diff options
| author | Gert Doering | 2018-11-30 14:56:41 +0100 |
|---|---|---|
| committer | David Sommerseth | 2018-12-12 13:43:17 +0100 |
| commit | f57431cdc88f22fa4d7962946f0d3187fe058539 (patch) | |
| tree | 6e606561672de812959563f555c591479d406e81 /src | |
| parent | a7b5993d9d6319c77d80212db61c74060cd7e7f1 (diff) | |
| download | openvpn-f57431cdc88f22fa4d7962946f0d3187fe058539.zip openvpn-f57431cdc88f22fa4d7962946f0d3187fe058539.tar.gz | |
uncrustify openvpn/ sources
There are an amazing number of brackets that were either
totally missing, or have snuck up on the "for(...){"
line. Further, uncrustify wants "|" in multi-line
logical expressions now at the beginning of the new
line, and "PRIi64" now gets surrounding spaces.
Added "sp_after_semi_for_empty=Add" to uncrustify.conf
to leave a few for() statements alone that look better
the way they are.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20181130135641.11533-3-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17970.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Diffstat (limited to 'src')
52 files changed, 240 insertions, 204 deletions
diff --git a/src/openvpn/block_dns.h b/src/openvpn/block_dns.h index 50b383f..f9b1e5d 100644 --- a/src/openvpn/block_dns.h +++ b/src/openvpn/block_dns.h @@ -65,5 +65,5 @@ DWORD set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family, const ULONG metric); -#endif -#endif +#endif /* ifndef OPENVPN_BLOCK_DNS_H */ +#endif /* ifdef _WIN32 */ diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index 27c7527..2aae5c4 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -312,7 +312,7 @@ openvpn_snprintf(char *str, size_t size, const char *format, ...) /* * openvpn_swprintf() is currently only used by Windows code paths - * and when enabled for all platforms it will currently break older + * and when enabled for all platforms it will currently break older * OpenBSD versions lacking vswprintf(3) support in their libc. */ @@ -474,7 +474,7 @@ x_gc_freespecial(struct gc_arena *a) } void -gc_addspecial(void *addr, void(free_function)(void *), struct gc_arena *a) +gc_addspecial(void *addr, void (free_function)(void *), struct gc_arena *a) { ASSERT(a); struct gc_entry_special *e; diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h index d402d05..a4fe6f9 100644 --- a/src/openvpn/buffer.h +++ b/src/openvpn/buffer.h @@ -458,6 +458,7 @@ __attribute__ ((format(__printf__, 3, 4))) */ bool openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...); + /* * Unlike in openvpn_snprintf, we cannot use format attributes since * GCC doesn't support wprintf as archetype. diff --git a/src/openvpn/console.h b/src/openvpn/console.h index 5a70e5f..0ffd668 100644 --- a/src/openvpn/console.h +++ b/src/openvpn/console.h @@ -21,7 +21,7 @@ * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -*/ + */ #ifndef CONSOLE_H #define CONSOLE_H diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index e9bf22b..df6f36c 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -920,10 +920,12 @@ key_is_zero(struct key *key, const struct key_type *kt) { int i; for (i = 0; i < kt->cipher_length; ++i) + { if (key->cipher[i]) { return false; } + } msg(D_CRYPT_ERRORS, "CRYPTO INFO: WARNING: zero key detected"); return true; } @@ -1270,7 +1272,9 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags) { in = buffer_read_from_file(file, &gc); if (!buf_valid(&in)) + { msg(M_FATAL, "Read error on key file ('%s')", file); + } size = in.len; } @@ -1462,7 +1466,7 @@ write_key_file(const int nkeys, const char *filename) buf_printf(&out, "%s\n", static_key_foot); /* write key file, now formatted in out, to file */ - if(!buffer_write_file(filename, &out)) + if (!buffer_write_file(filename, &out)) { nbits = -1; } @@ -1692,7 +1696,9 @@ prng_reset_nonce(void) { int i; for (i = 0; i < size; ++i) + { nonce_data[i] = (uint8_t) i; + } } #endif } @@ -1773,7 +1779,7 @@ void print_cipher(const cipher_kt_t *cipher) { const char *var_key_size = cipher_kt_var_key_size(cipher) ? - " by default" : ""; + " by default" : ""; printf("%s (%d bit key%s, ", translate_cipher_name_to_openvpn(cipher_kt_name(cipher)), diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 96ba858..1edde2e 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -318,7 +318,7 @@ void free_key_ctx(struct key_ctx *ctx); void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, - const char *name); + const char *name); void free_key_ctx_bi(struct key_ctx_bi *ctx); @@ -504,7 +504,8 @@ memcmp_constant_time(const void *a, const void *b, size_t size) int ret = 0; size_t i; - for (i = 0; i < size; i++) { + for (i = 0; i < size; i++) + { ret |= *a1++ ^ *b1++; } diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 38b2c17..a04e01f 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -51,7 +51,7 @@ typedef enum { MD_SHA1, MD_SHA256 -} hash_algo_type ; +} hash_algo_type; /** Struct used in cipher name translation table */ typedef struct { diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 77e84c3..2e93144 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -233,8 +233,8 @@ crypto_pem_encode(const char *name, struct buffer *dst, size_t out_len = 0; if (MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL != - mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src), - NULL, 0, &out_len)) + mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src), + NULL, 0, &out_len)) { return false; } @@ -858,7 +858,8 @@ md_ctx_new(void) return ctx; } -void md_ctx_free(mbedtls_md_context_t *ctx) +void +md_ctx_free(mbedtls_md_context_t *ctx) { free(ctx); } diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h index 81b542b..c4b13b7 100644 --- a/src/openvpn/crypto_mbedtls.h +++ b/src/openvpn/crypto_mbedtls.h @@ -146,7 +146,8 @@ mbed_log_func_line_lite(unsigned int flags, int errval, #define mbed_ok(errval) \ mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__) -static inline bool cipher_kt_var_key_size(const cipher_kt_t *cipher) +static inline bool +cipher_kt_var_key_size(const cipher_kt_t *cipher) { return cipher->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN; } diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 0bff1a2..9691ce0 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -202,12 +202,12 @@ crypto_print_openssl_errors(const unsigned int flags) else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL) { msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically " - "indicates that client and server have no common TLS version enabled. " - "This can be caused by mismatched tls-version-min and tls-version-max " - "options on client and server. " - "If your OpenVPN client is between v2.3.6 and v2.3.2 try adding " - "tls-version-min 1.0 to the client configuration to use TLS 1.0+ " - "instead of TLS 1.0 only"); + "indicates that client and server have no common TLS version enabled. " + "This can be caused by mismatched tls-version-min and tls-version-max " + "options on client and server. " + "If your OpenVPN client is between v2.3.6 and v2.3.2 try adding " + "tls-version-min 1.0 to the client configuration to use TLS 1.0+ " + "instead of TLS 1.0 only"); } msg(flags, "OpenSSL: %s", ERR_error_string(err, NULL)); } @@ -315,7 +315,8 @@ show_available_ciphers(void) qsort(cipher_list, num_ciphers, sizeof(*cipher_list), cipher_name_cmp); - for (i = 0; i < num_ciphers; i++) { + for (i = 0; i < num_ciphers; i++) + { if (!cipher_kt_insecure(cipher_list[i])) { print_cipher(cipher_list[i]); @@ -324,7 +325,8 @@ show_available_ciphers(void) printf("\nThe following ciphers have a block size of less than 128 bits, \n" "and are therefore deprecated. Do not use unless you have to.\n\n"); - for (i = 0; i < num_ciphers; i++) { + for (i = 0; i < num_ciphers; i++) + { if (cipher_kt_insecure(cipher_list[i])) { print_cipher(cipher_list[i]); @@ -405,7 +407,7 @@ crypto_pem_encode(const char *name, struct buffer *dst, cleanup: if (!BIO_free(bio)) { - ret = false;; + ret = false; } return ret; @@ -458,7 +460,7 @@ cleanup: OPENSSL_free(data_read); if (!BIO_free(bio)) { - ret = false;; + ret = false; } return ret; @@ -688,7 +690,7 @@ cipher_kt_insecure(const EVP_CIPHER *cipher) #ifdef NID_chacha20_poly1305 || EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305 #endif - ); + ); } int @@ -729,13 +731,13 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher) { switch (EVP_CIPHER_nid(cipher)) { - case NID_aes_128_gcm: - case NID_aes_192_gcm: - case NID_aes_256_gcm: + case NID_aes_128_gcm: + case NID_aes_192_gcm: + case NID_aes_256_gcm: #ifdef NID_chacha20_poly1305 - case NID_chacha20_poly1305: + case NID_chacha20_poly1305: #endif - return true; + return true; } } #endif @@ -962,7 +964,8 @@ md_ctx_new(void) return ctx; } -void md_ctx_free(EVP_MD_CTX *ctx) +void +md_ctx_free(EVP_MD_CTX *ctx) { EVP_MD_CTX_free(ctx); } diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 1ea3e85..6475448 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -101,7 +101,8 @@ void crypto_print_openssl_errors(const unsigned int flags); msg((flags), __VA_ARGS__); \ } while (false) -static inline bool cipher_kt_var_key_size(const cipher_kt_t *cipher) +static inline bool +cipher_kt_var_key_size(const cipher_kt_t *cipher) { return EVP_CIPHER_flags(cipher) & EVP_CIPH_VARIABLE_LENGTH; } diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index fa057cb..9687d8c 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -159,7 +159,8 @@ ms_error_text(DWORD ms_err) /* trim to the left */ if (rv) { - for (p = rv + strlen(rv) - 1; p >= rv; p--) { + for (p = rv + strlen(rv) - 1; p >= rv; p--) + { if (isspace(*p)) { *p = '\0'; @@ -198,7 +199,8 @@ err_put_ms_error(DWORD ms_err, int func, const char *file, int line) } /* since MS error codes are 32 bit, and the ones in the ERR_... system is * only 12, we must have a mapping table between them. */ - for (i = 0; i < ERR_MAP_SZ; i++) { + for (i = 0; i < ERR_MAP_SZ; i++) + { if (err_map[i].ms_err == ms_err) { ERR_PUT_error(ERR_LIB_CRYPTOAPI, func, err_map[i].err, file, line); @@ -267,8 +269,8 @@ priv_enc_CNG(const CAPI_DATA *cd, const wchar_t *hash_algo, const unsigned char BCRYPT_PKCS1_PADDING_INFO padinfo = {hash_algo}; DWORD status; - status = NCryptSignHash(hkey, padding? &padinfo : NULL, (BYTE*) from, flen, - to, tlen, &len, padding? BCRYPT_PAD_PKCS1 : 0); + status = NCryptSignHash(hkey, padding ? &padinfo : NULL, (BYTE *) from, flen, + to, tlen, &len, padding ? BCRYPT_PAD_PKCS1 : 0); if (status != ERROR_SUCCESS) { SetLastError(status); @@ -375,7 +377,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i */ static int rsa_sign_CNG(int type, const unsigned char *m, unsigned int m_len, - unsigned char *sig, unsigned int *siglen, const RSA *rsa) + unsigned char *sig, unsigned int *siglen, const RSA *rsa) { CAPI_DATA *cd = (CAPI_DATA *) RSA_meth_get0_app_data(RSA_get_method(rsa)); const wchar_t *alg = NULL; @@ -419,6 +421,7 @@ rsa_sign_CNG(int type, const unsigned char *m, unsigned int m_len, /* No DigestInfo header is required -- set alg-name to NULL */ alg = NULL; break; + default: msg(M_WARN, "cryptoapicert: Unknown hash type NID=0x%x", type); RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE); @@ -459,7 +462,7 @@ finish(RSA *rsa) return 0; } CAPI_DATA_free(cd); - RSA_meth_free((RSA_METHOD*) rsa_meth); + RSA_meth_free((RSA_METHOD *) rsa_meth); return 1; } @@ -586,7 +589,7 @@ ssl_ctx_set_eckey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey) if (cd->key_spec != CERT_NCRYPT_KEY_SPEC) { msg(M_NONFATAL, "ERROR: cryptoapicert with only legacy private key handle available." - " EC certificate not supported."); + " EC certificate not supported."); goto err; } /* create a method struct with default callbacks filled in */ @@ -686,7 +689,8 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) /* skip the tag */ cert_prop += 6; - for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) { + for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) + { if (*p >= '0' && *p <= '9') { x = (*p - '0') << 4; @@ -739,7 +743,7 @@ ssl_ctx_set_rsakey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey) bool rsa_method_set = false; my_rsa_method = RSA_meth_new("Microsoft Cryptography API RSA Method", - RSA_METHOD_FLAG_NO_CHECK); + RSA_METHOD_FLAG_NO_CHECK); check_malloc_return(my_rsa_method); RSA_meth_set_pub_enc(my_rsa_method, rsa_pub_enc); RSA_meth_set_pub_dec(my_rsa_method, rsa_pub_dec); @@ -797,7 +801,7 @@ ssl_ctx_set_rsakey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey) goto err; } /* SSL_CTX_use_RSAPrivateKey() increased the reference count in 'rsa', so - * we decrease it here with RSA_free(), or it will never be cleaned up. */ + * we decrease it here with RSA_free(), or it will never be cleaned up. */ RSA_free(rsa); return 1; @@ -867,7 +871,7 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) DWORD flags = CRYPT_ACQUIRE_COMPARE_KEY_FLAG | CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG; if (!CryptAcquireCertificatePrivateKey(cd->cert_context, flags, NULL, - &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov)) + &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov)) { /* if we don't have a smart card reader here, and we try to access a * smart card certificate, we get: diff --git a/src/openvpn/env_set.c b/src/openvpn/env_set.c index e7fb2d8..0ab0262 100644 --- a/src/openvpn/env_set.c +++ b/src/openvpn/env_set.c @@ -277,7 +277,7 @@ void setenv_long_long(struct env_set *es, const char *name, long long value) { char buf[64]; - openvpn_snprintf(buf, sizeof(buf), "%"PRIi64, (int64_t)value); + openvpn_snprintf(buf, sizeof(buf), "%" PRIi64, (int64_t)value); setenv_str(es, name, buf); } diff --git a/src/openvpn/env_set.h b/src/openvpn/env_set.h index 5dc3348..cf8415c 100644 --- a/src/openvpn/env_set.h +++ b/src/openvpn/env_set.h @@ -94,13 +94,15 @@ void env_set_print(int msglevel, const struct env_set *es); void env_set_inherit(struct env_set *es, const struct env_set *src); /* returns true if environmental variable name starts with 'password' */ -static inline bool is_password_env_var(const char *str) +static inline bool +is_password_env_var(const char *str) { return (strncmp(str, "password", 8) == 0); } /* returns true if environmental variable safe to print to log */ -static inline bool env_safe_to_print(const char *str) +static inline bool +env_safe_to_print(const char *str) { #ifndef UNSAFE_DEBUG if (is_password_env_var(str)) diff --git a/src/openvpn/error.c b/src/openvpn/error.c index 5129468..b2492f2 100644 --- a/src/openvpn/error.c +++ b/src/openvpn/error.c @@ -343,7 +343,7 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist) struct timeval tv; gettimeofday(&tv, NULL); - fprintf(fp, "%"PRIi64".%06ld %x %s%s%s%s", + fprintf(fp, "%" PRIi64 ".%06ld %x %s%s%s%s", (int64_t)tv.tv_sec, (long)tv.tv_usec, flags, diff --git a/src/openvpn/event.c b/src/openvpn/event.c index 3727690..49dfa86 100644 --- a/src/openvpn/event.c +++ b/src/openvpn/event.c @@ -1041,7 +1041,7 @@ se_wait_fast(struct event_set *es, const struct timeval *tv, struct event_set_re struct timeval tv_tmp = *tv; int stat; - dmsg(D_EVENT_WAIT, "SE_WAIT_FAST maxfd=%d tv=%"PRIi64"/%ld", + dmsg(D_EVENT_WAIT, "SE_WAIT_FAST maxfd=%d tv=%" PRIi64 "/%ld", ses->maxfd, (int64_t)tv_tmp.tv_sec, (long)tv_tmp.tv_usec); @@ -1065,7 +1065,7 @@ se_wait_scalable(struct event_set *es, const struct timeval *tv, struct event_se fd_set write = ses->writefds; int stat; - dmsg(D_EVENT_WAIT, "SE_WAIT_SCALEABLE maxfd=%d tv=%"PRIi64"/%ld", + dmsg(D_EVENT_WAIT, "SE_WAIT_SCALEABLE maxfd=%d tv=%" PRIi64 "/%ld", ses->maxfd, (int64_t)tv_tmp.tv_sec, (long)tv_tmp.tv_usec); stat = select(ses->maxfd + 1, &read, &write, NULL, &tv_tmp); diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index ba0797f..0a90fff 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -757,7 +757,7 @@ static void process_coarse_timers(struct context *c) { /* flush current packet-id to file once per 60 - * seconds if --replay-persist was specified */ + * seconds if --replay-persist was specified */ check_packet_id_persist_flush(c); /* should we update status file? */ @@ -836,7 +836,7 @@ check_coarse_timers_dowork(struct context *c) process_coarse_timers(c); c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec; - dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %"PRIi64" seconds", (int64_t)c->c2.timeval.tv_sec); + dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec); /* Is the coarse timeout NOT the earliest one? */ if (c->c2.timeval.tv_sec > save.tv_sec) diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index a791308..f97b0e2 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -80,10 +80,12 @@ void check_incoming_control_channel_dowork(struct context *c); void check_scheduled_exit_dowork(struct context *c); void check_push_request_dowork(struct context *c); + #endif /* P2MP */ #ifdef ENABLE_FRAGMENT void check_fragment_dowork(struct context *c); + #endif /* ENABLE_FRAGMENT */ void check_connection_established_dowork(struct context *c); diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d24634c..560d87d 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1077,13 +1077,13 @@ do_genkey(const struct options *options) } if (options->tls_crypt_v2_genkey_type) { - if(!strcmp(options->tls_crypt_v2_genkey_type, "server")) + if (!strcmp(options->tls_crypt_v2_genkey_type, "server")) { tls_crypt_v2_write_server_key_file(options->tls_crypt_v2_genkey_file); return true; } if (options->tls_crypt_v2_genkey_type - && !strcmp(options->tls_crypt_v2_genkey_type, "client")) + && !strcmp(options->tls_crypt_v2_genkey_type, "client")) { if (!options->tls_crypt_v2_file) { @@ -1091,8 +1091,8 @@ do_genkey(const struct options *options) } tls_crypt_v2_write_client_key_file(options->tls_crypt_v2_genkey_file, - options->tls_crypt_v2_metadata, options->tls_crypt_v2_file, - options->tls_crypt_v2_inline); + options->tls_crypt_v2_metadata, options->tls_crypt_v2_file, + options->tls_crypt_v2_inline); return true; } @@ -2568,8 +2568,8 @@ do_init_tls_wrap_key(struct context *c) if (!streq(options->authname, "none")) { c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname); - c->c1.ks.tls_auth_key_type.hmac_length = - md_kt_size(c->c1.ks.tls_auth_key_type.digest); + c->c1.ks.tls_auth_key_type.hmac_length = + md_kt_size(c->c1.ks.tls_auth_key_type.digest); } else { @@ -2653,7 +2653,7 @@ do_init_crypto_tls_c1(struct context *c) return; #else /* if P2MP */ msg(M_FATAL, "Error: private key password verification failed"); -#endif +#endif /* if P2MP */ } /* Get cipher & hash algorithms */ @@ -2761,15 +2761,15 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) { /* Add 10% jitter to reneg-sec by default (server side only) */ int auto_jitter = options->mode != MODE_SERVER ? 0 : - get_random() % max_int(options->renegotiate_seconds / 10, 1); + get_random() % max_int(options->renegotiate_seconds / 10, 1); to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter; } else { /* Add user-specified jitter to reneg-sec */ - to.renegotiate_seconds = options->renegotiate_seconds - - (get_random() % max_int(options->renegotiate_seconds - - options->renegotiate_seconds_min, 1)); + to.renegotiate_seconds = options->renegotiate_seconds + -(get_random() % max_int(options->renegotiate_seconds + - options->renegotiate_seconds_min, 1)); } to.single_session = options->single_session; to.mode = options->mode; diff --git a/src/openvpn/integer.h b/src/openvpn/integer.h index b1ae0ed..3755f43 100644 --- a/src/openvpn/integer.h +++ b/src/openvpn/integer.h @@ -28,12 +28,12 @@ #ifndef htonll #define htonll(x) ((1==htonl(1)) ? (x) : \ - ((uint64_t)htonl((x) & 0xFFFFFFFF) << 32) | htonl((x) >> 32)) + ((uint64_t)htonl((x) & 0xFFFFFFFF) << 32) | htonl((x) >> 32)) #endif #ifndef ntohll #define ntohll(x) ((1==ntohl(1)) ? (x) : \ - ((uint64_t)ntohl((x) & 0xFFFFFFFF) << 32) | ntohl((x) >> 32)) + ((uint64_t)ntohl((x) & 0xFFFFFFFF) << 32) | ntohl((x) >> 32)) #endif /* diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 8b633f2..2d86dad 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -3640,7 +3640,7 @@ management_query_multiline_flatten(struct management *man, char * /* returns allocated base64 signature */ management_query_pk_sig(struct management *man, - const char *b64_data) + const char *b64_data) { const char *prompt = "PK_SIGN"; const char *desc = "pk-sign"; @@ -3650,7 +3650,7 @@ management_query_pk_sig(struct management *man, desc = "rsa-sign"; } return management_query_multiline_flatten(man, b64_data, prompt, desc, - &man->connection.ext_key_state, &man->connection.ext_key_input); + &man->connection.ext_key_state, &man->connection.ext_key_input); } char * diff --git a/src/openvpn/mss.c b/src/openvpn/mss.c index facdf7b..b0e2c42 100644 --- a/src/openvpn/mss.c +++ b/src/openvpn/mss.c @@ -150,7 +150,7 @@ mss_fixup_dowork(struct buffer *buf, uint16_t maxmss) if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr)) { - return; + return; } verify_align_4(buf); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index d327893..55c167b 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2394,7 +2394,7 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL); #ifdef MULTI_DEBUG_EVENT_LOOP - printf("POST %s[%d] to=%d lo=%d/%d w=%"PRIi64"/%ld\n", + printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n", id(mi), (int) (mi == m->pending), mi ? mi->context.c2.to_tun.len : -1, diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index 3d3d687..7216865 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -537,6 +537,7 @@ clear_prefix(void) #define MULTI_CACHE_ROUTE_TTL 60 void multi_reap_process_dowork(const struct multi_context *m); + void multi_process_per_second_timers_dowork(struct multi_context *m); static inline void diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 077fa3e..e370748 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -314,8 +314,8 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, * byte order on the wire for the NTLM header is LE. */ const size_t hoff = 0x14; - unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8) | - (buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24); + unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8) + |(buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24); if ((flags & 0x00800000) == 0x00800000) { tib_len = buf2[0x28]; /* Get Target Information block size */ diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index 9560b29..a4072b9 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -193,8 +193,8 @@ X509_get0_pubkey(const X509 *x) * @param store X509 object store * @return the X509 object stack */ -static inline STACK_OF(X509_OBJECT) * -X509_STORE_get0_objects(X509_STORE *store) +static inline STACK_OF(X509_OBJECT) +*X509_STORE_get0_objects(X509_STORE *store) { return store ? store->objs : NULL; } @@ -369,7 +369,7 @@ RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) return 1; } -#endif +#endif /* if !defined(HAVE_RSA_SET0_KEY) */ #if !defined(HAVE_RSA_BITS) /** @@ -483,9 +483,9 @@ RSA_meth_free(RSA_METHOD *meth) */ static inline int RSA_meth_set_pub_enc(RSA_METHOD *meth, - int (*pub_enc) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) + int (*pub_enc)(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, + int padding)) { if (meth) { @@ -506,9 +506,9 @@ RSA_meth_set_pub_enc(RSA_METHOD *meth, */ static inline int RSA_meth_set_pub_dec(RSA_METHOD *meth, - int (*pub_dec) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) + int (*pub_dec)(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, + int padding)) { if (meth) { @@ -529,9 +529,9 @@ RSA_meth_set_pub_dec(RSA_METHOD *meth, */ static inline int RSA_meth_set_priv_enc(RSA_METHOD *meth, - int (*priv_enc) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) + int (*priv_enc)(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, + int padding)) { if (meth) { @@ -552,9 +552,9 @@ RSA_meth_set_priv_enc(RSA_METHOD *meth, */ static inline int RSA_meth_set_priv_dec(RSA_METHOD *meth, - int (*priv_dec) (int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, - int padding)) + int (*priv_dec)(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, + int padding)) { if (meth) { @@ -574,7 +574,7 @@ RSA_meth_set_priv_dec(RSA_METHOD *meth, * @return 1 on success, 0 on error */ static inline int -RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa)) +RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa)) { if (meth) { @@ -594,11 +594,12 @@ RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa)) * @return 1 on success, 0 on error */ static inline -int RSA_meth_set_sign(RSA_METHOD *meth, - int (*sign) (int type, const unsigned char *m, - unsigned int m_length, - unsigned char *sigret, unsigned int *siglen, - const RSA *rsa)) +int +RSA_meth_set_sign(RSA_METHOD *meth, + int (*sign)(int type, const unsigned char *m, + unsigned int m_length, + unsigned char *sigret, unsigned int *siglen, + const RSA *rsa)) { meth->rsa_sign = sign; return 1; @@ -614,7 +615,7 @@ int RSA_meth_set_sign(RSA_METHOD *meth, * @return 1 on success, 0 on error */ static inline int -RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)) +RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)) { if (meth) { @@ -669,7 +670,7 @@ RSA_meth_get0_app_data(const RSA_METHOD *meth) static inline int EC_GROUP_order_bits(const EC_GROUP *group) { - BIGNUM* order = BN_new(); + BIGNUM *order = BN_new(); EC_GROUP_get_order(group, order, NULL); int bits = BN_num_bits(order); BN_free(order); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 26f056f..0cf8db7 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2140,7 +2140,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec "passwords is STRONGLY discouraged and considered insecure"); } -#endif +#endif /* ifdef ENABLE_MANAGEMENT */ /* * Windows-specific options. @@ -2865,8 +2865,10 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) { struct buffer in = buffer_read_from_file(o->tls_auth_file, &o->gc); if (!buf_valid(&in)) + { msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)", o->tls_auth_file); + } ce->tls_auth_file = INLINE_FILE_TAG; ce->tls_auth_file_inline = (char *)in.data; @@ -2876,8 +2878,10 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) { struct buffer in = buffer_read_from_file(o->tls_crypt_file, &o->gc); if (!buf_valid(&in)) + { msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)", o->tls_auth_file); + } ce->tls_crypt_file = INLINE_FILE_TAG; ce->tls_crypt_inline = (char *)in.data; @@ -3046,7 +3050,7 @@ options_postprocess_mutate(struct options *o) { /* DH file is only meaningful in a tls-server context. */ msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only " - "include this in your server configuration"); + "include this in your server configuration"); o->dh_file = NULL; } @@ -7169,7 +7173,7 @@ add_option(struct options *options, { if (strstr(p[2], ":")) { - ipv6dns=true; + ipv6dns = true; foreign_option(options, p, 3, es); dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel); } diff --git a/src/openvpn/otime.c b/src/openvpn/otime.c index e0b1b0e..759a7fb 100644 --- a/src/openvpn/otime.c +++ b/src/openvpn/otime.c @@ -88,7 +88,7 @@ const char * tv_string(const struct timeval *tv, struct gc_arena *gc) { struct buffer out = alloc_buf_gc(64, gc); - buf_printf(&out, "[%"PRIi64"/%ld]", + buf_printf(&out, "[%" PRIi64 "/%ld]", (int64_t)tv->tv_sec, (long)tv->tv_usec); return BSTR(&out); @@ -198,7 +198,7 @@ time_test(void) t = time(NULL); gettimeofday(&tv, NULL); #if 1 - msg(M_INFO, "t=%"PRIi64" s=%"PRIi64" us=%ld", + msg(M_INFO, "t=%" PRIi64 " s=%" PRIi64 " us=%ld", (int64_t)t, (int64_t)tv.tv_sec, (long)tv.tv_usec); diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c index dc44f36..0c74487 100644 --- a/src/openvpn/packet_id.c +++ b/src/openvpn/packet_id.c @@ -347,7 +347,7 @@ packet_id_send_update(struct packet_id_send *p, bool long_form) bool packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, - bool prepend) + bool prepend) { if (!packet_id_send_update(p, long_form)) { @@ -606,13 +606,13 @@ packet_id_debug_print(int msglevel, } buf_printf(&out, "%c", c); } - buf_printf(&out, "] %"PRIi64":" packet_id_format, (int64_t)p->time, (packet_id_print_type)p->id); + buf_printf(&out, "] %" PRIi64 ":" packet_id_format, (int64_t)p->time, (packet_id_print_type)p->id); if (pin) { - buf_printf(&out, " %"PRIi64":" packet_id_format, (int64_t)pin->time, (packet_id_print_type)pin->id); + buf_printf(&out, " %" PRIi64 ":" packet_id_format, (int64_t)pin->time, (packet_id_print_type)pin->id); } - buf_printf(&out, " t=%"PRIi64"[%d]", + buf_printf(&out, " t=%" PRIi64 "[%d]", (int64_t)prev_now, (int)(prev_now - tv.tv_sec)); @@ -666,7 +666,7 @@ packet_id_interactive_test(void) { packet_id_reap_test(&pid.rec); test = packet_id_test(&pid.rec, &pin); - printf("packet_id_test (%"PRIi64", " packet_id_format ") returned %d\n", + printf("packet_id_test (%" PRIi64 ", " packet_id_format ") returned %d\n", (int64_t)pin.time, (packet_id_print_type)pin.id, test); @@ -679,7 +679,7 @@ packet_id_interactive_test(void) { long_form = (count < 20); packet_id_alloc_outgoing(&pid.send, &pin, long_form); - printf("(%"PRIi64"(" packet_id_format "), %d)\n", + printf("(%" PRIi64 "(" packet_id_format "), %d)\n", (int64_t)pin.time, (packet_id_print_type)pin.id, long_form); diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h index ec03e34..26b0797 100644 --- a/src/openvpn/packet_id.h +++ b/src/openvpn/packet_id.h @@ -263,7 +263,7 @@ bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_for * @return true if successful, false otherwise. */ bool packet_id_write(struct packet_id_send *p, struct buffer *buf, - bool long_form, bool prepend); + bool long_form, bool prepend); /* * Inline functions. diff --git a/src/openvpn/ping.h b/src/openvpn/ping.h index a196b32..b51f082 100644 --- a/src/openvpn/ping.h +++ b/src/openvpn/ping.h @@ -84,4 +84,4 @@ check_ping_send(struct context *c) } } -#endif +#endif /* ifndef PING_H */ diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c index 4d17c82..b970834 100644 --- a/src/openvpn/plugin.c +++ b/src/openvpn/plugin.c @@ -552,8 +552,7 @@ plugin_call_item(const struct plugin *p, p->plugin_handle, per_client_context, (current_cert ? certdepth : -1), - current_cert - }; + current_cert }; struct openvpn_plugin_args_func_return retargs; diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c index fdad3ed..c8bd86d 100644 --- a/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c @@ -884,10 +884,10 @@ establish_http_proxy_passthru(struct http_proxy_info *p, const char *algor = get_pa_var("algorithm", pa, &gc); const char *opaque = get_pa_var("opaque", pa, &gc); - if ( !realm || !nonce ) + if (!realm || !nonce) { msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response " - "from server: realm= or nonce= missing" ); + "from server: realm= or nonce= missing" ); goto error; } diff --git a/src/openvpn/reliable.c b/src/openvpn/reliable.c index a7f4ed9..eae1e0c 100644 --- a/src/openvpn/reliable.c +++ b/src/openvpn/reliable.c @@ -762,14 +762,14 @@ reliable_debug_print(const struct reliable *rel, char *desc) printf("********* struct reliable %s\n", desc); printf(" initial_timeout=%d\n", (int)rel->initial_timeout); printf(" packet_id=" packet_id_format "\n", rel->packet_id); - printf(" now=%"PRIi64"\n", (int64_t)now); + printf(" now=%" PRIi64 "\n", (int64_t)now); for (i = 0; i < rel->size; ++i) { const struct reliable_entry *e = &rel->array[i]; if (e->active) { printf(" %d: packet_id=" packet_id_format " len=%d", i, e->packet_id, e->buf.len); - printf(" next_try=%"PRIi64, (int64_t)e->next_try); + printf(" next_try=%" PRIi64, (int64_t)e->next_try); printf("\n"); } } diff --git a/src/openvpn/route.c b/src/openvpn/route.c index d97e8db..346f08e 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -3074,7 +3074,7 @@ do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct t * (only do this for routes actually using the tun/tap device) */ if (tt->type == DEV_TYPE_TUN - && msg.iface.index == tt->adapter_index ) + && msg.iface.index == tt->adapter_index) { inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6); } @@ -3298,7 +3298,7 @@ get_default_gateway(struct route_gateway_info *rgi) if (rgi->flags & RGI_ON_LINK) { /* check that interface name of current interface - * matches interface name of best default route */ + * matches interface name of best default route */ if (strcmp(ifreq.ifr_name, best_name)) { continue; diff --git a/src/openvpn/run_command.c b/src/openvpn/run_command.c index 4e19867..04ad231 100644 --- a/src/openvpn/run_command.c +++ b/src/openvpn/run_command.c @@ -41,12 +41,14 @@ /* contains an SSEC_x value defined in platform.h */ static int script_security_level = SSEC_BUILT_IN; /* GLOBAL */ -int script_security(void) +int +script_security(void) { return script_security_level; } -void script_security_set(int level) +void +script_security_set(int level) { script_security_level = level; } diff --git a/src/openvpn/shaper.c b/src/openvpn/shaper.c index 92364f2..6257984 100644 --- a/src/openvpn/shaper.c +++ b/src/openvpn/shaper.c @@ -76,7 +76,7 @@ shaper_soonest_event(struct timeval *tv, int delay) } } #ifdef SHAPER_DEBUG - dmsg(D_SHAPER_DEBUG, "SHAPER shaper_soonest_event sec=%"PRIi64" usec=%ld ret=%d", + dmsg(D_SHAPER_DEBUG, "SHAPER shaper_soonest_event sec=%" PRIi64 " usec=%ld ret=%d", (int64_t)tv->tv_sec, (long)tv->tv_usec, (int)ret); #endif return ret; diff --git a/src/openvpn/shaper.h b/src/openvpn/shaper.h index 4efe398..bcdb5e3 100644 --- a/src/openvpn/shaper.h +++ b/src/openvpn/shaper.h @@ -147,7 +147,7 @@ shaper_wrote_bytes(struct shaper *s, int nbytes) tv_add(&s->wakeup, &tv); #ifdef SHAPER_DEBUG - dmsg(D_SHAPER_DEBUG, "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%"PRIi64" usec=%ld", + dmsg(D_SHAPER_DEBUG, "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%" PRIi64 " usec=%ld", nbytes, (long)tv.tv_usec, (int64_t)s->wakeup.tv_sec, diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 3f2b97e..db94424 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -100,10 +100,12 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname, bits = 0; max_bits = sizeof(in_addr_t) * 8; break; + case AF_INET6: bits = 64; max_bits = sizeof(struct in6_addr) * 8; break; + default: msg(M_WARN, "Unsupported AF family passed to getaddrinfo for %s (%d)", @@ -125,7 +127,7 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname, } /* check if this hostname has a /bits suffix */ - sep = strchr(var_host , '/'); + sep = strchr(var_host, '/'); if (sep) { bits = strtoul(sep + 1, &endp, 10); @@ -156,10 +158,12 @@ get_addr_generic(sa_family_t af, unsigned int flags, const char *hostname, *ip4 = ntohl(*ip4); } break; + case AF_INET6: ip6 = network; *ip6 = ((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr; break; + default: /* can't get here because 'af' was previously checked */ msg(M_WARN, diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 0f22d47..1780141 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -138,7 +138,7 @@ struct stream_buf int len; /* -1 if not yet known */ bool error; /* if true, fatal TCP error has occurred, - * requiring that connection be restarted */ + * requiring that connection be restarted */ #if PORT_SHARE #define PS_DISABLED 0 #define PS_ENABLED 1 diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index c0bc7a4..e9927eb 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -684,7 +684,7 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) { if (tls_ctx_use_management_external_key(new_ctx)) { - msg (M_WARN, "Cannot initialize mamagement-external-key"); + msg(M_WARN, "Cannot initialize mamagement-external-key"); goto err; } } @@ -1103,7 +1103,7 @@ tls_session_init(struct tls_multi *multi, struct tls_session *session) else { session->initial_opcode = session->opt->tls_crypt_v2 ? - P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2; + P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2; } } @@ -1531,9 +1531,9 @@ read_control_auth(struct buffer *buf, if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3 && !tls_crypt_v2_extract_client_key(buf, ctx, opt)) { - msg (D_TLS_ERRORS, - "TLS Error: can not extract tls-crypt-v2 client key from %s", - print_link_socket_actual(from, &gc)); + msg(D_TLS_ERRORS, + "TLS Error: can not extract tls-crypt-v2 client key from %s", + print_link_socket_actual(from, &gc)); goto cleanup; } @@ -3792,7 +3792,7 @@ tls_pre_decrypt(struct tls_multi *multi, /* Save incoming ciphertext packet to reliable buffer */ struct buffer *in = reliable_get_buf(ks->rec_reliable); ASSERT(in); - if(!buf_copy(in, buf)) + if (!buf_copy(in, buf)) { msg(D_MULTI_DROPPED, "Incoming control channel packet too big, dropping."); @@ -4193,10 +4193,10 @@ show_available_tls_ciphers(const char *cipher_list, show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false); printf("\n" - "Be aware that that whether a cipher suite in this list can actually work\n" - "depends on the specific setup of both peers. See the man page entries of\n" - "--tls-cipher and --show-tls for more details.\n\n" - ); + "Be aware that that whether a cipher suite in this list can actually work\n" + "depends on the specific setup of both peers. See the man page entries of\n" + "--tls-cipher and --show-tls for more details.\n\n" + ); } /* diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 7bf82b3..410b216 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -215,10 +215,10 @@ struct tls_wrap_ctx struct buffer work; /**< Work buffer (only for --tls-crypt) */ struct key_ctx tls_crypt_v2_server_key; /**< Decrypts client keys */ const struct buffer *tls_crypt_v2_wkc; /**< Wrapped client key, - sent to server */ + * sent to server */ struct buffer tls_crypt_v2_metadata; /**< Received from client */ bool cleanup_key_ctx; /**< opt.key_ctx_bi is owned by - this context */ + * this context */ }; /* diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index f7e8c2d..a4197cb 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -65,12 +65,12 @@ static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy = { /* Hashes from SHA-1 and above */ - MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) | - MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) | - MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) | - MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | - MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) | - MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), + MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) + |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) + |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) + |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) + |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) + |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), 0xFFFFFFF, /* Any PK alg */ 0xFFFFFFF, /* Any curve */ 1024, /* RSA-1024 and larger */ @@ -79,10 +79,10 @@ static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy = static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_preferred = { /* SHA-2 and above */ - MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) | - MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) | - MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) | - MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), + MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) + |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) + |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) + |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ), 0xFFFFFFF, /* Any PK alg */ 0xFFFFFFF, /* Any curve */ 2048, /* RSA-2048 and larger */ @@ -232,7 +232,7 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) } msg(M_WARN, "mbed TLS does not support setting tls-ciphersuites. " - "Ignoring TLS 1.3 cipher list: %s", ciphers); + "Ignoring TLS 1.3 cipher list: %s", ciphers); } void @@ -299,7 +299,7 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) } else { - msg (M_FATAL, "ERROR: Invalid cert profile: %s", profile); + msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile); } } @@ -600,14 +600,14 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, if (ctx->crt_chain == NULL) { - msg (M_WARN, "ERROR: external key requires a certificate."); + msg(M_WARN, "ERROR: external key requires a certificate."); return 1; } if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA) { msg(M_WARN, "ERROR: external key with mbed TLS requires a " - "certificate with an RSA key."); + "certificate with an RSA key."); return 1; } @@ -653,8 +653,8 @@ management_sign_func(void *sign_ctx, const void *src, size_t src_len, ret = true; cleanup: - free (src_b64); - free (dst_b64); + free(src_b64); + free(dst_b64); return ret; } diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index 998d6f2..1328ceb 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -71,8 +71,8 @@ typedef struct { * @return true if signing succeeded, false otherwise. */ typedef bool (*external_sign_func)( - void *sign_ctx, const void *src, size_t src_size, - void *dst, size_t dst_size); + void *sign_ctx, const void *src, size_t src_size, + void *dst, size_t dst_size); /** Context used by external_pkcs1_sign() */ struct external_context { diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index da573cf..ddb78da 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -217,7 +217,7 @@ tls_version_max(void) return TLS_VER_1_2; #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1) return TLS_VER_1_1; -#else +#else /* if defined(TLS1_3_VERSION) */ return TLS_VER_1_0; #endif } @@ -322,7 +322,7 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) } void -convert_tls_list_to_openssl(char* openssl_ciphers, size_t len,const char *ciphers) +convert_tls_list_to_openssl(char *openssl_ciphers, size_t len,const char *ciphers) { /* Parse supplied cipher list and pass on to OpenSSL */ size_t begin_of_cipher, end_of_cipher; @@ -466,9 +466,9 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) } #if (OPENSSL_VERSION_NUMBER < 0x1010100fL) - crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " - "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", - ciphers); + crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " + "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", + ciphers); #else ASSERT(NULL != ctx); @@ -509,13 +509,13 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile); } -#else +#else /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */ if (profile) { msg(M_WARN, "WARNING: OpenSSL 1.0.1 does not support --tls-cert-profile" ", ignoring user-set profile: '%s'", profile); } -#endif +#endif /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */ } void @@ -658,7 +658,7 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name { nid = EC_GROUP_get_curve_name(ecgrp); } -#endif +#endif /* if OPENSSL_VERSION_NUMBER >= 0x10002000L */ } /* Translate NID back to name , just for kicks */ @@ -1137,7 +1137,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i ret = get_sig_from_man(from, flen, to, len); - return (ret == len)? ret : -1; + return (ret == len) ? ret : -1; } static int @@ -1325,7 +1325,7 @@ err: { EVP_PKEY_free(privkey); } - if(ec) + if (ec) { EC_KEY_free(ec); } @@ -1375,7 +1375,7 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate"); goto cleanup; } -#else +#else /* if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) */ else { crypto_msg(M_WARN, "management-external-key requires an RSA certificate"); @@ -1644,7 +1644,7 @@ bio_debug_data(const char *mode, BIO *bio, const uint8_t *buf, int len, const ch if (len > 0) { open_biofp(); - fprintf(biofp, "BIO_%s %s time=%"PRIi64" bio=" ptr_format " len=%d data=%s\n", + fprintf(biofp, "BIO_%s %s time=%" PRIi64 " bio=" ptr_format " len=%d data=%s\n", mode, desc, (int64_t)time(NULL), (ptr_type)bio, len, format_hex(buf, len, 0, &gc)); fflush(biofp); } @@ -1655,7 +1655,7 @@ static void bio_debug_oc(const char *mode, BIO *bio) { open_biofp(); - fprintf(biofp, "BIO %s time=%"PRIi64" bio=" ptr_format "\n", + fprintf(biofp, "BIO %s time=%" PRIi64 " bio=" ptr_format "\n", mode, (int64_t)time(NULL), (ptr_type)bio); fflush(biofp); } @@ -1963,7 +1963,7 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) { EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); const EC_GROUP *group = EC_KEY_get0_group(ec); - const char* curve; + const char *curve; int nid = EC_GROUP_get_curve_name(group); if (nid == 0 || (curve = OBJ_nid2sn(nid)) == NULL) @@ -2024,7 +2024,7 @@ show_available_tls_ciphers_list(const char *cipher_list, #else STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl); #endif - for (int i=0;i < sk_SSL_CIPHER_num(sk);i++) + for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i); @@ -2035,7 +2035,7 @@ show_available_tls_ciphers_list(const char *cipher_list, if (tls13) { - printf("%s\n", cipher_name); + printf("%s\n", cipher_name); } else if (NULL == pair) { diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 03c0b66..a7f5175 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -72,7 +72,7 @@ setenv_untrusted(struct tls_session *session) static void wipe_auth_token(struct tls_multi *multi) { - if(multi) + if (multi) { if (multi->auth_token) { @@ -712,24 +712,24 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep switch (opt->verify_hash_algo) { - case MD_SHA1: - ca_hash = x509_get_sha1_fingerprint(cert, &gc); - break; - - case MD_SHA256: - ca_hash = x509_get_sha256_fingerprint(cert, &gc); - break; - - default: - /* This should normally not happen at all; the algorithm used - * is parsed by add_option() [options.c] and set to a predefined - * value in an enumerated type. So if this unlikely scenario - * happens, consider this a failure - */ - msg(M_WARN, "Unexpected invalid algorithm used with " - "--verify-hash (%i)", opt->verify_hash_algo); - ret = FAILURE; - goto cleanup; + case MD_SHA1: + ca_hash = x509_get_sha1_fingerprint(cert, &gc); + break; + + case MD_SHA256: + ca_hash = x509_get_sha256_fingerprint(cert, &gc); + break; + + default: + /* This should normally not happen at all; the algorithm used + * is parsed by add_option() [options.c] and set to a predefined + * value in an enumerated type. So if this unlikely scenario + * happens, consider this a failure + */ + msg(M_WARN, "Unexpected invalid algorithm used with " + "--verify-hash (%i)", opt->verify_hash_algo); + ret = FAILURE; + goto cleanup; } if (memcmp(BPTR(&ca_hash), opt->verify_hash, BLEN(&ca_hash))) @@ -1178,8 +1178,8 @@ verify_user_pass_plugin(struct tls_session *session, const struct user_pass *up) /* generate filename for deferred auth control file */ if (!key_state_gen_auth_control_file(ks, session->opt)) { - msg (D_TLS_ERRORS, "TLS Auth Error (%s): " - "could not create deferred auth control file", __func__); + msg(D_TLS_ERRORS, "TLS Auth Error (%s): " + "could not create deferred auth control file", __func__); goto cleanup; } #endif diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index 2a9e8bb..f4cc2c5 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -130,6 +130,7 @@ result_t backend_x509_get_username(char *common_name, int cn_len, * --x509-username-field option. */ bool x509_username_field_ext_supported(const char *extname); + #endif /* diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 10085b2..ff14db2 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -114,7 +114,8 @@ cleanup: } #ifdef ENABLE_X509ALTUSERNAME -bool x509_username_field_ext_supported(const char *fieldname) +bool +x509_username_field_ext_supported(const char *fieldname) { int nid = OBJ_txt2nid(fieldname); return nid == NID_subject_alt_name || nid == NID_issuer_alt_name; @@ -587,7 +588,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage) * prevent it to take a const argument */ result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ? - SUCCESS : FAILURE; + SUCCESS : FAILURE; /* * old versions of OpenSSL allow us to make the less strict check we used to @@ -615,7 +616,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage) * prevent it to take a const argument */ result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ? - SUCCESS : FAILURE; + SUCCESS : FAILURE; /* * old versions of OpenSSL allow us to make the less strict check we used to diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index c3ed2b9..85495d7 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -86,7 +86,7 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, struct key_type kt = tls_crypt_kt(); if (!kt.cipher || !kt.digest) { - msg (M_FATAL, "ERROR: --tls-crypt not supported"); + msg(M_FATAL, "ERROR: --tls-crypt not supported"); } crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction, "Control Channel Encryption", "tls-crypt"); @@ -530,7 +530,7 @@ tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata, memcpy(&client_key->keys, BPTR(&plaintext), sizeof(client_key->keys)); ASSERT(buf_advance(&plaintext, sizeof(client_key->keys))); - if(!buf_copy(metadata, &plaintext)) + if (!buf_copy(metadata, &plaintext)) { CRYPT_ERROR("metadata too large for supplied buffer"); } @@ -613,7 +613,7 @@ tls_crypt_v2_extract_client_key(struct buffer *buf, if (!ctx->tls_crypt_v2_server_key.cipher) { msg(D_TLS_ERRORS, - "Client wants tls-crypt-v2, but no server key present."); + "Client wants tls-crypt-v2, but no server key present."); return false; } diff --git a/src/openvpn/tls_crypt.h b/src/openvpn/tls_crypt.h index 9b5ea97..43bf812 100644 --- a/src/openvpn/tls_crypt.h +++ b/src/openvpn/tls_crypt.h @@ -99,10 +99,10 @@ #define TLS_CRYPT_V2_SERVER_KEY_LEN (sizeof(struct key)) #define TLS_CRYPT_V2_TAG_SIZE (TLS_CRYPT_TAG_SIZE) #define TLS_CRYPT_V2_MAX_METADATA_LEN (unsigned)(TLS_CRYPT_V2_MAX_WKC_LEN \ - - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \ - + sizeof(uint16_t))) + - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \ + + sizeof(uint16_t))) #define TLS_CRYPT_V2_MAX_B64_METADATA_LEN \ - OPENVPN_BASE64_LENGTH(TLS_CRYPT_V2_MAX_METADATA_LEN - 1) + OPENVPN_BASE64_LENGTH(TLS_CRYPT_V2_MAX_METADATA_LEN - 1) /** * Initialize a key_ctx_bi structure for use with --tls-crypt. diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index c091401..12e6eb0 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -553,8 +553,8 @@ is_tun_p2p(const struct tuntap *tt) bool tun = false; if (tt->type == DEV_TYPE_TAP - || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET) - || tt->type == DEV_TYPE_NULL ) + || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET) + || tt->type == DEV_TYPE_NULL) { tun = false; } @@ -893,7 +893,7 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu, ifconfig_ipv6_local, tt->netbits_ipv6, ifname); argv_msg(M_INFO, &argv); openvpn_execve_check(&argv, es, S_FATAL, "Linux ip -6 addr add failed"); -#else +#else /* ifdef ENABLE_IPROUTE */ argv_printf(&argv, "%s %s add %s/%d mtu %d up", IFCONFIG_PATH, ifname, ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu); argv_msg(M_INFO, &argv); @@ -1387,6 +1387,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu, ifname, ifconfig_local, print_in_addr_t(tt->adapter_netmask, 0, &gc)); break; + case IPW32_SET_NETSH: netsh_ifconfig(&tt->options, ifname, tt->local, tt->adapter_netmask, NI_IP_NETMASK|NI_OPTIONS); @@ -2442,7 +2443,7 @@ close_tun(struct tuntap *tt) struct argv argv = argv_new(); /* setup command, close tun dev (clears tt->actual_name!), run command - */ + */ argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); @@ -2528,7 +2529,7 @@ close_tun(struct tuntap *tt) struct argv argv = argv_new(); /* setup command, close tun dev (clears tt->actual_name!), run command - */ + */ argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); @@ -2668,7 +2669,7 @@ close_tun(struct tuntap *tt) struct argv argv = argv_new(); /* setup command, close tun dev (clears tt->actual_name!), run command - */ + */ argv_printf(&argv, "%s %s destroy", IFCONFIG_PATH, tt->actual_name); @@ -5923,7 +5924,7 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun }; if (send_msg_iservice(tt->options.msg_channel, &msg, sizeof(msg), - &ack, "TUN")) + &ack, "TUN")) { status = ack.error_number; } diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index e43296e..be52694 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -1481,7 +1481,7 @@ send_msg_iservice(HANDLE pipe, const void *data, size_t size, || !ReadFile(pipe, ack, sizeof(*ack), &len, NULL)) { msg(M_WARN, "%s: could not talk to service: %s [%lu]", - context? context : "Unknown", + context ? context : "Unknown", strerror_win32(GetLastError(), &gc), GetLastError()); ret = false; } |