# Misc cleanup
mod_remove_extra_semicolon=true
+# leave blank at end of empty for() statements
+sp_after_semi_for_empty=Add
+
# Use C-style comments (/* .. */)
cmt_c_nl_end=true
cmt_star_cont=true
set_interface_metric(const NET_IFINDEX index, const ADDRESS_FAMILY family,
const ULONG metric);
-#endif
-#endif
+#endif /* ifndef OPENVPN_BLOCK_DNS_H */
+#endif /* ifdef _WIN32 */
/*
* openvpn_swprintf() is currently only used by Windows code paths
- * and when enabled for all platforms it will currently break older
+ * and when enabled for all platforms it will currently break older
* OpenBSD versions lacking vswprintf(3) support in their libc.
*/
}
void
-gc_addspecial(void *addr, void(free_function)(void *), struct gc_arena *a)
+gc_addspecial(void *addr, void (free_function)(void *), struct gc_arena *a)
{
ASSERT(a);
struct gc_entry_special *e;
*/
bool
openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...);
+
/*
* Unlike in openvpn_snprintf, we cannot use format attributes since
* GCC doesn't support wprintf as archetype.
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
+ */
#ifndef CONSOLE_H
#define CONSOLE_H
{
int i;
for (i = 0; i < kt->cipher_length; ++i)
+ {
if (key->cipher[i])
{
return false;
}
+ }
msg(D_CRYPT_ERRORS, "CRYPTO INFO: WARNING: zero key detected");
return true;
}
{
in = buffer_read_from_file(file, &gc);
if (!buf_valid(&in))
+ {
msg(M_FATAL, "Read error on key file ('%s')", file);
+ }
size = in.len;
}
buf_printf(&out, "%s\n", static_key_foot);
/* write key file, now formatted in out, to file */
- if(!buffer_write_file(filename, &out))
+ if (!buffer_write_file(filename, &out))
{
nbits = -1;
}
{
int i;
for (i = 0; i < size; ++i)
+ {
nonce_data[i] = (uint8_t) i;
+ }
}
#endif
}
print_cipher(const cipher_kt_t *cipher)
{
const char *var_key_size = cipher_kt_var_key_size(cipher) ?
- " by default" : "";
+ " by default" : "";
printf("%s (%d bit key%s, ",
translate_cipher_name_to_openvpn(cipher_kt_name(cipher)),
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
int key_direction, const struct key_type *kt,
- const char *name);
+ const char *name);
void free_key_ctx_bi(struct key_ctx_bi *ctx);
int ret = 0;
size_t i;
- for (i = 0; i < size; i++) {
+ for (i = 0; i < size; i++)
+ {
ret |= *a1++ ^ *b1++;
}
typedef enum {
MD_SHA1,
MD_SHA256
-} hash_algo_type ;
+} hash_algo_type;
/** Struct used in cipher name translation table */
typedef struct {
size_t out_len = 0;
if (MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL !=
- mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src),
- NULL, 0, &out_len))
+ mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src),
+ NULL, 0, &out_len))
{
return false;
}
return ctx;
}
-void md_ctx_free(mbedtls_md_context_t *ctx)
+void
+md_ctx_free(mbedtls_md_context_t *ctx)
{
free(ctx);
}
#define mbed_ok(errval) \
mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__)
-static inline bool cipher_kt_var_key_size(const cipher_kt_t *cipher)
+static inline bool
+cipher_kt_var_key_size(const cipher_kt_t *cipher)
{
return cipher->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN;
}
else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
{
msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically "
- "indicates that client and server have no common TLS version enabled. "
- "This can be caused by mismatched tls-version-min and tls-version-max "
- "options on client and server. "
- "If your OpenVPN client is between v2.3.6 and v2.3.2 try adding "
- "tls-version-min 1.0 to the client configuration to use TLS 1.0+ "
- "instead of TLS 1.0 only");
+ "indicates that client and server have no common TLS version enabled. "
+ "This can be caused by mismatched tls-version-min and tls-version-max "
+ "options on client and server. "
+ "If your OpenVPN client is between v2.3.6 and v2.3.2 try adding "
+ "tls-version-min 1.0 to the client configuration to use TLS 1.0+ "
+ "instead of TLS 1.0 only");
}
msg(flags, "OpenSSL: %s", ERR_error_string(err, NULL));
}
qsort(cipher_list, num_ciphers, sizeof(*cipher_list), cipher_name_cmp);
- for (i = 0; i < num_ciphers; i++) {
+ for (i = 0; i < num_ciphers; i++)
+ {
if (!cipher_kt_insecure(cipher_list[i]))
{
print_cipher(cipher_list[i]);
printf("\nThe following ciphers have a block size of less than 128 bits, \n"
"and are therefore deprecated. Do not use unless you have to.\n\n");
- for (i = 0; i < num_ciphers; i++) {
+ for (i = 0; i < num_ciphers; i++)
+ {
if (cipher_kt_insecure(cipher_list[i]))
{
print_cipher(cipher_list[i]);
cleanup:
if (!BIO_free(bio))
{
- ret = false;;
+ ret = false;
}
return ret;
OPENSSL_free(data_read);
if (!BIO_free(bio))
{
- ret = false;;
+ ret = false;
}
return ret;
#ifdef NID_chacha20_poly1305
|| EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305
#endif
- );
+ );
}
int
{
switch (EVP_CIPHER_nid(cipher))
{
- case NID_aes_128_gcm:
- case NID_aes_192_gcm:
- case NID_aes_256_gcm:
+ case NID_aes_128_gcm:
+ case NID_aes_192_gcm:
+ case NID_aes_256_gcm:
#ifdef NID_chacha20_poly1305
- case NID_chacha20_poly1305:
+ case NID_chacha20_poly1305:
#endif
- return true;
+ return true;
}
}
#endif
return ctx;
}
-void md_ctx_free(EVP_MD_CTX *ctx)
+void
+md_ctx_free(EVP_MD_CTX *ctx)
{
EVP_MD_CTX_free(ctx);
}
msg((flags), __VA_ARGS__); \
} while (false)
-static inline bool cipher_kt_var_key_size(const cipher_kt_t *cipher)
+static inline bool
+cipher_kt_var_key_size(const cipher_kt_t *cipher)
{
return EVP_CIPHER_flags(cipher) & EVP_CIPH_VARIABLE_LENGTH;
}
/* trim to the left */
if (rv)
{
- for (p = rv + strlen(rv) - 1; p >= rv; p--) {
+ for (p = rv + strlen(rv) - 1; p >= rv; p--)
+ {
if (isspace(*p))
{
*p = '\0';
}
/* since MS error codes are 32 bit, and the ones in the ERR_... system is
* only 12, we must have a mapping table between them. */
- for (i = 0; i < ERR_MAP_SZ; i++) {
+ for (i = 0; i < ERR_MAP_SZ; i++)
+ {
if (err_map[i].ms_err == ms_err)
{
ERR_PUT_error(ERR_LIB_CRYPTOAPI, func, err_map[i].err, file, line);
BCRYPT_PKCS1_PADDING_INFO padinfo = {hash_algo};
DWORD status;
- status = NCryptSignHash(hkey, padding? &padinfo : NULL, (BYTE*) from, flen,
- to, tlen, &len, padding? BCRYPT_PAD_PKCS1 : 0);
+ status = NCryptSignHash(hkey, padding ? &padinfo : NULL, (BYTE *) from, flen,
+ to, tlen, &len, padding ? BCRYPT_PAD_PKCS1 : 0);
if (status != ERROR_SUCCESS)
{
SetLastError(status);
*/
static int
rsa_sign_CNG(int type, const unsigned char *m, unsigned int m_len,
- unsigned char *sig, unsigned int *siglen, const RSA *rsa)
+ unsigned char *sig, unsigned int *siglen, const RSA *rsa)
{
CAPI_DATA *cd = (CAPI_DATA *) RSA_meth_get0_app_data(RSA_get_method(rsa));
const wchar_t *alg = NULL;
/* No DigestInfo header is required -- set alg-name to NULL */
alg = NULL;
break;
+
default:
msg(M_WARN, "cryptoapicert: Unknown hash type NID=0x%x", type);
RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE);
return 0;
}
CAPI_DATA_free(cd);
- RSA_meth_free((RSA_METHOD*) rsa_meth);
+ RSA_meth_free((RSA_METHOD *) rsa_meth);
return 1;
}
if (cd->key_spec != CERT_NCRYPT_KEY_SPEC)
{
msg(M_NONFATAL, "ERROR: cryptoapicert with only legacy private key handle available."
- " EC certificate not supported.");
+ " EC certificate not supported.");
goto err;
}
/* create a method struct with default callbacks filled in */
/* skip the tag */
cert_prop += 6;
- for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++) {
+ for (p = (char *) cert_prop, i = 0; *p && i < sizeof(hash); i++)
+ {
if (*p >= '0' && *p <= '9')
{
x = (*p - '0') << 4;
bool rsa_method_set = false;
my_rsa_method = RSA_meth_new("Microsoft Cryptography API RSA Method",
- RSA_METHOD_FLAG_NO_CHECK);
+ RSA_METHOD_FLAG_NO_CHECK);
check_malloc_return(my_rsa_method);
RSA_meth_set_pub_enc(my_rsa_method, rsa_pub_enc);
RSA_meth_set_pub_dec(my_rsa_method, rsa_pub_dec);
goto err;
}
/* SSL_CTX_use_RSAPrivateKey() increased the reference count in 'rsa', so
- * we decrease it here with RSA_free(), or it will never be cleaned up. */
+ * we decrease it here with RSA_free(), or it will never be cleaned up. */
RSA_free(rsa);
return 1;
DWORD flags = CRYPT_ACQUIRE_COMPARE_KEY_FLAG
| CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG;
if (!CryptAcquireCertificatePrivateKey(cd->cert_context, flags, NULL,
- &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov))
+ &cd->crypt_prov, &cd->key_spec, &cd->free_crypt_prov))
{
/* if we don't have a smart card reader here, and we try to access a
* smart card certificate, we get:
setenv_long_long(struct env_set *es, const char *name, long long value)
{
char buf[64];
- openvpn_snprintf(buf, sizeof(buf), "%"PRIi64, (int64_t)value);
+ openvpn_snprintf(buf, sizeof(buf), "%" PRIi64, (int64_t)value);
setenv_str(es, name, buf);
}
void env_set_inherit(struct env_set *es, const struct env_set *src);
/* returns true if environmental variable name starts with 'password' */
-static inline bool is_password_env_var(const char *str)
+static inline bool
+is_password_env_var(const char *str)
{
return (strncmp(str, "password", 8) == 0);
}
/* returns true if environmental variable safe to print to log */
-static inline bool env_safe_to_print(const char *str)
+static inline bool
+env_safe_to_print(const char *str)
{
#ifndef UNSAFE_DEBUG
if (is_password_env_var(str))
struct timeval tv;
gettimeofday(&tv, NULL);
- fprintf(fp, "%"PRIi64".%06ld %x %s%s%s%s",
+ fprintf(fp, "%" PRIi64 ".%06ld %x %s%s%s%s",
(int64_t)tv.tv_sec,
(long)tv.tv_usec,
flags,
struct timeval tv_tmp = *tv;
int stat;
- dmsg(D_EVENT_WAIT, "SE_WAIT_FAST maxfd=%d tv=%"PRIi64"/%ld",
+ dmsg(D_EVENT_WAIT, "SE_WAIT_FAST maxfd=%d tv=%" PRIi64 "/%ld",
ses->maxfd,
(int64_t)tv_tmp.tv_sec,
(long)tv_tmp.tv_usec);
fd_set write = ses->writefds;
int stat;
- dmsg(D_EVENT_WAIT, "SE_WAIT_SCALEABLE maxfd=%d tv=%"PRIi64"/%ld",
+ dmsg(D_EVENT_WAIT, "SE_WAIT_SCALEABLE maxfd=%d tv=%" PRIi64 "/%ld",
ses->maxfd, (int64_t)tv_tmp.tv_sec, (long)tv_tmp.tv_usec);
stat = select(ses->maxfd + 1, &read, &write, NULL, &tv_tmp);
process_coarse_timers(struct context *c)
{
/* flush current packet-id to file once per 60
- * seconds if --replay-persist was specified */
+ * seconds if --replay-persist was specified */
check_packet_id_persist_flush(c);
/* should we update status file? */
process_coarse_timers(c);
c->c2.coarse_timer_wakeup = now + c->c2.timeval.tv_sec;
- dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %"PRIi64" seconds", (int64_t)c->c2.timeval.tv_sec);
+ dmsg(D_INTERVAL, "TIMER: coarse timer wakeup %" PRIi64 " seconds", (int64_t)c->c2.timeval.tv_sec);
/* Is the coarse timeout NOT the earliest one? */
if (c->c2.timeval.tv_sec > save.tv_sec)
void check_scheduled_exit_dowork(struct context *c);
void check_push_request_dowork(struct context *c);
+
#endif /* P2MP */
#ifdef ENABLE_FRAGMENT
void check_fragment_dowork(struct context *c);
+
#endif /* ENABLE_FRAGMENT */
void check_connection_established_dowork(struct context *c);
}
if (options->tls_crypt_v2_genkey_type)
{
- if(!strcmp(options->tls_crypt_v2_genkey_type, "server"))
+ if (!strcmp(options->tls_crypt_v2_genkey_type, "server"))
{
tls_crypt_v2_write_server_key_file(options->tls_crypt_v2_genkey_file);
return true;
}
if (options->tls_crypt_v2_genkey_type
- && !strcmp(options->tls_crypt_v2_genkey_type, "client"))
+ && !strcmp(options->tls_crypt_v2_genkey_type, "client"))
{
if (!options->tls_crypt_v2_file)
{
}
tls_crypt_v2_write_client_key_file(options->tls_crypt_v2_genkey_file,
- options->tls_crypt_v2_metadata, options->tls_crypt_v2_file,
- options->tls_crypt_v2_inline);
+ options->tls_crypt_v2_metadata, options->tls_crypt_v2_file,
+ options->tls_crypt_v2_inline);
return true;
}
if (!streq(options->authname, "none"))
{
c->c1.ks.tls_auth_key_type.digest = md_kt_get(options->authname);
- c->c1.ks.tls_auth_key_type.hmac_length =
- md_kt_size(c->c1.ks.tls_auth_key_type.digest);
+ c->c1.ks.tls_auth_key_type.hmac_length =
+ md_kt_size(c->c1.ks.tls_auth_key_type.digest);
}
else
{
return;
#else /* if P2MP */
msg(M_FATAL, "Error: private key password verification failed");
-#endif
+#endif /* if P2MP */
}
/* Get cipher & hash algorithms */
{
/* Add 10% jitter to reneg-sec by default (server side only) */
int auto_jitter = options->mode != MODE_SERVER ? 0 :
- get_random() % max_int(options->renegotiate_seconds / 10, 1);
+ get_random() % max_int(options->renegotiate_seconds / 10, 1);
to.renegotiate_seconds = options->renegotiate_seconds - auto_jitter;
}
else
{
/* Add user-specified jitter to reneg-sec */
- to.renegotiate_seconds = options->renegotiate_seconds -
- (get_random() % max_int(options->renegotiate_seconds
- - options->renegotiate_seconds_min, 1));
+ to.renegotiate_seconds = options->renegotiate_seconds
+ -(get_random() % max_int(options->renegotiate_seconds
+ - options->renegotiate_seconds_min, 1));
}
to.single_session = options->single_session;
to.mode = options->mode;
#ifndef htonll
#define htonll(x) ((1==htonl(1)) ? (x) : \
- ((uint64_t)htonl((x) & 0xFFFFFFFF) << 32) | htonl((x) >> 32))
+ ((uint64_t)htonl((x) & 0xFFFFFFFF) << 32) | htonl((x) >> 32))
#endif
#ifndef ntohll
#define ntohll(x) ((1==ntohl(1)) ? (x) : \
- ((uint64_t)ntohl((x) & 0xFFFFFFFF) << 32) | ntohl((x) >> 32))
+ ((uint64_t)ntohl((x) & 0xFFFFFFFF) << 32) | ntohl((x) >> 32))
#endif
/*
char *
/* returns allocated base64 signature */
management_query_pk_sig(struct management *man,
- const char *b64_data)
+ const char *b64_data)
{
const char *prompt = "PK_SIGN";
const char *desc = "pk-sign";
desc = "rsa-sign";
}
return management_query_multiline_flatten(man, b64_data, prompt, desc,
- &man->connection.ext_key_state, &man->connection.ext_key_input);
+ &man->connection.ext_key_state, &man->connection.ext_key_input);
}
char *
if (BLEN(buf) < (int) sizeof(struct openvpn_tcphdr))
{
- return;
+ return;
}
verify_align_4(buf);
multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
#ifdef MULTI_DEBUG_EVENT_LOOP
- printf("POST %s[%d] to=%d lo=%d/%d w=%"PRIi64"/%ld\n",
+ printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
id(mi),
(int) (mi == m->pending),
mi ? mi->context.c2.to_tun.len : -1,
#define MULTI_CACHE_ROUTE_TTL 60
void multi_reap_process_dowork(const struct multi_context *m);
+
void multi_process_per_second_timers_dowork(struct multi_context *m);
static inline void
* byte order on the wire for the NTLM header is LE.
*/
const size_t hoff = 0x14;
- unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8) |
- (buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24);
+ unsigned long flags = buf2[hoff] | (buf2[hoff + 1] << 8)
+ |(buf2[hoff + 2] << 16) | (buf2[hoff + 3] << 24);
if ((flags & 0x00800000) == 0x00800000)
{
tib_len = buf2[0x28]; /* Get Target Information block size */
* @param store X509 object store
* @return the X509 object stack
*/
-static inline STACK_OF(X509_OBJECT) *
-X509_STORE_get0_objects(X509_STORE *store)
+static inline STACK_OF(X509_OBJECT)
+*X509_STORE_get0_objects(X509_STORE *store)
{
return store ? store->objs : NULL;
}
return 1;
}
-#endif
+#endif /* if !defined(HAVE_RSA_SET0_KEY) */
#if !defined(HAVE_RSA_BITS)
/**
*/
static inline int
RSA_meth_set_pub_enc(RSA_METHOD *meth,
- int (*pub_enc) (int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,
- int padding))
+ int (*pub_enc)(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
{
if (meth)
{
*/
static inline int
RSA_meth_set_pub_dec(RSA_METHOD *meth,
- int (*pub_dec) (int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,
- int padding))
+ int (*pub_dec)(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
{
if (meth)
{
*/
static inline int
RSA_meth_set_priv_enc(RSA_METHOD *meth,
- int (*priv_enc) (int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,
- int padding))
+ int (*priv_enc)(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
{
if (meth)
{
*/
static inline int
RSA_meth_set_priv_dec(RSA_METHOD *meth,
- int (*priv_dec) (int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa,
- int padding))
+ int (*priv_dec)(int flen, const unsigned char *from,
+ unsigned char *to, RSA *rsa,
+ int padding))
{
if (meth)
{
* @return 1 on success, 0 on error
*/
static inline int
-RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
+RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa))
{
if (meth)
{
* @return 1 on success, 0 on error
*/
static inline
-int RSA_meth_set_sign(RSA_METHOD *meth,
- int (*sign) (int type, const unsigned char *m,
- unsigned int m_length,
- unsigned char *sigret, unsigned int *siglen,
- const RSA *rsa))
+int
+RSA_meth_set_sign(RSA_METHOD *meth,
+ int (*sign)(int type, const unsigned char *m,
+ unsigned int m_length,
+ unsigned char *sigret, unsigned int *siglen,
+ const RSA *rsa))
{
meth->rsa_sign = sign;
return 1;
* @return 1 on success, 0 on error
*/
static inline int
-RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
+RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
{
if (meth)
{
static inline int
EC_GROUP_order_bits(const EC_GROUP *group)
{
- BIGNUM* order = BN_new();
+ BIGNUM *order = BN_new();
EC_GROUP_get_order(group, order, NULL);
int bits = BN_num_bits(order);
BN_free(order);
"passwords is STRONGLY discouraged and considered insecure");
}
-#endif
+#endif /* ifdef ENABLE_MANAGEMENT */
/*
* Windows-specific options.
{
struct buffer in = buffer_read_from_file(o->tls_auth_file, &o->gc);
if (!buf_valid(&in))
+ {
msg(M_FATAL, "Cannot pre-load tls-auth keyfile (%s)",
o->tls_auth_file);
+ }
ce->tls_auth_file = INLINE_FILE_TAG;
ce->tls_auth_file_inline = (char *)in.data;
{
struct buffer in = buffer_read_from_file(o->tls_crypt_file, &o->gc);
if (!buf_valid(&in))
+ {
msg(M_FATAL, "Cannot pre-load tls-crypt keyfile (%s)",
o->tls_auth_file);
+ }
ce->tls_crypt_file = INLINE_FILE_TAG;
ce->tls_crypt_inline = (char *)in.data;
{
/* DH file is only meaningful in a tls-server context. */
msg(M_WARN, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
- "include this in your server configuration");
+ "include this in your server configuration");
o->dh_file = NULL;
}
{
if (strstr(p[2], ":"))
{
- ipv6dns=true;
+ ipv6dns = true;
foreign_option(options, p, 3, es);
dhcp_option_dns6_parse(p[2], o->dns6, &o->dns6_len, msglevel);
}
tv_string(const struct timeval *tv, struct gc_arena *gc)
{
struct buffer out = alloc_buf_gc(64, gc);
- buf_printf(&out, "[%"PRIi64"/%ld]",
+ buf_printf(&out, "[%" PRIi64 "/%ld]",
(int64_t)tv->tv_sec,
(long)tv->tv_usec);
return BSTR(&out);
t = time(NULL);
gettimeofday(&tv, NULL);
#if 1
- msg(M_INFO, "t=%"PRIi64" s=%"PRIi64" us=%ld",
+ msg(M_INFO, "t=%" PRIi64 " s=%" PRIi64 " us=%ld",
(int64_t)t,
(int64_t)tv.tv_sec,
(long)tv.tv_usec);
bool
packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form,
- bool prepend)
+ bool prepend)
{
if (!packet_id_send_update(p, long_form))
{
}
buf_printf(&out, "%c", c);
}
- buf_printf(&out, "] %"PRIi64":" packet_id_format, (int64_t)p->time, (packet_id_print_type)p->id);
+ buf_printf(&out, "] %" PRIi64 ":" packet_id_format, (int64_t)p->time, (packet_id_print_type)p->id);
if (pin)
{
- buf_printf(&out, " %"PRIi64":" packet_id_format, (int64_t)pin->time, (packet_id_print_type)pin->id);
+ buf_printf(&out, " %" PRIi64 ":" packet_id_format, (int64_t)pin->time, (packet_id_print_type)pin->id);
}
- buf_printf(&out, " t=%"PRIi64"[%d]",
+ buf_printf(&out, " t=%" PRIi64 "[%d]",
(int64_t)prev_now,
(int)(prev_now - tv.tv_sec));
{
packet_id_reap_test(&pid.rec);
test = packet_id_test(&pid.rec, &pin);
- printf("packet_id_test (%"PRIi64", " packet_id_format ") returned %d\n",
+ printf("packet_id_test (%" PRIi64 ", " packet_id_format ") returned %d\n",
(int64_t)pin.time,
(packet_id_print_type)pin.id,
test);
{
long_form = (count < 20);
packet_id_alloc_outgoing(&pid.send, &pin, long_form);
- printf("(%"PRIi64"(" packet_id_format "), %d)\n",
+ printf("(%" PRIi64 "(" packet_id_format "), %d)\n",
(int64_t)pin.time,
(packet_id_print_type)pin.id,
long_form);
* @return true if successful, false otherwise.
*/
bool packet_id_write(struct packet_id_send *p, struct buffer *buf,
- bool long_form, bool prepend);
+ bool long_form, bool prepend);
/*
* Inline functions.
}
}
-#endif
+#endif /* ifndef PING_H */
p->plugin_handle,
per_client_context,
(current_cert ? certdepth : -1),
- current_cert
- };
+ current_cert };
struct openvpn_plugin_args_func_return retargs;
const char *algor = get_pa_var("algorithm", pa, &gc);
const char *opaque = get_pa_var("opaque", pa, &gc);
- if ( !realm || !nonce )
+ if (!realm || !nonce)
{
msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response "
- "from server: realm= or nonce= missing" );
+ "from server: realm= or nonce= missing" );
goto error;
}
printf("********* struct reliable %s\n", desc);
printf(" initial_timeout=%d\n", (int)rel->initial_timeout);
printf(" packet_id=" packet_id_format "\n", rel->packet_id);
- printf(" now=%"PRIi64"\n", (int64_t)now);
+ printf(" now=%" PRIi64 "\n", (int64_t)now);
for (i = 0; i < rel->size; ++i)
{
const struct reliable_entry *e = &rel->array[i];
if (e->active)
{
printf(" %d: packet_id=" packet_id_format " len=%d", i, e->packet_id, e->buf.len);
- printf(" next_try=%"PRIi64, (int64_t)e->next_try);
+ printf(" next_try=%" PRIi64, (int64_t)e->next_try);
printf("\n");
}
}
* (only do this for routes actually using the tun/tap device)
*/
if (tt->type == DEV_TYPE_TUN
- && msg.iface.index == tt->adapter_index )
+ && msg.iface.index == tt->adapter_index)
{
inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
}
if (rgi->flags & RGI_ON_LINK)
{
/* check that interface name of current interface
- * matches interface name of best default route */
+ * matches interface name of best default route */
if (strcmp(ifreq.ifr_name, best_name))
{
continue;
/* contains an SSEC_x value defined in platform.h */
static int script_security_level = SSEC_BUILT_IN; /* GLOBAL */
-int script_security(void)
+int
+script_security(void)
{
return script_security_level;
}
-void script_security_set(int level)
+void
+script_security_set(int level)
{
script_security_level = level;
}
}
}
#ifdef SHAPER_DEBUG
- dmsg(D_SHAPER_DEBUG, "SHAPER shaper_soonest_event sec=%"PRIi64" usec=%ld ret=%d",
+ dmsg(D_SHAPER_DEBUG, "SHAPER shaper_soonest_event sec=%" PRIi64 " usec=%ld ret=%d",
(int64_t)tv->tv_sec, (long)tv->tv_usec, (int)ret);
#endif
return ret;
tv_add(&s->wakeup, &tv);
#ifdef SHAPER_DEBUG
- dmsg(D_SHAPER_DEBUG, "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%"PRIi64" usec=%ld",
+ dmsg(D_SHAPER_DEBUG, "SHAPER shaper_wrote_bytes bytes=%d delay=%ld sec=%" PRIi64 " usec=%ld",
nbytes,
(long)tv.tv_usec,
(int64_t)s->wakeup.tv_sec,
bits = 0;
max_bits = sizeof(in_addr_t) * 8;
break;
+
case AF_INET6:
bits = 64;
max_bits = sizeof(struct in6_addr) * 8;
break;
+
default:
msg(M_WARN,
"Unsupported AF family passed to getaddrinfo for %s (%d)",
}
/* check if this hostname has a /bits suffix */
- sep = strchr(var_host , '/');
+ sep = strchr(var_host, '/');
if (sep)
{
bits = strtoul(sep + 1, &endp, 10);
*ip4 = ntohl(*ip4);
}
break;
+
case AF_INET6:
ip6 = network;
*ip6 = ((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
break;
+
default:
/* can't get here because 'af' was previously checked */
msg(M_WARN,
int len; /* -1 if not yet known */
bool error; /* if true, fatal TCP error has occurred,
- * requiring that connection be restarted */
+ * requiring that connection be restarted */
#if PORT_SHARE
#define PS_DISABLED 0
#define PS_ENABLED 1
{
if (tls_ctx_use_management_external_key(new_ctx))
{
- msg (M_WARN, "Cannot initialize mamagement-external-key");
+ msg(M_WARN, "Cannot initialize mamagement-external-key");
goto err;
}
}
else
{
session->initial_opcode = session->opt->tls_crypt_v2 ?
- P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2;
+ P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2;
}
}
if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3
&& !tls_crypt_v2_extract_client_key(buf, ctx, opt))
{
- msg (D_TLS_ERRORS,
- "TLS Error: can not extract tls-crypt-v2 client key from %s",
- print_link_socket_actual(from, &gc));
+ msg(D_TLS_ERRORS,
+ "TLS Error: can not extract tls-crypt-v2 client key from %s",
+ print_link_socket_actual(from, &gc));
goto cleanup;
}
/* Save incoming ciphertext packet to reliable buffer */
struct buffer *in = reliable_get_buf(ks->rec_reliable);
ASSERT(in);
- if(!buf_copy(in, buf))
+ if (!buf_copy(in, buf))
{
msg(D_MULTI_DROPPED,
"Incoming control channel packet too big, dropping.");
show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
printf("\n"
- "Be aware that that whether a cipher suite in this list can actually work\n"
- "depends on the specific setup of both peers. See the man page entries of\n"
- "--tls-cipher and --show-tls for more details.\n\n"
- );
+ "Be aware that that whether a cipher suite in this list can actually work\n"
+ "depends on the specific setup of both peers. See the man page entries of\n"
+ "--tls-cipher and --show-tls for more details.\n\n"
+ );
}
/*
struct buffer work; /**< Work buffer (only for --tls-crypt) */
struct key_ctx tls_crypt_v2_server_key; /**< Decrypts client keys */
const struct buffer *tls_crypt_v2_wkc; /**< Wrapped client key,
- sent to server */
+ * sent to server */
struct buffer tls_crypt_v2_metadata; /**< Received from client */
bool cleanup_key_ctx; /**< opt.key_ctx_bi is owned by
- this context */
+ * this context */
};
/*
static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy =
{
/* Hashes from SHA-1 and above */
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 )
+ |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_RIPEMD160 )
+ |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 )
+ |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 )
+ |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 )
+ |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
0xFFFFFFF, /* Any PK alg */
0xFFFFFFF, /* Any curve */
1024, /* RSA-1024 and larger */
static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_preferred =
{
/* SHA-2 and above */
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
- MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
+ MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 )
+ |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 )
+ |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 )
+ |MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
0xFFFFFFF, /* Any PK alg */
0xFFFFFFF, /* Any curve */
2048, /* RSA-2048 and larger */
}
msg(M_WARN, "mbed TLS does not support setting tls-ciphersuites. "
- "Ignoring TLS 1.3 cipher list: %s", ciphers);
+ "Ignoring TLS 1.3 cipher list: %s", ciphers);
}
void
}
else
{
- msg (M_FATAL, "ERROR: Invalid cert profile: %s", profile);
+ msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile);
}
}
if (ctx->crt_chain == NULL)
{
- msg (M_WARN, "ERROR: external key requires a certificate.");
+ msg(M_WARN, "ERROR: external key requires a certificate.");
return 1;
}
if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA)
{
msg(M_WARN, "ERROR: external key with mbed TLS requires a "
- "certificate with an RSA key.");
+ "certificate with an RSA key.");
return 1;
}
ret = true;
cleanup:
- free (src_b64);
- free (dst_b64);
+ free(src_b64);
+ free(dst_b64);
return ret;
}
* @return true if signing succeeded, false otherwise.
*/
typedef bool (*external_sign_func)(
- void *sign_ctx, const void *src, size_t src_size,
- void *dst, size_t dst_size);
+ void *sign_ctx, const void *src, size_t src_size,
+ void *dst, size_t dst_size);
/** Context used by external_pkcs1_sign() */
struct external_context {
return TLS_VER_1_2;
#elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
return TLS_VER_1_1;
-#else
+#else /* if defined(TLS1_3_VERSION) */
return TLS_VER_1_0;
#endif
}
}
void
-convert_tls_list_to_openssl(char* openssl_ciphers, size_t len,const char *ciphers)
+convert_tls_list_to_openssl(char *openssl_ciphers, size_t len,const char *ciphers)
{
/* Parse supplied cipher list and pass on to OpenSSL */
size_t begin_of_cipher, end_of_cipher;
}
#if (OPENSSL_VERSION_NUMBER < 0x1010100fL)
- crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
- "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
- ciphers);
+ crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
+ "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
+ ciphers);
#else
ASSERT(NULL != ctx);
{
msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile);
}
-#else
+#else /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
if (profile)
{
msg(M_WARN, "WARNING: OpenSSL 1.0.1 does not support --tls-cert-profile"
", ignoring user-set profile: '%s'", profile);
}
-#endif
+#endif /* ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL */
}
void
{
nid = EC_GROUP_get_curve_name(ecgrp);
}
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER >= 0x10002000L */
}
/* Translate NID back to name , just for kicks */
ret = get_sig_from_man(from, flen, to, len);
- return (ret == len)? ret : -1;
+ return (ret == len) ? ret : -1;
}
static int
{
EVP_PKEY_free(privkey);
}
- if(ec)
+ if (ec)
{
EC_KEY_free(ec);
}
crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate");
goto cleanup;
}
-#else
+#else /* if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) */
else
{
crypto_msg(M_WARN, "management-external-key requires an RSA certificate");
if (len > 0)
{
open_biofp();
- fprintf(biofp, "BIO_%s %s time=%"PRIi64" bio=" ptr_format " len=%d data=%s\n",
+ fprintf(biofp, "BIO_%s %s time=%" PRIi64 " bio=" ptr_format " len=%d data=%s\n",
mode, desc, (int64_t)time(NULL), (ptr_type)bio, len, format_hex(buf, len, 0, &gc));
fflush(biofp);
}
bio_debug_oc(const char *mode, BIO *bio)
{
open_biofp();
- fprintf(biofp, "BIO %s time=%"PRIi64" bio=" ptr_format "\n",
+ fprintf(biofp, "BIO %s time=%" PRIi64 " bio=" ptr_format "\n",
mode, (int64_t)time(NULL), (ptr_type)bio);
fflush(biofp);
}
{
EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
const EC_GROUP *group = EC_KEY_get0_group(ec);
- const char* curve;
+ const char *curve;
int nid = EC_GROUP_get_curve_name(group);
if (nid == 0 || (curve = OBJ_nid2sn(nid)) == NULL)
#else
STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
#endif
- for (int i=0;i < sk_SSL_CIPHER_num(sk);i++)
+ for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
{
const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
if (tls13)
{
- printf("%s\n", cipher_name);
+ printf("%s\n", cipher_name);
}
else if (NULL == pair)
{
static void
wipe_auth_token(struct tls_multi *multi)
{
- if(multi)
+ if (multi)
{
if (multi->auth_token)
{
switch (opt->verify_hash_algo)
{
- case MD_SHA1:
- ca_hash = x509_get_sha1_fingerprint(cert, &gc);
- break;
-
- case MD_SHA256:
- ca_hash = x509_get_sha256_fingerprint(cert, &gc);
- break;
-
- default:
- /* This should normally not happen at all; the algorithm used
- * is parsed by add_option() [options.c] and set to a predefined
- * value in an enumerated type. So if this unlikely scenario
- * happens, consider this a failure
- */
- msg(M_WARN, "Unexpected invalid algorithm used with "
- "--verify-hash (%i)", opt->verify_hash_algo);
- ret = FAILURE;
- goto cleanup;
+ case MD_SHA1:
+ ca_hash = x509_get_sha1_fingerprint(cert, &gc);
+ break;
+
+ case MD_SHA256:
+ ca_hash = x509_get_sha256_fingerprint(cert, &gc);
+ break;
+
+ default:
+ /* This should normally not happen at all; the algorithm used
+ * is parsed by add_option() [options.c] and set to a predefined
+ * value in an enumerated type. So if this unlikely scenario
+ * happens, consider this a failure
+ */
+ msg(M_WARN, "Unexpected invalid algorithm used with "
+ "--verify-hash (%i)", opt->verify_hash_algo);
+ ret = FAILURE;
+ goto cleanup;
}
if (memcmp(BPTR(&ca_hash), opt->verify_hash, BLEN(&ca_hash)))
/* generate filename for deferred auth control file */
if (!key_state_gen_auth_control_file(ks, session->opt))
{
- msg (D_TLS_ERRORS, "TLS Auth Error (%s): "
- "could not create deferred auth control file", __func__);
+ msg(D_TLS_ERRORS, "TLS Auth Error (%s): "
+ "could not create deferred auth control file", __func__);
goto cleanup;
}
#endif
* --x509-username-field option.
*/
bool x509_username_field_ext_supported(const char *extname);
+
#endif
/*
}
#ifdef ENABLE_X509ALTUSERNAME
-bool x509_username_field_ext_supported(const char *fieldname)
+bool
+x509_username_field_ext_supported(const char *fieldname)
{
int nid = OBJ_txt2nid(fieldname);
return nid == NID_subject_alt_name || nid == NID_issuer_alt_name;
* prevent it to take a const argument
*/
result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_CLIENT, 0) ?
- SUCCESS : FAILURE;
+ SUCCESS : FAILURE;
/*
* old versions of OpenSSL allow us to make the less strict check we used to
* prevent it to take a const argument
*/
result_t result = X509_check_purpose(peer_cert, X509_PURPOSE_SSL_SERVER, 0) ?
- SUCCESS : FAILURE;
+ SUCCESS : FAILURE;
/*
* old versions of OpenSSL allow us to make the less strict check we used to
struct key_type kt = tls_crypt_kt();
if (!kt.cipher || !kt.digest)
{
- msg (M_FATAL, "ERROR: --tls-crypt not supported");
+ msg(M_FATAL, "ERROR: --tls-crypt not supported");
}
crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
"Control Channel Encryption", "tls-crypt");
memcpy(&client_key->keys, BPTR(&plaintext), sizeof(client_key->keys));
ASSERT(buf_advance(&plaintext, sizeof(client_key->keys)));
- if(!buf_copy(metadata, &plaintext))
+ if (!buf_copy(metadata, &plaintext))
{
CRYPT_ERROR("metadata too large for supplied buffer");
}
if (!ctx->tls_crypt_v2_server_key.cipher)
{
msg(D_TLS_ERRORS,
- "Client wants tls-crypt-v2, but no server key present.");
+ "Client wants tls-crypt-v2, but no server key present.");
return false;
}
#define TLS_CRYPT_V2_SERVER_KEY_LEN (sizeof(struct key))
#define TLS_CRYPT_V2_TAG_SIZE (TLS_CRYPT_TAG_SIZE)
#define TLS_CRYPT_V2_MAX_METADATA_LEN (unsigned)(TLS_CRYPT_V2_MAX_WKC_LEN \
- - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \
- + sizeof(uint16_t)))
+ - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \
+ + sizeof(uint16_t)))
#define TLS_CRYPT_V2_MAX_B64_METADATA_LEN \
- OPENVPN_BASE64_LENGTH(TLS_CRYPT_V2_MAX_METADATA_LEN - 1)
+ OPENVPN_BASE64_LENGTH(TLS_CRYPT_V2_MAX_METADATA_LEN - 1)
/**
* Initialize a key_ctx_bi structure for use with --tls-crypt.
bool tun = false;
if (tt->type == DEV_TYPE_TAP
- || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
- || tt->type == DEV_TYPE_NULL )
+ || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
+ || tt->type == DEV_TYPE_NULL)
{
tun = false;
}
ifconfig_ipv6_local, tt->netbits_ipv6, ifname);
argv_msg(M_INFO, &argv);
openvpn_execve_check(&argv, es, S_FATAL, "Linux ip -6 addr add failed");
-#else
+#else /* ifdef ENABLE_IPROUTE */
argv_printf(&argv, "%s %s add %s/%d mtu %d up", IFCONFIG_PATH, ifname,
ifconfig_ipv6_local, tt->netbits_ipv6, tun_mtu);
argv_msg(M_INFO, &argv);
ifname, ifconfig_local,
print_in_addr_t(tt->adapter_netmask, 0, &gc));
break;
+
case IPW32_SET_NETSH:
netsh_ifconfig(&tt->options, ifname, tt->local,
tt->adapter_netmask, NI_IP_NETMASK|NI_OPTIONS);
struct argv argv = argv_new();
/* setup command, close tun dev (clears tt->actual_name!), run command
- */
+ */
argv_printf(&argv, "%s %s destroy",
IFCONFIG_PATH, tt->actual_name);
struct argv argv = argv_new();
/* setup command, close tun dev (clears tt->actual_name!), run command
- */
+ */
argv_printf(&argv, "%s %s destroy",
IFCONFIG_PATH, tt->actual_name);
struct argv argv = argv_new();
/* setup command, close tun dev (clears tt->actual_name!), run command
- */
+ */
argv_printf(&argv, "%s %s destroy",
IFCONFIG_PATH, tt->actual_name);
};
if (send_msg_iservice(tt->options.msg_channel, &msg, sizeof(msg),
- &ack, "TUN"))
+ &ack, "TUN"))
{
status = ack.error_number;
}
|| !ReadFile(pipe, ack, sizeof(*ack), &len, NULL))
{
msg(M_WARN, "%s: could not talk to service: %s [%lu]",
- context? context : "Unknown",
+ context ? context : "Unknown",
strerror_win32(GetLastError(), &gc), GetLastError());
ret = false;
}
projects / thirdparty / openvpn.git / commitdiff
