From patchwork Tue Dec 10 17:23:28 2024
X-Patchwork-Submitter: "ralf_lici (Code Review)"
X-Patchwork-Id: 3985
From: "flichtenheld (Code Review)"
Date: Tue, 10 Dec 2024 17:23:28 +0000
To: plaisthos
Cc: openvpn-devel
Reply-To: frank@lichtenheld.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net
X-Gerrit-MessageType: newchange
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Id: I4f766fa22865eaf4466c31cf55e3d73b00008c38
X-Gerrit-Change-Number: 832
X-Gerrit-Project: openvpn
X-Gerrit-Commit: e9f9a901fa3095f44ddf89f2d9ae23ed7fceb92e
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [L] Change in openvpn[master]: options: Cleanup and simplify options_postprocess_verify_ce

Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/832?usp=email

to review the following change.

Change subject: options: Cleanup and simplify options_postprocess_verify_ce
......................................................................
options: Cleanup and simplify options_postprocess_verify_ce - Reuse the MUST_BE_UNDEF macro in more places - Add a second parameter so it actually reports the correct option name - Add MUST_BE_FALSE for similar cases - Reorder the checks for cert/key options to make more sense. Some of the checks could have never fired due to wrong placement of the management checks - Some other small cleanups like missing spaces in multiline string literal Change-Id: I4f766fa22865eaf4466c31cf55e3d73b00008c38 Signed-off-by: Frank Lichtenheld --- M src/openvpn/options.c 1 file changed, 142 insertions(+), 274 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/32/832/1 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index d8dd518..d7f1a8f 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2300,6 +2300,13 @@ static void check_ca_required(const struct options *options) { +#ifdef ENABLE_CRYPTO_MBEDTLS + if (options->ca_path) + { + msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN."); + } +#endif + if (options->verify_hash_no_ca || options->pkcs12_file || options->ca_file @@ -2319,6 +2326,11 @@ msg(M_USAGE, "%s", str); } +#define MUST_BE_UNDEF(parm, parm_name) \ + if (options->parm != defaults.parm) { msg(M_USAGE, use_err, parm_name); } +#define MUST_BE_FALSE(condition, parm_name) \ + if (condition) { msg(M_USAGE, use_err, parm_name); } + static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce) @@ -2555,6 +2567,8 @@ */ if (options->mode == MODE_SERVER) { + const char use_err[] = "--%s cannot be used with --mode server."; + #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \ "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" #ifdef TARGET_ANDROID 
@@ -2564,10 +2578,7 @@ { msg(M_USAGE, "--mode server only works with --dev tun or --dev tap"); } - if (options->pull) - { - msg(M_USAGE, "--pull cannot be used with --mode server"); - } + MUST_BE_UNDEF(pull, "pull"); if (options->pull_filter_list) { msg(M_WARN, "--pull-filter ignored for --mode server"); @@ -2588,22 +2599,10 @@ { msg(M_USAGE, "--mode server requires --tls-server"); } - if (ce->remote) - { - msg(M_USAGE, "--remote cannot be used with --mode server"); - } - if (!ce->bind_local) - { - msg(M_USAGE, "--nobind cannot be used with --mode server"); - } - if (ce->http_proxy_options) - { - msg(M_USAGE, "--http-proxy cannot be used with --mode server"); - } - if (ce->socks_proxy_server) - { - msg(M_USAGE, "--socks-proxy cannot be used with --mode server"); - } + MUST_BE_FALSE(ce->remote, "remote"); + MUST_BE_FALSE(!ce->bind_local, "nobind"); + MUST_BE_FALSE(ce->http_proxy_options, "http-proxy"); + MUST_BE_FALSE(ce->socks_proxy_server, "socks-proxy"); /* blocks force to have a remote embedded, so we check * for the --remote and bail out if it is present */ @@ -2613,10 +2612,7 @@ msg(M_USAGE, " cannot be used with --mode server"); } - if (options->shaper) - { - msg(M_USAGE, "--shaper cannot be used with --mode server"); - } + MUST_BE_UNDEF(shaper, "shaper"); if (options->ipchange) { msg(M_USAGE, @@ -2639,14 +2635,8 @@ { msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)"); } - if (options->route_delay_defined) - { - msg(M_USAGE, "--route-delay cannot be used with --mode server"); - } - if (options->up_delay) - { - msg(M_USAGE, "--up-delay cannot be used with --mode server"); - } + MUST_BE_UNDEF(route_delay_defined, "route-delay"); + MUST_BE_UNDEF(up_delay, "up-delay"); if (!options->ifconfig_pool_defined && !options->ifconfig_ipv6_pool_defined && options->ifconfig_pool_persist_filename) 
@@ -2658,10 +2648,7 @@ { msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6"); } - if (options->allow_recursive_routing) - { - msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server"); - } + MUST_BE_UNDEF(allow_recursive_routing, "allow-recursive-routing"); if (options->auth_user_pass_file) { msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)"); @@ -2683,23 +2670,19 @@ options->handshake_window); } + if (!options->auth_user_pass_verify_script + || PLUGIN_OPTION_LIST(options) + || MAN_CLIENT_AUTH_ENABLED(options)) { - const bool ccnr = (options->auth_user_pass_verify_script - || PLUGIN_OPTION_LIST(options) - || MAN_CLIENT_AUTH_ENABLED(options)); - const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin"; - if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr) - { - msg(M_USAGE, "--verify-client-cert none|optional %s", postfix); - } - if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr) - { - msg(M_USAGE, "--username-as-common-name %s", postfix); - } - if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr) - { - msg(M_USAGE, "--auth-user-pass-optional %s", postfix); - } + const char *use_err = "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin"; + + MUST_BE_FALSE(options->ssl_flags + & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL), + "verify-client-cert none|optional"); + MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, + "username-as-common-name"); + MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, + "auth-user-pass-optional"); } if (options->vlan_tagging && dev != DEV_TYPE_TAP) 
@@ -2708,125 +2691,65 @@ } if (!options->vlan_tagging) { - if (options->vlan_accept != defaults.vlan_accept) - { - msg(M_USAGE, "--vlan-accept requires --vlan-tagging"); - } - if (options->vlan_pvid != defaults.vlan_pvid) - { - msg(M_USAGE, "--vlan-pvid requires --vlan-tagging"); - } + const char use_err[] = "--%s requires --vlan-tagging"; + MUST_BE_UNDEF(vlan_accept, "vlan-accept"); + MUST_BE_UNDEF(vlan_pvid, "vlan-pvid"); } } else { + const char use_err[] = "--%s requires --mode server"; /* * When not in server mode, err if parameters are * specified which require --mode server. */ - if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename) - { - msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server"); - } - if (options->ifconfig_ipv6_pool_defined) - { - msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server"); - } - if (options->real_hash_size != defaults.real_hash_size - || options->virtual_hash_size != defaults.virtual_hash_size) - { - msg(M_USAGE, "--hash-size requires --mode server"); - } - if (options->learn_address_script) - { - msg(M_USAGE, "--learn-address requires --mode server"); - } - if (options->client_connect_script) - { - msg(M_USAGE, "--client-connect requires --mode server"); - } - if (options->client_crresponse_script) - { - msg(M_USAGE, "--client-crresponse requires --mode server"); - } - if (options->client_disconnect_script) - { - msg(M_USAGE, "--client-disconnect requires --mode server"); - } - if (options->client_config_dir || options->ccd_exclusive) - { - msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server"); - } - if (options->enable_c2c) - { - msg(M_USAGE, "--client-to-client requires --mode server"); - } - if (options->duplicate_cn) - { - msg(M_USAGE, "--duplicate-cn requires --mode server"); - } - if (options->cf_max || options->cf_per) - { - msg(M_USAGE, "--connect-freq requires --mode server"); - } - if (options->ssl_flags & 
(SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) - { - msg(M_USAGE, "--verify-client-cert requires --mode server"); - } - if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) - { - msg(M_USAGE, "--username-as-common-name requires --mode server"); - } - if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) - { - msg(M_USAGE, "--auth-user-pass-optional requires --mode server"); - } - if (options->ssl_flags & SSLF_OPT_VERIFY) - { - msg(M_USAGE, "--opt-verify requires --mode server"); - } + MUST_BE_UNDEF(ifconfig_pool_defined, "ifconfig-pool"); + MUST_BE_UNDEF(ifconfig_pool_persist_filename, "ifconfig-pool-persist"); + MUST_BE_UNDEF(ifconfig_ipv6_pool_defined, "ifconfig-ipv6-pool"); + MUST_BE_UNDEF(real_hash_size, "hash-size"); + MUST_BE_UNDEF(virtual_hash_size, "hash-size"); + MUST_BE_UNDEF(learn_address_script, "learn-address"); + MUST_BE_UNDEF(client_connect_script, "client-connect"); + MUST_BE_UNDEF(client_crresponse_script, "client-crresponse"); + MUST_BE_UNDEF(client_disconnect_script, "client-disconnect"); + MUST_BE_UNDEF(client_config_dir, "client-config-dir"); + MUST_BE_UNDEF(ccd_exclusive, "ccd-exclusive"); + MUST_BE_UNDEF(enable_c2c, "client-to-client"); + MUST_BE_UNDEF(duplicate_cn, "duplicate-cn"); + MUST_BE_UNDEF(cf_max, "connect-freq"); + MUST_BE_UNDEF(cf_per, "connect-freq"); + MUST_BE_FALSE(options->ssl_flags + & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL), + "verify-client-cert"); + MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name"); + MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional"); + MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify"); if (options->server_flags & SF_TCP_NODELAY_HELPER) { msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not " "affect the server. 
To have TCP_NODELAY in both direction use " "tcp-nodelay in the server configuration instead."); } - if (options->auth_user_pass_verify_script) - { - msg(M_USAGE, "--auth-user-pass-verify requires --mode server"); - } - if (options->auth_token_generate) - { - msg(M_USAGE, "--auth-gen-token requires --mode server"); - } + MUST_BE_UNDEF(auth_user_pass_verify_script, "auth-user-pass-verify"); + MUST_BE_UNDEF(auth_token_generate, "auth-gen-token"); #if PORT_SHARE if (options->port_share_host || options->port_share_port) { msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)"); } #endif - - if (options->stale_routes_check_interval) - { - msg(M_USAGE, "--stale-routes-check requires --mode server"); - } - - if (options->vlan_tagging) - { - msg(M_USAGE, "--vlan-tagging requires --mode server"); - } - - if (options->force_key_material_export) - { - msg(M_USAGE, "--force-tls-key-material-export requires --mode server"); - } + MUST_BE_UNDEF(stale_routes_check_interval, "stale-routes-check"); + MUST_BE_UNDEF(vlan_tagging, "vlan-tagging"); + MUST_BE_UNDEF(vlan_accept, "vlan-accept"); + MUST_BE_UNDEF(vlan_pvid, "vlan-pvid"); + MUST_BE_UNDEF(force_key_material_export, "force-key-material-export"); } /* * SSL/TLS mode sanity checks. */ if (options->tls_server + options->tls_client - +(options->shared_secret_file != NULL) > 1) + + (options->shared_secret_file != NULL) > 1) { msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret"); } 
@@ -2843,9 +2766,9 @@ "configuration detected. OpenVPN 2.8 will remove the " "functionality to run a VPN without TLS. " "See the examples section in the manual page for " - "examples of a similar quick setup with peer-fingerprint." + "examples of a similar quick setup with peer-fingerprint. " "OpenVPN 2.7 allows using this configuration when using " - "--allow-deprecated-insecure-static-crypto but you should move" + "--allow-deprecated-insecure-static-crypto but you should move " "to a proper configuration using TLS as soon as possible." ); } 
@@ -2892,112 +2815,58 @@ { msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified."); } - if (options->cert_file) - { - msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified."); - } - if (options->priv_key_file) - { - msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified."); - } - if (options->management_flags & MF_EXTERNAL_KEY) - { - msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified."); - } - if (options->management_flags & MF_EXTERNAL_CERT) - { - msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified."); - } - if (options->pkcs12_file) - { - msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified."); - } -#ifdef ENABLE_CRYPTOAPI - if (options->cryptoapi_cert) - { - msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified."); - } -#endif + const char use_err[] = "Parameter --%s cannot be used when --pkcs11-provider is also specified."; + MUST_BE_UNDEF(cert_file, "cert"); + MUST_BE_UNDEF(priv_key_file, "key"); + MUST_BE_UNDEF(pkcs12_file, "pkcs12"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert"); + MUST_BE_UNDEF(cryptoapi_cert, "cryptoapicert"); } else #endif /* ifdef ENABLE_PKCS11 */ - if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file) - { - msg(M_USAGE, "--key and --management-external-key are mutually exclusive"); - } - else if ((options->management_flags & MF_EXTERNAL_CERT)) - { - if (options->cert_file) - { - msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive"); - } - else if (!(options->management_flags & MF_EXTERNAL_KEY)) - { - msg(M_USAGE, "--management-external-cert must be used with 
--management-external-key"); - } - } - else #ifdef ENABLE_CRYPTOAPI if (options->cryptoapi_cert) { - if (options->cert_file) - { - msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified."); - } - if (options->priv_key_file) - { - msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified."); - } - if (options->pkcs12_file) - { - msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified."); - } - if (options->management_flags & MF_EXTERNAL_KEY) - { - msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified."); - } - if (options->management_flags & MF_EXTERNAL_CERT) - { - msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified."); - } + const char use_err[] = "Parameter --%s cannot be used when --cryptoapicert is also specified."; + MUST_BE_UNDEF(cert_file, "cert"); + MUST_BE_UNDEF(priv_key_file, "key"); + MUST_BE_UNDEF(pkcs12_file, "pkcs12"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert"); } else -#endif /* ifdef ENABLE_CRYPTOAPI */ +#endif if (options->pkcs12_file) { #ifdef ENABLE_CRYPTO_MBEDTLS msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN."); #else - if (options->ca_path) - { - msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified."); - } - if (options->cert_file) - { - msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified."); - } - if (options->priv_key_file) - { - msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified."); - } - if (options->management_flags & MF_EXTERNAL_KEY) - { - msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified."); - } - if (options->management_flags & MF_EXTERNAL_CERT) - { - 
msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified."); - } + const char use_err[] = "Parameter --%s cannot be used when --pkcs12 is also specified."; + MUST_BE_UNDEF(ca_path, "capath"); + MUST_BE_UNDEF(cert_file, "cert"); + MUST_BE_UNDEF(priv_key_file, "key"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert"); #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ } - else + else /* cert/key from none of pkcs11, pkcs12, cryptoapi */ { -#ifdef ENABLE_CRYPTO_MBEDTLS - if (options->ca_path) + if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file) { - msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN."); + msg(M_USAGE, "--key and --management-external-key are mutually exclusive"); } -#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ + if ((options->management_flags & MF_EXTERNAL_CERT)) + { + if (options->cert_file) + { + msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive"); + } + else if (!(options->management_flags & MF_EXTERNAL_KEY)) + { + msg(M_USAGE, "--management-external-cert must be used with --management-external-key"); + } + } if (pull) { 
@@ -3049,55 +2918,51 @@ * when in non-TLS mode. */ -#define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \ -} + const char use_err[] = "Parameter %s can only be specified in TLS-mode, " + "i.e. where --tls-server or --tls-client is also specified."; - const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified."; - - MUST_BE_UNDEF(ca_file); - MUST_BE_UNDEF(ca_path); - MUST_BE_UNDEF(dh_file); - MUST_BE_UNDEF(cert_file); - MUST_BE_UNDEF(priv_key_file); + MUST_BE_UNDEF(ca_file, "ca"); + MUST_BE_UNDEF(ca_path, "capath"); + MUST_BE_UNDEF(dh_file, "dh"); + MUST_BE_UNDEF(cert_file, "cert"); + MUST_BE_UNDEF(priv_key_file, "key"); #ifndef ENABLE_CRYPTO_MBEDTLS - MUST_BE_UNDEF(pkcs12_file); + MUST_BE_UNDEF(pkcs12_file, "pkcs12"); #endif - MUST_BE_UNDEF(cipher_list); - MUST_BE_UNDEF(cipher_list_tls13); - MUST_BE_UNDEF(tls_cert_profile); - MUST_BE_UNDEF(tls_verify); - MUST_BE_UNDEF(tls_export_peer_cert_dir); - MUST_BE_UNDEF(verify_x509_name); - MUST_BE_UNDEF(tls_timeout); - MUST_BE_UNDEF(renegotiate_bytes); - MUST_BE_UNDEF(renegotiate_packets); - MUST_BE_UNDEF(renegotiate_seconds); - MUST_BE_UNDEF(handshake_window); - MUST_BE_UNDEF(transition_window); - MUST_BE_UNDEF(tls_auth_file); - MUST_BE_UNDEF(tls_crypt_file); - MUST_BE_UNDEF(tls_crypt_v2_file); - MUST_BE_UNDEF(single_session); - MUST_BE_UNDEF(push_peer_info); - MUST_BE_UNDEF(tls_exit); - MUST_BE_UNDEF(crl_file); - MUST_BE_UNDEF(ns_cert_type); - MUST_BE_UNDEF(remote_cert_ku[0]); - MUST_BE_UNDEF(remote_cert_eku); + MUST_BE_UNDEF(cipher_list, "tls-cipher"); + MUST_BE_UNDEF(cipher_list_tls13, "tls-ciphersuites"); + MUST_BE_UNDEF(tls_cert_profile, "tls-cert-profile"); + MUST_BE_UNDEF(tls_verify, "tls-verify"); + MUST_BE_UNDEF(tls_export_peer_cert_dir, "tls-export-cert"); + MUST_BE_UNDEF(verify_x509_name, "verify-x509-name"); + MUST_BE_UNDEF(tls_timeout, "tls-timeout"); + MUST_BE_UNDEF(renegotiate_bytes, "reneg-bytes"); + 
MUST_BE_UNDEF(renegotiate_packets, "reneg-pkts"); + MUST_BE_UNDEF(renegotiate_seconds, "reneg-sec"); + MUST_BE_UNDEF(handshake_window, "hand-window"); + MUST_BE_UNDEF(transition_window, "tran-window"); + MUST_BE_UNDEF(tls_auth_file, "tls-auth"); + MUST_BE_UNDEF(tls_crypt_file, "tls-crypt"); + MUST_BE_UNDEF(tls_crypt_v2_file, "tls-crypt-v2"); + MUST_BE_UNDEF(single_session, "single-session"); + MUST_BE_UNDEF(push_peer_info, "push-peer-info"); + MUST_BE_UNDEF(tls_exit, "tls-exit"); + MUST_BE_UNDEF(crl_file, "crl-verify"); + MUST_BE_UNDEF(ns_cert_type, "ns-cert-type"); + MUST_BE_UNDEF(remote_cert_ku[0], "remote-cert-ku"); + MUST_BE_UNDEF(remote_cert_eku, "remote-cert-eku"); #ifdef ENABLE_PKCS11 - MUST_BE_UNDEF(pkcs11_providers[0]); - MUST_BE_UNDEF(pkcs11_private_mode[0]); - MUST_BE_UNDEF(pkcs11_id); - MUST_BE_UNDEF(pkcs11_id_management); + MUST_BE_UNDEF(pkcs11_providers[0], "pkcs11-providers"); + MUST_BE_UNDEF(pkcs11_private_mode[0], "pkcs11-private-mode"); + MUST_BE_UNDEF(pkcs11_id, "pkcs11-id"); + MUST_BE_UNDEF(pkcs11_id_management, "pkcs11-id-management"); #endif if (pull) { - msg(M_USAGE, err, "--pull"); + msg(M_USAGE, use_err, "--pull"); } } -#undef MUST_BE_UNDEF - if (options->auth_user_pass_file && !options->pull) { msg(M_USAGE, "--auth-user-pass requires --pull"); @@ -3106,6 +2971,9 @@ uninit_options(&defaults); } +#undef MUST_BE_UNDEF +#undef MUST_BE_FALSE + static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) {
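Review bot: moving the mbed TLS rejection of `--capath` into check_ca_required() in the @@ -2300,6 +2300,13 @@ hunk widens where it fires, and the commit message does not say so. The copy removed further down sat in the final `else` (cert/key from none of pkcs11, pkcs12, cryptoapi), so a `--pkcs11-provider` configuration combined with `--capath` was never caught by it; assuming check_ca_required() is invoked ahead of the pkcs11/cryptoapi/pkcs12 dispatch, the check now applies to every cert source. That looks like a deliberate tightening, so please state it in the commit message alongside the "could have never fired" remark rather than leaving it implicit.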
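Review bot: the MUST_BE_UNDEF and MUST_BE_FALSE definitions in the @@ -2319,6 +2326,11 @@ hunk expand to a bare `if (...) { ... }`, so a call such as `MUST_BE_UNDEF(pull, "pull");` leaves a stray `;` after the block and any `else` written after it will not compile; wrapping the body in `do { ... } while (0)` avoids that. The macros also rely on `options`, `defaults` and a format string named `use_err` being visible at each expansion site, and several blocks in this patch declare their own nested `use_err` (the MODE_SERVER block, the vlan block inside it, the verify-client-cert block), shadowing the outer one. A short comment above the definitions stating those requirements, and that each block is expected to provide its own `use_err`, would make the dependency explicit for the next reader.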
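Review bot: the `use_err` introduced in the @@ -2555,6 +2567,8 @@ hunk ends with a period (`"--%s cannot be used with --mode server."`), whereas the messages it replaces (`"--pull cannot be used with --mode server"`, `"--remote cannot be used with --mode server"`) and the neighbouring ones that stay (`"--mode server requires --tls-server"`, `"--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)"`) have none. Dropping the period keeps the M_USAGE output within the block uniform.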
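Review bot: the new guard in the @@ -2683,23 +2670,19 @@ hunk inverts the old condition incorrectly. The removed code errored when a flag was set `&& !ccnr`, with `ccnr = (options->auth_user_pass_verify_script || PLUGIN_OPTION_LIST(options) || MAN_CLIENT_AUTH_ENABLED(options))`, i.e. only when none of the three mechanisms is configured. The replacement enters the block when `!options->auth_user_pass_verify_script || PLUGIN_OPTION_LIST(options) || MAN_CLIENT_AUTH_ENABLED(options)`, which is true whenever a plugin is loaded or management client auth is enabled, so a server running `--verify-client-cert none` with an auth plugin, or `--username-as-common-name` with `--management-client-auth`, now aborts with the message telling the user to configure exactly what they already have. The intended condition after De Morgan is `if (!options->auth_user_pass_verify_script && !PLUGIN_OPTION_LIST(options) && !MAN_CLIENT_AUTH_ENABLED(options))`.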
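Review bot: two behaviour changes in the non-server `else` branch of the @@ -2708,125 +2691,65 @@ hunk are not covered by the commit message. First, the removed message read `"--force-tls-key-material-export requires --mode server"` but the replacement passes `"force-key-material-export"`, so the error will name an option spelled differently from the one the user typed; please keep `"force-tls-key-material-export"`. Second, `MUST_BE_UNDEF(vlan_accept, "vlan-accept");` and `MUST_BE_UNDEF(vlan_pvid, "vlan-pvid");` are new checks in client mode (the old code only rejected `--vlan-tagging` there), which is a reasonable tightening but deserves its own bullet rather than being folded under "cleanup".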
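Review bot: `MUST_BE_UNDEF(cryptoapi_cert, "cryptoapicert");` in the `--pkcs11-provider` block of the @@ -2892,112 +2815,58 @@ hunk drops the `#ifdef ENABLE_CRYPTOAPI` guard that the removed lines had, while the `if (options->cryptoapi_cert)` branch later in the same hunk keeps its guard. Unless the `cryptoapi_cert` member is declared unconditionally in struct options, this will not compile on builds without ENABLE_CRYPTOAPI; either restore the guard around that single line or confirm the member exists in every configuration. Minor, in the same hunk: `if ((options->management_flags & MF_EXTERNAL_CERT))` in the final `else /* cert/key from none of pkcs11, pkcs12, cryptoapi */` block carries a redundant pair of parentheses left over from the old `else if`.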
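Review bot: in the @@ -3049,55 +2918,51 @@ hunk the format string `"Parameter %s can only be specified in TLS-mode, "` has no `--` prefix, so the new names (`"ca"`, `"capath"`, `"tls-cipher"`, ...) will print as `Parameter ca can only be specified in TLS-mode`, while the `msg(M_USAGE, use_err, "--pull");` retained in the same block prints `Parameter --pull ...`. Every other `use_err` in this patch embeds the dashes in the format (`"--%s cannot be used with --mode server."`, `"Parameter --%s cannot be used when --pkcs12 is also specified."`); change this one to `"Parameter --%s can only be specified in TLS-mode, "` and pass `"pull"` so the TLS-mode messages match the rest.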