#define PLUGIN_NAME "base64.c"
/* Exported plug-in v3 API functions */
-plugin_log_t ovpn_log = NULL; /**< Pointer to the OpenVPN log function. See plugin_log() */
-plugin_vlog_t ovpn_vlog = NULL; /**< Pointer to the OpenVPN vlog function. See plugin_vlog() */
-plugin_base64_encode_t ovpn_base64_encode = NULL; /**< Pointer to the openvpn_base64_encode () function */
-plugin_base64_decode_t ovpn_base64_decode = NULL; /**< Pointer to the openvpn_base64_decode () function */
+/** Pointer to the OpenVPN log function. See plugin_log() */
+plugin_log_t ovpn_log = NULL;
+/** Pointer to the OpenVPN vlog function. See plugin_vlog() */
+plugin_vlog_t ovpn_vlog = NULL;
+/** Pointer to the openvpn_base64_encode () function */
+plugin_base64_encode_t ovpn_base64_encode = NULL;
+/** Pointer to the openvpn_base64_decode () function */
+plugin_base64_decode_t ovpn_base64_decode = NULL;
/**
* Search the environment pointer for a specific env var name
#define COMP_F_ADAPTIVE (1<<0) / * COMP_ALG_LZO only * /
#define COMP_F_ALLOW_COMPRESS (1<<1) / * not only incoming is compressed but also outgoing * /
*/
-#define COMP_F_SWAP (1<<2) /* initial command byte is swapped with last byte in buffer to preserve payload alignment */
-#define COMP_F_ADVERTISE_STUBS_ONLY (1<<3) /* tell server that we only support compression stubs */
-#define COMP_F_ALLOW_STUB_ONLY (1<<4) /* Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY
- * we still accept other compressions to be pushed */
-#define COMP_F_MIGRATE (1<<5) /* push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */
-#define COMP_F_ALLOW_ASYM (1<<6) /* Compression was explicitly set to allow asymetric compression */
-#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7) /* Do not allow compression framing (breaks DCO) */
+/** initial command byte is swapped with last byte in buffer to preserve payload alignment */
+#define COMP_F_SWAP (1<<2)
+/** tell server that we only support compression stubs */
+#define COMP_F_ADVERTISE_STUBS_ONLY (1<<3)
+/** Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY
+ * we still accept other compressions to be pushed */
+#define COMP_F_ALLOW_STUB_ONLY (1<<4)
+/** push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ */
+#define COMP_F_MIGRATE (1<<5)
+/** Compression was explicitly set to allow asymetric compression */
+#define COMP_F_ALLOW_ASYM (1<<6)
+/** Do not allow compression framing (breaks DCO) */
+#define COMP_F_ALLOW_NOCOMP_ONLY (1<<7)
/* algorithms */
#define COMP_ALG_UNDEF 0
-#define COMP_ALG_STUB 1 /* support compression command byte and framing without actual compression */
-#define COMP_ALG_LZO 2 /* LZO algorithm */
-#define COMP_ALG_SNAPPY 3 /* Snappy algorithm (no longer supported) */
-#define COMP_ALG_LZ4 4 /* LZ4 algorithm */
+/** support compression command byte and framing without actual compression */
+#define COMP_ALG_STUB 1
+#define COMP_ALG_LZO 2 /**< LZO algorithm */
+#define COMP_ALG_SNAPPY 3 /**< Snappy algorithm (no longer supported) */
+#define COMP_ALG_LZ4 4 /**< LZ4 algorithm */
/* algorithm v2 */
#define LZO_COMPRESS_BYTE 0x66
#define LZ4_COMPRESS_BYTE 0x69
#define NO_COMPRESS_BYTE 0xFA
-#define NO_COMPRESS_BYTE_SWAP 0xFB /* to maintain payload alignment, replace this byte with last byte of packet */
+/** to maintain payload alignment, replace this byte with last byte of packet */
+#define NO_COMPRESS_BYTE_SWAP 0xFB
/* V2 on wire code */
#define COMP_ALGV2_INDICATOR_BYTE 0x50
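Review bot: The algorithm block from COMP_ALG_STUB to COMP_ALG_LZ4 now mixes two Doxygen placements: COMP_ALG_STUB gets a preceding `/** ... */` while COMP_ALG_LZO, COMP_ALG_SNAPPY and COMP_ALG_LZ4 keep trailing `/**< ... */`, and the COMP_F_* flags just above all use the preceding form. For a pure reformatting commit the group should settle on one form; moving the three short ones above their defines, e.g. `/** LZO algorithm */` on the line before `#define COMP_ALG_LZO 2`, matches the rest of the hunk. The same mix appears in the GET_USER_PASS_* block later in this diff, where the three *_CHALLENGE* flags stay trailing and the two below them move above.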
#define D_PACKET_TRUNC_DEBUG LOGLEV(7, 70, M_DEBUG) /* PACKET_TRUNCATION_CHECK verbose */
#define D_PING LOGLEV(7, 70, M_DEBUG) /* PING send/receive messages */
#define D_PS_PROXY_DEBUG LOGLEV(7, 70, M_DEBUG) /* port share proxy debug */
-#define D_TLS_KEYSELECT LOGLEV(7, 70, M_DEBUG) /* show information on key selection for data channel */
+#define D_TLS_KEYSELECT LOGLEV(7, 70, M_DEBUG) /* show key selection for data channel */
#define D_ARGV_PARSE_CMD LOGLEV(7, 70, M_DEBUG) /* show parse_line() errors in argv_parse_cmd */
#define D_CRYPTO_DEBUG LOGLEV(7, 70, M_DEBUG) /* show detailed info from crypto.c routines */
#define D_PID_DEBUG LOGLEV(7, 70, M_DEBUG) /* show packet-id debugging info */
#define D_VLAN_DEBUG LOGLEV(7, 74, M_DEBUG) /* show VLAN tagging/untagging debug info */
-#define D_HANDSHAKE_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show detailed description of each handshake */
+#define D_HANDSHAKE_VERBOSE LOGLEV(8, 70, M_DEBUG) /* show detailed description of handshake */
#define D_TLS_DEBUG_MED LOGLEV(8, 70, M_DEBUG) /* limited info from tls_session routines */
#define D_INTERVAL LOGLEV(8, 70, M_DEBUG) /* show interval.h debugging info */
#define D_SCHEDULER LOGLEV(8, 70, M_DEBUG) /* show scheduler debugging info */
#define D_PACKET_CONTENT LOGLEV(9, 70, M_DEBUG) /* show before/after encryption packet content */
#define D_TLS_NO_SEND_KEY LOGLEV(9, 70, M_DEBUG) /* show when no data channel send-key exists */
#define D_PID_PERSIST_DEBUG LOGLEV(9, 70, M_DEBUG) /* show packet-id persist debugging info */
-#define D_LINK_RW_VERBOSE LOGLEV(9, 70, M_DEBUG) /* show link reads/writes with greater verbosity */
+#define D_LINK_RW_VERBOSE LOGLEV(9, 70, M_DEBUG) /* increase link reads/writes verbosity */
#define D_STREAM_DEBUG LOGLEV(9, 70, M_DEBUG) /* show TCP stream debug info */
#define D_WIN32_IO LOGLEV(9, 70, M_DEBUG) /* win32 I/O debugging info */
#define D_PKCS11_DEBUG LOGLEV(9, 70, M_DEBUG) /* show PKCS#11 debugging */
* List of fragment structures for reassembling multiple incoming packets
* concurrently.
*/
-struct fragment_list {
- int seq_id; /**< Highest fragmentation sequence ID of
- * the packets currently being
- * reassembled. */
- int index; /**< Index of the packet being reassembled
- * with the highest fragmentation
- * sequence ID into the \c
- * fragment_list.fragments array. */
-
-/** Array of reassembly structures, each can contain one whole packet.
- *
- * The fragmentation sequence IDs of the packets being reassembled in
- * this array are linearly increasing. \c
- * fragment_list.fragments[fragment_list.index] has an ID of \c
- * fragment_list.seq_id. This means that one of these \c fragment_list
- * structures can at any one time contain at most packets with the
- * fragmentation sequence IDs in the range \c fragment_list.seq_id \c -
- * \c N_FRAG_BUF \c + \c 1 to \c fragment_list.seq_id, inclusive.
- */
+struct fragment_list
+{
+ /** Highest fragmentation sequence ID of
+ * the packets currently being
+ * reassembled. */
+ int seq_id;
+ /** Index of the packet being reassembled
+ * with the highest fragmentation
+ * sequence ID into the \c
+ * fragment_list.fragments array. */
+ int index;
+
+ /** Array of reassembly structures, each can contain one whole packet.
+ *
+ * The fragmentation sequence IDs of the packets being reassembled in
+ * this array are linearly increasing. \c
+ * fragment_list.fragments[fragment_list.index] has an ID of \c
+ * fragment_list.seq_id. This means that one of these \c fragment_list
+ * structures can at any one time contain at most packets with the
+ * fragmentation sequence IDs in the range \c fragment_list.seq_id \c -
+ * \c N_FRAG_BUF \c + \c 1 to \c fragment_list.seq_id, inclusive.
+ */
struct fragment fragments[N_FRAG_BUF];
};
* the remote OpenVPN peer can determine
* which parts belong to which original
* packet. */
-#define MAX_FRAG_PKT_SIZE 65536
- /**< (Not used) Maximum packet size before
- * fragmenting. */
+#define MAX_FRAG_PKT_SIZE 65536 /**< (Not used) Maximum packet size before fragmenting. */
int outgoing_frag_size; /**< Size in bytes of each part to be
* sent, except for the last part which
* may be smaller.
/**************************************************************************/
/** @name Fragment header
* @todo Add description of %fragment header format.
- *//** @{ *//*************************************/
+ */
+/** @{ */ /*************************************/
typedef uint32_t fragment_header_type;
-/**< Fragmentation information is stored in
- * a 32-bit packet header. */
+/**< Fragmentation information is stored in a 32-bit packet header. */
#define hton_fragment_header_type(x) htonl(x)
-/**< Convert a fragment_header_type from
- * host to network order. */
+/**< Convert a fragment_header_type from host to network order. */
#define ntoh_fragment_header_type(x) ntohl(x)
-/**< Convert a \c fragment_header_type
- * from network to host order. */
-
-#define FRAG_TYPE_MASK 0x00000003
-/**< Bit mask for %fragment type info. */
-#define FRAG_TYPE_SHIFT 0 /**< Bit shift for %fragment type info. */
-
-#define FRAG_WHOLE 0 /**< Fragment type indicating packet is
- * whole. */
-#define FRAG_YES_NOTLAST 1 /**< Fragment type indicating packet is
- * part of a fragmented packet, but not
- * the last part in the sequence. */
-#define FRAG_YES_LAST 2 /**< Fragment type indicating packet is
- * the last part in the sequence of
- * parts. */
-#define FRAG_TEST 3 /**< Fragment type not implemented yet.
- * In the future might be used as a
- * control packet for establishing MTU
- * size. */
-
-#define FRAG_SEQ_ID_MASK 0x000000ff
-/**< Bit mask for %fragment sequence ID. */
-#define FRAG_SEQ_ID_SHIFT 2 /**< Bit shift for %fragment sequence ID. */
-
-#define FRAG_ID_MASK 0x0000001f
-/**< Bit mask for %fragment ID. */
-#define FRAG_ID_SHIFT 10
-/**< Bit shift for %fragment ID. */
+/**< Convert a \c fragment_header_type from network to host order. */
+
+#define FRAG_TYPE_MASK 0x00000003 /**< Bit mask for %fragment type info. */
+#define FRAG_TYPE_SHIFT 0 /**< Bit shift for %fragment type info. */
+
+#define FRAG_WHOLE 0 /**< Fragment type indicating packet is whole. */
+#define FRAG_YES_NOTLAST 1
+/**< Fragment type indicating packet is part of a fragmented packet, but not
+ * the last part in the sequence. */
+#define FRAG_YES_LAST 2
+/**< Fragment type indicating packet is the last part in the sequence of parts. */
+#define FRAG_TEST 3
+/**< Fragment type not implemented yet.
+ * In the future might be used as a control packet for establishing MTU size. */
+
+#define FRAG_SEQ_ID_MASK 0x000000ff /**< Bit mask for %fragment sequence ID. */
+#define FRAG_SEQ_ID_SHIFT 2 /**< Bit shift for %fragment sequence ID. */
+
+#define FRAG_ID_MASK 0x0000001f /**< Bit mask for %fragment ID. */
+#define FRAG_ID_SHIFT 10 /**< Bit shift for %fragment ID. */
+
/*
* FRAG_SIZE 14 bits
* max_frag_size is only sent over the wire if FRAG_LAST is set. Otherwise it is assumed
* to be the actual %fragment size received.
*/
-#define FRAG_SIZE_MASK 0x00003fff
-/**< Bit mask for %fragment size. */
-#define FRAG_SIZE_SHIFT 15
-/**< Bit shift for %fragment size. */
-#define FRAG_SIZE_ROUND_SHIFT 2 /**< Bit shift for %fragment size rounding. */
-#define FRAG_SIZE_ROUND_MASK ((1 << FRAG_SIZE_ROUND_SHIFT) - 1)
+#define FRAG_SIZE_MASK 0x00003fff /**< Bit mask for %fragment size. */
+#define FRAG_SIZE_SHIFT 15 /**< Bit shift for %fragment size. */
+#define FRAG_SIZE_ROUND_SHIFT 2 /**< Bit shift for %fragment size rounding. */
+#define FRAG_SIZE_ROUND_MASK ((1 << FRAG_SIZE_ROUND_SHIFT) - 1)
/**< Bit mask for %fragment size rounding. */
/*
*
* IF FRAG_WHOLE or FRAG_YES_NOTLAST, these 16 bits are available (not currently used)
*/
-#define FRAG_EXTRA_MASK 0x0000ffff
-/**< Bit mask for extra bits. */
-#define FRAG_EXTRA_SHIFT 15
-/**< Bit shift for extra bits. */
+#define FRAG_EXTRA_MASK 0x0000ffff /**< Bit mask for extra bits. */
+#define FRAG_EXTRA_SHIFT 15 /**< Bit shift for extra bits. */
/** @} name Fragment header *//********************************************/
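Review bot: The `@{` group opener was split out of its fused `*//** @{ *//****` form, but the matching closer on the last line of this hunk, `/** @} name Fragment header *//****...*/`, is left in exactly the fused form that was being fixed, so the two ends of the group now read differently. Splitting it the same way, `/** @} name Fragment header */` followed by the separator comment on its own, keeps the pair symmetric. Likewise `FRAG_SIZE_ROUND_MASK` is the only macro in the block whose `/**< Bit mask for %fragment size rounding. */` still sits on the following line after its neighbours were folded onto the define; if line length is the reason, the preceding `/** ... */` form used elsewhere in this diff would avoid the odd one out.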
{
if (!options->dev && options->dev_node)
{
- char *dev_node = string_alloc(options->dev_node, NULL); /* POSIX basename() implementations may modify its arguments */
+ /* POSIX basename() implementations may modify its arguments */
+ char *dev_node = string_alloc(options->dev_node, NULL);
options->dev = basename(dev_node);
}
}
}
else
{
- initialization_sequence_completed(c, error_flags); /* client/p2p --route-delay undefined */
+ /* client/p2p --route-delay undefined */
+ initialization_sequence_completed(c, error_flags);
}
}
else if (c->options.mode == MODE_POINT_TO_POINT)
{
- initialization_sequence_completed(c, error_flags); /* client/p2p restart with --persist-tun */
+ /* client/p2p restart with --persist-tun */
+ initialization_sequence_completed(c, error_flags);
}
tls_print_deferred_options_results(c);
const bool standalone_disabled_save = man->persist.standalone_disabled;
time_t expire = 0;
- man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
+ /* This is so M_CLIENT messages will be correctly passed through msg() */
+ man->persist.standalone_disabled = false;
/* set expire time */
update_time();
unsigned int up_query_mode = 0;
const char *sc = NULL;
ret = true;
- man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
+ /* This is so M_CLIENT messages will be correctly passed through msg() */
+ man->persist.standalone_disabled = false;
man->persist.special_state_msg = NULL;
CLEAR(man->connection.up_query);
if (man_standalone_ok(man))
{
- man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */
+ /* This is so M_CLIENT messages will be correctly passed through msg() */
+ man->persist.standalone_disabled = false;
man->persist.special_state_msg = NULL;
*state = EKS_SOLICIT;
#define GET_USER_PASS_NEED_STR (1<<5)
#define GET_USER_PASS_PREVIOUS_CREDS_FAILED (1<<6)
-#define GET_USER_PASS_DYNAMIC_CHALLENGE (1<<7) /* CRV1 protocol -- dynamic challenge */
-#define GET_USER_PASS_STATIC_CHALLENGE (1<<8) /* SCRV1 protocol -- static challenge */
-#define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /* SCRV1 protocol -- echo response */
-
-#define GET_USER_PASS_INLINE_CREDS (1<<10) /* indicates that auth_file is actually inline creds */
-#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT (1<<11) /* indicates password and response should be concatenated */
+#define GET_USER_PASS_DYNAMIC_CHALLENGE (1<<7) /**< CRV1 protocol -- dynamic challenge */
+#define GET_USER_PASS_STATIC_CHALLENGE (1<<8) /**< SCRV1 protocol -- static challenge */
+#define GET_USER_PASS_STATIC_CHALLENGE_ECHO (1<<9) /**< SCRV1 protocol -- echo response */
+
+/** indicates that auth_file is actually inline creds */
+#define GET_USER_PASS_INLINE_CREDS (1<<10)
+/** indicates password and response should be concatenated */
+#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT (1<<11)
/**
* Retrieves the user credentials from various sources depending on the flags.
o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
#endif
o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
- o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
+ /* use network address as internal DHCP server address */
+ o->tuntap_options.dhcp_masq_offset = 0;
o->route_method = ROUTE_METHOD_ADAPTIVE;
o->block_outside_dns = false;
o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
*
* @{
*/
-#define S_ERROR (-2) /**< Error state. */
-#define S_ERROR_PRE (-1) /**< Error state but try to send out alerts
- * before killing the keystore and moving
- * it to S_ERROR */
+#define S_ERROR (-2) /**< Error state. */
+#define S_ERROR_PRE (-1) /**< Error state but try to send out alerts
+ * before killing the keystore and moving
+ * it to S_ERROR */
#define S_UNDEF 0 /**< Undefined state, used after a \c
* key_state is cleaned up. */
#define S_INITIAL 1 /**< Initial \c key_state state after
* tls_session reaches S_ACTIVE, this state machine moves to CAS_PENDING (server)
* or CAS_CONNECT_DONE (client/p2p) as clients skip the stages associated with
* connect scripts/plugins */
-enum multi_status {
+enum multi_status
+{
CAS_NOT_CONNECTED,
- CAS_WAITING_AUTH, /**< Initial TLS connection established but deferred auth is not yet finished */
- CAS_PENDING, /**< Options import (Connect script/plugin, ccd,...) */
- CAS_PENDING_DEFERRED, /**< Waiting on an async option import handler */
- CAS_PENDING_DEFERRED_PARTIAL, /**< at least handler succeeded but another is still pending */
- CAS_FAILED, /**< Option import failed or explicitly denied the client */
- CAS_WAITING_OPTIONS_IMPORT, /**< client with pull or p2p waiting for first time options import */
- CAS_RECONNECT_PENDING, /**< session has already successful established (CAS_CONNECT_DONE)
- * but has a reconnect and needs to redo some initialisation, this state is
- * similar CAS_WAITING_OPTIONS_IMPORT but skips a few things. The normal connection
- * skips this step. */
+ CAS_WAITING_AUTH, /**< Initial TLS connection established but deferred auth is not yet finished
+ */
+ CAS_PENDING, /**< Options import (Connect script/plugin, ccd,...) */
+ CAS_PENDING_DEFERRED, /**< Waiting on an async option import handler */
+ CAS_PENDING_DEFERRED_PARTIAL, /**< at least handler succeeded but another is still pending */
+ CAS_FAILED, /**< Option import failed or explicitly denied the client */
+ CAS_WAITING_OPTIONS_IMPORT, /**< client with pull or p2p waiting for first time options import
+ */
+ /** session has already successful established (CAS_CONNECT_DONE) but has a
+ * reconnect and needs to redo some initialisation, this state is similar
+ * CAS_WAITING_OPTIONS_IMPORT but skips a few things. The normal connection
+ * skips this step. */
+ CAS_RECONNECT_PENDING,
CAS_CONNECT_DONE,
};
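Review bot: `CAS_WAITING_AUTH` and `CAS_WAITING_OPTIONS_IMPORT` end up with a trailing `/**<` comment whose closing `*/` stands alone on the next line, which looks like a line-length wrap rather than an intended layout and reads worse than either form used elsewhere in the enum. Since `CAS_RECONNECT_PENDING` in the same hunk was moved to a preceding block comment, the same treatment fits here: `/** Initial TLS connection established but deferred auth is not yet finished */` on the line before `CAS_WAITING_AUTH,`, and likewise for `CAS_WAITING_OPTIONS_IMPORT`.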
int n_hard_errors; /* errors due to TLS negotiation failure */
int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
- /*
- * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
+ /**
+ * Our locked common name, username, and cert hashes
+ * (cannot change during the life of this tls_multi object)
*/
char *locked_cn;
struct cert_hash_set *locked_cert_hash_set;
- /** Time of last when we updated the cached state of
+ /**
+ * Time of last when we updated the cached state of
* tls_authentication_status deferred files */
time_t tas_cache_last_update;
/** The number of times we updated the cache */
unsigned int tas_cache_num_updates;
- /*
- * An error message to send to client on AUTH_FAILED
- */
+ /** An error message to send to client on AUTH_FAILED */
char *client_reason;
- /*
+ /**
* A multi-line string of general-purpose info received from peer
* over control channel.
*/
char *peer_info;
- char *auth_token; /**< If server sends a generated auth-token,
- * this is the token to use for future
- * user/pass authentications in this session.
- */
- char *auth_token_initial;
- /**< The first auth-token we sent to a client. We use this to remember
- * the session ID and initial timestamp when generating new auth-token.
+ /**
+ * If server sends a generated auth-token,
+ * this is the token to use for future
+ * user/pass authentications in this session.
*/
-#define AUTH_TOKEN_HMAC_OK (1<<0)
- /**< Auth-token sent from client has valid hmac */
-#define AUTH_TOKEN_EXPIRED (1<<1)
- /**< Auth-token sent from client has expired */
-#define AUTH_TOKEN_VALID_EMPTYUSER (1<<2)
- /**<
- * Auth-token is only valid for an empty username
- * and not the username actually supplied from the client
- *
- * OpenVPN 3 clients sometimes wipes or replaces the username with a
- * username hint from their config.
+ char *auth_token;
+ /**
+ * The first auth-token we sent to a client. We use this to remember
+ * the session ID and initial timestamp when generating new auth-token.
*/
+ char *auth_token_initial;
+
+/** Auth-token sent from client has valid hmac */
+#define AUTH_TOKEN_HMAC_OK (1 << 0)
+/** Auth-token sent from client has expired */
+#define AUTH_TOKEN_EXPIRED (1 << 1)
+/**
+ * Auth-token is only valid for an empty username
+ * and not the username actually supplied from the client
+ *
+ * OpenVPN 3 clients sometimes wipes or replaces the username with a
+ * username hint from their config.
+ */
+#define AUTH_TOKEN_VALID_EMPTYUSER (1 << 2)
/* For P_DATA_V2 */
uint32_t peer_id;
/*
* Our session objects.
*/
+ /** Array of \c tls_session objects
+ * representing control channel
+ * sessions with the remote peer. */
struct tls_session session[TM_SIZE];
- /**< Array of \c tls_session objects
- * representing control channel
- * sessions with the remote peer. */
/* Only used when DCO is used to remember how many keys we installed
* for this session */