author | Jonathan K. Bullard <jkbullard@gmail.com> | 2015-06-02 08:43:26 -0400 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2015-06-21 14:56:24 +0200 |
commit | 3d6a4cded2b20fb816b17d70eb65cd6c14a95eff (patch) | |
tree | 9f0edd43172bbd103082447d98f377c00a62389e /src/openvpn | |
parent | 659eae7b79e5565bb0c93f6d6d04e2163fea1141 (diff) | |
Fail if options have extra parameters [v2]
Throw an error if an option has extra parameters; previously they
were silently ignored (see also trac #557)
This feature was discussed on the openvpn-devel mailing list
(http://thread.gmane.org/gmane.network.openvpn.devel/9599).
The (modified) message "Unrecognized option or missing or extra
parameter(s)" is used except for a few options:
* The --help option: An extra parameter for --help generates a
specific error message after showing the syntax message. This
is done to help a user who tries "--help tls-cipher" or similar,
hoping to get more information about the "tls-cipher" option.
* The --dhcp-option option: It has its own similar message, into
which " or extra" has been inserted.
* Ten options such as --up that accept a command (instead of a
path) already detect extra parameters and generate specific
error messages that mention double-quoting commands which
contain embedded spaces.
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <CAEsd45RvRfmqetu-EoFjSdyBk5F9X1K5muPGu-+_+30TMNOU_A@mail.gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9783
URL: https://community.openvpn.net/openvpn/ticket/557
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn')
-rw-r--r-- | src/openvpn/options.c | 543 |
1 files changed, 276 insertions, 267 deletions
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8487ce1..74276d4 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -4126,13 +4126,18 @@ add_option (struct options *options, { VERIFY_PERMISSION (OPT_P_GENERAL); usage (); + if (p[1]) + { + msg (msglevel, "--help does not accept any parameters"); + goto err; + } } - if (streq (p[0], "version")) + if (streq (p[0], "version") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); usage_version (); } - else if (streq (p[0], "config") && p[1]) + else if (streq (p[0], "config") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_CONFIG); @@ -4143,7 +4148,7 @@ add_option (struct options *options, read_config_file (options, p[1], level, file, line, msglevel, permission_mask, option_types_found, es); } #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) - else if (streq (p[0], "show-gateway")) + else if (streq (p[0], "show-gateway") && !p[1]) { struct route_gateway_info rgi; VERIFY_PERMISSION (OPT_P_GENERAL); @@ -4193,7 +4198,7 @@ add_option (struct options *options, msg (M_WARN, "echo/parameter option overflow"); } #ifdef ENABLE_MANAGEMENT - else if (streq (p[0], "management") && p[1] && p[2]) + else if (streq (p[0], "management") && p[1] && p[2] && !p[4]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[2], "unix")) 
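Review bot: In the `--help` branch the new `if (p[1])` block is placed after `usage ();`, so the "--help does not accept any parameters" message and its `goto err` are reachable only if usage() returns. Its definition is outside this hunk; if it ends the process, as a usage printer often does, the added block is dead code and `--help tls-cipher` behaves exactly as before. Either confirm that usage() returns and say so in a comment such as `/* usage() returns; report the stray parameter afterwards */`, or test `p[1]` before the call. add_option's body starts and ends outside the hunk.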
@@ -4213,64 +4218,64 @@ add_option (struct options *options, options->management_user_pass = p[3]; } } - else if (streq (p[0], "management-client-user") && p[1]) + else if (streq (p[0], "management-client-user") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_client_user = p[1]; } - else if (streq (p[0], "management-client-group") && p[1]) + else if (streq (p[0], "management-client-group") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_client_group = p[1]; } - else if (streq (p[0], "management-query-passwords")) + else if (streq (p[0], "management-query-passwords") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_QUERY_PASSWORDS; } - else if (streq (p[0], "management-query-remote")) + else if (streq (p[0], "management-query-remote") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_QUERY_REMOTE; } - else if (streq (p[0], "management-query-proxy")) + else if (streq (p[0], "management-query-proxy") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_QUERY_PROXY; } - else if (streq (p[0], "management-hold")) + else if (streq (p[0], "management-hold") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_HOLD; } - else if (streq (p[0], "management-signal")) + else if (streq (p[0], "management-signal") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_SIGNAL; } - else if (streq (p[0], "management-forget-disconnect")) + else if (streq (p[0], "management-forget-disconnect") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_FORGET_DISCONNECT; } - else if (streq (p[0], "management-up-down")) + else if (streq (p[0], "management-up-down") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_UP_DOWN; } - else if (streq (p[0], "management-client")) + else if (streq (p[0], "management-client") && !p[2]) { VERIFY_PERMISSION 
(OPT_P_GENERAL); options->management_flags |= MF_CONNECT_AS_CLIENT; options->management_write_peer_info_file = p[1]; } #ifdef MANAGMENT_EXTERNAL_KEY - else if (streq (p[0], "management-external-key")) + else if (streq (p[0], "management-external-key") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_EXTERNAL_KEY; } - else if (streq (p[0], "management-external-cert") && p[1]) + else if (streq (p[0], "management-external-cert") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_EXTERNAL_CERT; @@ -4278,27 +4283,27 @@ add_option (struct options *options, } #endif #ifdef MANAGEMENT_DEF_AUTH - else if (streq (p[0], "management-client-auth")) + else if (streq (p[0], "management-client-auth") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= MF_CLIENT_AUTH; } #endif #ifdef ENABLE_X509_TRACK - else if (streq (p[0], "x509-track") && p[1]) + else if (streq (p[0], "x509-track") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); x509_track_add (&options->x509_track, p[1], msglevel, &options->gc); } #endif #ifdef MANAGEMENT_PF - else if (streq (p[0], "management-client-pf")) + else if (streq (p[0], "management-client-pf") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->management_flags |= (MF_CLIENT_PF | MF_CLIENT_AUTH); } #endif - else if (streq (p[0], "management-log-cache") && p[1]) + else if (streq (p[0], "management-log-cache") && p[1] && !p[2]) { int cache; @@ -4313,7 +4318,7 @@ add_option (struct options *options, } #endif #ifdef ENABLE_PLUGIN - else if (streq (p[0], "plugin") && p[1]) + else if (streq (p[0], "plugin") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_PLUGIN); if (!options->plugin_list) @@ -4325,7 +4330,7 @@ add_option (struct options *options, } } #endif - else if (streq (p[0], "mode") && p[1]) + else if (streq (p[0], "mode") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], "p2p")) 
@@ -4340,22 +4345,22 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "dev") && p[1]) + else if (streq (p[0], "dev") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->dev = p[1]; } - else if (streq (p[0], "dev-type") && p[1]) + else if (streq (p[0], "dev-type") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->dev_type = p[1]; } - else if (streq (p[0], "dev-node") && p[1]) + else if (streq (p[0], "dev-node") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->dev_node = p[1]; } - else if (streq (p[0], "lladdr") && p[1]) + else if (streq (p[0], "lladdr") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_UP); if (mac_addr_safe (p[1])) /* MAC address only */ @@ -4366,24 +4371,24 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "topology") && p[1]) + else if (streq (p[0], "topology") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_UP); options->topology = parse_topology (p[1], msglevel); } - else if (streq (p[0], "tun-ipv6")) + else if (streq (p[0], "tun-ipv6") && !p[1]) { VERIFY_PERMISSION (OPT_P_UP); options->tun_ipv6 = true; } #ifdef ENABLE_IPROUTE - else if (streq (p[0], "iproute") && p[1]) + else if (streq (p[0], "iproute") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); iproute_path = p[1]; } #endif - else if (streq (p[0], "ifconfig") && p[1] && p[2]) + else if (streq (p[0], "ifconfig") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION (OPT_P_UP); if (ip_or_dns_addr_safe (p[1], options->allow_pull_fqdn) && ip_or_dns_addr_safe (p[2], options->allow_pull_fqdn)) /* FQDN -- may be DNS name */ @@ -4397,7 +4402,7 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] ) + else if (streq (p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3]) { unsigned int netbits; char * ipv6_local; 
@@ -4426,27 +4431,27 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "ifconfig-noexec")) + else if (streq (p[0], "ifconfig-noexec") && !p[1]) { VERIFY_PERMISSION (OPT_P_UP); options->ifconfig_noexec = true; } - else if (streq (p[0], "ifconfig-nowarn")) + else if (streq (p[0], "ifconfig-nowarn") && !p[1]) { VERIFY_PERMISSION (OPT_P_UP); options->ifconfig_nowarn = true; } - else if (streq (p[0], "local") && p[1]) + else if (streq (p[0], "local") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.local = p[1]; } - else if (streq (p[0], "remote-random")) + else if (streq (p[0], "remote-random") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->remote_random = true; } - else if (streq (p[0], "connection") && p[1]) + else if (streq (p[0], "connection") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], INLINE_FILE_TAG) && p[2]) @@ -4509,7 +4514,7 @@ add_option (struct options *options, options->ignore_unknown_option[i] = NULL; } #if ENABLE_MANAGEMENT - else if (streq (p[0], "http-proxy-override") && p[1] && p[2]) + else if (streq (p[0], "http-proxy-override") && p[1] && p[2] && !p[4]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->http_proxy_override = parse_http_proxy_override(p[1], p[2], p[3], msglevel, &options->gc); @@ -4517,7 +4522,7 @@ add_option (struct options *options, goto err; } #endif - else if (streq (p[0], "remote") && p[1]) + else if (streq (p[0], "remote") && p[1] && !p[4]) { struct remote_entry re; re.remote = re.remote_port= NULL; @@ -4554,7 +4559,7 @@ add_option (struct options *options, connection_entry_load_re (&options->ce, &re); } } - else if (streq (p[0], "resolv-retry") && p[1]) + else if (streq (p[0], "resolv-retry") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], "infinite")) 
@@ -4562,7 +4567,7 @@ add_option (struct options *options, else options->resolve_retry_seconds = positive_atoi (p[1]); } - else if (streq (p[0], "preresolve") || streq (p[0], "ip-remote-hint")) + else if (streq (p[0], "preresolve") || streq (p[0], "ip-remote-hint") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->resolve_in_advance = true; @@ -4571,18 +4576,18 @@ add_option (struct options *options, if (p[1]) options->ip_remote_hint=p[1]; } - else if (streq (p[0], "connect-retry") && p[1]) + else if (streq (p[0], "connect-retry") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.connect_retry_seconds = positive_atoi (p[1]); } - else if (streq (p[0], "connect-timeout") && p[1]) + else if (streq (p[0], "connect-timeout") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.connect_timeout = positive_atoi (p[1]); options->ce.connect_timeout_defined = true; } - else if (streq (p[0], "connect-retry-max") && p[1]) + else if (streq (p[0], "connect-retry-max") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->connect_retry_max = positive_atoi (p[1]); @@ -4597,24 +4602,24 @@ add_option (struct options *options, string_substitute (p[1], ',', ' ', &options->gc), "ipchange", true); } - else if (streq (p[0], "float")) + else if (streq (p[0], "float") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.remote_float = true; } #ifdef ENABLE_DEBUG - else if (streq (p[0], "gremlin") && p[1]) + else if (streq (p[0], "gremlin") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->gremlin = positive_atoi (p[1]); } #endif - else if (streq (p[0], "chroot") && p[1]) + else if (streq (p[0], "chroot") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->chroot_dir = p[1]; } - else if (streq (p[0], "cd") && p[1]) + else if (streq (p[0], "cd") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (platform_chdir (p[1])) 
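Review bot: The `preresolve` / `ip-remote-hint` condition mixes `||` and `&&` without parentheses, so `!p[2]` binds only to the `ip-remote-hint` comparison and `preresolve` followed by extra parameters is still accepted silently. The `link-mtu` / `udp-mtu` branch later in this patch groups the alternatives first, and this line should do the same: `else if ((streq (p[0], "preresolve") || streq (p[0], "ip-remote-hint")) && !p[2])`. A build with `-Wparentheses` would flag the line as written. The branch body continues past the end of this hunk.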
@@ -4625,13 +4630,13 @@ add_option (struct options *options, options->cd_dir = p[1]; } #ifdef ENABLE_SELINUX - else if (streq (p[0], "setcon") && p[1]) + else if (streq (p[0], "setcon") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->selinux_context = p[1]; } #endif - else if (streq (p[0], "writepid") && p[1]) + else if (streq (p[0], "writepid") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->writepid = p[1]; @@ -4650,27 +4655,27 @@ add_option (struct options *options, goto err; set_user_script (options, &options->down_script, p[1], "down", true); } - else if (streq (p[0], "down-pre")) + else if (streq (p[0], "down-pre") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->down_pre = true; } - else if (streq (p[0], "up-delay")) + else if (streq (p[0], "up-delay") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->up_delay = true; } - else if (streq (p[0], "up-restart")) + else if (streq (p[0], "up-restart") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->up_restart = true; } - else if (streq (p[0], "syslog")) + else if (streq (p[0], "syslog") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); open_syslog (p[1], false); } - else if (streq (p[0], "daemon")) + else if (streq (p[0], "daemon") && !p[2]) { bool didit = false; VERIFY_PERMISSION (OPT_P_GENERAL); @@ -4688,7 +4693,7 @@ add_option (struct options *options, } } } - else if (streq (p[0], "inetd")) + else if (streq (p[0], "inetd") && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (!options->inetd) 
@@ -4743,50 +4748,50 @@ add_option (struct options *options, open_syslog (name, true); } } - else if (streq (p[0], "log") && p[1]) + else if (streq (p[0], "log") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->log = true; redirect_stdout_stderr (p[1], false); } - else if (streq (p[0], "suppress-timestamps")) + else if (streq (p[0], "suppress-timestamps") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->suppress_timestamps = true; set_suppress_timestamps(true); } - else if (streq (p[0], "machine-readable-output")) + else if (streq (p[0], "machine-readable-output") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->machine_readable_output = true; set_machine_readable_output(true); } - else if (streq (p[0], "log-append") && p[1]) + else if (streq (p[0], "log-append") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->log = true; redirect_stdout_stderr (p[1], true); } #ifdef ENABLE_MEMSTATS - else if (streq (p[0], "memstats") && p[1]) + else if (streq (p[0], "memstats") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->memstats_fn = p[1]; } #endif - else if (streq (p[0], "mlock")) + else if (streq (p[0], "mlock") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->mlock = true; } #if ENABLE_IP_PKTINFO - else if (streq (p[0], "multihome")) + else if (streq (p[0], "multihome") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->sockflags |= SF_USE_IP_PKTINFO; } #endif - else if (streq (p[0], "verb") && p[1]) + else if (streq (p[0], "verb") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MESSAGES); options->verbosity = positive_atoi (p[1]); 
@@ -4797,17 +4802,17 @@ add_option (struct options *options, options->verbosity); #endif } - else if (streq (p[0], "mute") && p[1]) + else if (streq (p[0], "mute") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MESSAGES); options->mute = positive_atoi (p[1]); } - else if (streq (p[0], "errors-to-stderr")) + else if (streq (p[0], "errors-to-stderr") && !p[1]) { VERIFY_PERMISSION (OPT_P_MESSAGES); errors_to_stderr(); } - else if (streq (p[0], "status") && p[1]) + else if (streq (p[0], "status") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->status_file = p[1]; @@ -4816,7 +4821,7 @@ add_option (struct options *options, options->status_file_update_freq = positive_atoi (p[2]); } } - else if (streq (p[0], "status-version") && p[1]) + else if (streq (p[0], "status-version") && p[1] && !p[2]) { int version; @@ -4829,7 +4834,7 @@ add_option (struct options *options, } options->status_file_version = version; } - else if (streq (p[0], "remap-usr1") && p[1]) + else if (streq (p[0], "remap-usr1") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], "SIGHUP")) @@ -4842,19 +4847,19 @@ add_option (struct options *options, goto err; } } - else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1]) + else if ((streq (p[0], "link-mtu") || streq (p[0], "udp-mtu")) && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION); options->ce.link_mtu = positive_atoi (p[1]); options->ce.link_mtu_defined = true; } - else if (streq (p[0], "tun-mtu") && p[1]) + else if (streq (p[0], "tun-mtu") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION); options->ce.tun_mtu = positive_atoi (p[1]); options->ce.tun_mtu_defined = true; } - else if (streq (p[0], "tun-mtu-extra") && p[1]) + else if (streq (p[0], "tun-mtu-extra") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION); options->ce.tun_mtu_extra = positive_atoi (p[1]); 
@@ -4867,41 +4872,41 @@ add_option (struct options *options, msg (msglevel, "--mtu-dynamic has been replaced by --fragment"); goto err; } - else if (streq (p[0], "fragment") && p[1]) + else if (streq (p[0], "fragment") && p[1] && !p[2]) { /* VERIFY_PERMISSION (OPT_P_MTU); */ VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION); options->ce.fragment = positive_atoi (p[1]); } #endif - else if (streq (p[0], "mtu-disc") && p[1]) + else if (streq (p[0], "mtu-disc") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_MTU|OPT_P_CONNECTION); options->ce.mtu_discover_type = translate_mtu_discover_type_name (p[1]); } #ifdef ENABLE_OCC - else if (streq (p[0], "mtu-test")) + else if (streq (p[0], "mtu-test") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->mtu_test = true; } #endif - else if (streq (p[0], "nice") && p[1]) + else if (streq (p[0], "nice") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_NICE); options->nice = atoi (p[1]); } - else if (streq (p[0], "rcvbuf") && p[1]) + else if (streq (p[0], "rcvbuf") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_SOCKBUF); options->rcvbuf = positive_atoi (p[1]); } - else if (streq (p[0], "sndbuf") && p[1]) + else if (streq (p[0], "sndbuf") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_SOCKBUF); options->sndbuf = positive_atoi (p[1]); } - else if (streq (p[0], "mark") && p[1]) + else if (streq (p[0], "mark") && p[1] && !p[2]) { #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK VERIFY_PERMISSION (OPT_P_GENERAL); @@ -4920,7 +4925,7 @@ add_option (struct options *options, msg (msglevel, "unknown socket flag: %s", p[j]); } } - else if (streq (p[0], "txqueuelen") && p[1]) + else if (streq (p[0], "txqueuelen") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); #ifdef TARGET_LINUX @@ -4930,7 +4935,7 @@ add_option (struct options *options, goto err; #endif } - else if (streq (p[0], "shaper") && p[1]) + else if (streq (p[0], "shaper") && p[1] && !p[2]) { #ifdef ENABLE_FEATURE_SHAPER int shaper; 
@@ -4950,23 +4955,23 @@ add_option (struct options *options, goto err; #endif /* ENABLE_FEATURE_SHAPER */ } - else if (streq (p[0], "port") && p[1]) + else if (streq (p[0], "port") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.local_port = options->ce.remote_port = p[1]; } - else if (streq (p[0], "lport") && p[1]) + else if (streq (p[0], "lport") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.local_port_defined = true; options->ce.local_port = p[1]; } - else if (streq (p[0], "rport") && p[1]) + else if (streq (p[0], "rport") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.remote_port = p[1]; } - else if (streq (p[0], "bind")) + else if (streq (p[0], "bind") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.bind_defined = true; @@ -4974,24 +4979,24 @@ add_option (struct options *options, options->ce.bind_ipv6_only=true; } - else if (streq (p[0], "nobind")) + else if (streq (p[0], "nobind") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.bind_local = false; } - else if (streq (p[0], "fast-io")) + else if (streq (p[0], "fast-io") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->fast_io = true; } - else if (streq (p[0], "inactive") && p[1]) + else if (streq (p[0], "inactive") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_TIMER); options->inactivity_timeout = positive_atoi (p[1]); if (p[2]) options->inactivity_minimum_bytes = positive_atoi (p[2]); } - else if (streq (p[0], "proto") && p[1]) + else if (streq (p[0], "proto") && p[1] && !p[2]) { int proto; sa_family_t af; @@ -5008,7 +5013,7 @@ add_option (struct options *options, options->ce.proto = proto; options->ce.af = af; } - else if (streq (p[0], "proto-force") && p[1]) + else if (streq (p[0], "proto-force") && p[1] && !p[2]) { int proto_force; VERIFY_PERMISSION (OPT_P_GENERAL); 
@@ -5020,7 +5025,7 @@ add_option (struct options *options, } options->proto_force = proto_force; } - else if (streq (p[0], "http-proxy") && p[1]) + else if (streq (p[0], "http-proxy") && p[1] && !p[5]) { struct http_proxy_options *ho; @@ -5064,14 +5069,14 @@ add_option (struct options *options, ho->auth_method_string = "none"; } } - else if (streq (p[0], "http-proxy-retry")) + else if (streq (p[0], "http-proxy-retry") && !p[1]) { struct http_proxy_options *ho; VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); ho->retry = true; } - else if (streq (p[0], "http-proxy-timeout") && p[1]) + else if (streq (p[0], "http-proxy-timeout") && p[1] && !p[2]) { struct http_proxy_options *ho; @@ -5079,18 +5084,18 @@ add_option (struct options *options, ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); ho->timeout = positive_atoi (p[1]); } - else if (streq (p[0], "http-proxy-option") && p[1]) + else if (streq (p[0], "http-proxy-option") && p[1] && !p[4]) { struct http_proxy_options *ho; VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); ho = init_http_proxy_options_once (&options->ce.http_proxy_options, &options->gc); - if (streq (p[1], "VERSION") && p[2]) + if (streq (p[1], "VERSION") && p[2] && !p[3]) { ho->http_version = p[2]; } - else if (streq (p[1], "AGENT") && p[2]) + else if (streq (p[1], "AGENT") && p[2] && !p[3]) { ho->user_agent = p[2]; } @@ -5123,10 +5128,10 @@ add_option (struct options *options, } else { - msg (msglevel, "Bad http-proxy-option or missing parameter: '%s'", p[1]); + msg (msglevel, "Bad http-proxy-option or missing or extra parameter: '%s'", p[1]); } } - else if (streq (p[0], "socks-proxy") && p[1]) + else if (streq (p[0], "socks-proxy") && p[1] && !p[4]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); 
@@ -5141,41 +5146,41 @@ add_option (struct options *options, options->ce.socks_proxy_server = p[1]; options->ce.socks_proxy_authfile = p[3]; /* might be NULL */ } - else if (streq (p[0], "socks-proxy-retry")) + else if (streq (p[0], "socks-proxy-retry") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); options->ce.socks_proxy_retry = true; } - else if (streq (p[0], "keepalive") && p[1] && p[2]) + else if (streq (p[0], "keepalive") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->keepalive_ping = atoi (p[1]); options->keepalive_timeout = atoi (p[2]); } - else if (streq (p[0], "ping") && p[1]) + else if (streq (p[0], "ping") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TIMER); options->ping_send_timeout = positive_atoi (p[1]); } - else if (streq (p[0], "ping-exit") && p[1]) + else if (streq (p[0], "ping-exit") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TIMER); options->ping_rec_timeout = positive_atoi (p[1]); options->ping_rec_timeout_action = PING_EXIT; } - else if (streq (p[0], "ping-restart") && p[1]) + else if (streq (p[0], "ping-restart") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TIMER); options->ping_rec_timeout = positive_atoi (p[1]); options->ping_rec_timeout_action = PING_RESTART; } - else if (streq (p[0], "ping-timer-rem")) + else if (streq (p[0], "ping-timer-rem") && !p[1]) { VERIFY_PERMISSION (OPT_P_TIMER); options->ping_timer_remote = true; } #ifdef ENABLE_OCC - else if (streq (p[0], "explicit-exit-notify")) + else if (streq (p[0], "explicit-exit-notify") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION|OPT_P_EXPLICIT_NOTIFY); if (p[1]) 
@@ -5188,35 +5193,35 @@ add_option (struct options *options, } } #endif - else if (streq (p[0], "persist-tun")) + else if (streq (p[0], "persist-tun") && !p[1]) { VERIFY_PERMISSION (OPT_P_PERSIST); options->persist_tun = true; } - else if (streq (p[0], "persist-key")) + else if (streq (p[0], "persist-key") && !p[1]) { VERIFY_PERMISSION (OPT_P_PERSIST); options->persist_key = true; } - else if (streq (p[0], "persist-local-ip")) + else if (streq (p[0], "persist-local-ip") && !p[1]) { VERIFY_PERMISSION (OPT_P_PERSIST_IP); options->persist_local_ip = true; } - else if (streq (p[0], "persist-remote-ip")) + else if (streq (p[0], "persist-remote-ip") && !p[1]) { VERIFY_PERMISSION (OPT_P_PERSIST_IP); options->persist_remote_ip = true; } #ifdef ENABLE_CLIENT_NAT - else if (streq (p[0], "client-nat") && p[1] && p[2] && p[3] && p[4]) + else if (streq (p[0], "client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5]) { VERIFY_PERMISSION (OPT_P_ROUTE); cnol_check_alloc (options); add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3], p[4], msglevel); } #endif - else if (streq (p[0], "route") && p[1]) + else if (streq (p[0], "route") && p[1] && !p[5]) { VERIFY_PERMISSION (OPT_P_ROUTE); rol_check_alloc (options); @@ -5240,7 +5245,7 @@ add_option (struct options *options, } add_route_to_option_list (options->routes, p[1], p[2], p[3], p[4]); } - else if (streq (p[0], "route-ipv6") && p[1]) + else if (streq (p[0], "route-ipv6") && p[1] && !p[4]) { VERIFY_PERMISSION (OPT_P_ROUTE); rol6_check_alloc (options); 
@@ -5260,14 +5265,14 @@ add_option (struct options *options, } add_route_ipv6_to_option_list (options->routes_ipv6, p[1], p[2], p[3]); } - else if (streq (p[0], "max-routes")) + else if (streq (p[0], "max-routes") && !p[2]) { msg (M_WARN, "DEPRECATED OPTION: --max-routes option ignored." "The number of routes is unlimited as of version 2.4. " "This option will be removed in a future version, " "please remove it from your configuration."); } - else if (streq (p[0], "route-gateway") && p[1]) + else if (streq (p[0], "route-gateway") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); if (streq (p[1], "dhcp")) @@ -5287,12 +5292,12 @@ add_option (struct options *options, } } } - else if (streq (p[0], "route-metric") && p[1]) + else if (streq (p[0], "route-metric") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_ROUTE); options->route_default_metric = positive_atoi (p[1]); } - else if (streq (p[0], "route-delay")) + else if (streq (p[0], "route-delay") && !p[3]) { VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); options->route_delay_defined = true; @@ -5326,17 +5331,17 @@ add_option (struct options *options, p[1], "route-pre-down", true); } - else if (streq (p[0], "route-noexec")) + else if (streq (p[0], "route-noexec") && !p[1]) { VERIFY_PERMISSION (OPT_P_SCRIPT); options->route_noexec = true; } - else if (streq (p[0], "route-nopull")) + else if (streq (p[0], "route-nopull") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->route_nopull = true; } - else if (streq (p[0], "allow-pull-fqdn")) + else if (streq (p[0], "allow-pull-fqdn") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->allow_pull_fqdn = true; 
@@ -5370,15 +5375,15 @@ add_option (struct options *options, } options->routes->flags |= RG_ENABLE; } - else if (streq (p[0], "remote-random-hostname")) + else if (streq (p[0], "remote-random-hostname") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->sockflags |= SF_HOST_RANDOMIZE; } - else if (streq (p[0], "setenv") && p[1]) + else if (streq (p[0], "setenv") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); - if (streq (p[1], "REMOTE_RANDOM_HOSTNAME")) + if (streq (p[1], "REMOTE_RANDOM_HOSTNAME") && !p[2]) { options->sockflags |= SF_HOST_RANDOMIZE; } @@ -5388,7 +5393,7 @@ add_option (struct options *options, goto err; } #ifdef ENABLE_PUSH_PEER_INFO - else if (streq (p[1], "PUSH_PEER_INFO")) + else if (streq (p[1], "PUSH_PEER_INFO") && !p[2]) { options->push_peer_info = true; } @@ -5409,17 +5414,17 @@ add_option (struct options *options, setenv_str (es, p[1], p[2] ? p[2] : ""); } } - else if (streq (p[0], "setenv-safe") && p[1]) + else if (streq (p[0], "setenv-safe") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_SETENV); setenv_str_safe (es, p[1], p[2] ? p[2] : ""); } - else if (streq (p[0], "script-security") && p[1]) + else if (streq (p[0], "script-security") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); script_security = atoi (p[1]); } - else if (streq (p[0], "mssfix")) + else if (streq (p[0], "mssfix") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_CONNECTION); if (p[1]) @@ -5431,7 +5436,7 @@ add_option (struct options *options, } #ifdef ENABLE_OCC - else if (streq (p[0], "disable-occ")) + else if (streq (p[0], "disable-occ") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->occ = false; @@ -5439,7 +5444,7 @@ add_option (struct options *options, #endif #if P2MP #if P2MP_SERVER - else if (streq (p[0], "server") && p[1] && p[2]) + else if (streq (p[0], "server") && p[1] && p[2] && !p[4]) { const int lev = M_WARN; bool error = false; 
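Review bot: Inside `setenv`, adding `&& !p[2]` to the `REMOTE_RANDOM_HOSTNAME` and `PUSH_PEER_INFO` name tests does not reject an extra parameter, it only stops the special case from matching. The inner chain then carries on, and the last branch visible here is `setenv_str (es, p[1], p[2] ? p[2] : "")`. Unless a branch outside these hunks catches it, `setenv PUSH_PEER_INFO x` would quietly set an environment variable, leave the flag unset, and report no error. Matching on the name alone and failing inside the branch (a `msg (msglevel, …)` call followed by `if (p[2]) goto err;`) would give the rejection the commit intends. The inner chain is spread over three hunks, so part of it is not visible.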
@@ -5468,7 +5473,7 @@ add_option (struct options *options, } } } - else if (streq (p[0], "server-ipv6") && p[1] ) + else if (streq (p[0], "server-ipv6") && p[1] && !p[3]) { const int lev = M_WARN; struct in6_addr network; @@ -5495,7 +5500,7 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4]) + else if (streq (p[0], "server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5]) { const int lev = M_WARN; bool error = false; @@ -5517,7 +5522,7 @@ add_option (struct options *options, options->server_bridge_pool_start = pool_start; options->server_bridge_pool_end = pool_end; } - else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw")) + else if (streq (p[0], "server-bridge") && p[1] && streq (p[1], "nogw") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->server_bridge_proxy_dhcp = true; @@ -5528,17 +5533,17 @@ add_option (struct options *options, VERIFY_PERMISSION (OPT_P_GENERAL); options->server_bridge_proxy_dhcp = true; } - else if (streq (p[0], "push") && p[1]) + else if (streq (p[0], "push") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_PUSH); push_options (options, &p[1], msglevel, &options->gc); } - else if (streq (p[0], "push-reset")) + else if (streq (p[0], "push-reset") && !p[1]) { VERIFY_PERMISSION (OPT_P_INSTANCE); push_reset (options); } - else if (streq (p[0], "ifconfig-pool") && p[1] && p[2]) + else if (streq (p[0], "ifconfig-pool") && p[1] && p[2] && !p[4]) { const int lev = M_WARN; bool error = false; @@ -5565,7 +5570,7 @@ add_option (struct options *options, if (netmask) options->ifconfig_pool_netmask = netmask; } - else if (streq (p[0], "ifconfig-pool-persist") && p[1]) + else if (streq (p[0], "ifconfig-pool-persist") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ifconfig_pool_persist_filename = p[1]; 
@@ -5574,12 +5579,12 @@ add_option (struct options *options, options->ifconfig_pool_persist_refresh_freq = positive_atoi (p[2]); } } - else if (streq (p[0], "ifconfig-pool-linear")) + else if (streq (p[0], "ifconfig-pool-linear") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->topology = TOP_P2P; } - else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] ) + else if (streq (p[0], "ifconfig-ipv6-pool") && p[1] && !p[2]) { const int lev = M_WARN; struct in6_addr network; @@ -5601,7 +5606,7 @@ add_option (struct options *options, options->ifconfig_ipv6_pool_base = network; options->ifconfig_ipv6_pool_netbits = netbits; } - else if (streq (p[0], "hash-size") && p[1] && p[2]) + else if (streq (p[0], "hash-size") && p[1] && p[2] && !p[3]) { int real, virtual; @@ -5616,7 +5621,7 @@ add_option (struct options *options, options->real_hash_size = real; options->virtual_hash_size = real; } - else if (streq (p[0], "connect-freq") && p[1] && p[2]) + else if (streq (p[0], "connect-freq") && p[1] && p[2] && !p[3]) { int cf_max, cf_per; @@ -5631,7 +5636,7 @@ add_option (struct options *options, options->cf_max = cf_max; options->cf_per = cf_per; } - else if (streq (p[0], "max-clients") && p[1]) + else if (streq (p[0], "max-clients") && p[1] && !p[2]) { int max_clients; 
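Review bot: In the `hash-size` branch the context lines store the same variable twice, `options->real_hash_size = real; options->virtual_hash_size = real;`, although the branch declares `int real, virtual;` and now insists on exactly two parameters. As far as these lines show, the second value is required but never used. The second assignment should read `options->virtual_hash_size = virtual;`. The parsing of p[1] and p[2] sits between the two hunks and is not visible here.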
@@ -5644,27 +5649,27 @@ add_option (struct options *options, } options->max_clients = max_clients; } - else if (streq (p[0], "max-routes-per-client") && p[1]) + else if (streq (p[0], "max-routes-per-client") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_INHERIT); options->max_routes_per_client = max_int (atoi (p[1]), 1); } - else if (streq (p[0], "client-cert-not-required")) + else if (streq (p[0], "client-cert-not-required") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ssl_flags |= SSLF_CLIENT_CERT_NOT_REQUIRED; } - else if (streq (p[0], "username-as-common-name")) + else if (streq (p[0], "username-as-common-name") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ssl_flags |= SSLF_USERNAME_AS_COMMON_NAME; } - else if (streq (p[0], "auth-user-pass-optional")) + else if (streq (p[0], "auth-user-pass-optional") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ssl_flags |= SSLF_AUTH_USER_PASS_OPTIONAL; } - else if (streq (p[0], "opt-verify")) + else if (streq (p[0], "opt-verify") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ssl_flags |= SSLF_OPT_VERIFY; @@ -5719,22 +5724,22 @@ add_option (struct options *options, set_user_script (options, &options->learn_address_script, p[1], "learn-address", true); } - else if (streq (p[0], "tmp-dir") && p[1]) + else if (streq (p[0], "tmp-dir") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->tmp_dir = p[1]; } - else if (streq (p[0], "client-config-dir") && p[1]) + else if (streq (p[0], "client-config-dir") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->client_config_dir = p[1]; } - else if (streq (p[0], "ccd-exclusive")) + else if (streq (p[0], "ccd-exclusive") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ccd_exclusive = true; } - else if (streq (p[0], "bcast-buffers") && p[1]) + else if (streq (p[0], "bcast-buffers") && p[1] && !p[2]) { int n_bcast_buf; 
@@ -5744,7 +5749,7 @@ add_option (struct options *options, msg (msglevel, "--bcast-buffers parameter must be > 0"); options->n_bcast_buf = n_bcast_buf; } - else if (streq (p[0], "tcp-queue-limit") && p[1]) + else if (streq (p[0], "tcp-queue-limit") && p[1] && !p[2]) { int tcp_queue_limit; @@ -5755,7 +5760,7 @@ add_option (struct options *options, options->tcp_queue_limit = tcp_queue_limit; } #if PORT_SHARE - else if (streq (p[0], "port-share") && p[1] && p[2]) + else if (streq (p[0], "port-share") && p[1] && p[2] && !p[4]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->port_share_host = p[1]; @@ -5763,17 +5768,17 @@ add_option (struct options *options, options->port_share_journal_dir = p[3]; } #endif - else if (streq (p[0], "client-to-client")) + else if (streq (p[0], "client-to-client") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->enable_c2c = true; } - else if (streq (p[0], "duplicate-cn")) + else if (streq (p[0], "duplicate-cn") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->duplicate_cn = true; } - else if (streq (p[0], "iroute") && p[1]) + else if (streq (p[0], "iroute") && p[1] && !p[3]) { const char *netmask = NULL; @@ -5784,12 +5789,12 @@ add_option (struct options *options, } option_iroute (options, p[1], netmask, msglevel); } - else if (streq (p[0], "iroute-ipv6") && p[1]) + else if (streq (p[0], "iroute-ipv6") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_INSTANCE); option_iroute_ipv6 (options, p[1], msglevel); } - else if (streq (p[0], "ifconfig-push") && p[1] && p[2]) + else if (streq (p[0], "ifconfig-push") && p[1] && p[2] && !p[4]) { in_addr_t local, remote_netmask; @@ -5812,7 +5817,7 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2]) + else if (streq (p[0], "ifconfig-push-constraint") && p[1] && p[2] && !p[3]) { in_addr_t network, netmask; 
@@ -5831,7 +5836,7 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "ifconfig-ipv6-push") && p[1] ) + else if (streq (p[0], "ifconfig-ipv6-push") && p[1] && !p[3]) { struct in6_addr local, remote; unsigned int netbits; @@ -5868,17 +5873,17 @@ add_option (struct options *options, options->push_ifconfig_ipv6_netbits = netbits; options->push_ifconfig_ipv6_remote = remote; } - else if (streq (p[0], "disable")) + else if (streq (p[0], "disable") && !p[1]) { VERIFY_PERMISSION (OPT_P_INSTANCE); options->disable = true; } - else if (streq (p[0], "tcp-nodelay")) + else if (streq (p[0], "tcp-nodelay") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->server_flags |= SF_TCP_NODELAY_HELPER; } - else if (streq (p[0], "stale-routes-check") && p[1]) + else if (streq (p[0], "stale-routes-check") && p[1] && !p[3]) { int ageing_time, check_interval; @@ -5899,27 +5904,27 @@ add_option (struct options *options, } #endif /* P2MP_SERVER */ - else if (streq (p[0], "client")) + else if (streq (p[0], "client") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->client = true; } - else if (streq (p[0], "pull")) + else if (streq (p[0], "pull") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->pull = true; } - else if (streq (p[0], "push-continuation") && p[1]) + else if (streq (p[0], "push-continuation") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_PULL_MODE); options->push_continuation = atoi(p[1]); } - else if (streq (p[0], "server-poll-timeout") && p[1]) + else if (streq (p[0], "server-poll-timeout") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->server_poll_timeout = positive_atoi(p[1]); } - else if (streq (p[0], "auth-user-pass")) + else if (streq (p[0], "auth-user-pass") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (p[1]) 
@@ -5929,13 +5934,13 @@ add_option (struct options *options, else options->auth_user_pass_file = "stdin"; } - else if (streq (p[0], "auth-retry") && p[1]) + else if (streq (p[0], "auth-retry") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); auth_retry_set (msglevel, p[1]); } #ifdef ENABLE_CLIENT_CR - else if (streq (p[0], "static-challenge") && p[1] && p[2]) + else if (streq (p[0], "static-challenge") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->sc_info.challenge_text = p[1]; @@ -5945,7 +5950,7 @@ add_option (struct options *options, #endif #endif #ifdef WIN32 - else if (streq (p[0], "win-sys") && p[1]) + else if (streq (p[0], "win-sys") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], "env")) @@ -5955,7 +5960,7 @@ add_option (struct options *options, else set_win_sys_path (p[1], es); } - else if (streq (p[0], "route-method") && p[1]) + else if (streq (p[0], "route-method") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); if (streq (p[1], "adaptive")) @@ -5970,7 +5975,7 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "ip-win32") && p[1]) + else if (streq (p[0], "ip-win32") && p[1] && !p[4]) { const int index = ascii2ipset (p[1]); struct tuntap_options *to = &options->tuntap_options; @@ -6026,7 +6031,7 @@ add_option (struct options *options, } #endif #if defined(WIN32) || defined(TARGET_ANDROID) - else if (streq (p[0], "dhcp-option") && p[1]) + else if (streq (p[0], "dhcp-option") && p[1] && !p[3]) { struct tuntap_options *o = &options->tuntap_options; VERIFY_PERMISSION (OPT_P_IPWIN32); 
@@ -6066,38 +6071,38 @@ add_option (struct options *options, { dhcp_option_address_parse ("NBDD", p[2], o->nbdd, &o->nbdd_len, msglevel); } - else if (streq (p[1], "DISABLE-NBT")) + else if (streq (p[1], "DISABLE-NBT") && !p[2]) { o->disable_nbt = 1; } else { - msg (msglevel, "--dhcp-option: unknown option type '%s' or missing parameter", p[1]); + msg (msglevel, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p[1]); goto err; } o->dhcp_options = true; } #endif #ifdef WIN32 - else if (streq (p[0], "show-adapters")) + else if (streq (p[0], "show-adapters") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); show_tap_win_adapters (M_INFO|M_NOPREFIX, M_WARN|M_NOPREFIX); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "show-net")) + else if (streq (p[0], "show-net") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); show_routes (M_INFO|M_NOPREFIX); show_adapters (M_INFO|M_NOPREFIX); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "show-net-up")) + else if (streq (p[0], "show-net-up") && !p[1]) { VERIFY_PERMISSION (OPT_P_UP); options->show_net_up = true; } - else if (streq (p[0], "tap-sleep") && p[1]) + else if (streq (p[0], "tap-sleep") && p[1] && !p[2]) { int s; VERIFY_PERMISSION (OPT_P_IPWIN32); 
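Review bot: The reworded `--dhcp-option` error now says `missing or unknown parameter`, whereas the commit description says " or extra" was inserted into this message. The case that the new `&& !p[2]` on `DISABLE-NBT` introduces is an extra parameter, not an unknown one, so the text as written does not describe it. Suggest `"--dhcp-option: unknown option type '%s' or missing or extra parameter"`, which also matches the generic message at the end of add_option. The `dhcp-option` branch itself starts in the previous hunk.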
@@ -6109,22 +6114,22 @@ add_option (struct options *options, } options->tuntap_options.tap_sleep = s; } - else if (streq (p[0], "dhcp-renew")) + else if (streq (p[0], "dhcp-renew") && !p[1]) { VERIFY_PERMISSION (OPT_P_IPWIN32); options->tuntap_options.dhcp_renew = true; } - else if (streq (p[0], "dhcp-pre-release")) + else if (streq (p[0], "dhcp-pre-release") && !p[1]) { VERIFY_PERMISSION (OPT_P_IPWIN32); options->tuntap_options.dhcp_pre_release = true; } - else if (streq (p[0], "dhcp-release")) + else if (streq (p[0], "dhcp-release") && !p[1]) { VERIFY_PERMISSION (OPT_P_IPWIN32); options->tuntap_options.dhcp_release = true; } - else if (streq (p[0], "dhcp-internal") && p[1]) /* standalone method for internal use */ + else if (streq (p[0], "dhcp-internal") && p[1] && !p[2]) /* standalone method for internal use */ { unsigned int adapter_index; VERIFY_PERMISSION (OPT_P_GENERAL); @@ -6137,12 +6142,12 @@ add_option (struct options *options, dhcp_renew_by_adapter_index (adapter_index); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "register-dns")) + else if (streq (p[0], "register-dns") && !p[1]) { VERIFY_PERMISSION (OPT_P_IPWIN32); options->tuntap_options.register_dns = true; } - else if (streq (p[0], "rdns-internal")) + else if (streq (p[0], "rdns-internal") && !p[1]) /* standalone method for internal use * * (if --register-dns is set, openvpn needs to call itself in a 
@@ -6156,18 +6161,18 @@ add_option (struct options *options, ipconfig_register_dns (NULL); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "show-valid-subnets")) + else if (streq (p[0], "show-valid-subnets") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); show_valid_win32_tun_subnets (); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "pause-exit")) + else if (streq (p[0], "pause-exit") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); set_pause_exit_win32 (); } - else if (streq (p[0], "service") && p[1]) + else if (streq (p[0], "service") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->exit_event_name = p[1]; 
@@ -6176,52 +6181,52 @@ add_option (struct options *options, options->exit_event_initial_state = (atoi(p[2]) != 0); } } - else if (streq (p[0], "allow-nonadmin")) + else if (streq (p[0], "allow-nonadmin") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); tap_allow_nonadmin_access (p[1]); openvpn_exit (OPENVPN_EXIT_STATUS_GOOD); /* exit point */ } - else if (streq (p[0], "user") && p[1]) + else if (streq (p[0], "user") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); msg (M_WARN, "NOTE: --user option is not implemented on Windows"); } - else if (streq (p[0], "group") && p[1]) + else if (streq (p[0], "group") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); msg (M_WARN, "NOTE: --group option is not implemented on Windows"); } #else - else if (streq (p[0], "user") && p[1]) + else if (streq (p[0], "user") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->username = p[1]; } - else if (streq (p[0], "group") && p[1]) + else if (streq (p[0], "group") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->groupname = p[1]; } - else if (streq (p[0], "dhcp-option") && p[1]) + else if (streq (p[0], "dhcp-option") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_IPWIN32); foreign_option (options, p, 3, es); } - else if (streq (p[0], "route-method") && p[1]) /* ignore when pushed to non-Windows OS */ + else if (streq (p[0], "route-method") && p[1] && !p[2]) /* ignore when pushed to non-Windows OS */ { VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); } #endif #if PASSTOS_CAPABILITY - else if (streq (p[0], "passtos")) + else if (streq (p[0], "passtos") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->passtos = true; } #endif #if defined(USE_COMP) - else if (streq (p[0], "comp-lzo")) + else if (streq (p[0], "comp-lzo") && !p[2]) { VERIFY_PERMISSION (OPT_P_COMP); 
@@ -6258,12 +6263,12 @@ add_option (struct options *options, } #endif } - else if (streq (p[0], "comp-noadapt")) + else if (streq (p[0], "comp-noadapt") && !p[1]) { VERIFY_PERMISSION (OPT_P_COMP); options->comp.flags &= ~COMP_F_ADAPTIVE; } - else if (streq (p[0], "compress")) + else if (streq (p[0], "compress") && !p[2]) { VERIFY_PERMISSION (OPT_P_COMP); if (p[1]) @@ -6308,22 +6313,22 @@ add_option (struct options *options, } #endif /* USE_COMP */ #ifdef ENABLE_CRYPTO - else if (streq (p[0], "show-ciphers")) + else if (streq (p[0], "show-ciphers") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->show_ciphers = true; } - else if (streq (p[0], "show-digests")) + else if (streq (p[0], "show-digests") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->show_digests = true; } - else if (streq (p[0], "show-engines")) + else if (streq (p[0], "show-engines") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->show_engines = true; } - else if (streq (p[0], "key-direction") && p[1]) + else if (streq (p[0], "key-direction") && p[1] && !p[2]) { int key_direction; @@ -6333,7 +6338,7 @@ add_option (struct options *options, else goto err; } - else if (streq (p[0], "secret") && p[1]) + else if (streq (p[0], "secret") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], INLINE_FILE_TAG) && p[2]) @@ -6353,12 +6358,12 @@ add_option (struct options *options, } options->shared_secret_file = p[1]; } - else if (streq (p[0], "genkey")) + else if (streq (p[0], "genkey") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->genkey = true; } - else if (streq (p[0], "auth") && p[1]) + else if (streq (p[0], "auth") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_CRYPTO); options->authname_defined = true; 
@@ -6369,12 +6374,12 @@ add_option (struct options *options, options->authname = NULL; } } - else if (streq (p[0], "auth")) + else if (streq (p[0], "auth") && !p[1]) { VERIFY_PERMISSION (OPT_P_CRYPTO); options->authname_defined = true; } - else if (streq (p[0], "cipher") && p[1]) + else if (streq (p[0], "cipher") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_CRYPTO); options->ciphername_defined = true; @@ -6385,12 +6390,12 @@ add_option (struct options *options, options->ciphername = NULL; } } - else if (streq (p[0], "cipher")) + else if (streq (p[0], "cipher") && !p[1]) { VERIFY_PERMISSION (OPT_P_CRYPTO); options->ciphername_defined = true; } - else if (streq (p[0], "prng") && p[1]) + else if (streq (p[0], "prng") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_CRYPTO); if (streq (p[1], "none")) @@ -6412,12 +6417,12 @@ add_option (struct options *options, } } } - else if (streq (p[0], "no-replay")) + else if (streq (p[0], "no-replay") && !p[1]) { VERIFY_PERMISSION (OPT_P_CRYPTO); options->replay = false; } - else if (streq (p[0], "replay-window")) + else if (streq (p[0], "replay-window") && !p[3]) { VERIFY_PERMISSION (OPT_P_CRYPTO); if (p[1]) 
@@ -6457,28 +6462,28 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "mute-replay-warnings")) + else if (streq (p[0], "mute-replay-warnings") && !p[1]) { VERIFY_PERMISSION (OPT_P_CRYPTO); options->mute_replay_warnings = true; } - else if (streq (p[0], "no-iv")) + else if (streq (p[0], "no-iv") && !p[1]) { VERIFY_PERMISSION (OPT_P_CRYPTO); options->use_iv = false; } - else if (streq (p[0], "replay-persist") && p[1]) + else if (streq (p[0], "replay-persist") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->packet_id_file = p[1]; } - else if (streq (p[0], "test-crypto")) + else if (streq (p[0], "test-crypto") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->test_crypto = true; } #ifndef ENABLE_CRYPTO_POLARSSL - else if (streq (p[0], "engine")) + else if (streq (p[0], "engine") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (p[1]) @@ -6490,7 +6495,7 @@ add_option (struct options *options, } #endif /* ENABLE_CRYPTO_POLARSSL */ #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH - else if (streq (p[0], "keysize") && p[1]) + else if (streq (p[0], "keysize") && p[1] && !p[2]) { int keysize; 
@@ -6505,38 +6510,38 @@ add_option (struct options *options, } #endif #ifdef ENABLE_PREDICTION_RESISTANCE - else if (streq (p[0], "use-prediction-resistance")) + else if (streq (p[0], "use-prediction-resistance") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->use_prediction_resistance = true; } #endif - else if (streq (p[0], "show-tls")) + else if (streq (p[0], "show-tls") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->show_tls_ciphers = true; } - else if (streq (p[0], "show-curves")) + else if (streq (p[0], "show-curves") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->show_curves = true; } - else if (streq (p[0], "ecdh-curve") && p[1]) + else if (streq (p[0], "ecdh-curve") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_CRYPTO); options->ecdh_curve= p[1]; } - else if (streq (p[0], "tls-server")) + else if (streq (p[0], "tls-server") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->tls_server = true; } - else if (streq (p[0], "tls-client")) + else if (streq (p[0], "tls-client") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->tls_client = true; } - else if (streq (p[0], "ca") && p[1]) + else if (streq (p[0], "ca") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ca_file = p[1]; @@ -6546,13 +6551,13 @@ add_option (struct options *options, } } #ifndef ENABLE_CRYPTO_POLARSSL - else if (streq (p[0], "capath") && p[1]) + else if (streq (p[0], "capath") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->ca_path = p[1]; } #endif /* ENABLE_CRYPTO_POLARSSL */ - else if (streq (p[0], "dh") && p[1]) + else if (streq (p[0], "dh") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->dh_file = p[1]; 
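Review bot: The condition added for `ca`, `p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]`, is hard to read at a glance and is repeated verbatim for `dh` in this run and for `cert`, `extra-certs`, `key` and `pkcs12` in the following hunks. A small file-local predicate would state the rule once and keep the six branches in step, e.g. `static bool file_or_inline_arg (char *p[]) { return p[1] && !p[3] && (!p[2] || streq (p[1], INLINE_FILE_TAG)); }`. That expression is equivalent to the one in the patch. Both forms still accept the inline tag with nothing in p[2], in which case the tag itself is stored as the file name; if that is not intended, the predicate is the place to reject it.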
@@ -6561,7 +6566,7 @@ add_option (struct options *options, options->dh_file_inline = p[2]; } } - else if (streq (p[0], "cert") && p[1]) + else if (streq (p[0], "cert") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->cert_file = p[1]; @@ -6570,7 +6575,7 @@ add_option (struct options *options, options->cert_file_inline = p[2]; } } - else if (streq (p[0], "extra-certs") && p[1]) + else if (streq (p[0], "extra-certs") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->extra_certs_file = p[1]; @@ -6579,19 +6584,19 @@ add_option (struct options *options, options->extra_certs_file_inline = p[2]; } } - else if (streq (p[0], "verify-hash") && p[1]) + else if (streq (p[0], "verify-hash") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc); } #ifdef ENABLE_CRYPTOAPI - else if (streq (p[0], "cryptoapicert") && p[1]) + else if (streq (p[0], "cryptoapicert") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->cryptoapi_cert = p[1]; } #endif - else if (streq (p[0], "key") && p[1]) + else if (streq (p[0], "key") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->priv_key_file = p[1]; @@ -6600,7 +6605,7 @@ add_option (struct options *options, options->priv_key_file_inline = p[2]; } } - else if (streq (p[0], "tls-version-min") && p[1]) + else if (streq (p[0], "tls-version-min") && p[1] && !p[3]) { int ver; VERIFY_PERMISSION (OPT_P_GENERAL); @@ -6614,7 +6619,7 @@ add_option (struct options *options, ~(SSLF_TLS_VERSION_MIN_MASK << SSLF_TLS_VERSION_MIN_SHIFT); options->ssl_flags |= (ver << SSLF_TLS_VERSION_MIN_SHIFT); } - else if (streq (p[0], "tls-version-max") && p[1]) + else if (streq (p[0], "tls-version-max") && p[1] && !p[2]) { int ver; VERIFY_PERMISSION (OPT_P_GENERAL); 
@@ -6629,7 +6634,7 @@ add_option (struct options *options, options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT); } #ifndef ENABLE_CRYPTO_POLARSSL - else if (streq (p[0], "pkcs12") && p[1]) + else if (streq (p[0], "pkcs12") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->pkcs12_file = p[1]; @@ -6639,7 +6644,7 @@ add_option (struct options *options, } } #endif /* ENABLE_CRYPTO_POLARSSL */ - else if (streq (p[0], "askpass")) + else if (streq (p[0], "askpass") && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (p[1]) @@ -6649,12 +6654,12 @@ add_option (struct options *options, else options->key_pass_file = "stdin"; } - else if (streq (p[0], "auth-nocache")) + else if (streq (p[0], "auth-nocache") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); ssl_set_auth_nocache (); } - else if (streq (p[0], "auth-token") && p[1]) + else if (streq (p[0], "auth-token") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_ECHO); ssl_set_auth_token(p[1]); 
@@ -6663,29 +6668,29 @@ add_option (struct options *options, management_auth_token (management, p[1]); #endif } - else if (streq (p[0], "single-session")) + else if (streq (p[0], "single-session") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->single_session = true; } #ifdef ENABLE_PUSH_PEER_INFO - else if (streq (p[0], "push-peer-info")) + else if (streq (p[0], "push-peer-info") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->push_peer_info = true; } #endif - else if (streq (p[0], "tls-exit")) + else if (streq (p[0], "tls-exit") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->tls_exit = true; } - else if (streq (p[0], "tls-cipher") && p[1]) + else if (streq (p[0], "tls-cipher") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->cipher_list = p[1]; } - else if (streq (p[0], "crl-verify") && p[1]) + else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2]) && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (p[2] && streq(p[2], "dir")) @@ -6702,13 +6707,17 @@ add_option (struct options *options, "tls-verify", true); } #ifndef ENABLE_CRYPTO_POLARSSL - else if (streq (p[0], "tls-export-cert") && p[1]) + else if (streq (p[0], "tls-export-cert") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->tls_export_cert = p[1]; } #endif - else if (streq (p[0], "compat-names")) +#if P2MP_SERVER + else if (streq (p[0], "compat-names") && ((p[1] && streq (p[1], "no-remapping")) || !p[1]) && !p[2]) +#else + else if (streq (p[0], "compat-names") && !p[1]) +#endif { VERIFY_PERMISSION (OPT_P_GENERAL); if (options->verify_x509_type != VERIFY_X509_NONE && @@ -6724,7 +6733,7 @@ add_option (struct options *options, if (p[1] && streq (p[1], "no-remapping")) compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); } - else if (streq (p[0], "no-name-remapping")) + else if (streq (p[0], "no-name-remapping") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (options->verify_x509_type != VERIFY_X509_NONE && 
@@ -6739,7 +6748,7 @@ add_option (struct options *options, compat_flag (COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING); #endif } - else if (streq (p[0], "tls-remote") && p[1]) + else if (streq (p[0], "tls-remote") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); @@ -6770,7 +6779,7 @@ add_option (struct options *options, options->verify_x509_name = p[1]; } } - else if (streq (p[0], "verify-x509-name") && p[1] && strlen (p[1])) + else if (streq (p[0], "verify-x509-name") && p[1] && strlen (p[1]) && !p[3]) { int type = VERIFY_X509_SUBJECT_DN; VERIFY_PERMISSION (OPT_P_GENERAL); @@ -6803,7 +6812,7 @@ add_option (struct options *options, options->verify_x509_type = type; options->verify_x509_name = p[1]; } - else if (streq (p[0], "ns-cert-type") && p[1]) + else if (streq (p[0], "ns-cert-type") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], "server")) @@ -6825,12 +6834,12 @@ add_option (struct options *options, for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) sscanf (p[j], "%x", &(options->remote_cert_ku[j-1])); } - else if (streq (p[0], "remote-cert-eku") && p[1]) + else if (streq (p[0], "remote-cert-eku") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->remote_cert_eku = p[1]; } - else if (streq (p[0], "remote-cert-tls") && p[1]) + else if (streq (p[0], "remote-cert-tls") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); 
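Review bot: The loop kept as context above the `remote-cert-eku` change, `sscanf (p[j], "%x", &(options->remote_cert_ku[j-1]));`, ignores the conversion result, so a parameter that is not valid hex leaves its slot untouched and the configuration is accepted without complaint. For what is presumably the list of key-usage values checked on the peer certificate, a typo should fail the option rather than quietly change the check. Test the return value and bail out, e.g. `if (sscanf (p[j], "%x", &(options->remote_cert_ku[j-1])) != 1) goto err;`, preceded by a message naming the bad value. The loop is bounded by MAX_PARMS; whether `remote_cert_ku` holds at least MAX_PARMS-1 entries is not visible here and is worth confirming. The branch header is outside the hunk.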
@@ -6853,37 +6862,37 @@ add_option (struct options *options, goto err; } } - else if (streq (p[0], "tls-timeout") && p[1]) + else if (streq (p[0], "tls-timeout") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->tls_timeout = positive_atoi (p[1]); } - else if (streq (p[0], "reneg-bytes") && p[1]) + else if (streq (p[0], "reneg-bytes") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->renegotiate_bytes = positive_atoi (p[1]); } - else if (streq (p[0], "reneg-pkts") && p[1]) + else if (streq (p[0], "reneg-pkts") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->renegotiate_packets = positive_atoi (p[1]); } - else if (streq (p[0], "reneg-sec") && p[1]) + else if (streq (p[0], "reneg-sec") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->renegotiate_seconds = positive_atoi (p[1]); } - else if (streq (p[0], "hand-window") && p[1]) + else if (streq (p[0], "hand-window") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->handshake_window = positive_atoi (p[1]); } - else if (streq (p[0], "tran-window") && p[1]) + else if (streq (p[0], "tran-window") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_TLS_PARMS); options->transition_window = positive_atoi (p[1]); } - else if (streq (p[0], "tls-auth") && p[1]) + else if (streq (p[0], "tls-auth") && p[1] && !p[3]) { VERIFY_PERMISSION (OPT_P_GENERAL); if (streq (p[1], INLINE_FILE_TAG) && p[2]) @@ -6903,7 +6912,7 @@ add_option (struct options *options, } options->tls_auth_file = p[1]; } - else if (streq (p[0], "key-method") && p[1]) + else if (streq (p[0], "key-method") && p[1] && !p[2]) { int key_method; 
@@ -6920,7 +6929,7 @@ add_option (struct options *options, options->key_method = key_method; } #ifdef ENABLE_X509ALTUSERNAME - else if (streq (p[0], "x509-username-field") && p[1]) + else if (streq (p[0], "x509-username-field") && p[1] && !p[2]) { /* This option used to automatically upcase the fieldname passed as the * option argument, e.g., "ou" became "OU". Now, this "helpfulness" is @@ -6949,7 +6958,7 @@ add_option (struct options *options, #endif /* ENABLE_X509ALTUSERNAME */ #endif /* ENABLE_CRYPTO */ #ifdef ENABLE_PKCS11 - else if (streq (p[0], "show-pkcs11-ids")) + else if (streq (p[0], "show-pkcs11-ids") && !p[3]) { char *provider = p[1]; bool cert_private = (p[2] == NULL ? false : ( atoi (p[2]) != 0 )); @@ -7019,35 +7028,35 @@ add_option (struct options *options, for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) options->pkcs11_cert_private[j-1] = atoi (p[j]) != 0 ? 1 : 0; } - else if (streq (p[0], "pkcs11-pin-cache") && p[1]) + else if (streq (p[0], "pkcs11-pin-cache") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->pkcs11_pin_cache_period = atoi (p[1]); } - else if (streq (p[0], "pkcs11-id") && p[1]) + else if (streq (p[0], "pkcs11-id") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->pkcs11_id = p[1]; } - else if (streq (p[0], "pkcs11-id-management")) + else if (streq (p[0], "pkcs11-id-management") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->pkcs11_id_management = true; } #endif - else if (streq (p[0], "rmtun")) + else if (streq (p[0], "rmtun") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->persist_config = true; options->persist_mode = 0; } - else if (streq (p[0], "mktun")) + else if (streq (p[0], "mktun") && !p[1]) { VERIFY_PERMISSION (OPT_P_GENERAL); options->persist_config = true; options->persist_mode = 1; } - else if (streq (p[0], "peer-id") && p[1]) + else if (streq (p[0], "peer-id") && p[1] && !p[2]) { VERIFY_PERMISSION (OPT_P_PEER_ID); options->use_peer_id = true; 
@@ -7068,9 +7077,9 @@ add_option (struct options *options, } } if (file) - msg (msglevel, "Unrecognized option or missing parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION); + msg (msglevel, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file, line, p[0], PACKAGE_VERSION); else - msg (msglevel, "Unrecognized option or missing parameter(s): --%s (%s)", p[0], PACKAGE_VERSION); + msg (msglevel, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p[0], PACKAGE_VERSION); } err: gc_free (&gc); |