/* local wrapping of the log function, to add more details */
static plugin_vlog_t _plugin_vlog_func = NULL;
-static void plog(const struct plugin_context *ctx, int flags, char *fmt, ...)
+static void
+plog(const struct plugin_context *ctx, int flags, char *fmt, ...)
{
char logid[129];
const char *username, const char *password)
{
plog(context, PLOG_NOTE,
- "expect_user=%s, received_user=%s, expect_passw=%s, received_passw=%s",
- np(context->test_valid_user),
- np(username),
- np(context->test_valid_pass),
- np(password));
+ "expect_user=%s, received_user=%s, expect_passw=%s, received_passw=%s",
+ np(context->test_valid_user),
+ np(username),
+ np(context->test_valid_pass),
+ np(password));
if (context->test_valid_user && context->test_valid_pass)
{
|| (strcmp(context->test_valid_pass, password) != 0))
{
plog(context, PLOG_ERR,
- "User/Password auth result: FAIL");
+ "User/Password auth result: FAIL");
return false;
}
else
{
plog(context, PLOG_NOTE,
- "User/Password auth result: PASS");
+ "User/Password auth result: PASS");
return true;
}
}
{
plog(context, PLOG_NOTE, "Direct authentication");
return do_auth_user_pass(context, username, password) ?
- OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR;
+ OPENVPN_PLUGIN_FUNC_SUCCESS : OPENVPN_PLUGIN_FUNC_ERROR;
}
/* get auth_control_file filename from envp string array*/
/* do mighty complicated work that will really take time here... */
plog(context, PLOG_NOTE, "in async/deferred handler, usleep(%d)",
- context->test_deferred_auth*1000);
+ context->test_deferred_auth*1000);
usleep(context->test_deferred_auth*1000);
/* now signal success state to openvpn */
if (fd < 0)
{
plog(context, PLOG_ERR|PLOG_ERRNO,
- "open('%s') failed", auth_control_file);
+ "open('%s') failed", auth_control_file);
exit(1);
}
struct session {
char user[48];
- char key [48];
+ char key[48];
};
/*
#define _WIN32_WINNT_WINBLUE 0x0603
#ifndef _WIN32_WINNT_WINTHRESHOLD
-#define _WIN32_WINNT_WINTHRESHOLD 0x0A00 // Windows 10
+#define _WIN32_WINNT_WINTHRESHOLD 0x0A00 /* Windows 10 */
#endif
VERSIONHELPERAPI
strlen(SESSION_ID_PREFIX) + AUTH_TOKEN_SESSION_ID_BASE64_LEN))
{
msg(M_WARN, "--auth-gen-token: session id in token changed (Rejecting "
- "token.");
+ "token.");
ret = 0;
}
return ret;
input[0] = '\0';
HANDLE in = GetStdHandle(STD_INPUT_HANDLE);
- int orig_stderr = get_orig_stderr(); // guaranteed to be always valid
+ int orig_stderr = get_orig_stderr(); /* guaranteed to be always valid */
if ((in == INVALID_HANDLE_VALUE)
|| win32_service_interrupt(&win32_signal)
|| (_write(orig_stderr, prompt, strlen(prompt)) == -1))
*
* @return if the cipher is valid
*/
-static inline bool cipher_valid(const char *ciphername)
+static inline bool
+cipher_valid(const char *ciphername)
{
const char *reason;
return cipher_valid_reason(ciphername, &reason);
* be NULL
* @return The cipher is defined and not the null (none) cipher
*/
-static inline bool cipher_defined(const char *ciphername)
+static inline bool
+cipher_defined(const char *ciphername)
{
ASSERT(ciphername);
return strcmp(ciphername, "none") != 0;
* @param mdname Name of the digest
* @return
*/
-static inline bool md_defined(const char* mdname)
+static inline bool
+md_defined(const char *mdname)
{
return strcmp(mdname, "none") != 0;
}
"available");
}
-provider_t *crypto_load_provider(const char *provider)
+provider_t *
+crypto_load_provider(const char *provider)
{
if (provider)
{
return NULL;
}
-void crypto_unload_provider(const char *provname, provider_t *provider)
+void
+crypto_unload_provider(const char *provname, provider_t *provider)
{
}
*
*/
static const mbedtls_cipher_info_t *
-cipher_get(const char* ciphername)
+cipher_get(const char *ciphername)
{
ASSERT(ciphername);
return cipher_kt_mode(ctx->cipher_info);
}
-bool cipher_ctx_mode_cbc(const cipher_ctx_t *ctx)
+bool
+cipher_ctx_mode_cbc(const cipher_ctx_t *ctx)
{
return ctx && cipher_ctx_mode(ctx) == OPENVPN_MODE_CBC;
}
-bool cipher_ctx_mode_ofb_cfb(const cipher_ctx_t *ctx)
+bool
+cipher_ctx_mode_ofb_cfb(const cipher_ctx_t *ctx)
{
return ctx && (cipher_ctx_mode(ctx) == OPENVPN_MODE_OFB
- || cipher_ctx_mode(ctx) == OPENVPN_MODE_CFB);
+ || cipher_ctx_mode(ctx) == OPENVPN_MODE_CFB);
}
-bool cipher_ctx_mode_aead(const cipher_ctx_t *ctx)
+bool
+cipher_ctx_mode_aead(const cipher_ctx_t *ctx)
{
return ctx && (cipher_ctx_mode(ctx) == OPENVPN_MODE_GCM
#ifdef MBEDTLS_CHACHAPOLY_C
- || cipher_ctx_mode(ctx) == MBEDTLS_MODE_CHACHAPOLY
+ || cipher_ctx_mode(ctx) == MBEDTLS_MODE_CHACHAPOLY
#endif
- );
+ );
}
int
#endif
}
-void crypto_unload_provider(const char *provname, provider_t *provider)
+void
+crypto_unload_provider(const char *provname, provider_t *provider)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if (!OSSL_PROVIDER_unload(provider))
size_t num;
};
-static void collect_ciphers(EVP_CIPHER *cipher, void *list)
+static void
+collect_ciphers(EVP_CIPHER *cipher, void *list)
{
if (!cipher)
{
return;
}
- struct collect_ciphers* cipher_list = list;
+ struct collect_ciphers *cipher_list = list;
if (cipher_list->num == SIZE(cipher_list->list))
{
msg(M_WARN, "WARNING: Too many ciphers, not showing all");
if (ciphername && (cipher_kt_mode_cbc(ciphername)
#ifdef ENABLE_OFB_CFB_MODE
- || cipher_kt_mode_ofb_cfb(ciphername)
+ || cipher_kt_mode_ofb_cfb(ciphername)
#endif
- || cipher_kt_mode_aead(ciphername)
- ))
+ || cipher_kt_mode_aead(ciphername)
+ ))
{
cipher_list->list[cipher_list->num++] = cipher;
}
}
void
-print_digest(EVP_MD* digest, void* unused)
+print_digest(EVP_MD *digest, void *unused)
{
printf("%s %d bit digest size\n", EVP_MD_get0_name(digest),
EVP_MD_size(digest) * 8);
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
{
msg(D_LOW, "Cipher algorithm '%s' is known by OpenSSL library but "
- "currently disabled by running in FIPS mode.", ciphername);
+ "currently disabled by running in FIPS mode.", ciphername);
*reason = "disabled by FIPS mode";
goto out;
}
evp_cipher_type *cipher = cipher_get(ciphername);
bool ret = cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
- /* Exclude AEAD cipher modes, they require a different API */
+ /* Exclude AEAD cipher modes, they require a different API */
#ifdef EVP_CIPH_FLAG_CTS
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
#endif
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
EVP_CIPHER_free(cipher);
return ret;
}
{
evp_cipher_type *cipher = cipher_get(ciphername);
bool ofb_cfb = cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB
- || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB)
- /* Exclude AEAD cipher modes, they require a different API */
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
+ || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB)
+ /* Exclude AEAD cipher modes, they require a different API */
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
EVP_CIPHER_free(cipher);
return ofb_cfb;
}
int mode = EVP_CIPHER_CTX_mode(ctx);
return mode == EVP_CIPH_CBC_MODE
- /* Exclude AEAD cipher modes, they require a different API */
+ /* Exclude AEAD cipher modes, they require a different API */
#ifdef EVP_CIPH_FLAG_CTS
- && !(flags & EVP_CIPH_FLAG_CTS)
+ && !(flags & EVP_CIPH_FLAG_CTS)
#endif
- && !(flags & EVP_CIPH_FLAG_AEAD_CIPHER);
+ && !(flags & EVP_CIPH_FLAG_AEAD_CIPHER);
}
bool
int mode = EVP_CIPHER_CTX_get_mode(ctx);
return (mode == EVP_CIPH_OFB_MODE || mode == EVP_CIPH_CFB_MODE)
- /* Exclude AEAD cipher modes, they require a different API */
- && !(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER);
+ /* Exclude AEAD cipher modes, they require a different API */
+ && !(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER);
}
bool
}
unsigned char key3[DES_KEY_LENGTH*3];
- for (int i = 0;i < 3;i++)
+ for (int i = 0; i < 3; i++)
{
memcpy(key3 + (i * DES_KEY_LENGTH), key, DES_KEY_LENGTH);
}
* though there is nothing to encrypt anymore, provide space for that to
* not overflow the stack */
unsigned char dst2[DES_KEY_LENGTH * 2];
- if(!EVP_EncryptUpdate(ctx, dst2, &len, src, DES_KEY_LENGTH))
+ if (!EVP_EncryptUpdate(ctx, dst2, &len, src, DES_KEY_LENGTH))
{
crypto_msg(M_FATAL, "%s: EVP_EncryptUpdate() failed", __func__);
}
HMAC_Final(ctx, dst, &in_hmac_len);
}
-#else
+#else /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
hmac_ctx_t *
hmac_ctx_new(void)
{
EVP_MAC_final(ctx->ctx, dst, &in_hmac_len, in_hmac_len);
}
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
int
memcmp_constant_time(const void *a, const void *b, size_t size)
static int (*default_pkey_sign_init) (EVP_PKEY_CTX *ctx);
static int (*default_pkey_sign) (EVP_PKEY_CTX *ctx, unsigned char *sig,
size_t *siglen, const unsigned char *tbs, size_t tbslen);
-#else
+#else /* ifndef HAVE_XKEY_PROVIDER */
static XKEY_EXTERNAL_SIGN_fn xkey_cng_sign;
#endif /* HAVE_XKEY_PROVIDER */
/** Sign hash in tbs using RSA key in cd and NCryptSignHash */
static int
xkey_cng_rsa_sign(CAPI_DATA *cd, unsigned char *sig, size_t *siglen, const unsigned char *tbs,
- size_t tbslen, XKEY_SIGALG sigalg)
+ size_t tbslen, XKEY_SIGALG sigalg)
{
dmsg(D_LOW, "In xkey_cng_rsa_sign");
}
msg(D_LOW, "Signing using NCryptSignHash with PSS padding: hashalg <%s>, saltlen <%d>",
- sigalg.mdname, saltlen);
+ sigalg.mdname, saltlen);
BCRYPT_PSS_PADDING_INFO padinfo = {hashalg, (DWORD) saltlen}; /* cast is safe as saltlen >= 0 */
status = NCryptSignHash(cd->crypt_prov, &padinfo, (BYTE *)tbs, (DWORD) tbslen,
/** Dispatch sign op to xkey_cng_<rsa/ec>_sign */
static int
xkey_cng_sign(void *handle, unsigned char *sig, size_t *siglen, const unsigned char *tbs,
- size_t tbslen, XKEY_SIGALG sigalg)
+ size_t tbslen, XKEY_SIGALG sigalg)
{
dmsg(D_LOW, "In xkey_cng_sign");
/* compute digest if required */
if (!strcmp(sigalg.op, "DigestSign"))
{
- if(!xkey_digest(tbs, tbslen, mdbuf, &buflen, sigalg.mdname))
+ if (!xkey_digest(tbs, tbslen, mdbuf, &buflen, sigalg.mdname))
{
return 0;
}
{
/* private key may be in a token not available, or incompatible with CNG */
msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: failed to acquire key. Key not present or "
- "is in a legacy token not supported by Windows CNG API");
+ "is in a legacy token not supported by Windows CNG API");
goto err;
}
#ifdef HAVE_XKEY_PROVIDER
EVP_PKEY *privkey = xkey_load_generic_key(tls_libctx, cd, pkey,
- xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free);
+ xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free);
SSL_CTX_use_PrivateKey(ssl_ctx, privkey);
return 1; /* do not free cd -- its kept by xkey provider */
-#else
+#else /* ifdef HAVE_XKEY_PROVIDER */
if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
{
* @param priority Priority of the DNS server to find / create
* @param gc The gc new list items should be allocated in
*/
-struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc);
+struct dns_server *dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc);
/**
* Appends DNS domain parameters to a linked list.
#ifdef _WIN32
static int orig_stderr;
-int get_orig_stderr()
+int
+get_orig_stderr()
{
return orig_stderr ? orig_stderr : _fileno(stderr);
}
return stat;
}
-void reschedule_multi_process(struct context *c)
+void
+reschedule_multi_process(struct context *c)
{
interval_action(&c->c2.tmp_int);
context_immediate_reschedule(c); /* ZERO-TIMEOUT */
else if (!c->options.enable_ncp_fallback)
{
msg(D_TLS_ERRORS, "ERROR: failed to negotiate cipher with peer and "
- "--data-ciphers-fallback not enabled. No usable "
- "data channel cipher");
+ "--data-ciphers-fallback not enabled. No usable "
+ "data channel cipher");
return false;
}
#endif
if (!tls_session_update_crypto_params(session, &c->options, &c->c2.frame,
- frame_fragment, get_link_socket_info(c)))
+ frame_fragment, get_link_socket_info(c)))
{
msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher");
return false;
/* the space that is reserved before the payload to add extra headers to it
- * we always reserve the space for the worst case */
+ * we always reserve the space for the worst case */
size_t headroom = 0;
/* includes IV and packet ID */
#ifdef USE_COMP
msg(D_MTU_DEBUG, "MTU: adding %lu buffer tailroom for compression for %lu "
- "bytes of payload",
- COMP_EXTRA_BUFFER(payload_size), payload_size);
+ "bytes of payload",
+ COMP_EXTRA_BUFFER(payload_size), payload_size);
tailroom += COMP_EXTRA_BUFFER(payload_size);
#endif
return;
}
- /*
- * BF-CBC is allowed to be used only when explicitly configured
- * as NCP-fallback or when NCP has been disabled or explicitly
- * allowed in the in ncp_ciphers list.
- * In all other cases do not attempt to initialize BF-CBC as it
- * may not even be supported by the underlying SSL library.
- *
- * Therefore, the key structure has to be initialized when:
- * - any non-BF-CBC cipher was selected; or
- * - BF-CBC is selected, NCP is enabled and fallback is enabled
- * (BF-CBC will be the fallback).
- * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
- * If the negotiated cipher and options->ciphername are the
- * same we do not reinit the cipher
- *
- * Note that BF-CBC will still be part of the OCC string to retain
- * backwards compatibility with older clients.
- */
- const char* ciphername = options->ciphername;
+ /*
+ * BF-CBC is allowed to be used only when explicitly configured
+ * as NCP-fallback or when NCP has been disabled or explicitly
+ * allowed in the in ncp_ciphers list.
+ * In all other cases do not attempt to initialize BF-CBC as it
+ * may not even be supported by the underlying SSL library.
+ *
+ * Therefore, the key structure has to be initialized when:
+ * - any non-BF-CBC cipher was selected; or
+ * - BF-CBC is selected, NCP is enabled and fallback is enabled
+ * (BF-CBC will be the fallback).
+ * - BF-CBC is in data-ciphers and we negotiate to use BF-CBC:
+ * If the negotiated cipher and options->ciphername are the
+ * same we do not reinit the cipher
+ *
+ * Note that BF-CBC will still be part of the OCC string to retain
+ * backwards compatibility with older clients.
+ */
+ const char *ciphername = options->ciphername;
if (streq(options->ciphername, "BF-CBC")
&& !tls_item_in_cipher_list("BF-CBC", options->ncp_ciphers)
&& !options->enable_ncp_fallback)
if (c->options.ce.fragment > 0 && c->options.ce.mssfix > c->options.ce.fragment)
{
msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
- "set --fragment (%d) larger or equal than --mssfix (%d)",
- c->options.ce.fragment, c->options.ce.mssfix);
+ "set --fragment (%d) larger or equal than --mssfix (%d)",
+ c->options.ce.fragment, c->options.ce.mssfix);
}
if (c->options.ce.fragment > 0 && c->options.ce.mssfix > 0
&& c->options.ce.fragment_encap != c->options.ce.mssfix_encap)
{
msg(M_WARN, "WARNING: if you use --mssfix and --fragment, you should "
- "use the \"mtu\" flag for both or none of of them.");
+ "use the \"mtu\" flag for both or none of of them.");
}
#endif
}
void tun_abort(void);
void write_pid_file(const char *filename, const char *chroot_dir);
+
void remove_pid_file(void);
#endif /* ifndef INIT_H */
}
static bool
-parse_uint(const char *str, const char* what, unsigned int *uint)
+parse_uint(const char *str, const char *what, unsigned int *uint)
{
if (sscanf(str, "%u", uint) == 1)
{
#define MAC_FMT _STRINGIFY(%02hhx:%02hhx:%02hhx:%02hhx:%02hhx:%02hhx)
/* *INDENT-ON* */
#define MAC_PRINT_ARG(_mac) _mac[0], _mac[1], _mac[2], \
- _mac[3], _mac[4], _mac[5]
+ _mac[3], _mac[4], _mac[5]
#define MAC_SCAN_ARG(_mac) &_mac[0], &_mac[1], &_mac[2], \
- &_mac[3], &_mac[4], &_mac[5]
+ &_mac[3], &_mac[4], &_mac[5]
#endif /* ifndef MISC_H */
if (pmtu < o->ce.mssfix
|| (o->ce.mssfix_encap && pmtu < o->ce.mssfix + encap_overhead))
{
- const char* mtustr = o->ce.mssfix_encap ? " mtu" : "";
+ const char *mtustr = o->ce.mssfix_encap ? " mtu" : "";
msg(D_MTU_INFO, "Note adjusting 'mssfix %d%s' to 'mssfix %d mtu' "
- "according to path MTU discovery", o->ce.mssfix,
+ "according to path MTU discovery", o->ce.mssfix,
mtustr, pmtu);
o->ce.mssfix = pmtu;
o->ce.mssfix_encap = true;
}
#if defined(ENABLE_FRAGMENT)
- if (pmtu < o->ce.fragment ||
- (o->ce.fragment_encap && pmtu < o->ce.fragment + encap_overhead))
+ if (pmtu < o->ce.fragment
+ || (o->ce.fragment_encap && pmtu < o->ce.fragment + encap_overhead))
{
- const char* mtustr = o->ce.fragment_encap ? " mtu" : "";
+ const char *mtustr = o->ce.fragment_encap ? " mtu" : "";
msg(D_MTU_INFO, "Note adjusting 'fragment %d%s' to 'fragment %d mtu' "
- "according to path MTU discovery", o->ce.fragment,
+ "according to path MTU discovery", o->ce.fragment,
mtustr, pmtu);
o->ce.fragment = pmtu;
o->ce.fragment_encap = true;
*/
void frame_adjust_path_mtu(struct context *c);
-#endif
+#endif /* ifndef MSS_H */
* by pretending to have no encryption enabled and by manually adding
* the required packet overhead to the MTU computation.
*/
- const char* ciphername = o->ciphername;
+ const char *ciphername = o->ciphername;
unsigned int overhead = 0;
if (!ret)
{
auth_set_client_reason(tls_multi, "Data channel cipher negotiation "
- "failed (no shared cipher)");
+ "failed (no shared cipher)");
}
gc_free(&gc);
if (o->comp.flags & COMP_F_MIGRATE && mi->context.c2.tls_multi->remote_usescomp)
{
- if(peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
+ if (peer_info && strstr(peer_info, "IV_COMP_STUBv2=1"))
{
push_option(o, "compress stub-v2", M_USAGE);
}
#endif /* ifdef ENABLE_MANAGEMENT */
}
-void multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
+void
+multi_assign_peer_id(struct multi_context *m, struct multi_instance *mi)
{
/* max_clients must be less then max peer-id value */
ASSERT(m->max_clients < MAX_PEER_ID);
int ifindex = if_nametoindex(iface);
if (!ifindex)
+ {
return errno;
+ }
req.n.nlmsg_len = NLMSG_LENGTH(sizeof(req.i));
req.n.nlmsg_flags = NLM_F_REQUEST;
* is good enough for our case of printing certificate details during
* handshake */
static inline
-int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz,
- size_t *gname_len)
+int
+EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz,
+ size_t *gname_len)
{
- const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(pkey);
+ const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
if (ec == NULL)
{
return 0;
}
- const EC_GROUP* group = EC_KEY_get0_group(ec);
+ const EC_GROUP *group = EC_KEY_get0_group(ec);
int nid = EC_GROUP_get_curve_name(group);
if (nid == 0)
*gname_len = strlen(curve);
return 1;
}
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_NO_EC) */
#if OPENSSL_VERSION_NUMBER < 0x30000000L
#define EVP_MD_get0_name EVP_MD_name
/** Reduce SSL_CTX_new_ex() to SSL_CTX_new() for OpenSSL < 3 */
#define SSL_CTX_new_ex(libctx, propq, method) \
- SSL_CTX_new((method))
+ SSL_CTX_new((method))
/* Some safe typedefs to avoid too many ifdefs */
typedef void OSSL_LIB_CTX;
return EVP_get_cipherbyname(algorithm);
}
-static inline const EVP_MD*
+static inline const EVP_MD *
EVP_MD_fetch(void *ctx, const char *algorithm, const char *properties)
{
ASSERT(!ctx);
#undef PROCESS_SIGNAL_P2P
-void init_early(struct context *c)
+void
+init_early(struct context *c)
{
net_ctx_init(c, &c->net_ctx);
init_verb_mute(c, IVM_LEVEL_1);
/* Initialise OpenSSL provider, this needs to be initialised this
- * early since option post-processing and also openssl info
- * printing depends on it */
- for (int j=1; j < MAX_PARMS && c->options.providers.names[j]; j++)
+ * early since option post-processing and also openssl info
+ * printing depends on it */
+ for (int j = 1; j < MAX_PARMS && c->options.providers.names[j]; j++)
{
c->options.providers.providers[j] =
crypto_load_provider(c->options.providers.names[j]);
}
}
-static void uninit_early(struct context *c)
+static void
+uninit_early(struct context *c)
{
- for (int j=1; j < MAX_PARMS && c->options.providers.providers[j]; j++)
+ for (int j = 1; j < MAX_PARMS && c->options.providers.providers[j]; j++)
{
crypto_unload_provider(c->options.providers.names[j],
c->options.providers.providers[j]);
#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
-#endif
+#endif /* ifndef ENABLE_SMALL */
static void
setenv_connection_entry(struct env_set *es,
while ((line = strsep(&lines, "\n")))
{
/* ignore leading whitespace */
- while(isspace(*line))
+ while (isspace(*line))
{
line++;
}
#ifndef ENABLE_SMALL
static void
-show_dhcp_option_list(const char *name, const char * const*array, int len)
+show_dhcp_option_list(const char *name, const char *const *array, int len)
{
int i;
for (i = 0; i < len; ++i)
#ifndef ENABLE_CRYPTO_MBEDTLS
|| options->ca_path
#endif
- )
+ )
{
return;
}
- const char* const str = "You must define CA file (--ca)"
+ const char *const str = "You must define CA file (--ca)"
#ifndef ENABLE_CRYPTO_MBEDTLS
- " or CA path (--capath)"
+ " or CA path (--capath)"
#endif
- " and/or peer fingerprint verification (--peer-fingerprint)";
+ " and/or peer fingerprint verification (--peer-fingerprint)";
msg(M_USAGE, str);
}
if (options->mode == MODE_SERVER)
{
#define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
- "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
+ "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
#ifdef TARGET_ANDROID
msg(M_FATAL, "--mode server not supported on Android");
#endif
if (!options->tls_server && !options->tls_client)
{
msg(M_INFO, "DEPRECATION: No tls-client or tls-server option in "
- "configuration detected. OpenVPN 2.7 will remove the "
- "functionality to run a VPN without TLS. "
- "See the examples section in the manual page for "
- "examples of a similar quick setup with peer-fingerprint.");
+ "configuration detected. OpenVPN 2.7 will remove the "
+ "functionality to run a VPN without TLS. "
+ "See the examples section in the manual page for "
+ "examples of a similar quick setup with peer-fingerprint.");
}
if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
if (!options->auth_user_pass_file)
{
msg(M_USAGE, "No client-side authentication method is "
- "specified. You must use either "
- "--cert/--key, --pkcs12, or "
- "--auth-user-pass");
+ "specified. You must use either "
+ "--cert/--key, --pkcs12, or "
+ "--auth-user-pass");
}
}
else if (sum == 2)
o->ciphername = "BF-CBC";
msg(M_INFO, "Note: --cipher is not set. OpenVPN versions before 2.5 "
- "defaulted to BF-CBC as fallback when cipher negotiation "
- "failed in this case. If you need this fallback please add "
- "'--data-ciphers-fallback 'BF-CBC' to your configuration "
- "and/or add BF-CBC to --data-ciphers.");
+ "defaulted to BF-CBC as fallback when cipher negotiation "
+ "failed in this case. If you need this fallback please add "
+ "'--data-ciphers-fallback 'BF-CBC' to your configuration "
+ "and/or add BF-CBC to --data-ciphers.");
}
else if (!o->enable_ncp_fallback
&& !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
}
/**
- * The option --compat-mode is used to set up default settings to values
+ * The option --compat-mode is used to set up default settings to values
* used on the specified openvpn version and earlier.
*
* This function is used in various "default option" paths to test if the
* user requested compatibility with a version before the one specified
- * as argument. This way some default settings can be automatically
- * altered to guarantee compatibility with the version specified by the
+ * as argument. This way some default settings can be automatically
+ * altered to guarantee compatibility with the version specified by the
* user via --compat-mode.
*
* @param version need compatibility with openvpn versions before the
{
/* TLS min version is not set */
int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
- & SSLF_TLS_VERSION_MIN_MASK;
+ & SSLF_TLS_VERSION_MIN_MASK;
if (tls_ver_min == 0)
{
int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
}
#endif
-bool key_is_external(const struct options *options)
+bool
+key_is_external(const struct options *options)
{
bool ret = false;
#ifdef ENABLE_MANAGEMENT
msg(msglevel, "Unknown parameter to --fragment: %s", p[2]);
}
}
-#endif
+#endif /* ifdef ENABLE_FRAGMENT */
else if (streq(p[0], "mtu-disc") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_MTU|OPT_P_CONNECTION);
}
}
#ifdef TARGET_LINUX
- else if (streq (p[0], "bind-dev") && p[1])
+ else if (streq(p[0], "bind-dev") && p[1])
{
- VERIFY_PERMISSION (OPT_P_SOCKFLAGS);
+ VERIFY_PERMISSION(OPT_P_SOCKFLAGS);
options->bind_dev = p[1];
}
#endif
{
int64_t val = atoll(p[2]);
options->inactivity_minimum_bytes = (val < 0) ? 0 : val;
- if ( options->inactivity_minimum_bytes > INT_MAX )
+ if (options->inactivity_minimum_bytes > INT_MAX)
{
msg(M_WARN, "WARNING: '--inactive' with a 'bytes' value"
" >2 Gbyte was silently ignored in older versions. If "
else if (streq(p[1], "server") && p[2] && p[3] && p[4])
{
long priority;
- if (!dns_server_priority_parse(&priority, p[2], pull_mode)) {
+ if (!dns_server_priority_parse(&priority, p[2], pull_mode))
+ {
msg(msglevel, "--dns server: invalid priority value '%s'", p[2]);
goto err;
}
{
for (int i = 4; p[i]; i++)
{
- if(!dns_server_addr_parse(server, p[i]))
+ if (!dns_server_addr_parse(server, p[i]))
{
msg(msglevel, "--dns server %ld: malformed or duplicate address '%s'", priority, p[i]);
goto err;
o->netbios_node_type = t;
}
else if ((streq(p[1], "DNS") || streq(p[1], "DNS6")) && p[2] && !p[3]
- && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
+ && (!strstr(p[2], ":") || ipv6_addr_safe(p[2])))
{
if (strstr(p[2], ":"))
{
#endif /* ENABLE_CRYPTO_MBEDTLS */
else if (streq(p[0], "providers") && p[1])
{
- for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++)
+ for (size_t j = 1; j < MAX_PARMS && p[j] != NULL; j++)
{
options->providers.names[j] = p[j];
}
if (streq(p[0], "verify-hash"))
{
msg(M_WARN, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
- "You should switch to the either use the level 1 certificate as "
- "--ca option, use --tls-verify or use --peer-fingerprint");
+ "You should switch to the either use the level 1 certificate as "
+ "--ca option, use --tls-verify or use --peer-fingerprint");
/* verify level 1 cert, i.e. the CA that signed the leaf cert */
verify_hash_depth = 1;
}
if (options->verify_hash && options->verify_hash_depth != verify_hash_depth)
{
msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and"
- " --peer-fingerprint are mutually exclusive", p[0]);
+ " --peer-fingerprint are mutually exclusive", p[0]);
goto err;
}
else if (p[2] && !streq(p[2], "SHA256"))
{
msg(msglevel, "invalid or unsupported hashing algorithm: %s "
- "(only SHA1 and SHA256 are supported)", p[2]);
+ "(only SHA1 and SHA256 are supported)", p[2]);
goto err;
}
}
struct dns_options dns_options;
- const char* ciphername;
- const char* authname;
+ const char *ciphername;
+ const char *authname;
int ping_send_timeout;
int ping_rec_timeout;
/* enable forward compatibility for post-2.1 features */
bool forward_compatible;
/** What version we should try to be compatible with as major * 10000 +
- * minor * 100 + patch, e.g. 2.4.7 => 20407 */
+ * minor * 100 + patch, e.g. 2.4.7 => 20407 */
unsigned int backwards_compatible;
/* list of options that should be ignored even if unknown */
int key_direction;
const char *ciphername;
bool enable_ncp_fallback; /**< If defined fall back to
- * ciphername if NCP fails */
+ * ciphername if NCP fails */
const char *ncp_ciphers;
const char *authname;
const char *engine;
#if PKCS11H_VERSION > ((1<<16) | (27<<8)) /* version > 1.27 */
/* Table linking OpenSSL digest NID with CKM and CKG constants in PKCS#11 */
-#define MD_TYPE(n) {NID_sha##n, CKM_SHA##n, CKG_MGF1_SHA##n}
+#define MD_TYPE(n) {NID_sha ## n, CKM_SHA ## n, CKG_MGF1_SHA ## n}
static const struct
{
- int nid;
- unsigned long ckm_id;
- unsigned long mgf_id;
+ int nid;
+ unsigned long ckm_id;
+ unsigned long mgf_id;
} mdtypes[] = {MD_TYPE(224), MD_TYPE(256), MD_TYPE(384), MD_TYPE(512),
- {NID_sha1, CKM_SHA_1, CKG_MGF1_SHA1}, /* SHA_1 naming is an oddity */
- {NID_undef, 0, 0}};
+ {NID_sha1, CKM_SHA_1, CKG_MGF1_SHA1}, /* SHA_1 naming is an oddity */
+ {NID_undef, 0, 0}};
/* From sigalg, derive parameters for pss signature and fill in pss_params.
* Its of type CK_RSA_PKCS_PSS_PARAMS struct with three fields to be filled in:
if (!md)
{
msg(M_WARN, "WARN: set_pss_params: EVP_get_digestbyname returned NULL "
- "for mdname = <%s>", sigalg.mdname);
+ "for mdname = <%s>", sigalg.mdname);
goto cleanup;
}
int mdsize = EVP_MD_get_size(md);
if (saltlen < 0 || pss_params->hashAlg == 0)
{
msg(M_WARN, "WARN: invalid RSA_PKCS1_PSS parameters: saltlen = <%s> "
- "mdname = <%s>.", sigalg.saltlen, sigalg.mdname);
+ "mdname = <%s>.", sigalg.saltlen, sigalg.mdname);
goto cleanup;
}
pss_params->sLen = (unsigned long) saltlen; /* saltlen >= 0 at this point */
return ret;
}
-#else
+#else /* if PKCS11H_VERSION > ((1<<16) | (27<<8)) */
/* Make set_pss_params a no-op that always succeeds */
#define set_pss_params(...) (1)
*/
static CK_RV
pkcs11h_certificate_signAny_ex(const pkcs11h_certificate_t cert,
- const CK_MECHANISM *mech, const unsigned char *tbs,
- size_t tbslen, unsigned char *sig, size_t *siglen)
+ const CK_MECHANISM *mech, const unsigned char *tbs,
+ size_t tbslen, unsigned char *sig, size_t *siglen)
{
if (mech->mechanism == CKM_RSA_PKCS_PSS)
{
msg(M_NONFATAL, "PKCS#11: Error: PSS padding is not supported by "
- "this version of pkcs11-helper library.");
+ "this version of pkcs11-helper library.");
return CKR_MECHANISM_INVALID;
}
return pkcs11h_certificate_signAny(cert, mech->mechanism, tbs, tbslen, sig, siglen);
*/
static int
xkey_pkcs11h_sign(void *handle, unsigned char *sig,
- size_t *siglen, const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg)
+ size_t *siglen, const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg)
{
pkcs11h_certificate_t cert = handle;
CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0}; /* default value */
}
else
{
- ASSERT(0); /* coding error -- we couldnt have created any such key */
+ ASSERT(0); /* coding error -- we couldnt have created any such key */
}
return CKR_OK == pkcs11h_certificate_signAny_ex(cert, &mech,
- tbs, tbslen, sig, siglen);
+ tbs, tbslen, sig, siglen);
}
/* wrapper for handle free */
*/
static int
xkey_load_from_pkcs11h(pkcs11h_certificate_t certificate,
- struct tls_root_ctx *const ctx)
+ struct tls_root_ctx *const ctx)
{
int ret = 0;
}
}
}
-#endif
+#endif /* if defined(HAVE_GETRLIMIT) && defined(RLIMIT_MEMLOCK) */
if (mlockall(MCL_CURRENT | MCL_FUTURE))
{
}
#else /* ifdef HAVE_MLOCKALL */
msg(M_WARN, "WARNING: mlockall call failed (function not implemented)");
-#endif
+#endif /* ifdef HAVE_MLOCKALL */
}
/*
return -1;
}
}
-#else
+#else /* ifdef _WIN32 */
int
platform_ret_code(int stat)
{
return -1;
}
}
-#endif
+#endif /* ifdef _WIN32 */
int
platform_access(const char *path, int mode)
receive_auth_pending(struct context *c, const struct buffer *buffer)
{
if (!c->options.pull)
+ {
return;
+ }
/* Cap the increase at the maximum time we are willing stay in the
* pending authentication state */
unsigned int max_timeout = max_uint(c->options.renegotiate_seconds/2,
- c->options.handshake_window);
+ c->options.handshake_window);
/* try to parse parameter keywords, default to hand-winow timeout if the
* server does not supply a timeout */
parse_auth_pending_keywords(buffer, &server_timeout);
msg(D_PUSH, "AUTH_PENDING received, extending handshake timeout from %us "
- "to %us", c->options.handshake_window,
- min_uint(max_timeout, server_timeout));
+ "to %us", c->options.handshake_window,
+ min_uint(max_timeout, server_timeout));
const struct key_state *ks = get_primary_key(c->c2.tls_multi);
c->c2.push_request_timeout = ks->established + min_uint(max_timeout, server_timeout);
else
{
static const char auth_pre[] = "AUTH_PENDING,timeout ";
- // Assume a worst case of 8 byte uint64 in decimal which
- // needs 20 bytes
+ /* Assume a worst case of 8 byte uint64 in decimal which */
+ /* needs 20 bytes */
size_t len = 20 + 1 + sizeof(auth_pre);
struct buffer buf = alloc_buf_gc(len, &gc);
buf_printf(&buf, auth_pre);
rr.receive.tail_moved = receive_tail_moved;
res = DeviceIoControl(device, TUN_IOCTL_REGISTER_RINGS, &rr, sizeof(rr),
- NULL, 0, &bytes_returned, NULL);
+ NULL, 0, &bytes_returned, NULL);
return res != FALSE;
}
#endif
#if defined(TARGET_NETBSD)
-#include <net/route.h> /* RT_ROUNDUP(), RT_ADVANCE() */
+#include <net/route.h> /* RT_ROUNDUP(), RT_ADVANCE() */
#endif
#ifdef _WIN32
if (r6->flags & RT_METRIC_DEFINED)
{
struct buffer name3 = alloc_buf_gc( 256, &gc );
- buf_printf( &name3, "route_ipv6_metric_%d", i) ;
+ buf_printf( &name3, "route_ipv6_metric_%d", i);
setenv_int( es, BSTR(&name3), r6->metric);
}
}
bool openvpn_execve_allowed(const unsigned int flags);
int openvpn_execve_check(const struct argv *a, const struct env_set *es,
- const unsigned int flags, const char *error_message);
+ const unsigned int flags, const char *error_message);
/**
* Will run a script and return the exit code of the script if between
SocketHandleGetOverlappedResult(sockethandle_t sh, struct overlapped_io *io)
{
return sh.is_handle ?
- GetOverlappedResult(sh.h, &io->overlapped, &io->size, FALSE) :
- WSAGetOverlappedResult(sh.s, &io->overlapped, &io->size, FALSE, &io->flags);
+ GetOverlappedResult(sh.h, &io->overlapped, &io->size, FALSE) :
+ WSAGetOverlappedResult(sh.s, &io->overlapped, &io->size, FALSE, &io->flags);
}
static inline int
#define openvpn_close_socket(s) close(s)
-#endif
+#endif /* ifdef _WIN32 */
struct link_socket *link_socket_new(void);
}
/**
- * @brief returns if the proto is a TCP variant (tcp-server, tcp-client or tcp)
+ * @brief returns if the proto is a TCP variant (tcp-server, tcp-client or tcp)
*/
static inline bool
proto_is_tcp(int proto)
char atyp = '\0';
int alen = 0;
int len = 0;
- char buf[270]; /* 4 + alen(max 256) + 2 */
+ char buf[270]; /* 4 + alen(max 256) + 2 */
const int timeout_sec = 5;
if (addr != NULL)
packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE);
/* TCP length field and opcode */
- overhead+= 3;
+ overhead += 3;
/* ACK array and remote SESSION ID (part of the ACK array) */
overhead += ACK_SIZE(RELIABLE_ACK_SIZE);
{
case KS_AUTH_TRUE:
return "KS_AUTH_TRUE";
+
case KS_AUTH_DEFERRED:
return "KS_AUTH_DEFERRED";
+
case KS_AUTH_FALSE:
return "KS_AUTH_FALSE";
+
default:
return "KS_????";
}
bool
tls_session_update_crypto_params_do_work(struct tls_session *session,
- struct options* options, struct frame *frame,
- struct frame *frame_fragment,
- struct link_socket_info *lsi)
+ struct options *options, struct frame *frame,
+ struct frame *frame_fragment,
+ struct link_socket_info *lsi)
{
if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)
{
{
bool cipher_allowed_as_fallback = options->enable_ncp_fallback
- && streq(options->ciphername, session->opt->config_ciphername);
+ && streq(options->ciphername, session->opt->config_ciphername);
if (!session->opt->server && !cipher_allowed_as_fallback
&& !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
if (e->string)
{
if ((((strncmp(e->string, "UV_", 3) == 0
- || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0)
- && session->opt->push_peer_info_detail >= 2)
- || (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0)
- || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0)
- )
+ || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0)
+ && session->opt->push_peer_info_detail >= 2)
+ || (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0)
+ || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0)
+ )
&& buf_safe(&out, strlen(e->string) + 1))
{
buf_printf(&out, "%s\n", e->string);
{
#ifdef USE_COMP
if (multi->remote_usescomp && session->opt->mode == MODE_SERVER
- && multi->opt.comp_options.flags & COMP_F_MIGRATE)
+ && multi->opt.comp_options.flags & COMP_F_MIGRATE)
{
if (!write_compat_local_options(buf, session->opt->local_options))
{
if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp)
{
msg(D_SHOW_OCC, "Note: 'compress migrate' detected remote peer "
- "with compression enabled.");
+ "with compression enabled.");
remote_options = options_string_compat_lzo(remote_options, &gc);
}
#endif
if (ks->state == S_ACTIVE && ks->authenticated == KS_AUTH_TRUE)
{
/* Session is now fully authenticated.
- * tls_session_generate_data_channel_keys will move ks->state
- * from S_ACTIVE to S_GENERATED_KEYS */
+ * tls_session_generate_data_channel_keys will move ks->state
+ * from S_ACTIVE to S_GENERATED_KEYS */
if (!tls_session_generate_data_channel_keys(session))
{
msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
return false;
}
-struct key_state *tls_select_encryption_key(struct tls_multi *multi)
+struct key_state *
+tls_select_encryption_key(struct tls_multi *multi)
{
struct key_state *ks_select = NULL;
for (int i = 0; i < KEY_SCAN_SIZE; ++i)
*/
bool
key_state_export_keying_material(struct tls_session *session,
- const char* label, size_t label_size,
+ const char *label, size_t label_size,
void *ekm, size_t ekm_size);
/**************************************************************************/
* handshake window. Deferred auth and
* client connect can still be pending. */
#define S_GENERATED_KEYS 7 /**< The data channel keys have been generated
- * The TLS session is fully authenticated
- * when reaching this state. */
+ * The TLS session is fully authenticated
+ * when reaching this state. */
/* Note that earlier versions also had a S_OP_NORMAL state that was
* virtually identical with S_ACTIVE and the code still assumes everything
* Only KS_AUTH_TRUE is fully authenticated
*/
enum ks_auth_state {
- KS_AUTH_FALSE, /**< Key state is not authenticated */
- KS_AUTH_DEFERRED, /**< Key state authentication is being deferred,
- * by async auth */
- KS_AUTH_TRUE /**< Key state is authenticated. TLS and user/pass
- * succeeded. This includes AUTH_PENDING/OOB
- * authentication as those hold the
- * connection artificially in KS_AUTH_DEFERRED
- */
+ KS_AUTH_FALSE, /**< Key state is not authenticated */
+ KS_AUTH_DEFERRED, /**< Key state authentication is being deferred,
+ * by async auth */
+ KS_AUTH_TRUE /**< Key state is authenticated. TLS and user/pass
+ * succeeded. This includes AUTH_PENDING/OOB
+ * authentication as those hold the
+ * connection artificially in KS_AUTH_DEFERRED
+ */
};
struct auth_deferred_status
{
case 0:
return &multi->session[TM_ACTIVE].key[KS_PRIMARY];
+
case 1:
return &multi->session[TM_ACTIVE].key[KS_LAME_DUCK];
+
case 2:
return &multi->session[TM_LAME_DUCK].key[KS_LAME_DUCK];
+
default:
ASSERT(false);
return NULL; /* NOTREACHED */
static inline const struct key_state *
get_primary_key(const struct tls_multi *multi)
{
- return &multi->session[TM_ACTIVE].key[KS_PRIMARY];
+ return &multi->session[TM_ACTIVE].key[KS_PRIMARY];
}
#endif /* SSL_COMMON_H_ */
* rely on function detection at configure time.
*/
#ifndef HAVE_CTR_DRBG_UPDATE_RET
-static int mbedtls_ctr_drbg_update_ret(mbedtls_ctr_drbg_context *ctx,
- const unsigned char *additional,
- size_t add_len)
+static int
+mbedtls_ctr_drbg_update_ret(mbedtls_ctr_drbg_context *ctx,
+ const unsigned char *additional,
+ size_t add_len)
{
mbedtls_ctr_drbg_update(ctx, additional, add_len);
return 0;
struct tls_key_cache *cache = &ks_ssl->tls_key_cache;
static_assert(sizeof(ks_ssl->ctx->session->master)
- == sizeof(cache->master_secret), "master size mismatch");
+ == sizeof(cache->master_secret), "master size mismatch");
memcpy(cache->client_server_random, client_random, 32);
memcpy(cache->client_server_random + 32, server_random, 32);
bool
key_state_export_keying_material(struct tls_session *session,
- const char* label, size_t label_size,
+ const char *label, size_t label_size,
void *ekm, size_t ekm_size)
{
ASSERT(strlen(label) == label_size);
else
{
secure_memzero(ekm, session->opt->ekm_size);
- return false;
+ return false;
}
}
-#else
+#else /* ifdef HAVE_EXPORT_KEYING_MATERIAL */
bool
key_state_export_keying_material(struct tls_session *session,
- const char* label, size_t label_size,
+ const char *label, size_t label_size,
void *ekm, size_t ekm_size)
{
/* Dummy function to avoid ifdefs in the common code */
}
/* Disable TLS renegotiations if the mbedtls library supports that feature.
- * OpenVPN's renegotiation creates new SSL sessions and does not depend on
- * this feature and TLS renegotiations have been problematic in the past. */
+ * OpenVPN's renegotiation creates new SSL sessions and does not depend on
+ * this feature and TLS renegotiations have been problematic in the past. */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
#endif /* MBEDTLS_SSL_RENEGOTIATION */
mbedtls_tls_prf_types tls_prf_type;
unsigned char master_secret[48];
};
-#else
+#else /* ifdef HAVE_EXPORT_KEYING_MATERIAL */
struct tls_key_cache { };
#endif
if (nonecipher)
{
msg(M_WARN, "WARNING: cipher 'none' specified for --data-ciphers. "
- "This allows negotiation of NO encryption and "
- "tunnelled data WILL then be transmitted in clear text "
- "over the network! "
- "PLEASE DO RECONSIDER THIS SETTING!");
+ "This allows negotiation of NO encryption and "
+ "tunnelled data WILL then be transmitted in clear text "
+ "over the network! "
+ "PLEASE DO RECONSIDER THIS SETTING!");
}
if (!nonecipher && !cipher_valid(token))
{
- const char* optstr = optional ? "optional ": "";
+ const char *optstr = optional ? "optional " : "";
msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token);
error_found = error_found || !optional;
}
/* non-NCP client without OCC? "assume nothing" */
/* For client doing the newer version of NCP (that send IV_CIPHER)
* we cannot assume that they will accept remote_cipher */
- if (remote_cipher == NULL ||
- (peer_info && strstr(peer_info, "IV_CIPHERS=")))
+ if (remote_cipher == NULL
+ || (peer_info && strstr(peer_info, "IV_CIPHERS=")))
{
remote_cipher = "";
}
/* If the server did not push a --cipher, we will switch to the
* remote cipher if it is in our ncp-ciphers list */
- if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))
+ if (tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))
{
return true;
}
}
}
-const char*
+const char *
get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info,
struct gc_arena *gc)
{
return NULL;
}
- const char* server_ciphers;
- const char* client_ciphers;
+ const char *server_ciphers;
+ const char *client_ciphers;
if (session->opt->server)
{
if (iv_proto_peer & IV_PROTO_DATA_V2)
{
multi->use_peer_id = true;
- multi->peer_id = 0x76706e; // 'v' 'p' 'n'
+ multi->peer_id = 0x76706e; /* 'v' 'p' 'n' */
}
#if defined(HAVE_EXPORT_KEYING_MATERIAL)
* happen or very likely the TLS encryption key exporter will
* also fail */
msg(M_NONFATAL, "TLS key export for P2P peer id failed. "
- "Continuing anyway, expect problems");
+ "Continuing anyway, expect problems");
}
else
{
}
}
-#endif
+#endif /* if defined(HAVE_EXPORT_KEYING_MATERIAL) */
}
void
/* Query the common cipher here to log it as part of our message.
* We postpone switching the cipher to do_up */
- const char* common_cipher = get_p2p_ncp_cipher(session, multi->peer_info, &gc);
+ const char *common_cipher = get_p2p_ncp_cipher(session, multi->peer_info, &gc);
if (!common_cipher)
{
}
msg(D_TLS_DEBUG_LOW, "P2P mode NCP negotiation result: "
- "TLS_export=%d, DATA_v2=%d, peer-id %d, cipher=%s",
+ "TLS_export=%d, DATA_v2=%d, peer-id %d, cipher=%s",
(bool)(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT),
multi->use_peer_id, multi->peer_id, common_cipher);
bool
key_state_export_keying_material(struct tls_session *session,
- const char* label, size_t label_size,
+ const char *label, size_t label_size,
void *ekm, size_t ekm_size)
{
- SSL* ssl = session->key[KS_PRIMARY].ks_ssl.ssl;
+ SSL *ssl = session->key[KS_PRIMARY].ks_ssl.ssl;
if (SSL_export_keying_material(ssl, ekm, ekm_size, label,
label_size, NULL, 0, 0) == 1)
groups);
}
gc_free(&gc);
-#else
+#else /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
if (!SSL_CTX_set1_groups_list(ctx->ctx, groups))
{
crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
groups);
}
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
}
void
msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
8 * EVP_PKEY_get_size(dh));
-#else
+#else /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */
DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
8 * DH_size(dh));
DH_free(dh);
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */
}
void
if (curve_name != NULL)
{
msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an "
- "ECDH curve with --ecdh-curve, using default curves. Use "
- "--tls-groups to specify groups.");
+ "ECDH curve with --ecdh-curve, using default curves. Use "
+ "--tls-groups to specify groups.");
}
#elif !defined(OPENSSL_NO_EC)
int nid = NID_undef;
if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
{
crypto_msg(M_WARN, "Decoding PKCS12 failed. Probably wrong password "
- "or unsupported/legacy encryption");
+ "or unsupported/legacy encryption");
#ifdef ENABLE_MANAGEMENT
if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
{
goto cleanup;
}
EVP_PKEY_free(privkey);
-#else
+#else /* ifdef HAVE_XKEY_PROVIDER */
if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
{
if (!tls_ctx_use_external_rsa_key(ctx, pkey))
if (typeid == EVP_PKEY_EC)
{
size_t len;
- if(EVP_PKEY_get_group_name(pkey, groupname, sizeof(groupname), &len))
+ if (EVP_PKEY_get_group_name(pkey, groupname, sizeof(groupname), &len))
{
- curve = groupname;
+ curve = groupname;
}
else
{
if (!OSSL_PROVIDER_load(tls_libctx, "ovpn.xkey"))
{
msg(M_NONFATAL, "ERROR: failed loading external key provider: "
- "Signing with external keys will not work.");
+ "Signing with external keys will not work.");
}
}
if (!lines->head || !lines->head->next || !lines->head->next->next)
{
msg(M_WARN, "auth pending control file is not at least "
- "three lines long.");
+ "three lines long.");
buffer_list_free(lines);
return false;
}
return false;
}
- const char* pending_method = BSTR(iv_buf);
+ const char *pending_method = BSTR(iv_buf);
if (!check_auth_pending_method(multi->peer_info, pending_method))
{
char buf[128];
"method '%s' not supported", pending_method);
auth_set_client_reason(multi, buf);
msg(M_INFO, "Client does not supported auth pending method "
- "'%s'", pending_method);
+ "'%s'", pending_method);
ret = false;
}
else
}
/**
- * Checks the auth control status from a file. The function will try
- * to read and update the cached status if the status is still pending
- * and the parameter cached is false.
+ * Checks the auth control status from a file. The function will try
+ * to read and update the cached status if the status is still pending
+ * and the parameter cached is false.
* The function returns the most recent known status.
*
* @param ads deferred status control structure
ASSERT(auth_plugin < 4 && auth_script < 4 && auth_man < 4);
if (auth_plugin == ACF_FAILED || auth_script == ACF_FAILED
- || auth_man == ACF_FAILED)
+ || auth_man == ACF_FAILED)
{
ks->authenticated = KS_AUTH_FALSE;
return;
if (!key_state_gen_auth_control_files(&ks->script_auth, session->opt))
{
msg(D_TLS_ERRORS, "TLS Auth Error (%s): "
- "could not create deferred auth control file", __func__);
+ "could not create deferred auth control file", __func__);
return OPENVPN_PLUGIN_FUNC_ERROR;
}
"--auth-user-pass-verify");
switch (script_ret)
{
- case 0:
- retval = OPENVPN_PLUGIN_FUNC_SUCCESS;
- break;
- case 2:
- retval = OPENVPN_PLUGIN_FUNC_DEFERRED;
- break;
- default:
- retval = OPENVPN_PLUGIN_FUNC_ERROR;
- break;
+ case 0:
+ retval = OPENVPN_PLUGIN_FUNC_SUCCESS;
+ break;
+
+ case 2:
+ retval = OPENVPN_PLUGIN_FUNC_DEFERRED;
+ break;
+
+ default:
+ retval = OPENVPN_PLUGIN_FUNC_ERROR;
+ break;
}
if (retval == OPENVPN_PLUGIN_FUNC_DEFERRED)
{
/* Check if we the plugin has written the pending auth control
* file and send the pending auth to the client */
- if(!key_state_check_auth_pending_file(&ks->script_auth,
- multi))
+ if (!key_state_check_auth_pending_file(&ks->script_auth,
+ multi))
{
retval = OPENVPN_PLUGIN_FUNC_ERROR;
key_state_rm_auth_control_files(&ks->script_auth);
{
/* Check if the plugin has written the pending auth control
* file and send the pending auth to the client */
- if(!key_state_check_auth_pending_file(&ks->plugin_auth, multi))
+ if (!key_state_check_auth_pending_file(&ks->plugin_auth, multi))
{
retval = OPENVPN_PLUGIN_FUNC_ERROR;
key_state_rm_auth_control_files(&ks->plugin_auth);
}
/* auth succeeded? */
bool plugin_ok = plugin_status == OPENVPN_PLUGIN_FUNC_SUCCESS
- || plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED;
+ || plugin_status == OPENVPN_PLUGIN_FUNC_DEFERRED;
bool script_ok = script_status == OPENVPN_PLUGIN_FUNC_SUCCESS
- || script_status == OPENVPN_PLUGIN_FUNC_DEFERRED;
+ || script_status == OPENVPN_PLUGIN_FUNC_DEFERRED;
if (script_ok && plugin_ok && tls_lock_username(multi, up->username)
#ifdef ENABLE_MANAGEMENT
gc_free(&gc);
}
else
-#endif
+#endif /* ifdef ENABLE_X509ALTUSERNAME */
if (FAILURE == extract_x509_field_ssl(X509_get_subject_name(peer_cert),
x509_username_field, common_name, cn_len))
{
/*
* Do we have CryptoAPI capability?
*/
-#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \
- !defined(ENABLE_CRYPTO_WOLFSSL)
+#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) \
+ && !defined(ENABLE_CRYPTO_WOLFSSL)
#define ENABLE_CRYPTOAPI
#endif
*/
msg(D_LOW, "%s dns domain on '%s' (if_index = %d) using service",
- (add ? "Setting" : "Deleting"), dns.iface.name, dns.iface.index);
+ (add ? "Setting" : "Deleting"), dns.iface.name, dns.iface.index);
if (!send_msg_iservice(pipe, &dns, sizeof(dns), &ack, "TUN"))
{
goto out;
if (type == DEV_TYPE_TUN)
{
const in_addr_t test_netmask = 0xFFFFFF00;
- const in_addr_t public_net = public & test_netmask;
+ const in_addr_t public_net = public &test_netmask;
const in_addr_t local_net = local & test_netmask;
const in_addr_t remote_net = remote_netmask & test_netmask;
}
else if (type == DEV_TYPE_TAP)
{
- const in_addr_t public_network = public & remote_netmask;
+ const in_addr_t public_network = public &remote_netmask;
const in_addr_t virtual_network = local & remote_netmask;
if (public_network == virtual_network)
{
/* If IPv4 is not enabled, set DNS domain here */
if (!tt->did_ifconfig_setup)
{
- do_dns_domain_service(true, tt);
+ do_dns_domain_service(true, tt);
}
}
else
/* TUNSETGROUP appeared in 2.6.23 */
#ifndef TUNSETGROUP
-# define TUNSETGROUP _IOW('T', 206, int)
+#define TUNSETGROUP _IOW('T', 206, int)
#endif
void
* 0x1D 0x7 openvpn 0x3 net 0x00 0x0A duckduckgo 0x3 com 0x00
*/
static void
-write_dhcp_search_str(struct buffer *buf, const int type, const char * const *str_array,
+write_dhcp_search_str(struct buffer *buf, const int type, const char *const *str_array,
int array_len, bool *error)
{
- char tmp_buf[256];
- int i;
- int len = 0;
- int label_length_pos;
+ char tmp_buf[256];
+ int i;
+ int len = 0;
+ int label_length_pos;
- for (i=0; i < array_len; i++)
+ for (i = 0; i < array_len; i++)
{
const char *ptr = str_array[i];
return;
}
/* Loop over all subdomains separated by a dot and replace the dot
- with the length of the subdomain */
+ * with the length of the subdomain */
/* label_length_pos points to the byte to be replaced by the length
* of the following domain label */
while (true)
{
- if (*ptr == '.' || *ptr == '\0' )
+ if (*ptr == '.' || *ptr == '\0')
{
tmp_buf[label_length_pos] = (len-label_length_pos)-1;
label_length_pos = len;
if (o->domain_search_list_len > 0)
{
write_dhcp_search_str(buf, 119, o->domain_search_list,
- o->domain_search_list_len,
- &error);
+ o->domain_search_list_len,
+ &error);
}
/* the MS DHCP server option 'Disable Netbios-over-TCP/IP
{
case ERROR_ACCESS_DENIED:
msg(M_FATAL, "ERROR: Wintun requires SYSTEM privileges and therefore "
- "should be used with interactive service. If you want to "
- "use openvpn from command line, you need to do SYSTEM "
- "elevation yourself (for example with psexec).");
+ "should be used with interactive service. If you want to "
+ "use openvpn from command line, you need to do SYSTEM "
+ "elevation yourself (for example with psexec).");
break;
case ERROR_ALREADY_INITIALIZED:
/* translate high-level device name into a device instance
* GUID using the registry */
- tt->actual_name = string_alloc((const char*)actual_buffer, NULL);
+ tt->actual_name = string_alloc((const char *)actual_buffer, NULL);
msg(M_INFO, "%s device [%s] opened", print_windows_driver(tt->windows_driver), tt->actual_name);
tt->adapter_index = get_adapter_index(*device_guid);
* to sign operation.
*/
typedef struct {
- const char *padmode; /**< "pkcs1", "pss" or "none" */
- const char *mdname; /**< "SHA256" or "SHA2-256" etc. */
- const char *saltlen; /**< "digest", "auto" or "max" */
- const char *keytype; /**< "EC" or "RSA" */
- const char *op; /**< "Sign" or "DigestSign" */
+ const char *padmode; /**< "pkcs1", "pss" or "none" */
+ const char *mdname; /**< "SHA256" or "SHA2-256" etc. */
+ const char *saltlen; /**< "digest", "auto" or "max" */
+ const char *keytype; /**< "EC" or "RSA" */
+ const char *op; /**< "Sign" or "DigestSign" */
} XKEY_SIGALG;
/**
* structure.
*/
typedef int (XKEY_EXTERNAL_SIGN_fn)(void *handle, unsigned char *sig, size_t *siglen,
- const unsigned char *tbs, size_t tbslen,
- XKEY_SIGALG sigalg);
+ const unsigned char *tbs, size_t tbslen,
+ XKEY_SIGALG sigalg);
/**
* Signature of private key free function callback used
* to free the opaque private key handle obtained from the
* stored in the key. We use a dummy pointer as we do need a
* non-NULL value to indicate private key is available.
*/
- void *dummy = & "dummy";
+ void *dummy = &"dummy";
XKEY_EXTERNAL_SIGN_fn *sign_op = xkey_management_sign;
{"handle", OSSL_PARAM_OCTET_PTR, &handle, sizeof(handle), 0},
{"sign_op", OSSL_PARAM_OCTET_PTR, (void **) &sign_op, sizeof(void *), 0},
{"free_op", OSSL_PARAM_OCTET_PTR, (void **) &free_op, sizeof(void *), 0},
- {NULL, 0, NULL, 0, 0}};
+ {NULL, 0, NULL, 0, 0}
+ };
/* Do not use EVP_PKEY_new_from_pkey as that will take keymgmt from pubkey */
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(libctx, EVP_PKEY_get0_type_name(pubkey), props);
else
{
openvpn_snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s",
- "RSA_PKCS1_PADDING", alg.mdname);
+ "RSA_PKCS1_PADDING", alg.mdname);
}
}
else if (!strcmp(alg.padmode, "none") && (flags & MF_EXTERNAL_KEY_NOPADDING)
- &&!strcmp(alg.op, "Sign")) /* NO_PADDING requires digested data */
+ && !strcmp(alg.op, "Sign")) /* NO_PADDING requires digested data */
{
strncpynt(alg_str, "RSA_NO_PADDING", sizeof(alg_str));
}
else if (!strcmp(alg.padmode, "pss") && (flags & MF_EXTERNAL_KEY_PSSPAD))
{
openvpn_snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s,saltlen=%s",
- "RSA_PKCS1_PSS_PADDING", alg.mdname,alg.saltlen);
+ "RSA_PKCS1_PSS_PADDING", alg.mdname,alg.saltlen);
}
- else {
+ else
+ {
msg(M_NONFATAL, "RSA padding mode not supported by management-client <%s>",
alg.padmode);
return 0;
const unsigned char sha224[] = {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c};
const unsigned char sha512_224[] = {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
- 0x01, 0x65, 0x03, 0x04, 0x02, 0x05, 0x05, 0x00, 0x04, 0x1c};
+ 0x01, 0x65, 0x03, 0x04, 0x02, 0x05, 0x05, 0x00, 0x04, 0x1c};
const unsigned char sha512_256[] = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
- 0x01, 0x65, 0x03, 0x04, 0x02, 0x06, 0x05, 0x00, 0x04, 0x20};
+ 0x01, 0x65, 0x03, 0x04, 0x02, 0x06, 0x05, 0x00, 0x04, 0x20};
typedef struct {
- const int nid;
- const unsigned char *header;
- size_t sz;
+ const int nid;
+ const unsigned char *header;
+ size_t sz;
} DIG_INFO;
-#define MAKE_DI(x) {NID_##x, x, sizeof(x)}
+#define MAKE_DI(x) {NID_ ## x, x, sizeof(x)}
DIG_INFO dinfo[] = {MAKE_DI(sha1), MAKE_DI(sha256), MAKE_DI(sha384),
MAKE_DI(sha512), MAKE_DI(sha224), MAKE_DI(sha512_224),
/* helper to print debug messages */
#define xkey_dmsg(f, ...) \
- do { \
- dmsg(f|M_NOLF, "xkey_provider: In %s: ", __func__); \
- dmsg(f|M_NOPREFIX, __VA_ARGS__); \
- } while(0)
+ do { \
+ dmsg(f|M_NOLF, "xkey_provider: In %s: ", __func__); \
+ dmsg(f|M_NOPREFIX, __VA_ARGS__); \
+ } while(0)
typedef enum
{
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(key->prov->libctx, name, NULL);
if (!ctx
|| (EVP_PKEY_fromdata_init(ctx) != 1)
- || (EVP_PKEY_fromdata(ctx, &pkey, selection_pub, (OSSL_PARAM*) params) !=1))
+ || (EVP_PKEY_fromdata(ctx, &pkey, selection_pub, (OSSL_PARAM *) params) !=1))
{
msg(M_WARN, "Error: keymgmt_import failed for key type <%s>", name);
if (pkey)
{
/* create private key */
pkey = NULL;
- if (EVP_PKEY_fromdata(ctx, &pkey, selection, (OSSL_PARAM*) params) == 1)
+ if (EVP_PKEY_fromdata(ctx, &pkey, selection, (OSSL_PARAM *) params) == 1)
{
key->handle = pkey;
key->free = (XKEY_PRIVKEY_FREE_fn *) EVP_PKEY_free;
if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY)
{
- return key_types;
+ return key_types;
}
return NULL;
}
}
static const OSSL_DISPATCH rsa_keymgmt_functions[] = {
- {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void)) keymgmt_new},
- {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void)) keymgmt_free},
- {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void)) keymgmt_load},
- {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void)) keymgmt_has},
- {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void)) keymgmt_match},
- {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void)) rsa_keymgmt_import},
- {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void)) keymgmt_import_types},
- {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void)) keymgmt_gettable_params},
- {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void)) keymgmt_get_params},
- {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*) (void)) keymgmt_set_params},
- {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void)) keymgmt_gettable_params}, /* same as gettable */
- {OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void)) rsa_keymgmt_name},
+ {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new},
+ {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free},
+ {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load},
+ {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has},
+ {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match},
+ {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))rsa_keymgmt_import},
+ {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types},
+ {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params},
+ {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params},
+ {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params},
+ {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, /* same as gettable */
+ {OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void))rsa_keymgmt_name},
{0, NULL }
};
static const OSSL_DISPATCH ec_keymgmt_functions[] = {
- {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void)) keymgmt_new},
- {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void)) keymgmt_free},
- {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void)) keymgmt_load},
- {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void)) keymgmt_has},
- {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void)) keymgmt_match},
- {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void)) ec_keymgmt_import},
- {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void)) keymgmt_import_types},
- {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void)) keymgmt_gettable_params},
- {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void)) keymgmt_get_params},
- {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*) (void)) keymgmt_set_params},
- {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void)) keymgmt_gettable_params}, /* same as gettable */
- {OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void)) ec_keymgmt_name},
+ {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))keymgmt_new},
+ {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))keymgmt_free},
+ {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))keymgmt_load},
+ {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))keymgmt_has},
+ {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))keymgmt_match},
+ {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))ec_keymgmt_import},
+ {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))keymgmt_import_types},
+ {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params},
+ {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*)(void))keymgmt_get_params},
+ {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*)(void))keymgmt_set_params},
+ {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*)(void))keymgmt_gettable_params}, /* same as gettable */
+ {OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void))ec_keymgmt_name},
{0, NULL }
};
XKEY_SIGALG sigalg;
} XKEY_SIGNATURE_CTX;
-static const XKEY_SIGALG default_sigalg = { .mdname="MD5-SHA1", .saltlen="digest",
- .padmode="pkcs1", .keytype = "RSA"};
+static const XKEY_SIGALG default_sigalg = { .mdname = "MD5-SHA1", .saltlen = "digest",
+ .padmode = "pkcs1", .keytype = "RSA"};
const struct {
int nid;
}
static const OSSL_DISPATCH signature_functions[] = {
- {OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void)) signature_newctx},
- {OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void)) signature_freectx},
- {OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void)) signature_sign_init},
- {OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void)) signature_sign},
- {OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, (void (*)(void)) signature_digest_verify_init},
- {OSSL_FUNC_SIGNATURE_DIGEST_VERIFY, (void (*)(void)) signature_digest_verify},
- {OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, (void (*)(void)) signature_digest_sign_init},
- {OSSL_FUNC_SIGNATURE_DIGEST_SIGN, (void (*)(void)) signature_digest_sign},
- {OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void)) signature_set_ctx_params},
- {OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, (void (*)(void)) signature_settable_ctx_params},
- {OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void)) signature_get_ctx_params},
- {OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, (void (*)(void)) signature_gettable_ctx_params},
+ {OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))signature_newctx},
+ {OSSL_FUNC_SIGNATURE_FREECTX, (void (*)(void))signature_freectx},
+ {OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))signature_sign_init},
+ {OSSL_FUNC_SIGNATURE_SIGN, (void (*)(void))signature_sign},
+ {OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, (void (*)(void))signature_digest_verify_init},
+ {OSSL_FUNC_SIGNATURE_DIGEST_VERIFY, (void (*)(void))signature_digest_verify},
+ {OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, (void (*)(void))signature_digest_sign_init},
+ {OSSL_FUNC_SIGNATURE_DIGEST_SIGN, (void (*)(void))signature_digest_sign},
+ {OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, (void (*)(void))signature_set_ctx_params},
+ {OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, (void (*)(void))signature_settable_ctx_params},
+ {OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, (void (*)(void))signature_get_ctx_params},
+ {OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, (void (*)(void))signature_gettable_ctx_params},
{0, NULL }
};
}
static const OSSL_DISPATCH dispatch_table[] = {
- {OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void)) gettable_params},
- {OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void)) get_params},
- {OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void)) query_operation},
- {OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void)) teardown},
+ {OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))gettable_params},
+ {OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))get_params},
+ {OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))query_operation},
+ {OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))teardown},
{0, NULL}
};
* Set MSI session handle in thread local storage.
*/
#define OPENVPNMSICA_SAVE_MSI_SESSION(hInstall) \
-{ \
- struct openvpnmsica_thread_data *s = (struct openvpnmsica_thread_data *)TlsGetValue(openvpnmsica_thread_data_idx); \
- s->hInstall = (hInstall); \
-}
+ { \
+ struct openvpnmsica_thread_data *s = (struct openvpnmsica_thread_data *)TlsGetValue(openvpnmsica_thread_data_idx); \
+ s->hInstall = (hInstall); \
+ }
/*
}
openvpn_swprintf(default_value, _countof(default_value), TEXT("%ls\\bin\\openvpn.exe"),
- install_path);
+ install_path);
error = GetRegString(key, TEXT("exe_path"), s->exe_path, sizeof(s->exe_path), default_value);
if (error != ERROR_SUCCESS)
{
if (hEventSource != NULL)
{
openvpn_swprintf(msg[0], _countof(msg[0]),
- TEXT("%ls%ls%ls: %ls"), APPNAME, service_instance,
- (flags & MSG_FLAGS_ERROR) ? TEXT(" error") : TEXT(""), err_msg);
+ TEXT("%ls%ls%ls: %ls"), APPNAME, service_instance,
+ (flags & MSG_FLAGS_ERROR) ? TEXT(" error") : TEXT(""), err_msg);
va_start(arglist, format);
openvpn_vswprintf(msg[1], _countof(msg[1]), format, arglist);
if (!argv)
{
openvpn_swprintf(errmsg, capacity,
- L"Cannot validate options: CommandLineToArgvW failed with error = 0x%08x",
- GetLastError());
+ L"Cannot validate options: CommandLineToArgvW failed with error = 0x%08x",
+ GetLastError());
goto out;
}
static DWORD
ConvertInterfaceNameToIndex(const wchar_t *ifname, NET_IFINDEX *index)
{
- NET_LUID luid;
- DWORD err;
-
- err = ConvertInterfaceAliasToLuid(ifname, &luid);
- if (err == ERROR_SUCCESS)
- {
- err = ConvertInterfaceLuidToIndex(&luid, index);
- }
- if (err != ERROR_SUCCESS)
- {
- MsgToEventLog(M_ERR, L"Failed to find interface index for <%ls>", ifname);
- }
- return err;
+ NET_LUID luid;
+ DWORD err;
+
+ err = ConvertInterfaceAliasToLuid(ifname, &luid);
+ if (err == ERROR_SUCCESS)
+ {
+ err = ConvertInterfaceLuidToIndex(&luid, index);
+ }
+ if (err != ERROR_SUCCESS)
+ {
+ MsgToEventLog(M_ERR, L"Failed to find interface index for <%ls>", ifname);
+ }
+ return err;
}
static BOOL
/* comma separated list must be enclosed in parenthesis */
if (data && wcschr(data, L','))
{
- fmt = L"wmic nicconfig where (InterfaceIndex=%ld) call %ls (%ls)";
+ fmt = L"wmic nicconfig where (InterfaceIndex=%ld) call %ls (%ls)";
}
else
{
- fmt = L"wmic nicconfig where (InterfaceIndex=%ld) call %ls \"%ls\"";
+ fmt = L"wmic nicconfig where (InterfaceIndex=%ld) call %ls \"%ls\"";
}
size_t ncmdline = wcslen(fmt) + 20 + wcslen(action) /* max 20 for ifindex */
- + (data ? wcslen(data) + 1 : 1);
+ + (data ? wcslen(data) + 1 : 1);
cmdline = malloc(ncmdline*sizeof(wchar_t));
if (!cmdline)
{
}
openvpn_swprintf(cmdline, ncmdline, fmt, if_index, action,
- data? data : L"");
+ data ? data : L"");
err = ExecCommand(argv0, cmdline, timeout);
free(cmdline);
static DWORD
SetDNSDomain(const wchar_t *if_name, const char *domain, undo_lists_t *lists)
{
- NET_IFINDEX if_index;
-
- DWORD err = ConvertInterfaceNameToIndex(if_name, &if_index);
- if (err != ERROR_SUCCESS)
- {
- return err;
- }
-
- wchar_t *wdomain = utf8to16(domain); /* utf8 to wide-char */
- if (!wdomain)
- {
- return ERROR_OUTOFMEMORY;
- }
-
- /* free undo list if previously set */
- if (lists)
- {
- free(RemoveListItem(&(*lists)[undo_domain], CmpWString, (void *)if_name));
- }
-
- err = wmic_nicconfig_cmd(L"SetDNSDomain", if_index, wdomain);
-
- /* Add to undo list if domain is non-empty */
- if (err == 0 && wdomain[0] && lists)
- {
+ NET_IFINDEX if_index;
+
+ DWORD err = ConvertInterfaceNameToIndex(if_name, &if_index);
+ if (err != ERROR_SUCCESS)
+ {
+ return err;
+ }
+
+ wchar_t *wdomain = utf8to16(domain); /* utf8 to wide-char */
+ if (!wdomain)
+ {
+ return ERROR_OUTOFMEMORY;
+ }
+
+ /* free undo list if previously set */
+ if (lists)
+ {
+ free(RemoveListItem(&(*lists)[undo_domain], CmpWString, (void *)if_name));
+ }
+
+ err = wmic_nicconfig_cmd(L"SetDNSDomain", if_index, wdomain);
+
+ /* Add to undo list if domain is non-empty */
+ if (err == 0 && wdomain[0] && lists)
+ {
wchar_t *tmp_name = _wcsdup(if_name);
if (!tmp_name || AddListItem(&(*lists)[undo_domain], tmp_name))
{
free(tmp_name);
err = ERROR_OUTOFMEMORY;
}
- }
+ }
- free(wdomain);
- return err;
+ free(wdomain);
+ return err;
}
static DWORD
}
static DWORD
-OvpnDuplicateHandle(HANDLE ovpn_proc, HANDLE orig_handle, HANDLE* new_handle)
+OvpnDuplicateHandle(HANDLE ovpn_proc, HANDLE orig_handle, HANDLE *new_handle)
{
DWORD err = ERROR_SUCCESS;
interface_data->metric_v6);
}
break;
+
case _undo_type_max:
/* unreachable */
break;
}
openvpn_swprintf(ovpn_pipe_name, _countof(ovpn_pipe_name),
- TEXT("\\\\.\\pipe\\" PACKAGE "%ls\\service_%lu"), service_instance, GetCurrentThreadId());
+ TEXT("\\\\.\\pipe\\" PACKAGE "%ls\\service_%lu"), service_instance, GetCurrentThreadId());
ovpn_pipe = CreateNamedPipe(ovpn_pipe_name,
PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE | FILE_FLAG_OVERLAPPED,
PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, 1, 128, 128, 0, NULL);
goto out;
}
openvpn_swprintf(cmdline, cmdline_size, L"openvpn %ls --msg-channel %lu",
- sud.options, svc_pipe);
+ sud.options, svc_pipe);
if (!CreateEnvironmentBlock(&user_env, imp_token, FALSE))
{
wprintf(TEXT("\nService run-time parameters:\n"));
wprintf(TEXT("-instance interactive <id>\n")
- TEXT(" Runs the service as an alternate instance.\n")
- TEXT(" The service settings will be loaded from\n")
- TEXT(" HKLM\\Software\\" PACKAGE_NAME "<id> registry key, and the service will accept\n")
- TEXT(" requests on \\\\.\\pipe\\" PACKAGE "<id>\\service named pipe.\n"));
+ TEXT(" Runs the service as an alternate instance.\n")
+ TEXT(" The service settings will be loaded from\n")
+ TEXT(" HKLM\\Software\\" PACKAGE_NAME "<id> registry key, and the service will accept\n")
+ TEXT(" requests on \\\\.\\pipe\\" PACKAGE "<id>\\service named pipe.\n"));
return 0;
}
if (DEBUG(up->verb))
{
plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: my_conv[%d] query='%s' style=%d",
- i,
- msg->msg ? msg->msg : "NULL",
- msg->msg_style);
+ i,
+ msg->msg ? msg->msg : "NULL",
+ msg->msg_style);
}
if (up->name_value_list && up->name_value_list->len > 0)
if (DEBUG(up->verb))
{
plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'",
- msg->msg,
- match_name,
- match_value);
+ msg->msg,
+ match_name,
+ match_value);
}
if (strstr(match_value, "USERNAME"))
if (!ret)
{
plugin_log(PLOG_ERR, MODULE, "BACKGROUND: user '%s' failed to authenticate: %s",
- up->username,
- pam_strerror(pamh, status));
+ up->username,
+ pam_strerror(pamh, status));
}
/* Close PAM */
|| recv_string(fd, ac_file_name, sizeof(ac_file_name)) == -1)
{
plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: read error on command channel: code=%d, exiting",
- command);
+ command);
goto done;
}
{
#if 0
plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: USER/PASS: %s/%s",
- up.username, up.password);
+ up.username, up.password);
#else
plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: USER: %s", up.username);
#endif
default:
plugin_log(PLOG_ERR, MODULE, "BACKGROUND: unknown command code: code=%d, exiting",
- command);
+ command);
goto done;
}
plugin_secure_memzero(up.response, sizeof(up.response));
{
szName = argv[++i];
}
- else
- if (_tcsicmp(argv[i], TEXT("--hwid")) == 0)
+ else if (_tcsicmp(argv[i], TEXT("--hwid")) == 0)
{
szHwId = argv[++i];
}
/* Make sure the dll is loaded from the system32 folder */
if (!GetSystemDirectoryW(libpath, _countof(libpath)))
{
- return NULL;
+ return NULL;
}
/* +1 for the path seperator '\' */
const size_t path_length = wcslen(libpath) + 1 + wcslen(libname);
if (path_length >= _countof(libpath))
{
- SetLastError(ERROR_INSUFFICIENT_BUFFER);
- return NULL;
+ SetLastError(ERROR_INSUFFICIENT_BUFFER);
+ return NULL;
}
wcscat_s(libpath, _countof(libpath), L"\\");
wcscat_s(libpath, _countof(libpath), libname);
*m = LoadLibraryW(libpath);
if (*m == NULL)
{
- return NULL;
+ return NULL;
}
fptr = GetProcAddress(*m, funcname);
if (!fptr)
{
- FreeLibrary(*m);
- *m = NULL;
- return NULL;
+ FreeLibrary(*m);
+ *m = NULL;
+ return NULL;
}
return fptr;
}
if (!DiInstallDevice(hwndParent, hDevInfoList, &devinfo_data, NULL, 0, pbRebootRequired))
#else
/* mingw does not resolve DiInstallDevice, so load it at run time. */
- typedef BOOL (WINAPI *DiInstallDeviceFn) (HWND, HDEVINFO, SP_DEVINFO_DATA *,
- SP_DRVINFO_DATA *, DWORD, BOOL *);
+ typedef BOOL (WINAPI *DiInstallDeviceFn)(HWND, HDEVINFO, SP_DEVINFO_DATA *,
+ SP_DRVINFO_DATA *, DWORD, BOOL *);
DiInstallDeviceFn installfn
- = find_function (L"newdev.dll", "DiInstallDevice", &libnewdev);
+ = find_function(L"newdev.dll", "DiInstallDevice", &libnewdev);
if (!installfn)
{
/* stripped version of ExecCommand in interactive.c */
static DWORD
-ExecCommand(const WCHAR* cmdline)
+ExecCommand(const WCHAR *cmdline)
{
DWORD exit_code;
STARTUPINFOW si;
PROCESS_INFORMATION pi;
DWORD proc_flags = CREATE_NO_WINDOW | CREATE_UNICODE_ENVIRONMENT;
- WCHAR* cmdline_dup = NULL;
+ WCHAR *cmdline_dup = NULL;
ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
/* CreateProcess needs a modifiable cmdline: make a copy */
cmdline_dup = _wcsdup(cmdline);
if (cmdline_dup && CreateProcessW(NULL, cmdline_dup, NULL, NULL, FALSE,
- proc_flags, NULL, NULL, &si, &pi))
+ proc_flags, NULL, NULL, &si, &pi))
{
WaitForSingleObject(pi.hProcess, INFINITE);
if (!GetExitCodeProcess(pi.hProcess, &exit_code))
}
/* rename adapter via netsh call */
- const TCHAR* szFmt = TEXT("netsh interface set interface name=\"%")
+ const TCHAR *szFmt = TEXT("netsh interface set interface name=\"%")
TEXT(PRIsLPTSTR) TEXT("\" newname=\"%") TEXT(PRIsLPTSTR) TEXT("\"");
size_t ncmdline = _tcslen(szFmt) + _tcslen(szOldName) + _tcslen(szName) + 1;
- WCHAR* szCmdLine = malloc(ncmdline * sizeof(TCHAR));
+ WCHAR *szCmdLine = malloc(ncmdline * sizeof(TCHAR));
_stprintf_s(szCmdLine, ncmdline, szFmt, szOldName, szName);
free(szOldName);
0xb1, 0x56, 0x7e, 0x4b, 0x4b, 0x14, 0x59, 0xe6,
0xa9, 0x04, 0xac, 0x2d, 0xda, 0xb7, 0x2d, 0x67};
-static const char* ipsumlorem = "Lorem ipsum dolor sit amet, consectetur "
+static const char *ipsumlorem = "Lorem ipsum dolor sit amet, consectetur "
"adipisici elit, sed eiusmod tempor incidunt "
"ut labore et dolore magna aliqua.";
o.authname = "none";
init_key_type(&kt, o.ciphername, o.authname, false, false);
- for (int i = 990;i <= 1010;i++)
+ for (int i = 990; i <= 1010; i++)
{
/* 992 - 1008 should end up with the same mssfix value all they
* all result in the same CBC block size/padding and <= 991 and >=1008
/* Same but with compression added. Compression adds one byte extra to the
* payload so the payload should be reduced by compared to the no
* compression calculation before */
- for (int i = 990;i <= 1010;i++)
+ for (int i = 990; i <= 1010; i++)
{
/* 992 - 1008 should end up with the same mssfix value all they
* all result in the same CBC block size/padding and <= 991 and >=1008
}
}
o.comp.alg = COMP_ALG_UNDEF;
-#endif
+#endif /* ifdef USE_COMP */
/* tls client, auth SHA1, cipher AES-256-GCM */
o.authname = "SHA1";
o.use_peer_id = true;
init_key_type(&kt, o.ciphername, o.authname, true, false);
- for (int i=900;i <= 1200;i++)
+ for (int i = 900; i <= 1200; i++)
{
/* For stream ciphers, the value should not be influenced by block
* sizes or similar but always have the same difference */
{
struct gc_arena gc = gc_new();
- const char* input = "V4,dev-type tun,link-mtu 1457,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server";
+ const char *input = "V4,dev-type tun,link-mtu 1457,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server";
- const char* output = options_string_compat_lzo(input, &gc);
+ const char *output = options_string_compat_lzo(input, &gc);
assert_string_equal(output, "V4,dev-type tun,link-mtu 1458,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server,comp-lzo");
assert_string_equal(output, "V4,dev-type tun,link-mtu 1000,tun-mtu 1400,proto UDPv4,auth SHA1,keysize 128,key-method 2,tls-server,comp-lzo");
gc_free(&gc);
-};
+}
const struct CMUnitTest misc_tests[] = {
cmocka_unit_test(test_compat_lzo_string),
* leads to having to include even more unrelated code */
bool
key_state_export_keying_material(struct tls_session *session,
- const char* label, size_t label_size,
+ const char *label, size_t label_size,
void *ekm, size_t ekm_size)
{
ASSERT(0);
static OSSL_PROVIDER *prov[2];
/* public keys for testing -- RSA and EC */
-static const char * const pubkey1 = "-----BEGIN PUBLIC KEY-----\n"
- "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7GWP6RLCGlvmVioIqYI6\n"
- "LUR4owA7sJ/nJxBAk+/xzD6gqgSigBsTqeb+gdZwkKjY1N4w2DUA0r5i8Eja/BWN\n"
- "xMZtC5nxK4MACtMqIwvlzfk130NhFXKtlZj2cyFBXqDdRyeg1ZrUQagcHVcgcReP\n"
- "9yiePgfO7NUOQk8edEeOR53SFCgnLBQQ9dGWtZN0hO/5BN6NSm/fd6vq0VjTRP5a\n"
- "BAH/BnqX9/3jV0jh8N9AE59mI1rjVVQ9VDnuAPkS8dLfdC661/CNxt0YWByTIgt1\n"
- "+qjW4LUvLbnU/rlPhuJ1SBZg+z/JtDBCKfs7syu5WYFqRvNFg7/91Rr/NwxvW/1h\n"
- "8QIDAQAB\n"
- "-----END PUBLIC KEY-----\n";
-
-static const char * const pubkey2 = "-----BEGIN PUBLIC KEY-----\n"
- "MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEO85iXW+HgnUkwlj1DohNVw0GsnGIh1gZ\n"
- "u95ff1JiUaJIkYNIkZA+hwIPFVH5aJcSCv3SPIeDS2VUAESNKHZJBQ==\n"
- "-----END PUBLIC KEY-----\n";
+static const char *const pubkey1 = "-----BEGIN PUBLIC KEY-----\n"
+ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7GWP6RLCGlvmVioIqYI6\n"
+ "LUR4owA7sJ/nJxBAk+/xzD6gqgSigBsTqeb+gdZwkKjY1N4w2DUA0r5i8Eja/BWN\n"
+ "xMZtC5nxK4MACtMqIwvlzfk130NhFXKtlZj2cyFBXqDdRyeg1ZrUQagcHVcgcReP\n"
+ "9yiePgfO7NUOQk8edEeOR53SFCgnLBQQ9dGWtZN0hO/5BN6NSm/fd6vq0VjTRP5a\n"
+ "BAH/BnqX9/3jV0jh8N9AE59mI1rjVVQ9VDnuAPkS8dLfdC661/CNxt0YWByTIgt1\n"
+ "+qjW4LUvLbnU/rlPhuJ1SBZg+z/JtDBCKfs7syu5WYFqRvNFg7/91Rr/NwxvW/1h\n"
+ "8QIDAQAB\n"
+ "-----END PUBLIC KEY-----\n";
+
+static const char *const pubkey2 = "-----BEGIN PUBLIC KEY-----\n"
+ "MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEO85iXW+HgnUkwlj1DohNVw0GsnGIh1gZ\n"
+ "u95ff1JiUaJIkYNIkZA+hwIPFVH5aJcSCv3SPIeDS2VUAESNKHZJBQ==\n"
+ "-----END PUBLIC KEY-----\n";
static const char *pubkeys[] = {pubkey1, pubkey2};
static const char *prov_name = "ovpn.xkey";
-static const char* test_msg = "Lorem ipsum dolor sit amet, consectetur "
+static const char *test_msg = "Lorem ipsum dolor sit amet, consectetur "
"adipisici elit, sed eiusmod tempor incidunt "
"ut labore et dolore magna aliqua.";
-static const char* test_msg_b64 =
+static const char *test_msg_b64 =
"TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2ljaS"
"BlbGl0LCBzZWQgZWl1c21vZCB0ZW1wb3IgaW5jaWR1bnQgdXQgbGFib3JlIGV0IGRv"
"bG9yZSBtYWduYSBhbGlxdWEu";
/* Sha256 digest of test_msg excluding NUL terminator */
-static const uint8_t test_digest[] =
- {0x77, 0x38, 0x65, 0x00, 0x1e, 0x96, 0x48, 0xc6, 0x57, 0x0b, 0xae,
- 0xc0, 0xb7, 0x96, 0xf9, 0x66, 0x4d, 0x5f, 0xd0, 0xb7, 0xdb, 0xf3,
- 0x3a, 0xbf, 0x02, 0xcc, 0x78, 0x61, 0x83, 0x20, 0x20, 0xee};
+static const uint8_t test_digest[] = {
+ 0x77, 0x38, 0x65, 0x00, 0x1e, 0x96, 0x48, 0xc6, 0x57, 0x0b, 0xae,
+ 0xc0, 0xb7, 0x96, 0xf9, 0x66, 0x4d, 0x5f, 0xd0, 0xb7, 0xdb, 0xf3,
+ 0x3a, 0xbf, 0x02, 0xcc, 0x78, 0x61, 0x83, 0x20, 0x20, 0xee
+};
static const char *test_digest_b64 = "dzhlAB6WSMZXC67At5b5Zk1f0Lfb8zq/Asx4YYMgIO4=";
* --- the smallest size of the actual signature with the above
* keys.
*/
-static const uint8_t good_sig[] =
- {0xd8, 0xa7, 0xd9, 0x81, 0xd8, 0xaa, 0xd8, 0xad, 0x20, 0xd9, 0x8a, 0xd8,
- 0xa7, 0x20, 0xd8, 0xb3, 0xd9, 0x85, 0xd8, 0xb3, 0xd9, 0x85, 0x0};
+static const uint8_t good_sig[] = {
+ 0xd8, 0xa7, 0xd9, 0x81, 0xd8, 0xaa, 0xd8, 0xad, 0x20, 0xd9, 0x8a, 0xd8,
+ 0xa7, 0x20, 0xd8, 0xb3, 0xd9, 0x85, 0xd8, 0xb3, 0xd9, 0x85, 0x0
+};
static const char *good_sig_b64 = "2KfZgdiq2K0g2YrYpyDYs9mF2LPZhQA=";
const char *expected_tbs = test_digest_b64;
if (strstr(algorithm, "data=message"))
{
- expected_tbs = test_msg_b64;
- assert_non_null(strstr(algorithm, "hashalg=SHA256"));
+ expected_tbs = test_msg_b64;
+ assert_non_null(strstr(algorithm, "hashalg=SHA256"));
}
assert_string_equal(b64_data, expected_tbs);
}
/* sign with sig = NULL to get required siglen */
- assert_int_equal(EVP_DigestSign(mctx, sig, &siglen, (uint8_t*)test_msg, strlen(test_msg)), 1);
+ assert_int_equal(EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)), 1);
assert_true(siglen > 0);
if ((sig = test_calloc(1, siglen)) == NULL)
{
fail_msg("Out of memory");
}
- assert_int_equal(EVP_DigestSign(mctx, sig, &siglen, (uint8_t*)test_msg, strlen(test_msg)), 1);
+ assert_int_equal(EVP_DigestSign(mctx, sig, &siglen, (uint8_t *)test_msg, strlen(test_msg)), 1);
done:
if (mctx)
pubkey = load_pubkey(pubkeys[i]);
assert_true(pubkey != NULL);
- EVP_PKEY *privkey = xkey_load_generic_key(NULL, (void*)dummy, pubkey, xkey_sign, xkey_free);
+ EVP_PKEY *privkey = xkey_load_generic_key(NULL, (void *)dummy, pubkey, xkey_sign, xkey_free);
assert_true(privkey != NULL);
xkey_sign_called = 0;
uninit_test();
return ret;
}
-#else
+#else /* ifdef HAVE_XKEY_PROVIDER */
int
main(void)
{
/* Test writing the client key */
expect_string(__wrap_buffer_write_file, filename, filename);
expect_memory(__wrap_buffer_write_file, pem, test_client_key_metadata,
- strlen(test_client_key_metadata));
+ strlen(test_client_key_metadata));
will_return(__wrap_buffer_write_file, true);
/* Key generation re-reads the created file as a sanity check */
#include "utils.h"
static void
-pass_any_null_param__returns_null() {
+pass_any_null_param__returns_null()
+{
char DUMMY[] = "DUMMY";
}
static void
-pass_any_empty_string__returns_null() {
+pass_any_empty_string__returns_null()
+{
char DUMMY[] = "DUMMY";
char EMPTY[] = "";
}
static void
-replace_single_char__one_time__match_is_replaced() {
+replace_single_char__one_time__match_is_replaced()
+{
char *replaced = searchandreplace("X","X","Y");
assert_non_null(replaced);
}
static void
-replace_single_char__multiple_times__match_all_matches_are_replaced() {
+replace_single_char__multiple_times__match_all_matches_are_replaced()
+{
char *replaced = searchandreplace("XaX","X","Y");
assert_non_null(replaced);
}
static void
-replace_longer_text__multiple_times__match_all_matches_are_replaced() {
+replace_longer_text__multiple_times__match_all_matches_are_replaced()
+{
char *replaced = searchandreplace("XXaXX","XX","YY");
assert_non_null(replaced);
}
static void
-pattern_not_found__returns_original() {
+pattern_not_found__returns_original()
+{
char *replaced = searchandreplace("abc","X","Y");
assert_non_null(replaced);
int
-main(void) {
+main(void)
+{
const struct CMUnitTest tests[] = {
cmocka_unit_test(pass_any_null_param__returns_null),
cmocka_unit_test(pass_any_empty_string__returns_null),
projects / thirdparty / openvpn.git / commitdiff
