From patchwork Tue Mar 18 15:53:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4183 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:7046:b0:60a:d70a:d3c7 with SMTP id t6csp2905302mat; Tue, 18 Mar 2025 08:53:51 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCX8VuZUvaLa/5ExOEyhlUlZzx/eoPppqc6T5YjuChn+rc7ryJTv47zD3/pq54SqhdOW7mymuPi3CDs=@openvpn.net X-Google-Smtp-Source: AGHT+IGMxbBk8kSGGuml0cTOSn8s4FPQFfBoNZerh0gkcGbEOE+ee7cc8x4CXCdbg60Ah0UwELgl X-Received: by 2002:a05:6870:3912:b0:29e:362b:2162 with SMTP id 586e51a60fabf-2c690fef2a3mr8126727fac.20.1742313231372; Tue, 18 Mar 2025 08:53:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1742313231; cv=none; d=google.com; s=arc-20240605; b=YeRzDr+nEmk17+zgFbfvDM+oFTaGMln7xyRd7YDoTGHxmZVAjQZx3RBqaEbL4Nkmp3 n/PZ1NEu7InQepjqq+x3pZXVW6HNDP7GFuhXs834d6Y4lZXoq/Np5ozBYlntqYzNIUk4 tx4qWxvxTPfsiR+fuTqxi2iOByuxq21erl40cbIRTj0wERqpQb97e2D/3EkAiI/DERlE u0XLKKBQ6vg4C2PjrZN7CKC6FHjhg1coRTbf5QBxt6fAvc6slMLb+0J9m6MZGrxfISTd P9Vs5wbb8IYF48u351X0Ybi2rG1dc1R45zK9M+qSzaimNxl9wAZK/0FPDrV+wWqvGO30 CHbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=08tEQg9cpkM0gqcjTikDfVdxXkhEsIpUh0XXx2zmTWY=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=eIiO346yMIxAmfXQnv/hBCrhvRsIIXdJZvUPSCVpH2jzbzoeb0MH9xzrkLH5NVbHkL LQIM4ZFaJTaoS3UAiPu9eTsVVAYj+cy/rK4k+C+E533bhKSBCu292EZCdwCy++8OpVzE zFWZycoqB0rf+u7F3HPN9WbaJqBLQGdBYkazVwF9fMvv4/x4Bdbl7WPppJa1dlEmCa1/ lcmIyYNbP6Z7FDZdATv2A9yK69P6aKKkHxn5zK8xfz4STQWynwUTBdtr1CkIPRC536V4 AIw7rQWLlJrwCAJLvFTZGrRIRUBVEDtde1cdjPsgvfb0acYHCY1CaB+5xkuEaGYWLXwb o92w==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=TLc8kkj9; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=aiHiKnia; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 46e09a7af769-72bb299c9dcsi6998326a34.302.2025.03.18.08.53.50 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Mar 2025 08:53:51 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=TLc8kkj9; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=aiHiKnia; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1tuZGG-0008Ma-Un; Tue, 18 Mar 2025 15:53:48 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1tuZGE-0008MS-PQ for openvpn-devel@lists.sourceforge.net; Tue, 18 Mar 2025 15:53:46 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=/ZuUYr904tUb/UF5m289zPStrEe52AVoPb4wluhXHEA=; b=TLc8kkj95H3TqMkJ25ZAzIDtva UXlqtRQbEgO0MIB1rwBjICbNKQcWdih/cs8MvRYRPinU1vLESV4s/sH8NEd4q7K2jw8ATvaUfj62Z /76u8WC5TdKF9bycWKyywxP/nK+gxJxm2jZ4r31eUD40qiwCqrDCODyqNolPqRHdg0Vg=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=/ZuUYr904tUb/UF5m289zPStrEe52AVoPb4wluhXHEA=; b=aiHiKniaIwfqOSHL09nFp2nDFO 7N4Fdt4uJm99OFUeEWT6LpAQy6zZZ7Vh7byUZHdtQ4+e9rsO54bz08K5ygWTz6j7ggj12AG5O8IiJ a0n9gYNXsUBroyf5VgxGupY2K+XLZX7WXSLdz/hWpx5ol7vnLwjDET0pxX8LmQud8vsM=; Received: from dhcp-174.greenie.muc.de ([193.149.48.174] helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1tuZG1-0002Sd-Lw for openvpn-devel@lists.sourceforge.net; Tue, 18 Mar 2025 15:53:46 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.17.1.9/8.17.1.9) with ESMTP id 52IFrLH3032622 for ; Tue, 18 Mar 2025 16:53:21 +0100 Received: (from gert@localhost) by blue.greenie.muc.de (8.17.1.9/8.17.1.9/Submit) id 52IFrLvD032621 for openvpn-devel@lists.sourceforge.net; Tue, 18 Mar 2025 16:53:21 +0100 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Tue, 18 Mar 2025 16:53:11 +0100 Message-ID: <20250318155320.32573-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.45.2 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 0.0 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Frank Lichtenheld - Reuse the MUST_BE_UNDEF macro in more places - Add a second parameter so it actually reports the correct option name - Add MUST_BE_FALSE for similar cases - Reorder the checks for cert/key options t [...] Content analysis details: (0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [193.149.48.174 listed in sa-accredit.habeas.com] 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [193.149.48.174 listed in bl.score.senderscore.com] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1tuZG1-0002Sd-Lw Subject: [Openvpn-devel] [PATCH v3] options: Cleanup and simplify options_postprocess_verify_ce X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1826947838629590963?= X-GMAIL-MSGID: =?utf-8?q?1826947838629590963?= From: Frank Lichtenheld - Reuse the MUST_BE_UNDEF macro in more places - Add a second parameter so it actually reports the correct option name - Add MUST_BE_FALSE for similar cases - Reorder the checks for cert/key options to make more sense. Some of the checks could have never fired due to wrong placement of the management checks - Some other small cleanups like missing spaces in multiline string literal Change-Id: I4f766fa22865eaf4466c31cf55e3d73b00008c38 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/832 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 31000e9..67ef55b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2369,6 +2369,13 @@ static void check_ca_required(const struct options *options) { +#ifdef ENABLE_CRYPTO_MBEDTLS + if (options->ca_path) + { + msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN."); + } +#endif + if (options->verify_hash_no_ca || options->pkcs12_file || options->ca_file @@ -2388,6 +2395,11 @@ msg(M_USAGE, "%s", str); } +#define MUST_BE_UNDEF(parm, parm_name) \ + if (options->parm != defaults.parm) { msg(M_USAGE, use_err, parm_name); } +#define MUST_BE_FALSE(condition, parm_name) \ + if (condition) { msg(M_USAGE, use_err, parm_name); } + static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce) @@ -2636,6 +2648,8 @@ */ if (options->mode == MODE_SERVER) { + const char use_err[] = "--%s cannot be used with --mode server."; + #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \ "--proto values of udp, tcp-server, tcp4-server, or tcp6-server" #ifdef TARGET_ANDROID @@ -2645,10 +2659,7 @@ { msg(M_USAGE, "--mode server only works with --dev tun or --dev tap"); } - if (options->pull) - { - msg(M_USAGE, "--pull cannot be used with --mode server"); - } + MUST_BE_UNDEF(pull, "pull"); if (options->pull_filter_list) { msg(M_WARN, "--pull-filter ignored for --mode server"); @@ -2669,22 +2680,10 @@ { msg(M_USAGE, "--mode server requires --tls-server"); } - if (ce->remote) - { - msg(M_USAGE, "--remote cannot be used with --mode server"); - } - if (!ce->bind_local) - { - msg(M_USAGE, "--nobind cannot be used with --mode server"); - } - if (ce->http_proxy_options) - { - msg(M_USAGE, "--http-proxy cannot be used with --mode server"); - } - if (ce->socks_proxy_server) - { - msg(M_USAGE, "--socks-proxy cannot be used with --mode server"); - } + MUST_BE_FALSE(ce->remote, "remote"); + MUST_BE_FALSE(!ce->bind_local, "nobind"); + MUST_BE_FALSE(ce->http_proxy_options, "http-proxy"); + MUST_BE_FALSE(ce->socks_proxy_server, "socks-proxy"); /* blocks force to have a remote embedded, so we check * for the --remote and bail out if it is present */ @@ -2694,10 +2693,7 @@ msg(M_USAGE, " cannot be used with --mode server"); } - if (options->shaper) - { - msg(M_USAGE, "--shaper cannot be used with --mode server"); - } + MUST_BE_UNDEF(shaper, "shaper"); if (options->ipchange) { msg(M_USAGE, @@ -2720,14 +2716,8 @@ { msg(M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)"); } - if (options->route_delay_defined) - { - msg(M_USAGE, "--route-delay cannot be used with --mode server"); - } - if (options->up_delay) - { - msg(M_USAGE, "--up-delay cannot be used with --mode server"); - } + MUST_BE_UNDEF(route_delay_defined, "route-delay"); + MUST_BE_UNDEF(up_delay, "up-delay"); if (!options->ifconfig_pool_defined && !options->ifconfig_ipv6_pool_defined && options->ifconfig_pool_persist_filename) @@ -2739,10 +2729,7 @@ { msg(M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6"); } - if (options->allow_recursive_routing) - { - msg(M_USAGE, "--allow-recursive-routing cannot be used with --mode server"); - } + MUST_BE_UNDEF(allow_recursive_routing, "allow-recursive-routing"); if (options->auth_user_pass_file) { msg(M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)"); @@ -2764,23 +2751,19 @@ options->handshake_window); } + if (!options->auth_user_pass_verify_script + || PLUGIN_OPTION_LIST(options) + || MAN_CLIENT_AUTH_ENABLED(options)) { - const bool ccnr = (options->auth_user_pass_verify_script - || PLUGIN_OPTION_LIST(options) - || MAN_CLIENT_AUTH_ENABLED(options)); - const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin"; - if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr) - { - msg(M_USAGE, "--verify-client-cert none|optional %s", postfix); - } - if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr) - { - msg(M_USAGE, "--username-as-common-name %s", postfix); - } - if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr) - { - msg(M_USAGE, "--auth-user-pass-optional %s", postfix); - } + const char *use_err = "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin"; + + MUST_BE_FALSE(options->ssl_flags + & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL), + "verify-client-cert none|optional"); + MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, + "username-as-common-name"); + MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, + "auth-user-pass-optional"); } if (options->vlan_tagging && dev != DEV_TYPE_TAP) @@ -2789,125 +2772,65 @@ } if (!options->vlan_tagging) { - if (options->vlan_accept != defaults.vlan_accept) - { - msg(M_USAGE, "--vlan-accept requires --vlan-tagging"); - } - if (options->vlan_pvid != defaults.vlan_pvid) - { - msg(M_USAGE, "--vlan-pvid requires --vlan-tagging"); - } + const char use_err[] = "--%s requires --vlan-tagging"; + MUST_BE_UNDEF(vlan_accept, "vlan-accept"); + MUST_BE_UNDEF(vlan_pvid, "vlan-pvid"); } } else { + const char use_err[] = "--%s requires --mode server"; /* * When not in server mode, err if parameters are * specified which require --mode server. */ - if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename) - { - msg(M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server"); - } - if (options->ifconfig_ipv6_pool_defined) - { - msg(M_USAGE, "--ifconfig-ipv6-pool requires --mode server"); - } - if (options->real_hash_size != defaults.real_hash_size - || options->virtual_hash_size != defaults.virtual_hash_size) - { - msg(M_USAGE, "--hash-size requires --mode server"); - } - if (options->learn_address_script) - { - msg(M_USAGE, "--learn-address requires --mode server"); - } - if (options->client_connect_script) - { - msg(M_USAGE, "--client-connect requires --mode server"); - } - if (options->client_crresponse_script) - { - msg(M_USAGE, "--client-crresponse requires --mode server"); - } - if (options->client_disconnect_script) - { - msg(M_USAGE, "--client-disconnect requires --mode server"); - } - if (options->client_config_dir || options->ccd_exclusive) - { - msg(M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server"); - } - if (options->enable_c2c) - { - msg(M_USAGE, "--client-to-client requires --mode server"); - } - if (options->duplicate_cn) - { - msg(M_USAGE, "--duplicate-cn requires --mode server"); - } - if (options->cf_max || options->cf_per) - { - msg(M_USAGE, "--connect-freq requires --mode server"); - } - if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) - { - msg(M_USAGE, "--verify-client-cert requires --mode server"); - } - if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) - { - msg(M_USAGE, "--username-as-common-name requires --mode server"); - } - if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) - { - msg(M_USAGE, "--auth-user-pass-optional requires --mode server"); - } - if (options->ssl_flags & SSLF_OPT_VERIFY) - { - msg(M_USAGE, "--opt-verify requires --mode server"); - } + MUST_BE_UNDEF(ifconfig_pool_defined, "ifconfig-pool"); + MUST_BE_UNDEF(ifconfig_pool_persist_filename, "ifconfig-pool-persist"); + MUST_BE_UNDEF(ifconfig_ipv6_pool_defined, "ifconfig-ipv6-pool"); + MUST_BE_UNDEF(real_hash_size, "hash-size"); + MUST_BE_UNDEF(virtual_hash_size, "hash-size"); + MUST_BE_UNDEF(learn_address_script, "learn-address"); + MUST_BE_UNDEF(client_connect_script, "client-connect"); + MUST_BE_UNDEF(client_crresponse_script, "client-crresponse"); + MUST_BE_UNDEF(client_disconnect_script, "client-disconnect"); + MUST_BE_UNDEF(client_config_dir, "client-config-dir"); + MUST_BE_UNDEF(ccd_exclusive, "ccd-exclusive"); + MUST_BE_UNDEF(enable_c2c, "client-to-client"); + MUST_BE_UNDEF(duplicate_cn, "duplicate-cn"); + MUST_BE_UNDEF(cf_max, "connect-freq"); + MUST_BE_UNDEF(cf_per, "connect-freq"); + MUST_BE_FALSE(options->ssl_flags + & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL), + "verify-client-cert"); + MUST_BE_FALSE(options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME, "username-as-common-name"); + MUST_BE_FALSE(options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL, "auth-user-pass-optional"); + MUST_BE_FALSE(options->ssl_flags & SSLF_OPT_VERIFY, "opt-verify"); if (options->server_flags & SF_TCP_NODELAY_HELPER) { msg(M_WARN, "WARNING: setting tcp-nodelay on the client side will not " "affect the server. To have TCP_NODELAY in both direction use " "tcp-nodelay in the server configuration instead."); } - if (options->auth_user_pass_verify_script) - { - msg(M_USAGE, "--auth-user-pass-verify requires --mode server"); - } - if (options->auth_token_generate) - { - msg(M_USAGE, "--auth-gen-token requires --mode server"); - } + MUST_BE_UNDEF(auth_user_pass_verify_script, "auth-user-pass-verify"); + MUST_BE_UNDEF(auth_token_generate, "auth-gen-token"); #if PORT_SHARE if (options->port_share_host || options->port_share_port) { msg(M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)"); } #endif - - if (options->stale_routes_check_interval) - { - msg(M_USAGE, "--stale-routes-check requires --mode server"); - } - - if (options->vlan_tagging) - { - msg(M_USAGE, "--vlan-tagging requires --mode server"); - } - - if (options->force_key_material_export) - { - msg(M_USAGE, "--force-tls-key-material-export requires --mode server"); - } + MUST_BE_UNDEF(stale_routes_check_interval, "stale-routes-check"); + MUST_BE_UNDEF(vlan_tagging, "vlan-tagging"); + MUST_BE_UNDEF(vlan_accept, "vlan-accept"); + MUST_BE_UNDEF(vlan_pvid, "vlan-pvid"); + MUST_BE_UNDEF(force_key_material_export, "force-key-material-export"); } /* * SSL/TLS mode sanity checks. */ if (options->tls_server + options->tls_client - +(options->shared_secret_file != NULL) > 1) + + (options->shared_secret_file != NULL) > 1) { msg(M_USAGE, "specify only one of --tls-server, --tls-client, or --secret"); } @@ -2924,9 +2847,9 @@ "configuration detected. OpenVPN 2.8 will remove the " "functionality to run a VPN without TLS. " "See the examples section in the manual page for " - "examples of a similar quick setup with peer-fingerprint." + "examples of a similar quick setup with peer-fingerprint. " "OpenVPN 2.7 allows using this configuration when using " - "--allow-deprecated-insecure-static-crypto but you should move" + "--allow-deprecated-insecure-static-crypto but you should move " "to a proper configuration using TLS as soon as possible." ); } @@ -2973,112 +2896,60 @@ { msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified."); } - if (options->cert_file) - { - msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified."); - } - if (options->priv_key_file) - { - msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified."); - } - if (options->management_flags & MF_EXTERNAL_KEY) - { - msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified."); - } - if (options->management_flags & MF_EXTERNAL_CERT) - { - msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified."); - } - if (options->pkcs12_file) - { - msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified."); - } + const char use_err[] = "Parameter --%s cannot be used when --pkcs11-provider is also specified."; + MUST_BE_UNDEF(cert_file, "cert"); + MUST_BE_UNDEF(priv_key_file, "key"); + MUST_BE_UNDEF(pkcs12_file, "pkcs12"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert"); #ifdef ENABLE_CRYPTOAPI - if (options->cryptoapi_cert) - { - msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified."); - } + MUST_BE_UNDEF(cryptoapi_cert, "cryptoapicert"); #endif } else #endif /* ifdef ENABLE_PKCS11 */ - if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file) - { - msg(M_USAGE, "--key and --management-external-key are mutually exclusive"); - } - else if ((options->management_flags & MF_EXTERNAL_CERT)) - { - if (options->cert_file) - { - msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive"); - } - else if (!(options->management_flags & MF_EXTERNAL_KEY)) - { - msg(M_USAGE, "--management-external-cert must be used with --management-external-key"); - } - } - else #ifdef ENABLE_CRYPTOAPI if (options->cryptoapi_cert) { - if (options->cert_file) - { - msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified."); - } - if (options->priv_key_file) - { - msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified."); - } - if (options->pkcs12_file) - { - msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified."); - } - if (options->management_flags & MF_EXTERNAL_KEY) - { - msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified."); - } - if (options->management_flags & MF_EXTERNAL_CERT) - { - msg(M_USAGE, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified."); - } + const char use_err[] = "Parameter --%s cannot be used when --cryptoapicert is also specified."; + MUST_BE_UNDEF(cert_file, "cert"); + MUST_BE_UNDEF(priv_key_file, "key"); + MUST_BE_UNDEF(pkcs12_file, "pkcs12"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert"); } else -#endif /* ifdef ENABLE_CRYPTOAPI */ +#endif if (options->pkcs12_file) { #ifdef ENABLE_CRYPTO_MBEDTLS msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN."); #else - if (options->ca_path) - { - msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified."); - } - if (options->cert_file) - { - msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified."); - } - if (options->priv_key_file) - { - msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified."); - } - if (options->management_flags & MF_EXTERNAL_KEY) - { - msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified."); - } - if (options->management_flags & MF_EXTERNAL_CERT) - { - msg(M_USAGE, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified."); - } + const char use_err[] = "Parameter --%s cannot be used when --pkcs12 is also specified."; + MUST_BE_UNDEF(ca_path, "capath"); + MUST_BE_UNDEF(cert_file, "cert"); + MUST_BE_UNDEF(priv_key_file, "key"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_KEY, "management-external-key"); + MUST_BE_FALSE(options->management_flags & MF_EXTERNAL_CERT, "management-external-cert"); #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ } - else + else /* cert/key from none of pkcs11, pkcs12, cryptoapi */ { -#ifdef ENABLE_CRYPTO_MBEDTLS - if (options->ca_path) + if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file) { - msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version of OpenVPN."); + msg(M_USAGE, "--key and --management-external-key are mutually exclusive"); } -#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ + if ((options->management_flags & MF_EXTERNAL_CERT)) + { + if (options->cert_file) + { + msg(M_USAGE, "--cert and --management-external-cert are mutually exclusive"); + } + else if (!(options->management_flags & MF_EXTERNAL_KEY)) + { + msg(M_USAGE, "--management-external-cert must be used with --management-external-key"); + } + } if (pull) { @@ -3130,55 +3001,51 @@ * when in non-TLS mode. */ -#define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \ -} + const char use_err[] = "Parameter %s can only be specified in TLS-mode, " + "i.e. where --tls-server or --tls-client is also specified."; - const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified."; - - MUST_BE_UNDEF(ca_file); - MUST_BE_UNDEF(ca_path); - MUST_BE_UNDEF(dh_file); - MUST_BE_UNDEF(cert_file); - MUST_BE_UNDEF(priv_key_file); + MUST_BE_UNDEF(ca_file, "ca"); + MUST_BE_UNDEF(ca_path, "capath"); + MUST_BE_UNDEF(dh_file, "dh"); + MUST_BE_UNDEF(cert_file, "cert"); + MUST_BE_UNDEF(priv_key_file, "key"); #ifndef ENABLE_CRYPTO_MBEDTLS - MUST_BE_UNDEF(pkcs12_file); + MUST_BE_UNDEF(pkcs12_file, "pkcs12"); #endif - MUST_BE_UNDEF(cipher_list); - MUST_BE_UNDEF(cipher_list_tls13); - MUST_BE_UNDEF(tls_cert_profile); - MUST_BE_UNDEF(tls_verify); - MUST_BE_UNDEF(tls_export_peer_cert_dir); - MUST_BE_UNDEF(verify_x509_name); - MUST_BE_UNDEF(tls_timeout); - MUST_BE_UNDEF(renegotiate_bytes); - MUST_BE_UNDEF(renegotiate_packets); - MUST_BE_UNDEF(renegotiate_seconds); - MUST_BE_UNDEF(handshake_window); - MUST_BE_UNDEF(transition_window); - MUST_BE_UNDEF(tls_auth_file); - MUST_BE_UNDEF(tls_crypt_file); - MUST_BE_UNDEF(tls_crypt_v2_file); - MUST_BE_UNDEF(single_session); - MUST_BE_UNDEF(push_peer_info); - MUST_BE_UNDEF(tls_exit); - MUST_BE_UNDEF(crl_file); - MUST_BE_UNDEF(ns_cert_type); - MUST_BE_UNDEF(remote_cert_ku[0]); - MUST_BE_UNDEF(remote_cert_eku); + MUST_BE_UNDEF(cipher_list, "tls-cipher"); + MUST_BE_UNDEF(cipher_list_tls13, "tls-ciphersuites"); + MUST_BE_UNDEF(tls_cert_profile, "tls-cert-profile"); + MUST_BE_UNDEF(tls_verify, "tls-verify"); + MUST_BE_UNDEF(tls_export_peer_cert_dir, "tls-export-cert"); + MUST_BE_UNDEF(verify_x509_name, "verify-x509-name"); + MUST_BE_UNDEF(tls_timeout, "tls-timeout"); + MUST_BE_UNDEF(renegotiate_bytes, "reneg-bytes"); + MUST_BE_UNDEF(renegotiate_packets, "reneg-pkts"); + MUST_BE_UNDEF(renegotiate_seconds, "reneg-sec"); + MUST_BE_UNDEF(handshake_window, "hand-window"); + MUST_BE_UNDEF(transition_window, "tran-window"); + MUST_BE_UNDEF(tls_auth_file, "tls-auth"); + MUST_BE_UNDEF(tls_crypt_file, "tls-crypt"); + MUST_BE_UNDEF(tls_crypt_v2_file, "tls-crypt-v2"); + MUST_BE_UNDEF(single_session, "single-session"); + MUST_BE_UNDEF(push_peer_info, "push-peer-info"); + MUST_BE_UNDEF(tls_exit, "tls-exit"); + MUST_BE_UNDEF(crl_file, "crl-verify"); + MUST_BE_UNDEF(ns_cert_type, "ns-cert-type"); + MUST_BE_UNDEF(remote_cert_ku[0], "remote-cert-ku"); + MUST_BE_UNDEF(remote_cert_eku, "remote-cert-eku"); #ifdef ENABLE_PKCS11 - MUST_BE_UNDEF(pkcs11_providers[0]); - MUST_BE_UNDEF(pkcs11_private_mode[0]); - MUST_BE_UNDEF(pkcs11_id); - MUST_BE_UNDEF(pkcs11_id_management); + MUST_BE_UNDEF(pkcs11_providers[0], "pkcs11-providers"); + MUST_BE_UNDEF(pkcs11_private_mode[0], "pkcs11-private-mode"); + MUST_BE_UNDEF(pkcs11_id, "pkcs11-id"); + MUST_BE_UNDEF(pkcs11_id_management, "pkcs11-id-management"); #endif if (pull) { - msg(M_USAGE, err, "--pull"); + msg(M_USAGE, use_err, "--pull"); } } -#undef MUST_BE_UNDEF - if (options->auth_user_pass_file && !options->pull) { msg(M_USAGE, "--auth-user-pass requires --pull"); @@ -3187,6 +3054,9 @@ uninit_options(&defaults); } +#undef MUST_BE_UNDEF +#undef MUST_BE_FALSE + static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) {