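SHOW_BOOL (tls_client);
SHOW_INT (key_method);
SHOW_STR (ca_file);
SHOW_STR (dh_file);
SHOW_STR (cert_file);
SHOW_STR (priv_key_file);
SHOW_STR (cipher_list);
SHOW_STR (tls_verify);
SHOW_STR (tls_remote);
SHOW_STR (crl_file);
SHOW_INT (tls_timeout);
SHOW_INT (renegotiate_bytes);
SHOW_INT (renegotiate_packets);
SHOW_INT (renegotiate_seconds);
SHOW_INT (handshake_window);
SHOW_INT (transition_window);
SHOW_BOOL (single_session);
SHOW_STR (tls_auth_file);
#endif
#endif
#if P2MP
show_p2mp_parms (o);
#endif
#ifdef WIN32
show_tuntap_options (&o->tuntap_options);
#endif
}
#undef SHOW_PARM
#undef SHOW_STR
#undef SHOW_INT
#undef SHOW_BOOL

/*
 * Sanity check on options.
 * Also set some options based on other
 * options.
 *
 * options    -- the parsed option set.  Checked in place; where one
 *               option implies another (MTU defaults, --inetd nowait
 *               implying --ifconfig-noexec, Windows DHCP route delay,
 *               replay window for connection-oriented protocols) the
 *               derived value is also written back into *options.
 * first_time -- true on the first pass; only then is
 *               pem_password_callback() invoked for --askpass.
 *
 * Every inconsistency is reported via msg (M_USAGE, ...).  The checks
 * are written on the assumption that M_USAGE does not return
 * (NOTE(review): confirm against msg()'s implementation); a later
 * check never relies on an earlier one having "fixed" the input.
 */
void
options_postprocess (struct options *options, bool first_time)
{
  struct options defaults;
  int dev = DEV_TYPE_UNDEF;
  int i;
  bool pull = false;

  /* Pristine defaults, used below to detect options the user set
     explicitly (value differs from the default). */
  init_options (&defaults);

#ifdef USE_CRYPTO
  if (options->test_crypto)
    {
      notnull (options->shared_secret_file, "key file (--secret)");
    }
  else
#endif
    notnull (options->dev, "TUN/TAP device (--dev)");

  /*
   * Get tun/tap/null device type
   */
  dev = dev_type_enum (options->dev, options->dev_type);

  /*
   * Fill in default port number for --remote list
   */
  if (options->remote_list)
    {
      for (i = 0; i < options->remote_list->len; ++i)
        {
          struct remote_entry *e = &options->remote_list->array[i];
          if (e->port < 0)
            e->port = options->remote_port;
        }
    }

  /* will we be pulling options from server? */
#if P2MP
  pull = options->pull;
#endif

  /*
   * Sanity check on daemon/inetd modes
   */
  if (options->daemon && options->inetd)
    msg (M_USAGE, "Options error: only one of --daemon or --inetd may be specified");

  if (options->inetd && (options->local || options->remote_list))
    msg (M_USAGE, "Options error: --local or --remote cannot be used with --inetd");

  if (options->inetd && options->proto == PROTO_TCPv4_CLIENT)
    msg (M_USAGE, "Options error: --proto tcp-client cannot be used with --inetd");

  if (options->inetd == INETD_NOWAIT && options->proto != PROTO_TCPv4_SERVER)
    msg (M_USAGE, "Options error: --inetd nowait can only be used with --proto tcp-server");

  /* Without SSL support there is no TLS mode at all, so the condition
     collapses to "nowait is always an error" in that build. */
  if (options->inetd == INETD_NOWAIT
#if defined(USE_CRYPTO) && defined(USE_SSL)
      && !(options->tls_server || options->tls_client)
#endif
      )
    msg (M_USAGE, "Options error: --inetd nowait can only be used in TLS mode");

  if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
    msg (M_USAGE, "Options error: --inetd nowait only makes sense in --dev tap mode");

  /*
   * In forking TCP server mode, you don't need to ifconfig
   * the tap device (the assumption is that it will be bridged).
   */
  if (options->inetd == INETD_NOWAIT)
    options->ifconfig_noexec = true;

  /*
   * Sanity check on TCP mode options
   */
  if (options->connect_retry_defined && options->proto != PROTO_TCPv4_CLIENT)
    msg (M_USAGE, "Options error: --connect-retry doesn't make sense unless also used with --proto tcp-client");

  /*
   * Sanity check on MTU parameters
   */
  if (options->tun_mtu_defined && options->link_mtu_defined)
    msg (M_USAGE, "Options error: only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT);

  if (options->proto != PROTO_UDPv4 && options->mtu_test)
    msg (M_USAGE, "Options error: --mtu-test only makes sense with --proto udp");

  /*
   * Set MTU defaults
   */
  {
    if (!options->tun_mtu_defined && !options->link_mtu_defined)
      {
        options->tun_mtu_defined = true;
      }
    if ((dev == DEV_TYPE_TAP) && !options->tun_mtu_extra_defined)
      {
        options->tun_mtu_extra_defined = true;
        options->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT;
      }
  }

  /*
   * Sanity check on --local, --remote, and ifconfig
   */
  if (options->remote_list)
    {
      /* Reuses the function-level 'i'; the earlier loop over the
         same list has already finished. */
      struct remote_list *l = options->remote_list;
      for (i = 0; i < l->len; ++i)
        {
          const char *remote = l->array[i].hostname;
          const int remote_port = l->array[i].port;
          if (string_defined_equal (options->local, remote)
              && options->local_port == remote_port)
            msg (M_USAGE, "Options error: --remote and --local addresses are the same");
          if (string_defined_equal (remote, options->ifconfig_local)
              || string_defined_equal (remote, options->ifconfig_remote_netmask))
            msg (M_USAGE, "Options error: --local and --remote addresses must be distinct from --ifconfig addresses");
        }
    }

  if (string_defined_equal (options->local, options->ifconfig_local)
      || string_defined_equal (options->local, options->ifconfig_remote_netmask))
    msg (M_USAGE, "Options error: --local addresses must be distinct from --ifconfig addresses");

  if (string_defined_equal (options->ifconfig_local, options->ifconfig_remote_netmask))
    msg (M_USAGE, "Options error: local and remote/netmask --ifconfig addresses must be different");

#ifdef WIN32
  /* On Windows a tun device cannot be brought up without addresses
     unless they will arrive via --pull. */
  if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
    msg (M_USAGE, "Options error: On Windows, --ifconfig is required when --dev tun is used");

  if ((options->tuntap_options.ip_win32_defined)
      && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask)))
    msg (M_USAGE, "Options error: On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");

  if (options->tuntap_options.dhcp_options
      && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ)
    msg (M_USAGE, "Options error: --dhcp-options requires --ip-win32 dynamic");

  /* DHCP masquerade needs time for the adapter to obtain its lease
     before routes are added; 10 is the historical default. */
  if (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ && !options->route_delay_defined)
    {
      options->route_delay_defined = true;
      options->route_delay = 10;
    }

  /* --ifconfig-noexec is expressed on Windows as the "manual" ip-win32
     mode, so translate and clear the generic flag. */
  if (options->ifconfig_noexec)
    {
      options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL;
      options->ifconfig_noexec = false;
    }
#endif

  /*
   * Check that protocol options make sense.
   */
  if (options->proto != PROTO_UDPv4 && options->fragment)
    msg (M_USAGE, "Options error: --fragment can only be used with --proto udp");

  if (!options->remote_list && options->proto == PROTO_TCPv4_CLIENT)
    msg (M_USAGE, "Options error: --remote MUST be used in TCP Client mode");

  if (options->http_proxy_server && options->proto != PROTO_TCPv4_CLIENT)
    msg (M_USAGE, "Options error: --http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");

  if (options->http_proxy_server && options->socks_proxy_server)
    msg (M_USAGE, "Options error: --http-proxy can not be used together with --socks-proxy");

  if (options->socks_proxy_server && options->proto == PROTO_TCPv4_SERVER)
    msg (M_USAGE, "Options error: --socks-proxy can not be used in TCP Server mode");

  if (options->proto == PROTO_TCPv4_SERVER && remote_list_len (options->remote_list) > 1)
    msg (M_USAGE, "Options error: TCP server mode allows at most one --remote address");

#if P2MP
  /*
   * Check consistency of --mode server options.
   */
  if (options->mode == MODE_SERVER)
    {
      if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP))
        msg (M_USAGE, "Options error: --mode server only works with --dev tun or --dev tap");
      if (options->pull)
        msg (M_USAGE, "Options error: --pull cannot be used with --mode server");
      if (!options->tls_server)
        msg (M_USAGE, "Options error: --mode server requires --tls-server");
      if (options->remote_list)
        msg (M_USAGE, "Options error: --remote cannot be used with --mode server");
      if (options->http_proxy_server || options->socks_proxy_server)
        msg (M_USAGE, "Options error: --http-proxy or --socks-proxy cannot be used with --mode server");
      if (options->tun_ipv6)
        msg (M_USAGE, "Options error: --tun-ipv6 cannot be used with --mode server");
      if (options->shaper)
        msg (M_USAGE, "Options error: --shaper cannot be used with --mode server");
      /* The protocol check for server mode lives only in the toggle
         below (it used to be duplicated above it, unconditionally). */
#if 1 // JYFIXME -- should we allow --mode server --proto tcp?
      if (!(options->proto == PROTO_UDPv4 || options->proto == PROTO_TCPv4_SERVER))
        msg (M_USAGE, "Options error: --mode server currently only supports --proto udp or --proto tcp-server");
#else
      if (!(options->proto == PROTO_UDPv4))
        msg (M_USAGE, "Options error: --mode server currently only supports --proto udp");
#endif
#ifdef WIN32
      /*
       * We need to treat --route-delay as --tap-sleep because
       * we do not schedule event timers in the top-level context.
       */
      options->route_delay_defined = false;
      options->tuntap_options.tap_sleep = options->route_delay;
#endif
    }
  else
    {
      /* Server-only options are rejected outright rather than silently
         ignored, so a misconfigured client does not think they took
         effect. */
      if (options->ifconfig_pool_defined)
        msg (M_USAGE, "Options error: --ifconfig-pool requires --mode server");
      if (options->real_hash_size != defaults.real_hash_size
          || options->virtual_hash_size != defaults.virtual_hash_size)
        msg (M_USAGE, "Options error: --hash-size requires --mode server");
      if (options->learn_address_script)
        msg (M_USAGE, "Options error: --learn-address requires --mode server");
      if (options->client_connect_script)
        msg (M_USAGE, "Options error: --client-connect requires --mode server");
      if (options->client_disconnect_script)
        msg (M_USAGE, "Options error: --client-disconnect requires --mode server");
      if (options->tmp_dir)
        msg (M_USAGE, "Options error: --tmp-dir requires --mode server");
      if (options->client_config_dir)
        msg (M_USAGE, "Options error: --client-config-dir requires --mode server");
      if (options->enable_c2c)
        msg (M_USAGE, "Options error: --client-to-client requires --mode server");
      if (options->duplicate_cn)
        msg (M_USAGE, "Options error: --duplicate-cn requires --mode server");
      if (options->cf_max || options->cf_per)
        msg (M_USAGE, "Options error: --connect-freq requires --mode server");
    }
#endif

#ifdef USE_CRYPTO
  /*
   * Check consistency of replay options
   */
  if ((options->proto != PROTO_UDPv4)
      && (options->replay_window != defaults.replay_window
          || options->replay_time != defaults.replay_time))
    msg (M_USAGE, "Options error: --replay-window only makes sense with --proto udp");

  if (!options->replay
      && (options->replay_window != defaults.replay_window
          || options->replay_time != defaults.replay_time))
    msg (M_USAGE, "Options error: --replay-window doesn't make sense when replay protection is disabled with --no-replay");

  /* Don't use replay window for TCP mode (i.e. require that packets
     be strictly in sequence). */
  if (link_socket_proto_connection_oriented (options->proto))
    options->replay_window = options->replay_time = 0;

#ifdef USE_SSL
  /* Exactly one key-management mode: the bools and the pointer test
     each contribute 0 or 1 to the sum. */
  if (options->tls_server + options->tls_client +
      (options->shared_secret_file != NULL) > 1)
    msg (M_USAGE, "Options error: specify only one of --tls-server, --tls-client, or --secret");

  if (options->tls_server)
    {
      notnull (options->dh_file, "DH file (--dh)");
    }
  if (options->tls_server || options->tls_client)
    {
      notnull (options->ca_file, "CA file (--ca)");
      notnull (options->cert_file, "certificate file (--cert)");
      notnull (options->priv_key_file, "private key file (--key)");
      if (first_time && options->askpass)
        pem_password_callback (NULL, 0, 0, NULL);
    }
  else
    {
      /*
       * Make sure user doesn't specify any TLS options
       * when in non-TLS mode.  A TLS-only parameter that was
       * silently ignored would leave the user believing it
       * was in effect, so each one is rejected explicitly.
       */
#define MUST_BE_UNDEF(parm) \
      do { \
        if (options->parm != defaults.parm) \
          msg (M_USAGE, err, #parm); \
      } while (0)

      const char err[] = "Options error: Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";

      MUST_BE_UNDEF (ca_file);
      MUST_BE_UNDEF (dh_file);
      MUST_BE_UNDEF (cert_file);
      MUST_BE_UNDEF (priv_key_file);
      MUST_BE_UNDEF (cipher_list);
      MUST_BE_UNDEF (tls_verify);
      MUST_BE_UNDEF (tls_remote);
      MUST_BE_UNDEF (tls_timeout);
      MUST_BE_UNDEF (renegotiate_bytes);
      MUST_BE_UNDEF (renegotiate_packets);
      MUST_BE_UNDEF (renegotiate_seconds);
      MUST_BE_UNDEF (handshake_window);
      MUST_BE_UNDEF (transition_window);
      MUST_BE_UNDEF (tls_auth_file);
      MUST_BE_UNDEF (single_session);
      MUST_BE_UNDEF (crl_file);
      MUST_BE_UNDEF (key_method);
    }
#undef MUST_BE_UNDEF
#endif /* USE_SSL */
#endif /* USE_CRYPTO */

#if P2MP
  /*
   * Save certain parms before modifying options via --pull
   */
  pre_pull_save (options);
#endif
}

#if P2MP
/*
 * Save/Restore certain option defaults before --pull is applied.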
*/

/*
 * Snapshot the option state that a --pull reply is allowed to
 * overwrite (tun/tap settings, foreign-option index, route list) so
 * that pre_pull_restore() can put it back.  Does nothing unless
 * o->pull is set.  The snapshot is allocated from o->gc.
 */
void
pre_pull_save (struct options *o)
{
  if (!o->pull)
    return;

  ALLOC_OBJ_CLEAR_GC (o->pre_pull, struct options_pre_pull, &o->gc);

  o->pre_pull->foreign_option_index = o->foreign_option_index;

  o->pre_pull->tuntap_options_defined = true;
  o->pre_pull->tuntap_options = o->tuntap_options;

  /* Routes are copied by value; only when a route list exists. */
  if (o->routes)
    {
      o->pre_pull->routes_defined = true;
      o->pre_pull->routes = *o->routes;
    }
}

/*
 * Undo the effect of a --pull on the fields captured by
 * pre_pull_save().  A no-op when no snapshot was taken.  The route
 * list is restored only if the options still own one.
 */
void
pre_pull_restore (struct options *o)
{
  const struct options_pre_pull *saved = o->pre_pull;

  if (!saved)
    return;

  o->foreign_option_index = saved->foreign_option_index;

  if (saved->tuntap_options_defined)
    o->tuntap_options = saved->tuntap_options;

  if (saved->routes_defined && o->routes)
    *o->routes = saved->routes;
}