Diffstat (limited to 'src/openvpn/options.c')
-rw-r--r--src/openvpn/options.c143
1 files changed, 46 insertions, 97 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index fef5e90..2f1b298 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -17,9 +17,10 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/*
@@ -197,7 +198,7 @@ static const char usage_message[] =
" is established. Multiple routes can be specified.\n"
" netmask default: 255.255.255.255\n"
" gateway default: taken from --route-gateway or --ifconfig\n"
- " Specify default by leaving blank or setting to \"nil\".\n"
+ " Specify default by leaving blank or setting to \"default\".\n"
"--route-ipv6 network/bits [gateway] [metric] :\n"
" Add IPv6 route to routing table after connection\n"
" is established. Multiple routes can be specified.\n"
@@ -591,8 +592,7 @@ static const char usage_message[] =
"--x509-username-field : Field in x509 certificate containing the username.\n"
" Default is CN in the Subject field.\n"
#endif
- "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
- " Valid algo flags are SHA1 and SHA256. \n"
+ "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n"
#ifdef _WIN32
"--cryptoapicert select-string : Load the certificate and private key from the\n"
" Windows Certificate System Store.\n"
@@ -636,8 +636,8 @@ static const char usage_message[] =
"--verify-x509-name name: Accept connections only from a host with X509 subject\n"
" DN name. The remote host must also pass all other tests\n"
" of verification.\n"
- "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
- " an explicit nsCertType designation t = 'client' | 'server'.\n"
+ "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
+ " nsCertType designation t = 'client' | 'server'.\n"
"--x509-track x : Save peer X509 attribute x in environment for use by\n"
" plugins and management interface.\n"
#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x10001000
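Review bot: The `(DEPRECATED)` marker disappears from the `--ns-cert-type` usage text, yet nothing in this diff changes how the option itself is handled, so the text now promises more than the code visibly does. nsCertType is a Netscape-era extension that most CAs no longer set, and if the verification path still treats it as a legacy check (not visible here) the usage text should keep steering users toward `--remote-cert-tls`, for example by keeping `(DEPRECATED)` in the first line or appending `Prefer --remote-cert-tls.` to the second.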
@@ -716,6 +716,7 @@ static const char usage_message[] =
"--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
"--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
" startup.\n"
+ "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n"
"--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
" on connection initiation.\n"
"--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
@@ -998,9 +999,7 @@ setenv_settings(struct env_set *es, const struct options *o)
{
int i;
for (i = 0; i < o->connection_list->len; ++i)
- {
setenv_connection_entry(es, o->connection_list->array[i], i+1);
- }
}
else
{
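Review bot: The loop body `setenv_connection_entry(es, o->connection_list->array[i], i+1);` loses its braces, leaving an unbraced single statement under `for`, while the surrounding code (the `else {` right below) braces every control body; the new line departs from the file's style and reintroduces the dangling-statement hazard that always-bracing avoids. The same brace removal appears in the show_settings, options_postprocess_verify, options_postprocess_mutate, options_warning_safe_scan1, ignore-unknown-option and pkcs11-* hunks, and the custom-header hunk goes the other way by moving `{` onto the `for` line, which matches neither the old form nor the rest of the file. I would keep `{` and `}` on their own lines around each body, as the removed lines had them. setenv_settings begins and ends outside this hunk.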
@@ -1215,6 +1214,7 @@ show_tuntap_options(const struct tuntap_options *o)
SHOW_BOOL(dhcp_options);
SHOW_BOOL(dhcp_renew);
SHOW_BOOL(dhcp_pre_release);
+ SHOW_BOOL(dhcp_release);
SHOW_STR(domain);
SHOW_STR(netbios_scope);
SHOW_INT(netbios_node_type);
@@ -1761,9 +1761,7 @@ show_settings(const struct options *o)
{
int i;
for (i = 0; i<MAX_PARMS; i++)
- {
SHOW_INT(remote_cert_ku[i]);
- }
}
SHOW_STR(remote_cert_eku);
SHOW_INT(ssl_flags);
@@ -1791,30 +1789,22 @@ show_settings(const struct options *o)
{
int i;
for (i = 0; i<MAX_PARMS && o->pkcs11_providers[i] != NULL; i++)
- {
SHOW_PARM(pkcs11_providers, o->pkcs11_providers[i], "%s");
- }
}
{
int i;
for (i = 0; i<MAX_PARMS; i++)
- {
SHOW_PARM(pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s");
- }
}
{
int i;
for (i = 0; i<MAX_PARMS; i++)
- {
SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x");
- }
}
{
int i;
for (i = 0; i<MAX_PARMS; i++)
- {
SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s");
- }
}
SHOW_INT(pkcs11_pin_cache_period);
SHOW_STR(pkcs11_id);
@@ -2949,9 +2939,7 @@ options_postprocess_verify(const struct options *o)
{
int i;
for (i = 0; i < o->connection_list->len; ++i)
- {
options_postprocess_verify_ce(o, o->connection_list->array[i]);
- }
}
else
{
@@ -3002,9 +2990,7 @@ options_postprocess_mutate(struct options *o)
ASSERT(o->connection_list);
for (i = 0; i < o->connection_list->len; ++i)
- {
options_postprocess_mutate_ce(o, o->connection_list->array[i]);
- }
#ifdef ENABLE_CRYPTO
if (o->tls_server)
@@ -3817,9 +3803,7 @@ options_warning_safe_scan1(const int msglevel,
char *p = gc_malloc(OPTION_PARM_SIZE, true, &gc);
while (buf_parse(&b, delim, p, OPTION_PARM_SIZE))
- {
options_warning_safe_scan2(msglevel, delim, report_inconsistent, p, b2_src, b1_name, b2_name);
- }
gc_free(&gc);
}
@@ -4096,7 +4080,6 @@ usage(void)
fprintf(fp, usage_message,
title_string,
o.ce.connect_retry_seconds,
- o.ce.connect_retry_seconds_max,
o.ce.local_port, o.ce.remote_port,
TUN_MTU_DEFAULT, TAP_MTU_EXTRA_DEFAULT,
o.verbosity);
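Review bot: Dropping `o.ce.connect_retry_seconds_max,` from the `fprintf(fp, usage_message, ...)` argument list is only safe if `usage_message` lost the matching conversion specifier, and that part of the string is not in this diff; a format string with one more conversion than arguments is undefined behaviour and in practice prints whatever happens to be on the stack. Please confirm the `--connect-retry` usage text in the same commit has one fewer conversion, and consider a comment next to the call pinning the order, e.g. `/* arguments must follow the conversion order in usage_message: title, connect_retry_seconds, local_port, remote_port, tun/tap MTU defaults, verbosity */`. usage()'s body starts before this hunk.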
@@ -4447,10 +4430,7 @@ read_inline_file(struct in_src *is, const char *close_tag, struct gc_arena *gc)
{
char *line_ptr = line;
/* Remove leading spaces */
- while (isspace(*line_ptr))
- {
- line_ptr++;
- }
+ while (isspace(*line_ptr)) line_ptr++;
if (!strncmp(line_ptr, close_tag, strlen(close_tag)))
{
endtagfound = true;
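Review bot: `while (isspace(*line_ptr)) line_ptr++;` passes a plain `char` to `isspace()`; on platforms where `char` is signed, any byte above 0x7F in a config file becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions (only `EOF` and `unsigned char` values are defined). The pre-existing code had the same issue, but since this line is being rewritten anyway it should become `while (isspace((unsigned char)*line_ptr)) line_ptr++;`, and the `isupper(s[i])` / `toupper(*s)` calls in the x509-username-field hunk need the same cast. read_inline_file continues outside this hunk.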
@@ -4546,7 +4526,7 @@ read_config_file(struct options *options,
FILE *fp;
int line_num;
char line[OPTION_LINE_SIZE+1];
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS];
++level;
if (level <= max_recursive_levels)
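Review bot: Shrinking `p` from `MAX_PARMS+1` to `MAX_PARMS` entries and passing `SIZE(p)` instead of `SIZE(p)-1` to `parse_line()` removes the spare slot that guaranteed a NULL after a line carrying the maximum number of parameters; whether `p[MAX_PARMS-1]` can now be non-NULL depends on parse_line's contract, which is not in this diff. If it can, any caller that scans `p` without a bound reads one element past the array — the `for (i = 1; p[i]; i++)` loop in the ignore-unknown-option hunk is one such scan, and should at least become `for (i = 1; i < MAX_PARMS && p[i]; i++)` like the other loops in add_option. The same array change is made in the read_config_string and apply_push_options hunks; unless parse_line is known to leave the last slot NULL, keeping the extra terminator slot is the simpler guarantee. read_config_file continues outside this hunk.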
@@ -4578,7 +4558,7 @@ read_config_file(struct options *options,
{
offset = 3;
}
- if (parse_line(line + offset, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
+ if (parse_line(line + offset, p, SIZE(p), file, line_num, msglevel, &options->gc))
{
bypass_doubledash(&p[0]);
check_inline_file_via_fp(fp, p, &options->gc);
@@ -4620,10 +4600,10 @@ read_config_string(const char *prefix,
while (buf_parse(&multiline, '\n', line, sizeof(line)))
{
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS];
CLEAR(p);
++line_num;
- if (parse_line(line, p, SIZE(p)-1, prefix, line_num, msglevel, &options->gc))
+ if (parse_line(line, p, SIZE(p), prefix, line_num, msglevel, &options->gc))
{
bypass_doubledash(&p[0]);
check_inline_file_via_buf(&multiline, p, &options->gc);
@@ -4754,14 +4734,14 @@ apply_push_options(struct options *options,
while (buf_parse(buf, ',', line, sizeof(line)))
{
- char *p[MAX_PARMS+1];
+ char *p[MAX_PARMS];
CLEAR(p);
++line_num;
if (!apply_pull_filter(options, line))
{
return false; /* Cause push/pull error and stop push processing */
}
- if (parse_line(line, p, SIZE(p)-1, file, line_num, msglevel, &options->gc))
+ if (parse_line(line, p, SIZE(p), file, line_num, msglevel, &options->gc))
{
add_option(options, p, file, line_num, 0, msglevel, permission_mask, option_types_found, es);
}
@@ -5167,7 +5147,7 @@ add_option(struct options *options,
}
#endif /* ifdef ENABLE_MANAGEMENT */
#ifdef ENABLE_PLUGIN
- else if (streq(p[0], "plugin") && p[1])
+ else if (streq(p[0], "plugin") && p[1] && !p[3])
{
VERIFY_PERMISSION(OPT_P_PLUGIN);
if (!options->plugin_list)
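Review bot: The added `&& !p[3]` caps `--plugin` at a path plus one argument, so a config that passes a plugin two or more arguments no longer matches this branch and falls through to whatever handling follows, presumably an unknown-option error; if the plugin list code consumed all of `&p[1]` before (not visible here), this is a silent behaviour change for existing configs. If the cap is intentional, a comment stating it, e.g. `/* --plugin takes the module path and at most one argument string */`, would save the next reader the question. add_option continues outside this hunk.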
@@ -5317,14 +5297,12 @@ add_option(struct options *options,
if (!sub.ce.remote)
{
msg(msglevel, "Each 'connection' block must contain exactly one 'remote' directive");
- uninit_options(&sub);
goto err;
}
e = alloc_connection_entry(options, msglevel);
if (!e)
{
- uninit_options(&sub);
goto err;
}
*e = sub.ce;
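Review bot: Both error paths in the connection-block handling now `goto err` without the `uninit_options(&sub)` call that preceded them, while the success path (`*e = sub.ce;`) continues; if `sub` was set up with `init_options()` above this hunk (outside the diff), it presumably owns a gc arena and other allocations that these paths never release, so each malformed `connection` block leaks until the process exits. If the teardown was instead moved to the `err:` label for all paths, a one-line comment here such as `/* sub is released at err: */` would make that intent visible. add_option's connection-block code starts and ends outside this hunk.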
@@ -5342,24 +5320,18 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
/* Find out how many options to be ignored */
for (i = 1; p[i]; i++)
- {
numignored++;
- }
/* add number of options already ignored */
for (i = 0; options->ignore_unknown_option
&& options->ignore_unknown_option[i]; i++)
- {
numignored++;
- }
/* Allocate array */
ALLOC_ARRAY_GC(ignore, const char *, numignored+1, &options->gc);
for (i = 0; options->ignore_unknown_option
&& options->ignore_unknown_option[i]; i++)
- {
ignore[i] = options->ignore_unknown_option[i];
- }
options->ignore_unknown_option = ignore;
@@ -6043,8 +6015,7 @@ add_option(struct options *options,
struct http_custom_header *custom_header = NULL;
int i;
/* Find the first free header */
- for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++)
- {
+ for (i = 0; i < MAX_CUSTOM_HTTP_HEADER; i++) {
if (!ho->custom_headers[i].name)
{
custom_header = &ho->custom_headers[i];
@@ -6818,6 +6789,20 @@ add_option(struct options *options,
options->port_share_port = p[2];
options->port_share_journal_dir = p[3];
}
+ else if (streq (p[0], "pkcs11-id-type") ||
+ streq (p[0], "pkcs11-sign-mode") ||
+ streq (p[0], "pkcs11-slot") ||
+ streq (p[0], "pkcs11-slot-type") ||
+ streq (p[0], "show-pkcs11-objects") ||
+ streq (p[0], "show-pkcs11-slots"))
+ {
+ if (file)
+ msg (msglevel, "You are using an obsolete parameter in %s:%d: %s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.",
+ file, line, p[0], PACKAGE_VERSION);
+ else
+ msg (msglevel, "You are using an obsolete parameter: --%s (%s).\nPlease see /usr/share/doc/openvpn/NEWS.Debian.gz for details.",
+ p[0], PACKAGE_VERSION);
+ }
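Review bot: The new `pkcs11-id-type` / `show-pkcs11-*` branch is inserted immediately before the `#endif` that closes the conditional block containing the `port_share` options, so it is only compiled when that feature is enabled; from the visible lines the branch does not depend on that feature and most likely belongs after the `#endif`, next to `client-to-client`. Within the branch, `if (file)` / `else` wrap two-line `msg()` calls without braces, `msg (` and `streq (` carry a space before the parenthesis unlike every other call in the file, and the hard-coded `/usr/share/doc/openvpn/NEWS.Debian.gz` path is a packaging detail that is wrong on any other distribution. Since the branch also falls through without `goto err`, the obsolete parameter is accepted after the message unless `msglevel` is fatal; a comment stating which of the two is intended would help.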
#endif
else if (streq(p[0], "client-to-client") && !p[1])
{
@@ -7229,11 +7214,11 @@ add_option(struct options *options,
{
VERIFY_PERMISSION(OPT_P_IPWIN32);
options->tuntap_options.dhcp_pre_release = true;
- options->tuntap_options.dhcp_renew = true;
}
else if (streq(p[0], "dhcp-release") && !p[1])
{
- msg(M_WARN, "Obsolete option --dhcp-release detected. This is now on by default");
+ VERIFY_PERMISSION(OPT_P_IPWIN32);
+ options->tuntap_options.dhcp_release = true;
}
else if (streq(p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */
{
@@ -7705,25 +7690,10 @@ add_option(struct options *options,
options->extra_certs_file_inline = p[2];
}
}
- else if (streq(p[0], "verify-hash") && p[1] && !p[3])
+ else if (streq(p[0], "verify-hash") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
-
- if (!p[2] || (p[2] && streq(p[2], "SHA1")))
- {
- options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
- options->verify_hash_algo = MD_SHA1;
- }
- else if (p[2] && streq(p[2], "SHA256"))
- {
- options->verify_hash = parse_hash_fingerprint(p[1], SHA256_DIGEST_LENGTH, msglevel, &options->gc);
- options->verify_hash_algo = MD_SHA256;
- }
- else
- {
- msg(msglevel, "invalid or unsupported hashing algorithm: %s (only SHA1 and SHA256 are valid)", p[2]);
- goto err;
- }
+ options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
}
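Review bot: The rewritten `verify-hash` branch accepts only a SHA-1 fingerprint (`SHA_DIGEST_LENGTH`) and no longer assigns `options->verify_hash_algo`, so the `[algo]` argument and the SHA-256 pinning the removed lines supported are gone; chosen-prefix collisions against SHA-1 are practical, so a SHA-1-only certificate pin gives a weaker guarantee than the option's name suggests. A config that had `--verify-hash <fp> SHA256` now fails the `!p[2]` test and falls through to whatever handling follows, and if `verify_hash_algo` is still read by the verification code (not in this diff) it is now never set and zero-initialisation picks the digest. The usage-text hunk that drops the `hash [algo]` wording has the same root cause. At minimum the restriction should be documented on the branch, e.g. `/* SHA-1 fingerprints only; an algo argument is rejected by the !p[2] test */`. add_option continues outside this hunk.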
#ifdef ENABLE_CRYPTOAPI
else if (streq(p[0], "cryptoapicert") && p[1] && !p[2])
@@ -7947,18 +7917,12 @@ add_option(struct options *options,
}
else if (streq(p[0], "remote-cert-ku"))
{
+ int j;
+
VERIFY_PERMISSION(OPT_P_GENERAL);
- size_t j;
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- {
sscanf(p[j], "%x", &(options->remote_cert_ku[j-1]));
- }
- if (j == 1)
- {
- /* No specific KU required, but require KU to be present */
- options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
- }
}
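Review bot: Removing the `if (j == 1)` fallback means `--remote-cert-ku` given without hex values now writes nothing into `options->remote_cert_ku[]`, so the bare form becomes a no-op instead of "require a KU extension to be present" as the removed comment described; if the verifier treats an all-zero array as "no KU check" (outside this diff), a config relying on the bare form silently loses that check. The `sscanf(p[j], "%x", ...)` return value is also unchecked, so a non-hex value leaves the slot unchanged with no diagnostic; `if (sscanf(p[j], "%x", &(options->remote_cert_ku[j-1])) != 1) { msg(msglevel, "remote-cert-ku: invalid value %s", p[j]); goto err; }` would catch it, and the pkcs11-private-mode hunk has the same unchecked `sscanf`. add_option continues outside this hunk.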
else if (streq(p[0], "remote-cert-eku") && p[1] && !p[2])
{
@@ -7971,12 +7935,15 @@ add_option(struct options *options,
if (streq(p[1], "server"))
{
- options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
+ options->remote_cert_ku[0] = 0xa0;
+ options->remote_cert_ku[1] = 0x88;
options->remote_cert_eku = "TLS Web Server Authentication";
}
else if (streq(p[1], "client"))
{
- options->remote_cert_ku[0] = OPENVPN_KU_REQUIRED;
+ options->remote_cert_ku[0] = 0x80;
+ options->remote_cert_ku[1] = 0x08;
+ options->remote_cert_ku[2] = 0x88;
options->remote_cert_eku = "TLS Web Client Authentication";
}
else
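Review bot: `0xa0`, `0x88`, `0x80` and `0x08` are bare magic numbers standing for X.509 keyUsage bit combinations, which makes the server/client distinction unreadable without RFC 5280 at hand; named values would carry the meaning, for example (constructed names) `enum { KU_DIGITAL_SIGNATURE = 0x80, KU_KEY_ENCIPHERMENT = 0x20, KU_KEY_AGREEMENT = 0x08 };` and `options->remote_cert_ku[0] = KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT;`, or at least a comment such as `/* server: digitalSignature|keyEncipherment or digitalSignature|keyAgreement */` on each block. The assignments also fill only slots 0-1 (server) or 0-2 (client) and leave the higher entries untouched, so if `--remote-cert-ku` appeared earlier in the same config its values presumably survive alongside these; if that combination is not intended, clear the array first. add_option continues outside this hunk.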
@@ -8084,25 +8051,15 @@ add_option(struct options *options,
if (strncmp("ext:", s, 4) != 0)
{
size_t i = 0;
- while (s[i] && !isupper(s[i]))
- {
- i++;
- }
+ while (s[i] && !isupper(s[i])) i++;
if (strlen(s) == i)
{
- while ((*s = toupper(*s)) != '\0')
- {
- s++;
- }
+ while ((*s = toupper(*s)) != '\0') s++;
msg(M_WARN, "DEPRECATED FEATURE: automatically upcased the "
"--x509-username-field parameter to '%s'; please update your"
"configuration", p[1]);
}
}
- else if (!x509_username_field_ext_supported(s+4))
- {
- msg(msglevel, "Unsupported x509-username-field extension: %s", s);
- }
options->x509_username_field = p[1];
}
#endif /* ENABLE_X509ALTUSERNAME */
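Review bot: Dropping the `else if (!x509_username_field_ext_supported(s+4))` check means an `ext:` value the build cannot extract (a misspelled or unsupported extension name) is now stored in `options->x509_username_field` with no diagnostic at parse time; unless the verification code reports it later (not visible here), a typo silently changes which certificate field the username is taken from, which is exactly the kind of misconfiguration an operator wants rejected at startup. If the helper was removed elsewhere in this commit, the branch deserves a comment saying where the value is validated instead, e.g. `/* ext: names are validated when the certificate is inspected */`. add_option continues outside this hunk.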
@@ -8151,9 +8108,7 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- {
options->pkcs11_providers[j-1] = p[j];
- }
}
else if (streq(p[0], "pkcs11-protected-authentication"))
{
@@ -8162,9 +8117,7 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- {
options->pkcs11_protected_authentication[j-1] = atoi(p[j]) != 0 ? 1 : 0;
- }
}
else if (streq(p[0], "pkcs11-private-mode") && p[1])
{
@@ -8173,9 +8126,7 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- {
sscanf(p[j], "%x", &(options->pkcs11_private_mode[j-1]));
- }
}
else if (streq(p[0], "pkcs11-cert-private"))
{
@@ -8184,9 +8135,7 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_GENERAL);
for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)
- {
options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0;
- }
}
else if (streq(p[0], "pkcs11-pin-cache") && p[1] && !p[2])
{