwords"))
+ else if (streq (p[0], "management-query-passwords") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_QUERY_PASSWORDS;
}
- else if (streq (p[0], "management-query-remote"))
+ else if (streq (p[0], "management-query-remote") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_QUERY_REMOTE;
}
- else if (streq (p[0], "management-query-proxy"))
+ else if (streq (p[0], "management-query-proxy") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_QUERY_PROXY;
- options->force_connection_list = true;
}
- else if (streq (p[0], "management-hold"))
+ else if (streq (p[0], "management-hold") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_HOLD;
}
- else if (streq (p[0], "management-signal"))
+ else if (streq (p[0], "management-signal") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_SIGNAL;
}
- else if (streq (p[0], "management-forget-disconnect"))
+ else if (streq (p[0], "management-forget-disconnect") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_FORGET_DISCONNECT;
}
- else if (streq (p[0], "management-up-down"))
+ else if (streq (p[0], "management-up-down") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_UP_DOWN;
}
- else if (streq (p[0], "management-client"))
+ else if (streq (p[0], "management-client") && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_CONNECT_AS_CLIENT;
options->management_write_peer_info_file = p[1];
}
#ifdef MANAGMENT_EXTERNAL_KEY
- else if (streq (p[0], "management-external-key"))
+ else if (streq (p[0], "management-external-key") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= MF_EXTERNAL_KEY;
}
-#endif
-#ifdef MANAGEMENT_DEF_AUTH
- else if (streq (p[0], "management-client-auth"))
+ else if (streq (p[0], "management-external-cert") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
- options->management_flags |= MF_CLIENT_AUTH;
+ options->management_flags |= MF_EXTERNAL_CERT;
+ options->management_certificate = p[1];
}
#endif
-#ifdef ENABLE_X509_TRACK
- else if (streq (p[0], "x509-track") && p[1])
+#ifdef MANAGEMENT_DEF_AUTH
+ else if (streq (p[0], "management-client-auth") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
- x509_track_add (&options->x509_track, p[1], msglevel, &options->gc);
+ options->management_flags |= MF_CLIENT_AUTH;
}
#endif
#ifdef MANAGEMENT_PF
- else if (streq (p[0], "management-client-pf"))
+ else if (streq (p[0], "management-client-pf") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH);
}
#endif
- else if (streq (p[0], "management-log-cache") && p[1])
+ else if (streq (p[0], "management-log-cache") && p[1] && !p[2])
{
int cache;
@@ -4415,7 +4577,7 @@ add_option (struct options *options,
}
#endif
#ifdef ENABLE_PLUGIN
- else if (streq (p[0], "plugin") && p[1])
+ else if (streq (p[0], "plugin") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_PLUGIN);
if (!options->plugin_list)
@@ -4427,7 +4589,7 @@ add_option (struct options *options,
}
}
#endif
- else if (streq (p[0], "mode") && p[1])
+ else if (streq (p[0], "mode") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "p2p"))
@@ -4442,22 +4604,22 @@ add_option (struct options *options,
goto err;
}
}
- else if (streq (p[0], "dev") && p[1])
+ else if (streq (p[0], "dev") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->dev = p[1];
}
- else if (streq (p[0], "dev-type") && p[1])
+ else if (streq (p[0], "dev-type") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->dev_type = p[1];
}
- else if (streq (p[0], "dev-node") && p[1])
+ else if (streq (p[0], "dev-node") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->dev_node = p[1];
}
- else if (streq (p[0], "lladdr") && p[1])
+ else if (streq (p[0], "lladdr") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_UP);
if (mac_addr_safe (p[1])) /* MAC address only */
@@ -4468,24 +4630,24 @@ add_option (struct options *options,
goto err;
}
}
- else if (streq (p[0], "topology") && p[1])
+ else if (streq (p[0], "topology") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_UP);
options->topology = parse_topology (p[1], msglevel);
}
- else if (streq (p[0], "tun-ipv6"))
+ else if (streq (p[0], "tun-ipv6") && !p[1])
{
VERIFY_PERMISSION (OPT_P_UP);
- options->tun_ipv6 = true;
+ msg (M_WARN, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
}
#ifdef ENABLE_IPROUTE
- else if (streq (p[0], "iproute") && p[1])
+ else if (streq (p[0], "iproute") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
iproute_path = p[1];
}
#endif
- else if (streq (p[0], "ifconfig") && p[1] && p[2])
+ else if (streq (p[0], "ifconfig") && p[1] && p[2] && !p[3])
{
VERIFY_PERMISSION (OPT_P_UP);
if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */
@@ -4499,7 +4661,7 @@ add_option (struct options *options,
goto err;
}
}
- else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] )
+ else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
{
unsigned int netbits;
@@ -4523,27 +4685,27 @@ add_option (struct options *options,
goto err;
}
}
- else if (streq (p[0], "ifconfig-noexec"))
+ else if (streq (p[0], "ifconfig-noexec") && !p[1])
{
VERIFY_PERMISSION (OPT_P_UP);
options->ifconfig_noexec = true;
}
- else if (streq (p[0], "ifconfig-nowarn"))
+ else if (streq (p[0], "ifconfig-nowarn") && !p[1])
{
VERIFY_PERMISSION (OPT_P_UP);
options->ifconfig_nowarn = true;
}
- else if (streq (p[0], "local") && p[1])
+ else if (streq (p[0], "local") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.local = p[1];
}
- else if (streq (p[0], "remote-random"))
+ else if (streq (p[0], "remote-random") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->remote_random = true;
}
- else if (streq (p[0], "connection") && p[1])
+ else if (streq (p[0], "connection") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], INLINE_FILE_TAG) && p[2])
@@ -4605,47 +4767,38 @@ add_option (struct options *options,
options->ignore_unknown_option[i] = NULL;
}
- else if (streq (p[0], "remote-ip-hint") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->remote_ip_hint = p[1];
- }
-#if HTTP_PROXY_OVERRIDE
- else if (streq (p[0], "http-proxy-override") && p[1] && p[2])
+#if ENABLE_MANAGEMENT
+ else if (streq (p[0], "http-proxy-override") && p[1] && p[2] && !p[4])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc);
if (!options->http_proxy_override)
goto err;
- options->force_connection_list = true;
}
#endif
- else if (streq (p[0], "remote") && p[1])
+ else if (streq (p[0], "remote") && p[1] && !p[4])
{
struct remote_entry re;
- re.remote = NULL;
- re.remote_port = re.proto = -1;
+ re.remote = re.remote_port= NULL;
+ re.proto = -1;
+ re.af=0;
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
re.remote = p[1];
if (p[2])
{
- const int port = atoi (p[2]);
- if (!legal_ipv4_port (port))
- {
- msg (msglevel, "remote: port number associated with host %s is out of range", p[1]);
- goto err;
- }
- re.remote_port = port;
+ re.remote_port = p[2];
if (p[3])
{
const int proto = ascii2proto (p[3]);
+ const sa_family_t af = ascii2af (p[3]);
if (proto < 0)
{
msg (msglevel, "remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
goto err;
}
re.proto = proto;
+ re.af = af;
}
}
if (permission_mask & OPT_P_GENERAL)
@@ -4660,7 +4813,7 @@ add_option (struct options *options,
connection_entry_load_re (&options->ce, &re);
}
}
- else if (streq (p[0], "resolv-retry") && p[1])
+ else if (streq (p[0], "resolv-retry") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "infinite"))
@@ -4668,22 +4821,44 @@ add_option (struct options *options,
else
options->resolve_retry_seconds = positive_atoi (p[1]);
}
- else if (streq (p[0], "connect-retry") && p[1])
+ else if ((streq (p[0], "preresolve") || streq (p[0], "ip-remote-hint")) && !p[2])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->resolve_in_advance = true;
+ /* Note the ip-remote-hint and the argument p[1] are for
+ backward compatibility */
+ if (p[1])
+ options->ip_remote_hint=p[1];
+ }
+ else if (streq (p[0], "connect-retry") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.connect_retry_seconds = positive_atoi (p[1]);
- options->ce.connect_retry_defined = true;
+ /*
+ * Limit the base value of retry wait interval to 16 bits to avoid
+ * overflow when scaled up for exponential backoff
+ */
+ if (options->ce.connect_retry_seconds > 0xFFFF)
+ {
+ options->ce.connect_retry_seconds = 0xFFFF;
+ msg (M_WARN, "connect retry wait interval truncated to %d",
+ options->ce.connect_retry_seconds);
+ }
+
+ if (p[2])
+ options->ce.connect_retry_seconds_max =
+ max_int (positive_atoi (p[2]), options->ce.connect_retry_seconds);
}
- else if (streq (p[0], "connect-timeout") && p[1])
+ else if ((streq (p[0], "connect-timeout") || streq (p[0], "server-poll-timeout"))
+ && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.connect_timeout = positive_atoi (p[1]);
- options->ce.connect_timeout_defined = true;
}
- else if (streq (p[0], "connect-retry-max") && p[1])
+ else if (streq (p[0], "connect-retry-max") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->ce.connect_retry_max = positive_atoi (p[1]);
+ options->connect_retry_max = positive_atoi (p[1]);
}
else if (streq (p[0], "ipchange") && p[1])
{
@@ -4695,24 +4870,24 @@ add_option (struct options *options,
string_substitute (p[1], ',', ' ', &options->gc),
"ipchange", true);
}
- else if (streq (p[0], "float"))
+ else if (streq (p[0], "float") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.remote_float = true;
}
#ifdef ENABLE_DEBUG
- else if (streq (p[0], "gremlin") && p[1])
+ else if (streq (p[0], "gremlin") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->gremlin = positive_atoi (p[1]);
}
#endif
- else if (streq (p[0], "chroot") && p[1])
+ else if (streq (p[0], "chroot") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->chroot_dir = p[1];
}
- else if (streq (p[0], "cd") && p[1])
+ else if (streq (p[0], "cd") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (platform_chdir (p[1]))
@@ -4723,13 +4898,13 @@ add_option (struct options *options,
options->cd_dir = p[1];
}
#ifdef ENABLE_SELINUX
- else if (streq (p[0], "setcon") && p[1])
+ else if (streq (p[0], "setcon") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->selinux_context = p[1];
}
#endif
- else if (streq (p[0], "writepid") && p[1])
+ else if (streq (p[0], "writepid") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->writepid = p[1];
@@ -4748,27 +4923,27 @@ add_option (struct options *options,
goto err;
set_user_script (options, &options->down_script, p[1], "down", true);
}
- else if (streq (p[0], "down-pre"))
+ else if (streq (p[0], "down-pre") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->down_pre = true;
}
- else if (streq (p[0], "up-delay"))
+ else if (streq (p[0], "up-delay") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->up_delay = true;
}
- else if (streq (p[0], "up-restart"))
+ else if (streq (p[0], "up-restart") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->up_restart = true;
}
- else if (streq (p[0], "syslog"))
+ else if (streq (p[0], "syslog") && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
open_syslog (p[1], false);
}
- else if (streq (p[0], "daemon"))
+ else if (streq (p[0], "daemon") && !p[2])
{
bool didit = false;
VERIFY_PERMISSION (OPT_P_GENERAL);
@@ -4786,7 +4961,7 @@ add_option (struct options *options,
}
}
}
- else if (streq (p[0], "inetd"))
+ else if (streq (p[0], "inetd") && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (!options->inetd)
@@ -4841,44 +5016,50 @@ add_option (struct options *options,
open_syslog (name, true);
}
}
- else if (streq (p[0], "log") && p[1])
+ else if (streq (p[0], "log") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->log = true;
redirect_stdout_stderr (p[1], false);
}
- else if (streq (p[0], "suppress-timestamps"))
+ else if (streq (p[0], "suppress-timestamps") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->suppress_timestamps = true;
set_suppress_timestamps(true);
}
- else if (streq (p[0], "log-append") && p[1])
+ else if (streq (p[0], "machine-readable-output") && !p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->machine_readable_output = true;
+ set_machine_readable_output(true);
+ }
+ else if (streq (p[0], "log-append") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->log = true;
redirect_stdout_stderr (p[1], true);
}
#ifdef ENABLE_MEMSTATS
- else if (streq (p[0], "memstats") && p[1])
+ else if (streq (p[0], "memstats") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->memstats_fn = p[1];
}
#endif
- else if (streq (p[0], "mlock"))
+ else if (streq (p[0], "mlock") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->mlock = true;
}
#if ENABLE_IP_PKTINFO
- else if (streq (p[0], "multihome"))
+ else if (streq (p[0], "multihome") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->sockflags |= SF_USE_IP_PKTINFO;
}
#endif
- else if (streq (p[0], "verb") && p[1])
+ else if (streq (p[0], "verb") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_MESSAGES);
options->verbosity = positive_atoi (p[1]);
@@ -4889,17 +5070,17 @@ add_option (struct options *options,
options->verbosity);
#endif
}
- else if (streq (p[0], "mute") && p[1])
+ else if (streq (p[0], "mute") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_MESSAGES);
options->mute = positive_atoi (p[1]);
}
- else if (streq (p[0], "errors-to-stderr"))
+ else if (streq (p[0], "errors-to-stderr") && !p[1])
{
VERIFY_PERMISSION (OPT_P_MESSAGES);
errors_to_stderr();
}
- else if (streq (p[0], "status") && p[1])
+ else if (streq (p[0], "status") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->status_file = p[1];
@@ -4908,7 +5089,7 @@ add_option (struct options *options,
options->status_file_update_freq = positive_atoi (p[2]);
}
}
- else if (streq (p[0], "status-version") && p[1])
+ else if (streq (p[0], "status-version") && p[1] && !p[2])
{
int version;
@@ -4921,7 +5102,7 @@ add_option (struct options *options,
}
options->status_file_version = version;
}
- else if (streq (p[0], "remap-usr1") && p[1])
+ else if (streq (p[0], "remap-usr1") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "SIGHUP"))
@@ -4934,19 +5115,19 @@ add_option (struct options *options,
goto err;
}
}
- else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1])
+ else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
options->ce.link_mtu = positive_atoi (p[1]);
options->ce.link_mtu_defined = true;
}
- else if (streq (p[0], "tun-mtu") && p[1])
+ else if (streq (p[0], "tun-mtu") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
options->ce.tun_mtu = positive_atoi (p[1]);
options->ce.tun_mtu_defined = true;
}
- else if (streq (p[0], "tun-mtu-extra") && p[1])
+ else if (streq (p[0], "tun-mtu-extra") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
options->ce.tun_mtu_extra = positive_atoi (p[1]);
@@ -4959,41 +5140,41 @@ add_option (struct options *options,
msg (msglevel, "--mtu-dynamic has been replaced by --fragment");
goto err;
}
- else if (streq (p[0], "fragment") && p[1])
+ else if (streq (p[0], "fragment") && p[1] && !p[2])
{
/* VERIFY_PERMISSION (OPT_P_MTU); */
VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
options->ce.fragment = positive_atoi (p[1]);
}
#endif
- else if (streq (p[0], "mtu-disc") && p[1])
+ else if (streq (p[0], "mtu-disc") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION);
options->ce.mtu_discover_type = translate_mtu_discover_type_name (p[1]);
}
#ifdef ENABLE_OCC
- else if (streq (p[0], "mtu-test"))
+ else if (streq (p[0], "mtu-test") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->mtu_test = true;
}
#endif
- else if (streq (p[0], "nice") && p[1])
+ else if (streq (p[0], "nice") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_NICE);
options->nice = atoi (p[1]);
}
- else if (streq (p[0], "rcvbuf") && p[1])
+ else if (streq (p[0], "rcvbuf") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_SOCKBUF);
options->rcvbuf = positive_atoi (p[1]);
}
- else if (streq (p[0], "sndbuf") && p[1])
+ else if (streq (p[0], "sndbuf") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_SOCKBUF);
options->sndbuf = positive_atoi (p[1]);
}
- else if (streq (p[0], "mark") && p[1])
+ else if (streq (p[0], "mark") && p[1] && !p[2])
{
#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
VERIFY_PERMISSION (OPT_P_GENERAL);
@@ -5012,7 +5193,7 @@ add_option (struct options *options,
msg (msglevel, "unknown socket flag: %s", p[j]);
}
}
- else if (streq (p[0], "txqueuelen") && p[1])
+ else if (streq (p[0], "txqueuelen") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
#ifdef TARGET_LINUX
@@ -5022,7 +5203,7 @@ add_option (struct options *options,
goto err;
#endif
}
- else if (streq (p[0], "shaper") && p[1])
+ else if (streq (p[0], "shaper") && p[1] && !p[2])
{
#ifdef ENABLE_FEATURE_SHAPER
int shaper;
@@ -5042,73 +5223,54 @@ add_option (struct options *options,
goto err;
#endif /* ENABLE_FEATURE_SHAPER */
}
- else if (streq (p[0], "port") && p[1])
+ else if (streq (p[0], "port") && p[1] && !p[2])
{
- int port;
-
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- port = atoi (p[1]);
- if (!legal_ipv4_port (port))
- {
- msg (msglevel, "Bad port number: %s", p[1]);
- goto err;
- }
- options->ce.local_port = options->ce.remote_port = port;
+ options->ce.local_port = options->ce.remote_port = p[1];
}
- else if (streq (p[0], "lport") && p[1])
+ else if (streq (p[0], "lport") && p[1] && !p[2])
{
- int port;
-
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- port = atoi (p[1]);
- if ((port != 0) && !legal_ipv4_port (port))
- {
- msg (msglevel, "Bad local port number: %s", p[1]);
- goto err;
- }
options->ce.local_port_defined = true;
- options->ce.local_port = port;
+ options->ce.local_port = p[1];
}
- else if (streq (p[0], "rport") && p[1])
+ else if (streq (p[0], "rport") && p[1] && !p[2])
{
- int port;
-
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- port = atoi (p[1]);
- if (!legal_ipv4_port (port))
- {
- msg (msglevel, "Bad remote port number: %s", p[1]);
- goto err;
- }
- options->ce.remote_port = port;
+ options->ce.remote_port = p[1];
}
- else if (streq (p[0], "bind"))
+ else if (streq (p[0], "bind") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.bind_defined = true;
+ if (p[1] && streq (p[1], "ipv6only"))
+ options->ce.bind_ipv6_only=true;
+
}
- else if (streq (p[0], "nobind"))
+ else if (streq (p[0], "nobind") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
options->ce.bind_local = false;
}
- else if (streq (p[0], "fast-io"))
+ else if (streq (p[0], "fast-io") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->fast_io = true;
}
- else if (streq (p[0], "inactive") && p[1])
+ else if (streq (p[0], "inactive") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_TIMER);
options->inactivity_timeout = positive_atoi (p[1]);
if (p[2])
options->inactivity_minimum_bytes = positive_atoi (p[2]);
}
- else if (streq (p[0], "proto") && p[1])
+ else if (streq (p[0], "proto") && p[1] && !p[2])
{
int proto;
+ sa_family_t af;
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
proto = ascii2proto (p[1]);
+ af = ascii2af(p[1]);
if (proto < 0)
{
msg (msglevel, "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
@@ -5117,8 +5279,9 @@ add_option (struct options *options,
goto err;
}
options->ce.proto = proto;
+ options->ce.af = af;
}
- else if (streq (p[0], "proto-force") && p[1])
+ else if (streq (p[0], "proto-force") && p[1] && !p[2])
{
int proto_force;
VERIFY_PERMISSION (OPT_P_GENERAL);
@@ -5129,33 +5292,24 @@ add_option (struct options *options,
goto err;
}
options->proto_force = proto_force;
- options->force_connection_list = true;
}
-#ifdef ENABLE_HTTP_PROXY
- else if (streq (p[0], "http-proxy") && p[1])
+ else if (streq (p[0], "http-proxy") && p[1] && !p[5])
{
struct http_proxy_options *ho;
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
{
- int port;
if (!p[2])
{
msg (msglevel, "http-proxy port number not defined");
goto err;
}
- port = atoi (p[2]);
- if (!legal_ipv4_port (port))
- {
- msg (msglevel, "Bad http-proxy port number: %s", p[2]);
- goto err;
- }
ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
ho->server = p[1];
- ho->port = port;
+ ho->port = p[2];
}
if (p[3])
@@ -5183,101 +5337,124 @@ add_option (struct options *options,
ho->auth_method_string = "none";
}
}
- else if (streq (p[0], "http-proxy-retry"))
+ else if (streq (p[0], "http-proxy-user-pass") && p[1])
{
struct http_proxy_options *ho;
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
+ VERIFY_PERMISSION (OPT_P_GENERAL);
ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
- ho->retry = true;
+ if (streq (p[1], INLINE_FILE_TAG) && p[2])
+ {
+ ho->auth_file = p[2];
+ ho->inline_creds = true;
+ }
+ else
+ ho->auth_file = p[1];
}
- else if (streq (p[0], "http-proxy-timeout") && p[1])
+ else if (streq (p[0], "http-proxy-retry") || streq (p[0], "socks-proxy-retry"))
{
- struct http_proxy_options *ho;
-
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
- ho->timeout = positive_atoi (p[1]);
+ msg (M_WARN, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
+ "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
+ "Use connect-retry-max 1 to get a similar behavior as before.");
}
- else if (streq (p[0], "http-proxy-option") && p[1])
+ else if (streq (p[0], "http-proxy-timeout") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
+ msg (M_WARN, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
+ "server is established is managed with a single timeout set by connect-timeout");
+ }
+ else if (streq (p[0], "http-proxy-option") && p[1] && !p[4])
{
struct http_proxy_options *ho;
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc);
- if (streq (p[1], "VERSION") && p[2])
+ if (streq (p[1], "VERSION") && p[2] && !p[3])
{
ho->http_version = p[2];
}
- else if (streq (p[1], "AGENT") && p[2])
+ else if (streq (p[1], "AGENT") && p[2] && !p[3])
{
ho->user_agent = p[2];
}
+ else if ((streq (p[1], "EXT1") || streq(p[1], "EXT2") || streq(p[1], "CUSTOM-HEADER"))
+ && p[2])
+ {
+ /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
+ * with either two argument or one */
+
+ struct http_custom_header *custom_header = NULL;
+ int i;
+ /* Find the first free header */
+ for (i=0; i < MAX_CUSTOM_HTTP_HEADER; i++) {
+ if (!ho->custom_headers[i].name) {
+ custom_header = &ho->custom_headers[i];
+ break;
+ }
+ }
+ if (!custom_header)
+ {
+ msg (msglevel, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER, p[1]);
+ }
+ else
+ {
+ /* We will save p[2] and p[3], the proxy code will detect if
+ * p[3] is NULL */
+ custom_header->name = p[2];
+ custom_header->content = p[3];
+ }
+ }
else
{
- msg (msglevel, "Bad http-proxy-option or missing parameter: '%s'", p[1]);
+ msg (msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
}
}
-#endif
-#ifdef ENABLE_SOCKS
- else if (streq (p[0], "socks-proxy") && p[1])
+ else if (streq (p[0], "socks-proxy") && p[1] && !p[4])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
if (p[2])
- {
- int port;
- port = atoi (p[2]);
- if (!legal_ipv4_port (port))
- {
- msg (msglevel, "Bad socks-proxy port number: %s", p[2]);
- goto err;
- }
- options->ce.socks_proxy_port = port;
+ {
+ options->ce.socks_proxy_port = p[2];
}
else
{
- options->ce.socks_proxy_port = 1080;
+ options->ce.socks_proxy_port = "1080";
}
options->ce.socks_proxy_server = p[1];
options->ce.socks_proxy_authfile = p[3]; /* might be NULL */
}
- else if (streq (p[0], "socks-proxy-retry"))
- {
- VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
- options->ce.socks_proxy_retry = true;
- }
-#endif
- else if (streq (p[0], "keepalive") && p[1] && p[2])
+ else if (streq (p[0], "keepalive") && p[1] && p[2] && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->keepalive_ping = atoi (p[1]);
options->keepalive_timeout = atoi (p[2]);
}
- else if (streq (p[0], "ping") && p[1])
+ else if (streq (p[0], "ping") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_TIMER);
options->ping_send_timeout = positive_atoi (p[1]);
}
- else if (streq (p[0], "ping-exit") && p[1])
+ else if (streq (p[0], "ping-exit") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_TIMER);
options->ping_rec_timeout = positive_atoi (p[1]);
options->ping_rec_timeout_action = PING_EXIT;
}
- else if (streq (p[0], "ping-restart") && p[1])
+ else if (streq (p[0], "ping-restart") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_TIMER);
options->ping_rec_timeout = positive_atoi (p[1]);
options->ping_rec_timeout_action = PING_RESTART;
}
- else if (streq (p[0], "ping-timer-rem"))
+ else if (streq (p[0], "ping-timer-rem") && !p[1])
{
VERIFY_PERMISSION (OPT_P_TIMER);
options->ping_timer_remote = true;
}
#ifdef ENABLE_OCC
- else if (streq (p[0], "explicit-exit-notify"))
+ else if (streq (p[0], "explicit-exit-notify") && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY);
if (p[1])
@@ -5290,35 +5467,33 @@ add_option (struct options *options,
}
}
#endif
- else if (streq (p[0], "persist-tun"))
+ else if (streq (p[0], "persist-tun") && !p[1])
{
VERIFY_PERMISSION (OPT_P_PERSIST);
options->persist_tun = true;
}
- else if (streq (p[0], "persist-key"))
+ else if (streq (p[0], "persist-key") && !p[1])
{
VERIFY_PERMISSION (OPT_P_PERSIST);
options->persist_key = true;
}
- else if (streq (p[0], "persist-local-ip"))
+ else if (streq (p[0], "persist-local-ip") && !p[1])
{
VERIFY_PERMISSION (OPT_P_PERSIST_IP);
options->persist_local_ip = true;
}
- else if (streq (p[0], "persist-remote-ip"))
+ else if (streq (p[0], "persist-remote-ip") && !p[1])
{
VERIFY_PERMISSION (OPT_P_PERSIST_IP);
options->persist_remote_ip = true;
}
-#ifdef ENABLE_CLIENT_NAT
- else if (streq (p[0], "client-nat") && p[1] && p[2] && p[3] && p[4])
+ else if (streq (p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
{
VERIFY_PERMISSION (OPT_P_ROUTE);
cnol_check_alloc (options);
add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel);
}
-#endif
- else if (streq (p[0], "route") && p[1])
+ else if (streq (p[0], "route") && p[1] && !p[5])
{
VERIFY_PERMISSION (OPT_P_ROUTE);
rol_check_alloc (options);
@@ -5342,7 +5517,7 @@ add_option (struct options *options,
}
add_route_to_option_list (options->routes, p[1], p[2], p[3], p[4]);
}
- else if (streq (p[0], "route-ipv6") && p[1])
+ else if (streq (p[0], "route-ipv6") && p[1] && !p[4])
{
VERIFY_PERMISSION (OPT_P_ROUTE);
rol6_check_alloc (options);
@@ -5362,25 +5537,14 @@ add_option (struct options *options,
}
add_route_ipv6_to_option_list (options->routes_ipv6, p[1], p[2], p[3]);
}
- else if (streq (p[0], "max-routes") && p[1])
+ else if (streq (p[0], "max-routes") && !p[2])
{
- int max_routes;
-
- VERIFY_PERMISSION (OPT_P_GENERAL);
- max_routes = atoi (p[1]);
- if (max_routes < 0 || max_routes > 100000000)
- {
- msg (msglevel, "--max-routes parameter is out of range");
- goto err;
- }
- if (options->routes || options->routes_ipv6)
- {
- msg (msglevel, "--max-routes must to be specifed before any route/route-ipv6/redirect-gateway option");
- goto err;
- }
- options->max_routes = max_routes;
+ msg (M_WARN, "DEPRECATED OPTION: --max-routes option ignored."
+ "The number of routes is unlimited as of version 2.4. "
+ "This option will be removed in a future version, "
+ "please remove it from your configuration.");
}
- else if (streq (p[0], "route-gateway") && p[1])
+ else if (streq (p[0], "route-gateway") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
if (streq (p[1], "dhcp"))
@@ -5400,12 +5564,12 @@ add_option (struct options *options,
}
}
}
- else if (streq (p[0], "route-metric") && p[1])
+ else if (streq (p[0], "route-metric") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_ROUTE);
options->route_default_metric = positive_atoi (p[1]);
}
- else if (streq (p[0], "route-delay"))
+ else if (streq (p[0], "route-delay") && !p[3])
{
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
options->route_delay_defined = true;
@@ -5439,17 +5603,37 @@ add_option (struct options *options,
p[1],
"route-pre-down", true);
}
- else if (streq (p[0], "route-noexec"))
+ else if (streq (p[0], "route-noexec") && !p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
options->route_noexec = true;
}
- else if (streq (p[0], "route-nopull"))
+ else if (streq (p[0], "route-nopull") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->route_nopull = true;
}
- else if (streq (p[0], "allow-pull-fqdn"))
+ else if (streq (p[0], "pull-filter") && p[1] && p[2] && !p[3])
+ {
+ struct pull_filter *f;
+ VERIFY_PERMISSION (OPT_P_GENERAL)
+ f = alloc_pull_filter (options, msglevel);
+
+ if (strcmp ("accept", p[1]) == 0)
+ f->type = PUF_TYPE_ACCEPT;
+ else if (strcmp ("ignore", p[1]) == 0)
+ f->type = PUF_TYPE_IGNORE;
+ else if (strcmp ("reject", p[1]) == 0)
+ f->type = PUF_TYPE_REJECT;
+ else
+ {
+ msg (msglevel, "Unknown --pull-filter type: %s", p[1]);
+ goto err;
+ }
+ f->pattern = p[2];
+ f->size = strlen(p[2]);
+ }
+ else if (streq (p[0], "allow-pull-fqdn") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->allow_pull_fqdn = true;
@@ -5475,6 +5659,13 @@ add_option (struct options *options,
options->routes->flags |= RG_BYPASS_DNS;
else if (streq (p[j], "block-local"))
options->routes->flags |= RG_BLOCK_LOCAL;
+ else if (streq (p[j], "ipv6"))
+ {
+ rol6_check_alloc (options);
+ options->routes_ipv6->flags |= RG_REROUTE_GW;
+ }
+ else if (streq (p[j], "!ipv4"))
+ options->routes->flags &= ~RG_REROUTE_GW;
else
{
msg (msglevel, "unknown --%s flag: %s", p[0], p[j]);
@@ -5483,15 +5674,15 @@ add_option (struct options *options,
}
options->routes->flags |= RG_ENABLE;
}
- else if (streq (p[0], "remote-random-hostname"))
+ else if (streq (p[0], "remote-random-hostname") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->sockflags |= SF_HOST_RANDOMIZE;
}
- else if (streq (p[0], "setenv") && p[1])
+ else if (streq (p[0], "setenv") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
- if (streq (p[1], "REMOTE_RANDOM_HOSTNAME"))
+ if (streq (p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2])
{
options->sockflags |= SF_HOST_RANDOMIZE;
}
@@ -5501,17 +5692,15 @@ add_option (struct options *options,
goto err;
}
#ifdef ENABLE_PUSH_PEER_INFO
- else if (streq (p[1], "PUSH_PEER_INFO"))
+ else if (streq (p[1], "PUSH_PEER_INFO") && !p[2])
{
options->push_peer_info = true;
}
#endif
-#if P2MP
else if (streq (p[1], "SERVER_POLL_TIMEOUT") && p[2])
{
- options->server_poll_timeout = positive_atoi(p[2]);
+ options->ce.connect_timeout = positive_atoi(p[2]);
}
-#endif
else
{
if (streq (p[1], "FORWARD_COMPATIBLE") && p[2] && streq (p[2], "1"))
@@ -5522,17 +5711,17 @@ add_option (struct options *options,
setenv_str (es, p[1], p[2] ? p[2] : "");
}
}
- else if (streq (p[0], "setenv-safe") && p[1])
+ else if (streq (p[0], "setenv-safe") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_SETENV);
setenv_str_safe (es, p[1], p[2] ? p[2] : "");
}
- else if (streq (p[0], "script-security") && p[1])
+ else if (streq (p[0], "script-security") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
script_security = atoi (p[1]);
}
- else if (streq (p[0], "mssfix"))
+ else if (streq (p[0], "mssfix") && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION);
if (p[1])
@@ -5544,7 +5733,7 @@ add_option (struct options *options,
}
#ifdef ENABLE_OCC
- else if (streq (p[0], "disable-occ"))
+ else if (streq (p[0], "disable-occ") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->occ = false;
@@ -5552,7 +5741,7 @@ add_option (struct options *options,
#endif
#if P2MP
#if P2MP_SERVER
- else if (streq (p[0], "server") && p[1] && p[2])
+ else if (streq (p[0], "server") && p[1] && p[2] && !p[4])
{
const int lev = M_WARN;
bool error = false;
@@ -5581,7 +5770,7 @@ add_option (struct options *options,
}
}
}
- else if (streq (p[0], "server-ipv6") && p[1] )
+ else if (streq (p[0], "server-ipv6") && p[1] && !p[3])
{
const int lev = M_WARN;
struct in6_addr network;
@@ -5608,7 +5797,7 @@ add_option (struct options *options,
goto err;
}
}
- else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4])
+ else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
{
const int lev = M_WARN;
bool error = false;
@@ -5630,7 +5819,7 @@ add_option (struct options *options,
options->server_bridge_pool_start = pool_start;
options->server_bridge_pool_end = pool_end;
}
- else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw"))
+ else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw") && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->server_bridge_proxy_dhcp = true;
@@ -5641,17 +5830,23 @@ add_option (struct options *options,
VERIFY_PERMISSION (OPT_P_GENERAL);
options->server_bridge_proxy_dhcp = true;
}
- else if (streq (p[0], "push") && p[1])
+ else if (streq (p[0], "push") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_PUSH);
push_options (options, &p[1], msglevel, &options->gc);
}
- else if (streq (p[0], "push-reset"))
+ else if (streq (p[0], "push-reset") && !p[1])
{
VERIFY_PERMISSION (OPT_P_INSTANCE);
push_reset (options);
}
- else if (streq (p[0], "ifconfig-pool") && p[1] && p[2])
+ else if (streq (p[0], "push-remove") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION (OPT_P_INSTANCE);
+ msg (D_PUSH, "PUSH_REMOVE '%s'", p[1]);
+ push_remove_option (options,p[1]);
+ }
+ else if (streq (p[0], "ifconfig-pool") && p[1] && p[2] && !p[4])
{
const int lev = M_WARN;
bool error = false;
@@ -5678,7 +5873,7 @@ add_option (struct options *options,
if (netmask)
options->ifconfig_pool_netmask = netmask;
}
- else if (streq (p[0], "ifconfig-pool-persist") && p[1])
+ else if (streq (p[0], "ifconfig-pool-persist") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ifconfig_pool_persist_filename = p[1];
@@ -5687,12 +5882,12 @@ add_option (struct options *options,
options->ifconfig_pool_persist_refresh_freq = positive_atoi (p[2]);
}
}
- else if (streq (p[0], "ifconfig-pool-linear"))
+ else if (streq (p[0], "ifconfig-pool-linear") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->topology = TOP_P2P;
}
- else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] )
+ else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] && !p[2])
{
const int lev = M_WARN;
struct in6_addr network;
@@ -5714,7 +5909,7 @@ add_option (struct options *options,
options->ifconfig_ipv6_pool_base = network;
options->ifconfig_ipv6_pool_netbits = netbits;
}
- else if (streq (p[0], "hash-size") && p[1] && p[2])
+ else if (streq (p[0], "hash-size") && p[1] && p[2] && !p[3])
{
int real, virtual;
@@ -5729,7 +5924,7 @@ add_option (struct options *options,
options->real_hash_size = real;
options->virtual_hash_size = real;
}
- else if (streq (p[0], "connect-freq") && p[1] && p[2])
+ else if (streq (p[0], "connect-freq") && p[1] && p[2] && !p[3])
{
int cf_max, cf_per;
@@ -5744,7 +5939,7 @@ add_option (struct options *options,
options->cf_max = cf_max;
options->cf_per = cf_per;
}
- else if (streq (p[0], "max-clients") && p[1])
+ else if (streq (p[0], "max-clients") && p[1] && !p[2])
{
int max_clients;
@@ -5755,29 +5950,55 @@ add_option (struct options *options,
msg (msglevel, "--max-clients must be at least 1");
goto err;
}
+ if (max_clients >= MAX_PEER_ID) /* max peer-id value */
+ {
+ msg (msglevel, "--max-clients must be less than %d", MAX_PEER_ID);
+ goto err;
+ }
options->max_clients = max_clients;
}
- else if (streq (p[0], "max-routes-per-client") && p[1])
+ else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_INHERIT);
options->max_routes_per_client = max_int (atoi (p[1]), 1);
}
- else if (streq (p[0], "client-cert-not-required"))
+ else if (streq (p[0], "client-cert-not-required") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
+ msg (M_WARN, "DEPRECATED OPTION: --client-cert-not-required, use --verify-client-cert instead");
+ }
+ else if (streq (p[0], "verify-client-cert") && !p[2])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+
+ /* Reset any existing flags */
+ options->ssl_flags &= ~SSLF_CLIENT_CERT_OPTIONAL;
+ options->ssl_flags &= ~SSLF_CLIENT_CERT_NOT_REQUIRED;
+ if (p[1])
+ {
+ if (streq (p[1], "none"))
+ options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED;
+ else if (streq (p[1], "optional"))
+ options->ssl_flags |= SSLF_CLIENT_CERT_OPTIONAL;
+ else if (!streq (p[1], "require"))
+ {
+ msg (msglevel, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
+ goto err;
+ }
+ }
}
- else if (streq (p[0], "username-as-common-name"))
+ else if (streq (p[0], "username-as-common-name") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME;
}
- else if (streq (p[0], "auth-user-pass-optional"))
+ else if (streq (p[0], "auth-user-pass-optional") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL;
}
- else if (streq (p[0], "opt-verify"))
+ else if (streq (p[0], "opt-verify") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ssl_flags |= SSLF_OPT_VERIFY;
@@ -5808,6 +6029,12 @@ add_option (struct options *options,
&options->auth_user_pass_verify_script,
p[1], "auth-user-pass-verify", true);
}
+ else if (streq (p[0], "auth-gen-token"))
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->auth_token_generate = true;
+ options->auth_token_lifetime = p[1] ? positive_atoi (p[1]) : 0;
+ }
else if (streq (p[0], "client-connect") && p[1])
{
VERIFY_PERMISSION (OPT_P_SCRIPT);
@@ -5832,22 +6059,22 @@ add_option (struct options *options,
set_user_script (options, &options->learn_address_script,
p[1], "learn-address", true);
}
- else if (streq (p[0], "tmp-dir") && p[1])
+ else if (streq (p[0], "tmp-dir") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->tmp_dir = p[1];
}
- else if (streq (p[0], "client-config-dir") && p[1])
+ else if (streq (p[0], "client-config-dir") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->client_config_dir = p[1];
}
- else if (streq (p[0], "ccd-exclusive"))
+ else if (streq (p[0], "ccd-exclusive") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ccd_exclusive = true;
}
- else if (streq (p[0], "bcast-buffers") && p[1])
+ else if (streq (p[0], "bcast-buffers") && p[1] && !p[2])
{
int n_bcast_buf;
@@ -5857,7 +6084,7 @@ add_option (struct options *options,
msg (msglevel, "--bcast-buffers parameter must be > 0");
options->n_bcast_buf = n_bcast_buf;
}
- else if (streq (p[0], "tcp-queue-limit") && p[1])
+ else if (streq (p[0], "tcp-queue-limit") && p[1] && !p[2])
{
int tcp_queue_limit;
@@ -5868,34 +6095,25 @@ add_option (struct options *options,
options->tcp_queue_limit = tcp_queue_limit;
}
#if PORT_SHARE
- else if (streq (p[0], "port-share") && p[1] && p[2])
+ else if (streq (p[0], "port-share") && p[1] && p[2] && !p[4])
{
- int port;
-
VERIFY_PERMISSION (OPT_P_GENERAL);
- port = atoi (p[2]);
- if (!legal_ipv4_port (port))
- {
- msg (msglevel, "port number associated with --port-share directive is out of range");
- goto err;
- }
-
options->port_share_host = p[1];
- options->port_share_port = port;
+ options->port_share_port = p[2];
options->port_share_journal_dir = p[3];
}
#endif
- else if (streq (p[0], "client-to-client"))
+ else if (streq (p[0], "client-to-client") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->enable_c2c = true;
}
- else if (streq (p[0], "duplicate-cn"))
+ else if (streq (p[0], "duplicate-cn") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->duplicate_cn = true;
}
- else if (streq (p[0], "iroute") && p[1])
+ else if (streq (p[0], "iroute") && p[1] && !p[3])
{
const char *netmask = NULL;
@@ -5906,12 +6124,12 @@ add_option (struct options *options,
}
option_iroute (options, p[1], netmask, msglevel);
}
- else if (streq (p[0], "iroute-ipv6") && p[1])
+ else if (streq (p[0], "iroute-ipv6") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_INSTANCE);
option_iroute_ipv6 (options, p[1], msglevel);
}
- else if (streq (p[0], "ifconfig-push") && p[1] && p[2])
+ else if (streq (p[0], "ifconfig-push") && p[1] && p[2] && !p[4])
{
in_addr_t local, remote_netmask;
@@ -5923,10 +6141,8 @@ add_option (struct options *options,
options->push_ifconfig_defined = true;
options->push_ifconfig_local = local;
options->push_ifconfig_remote_netmask = remote_netmask;
-#ifdef ENABLE_CLIENT_NAT
if (p[3])
options->push_ifconfig_local_alias = getaddr (GETADDR_HOST_ORDER|GETADDR_RESOLVE, p[3], 0, NULL, NULL);
-#endif
}
else
{
@@ -5934,7 +6150,7 @@ add_option (struct options *options,
goto err;
}
}
- else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2])
+ else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3])
{
in_addr_t network, netmask;
@@ -5953,7 +6169,7 @@ add_option (struct options *options,
goto err;
}
}
- else if (streq (p[0], "ifconfig-ipv6-push") && p[1] )
+ else if (streq (p[0], "ifconfig-ipv6-push") && p[1] && !p[3])
{
struct in6_addr local, remote;
unsigned int netbits;
@@ -5989,18 +6205,19 @@ add_option (struct options *options,
options->push_ifconfig_ipv6_local = local;
options->push_ifconfig_ipv6_netbits = netbits;
options->push_ifconfig_ipv6_remote = remote;
+ options->push_ifconfig_ipv6_blocked = false;
}
- else if (streq (p[0], "disable"))
+ else if (streq (p[0], "disable") && !p[1])
{
VERIFY_PERMISSION (OPT_P_INSTANCE);
options->disable = true;
}
- else if (streq (p[0], "tcp-nodelay"))
+ else if (streq (p[0], "tcp-nodelay") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->server_flags |= SF_TCP_NODELAY_HELPER;
}
- else if (streq (p[0], "stale-routes-check") && p[1])
+ else if (streq (p[0], "stale-routes-check") && p[1] && !p[3])
{
int ageing_time, check_interval;
@@ -6021,27 +6238,22 @@ add_option (struct options *options,
}
#endif /* P2MP_SERVER */
- else if (streq (p[0], "client"))
+ else if (streq (p[0], "client") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->client = true;
}
- else if (streq (p[0], "pull"))
+ else if (streq (p[0], "pull") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pull = true;
}
- else if (streq (p[0], "push-continuation") && p[1])
+ else if (streq (p[0], "push-continuation") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_PULL_MODE);
options->push_continuation = atoi(p[1]);
}
- else if (streq (p[0], "server-poll-timeout") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->server_poll_timeout = positive_atoi(p[1]);
- }
- else if (streq (p[0], "auth-user-pass"))
+ else if (streq (p[0], "auth-user-pass") && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (p[1])
@@ -6051,13 +6263,13 @@ add_option (struct options *options,
else
options->auth_user_pass_file = "stdin";
}
- else if (streq (p[0], "auth-retry") && p[1])
+ else if (streq (p[0], "auth-retry") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
auth_retry_set (msglevel, p[1]);
}
#ifdef ENABLE_CLIENT_CR
- else if (streq (p[0], "static-challenge") && p[1] && p[2])
+ else if (streq (p[0], "static-challenge") && p[1] && p[2] && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->sc_info.challenge_text = p[1];
@@ -6066,8 +6278,26 @@ add_option (struct options *options,
}
#endif
#endif
-#ifdef WIN32
- else if (streq (p[0], "win-sys") && p[1])
+ else if (streq (p[0], "msg-channel") && p[1])
+ {
+#ifdef _WIN32
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ HANDLE process = GetCurrentProcess ();
+ HANDLE handle = (HANDLE) atoi (p[1]);
+ if (!DuplicateHandle (process, handle, process, &options->msg_channel, 0,
+ FALSE, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
+ {
+ msg (msglevel, "could not duplicate service pipe handle");
+ goto err;
+ }
+ options->route_method = ROUTE_METHOD_SERVICE;
+#else
+ msg (msglevel, "--msg-channel is only supported on Windows");
+ goto err;
+#endif
+ }
+#ifdef _WIN32
+ else if (streq (p[0], "win-sys") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "env"))
@@ -6077,7 +6307,7 @@ add_option (struct options *options,
else
set_win_sys_path (p[1], es);
}
- else if (streq (p[0], "route-method") && p[1])
+ else if (streq (p[0], "route-method") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
if (streq (p[1], "adaptive"))
@@ -6092,7 +6322,7 @@ add_option (struct options *options,
goto err;
}
}
- else if (streq (p[0], "ip-win32") && p[1])
+ else if (streq (p[0], "ip-win32") && p[1] && !p[4])
{
const int index = ascii2ipset (p[1]);
struct tuntap_options *to = &options->tuntap_options;
@@ -6146,7 +6376,9 @@ add_option (struct options *options,
to->ip_win32_type = index;
to->ip_win32_defined = true;
}
- else if (streq (p[0], "dhcp-option") && p[1])
+#endif
+#if defined(_WIN32) || defined(TARGET_ANDROID)
+ else if (streq (p[0], "dhcp-option") && p[1] && !p[3])
{
struct tuntap_options *o = &options->tuntap_options;
VERIFY_PERMISSION (OPT_P_IPWIN32);
@@ -6186,36 +6418,38 @@ add_option (struct options *options,
{
dhcp_option_address_parse ("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel);
}
- else if (streq (p[1], "DISABLE-NBT"))
+ else if (streq (p[1], "DISABLE-NBT") && !p[2])
{
o->disable_nbt = 1;
}
else
{
- msg (msglevel, "--dhcp-option: unknown option type '%s' or missing parameter", p[1]);
+ msg (msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]);
goto err;
}
o->dhcp_options = true;
}
- else if (streq (p[0], "show-adapters"))
+#endif
+#ifdef _WIN32
+ else if (streq (p[0], "show-adapters") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
show_tap_win_adapters (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX);
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "show-net"))
+ else if (streq (p[0], "show-net") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
show_routes (M_INFO|M_NOPREFIX);
show_adapters (M_INFO|M_NOPREFIX);
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "show-net-up"))
+ else if (streq (p[0], "show-net-up") && !p[1])
{
VERIFY_PERMISSION (OPT_P_UP);
options->show_net_up = true;
}
- else if (streq (p[0], "tap-sleep") && p[1])
+ else if (streq (p[0], "tap-sleep") && p[1] && !p[2])
{
int s;
VERIFY_PERMISSION (OPT_P_IPWIN32);
@@ -6227,22 +6461,22 @@ add_option (struct options *options,
}
options->tuntap_options.tap_sleep = s;
}
- else if (streq (p[0], "dhcp-renew"))
+ else if (streq (p[0], "dhcp-renew") && !p[1])
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
options->tuntap_options.dhcp_renew = true;
}
- else if (streq (p[0], "dhcp-pre-release"))
+ else if (streq (p[0], "dhcp-pre-release") && !p[1])
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
options->tuntap_options.dhcp_pre_release = true;
}
- else if (streq (p[0], "dhcp-release"))
+ else if (streq (p[0], "dhcp-release") && !p[1])
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
options->tuntap_options.dhcp_release = true;
}
- else if (streq (p[0], "dhcp-internal") && p[1]) /* standalone method for internal use */
+ else if (streq (p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
{
unsigned int adapter_index;
VERIFY_PERMISSION (OPT_P_GENERAL);
@@ -6255,28 +6489,17 @@ add_option (struct options *options,
dhcp_renew_by_adapter_index (adapter_index);
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "register-dns"))
+ else if (streq (p[0], "register-dns") && !p[1])
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
options->tuntap_options.register_dns = true;
}
-#ifdef WIN32
else if (streq (p[0], "block-outside-dns") && !p[1])
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
- if (win_wfp_init_funcs())
- {
- options->block_outside_dns = true;
- }
- else
- {
- msg (msglevel_fc, "Failed to enable --block-outside-dns. "
- "Maybe WFP is not supported on your system?");
- goto err;
- }
+ options->block_outside_dns = true;
}
-#endif
- else if (streq (p[0], "rdns-internal"))
+ else if (streq (p[0], "rdns-internal") && !p[1])
/* standalone method for internal use
*
* (if --register-dns is set, openvpn needs to call itself in a
@@ -6290,18 +6513,18 @@ add_option (struct options *options,
ipconfig_register_dns (NULL);
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "show-valid-subnets"))
+ else if (streq (p[0], "show-valid-subnets") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
show_valid_win32_tun_subnets ();
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "pause-exit"))
+ else if (streq (p[0], "pause-exit") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
set_pause_exit_win32 ();
}
- else if (streq (p[0], "service") && p[1])
+ else if (streq (p[0], "service") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->exit_event_name = p[1];
@@ -6310,62 +6533,75 @@ add_option (struct options *options,
options->exit_event_initial_state = (atoi(p[2]) != 0);
}
}
- else if (streq (p[0], "allow-nonadmin"))
+ else if (streq (p[0], "allow-nonadmin") && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
tap_allow_nonadmin_access (p[1]);
openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */
}
- else if (streq (p[0], "user") && p[1])
+ else if (streq (p[0], "user") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
msg (M_WARN, "NOTE: --user option is not implemented on Windows");
}
- else if (streq (p[0], "group") && p[1])
+ else if (streq (p[0], "group") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
msg (M_WARN, "NOTE: --group option is not implemented on Windows");
}
#else
- else if (streq (p[0], "user") && p[1])
+ else if (streq (p[0], "user") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->username = p[1];
}
- else if (streq (p[0], "group") && p[1])
+ else if (streq (p[0], "group") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->groupname = p[1];
}
- else if (streq (p[0], "dhcp-option") && p[1])
+ else if (streq (p[0], "dhcp-option") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_IPWIN32);
foreign_option (options, p, 3, es);
}
- else if (streq (p[0], "route-method") && p[1]) /* ignore when pushed to non-Windows OS */
+ else if (streq (p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */
{
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
}
#endif
#if PASSTOS_CAPABILITY
- else if (streq (p[0], "passtos"))
+ else if (streq (p[0], "passtos") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->passtos = true;
}
#endif
-#ifdef ENABLE_LZO
- else if (streq (p[0], "comp-lzo"))
+#if defined(USE_COMP)
+ else if (streq (p[0], "comp-lzo") && !p[2])
{
VERIFY_PERMISSION (OPT_P_COMP);
- if (p[1])
+
+#if defined(ENABLE_LZO)
+ if (p[1] && streq (p[1], "no"))
+#endif
+ {
+ options->comp.alg = COMP_ALG_STUB;
+ options->comp.flags = 0;
+ }
+#if defined(ENABLE_LZO)
+ else if (p[1])
{
if (streq (p[1], "yes"))
- options->lzo = LZO_SELECTED|LZO_ON;
- else if (streq (p[1], "no"))
- options->lzo = LZO_SELECTED;
+ {
+ options->comp.alg = COMP_ALG_LZO;
+ options->comp.flags = 0;
+ }
else if (streq (p[1], "adaptive"))
- options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE;
+ {
+ options->comp.alg = COMP_ALG_LZO;
+ options->comp.flags = COMP_F_ADAPTIVE;
+ }
else
{
msg (msglevel, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p[1]);
@@ -6373,31 +6609,81 @@ add_option (struct options *options,
}
}
else
- options->lzo = LZO_SELECTED|LZO_ON|LZO_ADAPTIVE;
+ {
+ options->comp.alg = COMP_ALG_LZO;
+ options->comp.flags = COMP_F_ADAPTIVE;
+ }
+#endif
+ }
+ else if (streq (p[0], "comp-noadapt") && !p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_COMP);
+ options->comp.flags &= ~COMP_F_ADAPTIVE;
}
- else if (streq (p[0], "comp-noadapt"))
+ else if (streq (p[0], "compress") && !p[2])
{
VERIFY_PERMISSION (OPT_P_COMP);
- options->lzo &= ~LZO_ADAPTIVE;
+ if (p[1])
+ {
+ if (streq (p[1], "stub"))
+ {
+ options->comp.alg = COMP_ALG_STUB;
+ options->comp.flags = (COMP_F_SWAP|COMP_F_ADVERTISE_STUBS_ONLY);
+ }
+ else if (streq(p[1], "stub-v2"))
+ {
+ options->comp.alg = COMP_ALGV2_UNCOMPRESSED;
+ options->comp.flags = COMP_F_ADVERTISE_STUBS_ONLY;
+ }
+#if defined(ENABLE_LZO)
+ else if (streq (p[1], "lzo"))
+ {
+ options->comp.alg = COMP_ALG_LZO;
+ options->comp.flags = 0;
+ }
+#endif
+#if defined(ENABLE_LZ4)
+ else if (streq (p[1], "lz4"))
+ {
+ options->comp.alg = COMP_ALG_LZ4;
+ options->comp.flags = COMP_F_SWAP;
+ }
+ else if (streq (p[1], "lz4-v2"))
+ {
+ options->comp.alg = COMP_ALGV2_LZ4;
+ options->comp.flags = 0;
+ }
+#endif
+ else
+ {
+ msg (msglevel, "bad comp option: %s", p[1]);
+ goto err;
+ }
+ }
+ else
+ {
+ options->comp.alg = COMP_ALG_STUB;
+ options->comp.flags = COMP_F_SWAP;
+ }
}
-#endif /* ENABLE_LZO */
+#endif /* USE_COMP */
#ifdef ENABLE_CRYPTO
- else if (streq (p[0], "show-ciphers"))
+ else if (streq (p[0], "show-ciphers") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->show_ciphers = true;
}
- else if (streq (p[0], "show-digests"))
+ else if (streq (p[0], "show-digests") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->show_digests = true;
}
- else if (streq (p[0], "show-engines"))
+ else if (streq (p[0], "show-engines") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->show_engines = true;
}
- else if (streq (p[0], "key-direction") && p[1])
+ else if (streq (p[0], "key-direction") && p[1] && !p[2])
{
int key_direction;
@@ -6407,7 +6693,7 @@ add_option (struct options *options,
else
goto err;
}
- else if (streq (p[0], "secret") && p[1])
+ else if (streq (p[0], "secret") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], INLINE_FILE_TAG) && p[2])
@@ -6427,46 +6713,34 @@ add_option (struct options *options,
}
options->shared_secret_file = p[1];
}
- else if (streq (p[0], "genkey"))
+ else if (streq (p[0], "genkey") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->genkey = true;
}
- else if (streq (p[0], "auth") && p[1])
+ else if (streq (p[0], "auth") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_CRYPTO);
- options->authname_defined = true;
+ VERIFY_PERMISSION (OPT_P_GENERAL);
options->authname = p[1];
- if (streq (options->authname, "none"))
- {
- options->authname_defined = false;
- options->authname = NULL;
- }
}
- else if (streq (p[0], "auth"))
+ else if (streq (p[0], "cipher") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_CRYPTO);
- options->authname_defined = true;
+ VERIFY_PERMISSION (OPT_P_NCP);
+ options->ciphername = p[1];
}
- else if (streq (p[0], "cipher") && p[1])
+ else if (streq (p[0], "ncp-ciphers") && p[1] && !p[2])
{
- VERIFY_PERMISSION (OPT_P_CRYPTO);
- options->ciphername_defined = true;
- options->ciphername = p[1];
- if (streq (options->ciphername, "none"))
- {
- options->ciphername_defined = false;
- options->ciphername = NULL;
- }
+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE);
+ options->ncp_ciphers = p[1];
}
- else if (streq (p[0], "cipher"))
+ else if (streq (p[0], "ncp-disable") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_CRYPTO);
- options->ciphername_defined = true;
+ VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE);
+ options->ncp_enabled = false;
}
- else if (streq (p[0], "prng") && p[1])
+ else if (streq (p[0], "prng") && p[1] && !p[3])
{
- VERIFY_PERMISSION (OPT_P_CRYPTO);
+ VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "none"))
options->prng_hash = NULL;
else
@@ -6486,14 +6760,14 @@ add_option (struct options *options,
}
}
}
- else if (streq (p[0], "no-replay"))
+ else if (streq (p[0], "no-replay") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_CRYPTO);
+ VERIFY_PERMISSION (OPT_P_GENERAL);
options->replay = false;
}
- else if (streq (p[0], "replay-window"))
+ else if (streq (p[0], "replay-window") && !p[3])
{
- VERIFY_PERMISSION (OPT_P_CRYPTO);
+ VERIFY_PERMISSION (OPT_P_GENERAL);
if (p[1])
{
int replay_window;
@@ -6531,28 +6805,28 @@ add_option (struct options *options,
goto err;
}
}
- else if (streq (p[0], "mute-replay-warnings"))
+ else if (streq (p[0], "mute-replay-warnings") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_CRYPTO);
+ VERIFY_PERMISSION (OPT_P_GENERAL);
options->mute_replay_warnings = true;
}
- else if (streq (p[0], "no-iv"))
+ else if (streq (p[0], "no-iv") && !p[1])
{
- VERIFY_PERMISSION (OPT_P_CRYPTO);
+ VERIFY_PERMISSION (OPT_P_GENERAL);
options->use_iv = false;
}
- else if (streq (p[0], "replay-persist") && p[1])
+ else if (streq (p[0], "replay-persist") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->packet_id_file = p[1];
}
- else if (streq (p[0], "test-crypto"))
+ else if (streq (p[0], "test-crypto") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->test_crypto = true;
}
-#ifndef ENABLE_CRYPTO_POLARSSL
- else if (streq (p[0], "engine"))
+#ifndef ENABLE_CRYPTO_MBEDTLS
+ else if (streq (p[0], "engine") && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (p[1])
@@ -6562,13 +6836,13 @@ add_option (struct options *options,
else
options->engine = "auto";
}
-#endif /* ENABLE_CRYPTO_POLARSSL */
+#endif /* ENABLE_CRYPTO_MBEDTLS */
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
- else if (streq (p[0], "keysize") && p[1])
+ else if (streq (p[0], "keysize") && p[1] && !p[2])
{
int keysize;
- VERIFY_PERMISSION (OPT_P_CRYPTO);
+ VERIFY_PERMISSION (OPT_P_NCP);
keysize = atoi (p[1]) / 8;
if (keysize < 0 || keysize > MAX_CIPHER_KEY_LENGTH)
{
@@ -6579,29 +6853,38 @@ add_option (struct options *options,
}
#endif
#ifdef ENABLE_PREDICTION_RESISTANCE
- else if (streq (p[0], "use-prediction-resistance"))
+ else if (streq (p[0], "use-prediction-resistance") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->use_prediction_resistance = true;
}
#endif
-#ifdef ENABLE_SSL
- else if (streq (p[0], "show-tls"))
+ else if (streq (p[0], "show-tls") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->show_tls_ciphers = true;
}
- else if (streq (p[0], "tls-server"))
+ else if (streq (p[0], "show-curves") && !p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->show_curves = true;
+ }
+ else if (streq (p[0], "ecdh-curve") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->ecdh_curve= p[1];
+ }
+ else if (streq (p[0], "tls-server") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->tls_server = true;
}
- else if (streq (p[0], "tls-client"))
+ else if (streq (p[0], "tls-client") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->tls_client = true;
}
- else if (streq (p[0], "ca") && p[1])
+ else if (streq (p[0], "ca") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ca_file = p[1];
@@ -6610,14 +6893,14 @@ add_option (struct options *options,
options->ca_file_inline = p[2];
}
}
-#ifndef ENABLE_CRYPTO_POLARSSL
- else if (streq (p[0], "capath") && p[1])
+#ifndef ENABLE_CRYPTO_MBEDTLS
+ else if (streq (p[0], "capath") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ca_path = p[1];
}
-#endif /* ENABLE_CRYPTO_POLARSSL */
- else if (streq (p[0], "dh") && p[1])
+#endif /* ENABLE_CRYPTO_MBEDTLS */
+ else if (streq (p[0], "dh") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->dh_file = p[1];
@@ -6626,7 +6909,7 @@ add_option (struct options *options,
options->dh_file_inline = p[2];
}
}
- else if (streq (p[0], "cert") && p[1])
+ else if (streq (p[0], "cert") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->cert_file = p[1];
@@ -6635,7 +6918,7 @@ add_option (struct options *options,
options->cert_file_inline = p[2];
}
}
- else if (streq (p[0], "extra-certs") && p[1])
+ else if (streq (p[0], "extra-certs") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->extra_certs_file = p[1];
@@ -6644,19 +6927,19 @@ add_option (struct options *options,
options->extra_certs_file_inline = p[2];
}
}
- else if (streq (p[0], "verify-hash") && p[1])
+ else if (streq (p[0], "verify-hash") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
}
#ifdef ENABLE_CRYPTOAPI
- else if (streq (p[0], "cryptoapicert") && p[1])
+ else if (streq (p[0], "cryptoapicert") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->cryptoapi_cert = p[1];
}
#endif
- else if (streq (p[0], "key") && p[1])
+ else if (streq (p[0], "key") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->priv_key_file = p[1];
@@ -6665,7 +6948,7 @@ add_option (struct options *options,
options->priv_key_file_inline = p[2];
}
}
- else if (streq (p[0], "tls-version-min") && p[1])
+ else if (streq (p[0], "tls-version-min") && p[1] && !p[3])
{
int ver;
VERIFY_PERMISSION (OPT_P_GENERAL);
@@ -6679,7 +6962,7 @@ add_option (struct options *options,
~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT);
options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT);
}
- else if (streq (p[0], "tls-version-max") && p[1])
+ else if (streq (p[0], "tls-version-max") && p[1] && !p[2])
{
int ver;
VERIFY_PERMISSION (OPT_P_GENERAL);
@@ -6693,8 +6976,8 @@ add_option (struct options *options,
~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT);
options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT);
}
-#ifndef ENABLE_CRYPTO_POLARSSL
- else if (streq (p[0], "pkcs12") && p[1])
+#ifndef ENABLE_CRYPTO_MBEDTLS
+ else if (streq (p[0], "pkcs12") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pkcs12_file = p[1];
@@ -6703,8 +6986,8 @@ add_option (struct options *options,
options->pkcs12_file_inline = p[2];
}
}
-#endif /* ENABLE_CRYPTO_POLARSSL */
- else if (streq (p[0], "askpass"))
+#endif /* ENABLE_CRYPTO_MBEDTLS */
+ else if (streq (p[0], "askpass") && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (p[1])
@@ -6714,12 +6997,12 @@ add_option (struct options *options,
else
options->key_pass_file = "stdin";
}
- else if (streq (p[0], "auth-nocache"))
+ else if (streq (p[0], "auth-nocache") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
ssl_set_auth_nocache ();
}
- else if (streq (p[0], "auth-token") && p[1])
+ else if (streq (p[0], "auth-token") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_ECHO);
ssl_set_auth_token(p[1]);
@@ -6728,34 +7011,39 @@ add_option (struct options *options,
management_auth_token (management, p[1]);
#endif
}
- else if (streq (p[0], "single-session"))
+ else if (streq (p[0], "single-session") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->single_session = true;
}
#ifdef ENABLE_PUSH_PEER_INFO
- else if (streq (p[0], "push-peer-info"))
+ else if (streq (p[0], "push-peer-info") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->push_peer_info = true;
}
#endif
- else if (streq (p[0], "tls-exit"))
+ else if (streq (p[0], "tls-exit") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->tls_exit = true;
}
- else if (streq (p[0], "tls-cipher") && p[1])
+ else if (streq (p[0], "tls-cipher") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->cipher_list = p[1];
}
- else if (streq (p[0], "crl-verify") && p[1])
+ else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
+ || (p[2] && streq (p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (p[2] && streq(p[2], "dir"))
options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
options->crl_file = p[1];
+ if (streq (p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->crl_file_inline = p[2];
+ }
}
else if (streq (p[0], "tls-verify") && p[1])
{
@@ -6766,85 +7054,48 @@ add_option (struct options *options,
string_substitute (p[1], ',', ' ', &options->gc),
"tls-verify", true);
}
-#ifndef ENABLE_CRYPTO_POLARSSL
- else if (streq (p[0], "tls-export-cert") && p[1])
+#ifndef ENABLE_CRYPTO_MBEDTLS
+ else if (streq (p[0], "tls-export-cert") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->tls_export_cert = p[1];
}
#endif
- else if (streq (p[0], "compat-names"))
+#if P2MP_SERVER
+ else if (streq (p[0], "compat-names") && ((p[1] && streq (p[1], "no-remapping")) || !p[1]) && !p[2])
+#else
+ else if (streq (p[0], "compat-names") && !p[1])
+#endif
{
VERIFY_PERMISSION (OPT_P_GENERAL);
- if (options->verify_x509_type != VERIFY_X509_NONE &&
- options->verify_x509_type != TLS_REMOTE_SUBJECT_DN &&
- options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
+ if (options->verify_x509_type != VERIFY_X509_NONE)
{
msg (msglevel, "you cannot use --compat-names with --verify-x509-name");
goto err;
}
- msg (M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration");
+ msg (M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN v2.5.");
compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
#if P2MP_SERVER
if (p[1] && streq (p[1], "no-remapping"))
compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
}
- else if (streq (p[0], "no-name-remapping"))
+ else if (streq (p[0], "no-name-remapping") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
- if (options->verify_x509_type != VERIFY_X509_NONE &&
- options->verify_x509_type != TLS_REMOTE_SUBJECT_DN &&
- options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
+ if (options->verify_x509_type != VERIFY_X509_NONE)
{
msg (msglevel, "you cannot use --no-name-remapping with --verify-x509-name");
goto err;
}
- msg (M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration");
+ msg (M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN v2.5.");
compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);
#endif
}
- else if (streq (p[0], "tls-remote") && p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
-
- if (options->verify_x509_type != VERIFY_X509_NONE &&
- options->verify_x509_type != TLS_REMOTE_SUBJECT_DN &&
- options->verify_x509_type != TLS_REMOTE_SUBJECT_RDN_PREFIX)
- {
- msg (msglevel, "you cannot use --tls-remote with --verify-x509-name");
- goto err;
- }
- msg (M_WARN, "DEPRECATED OPTION: --tls-remote, please update your configuration");
-
- if (strlen (p[1]))
- {
- int is_username = (!strchr (p[1], '=') || !strstr (p[1], ", "));
- int type = TLS_REMOTE_SUBJECT_DN;
- if (p[1][0] != '/' && is_username)
- type = TLS_REMOTE_SUBJECT_RDN_PREFIX;
-
- /*
- * Enable legacy openvpn format for DNs that have not been converted
- * yet and --x509-username-field (not containing an '=' or ', ')
- */
- if (p[1][0] == '/' || is_username)
- compat_flag (COMPAT_FLAG_SET | COMPAT_NAMES);
-
- options->verify_x509_type = type;
- options->verify_x509_name = p[1];
- }
- }
- else if (streq (p[0], "verify-x509-name") && p[1] && strlen (p[1]))
+ else if (streq (p[0], "verify-x509-name") && p[1] && strlen (p[1]) && !p[3])
{
int type = VERIFY_X509_SUBJECT_DN;
VERIFY_PERMISSION (OPT_P_GENERAL);
- if (options->verify_x509_type == TLS_REMOTE_SUBJECT_DN ||
- options->verify_x509_type == TLS_REMOTE_SUBJECT_RDN_PREFIX)
- {
- msg (msglevel, "you cannot use --verify-x509-name with --tls-remote");
- goto err;
- }
if (compat_flag (COMPAT_FLAG_QUERY | COMPAT_NAMES))
{
msg (msglevel, "you cannot use --verify-x509-name with "
@@ -6868,7 +7119,7 @@ add_option (struct options *options,
options->verify_x509_type = type;
options->verify_x509_name = p[1];
}
- else if (streq (p[0], "ns-cert-type") && p[1])
+ else if (streq (p[0], "ns-cert-type") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], "server"))
@@ -6881,7 +7132,6 @@ add_option (struct options *options,
goto err;
}
}
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
else if (streq (p[0], "remote-cert-ku"))
{
int j;
@@ -6891,12 +7141,12 @@ add_option (struct options *options,
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
sscanf (p[j], "%x", &(options->remote_cert_ku[j-1]));
}
- else if (streq (p[0], "remote-cert-eku") && p[1])
+ else if (streq (p[0], "remote-cert-eku") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->remote_cert_eku = p[1];
}
- else if (streq (p[0], "remote-cert-tls") && p[1])
+ else if (streq (p[0], "remote-cert-tls") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
@@ -6919,38 +7169,37 @@ add_option (struct options *options,
goto err;
}
}
-#endif /* OPENSSL_VERSION_NUMBER */
- else if (streq (p[0], "tls-timeout") && p[1])
+ else if (streq (p[0], "tls-timeout") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->tls_timeout = positive_atoi (p[1]);
}
- else if (streq (p[0], "reneg-bytes") && p[1])
+ else if (streq (p[0], "reneg-bytes") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->renegotiate_bytes = positive_atoi (p[1]);
}
- else if (streq (p[0], "reneg-pkts") && p[1])
+ else if (streq (p[0], "reneg-pkts") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->renegotiate_packets = positive_atoi (p[1]);
}
- else if (streq (p[0], "reneg-sec") && p[1])
+ else if (streq (p[0], "reneg-sec") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->renegotiate_seconds = positive_atoi (p[1]);
}
- else if (streq (p[0], "hand-window") && p[1])
+ else if (streq (p[0], "hand-window") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->handshake_window = positive_atoi (p[1]);
}
- else if (streq (p[0], "tran-window") && p[1])
+ else if (streq (p[0], "tran-window") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_TLS_PARMS);
options->transition_window = positive_atoi (p[1]);
}
- else if (streq (p[0], "tls-auth") && p[1])
+ else if (streq (p[0], "tls-auth") && p[1] && !p[3])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
if (streq (p[1], INLINE_FILE_TAG) && p[2])
@@ -6970,7 +7219,16 @@ add_option (struct options *options,
}
options->tls_auth_file = p[1];
}
- else if (streq (p[0], "key-method") && p[1])
+ else if (streq (p[0], "tls-crypt") && p[1] && !p[3])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ if (streq (p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->tls_crypt_inline = p[2];
+ }
+ options->tls_crypt_file = p[1];
+ }
+ else if (streq (p[0], "key-method") && p[1] && !p[2])
{
int key_method;
@@ -6986,8 +7244,13 @@ add_option (struct options *options,
}
options->key_method = key_method;
}
+ else if (streq (p[0], "x509-track") && p[1] && !p[2])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ x509_track_add (&options->x509_track, p[1], msglevel, &options->gc);
+ }
#ifdef ENABLE_X509ALTUSERNAME
- else if (streq (p[0], "x509-username-field") && p[1])
+ else if (streq (p[0], "x509-username-field") && p[1] && !p[2])
{
/* This option used to automatically upcase the fieldname passed as the
* option argument, e.g., "ou" became "OU". Now, this "helpfulness" is
@@ -7014,10 +7277,9 @@ add_option (struct options *options,
options->x509_username_field = p[1];
}
#endif /* ENABLE_X509ALTUSERNAME */
-#endif /* ENABLE_SSL */
#endif /* ENABLE_CRYPTO */
#ifdef ENABLE_PKCS11
- else if (streq (p[0], "show-pkcs11-ids"))
+ else if (streq (p[0], "show-pkcs11-ids") && !p[3])
{
char *provider = p[1];
bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 ));
@@ -7087,40 +7349,68 @@ add_option (struct options *options,
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
options->pkcs11_cert_private[j-1] = atoi (p[j]) != 0 ? 1 : 0;
}
- else if (streq (p[0], "pkcs11-pin-cache") && p[1])
+ else if (streq (p[0], "pkcs11-pin-cache") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pkcs11_pin_cache_period = atoi (p[1]);
}
- else if (streq (p[0], "pkcs11-id") && p[1])
+ else if (streq (p[0], "pkcs11-id") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pkcs11_id = p[1];
}
- else if (streq (p[0], "pkcs11-id-management"))
+ else if (streq (p[0], "pkcs11-id-management") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pkcs11_id_management = true;
}
#endif
- else if (streq (p[0], "rmtun"))
+ else if (streq (p[0], "rmtun") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->persist_config = true;
options->persist_mode = 0;
}
- else if (streq (p[0], "mktun"))
+ else if (streq (p[0], "mktun") && !p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->persist_config = true;
options->persist_mode = 1;
}
- else if (streq (p[0], "peer-id") && p[1])
+ else if (streq (p[0], "peer-id") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_PEER_ID);
options->use_peer_id = true;
options->peer_id = atoi(p[1]);
}
+#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
+ else if (streq (p[0], "keying-material-exporter") && p[1] && p[2])
+ {
+ int ekm_length = positive_atoi (p[2]);
+
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+
+ if (strncmp(p[1], "EXPORTER", 8))
+ {
+ msg (msglevel, "Keying material exporter label must begin with "
+ "\"EXPORTER\"");
+ goto err;
+ }
+ if (ekm_length < 16 || ekm_length > 4095)
+ {
+ msg (msglevel, "Invalid keying material exporter length");
+ goto err;
+ }
+
+ options->keying_material_exporter_label = p[1];
+ options->keying_material_exporter_length = ekm_length;
+ }
+#endif
+ else if (streq (p[0], "allow-recursive-routing") && !p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->allow_recursive_routing = true;
+ }
else
{
int i;
@@ -7136,9 +7426,9 @@ add_option (struct options *options,
}
}
if (file)
- msg (msglevel, "Unrecognized option or missing parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
+ msg (msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION);
else
- msg (msglevel, "Unrecognized option or missing parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
+ msg (msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION);
}
err:
gc_free (&gc);